Dell Networking N-Series N1500, N2000, N3000, and N4000 Switches User’s Configuration Guide Version 6.3.0.
Notes and Cautions

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

Information in this publication is subject to change without notice. Copyright © 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell™ and the Dell logo are trademarks of Dell Inc.
Contents

1 Introduction
  About This Document
  Audience
  Document Conventions
  Additional Documentation
2 Switch Feature Overview
  System Management Features
  Stacking Features
  High Stack Count
  Single IP Management
  Hot Add/Delete and Firmware Synchronization
  Configurable Access and Authentication Profiles
  Password-Protected Management Access
  Power Utilization Reporting
  Power over Ethernet (PoE) Plus Features
  PoE Plus Support
  Power over Ethernet (PoE) Plus Configuration
  UPOE Support
  Switching Features
  Flow Control Support (IEEE 802.3x)
  IP Subnet-based VLAN
  MAC-based VLAN
  IEEE 802.1v Protocol-Based VLANs
  GARP and GVRP Support
  Voice VLAN
  Guest VLAN
  Unauthorized VLAN
  Double VLANs
  Spanning Tree Protocol Features
  Routing Table
  Virtual Router Redundancy Protocol (VRRP)
  Tunnel and Loopback Interfaces
  IPv6 Routing Features
  IPv6 Configuration
  IPv6 Routes
  OSPFv3
  DHCPv6
  Quality of Service (QoS) Features
3 Hardware Overview
  Dell Networking N1500 Series Switch Hardware
  Front Panel
  Back Panel
  LED Definitions
  Power Consumption for PoE Switches
  Front Panel
  Back Panel
4 Using Dell OpenManage Switch Administrator
  About Dell OpenManage Switch Administrator
  Starting the Application
  Understanding the Interface
  Understanding the Device View
  Console Connection
6 Default Settings
7 Setting the IP Address and Other Basic Network Information
  IP Address and Network Information Overview
  How Is Basic Network Information Configured?
  What Is Out-of-Band Management and In-Band Management?
  Default Network Information
  Configuring and Viewing Additional Network Information
  Basic Network Information Configuration Examples
  Configuring Network Information Using the Serial Interface
  Configuring Network Information Using the OOB Port
8 Managing QSFP Ports
9 Stacking
  Supported Switches
  Stack Port Summary
  Stack Port Counters
  Stack Port Diagnostics
  NSF Summary
  Checkpoint Statistics
  Managing the Stack (CLI)
  Configuring Stack Member, Stack Port, and NSF Settings
  Authentication
  Authentication Types
  Authentication Manager
  Using RADIUS
  Using TACACS+ Servers to Control Management Access
  Authentication Examples
  Public Key SSH Authentication Example
  Authorization Examples
  Configuring Captive Portal (Web)
  Configuring Captive Portal (CLI)
  Captive Portal Configuration Example
  In Case Of Problems in Captive Portal Deployment
11 Monitoring and Logging System Information
  System Monitoring Overview
  What System Information Is Monitored?
  Email Alert Mail Server Configuration
  Email Alert Subject Configuration
  Email Alert To Address Configuration
  Email Alert Statistics
  Monitoring System Information and Configuring Logging (CLI)
  Viewing System Information and Enabling the Locator LED
  Running Cable Diagnostics
  Dynamic/Static Power Management Mode
  Class-Based Power Management Mode
  Configuring General System Settings (Web)
  System Information
  CLI Banner
  SDM Template Preference
  Clock
  SNTP Global Settings
  SNTP Authentication
  SNTP Server
  Summer Time Configuration
  Time Zone Configuration
  General System Settings Configuration Examples
  Configuring System and Banner Information
  Configuring SNTP
  Configuring the Time Manually
13 SNMP
  SNMP Overview
  What Is SNMP?
  What Are SNMP Traps?
  SNMP Configuration Examples
  Configuring SNMPv3
14 Images and File Management
  Image and File Management Overview
  What Files Can Be Managed?
  What Methods Are Supported for File Management?
  What Factors Should Be Considered When Managing Files?
  How Is the Running Configuration Saved?
  File and Image Management Configuration Examples
  Upgrading the Firmware
  Managing Configuration Scripts
  Managing Files by Using the USB Flash Drive
15 DHCP and USB Auto-Configuration
  Auto Configuration Overview
  What Is USB Auto Configuration?
  What Files Does USB Auto Configuration Use?
16 Monitoring Switch Traffic
  Traffic Monitoring Overview
  What Is sFlow Technology?
  What Is RMON?
  What Is Port Mirroring?
  Remote Capture
  Why Is Traffic Monitoring Needed?
  Configuring RMON
  Viewing Statistics
  Configuring Port Mirroring
  Configuring RSPAN
  Traffic Monitoring Examples
  Configuring sFlow
  Configuring RMON
  Configuring Remote Capture
  Configuring RSPAN
17 iSCSI Optimization
  Configuring iSCSI Optimization (Web)
  iSCSI Global Configuration
  iSCSI Targets Table
  iSCSI Sessions Table
  iSCSI Sessions Detailed
  Configuring iSCSI Optimization (CLI)
  iSCSI Optimization Configuration Examples
  Configuring iSCSI Optimization Between Servers and a Disk Array
  Configuring Port Characteristics (CLI)
  Configuring Port Settings
  Configuring Link Dependencies
  Configuring Green Features
  Port Configuration Examples
  Configuring Port Settings
  Configuring Link Dependency Groups
  Configuring a Port in Access Mode
  Configuring a Port in Trunk Mode
  Preventing False ACL Matches
  Using IP and MAC Address Masks
  Policy-Based Routing
  Packet Classification
  Route-Map Processing
  Route-Map Actions
  PBR and Implicit Deny-all
  Configuring ACLs (Web)
  IP ACL Configuration
21 VLANs
  VLAN Overview
  VLAN Tagging
  GVRP
  Double-VLAN Tagging
  Voice VLAN
  Private VLANs
  Additional VLAN Features
  Default VLAN Behavior
  Enterprise Voice VLAN Configuration With QoS
  MLAG with RPVST and Voice VLAN
  Assigning an 802.1p Priority to VLAN Traffic
  Configuring a Private VLAN
  VLAN Configuration Examples
  Configuring VLANs Using the Dell OpenManage Administrator
  Configuring VLANs Using the CLI
  STP LAG Settings
  Rapid Spanning Tree
  MSTP Settings
  MSTP Interface Settings
  Configuring Spanning Tree (CLI)
  Configuring Global STP Bridge Settings
  Configuring Optional STP Features
  Configuring STP Interface Settings
  Configuring MSTP Switch Settings
  LLDP Statistics
  LLDP Connections
  LLDP-MED Global Configuration
  LLDP-MED Interface Configuration
  LLDP-MED Local Device Information
  LLDP-MED Remote Device Information
  Configuring ISDP and LLDP (CLI)
  Configuring Global ISDP Settings
  Enabling ISDP on a Port
  Storm Control
  Protected Port Configuration
  LLPF Configuration
  Configuring Port-Based Traffic Control (CLI)
  Configuring Flow Control and Storm Control
  Configuring Protected Ports
  Configuring LLPF
  Port-Based Traffic Control Configuration Example
  Bridge Multicast Group
  MRouter Status
  General IGMP Snooping
  Global Querier Configuration
  VLAN Querier
  VLAN Querier Status
  MFDB IGMP Snooping Table
  MLD Snooping General
  MLD Snooping Global Querier Configuration
  MLD Snooping VLAN Querier
  MLD Snooping VLAN Querier Status
  MFDB MLD Snooping Table
26 Connectivity Fault Management
  Dot1ag Overview
  How Does Dot1ag Work Across a Carrier Network?
  What Entities Make Up a Maintenance Domain?
  What Is the Administrator's Role?
  Default Dot1ag Values
  Configuring Dot1ag (Web)
  How Is the DHCP Snooping Bindings Database Populated?
  What Is IP Source Guard?
  What Is Dynamic ARP Inspection?
  Why Is Traffic Snooping and Inspection Necessary?
  Default Traffic Snooping and Inspection Values
  Configuring Traffic Snooping and Inspection (Web)
  Traffic Snooping and Inspection Configuration Examples
  Configuring DHCP Snooping
  Configuring IPSG
28 Link Aggregation
  Link Aggregation Overview
  Default Link Aggregation Values
  Configuring Link Aggregation (Web)
  Configuring Link Aggregation (CLI)
  Configuring PFC Using the Web Interface
  Configuring PFC Using the CLI
  PFC Configuration Example
  DCB Capability Exchange
  Interoperability with IEEE DCBx
  DCBx and Port Roles
  Configuration Source Port Selection Process
  Disabling DCBX
31 DHCP Server and Relay Settings
  DHCP Overview
  How Does DHCP Work?
  What Are DHCP Options?
  How Is DHCP Option 82 Used?
  What Additional DHCP Features Does the Switch Support?
  Default DHCP Server Values
  IP Path MTU and Path MTU Discovery
  ARP Table
  Configuring IP Routing Features (Web)
  IP Configuration
  IP Statistics
  ARP Create
  ARP Table Configuration
  Router Discovery Configuration
  Router Discovery Status
  Route Table
  Best Routes Table
  What Are Tunnel Interfaces?
  Why Are Routing Interfaces Needed?
  Default Routing Interface Values
  Configuring Routing Interfaces (Web)
  IP Interface Configuration
  DHCP Lease Parameters
  VLAN Routing Summary
  IP Helper Global Configuration
  IP Helper Interface Configuration
  IP Helper Statistics
  Configuring L2 and L3 Relay Features (CLI)
  Configuring L2 DHCP Relay
  Configuring L3 Relay (IP Helper) Settings
  Relay Agent Configuration Example
35 OSPF and OSPFv3
  OSPF Overview
  OSPF Neighbor Configuration
  OSPF Link State Database
  OSPF Virtual Link Configuration
  OSPF Virtual Link Summary
  OSPF Route Redistribution Configuration
  OSPF Route Redistribution Summary
  NSF OSPF Configuration
  Configuring OSPFv3 Features (Web)
  OSPFv3 Configuration
  OSPFv3 Area Configuration
  Configuring Virtual Links
  Configuring an OSPFv3 Area Range
  Configuring OSPFv3 Route Redistribution Settings
  Configuring NSF Settings for OSPFv3
  OSPF Configuration Examples
  Configuring Flood Blocking
  VRF ARP Entries
  Configuring RIP Features (Web)
  RIP Configuration
  RIP Interface Configuration
  RIP Interface Summary
  RIP Route Redistribution Configuration
  RIP Route Redistribution Summary
  Configuring RIP Features (CLI)
  Configuring Global RIP Settings
  Configuring RIP Interface Settings
  Configuring VRRP Settings
  VRRP Configuration Example
  VRRP with Load Sharing
  VRRP with Route and Interface Tracking
  Configuring VRRP in a VRF
  Troubleshooting VRRP
39 BGP
  Overview
  BGP Operations
  Route Reflection
  VRF Support
  BGP Neighbor Configuration
  Extended Communities
  VPNv4/VRF Route Distribution via MP-BGP
  IPv6
  BGP Limitations
41 IPv6 Routing
  IPv6 Routing Overview
  How Does IPv6 Compare with IPv4?
  How Are IPv6 Interfaces Configured?
  Default IPv6 Routing Values
42 DHCPv6 Server and Relay Settings
  DHCPv6 Overview
  What Is a DHCPv6 Pool?
  What Is a Stateless Server?
  What Is the DHCPv6 Relay Agent Information Option?
  What Is a Prefix Delegation?
  Default DHCPv6 Server and Relay Values
43 Differentiated Services
  DiffServ Overview
  How Does DiffServ Functionality Vary Based on the Role of the Switch?
  What Are the Elements of DiffServ Configuration?
  Default DiffServ Values
  Configuring DiffServ (Web)
  DiffServ Configuration
44 Class-of-Service
  CoS Overview
  What Are Trusted and Untrusted Port Modes?
  How Is Traffic Shaping Used on Egress Traffic?
  CoS Queue Usage
  Configuring CoS (Web)
  Mapping Table Configuration
  Two-Rate Meter Implementation
  Explicit Congestion Notification
  Enabling ECN in Microsoft Windows
  Example 1: SLA Configuration
  Example 2: Long-Lived Congestion
  Example 3: Data Center TCP (DCTCP) Configuration
45 Auto VoIP
  Auto VoIP Overview
  What Is PIM?
  What Is DVMRP?
  Default L3 Multicast Values
  Configuring General IPv4 Multicast Features (Web)
  Multicast Global Configuration
  Multicast Interface Configuration
  Multicast Route Table
  Multicast Admin Boundary Configuration
  Multicast Admin Boundary Summary
  MLD Traffic
  MLD Proxy Configuration
  MLD Proxy Configuration Summary
  MLD Proxy Interface Membership Information
  Detailed MLD Proxy Interface Membership Information
  Configuring PIM for IPv4 and IPv6 (Web)
  PIM Global Configuration
  PIM Global Status
  Configuring and Viewing PIM-DM for IPv4 Multicast Routing
  Configuring and Viewing PIM-DM for IPv6 Multicast Routing
  Configuring and Viewing PIM-SM for IPv4 Multicast Routing
  Configuring and Viewing PIM-SM for IPv6 Multicast Routing
  Configuring and Viewing DVMRP Information
48 OpenFlow
  Dell Networking OpenFlow Hybrid Overview
  Enable Dell Networking OpenFlow Hybrid
  Interaction with the OpenFlow Controllers
  Deploy OpenFlow Controller Flows
  Collect Port and Queue Status and Statistics
  Usage Scenarios
49 Dell Networking Python Support
A Feature Limits and Platform Constants
B System Process Definitions
C Dell SupportAssist
1 Introduction

The switches in the Dell Networking N1500, N2000, N3000, and N4000 Series are stackable layer-2 and layer-3 switches. These switches include the following features:
• 1U form factor, rack-mountable chassis design.
• Support for all data-communication requirements for a multi-layer switch, including layer-2 switching, IPv4 routing, IPv6 routing, IP multicast, quality of service, security, and system management features.
Document Conventions

Table 1-1 describes the typographical conventions this document uses.

Table 1-1. Document Conventions

Convention     Description
Bold           Page names, field names, menu options, button names, and CLI commands and keywords.
courier font   Command-line text (CLI output) and file names.
[ ]            In a command line, square brackets indicate an optional entry.
{ }            In a command line, curly braces indicate a choice among compulsory parameters, separated by the | character.
2 Switch Feature Overview

This section describes the switch user-configurable software features.

NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download.
System Management Features

Multiple Management Options

Any of the following methods can be used to manage the switch:
• Use a web browser to access the Dell OpenManage Switch Administrator interface. The switch contains an embedded web server that serves HTML pages. Dell Networking N-Series switches support HTTP and HTTPS over IPv4 or IPv6.
• Use a Telnet client, SSH client, or a direct console connection to access the CLI.

Telnet and HTTP carry credentials and session contents in cleartext. Prefer SSH and HTTPS for remote management, and limit which hosts can reach the management interface (see "Configurable Access and Authentication Profiles" below).
For information about configuring system time settings, see "Managing General System Settings " on page 389. Log Messages The switch maintains in-memory log messages as well as persistent logs. Remote logging can be configured so that the switch sends log messages to a remote syslog server. The switch can also be configured to email log messages to a configured SMTP server. This allows the administrator to receive the log message in a specified e-mail account.
If the switch detects an IP address conflict on the management interface, it generates a trap and sends a log message. For information about configuring basic network information, see "Setting the IP Address and Other Basic Network Information " on page 165. IPv6 Management Features Dell Networking N-Series switches provide IPv6 support for many standard management features including HTTP, HTTPS/SSL, Telnet, SSH, syslog, SNTP, TFTP, and traceroute on both the in-band and out-of-band management ports.
Switch Database Management Templates Switch Database Management (SDM) templates enable reallocating system resources to support a different mix of features based on network requirements. Dell Networking N-Series switches support the following three templates: • Dual IPv4 and IPv6 (default) • IPv4 Routing • IPv4 Data Center For information about setting the SDM template, see "Managing General System Settings " on page 389.
NOTE: Automatic migration of the startup configuration to the next version of firmware from the current and previous versions of firmware is supported; the syntax is automatically updated when it is read into the running-config. Check the release notes to determine if any parts of the configuration cannot be migrated. Save the running-config to maintain the updated syntax. Migration of configuration is not assured on a firmware downgrade.
CDP Interoperability Through ISDP Industry Standard Discovery Protocol (ISDP) allows the Dell Networking N-Series switch to interoperate with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is a proprietary layer-2 network protocol which inter-operates with Cisco network equipment and is used to share information between neighboring devices (routers, bridges, access servers, and switches). For information about configuring ISDP settings, see "Discovering Network Devices " on page 825.
!System Software Version 6.3.0.51
!Image File Name N3000_BGPv6.3.0.51.stk
!Software Capability AGGREGATION ROUTER

When migrating between the two types of images, certain commands in the startup-config may fail to execute because the relevant feature is not available. The switch firmware will identify any failed commands. It is necessary to edit the startup-config if errors are displayed and remove any failed commands.
Stacking Features

For information about creating and maintaining a stack of switches, see "Stacking " on page 193.

High Stack Count

The Dell Networking N2000, N3000, and N4000 Series switches include a stacking feature that allows up to 12 switches to operate as a single unit. The Dell Networking N1500 Series switches allow stacks of up to 4 units. The Dell Networking N2000 and N3000 Series switches have two fixed mini-SAS stacking connectors at the rear.
Nonstop Forwarding on the Stack

The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack units to continue to forward packets while the control and management planes restart as a result of a power failure, hardware failure, or software fault on the stack master, and allows the standby switch to quickly take over as the master.

Hot Add/Delete and Firmware Synchronization

Units can be added to and deleted from the stack without cycling the power on the stack.
Security Features Configurable Access and Authentication Profiles Rules can be configured to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. The user can also be required to be authenticated locally or by an external server, such as a RADIUS server. For information about configuring access and authentication profiles, see "Authentication, Authorization, and Accounting " on page 229.
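The rule semantics described above (an ordered list of rules keyed on access type and source address, first match wins, and an implicit deny once a profile is applied) are easy to get wrong in a way that locks the administrator out. The following Python model is an added example, not the switch firmware or any Dell code; the rule fields, service names and the sample profile are assumptions chosen for illustration.

```python
"""Management-access profile evaluator (added example, not Dell code).

Models an ordered rule list: each rule names an access type (service) and a
source prefix, the first matching rule decides, and once a profile is active
anything that matches no rule is denied. Field names and the sample profile
below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    priority: int      # lower value is evaluated first
    action: str        # "permit" or "deny"
    service: str       # "ssh", "https", "telnet", "http", "snmp", or "any"
    source: str        # CIDR prefix of the management host, or "any"

    def matches(self, service: str, src_ip: str) -> bool:
        if self.service not in ("any", service):
            return False
        if self.source == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


class AccessProfile:
    def __init__(self, rules, active=True):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.active = active

    def decide(self, service: str, src_ip: str) -> str:
        """Return 'permit' or 'deny' for one management connection attempt."""
        if not self.active:
            return "permit"            # no profile applied: every service is reachable
        for rule in self.rules:
            if rule.matches(service, src_ip):
                return rule.action
        return "deny"                  # implicit deny-all after the last rule


# Constructed sample profile: encrypted management only, and only from the
# management subnet; plaintext services denied from everywhere.
PROFILE = AccessProfile([
    AccessRule(10, "deny", "telnet", "any"),
    AccessRule(20, "deny", "http", "any"),
    AccessRule(30, "permit", "ssh", "10.0.0.0/24"),
    AccessRule(40, "permit", "https", "10.0.0.0/24"),
])

if __name__ == "__main__":
    for svc, ip in [("ssh", "10.0.0.5"), ("ssh", "192.168.1.5"), ("telnet", "10.0.0.5")]:
        print(svc, ip, PROFILE.decide(svc, ip))
```

The practical check before activating such a profile is to evaluate it against the address and protocol you are currently connected with: in this model a profile with no rule for your own source denies you along with everyone else.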
RADIUS Support The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32 named authentication and accounting RADIUS servers. The switch also supports RADIUS Attribute 4, which is the configuration of a NAS-IP address. The switch can also be configured to accept RADIUS-assigned VLANs. For information about configuring RADIUS client settings, see "Authentication, Authorization, and Accounting " on page 229.
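To make the two RADIUS details above concrete (NAS-IP-Address as attribute 4 in the request, and a VLAN assignment carried back in the reply), here is an added example of the wire encoding. It is not the switch firmware's RADIUS client and not Dell code; the shared secret, user, addresses and the constructed Access-Accept are assumptions. The VLAN assignment follows the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which is what "RADIUS-assigned VLANs" means in practice.

```python
"""RADIUS Access-Request builder and Access-Accept VLAN parser.

Added example, not the switch's RADIUS client. Encodes NAS-IP-Address
(attribute 4) and the RFC 2865 User-Password obfuscation, and extracts a
RADIUS-assigned VLAN from the RFC 3580 tunnel attributes in an Access-Accept.
All sample values below are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attr(atype: int, value: bytes) -> bytes:
    """Encode one TLV attribute: type, total length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password: each 16-byte chunk XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def build_access_request(ident, user, password, secret, nas_ip, nas_port, authenticator=None):
    """Return a wire-format Access-Request that includes NAS-IP-Address (attr 4)."""
    authenticator = authenticator or os.urandom(16)   # must be fresh per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def assigned_vlan(packet: bytes):
    """VLAN ID from an Access-Accept with consistent RFC 3580 tunnel attributes, else None."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")        # first byte is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            text = value[1:] if value[:1] <= b"\x1f" else value     # tag byte is optional here
            found[atype] = text.decode()
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and found.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
        return int(found[TUNNEL_PRIVATE_GROUP_ID])
    return None


def sample_accept(ident: int, vlan: int) -> bytes:
    """Constructed Access-Accept assigning `vlan`, tag 0 on all three attributes."""
    attrs = (attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


if __name__ == "__main__":
    req = build_access_request(7, "admin", "s3cret", b"sharedsecret", "10.0.0.2", 1)
    print(req.hex())
    print(assigned_vlan(sample_accept(7, 100)))
```

Two things the encoding makes visible: the only protection on User-Password is MD5 keyed by the shared secret and a per-request random authenticator, so the secret's strength and the transport (ideally an isolated management VLAN) matter; and a server can only key policy on the sending switch when the switch populates NAS-IP-Address consistently, which is why the configurable attribute 4 is worth setting explicitly.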
Port Protection A port may be put into the error-disabled state for any of the following reasons: • BPDU Storm: By default, if Spanning Tree Protocol (STP) bridge protocol data units (BPDUs) are received at a rate of 15pps or greater for three consecutive seconds on a port, the port will be error-disabled. The threshold is not configurable.
• ICMP storms: Ports on which ICMP storms are detected are error-disabled. The rate limit and burst sizes are configurable separately for IPv4 and IPv6.
• PML: Interfaces on which the port security violation is configured to shut down the interface are error-disabled when a violation occurs.
• Loop Protect: Loop protection diagnostically disables ports on which a loop is detected. A log message may be issued when a port is disabled by Loop Protection.
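The BPDU rule above is precise enough to model: 15 pps or more for three consecutive seconds, not a 45-BPDU burst and not a rolling average. The following Python is an added example of that decision logic, not the switch firmware; the ICMP storm check is modelled as a token bucket with a configurable rate and burst, which is an assumption about the mechanism (the text only says the rate and burst are configurable), and the port names and log format are likewise assumed.

```python
"""Error-disable decision logic for BPDU and ICMP storms (added example, not
the switch firmware). BPDU: a port is error-disabled when BPDUs arrive at
>= 15 pps for three consecutive one-second intervals, a fixed threshold.
ICMP: modelled as a token bucket with configurable rate and burst (an
assumption about the mechanism). Port names and log text are constructed.
"""
from collections import defaultdict

BPDU_PPS_THRESHOLD = 15          # fixed, not configurable
BPDU_CONSECUTIVE_SECONDS = 3


class BpduStormGuard:
    def __init__(self):
        self.count = defaultdict(int)    # BPDUs seen in the current second, per port
        self.over = defaultdict(int)     # consecutive seconds at or over the threshold
        self.errdisabled = set()

    def bpdu_received(self, port: str) -> None:
        if port not in self.errdisabled:
            self.count[port] += 1

    def tick(self, port: str):
        """Once per second per port; returns a log line if the port was just disabled."""
        if port in self.errdisabled:
            return None
        pps, self.count[port] = self.count[port], 0
        self.over[port] = self.over[port] + 1 if pps >= BPDU_PPS_THRESHOLD else 0
        if self.over[port] >= BPDU_CONSECUTIVE_SECONDS:
            self.errdisabled.add(port)
            return f"{port}: error-disabled, BPDU storm ({pps} pps for {self.over[port]} s)"
        return None


class IcmpStormGuard:
    """Token bucket: `rate` tokens added per second, bucket depth `burst`.
    An ICMP packet that finds the bucket empty trips the storm check."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)
        self.errdisabled = set()

    def tick(self, port: str) -> None:
        self.tokens[port] = min(self.burst, self.tokens[port] + self.rate)

    def icmp_received(self, port: str) -> bool:
        """True if the packet is forwarded, False if dropped (port disabled)."""
        if port in self.errdisabled:
            return False
        if self.tokens[port] > 0:
            self.tokens[port] -= 1
            return True
        self.errdisabled.add(port)
        return False


def replay(guard: BpduStormGuard, port: str, per_second_counts):
    """Feed constructed per-second BPDU counts through the guard; return log lines."""
    logs = []
    for n in per_second_counts:
        for _ in range(n):
            guard.bpdu_received(port)
        msg = guard.tick(port)
        if msg:
            logs.append(msg)
    return logs


if __name__ == "__main__":
    print(replay(BpduStormGuard(), "Gi1/0/1", [14, 14, 14, 14]))      # never trips
    print(replay(BpduStormGuard(), "Gi1/0/2", [15, 15, 3, 15, 15]))   # streak broken, never trips
    print(replay(BpduStormGuard(), "Gi1/0/3", [15, 20, 15]))          # trips on the third second
```

The second replay is the case worth remembering when reading logs: a single quiet second resets the streak, so an attacker or a flapping loop that pauses every two seconds stays just under a detector of this shape, which is one reason Loop Protect and storm control exist alongside it.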
however, the switch will transport encrypted packets, such as PEAP or EAP-TLS packets, between the supplicant and authentication server in support of mutual authentication and privacy. For information about configuring IEEE 802.1X settings, see "Port and System Security " on page 623. MAC-Based 802.1X Authentication MAC-based authentication allows multiple supplicants connected to the same port to each authenticate individually.
Access Control Lists (ACLs) Access Control Lists (ACLs) can help to ensure network availability for legitimate users while blocking access attempts by unauthorized users, or can restrict which parts of the network legitimate users may reach. ACLs may be used to provide traffic flow control, restrict the contents of routing updates, decide which types of traffic are forwarded or blocked, and above all, provide some level of security for the network.
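An ACL is evaluated top-down, the first matching rule decides, and traffic matching no rule is denied. The evaluator below is an added example, not the switch's ACL engine: the rule syntax, the packet model, the builder function and the constructed management policy are all assumptions for illustration. It shows why rule order matters (the management-subnet permit must precede the broader deny) and why a protocol-specific rule cannot match a packet of another protocol.

```python
# Added example (not Dell firmware): a first-match ACL evaluator with the usual
# implicit deny at the end. Rule syntax and packet model are assumptions for
# illustration; all addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # destination port, None for ICMP


@dataclass(frozen=True)
class AclRule:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]] = None   # inclusive port range; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None:
            if pkt.dport is None:            # e.g. ICMP cannot match a port rule
                return False
            lo, hi = self.dport
            return lo <= pkt.dport <= hi
        return True


def rule(action, proto, src, dst, dport=None):
    """Small builder so a rule reads roughly like a CLI access-list line."""
    return AclRule(action, proto, ipaddress.ip_network(src),
                   ipaddress.ip_network(dst), dport)


def evaluate(acl, pkt):
    """Return (action, index of first matching rule); unmatched traffic is denied."""
    for i, r in enumerate(acl):
        if r.matches(pkt):
            return r.action, i
    return "deny", None


# Constructed policy: only the management subnet may reach the switch's SSH
# port, anyone may reach the web server over HTTPS, ICMP is allowed, and
# everything else falls through to the implicit deny.
MGMT_ACL = [
    rule("permit", "tcp", "10.10.0.0/24", "10.10.0.1/32", dport=(22, 22)),
    rule("deny",   "tcp", "0.0.0.0/0",    "10.10.0.1/32", dport=(22, 22)),
    rule("permit", "tcp", "0.0.0.0/0",    "192.168.50.0/24", dport=(443, 443)),
    rule("permit", "icmp", "0.0.0.0/0",   "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(evaluate(MGMT_ACL, Packet("tcp", "10.10.0.5", "10.10.0.1", 22)))
    print(evaluate(MGMT_ACL, Packet("tcp", "172.16.1.9", "10.10.0.1", 22)))
    print(evaluate(MGMT_ACL, Packet("udp", "172.16.1.9", "192.168.50.7", 53)))
```

Returning the matching rule index alongside the action is what makes such an evaluator useful when auditing a policy: a hit counter per index tells you which rules are actually doing work and which deny rule is shadowed by an earlier permit.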
DHCP Snooping DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs. Ports within the VLAN can be configured to be trusted or untrusted. DHCP servers must be reached through trusted ports.
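To make the trusted/untrusted distinction and the bindings database concrete, here is an added example of a simplified DHCP snooping filter. It is not Dell firmware: the message structure, the three filtering rules (server messages only from trusted ports, frame source MAC must equal the DHCP chaddr, RELEASE/DECLINE only from the port holding the binding) and the constructed exchange are assumptions made for illustration; the page itself states only that harmful messages are filtered and that servers must be reached through trusted ports. The binding tuple is exactly the one the page describes: (MAC address, IP address, VLAN ID, port).

```python
# Added example (not Dell firmware): a simplified DHCP snooping filter and
# bindings database. Message fields and the filtering rules are assumptions.
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class DhcpMessage:
    kind: str       # DHCP message type, e.g. "DISCOVER" or "ACK"
    src_mac: str    # Ethernet source address of the frame
    chaddr: str     # client hardware address carried in the DHCP payload
    yiaddr: str     # address offered/assigned in server messages, else ""
    vlan: int
    port: str       # ingress port of the frame


@dataclass
class DhcpSnooping:
    enabled_vlans: set
    trusted_ports: set
    # bindings database: (client MAC, VLAN) -> (IP address, port)
    bindings: dict = field(default_factory=dict)
    # (client MAC, VLAN) -> untrusted port on which the client's REQUEST arrived
    pending: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def process(self, msg: DhcpMessage) -> bool:
        """Return True to forward the message, False to drop it."""
        if msg.vlan not in self.enabled_vlans:
            return True                       # snooping not enabled on this VLAN
        trusted = msg.port in self.trusted_ports
        key = (msg.chaddr, msg.vlan)

        # Rule 1: DHCP servers must be reached through trusted ports, so a
        # server message arriving on an untrusted port is a rogue server.
        if msg.kind in SERVER_MESSAGES and not trusted:
            return self._drop(msg, "server message on untrusted port")

        if msg.kind in CLIENT_MESSAGES and not trusted:
            # Rule 2: the frame source MAC must match the DHCP chaddr field.
            if msg.src_mac != msg.chaddr:
                return self._drop(msg, "chaddr does not match source MAC")
            # Rule 3: RELEASE/DECLINE must come from the port holding the binding.
            if msg.kind in {"RELEASE", "DECLINE"}:
                bound = self.bindings.get(key)
                if bound is None or bound[1] != msg.port:
                    return self._drop(msg, "release/decline from a port without that binding")
                del self.bindings[key]
            elif msg.kind == "REQUEST":
                self.pending[key] = msg.port
            return True

        # A server ACK on a trusted port completes a lease: record the binding
        # against the untrusted port where the client's REQUEST was seen.
        if msg.kind == "ACK" and key in self.pending:
            self.bindings[key] = (msg.yiaddr, self.pending.pop(key))
        return True

    def _drop(self, msg, reason):
        self.dropped.append((msg.kind, msg.port, reason))
        return False


def run_constructed_scenario():
    """Constructed exchange: one legitimate lease, one rogue OFFER, one spoofed RELEASE."""
    snoop = DhcpSnooping(enabled_vlans={10}, trusted_ports={"Gi1/0/24"})
    client = "00:11:22:33:44:55"
    server = "00:aa:bb:cc:dd:ee"
    rogue = "de:ad:be:ef:00:01"
    exchange = [
        DhcpMessage("DISCOVER", client, client, "", 10, "Gi1/0/1"),
        DhcpMessage("OFFER", rogue, client, "10.0.0.99", 10, "Gi1/0/2"),   # rogue server
        DhcpMessage("OFFER", server, client, "10.0.0.50", 10, "Gi1/0/24"),
        DhcpMessage("REQUEST", client, client, "", 10, "Gi1/0/1"),
        DhcpMessage("ACK", server, client, "10.0.0.50", 10, "Gi1/0/24"),
        DhcpMessage("RELEASE", client, client, "", 10, "Gi1/0/3"),         # wrong port
    ]
    results = [snoop.process(m) for m in exchange]
    return snoop, results


if __name__ == "__main__":
    s, r = run_constructed_scenario()
    print(r, s.bindings, s.dropped, sep="\n")
```

The bindings database is the asset worth protecting here: it is what downstream features such as IP source guard and dynamic ARP inspection consult, so a RELEASE accepted from the wrong port would let one host evict another's binding. The lease port is learned from the REQUEST, not from the ACK, because the ACK arrives on the trusted uplink and says nothing about where the client sits.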
Green Technology Features For information about configuring Green Technology features, see "Port Characteristics " on page 591. Energy Detect Mode When the Energy Detect mode is enabled and the port link is down, the PHY automatically goes down for a short period of time and then wakes up periodically to check link pulses. This mode reduces power consumption on the port when no link partner is present. Energy Detect is proprietary and operates independently from EEE.
Power over Ethernet (PoE) Plus Features NOTE: The Dell Networking N1524P/N1548P, N2024P/N2048P, and N3024P/N3048P switches support PoE Plus and UPOE on selected ports. The PoE Plus and UPOE features do not apply to the other models in the Dell Networking N2000/N3000/N4000 Series. For information about configuring PoE Plus features, see "Managing General System Settings " on page 389.
Switching Features Flow Control Support (IEEE 802.3x) Flow control enables lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets for a limited period of time. Transmissions are temporarily halted to prevent buffer overflows. For information about configuring flow control, see "Port-Based Traffic Control " on page 849.
Auto-MDI/MDIX Support The switch supports auto-detection between crossed and straight-through cables. Media-Dependent Interface (MDI) is the standard wiring for end stations, and the standard wiring for hubs and switches is known as Media-Dependent Interface with Crossover (MDIX). Auto-negotiation must be enabled for MDIX to detect the wiring configuration. VLAN-Aware MAC-based Switching Packets arriving from an unknown source address are sent to the CPU and added to the Hardware Table.
Storm Control When layer-2 frames are processed, broadcast, unknown unicast, and multicast frames are flooded to all ports on the relevant virtual local area network (VLAN). The flooding occupies bandwidth and loads all nodes connected on all ports. Storm control limits the amount of broadcast, unknown unicast, and multicast frames accepted and forwarded by the switch. For information about configuring Broadcast Storm Control settings, see "Port-Based Traffic Control " on page 849.
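Storm control is a rate limiter that applies only to the flooded frame classes named above (broadcast, unknown unicast and multicast); known unicast is never throttled. The token-bucket limiter below is an added example, not the switch's implementation: the rate and burst parameters, the frame-class labels and the constructed bursts are assumptions for illustration. Separating "rate" from "burst" is the same distinction the ICMP storm entry under Port Protection makes, and the example shows how a burst allowance is consumed and refilled.

```python
# Added example (not Dell firmware): a per-port token-bucket limiter applied
# only to the frame classes that storm control covers. Rate, burst and the
# frame model are assumptions for illustration.
FLOODED_CLASSES = {"broadcast", "unknown-unicast", "multicast"}


class StormControl:
    """Token bucket: `rate_pps` tokens are added per second, at most `burst` stored."""

    def __init__(self, rate_pps, burst):
        self.rate = float(rate_pps)
        self.burst = float(burst)
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # time of the last refill
        self.forwarded = 0
        self.dropped = 0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now

    def admit(self, now, frame_class):
        """Return True if the frame is forwarded, False if storm control drops it."""
        if frame_class not in FLOODED_CLASSES:
            self.forwarded += 1
            return True              # known unicast is not subject to storm control
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.forwarded += 1
            return True
        self.dropped += 1
        return False


def replay_burst(limiter, now, count, frame_class):
    """Offer `count` frames of one class at the same instant; return how many pass."""
    return sum(1 for _ in range(count) if limiter.admit(now, frame_class))


if __name__ == "__main__":
    sc = StormControl(rate_pps=4, burst=10)
    print(replay_burst(sc, 0.0, 50, "broadcast"))   # 10: the burst allowance
    print(replay_burst(sc, 1.0, 50, "broadcast"))   # 4: one second of refill
    print(replay_burst(sc, 1.0, 5, "unicast"))      # 5: never limited
    print(sc.forwarded, sc.dropped)
```

A real switch enforces this per port in hardware, typically as a percentage of link bandwidth or in pps, but the behaviour to reason about is the same: a sustained flood settles at the configured rate, and a short legitimate burst (for example ARP on a link flap) is absorbed by the burst allowance rather than dropped.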
Link Layer Discovery Protocol (LLDP) The IEEE 802.1AB defined standard, Link Layer Discovery Protocol (LLDP), allows the switch to advertise major capabilities and physical descriptions. This information can be used to help identify system topology and detect bad configurations on the LAN. For information about configuring LLDP settings, see "Discovering Network Devices " on page 825.
protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances. Priorities are differentiated by the priority field of the 802.1Q VLAN header. The Dell Networking N4000 Series switches support lossless transport of frames on up to two priority classes. NOTE: An interface that is configured for PFC is automatically disabled for 802.3x flow control. For information about configuring the PFC feature, see "Data Center Bridging Features " on page 1051.
Cisco Protocol Filtering The Cisco Protocol Filtering feature (also known as Link Local Protocol Filtering) filters Cisco protocols that should not normally be relayed by a bridge. The group addresses of these Cisco protocols do not fall within the IEEE defined range of the 802.1D MAC Bridge Filtered MAC Group Addresses (01-80-C2-00-00-00 to 01-80-C2-00-00-0F). For information about configuring LLPF settings, see "Port-Based Traffic Control " on page 849.
Virtual Local Area Network Supported Features For information about configuring VLAN features, see "VLANs " on page 701. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents. Packets sharing common attributes can be grouped in the same VLAN. The Dell Networking N-Series switches are in full compliance with IEEE 802.1Q VLAN tagging.
The switch supports the Generic Attribute Registration Protocol (GARP). GARP VLAN Registration Protocol (GVRP) relies on the services provided by GARP to provide IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation on 802.1Q trunk ports. When GVRP is enabled, the switch registers and propagates VLAN membership on all ports that are part of the active spanning tree protocol topology. For information about configuring GARP timers see "Layer-2 Multicast Features " on page 867.
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Spanning Tree Protocol " on page 779. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of layer-2 switches that allows bridges to automatically prevent and resolve layer-2 forwarding loops.
Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
Link Aggregation Features For information about configuring link aggregation (port-channel) features, see "Link Aggregation " on page 979. Link Aggregation Up to eight ports can combine to form a single Link Aggregation Group (LAG). This enables fault tolerance protection from physical link disruption, higher bandwidth connections and improved bandwidth granularity. LAGs are formed from similarly configured physical links; i.e.
of-order frames. Devices unable to buffer the requisite number of frames will show excessive frame discard. Configuring copper and fiber ports together in an aggregation group is not recommended. Link Aggregation Control Protocol (LACP) Link Aggregation Control Protocol (LACP) uses peer exchanges across links to determine, on an ongoing basis, the aggregation capability of various links, and continuously provides the maximum level of aggregation capability achievable between a given pair of systems.
Routing Features Address Resolution Protocol (ARP) Table Management Static ARP entries can be created, and many settings for the dynamic ARP table can be managed, such as age time for entries, retries, and cache size. For information about managing the ARP table, see "IP Routing " on page 1115. VLAN Routing Dell Networking N-Series switches support VLAN routing. The software can also be configured to allow traffic on a VLAN to be treated as if the VLAN were a router port.
Border Gateway Protocol (BGP) NOTE: This feature is not available on Dell Networking N1500 and N2000 Series switches. It is also not available on N3000 Series switches running the ACCESS ROUTER image. BGP is a protocol used for exchanging reachability information between autonomous systems. BGP uses a standardized decision process which, when used in conjunction with network policies configured by the administrator, supports a robust set of capabilities for managing the distribution of routing information.
BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Layer-2 and Layer-3 Relay Features " on page 1157. IP Helper and UDP Relay The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.
Virtual Router Redundancy Protocol (VRRP) NOTE: This feature is not available on Dell Networking N2000 Series switches. VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
IPv6 Routing Features NOTE: This feature is not available on Dell Networking N1500 and N2000 Series switches. IPv6 Configuration The switch supports IPv6, the next generation of the Internet Protocol. IPv6 can be globally enabled on the switch and settings such as the IPv6 hop limit and ICMPv6 rate limit error interval can be configured. The administrator can also control whether IPv6 is enabled on a specific interface.
For information about configuring DHCPv6 settings, see "DHCPv6 Server and Relay Settings " on page 1425. Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
Internet Small Computer System Interface (iSCSI) Optimization NOTE: This feature is not available on Dell Networking N1500 Series switches. It is also not available on N3000 Series switches running the AGGREGATION ROUTER image. The iSCSI Optimization feature helps network administrators track iSCSI traffic between iSCSI initiator and target systems. This is accomplished by monitoring, or snooping, traffic to detect the packets used by iSCSI stations in establishing iSCSI sessions and connections.
IGMP Snooping Querier When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, an IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network layer-2 switched only, the IGMP Snooping Querier can perform the query functions of a layer-3 multicast router.
Layer-3 Multicast Features For information about configuring layer-3 (L3) multicast features, see "IPv4 and IPv6 Multicast " on page 1509. NOTE: This feature is not available on Dell Networking N1500 and N2000 Series switches. Distance Vector Multicast Routing Protocol Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe packets with all DVMRP-enabled routers, establishing two-way neighboring relationships and building a neighbor table.
Protocol Independent Multicast—Sparse Mode Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic to multicast groups that may span wide area networks, and where bandwidth is a constraint. PIM-SM uses shared trees by default and implements source-based trees for efficiency. A data threshold rate is used to toggle between the shared tree and source-based trees.
3 Hardware Overview This section provides an overview of the switch hardware.
Figure 3-1. Dell Networking N1548 Switch with 48 10/100/1000BASE-T Ports (Front Panel). Callouts: Console Port; 48 10/100/1000BASE-T Ports; USB Port; SFP+ Ports.
In addition to the switch ports, the front panel of each model in the Dell Networking N1500 Series includes the following ports:
• RJ-45 Console port
• USB port for storage
Figure 3-2.
The Dell Networking N1524P front panel, shown in Figure 3-2, has status LEDs for over-temperature alarm, internal power, and status on the top row. The bottom row of status LEDs displays Stack Master, modular power supply (MPS) status, and fan alarm status. Switch Ports The Dell Networking N1524/N1524P front panel provides 24 Gigabit Ethernet (10/100/1000BASE-T) RJ-45 ports that support auto-negotiation for speed, flow control, and duplex.
Te1/0/1 and Te1/0/2 may be configured to support stacking, or Te1/0/3 and Te1/0/4 may be configured to support stacking, or all four ports may be configured to support stacking. • The Dell Networking N1524P/N1548P front-panel ports support PoE (15.4W) and PoE+ (34.2W) as well as legacy capacitive detection for pre-standard powered devices (PDs). Console Port The console port provides serial communication capabilities, which allow communication using the RS-232 protocol.
Port and System LEDs The front panel contains light emitting diodes (LEDs) that indicate the status of port links, power supplies, fans, stacking, and the overall system status. See "LED Definitions " on page 104 for more information. Stack Master LED and Stack Number Display When a switch within a stack is the master unit, the Stack Master LED is solid green. If the Stack Master LED is off, the stack member is not the master unit. The Stack No. panel displays the unit number for the stack member.
Dell Networking N1524P and N1548P The Dell Networking N1524P and N1548P switches have an internal 600-watt power supply feeding up to 24 PoE devices at full PoE+ power (500W). An additional modular power supply (MPS1000) provides 1000 watts and gives full power coverage for all 48 PoE devices (1500W). NOTE: PoE power is dynamically allocated. Not all ports will require the full PoE+ power. CAUTION: Remove the power cable from the power supplies prior to removing the power supply module itself.
Figure 3-4. 100/1000/10000Base-T Port LEDs. Callouts: Link/SPD; Activity.
Table 3-1 shows the 100/1000/10000Base-T port LED definitions.
Table 3-1. 100/1000/10000Base-T Port Definitions
Link/SPD LED
• Off: There is no link.
• Solid yellow: The port is operating at 10/100 Mbps.
• Solid green: The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches) / Activity/PoE LED (on PoE switches)
• Off: There is no current transmit/receive activity.
Stacking Port LEDs
Table 3-2. Stacking Port LED Definitions
Link LED
• Off: There is no link.
• Solid green: The port is actively transmitting/receiving.
Activity LED
• Off: There is no current transmit/receive activity.
• Blinking green: The port is actively transmitting/receiving.
Table 3-3. Console Port LED Definitions
Link/SPD LED
• Off: There is no link.
• Solid green: A link is present.
Table 3-4. System LED Definitions (Continued)
RPS (on non-PoE switches)
• Off: There is no redundant power supply (RPS).
• Solid green: Power to the RPS is on.
• Solid red: An RPS is detected but it is not receiving power.
EPS (on PoE switches)
• Off: There is no external power supply (EPS).
• Solid green: Power to the EPS is on.
• Solid red: An EPS is detected but it is not receiving power.
Remaining LEDs in this table: Fan, Stack Master, Temp, Stack No.
Table 3-5. Power Consumption
Columns: Model; Input Voltage; Power Supply Configuration; Max Steady Current Consumption (A); Max Steady Power (W)
Dell Networking N1548P
• 100V, Main PSU+EPS PSU: 17.1 A, 1719.0 W
• 110V, Main PSU+EPS PSU: 15.5 A, 1704.0 W
• 120V, Main PSU+EPS PSU: 14.1 A, 1690.0 W
• 220V, Main PSU+EPS PSU: 7.5 A, 1642.4 W
• 240V, Main PSU+EPS PSU: 6.9 A, 1647.0 W
The PoE power budget for each interface is controlled by the switch firmware.
Dell Networking N2000 Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell Networking N2000 Series switches.
Figure 3-6. Dell Networking N2024 Close-up The Dell Networking N2024 front panel, shown in Figure 3-6, has status LEDs for over-temperature alarm (left), internal power (middle), and status (right) on the top row. The bottom row of status LEDs displays, from left to right, the Stack Master, redundant power supply (RPS) status, and fan alarm status. The Dell Networking N2024P front panel has status LEDs for over-temperature alarm, internal power, and status on the top row.
The front-panel switch ports have the following characteristics: • The switch automatically detects the difference between crossed and straight-through cables on RJ-45 ports and automatically chooses the MDI or MDIX configuration to match the other end. • SFP+ ports support Dell-qualified transceivers. The default behavior is to log a message and generate an SNMP trap on insertion or removal of an optic that is not qualified by Dell.
switch. The USB flash drive may be used to move and copy configuration files and images from one switch to other switches in the network. The system does not support the deletion of files on USB flash drives. The USB port does not support any other type of USB device. Reset Button The reset button is accessed through the pinhole and enables performing a hard reset on the switch. To use the reset button, insert an unbent paper clip or similar tool into the pinhole.
Figure 3-7. Dell Networking N2000 Series Back Panel. Callouts: Fan Vents; AC Power Receptacle.
Figure 3-8. Dell Networking N2024P/N2048P Back Panel
The term mini-SAS refers to the stacking port cable connections shown in Figure 3-9. See "Stacking " on page 193 for information on using the mini-SAS ports to connect switches. Figure 3-9.
NOTE: PoE power is dynamically allocated. Not all ports will require the full PoE+ power. CAUTION: Remove the power cable from the power supplies prior to removing the power supply module itself. Power must not be connected prior to insertion in the chassis. Ventilation System Two internal fans cool the Dell Networking N2000 Series switches. Information Tag The back panel includes a slide-out label panel that contains system information, such as the Service Tag, MAC address, and so on.
Table 3-7 shows the 100/1000/10000Base-T port LED definitions.
Table 3-7. 100/1000/10000Base-T Port Definitions
Link/SPD LED
• Off: There is no link.
• Solid yellow: The port is operating at 10/100 Mbps.
• Solid green: The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches) / Activity/PoE LED (on PoE switches)
• Off: There is no current transmit/receive activity.
• Blinking green: The port is actively transmitting/receiving.
Table 3-9. Console Port LED Definitions
Link/SPD LED
• Off: There is no link.
• Solid green: A link is present.
System LEDs The system LEDs, located on the back panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-10 shows the System LED definitions for the Dell Networking N2000 Series switches.
Table 3-10. System LED Definitions
Status
• Solid green: Normal operation.
Table 3-10. System LED Definitions (Continued)
Stack Master
• Off: The switch is not stack master.
• Solid green: The switch is master for the stack.
Temp
• Solid green: The switch is operating below the threshold temperature.
• Solid red: The switch temperature exceeds the threshold of 75°C.
Stack No.
• –: Switch ID within the stack.
Power Consumption for PoE Switches Table 3-11 shows power consumption data for the PoE-enabled switches. Table 3-11.
Table 3-12. Dell Networking N2000 Series PoE Power Budget Limit
Columns: Model Name; System Power Max. Dissipation; One PSU: PSU PoE+ Power Max. Output Ability, Turn-on Limitation; Two PSUs: PSUs PoE+ Power Max. Output Ability, Turn-on Limitation
• Dell Networking N2024P: system power max. dissipation 90W
• Dell Networking N2048P: system power max. dissipation 110W
• PoE+ power max. output ability: 1000W (one PSU), 2000W (two PSUs)
• Turn-on limitation: Power budget is 850W: All PoE+ ports can supply maximum power. The total PoE supplied power must not exceed 850W.
Dell Networking N3000 Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell Networking N3000 Series switches.
Figure 3-12. Dell Networking N3048 with 48 10/100/1000BASE-T Ports (Front Panel). Callouts: Combo Ports; 10/100/1000BASE-T Auto-sensing Full Duplex RJ-45 Ports; SFP+ Ports.
The additional ports are on the right side of the front panel, as shown in Figure 3-12 and Figure 3-13. Figure 3-13.
Switch Ports The Dell Networking N3024/N3024P front panel provides 24 Gigabit Ethernet (10/100/1000BASE-T) RJ-45 ports that support auto-negotiation for speed, flow control, and duplex. The Dell Networking N3024P models support two SFP+ 10G ports. Dell-qualified SFP+ transceivers are sold separately. The Dell Networking N3000 Series switches operate in full-duplex mode only. The Dell Networking N3024F front panel provides 24 Gigabit Ethernet 100BASE-FX/1000BASE-X SFP ports plus 2 1000BASE-T combo ports.
Combo Ports Combo ports automatically select the active media and always choose fiber media if both copper and fiber are active. Copper combo ports do not support 10 Mbps forced mode. Console Port The console port provides serial communication capabilities, which allow communication using the RS-232 protocol.
Reset Button The reset button is accessed through the pinhole and enables performing a hard reset on the switch. To use the reset button, insert an unbent paper clip or similar tool into the pinhole. When the switch completes the boot process after the reset, it resumes operation with the most recently saved configuration. Any changes made to the running configuration that were not saved to the startup configuration prior to the reset are lost.
Figure 3-14. Dell Networking N3000 Series Back Panel. Callouts: Fan Vents; Dual 10G Slots for SFP+ or 10GBASE-T Modules; AC Power Receptacle.
Figure 3-15. Dell Networking N3024P/N3048P Back Panel
Figure 3-16. Dell Networking N3048 Mini-SAS Stacking Ports Close-up. Callout: Mini-SAS stacking ports.
The term mini-SAS refers to the stacking port cable connections shown in Figure 3-16. See "Stacking " on page 193 for information on using the mini-SAS ports to connect switches.
Power Supplies Dell Networking N3024, N3024F and N3048 Dell Networking N3024, N3024F and N3048 switches support two 200-watt Field Replaceable Unit (FRU) power supplies, which give full power redundancy for the switch. The Dell Networking N3024, N3024F, and N3048 switches offer the V-lock feature for users who need to eliminate accidental power disconnection.
Information Tag The back panel includes a slide-out label panel that contains system information, such as the Service Tag, MAC address, and other information. LED Definitions This section describes the LEDs on the front and back panels of the switch. Port LEDs Each port on a Dell Networking N3000 Series switch includes two LEDs. One LED is on the left side of the port, and the second LED is on the right side of the port. This section describes the LEDs on the switch ports.
Table 3-13 shows the 100/1000/10000Base-T port LED definitions.
Table 3-13. 100/1000/10000Base-T Port Definitions
Link/SPD LED
• Off: There is no link.
• Solid yellow: The port is operating at 10/100 Mbps.
• Solid green: The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)
• Off: There is no current transmit/receive activity.
• Blinking green: The port is actively transmitting/receiving.
Table 3-15. 10GBase-T Module LED Definitions
Link/SPD LED
• Off: There is no link.
• Solid green: The port is operating at 10 Gbps.
• Solid amber: The port is operating at 100/1000 Mbps.
Activity LED
• Off: There is no current transmit/receive activity.
• Blinking green: The port is actively transmitting/receiving.
Table 3-16. Stacking Port LED Definitions
Link LED
• Off: There is no link.
• Solid green: The port is actively transmitting/receiving.
Table 3-18. Console Port LED Definitions
Link/SPD LED
• Off: There is no link.
• Solid green: A link is present.
System LEDs The system LEDs, located on the back panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-19 shows the System LED definitions for the Dell Networking N3000 Series switches.
Table 3-19. System LED Definitions
Status
• Solid green: Normal operation.
Power Consumption for PoE Switches Table 3-20 shows power consumption data for the PoE-enabled switches.
Table 3-20. Dell Networking N3000 Series Power Consumption
Columns: Model; Input Voltage; Power Supply Configuration; Max Steady Current Consumption (A); Max Steady Power (W)
Dell Networking N3024P
• 100V, PSU1+PSU2: 13.1 A, 1310.0 W
• 110V, PSU1+PSU2: 11.7 A, 1287.0 W
• 120V, PSU1+PSU2: 10.6 A, 1272.0 W
• 220V, PSU1+PSU2: 5.6 A, 1232.0 W
• 240V, PSU1+PSU2: 5.2 A, 1240.8 W
Further rows (model column not carried over):
• 100V, PSU1+PSU2: 21.8 A, 2180.0 W
• 110V, PSU1+PSU2: 19.5 A, 2145.
Table 3-21. Dell Networking N3000 Series PoE Power Budget Limit
Columns: Model Name; System Power Max. Dissipation; One PSU: PSU PoE+ Power Max. Output Ability, Turn-on Limitation; Two PSUs: PSUs PoE+ Power Max. Output Ability, Turn-on Limitation
• Dell Networking N3024P: system power max. dissipation 110W
• Dell Networking N3048P: system power max. dissipation 140W
• One PSU: PoE+ power max. output ability 715W. Power budget is 550W: All PoE+ ports can supply maximum power. The total PoE supplied power must not exceed 550W.
• Two PSUs: PoE+ power max. output ability 1100W and 2200W. Power budget is 950W: The total PoE supplied power must not exceed 950W.
Dell Networking N4000 Series Switch Hardware NOTE: Both the Dell Networking PC8100 and N4000 Series switches can run firmware versions 6.0.0.8 and beyond. The Dell Networking N4000 Series switches cannot run firmware prior to version 6.0.0.8. This section contains information about device characteristics and modular hardware configurations for the Dell Networking N4000 Series switches.
Figure 3-18. Dell Networking N4032 Front Panel. Callouts: 10GbE Copper Ports; Module bay; USB port.
Figure 3-19. Dell Networking N4032F Front Panel. Callouts: 10GbE Fiber Ports; Module bay; USB port.
Dell Networking N4032 and N4032F switches can be stacked with other Dell Networking N4000 Series switches using 10G or 40G SFP+ or QSFP modules in the module bay. The Dell Networking N4064 front panel provides 48 x 10GbE copper ports and two fixed QSFP ports, each supporting 4 x 10G or 1 x 40G connections.
Figure 3-20. Dell Networking N4064 Front Panel. Callouts: Module bay; 10GbE Copper Ports; USB port; Fixed QSFP ports.
Figure 3-21. Dell Networking N4064F Front Panel. Callouts: Module bay; 10GbE Fiber Ports; USB port; Fixed QSFP ports.
The Dell Networking N4064 and N4064F switches can be stacked with other Dell Networking N4000 Series switches using the 10G or 40G SFP+ or QSFP modules in the module bay or fixed QSFP ports.
A reboot is not necessary when a hot-pluggable module is replaced with a module of a different type. Plug-in modules with any port configured as a stacking port are not hot-swappable. Remove the stack-port configuration from a slot before plugging in a module. A no slot or clear config command must be executed prior to inserting the new module. Note that changing the role of a port from stacking to Ethernet or vice versa also requires a switch reboot.
• Complies with IEEE 802.3z, IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.3az, and IEEE 802.3an
• Four 10GBase-T/1GBase-T/100MBase-T copper ports
• Front-panel port status LEDs
USB Port The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The Dell Networking N4000 Series switch can read or write to a flash drive with a single partition formatted as FAT-32. Use a USB flash drive to copy switch configuration files and images between the USB flash drive and the switch.
The following image shows the back panel of the Dell Networking N4000 Series switches.
Figure 3-22. Dell Networking N4000 Series Back Panel. Callouts: RJ-45 serial console port; AC power; OOB Ethernet port; Fans; AC power.
Console Port The console port is for management through a serial interface. This port provides a direct connection to the switch and provides access to the CLI from a console terminal connected to the port through the provided serial cable (RJ-45 to female DB-9 connectors).
CAUTION: Remove the power cable from the modules prior to removing the module itself. Power must not be connected prior to insertion in the chassis. Ventilation System The Dell Networking N4000 Series switches have two fans. Each switch also has four thermal sensors and a fan speed controller, which can be used to control fan speeds. Verify operation by observing the LEDs. LED Definitions This section describes the LEDs on the front and back panels of the switch.
Table 3-22 shows the 100/1000/10000Base-T port LED definitions.
Table 3-22. 100/1000/10000Base-T Port Definitions
Link LED
• Off: There is no link.
• Solid green: The port is operating at 10 Gbps.
• Solid amber: The port is operating at 100/1000 Mbps.
• Off: There is no current transmit/receive activity.
• Blinking green: The port is actively transmitting/receiving.
Table 3-25. QSFP Module LED Definitions
Link LED
• Off: There is no link.
• Solid green: The port is operating at 40 Gbps.
• Solid amber: The port is operating at other speeds.
Activity LED
• Off: There is no current transmit/receive activity.
• Blinking green: The port is actively transmitting/receiving.
Out-of-Band Ethernet Management Port LEDs Table 3-26 shows the LED definitions for the OOB Ethernet management port. Table 3-26.
Table 3-27 shows the System LED definitions for the Dell Networking N4000 Series switches.
Table 3-27. System LED Definitions—Dell Networking N4000 Series Switches
System
• Blinking blue: The switch is booting.
• Solid red: A critical system error has occurred.
• Blinking red: A noncritical system error occurred (fan or power supply failure).
• Off: The switch is operating at normal temperature.
• Solid amber: The thermal sensor’s system temperature threshold of 75°C has been exceeded.
Switch MAC Addresses The switch allocates MAC addresses from the Vital Product Data information stored locally in flash. MAC addresses are used as follows: Table 3-28.
(Console output whose columns did not survive extraction: a unit/status table listing unit 1 as Main and System, power supply states OK, OK and No Power, temperature readings 42.0 and 43.4, and timestamps 04/06/2001 16:36:16 and 01/01/1970 00:00:00.)
USB Port Power Status:
----------------------
Device Not Present
console#show ip interface out-of-band
IP Address.....................................
Subnet Mask....................................
Default Gateway................................
Configured IPv4 Protocol.......................
Burned In MAC Address..........................
4 Using Dell OpenManage Switch Administrator Dell Networking N1500, N2000, N3000, and N4000 Series Switches This section describes how to use the Dell OpenManage Switch Administrator application.
Starting the Application To access the Dell OpenManage Switch Administrator and log on to the switch: 1 Open a web browser. 2 Enter the IP address of the switch in the address bar and press . For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information " on page 165. 3 When the Login window displays, enter a user name and password. Passwords are both case sensitive and alpha-numeric. Figure 4-1.
5 The Dell OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information " on page 359.
Figure 4-2.
Using the Switch Administrator Buttons and Links Table 4-2 describes the buttons and links available from the Dell OpenManage Switch Administrator interface. Table 4-2. Button and Link Descriptions Button or Link Description Support Opens the Dell Support page at www.dell.com/support. About Contains the version and build number and Dell copyright information. Log Out Logs out of the application and returns to the login screen. Save Saves the running configuration to the startup configuration.
Defining Fields
User-defined fields can contain 1–159 characters, unless otherwise noted on the Dell OpenManage Switch Administrator web page. All characters may be used except for the following:
• \
• /
• :
• *
• ?
• <
• >
• |
Understanding the Device View
The Device View shows various information about the switch. This graphic appears on the OpenManage Switch Administrator Home page, which is the page that displays after a successful login.
Using the Device View Switch Locator Feature The Device View graphic includes a Locate button and a drop-down menu of timer settings. When the user clicks Locate, the switch locator LED on the back panel of the switch blinks for the number of seconds selected from the timer menu. The green, blinking LED on the back of the switch can help the administrator or a technician near the switch identify the physical location of the switch within a room or rack full of switches.
5 Using the Command-Line Interface
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This section describes how to use the Command-Line Interface (CLI) on Dell Networking N1500, N2000, N3000, and N4000 Series switches.
NOTE: For a stack of switches, be sure to connect to the console port on the Master switch. The Master LED is illuminated on the stack Master.
2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console.
3 Configure the management station serial port with the following settings:
• Data rate — 9600 baud.
A Telnet session can also be initiated from the OpenManage Switch Administrator. For more information, see "Initiating a Telnet Session from the Web Interface" on page 399.
Understanding Command Modes
The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until the user switches to that particular mode, with the exception of the User EXEC mode commands.
Table 5-1. Command Mode Overview
Command Mode: User EXEC
  Access Method: The user is automatically in User EXEC mode unless the user is defined as a privileged user.
  Command Prompt: console>
  Exit or Access Previous Mode: logout
Command Mode: Privileged EXEC
  Access Method: From User EXEC mode, enter the enable command.
  Command Prompt: console#
  Exit or Access Previous Mode: Use the exit command, or press Ctrl-Z to return to User EXEC mode.
Command Mode: Global Configuration
  Access Method: From Privileged EXEC mode, use the configure command.
  Command Prompt: console(config)#
Entering CLI Commands
The switch CLI provides several techniques to help users enter commands.
Using the Question Mark to Get Help
Enter a question mark (?) at the command prompt to display the commands available in the current mode.
console(config-vlan)#?
exit        To exit from the mode.
help        Display help for various special keys.
ip          Configure IP parameters.
ipv6        Configure IPv6 parameters.
protocol    Configure the Protocols associated with particular Group Ids.
vlan        Create a new VLAN or delete an existing VLAN.
Using Command Completion
The CLI can complete partially entered commands when the Tab or Space key is pressed.
console#show run
console#show running-config
If the characters entered are not enough for the switch to identify a single matching command, continue entering characters until the switch can uniquely identify the command. Use the question mark (?) to display the available commands matching the characters already entered.
Understanding Error Messages
If a command is entered and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages.
Table 5-2. CLI Error Messages
Message Text: % Invalid input detected at '^' marker.
Description: Indicates that an incorrect or unavailable command was entered. The caret (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.
6 Default Settings
This section describes the default settings for many of the software features on the Dell Networking N-Series switches.
Table 6-1. Default Settings
Feature: Default
IP address: DHCP on the OOB interface, if equipped. DHCP on VLAN 1, if no OOB interface.
Subnet mask: None
Default gateway: None
DHCP client: Enabled on the out-of-band (OOB) interface.
Table 6-1.
Table 6-1. Default Settings (Continued)
Feature: Default
PoE Plus (PoE switches): Auto
Flow Control Support (IEEE 802.
Table 6-1. Default Settings (Continued)
Feature: Default
Multiple Spanning Tree: Disabled
Link Aggregation: No LAGs configured
LACP System Priority: 1
Routing Mode: Disabled
OSPF Admin Mode: Disabled
OSPF Router ID: 0.0.0.0
IP Helper and UDP Relay: Disabled
RIP: Disabled
VRRP: Disabled
Tunnel and Loopback Interfaces: None
IPv6 Routing: Disabled
DHCPv6: Disabled
OSPFv3: Disabled
DiffServ: Enabled
Auto VoIP: Disabled
Auto VoIP Traffic Class: 6
PFC: Disabled; no classifications configured.
7 Setting the IP Address and Other Basic Network Information
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway.
Table 7-1. Basic Network Information (Continued)
Feature: Description
Default Gateway: Typically a router interface that is directly connected to the switch and is in the same subnet. The switch sends IP packets to the default gateway when the destination IP address of a packet is not on a subnet the switch knows how to reach.
DHCP Client: Requests network information from a DHCP server on the network.
Domain Name System (DNS) Server: Translates hostnames into IP addresses.
server on the network, the TFTP server must be identified. If configuring the switch to use a DNS server to resolve hostnames into IP addresses, it is possible to enter the hostname of the TFTP server instead of the IP address. It is often easier to remember a hostname than an IP address, and if the IP address is dynamically assigned, it might change from time-to-time. How Is Basic Network Information Configured? A console-port connection is required to perform the initial switch configuration.
connected only to a physically isolated secure management network. The OOB port is a layer-3 interface that uses an internal non-user-configurable VLAN. The out-of-band port is a logical management interface. The IP stack’s routing table contains both IPv4/IPv6 routes associated with these management interfaces and IPv4/IPv6 routes associated with routing interfaces.
The administrator can assign an IPv4 address or IPv6 addresses to the OOB management port and to any VLAN. By default, all ports (other than the OOB port) are members of VLAN 1. If an IP address is assigned to VLAN 1, it is possible to connect to the switch management interface by using any of the front-panel switch ports. Because the Dell Networking N1500 and N2000 Series switches have no OOB port, an in-band management address of this kind is required to manage them. The use of VLAN 1 for switch administration presents some security risks: every front-panel port is a member of VLAN 1 by default, so any device attached to any port can reach the management interface.
By default, no network information is configured. The DHCP client is enabled on the OOB interface by default on Dell Networking N3000 and N4000 Series switches. The DHCP client is enabled on VLAN 1 by default on the Dell Networking N1500 and N2000 Series switches. DNS is enabled, but no DNS servers are configured. VLAN 1 does not have an IP address, subnet mask, or default gateway configured on Dell Networking N3000 and N4000 Series switches.
Configuring Basic Network Information (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click Help at the top of the page.
Out-of-Band Interface
NOTE: Dell Networking N1500 and N2000 Series switches do not have an out-of-band interface.
Figure 7-1. Out of Band Interface To enable the DHCP client and allow a DHCP server on your network to automatically assign the network information to the OOB interface, select DHCP from the Protocol menu. If the network information is statically assigned, ensure that the Protocol menu is set to None.
Figure 7-2. IP Interface Configuration (Default VLAN)
Assigning Network Information to the Default VLAN
To assign an IP Address and subnet mask to the default VLAN:
1 From the Interface menu, select VLAN 1.
2 From the Routing Mode field, select Enable.
3 From the IP Address Configuration Method field, specify whether to assign a static IP address (Manual) or use DHCP for automatic address assignment.
Route Entry Configuration (Switch Default Gateway)
Use the Route Entry Configuration page to configure the default gateway for the switch. The default VLAN uses the switch default gateway as its default gateway. The switch default gateway must not be on the same subnet as the OOB management port, as the OOB management port cannot route packets received on the front-panel ports. To display the Route Entry Configuration page, click Routing → Router → Route Entry Configuration in the navigation panel.
Configuring a Default Gateway for the Switch
To configure the switch default gateway:
1 Open the Route Entry Configuration page.
2 From the Route Type field, select Default.
Figure 7-4. Default Route Configuration (Default VLAN)
3 In the Next Hop IP Address field, enter the IP address of the default gateway.
4 Click Apply.
For more information about configuring routes, see "IP Routing" on page 1115.
Domain Name Server
Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel.
Figure 7-5. DNS Server
To configure DNS server information, click the Add link and enter the IP address of the DNS server in the available field.
Figure 7-6.
Default Domain Name
Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel.
Figure 7-7.
Host Name Mapping
Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping.
Figure 7-8. Host Name Mapping
To map a host name to an IP address, click the Add link, type the name of the host and its IP address in the appropriate fields, and then click Apply.
Figure 7-9.
Dynamic Host Name Mapping
Use the Dynamic Host Name Mapping page to view dynamic host entries the switch has learned. The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to look up the IP address of www.dell.com and adds the entry to the Dynamic Host Name Mapping table.
Configuring Basic Network Information (CLI)
This section provides information about the commands used for configuring basic network information on the Dell Networking N1500, N2000, N3000, and N4000 Series switches. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Enabling the DHCP Client on the OOB Port
NOTE: Dell Networking N1500 and N2000 Series switches do not have an out-of-band interface.
Command: Purpose
ip address dhcp: Enable the DHCP client.
ipv6 address dhcp: Enable the DHCPv6 client.
CTRL + Z: Exit to Privileged EXEC mode.
show ip interface vlan 1: Display network information for VLAN 1.
Managing DHCP Leases
Beginning in Privileged EXEC mode, use the following commands to manage and troubleshoot DHCP leases on the switch.
Command: Purpose
show dhcp lease interface [interface]: Display IPv4 addresses leased from a DHCP server.
Configuring Static Network Information on the OOB Port
NOTE: Dell Networking N1500 and N2000 Series switches do not have an out-of-band interface.
Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. If no default gateway is configured, then the zero subnet (0.0.0.0) is used.
Configuring Static Network Information on the Default VLAN Beginning in Privileged EXEC mode, use the following commands to configure a static IP address, subnet mask, and default gateway on the default VLAN. Alternatively, a DHCP server may be used to obtain a network address. The switch also supports IPv6 address auto-configuration. IP subnets on in-band ports (configured on switch VLANs) may not overlap with the OOB port subnet.
Command: Purpose
show ip interface vlan 10: Verify the network information for VLAN 10.
show ipv6 interface vlan 10: Verify IPv6 network information for VLAN 10.
interface Gi1/0/24: Enter physical Interface Configuration mode for the specified interface.
switchport access vlan 10: Allow access to the management VLAN over this port.
exit: Exit Interface Configuration mode.
Command: Purpose
show ip address-conflict: View the status information corresponding to the last detected address conflict.
clear ip address-conflict-: Clear the address conflict detection status in the switch.
Basic Network Information Configuration Examples Configuring Network Information Using the OOB Port In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures Dell Networking N3000 and N4000 Series switches to obtain information from a DHCP server on the management network and creates the administrative user with read/write access.
console(config)#ip domain-name sunny.dell.com
console(config)#ip host admin-laptop 10.27.65.103
console(config)#exit
4 View the network information that the DHCP server on the network dynamically assigned to the switch.
console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask....................... 255.255.255.0
Default Gateway................... 10.27.22.1
Protocol Current.................. DHCP
Burned In MAC Address............. 001E.C9AA.
1 Connect a front-panel port (e.g., gi1/0/24) to the management network. Use the following commands to create a management VLAN, disable DHCP and L3 addressing on VLAN 1, and enable the DHCP client on the management VLAN.
Bandwidth.............................. 10000 kbps
Destination Unreachables............... Enabled
ICMP Redirects......................... Enabled
Refer to the Access Control Lists section for information on restricting access to the switch management interface.
8 Managing QSFP Ports Dell Networking N4000 Series Switches QSFP ports available on Dell Networking N4000 Series switches can operate in 1 x 40G mode or in 4 x 10G mode. Appropriate cables must be used that match the selected mode. When changing from one mode to another, a switch reboot is required. The QSFP ports also support stacking over the interfaces in either 1 x 40G or 4 x 10G mode. Changing from Ethernet mode to stacking mode and vice-versa requires a reboot as well.
Are you sure you want to reload the stack? (y/n)
To change a 4 x 10G port to 1 x 40G mode, enter the following commands on the 40-gigabit interface:
console(config)#interface Fo2/1/1
console(config-if-Fo2/1/1)#hardware profile portmode 1x40g
This command will not take effect until the switch is rebooted.
9 Stacking Dell Networking N1500, N2000, N3000, and N4000 Series Switches This chapter describes how to configure and manage a stack of switches.
A stack of four 48-port Dell Networking N1500 Series switches has an aggregate throughput capacity of 192 Gbps. Dell Networking N1500 Series stacking links operate at 10 Gbps, or 5.2% of the total aggregate throughput capacity of a full stack; therefore, it is recommended that operators provision large stacking topologies such that it is unlikely that a significant portion of the stack capacity will transit stacking links. One technique for achieving this is to distribute uplinks evenly across the stack rather than connecting all uplinks to a single stack unit or to adjacent stacking units.
capacity will transit stacking links. One technique for achieving this is to distribute downlinks and transit links evenly across the stack vs. connecting all downlinks/transit links to a single stack unit or to adjacent stacking units. If Priority Flow Control (PFC) is enabled on any port in a Dell Networking N4000 Series stack, stacking is supported at distances up to 100 meters on the stacking ports.
• The running configuration is propagated to all units and the application state is synchronized between the master and standby during normal stacking operation. The startup configuration and backup configuration on the stack members are not overwritten with the master switch configuration. Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches.
Figure 9-1. Connecting a Stack of Switches Unit 1 Unit 2 Unit 3 The stack in Figure 9-1 has the following physical connections between the switches: • The lower stacking port on Unit 1 is connected to the upper stacking port on Unit 2. • The lower stacking port on Unit 2 is connected to the upper stacking port on Unit 3. • The lower stacking port on Unit 3 is connected to the upper stacking port on Unit 1.
N1500 Series switches. Dell Networking N2000 Series switches only stack with other Dell Networking N2000 Series switches. Likewise, Dell Networking N3000 Series switches only stack with other Dell Networking N3000 Series switches. Dell Networking N4000 Series switches only stack with other Dell Networking N4000 Series switches. How is the Stack Master Selected? A stack master is elected or re-elected based on the following considerations, in order: 1 The switch is currently the stack master.
• If the switch has a unit number that is already in use, then the unit that is added to the stack changes its configured unit number to the lowest unassigned unit number. • If the added switch does not have an assigned unit number, then the switch sets its configured unit number to the lowest unassigned unit number. • If the unit number is configured and there are no other devices using the unit number, then the switch starts using the configured unit number.
with the stack master configuration. Stack port configuration is always stored on the local unit and may be updated with preconfiguration information from the stack master when the unit joins the stack. Information about a stack member and its ports can be pre-configured before the unit is added to the stack. The preconfiguration takes place on the stack master.
How is the Firmware Updated on the Stack? When adding a new switch to a stack, the Stack Firmware Synchronization feature, if enabled, automatically synchronizes the firmware version with the version running on the stack master per the configuration on the master switch. The synchronization operation may result in either upgrade or downgrade of firmware on the mismatched stack member. Use the boot autocopy-sw command to enable stack firmware synchronization.
packets, deciding which data packets are allowed to be forwarded and where they should go. Application software on the stack master acts as the control plane. The management plane is application software running on the stack master that provides interfaces allowing a network administrator to configure the device.
controlled and causes minimal network disruption, some ephemeral application state is lost, such as pending timers and other pending internal events. Use the show nsf command to view the stack checkpoint status prior to reloading a stack member. Do not reload while a checkpoint operation is in progress. Always check the stack health before failing over to the standby unit. Use the show switch stack-ports counters command to verify that the stack ports are up and no errors are present.
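The following Python script is an added example, not part of the Dell guide or its firmware. It parses the output of the show switch command (its table layout appears in the Basic Stack Failover example later in this chapter), locating the columns from the dashed separator line, and reports the conditions a practitioner wants ruled out before reloading a unit or failing over to the standby: no single stack master, no operational standby, a unit whose status is not OK, a plugged-in model that differs from the preconfigured one, and units running different code versions (the last of which Stack Firmware Synchronization is meant to prevent). The two sample outputs are constructed for this example; the "Oper Stby" label for the standby unit and the "Not Present" and "Code Mismatch" status strings are assumptions, not values taken from this guide.

```python
"""Parse 'show switch' output and check stack health before a failover or reload.
Added example; not Dell code.  Columns are located from the dashed separator line,
so the parser does not depend on fixed widths.  Sample outputs are constructed; the
"Oper Stby", "Not Present" and "Code Mismatch" strings are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class StackUnit:
    unit: int
    mgmt_status: str
    standby_status: str
    preconfig_model: str
    plugged_model: str
    switch_status: str
    code_version: str


def parse_show_switch(text: str) -> List[StackUnit]:
    lines = text.splitlines()
    sep_idx = next(i for i, ln in enumerate(lines) if ln.startswith("---"))
    spans = [m.span() for m in re.finditer(r"-+", lines[sep_idx])]
    if len(spans) != 7:
        raise ValueError(f"expected 7 columns, found {len(spans)}")
    units = []
    for ln in lines[sep_idx + 1:]:
        if not ln.strip():
            continue
        # Slice each column at the separator's positions; the last column runs to end of line.
        fields = [ln[a:b].strip() for a, b in spans[:-1]] + [ln[spans[-1][0]:].strip()]
        units.append(StackUnit(int(fields[0]), *fields[1:]))
    return units


def stack_health_findings(units: List[StackUnit]) -> List[str]:
    findings = []
    masters = [u.unit for u in units if u.mgmt_status == "Mgmt Switch"]
    if len(masters) != 1:
        findings.append(f"expected exactly one Mgmt Switch, found units {masters}")
    if not any(u.standby_status == "Oper Stby" for u in units):
        findings.append("no operational standby: a master failure cannot fail over")
    for u in units:
        if u.switch_status != "OK":
            findings.append(f"unit {u.unit}: switch status '{u.switch_status}'")
        if u.plugged_model and u.plugged_model != u.preconfig_model:
            findings.append(f"unit {u.unit}: preconfigured {u.preconfig_model} but {u.plugged_model} plugged in")
    versions = sorted({u.code_version for u in units if u.code_version})
    if len(versions) > 1:
        findings.append(f"code versions differ across the stack: {versions}")
    return findings


def stack_is_healthy(text: str) -> bool:
    return not stack_health_findings(parse_show_switch(text))


# Constructed sample: four units, unit 3 is master, unit 2 is the operational standby.
SAMPLE_HEALTHY = """\
console#show switch
SW  Management   Standby   Preconfig   Plugged-in  Switch        Code
    Status       Status    Model ID    Model ID    Status        Version
--- ------------ --------- ----------- ----------- ------------- --------
1   Stack Member           N3048       N3048       OK            6.0.0.0
2   Stack Member Oper Stby N3048       N3048       OK            6.0.0.0
3   Mgmt Switch            N3048       N3048       OK            6.0.0.0
4   Stack Member           N3048       N3048       OK            6.0.0.0
"""

# Constructed sample: no standby, unit 2 missing, unit 4 on different code.
SAMPLE_DEGRADED = """\
console#show switch
SW  Management   Standby   Preconfig   Plugged-in  Switch        Code
    Status       Status    Model ID    Model ID    Status        Version
--- ------------ --------- ----------- ----------- ------------- --------
1   Stack Member           N3048       N3048       OK            6.0.0.0
2   Stack Member           N3048                   Not Present
3   Mgmt Switch            N3048       N3048       OK            6.0.0.0
4   Stack Member           N3048       N3048       Code Mismatch 6.3.0.1
"""

if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("degraded", SAMPLE_DEGRADED)):
        print(name, stack_health_findings(parse_show_switch(sample)))
```

Run it against a captured show switch transcript before issuing a reload; an empty findings list is the condition the NSF guidance above asks for, and a version mismatch finding means the member would be upgraded or downgraded by firmware synchronization rather than serving as a like-for-like standby.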
Table 9-1 lists the applications on the switch that checkpoint data and describes the type of data that is checkpointed. Table 9-1. Applications that Checkpoint Data Application Checkpointed Data ARP Dynamic ARP entries Auto VOIP Calls in progress Captive Portal Authenticated clients DHCP server Address bindings (persistent) DHCP snooping DHCP bindings database DOT1Q Internal VLAN assignments DOT1S Spanning tree port roles, port states, root bridge, etc. 802.
Switch Stack MAC Addressing and Stack Design Considerations The switch stack uses the MAC addresses assigned to the stack master. NOTE: Each switch is assigned four consecutive MAC addresses. A stack of switches uses the MAC addresses assigned to the stack master. If the backup unit assumes control due to a stack master failure or warm restart, the backup unit continues to use the original stack master’s MAC addresses.
forwarding table entries. If the cleanup leaves a route without any next hops, the route is deleted. The forwarding plane only selects ECMP next hops on surviving units. For this reason, try to distribute links providing ECMP paths across multiple stack units. Why is Stacking Needed? Stacking increases port count without requiring additional configuration.
Managing and Monitoring the Stack (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click Help at the top of the page.
NOTE: Changes made on the Stacking configuration pages take effect only after the device is reset.
Changing the ID or Switch Type for a Stack Member
To change the switch ID or type:
1 Open the Unit Configuration page.
2 Click Add to display the Add Unit page.
Figure 9-3. Add Unit
3 Specify the switch ID, and select the model number of the switch.
4 Click Apply.
Stack Summary
Use the Stack Summary page to view a summary of switches participating in the stack. To display the Stack Summary page, click System → Stack Management → Stack Summary in the navigation panel.
Figure 9-4.
Stack Firmware Synchronization
Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management → Stack Firmware Synchronization in the navigation panel.
Figure 9-5.
Supported Switches
Use the Supported Switches page to view information about each type of switch that is supported for stacking. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel.
Figure 9-6.
Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. NOTE: By default the ports are configured to operate as Ethernet ports. To configure a port as a stack port, the Configured Stack Mode setting must be changed from Ethernet to Stack.
Stack Port Counters
Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Port Counters in the navigation panel.
Figure 9-8. Stack Port Counters
Stack Port Diagnostics
The Stack Port Diagnostics page is intended for Field Application Engineers (FAEs) and developers only.
NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. To configure NSF on a stack that uses OSPF or OSPFv3, see "NSF OSPF Configuration " on page 1207 and "NSF OSPFv3 Configuration " on page 1224.
Checkpoint Statistics
Use the Checkpoint Statistics page to view information about checkpoint messages generated by the stack master. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel.
Figure 9-10.
Managing the Stack (CLI) This section provides information about the commands for managing the stack and viewing information about the switch stack. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Stack Member, Stack Port, and NSF Settings Beginning in Privileged EXEC mode, use the following commands to configure stacking and NSF settings.
Command: Purpose
member unit SID: Add a switch to the stack and specify the model of the new stack member.
• unit - The switch unit ID
• SID - The index into the database of the supported switch types, indicating the type of the switch being preconfigured.
Note: Member configuration displayed in the running config may be learned from the physical stack. Member configuration is not automatically saved in the startup configuration. Save the configuration to retain the current member settings.
NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. Additional NSF commands are available in OSPF and OSPFv3 command modes.
Command Purpose connect [unit] Connect the console on the remote unit to the local unit Stacking and NSF Usage Scenarios Only a few settings are available to control the stacking configuration, such as the designation of the standby unit or enabling/disabling NSF. The examples in this section describe how the stacking and NSF feature act in various environments.
Figure 9-11. Basic Stack Failover
When all four units are up and running, the show switch CLI command gives the following output:
console#show switch
SW  Management   Standby   Preconfig   Plugged-in  Switch   Code
    Status       Status    Model ID    Model ID    Status   Version
--- ------------ --------- ----------- ----------- -------- --------
1   Stack Member           N3048       N3048       OK       6.0.0.0
2   Stack Member           N3048       N3048       OK       6.0.0.0
3   Mgmt Switch            N3048       N3048       OK       6.0.0.0
4   Stack Member           N3048       N3048       OK       6.0.0.0
4   Stack Member           N3048       N3048       OK       6.0.0.0
When the failed unit resumes normal operation, the previous configuration that exists for that unit is reapplied by the stack master. To permanently remove the unit from the stack, enter Stack Configuration mode and use the member command, as the following example shows.
6    N2024
7    N2024P
8    N2048
9    N2048P
The following example shows the output of the show supported switchtype command:
console#show supported switchtype
SID  Switch Model ID
---  --------------------------------
1    N3024
2    N3024F
3    N3024P
4    N3048
5    N3048P
6    N2024
7    N2024P
8    N2048
9    N2048P
NOTE: Dell Networking N1500, N2000, and N3000 Series switches cannot be stacked together.
2 Preconfigure the switch (SID = 2) as member number 2 in the stack.
NSF in the Data Center Figure 9-12 illustrates a data center scenario, where the stack of two Dell Networking N-Series switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG. The two LAGs and link between AS1 and AS2 are members of the same VLAN. Spanning tree is enabled on the VLAN.
NSF and VoIP Figure 9-13 shows how NSF maintains existing voice calls during a stack master failure. Assume the top unit is the stack master. When the stack master fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member. If phone B has learned VLAN or priority parameters through LLDP-MED, it continues to use those parameters.
NSF and DHCP Snooping Figure 9-14 illustrates a layer-2 access switch running DHCP snooping. DHCP snooping only accepts DHCP server messages on ports configured as trusted ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through. Thus, DHCP snooping does not miss any new bindings during a failover.
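As an added example that is not part of the Dell guide or its firmware, the following Python model makes the DHCP snooping and IPSG behaviour of the preceding paragraphs concrete, including what happens across a stack master failover: DHCP server messages arriving on untrusted ports are dropped, a binding is created when the trusted server ACKs a client seen on an untrusted port, IPSG permits data traffic from an untrusted port only when its source IP and MAC match a binding learned on that port, and a checkpointed bindings database lets the standby keep filtering in hardware while its control plane restarts and drops the DHCP packets trapped to the CPU. The port names, MAC and IP addresses and the message sequence are constructed; the JSON checkpoint format is this model's own, not the switch's.

```python
"""DHCP snooping, IP Source Guard and binding checkpointing across a stack failover.
Added example; not Dell code.  Server messages are accepted only on trusted ports,
bindings are built from ACKs for clients seen on untrusted ports, IPSG permits data
traffic only when it matches a binding, and the checkpointed database lets the standby
keep filtering in hardware while its control plane restarts.  Inputs are constructed.
"""
import json
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class DhcpMsg:
    kind: str          # DHCP message type
    chaddr: str        # client hardware (MAC) address
    yiaddr: str        # address assigned by the server; "0.0.0.0" in client messages
    vlan: int
    ingress_port: str  # switch port the message arrived on


class SnoopingSwitch:
    def __init__(self, trusted_ports: Iterable[str]):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}          # bindings database, keyed by client MAC
        self.pending: Dict[str, Tuple[int, str]] = {}   # MAC -> (vlan, port) of the client's last request
        self.control_plane_up = True

    def handle_dhcp(self, msg: DhcpMsg) -> str:
        """Control plane: every DHCP packet is trapped to the CPU and examined here."""
        if not self.control_plane_up:
            return "dropped: control plane restarting"             # peers retransmit
        if msg.kind in SERVER_MSGS:
            if msg.ingress_port not in self.trusted:
                return "dropped: server message on untrusted port"  # rogue server
            if msg.kind == "ACK" and msg.chaddr in self.pending:
                vlan, port = self.pending.pop(msg.chaddr)
                self.bindings[msg.chaddr] = Binding(msg.chaddr, msg.yiaddr, vlan, port)
                return "forwarded: binding added"
            return "forwarded"
        if msg.kind in CLIENT_MSGS:
            if msg.ingress_port not in self.trusted and msg.kind != "RELEASE":
                self.pending[msg.chaddr] = (msg.vlan, msg.ingress_port)
            return "forwarded"
        return "dropped: unknown message type"

    def ipsg_permit(self, src_mac: str, src_ip: str, vlan: int, ingress_port: str) -> bool:
        """Forwarding plane: IPSG lookup against the bindings table, no CPU involved."""
        if ingress_port in self.trusted:
            return True
        b = self.bindings.get(src_mac)
        return b is not None and (b.ip, b.vlan, b.port) == (src_ip, vlan, ingress_port)

    def checkpoint(self) -> str:
        """NSF: the master checkpoints its bindings to the standby (format is this model's own)."""
        return json.dumps(sorted((asdict(b) for b in self.bindings.values()), key=lambda d: d["mac"]))

    @classmethod
    def take_over(cls, trusted_ports: Iterable[str], blob: str) -> "SnoopingSwitch":
        """The standby assumes control: hardware state from the checkpoint, control plane restarting."""
        sw = cls(trusted_ports)
        sw.bindings = {d["mac"]: Binding(**d) for d in json.loads(blob)}
        sw.control_plane_up = False
        return sw


def failover_scenario() -> dict:
    """A lease, a rogue server, a master failure and recovery; returns the observed results."""
    server, host_a, host_b, rogue = "Gi1/0/1", "Gi1/0/10", "Gi1/0/11", "Gi1/0/12"
    mac_a, mac_b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    master = SnoopingSwitch(trusted_ports=[server])
    r = {}
    master.handle_dhcp(DhcpMsg("DISCOVER", mac_a, "0.0.0.0", 10, host_a))
    r["rogue_offer"] = master.handle_dhcp(DhcpMsg("OFFER", mac_a, "10.1.1.200", 10, rogue))
    master.handle_dhcp(DhcpMsg("OFFER", mac_a, "10.1.1.50", 10, server))
    master.handle_dhcp(DhcpMsg("REQUEST", mac_a, "0.0.0.0", 10, host_a))
    r["ack"] = master.handle_dhcp(DhcpMsg("ACK", mac_a, "10.1.1.50", 10, server))
    r["a_permitted"] = master.ipsg_permit(mac_a, "10.1.1.50", 10, host_a)
    r["a_spoofed_ip"] = master.ipsg_permit(mac_a, "10.1.1.51", 10, host_a)
    r["a_moved_port"] = master.ipsg_permit(mac_a, "10.1.1.50", 10, host_b)
    # The master fails; the standby takes over with the last checkpoint.
    standby = SnoopingSwitch.take_over([server], master.checkpoint())
    r["during_restart_dhcp"] = standby.handle_dhcp(DhcpMsg("DISCOVER", mac_b, "0.0.0.0", 10, host_b))
    r["during_restart_ipsg"] = standby.ipsg_permit(mac_a, "10.1.1.50", 10, host_a)
    # The control plane finishes restarting; host B retransmits and obtains a binding.
    standby.control_plane_up = True
    standby.handle_dhcp(DhcpMsg("DISCOVER", mac_b, "0.0.0.0", 10, host_b))
    standby.handle_dhcp(DhcpMsg("REQUEST", mac_b, "0.0.0.0", 10, host_b))
    r["b_ack"] = standby.handle_dhcp(DhcpMsg("ACK", mac_b, "10.1.1.51", 10, server))
    r["b_permitted"] = standby.ipsg_permit(mac_b, "10.1.1.51", 10, host_b)
    r["binding_count"] = len(standby.bindings)
    return r
```

The point the scenario makes is the one in the text: the host that already held a binding keeps passing IPSG on the standby unit even while the standby's control plane is down, because filtering is done from the checkpointed table in hardware, whereas a host that starts its DHCP exchange during the restart has its packets dropped and simply retransmits.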
Figure 9-15. NSF and a Storage Area Network When the stack master fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array. The hardware forwards the packets to establish this new session, but assuming the session is established before the control plane is restarted on the backup unit, the new session receives no priority treatment in the hardware.
NSF and Routed Access Figure 9-16 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is the stack master. Figure 9-16. NSF and Routed Access If the stack master fails, its link to the aggregation router is removed from the LAG.
JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles layer-3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles layer-3 multicast hardware tables.
10 Authentication, Authorization, and Accounting Dell Networking N1500, N2000, N3000, and N4000 Series Switches This chapter describes how to control access to the switch management interface using authentication and authorization. These services can also be used to restrict or allow network access when used in conjunction with IEEE 802.1x. It also describes how to record this access using accounting. Together the three services are referred to by the acronym AAA.
error, the next method in the list is tried. This continues until all methods in the list have been attempted. If no method can perform the service, then the service fails. A method may return an error due to lack of network access, misconfiguration of a server, and other reasons. If there is no error, the method returns success if the user is allowed access to the service and failure if the user is not.
Methods that never return an error cannot be followed by any other methods in a method list. • The enable method uses the enable password. If there is no enable password defined, then the enable method will return an error. • The ias method is a special method that is only used for 802.1X. It uses an internal database (separate from the local user database) that acts like an 802.1X authentication server. This method never returns an error. It will always pass or deny a user.
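As an added example (not Dell code), the Python model below makes the method-list rules of the preceding paragraphs executable: each method returns success, failure or error; an error hands off to the next method in the list; a success or failure ends the evaluation; the service fails when every method errors; and a list is rejected when a method that never returns an error is followed by another method. The behaviour of the enable, ias and none methods follows the text above. The local method's treatment of an unknown user (modelled as an error so that a later method can be tried), the credential stores and the RADIUS reachability flag are assumptions of the model, not facts taken from this guide.

```python
"""AAA method-list evaluation, modelled in Python.

Added example; this is not Dell code.  Methods are tried in order, an ERROR hands
off to the next method, SUCCESS or FAILURE ends the evaluation, the service fails
when every method errors, and a method that never returns an error may not be
followed by another.  Credential stores and server reachability are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    SUCCESS = "success"   # user is allowed the service
    FAILURE = "failure"   # user is denied the service
    ERROR = "error"       # method could not decide (server unreachable, nothing configured, ...)


@dataclass(frozen=True)
class Method:
    name: str
    run: Callable[[str, str], Result]
    can_error: bool       # False: the method only ever returns SUCCESS or FAILURE


def validate_method_list(methods: List[Method]) -> None:
    """Reject a list in which a method that never errors is followed by another method."""
    for here, following in zip(methods, methods[1:]):
        if not here.can_error:
            raise ValueError(f"'{here.name}' never returns an error and cannot be followed by '{following.name}'")


def method_list_is_valid(methods: List[Method]) -> bool:
    try:
        validate_method_list(methods)
        return True
    except ValueError:
        return False


def authenticate(methods: List[Method], user: str, password: str) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Run the list and return the final result plus a per-method trace."""
    validate_method_list(methods)
    trace: List[Tuple[str, Result]] = []
    for m in methods:
        outcome = m.run(user, password)
        trace.append((m.name, outcome))
        if outcome is not Result.ERROR:
            return outcome, trace
    return Result.FAILURE, trace   # every method returned an error: the service fails


def radius_method(users: Dict[str, str], reachable: bool) -> Method:
    def run(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR          # no network access to the server
        return Result.SUCCESS if users.get(user) == password else Result.FAILURE
    return Method("radius", run, can_error=True)


def enable_method(enable_password: Optional[str]) -> Method:
    def run(user: str, password: str) -> Result:
        if enable_password is None:
            return Result.ERROR          # documented: no enable password defined -> error
        return Result.SUCCESS if password == enable_password else Result.FAILURE
    return Method("enable", run, can_error=True)


def local_method(users: Dict[str, str]) -> Method:
    def run(user: str, password: str) -> Result:
        # Assumption of this model: an unknown user is an ERROR (so a later method can be
        # tried); a known user presenting the wrong password is a FAILURE.
        if user not in users:
            return Result.ERROR
        return Result.SUCCESS if users[user] == password else Result.FAILURE
    return Method("local", run, can_error=True)


def ias_method(users: Dict[str, str]) -> Method:
    # Documented: the internal 802.1X database always passes or denies, never errors.
    def run(user: str, password: str) -> Result:
        return Result.SUCCESS if users.get(user) == password else Result.FAILURE
    return Method("ias", run, can_error=False)


def none_method() -> Method:
    # 'none' never errors and never fails, so nothing placed after it could ever run.
    return Method("none", lambda user, password: Result.SUCCESS, can_error=False)


if __name__ == "__main__":
    login = [radius_method({"admin": "from-radius"}, reachable=False), local_method({"admin": "Secret1!"})]
    print(authenticate(login, "admin", "Secret1!"))
    # 'none' as the fallback admits an unknown user whenever the method before it errors.
    print(authenticate([local_method({"admin": "Secret1!"}), none_method()], "intruder", "x"))
```

The second demonstration is the caveat worth remembering when ordering a list: a method that never errors, such as none, is only ever reached when everything before it has errored, so "local none" admits any unknown user the moment the local lookup cannot decide, and "radius none" admits everyone while the RADIUS server is unreachable.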
Table 10-2. Default Method Lists (Continued)
AAA Service (type): List Name: List Methods
Authorization (commands): dfltCmdAuthList: none
Accounting (exec): dfltExecList: tacacs (start-stop)
Accounting (commands): dfltCmdList: tacacs (stop-only)
Access Lines
There are five access lines: console, Telnet, SSH, HTTP, and HTTPS. HTTP and HTTPS are not configured using AAA method lists. Instead, the authentication list for HTTP and HTTPS is configured directly (authorization and accounting are not supported).
This authentication method is not implemented by Dell Networking N-Series switches. Use the Management ACL capability to perform the equivalent function. Public key authentication operates as follows: The administrator first generates a pair of encryption keys, the “public” key and the “private” key. Messages encrypted with the private key can be decrypted only by the public key, and vice-versa. The administrator keeps the private key on his/her local machine, and loads the public key on to the switch.
Table 10-3. Default AAA Methods (Continued)
AAA Service (type)        Console           Telnet            SSH
Authorization (exec)      dfltExecAuthList  dfltExecAuthList  dfltExecAuthList
Authorization (commands)  dfltCmdAuthList   dfltCmdAuthList   dfltCmdAuthList
Accounting (exec)         none              none              none
Accounting (commands)     none              none              none
Access Lines (Non-AAA)
Table 10-4 shows the default configuration of the access lines that do not use method lists. Table 10-4.
Authentication Authentication is the process of validating a user's identity. During the authentication process, only identity validation is done. There is no determination made of which switch services the user is allowed to access. This is true even when RADIUS is used for authentication; RADIUS cannot perform separate transactions for authentication and authorization. However, the RADIUS server can provide attributes during the authentication process that are used in the authorization process.
Authentication Manager Overview The Authentication Manager supports the hierarchical configuration of host authentication methods on an interface. Use of the Authentication Manager is optional, but it is recommended when using multiple types of authentication on an interface, e.g., Captive Portal in conjunction with MAB or IEEE 802.1X. Dell switches support the following host authentication methods: • IEEE 802.
By default, Dell switches are configured with a method list that contains the methods (in order) Dot1x, MAB, and Captive Portal (web-auth) as the default methods for all the ports. Dell switches restrict the configuration such that no method is allowed to follow the Captive Portal method, if configured. The authentication manager controls only the order in which the authentication methods are executed.
authenticated client is removed and the authentication process begins again from the first method in the order. If 802.1X has a lower priority than the authenticated method, then the client is not removed and the 802.1X frames are ignored. If the administrator changes the priority of the methods, then all the users who are authenticated using a lower-priority method are forced to reauthenticate.
console(config)#interface te1/0/4
console(config-if-Te1/0/4)#dot1x port-control mac-based
console(config-if-Te1/0/4)#dot1x mac-auth-bypass
console(config-if-Te1/0/4)#authentication order dot1x mab
console(config-if-Te1/0/4)#dot1x reauthentication
console(config-if-Te1/0/4)#exit
Configuration Example—MAB Client
This example shows how to configure a MAB client on interface Gi1/0/2 using the IAS database for authentication.
1 Enter global configuration mode and create VLAN 3.
If it is possible that an 802.1x aware client may be connected, it is advisable to configure a re-authentication timer on the port using the dot1x timeout reauthperiod command. The following command shows the 802.1x configuration on the interface:
console(config-if-Gi1/0/1)#show dot1x interface gi1/0/2
Administrative Mode...............
Dynamic VLAN Creation Mode........
VLAN Assignment Mode..............
Monitor Mode......................
Using RADIUS
The RADIUS client on the switch supports multiple RADIUS servers. When multiple authentication servers are configured, they can help provide redundancy. One server can be designated as the primary and the other(s) will function as backup server(s). The switch attempts to use the primary server first. If the primary server does not respond, the switch attempts to use the backup servers. A priority value can be configured to determine the order in which the backup servers are contacted.
As a user attempts to connect to the switch management interface, the switch first detects the contact and prompts the user for a name and password. The switch encrypts the supplied information, and a RADIUS client transports the request to a pre-configured RADIUS server. Figure 10-1.
Which RADIUS Attributes Does the Switch Support? Table 10-6 lists the RADIUS attributes that the switch supports and indicates whether the 802.1X feature, user management feature, or Captive Portal feature supports the attribute. The RADIUS administrator must configure these attributes on the RADIUS server(s) when utilizing the switch RADIUS service. Table 10-6. Supported RADIUS Attributes Type RADIUS Attribute Name 802.
• REPLY-MESSAGE Trigger to respond to the Access-Accept message with an EAP notification.
• STATE RADIUS server state. Transmitted in Access-Request and Accounting-Request messages.
• SESSION-TIMEOUT Session time-out value for the session (in seconds). Used by both 802.1x and Captive Portal.
• TERMINATION-ACTION Indication as to the action taken when the service is completed.
• EAP-MESSAGE Contains an EAP message to be sent to the user. This is typically used for MAB clients.
Using TACACS+ Servers to Control Management Access TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. TACACS+ simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.
Each server host can be configured with a specific connection type, port, timeout, and shared key, or the server hosts can be globally configured with the key and timeout. The TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All sensitive information is encrypted and the shared secret is never passed over the network; it is used only to encrypt the data.
Authentication Examples It is important to understand that during authentication, all that happens is that the user is validated. If any attributes are returned from the server, they are not processed during authentication. In the examples below, it is assumed that the default configuration of authorization—that is, no authorization—is used.
7 Set the minimum number of character classes that must be present in the password. The possible character classes are: upper-case, lower-case, numeric and special:
console(config)#passwords strength minimum character-classes 4
8 Enable password strength checking:
console(config)#passwords strength-check
9 Create a user with the name “admin” and password “paSS1&word2”. This user is enabled for privilege level 15.
RADIUS Authentication Example
Use the following configuration to require RADIUS authentication to login over a Telnet connection:
1 Create a login authentication list called “rad” that contains the method radius. If this method returns an error, the user will fail to login:
console#config
console(config)#aaa authentication login “rad” radius
2 Create an enable authentication list called “raden” that contains the method radius.
ACL Using Authentication Manager to Configure MAB with RADIUS Server
The following is a relatively complex example of using an ACL to control access to Gi1/0/1, using the Authentication Manager to configure MAB in conjunction with a RADIUS server.
1 Create VLAN 60 which will be used for management access via Gi1/0/1:
console#config
console(config)#vlan 60
console(config-vlan60)#exit
2 Enable 802.
console(config-auth-radius)#primary
console(config-auth-radius)#name “Default-RADIUS-Server”
console(config-auth-radius)#usage 802.1x
console(config-auth-radius)#key “dellSecret”
console(config)#exit
10 Configure the management interface and bypass 802.
Combined RADIUS, CoA, MAB and 802.1x Example
The following example configures RADIUS in conjunction with IEEE 802.1X to provide network access to switch clients.
1 Enable 802.1x:
console#config
console(config)#dot1x system-auth-control
2 Configure 802.1x clients to use RADIUS services:
console(config)#aaa authentication dot1x default radius
3 Enable CoA for RADIUS:
console(config)#aaa server radius dynamic-author
4 Configure the remote RADIUS server for COA requests at 10.130.191.
console(config)#interface Gi1/0/7
console(config-if-Gi1/0/7)#dot1x port-control mac-based
console(config-if-Gi1/0/7)#exit
11 Configure Gi1/0/6 to allow connected hosts access to network resources, regardless of RADIUS configuration. RADIUS CoA disconnect requests are ignored for clients on this port:
console(config)#interface Gi1/0/6
console(config-if-Gi1/0/6)#dot1x port-control force-authorized
console(config-if-Gi1/0/6)#exit
12 Configure Gi1/0/5 to use standard 802.
TACACS+ Authentication Example
Use the following configuration to require TACACS+ authentication when logging in over a Telnet connection:
1 Create a login authentication list called “tacplus” that contains the method tacacs. If this method returns an error, the user will fail to login:
console#config
console(config)#aaa authentication login “tacplus” tacacs
2 Create an enable authentication list called “tacp” that contains the method tacacs.
NOTE: Dell Networking TACACS supports setting the maximum user privilege level in the authorization response. Configure the TACACS server to send priv-lvl=X, where X is either 1 (Non-privileged mode), or 15 (Privileged mode).
Public Key SSH Authentication Example
The following is an example of a public key configuration for SSH login. Using a tool such as PuTTY and a private/public key infrastructure, one can enable secure login to the Dell Networking N-Series switch without a password.
5 Enter the public key obtained from a key authority or from a tool such as PuTTYgen. This command is entered as a single line, not as multiple lines as it appears in the following text.
SSH defaultList HTTPS HTTP DOT1X enableList :local :local :
PUTTY Configuration Main Screen
On the following screen, the IP address of the switch is configured and SSH is selected as the secure login protocol.
On the next screen, PUTTY is configured to use SSH-2 only. This is an optional step that accelerates the login process.
The following screen is the key to the configuration. It is set to display the authentication banner, disable authentication with Pageant, disable keyboard-interactive authentication (unless desired), disable attempted changes of user name, and select the private key file used to authenticate with the switch.
The following screen configures the user name to be sent to the switch. A user name is always required. Alternatively, leave Auto-login name blank and the system will prompt for a user name.
After configuring PuTTY, be sure to save the configuration. The following screen shows the result of the login process. The user name is entered automatically and the switch confirms that public key authentication occurs.
Authenticating Without a Public Key
When authenticating without the public key, the switch prompts for the user name and password. This is an SSH function, not a switch function. If the user knows the administrator login and password, then they are able to authenticate in this manner.
Associating a User With an SSH Key
The following example shows how to associate a user with an externally generated SSH key.
4 Add the externally generated key. All of the key information is entered between double quotes.
Authorization
Authorization is used to determine which services the user is allowed to access. For example, the authorization process may assign a user’s privilege level, which determines the set of commands the user can execute. There are three kinds of authorization: commands, exec, and network.
• Commands: Command authorization determines which CLI commands the user is authorized to execute.
Administrative Profiles The Administrative Profiles feature allows the network administrator to define a list of rules that control the CLI commands available to a user. These rules are collected in a “profile.” The rules in a profile can define the set of commands, or a command mode, to which a user is permitted or denied access. Within a profile, rule numbers determine the order in which the rules are applied.
Table 10-9. Default Administrative Profiles
Name               Description
network-admin      Allows access to all commands.
network-security   Allows access to network security features such as 802.1X, Voice VLAN, Dynamic ARP Inspection and IP Source Guard.
router-admin       Allows access to Layer 3 features such as IPv4 Routing, IPv6 Routing, OSPF, RIP, etc.
multicast-admin    Allows access to multicast features at all layers; this includes L2, IPv4 and IPv6 multicast, IGMP, IGMP Snooping, etc.
With the users that were previously configured, the guest user will still log into user EXEC mode, since the guest user only has privilege level 1 (the default). The admin user will be able to login directly to privileged EXEC mode since his privilege level was configured as 15.
The RADIUS server should be configured such that it will send the Cisco AV Pair attribute with the “roles” value. For example:
shell:roles=router-admin
The above example attribute gives the user access to the commands permitted by the router-admin profile.
RADIUS Change of Authorization
Dell Networking N-Series switches support the Change of Authorization Disconnect-Request per RFC 3575. The Dell Networking N-Series switch listens for the Disconnect-Request on UDP port 3799.
The administrator can configure whether all or any of the session attributes are used to identify a client session. If all is configured, all session identification attributes included in the CoA Disconnect-Request must match a session or the device returns a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” error-code attribute.
4 Disconnect-request client identification must match on all keys.
console(config-radius-da)#auth-type all
console(config-radius-da)#exit
RADIUS COA Example with Telnet and SSH
The following example configures telnet and SSH clients in conjunction with RADIUS CoA.
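The difference between auth-type all (step 4 above) and auth-type any is which sessions a Disconnect-Request can tear down. The simulation below is an added illustration, not Dell code; the session table and the attributes used as session keys (User-Name, Calling-Station-Id, Acct-Session-Id) are constructed assumptions, and the Error-Cause value 407 is the "Invalid Attribute Value" code defined in RFC 5176.

```python
"""Match a RADIUS Disconnect-Request against active sessions under
auth-type all versus auth-type any (added illustration, not Dell code).
Session records and identification attributes are constructed examples."""

# Error-Cause value "Invalid Attribute Value" (RFC 5176)
ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE = 407

# Attributes assumed here to identify a session in a Disconnect-Request.
IDENTIFICATION_ATTRS = ("User-Name", "Calling-Station-Id", "Acct-Session-Id")

# Constructed session table: what the switch might hold after MAB/802.1X logins.
SESSIONS = [
    {"User-Name": "00066b3306ba", "Calling-Station-Id": "00-06-6B-33-06-BA",
     "Acct-Session-Id": "0000001A", "port": "Gi1/0/7"},
    {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55",
     "Acct-Session-Id": "0000001B", "port": "Gi1/0/8"},
]


def session_matches(session, request, mode):
    """mode "all": every identification attribute present in the request must
    match the session; mode "any": one matching attribute is enough."""
    present = [attr for attr in IDENTIFICATION_ATTRS if attr in request]
    if not present:
        return False    # nothing to identify a session with
    hits = [session.get(attr) == request[attr] for attr in present]
    return all(hits) if mode == "all" else any(hits)


def handle_disconnect_request(request, mode, sessions=SESSIONS):
    """Return ("Disconnect-ACK", [ports torn down]) when at least one session
    is identified, otherwise ("Disconnect-NAK", Error-Cause)."""
    if mode not in ("all", "any"):
        raise ValueError("auth-type must be 'all' or 'any'")
    matched = [s for s in sessions if session_matches(s, request, mode)]
    if not matched:
        return "Disconnect-NAK", ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE
    return "Disconnect-ACK", [s["port"] for s in matched]


if __name__ == "__main__":
    # A request whose User-Name and Calling-Station-Id belong to different sessions:
    mixed = {"User-Name": "alice", "Calling-Station-Id": "00-06-6B-33-06-BA"}
    print("all:", handle_disconnect_request(mixed, "all"))   # NAK with Error-Cause 407
    print("any:", handle_disconnect_request(mixed, "any"))   # ACK, both sessions torn down
```

With auth-type any, a request carrying one stale or mistyped attribute can disconnect more sessions than intended, which is why the example above uses auth-type all.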
8 Configure SSH sessions to the switch to use RADIUS authentication:
console(config)#line ssh
console(config-ssh)#login authentication login-list
console(config-ssh)#exit
9 Enable the SSH server (the telnet server is enabled by default):
console(config)#ip ssh server
TACACS Authorization
TACACS+ Authorization Example—Direct Login to Privileged EXEC Mode
Apply the following configuration to use TACACS+ for authorization, such that a user can enter privileged EXEC mode directly:
1 Create an exec authorization method list called “tacex” which contains the method tacacs.
console#config
console(config)#aaa authorization exec “tacex” tacacs
2 Assign the tacex exec authorization method list to be used for users accessing the switch via Telnet.
The above example attribute will give the user access to the commands permitted by the router-admin profile.
NOTE: If the priv-lvl attribute is also supplied, the user can also be placed directly into privileged EXEC mode.
TACACS+ Authorization Example—Custom Administrative Profile
This example creates a custom administrative profile that lets a user manage user access to the switch while permitting only AAA-related commands.
console(admin-profile)#rule 88 permit command "^password .*"
console(admin-profile)#rule 87 permit command "^username .*"
console(admin-profile)#rule 86 permit command "^show user.*"
console(admin-profile)#rule 85 permit command "^radius-server .*"
console(admin-profile)#rule 84 permit command "^tacacs-server .*"
3 Enter rule number permit mode mode-name commands to allow all commands in the named mode.
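The rules above are regular expressions matched against each command line a user enters. The evaluator below is an added illustration, not Dell code, and makes three assumptions the page does not state: rules are tried in ascending rule-number order, the first matching rule decides, and a command matched by no rule is denied. The rule numbered 10 is a constructed addition showing how a narrower rule placed earlier in the order can carve an exception out of a broader permit.

```python
"""Evaluate CLI commands against an Administrative Profile of regex rules
(added illustration, not Dell code). Assumed semantics: ascending rule-number
order, first match wins, implicit deny when nothing matches."""
import re


def build_profile(rules):
    """rules: iterable of (number, 'permit'|'deny', 'command'|'mode', pattern).
    Returns the rules sorted by number, with command patterns compiled."""
    compiled = []
    for number, action, kind, pattern in rules:
        if action not in ("permit", "deny") or kind not in ("command", "mode"):
            raise ValueError(f"bad rule {number}: {action} {kind}")
        regex = re.compile(pattern) if kind == "command" else None
        compiled.append((number, action, kind, pattern, regex))
    return sorted(compiled, key=lambda rule: rule[0])


def authorize(profile, command, mode=None):
    """Return (decision, rule_number). rule_number is None on implicit deny."""
    for number, action, kind, pattern, regex in profile:
        if kind == "command" and regex.match(command):
            return action, number
        if kind == "mode" and mode is not None and mode == pattern:
            return action, number
    return "deny", None


# The AAA-only profile from the example above, plus a constructed deny rule
# (number 10) that blocks creating new privilege-15 accounts while still
# permitting other username commands through rule 87.
AAA_PROFILE = build_profile([
    (10, "deny", "command", r"^username .* privilege 15"),   # constructed
    (84, "permit", "command", r"^tacacs-server .*"),
    (85, "permit", "command", r"^radius-server .*"),
    (86, "permit", "command", r"^show user.*"),
    (87, "permit", "command", r"^username .*"),
    (88, "permit", "command", r"^password .*"),
])


if __name__ == "__main__":
    for cmd in ("show users",
                "username bob password x privilege 15",
                "username bob password x",
                "interface gi1/0/1"):
        print(f"{cmd!r:45} -> {authorize(AAA_PROFILE, cmd)}")
```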
TACACS+ Authorization Example—Per-command Authorization An alternative method for command authorization is to use the TACACS+ feature of per-command authorization. With this feature, every time the user enters a command, a request is sent to the TACACS+ server to ask if the user is permitted to execute that command. Exec authorization does not need to be configured to use per-command authorization.
Accounting
Accounting is used to record security events, such as a user logging in or executing a command. Accounting records may be sent upon completion of an event (stop-only) or at both the beginning and end of an event (start-stop). There are three types of accounting: commands, Dot1x, and exec.
• Commands—Sends accounting records for command execution.
• Dot1x—Sends accounting records for network access.
• Exec—Sends accounting records for management access (logins).
• Acct-Session-Time (46)
• Acct-Input-Octets (42)
• Acct-Output-Octets (43)
• Acct-Input-Gigawords (52)
• Acct-Output-Gigawords (53)
Certain of the attributes above are sent only if received from the RADIUS server during the Access Request process, e.g., Class or State. The following attributes are sent in the Accounting Start record sent to the RADIUS server when the switch is configured for 802.
IEEE 802.1X
What is IEEE 802.1X?
The IEEE 802.1X standard provides a means of preventing unauthorized access by supplicants (clients) to the services the switch offers, such as access to the LAN. The 802.1X network has three components:
• Supplicant — The client connected to the authenticated port that requests access to the network.
• Authenticator — The network device that prevents network access prior to authentication.
As shown in Figure 10-3, the Dell Networking N1500, N2000, N3000, or N4000 Series switch, is the authenticator and ensures that the supplicant (a PC) that is attached to an 802.1X-controlled port is authenticated by an authentication server (a RADIUS server). The result of the authentication process determines whether the supplicant is authorized to access network services on that controlled port.
In addition to force-authorized, force-unauthorized, and auto modes, the 802.1X mode of a port can be MAC based, as the following section describes. NOTE: Only MAC-Based and Auto modes actually use 802.1X to authenticate. Authorized and Unauthorized modes are manual overrides. What is MAC-Based 802.1X Authentication? MAC-based authentication allows multiple supplicants connected to the same port to authenticate individually. For example, a 5-port hub might be connected to a single port on the switch.
• Considers the client to be 802.1X unaware client (if it does not receive an EAP response packet from that client) The authenticator sends a request to the authentication server with the MAC address of the client in a hexadecimal format as the username and the MD5 hash of the MAC address as the password. The authentication server checks its database for the authorized MAC addresses and returns an Access-Accept or an Access-Reject response, depending on whether the MAC address is found in the database.
VLAN. Hosts that do not attempt authentication may be placed into an unauthenticated VLAN. The network administrator can configure the type of access provided to the authenticated, guest, and unauthenticated VLANs. Much of the configuration to assign authenticated hosts to a particular VLAN takes place on the 802.1X authenticator server (for example, a RADIUS server).
Unauthenticated VLAN
The network administrator may choose to configure an unauthorized VLAN. Hosts that attempt authentication and fail three times are placed in the unauthenticated VLAN. Once in the unauthenticated VLAN, authentication is not reattempted until:
• the re-authentication timer expires
• the supplicant disconnects from the port
• the port is shut down and re-enabled
The number of re-authentication failures required to place a supplicant in the unauthenticated VLAN is not configurable.
What is Monitor Mode?
The monitor mode is a special mode that can be enabled in conjunction with 802.1X authentication. Monitor mode provides a way for network administrators to identify possible issues with the 802.1X configuration on the switch without affecting the network access to the users of the switch. It allows network access even in cases where authentication fails, but logs the results of the authentication process for diagnostic purposes.
Table 10-11. IEEE 802.
For additional guidelines about using an authentication server to assign DiffServ policies, see "Configuring Authentication Server DiffServ Policy Assignments " on page 310. What is the Internal Authentication Server? The Internal Authentication Server (IAS) is a dedicated database for localized authentication of users for network access through 802.1X. In this database, the switch maintains a list of username and password combinations to use for 802.1X authentication.
Table 10-12.
Figure 10-4. Dot1x Authentication
To configure 802.1X authentication on multiple ports:
1 Open the Dot1x Authentication page.
2 Click Show All to display the Dot1x Authentication Table page.
3 In the Ports list, select the check box in the Edit column for the port to configure.
4 Select the desired settings to change for all ports that are selected for editing.
Figure 10-5. Configure Dot1x Settings
5 Click Apply.
To reauthenticate a port:
1 Open the Dot1x Authentication page.
2 Click Show All. The Dot1x Authentication Table displays.
3 Check Edit to select the Unit/Port to re-authenticate.
4 Check Reauthenticate Now.
5 Click Apply. The authentication process is restarted on the specified port.
To reauthenticate multiple ports:
1 Open the Dot1x Authentication page.
2 Click Show All. The Dot1x Authentication Table displays.
To change the administrative port control:
1 Open the Dot1x Authentication page.
2 Click Show All. The Dot1x Authentication Table displays.
3 Scroll to the right side of the table and select the Edit check box for each port to configure. Change Admin Port Control to Authorized, Unauthorized, or Automode as needed for chosen ports. Only MAC-Based and Automode actually use 802.1X to authenticate. Authorized and Unauthorized are manual overrides.
4 Click Apply.
Port Access Control Configuration Use the Port Access Control Configuration page to globally enable or disable RADIUS-assigned VLANs and to enable Monitor Mode to help troubleshoot 802.1X configuration issues. NOTE: The VLAN Assignment Mode field is the same as the Admin Mode field on the System Management Security Authorization Network RADIUS page.
Figure 10-8. Port Access Control History Log Summary Internal Authentication Server Users Configuration Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries. To display the Internal Authentication Server Users Configuration page, click System Management Security Internal Authentication Server Users Configuration in the navigation panel. Figure 10-9.
2 Click Add to display the Internal Authentication Server Users Add page.
3 Specify a username and password in the appropriate fields.
Figure 10-10. Adding an IAS User
4 Click Apply.
To view the Internal Authentication Server Users Table page, click Show All.
To delete an IAS user:
1 Open the Internal Authentication Server Users Configuration page.
2 From the User menu, select the user to remove.
3 Select the Remove check box.
Figure 10-11. Removing an IAS User
4 Click Apply.
Configuring IEEE 802.1X (CLI) This section provides information about commands you use to configure 802.1X and Port Security settings. For additional information about the commands in this section, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Basic 802.1X Authentication Settings Beginning in Privileged EXEC mode, use the following commands to enable and configure 802.1X authentication on the switch.
Command   Purpose
dot1x port-control {force-authorized | force-unauthorized | auto | mac-based}
    Specify the 802.1X mode for the port.
    NOTE: For standard 802.1X implementations in which one client is connected to one port, use the dot1x port-control auto command to enable 802.1X authentication on the port.
    • auto — Enables 802.1X authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.
NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the dot1x system-auth-control monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show dot1x authentication-history {interface | all} [failed-auth-only] [detail] command in Privileged EXEC mode. To clear the history, use the clear dot1x authentication-history command.
Configuring Additional 802.
Command   Purpose
dot1x timeout supptimeout seconds
    Set the time that the switch waits for a response before retransmitting an Extensible Authentication Protocol (EAP)-request frame to the client.
dot1x max-req count
    Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) to the client before restarting the authentication process.
Command   Purpose
dot1x dynamic-vlan enable
    If the RADIUS assigned VLAN does not exist on the switch, allow the switch to dynamically create the assigned VLAN.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command.
Configuring Internal Authentication Server Users
Beginning in Privileged EXEC mode, use the following commands to add users to the IAS database and to use the database for 802.1X authentication.
Command   Purpose
configure
    Enter Global Configuration mode.
aaa ias-user username
    Add a user to the IAS user database. This command also changes the mode to the AAA User Config mode.
password password [encrypted]
    Configure the password associated with the user.
CTRL + Z
    Exit to Privileged EXEC mode.
The switch uses an authentication server with an IP address of 10.10.10.10 to authenticate clients. Port 7 is connected to a printer in the unsecured area. The printer is an 802.1X unaware client, so Port 7 is configured to use MAC-based authentication with MAB. NOTE: The printer requires an entry in the client database that uses the printer MAC address as the username. An IP phone is directly connected to Port 8, and a PC is connected to the IP phone.
Figure 10-12. 802.1X Example (diagram: Physically Unsecured Devices; Physically Secured Devices; Clients (Ports 1 and 3); Authentication Server (RADIUS); Dell Networking N-Series switch; Clients (Port 8); Printer (Port 7); LAN Uplink (Port 24); LAN Server (Port 9))
The following example shows how to configure the example shown in Figure 10-12.
1 Configure the RADIUS server IP address and shared secret (secret).
console#configure
console(config)#radius-server host 10.10.10.
4 Configure Port 7 to require MAC-based authentication with MAB.
console(config)#interface gi1/0/7
console(config-if-Gi1/0/7)#dot1x port-control mac-based
console(config-if-Gi1/0/7)#dot1x mac-auth-bypass
5 Set the port to an 802.1Q VLAN. The port must be in general mode in order to enable MAC-based 802.1X authentication.
VLAN Assigned.................................. 1 (Default)
Interface...................................... Gi1/0/7
User Name...................................... 0006.6B33.06BA
Supp MAC Address............................... 0006.6B33.06BA
Session Time................................... 826
Filter Id......................................
VLAN Assigned.................................. 1 (Default)
9 View a summary of the port status.
console#show dot1x
Administrative Mode...............
10 View 802.1X information about Port 8.
console#show dot1x interface Gi1/0/8
Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Enabled
Monitor Mode...................... Disabled

Port       Admin      Oper        Reauth   Reauth
           Mode       Mode        Control  Period
-------    ---------  ----------  -------  -------
Gi1/0/8    mac-based  Authorized  FALSE    3600

Quiet Period...................................
Transmit Period................................
Maximum Requests...............................
NOTE: Dynamic VLAN creation applies only to authorized ports. The VLANs for unauthorized and guest users must be configured on the switch and cannot be dynamically created based on RADIUS-based VLAN assignment. NOTE: RADIUS VLAN assignment is supported on general mode ports only if MAC-based authentication is enabled. VLAN assignment is supported for all port modes other than trunk mode if auto assignment is enabled (dot1x port-control auto).
To configure the switch:
1 Create the VLANs and configure the VLAN names.
console(config)#vlan 100
console(config-vlan100)#name Authorized
console(config-vlan100)#exit
console(config)#vlan 200
console(config-vlan200)#name Unauthorized
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Guest
console(config-vlan300)#exit
2 Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.
information is removed from the RADIUS server after it has been authenticated, the client will be denied access when it attempts to reauthenticate.
console(config-if)#dot1x reauthentication
console(config-if)#dot1x timeout re-authperiod 300
9 Set the unauthenticated VLAN on the ports to VLAN 200 so that any client that connects to one of the ports and fails the 802.1X authentication is placed in VLAN 200.
console(config-if)#dot1x unauth-vlan 200
10 Set the guest VLAN on the ports to VLAN 300.
switch. However, the network administrator in this example has determined that traffic in VLANs 1000–2000 should not be forwarded on the trunk port, even if the RADIUS server assigns a connected host to a VLAN in this range, and the switch dynamically creates the VLAN. NOTE: The configuration to control the VLAN assignment for hosts is done on the external RADIUS server. To configure the switch: 1 Configure information about the external RADIUS server the switch uses to authenticate clients.
8 Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9 Disable 802.1X authentication on the interface. This causes the port to transition to the authorized state without any authentication exchange required. This port does not connect to any end-users, so there is no need for 802.1X-based authentication.
Equal Access to External Network " on page 1467, describes how to configure a policy named internet_access. If you use an authentication server to assign DiffServ policies to an authenticated user, note the following guidelines:
• If the policy specified within the server Filter-id attribute does not exist on the switch, authentication will fail.
• Do not delete policies used as the Filter-id by the RADIUS server while 802.1X is enabled.
3 Configure the DiffServ policy.
console(config)#policy-map con-pol in
console(config-policy-map)#class cl-ssh
console(config-policy-classmap)#drop
console(config-policy-classmap)#exit
console(config-policy-map)#class cl-http
console(config-policy-classmap)#police-simple 1000000 64 conform-action transmit violate-action drop
console(config-policy-classmap)#exit
console(config-policy-map)#exit
4 Enable DiffServ on the switch. (Optional as diffserv is enabled by default.
Captive Portal
This section describes how to configure the Captive Portal feature. The topics covered in this section include:
• Captive Portal Overview
• Default Captive Portal Behavior and Settings
• Configuring Captive Portal (Web)
• Configuring Captive Portal (CLI)
• IEEE 802.1X Configuration Examples
Captive Portal Overview
A Captive Portal (CP) helps manage or restrict network access.
Figure 10-13. Connecting to the Captive Portal [figure: DHCP server, switch with Captive Portal, DNS server, RADIUS server (optional), Captive Portal user (host), and the default Captive Portal welcome screen displayed in the Captive Portal user's browser]

The CP feature blocks hosts connected to the switch from most network access until user verification has been established. Access to 802.1X, DHCP, ARP, NetBIOS, and DNS services is allowed.
Is Captive Portal Dependent on Any Other Feature?

If security procedures require RADIUS authentication, the administrator must configure the RADIUS server information on the switch (see "Using RADIUS" on page 241). The RADIUS administrator must also configure the RADIUS attributes for CP users on the RADIUS server. For information about the RADIUS attributes to configure, see Table 10-15.
the network. If traps are enabled, the switch also writes a message to the trap log when the event occurs. To enable the CP traps, see "Configuring SNMP Notifications (Traps and Informs)" on page 461.

What Factors Should Be Considered When Designing and Configuring a Captive Portal?

Before enabling the CP feature, decide what type (or types) of authentication will be supported.
Figure 10-14. Customized Captive Portal Welcome Screen

How Does Captive Portal Work?

When a port is enabled for CP, all traffic arriving on the port from unverified clients is dropped except for ARP, DHCP, NetBIOS, and DNS packets. The switch forwards these packets so that unverified clients can obtain an IP address and resolve host or domain names.
• Logout Page — If the user logout mode is enabled, this page displays in a pop-up window after the user successfully authenticates. This window contains the logout button.
• Logout Success Page — If the user logout mode is enabled, this page displays after a user clicks the logout button and successfully deauthenticates.

Understanding User Logout Mode

The User Logout Mode feature allows a user who successfully authenticates to the network through the CP to explicitly deauthenticate from the network.
Captive Portal and DNS

CP allows unauthenticated users access to DNS services on TCP and UDP destination port 53. CP inspects all DNS traffic to ensure that it conforms to the DNS protocol (RFC 1035/1996). CP checks the format of DNS messages and discards packets that do not conform to the minimum standards.
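The guide does not spell out which RFC 1035 checks the switch applies. The following is an added example, not Dell's code, of the kind of minimum-format check a captive portal can run on DNS traffic from an unverified host before forwarding it: a complete 12-octet header, a sane opcode, a question in every query, label and name length limits, and compression pointers that only point backwards. The forwarding decision function, the protocol names it takes, and the sample query and reply are all constructed for this example.

```python
"""Added example (not the switch's own code): the kind of RFC 1035 format
check a captive portal applies before forwarding DNS from an unverified
host.  All packets here are constructed for illustration."""
import struct

MAX_LABEL_LEN = 63   # RFC 1035 section 2.3.4
MAX_NAME_LEN = 255
MAX_OPCODE = 2       # QUERY, IQUERY, STATUS (RFC 1035 section 4.1.1)
ALWAYS_ALLOWED = ("arp", "dhcp", "netbios", "eapol")   # services the page lists


def _skip_name(msg: bytes, off: int) -> int:
    """Validate one domain name at offset off and return the offset just
    past it.  Raises ValueError for any label or pointer violation."""
    total = 0
    end = None          # offset after the first compression pointer, if any
    hops = 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                       # root label terminates the name
            off += 1
            break
        if length & 0xC0 == 0xC0:             # 11xxxxxx: compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[off + 1]
            if target >= off:                 # must point to an earlier name
                raise ValueError("pointer does not point backwards")
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = target
            continue
        if length & 0xC0:                     # 01/10 prefixes are reserved
            raise ValueError("reserved label type")
        if length > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise ValueError("name longer than 255 octets")
        off += length + 1
    return off if end is None else end


def dns_message_conforms(msg: bytes) -> bool:
    """True if msg parses as a minimally well-formed RFC 1035 message."""
    if len(msg) < 12:                         # fixed 12-octet header
        return False
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF > MAX_OPCODE:
        return False
    if not (flags >> 15) and qdcount == 0:    # a query must carry a question
        return False
    off = 12
    try:
        for _ in range(qdcount):
            off = _skip_name(msg, off) + 4    # QTYPE + QCLASS
            if off > len(msg):
                return False
        for _ in range(ancount + nscount + arcount):
            off = _skip_name(msg, off)
            if off + 10 > len(msg):           # TYPE, CLASS, TTL, RDLENGTH
                return False
            rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlength
            if off > len(msg):
                return False
    except ValueError:
        return False
    return True


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query with recursion desired."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_reply(query: bytes, ipv4: bytes) -> bytes:
    """Constructed sample: answer the query with one A record whose owner
    name is a compression pointer back to the question (offset 12)."""
    hdr = struct.pack("!6H", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipv4
    return hdr + query[12:] + answer


def unverified_host_allows(proto: str, dst_port: int, payload: bytes) -> bool:
    """Forwarding decision for a host that has not passed the portal (hypothetical
    helper): listed services pass, DNS passes only if well-formed, all else drops."""
    if proto in ALWAYS_ALLOWED:
        return True
    if proto in ("udp", "tcp") and dst_port == 53:
        return dns_message_conforms(payload)
    return False
```

The checks are deliberately format-only: the portal is not a resolver, so it does not judge the names being asked for, only whether the packet is shaped like DNS. Anything that does not parse is discarded, which is what keeps an unverified host from pushing arbitrary payloads through the port-53 exception.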
Table 10-13. Captive Portal Status Values (Continued)

Status Value   Description                                                                                        Browser Action
RADIUS_WIP     Indicates that RADIUS validation is in progress.                                                   The browser action is the same as for the WIP status.
Success        Indicates that authentication is a success.                                                        Displays either the customized welcome page or an external URL.
Denied         Indicates that the user has failed to enter credentials that match the expected configuration.
Default Captive Portal Behavior and Settings

CP is disabled by default. If you enable CP, no interfaces are associated with the default CP. After you associate an interface with the CP and globally enable the CP feature, a user who connects to the switch through that interface is presented with the CP Welcome screen shown in Figure 10-15.

Figure 10-15.
Table 10-14. Default Captive Portal Values

Feature                      Value
Configured Captive Portals   1
Captive Portal Name          Default
Protocol Mode                HTTP
Verification Mode            Guest
URL Redirect Mode            Off
User Group                   1-Default
Session Timeout              86400 seconds
Local Users                  None configured
Interface associations       None
Interface status             Not blocked

If the CP is blocked, users cannot gain access to the network through the CP.
Configuring Captive Portal (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring CP settings on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

Captive Portal Global Configuration

Use the Captive Portal Global Configuration page to control the administrative state of the CP feature and configure global settings that affect all CPs configured on the switch.
Figure 10-17. Captive Portal Configuration

From the Captive Portal Configuration page, click Add to create a new CP instance.

Figure 10-18. Add Captive Portal Configuration

From the Captive Portal Configuration page, click Summary to view summary information about the CP instances configured on the switch.
Figure 10-19. Captive Portal Summary

Customizing a Captive Portal

The procedures in this section customize the pages that the user sees when he or she attempts to connect to (and log off of) a network through the CP. These procedures configure the English version of the Default Captive Portal.

To configure the switch:
1 From the Captive Portal Configuration page, click the (English) tab. The settings for the Authentication Page display, and the links to the CP customization appear.
3 Make sure Download is selected in the Available Images menu, and click Browse.
4 Browse to the directory where the image to be downloaded is located and select the image.
5 Click Apply to download the selected file to the switch.
6 To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link.
Figure 10-21. Captive Portal Authentication Page

7 Select the branding image to use and customize other page components, such as the font for all text the page displays, the page title, and the acceptable use policy.
8 Click Apply to save the settings to the running configuration, or click Preview to view what the user will see. To return to the default views, click Clear.
9 Click the Logout Page link to configure the page that contains the logout window.

NOTE: The Logout Page settings can be configured only if the User Logout Mode is selected on the Configuration page. The User Logout Mode allows an authenticated client to deauthenticate from the network.

Figure 10-22. Captive Portal Logout Page

10 Customize the look and feel of the Logout Page, such as the page title and logout instructions.
13 Customize the look and feel of the Logout Page, such as the background image and successful logout message.
14 Click Apply to save the settings to the running configuration, or click Preview to view what the user will see. To return to the default views, click Clear.

Local User

A portal can be configured to accommodate guest users and authorized users. Guest users do not have assigned user names and passwords.
Figure 10-24. Local User Configuration

From the Local User page, click Add to add a new user to the local database.

Figure 10-25.
From the Local User page, click Show All to view summary information about the local users configured in the local database.

Figure 10-26. Captive Portal Local User Summary

To delete a configured user from the database, select the Remove check box associated with the user and click Apply.

Configuring Users in a Remote RADIUS Server

Client authorization can be performed by a remote RADIUS server. All users must be added to the RADIUS server.
Table 10-15. Captive Portal User RADIUS Attributes (Continued)

Attribute                   Number   Description                                                                                                               Range               Usage      Default
Session-Timeout             27       Logout once session timeout is reached (seconds). If the attribute is 0 or not present, then use the value configured for the CP.   Integer (seconds)   Optional   0
Dell-CaptivePortal-Groups            A comma-delimited list of group names that correspond to the configured CP instance configurations.                     String              Optional   None
From the User Group page, click Add to configure a new user group.

Figure 10-28. Add User Group

From the User Group page, click Show All to view summary information about the user groups configured on the switch.

Figure 10-29. Captive Portal User Group Summary

To delete a configured group, select the Remove check box associated with the group and click Apply.

Interface Association

Using the Interface Association page, a configured CP can be associated with specific interfaces.
Figure 10-30. Captive Portal Interface Association

NOTE: When you associate an interface with a CP, the interface is disabled in the Interface List. Each interface can be associated with only one CP at a time.

Captive Portal Global Status

The Captive Portal Global Status page contains a variety of information about the CP feature, including information about the CP activity and interfaces. To display the Global Status page, click System > Captive Portal > Status > Global Status.
Figure 10-31. Captive Portal Global Status

Captive Portal Activation and Activity Status

The Captive Portal Activation and Activity Status page provides information about each CP configured on the switch. The page has a drop-down menu that contains all CPs configured on the switch. When you select a CP, the activation and activity status for that portal displays.
Figure 10-32. Captive Portal Activation and Activity Status

NOTE: Use the Block and Unblock buttons to control the blocked status. If the CP is blocked, users cannot gain access to the network through the CP. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.

Interface Activation Status

The Interface Activation Status page shows information for every interface assigned to a CP instance.
Figure 10-33. Interface Activation Status

Interface Capability Status

The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the CP to clients connected on this interface. The list of services is determined by the interface capabilities.
Client Summary

Use the Client Summary page to view summary information about all authenticated clients that are connected through the CP. From this page, the CP can be manually forced to disconnect one or more authenticated clients. The list of clients is sorted by client MAC address. To display the Client Summary page, click System > Captive Portal > Client Connection Status > Client Summary.

Figure 10-35.
Figure 10-36. Client Detail

Captive Portal Interface Client Status

Use the Interface Client Status page to view clients that are authenticated to a specific interface. To display the Interface Client Status page, click System > Captive Portal > Client Connection Status > Interface Client Status.

Figure 10-37. Interface - Client Status

Captive Portal Client Status

Use the Client Status page to view clients that are authenticated to a specific CP configuration.
Figure 10-38.
Configuring Captive Portal (CLI)

This section provides information about the commands you use to create and configure CP settings. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global Captive Portal Settings

Beginning in Privileged EXEC mode, use the following commands to configure global CP settings.

Command      Purpose
configure    Enter global configuration mode.
Command                        Purpose
CTRL + Z                       Exit to Privileged EXEC mode.
show captive-portal [status]   View the CP administrative and operational status. Use the status keyword to view additional global CP information and summary information about all configured CP instances.

Creating and Configuring a Captive Portal

Beginning in Privileged EXEC mode, use the following commands to create a CP instance and configure its settings.

Command      Purpose
configure    Enter global configuration mode.
Command        Purpose
user-logout    (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is clear or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example when the idle timeout or session timeout value is reached.
Command                                                        Purpose
block                                                          (Optional) Block all traffic for a CP configuration. If the CP is blocked, users cannot gain access to the network through the CP. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.
CTRL + Z                                                       Exit to Privileged EXEC mode.
show captive-portal configuration cp-id [status | interface]   View summary information about a CP instance.
                                                               • cp-id — The CP instance (Range: 1–10).
Command                           Purpose
user group group-id [name name]   Configure a group. Each CP that requires authentication has a group associated with it. Only the users who are members of that group can be authenticated if they connect to the CP.
                                  • group-id — Group ID (Range: 1–10).
                                  • name — Group name (Range: 1–32 characters).
user user-id name name            Create a new user for the local user authentication database.
                                  • user-id — User ID (Range: 1–128).
                                  • name — User name (Range: 1–32 characters).
Command                      Purpose
clear captive portal users   (Optional) Delete all CP user entries from the local database.

Managing Captive Portal Clients

The commands in this section are all executed in Privileged EXEC mode. Use the following commands to view and manage clients that are connected to a CP.

Command                                                   Purpose
show captive-portal configuration [cp-id] client status   Display information about the clients authenticated to all CP configurations or to a specific configuration.
Captive Portal Configuration Example

The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. Due to legal reasons, visitors and guests must agree to the resort's acceptable use policy to gain network access. Additionally, network access from the conference rooms must be authenticated. The person who rents the conference room space receives a list of username and password combinations upon arrival.
1. If a RADIUS server is selected for authentication, configure the RADIUS server settings on the switch.
2. If authentication is required, configure the user groups to associate with each CP.
3. Create (add) the CPs.
4. Configure the CP settings for each CP, such as the verification mode.
5. Associate interfaces with the CP instances.
6. Download the branding images, such as the company logo, to the switch.
Detailed Configuration Procedures

Use the following steps to perform the CP configuration:
1. Configure the RADIUS server information on the switch. In this example, the RADIUS server IP address is 192.168.2.188, and the RADIUS server name is luxury-radius.
console#configure
console(config)#radius-server host 192.168.12.182
console(Config-auth-radius)#name luxury-radius
console(Config-auth-radius)#exit
2. Configure the CP groups.
console(config-CP 4)#interface te1/0/18
...
console(config-CP 4)#interface te1/0/40
console(config-CP 4)#exit
6. Use the web interface to customize the CP pages that are presented to users when they attempt to connect to the network.

NOTE: CP page customization is supported only through the web interface. For information about customizing the CP pages, see "Customizing a Captive Portal" on page 325.

7. Add the Conference users to the local database.
In Case Of Problems in Captive Portal Deployment When configuring captive portal, many administrators will find that the web browsers or hosts are not able to reach the captive portal web page. This is most often due to network issues as opposed to issues with the captive portal service. When deploying captive portal, first ensure that web clients on the internal network can reach the external network by disabling captive portal entirely and verifying connectivity.
Authentication, Authorization, and Accounting
11 Monitoring and Logging System Information

Dell Networking N1500, N2000, N3000, and N4000 Series Switches

This chapter provides information about the features used for monitoring the switch, including logging, cable tests, and email alerting.
Why Is System Information Needed?

The information the switch provides can help the switch administrator troubleshoot issues that might be affecting system performance. The cable diagnostics tests help the administrator troubleshoot problems with the physical connections to the switch. Auditing access to the switch and the activities an administrator performed while managing the switch can help provide security and accountability.
What Are the Severity Levels?

The severity of the messages to be logged for each local or remote log file can be specified. Each severity level is identified by a name and a number. Table 11-1 provides information about the severity levels.

Table 11-1. Log Message Severity

Severity Keyword   Severity Level   Description
emergencies        0                The switch is unusable.
alerts             1                Action must be taken immediately.
critical           2                The switch is experiencing critical conditions.
To view the log messages in the system startup and operational log files, the log files must be downloaded to an administrative host. The startup log files are named slogX.txt and the operation log files are named ologX.txt. When enabled, the system stores the startup and operation log files for the last three switch boots.
• Stack ID — This is the assigned stack ID. For the Dell Networking N1500, N2000, N3000, and N4000 Series switches, the stack ID number is always 1. The number 1 is used for systems without stacking ability. The stack master is used to collect messages for the entire stack.
• Component name — The component name for the logging component. Component "UNKN" is substituted for components that do not identify themselves to the logging component.
• Thread ID — The thread ID of the logging component.
Default Log Settings System logging is enabled, and messages are sent to the console (severity level: warning and above), and RAM log (severity level: informational and above). Switch auditing, CLI command logging, Web logging, and SNMP logging are disabled. By default, no messages are sent to the log file that is stored in flash, and no remote log servers are defined. Email alerting is disabled, and no recipient email address is configured. Additionally, no mail server is defined.
Monitoring System Information and Configuring Logging (Web)

This section provides information about the OpenManage Switch Administrator pages to use to monitor system information and configure logging on the Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

Device Information

The Device Information page displays after you successfully log on to the switch by using the Dell OpenManage Switch Administrator.
Figure 11-2. Stack View For more information about the device view features, see "Understanding the Device View " on page 150.
System Health

Use the Health page to view status information about the switch power and ventilation sources. To display the Health page, click System > General > Health in the navigation panel.

Figure 11-3.

System Resources

Use the System Resources page to view information about memory usage and task utilization. To display the System Resources page, click System > General > System Resources in the navigation panel.

Figure 11-4.

Unit Power Usage History

Use the Unit Power Usage History page to view information about switch power consumption. To display the Unit Power Usage History page, click System > General > Unit Power Usage History in the navigation panel.

Figure 11-5.
Integrated Cable Test for Copper Cables

Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred. The tests use Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested.

To view a summary of all integrated cable tests performed, click the Show All link.

Figure 11-7. Integrated Cable Test Summary

Optical Transceiver Diagnostics

Use the Transceiver Diagnostics page to perform tests on Fiber Optic cables. To display the Transceiver Diagnostics page, click System > Diagnostics > Transceiver Diagnostics in the navigation panel.

NOTE: Optical transceiver diagnostics can be performed only when the link is present.

Figure 11-8. Transceiver Diagnostics

To view a summary of all optical transceiver diagnostics tests performed, click the Show All link.

Figure 11-9.
Log Global Settings

Use the Global Settings page to enable logging globally and to enable other types of logging. The severity of messages that are logged to the console, RAM log, and flash-based log file can also be specified. The Severity table lists log messages from the highest severity (Emergency) to the lowest (Debug). When a severity level is selected, all higher levels are automatically selected.
RAM Log

Use the RAM Log page to view information about specific RAM (cache) log entries, including the time the log was entered, the log severity, and a description of the log. To display the RAM Log, click System > Logs > RAM Log in the navigation panel.

Figure 11-11.

Log File

The Log File contains information about specific log entries, including the time the log was entered, the log severity, and a description of the log. To display the Log File, click System > Logs > Log File in the navigation panel.

Figure 11-12. Log File

Syslog Server

Use the Remote Log Server page to view and configure the available syslog servers, to define new syslog servers, and to set the severity of the log events sent to the syslog server.

Figure 11-13. Remote Log Server

Adding a New Remote Log Server

To add a syslog server:
1 Open the Remote Log Server page.
2 Click Add to display the Add Remote Log Server page.
3 Specify the IP address or hostname of the remote server.
4 Define the UDP Port and Description fields.

Figure 11-14. Add Remote Log Server

5 Select the severity of the messages to send to the remote server.

NOTE: When a severity level is selected, all higher (numerically lower) severity levels are automatically selected.

6 Click Apply.

Click the Show All link to view or remove remote log servers configured on the system.

Figure 11-15.
Email Alert Global Configuration

Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts. To display the Email Alert Global Configuration page, click System > Email Alerts > Email Alert Global Configuration in the navigation panel.

Figure 11-16.

Figure 11-17. Email Alert Mail Server Configuration

Adding a Mail Server

To add a mail server:
1 Open the Email Alert Mail Server Configuration page.
2 Click Add to display the Email Alert Mail Server Add page.
3 Specify the hostname of the mail server.

Figure 11-18. Add Mail Server

4 Click Apply.
5 If desired, click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server.

Figure 11-19. Show All Mail Servers

Email Alert Subject Configuration

Use the Email Alert Subject Configuration page to configure the subject line for email alerts that are sent by the switch. The subject for the message severity and entry status can be customized. To display the Email Alert Subject Configuration page, click System > Email Alerts > Email Alert Subject Configuration in the navigation panel.

Figure 11-20.

Figure 11-21. View Email Alert Subjects

Email Alert To Address Configuration

Use the Email Alert To Address Configuration page to specify where the email alerts are sent. Multiple recipients can be configured, and different message severity levels can be associated with different recipient addresses. To display the Email Alert To Address Configuration page, click System > Email Alerts > Email Alert To Address Configuration in the navigation panel.

Figure 11-22.

Figure 11-23. View Email Alert To Address Configuration

Email Alert Statistics

Use the Email Alert Statistics page to view the number of emails that were successfully and unsuccessfully sent, and when emails were sent. To display the Email Alert Statistics page, click System > Email Alerts > Email Alert Statistics in the navigation panel.

Figure 11-24.
Monitoring System Information and Configuring Logging (CLI) This section provides information about the commands used for configuring features for monitoring on the Dell Networking N1500, N2000, N3000, and N4000 Series switches. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command                          Purpose
test copper-port tdr interface   Perform the Time Domain Reflectometry (TDR) test to diagnose the quality and characteristics of a copper cable attached to the specified port. SFP, SFP+, and QSFP cables with passive copper assemblies are not capable of performing TDR tests.
                                 CAUTION: Issuing the test copper-port tdr command will bring the interface down.
Configuring Local Logging

Beginning in Privileged EXEC mode, use the following commands to configure the type of messages that are logged and where the messages are logged locally.

Command                Purpose
configure              Enter Global Configuration mode.
logging on             Globally enable logging.
logging audit          Enable switch auditing.
logging cli-command    Enable CLI command logging.
logging web-sessions   Enable logging of switch management Web page visits.
logging snmp           Enable logging of SNMP set commands.
Command             Purpose
CTRL + Z            Exit to Privileged EXEC mode.
show logging        Display the state of logging and the syslog messages stored in the internal buffer.
show logging file   View information about the flash (persistent) log file.
clear logging       Clear messages from the logging buffer.

Configuring Remote Logging

Beginning in Privileged EXEC mode, use the following commands to define a remote server to which the switch sends log messages.
Configuring Mail Server Settings

Beginning in Privileged EXEC mode, use the following commands to configure information about the mail server (SMTP host) on the network that will initially receive the email alerts from the switch and relay them to the correct recipient.

Command                  Purpose
configure                Enter Global Configuration mode.
mail-server ip-address   Specify the IP address of the SMTP server on the network and enter the configuration mode for the mail server.
Configuring Email Alerts for Log Messages

Beginning in Privileged EXEC mode, use the following commands to configure email alerts so that log messages are sent to the specified address.

Command                    Purpose
configure                  Enter Global Configuration mode.
logging email [severity]   Enable email alerting and determine which non-critical log messages should be emailed. Including the severity value sets the lowest severity for which log messages are emailed.
Command                                                                          Purpose
logging email test message-type {urgent | non-urgent | both} message-body body   Send a test email to the configured recipient to verify that the feature is properly configured.
CTRL + Z                                                                         Exit to Privileged EXEC mode.
show logging email config                                                        View the configured settings for email alerts.
show logging email statistics                                                    View information about the number of emails sent and the time they were sent.
clear logging email statistics                                                   Clear the email alerting statistics.
Logging Configuration Examples

This section contains the following examples:
• Configuring Local and Remote Logging
• Configuring Email Alerting

Configuring Local and Remote Logging

This example shows how to enable switch auditing and CLI command logging. Log messages with a severity level of Notification (level 5) and above are sent to the RAM (buffered) log. Emergency, Critical, and Alert (level 2) log messages are written to the log file on the flash drive.
4 Verify the remote log server configuration.
console#show syslog-servers

IP Address/Hostname       Port   Severity         Description
------------------------- ------ ---------------- ----------
192.168.2.10              514    debugging        Syslog Server

5 Verify the local logging configuration and view the log messages stored in the buffer (RAM log).
console#show logging

Logging is enabled
Console Logging: level debugging. Console Messages: 748 Dropped.
Buffer Logging: level notifications.
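The severity rules in Table 11-1 and the thresholds used in this example (RAM log at notifications, flash file at critical, console at its default of warnings, the syslog server at debugging) are easy to get backwards because "higher severity" means a lower number. The following added example, not Dell's code, applies those thresholds to a few constructed log events and also builds the BSD-syslog PRI value that a message carries when it leaves for the UDP/514 server. Levels 3 to 7 are the standard syslog keywords, and the facility value is an assumption; the guide does not state which facility the switch uses.

```python
"""Added example (not the switch's own code): which destinations receive a
message of a given severity, modelled on the local/remote logging example
above.  Thresholds follow that example; the facility is an assumption."""

# Severity keyword -> level, as in Table 11-1 (levels 3-7 are the standard
# syslog set; the table above shows only 0-2).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Selecting a level also selects every higher (numerically lower) level, so a
# destination keeps each message whose level is <= its configured threshold.
DESTINATIONS = {
    "console": SEVERITY["warnings"],       # default console level
    "buffer": SEVERITY["notifications"],   # RAM log, as configured above
    "file": SEVERITY["critical"],          # flash log: emergency/alert/critical
    "remote": SEVERITY["debugging"],       # syslog server at 192.168.2.10:514
}

LOCAL7 = 23   # assumed facility; RFC 3164 PRI = facility * 8 + severity


def destinations_for(level: int) -> set:
    """Names of every log destination whose threshold admits this level."""
    return {name for name, limit in DESTINATIONS.items() if level <= limit}


def syslog_pri(level: int, facility: int = LOCAL7) -> int:
    return facility * 8 + level


def format_remote(level: int, host: str, text: str) -> str:
    """One message as it would be sent to the UDP/514 server (BSD syslog form)."""
    return "<%d>%s %s" % (syslog_pri(level), host, text)


# Constructed sample events of the kind the switch logs.
SAMPLE_EVENTS = [
    (SEVERITY["critical"], "Stack unit 1 fan 2 failed"),
    (SEVERITY["notifications"], "Interface Gi1/0/24 link up"),
    (SEVERITY["informational"], "CLI command 'show running-config' issued by admin"),
]


def route_events(events=SAMPLE_EVENTS) -> list:
    """[(text, sorted destination names)] for each event."""
    return [(text, sorted(destinations_for(level))) for level, text in events]


if __name__ == "__main__":
    for text, dests in route_events():
        print("%-55s -> %s" % (text, ", ".join(dests)))
    print(format_remote(SEVERITY["notifications"], "N3048", "Interface Gi1/0/24 link up"))
```

Worth noticing: with these thresholds the CLI command audit record (informational) reaches only the remote server, so if accountability for administrator actions is the goal, the syslog server, not the RAM log or flash file, is where that evidence has to be collected and retained.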
Configuring Email Alerting The commands in this example define the SMTP server to use for sending email alerts. The mail server does not require authentication and uses the standard TCP port for SMTP, port 25, which are the default values. Only Emergency messages (severity level 0) will be sent immediately as individual emails, and messages with a severity of alert, critical, and error (levels 1-3) will be sent in a single email every 120 minutes.
2 Configure the username and password that the switch must use to authenticate with the mail server.
console(Mail-Server)#username switchN3048
console(Mail-Server)#password passwordN3048
console(Mail-Server)#exit
3 Configure emergencies and alerts to be sent immediately, and all other messages to be sent in a single email every 120 minutes.
Email Alert Trap Severity Level................ 6
Email Alert Notification Period................ 120 min
Email Alert To Address Table:
For Msg Type..........................1
Address1..............................administrator@dell.com
For Msg Type..........................2
Address1..............................administrator@dell.com
Email Alert Subject Table :
For Msg Type 1, subject is............LOG MESSAGES - EMERGENCY
For Msg Type 2, subject is............
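The urgent/non-urgent split in this example is a timing rule as much as a severity rule: severity 0 goes out as one email per message, while severities 1 to 3 accumulate and leave together when the 120-minute notification period elapses. The following is an added simulation of that behaviour, not Dell's implementation; the event timeline, the message texts and the class name are constructed, and the mapping of severity 0 to urgent and 1 to 3 to non-urgent is taken from the description at the start of this example.

```python
"""Added example (not the switch's own code): simulates how email alerting
splits messages into urgent (sent at once) and non-urgent (batched once per
notification period).  Events and names are constructed."""
from dataclasses import dataclass, field

URGENT_LEVEL = 0           # emergencies: one email per message
NON_URGENT_MAX = 3         # alerts, critical, errors: batched digest
DEFAULT_PERIOD_MIN = 120   # notification period from the example


@dataclass
class EmailAlerter:
    period_min: int = DEFAULT_PERIOD_MIN
    pending: list = field(default_factory=list)   # queued non-urgent lines
    sent: list = field(default_factory=list)      # (minute, kind, [lines])
    last_flush: int = 0

    def log(self, minute: int, level: int, text: str) -> None:
        """Called for every log message; decide urgent, batched, or not emailed."""
        self.tick(minute)
        if level == URGENT_LEVEL:
            self.sent.append((minute, "urgent", [text]))
        elif level <= NON_URGENT_MAX:
            self.pending.append(text)
        # levels 4-7 are below the email threshold and are never emailed

    def tick(self, minute: int) -> None:
        """Flush the non-urgent queue once the notification period has elapsed."""
        if minute - self.last_flush >= self.period_min:
            if self.pending:
                self.sent.append((minute, "non-urgent", list(self.pending)))
                self.pending.clear()
            self.last_flush = minute


def run_sample() -> list:
    """Constructed timeline (minutes); returns the emails that would be sent."""
    alerter = EmailAlerter()
    alerter.log(0, 2, "Power supply 1 failed")          # critical: queued
    alerter.log(5, 0, "System temperature critical")    # emergency: sent now
    alerter.log(40, 3, "SNTP server unreachable")       # error: queued
    alerter.log(90, 6, "Interface Gi1/0/1 link up")     # informational: ignored
    alerter.tick(120)                                   # period elapsed: digest
    return alerter.sent


if __name__ == "__main__":
    for minute, kind, lines in run_sample():
        print("t=%3d min  %-10s %s" % (minute, kind, "; ".join(lines)))
```

The consequence for monitoring is that a critical event logged just after a digest goes out can sit for almost a full period before anyone is emailed about it; if that is too long for a given message class, the fix is to raise it to the urgent class or shorten the period, not to rely on the digest.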
12 Managing General System Settings

Dell Networking N1500, N2000, N3000, and N4000 Series Switches

This chapter describes how to set system information, such as the hostname, and time settings, and how to select the Switch Database Management (SDM) template to use on the switch. For the Dell Networking N1500, N2000, and N3000 Series switches, this chapter also describes how to configure the Power over Ethernet (PoE) settings.
Table 12-1. System Information (Continued)

Feature        Description
CLI Banner     Displays a message upon connecting to the switch or logging on to the switch by using the CLI.
SDM Template   Determines the maximum resources a switch or router can use for various features. For more information, see "What Are SDM Templates?" on page 391.

The switch can obtain the time from a Simple Network Time Protocol (SNTP) server, or the time can be set manually.
Why Does System Information Need to Be Configured? Configuring system information is optional. However, it can be helpful in providing administrative information about the switch. For example, if an administrator manages several standalone Dell Networking N-Series switches and has Telnet sessions open with several different switches, the system name can help quickly identify the switch because the host name replaces console as the CLI command prompt.
Table 12-3.
SDM Template Configuration Guidelines When the switch is configured to use an SDM template that is not currently in use, the switch must be reloaded for the configuration to take effect. NOTE: If a unit is attached to a stack and its template does not match the stack's template, then the new unit will automatically reboot using the template used by the management unit. To avoid the automatic reboot, you may first set the template to the template used by the management unit.
Requesting the time from a unicast SNTP server is more secure. Use this method if you know the IP address of the SNTP server on your network. If you allow the switch to receive SNTP broadcasts, any clock synchronization information is accepted, even if it has not been requested by the device. This method is less secure than polling a specified SNTP server. To increase security, authentication can be required between the configured SNTP server and the SNTP client on the switch.
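The security difference between the two SNTP modes comes down to what the client can verify. A unicast client sends its own transmit timestamp and can insist that the reply echo it in the originate field, so an unsolicited packet is rejected; a broadcast listener has nothing to compare against and accepts any well-formed mode-5 packet on the wire. The following added example, not Dell's code, builds both kinds of packet from constructed timestamps and shows the checks each mode can and cannot make (the checks follow RFC 4330 section 5; the function names are this example's own).

```python
"""Added example (not the switch's own code): what a unicast SNTP client can
verify that a broadcast listener cannot.  All packets are constructed."""
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER, MODE_BROADCAST = 3, 4, 5
LI_ALARM = 3                     # leap indicator 3: clock not synchronized


def ntp_timestamp(unix_seconds: float) -> tuple:
    """(seconds, fraction) NTP timestamp for a Unix time."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return secs, frac


def build_request(xmt: tuple) -> bytes:
    """48-byte SNTPv4 client request carrying our transmit timestamp."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | MODE_CLIENT      # LI=0, VN=4, mode=3
    pkt[40:48] = struct.pack("!II", *xmt)
    return bytes(pkt)


def parse(pkt: bytes) -> dict:
    if len(pkt) < 48:
        raise ValueError("short SNTP packet")
    ref, orig, recv, xmt = (struct.unpack("!II", pkt[o:o + 8]) for o in (16, 24, 32, 40))
    return {"li": pkt[0] >> 6, "vn": (pkt[0] >> 3) & 7, "mode": pkt[0] & 7,
            "stratum": pkt[1], "reference": ref, "originate": orig,
            "receive": recv, "transmit": xmt}


def build_server_reply(request: bytes, stratum: int, now: tuple) -> bytes:
    """Constructed reply from a well-behaved unicast server."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | MODE_SERVER
    pkt[1] = stratum
    pkt[24:32] = struct.pack("!II", *parse(request)["transmit"])   # echo ours
    pkt[32:40] = struct.pack("!II", *now)
    pkt[40:48] = struct.pack("!II", *now)
    return bytes(pkt)


def build_broadcast(stratum: int, now: tuple) -> bytes:
    """Constructed broadcast packet: no originate field to tie it to anyone."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | MODE_BROADCAST
    pkt[1] = stratum
    pkt[40:48] = struct.pack("!II", *now)
    return bytes(pkt)


def accept_unicast_reply(request: bytes, reply: bytes) -> str:
    """'ok' or the reason a polled client rejects the reply."""
    try:
        r = parse(reply)
    except ValueError as exc:
        return str(exc)
    if r["mode"] != MODE_SERVER:
        return "not a server reply"
    if r["li"] == LI_ALARM:
        return "server clock not synchronized"
    if not 1 <= r["stratum"] <= 15:
        return "invalid stratum"
    if r["originate"] != parse(request)["transmit"]:
        return "originate timestamp does not match our request"
    if r["transmit"] == (0, 0):
        return "zero transmit timestamp"
    return "ok"


def accept_broadcast(pkt: bytes) -> str:
    """All a broadcast listener can check: packet format, not provenance."""
    try:
        r = parse(pkt)
    except ValueError as exc:
        return str(exc)
    if r["mode"] != MODE_BROADCAST:
        return "not a broadcast"
    if r["li"] == LI_ALARM or not 1 <= r["stratum"] <= 15 or r["transmit"] == (0, 0):
        return "unusable"
    return "ok"
```

The originate-timestamp match is the unicast client's only link between a reply and the request it actually sent, which is why polling a known server is the mode to prefer and why, when broadcast mode is nevertheless required, the guide's suggestion of enabling SNTP authentication is the compensating control.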
What Are the Key PoE Plus Features for the Dell Networking N1524P/N1548P, N2024P/N2048P, and N3024P/N3048P Switches?

Table 12-4 describes some of the key PoE Plus features the switches support.

Table 12-4. PoE Plus Key Features

Feature                  Description
Global Usage Threshold   Provides the ability to specify a power limit as a percentage of the maximum power available to PoE ports. Setting a limit prevents the PoE switch from reaching an overload condition.
Default General System Information By default, no system information or time information is configured, and the SNTP client is disabled. The default SDM Template applied to the switch is the Dual IPv4-IPv6 template. The following table shows the default PoE Plus settings for the Dell Networking N1524P/N1548P, N2024P /N2048P, and N3024P/N3048P switches. Table 12-5.
Dynamic/Static Power Management Mode In this mode, the dynamic guard band is: • Class 0 device: User-defined power limit for the port being powered up (this value can be found with the command show power inline interface-id detailed). By default, 32 Watts. • Class 1 device: 4 Watts. • Class 2 device: 7 Watts. • Class 3 device: 15.4 Watts. • Class 4 device: User defined power limit.
Figure 12-1. System Information

Initiating a Telnet Session from the Web Interface
NOTE: The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions. Initiating this feature from any browser running on a Linux operating system is not supported.
To launch a Telnet session:
1 From the System General System Information page, click the Telnet link.
2 Click the Telnet button.
Figure 12-2. Telnet
3 Select the Telnet client, and click OK.
Figure 12-3.
The selected Telnet client launches and connects to the switch CLI.
Figure 12-4.
CLI Banner
Use the CLI Banner page to configure a message for the switch to display when a user connects to the switch by using the CLI. Different banners can be configured for various CLI modes and access methods. To display the CLI Banner page, click System General CLI Banner in the navigation panel.
Figure 12-5.

SDM Template Preference
Use the SDM Template Preference page to view information about template resource settings and to select the template that the switch uses. If a new SDM template is selected for the switch to use, the switch must be rebooted before the template is applied. To display the SDM Template Preference page, click System General SDM Template Preference in the navigation panel.
Figure 12-6.

Clock
If the switch is not configured to obtain the system time from an SNTP server, the date and time can be manually set on the switch using the Clock page. The Clock page also displays information about the time settings configured on the switch. To display the Clock page, click System Time Synchronization Clock in the navigation panel.
Figure 12-7. Clock
NOTE: The system time cannot be set manually if the SNTP client is enabled.

SNTP Global Settings
Use the SNTP Global Settings page to enable or disable the SNTP client, configure whether and how often the client sends SNTP requests, and determine whether the switch can receive SNTP broadcasts. To display the SNTP Global Settings page, click System Time Synchronization SNTP Global Settings in the navigation panel.
Figure 12-8.

SNTP Authentication
Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID.
NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.

Figure 12-10. Add Authentication Key
3 Enter a numerical encryption key ID and an authentication key in the appropriate fields.
4 If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box. If the check box is clear, the key is untrusted and cannot be used for authentication.
5 Click Apply. The SNTP authentication key is added, and the device is updated.
To view all configured authentication keys, click the Show All link. The Authentication Key Table displays.
SNTP Server
Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers. To display the SNTP Server page, click System Time Synchronization SNTP Server in the navigation panel. If no servers have been configured, the fields in the following image are not displayed.
Figure 12-12.

Figure 12-13. Add SNTP Server
3 In the SNTP Server field, enter the IP address or host name for the new SNTP server.
4 Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS).
5 If authentication is required between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use. To define a new encryption key, see "Adding an SNTP Authentication Key" on page 406.
To view all configured SNTP servers, click the Show All link. The SNTP Server Table displays. The SNTP Server Table page can also be used to remove or edit existing SNTP servers.
Figure 12-14.

Summer Time Configuration
Use the Summer Time Configuration page to configure summer time (daylight saving time) settings. To display the Summer Time Configuration page, click System Time Synchronization Summer Time Configuration in the navigation panel.
Figure 12-15. Summer Time Configuration
NOTE: The fields on the Summer Time Configuration page change when the Recurring check box is selected or cleared.

Time Zone Configuration
Use the Time Zone Configuration page to configure time zone information, including the amount of time the local time is offset from UTC and the acronym that represents the local time zone. To display the Time Zone Configuration page, click System Time Synchronization Time Zone Configuration in the navigation panel.
Figure 12-16.
Card Configuration
Use the Card Configuration page to control the administrative status of the rear-panel expansion slots (Slot 1 or Slot 2) and to configure the plug-in module to use in the slot. To display the Card Configuration page, click Switching Slots Card Configuration in the navigation panel.
Figure 12-17.

Slot Summary
Use the Slot Summary page to view information about the expansion slot status. To display the Slot Summary page, click Switching Slots Summary in the navigation panel.
Figure 12-18.

Supported Cards
Use the Supported Cards page to view information about the supported plug-in modules for the switch. To display the Supported Cards page, click Switching Slots Supported Cards in the navigation panel.
Figure 12-19.

Power Over Ethernet Global Configuration (Dell Networking N1524P/N1548P, N2024P/N2048P, and N3024P/N3048P Only)
Use the PoE Global Configuration page to configure the PoE settings for the switch. To display the PoE Global Configuration page, click System General Power over Ethernet Global Configuration in the navigation panel.
Figure 12-20.

Power Over Ethernet Interface Configuration (Dell Networking N1524P/N1548P, N2024P/N2048P, and N3024P/N3048P Only)
Use the PoE Interface Configuration page to configure the per-port PoE settings. This page also provides access to the PoE Counters table and PoE Port Table. The PoE Port Table allows viewing and configuring PoE settings for multiple ports on the same page.
To view PoE statistics for each port, click Counters.
Figure 12-22. PoE Counters Table
To view the PoE Port Table, click Show All.
Figure 12-23. PoE Port Table
If you change any settings for one or more ports on the PoE Port Table page, click Apply to update the switch with the new settings.
Configuring System Settings (CLI)
This section provides information about the commands used for configuring system information and time settings on the Dell Networking N1500, N2000, N3000, and N4000 Series switches. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring System Information
Beginning in Privileged EXEC mode, use the following commands to configure system information.

Configuring the Banner
Beginning in Privileged EXEC mode, use the following commands to configure the MOTD, login, or User EXEC banner. The switch supports the following banner messages:
• MOTD—Displays when a user connects to the switch.
• Login—Displays after the MOTD banner and before the login prompt.
• Exec—Displays immediately after the user logs on to the switch.
Command | Purpose
configure | Enter Global Configuration mode.

Managing the SDM Template
Beginning in Privileged EXEC mode, use the following commands to set the SDM template preference and to view information about the available SDM templates.
Command | Purpose
configure | Enter Global Configuration mode.
sdm prefer {dual-ipv4-and-ipv6 default | ipv4-routing {data-center | default}} | Select the SDM template to apply to the switch after the next boot.
CTRL + Z | Exit to Privileged EXEC mode.

Command | Purpose
sntp trusted-key key_id | Specify the authentication key the SNTP server must include in SNTP packets that it sends to the switch. The key_id number must be an encryption key ID defined in the previous step.
sntp authenticate | Require authentication for communication with the SNTP server. A trusted key must be configured before this command is executed.
sntp server {ip_address | ... | Define the SNTP server.
Setting the System Time and Date Manually
Beginning in Privileged EXEC mode, use the following commands to configure the time and date, time zone, and summer time settings.
Command | Purpose
clock set {mm/dd/yyyy hh:mm:ss | hh:mm:ss mm/dd/yyyy} | Configure the time and date. Enter the time first and then the date, or the date and then the time.
• hh:mm:ss — Time in hours (24-hour format, from 01-24), minutes (00-59), and seconds (00-59).

Command | Purpose
clock summer-time date {date month | month date} year hh:mm {date month | month date} year hh:mm [offset offset] [zone acronym] | Use this command if the summer time does not start and end every year according to a recurring pattern. Enter the month and then the date, or the date and then the month.
• date — Day of the month. (Range: 1-31.)
• month — Month. (Range: The first three letters by name.)
• hh:mm — Time in 24-hour format in hours and minutes.

Viewing Slot Information (Dell Networking N4000 Series Only)
Use the following commands to view information about Slot 0 and its support.
Command | Purpose
show slot | Display status information about the expansion slots.
show supported cardtype | Display information about the modules the switch supports.

Configuring PoE Settings (Dell Networking N1524P/N1548P, N2024P/N2048P, and N3024P/N3048P Only)
Beginning in Privileged EXEC mode, use the following commands to configure PoE information.
Command | Purpose
power inline {auto | never} | Set the PoE device discovery admin mode.
• auto — Enables the device discovery protocol and, if a device is found, supplies power to the device.
• never — Disables the device discovery protocol and stops supplying power to the device.
power inline priority {critical | high | low} | Configures the port priority level for the delivery of power to an attached device.
power inline high-power | Configure the port high-power mode for connected-device compatibility.
General System Settings Configuration Examples
This section contains the following examples:
• Configuring System and Banner Information
• Configuring SNTP
• Configuring the Time Manually

Configuring System and Banner Information
In this example, an administrator configures the following system information:
• System name: N2048
• System contact: Jane Doe
• System location: RTP100
• Asset tag: 006429
The administrator then configures the MOTD banner to alert other switch administrators of the c

System Location: RTP100
Burned In MAC Address: 001E.C9AA.AA07
System Object ID: 1.3.6.1.4.1.674.10895.3035
System Model ID: N2048
Machine Type: Dell Networking N2048
Temperature Sensors:
Unit Temperature (Celsius) Status
---- --------------------- ------
1    43                    OK
Power Supplies:
Unit Description Status Source
---- ----------- ------ ------
1    Main        OK     AC
1    Secondary   Error  DC
5 View additional information about the system.
Figure 12-24.
Configuring SNTP
The commands in this example configure the switch to poll an SNTP server to synchronize the time. Additionally, the SNTP sessions between the client and server must be authenticated. To configure the switch:
1 Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.

4 View the SNTP status on the switch.
console#show sntp status
Client Mode: Unicast
Last Update Time: MAR 01 09:12:43 2010
Unicast servers:
Server          Status       Last response
--------------- ------------ ---------------------
192.168.10.
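The authentication that sntp trusted-key and sntp authenticate enforce is the keyed-MD5 authenticator of RFC 5905 (key ID plus MD5 over the key and the 48-byte header). The following is an added, constructed example, not code from the Dell guide: it builds such a reply and checks it the way a client with authentication required and unicast polling would, rejecting unauthenticated packets, untrusted key IDs, broadcast-mode packets and bad MACs. The key, key ID and timestamp values are made up.

```python
"""Constructed example (not from the Dell guide): the keyed-MD5 authenticator that
the switch's `sntp trusted-key` and `sntp authenticate` settings rely on.
Key IDs, keys and the packet contents below are made up for illustration."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed SNTP/NTP header, RFC 4330 / RFC 5905
MD5_MAC_LEN = 4 + 16     # 4-byte key ID followed by a 16-byte MD5 digest


def build_sntp_response(key_id, key, transmit_ts, stratum=2, mode=4):
    """Build a minimal SNTPv4 reply (mode 4 = server, mode 5 = broadcast) and
    append the authenticator: key ID || MD5(key || 48-byte header)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode                      # LI=0, version 4
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # poll, precision
    header += struct.pack("!II", 0, 0)                           # root delay/dispersion
    header += b"LOCL"                                            # reference ID
    header += struct.pack("!Q", transmit_ts)                     # reference timestamp
    header += struct.pack("!Q", 0)                               # originate timestamp
    header += struct.pack("!Q", transmit_ts)                     # receive timestamp
    header += struct.pack("!Q", transmit_ts)                     # transmit timestamp
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_sntp_response(packet, keys, trusted_key_ids):
    """Check a reply as a client with authentication required would.

    keys: {key_id: key bytes}, the configured authentication keys.
    trusted_key_ids: the subset of key IDs marked as trusted.
    Returns (ok, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet (no MAC) rejected"
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return False, "unexpected packet length %d" % len(packet)
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if header[0] & 0x07 == 5:
        return False, "broadcast-mode packet rejected (unicast polling only)"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_key_ids:
        return False, "key ID %d is not a trusted key" % key_id
    key = keys.get(key_id)
    if key is None:
        return False, "no key configured for key ID %d" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time comparison
        return False, "MAC mismatch: wrong key or tampered packet"
    return True, "authenticated with key ID %d" % key_id


if __name__ == "__main__":
    keys = {1: b"constructed-secret"}
    reply = build_sntp_response(1, keys[1], 0xE3000000_00000000)
    print(verify_sntp_response(reply, keys, {1}))    # accepted
    print(verify_sntp_response(reply, keys, set()))  # key 1 not trusted
    print(verify_sntp_response(reply[:48], keys, {1}))  # MAC stripped
```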
Configuring the Time Manually
The commands in this example manually set the system time and date. The time zone is set to Eastern Standard Time (EST), which has an offset of -5 hours. Summer time is enabled and uses the pre-configured United States settings. To configure the switch:
1 Configure the time zone offset and acronym.
console#configure
console(config)#clock timezone -5 zone EST
2 Configure the summer time (daylight saving time) to use the preconfigured settings for the United States.

13 SNMP
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
The topics covered in this chapter include:
• SNMP Overview
• Default SNMP Values
• Configuring SNMP (Web)
• Configuring SNMP (CLI)
• SNMP Configuration Examples

SNMP Overview
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The Dell Networking N-Series switches support SNMP version 1, SNMP version 2, and SNMP version 3. Dell Networking switches support SNMP over IPv4 only.
The SNMP agent maintains a list of variables that are used to manage the switch. The variables are defined in the MIB. The MIB presents the variables controlled by the agent. The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agent are controlled by access strings. SNMP v3 also applies access control and a new traps mechanism to SNMPv1 and SNMPv2 PDUs.
Various features can be configured on the switch to generate SNMP traps that inform the NMS about events or problems that occur on the switch. Traps generated by the switch can also be viewed locally by using the web-based interface or CLI.

Why Is SNMP Needed?
Some network administrators prefer to use SNMP as the switch management interface. Settings that you view and configure by using the web-based Dell OpenManage Switch Administrator and the CLI are also available by using SNMP.

Table 13-1. SNMP Defaults
Parameter | Default Value
QoS traps | Enabled
Multicast traps | Disabled
Captive Portal traps | Disabled
OSPF traps | Disabled
Table 13-2 describes the two views that are defined by default.
Table 13-2. SNMP Default Views
View Name | OID Subtree | View Type
Default | iso | Included
Default | snmpVacmMIB | Excluded
Default | usmUser | Excluded
Default | snmpCommunityTable | Excluded
DefaultSuper | iso | Included
By default, three groups are defined. Table 13-3 describes the groups.
Configuring SNMP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
NOTE: For some features, the control to enable or disable traps is available from a configuration page for that feature and not from the Trap Manager pages that this chapter describes.

SNMP View Settings
Use the SNMP View Settings page to create views that define which features of the device are accessible and which are blocked. A view can be created that includes or excludes OIDs corresponding to interfaces. To display the View Settings page, click System SNMP View Settings in the navigation panel.
Figure 13-2. SNMP View Settings
Adding an SNMP View
To add a view:
1 Open the View Settings page.
2 Click Add.
Figure 13-3. Add View
3 Specify a name for the view and a valid SNMP OID string.
4 Select the view type.
5 Click Apply. The SNMP view is added, and the device is updated.
Click Show All to view information about configured SNMP Views.

Access Control Group
Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects. To display the Access Control Group page, click System SNMP Access Control in the navigation panel.
Figure 13-4. SNMP Access Control Group
Adding an SNMP Group
To add a group:
1 Open the Access Control Configuration page.
2 Click Add.
Figure 13-5. Add Access Control Group
3 Specify a name for the group.
4 Select a security model and level.
5 Define the context prefix and the operation.
6 Click Apply to update the switch.
Click Show All to view information about existing access control configurations.
SNMPv3 User Security Model (USM)
Use the User Security Model page to assign system users to SNMP groups and to define the user authentication method.
NOTE: The Local User Database page under Management Security can also be used for configuring SNMPv3 settings for users. For more information, see "Authentication, Authorization, and Accounting" on page 229.
To display the User Security Model page, click System SNMP User Security Model in the navigation panel.
Figure 13-6.

Figure 13-7. Add Local Users
3 Define the relevant fields.
4 Click Apply to update the switch.
Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Adding Remote SNMPv3 Users to a USM
To add remote users:
1 Open the SNMPv3 User Security Model page.
2 Click Add Remote User.
Figure 13-8. Add Remote Users
3 Define the relevant fields.
4 Click Apply to update the switch.
Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Communities
Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page. When the community names are changed, access rights are also changed. SNMP Communities are defined only for SNMP v1 and SNMP v2. To display the Communities page, click System SNMP Communities in the navigation panel.
Figure 13-9. SNMP Communities
Adding SNMP Communities
To add a community:
1 Open the Communities page.
2 Click Add.
Figure 13-10. Add SNMPv1,2 Community
3 Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch.
4 Select the access mode.
5 Click Apply to update the switch.
Click Show All to view the communities that have already been configured.
Notification Filter
Use the Notification Filter page to filter traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications. To display the Notification Filter page, click System SNMP Notification Filters in the navigation panel.
Figure 13-11. SNMP Notification Filter
Adding a Notification Filter
To add a filter:
1 Open the Notification Filter page.
2 Click Add.
Figure 13-12. Add Notification Filter
3 Specify the name of the filter and the OID for the filter.
4 Choose whether to send (include) traps or informs to the trap recipient or prevent the switch from sending (exclude) the traps or informs.
5 Click Apply to update the switch.
Click Show All to view information about the filters that have already been configured.

Figure 13-13. SNMP Notification Recipient
Adding a Notification Recipient
To add a recipient:
1 Open the Notification Recipient page.
2 Click Add.
Figure 13-14. Add Notification Recipient
3 Specify the IP address or hostname of the host to receive notifications.
4 Select whether to send traps or informs to the specified recipient.
5 Define the relevant fields for the SNMP version you use.
6 Configure information about the port on the recipient.
7 Click Apply to update the switch.
Click Show All to view information about the recipients that have already been configured.

To access the Trap Flags page, click Statistics/RMON Trap Manager Trap Flags in the navigation panel.
Figure 13-15. Trap Flags
OSPFv2 Trap Flags
The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
Figure 13-16. OSPFv2 Trap Flags
OSPFv3 Trap Flags
The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log. To access the OSPFv3 Trap Flags page, click Statistics/RMON Trap Manager OSPFv3 Trap Flags in the navigation panel.
Figure 13-17. OSPFv3 Trap Flags
Trap Log
The Trap Log page is used to view entries that have been written to the trap log. To access the Trap Log page, click Statistics/RMON Trap Manager Trap Log in the navigation panel.
Figure 13-18. Trap Logs
Click Clear to delete all entries from the trap log.
Configuring SNMP (CLI)
This section provides information about the commands you use to manage and view SNMP features on the switch. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring the SNMPv3 Engine ID
To use SNMPv3, the switch must have an engine ID configured. The default string that is generated using the MAC address of the switch can be used, or another value can be specified.
Command | Purpose
snmp-server engineID local {engineid-string | default} | Configure the SNMPv3 Engine ID.
• engineid-string — The character string that identifies the engine ID. The engine ID is a concatenated hexadecimal string. Each byte in hexadecimal character strings is two hexadecimal digits. Each byte can be separated by a period or colon. (Range: 6-32 characters.)
• default — The engineID is created automatically, based on the device MAC address.
exit | Exit to Privileged EXEC mode.

Command | Purpose
snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify view-name]} [context view-name] [read view-name] [write view-name] | Specify the identity string of the receiver and set the receiver timeout value.
• groupname — Specifies the name of the group. (Range: 1-30 characters.)
• v1 — Indicates the SNMP Version 1 security model.
• v2 — Indicates the SNMP Version 2 security model.
• v3 — Indicates the SNMP Version 3 security model.

Command | Purpose
snmp-server user username groupname [remote engineid-string] [{auth-md5 password | auth-sha password | ... | Configure a new SNMPv3 user.
• username — Specifies the name of the user on the host that connects to the agent. (Range: 1-30 characters.)
• groupname — Specifies the name of the group to which the user belongs. (Range: 1-30 characters.)

Command | Purpose (continued)
• des-key — A pregenerated DES encryption key. Length is determined by the authentication method selected: 32 hex characters if MD5 Authentication is selected, 48 hex characters if SHA Authentication is selected.
• priv-aes128 — The CBC-AES128 Symmetric Encryption privacy level. Enter a password.
• priv-aes128-key — The CBC-AES128 Symmetric Encryption privacy level. The user must enter a pregenerated MD5 or SHA key depending on the authentication level selected.
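The auth-md5/auth-sha password given to snmp-server user, and any pregenerated key, only becomes the key the agent actually uses after the RFC 3414 password-to-key and key-localization steps, which bind it to the engine ID configured with snmp-server engineID. The following is an added, constructed example rather than Dell's implementation: it parses an engine ID written as colon- or period-separated hex bytes (the form the guide describes) and derives the localized key; the only real values are the published RFC 3414 Appendix A.3 test vectors, so a practitioner can confirm a pregenerated key against a known answer.

```python
"""Constructed example (not Dell's implementation): RFC 3414 password-to-key and
key localization, the transformation that binds an auth-md5/auth-sha password
(or a pregenerated key) to one SNMPv3 engine ID.  Also parses an engine ID
given as colon- or period-separated hex bytes.  The only real values are the
RFC 3414 Appendix A.3 test vectors ("maplesyrup", engine ID 00..00 02)."""
import hashlib
import re

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}   # auth-md5 / auth-sha


def parse_engine_id(text):
    """'00:00:...:02', '00.00....02' or bare hex -> bytes.

    Every byte must be exactly two hex digits; RFC 3411 limits an engine ID
    to 5..32 octets."""
    text = text.strip()
    if re.search(r"[.:]", text):
        parts = re.split(r"[.:]", text)
    else:
        parts = [text[i:i + 2] for i in range(0, len(text), 2)]
    for p in parts:
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", p):
            raise ValueError("engine ID byte %r is not two hex digits" % p)
    engine_id = bytes(int(p, 16) for p in parts)
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5..32 octets, got %d" % len(engine_id))
    return engine_id


def password_to_key(password, algo):
    """RFC 3414 A.2: Ku = H(password repeated/truncated to exactly 1 MiB)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    h = HASHES[algo]()
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku, engine_id, algo):
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku).  Changing the engine ID
    changes the key, which is why a remote user needs that engine's ID."""
    return HASHES[algo](ku + engine_id + ku).digest()


def localized_key_hex(password, engine_id_text, algo):
    """Hex form of the key the agent with this engine ID actually uses."""
    engine_id = parse_engine_id(engine_id_text)
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()


if __name__ == "__main__":
    eid = "00:00:00:00:00:00:00:00:00:00:00:02"      # RFC 3414 A.3 engine ID
    print("md5", localized_key_hex("maplesyrup", eid, "md5"))
    print("sha", localized_key_hex("maplesyrup", eid, "sha"))
```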
Command | Purpose
snmp-server community string [ro | rw | su] [view view-name] [ipaddress ip_address] | Configure the community string and specify access criteria for the community.
• community-string — Acts as a password and is used to authenticate the SNMP management station to the switch. The string must also be defined on the NMS in order for the NMS to access the SNMP agent on the switch. (Range: 1-20 characters.)
• ro — Indicates read-only access.
• rw — Indicates read-write access.

Configuring SNMP Notifications (Traps and Informs)
Beginning in Privileged EXEC mode, use the following commands to allow the switch to send SNMP traps and to configure which traps are sent.
Command | Purpose
snmp-server host host-addr [informs [timeout seconds] [retries retries] | traps version {1 | 2}] community-string [udpport port] [filter filtername] | For SNMPv1 and SNMPv2, identify the system to receive SNMP traps or informs.
• host-addr — Specifies the IP address of the host (targeted recipient) or the name of the host. (Range: 1-158 characters.)

Command | Purpose
snmp-server v3-host {ip-address | hostname} username {traps | informs} [noauth | auth | priv] [timeout seconds] [retries retries] [udpport port] [filter filtername] | For SNMPv3, identify the system to receive SNMP traps or informs.
• ip-address — Specifies the IP address of the host (targeted recipient).
• hostname — Specifies the name of the host. (Range: 1-158 characters.)
• username — Specifies the user name used to generate the notification. (Range: 1-25 characters.)
SNMP Configuration Examples
This section contains the following examples:
• Configuring SNMPv1 and SNMPv2
• Configuring SNMPv3

Configuring SNMPv1 and SNMPv2
This example shows how to complete a basic SNMPv1/v2 configuration. The commands enable read-only access from any host to all objects on the switch using the community string public, and enable read-write access from any host to all objects on the switch using the community string private.

public DefaultRead All
Traps are enabled.
Authentication trap is enabled.
Version 1,2 notifications
Target Addr.  Type Community Version UDP Port Filter Name TO Sec
------------  ---- --------- ------- -------- ----------- ------
192.168.3.65  Trap public    1       162
Version 3 notifications
Target Addr.

console(config)#snmp-server v3-host 192.168.3.35 admin traps auth
console(config)#exit
5 View the current SNMP configuration on the switch. The output includes the SNMPv1/2 configuration in the previous example.

DefaultSuper iso Included
console#show snmp group
Name Context Model Prefix ------------ -------- -----DefaultRead "" V1 DefaultRead "" V2 DefaultSuper "" V1 DefaultSuper "" V2 DefaultWrite "" V1 DefaultWrite "" V2 group_snmpv3 "" V3 Security Level -------NoAuthNoPriv NoAuthNoPriv NoAuthNoPriv NoAuthNoPriv NoAuthNoPriv NoAuthNoPriv AuthNoPriv Read Views Write -------- -----Default "" ------Default Default Default "" DefaultSuDefault per Super DefaultSuDefault per Super Default Defaul
14 Images and File Management
This chapter describes how to upload, download, and copy files, such as firmware images and configuration files, on the switch.

Table 14-1. Files to Manage
File | Action | Description
image | Download, Upload, Copy | Firmware for the switch. The switch can maintain two images: the active image and the backup image.
startup-config | Download, Upload, Copy | Contains the software configuration that loads during the boot process.
running-config | Download, Upload, Copy | Contains the current switch configuration.
backup-config | Download, Upload, Copy | An additional configuration file that serves as a backup.

Table 14-1. Files to Manage
File | Action | Description
SSL certificate files | Download | Contains information to encrypt, authenticate, and validate HTTPS sessions.

Where the switch name is:
• N4000 — Dell Networking N4000 Series switch firmware for N4032, N4032F, N4064, N4064F.
• N3000_N2000 — Dell Networking N2000/N3000 Series switch firmware for N2024, N2048, N2024P, N2048P, N3024, N3024P, N3024F, N3048, N3048P.
• N3000_BGP — Dell Networking N3000 Series switch firmware for N3024, N3024P, N3024F, N3048, N3048P.
• N1500 — Dell Networking N1500 Series switch firmware for N1524, N1524P, N1548, N1548P.

• N3000_N2000v6.0.1.3.stk — Dell Networking N3000/N2000 Series switch firmware version 6.0.1.3. This is the third build for the first maintenance release for the 6.0 major release.
• N4000v6.1.0.1.stk — Dell Networking N4000 Series switch firmware version 6.1.0.1. This is the first build for the first minor release after the 6.0 major release, i.e., release 6.1.

Configuration Files
Configuration files contain the CLI commands that change the switch from its default configuration.
• To load the same configuration file on multiple switches
Use a text editor to open a configuration file and view or change its contents.

SSH/SSL Keys and Certificates
If you use OpenManage Switch Administrator to manage the switch over an HTTPS connection, you must import the appropriate certificate files to the switch (crypto key import).
Managing Images When you download a new image to the switch, it overwrites the backup image, if it exists. To use the new image, it must be activated and reloaded on the switch. The image that was previously the active image becomes the backup image after the switch reloads. If the switch is upgraded to a newer image and the image is found to be incompatible with the network, the switch can revert to the original image.
• The file extension must be .scr.
• A maximum of seven scripts are allowed on the switch.
• The combined size of all script files on the switch cannot exceed 2 MB.
• The maximum number of configuration file command lines is 2000.
Single-line annotations in the configuration file can be used to improve script readability. The exclamation point (!) character flags the beginning of a comment.

How Is the Running Configuration Saved?
Changes you make to the switch configuration while the switch is operating are written to the running-config. These changes are not automatically written to the startup-config. When you reload the switch, the startup-config file is loaded. If you reload the switch (or if the switch resets unexpectedly), any settings in the running-config that were not explicitly saved to the startup-config are lost.

Table 14-2. Features Included/Excluded in Access Router/Switch Image
Includes: iSCSI, DVLAN, MLAG, Auto-VoIP, Web interface for all features
Excludes: BGP, MVR, GARP

Aggregation Router Role
New naming format: N3000_BGPvA.B.C.D.stk. This image should only be downloaded to the Dell Networking N3000 Series switches. Table 14-3 shows the feature set for this image (features not shown are included in the image).
Table 14-3.
Managing Images and Files (Web)
This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

File System
Use the File System page to view a list of the files on the device and to modify the image file descriptions. To display the File System page, click System File Management File System in the navigation panel.

Active Images
Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch. On the Dell Networking N4000 Series switches, the images are named active and backup. To display the Active Images page, click System File Management Active Images in the navigation panel.
Figure 14-2.

USB Flash Drive
Use the USB Flash Drive page to view information about a USB flash drive connected to the USB port on the front panel of the switch. The page also displays information about the files stored on the USB flash drive. A USB flash drive must be un-mounted by the operator before removing it from the switch. If a new USB flash drive is installed without un-mounting the previous drive, the new flash drive may not be recognized.
File Download Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII), files from a remote server to the switch. To display the File Download page, click System File Management File Download in the navigation panel. Figure 14-4. File Download Downloading Files To download a file to the switch: 1 Open the File Download page. 2 Select the type of file to download to the switch. 3 Select the transfer mode.
If you select a transfer mode that requires authentication, additional fields appear in the Download section. If you select HTTP as the download method, some of the fields are hidden.
NOTE: If you are using HTTPS to manage the switch, the download method will be HTTPS.
4 To download using HTTP, click Browse and select the file to download, then click Apply.
File Upload
Use the File Upload to Server page to upload configuration (ASCII), image (binary), IAS user, operational log, and startup log files from the switch to a remote server. To display the File Upload to Server page, click System → File Management → File Upload in the navigation panel.
Figure 14-6. File Upload
Uploading Files
To upload a file from the switch to a remote system:
1 Open the File Upload page.
2 Select the type of file to upload to the remote server.
3 Select the transfer mode.
NOTE: If you are using HTTPS to manage the switch, the upload method will be HTTPS.
4 To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file.
Figure 14-7. File Upload
5 To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file. For SFTP and SCP, provide the user name and password.
6 Click Apply to begin the upload.
Copy Files
Use the Copy Files page to:
• Copy the active firmware image to one or all members of a stack.
• Copy the running, startup, or backup configuration file to the startup or backup configuration file.
• Restore the running configuration to the factory default settings.
To display the Copy Files page, click System → File Management → Copy Files in the navigation panel.
Figure 14-8.
Managing Images and Files (CLI)
This section provides information about the commands you use to upload, download, and copy files to and from the Dell Networking N1500, N2000, N3000, and N4000 Series switches. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. It also describes the commands that control the Auto Configuration feature.
NOTE: Upload, download, and copy functions use the copy command.
Command: boot system {image1 | image2}
Purpose: Set the image to use as the boot (active) image after the switch resets. Images on the N4032/N4064 are named active and backup. For Dell Networking N4000 Series switches, use the following command: boot system {active | backup}

Command: reload
Purpose: Reboot the switch to make the new image the active image. You are prompted to verify that you want to continue.
Managing Files in Internal Flash
Beginning in Privileged EXEC mode, use the following commands to copy, rename, delete and list the files in the internal flash.

Command: dir
Purpose: List the files in the flash file system.

Command: copy flash://filename usb://filename
Purpose: Copy a file from the internal flash to a USB flash drive. Use the dir command to see a list of the files that can be copied from the internal flash.
Managing Files on a USB Flash Device
Beginning in Privileged EXEC mode, use the following commands to manage files that are on a USB device that is plugged into the USB flash port on the front panel of the switch.

Command: show usb device
Purpose: Display USB flash device details.

Command: dir usb
Purpose: Display USB device contents and memory statistics.

Command: copy usb://filename {backup-config | image
Purpose: Copy the specified file from the USB flash device to the specified file in internal flash.
Managing Configuration Scripts (SFTP)
Beginning in Privileged EXEC mode, use the following commands to download a configuration script from a remote system to the switch, validate the script, and activate it.
NOTE: The startup-config and backup-config files are essentially configuration scripts and can be validated and applied by using the commands in this section.

Command: copy sftp://user@{ipaddress|hostname}/path
Purpose: Downloads the specified script from the remote server to the switch.
File and Image Management Configuration Examples
This section contains the following examples:
• Upgrading the Firmware
• Managing Configuration Scripts

Upgrading the Firmware
This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system.
• TFTP server IP address: 10.27.65.103
• File path: \image
• File name: dell_0308.
Figure 14-9. Image Path
3 View information about the current image.
console#show version
Image Descriptions
image1 : default image
image2 :
Images currently available on Flash
------- ------------ ------------ --------------- -------------
unit    image1       image2       current-active  next-active
------- ------------ ------------ --------------- -------------
1       4.1.0.7      5.0.0.8      image1          image1
4 Download the image to the switch. After you execute the copy command, you must verify that you want to start the download.
Destination Filename........................... image
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n)y
5 Activate the new image (backup) so that it becomes the active image after the switch resets. This step is not necessary if downloading to the active image. Use either the active or backup keyword, depending on which image you selected for replacement in step 4.
Are you sure you want to continue? (y/n)y
Reloading all switches...

Managing Configuration Scripts
This example shows how to create a configuration script that adds three hostname-to-IP address mappings to the host table. To configure the switch:
1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI.
Figure 14-10. Create Config Script
2 Save the file with an *.scr extension and copy it to the appropriate directory on your TFTP server.
TFTP Filename.................................. labhost.scr
Data Type...................................... Config Script
Destination Filename........................... labhost.scr
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
135 bytes transferred
Validating configuration script...
4 After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax.
6 Verify that the script was successfully applied.
console#show hosts
Host name: test
Name/address lookup is enabled
Name servers (Preference order): 192.168.3.20
Configured host name-to-address mapping:
Host                     Addresses
------------------------ -----------------------
labpc1                   192.168.3.56
labpc2                   192.168.3.58
labpc3                   192.168.3.
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
4 Download the new image from the USB flash drive to the switch. The image overwrites the backup image.
console#copy usb://new_image.stk backup
Mode................................... unknown
Data Type..............................
15 DHCP and USB Auto-Configuration
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
The topics covered in this chapter include:
• Auto Configuration Overview
• What Are the Dependencies for DHCP Auto Configuration?
• Default Auto Configuration Values
• Managing Auto Configuration (Web)
• Managing Auto Configuration (CLI)
• Auto Configuration Example

Auto Configuration Overview
The Auto Configuration feature can automatically update the firmware image and obtain configuration info
NOTE: Neither USB Configuration nor Auto Install is invoked if a saved startup configuration file is on the switch.

What Is USB Auto Configuration?
The USB Auto Configuration feature can be used to configure or upgrade one or more switches that have not been previously configured, such as when new switches are deployed.
files exist, the switch uses the dellswitch.text file. If only a *.stk file is present, the switch checks the .stk file version and loads it into the backup image if the version is later than the current active image. If multiple *.stk files are present, the switch checks the image with the highest (most recent) version. Finally, if no *.setup, *.text, or *.stk files are found, the switch proceeds to the DHCP Auto Configuration process.
different IP addresses to be assigned, but the same configuration file or image is downloaded to multiple switches. Alternatively, the line may contain a specific configuration or image file name, or both. After the current switch has been configured and/or upgraded and the completion message is displayed on the switch, the current line in the *.setup text file will be marked as used. This allows using the *.setup file for additional switches without manually changing the file.
single image for all switches being upgraded, it is not necessary to include the image file name in the .setup file as long as it is present on the USB device. The specified image file should exist on the USB device. What Is the Setup File Format? The setup file must have a *.setup extension or this part of the Auto Configuration process will never begin. If there are multiple .setup files located on the USB device, the dellswitch.setup file will be utilized. If no dellswitch.
NOTE: The downloaded configuration file is not automatically saved to startup-config. You must explicitly issue a save request (copy running-config startup-config) in order to save the configuration. If the downloaded configuration is not saved to the startup-config, DHCP auto configuration will be done every time the DHCP lease expires.

Obtaining IP Address Information
DHCP is enabled by default on the Out-of-Band (OOB) interface on Dell Networking N3000 and N4000 Series switches.
When a DHCP OFFER identifies the TFTP server more than once, the DHCP client selects one of the options in the following order: sname, option 66, option 150, siaddr. If the TFTP server is identified by hostname, a DNS server is required to translate the name to an IP address. The DHCP client on the switch also processes the name of the text file (option 125, the Vendor-Identifying Vendor-Specific Information option) which contains the path to the image file as noted below.
Option 125 also supports sub-option 6, which is the path to a configuration file on the TFTP server. Only the path name is relevant. Configure the DHCP server to use vendor ID 674 and the required sub-option 6 with a hexadecimal-encoded ASCII path value. If sub-option 6 is specified, the switch attempts to download the configuration file named after the DHCP-supplied host name (DHCP option 12) with a .cfg extension. If that file is not found on the TFTP server, the switch attempts to download the "host.cfg" file.
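As an added illustration (not Dell's code), the following Python builds and parses the option 125 value described above. It assumes the RFC 3925 layout (enterprise number, data length, then sub-options of code, length, data) and takes the enterprise number 674 and sub-options 5 and 6 from this chapter:

```python
"""Encode and decode DHCP option 125 (Vendor-Identifying Vendor-Specific
Information, RFC 3925) as used by the Dell auto-configuration client.

Added example, not Dell's code.  From the page: enterprise number 674,
sub-option 5 (image file path) and sub-option 6 (configuration file path),
carried as hex-encoded ASCII.  From RFC 3925: the option value is
enterprise-number (4 bytes), data-len (1 byte), then sub-options, each
(code 1 byte, len 1 byte, data).
"""
import struct

DELL_ENTERPRISE = 674
SUBOPT_IMAGE_PATH = 5    # page: option 125, sub-option 5
SUBOPT_CONFIG_PATH = 6   # page: option 125, sub-option 6


def encode_option125(paths: dict, enterprise: int = DELL_ENTERPRISE) -> bytes:
    """Return the option value (what follows the 125/len header on the wire).

    paths maps sub-option code -> ASCII path string.
    """
    body = b""
    for code, path in sorted(paths.items()):
        data = path.encode("ascii")           # page: hex-encoded ASCII only
        if not 0 <= code <= 255 or len(data) > 255:
            raise ValueError(f"sub-option {code} out of range")
        body += struct.pack("!BB", code, len(data)) + data
    if len(body) > 255:
        raise ValueError("vendor data exceeds the one-byte data-len")
    return struct.pack("!IB", enterprise, len(body)) + body


def option125_hex(paths: dict) -> str:
    """Hex string form, the value a DHCP server's raw-option setting takes."""
    return encode_option125(paths).hex()


def decode_option125(value: bytes) -> dict:
    """Parse an option-125 value into {enterprise: {sub-option: bytes}}.

    Every length is checked against its enclosing container, so a truncated
    or oversized sub-option raises instead of reading past the buffer.
    """
    result = {}
    pos, end = 0, len(value)
    while pos < end:
        if end - pos < 5:
            raise ValueError("truncated enterprise header")
        enterprise, data_len = struct.unpack_from("!IB", value, pos)
        pos += 5
        data_end = pos + data_len
        if data_end > end:
            raise ValueError("data-len runs past the end of the option")
        subs = {}
        while pos < data_end:
            if data_end - pos < 2:
                raise ValueError("truncated sub-option header")
            code, sub_len = value[pos], value[pos + 1]
            pos += 2
            if pos + sub_len > data_end:
                raise ValueError(f"sub-option {code} length runs past data-len")
            subs[code] = value[pos:pos + sub_len]
            pos += sub_len
        result[enterprise] = subs
    return result


def dell_paths(value: bytes) -> dict:
    """Extract the image and config paths the switch would act on."""
    subs = decode_option125(value).get(DELL_ENTERPRISE, {})
    return {
        "image": subs[SUBOPT_IMAGE_PATH].decode("ascii") if SUBOPT_IMAGE_PATH in subs else None,
        "config": subs[SUBOPT_CONFIG_PATH].decode("ascii") if SUBOPT_CONFIG_PATH in subs else None,
    }
```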
Obtaining the Configuration File
If the DHCP OFFER identifies a configuration file, either as option 67 or in the file field of the DHCP header, the switch attempts to download the configuration file.
NOTE: The configuration file is required to have a file name that matches the following pattern: "*.cfg"
The TFTP client makes three unicast requests. If the unicast attempts fail, or if the DHCP OFFER did not specify a TFTP server address, the TFTP client makes three broadcast requests.
Table 15-1 summarizes the config files that may be downloaded and the order in which they are sought.
Table 15-1. Configuration File Possibilities
Order Sought | File Name    | Description                                                 | Final File Sought
1            | bootfile.cfg | Host-specific config file, ending in a *.cfg file extension | Yes
2            | dell-net.cfg | Default network config file                                 | No
3            | hostname.cfg | Host-specific config file, associated with hostname.        | Yes
4            | host.        |                                                             |
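As an added example (not Dell's code), this Python models the selection rules above: the TFTP server order from the OFFER and the configuration file order of Table 15-1. The DhcpOffer field names are constructed, and treating host.cfg as the last, final file is an assumption because the table's fourth row is cut off on the page:

```python
"""Decision logic the page describes for DHCP Auto Configuration: which TFTP
server the client uses when the OFFER names more than one, and which
configuration files it seeks, in order (Table 15-1).

Added example, not Dell's code.  Field names on DhcpOffer are constructed;
the *.cfg name check comes from the page's NOTE.  Table 15-1's fourth row is
cut off on the page, so host.cfg being the last, final file is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class DhcpOffer:
    """Only the OFFER fields the page's selection rules look at."""
    sname: str = ""       # DHCP header 'sname' field (server host name)
    file: str = ""        # DHCP header 'file' field (boot file name)
    siaddr: str = ""      # DHCP header 'siaddr' (next-server address)
    option12: str = ""    # host name
    option66: str = ""    # TFTP server name
    option67: str = ""    # bootfile name
    option150: str = ""   # TFTP server address


def select_tftp_server(offer: DhcpOffer) -> Optional[str]:
    """Page order when the server is identified more than once:
    sname, option 66, option 150, siaddr.  A host name still needs DNS."""
    for candidate in (offer.sname, offer.option66, offer.option150, offer.siaddr):
        if candidate:
            return candidate
    return None   # no server named: the TFTP client falls back to broadcast


def config_file_plan(offer: DhcpOffer) -> List[Tuple[str, bool]]:
    """Files sought, in order, as (name, final).

    'final' mirrors the 'Final File Sought' column: once such a file has
    been downloaded the search ends, whereas dell-net.cfg (No) is followed
    by a host-specific file.
    """
    plan: List[Tuple[str, bool]] = []
    bootfile = offer.option67 or offer.file
    # Page NOTE: the configuration file name must match "*.cfg"; anything
    # else (a PXE loader name, say) is not a candidate.
    if bootfile and bootfile.endswith(".cfg"):
        plan.append((bootfile, True))
    plan.append(("dell-net.cfg", False))
    if offer.option12:
        plan.append((f"{offer.option12}.cfg", True))
    plan.append(("host.cfg", True))   # assumed final: row 4 is truncated on the page
    return plan


def files_downloaded(plan: List[Tuple[str, bool]], available: Set[str]) -> List[str]:
    """Walk the plan against the files present on the TFTP server and return
    what would be fetched: each candidate that exists, stopping after a final one."""
    fetched: List[str] = []
    for name, final in plan:
        if name in available:
            fetched.append(name)
            if final:
                break
    return fetched
```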
Monitoring and Completing the DHCP Auto Configuration Process
When the switch boots and triggers an Auto Configuration, a message displays on the console screen to indicate that the process is starting. After the process completes, the Auto Configuration process writes a log message. When Auto Configuration has successfully completed, the show running-config command can be used to validate the contents of the configuration.
A file is not automatically deleted after it is downloaded. The file does not take effect upon a reboot unless you explicitly save the configuration (the saved configuration takes effect upon reboot). If you do not save the configuration downloaded by the Auto Configuration feature, the Auto Configuration process occurs again on a subsequent reboot or when the DHCP lease expires. This may result in one of the previously downloaded files being overwritten.
Default Auto Configuration Values
Table 15-3 describes the Auto Configuration defaults.
Table 15-3. Auto Configuration Defaults
Feature           | Default | Description
Auto Install Mode | Enabled | When the switch boots and no saved configuration is found, the Auto Configuration automatically begins.
Retry Count       | 3       | When the DHCP or BootP server returns information about the TFTP server and bootfile, the switch makes three unicast TFTP requests for the specified bootfile.
Managing Auto Configuration (Web)
This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help icon at the top of the page.
Managing Auto Configuration (CLI)
This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Auto Configuration Example A network administrator is deploying three Dell Networking N-Series switches and wants to quickly and automatically install the latest image and a common configuration file that configures basic settings such as VLAN creation and membership, RADIUS server settings, and 802.1X information. The configuration file also contains the command boot host autosave so that the downloaded configuration is automatically saved to the startup config.
4 Create a setup file named dellswitch.setup. The setup file contains the following lines:
192.168.0.1 255.255.255.0 switchA.txt N2000v6.1.0.1.stk
192.168.0.2 255.255.255.0 switchB.txt N2000v6.2.0.1.stk
192.168.0.3 255.255.255.0 switchC.txt N2000v6.2.0.1.stk
5 Copy the dellswitch.setup file to the USB device.
6 Connect the USB device to Switch A.
7 Insert the USB device into the USB port on the front panel of Switch A.
8 Power on Switch A.
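An added example (not Dell's code) that applies the USB Auto Configuration rules described in this chapter to setup lines like the ones above: choosing the setup file, consuming one line per switch, and deciding whether a *.stk image on the device is newer than the running image. It assumes the version is the v<a.b.c.d> part of the .stk file name, and it marks consumed lines with an assumed '#used ' prefix, since the page says lines are marked used but not how:

```python
"""Walk the USB Auto Configuration rules described in this chapter: pick the
setup file, consume its lines one switch at a time, and decide which *.stk
image (if any) is newer than the running image.

Added example, not Dell's code.  Assumptions: the image version is parsed
from the 'v<a.b.c.d>.stk' tail of the file name (as in N2000v6.2.0.1.stk);
a used setup line is marked by prefixing it with '#used ' (the page does not
say how the switch marks it); a line's tokens are ip, mask, then an optional
config file and an optional image file, told apart by the .stk suffix.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DEFAULT_SETUP = "dellswitch.setup"
USED_MARK = "#used "                      # assumed marker, see above
_STK_VERSION = re.compile(r"v(\d+(?:\.\d+)+)\.stk$", re.IGNORECASE)

Version = Tuple[int, ...]


@dataclass
class SetupEntry:
    ip: str
    mask: str
    config: Optional[str]
    image: Optional[str]


def stk_version(name: str) -> Optional[Version]:
    """(6, 2, 0, 1) for N2000v6.2.0.1.stk; None if the name carries no version."""
    m = _STK_VERSION.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def choose_setup_file(files: Iterable[str]) -> Optional[str]:
    """Page rule: dellswitch.setup wins when several *.setup files exist."""
    setups = [f for f in files if f.lower().endswith(".setup")]
    if DEFAULT_SETUP in setups:
        return DEFAULT_SETUP
    # Several *.setup files without the default one is not specified on the page.
    return setups[0] if len(setups) == 1 else None


def parse_setup_line(line: str) -> SetupEntry:
    tokens = line.split()
    if len(tokens) < 2 or len(tokens) > 4:
        raise ValueError(f"malformed setup line: {line!r}")
    ip, mask, extras = tokens[0], tokens[1], tokens[2:]
    images = [t for t in extras if t.lower().endswith(".stk")]
    configs = [t for t in extras if not t.lower().endswith(".stk")]
    if len(images) > 1 or len(configs) > 1:
        raise ValueError(f"more than one image or config on line: {line!r}")
    return SetupEntry(ip, mask, configs[0] if configs else None,
                      images[0] if images else None)


def next_entry(setup_text: str) -> Optional[Tuple[int, SetupEntry]]:
    """First line not yet marked used, with its index, or None when exhausted."""
    for idx, line in enumerate(setup_text.splitlines()):
        if line.strip() and not line.startswith(USED_MARK):
            return idx, parse_setup_line(line)
    return None


def mark_used(setup_text: str, idx: int) -> str:
    """Return the file text with line idx marked, so the next switch skips it."""
    lines = setup_text.splitlines()
    lines[idx] = USED_MARK + lines[idx]
    return "\n".join(lines) + "\n"


def image_to_load(entry: SetupEntry, usb_files: Iterable[str],
                  running: Version) -> Optional[str]:
    """Image the switch would copy to its backup image, or None.

    A line may name the image; otherwise the newest *.stk on the device is
    used (the page allows omitting the name when one image serves every
    switch).  Only an image newer than the running version is loaded.
    """
    candidates = [f for f in usb_files if stk_version(f)]
    if entry.image is not None:
        if entry.image not in candidates:
            raise FileNotFoundError(f"{entry.image} named in setup file but not on USB")
        chosen = entry.image
    elif candidates:
        chosen = max(candidates, key=stk_version)
    else:
        return None
    return chosen if stk_version(chosen) > running else None
```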
1 Create a default config file for the switches named host.cfg. The host.cfg file contains the path and name of the image file on the TFTP server (option 125, sub-option 5). For information about creating configuration files, see Images and File Management.
2 Upload the host.cfg file to the TFTP server.
3 Upload the image file to the TFTP server.
Easy Firmware Upgrade via USB
If a USB device is detected during bootup and there is an image on the USB device (and no .setup files and no .text files), and the switch has no saved startup config file, then the image version on the USB device is checked against the active image version on the switch. If a newer image version is found on the USB device, the image is copied to the switch backup image and the switch reloads using the new image.
1 Copy the startup-config file to the backup-config; e.g.
16 Monitoring Switch Traffic
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes sFlow features, Remote Monitoring (RMON), and Port Mirroring features. The topics covered in this chapter include:
• Traffic Monitoring Overview
• Default Traffic Monitoring Values
• Monitoring Switch Traffic (Web)
• Monitoring Switch Traffic (CLI)
• Traffic Monitoring Examples

Traffic Monitoring Overview
The switch maintains statistics about network traffic that it handles.
from monitored devices. sFlow datagrams forward sampled traffic statistics to the sFlow Collector for analysis. Up to eight different sFlow receivers can be specified to which the switch sends sFlow datagrams.
Figure 16-1. sFlow Architecture
The advantages of using sFlow are:
• It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
• Minimal memory/CPU is required.
sFlow Sampling
The sFlow Agent in the Dell Networking software uses two forms of sampling:
• Statistical packet-based sampling of switched or routed Packet Flows
• Time-based sampling of counters
Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual Data Sources within an sFlow Agent. Both types of samples are combined in sFlow datagrams. Packet Flow Sampling creates a steady, but random, stream of sFlow datagrams that are sent to the sFlow Collector.
Counter Sampling
The primary objective of Counter Sampling is to efficiently, periodically export counters associated with Data Sources. A maximum Sampling Interval is assigned to each sFlow instance associated with a Data Source. Counter Sampling is accomplished as follows:
• sFlow Agents keep a list of counter sources being sampled.
• When a Packet Flow Sample is generated, the sFlow Agent examines the list and adds counters to the sample datagram, least recently sampled first.
The RMON agent in the switch supports the following groups:
• Group 1—Statistics. Contains cumulative traffic and error statistics.
• Group 2—History. Generates reports from periodic traffic sampling that are useful for analyzing trends.
• Group 3—Alarm. Enables the definition and setting of thresholds for various counters. Thresholds can be passed in either a rising or falling direction on existing MIB objects, primarily those in the Statistics group.
entries are purged); and do not utilize any static filter configuration. The original configuration of a destination port is restored when the port is no longer configured as a destination port. Each source port can be configured whether to mirror ingress traffic (traffic the port receives, or RX), egress traffic (traffic the port sends, or TX), or both ingress and egress traffic. NOTE: A DiffServ policy class definition or an ACL can be created that mirrors specific types of traffic to a destination port.
• The destination (probe) port loses its VLAN configuration when port mirroring is enabled. The VLAN configuration is restored when the port is no longer configured for a monitor session. The mirrored source and the transit ports retain their VLAN configuration. Transit ports must be members of the RSPAN VLAN.
• When port mirroring is enabled, all MAC address entries associated with destination ports are purged. This prevents transmitting packets out of the port that are not seen on the mirrored port.
• On ingress, the port mirroring logic stage is after the VLAN tag processing stage in the hardware. This means that mirrored packets may not appear the same as they do on the wire if VLAN tag processing occurs. Examples of VLAN tag processing are DVLAN tunneling (QinQ) or VLAN rewriting. Likewise, on egress, the port mirroring logic stage is before the VLAN tag processing stage.
RMON is enabled by default, but no RMON alarms, events, or history statistic groups are configured. Port mirroring is disabled, and no ports are configured as source or destination ports. After you configure a port mirroring session, the administrative mode is disabled until you explicitly enable it.
sFlow Receiver Configuration
Use the sFlow Receiver Configuration page to configure settings for the sFlow receiver to which the switch sends sFlow datagrams. Up to eight sFlow receivers can be configured to receive datagrams. To display the Receiver Configuration page, click System → sFlow → Receiver Configuration in the navigation panel.
Figure 16-3. sFlow Receiver Configuration
Click Show All to view information about configured sFlow receivers.
sFlow Sampler Configuration
Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.
Figure 16-4. sFlow Sampler Configuration
Click Show All to view information about configured sampler data sources.
sFlow Poll Configuration
Use the sFlow Poll Configuration page to configure how often a port should collect counter samples. To display the Poll Configuration page, click System → sFlow → Poll Configuration in the navigation panel.
Figure 16-5. sFlow Poll Configuration
Click Show All to view information about the ports configured to collect counter samples.
Interface Statistics
Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical. To display the page, click Statistics/RMON → Table Views → Interface Statistics in the navigation panel.
Figure 16-6.
Etherlike Statistics
Use the Etherlike Statistics page to display interface statistics. To display the page, click Statistics/RMON → Table Views → Etherlike Statistics in the navigation panel.
Figure 16-7.
GVRP Statistics
Use the GVRP Statistics page to display switch statistics for GVRP. To display the page, click Statistics/RMON → Table Views → GVRP Statistics in the navigation panel.
Figure 16-8.
EAP Statistics
Use the EAP Statistics page to display information about EAP packets received on a specific port. For more information about EAP, see "Port and System Security" on page 623. To display the EAP Statistics page, click Statistics/RMON → Table Views → EAP Statistics in the navigation panel.
Figure 16-9.
Utilization Summary
Use the Utilization Summary page to display interface utilization statistics. To display the page, click Statistics/RMON → Table Views → Utilization Summary in the navigation panel.
Figure 16-10.
Counter Summary
Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages. To display the page, click Statistics/RMON → Table Views → Counter Summary in the navigation panel.
Figure 16-11.
Switchport Statistics
Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs. To display the page, click Statistics/RMON → Table Views → Switchport Statistics in the navigation panel.
Figure 16-12.
RMON Statistics
Use the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch. To display the page, click Statistics/RMON → RMON → Statistics in the navigation panel.
Figure 16-13.
RMON History Control Statistics
Use the RMON History Control page to maintain a history of statistics on each port. For each interface (either a physical port or a port-channel), the number of buckets and the time interval between each bucket snapshot can be configured. To display the page, click Statistics/RMON → RMON → History Control in the navigation panel.
Figure 16-14. RMON History Control
Adding a History Control Entry
To add an entry:
1 Open the RMON History Control page.
2 Click Add.
Figure 16-15. Add History Entry
3 Select the port or LAG on which you want to maintain a history of statistics.
4 Specify an owner, the number of historical buckets to keep, and the sampling interval.
5 Click Apply to add the entry to the RMON History Control Table.
To view configured history entries, click the Show All tab. The RMON History Control Table displays. Configured history entries can be removed using this page.
RMON History Table
Use the RMON History Table page to display interface-specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To display the RMON History Table page, click Statistics/RMON → RMON → History Table in the navigation panel.
Figure 16-16.
RMON Event Control
Use the RMON Events Control page to define RMON events. Events are used by RMON alarms to force some action when a threshold is crossed for a particular RMON counter. The event information can be stored in a log and/or sent as a trap to a trap receiver. To display the page, click Statistics/RMON → RMON → Event Control in the navigation panel.
Figure 16-17. RMON Event Control
Adding an RMON Event
To add an event:
1 Open the RMON Event Control page.
2 Click Add.
Figure 16-18. Add an Event Entry
3 If the event sends an SNMP trap, specify the SNMP community to receive the trap.
4 Optionally, provide a description of the event and the name of the event owner.
5 Select an event type.
6 Click Apply. The event is added to the RMON Event Table, and the device is updated.
Viewing, Modifying, or Removing an RMON Event
To manage an event:
1 Open the RMON Event Control page.
2 Click Show All to display the Event Control Table page.
RMON Event Log
Use the RMON Event Log page to display a list of RMON events. To display the page, click Statistics/RMON → RMON → Events Log in the navigation panel.
Figure 16-19.
RMON Alarms
Use the RMON Alarms page to set network alarms. Alarms occur when certain thresholds are crossed for the configured RMON counters. The alarm triggers an event to occur. The events can be configured as part of the RMON Events group. For more information about events, see "RMON Event Log" on page 544. To display the page, click Statistics/RMON → RMON → Alarms in the navigation panel.
Figure 16-20.
Adding an Alarm Table Entry
To add an alarm:
1. Open the RMON Alarms page.
2. Click Add. The Add an Alarm Entry page displays.
Figure 16-21. Add an Alarm Entry
3. Complete the fields on this page as needed. Use the help menu to learn more information about the data required for each field.
4. Click Apply. The RMON alarm is added, and the device is updated.
To view configured alarm entries, click the Show All tab. The Alarms Table displays. Configured alarms can be removed using this page.
Port Statistics
Use the Port Statistics page to chart port-related statistics on a graph. To display the page, click Statistics/RMON → Charts → Port Statistics in the navigation panel.
Figure 16-22. Ports Statistics
To chart port statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
LAG Statistics
Use the LAG Statistics page to chart LAG-related statistics on a graph. To display the page, click Statistics/RMON → Charts → LAG Statistics in the navigation panel.
Figure 16-23. LAG Statistics
To chart LAG statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
Port Mirroring
Use the Port Mirroring page to create a mirroring session in which all traffic that is sent or received (or both) on one or more source ports is mirrored to a destination port. To display the Port Mirroring page, click Switching → Ports → Traffic Mirroring → Port Mirroring in the navigation panel.
Figure 16-24. Port Mirroring
Configuring a Port Mirror Session
To configure port mirroring:
1 Open the Port Mirroring page.
2 Click Add. The Add Source Port page displays.
Figure 16-25. Add Source Port
5 Click Apply.
6 Repeat the previous steps to add additional source ports.
7 Click Port Mirroring to return to the Port Mirroring page.
8 Enable the administrative mode and specify the destination port.
Figure 16-26. Configure Additional Port Mirroring Settings
9 Click Apply.
Monitoring Switch Traffic (CLI) This section provides information about the commands you use to manage traffic monitoring features on the switch and to view information about switch traffic. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command: sflow rcvr-index polling if_type if_number poll-interval
Purpose: Enable a new sFlow poller instance on an interface range.
• rcvr-index — The sFlow Receiver associated with the poller (Range: 1–8).
• if_type if_number — The list of interfaces to poll. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te); for example, te1/0/3-5 enables polling on ports 3, 4, and 5.
• poll-interval — The sFlow instance polling interval.
Command: sflow rcvr-index sampling sampling-rate [size]
Purpose: Enable a new sFlow sampler instance for the interface.

Command: CTRL + Z
Purpose: Exit to Privileged EXEC mode.

Command: show sflow agent
Purpose: View information about the switch sFlow agent.

Command: show sflow index destination
Purpose: View information about the configured sFlow receivers.

Command: show sflow index polling
Purpose: View information about the configured sFlow poller instances for the specified receiver.
Command: rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [startup direction] [owner string]
Purpose: Add an alarm entry.
• number — The alarm index. (Range: 1–65535)
• variable — A fully qualified SNMP object identifier that resolves to a particular instance of a MIB object.
• interval — The interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
Command: rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds]
Purpose: Enable an RMON MIB history statistics group on the interface.
NOTE: You must configure RMON alarms and events before RMON collection history is able to display.
• index — The requested statistics index group. (Range: 1–65535)
• ownername — Records the RMON statistics group owner name. If unspecified, the name is an empty string.
Command: show interfaces traffic [interface-id]
Purpose: Display the current TX and RX queue congestion and congestion discards.

Configuring Port Mirroring
Use the following commands in Privileged EXEC mode to configure a port mirroring session.

Command: configure
Purpose: Enter Global Configuration mode.

Command: monitor session
Purpose: Configure a source (monitored) port or CPU interface for a monitor session.
Configuring RSPAN
RSPAN is an extension of port mirroring that operates across multiple switches. Use the following commands in Privileged EXEC mode to configure RSPAN. Remember to assign VLANs to physical interfaces (steps not shown).

Configuring RSPAN (Source Switch)
Command: configure
Purpose: Enter Global Configuration mode.

Command: vlan vlan-id
Purpose: Configure an RSPAN VLAN.

Command: remote-span
Purpose: Configure the VLAN as a spanning VLAN.

Command: exit
Purpose: Exit to Global Configuration mode.
Command: monitor session session_number mode
Purpose: Enable the administrative mode for the configured port mirroring session to start sending the traffic from the source port to the destination (probe) port.

Command: exit
Purpose: Exit to Privileged EXEC mode.

Configuring RSPAN (Transit Switch)
Command: configure
Purpose: Enter Global Configuration mode.

Command: vlan vlan-id
Purpose: Create an RSPAN VLAN.

Command: remote-span
Purpose: Configure the VLAN as a spanning VLAN.

Command: exit
Purpose: Exit to Global Configuration mode.
Command: monitor session session_id mode
Purpose: Enable the monitor session.
Traffic Monitoring Examples
This section contains the following examples:
• Showing Interface Traffic
• Configuring sFlow
• Configuring RMON
• Configuring Remote Capture
• Configuring RSPAN

Showing Interface Traffic
Use the show interfaces utilization and show interfaces traffic commands to display information about interface traffic and internal packet buffer usage. The following are examples of the output of these commands.
console#show interfaces utilization
Port     Load Interval  Oper.
-------  -------------  -----
Gi1/0/1  300
Gi1/0/2  300
Gi1/0/3  300
Gi1/0/4  300
Gi1/0/5  300
Gi1/0/6  300
Gi1/0/7  300
Gi1/0/8  300
Receiver Index.................... 1
Owner String...................... receiver1
Time out.......................... 99994
IP Address:....................... 192.168.30.
Address Type......................
Port..............................
Datagram Version..................
Maximum Datagram Size.............
Configuring RMON
This example generates a trap and creates a log entry when the number of inbound packets that are undeliverable due to errors increases by 20 or more. First, an RMON event is created. Then, the alarm is created. The event (event 1) generates a trap and creates a log entry. The alarm is configured for the MIB object ifInErrors (OID: 1.3.6.1.2.1.2.2.1.14.1). The OID is the variable.
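An added example (not Dell's code) of the evaluation an alarm like this performs on each sampling interval, for both absolute and delta sample types. The arming rule between rising and falling events and the startup handling are taken from RFC 2819's alarm table; the ifInErrors readings and the falling threshold of 0 are constructed:

```python
"""Evaluate an RMON alarm of the kind configured in this example: sample a
MIB variable every interval, compare absolute or delta values with a rising
and a falling threshold, and fire the configured event numbers.

Added example, not Dell's code.  Parameters follow the rmon alarm command in
this chapter; the arming rule (after a rising event no further rising event
until the falling threshold is crossed, and vice versa) and the startup
handling follow RFC 2819.  The ifInErrors readings in the test and the
falling threshold of 0 are constructed.
"""
from typing import List, Optional


class RmonAlarm:
    def __init__(self, sample_type: str, rising: int, falling: int,
                 rising_event: Optional[int], falling_event: Optional[int],
                 startup: str = "rising-falling") -> None:
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "rising-falling"):
            raise ValueError("startup must be rising, falling or rising-falling")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.sample_type, self.rising, self.falling = sample_type, rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.startup = startup
        self._prev_raw: Optional[int] = None   # last counter reading (delta mode)
        self._last: Optional[int] = None       # last value compared with thresholds
        self._rising_armed = True
        self._falling_armed = True

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading taken at the sampling interval; return the event
        number fired by this sample, or None."""
        if self.sample_type == "delta":
            if self._prev_raw is None:         # first reading only seeds the delta
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw
        first = self._last is None             # first comparison: startup rule applies
        fired = None
        if value >= self.rising and self._rising_armed and (
                (first and self.startup != "falling")
                or (not first and self._last < self.rising)):
            fired = self.rising_event
            # No further rising event until the falling threshold is reached.
            self._rising_armed, self._falling_armed = False, True
        elif value <= self.falling and self._falling_armed and (
                (first and self.startup != "rising")
                or (not first and self._last > self.falling)):
            fired = self.falling_event
            self._falling_armed, self._rising_armed = False, True
        self._last = value
        return fired


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Event fired (or None) for each reading, in order."""
    return [alarm.sample(r) for r in readings]
```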
Configuring Remote Capture

This example configures the switch to mirror packets transmitted and received by the switch CPU to a Wireshark client. This is useful to diagnose switch behavior and to determine if an attached device is sending properly formatted packets with correct information to the switch, or just to monitor traffic sent to the switch CPU. The capture feature can also be configured to capture to a local file in pcap format or to capture to an in-memory buffer (text format).
5 On the Capture Options dialog, click Manage Interfaces.
6 Add a new interface by giving the switch IP address and the default remote port (2002). First, select the Remote Interfaces tab and click Add.
7 Enter the switch IP address and port (2002). Choose Null authentication (default).
8 Click OK to accept the entry.
9 On the Add new interfaces dialog, click Apply and then click Close.
10 From the Wireshark:Capture Options dialog, select the remote switch and click Start.

Remote Capture Caveats

Remote capture over an in-band port also captures the capture packets themselves as they are transmitted to the Wireshark client. Therefore, when using remote capture over an in-band port, it is best to configure remote capture to capture only received packets, to configure remote capture to operate over the out-of-band port, or to configure local capture to capture to the in-memory buffer or a local pcap file.
Configuring RSPAN

RSPAN supports the transport of mirrored packets across the network to a remote switch. Ports may be configured as source ports, intermediate ports, or destination ports.

RSPAN Source Switch

This example mirrors interface gi1/0/3 to VLAN 723. VLAN 723 is the selected transit VLAN. Administrators should reserve a VLAN as the RSPAN VLAN when designing their network. The source switch requires a reflector port to carry packets to the transit switch.
RSPAN Transit Switch

The following is an example of an RSPAN transit switch configuration. The RSPAN VLAN should be configured as a remote-span in order to disable MAC learning on the VLAN. In this case, the transit switch ports are configured as trunk ports (members of all VLANs) and may be used by other traffic. Packets on the transit switch (in this example) are received and transmitted tagged.
4 Enable the mirroring session:
console(config)#monitor session 1 mode

Monitoring Switch Traffic
17 iSCSI Optimization

Dell Networking N2000, N3000, and N4000 Series Switches

NOTE: This feature is only available on the Dell Networking N2000, N3000, and N4000 Series switches.

This chapter describes how to configure Internet Small Computer System Interface (iSCSI) optimization, which enables special quality of service (QoS) treatment for iSCSI traffic.
What Does iSCSI Optimization Do?

In networks containing iSCSI initiators and targets, iSCSI Optimization helps to monitor iSCSI sessions or give iSCSI traffic preferential QoS treatment. Classifier rules generated dynamically by snooping iSCSI traffic are used to direct iSCSI data traffic to queues that can be given the desired preference characteristics over other data traveling through the switch.
can be removed from monitoring. A target name can also be associated with a configured target TCP port entry. The maximum number of iSCSI sessions is 1024.

How Is Quality of Service Applied to iSCSI Traffic Flows?

The iSCSI CoS mode is configurable and controls whether CoS queue assignment and/or packet marking is performed on iSCSI traffic. When the iSCSI CoS mode is enabled, the CoS policy is applied to packets in detected iSCSI sessions.
How Does iSCSI Optimization Use ACLs?

iSCSI Optimization borrows ACL lists from the global system pool. ACL lists allocated by iSCSI Optimization reduce the total number of ACLs available for use by the network operator. Enabling iSCSI Optimization uses one ACL list to monitor for iSCSI sessions. Each monitored iSCSI session utilizes two rules from additional ACL lists up to a maximum of two ACL lists. This means that the maximum number of ACL lists allocated by iSCSI is three.
How Does iSCSI Optimization Interact With Dell EqualLogic Arrays?

The iSCSI feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic (EQL) SAN storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The Dell Networking N-Series switches use LLDP, a vendor-neutral protocol, to discover Dell EQL devices on the network. LLDP is enabled by default. For more information about LLDP, see "Discovering Network Devices" on page 825.
How Does iSCSI Optimization Interact with DCBx?

NOTE: The DCBx feature is available on the Dell Networking N4000 Series switches only.

The Data Center Bridging Exchange (DCBx) component supports the reception, decoding, and transmission of the Application Priority TLV. In general, if the Application Priority TLV has been received from the configuration source, it will be transmitted to the other auto configuration ports.
NOTE: If it is desired to utilize DCBX to configure lossless transport of iSCSI using PFC, the operator MUST configure a non-default VLAN end-to-end in order to transport the VLAN priority tag and ensure proper CoS treatment on every network enabled device, including CNAs and the EQL arrays.

iSCSI CoS and Priority Flow Control/Enhanced Transmission Selection Interactions

NOTE: The ETS feature is available on the Dell Networking N4000 Series switches only.
Default iSCSI Optimization Values

Table 17-1 shows the default values for the iSCSI optimization feature.

Table 17-1. iSCSI Optimization Defaults
Parameter                          Default Value
iSCSI optimization global status   Enabled
iSCSI CoS mode                     Disabled
Jumbo frames                       Disabled
Spanning tree portfast             Disabled
Unicast storm control              Disabled
Classification                     iSCSI packets are classified by VLAN instead of by DSCP values.
VLAN priority tag                  iSCSI flows are assigned by default the highest 802.
Configuring iSCSI Optimization (Web)

This section provides information about the OpenManage Switch Administrator pages to use to configure the iSCSI features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

iSCSI Global Configuration

Use the Global Configuration page to allow the switch to snoop for iSCSI sessions/connections and to configure QoS treatment for packets where the iSCSI protocol is detected.
iSCSI Targets Table

Use the Targets Table page to view and configure iSCSI targets on the switch. To access the Targets Table page, click System → iSCSI → Targets in the navigation panel.

Figure 17-2. iSCSI Targets Table

To add an iSCSI Target, click Add at the top of the page and configure the relevant information about the iSCSI target.

Figure 17-3.
iSCSI Sessions Table

Use the Sessions Table page to view summary information about the iSCSI sessions that the switch has discovered. An iSCSI session occurs when an iSCSI initiator and iSCSI target communicate over one or more TCP connections. The maximum number of iSCSI sessions is 192. Redundant paths (MPIO) may not be accounted for in the iSCSI sessions table if a separate iSCSI login is not issued during establishment of the session.
iSCSI Sessions Detailed

Use the Sessions Detailed page to view detailed information about an iSCSI session that the switch has discovered. To access the Sessions Detailed page, click System → iSCSI → Sessions Detailed in the navigation panel.

Figure 17-5.
Configuring iSCSI Optimization (CLI)

This section provides information about the commands used for configuring iSCSI settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Command                                   Purpose
configure                                 Enter Global Configuration mode.
                                          iSCSI optimization is enabled by default.
iscsi target port tcp-port-1 [tcp-port-2...

Command                                                    Purpose
iscsi cos {enable | disable | vpt vpt | dscp dscp [remark]}   Optionally set the quality of service profile that will be applied to iSCSI flows.
• enable—Enables application of preferential QoS treatment to iSCSI frames. On switches that support DCBX, this also enables the generation of the Application Priority TLV for iSCSI.
• disable—Disables application of preferential QoS treatment to iSCSI frames.
• vpt/dscp—The VLAN Priority Tag or DSCP value to assign received iSCSI session packets.
iSCSI Optimization Configuration Examples

iSCSI optimization is enabled by default. The following procedure illustrates the configuration steps required if configuring iSCSI manually.

Configuring iSCSI Optimization Between Servers and a Disk Array

Figure 17-6 illustrates a stack of three Dell Networking N-Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets).
The following commands show how to configure the iSCSI example depicted in Figure 17-6. Remember that iSCSI optimization is enabled by default.

1 Set the system MTU to 9216 to enable the use of jumbo frames.
console#config
console(config)#system jumbo mtu 9216
2 Optionally configure the switch to associate CoS queue 5 with detected iSCSI session traffic.
console(config)#interface range te1/0/1-4
console(config-if)#switchport mode trunk
4 Configure the DCBx port role as auto-downstream. This step automatically enables PFC and ETS on the ports using the configuration received from the other switch.
console(config-if)#lldp dcbx port-role auto-down
console(config-if)#exit
5 Enter interface configuration mode for the switch-facing ports and configure the DCBx port role as auto-up.
4 Map VLAN priority 4 onto traffic class 4.
console(config)#classofservice dot1p-mapping 4 4
5 Enter Interface Configuration mode for CNA connected ports 1-4 and array connected ports 16-17.
console(config)#interface range te1/0/1-4,te1/0/16-17
6 Enable VLAN tagging to allow the CNA connected ports to carry 802.1p priority values through the network.
console(config-if)#switchport mode trunk
7 Enter datacenter bridging mode to enable PFC on the ports.
18 Port Characteristics

Dell Networking N1500, N2000, N3000, and N4000 Series Switches

This chapter describes how to configure physical switch port characteristics, including settings such as administrative status and maximum frame size. This chapter also describes the link dependency feature.
Table 18-1. Port Characteristics
Feature              Description
Speed                Specifies the transmission rate for frames.
Duplex mode          Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time (half) or both directions simultaneously (both).
Maximum frame size   Indicates the maximum frame size that can be handled by the port.
Auto-Negotiation

Dell Networking N-Series switches implement IEEE 802.3 auto-negotiation for 1000BASE-T, 1000BASE-X, and 10GBASE-T based copper interfaces. 1000BASE-X fiber interfaces also implement auto-negotiation. Auto-negotiation is required to be present and enabled for 1000BASE-T and 10GBASE-T copper interfaces in order for a clock master to be selected. The administrator can configure the advertised capabilities, including the acceptable link speeds, or may disable auto-negotiation altogether.
(1522 bytes with a VLAN header) to 9216 bytes. Dell Networking N-Series switches assume that all packets are in Ethernet format. Any device connecting to the same broadcast domain must support the same MTU. Dell Networking N-Series switches do not fragment L2 or L3 forwarded traffic. Received frames larger than the system MTU are discarded. The switch will not transmit a frame larger than the system MTU. Packets originated by the switch are fragmented based upon path MTU discovery.
Link Action

The link action specifies the action that the group members will take when the dependent port is down. The group members can transition to the same state as the dependent port, or they can transition to the opposite state. In other words, if the link action is down and the dependent port goes down, the member ports will go down as well. Conversely, when the link action is up and the dependent link goes down, the group member ports are enabled (brought up).
What Interface Types are Supported?

The physical ports on the switch include the out-of-band (OOB) interface (Dell Networking N3000 and N4000 Series only) and Ethernet switch ports. The OOB interface supports a limited set of features and is for switch management only. The Ethernet switch ports support many logical features that are often supported by logical interfaces. The switch supports the following types of logical interfaces:
• Port-based VLANs — For more information, see "VLANs" on page 701.
To enter Interface Configuration mode for a physical switch port, the following information is required:
• Type — For physical switch ports, the type is Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports or 10-Gigabit Ethernet (tengigabitethernet or te) for 10,000 Mbps Ethernet ports.
• Stack member number — The unit number within the stack. The range is 1–12. The default unit number for a switch that has not been in a stack is 1.
For many features, a range of interfaces can be specified. When you enter Interface Configuration mode for multiple interfaces, the commands you execute apply to all interfaces specified in the range. To enter Interface Configuration mode for a range of interfaces, include the keyword range and specify the interfaces to configure.
Switchport Modes

Each port on the Dell Networking N1500, N2000, N3000, and N4000 Series switches can be configured to be in one of the following modes:
• Access — Access ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags. Access ports support a single VLAN (the PVID). Packets received untagged are processed as if they are tagged with the access port PVID. Packets received that are tagged with the PVID are also processed.
When a port is in General mode, all VLAN features are configurable. When ingress filtering is on, the frame is dropped if the port is not a member of the VLAN identified by the VLAN ID in the tag. If ingress filtering is off, all tagged frames are forwarded. The port decides whether to forward or drop the frame when the port receives the frame.

Default Port Values

Table 18-3 lists the default values for the port characteristics that this chapter describes.

Table 18-3.
Configuring Port Characteristics (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring port characteristics on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

Port Configuration

Use the Port Configuration page to define port parameters. To display the Port Configuration page, click Switching → Ports → Port Configuration in the navigation panel.
Configuring Multiple Ports

To configure port settings on multiple ports:
1 Open the Port Configuration page.
2 Click Show All to display the Port Configuration Table page.
3 In the Ports list, select the check box in the Edit column for the port to configure.
4 Select the desired settings.
5 Click Apply.

Figure 18-2. Configure Port Settings

6 Select the Copy Parameters From check box, and select the port with the settings to apply to other ports.

Figure 18-3. Copy Port Settings

8 Click Apply.
Link Dependency Configuration

Use the Link Dependency Configuration page to create link dependency groups. A maximum of 16 dependency groups can be created. The page displays the groups whether they have been configured or not. To display the Link Dependency Configuration page, click Switching → Link Dependency → Configuration in the navigation panel.

Figure 18-4. Link Dependency Configuration

Creating a Link Dependency Group

To create link dependencies:
1 Open the Link Dependency Configuration page.

In the following example, Group 1 is configured so that Port 3 is dependent on Port 4.

Figure 18-5. Link Dependency Group Configuration

6 Click Apply. The Link Dependency settings for the group are modified, and the device is updated.
Link Dependency Summary

Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. A maximum of 16 dependency groups can be created. The page displays the groups whether they have been configured or not. To display the Link Dependency Summary page, click Switching → Link Dependency → Link Dependency Summary in the navigation panel.

Figure 18-6.
Port Green Ethernet Configuration

Use the Green Ethernet Configuration page to enable or disable energy-saving modes on each port. To display the Green Ethernet Configuration page, click System → Green Ethernet → Green Ethernet Configuration in the navigation panel.

Figure 18-7.
Port Green Ethernet Statistics

Use the Green Ethernet Statistics page to view information about per-port energy savings. To display the Green Ethernet Statistics page, click System → Green Ethernet → Green Ethernet Statistics in the navigation panel.

Figure 18-8.

To view a summary of energy savings for the switch and all ports, click Summary.

Figure 18-9. Green Ethernet Statistics Summary

To view a chart that shows the estimated per-port energy savings, click Chart.

Figure 18-10.

Port Green Ethernet LPI History

Use the Green Ethernet LPI History page to view data about the amount of time the switch has spent in low-power idle (LPI) mode. To display the Green Ethernet LPI History page, click System → Green Ethernet → Green Ethernet LPI History in the navigation panel.

Figure 18-11.
Configuring Port Characteristics (CLI)

This section provides information about the commands used for configuring port characteristics. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Port Settings

Beginning in Privileged EXEC mode, use the following commands to configure various port settings.

Command                        Purpose
configure                      Enter Global Configuration mode.

Command                        Purpose
system jumbo mtu size          Enable jumbo frames on the switch by adjusting the maximum size of a packet.
CTRL + Z                       Exit to Privileged EXEC mode.
show interfaces status         Show summary information about all interfaces.
show interfaces configuration  View a summary of the configuration for all ports.
show interfaces advertise      View a summary of the speeds that are advertised on each port.
show interfaces description    View configured descriptions for all ports.
Configuring Link Dependencies

Beginning in Privileged EXEC mode, use the following commands to configure ports that are dependent on the state of other ports.

Command                          Purpose
configure                        Enter Global Configuration mode.
link-dependency group group_id   Enter the link-dependency mode to configure a link-dependency group.
add interface                    Add member ports to the group. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Configuring Green Features

Beginning in Privileged EXEC mode, use the following commands to configure and monitor energy-saving features for the ports and the switch.

Command               Purpose
configure             Enter Global Configuration mode.
interface interface   Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command.
Port Configuration Examples

This section contains the following examples:
• Configuring Port Settings
• Configuring Link Dependency Groups

Configuring Port Settings

The commands in this example specify the speed for port 1 (gigabitEthernet 1/0/1) and change the system MTU size. To configure the switch:
1 Enter Interface Configuration mode for port 1.
console#configure
console(config)#interface gigabitEthernet 1/0/1
2 Change the speed settings for the port.

Configuring Link Dependency Groups

The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down. When port 4 returns to the up state, port 3 is brought back up. In Group 2, port 6 is dependent on port-channel (LAG) 1, and the link action is up. If port-channel 1 goes down, port 6 is brought up.
discarded. When you configure an interface as an access mode port, the interface is automatically made a member of VLAN 1 and removed from all other VLAN memberships. Each interface can be configured separately, or a range of interfaces can be configured with the same settings.

Command               Purpose
configure             Enter global configuration mode.
interface interface   Enter interface configuration mode for the specified interface.
automatically configured as a member of all VLANs. Trunk ports can be removed from membership in specific VLANs. By default, the native VLAN for a trunk port is VLAN 1.

Command               Purpose
configure             Enter global configuration mode.
interface interface   Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Command                                                          Purpose
switchport trunk {allowed vlan vlan-list | native vlan vlan-id}  Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
• allowed vlan-list — Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. Separate non-consecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
Configuring a Port in General Mode

Beginning in Privileged EXEC mode, use the following commands to configure an interface with full 802.1q support and configure the VLAN membership information for the interface. Except when noted as required (for example, when configuring MAB, Voice VLAN, or 802.1x), it is recommended that operators use either trunk or access mode.

Command                                                Purpose
configure                                              Enter global configuration mode.

Command                                                Purpose
switchport general pvid vlan-id                        (Optional) Set the port VLAN ID. Untagged traffic that enters the switch through this port is tagged with the PVID.
                                                       vlan-id — PVID. The selected PVID assignment must be to an existing VLAN. (Range: 1–4093). Entering a PVID value does not remove the previous PVID value from the list of allowed VLANs.
switchport general acceptable-frame-type tagged-only   (Optional) Specifies that the port will only accept tagged frames.
19 Port and System Security

Dell Networking N1500, N2000, N3000, and N4000 Series Switches

This chapter describes how to configure port-based and system security features, which control access to the network through the switch ports, and the denial of service (DoS) feature. The topics covered in this chapter include:
• Port-based Security—Port MAC Locking
• Denial of Service

Port-based Security—Port MAC Locking

Port MAC locking is used to enable security on a per-port basis.
When the link goes down on a port, all of the dynamically locked addresses are cleared from the source MAC address table the feature maintains. When the link is restored, that port can once again learn addresses up to the specified limit. The port can learn MAC addresses dynamically, and a list of static MAC addresses can be specified for a port. The number of static addresses that may be configured is limited by the port security limit, regardless of whether port security is enabled on the interface or not.
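A software model of the locking behaviour just described, added here as an example and not taken from the switch firmware or the Dell guide; it assumes that one port security limit is shared by static and dynamically locked entries, and the MAC addresses in the scenario are constructed.

```python
# Added example (not from the Dell guide): a model of per-port MAC locking as
# described above. Assumption: a single port-security limit covers the static
# entries plus the dynamically locked ones. All MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class LockedPort:
    """Source-MAC lock table for one interface."""
    limit: int
    static: Set[str] = field(default_factory=set)   # operator-configured
    dynamic: Set[str] = field(default_factory=set)  # learned since link came up
    link_up: bool = True

    def _used(self) -> int:
        return len(self.static) + len(self.dynamic)

    def add_static(self, mac: str) -> bool:
        """Configure a static address. Static entries are bounded by the
        port security limit whether or not locking is enabled on the port."""
        mac = mac.lower()
        if mac in self.static:
            return True
        if mac in self.dynamic:
            self.dynamic.discard(mac)        # promote a learned entry
        elif self._used() >= self.limit:
            return False
        self.static.add(mac)
        return True

    def frame_from(self, mac: str) -> str:
        """Classify a received frame by source MAC: 'static', 'dynamic'
        (already locked), 'learned' (newly locked) or 'violation'."""
        mac = mac.lower()
        if not self.link_up:
            return "violation"               # nothing is learned on a down link
        if mac in self.static:
            return "static"
        if mac in self.dynamic:
            return "dynamic"
        if self._used() >= self.limit:
            return "violation"               # limit reached; not learned
        self.dynamic.add(mac)
        return "learned"

    def link_down(self) -> None:
        """Link loss clears every dynamically locked address."""
        self.link_up = False
        self.dynamic.clear()

    def link_restore(self) -> None:
        """After restoration the port may learn again, up to the limit."""
        self.link_up = True


def run_scenario(limit: int, events: List[Tuple[str, str]]) -> List[str]:
    """Replay (event, argument) pairs against one port and collect outcomes.
    Events: 'static', 'frame', 'down', 'up'."""
    port = LockedPort(limit)
    outcomes = []
    for kind, arg in events:
        if kind == "static":
            outcomes.append("static-ok" if port.add_static(arg)
                            else "static-rejected")
        elif kind == "frame":
            outcomes.append(port.frame_from(arg))
        elif kind == "down":
            port.link_down()
            outcomes.append("link-down")
        elif kind == "up":
            port.link_restore()
            outcomes.append("link-up")
        else:
            raise ValueError(f"unknown event {kind!r}")
    return outcomes


# Constructed scenario: limit 2, one static address, learning, then a link flap.
SCENARIO = [
    ("static", "00:11:22:33:44:01"),
    ("frame", "00:11:22:33:44:01"),   # static
    ("frame", "00:11:22:33:44:02"),   # learned (2 of 2 used)
    ("frame", "00:11:22:33:44:03"),   # violation: limit reached
    ("down", ""),
    ("up", ""),
    ("frame", "00:11:22:33:44:03"),   # learned: dynamic table was cleared
    ("static", "00:11:22:33:44:04"),  # static-rejected: limit reached again
]

if __name__ == "__main__":
    for event, result in zip(SCENARIO, run_scenario(2, SCENARIO)):
        print(event, "->", result)
```

The link flap is the point to notice: address :03 is refused before the flap and locked after it, because only the static entry survives link loss.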
Figure 19-1. Network Security Port Security

Configuring Port Security Settings on Multiple Ports

To configure port security on multiple ports:
1 Open the Port Security page.
2 Click Show All to display the Port Security Table page.
3 In the Ports list, select the check box in the Edit column for the port to configure.
4 Select the desired settings for all ports that are selected for editing.

Figure 19-2. Configure Port Security Settings

5 Click Apply.

Configuring Port Security (CLI)

Beginning in Privileged EXEC mode, use the following commands to enable port security on an interface to limit the number of source MAC addresses that can be learned.

Command                    Purpose
configure                  Enter Global Configuration mode.
switchport port-security   Enable port-security administrative mode. Port security must be enabled globally in order to operate on any interfaces.
interface interface        Enter interface configuration mode for the specified interface.
Denial of Service

Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks. DoS protection is disabled by default. To display the Denial of Service page, click System → Management Security → Denial of Service in the navigation panel.

Figure 19-3.
20 Access Control Lists

Dell Networking N1500, N2000, N3000, and N4000 Series Switches

This chapter describes how to configure Access Control Lists (ACLs), including IPv4, IPv6, and MAC ACLs. This chapter also describes how to configure time ranges that can be applied to any of the ACL types.
Depending on whether an ingress or egress ACL is applied to a port, when the traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria configured in its rules, in list order, to the fields in a packet or frame to check for matching conditions. The ACL processes the traffic based on the actions contained in the rules. ACLs are organized into access groups. Access groups are numbered in priority (lowest number has highest priority).
ACLs may be used to control traffic at layer 2, layer 3, or layer 4. MAC ACLs contain packet match criteria based on layer-2 fields in Ethernet frames. IP ACLs contain packet match criteria based on layer-3 and layer-4 fields in the packet. Dell Networking N-Series switches support both IPv4 and IPv6 ACLs and support ACLs applied to up to 24 VLAN interfaces.

ACL Counters

Matching rules in an ACL are counted. The counts may be displayed using the show ip access-list or show mac access-list commands.
MAC access list actions include CoS queue assignment, logging, mirroring, and redirection to another port, as well as the usual permit and deny actions. It is possible to configure MAC access groups in conjunction with IP access groups on the same interface. MAC ACLs can be configured on a VLAN interface as well as a physical interface or port channel.

What Are IP ACLs?

IP ACLs contain filters for layers 3 and 4 on IPv4 or IPv6 traffic.
• Log—perform the logging action on the matching packet as described below.
• Mirror—forward a copy of the matching packet to the designated interface. The original packet continues to be forwarded to its original destination.
• Redirect—forward the matching packet to the designated interface. The original destination of the packet is ignored.
• Rate limit—forward matching packets that do not exceed the rate limit. Drop packets exceeding the rate limit.
What Is the ACL Mirror Function?

ACL mirroring provides the ability to send a copy of traffic that matches a permit rule to a specific physical port or LAG. Using ACLs to mirror traffic is called flow-based mirroring, since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated out of another interface.
NOTE: Adding a conflicting periodic time range to an absolute time range will cause the time range to become inactive. For example, consider an absolute time range from 8:00 AM Tuesday March 1st 2011 to 10 PM Tuesday March 1st 2011. Adding a periodic entry using the 'weekend' keyword will cause the time-range to become inactive because Tuesdays are not on the weekend. A named time range can contain up to 10 configured time ranges. Only one absolute time range can be configured per time range.
fixed number of matching criteria (values and masks). Slices operate in parallel to perform the configured matching operations. An ACL with a different offset requires the use of a new hardware slice but multiple matching values can be specified for a single slice (e.g., an IPv4 destination address with a 32-bit mask is 192.168.21.1 or 192.168.12.3).
• The hardware has 14 ingress slices and 4 egress slices, with the 14 ingress slices having a depth of 256 rules. The egress slices have a depth of 256 rules.

The Dell Networking N2000 Series switches support the following hardware limits:
• 1024 ingress rules and 512 egress rules, for a total of 1536 rules.
• The hardware has 14 ingress slices and 4 egress slices, with the 14 ingress slices having a depth of 256 rules. The egress slices have a depth of 256 rules.
Please note the following additional limitations on ingress and egress ACLs:
• Port ranges are not supported for egress ACLs for either IPv4 or IPv6 ACLs.
• It is possible to configure mirror or redirect attributes for a given ACL rule, but not both.
• The Dell Networking N-Series switches support a limited number of counter resources, so it may not be possible to log every ACL rule.
• On the Dell Networking N4000 Series switches, the IPv6 ACL fragment keyword matches only on the first two IPv6 extension headers for the fragment header (next header code 44). If the fragment header appears in the third or subsequent header, it is not matched.
• On the Dell Networking N2000 and N3000 Series switches, the IPv6 ACL fragment keyword matches only on the first IPv6 extension header (next header code 44). If the fragment header appears in the second or subsequent header, it is not matched.
ACL, enter a sequence number less than the following rule and greater than the preceding rule. Use the no [sequence-number] command in ACL Configuration mode to remove rules from an ACL.

NOTE: When configuring access lists, complete checks are made only when the access list is applied to an active interface. It is recommended that you configure and test an access list on an active (up) interface prior to deploying it on links in the production network.
Table 20-2. Common EtherType Numbers (Continued)
EtherType   Protocol
0x8808      MAC Control
0x8809      Slow Protocols (IEEE 802.3)
0x8870      Jumbo frames
0x888E      EAP over LAN (EAPOL – 802.1x)
0x88CC      Link Layer Discovery Protocol
0x8906      Fibre Channel over Ethernet
0x9100      Q in Q

Table 20-3 lists commonly-used IP protocol numbers:

Table 20-3.
IP address. Likewise, a MAC address of 68:94:23:AD:F3:18 with a mask of 00:00:00:00:00:ff indicates that the first five bytes must match (e.g., 68:94:23:AD:F3) and the last byte may take on any value from 0x00 to 0xff (0–255) and still be considered a match. The following ACL equivalents are noted:

Address    Mask               Equivalent Address
0.0.0.0    255.255.255.255    any
x.x.x.x                       host x.x.x.
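The inverse-mask semantics and the list-order, first-match evaluation with per-rule counters described in this chapter, as an added Python example (not Dell code); the `any` and `host` equivalents and the 68:94:23:AD:F3:18 / 00:00:00:00:00:ff mask come from the text, while the rule sets and the packets fed through them are constructed.

```python
# Added example (not from the Dell guide): first-match ACL evaluation with the
# inverse (wildcard) mask semantics described above, for IPv4 and MAC rules.
# The sample rule sets and packets below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPV4_ALL_ONES = 0xFFFFFFFF
MAC_ALL_ONES = 0xFFFFFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def mac_to_int(mac: str) -> int:
    """Colon-separated MAC address to a 48-bit integer (case-insensitive)."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


def masked_match(value: int, rule_value: int, wildcard: int) -> bool:
    """Inverse-mask comparison: 0 bits in the mask must match exactly and
    1 bits are "don't care", so 0.0.0.0 255.255.255.255 means 'any' and
    x.x.x.x 0.0.0.0 means 'host x.x.x.x'."""
    return (value & ~wildcard) == (rule_value & ~wildcard)


def parse_ipv4_spec(spec: str) -> Tuple[int, int]:
    """Accept 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (inverse mask)."""
    tokens = spec.split()
    if tokens == ["any"]:
        return 0, IPV4_ALL_ONES
    if len(tokens) == 2 and tokens[0] == "host":
        return ip_to_int(tokens[1]), 0
    if len(tokens) == 2:
        return ip_to_int(tokens[0]), ip_to_int(tokens[1])
    raise ValueError(f"bad IPv4 rule spec: {spec!r}")


def parse_mac_spec(spec: str) -> Tuple[int, int]:
    """Accept 'any' or 'MAC MASK', e.g. '68:94:23:AD:F3:18 00:00:00:00:00:ff'."""
    tokens = spec.split()
    if tokens == ["any"]:
        return 0, MAC_ALL_ONES
    if len(tokens) == 2:
        return mac_to_int(tokens[0]), mac_to_int(tokens[1])
    raise ValueError(f"bad MAC rule spec: {spec!r}")


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: Tuple[int, int]        # (address, inverse mask)
    dst: Tuple[int, int]
    hits: int = 0               # per-rule counter (show ip/mac access-list)


@dataclass
class AccessList:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, src: int, dst: int) -> Tuple[str, Optional[int]]:
        """Compare a packet against the rules in list order; the first match
        wins and its counter is incremented. Return (action, rule index),
        with index None for the implicit deny at the end of the list."""
        for index, rule in enumerate(self.rules):
            if masked_match(src, *rule.src) and masked_match(dst, *rule.dst):
                rule.hits += 1
                return rule.action, index
        return "deny", None


def build_ip_acl() -> AccessList:
    """Constructed sample: block one host, permit the rest of its /24."""
    acl = AccessList("ip-sample")
    acl.rules.append(Rule("deny", parse_ipv4_spec("host 192.168.21.1"),
                          parse_ipv4_spec("any")))
    acl.rules.append(Rule("permit", parse_ipv4_spec("192.168.21.0 0.0.0.255"),
                          parse_ipv4_spec("any")))
    return acl


def build_mac_acl() -> AccessList:
    """Constructed sample: permit the 256 addresses 68:94:23:AD:F3:00 to :FF."""
    acl = AccessList("mac-sample")
    acl.rules.append(Rule("permit",
                          parse_mac_spec("68:94:23:AD:F3:18 00:00:00:00:00:ff"),
                          parse_mac_spec("any")))
    return acl


if __name__ == "__main__":
    ip_acl = build_ip_acl()
    for src in ("192.168.21.1", "192.168.21.77", "192.168.22.1"):
        print(src, ip_acl.evaluate(ip_to_int(src), ip_to_int("10.0.0.1")))
    for rule in ip_acl.rules:
        print(rule.action, "hits =", rule.hits)
```

Note that the rule order matters: swapping the two IPv4 rules would let the /24 permit shadow the host deny, which is the kind of ordering mistake the sequence-number editing described above is meant to avoid.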
Policy-Based Routing

In contemporary inter-networks, network administrators often need to implement packet forwarding/routing according to specific organizational policies. Policy-Based Routing (PBR) exactly fits this purpose. Policy-Based Routing provides a flexible mechanism to implement solutions where organizational constraints dictate that traffic be routed through specific network paths. PBR does not affect route redistribution that occurs via routing protocols. PBR is a true routing policy solution.
Additional match criteria may be configured by the administrator if desired. Since a route-map is configured in the context of a routing VLAN, a VLAN tag is automatically added to the match criteria without the need for the administrator to specify the VLAN ID.

Route-Map Processing

An incoming packet is matched against the criteria in the 'match' terms specified in each route-map in the policy. The 'match' terms (clauses) must refer to one or more MAC or IPv4 addresses or a packet length.
• For a deny route-map, if the decision reached in the above step is permit, then PBR processing logic terminates and the packet goes through standard destination-based routing logic. The counter is incremented for each matching packet. • For a deny route-map, if the decision reached in the above step is deny, the counter for this match statement is not incremented. The processing logic terminates, and the packet goes through the standard destination-based routing logic.
using the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address. This type of rule takes priority over default entries in the routing table. • IP precedence—Packets matching the ACL criteria have their IP precedence rewritten. The IP precedence value is carried in the three high-order bits of the ToS byte in the IP packet header.
Interface ACLs and PBR Interaction PBR can be configured only on VLAN routing interfaces. However, user-defined ACLs can be configured on all types of interfaces, including physical interfaces, port-channels, and VLANs. When processing packets on which both PBR and user-defined ACLs are configured, routing policy is performed only after the application of all user-defined VLAN and interface ACLs.
PBR Action (VLAN) / ACL Action (Interface)   Result
mirror                                        both
redirect                                      both (see Note 1)
rate limit                                    both

1. In the case of the redirect ACL action, both the redirect and PBR actions are honored, if possible. This implies the PBR-routed packet is redirected to the configured physical port and the redirected port is participating in the egress VLAN to which the packet is being routed. In other words, the system will select the interface specified by the ACL which is a member of the egress VLAN.
packets are considered as candidates for routing according to the rules specified in the route-map. If none of the match rules are successful, then the packet is routed by the standard L3 routing process. The implicit “deny all” rule is not applicable to interfaces on which a routing policy is configured. Configuring an explicit deny all ACL that is not associated with a route-map will drop packets before they are processed by PBR.
ACL Resource Usage When a route-map defines a “match” rule associated with an ACL, except for the implicit routing behavior mentioned above, the resource consumption is the same as if a normal ACL is applied on an interface. Rules consumed by an ACL corresponding to route-map “match” clause share hardware resources with the ACL component. Some resources cannot be shared.
Configuring ACLs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ACLs on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help link at the top of the page. IP ACL Configuration Use the IP ACL Configuration page to add or remove IP-based ACLs.
Figure 20-2. Add IP ACL 4 Click Apply. Removing IPv4 ACLs To delete an IPv4 ACL: 1 From the IP ACL Name menu on the IP ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv4 ACLs To view configured ACLs, click Show All from the IP ACL Configuration page. Figure 20-3.
IP ACL Rule Configuration Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, rules can be used to assign traffic to a particular queue, filter on some traffic, change a VLAN tag, shut down a port, and/or redirect the traffic to a particular port. NOTE: There is an implicit deny all rule at the end of an ACL list.
Figure 20-4. IP ACL - Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
MAC ACL Configuration Use the MAC ACL Configuration page to define a MAC-based ACL. To display the MAC ACL Configuration page, click Switching > Network Security > Access Control Lists > MAC Access Control Lists > Configuration in the navigation panel. Figure 20-5. MAC ACL Configuration Adding a MAC ACL To add a MAC ACL: 1 Open the MAC ACL Configuration page. 2 Click Add to display the Add MAC ACL page. 3 Specify an ACL name. Figure 20-6. Add MAC ACL 4 Click Apply.
Renaming or Removing MAC ACLs To rename or delete a MAC ACL: 1 From the MAC ACL Name menu on the MAC ACL Configuration page, select the ACL to rename or remove. 2 To rename the ACL, select the Rename checkbox and enter a new name in the associated field. 3 To remove the ACL, select the Remove checkbox. 4 Click Apply. Viewing MAC ACLs To view configured ACLs, click Show All from the MAC ACL Configuration page.
MAC ACL Rule Configuration Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default deny all rule is the last rule of every list. To display the MAC ACL Rule Configuration page, click Switching > Network Security > Access Control Lists > MAC Access Control Lists > Rule Configuration in the navigation panel. Figure 20-7.
IPv6 ACL Configuration Use the IPv6 ACL Configuration page to add or remove IPv6-based ACLs. To display the IPv6 ACL Configuration page, click Switching > Network Security > Access Control Lists > IPv6 Access Control Lists > IPv6 ACL Configuration in the navigation panel. Figure 20-8. IPv6 ACL Configuration Adding an IPv6 ACL To add an IPv6 ACL: 1 Open the IPv6 ACL Configuration page. 2 Click Add to display the Add IPv6 ACL page. 3 Specify an ACL name. Figure 20-9. Add IPv6 ACL 4 Click Apply.
Removing IPv6 ACLs To delete an IPv6 ACL: 1 From the IPv6 ACL Name menu on the IPv6 ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv6 ACLs To view configured ACLs, click Show All from the IPv6 ACL Configuration page. The IPv6 ACL Table page displays. IPv6 ACL Rule Configuration Use the IPv6 ACL Rule Configuration page to define rules for IPv6-based ACLs.
Figure 20-10. IPv6 ACL - Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
ACL Binding Configuration When an ACL is bound to an interface, all the rules that have been defined are applied to the selected interface. Use the ACL Binding Configuration page to assign ACL lists to ACL priorities and interfaces. From the web interface, the ACL rules can be configured in the ingress or egress direction so that they implement security rules for packets entering or exiting the port. ACLs can be applied to any physical (including 10 Gb) interface, LAG, or routing port.
Time Range Entry Configuration Use the Time Range Entry Configuration page to define time ranges to associate with ACL rules. To display the Time Range Entry Configuration page, click System > Time Synchronization > Time Range Configuration in the navigation panel. The following image shows the page after at least one time range has been added. Otherwise, the page indicates that no time ranges are configured, and the time range configuration fields are not displayed. Figure 20-12.
Figure 20-13. Add a Time Range 3 Click Apply. 4 Click Configuration to return to the Time Range Entry Configuration page. 5 In the Time Range Name field, select the name of the time range to configure. 6 Specify an ID for the time range. Up to 10 different time range entries can be configured to include in the named range. However, only one absolute time entry is allowed per time range. 7 Configure the values for the time range entry. 8 Click Apply.
Configuring ACLs (CLI) This section provides information about the commands you use to create and configure ACLs. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring an IPv4 ACL Beginning in Privileged EXEC mode, use the following commands to create an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
Command Purpose [sequence-number] {deny | permit} {every | {{ipv4-protocol | 0-255 | every} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | ack] [+urg | -urg] [established]] [icmptype icmp-type [icmpcode icmp-code] | icmpmessage i
Command Purpose continued – When range is specified, IP ACL rule matches only if the layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the layer-4 port range.
Command Purpose continued • flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]— Specifies that the IP/TCP/UDP ACL rule matches on the TCP flags. – Ack – Acknowledgement bit – Fin – Finished bit – Psh – Push bit – Rst – Reset bit – Syn – Synchronize bit – Urg – Urgent bit – When “+” is specified, a match occurs if the specified flag is set in the TCP header.
Command Purpose continued • igmp-type igmp-type—When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type (i.e., a number from 0 to 255). • fragments—Specifies the rule matches packets that are non-initial fragments (fragment bit asserted). Not valid for rules that match L4 information such as TCP port number since that information is carried in the initial packet. This keyword is visible only if the protocol is ip, tcp, or udp.
Command Purpose interface interface (Optional) Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command. For example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12. ip access-group name direction seqnum Bind the specified ACL to an interface.
Configuring a MAC ACL Beginning in Privileged EXEC mode, use the following commands to create a MAC ACL, configure rules for the ACL, and bind the ACL to an interface. Command Purpose configure Enter global configuration mode. mac access-list extended name Create a named MAC ACL. This command also enters MAC Access List Configuration mode. If a MAC ACL with this name already exists, this command enters the mode to update the existing ACL.
Command Purpose [sequence-number] {deny | permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu} [{ethertypekey | 0x0600-0xFFFF} [vlan eq 0-4093] [cos 0-7] [secondary-vlan eq 0-4093] [secondary-cos 0-7] [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} interface] Specify the rules (match conditions) for the MAC access list. • sequence-number — Identifies the order of application of the permit/deny statement.
Command Purpose continued • log—Specifies that this rule is to be logged. • time-range time-range-name—Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately.
Command Purpose mac access-group name direction seqnum Bind the specified MAC ACL to an interface. NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode. • name — Access list name. (Range: Valid MAC access-list name up to 31 characters in length) • direction — Direction of the ACL. (Range: In or out. Default is in.) • seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295. Default is 1.
Configuring an IPv6 ACL Beginning in Privileged EXEC mode, use the following commands to create an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface. Command Purpose configure Enter global configuration mode. ipv6 traffic-filter name Create an extended IPv6 ACL. This command also enters IPv6 Access List Configuration mode. If an IPv6 ACL with this name already exists, this command enters the mode to update the existing ACL.
Command Purpose [sequence-number] {deny | permit} {ipv6protocol | number | every} {source-ipv6prefix/prefix-length | any | host source-ipv6address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {destination-ipv6prefix/prefix-length | any | host destination-ipv6address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | ack] [+urg | -urg] [establis
Command Purpose (Continued) – When eq is specified, the IPv6 ACL rule matches only if the layer-4 port number is equal to the specified port number or portkey. – When lt is specified, the IPv6 ACL rule matches if the layer-4 port number is less than the specified port number or portkey. It is equivalent to specifying the range as 0 to one less than the specified port. • destination ipv6 prefix — IPv6 prefix in IPv6 global address format.
Command Purpose ipv6 traffic-filter name direction [sequence seq-num] Bind the specified IPv6 ACL to an interface. NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode. • name — Access list name. (Range: Valid IPv6 access-list name up to 31 characters in length) • direction — Direction of the ACL. (Range: In or out. Default is in.) • seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295.
Command Purpose periodic {days-of-the-week time} to {[days-of-the-week] time} Configure a recurring time entry for the named time range. • days-of-the-week — The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect.
ACL Configuration Examples This section contains the following examples: • "Basic Rules " on page 679 • "Internal System ACLs " on page 680 • "Complete ACL Example " on page 681 • "Advanced Examples " on page 685 • "Policy-Based Routing Examples " on page 697 NOTE: None of these ACL rules are applicable to the OOB interface. Basic Rules • Inbound rule allowing all packets sequenced after all other rules.
• Inbound rule allowing access FROM hosts with IP addresses ranging from 10.0.46.0 to 10.0.47.255: permit ip 10.0.46.0 0.0.1.255 any • Inbound rule allowing access TO hosts with IP addresses ranging from 10.0.48.0 to 10.0.49.255: permit ip any 10.0.48.0 0.0.1.255 As the last rule in an administrator-defined list, the narrower scope of this inbound rule has no effect other than to possibly interfere with switch management access or router operations.
Complete ACL Example The following example is a complete inbound ACL that allows access for hosts connected to gi1/0/1 with IP address in 10.1.1.x range to send IP packets to 192.168.0.X hosts on gi1/0/2. IP packets not from 10.1.1.x addresses or not addressed to 192.168.0.x hosts are dropped. Packets with protocols other than IP, DNS, ARP, or ICMP are dropped. Allowing ICMP supports the 10.1.1.x hosts in reliably receiving and initiating TCP connections and pinging through the switch.
console(config-if-gi1/0/2)#exit Consider the following inbound rules that allow Telnet connections and UDP traffic from the 192.168.0.x network to host 10.1.1.23: ip access-list Host10-1-1-23 ! Permit Telnet traffic from 192.168.0.X network to host 10.1.1.23: permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 eq telnet ! Permit TCP traffic from 192.168.0.X network to host 10.1.1.23: permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 ! Permit UDP traffic from 192.168.0.X network to host 10.1.1.23 permit udp 192.
packets with either the RST or ACK bits set (logical OR). Flags that are neither set nor cleared in the rule are not checked in the ACL (don't care or wildcard). console(config)#ip access-list flags-demo console(config-ip-acl)#permit tcp any any flag ? established Enter a TCP Flag (+fin, -fin, +syn, -syn, +rst, -rst, +psh, -psh, +ack, -ack, +urg, -urg, established). Enter a flag (+|-) only once.
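The flag semantics spelled out in the command description and in the flags-demo above, as an added example that is not part of the Dell guide: "+name" requires the bit set, "-name" requires it clear, a flag not mentioned is a wildcard, "established" matches when RST or ACK is set, and a flag may be given only once. The helper names are my own; the three handshake segments used at the end are constructed.

```python
# Added example (not from the Dell guide): the matching semantics of the
# "flag" keyword. "+name" requires the bit set, "-name" requires it clear,
# a flag not mentioned is a wildcard, and "established" matches when RST or
# ACK is set. Each flag may be given only once, which the CLI also enforces.
# Helper names are my own.
from typing import List, Tuple

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_flag_spec(spec: str) -> Tuple[int, int, bool]:
    """Return (bits that must be set, bits that must be clear, established)."""
    must_set = must_clear = 0
    established = False
    for token in spec.lower().split():
        if token == "established":
            established = True
            continue
        sign, name = token[:1], token[1:]
        if sign not in ("+", "-") or name not in TCP_FLAG_BITS:
            raise ValueError(f"bad flag token {token!r}")
        bit = TCP_FLAG_BITS[name]
        if bit & (must_set | must_clear):
            raise ValueError(f"flag {name} given twice")   # "Enter a flag (+|-) only once."
        if sign == "+":
            must_set |= bit
        else:
            must_clear |= bit
    return must_set, must_clear, established


def flag_spec_is_valid(spec: str) -> bool:
    try:
        parse_flag_spec(spec)
        return True
    except ValueError:
        return False


def tcp_flags_match(flags: int, spec: str) -> bool:
    """Does a TCP header carrying these flag bits match the rule's flag spec?"""
    must_set, must_clear, established = parse_flag_spec(spec)
    if (flags & must_set) != must_set:          # a required flag is missing
        return False
    if flags & must_clear:                      # a forbidden flag is present
        return False
    if established and not flags & (TCP_FLAG_BITS["rst"] | TCP_FLAG_BITS["ack"]):
        return False                            # established = RST or ACK set
    return True


def classify_handshake(spec: str) -> List[bool]:
    """Apply a spec to the three segments of a TCP handshake: SYN, SYN-ACK, ACK
    (constructed flag bytes 0x02, 0x12, 0x10)."""
    syn, syn_ack, ack = 0x02, 0x12, 0x10
    return [tcp_flags_match(f, spec) for f in (syn, syn_ack, ack)]
```

A practical consequence is visible in classify_handshake: a rule with "+syn -ack" sees only the first segment of a connection (new connection attempts), while "established" sees the second and third, which is why the rate-limit example later in this chapter treats the two separately.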
pop2 | pop3 | ntp | rip | time | who }. To bind an access-list to an interface, use the access-group command. The in parameter specifies that the ACL is applied to ingress packets. The out parameter specifies that the ACL is applied to egress packets not generated by the switch/router. If no in/out parameter is specified, the access list default is to apply the ACL to ingress packets.
Advanced Examples Configuring a Time-Based ACL The following example configures an ACL that denies HTTP traffic from 8:00 am to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100. The ACL permits VLAN 100 members to browse the Internet only during lunch and after hours. To configure the switch: 1 Create a time range called work-hours.
console#show ip access-lists web-limit

IP ACL Name: web-limit

Rule Number: 1000
Action......................................... deny
Match All...................................... FALSE
Protocol....................................... 6(tcp)
Source IP Address.............................. any
Destination IP Address......................... any
Destination Layer 4 Operator................... Equal To
Destination L4 Port Keyword.................... 80(www/http)

Rule Number: 1010
Action.....................
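A model of how the switch walks a bound ACL, as an added example that is not part of the Dell guide. It ties together the sequence-number ordering, the implicit deny all at the end of every list, and the time-range behaviour of the web-limit ACL above. Rules are tried in ascending sequence number and the first match decides; a rule whose time range is not active is treated as absent (my assumption, consistent with the rule being in effect only during its range); the rule format is a small subset of the CLI syntax and the helper names are my own.

```python
# Added example (not from the Dell guide): evaluation of a bound IPv4 ACL.
# Rules are tried in ascending sequence number, the first match decides,
# a rule outside its time range is skipped (assumption), and an implicit
# "deny all" follows the last configured rule. Helper names are my own.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple
import ipaddress

DAY_SETS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6},
            "daily": {0, 1, 2, 3, 4, 5, 6}}


@dataclass(frozen=True)
class Periodic:
    """One 'periodic <days> hh:mm to hh:mm' entry of a named time range."""
    days: frozenset
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


def periodic(spec: str) -> Periodic:
    """Parse 'weekdays 08:00 to 12:00' into a Periodic entry."""
    days, start, _to, end = spec.split()
    return Periodic(frozenset(DAY_SETS[days]),
                    time.fromisoformat(start), time.fromisoformat(end))


@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches every IP protocol
    src: str = "0.0.0.0"            # address + wildcard; the defaults mean "any"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None     # "eq <port>" on the destination
    time_range: tuple = ()          # Periodic entries; empty means always active


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _wc_match(ip: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a set mask bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(rule_ip)) & care)


def evaluate(acl, pkt: Packet, when: datetime) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the deciding rule). A sequence
    number of None means the implicit deny at the end of the list decided."""
    for rule in sorted(acl, key=lambda r: r.seq):       # lowest sequence first
        if rule.time_range and not any(p.active(when) for p in rule.time_range):
            continue                                     # rule is outside its time range
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not (_wc_match(pkt.src, rule.src, rule.src_wc)
                and _wc_match(pkt.dst, rule.dst, rule.dst_wc)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action, rule.seq                     # first match wins
    return "deny", None                                  # implicit deny all


def decide(acl, proto, src, dst, dport, when_iso: str) -> Tuple[str, Optional[int]]:
    """Convenience wrapper taking an ISO-8601 timestamp such as '2016-06-06T10:00'."""
    return evaluate(acl, Packet(proto, src, dst, dport), datetime.fromisoformat(when_iso))


# The web-limit ACL from the text: deny HTTP during work hours, permit the rest.
WORK_HOURS = (periodic("weekdays 08:00 to 12:00"),
              periodic("weekdays 13:00 to 18:00"),
              periodic("weekend 08:30 to 12:30"))
WEB_LIMIT = [Rule(1000, "deny", proto="tcp", dport=80, time_range=WORK_HOURS),
             Rule(1010, "permit")]                       # "permit every"

# A list holding only one permit: everything else falls to the implicit deny.
ONLY_10_1_1 = [Rule(10, "permit", src="10.1.1.0", src_wc="0.0.0.255")]
```

The ONLY_10_1_1 list shows the point the earlier NOTE makes: without a trailing permit, a list that names only what it allows silently drops management and routing-protocol traffic that arrives on the same interface.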
Allow FTP Traffic Only to an FTP Server This ACL limits traffic from a router to a directly connected FTP server (172.16.0.5) on gi1/0/11. Notice that this is an “out” or egress ACL. Traffic to the router from the FTP server is not affected by this rule. Traffic from the router to the FTP server is limited to ICMP and packets destined to the FTP ports. There is no need to add permit rules for all the protocols the router can send to the host (e.g., ARP, ICMP, LLDP, etc.
Block Incoming Pings and Responses This example configures an ingress ACL that blocks incoming pings and ping responses. Since packets generated by the CPU are not affected by ACLs, to block pinging from the switch we add a rule to block the ping responses on ingress.
Assign Ingress Packets to a CoS Queue Assign a range of source or destination TCP ports to CoS queue 3 to provide elevated service. Two rules are necessary to handle packets that have source or destination ports outside the range.
Schedule Forwarding of Packets to a Different Port This ACL layer-2 forwards matching packets to a different port based on a time schedule. This is not equivalent to Policy-Based Forwarding, as the TTL in the packet is not decremented, nor is a new destination MAC address written into the packet. The access-group policy is globally configured on all switch interfaces.
Rate limit WWW traffic (ACL) This example creates an ACL to rate-limit WWW traffic ingressing the switch on te1/0/1. Initial and established values require tuning for local traffic patterns and link speeds. Note that this ACL applies to traffic sent to the switch IP address as well as traffic forwarded by the switch (in rule). Permit rules with a rate-limit parameter do not require a following deny rule as matching packets exceeding the rate limit are discarded. Compare this with the example above.
console(config-ip-acl)#permit tcp any any eq 22 flag established rate-limit 1024 128 console(config-ip-acl)#permit tcp any any eq telnet rate-limit 12 2 console(config-ip-acl)#permit tcp any any eq 22 rate-limit 12 2 console(config-ip-acl)#2147483647 permit every console(config-ip-acl)#exit console(config)#ip access-group rate-limit-inband-mgmt controlplane The following commands block fragmented traffic from being sent to the CPU: console#config console(config)#ip access-list no-frag-inband-mgmt console(c
Expedite DSCP(EF) Traffic/Limit Background Traffic By default (with no CoS or DSCP configuration), packets are assigned to User Priority 1/CoS queue 0 (see the output from show classofservice trust and show classofservice dot1p-mapping). When incast occurs (multiple ports sending to a single output port at a rate greater than can be accommodated), the switch buffer capacity can be exhausted.
3 Match source MAC 001E.C9XX.XXXX. Rate limit to 100 Kbps with a burst of 32 Kbytes: console(config-mac-access-list)#permit 001E.C900.0000 0000.00FF.
A Consolidated DoS Example This example includes some ACL rules to consider to reduce DoS attacks on the switch. It does not represent a complete DoS suite. A firewall with deep packet inspection capabilities should be used for true DoS protection. NOTE: The rate limits below should be adjusted to match the expected rates of traffic coming to the CPU.
console(config)#ip access-group squelch-dos-attacks controlplane 9 Further limit inbound traffic on in-band management ports. Allow only VLAN 99 SSH and TFTP, no telnet, HTTP, HTTPS, or SNMP. The management access list actions are performed by the switch firmware in addition to the access list actions performed by the switching silicon, e.g., squelch-dos-attacks.
Policy-Based Routing Examples Route-Map with Scheduled Redirection of RFC 1918 Addresses to a Different Next Hop 1 Create a time range named “work-hours” that runs from 7:30 AM to 6:00 PM: console#config console(config)#time-range work-hours console(config-time-range)#periodic weekdays 07:30 to 18:00 console(config-time-range)#exit 2 Define an IP ACL named “subnet-172-16” and permit all accesses on the subnet during the work-hours time range: console(config)#ip access-list subnet-172-16 console(config-ip-acl)#pe
Complete Example of Policy-Based Routing on VLAN Routing Interfaces In this example, a layer-3 router with four VLAN routing interfaces (VLAN 10, VLAN 20, VLAN 30 and VLAN 40) is configured. Each of these interfaces is connected to layer-2 switches. Traffic sent to host 2.2.2.2 from host 1.1.1.2 on VLAN interface 10 is normally routed over VLAN interface 20.
console(config-if-gi1/0/2)#exit console(config)#interface gi 1/0/4 console(config-if-gi1/0/4)#switchport mode trunk console(config-if-gi1/0/4)#switchport trunk allowed vlan remove 1 console(config-if-gi1/0/4)#switchport trunk native vlan 20 console(config-if-gi1/0/4)#exit console(config)#interface gi1/0/22 console(config-if-gi1/0/22)#switchport mode trunk console(config-if-gi1/0/22)#switch trunk allowed vlan remove 1 console(config-if-gi1/0/22)#switch trunk native vlan 30 console(config-if-gi1/0/22)#exit co
5 Configure Policy Routing. To policy-route such traffic to VLAN routing interface 30, the following additional steps should be performed: a Create an access-list matching all incoming IP traffic from host 1.1.1.2 destined to host 2.2.2.2: console(config)#ip access-list Match-ip-1_1_1_2-to-2_2_2_2 console(config-ip-acl)#permit ip host 1.1.1.2 host 2.2.2.
21 VLANs

This chapter describes how to configure VLANs, including port-based VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs, and Voice VLANs.
segregate traffic by type so that the time-sensitive traffic, like voice traffic, has priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access. When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN.
Figure 21-1. Simple VLAN Topology Router Engineering VLAN 100 Switch Payroll VLAN 300 Tech Pubs VLAN 200 In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.
Table 21-1 provides an overview of the types of VLANs that can be used to logically divide the network.

Table 21-1. VLAN Assignment

VLAN Assignment       Description
Port-based (Static)   This is the most common way to assign hosts to VLANs. The port where the traffic enters the switch determines the VLAN membership.
IP Subnet             Hosts are assigned to a VLAN based on their IP address. All hosts in the same subnet are members of the same VLAN.
Trunk ports can receive tagged and untagged traffic. Untagged traffic is tagged internally with the native VLAN. Native VLAN traffic received untagged is transmitted untagged on a trunk port. By default, trunk ports are members of all existing VLANs and will automatically participate in any newly created VLANs. The administrator can restrict the VLAN membership of a trunk port. VLAN membership for tagged frames received on a trunk port is configured separately from the membership of the native VLAN.
additional tag on the traffic, the switch can differentiate between customers in the MAN while preserving an individual customer’s VLAN identification when the traffic enters the customer’s 802.1Q domain. With the introduction of this second tag, customers are no longer required to divide the 12-bit VLAN ID space to send traffic on an Ethernet-based MAN.
Figure 21-2. Double VLAN Tagging Network Example Voice VLAN The Voice VLAN feature enables switch ports to carry voice traffic from IP phones with an administrator-defined priority. When multiple devices, such as a PC and an IP phone, are connected to the same port, the port can be configured to use one VLAN for voice traffic and another VLAN for data traffic. Multiple IP phones per port are supported.
NOTE: Voice VLAN must be configured on general mode ports. It is not supported on access mode or trunk mode ports. Identifying Voice Traffic Some VoIP phones contain full support for IEEE 802.1X. When these phones are connected to a port that uses 802.1X port-based authentication, these phones authenticate and receive their VLAN information from LLDP-MED. However, if a VoIP phone has limited support for 802.1X authentication it might try to authenticate and fail. A phone with no 802.
phone is identified: if it is identified via CDP, then the VLAN assignment is via CDP and if it is identified via LLDP-MED, then the VLAN assignment is via LLDP-MED. In either case, the voice data coming from the VoIP phone is tagged with the exchanged VLAN ID. Untagged data arriving on the switch is given the default PVID of the port. As a result, both kinds of traffic may be segregated by operator configuration in order to provide better service to the voice traffic.
particular private VLAN instance. The secondary VLAN ID differentiates the subdomains from each other and provides layer-2 isolation between ports on the same private VLAN. The following types of VLANs can be configured in a private VLAN: • Primary VLAN—Forwards the traffic from the promiscuous ports to isolated ports, community ports and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN. All ports within a private VLAN share the same primary VLAN.
The same traffic isolation can be achieved by assigning each port with a different VLAN, allocating an IP subnet for each VLAN, and enabling layer-3 routing between them. In a private VLAN domain, on the other hand, all members can share the common address space of a single subnet, which is associated with a primary VLAN. So, the advantage of the private VLANs feature is that it reduces the number of consumed VLANs, improves IP addressing space utilization, and helps to avoid layer-3 routing.
In the configuration shown in Figure 21-3, the port connected from SW1 to R1 (TE1/1/1) is configured as a promiscuous port. It is possible to configure a port-channel as a promiscuous port in order to provide a level of redundancy on the private VLAN uplink. Isolated Ports An endpoint connected to an isolated port is allowed to communicate with endpoints connected to promiscuous ports only. Endpoints connected to adjacent isolated ports cannot communicate with each other.
and community ports in the same secondary VLAN. A promiscuous port broadcasts traffic to other promiscuous ports, isolated ports, and community ports.

Table 21-2. Forwarding Rules for Traffic in Primary VLAN

From \ To       promiscuous   community 1   community 2   isolated   stack (trunk)
promiscuous     allow         allow         allow         allow      allow
community 1     N/A           N/A           N/A           N/A        N/A
community 2     N/A           N/A           N/A           N/A        N/A
isolated        N/A           N/A           N/A           N/A        N/A
stack (trunk)   allow         allow         allow         allow      allow

Table 21-3.

From \ To       promiscuous   community 1   community 2   isolated   stack (trunk)
isolated        allow         deny          deny          deny       allow
stack (trunk)   allow         deny          deny          deny       allow

Limitations and Recommendations
• Only a single isolated VLAN can be associated with a primary VLAN. Multiple community VLANs can be associated with a primary VLAN.
• Trunk and general modes are not supported on private VLAN ports.
• Do not configure access ports using the VLANs participating in any of the private VLANs.
• A private VLAN cannot be enabled on the default VLAN. • VLAN routing can be enabled on private VLANs. It is not very useful to enable routing on secondary VLANs, as the access to them is restricted. However, primary VLANs can be enabled for routing. • It is recommended that the private VLAN IDs be removed from the trunk ports connected to devices that do not participate in the private VLAN traffic. Private VLAN Configuration Example See "Configuring a Private VLAN " on page 763.
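The forwarding rules of Tables 21-2 and 21-3, as an added example that is not part of the Dell guide. It answers the question an operator actually asks: given a port map, which ports receive a broadcast from a given port, and may two ports exchange unicast at all. A frame entering on the stack/trunk port is treated according to the VLAN tag it carries (the primary VLAN behaves like a promiscuous source, a secondary VLAN like the isolated or community port it came from); community-to-trunk delivery is assumed allowed, since those rows of Table 21-3 are not shown above. Port names and the topology are constructed and the helper names are my own.

```python
# Added example (not from the Dell guide): a model of the private VLAN
# forwarding rules in Tables 21-2 and 21-3. Port names, topology and
# helper names are my own; community->trunk delivery is assumed allowed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                         # "promiscuous", "isolated", "community" or "trunk"
    community: Optional[str] = None   # community VLAN name, for community ports only


def reachable(src_role: str, src_community: Optional[str], dst: PvlanPort) -> bool:
    """May a frame that originated on a port of src_role (in community
    src_community) be delivered to dst?"""
    if dst.role in ("promiscuous", "trunk"):
        return True                           # every row in the tables allows these columns
    if src_role == "promiscuous":
        return True                           # primary-VLAN traffic reaches every secondary port
    if src_role == "isolated" or dst.role == "isolated":
        return False                          # isolated ports never reach other secondary ports
    return src_role == "community" and dst.community == src_community


def broadcast_receivers(ports: List[PvlanPort], src_name: str,
                        tagged_as: Optional[Tuple[str, Optional[str]]] = None) -> List[str]:
    """Ports (in list order) that receive a broadcast sent from src_name.
    For a trunk source, tagged_as is the (role, community) implied by the
    frame's VLAN tag; None means the frame is tagged with the primary VLAN."""
    by_name = {p.name: p for p in ports}
    src = by_name[src_name]
    if src.role == "trunk":
        role, comm = tagged_as or ("promiscuous", None)
    else:
        role, comm = src.role, src.community
    return [p.name for p in ports if p is not src and reachable(role, comm, p)]


def unicast_allowed(ports: List[PvlanPort], src_name: str, dst_name: str,
                    tagged_as: Optional[Tuple[str, Optional[str]]] = None) -> bool:
    """Layer-2 reachability between two ports of one private VLAN."""
    return dst_name in broadcast_receivers(ports, src_name, tagged_as)


# Constructed topology: one uplink to the router, two hosting communities,
# two isolated customer ports and a stack/trunk link to another switch.
PORTS = [
    PvlanPort("te1/1/1", "promiscuous"),
    PvlanPort("gi1/0/1", "community", "web"),
    PvlanPort("gi1/0/2", "community", "web"),
    PvlanPort("gi1/0/3", "community", "db"),
    PvlanPort("gi1/0/4", "isolated"),
    PvlanPort("gi1/0/5", "isolated"),
    PvlanPort("po1", "trunk"),
]
```

The trunk case is the one to check when extending a private VLAN across a stack or a second switch: a frame that arrives on the trunk tagged with the isolated VLAN must not be delivered to local community or isolated ports, which is exactly what the last row of Table 21-3 states.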
Default VLAN Behavior One VLAN is configured on the Dell Networking N-Series switches by default. The VLAN ID is 1, and all ports are included in the VLAN as access ports, which are untagged. This means when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag. If a device sends a tagged frame to a port with a VLAN ID other than 1, the frame is dropped.
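The ingress and egress tagging rules described for access and trunk ports, as an added example that is not part of the Dell guide. An access port accepts untagged frames into its PVID and drops frames tagged with another VLAN; a trunk port classifies untagged frames into its native VLAN, accepts tagged frames only for its native or allowed VLANs (treating the native VLAN as always a member is my assumption), and sends native-VLAN frames untagged. The port and VLAN numbers are constructed and the helper names are my own.

```python
# Added example (not from the Dell guide): access and trunk port tagging
# rules as a small model. Port/VLAN numbers are made up; helper names are
# my own; the native VLAN is assumed always to be a member of the trunk.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "access" or "trunk"
    pvid: int = 1                           # access VLAN, or the trunk's native VLAN
    allowed: FrozenSet[int] = frozenset()   # trunk only: VLANs accepted/sent tagged


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is classified into; None means it is dropped.
    tag is the 802.1Q VID the frame carries, or None for an untagged frame."""
    if tag is None:
        return port.pvid                                 # untagged: PVID (native VLAN on a trunk)
    if port.mode == "access":
        return port.pvid if tag == port.pvid else None   # tagged with another VLAN: dropped
    if tag == port.pvid or tag in port.allowed:
        return tag                                       # trunk: tag must be native or allowed
    return None


def egress(port: Port, vlan: int) -> str:
    """How a frame in `vlan` leaves the port: 'untagged', 'tagged <vid>' or 'blocked'."""
    if port.mode == "access":
        return "untagged" if vlan == port.pvid else "blocked"
    if vlan == port.pvid:
        return "untagged"                                # native VLAN leaves the trunk untagged
    return f"tagged {vlan}" if vlan in port.allowed else "blocked"


def forward(src: Port, tag: Optional[int], dst: Port) -> str:
    """Result for a frame received on src (with the given tag) headed for dst."""
    vlan = ingress_vlan(src, tag)
    if vlan is None:
        return "dropped at ingress"
    return egress(dst, vlan)


# Constructed ports. DEFAULT_TRUNK keeps VLAN 1 as its native VLAN, as a new
# trunk does; HARDENED_TRUNK moves the native VLAN to an otherwise unused ID,
# the "switchport trunk native vlan" / "allowed vlan remove 1" pattern used in
# the PBR example earlier in this guide.
ACCESS_V1 = Port("gi1/0/1", "access", pvid=1)
ACCESS_V10 = Port("gi1/0/2", "access", pvid=10)
DEFAULT_TRUNK = Port("gi1/0/24", "trunk", pvid=1, allowed=frozenset({10, 20}))
HARDENED_TRUNK = Port("gi1/0/24", "trunk", pvid=999, allowed=frozenset({10, 20}))
```

The two trunk definitions make the security point concrete: with the default native VLAN, anything a neighbour sends untagged across the trunk lands on the VLAN 1 access ports, while a native VLAN that no access port uses leaves such frames with nowhere to go.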
Table 21-6 shows the default values or maximum values for VLAN features. Table 21-6. Additional VLAN Default and Maximum Values Feature Value Default VLAN VLAN 1 VLAN Name No VLAN name is configured except for VLAN 1, whose name “default” cannot be changed. VLAN Range 2–4093 Switchport mode Access Double-VLAN tagging Disabled If double-VLAN tagging is enabled, the default EtherType value is 802.
Configuring VLANs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLANs on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help link at the top of the page. VLAN Membership Use the VLAN Membership page to create VLANs and define VLAN groups stored in the VLAN membership table. To display the VLAN Membership page, click Switching > VLAN > VLAN Membership in the navigation panel.
Table 21-7. VLAN Port Membership Definitions Port Control Definition Blank Blank: the interface is not a VLAN member. Packets in this VLAN are not forwarded on this interface. To perform additional port configuration, such as making the port a trunk port, use the Port Settings page. Figure 21-4. VLAN Membership Adding a VLAN To create a VLAN: 1 Open the VLAN Membership page. 2 Click Add to display the Add VLAN page. 3 Specify a VLAN ID and a VLAN name.
Figure 21-5. Add VLAN 4 Click Apply. Configuring Ports as VLAN Members To add member ports to a VLAN: 1 Open the VLAN Membership page. 2 From the Show VLAN menu, select the VLAN to which you want to assign ports. 3 In the Static row of the VLAN Membership table, click the blank field to assign the port as an untagged member. Figure 21-6 shows Gigabit Ethernet ports 8–10 being added to VLAN 300.
Figure 21-6. Add Ports to VLAN
4 Click Apply.
5 Verify that the ports have been added to the VLAN.
In Figure 21-7, the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN. Figure 21-7.
VLAN Port Settings Use the VLAN Port Settings page to add ports to an existing VLAN and to configure settings for the port. If you select Trunk or Access as the Port VLAN Mode, some of the fields are not configurable because of the requirements for that mode. NOTE: Ports can be added to a VLAN through the table on the VLAN Membership page or through the PVID field on the Port Settings page. The PVID is the VLAN that untagged received packets are assigned to.
Figure 21-9. VLAN Settings for All Ports
VLAN LAG Settings
Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG. To display the LAG Settings page, click Switching > VLAN > LAG Settings in the navigation panel.
Figure 21-10.
From the LAG Settings page, click Show All to see the current VLAN settings for all LAGs. To change the settings for one or more LAGs, click the Edit option for a port and select or enter new values. Figure 21-11.
Bind MAC to VLAN
Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries. To display the Bind MAC to VLAN page, click Switching > VLAN > Bind MAC to VLAN in the navigation panel.
Figure 21-12. Bind MAC to VLAN
From the Bind MAC to VLAN page, click Show All to see the MAC addresses that are mapped to VLANs.
Bind IP Subnet to VLAN
Use the Bind IP Subnet to VLAN page to assign an IP Subnet to a VLAN. The IP Subnet to VLAN configurations are shared across all ports of the switch. There can be up to 128 entries configured in this table. To display the Bind IP Subnet to VLAN page, click Switching > VLAN > Bind IP Subnet to VLAN in the navigation panel.
Figure 21-14. Bind IP Subnet to VLAN
From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets that are mapped to VLANs.
GVRP Parameters
Use the GVRP Parameters page to enable GVRP globally and configure the port settings. To display the GVRP Parameters page, click Switching > VLAN > GVRP Parameters in the navigation panel.
Figure 21-16. GVRP Parameters
From the GVRP Parameters page, click Show All to see the GVRP configuration for all ports. From this page, settings can be changed for one or more entries.
NOTE: Per-port and per-LAG GVRP Statistics are available from the Statistics/RMON page.
Figure 21-17.
Protocol Group
Use the Protocol Group page to configure which EtherTypes go to which VLANs, and then enable certain ports to use these settings. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. To display the Protocol Group page, click Switching > VLAN > Protocol Group in the navigation panel.
Figure 21-18.
Adding a Protocol Group
To add a protocol group:
1 Open the Protocol Group page.
2 Click Add to display the Add Protocol Group page.
3 Create a name for the group and associate a VLAN with the group.
Figure 21-19. Add Protocol Group
4 Click Apply.
5 Click Protocol Group to return to the main Protocol Group page.
6 From the Group ID field, select the group to configure.
7 In the Protocol Settings table, select the protocol and interfaces to associate with the protocol-based VLAN.
Figure 21-20. Configure Protocol Group
8 Click Apply.
9 Click Show All to see the protocol-based VLANs and their members.
Figure 21-21.
Double VLAN Global Configuration
Use the Double VLAN Global Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Global Configuration page, click Switching > VLAN > Double VLAN Global Configuration in the navigation panel.
Figure 21-22.
Double VLAN Interface Configuration
Use the Double VLAN Interface Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Interface Configuration page, click Switching > VLAN > Double VLAN Interface Configuration in the navigation panel.
Figure 21-23.
Figure 21-24.
Voice VLAN
Use the Voice VLAN Configuration page to configure and view voice VLAN settings that apply to the entire system and to specific interfaces. To display the page, click Switching > VLAN > Voice VLAN Configuration in the navigation panel.
Figure 21-25. Voice VLAN Configuration
NOTE: IEEE 802.1X must be enabled on the switch before you disable voice VLAN authentication.
Configuring VLANs (CLI)
This section provides information about the commands you use to create and configure VLANs. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Creating a VLAN
Beginning in Privileged EXEC mode, use the following commands to configure a VLAN and associate a name with the VLAN.
Command: Purpose
configure: Enter global configuration mode.
Configuring VLAN Settings for a LAG
The VLAN mode and membership settings you configure for a port are also valid for a LAG (port-channel). Beginning in Privileged EXEC mode, use the following commands to configure the VLAN mode for a LAG. Once the switchport mode settings are specified for a LAG, other VLAN membership settings can be specified that are valid for the switchport mode.
Command: Purpose
configure: Enter global configuration mode.
Configuring Double VLAN Tagging
Dell Networking N-Series switches use switchport dot1q-tunnel mode to configure an interface as a customer edge (CE) interface. The dot1q-tunnel mode is an overlay on switchport access mode. In particular, configuring the access mode PVID sets the outer dot1q-tunnel VLAN ID. Changing the switchport mode on a CE port to access, general, or trunk effectively disables tunneling on the interface. CE interfaces can be physical ports or port-channels.
DVLAN CE interfaces must be configured for tagging (dot1q-tunnel mode) for double tags to be observed on frames egressing the service provider (SP) interface. The DVLAN uplink interface should be configured to accept tagged frames for the DVLAN or outer VLAN (trunk or general mode). Ensure that the native (access mode) VLAN on the customer edge (CE) port is set to the DVLAN ID. MAC address learning on DVLAN enabled ports occurs on the DVLAN CE port's native VLAN.
Command: Purpose
spanning-tree guard root: (Optional) Disable the ability of the CE port to become spanning tree root.
spanning-tree tcnguard: (Optional) Ignore topology changes received from CE ports.
exit: Exit to global configuration mode.
CTRL + Z: Exit to Privileged EXEC mode.
Command: Purpose
switchport trunk allowed vlan 100: Only allow VLAN 100 packets on the interface.
switchport trunk native vlan 100: Configure untagged packets to be members of VLAN 100.
Configuring MAC-Based VLANs
Beginning in Privileged EXEC mode, use the following commands to associate a MAC address with a configured VLAN. The VLAN does not need to be configured on the system to associate a MAC address with it.
Command: Purpose
vlan association mac mac-address: Associate a MAC address with a VLAN.
• mac-address: MAC address to associate. (Range: Any MAC address in the format xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx)
CTRL + Z: Exit to Privileged EXEC mode.
show vlan association mac [mac-address]: Display the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.
Configuring IP-Based VLANs Beginning in Privileged EXEC mode, use the following commands to associate an IP subnet with a configured VLAN. The VLAN does not need to be configured on the system to associate an IP subnet with it. However, the subnet VLAN must be configured on a port in order for the system to map packets matching the IP address to the subnet VLAN and to learn the associated MAC address on the subnet VLAN so that packets addressed to the associated IP address are forwarded properly.
Command: Purpose
switchport access vlan vlanid: Specify the subnet VLAN ID of which gi1/0/4 is an access port member.
exit: Exit to Global Config mode.
CTRL + Z: Exit to Privileged EXEC mode.
show vlan association subnet [ip-address ip-: Display the VLAN associated with a specific configured IP address and netmask. If no IP address and netmask are specified, the VLAN associations of all the configured IP subnets are displayed.
Configuring a Protocol-Based VLAN Beginning in Privileged EXEC mode, use the following commands to create and name a protocol group, and associate VLANs with the protocol group. When you create a protocol group, the switch automatically assigns it a unique group ID number. The group ID is used for both configuration and script generation to identify the group in subsequent commands.
Command: Purpose
exit: Exit to Global Config mode.
show port protocol all: Obtain the group ID for the newly configured group.
configure: Enter global configuration mode.
vlan protocol group add protocol groupid ethertype value: Add any EtherType protocol to the protocol-based VLAN groups identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can be associated with one group only.
Command: Purpose
protocol group groupid vlanid: Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed.
• groupid: The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command. To see the group ID associated with the name of a protocol group, use the show port protocol all command.
Configuring GVRP
Beginning in Privileged EXEC mode, use the following commands to enable GVRP on the switch and on an interface, and to configure various GVRP settings.
Command: Purpose
configure: Enter global configuration mode.
gvrp enable: Enable GVRP on the switch.
interface interface: Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 3.
Command: Purpose
vlan makestatic vlan-id: (Optional) Change a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined).
• vlan-id: Valid VLAN ID. Range is 2-4093.
CTRL + Z: Exit to Privileged EXEC mode.
show gvrp configuration: Display GVRP configuration information. Timer values are displayed. Other data shows whether GVRP is enabled and which ports are running GVRP.
Configuring Voice VLANs
Beginning in Privileged EXEC mode, use the following commands to enable the Voice VLAN feature on the switch and on an interface.
Command: Purpose
configure: Enter global configuration mode.
voice vlan: Enable the voice VLAN capability on the switch.
interface interface: Enter interface configuration mode for the specified interface.
• interface: Specific interface, such as gi1/0/8. A range of interfaces can be specified using the interface range command.
Command: Purpose
voice vlan {vlanid | dot1p priority | none | untagged | data priority {trust | untrust} | auth {enable | disable} | dscp value}: Enable the voice VLAN capability on the interface.
• vlanid: The voice VLAN ID. This VLAN ID is sent to IP phones via LLDP.
• priority: The IEEE 802.1p priority sent to IP phones on the port. This value is transmitted to the IP phone via LLDP. The switch must be configured locally to give packets using the transmitted priority the appropriate QoS.
Configuring a Voice VLAN (Extended Example) The commands in this example create a VLAN for voice traffic with a VLAN ID of 25 using an IP phone that does not support 802.1X authentication. Port gi1/0/10 is set to an 802.1Q VLAN. In this example, there are multiple devices connected to port gi1/0/10, so the port must be in general mode in order to enable MAC-based 802.1X authentication. Next, Voice VLAN is enabled on the port with the Voice VLAN ID set to 25.
5 Enable the voice VLAN feature on the interface.
console(config-if-Gi1/0/10)#voice vlan 25
6 Disable authentication for the voice VLAN on the port. This step is required only if the voice phone does not support port-based authentication.
console(config-if-Gi1/0/10)#voice vlan auth disable
7 Exit to Privileged Exec mode.
console(config-if-Gi1/0/10)#
8 View the voice VLAN settings for port 10.
console#show voice vlan interface gi1/0/10
Interface.............................
3 Configure a rate-limiting ACL to ensure that the voice VLAN does not present a denial-of-service threat. A G.711 voice stream generates 64 Kbps, which translates to 80 bytes of uncompressed voice every 10 ms. Overhead adds 40 bytes, so the phone will generate 100 to 120 byte packets every second per voice stream, or about 96 Kbps. The rate limit below will permit a single voice stream.
Step 9 should be configured on all ports connected to IP phones if using strict priority or perhaps on all host facing ports if IP phones are moved frequently. Do not configure steps 3 or 9 on inter-switch connections as they will be used to aggregate voice traffic. When configuring an MLAG for transport of voice VLAN traffic, remember to configure steps 6-8 on the corresponding MLAG/Voice VLAN and both ends of the MLAG peer link (or configure them globally on both peers and the partner switches).
MLAG Primary Peer Configuration 1 Configure the MLAG primary switch. Keepalives are disabled on the peer links (optional). The four peer-links are placed in port-channel 3. Port-channel 1 is the northbound (partner 1) MLAG interface in VPC 1 and port-channel 4 is the southbound (partner 2) interface in VPC 4. Finally, VPC is enabled and the VPC domain is set to 1.
console(config-if-Po3)#vpc peer-link
console(config-if-Po3)#switchport mode trunk
console(config-if-Po3)#exit
console(config)#interface port-channel 4
console(config-if-Po4)#vpc 4
console(config-if-Po4)#switchport mode trunk
console(config-if-Po4)#exit
console(config)#feature vpc
console(config)#vpc domain 1
console(config-vpc 1)#peer-keepalive enable
console(config-vpc 1)#exit
2 Disable loop protect on all interfaces.
console(config)#interface Te1/0/3
console(config-if-Te1/0/3)#channel-group 3 mode active
console(config-if-Te1/0/3)#no keepalive
console(config-if-Te1/0/3)#exit
console(config)#interface Te1/0/4
console(config-if-Te1/0/4)#channel-group 3 mode active
console(config-if-Te1/0/4)#no keepalive
console(config-if-Te1/0/4)#exit
console(config)#interface Te1/0/21
console(config-if-Te1/0/21)#channel-group 4 mode active
console(config-if-Te1/0/21)#no keepalive
console(config-if-Te1/0/21)#exit
console(config)#interface
console(config)#spanning-tree mode rapid-pvst
4 Create VLAN 2 for voice traffic. This configuration must be identical on both MLAG peers.
console(config)#vlan 2
console(config-vlan-2)#exit
5 Enable voice VLAN globally.
console(config)#voice vlan
6 Configure egress queue 2 as strict. By default, the VoIP phone sends voice traffic with 802.1p priority 5, which is mapped to egress queue 2 by default. This configuration must be identical on both MLAG peers.
console(config-vlan-2)#exit
5 Enable voice VLAN globally.
console(config)#voice vlan
6 Configure the VoIP phone connected port. The voice VLAN assignment must be the same on all switches.
console(config)#interface Gi2/0/11
console(config-if-Gi2/0/11)#switchport mode access
console(config-if-Gi2/0/11)#voice vlan 2
console(config-if-Gi2/0/11)#exit
7 Configure egress queue 2 as strict. By default, the VoIP phone sends voice traffic with 802.1p priority 5, which is mapped to egress queue 2 by default.
console(config)#interface port-channel 4
console(config-if-Po4)#switchport mode trunk
console(config-if-Po4)#exit
2 Disable loop protect on all the interfaces (optional).
console(config)#interface range gigabitethernet all
console(config-if)#no keepalive
console(config-if)#exit
3 Configure spanning-tree mode as RPVST.
console(config)#spanning-tree mode rapid-pvst
4 Create VLAN 2 for voice traffic. All switches must be configured identically for the voice VLAN.
NOTE: Spanning-tree status is shown accurately on the MLAG primary switch and on the partner switches. On the MLAG secondary switch, interfaces may show as spanning-tree disabled, but they remain in, and are shown in, the forwarding state.
Assigning an 802.1p Priority to VLAN Traffic
The following example assigns all traffic on VLAN 25 to internal CoS queue 4. This might be useful when assigning voice traffic a higher priority than normal data traffic.
switch(config-vlan-102)#exit
switch(config)#vlan 103
switch(config-vlan-103)#private-vlan isolated
switch(config-vlan-103)#exit
2 Associate the community and isolated VLANs with the primary VLAN.
switch(config)#vlan 100
switch(config-vlan-100)#private-vlan association 101-102
switch(config-vlan-100)#exit
This completes the configuration of the private VLAN. The only remaining step is to assign the ports to the private VLAN.
console(config)#show vlan private-vlan type
VLAN  Type
----  -----------------------
100   primary
101   community
102   isolated
103   isolated

console#show vlan private-vlan
Primary VLAN  Secondary VLAN  Community
------------  --------------  ------------------
100           102             101

console(config)#show vlan
VLAN  Name      Ports                                       Type
----  --------  ------------------------------------------  -------------
1     default   Po1-128, Te1/1/1, Gi1/0/1-10, Gi1/0/13-24   Default
100   VLAN0100  Te1/1/1, Gi1/0/11-12                        Static
101   VLAN0101  Gi1/0/11                                    Static
102   VLAN0102  Gi1/0/12                                    Static
V
VLAN Configuration Examples This section contains the following examples: • Configuring VLANs Using The Dell OpenManage Administrator • Configuring VLANs Using the CLI • Configuring a Voice VLAN (Extended Example) NOTE: For an example that shows how to use a RADIUS server to provide VLAN information, see "Controlling Authentication-Based VLAN Assignment " on page 305.
Figure 21-27 shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts. One switch has an uplink port that connects it to a layer-3 device and the rest of the corporate network. Figure 21-27.
Table 21-9 shows the port assignments on the switches.
Table 21-9. Switch Port Connections
Port/LAG: Function
Switch 1
1: Connects to Switch 2
2–15: Host ports for Payroll
16–20: Host ports for Marketing
LAG1 (ports 21–24): Connects to Payroll server
Switch 2
1: Connects to Switch 1
2–10: Host ports for Marketing
11–30: Host ports for Engineering
LAG1 (ports 35–39): Connects to file server
LAG2 (ports 40–44): Uplink to router.
Figure 21-28. Add VLANs
e Repeat steps b–d to create VLANs 300 (Sales) and 400 (Payroll).
2 Assign ports 16–20 to the Marketing VLAN.
a From the Switching > VLAN > VLAN Membership page, select 200-Marketing from the Show VLAN field.
b In the Static row, click the space for ports 13–16 so the U (untagged) displays for each port.
Figure 21-29. VLAN Membership - VLAN 200
3 Click Apply.
4 Assign ports 2–15 and LAG1 to the Payroll VLAN.
a From the Switching > VLAN > VLAN Membership page, select 400-Payroll from the Show VLAN field.
b In the Static row, click the space for ports 2–15 and LAG 1 so the U (untagged) displays for each port, and then click Apply.
5. Configure LAG 1 to be in general mode and specify that the LAG will accept tagged or untagged frames, but that untagged frames will be transmitted tagged with PVID 400.
a. From the Switching > VLAN > LAG Settings page, make sure Po1 is selected.
b.
Figure 21-31. Trunk Port Configuration
7 From the Switching > VLAN > VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN. Figure 21-32 shows VLAN 200, in which port 1 is a tagged member, and ports 13–16 are untagged members.
Figure 21-32. Trunk Port Configuration
8 Configure the MAC-based VLAN information.
a Go to the Switching > VLAN > Bind MAC to VLAN page.
b In the MAC Address field, enter a valid MAC address, for example 00:1C:23:55:E9:8B.
Figure 21-33. Trunk Port Configuration
e Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department.
9 To save the configuration so that it persists across a system reset, use the following steps:
a Go to the System > File Management > Copy Files page.
b Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination.
c Click Apply.
c. Click Apply.
3. Configure port 1 as a trunk port.
4. Configure LAG2 as a trunk port.
5. Assign ports 1–10 to VLAN 200 as untagged (U) members.
6. Assign ports 11–30 to VLAN 100 as untagged (U) members.
7. Assign LAG1 to VLAN 100 and 200 as a tagged (T) member.
8. Assign port 1 and LAG2 to VLAN 100, VLAN 200, VLAN 300, and VLAN 400 as a tagged (T) member.
9. Configure the MAC-based VLAN information.
10. If desired, copy the running configuration to the startup configuration.
Configuring VLANs Using the CLI This example shows how to perform the same configuration by using CLI commands. Configure the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch. To configure Switch 1: 1. Create VLANs 200 (Marketing), 300 (Sales), and 400 (Payroll), and associate the VLAN ID with the appropriate name.
4. Assign LAG1 to the Payroll VLAN and specify that frames will always be transmitted tagged with a VLAN ID of 400. By default, all VLANs are members of a trunk port.
console(config)#interface port-channel 1
console(config-if-Po1)#switchport mode trunk
console(config-if-Po1)#switchport trunk native vlan 400
console(config-if-Po1)#exit
5. Configure port 1 as a trunk port and add VLAN 200, VLAN 300, and VLAN 400 as members.
8. View the VLAN settings.
console#show vlan
VLAN  Name       Ports                              Type      Authorization
----  ---------  ---------------------------------  --------  -------------
1     Default    Po1-12, Te1/0/2-15, Te1/0/21-24    Default   Required
                 Te1/12
200   Marketing  Te1/0/1, Te1/0/16-20               Static    Required
300   Sales      Te1/0/1                            Static    Required
400   Payroll    Te1/0/1-15                         Static    Required
9. View the VLAN membership information for a port.
Configure the VLANs and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1. For more information about specific procedures, see the details and figures in the previous section. To configure Switch 2: 1. Create the Engineering, Marketing, Sales, and Payroll VLANs.
22 Spanning Tree Protocol
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes how to configure the Spanning Tree Protocol (STP) settings on the switch. The topics covered in this chapter include:
• STP Overview
• RSTP-PV
• Default STP Values
• Configuring Spanning Tree (Web)
• Configuring Spanning Tree (CLI)
• STP Configuration Examples
STP Overview
STP is a layer-2 protocol that provides a tree topology for switches on a bridged LAN.
the traditional STP (IEEE 802.1d) is the ability to recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications. MSTP is compatible with both RSTP and STP. It behaves appropriately when connected to STP and RSTP bridges. An MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge.
How Does MSTP Operate in the Network?
In the following diagram of a small 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops.
Figure 22-1. Small Bridged Network
Assume that Switch A is elected to be the Root Bridge and that Port 1 on Switch B and Switch C are calculated to be the root ports for those bridges; Port 2 on Switch B and Switch C would then be placed into the Blocking state. This creates a loop-free topology.
Figure 22-2 shows the logical single STP network topology. Figure 22-2. Single STP Topology For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from Switch B will have to traverse a path through Switch A before arriving at Switch C. If the Port 2 on Switch B and Switch C could be used, these inefficiencies could be eliminated.
The logical representation of the MSTP environment for these three switches is shown in Figure 22-3. Figure 22-3.
In order for MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs (shown in Figure 22-3 with a *). This is necessary with MSTP to allow the formation of Regions made up of all switches that exchange the same MST Configuration Identifier.
MSTP with Multiple Forwarding Paths Consider the physical topology shown in Figure 22-4. It might be assumed that MSTI 2 and MSTI 3 would follow the most direct path for VLANs 20 and 30. However, using the default path costs, this is not the case. MSTI operates without considering the VLAN membership of the ports. This results in unexpected behavior if the active topology of an MSTI depends on a port that is not a member of the VLAN assigned to the MSTI and the port is selected as root port.
MSTP and VLAN IDs MSTP allows VLAN 4094 to be configured in the MD5 digest of an MSTI region for compatibility purposes. However, the switch reserves VLAN 4094 internally for use in stacking and will drop received packets tagged with VLAN 4094.
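Whether two switches form one MST region, as the text above explains, depends on their MST Configuration Identifier matching: region name, revision, and the digest of the VLAN-to-MSTI table. As an added example, not code from the Dell guide, the script below computes that digest the way IEEE 802.1Q clause 13.7 defines it (HMAC-MD5 over the 4096-entry table with the standard's fixed key), so an operator can predict the value that `show` commands print and see why a switch with one VLAN left out of an instance lands in a different region; the region name, revision and VLAN mappings are constructed sample data.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key for the MST configuration digest (IEEE 802.1Q, clause 13.7).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Well-known digest of the default table (every VID in the CIST, MSTID 0).
DEFAULT_MST_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"
CIST = 0  # MSTID 0 is the CIST; any VID not listed in a mapping stays there


def build_mst_table(vlan_to_msti):
    """Build the 4096-element configuration table the digest is computed over.

    Element n holds the MSTID of VID n as two octets, most significant first.
    VID 0 and VID 4095 always carry MSTID 0. VID 4094 may be mapped (the text above
    notes the switch still reserves it internally for stacking).
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} is not a mappable VLAN ID")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTID {msti} is out of range")
        table[2 * vid] = msti >> 8
        table[2 * vid + 1] = msti & 0xFF
    return bytes(table)


def mst_config_digest(vlan_to_msti):
    """Return the 16-octet configuration digest as upper-case hex, as 'show' output prints it."""
    mac = hmac.new(MST_DIGEST_KEY, build_mst_table(vlan_to_msti), hashlib.md5)
    return mac.hexdigest().upper()


def expand_vlan_list(spec):
    """Parse a CLI-style VLAN list such as '10,20-30' into a set of VIDs."""
    vids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        vids.update(range(lo, hi + 1))
    return vids


def mapping_from_instances(instances):
    """Turn {msti: 'vlan list'} into {vid: msti}; a VID may belong to only one instance."""
    mapping = {}
    for msti, spec in instances.items():
        for vid in expand_vlan_list(spec):
            if vid in mapping:
                raise ValueError(f"VID {vid} mapped to both MSTI {mapping[vid]} and {msti}")
            mapping[vid] = msti
    return mapping


def same_region(cfg_a, cfg_b):
    """Two bridges join one MST region only if name, revision and digest all agree."""
    return (cfg_a["name"] == cfg_b["name"]
            and cfg_a["revision"] == cfg_b["revision"]
            and mst_config_digest(cfg_a["map"]) == mst_config_digest(cfg_b["map"]))


# Constructed sample (the Figure 22-3 situation): Switches A and C map VLAN 10 to
# MSTI 1, while Switch B was configured without VLAN 10, so its digest differs.
SWITCH_A = {"name": "campus", "revision": 1,
            "map": mapping_from_instances({1: "10", 2: "20", 3: "30"})}
SWITCH_B_WRONG = {"name": "campus", "revision": 1,
                  "map": mapping_from_instances({2: "20", 3: "30"})}
SWITCH_B_FIXED = dict(SWITCH_A)

if __name__ == "__main__":
    print("default digest  :", mst_config_digest({}))
    print("switch A digest :", mst_config_digest(SWITCH_A["map"]))
    print("A/B (wrong) same region:", same_region(SWITCH_A, SWITCH_B_WRONG))
    print("A/B (fixed) same region:", same_region(SWITCH_A, SWITCH_B_FIXED))
```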
If BPDU filtering is configured globally on the switch, the feature is automatically enabled on all operational PortFast-enabled ports. These ports are typically connected to hosts that drop BPDUs. However, if an operational edge port receives a BPDU, the BPDU filtering feature disables PortFast and allows the port to participate in the spanning tree calculation. Enabling BPDU filtering on a specific port prevents the port from sending BPDUs and allows the port to drop any BPDUs it receives.
Enabling loop guard prevents such accidental loops. When a port is no longer receiving BPDUs and the max age timer expires, the port is moved to a loop-inconsistent blocking state. In the loop-inconsistent blocking state, traffic is not forwarded so the port behaves as if it is in the blocking state; that is, it discards received traffic, does not learn MAC addresses, and is not part of the active topology. The port will remain in this state until it receives a BPDU.
STP-PV is the IEEE 802.1s (STP) standard implemented per VLAN. The STP-PV-related state machine, roles, and timers are similar to those defined for STP. STP-PV does not have the DirectLink Rapid Convergence (DRC) or IndirectLink Rapid Convergence (IRC) features enabled by default. These features can be enabled by the switch administrator. The switch spanning tree configuration is global in nature. Enabling RSTP-PV disables other spanning tree modes on the switch.
The DRC feature is based on the concept of an uplink group. An uplink group consists of all the ports that provide a path to the root bridge (the root port and any blocked ports). If the root port fails, the blocked port with next lowest cost from the uplink group is selected and immediately put in the forwarding state without going through the standard spanning tree listening and learning states.
IndirectLink Rapid Convergence Feature To handle indirect link failure, the STP standard requires that a switch passively wait for “max_age” seconds once a topology change has been detected. IndirectLink Rapid Convergence (IRC) handles these failures in two phases: • Rapid detection of an indirect link failure. Tracking the inferior BPDUs that a designated bridge detects when it transmits a direct link failure indicates that a failure has occurred elsewhere in the network.
on ports that should have a path to the root. The port where the switch received the inferior BPDU is excluded because it already failed; self-looped and designated ports are eliminated as they do not have a path to the root.
Figure 22-5. IRC Flow (Inferior BPDU received. Are there other non-self-looped, non-designated ports? No: connectivity to the root is lost; recompute the spanning tree. Yes: send an RLQ query on the non-designated ports and wait for RLQ responses. Negative response: root lost on this port.)
Interoperability Between STP-PV and RSTP-PV Modes STP-PV is derived from 802.1D and RSTP-PV is derived from 802.1w. The fallback mechanism is the same as between a standard 802.1D switch and a standard 802.1w switch. When a lower protocol version BPDU is received on a switch that runs a higher protocol version, the latter falls back to the lower version after its migration delay timer expires.
RSTP-PV region and the MSTP region, the RSTP-PV switch sends VLAN1 BPDUs in IEEE standard format, so they can be interpreted by the MSTP peers. Similarly, the RSTP-PV switch processes incoming MSTP BPDUs as though they were BPDUs for the VLAN 1 RSTP-PV instance.
Figure 22-7. RSTP-PV and RSTP Interoperability (SW1, SW2 and SW3 connected on ports 1/0/1 through 1/0/4 carrying VLAN1, VLAN2 and VLAN3; the RSTP-PV side is the root for VLAN2 and 3, and SW3 is the root for VLAN1)
SW3 sends IEEE STP BPDUs to the IEEE multicast MAC address as untagged frames. These BPDUs are processed by the VLAN 1 STP instance on the RSTP-PV switch as part of the VLAN 1 STP instance. The RSTP-PV side sends IEEE STP BPDUs corresponding to the VLAN 1 STP to the IEEE MAC address as untagged frames across the link.
The VLAN 1 STP instances of SW1 and SW2 are joined with the STP instance running in SW3. VLANs 2 and 3 consider the path across SW3 as another segment linking SW1 and SW2, and their SSTP information is multicast across SW3. The bridge priority of SW1 and SW2 for the VLAN 1 instance is 32769 (bridge priority + VLAN identifier). The bridge priority of SW3 is 32768, per the IEEE 802.1w standard.
• The MSTP domain contains the root bridge for ALL VLANs. This implies that the CIST Root Bridge ID is configured to be better than any RSTP-PV STP root Bridge ID. If there is only one MSTP region connected to the RSTP-PV domain, then all boundary ports on the virtual-bridge will be unblocked and used by RSTP-PV. This is the only supported topology, as the administrator can manipulate uplink costs on the RSTP-PV side and obtain optimal traffic engineering results.
• The alternative is that the RSTP-PV domain contains the root bridges for ALL VLANs. This is only true if all RSTP-PV root bridges’ Bridge IDs for all VLANs are better than the MSTP CIST Root Bridge ID. This is not a supported topology, because all MSTIs map to the CIST on the border link, and it is not possible to load-balance the MSTIs as they enter the RSTP-PV domain. The Dell Networking RSTP-PV implementation does not support the second option.
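The root elections in the two interoperability cases above (SW3 winning VLAN 1 because its bare 802.1w priority 32768 beats the per-VLAN 32769, and the requirement that the MSTP CIST root beat every RSTP-PV root) both come down to comparing bridge IDs built with the 802.1t extended system ID. As an added example, not code from the Dell guide, the functions below build those IDs and run the comparisons; the switch MAC addresses are constructed.

```python
# Bridge ID = 16-bit priority field followed by the 48-bit bridge MAC; lower wins.
# With the extended system ID (RSTP-PV per-VLAN instances, MSTP) the 16-bit field is
# priority + VLAN (or MSTI) number; a plain IEEE 802.1w bridge carries the priority alone.

BRIDGE_PRIORITY_STEP = 4096  # the configurable priority occupies the top 4 bits


def bridge_id(priority, mac, vlan=None):
    """Return the 64-bit bridge ID as an int (vlan=None means no system ID extension)."""
    if priority % BRIDGE_PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    field = priority + (0 if vlan is None else vlan)
    if not 0 <= field <= 0xFFFF:
        raise ValueError("priority + VLAN does not fit the 16-bit field")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    if not 0 <= mac_int <= 0xFFFFFFFFFFFF:
        raise ValueError(f"bad MAC {mac}")
    return (field << 48) | mac_int


def priority_field(bid):
    """The 16-bit field that 'show spanning-tree' prints as the bridge priority."""
    return bid >> 48


def elect_root(candidates):
    """Root election among {name: bridge_id}: the numerically lowest ID wins."""
    return min(candidates, key=candidates.__getitem__)


def mstp_root_placement_supported(cist_root, pv_roots):
    """Supported mixed topology: the MSTP CIST root must beat every RSTP-PV per-VLAN root."""
    return all(cist_root < rid for rid in pv_roots.values())


# Constructed MACs for the three switches of Figure 22-7.
MACS = {"SW1": "00:01:e8:00:00:01", "SW2": "00:01:e8:00:00:02", "SW3": "00:01:e8:00:00:03"}


def vlan1_election():
    """SW1/SW2 run RSTP-PV (32768 + VID 1 = 32769); SW3 is plain 802.1w at 32768."""
    ids = {"SW1": bridge_id(32768, MACS["SW1"], vlan=1),
           "SW2": bridge_id(32768, MACS["SW2"], vlan=1),
           "SW3": bridge_id(32768, MACS["SW3"])}
    return elect_root(ids)


def vlan2_election():
    """SW3 carries VLAN 2 only as a segment, so just the RSTP-PV bridges compete."""
    ids = {"SW1": bridge_id(32768, MACS["SW1"], vlan=2),
           "SW2": bridge_id(32768, MACS["SW2"], vlan=2)}
    return elect_root(ids)


def check_mstp_interop(cist_priority, pv_priority, vlans):
    """Compare an MSTP CIST root (priority only) with RSTP-PV roots at pv_priority + VID."""
    cist = bridge_id(cist_priority, "00:01:e8:00:00:10")  # constructed MSTP root MAC
    pv = {v: bridge_id(pv_priority, MACS["SW1"], vlan=v) for v in vlans}
    return mstp_root_placement_supported(cist, pv)


if __name__ == "__main__":
    print("VLAN 1 root:", vlan1_election())
    print("VLAN 2 root:", vlan2_election())
    print("MSTP CIST at 28672 vs RSTP-PV at 32768:", check_mstp_interop(28672, 32768, [1, 2, 3]))
    print("MSTP CIST at 36864 vs RSTP-PV at 32768:", check_mstp_interop(36864, 32768, [1, 2, 3]))
```

Because the RSTP-PV side always adds the VLAN number, an MSTP root configured with the same base priority as the RSTP-PV bridges still wins, which is why lowering the CIST priority is enough to obtain the supported topology.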
Default STP Values Spanning tree is globally enabled on the switch and on all ports and LAGs. Table 22-1 summarizes the default values for STP. Table 22-1.
Configuring Spanning Tree (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring STP settings on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
STP Global Settings
The STP Global Settings page contains fields for enabling STP on the switch. To display the STP Global Settings page, click Switching > Spanning Tree > Global Settings in the navigation panel.
Figure 22-9.
STP Port Settings
Use the STP Port Settings page to assign STP properties to individual ports. To display the STP Port Settings page, click Switching > Spanning Tree > STP Port Settings in the navigation panel.
Figure 22-10.
Configuring STP Settings for Multiple Ports
To configure STP settings for multiple ports:
1 Open the STP Port Settings page.
2 Click Show All to display the STP Port Table.
Figure 22-11. Configure STP Port Settings
3 For each port to configure, select the check box in the Edit column in the row associated with the port.
4 Select the desired settings.
5 Click Apply.
STP LAG Settings Use the STP LAG Settings page to assign STP aggregating ports parameters. To display the STP LAG Settings page, click Switching Spanning Tree STP LAG Settings in the navigation panel. Figure 22-12. STP LAG Settings Configuring STP Settings for Multiple LAGs To configure STP settings on multiple LAGS: 1 Open the STP LAG Settings page. 2 Click Show All to display the STP LAG Table.
Figure 22-13. Configure STP LAG Settings 3 For each LAG to configure, select the check box in the Edit column in the row associated with the LAG. 4 Select the desired settings. 5 Click Apply. Rapid Spanning Tree Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops. To display the Rapid Spanning Tree page, click Switching Spanning Tree Rapid Spanning Tree in the navigation panel. Figure 22-14.
To view RSTP Settings for all interfaces, click the Show All link. The Rapid Spanning Tree Table displays. Figure 22-15.
MSTP Settings The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. MSTP is compatible with both RSTP and STP; an MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge. To display the MSTP Settings page, click Switching Spanning Tree MSTP Settings in the navigation panel. Figure 22-16.
Viewing and Modifying the Instance ID for Multiple VLANs To configure MSTP settings for multiple VLANS: 1 Open the MSTP Settings page. 2 Click Show All to display the MSTP Settings Table. Figure 22-17. Configure MSTP Settings 3 For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN. 4 Update the Instance ID settings for the selected VLANs. 5 Click Apply.
MSTP Interface Settings Use the MSTP Interface Settings page to assign MSTP settings to specific interfaces. To display the MSTP Interface Settings page, click Switching Spanning Tree MSTP Interface Settings in the navigation panel. Figure 22-18. MSTP Interface Settings Configuring MSTP Settings for Multiple Interfaces To configure MSTP settings for multiple interfaces: 1 Open the MSTP Interface Settings page. 2 Click Show All to display the MSTP Interface Table.
Configuring Spanning Tree (CLI) This section provides information about the commands used for configuring STP settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global STP Bridge Settings Beginning in Privileged EXEC mode, use the following commands to configure the global STP settings for the switch, such as the priority and timers.
show spanning-tree [detail] [active | blockedports]
    View information about spanning tree and the spanning tree configuration on the switch.

Configuring Optional STP Features
Beginning in Privileged EXEC mode, use the following commands to configure the optional STP features on the switch or on specific interfaces.
configure
    Enter global configuration mode.
spanning-tree tcnguard
    Prevent the port from propagating topology change notifications.
CTRL + Z
    Exit to Privileged EXEC mode.
show spanning-tree summary
    View various spanning tree settings and parameters for the switch.

Configuring STP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure the STP settings for a specific interface.
configure
    Enter global configuration mode.

Configuring MSTP Switch Settings
Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for the switch.
configure
    Enter global configuration mode.
spanning-tree mst configuration
    Enter multiple spanning tree (MST) configuration mode to configure an MST region.
name string
    Define the MST configuration name. This step is required to establish an MST domain.
revision version
    Identify the MST configuration revision number.

Configuring MSTP Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure MSTP settings for an interface.
configure
    Enter global configuration mode.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 4. A range of interfaces can be specified using the interface range command.
STP Configuration Examples This section contains the following examples: • STP Configuration Example • MSTP Configuration Example • RSTP-PV Access Switch Configuration Example STP Configuration Example This example shows a LAN with four switches. On each switch, ports 1, 2, and 3 connect to other switches, and ports 4–20 connect to hosts (in Figure 22-19, each PC represents 17 host systems).
Figure 22-19. STP Example Network Diagram Of the four switches in Figure 22-19, the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed. For these reasons, the administrator selects it as the root bridge for the spanning tree. The administrator configures Switch A with the highest priority and uses the default priority values for Switch B, Switch C, and Switch D.
The administrator also configures Port Fast BPDU filtering and Loop Guard to extend STP's capability to prevent network loops. For all other STP settings, the administrator uses the default STP values. To configure the switch:
1 Connect to Switch A and configure the priority to be higher (a lower value) than the other switches, which use the default value of 32768.
console#config
console(config)#spanning-tree priority 8192
2 Configure ports 4–20 to be in Port Fast mode.
Figure 22-20. MSTP Configuration Example
To make multiple switches part of the same MSTP region, make sure the STP operational mode for all switches is MSTP. Also, make sure the MST region name and revision level are the same for all switches in the region. To configure the switches:
1 Create VLAN 10 (Switch A and Switch B) and VLAN 20 (all switches).
4 Create MST instance 20 and associate it with VLAN 20.
console(config-mst)#instance 20 add vlan 20
5 Change the region name and revision number so that all the bridges that want to be part of the same region can form the region. This step is required for MST to operate properly.
RSTP-PV Access Switch Configuration Example In this configuration, all 1G ports are presumed to be connected to host machines, and the two 10G uplink ports are connected to an aggregation-layer switch with a total layer-2 network diameter of 4. The aggregation-layer switch can be a single switch or multiple switches, running either RSTP-PV or MSTP. For fastest convergence during failover scenarios, it is recommended that the uplink switches be configured in RSTP-PV mode.
console(config)#interface range gi1/0/37-48
console(config-if)#switchport access vlan 4
console(config-if)#exit
RSTP-PV Aggregation-Layer Switch Configuration Example In this configuration example, two aggregation-layer switches are configured. Ports 1–4 are configured in a LAG connecting the two aggregation-layer switches. Ports 12–24 are configured as down-links to twelve access-layer switches configured as in the previous example. Down-links to the access-layer switches have physical diversity; there is one downlink to each of the twelve access-layer switches from each of the paired aggregation-layer switches.
console(config-if-fo1/0/1-2)#channel-group 1 mode active
console(config-if-fo1/0/1-2)#exit
8 Configure peer switch links:
console(config)#interface range te1/0/1-4
console(config-if-te1/0/1-4)#channel-group 2 mode active
console(config-if-te1/0/1-4)#exit
9 Configure the uplinks into a port channel:
console(config)#interface port-channel 1
console(config-if-port-channel 1)#switchport mode trunk
console(config-if-port-channel 1)#exit
10 Configure the peer links into a port channel and prefer to go to the c
23 Discovering Network Devices
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes the Industry Standard Discovery Protocol (ISDP) feature and the Link Layer Discovery Protocol (LLDP) feature, including LLDP for Media Endpoint Devices (LLDP-MED).
LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit and receive functions can be enabled/disabled separately on each switch port. What is LLDP-MED? LLDP-MED is an extension of the LLDP standard.
Default ISDP and LLDP Values ISDP and LLDP are globally enabled on the switch and enabled on all ports by default. By default, the switch transmits and receives LLDP information on all ports. LLDP-MED is disabled on all ports. Table 23-1 summarizes the default values for ISDP. Table 23-1.
Table 23-3 summarizes the default values for LLDP-MED. Table 23-3.
Configuring ISDP and LLDP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ISDP and LLDP/LLDP-MED on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. ISDP Global Configuration The ISDP Global Configuration page enables configuring the ISDP settings for the switch, such as the administrative mode.
ISDP Cache Table The ISDP Neighbor Table page enables viewing information about other devices the switch has discovered through the ISDP. To access the ISDP Neighbor Table page, click System ISDP Neighbor Table in the navigation panel. Figure 23-2.
ISDP Interface Configuration The ISDP Interface Configuration page enables configuring the ISDP settings for each interface. If ISDP is enabled on an interface, it must also be enabled globally in order for the interface to transmit ISDP packets. If the ISDP mode on the ISDP Global Configuration page is disabled, the interface will not transmit ISDP packets, regardless of the mode configured on the interface.
ISDP Statistics The ISDP Statistics page enables viewing information about the ISDP packets sent and received by the switch. To access the ISDP Statistics page, click System ISDP Statistics in the navigation panel. Figure 23-5.
LLDP Configuration Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here. To display the LLDP Configuration page, click Switching LLDP Configuration in the navigation panel. Figure 23-6.
To view the LLDP Interface Settings Table, click Show All. The LLDP Interface Settings Table page enables viewing and editing information about the LLDP settings for multiple interfaces. Figure 23-7.
LLDP Statistics Use the LLDP Statistics page to view LLDP-related statistics. To display the LLDP Statistics page, click Switching LLDP Statistics in the navigation panel. Figure 23-8.
LLDP Connections Use the LLDP Connections page to view the list of ports with LLDP enabled. Basic connection details are displayed. To display the LLDP Connections page, click Switching LLDP Connections in the navigation panel. Figure 23-9.
To view additional information about a device connected to a port that has been discovered through LLDP, click the port number in the Local Interface table (it is a hyperlink), or click Details and select the port with the connected device. Figure 23-10.
LLDP-MED Global Configuration Use the LLDP-MED Global Configuration page to change or view the LLDP-MED parameters that affect the entire system. To display the LLDP-MED Global Configuration page, click Switching LLDP LLDP-MED Global Configuration in the navigation panel. Figure 23-11.
LLDP-MED Interface Configuration Use the LLDP-MED Interface Configuration page to specify LLDP-MED parameters that affect a specific interface. To display the LLDP-MED Interface Configuration page, click Switching LLDP LLDP-MED Interface Configuration in the navigation panel. Figure 23-12. LLDP-MED Interface Configuration To view the LLDP-MED Interface Summary table, click Show All. Figure 23-13.
LLDP-MED Local Device Information Use the LLDP-MED Local Device Information page to view the advertised LLDP local data for each port. To display the LLDP-MED Local Device Information page, click Switching LLDP LLDP-MED Local Device Information in the navigation panel. Figure 23-14. LLDP-MED Local Device Information LLDP-MED Remote Device Information Use the LLDP-MED Remote Device Information page to view the advertised LLDP data advertised by remote devices.
Configuring ISDP and LLDP (CLI) This section provides information about the commands you use to manage and view the device discovery protocol features on the switch. For more information about these commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global ISDP Settings Beginning in Privileged EXEC mode, use the following commands to configure ISDP settings that affect the entire switch.
Enabling ISDP on a Port
Beginning in Privileged EXEC mode, use the following commands to enable ISDP on a port.
configure
    Enter Global Configuration mode.
interface interface
    Enter interface configuration mode for the specified interface.
isdp enable
    Administratively enable ISDP on the interface. ISDP must also be enabled globally for the interface to transmit ISDP packets.
exit
    Exit to Global Config mode.
exit
    Exit to Privileged Exec mode.
show isdp interface all
    View the ISDP mode on all interfaces.

Configuring Global LLDP Settings
Beginning in Privileged EXEC mode, use the following commands to configure LLDP settings that affect the entire switch.
configure
    Enter Global Configuration mode.
lldp notification-interval interval
    Specify how often, in seconds, the switch should send remote data change notifications.
lldp timers [interval transmit-interval] [hold
    Configure the timing for local data transmission on ports enabled for LLDP.

lldp notification
    Enable remote data change notifications on the interface.
lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc]
    Specify which optional type-length-value settings (TLVs) in the 802.1AB basic management set will be transmitted in the LLDP PDUs.
    • sys-name — Transmits the system name TLV
    • sys-desc — Transmits the system description TLV
    • sys-cap — Transmits the system capabilities TLV
    • port-desc — Transmits the port description TLV
exit
    Exit to Global Config mode.

Configuring LLDP-MED Settings
Beginning in Privileged EXEC mode, use the following commands to configure LLDP-MED settings that affect the entire switch.
configure
    Enter Global Configuration mode.
lldp med faststartrepeatcount
    Specify the number of LLDP-MED PDUs that will be transmitted when the protocol is enabled.
interface interface
    Enter interface configuration mode for the specified Ethernet interface.
lldp med
    Enable LLDP-MED on the interface.

Viewing LLDP-MED Information
Beginning in Privileged EXEC mode, use the following commands to view information about the LLDP-MED Protocol Data Units (PDUs) that are sent and have been received.
show lldp med local-device detail interface
    View LLDP-MED information advertised by the specified port.
show lldp remote-device {all | interface | detail interface}
    View LLDP-MED information received by all ports or by the specified port. Include the keyword detail to see additional information.
Timer....................................45
Hold Time................................60
Version 2 Advertisements.................Enabled
Neighbors table time since last change...00 days 00:00:00
Device ID................................none
Device ID format capability..............Serial Number, Host Name
Device ID format.........................
7 View global LLDP settings on the switch.
console#show lldp
LLDP Global Configuration
Transmit Interval..................... 60 seconds
Transmit Hold Multiplier.............. 5
Reinit Delay.......................... 3 seconds
Notification Interval................. 5 seconds
8 View summary information about the LLDP configuration on port 1/0/3.
24 Port-Based Traffic Control
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes how to configure features that provide traffic control by filtering the type of traffic or limiting the speed or amount of traffic on a per-port basis. The features this chapter describes include flow control, storm control, protected ports, and Link Local Protocol Filtering (LLPF), which is also known as Cisco Protocol Filtering.
Table 24-1. Port-Based Traffic Control Features
Feature: LLPF
Description: Filters proprietary protocols that should not normally be relayed by a bridge.
The Priority Flow Control (PFC) feature, which is available on the Dell Networking N4000 Series switches only, provides a way to distinguish which traffic on a physical link is paused when congestion occurs based on the priority of the traffic. For more information, see "Data Center Bridging Features" on page 1051.
What is Flow Control? IEEE 802.
bandwidth on the port. If the ingress rate of that type of packet is greater than the configured threshold level the port drops the excess traffic until the ingress rate for the packet type falls below the threshold.
occur with these protocols running on standards-based switches. If certain protocol PDUs cause unexpected results, LLPF can be enabled to prevent those PDUs from being processed by the switch.
What is Loop Protection? Dell Networking implements a subset of the Configuration Testing Protocol (CTP) for the detection of network loops. The Configuration Testing Protocol is part of the original Ethernet specification. It does not appear in the IEEE 802 standard.
Default Port-Based Traffic Control Values Table 24-2 lists the default values for the port-based traffic control features that this chapter describes. Table 24-2.
Configuring Port-Based Traffic Control (Web) This section provides information about the OpenManage Switch Administrator pages to use to control port-based traffic on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. Flow Control (Global Port Parameters) Use the Global Parameters page for ports to enable or disable flow control support on the switch.
Storm Control Use the Storm Control page to enable and configure the storm control feature. To display the Storm Control interface, click Switching Ports Storm Control in the navigation menu. Figure 24-2. Storm Control Configuring Storm Control Settings on Multiple Ports To configure storm control on multiple ports: 1 Open the Storm Control page. 2 Click Show All to display the Storm Control Settings Table. 3 In the Ports list, select the check box in the Edit column for the port to configure.
Figure 24-3. Storm Control 5 Click Apply.
Protected Port Configuration Use the Protected Port Configuration page to prevent ports in the same protected ports group from being able to see each other’s traffic. To display the Protected Port Configuration page, click Switching Ports Protected Port Configuration in the navigation menu. Figure 24-4. Protected Port Configuration Configuring Protected Ports To configure protected ports: 1 Open the Protected Ports page. 2 Click Add to display the Add Protected Group page. 3 Select a group (0–2).
Figure 24-5. Add Protected Ports Group 5 Click Apply. 6 Click Protected Port Configuration to return to the main page. 7 Select the port to add to the group. 8 Select the protected port group ID. Figure 24-6. Add Protected Ports 9 Click Apply. 10 To view protected port group membership information, click Show All.
Figure 24-7. View Protected Port Information 11 To remove a port from a protected port group, select the Remove check box associated with the port and click Apply. LLPF Configuration Use the LLPF Interface Configuration page to filter out various proprietary protocol data units (PDUs) and/or ISDP if problems occur with these protocols running on standards-based switches.
Figure 24-8. LLPF Interface Configuration To view the protocol types that have been blocked for an interface, click Show All. Figure 24-9.
Configuring Port-Based Traffic Control (CLI) This section provides information about the commands used for configuring port-based traffic control settings. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Flow Control and Storm Control Beginning in Privileged EXEC mode, use the following commands to configure the flow control and storm control features.
Command Purpose CTRL + Z Exit to Privileged EXEC mode. show interfaces detail interface Display detailed information about the specified interface, including the flow control status. show storm-control View whether 802.3x flow control is enabled on the switch. show storm-control [interface | all] View storm control settings for all interfaces or the specified interface.
Configuring LLPF Beginning in Privileged EXEC mode, use the following commands to configure LLPF settings. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command.
Port-Based Traffic Control Configuration Example The commands in this example configure storm control, LLPF, and protected port settings for various interfaces on the switch. The storm control configuration in this example sets thresholds on the switch so that if broadcast traffic occupies more than 10% of the bandwidth on any physical port, the interface blocks the broadcast traffic until the measured amount of this traffic drops below the threshold.
Intf     Mode     Level    Mode     Level    Mode     Level
------   -------  -------  -------  -------  -------  -------
Te1/0/1  Enable   10       Enable   5        Disable  5

console#show service-acl interface te1/0/1
Protocol         Mode
---------------  ----------
CDP              Disabled
VTP              Enabled
DTP              Disabled
UDLD             Disabled
PAGP             Enabled
SSTP             Disabled
ALL              Disabled

console#show switchport protected 0
Name.........................................
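What the LLPF block list in the show service-acl output above actually matches on, as an added example (not code from the Dell guide or the switch firmware). The PDUs LLPF targets (CDP, VTP, DTP, UDLD, PAgP and SSTP/PVST+) are all 802.3 frames carrying an LLC/SNAP header with Cisco's OUI 00:00:0c and a per-protocol ID, sent to the group MAC 01:00:0c:cc:cc:cc (01:00:0c:cc:cc:cd for SSTP). The classifier keys on exactly those fields, and the policy object mirrors the per-interface block list shown above; the frames it constructs use a made-up source MAC and empty payloads, and the per-port counter is an illustration rather than the switch's real data structure.

```python
"""Classify and filter Cisco-proprietary link-local PDUs the way LLPF does.

Added example, not code from the Dell guide. Source MAC and payloads in
the constructed frames are invented.
"""
from __future__ import annotations

CISCO_PDU_MAC = bytes.fromhex("01000ccccccc")    # CDP, VTP, DTP, UDLD, PAgP
CISCO_SSTP_MAC = bytes.fromhex("01000ccccccd")   # PVST+ / SSTP BPDUs
CISCO_OUI = bytes.fromhex("00000c")
LLC_SNAP = b"\xaa\xaa\x03"                       # DSAP=SSAP=0xAA, control=UI
PID_TO_PROTOCOL = {
    0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
    0x0111: "UDLD", 0x0104: "PAGP", 0x010B: "SSTP",
}
LLPF_PROTOCOLS = frozenset(PID_TO_PROTOCOL.values())
MIN_FRAME = 14 + len(LLC_SNAP) + len(CISCO_OUI) + 2   # header through the SNAP PID


def classify(frame: bytes) -> str | None:
    """Return the LLPF protocol name for a frame, or None if LLPF ignores it."""
    if len(frame) < MIN_FRAME:
        return None
    dst = frame[0:6]
    if dst not in (CISCO_PDU_MAC, CISCO_SSTP_MAC):
        return None
    if int.from_bytes(frame[12:14], "big") > 1500:
        return None                        # an EtherType, not an 802.3 length field
    if frame[14:17] != LLC_SNAP or frame[17:20] != CISCO_OUI:
        return None
    proto = PID_TO_PROTOCOL.get(int.from_bytes(frame[20:22], "big"))
    if proto == "SSTP" and dst != CISCO_SSTP_MAC:
        return None                        # SSTP uses its own group MAC
    return proto


def build_frame(pid: int, payload: bytes = b"") -> bytes:
    """Construct a minimal 802.3/LLC/SNAP frame for one protocol ID (test input)."""
    dst = CISCO_SSTP_MAC if PID_TO_PROTOCOL.get(pid) == "SSTP" else CISCO_PDU_MAC
    src = bytes.fromhex("0001e8000001")            # invented source MAC
    body = LLC_SNAP + CISCO_OUI + pid.to_bytes(2, "big") + payload
    return dst + src + len(body).to_bytes(2, "big") + body


class LlpfPolicy:
    """Per-interface block list; 'ALL' blocks every protocol LLPF knows."""

    def __init__(self, blocked: set[str]) -> None:
        unknown = set(blocked) - LLPF_PROTOCOLS - {"ALL"}
        if unknown:
            raise ValueError(f"not an LLPF protocol: {sorted(unknown)}")
        self.blocked = frozenset(blocked)

    def forwards(self, frame: bytes) -> bool:
        proto = classify(frame)
        if proto is None:
            return True                    # not an LLPF target: normal switching applies
        return "ALL" not in self.blocked and proto not in self.blocked


def filter_frames(policy: LlpfPolicy, frames: list[bytes]) -> dict[str, int]:
    """Apply the policy to a batch of frames; return dropped-frame counts per protocol."""
    dropped: dict[str, int] = {}
    for frame in frames:
        if not policy.forwards(frame):
            proto = classify(frame)
            dropped[proto] = dropped.get(proto, 0) + 1
    return dropped


if __name__ == "__main__":
    # The block list from the show service-acl output: VTP and PAgP enabled.
    policy = LlpfPolicy({"VTP", "PAGP"})
    batch = [build_frame(0x2000), build_frame(0x2003), build_frame(0x0104), build_frame(0x010B)]
    print(filter_frames(policy, batch))    # {'VTP': 1, 'PAGP': 1}
```

The length-field check matters: a frame to 01:00:0c:cc:cc:cc with an EtherType instead of an 802.3 length is not one of these PDUs, and treating bytes 14 onward as LLC/SNAP would let a crafted frame slip past or trip the filter.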
25 Layer-2 Multicast Features
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes the layer-2 (L2) multicast features on the Dell Networking N-Series switches. The features this chapter describes include bridge multicast flooding and forwarding, Internet Group Management Protocol (IGMP) snooping, Multicast Listener Discovery (MLD) snooping, and Multicast VLAN Registration (MVR).
desirable as it reduces the network load by sending packets only to other hosts/switches/routers that have indicated an interest in receiving the multicast. If L2 snooping is not enabled, multicast packets are flooded in the ingress VLAN. What Are the Multicast Bridging Features? The Dell Networking N-Series switches support multicast forwarding and multicast flooding.
What Is L2 Multicast Traffic? L3 IP multicast traffic is traffic that is destined to a host group. Host groups are identified by class D IPv4 addresses, which range from 224.0.0.0 to 239.255.255.255, or by FF0x:: or FF3x:: IPv6 addresses. In contrast to L3 multicast traffic, layer-2 multicast traffic is identified by the MAC address, i.e., the range 01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff for IPv4 multicast traffic or 33:33:xx:xx:xx:xx for IPv6 multicast traffic.
Group addresses that fall into the range 224.0.0.x are never pruned by IGMP snooping—they are always flooded to all ports in the VLAN. Note that this flooding is based on the IP address, not the corresponding 01-00-5e-00-00-xx MAC address. When a multicast router is discovered (or locally configured on the switch), its interface is added to the interface distribution list for all multicast groups in the VLAN.
• Unregistered multicast traffic may be flooded in the VLAN by a user configuration option. NOTE: It is strongly recommended that operators enable MLD snooping if IGMP snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table. Not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv3. NOTE: IGMP snooping (and IGMP querier) validates IGMP packets.
associated with a multicast router or host that has indicated an interest in receiving a particular multicast group. In IPv6, MLD snooping performs a similar function. With MLD snooping, IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data instead of being flooded to all ports in a VLAN. This list is constructed in the MFDB by snooping IPv6 multicast control packets. MLD snooping floods multicast data packets until a multicast router port has been identified.
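The snooping behaviour described above on a single VLAN, as an added example (not code from the Dell guide or the switch firmware). It validates each IGMPv2 packet (length, RFC 1071 checksum, multicast group) before it touches any state, learns a multicast router port from a received query, maintains the group-to-port table from reports and leaves, never prunes 224.0.0.x, and floods unregistered traffic until a router port is known (or always, when the flood option is on). Port names and packets are constructed for the illustration; real IGMP also arrives inside IP headers that are not modelled here.

```python
"""IGMPv2 snooping on one VLAN: validate packets, learn router ports, build the MFDB.

Added example, not code from the Dell guide. Ports and packets are invented.
"""
from __future__ import annotations

import ipaddress
import struct

IGMP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # never pruned by snooping


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a packet with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Construct an 8-byte IGMPv2 message with a correct checksum (test input)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(pkt: bytes) -> tuple[int, str]:
    """Return (type, group) for a valid IGMPv2 message; raise ValueError otherwise."""
    if len(pkt) < 8:
        raise ValueError("short IGMP packet")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, _, _, group = struct.unpack("!BBH4s", pkt[:8])
    addr = ipaddress.IPv4Address(group)
    if msg_type != IGMP_QUERY and not addr.is_multicast:   # general queries carry 0.0.0.0
        raise ValueError(f"group {addr} is not a multicast address")
    return msg_type, str(addr)


class SnoopingVlan:
    def __init__(self, ports: list[str], flood_unregistered: bool = False) -> None:
        self.ports = frozenset(ports)
        self.flood_unregistered = flood_unregistered
        self.mrouter_ports: set[str] = set()
        self.groups: dict[str, set[str]] = {}   # the MFDB: group -> member ports

    def receive_igmp(self, port: str, pkt: bytes) -> bool:
        """Process one IGMP packet from 'port'; return False (dropped) when it is invalid."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        try:
            msg_type, group = parse_igmp(pkt)
        except ValueError:
            return False
        if msg_type == IGMP_QUERY:
            self.mrouter_ports.add(port)           # queries come from the multicast router
        elif msg_type == IGMP_V2_REPORT:
            self.groups.setdefault(group, set()).add(port)
        elif msg_type == IGMP_LEAVE:
            members = self.groups.get(group)
            if members:
                members.discard(port)
                if not members:
                    del self.groups[group]
        return True

    def egress_ports(self, ingress: str, group: str) -> set[str]:
        """Ports a data packet for 'group' arriving on 'ingress' is forwarded to."""
        if ipaddress.IPv4Address(group) in LINK_LOCAL:
            out = set(self.ports)                  # 224.0.0.x is always flooded
        elif group in self.groups:
            out = self.groups[group] | self.mrouter_ports
        elif self.flood_unregistered or not self.mrouter_ports:
            out = set(self.ports)                  # flood until a router port is known
        else:
            out = set(self.mrouter_ports)          # unregistered: router ports only
        out.discard(ingress)
        return out
```

Dropping a packet with a bad checksum before updating the table is the cheap half of "IGMP snooping validates IGMP packets"; it keeps a corrupted or spoofed report from pruning or inflating group membership on ports that never asked for it.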
NOTE: It is strongly recommended that users enable IGMP snooping if MLD snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table, and not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv2.
Enabling MVR and IGMP on the Same Interface MVR and IGMP snooping operate independently and can both be enabled on an interface. When both MVR and IGMP snooping are enabled, MVR listens to the IGMP join and report messages for static multicast group information, and IGMP snooping manages dynamic multicast groups. When Are Layer-3 Multicast Features Required? In addition to L2 multicast features, the switch supports IPv4 and IPv6 multicast features.
• GARP Multicast Registration Protocol (GMRP) to help control the flooding of multicast traffic by keeping track of group membership information. GVRP and GMRP use the same set of GARP Timers to specify the amount of time to wait before transmitting various GARP messages. GMRP is similar to IGMP snooping in its purpose, but IGMP snooping is more widely used.
Snooping Switch Restrictions MAC Address-Based Multicast Group The L2 multicast forwarding table consists of the multicast group MAC address filtering entries. For IPv4 multicast groups, 32 IP multicast group addresses map to the same multicast MAC address, because only the low 23 bits of the group address are carried in the MAC. For example, 224.1.1.1, 225.1.1.1 and 224.129.1.1 all map to the MAC address 01:00:5E:01:01:01, and IP addresses in the ranges [224-239].3.3.3 and [224-239].131.3.3 map to 01:00:5E:03:03:03. As a result, if a host requests 225.1.1.1, then it might receive multicast traffic of group 226.1.1.
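The mapping behind that restriction, as an added example (not code from the Dell guide or the switch firmware). IPv4 copies only the low 23 bits of the group address into the 01:00:5e MAC (the leading 1110 is fixed and bit 23 is discarded), so 2**5 = 32 groups share each MAC; IPv6 copies the low 32 bits into 33:33:xx:xx:xx:xx. The alias enumerator is what you would run before putting two multicast streams with different audiences on the same VLAN: if they collide, a MAC-keyed forwarding table delivers both to any host that joined either.

```python
"""IP-to-MAC mapping for multicast groups and the aliasing it creates.

Added example, not code from the Dell guide.
"""
from __future__ import annotations

import ipaddress

IPV4_MCAST_MAC_PREFIX = "01:00:5e:"
IPV6_MCAST_MAC_PREFIX = "33:33:"


def ipv4_group_to_mac(group: str) -> str:
    """Destination MAC for an IPv4 group: 01:00:5e plus the low 23 bits of the address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D address")
    low23 = int(addr) & 0x7F_FFFF
    return IPV4_MCAST_MAC_PREFIX + low23.to_bytes(3, "big").hex(":")


def ipv6_group_to_mac(group: str) -> str:
    """Destination MAC for an IPv6 group: 33:33 plus the low 32 bits of the address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return IPV6_MCAST_MAC_PREFIX + addr.packed[12:].hex(":")


def ipv4_groups_sharing_mac(group: str) -> list[str]:
    """All 32 IPv4 groups whose frames carry the same destination MAC as 'group'."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7F_FFFF
    base = 0xE0 << 24                      # 224.0.0.0: the fixed 1110 prefix
    # Five bits are lost in the mapping: bit 23 and the four bits below the prefix.
    return [str(ipaddress.IPv4Address(base | (lost << 23) | low23)) for lost in range(32)]


def mac_collision(group_a: str, group_b: str) -> bool:
    """True when a host that joined group_a also receives group_b on a MAC-keyed table."""
    return ipv4_group_to_mac(group_a) == ipv4_group_to_mac(group_b)


if __name__ == "__main__":
    print(ipv4_group_to_mac("225.1.1.1"))          # 01:00:5e:01:01:01
    print(mac_collision("225.1.1.1", "226.1.1.1"))  # True
    print(ipv4_groups_sharing_mac("224.3.3.3"))     # 32 addresses, 224.3.3.3 .. 239.131.3.3
```

Note that the collision set is not only the sixteen [224-239].x.y.z variants the text lists: 224.129.1.1 collides with 224.1.1.1 as well, because the high bit of the second octet is the other discarded bit.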
Default L2 Multicast Values Details about the L2 multicast are in Table 25-1. Table 25-1.
Table 25-1.
Configuring L2 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 multicast features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. Multicast Global Parameters Use the Multicast Global Parameters page to enable or disable IGMP snooping, or MLD snooping on the switch.
Bridge Multicast Group Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables and reflect the manner in which each is joined to the Multicast group. To display the Bridge Multicast Group page, click Switching Multicast Support Bridge Multicast Group in the navigation menu. Figure 25-2.
Table 25-2 contains definitions for port/LAG IGMP management settings. Table 25-2. Port/LAG IGMP Management Settings Port Control Definition D Dynamic: Indicates that the port/LAG was dynamically joined to the Multicast group (displays in the Current row). S Static: Attaches the port to the Multicast group as a static member in the Static row. Displays in the Current row once Apply is clicked. F Forbidden: Indicates that the port/LAG is forbidden entry into the Multicast group in the Static row.
4 In the Bridge Multicast Group tables, assign a setting by clicking in the Static row for a specific port/LAG. Each click toggles between S, F, and blank. (not a member). 5 Click Apply. The bridge multicast address is assigned to the multicast group, ports/LAGs are assigned to the group (with the Current rows being updated with the Static settings), and the switch is updated. Removing a Bridge Multicast Group To delete a bridge multicast group: 1 Open the Bridge Multicast Group page.
MRouter Status Use the MRouter Status page to display the status of dynamically learned multicast router interfaces. To access this page, click Switching Multicast Support MRouter Status in the navigation panel. Figure 25-4.
General IGMP Snooping Use the General IGMP snooping page to configure IGMP snooping settings on specific ports and LAGs. To display the General IGMP snooping page, click Switching Multicast Support IGMP Snooping General in the navigation menu. Figure 25-5. General IGMP Snooping Modifying IGMP Snooping Settings for Multiple Ports, LAGs, or VLANs To modify the IGMP snooping settings: 1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
Figure 25-6. Edit IGMP Snooping Settings 3 Edit the IGMP snooping fields as needed. 4 Click Apply. The IGMP snooping settings are modified, and the device is updated. Copying IGMP Snooping Settings to Multiple Ports, LAGs, or VLANs To copy IGMP snooping settings: 1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays. 2 Select the Copy Parameters From checkbox. 3 Select a Unit/Port, LAG, or VLAN to use as the source of the desired parameters.
Figure 25-7. Copy IGMP Snooping Settings 5 Click Apply. The IGMP snooping settings are modified, and the device is updated.
Global Querier Configuration
Use the Global Querier Configuration page to configure IGMP snooping querier settings, such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN.
To display the Global Querier Configuration page, click Switching > Multicast Support > IGMP Snooping > Global Querier Configuration in the navigation menu.
Figure 25-8.

VLAN Querier
Use the VLAN Querier page to specify the IGMP snooping querier settings for individual VLANs.
To display the VLAN Querier page, click Switching > Multicast Support > IGMP Snooping > VLAN Querier in the navigation menu.
Figure 25-9. VLAN Querier

Adding a New VLAN and Configuring its VLAN Querier Settings
To configure a VLAN querier:
1 From the VLAN Querier page, click Add. The page refreshes, and the Add VLAN page displays.
Figure 25-10.
3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu.
4 Specify the VLAN querier settings.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated.
To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All.
Figure 25-11.

VLAN Querier Status
Use the VLAN Querier Status page to view the IGMP snooping querier settings for individual VLANs.
To display the VLAN Querier Status page, click Switching > Multicast Support > IGMP Snooping > VLAN Querier Status in the navigation menu.
Figure 25-12.

MFDB IGMP Snooping Table
Use the MFDB IGMP Snooping Table page to view the multicast forwarding database (MFDB) IGMP Snooping Table and Forbidden Ports settings for individual VLANs.
To display the MFDB IGMP Snooping Table page, click Switching > Multicast Support > IGMP Snooping > MFDB IGMP Snooping Table in the navigation menu.
Figure 25-13.
MLD Snooping General
Use the MLD Snooping General page to add MLD members.
To access this page, click Switching > Multicast Support > MLD Snooping > General in the navigation panel.
Figure 25-14. MLD Snooping General

Modifying MLD Snooping Settings for VLANs
To configure MLD snooping:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
Figure 25-15. MLD Snooping Table
2 Select the Edit checkbox for each VLAN to modify.
3 Edit the MLD snooping fields as needed.
4 Click Apply. The MLD snooping settings are modified, and the device is updated.

Copying MLD Snooping Settings to VLANs
To copy MLD snooping settings:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
2 Select the Copy Parameters From checkbox.
3 Select a VLAN to use as the source of the desired parameters.
4 Select the Copy To checkbox for the VLANs that these parameters will be copied to.
5 Click Apply. The MLD snooping settings are modified, and the device is updated.

MLD Snooping VLAN Querier
Use the MLD Snooping VLAN Querier page to specify the MLD snooping querier settings for individual VLANs.
To display the MLD Snooping VLAN Querier page, click Switching > Multicast Support > MLD Snooping > VLAN Querier in the navigation menu.
Figure 25-17. MLD Snooping VLAN Querier

Adding a New VLAN and Configuring its MLD Snooping VLAN Querier Settings
To configure an MLD snooping VLAN querier:
1 From the VLAN Querier page, click Add.
2 Enter the VLAN ID and, if desired, an optional VLAN name.
3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu.
4 Specify the VLAN querier settings.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated.
To view a summary of the MLD snooping VLAN querier settings for all VLANs on the switch, click Show All.
Figure 25-19.

MLD Snooping VLAN Querier Status
Use the VLAN Querier Status page to view the MLD snooping querier settings for individual VLANs.
To display the VLAN Querier Status page, click Switching > Multicast Support > MLD Snooping > VLAN Querier Status in the navigation menu.
Figure 25-20.

MFDB MLD Snooping Table
Use the MFDB MLD Snooping Table page to view the MFDB MLD snooping table settings for individual VLANs.
To display the MFDB MLD Snooping Table page, click Switching > Multicast Support > MLD Snooping > MFDB MLD Snooping Table in the navigation menu.
Figure 25-21.
MVR Global Configuration
Use the MVR Global Configuration page to enable the MVR feature and configure global parameters.
To display the MVR Global Configuration page, click Switching > MVR Configuration > Global Configuration in the navigation panel.
Figure 25-22.

MVR Members
Use the MVR Members page to view and configure MVR group members.
To display the MVR Members page, click Switching > MVR Configuration > MVR Members in the navigation panel.
Figure 25-23. MVR Members

Adding an MVR Membership Group
To add an MVR membership group:
1 From the MVR Membership page, click Add. The MVR Add Group page displays.
Figure 25-24. MVR Member Group
2 Specify the MVR group IP multicast address.
3 Click Apply.

MVR Interface Configuration
Use the MVR Interface Configuration page to enable MVR on a port, configure its MVR settings, and add the port to an MVR group.
To display the MVR Interface Configuration page, click Switching > MVR Configuration > MVR Interface Configuration in the navigation panel.
Figure 25-25. MVR Interface Configuration
To view a summary of the MVR interface configuration, click Show All.
Figure 25-26.
Figure 25-27. MVR - Add to Group
2 Select the interface to add to the MVR group.
3 Specify the MVR group IP multicast address.
4 Click Apply.

Removing an Interface from an MVR Group
To remove an interface from an MVR group:
1 From the MVR Interface page, click Remove.
Figure 25-28. MVR - Remove from Group
2 Select the interface to remove from the MVR group.
3 Specify the IP multicast address of the MVR group.
4 Click Apply.

MVR Statistics
Use the MVR Statistics page to view MVR statistics on the switch.
To display the MVR Statistics page, click Switching > MVR Configuration > MVR Statistics in the navigation panel.
Figure 25-29.
GARP Timers
The Timers page contains fields for setting the GARP timers used by GVRP and GMRP on the switch.
To display the Timers page, click Switching > GARP > Timers in the navigation panel.
Figure 25-30. GARP Timers

Configuring GARP Timer Settings for Multiple Ports
To configure GARP timers on multiple ports:
1 Open the Timers page.
2 Click Show All to display the GARP Timers Table.
Figure 25-31. GARP Timers Table
3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port.
4 Specify the desired timer values.
5 Click Apply.

Copying GARP Timer Settings From One Port to Others
To copy GARP timer settings:
1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs.
2 In the Ports or LAGs list, select the check box(es) in the Copy To column for the ports or LAGs that are to receive the same settings as the port selected in the Copy Parameters From field.
3 Click Apply to copy the settings.
Figure 25-33. GMRP Port Configuration Table
3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port.
4 Specify the desired timer values.
5 Click Apply.

Copying Settings From One Port or LAG to Others
To copy GMRP settings:
1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs.
2 In the Ports or LAGs list, select the check box(es) in the Copy To column for the ports or LAGs that are to receive the same settings as the port selected in the Copy Parameters From field.
3 Click Apply to copy the settings.
Configuring L2 Multicast Features (CLI)
This section provides information about the commands used for configuring L2 multicast settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Layer-2 Multicasting
Beginning in Privileged EXEC mode, use the following commands to configure MAC address table features.
Command Purpose
configure
    Enter global configuration mode.
show mac address-table multicast [vlan vlan-id] [address mac-multicast-address | ip-multicast-address] [format ip | mac]
    View entries in the multicast MAC address table. The show mac address-table multicast command shows only multicast addresses. Multicast addresses are shown along with unicast addresses if the multicast keyword is not used.

Configuring IGMP Snooping on VLANs
Beginning in Privileged EXEC mode, use the following commands to configure IGMP snooping settings on VLANs.
Command Purpose
ip igmp snooping vlan vlan-id mcrtexpiretime
    Specify the multicast router time-out value to associate with a VLAN. This command sets the number of seconds to wait before aging out an automatically learned multicast router port.
CTRL + Z
    Exit to Privileged EXEC mode.
show ip igmp snooping groups
    Show the IGMP snooping configuration on all VLANs.
show ip igmp snooping vlan vlan-id
    View the IGMP snooping settings on the VLAN.
ip igmp snooping querier election participate vlan-id
    Allow the IGMP snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries.

Command Purpose
ipv6 mld snooping vlan vlan-id immediate-leave
    Enable MLD snooping immediate-leave mode on the specified VLAN. Enabling immediate-leave allows the switch to immediately remove the layer-2 LAN interface from its forwarding table entry upon receiving an MLD leave message for that multicast group, without first sending out MAC-based general queries to the interface.
ipv6 mld snooping querier election participate vlan-id
    Allow the MLD snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries. If the snooping querier wins the election, it continues sending periodic queries.

Command Purpose
mvr querytime time
    Set the MVR query response time. The value for time is in units of tenths of a second. This is the time to wait for a response to the query sent after receiving a leave message and before removing the port from the group.
mvr mode {compatible | dynamic}
    Specify the MVR mode of operation.
mvr group mcast-address
    Add an MVR membership group.
show mvr interface interface
    View information about the MVR configuration for a specific port.
show mvr traffic
    View information about IGMP traffic in the MVR table.

Configuring GARP Timers and GMRP
Beginning in Privileged EXEC mode, use the following commands to configure the GARP timers and to control the administrative mode of GMRP on the switch and per interface.
Command Purpose
configure
    Enter global configuration mode.
Case Study on a Real-World Network Topology

Multicast Snooping Case Study
Figure 25-35 shows the topology that the scenarios in this case study use.
Figure 25-35. Case Study Topology
The topology in Figure 25-35 includes the following elements:
• Snooping Switches: D1, D2, D3 with IGMP snooping enabled on VLANs 10, 20
• Multicast Router: D4 with PIM-SM enabled on VLANs 10, 20
• Multicast Listeners: Client A-G
• Multicast Sources: Server A – 239.20.30.40, Server B – 239.20.30.
• Subnets: VLAN 10 – 192.168.10.x, VLAN 20 – 192.168.20.x
• Mrouter ports: D3 – 1/0/20, D2 – PortChannel1, D1 – 1/0/15

Snooping Within a Subnet
In the example network topology, the multicast source and listeners are in the same subnet, VLAN 20 – 192.168.20.x/24. D4 sends periodic queries on VLANs 10 and 20, and these queries are forwarded to D1, D2, and D3 via trunk links. Snooping switches D1, D2, and D3 flood these queries in VLANs 10 and 20 to clients G, F, and D, respectively.
4 Client D receives the multicast stream from Server B because D1 forwards it to D3 and then to D4, since D4 is a multicast router. Because the multicast stream is present on D3, an L2 forwarding entry is created on D3, where 239.20.30.42 is not a registered group.
5 Client F does not receive the multicast stream because it did not respond to queries from D4.

Snooping Switch Interaction with a Multicast Router
In the example network topology, consider Client B and Server A.
2 A multicast forwarding entry is created on D2: VLAN 20, 239.20.30.40 – 1/0/20, PortChannel1.
3 The Client F report message is forwarded to D3 – PortChannel1 (multicast router attached port).
4 A multicast forwarding entry is created on D3: VLAN 20, 239.20.30.40 – PortChannel1, 1/0/20.
5 The Client F report message is forwarded to D4 via D3 – 1/0/20 (multicast router attached port).
6 An IP multicast routing entry is created on D4, VLAN 10 – VLAN 20, with the layer-3 outgoing port list as VLAN 20 – 1/0/20.

Multicast Source and Listener connected to the Multicast Router via intermediate snooping switches and in different routing VLANs: Server B and Client E
Clients E, B, and C are on the same subnet, VLAN 10 – 192.168.10.70/24. Server B is in a different subnet, VLAN 20 – 192.168.20.70/24.
1 Client E sends a report for 239.20.30.42.
2 A multicast forwarding entry is created on D2: VLAN 10, 239.20.30.42 – 1/0/2, PortChannel 1.
3 The report from Client E is forwarded to D3 via D2 – PortChannel 1.
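The forwarding-entry construction the case study walks through, as an added example that is not part of the Dell guide: it models how a snooping switch such as D2 floods queries, builds a (VLAN, group) entry from a membership report together with the VLAN's mrouter ports, and relays the report only towards the router. The D2 port lists are constructed from the ports the case study names; the handling of unregistered groups is a stated assumption.

```python
"""IGMP snooping forwarding entries for the case-study switches (added example)."""
from collections import defaultdict
from typing import Dict, Set, Tuple


class SnoopingSwitch:
    def __init__(self, name: str, vlan_ports: Dict[int, Set[str]],
                 mrouter_ports: Dict[int, Set[str]]):
        self.name = name
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}
        self.mrouter_ports = {v: set(p) for v, p in mrouter_ports.items()}
        # (vlan, group) -> egress port set: the L2 forwarding entries of the case study
        self.entries: Dict[Tuple[int, str], Set[str]] = defaultdict(set)

    def on_query(self, vlan: int, in_port: str) -> Set[str]:
        """A general query from the querier is flooded to every other port in the VLAN."""
        return self.vlan_ports[vlan] - {in_port}

    def on_report(self, vlan: int, group: str, in_port: str) -> Set[str]:
        """Record the listener port and return the ports the report is relayed to."""
        entry = self.entries[(vlan, group)]
        entry.add(in_port)
        entry |= self.mrouter_ports.get(vlan, set())
        # Reports travel towards the multicast router only, never to other listeners.
        return self.mrouter_ports.get(vlan, set()) - {in_port}

    def on_leave(self, vlan: int, group: str, in_port: str) -> None:
        """Immediate-leave style removal: drop the port; delete the entry when no listener is left."""
        key = (vlan, group)
        if key not in self.entries:
            return
        self.entries[key].discard(in_port)
        if self.entries[key] <= self.mrouter_ports.get(vlan, set()):
            del self.entries[key]

    def on_data(self, vlan: int, group: str, in_port: str) -> Set[str]:
        """Egress set for a data frame: the registered ports, or only the mrouter ports
        for a group nobody has reported (assumption; the switch's handling of
        unregistered groups is configurable and is not modelled here)."""
        ports = self.entries.get((vlan, group), self.mrouter_ports.get(vlan, set()))
        return ports - {in_port}


def build_d2() -> SnoopingSwitch:
    """D2 from Figure 25-35: mrouter port PortChannel1; host ports 1/0/20 (VLAN 20) and 1/0/2 (VLAN 10).
    The VLAN membership of those ports is constructed from the case-study text."""
    return SnoopingSwitch(
        "D2",
        vlan_ports={10: {"1/0/2", "PortChannel1"}, 20: {"1/0/20", "PortChannel1"}},
        mrouter_ports={10: {"PortChannel1"}, 20: {"PortChannel1"}},
    )


def run_case_study() -> Dict[Tuple[int, str], Set[str]]:
    """Replay the two reports the case study describes on D2 and return its entries."""
    d2 = build_d2()
    d2.on_report(20, "239.20.30.40", "1/0/20")   # VLAN 20 listener for Server A's group
    d2.on_report(10, "239.20.30.42", "1/0/2")    # Client E on VLAN 10 for Server B's group
    return dict(d2.entries)
```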
26 Connectivity Fault Management
Dell Networking N4000 Series Switches
NOTE: This feature is supported only on the Dell Networking N4000 Series switches.
This chapter describes how to configure the Connectivity Fault Management feature, which is specified in IEEE 802.1ag (IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management).
IEEE Std. 802.3 LAN, Dot1ag addresses fault diagnosis at the service layer across networks comprising multiple LANs, including LANs other than 802.3 media.

How Does Dot1ag Work Across a Carrier Network?
A typical metropolitan area network comprises operator, service provider, and customer networks. To suit this business model, CFM relies on a functional model of hierarchical maintenance domains (MDs). Each domain is assigned a unique MD level. Higher levels have a broader, but less detailed, view of the network. As a result, a provider could include multiple operators, provided that the domains never intersect. The operator transparently passes frames from the customer and provider, and the customer does not see the operator frames. Multiple levels within a domain (say, operator) are supported for flexibility.
Figure 26-2 depicts two MEPs and the MIPs that connect them in a maintenance domain.
Figure 26-2. Maintenance Endpoints and Intermediate Points

Maintenance Associations
An MA is a logical connection between one or more MEPs that enables monitoring of a particular service instance. Each MA is associated with a unique SVLAN ID. An MA is identified by a maintenance association ID. All MEPs in the MA are assigned the maintenance identifier (MAID) for the association.
Figure 26-3. Provider View for Service Level OAM

What is the Administrator’s Role?
On the switch, the administrator configures the customer-level maintenance domains, associations, and endpoints used to participate in Dot1ag services with other switches connected through the provider network. The administrator can also use utilities to troubleshoot connectivity faults when they are reported via SNMP traps. All the domains within the customer domain should use different domain levels.

Troubleshooting Tasks
In the event of a connectivity loss between MEPs, the administrator can perform path discovery, similar to traceroute, from one MEP to any MEP or MIP in a maintenance domain using Link Trace Messages (LTMs). The connectivity loss is narrowed down using path discovery and is verified using Loopback Messages (LBMs), which are similar to ping operations in IP networks.
Configuring Dot1ag (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Dot1ag features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

Dot1ag Global Configuration
Use the Global Configuration page to enable and disable the Dot1ag admin mode and to configure the time after which inactive RMEP messages are removed from the MEP database.
Figure 26-5. Dot1ag MD Configuration

Dot1ag MA Configuration
Use the MA Configuration page to associate a maintenance domain level with one or more VLAN IDs, provide a name for each maintenance association (MA), and set the interval between continuity check messages sent by MEPs for the MA.
To display the page, click Switching > Dot1ag > MA Configuration in the tree view.
Figure 26-6.
To add an MA, click the Add link at the top of the page.

Dot1ag MEP Configuration
Use the MEP Configuration page to define switch ports as Maintenance End Points. MEPs are configured per domain and per VLAN.
To display the page, click Switching > Dot1ag > MEP Configuration in the tree view.
Figure 26-7.
To add a MEP, click the Add link at the top of the page. A VLAN must be associated with the selected domain before you configure a MEP to be used within an MA (see the MA Configuration page).

Dot1ag MIP Configuration
Use the MIP Configuration page to define a switch port as an intermediate bridge for a selected domain.
To display the page, click Switching > Dot1ag > MIP Configuration in the tree view.
Figure 26-8.

Dot1ag RMEP Summary
Use the RMEP Summary page to view information on remote MEPs that the switch has learned through CFM PDU exchanges with MEPs on the switch.
To display the page, click Switching > Dot1ag > RMEP Summary in the tree view.
Figure 26-9.

Dot1ag L2 Ping
Use the L2 Ping page to generate a loopback message from a specified MEP. The MEP can be identified by the MEP ID or by its MAC address.
To display the page, click Switching > Dot1ag > L2 Ping in the tree view.
Figure 26-10. Dot1ag L2 Ping

Dot1ag L2 Traceroute
Use the L2 Traceroute page to generate a Link Trace message from a specified MEP. The MEP can be specified by the MAC address, or by the remote MEP ID.
To display the page, click Switching > Dot1ag > L2 Traceroute in the tree view.
Figure 26-11. Dot1ag L2 Traceroute

Dot1ag L2 Traceroute Cache
Use the L2 Traceroute Cache page to view link traces retained in the link trace database.
To display the page, click Switching > Dot1ag > L2 Traceroute Cache in the tree view.
Figure 26-12.

Dot1ag Statistics
Use the Statistics page to view Dot1ag information for a selected domain and VLAN ID.
To display the page, click Switching > Dot1ag > Statistics in the tree view.
Figure 26-13.
Configuring Dot1ag (CLI)
This section provides information about the commands used for configuring Dot1ag settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Dot1ag Global Settings and Creating Domains
Beginning in Privileged Exec mode, use the following commands to configure CFM settings and to view global status and domain information.

Configuring MEP Information
Beginning in Privileged Exec mode, use the following commands to configure the mode and view related settings.
CLI Command Description
configure
    Enter global configuration mode.
interface interface
    Enter Interface Config mode for the specified interface, where interface is replaced by gigabitethernet unit/slot/port or tengigabitethernet unit/slot/port.

Dot1ag Ping and Traceroute
Beginning in Privileged Exec mode, use the following commands to help identify and troubleshoot Ethernet CFM settings.
CLI Command Description
ping ethernet cfm mac mac-addr
    Generate a loopback message from the MEP with the specified MAC address.
ping ethernet cfm remote-mpid mep-id
    Generate a loopback message from the MEP with the specified MEP ID.
traceroute ethernet cfm mac mac-addr
    Generate a Link Trace message from the MEP with the specified MAC address.

Dot1ag Configuration Example
In the following example, the switch at the customer site is part of a Metro Ethernet network that is bridged to remote sites through a provider network. A service VLAN (SVID 200) identifies a particular set of customer traffic on the provider network.
Figure 26-14.
2 Configure port 1/0/5 as an MEP for service VLAN 200 so that the port can exchange CFM PDUs with its counterpart MEPs on the customer network. The port is first configured as a MEP with MEP ID 20 on domain level 6 for VLAN 200. Then the port is enabled and activated as a MEP.
27 Snooping and Inspecting Traffic
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI), which are layer-2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network.

What Is DHCP Snooping?
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:
• Ensure that only authorized DHCP clients are able to utilize the network.
• On untrusted DHCP client interfaces, the switch drops DHCP packets with a source MAC address that does not match the client hardware address. This is a configurable option.

How Is the DHCP Snooping Bindings Database Populated?
The DHCP snooping application uses DHCP messages to build and maintain the bindings database. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received).
Figure 27-1. DHCP Binding (state diagram with the states No Binding, Tentative Binding, and Complete Binding, and transitions labelled Discover, Request, Decline, NACK, ACK, and Release)
The binding database includes data for clients only on untrusted ports.

DHCP Snooping and VLANs
DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The message is forwarded on all trusted interfaces in the VLAN. DHCP snooping can be configured on switching VLANs and routing VLANs. If DHCP relay co-exists with DHCP snooping, DHCP client messages are sent to DHCP relay for further processing.
To prevent DHCP packets from being used in a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on interfaces. DHCP rate limiting can be configured on both trusted and untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately.
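The binding life cycle described above, as an added example that is not Dell's code: client messages on untrusted ports create tentative bindings, server messages arriving on trusted ports complete or clear them, and a frame whose Ethernet source MAC differs from the DHCP client hardware address (chaddr) is dropped on an untrusted port when that check is enabled. Port names, VLANs and MAC addresses are constructed; where Figure 27-1 does not say which state a transition leaves from, the choice made here is marked as an assumption.

```python
"""DHCP snooping binding-table state machine (added example, not Dell's implementation)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    TENTATIVE = "tentative"   # client seen on a port, no lease recorded yet
    COMPLETE = "complete"     # server ACK seen, IP and lease recorded


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str                 # the untrusted port the client message arrived on
    state: State = State.TENTATIVE
    ip: Optional[str] = None
    lease: Optional[int] = None


CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE"}
SERVER_MSGS = {"ACK", "NAK"}


class DhcpSnooper:
    """Binding database for one switch; entries exist only for clients on untrusted ports."""

    def __init__(self, trusted_ports, verify_mac: bool = True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.bindings: Dict[str, Binding] = {}        # keyed by client MAC
        self.drops: List[Tuple[str, str, str]] = []   # (port, message, reason)

    def _drop(self, port: str, msg: str, reason: str) -> bool:
        self.drops.append((port, msg, reason))
        return False

    def process(self, port: str, vlan: int, src_mac: str, msg: str, chaddr: str,
                yiaddr: Optional[str] = None, lease: Optional[int] = None) -> bool:
        """Apply one DHCP message; return True if the switch forwards it, False if it is dropped."""
        if msg in SERVER_MSGS:
            return self._server_message(port, msg, chaddr, yiaddr, lease)
        if msg not in CLIENT_MSGS:
            return self._drop(port, msg, "unhandled DHCP message type")
        if port in self.trusted:
            return True                   # no bindings are learned on trusted ports
        if self.verify_mac and src_mac.lower() != chaddr.lower():
            return self._drop(port, msg, "source MAC does not match chaddr")
        b = self.bindings.get(chaddr)
        if msg in ("DISCOVER", "REQUEST"):
            if b is None:
                self.bindings[chaddr] = Binding(chaddr, vlan, port)   # No Binding -> Tentative
            elif msg == "DISCOVER" and b.state is State.COMPLETE:
                # Assumption: a fresh DISCOVER restarts the exchange, so the
                # complete binding returns to tentative until the next ACK.
                b.state, b.ip, b.lease = State.TENTATIVE, None, None
        elif msg == "DECLINE" and b is not None and b.state is State.TENTATIVE:
            del self.bindings[chaddr]     # Tentative -> No Binding
        elif msg == "RELEASE" and b is not None and b.state is State.COMPLETE:
            del self.bindings[chaddr]     # Complete -> No Binding
        return True

    def _server_message(self, port: str, msg: str, chaddr: str,
                        yiaddr: Optional[str], lease: Optional[int]) -> bool:
        # Server replies are honoured only from trusted ports, where the real server is reachable.
        if port not in self.trusted:
            return self._drop(port, msg, "server message on untrusted port")
        b = self.bindings.get(chaddr)
        if b is None:
            return True                   # client is not on an untrusted port; nothing to track
        if msg == "ACK":
            b.state, b.ip, b.lease = State.COMPLETE, yiaddr, lease   # Tentative -> Complete
        else:
            del self.bindings[chaddr]     # NAK clears a tentative or a complete binding
        return True

    def complete_bindings(self) -> Dict[str, Tuple[Optional[str], int, str]]:
        """The (ip, vlan, port) view that IPSG and DAI consult."""
        return {b.mac: (b.ip, b.vlan, b.port) for b in self.bindings.values()
                if b.state is State.COMPLETE}


def demo() -> Tuple[DhcpSnooper, bool]:
    """Constructed walk-through: one client obtains a lease, then a mismatched frame is dropped."""
    sw = DhcpSnooper(trusted_ports={"Po1"})   # LAG 1 faces the DHCP server, as in the CLI example
    client = "00:11:22:33:44:55"
    sw.process("1/0/3", 100, client, "DISCOVER", client)
    sw.process("1/0/3", 100, client, "REQUEST", client)
    sw.process("Po1", 100, "00:aa:bb:cc:dd:ee", "ACK", client,
               yiaddr="192.168.100.10", lease=86400)
    # Ethernet source MAC differs from chaddr: dropped on the untrusted port.
    forwarded = sw.process("1/0/4", 100, "00:11:22:33:44:66", "REQUEST", client)
    return sw, forwarded
```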
What Is IP Source Guard?
IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.

What is Dynamic ARP Inspection?
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station’s IP address to its own MAC address.
re-enable the port. DAI rate limiting cannot be enabled on trusted interfaces. Use the no ip arp inspection limit command to disable diagnostic disabling of untrusted ports due to DAI.

Why Is Traffic Snooping and Inspection Necessary?
DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks.
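How IPSG and DAI consume the bindings that DHCP snooping learns, as an added example that is not the switch's implementation: IPSG admits an IP packet on an untrusted port only if its source ID (IP, or IP plus MAC) is bound to that port and VLAN, and DAI admits an ARP packet only if the sender IP/MAC pair appears in an ARP ACL permit rule or in the binding table, after the optional source-MAC, destination-MAC and invalid-IP validations named in the CLI section. The exact definition of those three validations follows common DAI practice and is an assumption; all addresses and port names are constructed.

```python
"""IPSG and DAI checks against a DHCP snooping binding table (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Set, Tuple

Binding = Tuple[str, str, int, str]   # (ip, mac, vlan, port), as DHCP snooping would store it
AclRule = Tuple[str, str]             # one "permit ip host sender-ip mac host sender-mac" rule

# Constructed binding table: two DHCP clients on VLAN 100, learned on untrusted ports.
BINDINGS: Set[Binding] = {
    ("192.168.100.10", "00:11:22:33:44:55", 100, "1/0/3"),
    ("192.168.100.11", "00:11:22:33:44:66", 100, "1/0/4"),
}
# Constructed ARP ACL with one permit rule for a statically addressed host.
ARP_ACL_HOSTS: Set[AclRule] = {("192.168.100.50", "00:aa:bb:cc:dd:01")}


@dataclass
class IpPacket:
    port: str
    vlan: int
    src_ip: str
    src_mac: str


@dataclass
class ArpPacket:
    port: str
    vlan: int
    eth_src: str          # Ethernet header source MAC
    eth_dst: str          # Ethernet header destination MAC
    opcode: int           # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def ipsg_permit(pkt: IpPacket, bindings: Iterable[Binding], trusted: Set[str],
                check_mac: bool = False) -> bool:
    """IPSG: forward only if the source ID is bound to the ingress port and VLAN."""
    if pkt.port in trusted:
        return True
    for ip, mac, vlan, port in bindings:
        if port == pkt.port and vlan == pkt.vlan and ip == pkt.src_ip:
            if not check_mac or mac.lower() == pkt.src_mac.lower():
                return True
    return False


def _invalid_ip(ip: str) -> bool:
    # Assumption: the "invalid IP" check rejects unspecified, loopback, multicast and broadcast.
    a = IPv4Address(ip)
    return a.is_unspecified or a.is_loopback or a.is_multicast or ip == "255.255.255.255"


def dai_permit(arp: ArpPacket, bindings: Iterable[Binding], acl: Iterable[AclRule],
               trusted: Set[str], validate_src_mac: bool = True,
               validate_dst_mac: bool = True, validate_ip: bool = True) -> Tuple[bool, str]:
    """DAI: return (permitted, reason) for an ARP packet; trusted ports are not inspected."""
    if arp.port in trusted:
        return True, "trusted port"
    if validate_src_mac and arp.eth_src.lower() != arp.sender_mac.lower():
        return False, "source MAC validation failed"
    if validate_dst_mac and arp.opcode == 2 and arp.eth_dst.lower() != arp.target_mac.lower():
        return False, "destination MAC validation failed"
    if validate_ip and (_invalid_ip(arp.sender_ip)
                        or (arp.opcode == 2 and _invalid_ip(arp.target_ip))):
        return False, "invalid IP validation failed"
    if (arp.sender_ip, arp.sender_mac.lower()) in {(i, m.lower()) for i, m in acl}:
        return True, "permitted by ARP ACL"
    # The binding check compares the IP-to-MAC mapping within the VLAN, not the ingress port.
    for ip, mac, vlan, _port in bindings:
        if ip == arp.sender_ip and mac.lower() == arp.sender_mac.lower() and vlan == arp.vlan:
            return True, "matched DHCP snooping binding"
    return False, "no binding or ACL match for sender IP/MAC"
```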
Table 27-1.
Configuring Traffic Snooping and Inspection (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DHCP snooping, IPSG, and DAI features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

DHCP Snooping Interface Configuration
Use the DHCP Snooping Interface Configuration page to configure the DHCP snooping settings on individual ports and LAGs.
To access the DHCP Snooping Interface Configuration page, click Switching > DHCP Snooping > Interface Configuration in the navigation panel.
Figure 27-3.
To view a summary of the DHCP snooping configuration for all interfaces, click Show All.
Figure 27-4.

DHCP Snooping VLAN Configuration
Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN.
To access the DHCP Snooping VLAN Configuration page, click Switching > DHCP Snooping > VLAN Configuration in the navigation panel.
Figure 27-5. DHCP Snooping VLAN Configuration
To view a summary of the DHCP snooping status for all VLANs, click Show All.
Figure 27-6.

DHCP Snooping Persistent Configuration
Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. The bindings database can be stored locally on the switch or on a remote system elsewhere in the network. The switch must be able to reach the IP address of the remote system to send bindings to a remote database.

DHCP Snooping Static Bindings Configuration
Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database.
To access the DHCP Snooping Static Bindings Configuration page, click Switching > DHCP Snooping > Static Bindings Configuration in the navigation panel.
Figure 27-8. DHCP Snooping Static Bindings Configuration
To view a summary of the DHCP snooping status for all VLANs, click Show All.
Figure 27-9.

DHCP Snooping Dynamic Bindings Summary
The DHCP Snooping Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports.
To access the DHCP Snooping Dynamic Bindings Summary page, click Switching > DHCP Snooping > Dynamic Bindings Summary in the navigation panel.
Figure 27-10.

DHCP Snooping Statistics
The DHCP Snooping Statistics page displays DHCP snooping interface statistics.
To access the DHCP Snooping Statistics page, click Switching > DHCP Snooping > Statistics in the navigation panel.
Figure 27-11.

IPSG Interface Configuration
Use the IPSG Interface Configuration page to configure IPSG on an interface.
To access the IPSG Interface Configuration page, click Switching > IP Source Guard > IPSG Interface Configuration in the navigation panel.
Figure 27-12. IPSG Interface Configuration

IPSG Binding Configuration
Use the IPSG Binding Configuration page to configure IPSG static bindings.

IPSG Binding Summary
The IPSG Binding Summary page displays the IPSG static binding list and the IPSG dynamic binding list (the static bindings are those configured on the IPSG Binding Configuration page).
To access the IPSG Binding Summary page, click Switching > IP Source Guard > IPSG Binding Summary in the navigation panel.
Figure 27-14.

DAI Global Configuration
Use the DAI Configuration page to configure global DAI settings.
To display the DAI Configuration page, click Switching > Dynamic ARP Inspection > Global Configuration in the navigation panel.
Figure 27-15.

DAI Interface Configuration
Use the DAI Interface Configuration page to select the DAI interface for which information is to be displayed or configured.
To display the DAI Interface Configuration page, click Switching > Dynamic ARP Inspection > Interface Configuration in the navigation panel.
Figure 27-16. Dynamic ARP Inspection Interface Configuration
To view a summary of the DAI status for all interfaces, click Show All.
Figure 27-17.

DAI VLAN Configuration
Use the DAI VLAN Configuration page to select the VLANs for which information is to be displayed or configured.
To display the DAI VLAN Configuration page, click Switching > Dynamic ARP Inspection > VLAN Configuration in the navigation panel.
Figure 27-18. Dynamic ARP Inspection VLAN Configuration
To view a summary of the DAI status for all VLANs, click Show All.
Figure 27-19.

DAI ACL Configuration
Use the DAI ACL Configuration page to add or remove ARP ACLs.
To display the DAI ACL Configuration page, click Switching > Dynamic ARP Inspection > ACL Configuration in the navigation panel.
Figure 27-20. Dynamic ARP Inspection ACL Configuration
To view a summary of the ARP ACLs that have been created, click Show All.
Figure 27-21. Dynamic ARP Inspection ACL Summary
To remove an ARP ACL, select the Remove checkbox associated with the ACL and click Apply.
Figure 27-22. Dynamic ARP Inspection Rule Configuration
To view a summary of the ARP ACL rules that have been created, click Show All.
Figure 27-23. Dynamic ARP Inspection ACL Rule Summary
To remove an ARP ACL rule, select the Remove checkbox associated with the rule and click Apply.

DAI Statistics
Use the DAI Statistics page to display the statistics per VLAN.
To display the DAI Statistics page, click Switching > Dynamic ARP Inspection > Statistics in the navigation panel.
Figure 27-24.
Configuring Traffic Snooping and Inspection (CLI)
This section provides information about the commands used for configuring DHCP snooping, IPSG, and DAI settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring DHCP Snooping
Beginning in Privileged EXEC mode, use the following commands to configure and view DHCP snooping settings.
Command Purpose
ip dhcp snooping database write-delay seconds
    Configure the interval, in seconds, at which the DHCP snooping database is stored in persistent storage. The number of seconds can range from 15–86400.
ip dhcp snooping limit {none | rate rate [burst interval seconds]}
    Configure the maximum rate of DHCP messages allowed on the switch at any given time.
    • rate —The maximum number of packets per second allowed (Range: 0–300 pps).
clear ip dhcp snooping statistics
    Reset the DHCP snooping statistics to zero.

Configuring IP Source Guard
Beginning in Privileged EXEC mode, use the following commands to configure IPSG settings on the switch.
Command Purpose
configure
    Enter global configuration mode.
interface interface
    Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
exit
    Exit to Privileged EXEC mode.
show ip verify interface
    View IPSG parameters for a specific port or LAG. The interface parameter includes the interface type (gigabitethernet, tengigabitethernet, or port-channel) and number.
show ip verify source [interface interface]
    View IPSG bindings configured on the switch or on a specific port or LAG.
show ip source binding
    View IPSG bindings.

Command Purpose
arp access-list acl-name
    Create an ARP ACL with the specified name (1–31 characters) and enter ARP Access-list Configuration mode for the ACL.
permit ip host sender-ip mac host sender-mac
    Configure a rule for a valid IP address and MAC address combination used in ARP packet validation.
    • sender-ip — Valid IP address used by a host.
    • sender-mac — Valid MAC address in combination with the above sender-ip used by a host.
exit
    Exit to Global Config mode.
show ip arp inspection vlan [vlan-range]
    View the Dynamic ARP Inspection configuration on the specified VLAN(s). This command also displays the global configuration values for source MAC validation, destination MAC validation, and invalid IP validation.
show ip arp inspection statistics [vlan vlan-range]
    View the statistics of the ARP packets processed by Dynamic ARP Inspection for the switch or for the specified VLAN(s).

Traffic Snooping and Inspection Configuration Examples
This section contains the following examples:
• Configuring DHCP Snooping
• Configuring IPSG

Configuring DHCP Snooping
In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second.
To configure the switch:
1 Enable DHCP snooping on VLAN 100.
console#config
console(config)#ip dhcp snooping vlan 100
2 Configure LAG 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted by default.

Configuring IPSG
This example builds on the previous example and uses the same topology shown in Figure 27-25. In this configuration example, IP source guard is enabled on ports 1-20. DHCP snooping must also be enabled on these ports. Additionally, because the ports use IP source guard with source IP and MAC address filtering, port security must be enabled on the ports as well.
To configure the switch:
1 Enter interface configuration mode for the host ports and enable IPSG.
Link Aggregation 28 Dell Networking N1500, N2000, N3000, and N4000 Series Switches This chapter describes how to create and configure link aggregation groups (LAGs), which are also known as port-channels. The topics covered in this chapter include: • Link Aggregation • Multi-Switch LAG (MLAG) Link Aggregation Overview Link Aggregation allows one or more full-duplex Ethernet links of the same speed to be aggregated together to form a LAG.
Figure 28-1 shows an example of a switch in the wiring closet connected to a switch in the data center by a LAG that consists of four physical 10 Gbps links. The LAG provides full-duplex bandwidth of 40 Gbps between the two switches.
Figure 28-1. LAG Configuration
LAGs can be configured on stand-alone or stacked switches. In a stack of switches, the LAG can consist of ports on a single unit or across multiple stack members.
undetected and thus cause undesirable network behavior. Both static and dynamic LAGs (via LACP) can detect physical link failures within the LAG and continue forwarding traffic through the other connected links within that same LAG. LACP can also detect switch or port failures that do not result in loss of link. This provides a more resilient LAG. Best practices suggest using dynamic link aggregation instead of static link aggregation.
• Excellent load balancing performance.
How Do LAGs Interact with Other Features?
From a system perspective, a LAG is treated just as a physical port, with the same configuration parameters for administrative enable/disable, spanning tree port priority, and path cost as for any other physical port.
VLAN
When members are added to a LAG, they are removed from all existing VLAN membership.
• Each member of the LAG must be running at the same speed and must be in full duplex mode.
• The port cannot be a mirrored port.
The following are the interface restrictions:
• The configured speed of a LAG member cannot be changed.
• An interface can be a member of only one LAG.
Default Link Aggregation Values
The LAGs on the switch are created by default, but no ports are members. Table 28-1 summarizes the default values for the MAC address table.
Table 28-1.
Configuring Link Aggregation (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring LAGs on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
LAG Configuration
Use the LAG Configuration page to set the name and administrative status (up/down) of a LAG. To display the LAG Configuration page, click Switching Ports LAG Configuration in the navigation panel.
To view or edit settings for multiple LAGs, click Show All.
LACP Parameters
Dynamic link aggregation is initiated and maintained by the periodic exchanges of LACP PDUs. Use the LACP Parameters page to configure LACP LAGs. To display the LACP Parameters page, click Switching Link Aggregation LACP Parameters in the navigation panel.
Figure 28-3. LACP Parameters
Configuring LACP Parameters for Multiple Ports
To configure LACP settings:
1 Open the LACP Parameters page.
2 Click Show All. The LACP Parameters Table page displays.
Figure 28-4. LACP Parameters Table
3 Select the Edit check box associated with each port to configure.
4 Specify the LACP port priority and LACP timeout for each port.
5 Click Apply.
LAG Membership
Your switch supports 48 LAGs per system, and eight ports per LAG. Use the LAG Membership page to assign ports to static and dynamic LAGs. To display the LAG Membership page, click Switching Link Aggregation LAG Membership in the navigation panel.
Figure 28-5. LAG Membership
Adding a Port to a Static LAG
To add a static LAG member:
1 Open the LAG Membership page.
2 Click in the LAG row to toggle the port to the desired LAG. The LAG number displays for that port. The LAG number increases each time you click until the number reaches the maximum LAG number and then returns to blank (no LAG assigned).
3 Click Apply. The port is assigned to the selected LAG, and the device is updated.
LAG Hash Configuration
Use the LAG hash algorithm to set the traffic distribution mode on the LAG. The hash type can be set for each LAG. To display the LAG Hash Configuration page, click Switching Link Aggregation LAG Hash Configuration in the navigation panel.
Figure 28-6. LAG Hash Configuration
LAG Hash Summary
The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type.
Figure 28-7.
Configuring Link Aggregation (CLI)
This section provides information about the commands used for configuring link aggregation settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring LAG Characteristics
Beginning in Privileged EXEC mode, use the following commands to configure a few of the available LAG characteristics.
Configuring Link Aggregation Groups
Beginning in Privileged EXEC mode, use the following commands to add ports as LAG members and to configure the LAG hashing mode.
Command    Purpose
configure    Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of ports can be specified using the interface range command.
Command    Purpose
hashing-mode mode    Set the hashing algorithm on the LAG. The mode value is a number from 1 to 7.
Command    Purpose
interface port-channel number    Enter interface configuration mode for the specified LAG. A range of LAGs to configure can be specified using the interface range port-channel command. For example, interface range port-channel 1-3,10 configures LAGs 1, 2, 3, and 10.
lacp port-priority value    Set the Link Aggregation Control Protocol priority for the port or range of ports. The priority value range is 1–65535.
Link Aggregation Configuration Examples
This section contains the following examples:
• Configuring Dynamic LAGs
• Configuring Static LAGs
NOTE: The examples in this section show the configuration of only one switch. Because LAGs involve physical links between two switches, the LAG settings and member ports must be configured on both switches.
Configuring Dynamic LAGs
The commands in this example show how to configure a dynamic LAG on a switch.
3 View information about LAG 1.
3 View information about LAG 2.
Multi-Switch LAG (MLAG)
NOTE: This feature is not available on the Dell Networking N1500 Series switches.
Overview
In a typical layer-2 network, the Spanning Tree Protocol (STP) is deployed to avoid packet storms due to loops in the network. To perform this function, STP sets ports into either a forwarding state or a blocking state. Ports in the blocking state do not carry traffic. In the case of a topology change, STP reconverges to a new loop-free network and updates the port states.
Deployment Scenarios
MLAG is intended to support higher bandwidth utilization in scenarios where a redundant layer-2 network is desired. In such scenarios the effects of STP on link utilization are profound. Large percentages of links do not carry data because they are blocked and only a single path through the network carries traffic.
Figure 28-8. STP Blocking [figure: switches SW1, SW2, SW3 and SW4]
Traffic does not flow through SW2 due to spanning tree blocking the SW2/SW3 link.
Figure 28-9. MLAG in a Layer-2 Network [figure: SW1 and SW2 joined by an MLAG Peer Link, with SW3 and SW4 attached]
Traffic flows on all available links.
Definitions
Refer to Figure 28-10 for the definitions that follow.
Figure 28-10. MLAG Components [figure: an L3 network above SW1 and SW2, which are joined by the Peer-Link (Virtual Link); MLAG 1 (LAG A) and MLAG 2 (LAG B) below; ports P1-P4 on SW1 and S1-S4 on SW2]
MLAG switches: MLAG aware switches running Dell Networking Series switch firmware. No more than two MLAG aware switches can pair to form one end of the LAG. Stacked switches do not support MLAGs. In the above figure, SW1 and SW2 are MLAG peer switches.
MLAG member ports: Ports on the peer MLAG switches that are part of the MLAG interface (P1 on SW1 and S1 on SW2).
Non-redundant ports: Ports on either of the peer switches that are not part of the MLAG (ports P4 and S4). MLAG interfaces and non-redundant ports cannot be members of the same VLAN, i.e. a VLAN may contain MLAG interfaces or a VLAN may contain non-redundant ports, but not both. To attach a host or switch to a non-redundant port, configure the port to be a member of the non-MLAG VLANs.
• Collector max-delay
• Partner parameters
2 STP
The default STP mode for Dell Networking N-Series switches is RSTP. VLANs cannot be configured to contain both MLAG ports and non-MLAG (non-redundant) ports. RSTP, MSTP, and STP-PV/RSTP-PV are supported with MLAG. The following STP configuration parameters must be identical on both MLAG peers.
The administrator should also ensure that the following are identical before enabling MLAG:
– FDB entry aging timers
– Static MAC entries
– ACL configuration
4 Interface Configuration
– PFC configuration
– CoS queue assignments
5 VLAN configuration in an L2 topology
– MLAG VLANs must span the MLAG topology and be configured on both MLAG peers. This means that every MLAG VLAN must connect to two partner LAGs.
– VLAN termination of an MLAG VLAN on an MLAG peer is not supported.
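Because MLAG does not synchronize configuration between the peers, the parameters listed above have to be compared by hand before the pair is brought up. The following Python script (added here, not Dell's tooling) parses two running-config texts in the style of the examples later in this chapter and reports any difference in the settings that must match (STP, peer-link and VPC assignment, trunk VLAN membership, system MAC, FDB aging, LACP), while ignoring the per-peer values (keepalive addresses, interface IP addresses, role). The mode-detection rules and both sample configurations are assumptions and constructed for illustration.

```python
"""Compare two MLAG peers' running-configs for the parameters that must be identical."""
import re

# Command prefixes that the chapter requires to be identical on both peers.
MUST_MATCH_PREFIXES = ("spanning-tree", "system-mac", "switchport", "vpc",
                       "mac address-table", "lacp")
# Per-peer values that legitimately differ (assumed list).
PEER_SPECIFIC = ("peer-keepalive", "ip address", "role ", "hostname", "snmp-server engineid")
# Lines that open a configuration mode (assumed subset of the Dell CLI).
CONTEXT_RE = re.compile(r"^(interface |vpc domain |vlan \d)")


def parse_config(text):
    """Return {context: set(commands)}; context is 'global' or the mode-entry line."""
    cfg, ctx = {"global": set()}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            ctx = "global"
        elif CONTEXT_RE.match(line):
            ctx = line
            cfg.setdefault(ctx, set())
        else:
            cfg[ctx].add(line)
    return cfg


def relevant(cmd):
    return cmd.startswith(MUST_MATCH_PREFIXES) and not cmd.startswith(PEER_SPECIFIC)


def compare_peers(cfg_a, cfg_b):
    """Return a list of (context, description) for every must-match difference."""
    issues = []
    for ctx in sorted(set(cfg_a) | set(cfg_b)):
        a = {c for c in cfg_a.get(ctx, ()) if relevant(c)}
        b = {c for c in cfg_b.get(ctx, ()) if relevant(c)}
        if ctx not in cfg_a or ctx not in cfg_b:
            # A VLAN or VPC domain present on one peer only is always a finding.
            if a or b or ctx.startswith(("vpc domain", "vlan ")):
                issues.append((ctx, "missing on " + ("A" if ctx not in cfg_a else "B")))
            continue
        issues += [(ctx, f"only on A: {c}") for c in sorted(a - b)]
        issues += [(ctx, f"only on B: {c}") for c in sorted(b - a)]
    return issues


# Constructed sample configs, loosely following the chapter's example (not real output).
PEER_A = """
hostname MLAG-Peer-A
vlan 10
exit
vlan 100
exit
spanning-tree mode mst
spanning-tree mst 2 priority 4096
mac address-table aging-time 300
interface vlan 100
ip address 192.168.0.1 255.255.255.0
exit
interface port-channel 1
description "MLAG-Peer-Link"
switchport mode trunk
switchport trunk allowed vlan 1-99,101-4093
vpc peer-link
spanning-tree mst 2 cost 50000
exit
interface port-channel 2
switchport mode trunk
vpc 1
exit
feature vpc
vpc domain 1
system-mac 0011.2233.4455
peer-keepalive enable
peer-keepalive destination 192.168.0.2 source 192.168.0.1
role 10
exit
"""
# Peer B drifts in four places: extra VLAN 11, FDB aging, MST priority, peer-link trunk VLANs.
PEER_B = (PEER_A.replace("MLAG-Peer-A", "MLAG-Peer-B")
          .replace("vlan 10\nexit\n", "vlan 10\nexit\nvlan 11\nexit\n")
          .replace("aging-time 300", "aging-time 600")
          .replace("priority 4096", "priority 8192")
          .replace("allowed vlan 1-99,101-4093", "allowed vlan 1-4093")
          .replace("ip address 192.168.0.1", "ip address 192.168.0.2")
          .replace("destination 192.168.0.2 source 192.168.0.1",
                   "destination 192.168.0.1 source 192.168.0.2")
          .replace("role 10", "role 20"))


def audit():
    return compare_peers(parse_config(PEER_A), parse_config(PEER_B))


if __name__ == "__main__":
    for ctx, what in audit():
        print(f"[{ctx}] {what}")
```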
Operation in the Network
Below is a sample MLAG topology and discussion:
Figure 28-11. Example MLAG Topology [figure: MLAG peers P and S joined by a Peer-Link (P3,P4 to S3,S4); MLAG 1 to partner A, MLAG 2 to partner B and MLAG3 to partner C (C1, C2); VLAN 10; ports P1, P2, P5 on P and S1, S2, S5 on S]
In Figure 28-11:
1 VLAN 10 spans the MLAG network.
2 P and S are MLAG-aware peer devices. P stands for primary and S stands for secondary. The roles are elected after the DUTs exchange keep-alive messages. The two devices are connected with a peer-link {P3/P4–S3/S4}.
Supported topologies and the way traffic is handled in these topologies are explained in the following sections. The MLAG component uses the keep-alive protocol to select a primary and a secondary device. The primary switch owns the MLAG member ports on the secondary device. It handles the control plane functionality of supported protocols for the MLAG member ports on the secondary.
Peer-Link
The peer-link is crucial for MLAG operation. The peer-link must be configured on a port-channel interface.
MLAG switch and traffic must egress through selected ports on the MLAG peer. These filters block incoming traffic on all VLANs configured on the peer link, not just those configured as part of an MLAG. Therefore, there is no connectivity between non-redundant ports across the peer-link.
Control Plane Election in MLAG Switches
The MLAG component uses the keep-alive protocol running on the peer link to select a primary and a secondary switch. The keep-alive protocol is mandatory.
DCPDP and Peer Link Failures DCPDP is intended to provide a secondary layer of protection against peer link failures. If the peer-link goes down while the DCPDP protocol is enabled and remains up, the MLAG links on the MLAG secondary peer are disabled. The primary switch continues to forward traffic and, if LACP is enabled, send LACPDUs using the system MAC of the MLAG. Spanning tree reconvergence on the partner devices is avoided.
configured in a unique MST instance not shared with the MLAG domain. If the VLAN assigned to the redundant link is also configured on the peer link, traffic on that VLAN is blocked by MLAG. To make the redundant link the forwarding link for the redundant MST instance, its link cost needs to be reduced so that it becomes the root port.
console(config-vpc 1)#role 10
console(config-vpc 1)#exit
Modifications to priority and timeout interval are effective only before the keep-alive protocol is enabled. Once enabled, MLAG switches contest in an election to select the primary and secondary switch. The election is non-preemptive. If configured, the system virtual MAC address MUST be the same on both of the MLAG peers.
3 Configure the peer-link. On each MLAG peer:
• Configure a port-channel as the peer-link for the MLAG devices.
4 Configure DCPDP (optional):
a Configure a VLAN routing interface and assign a local IP address (different from the peer address).
b Configure the peer-switch IP address (the destination IP address).
c If needed, configure the UDP port number to send and receive the protocol messages.
d Configure the source IP address.
e Enable the protocol. The protocol starts running if MLAG is globally enabled.
to the primary switch for handling. FDB entries learned on MLAG interfaces are synced between the two devices.
2 On the MLAG secondary switch, shut down the MLAG peer-link.
3 Reload the secondary switch.
4 Re-enable the peer-link, if disabled, and ensure that it is up. Re-enable the MLAG-associated physical ports.
5 Wait until traffic is re-established on the standby switch.
Repeat the upgrade procedure on the MLAG primary peer:
1 On the MLAG primary switch, shut down the MLAG enabled physical links.
2 On the MLAG primary switch, shut down the MLAG peer-link.
3 Reload the primary switch.
assigned, but MLAG VLANs cannot be used to route across MLAG or non-redundant VLANs, as the MLAG feature does not correlate failures in one VLAN with another VLAN to unblock packets crossing the MLAG peer-link.
Recommended Layer-3 Connectivity
The topology shown in Figure 28-12 uses the MLAG switches as layer-2 switches. All VLANs traverse the MLAG topology from the top switches/routers to the bottom switches/routers. The LAGs for each VLAN host are in a separate VPC.
Alternative Recommended Layer-3 Connectivity
The loop-free topology shown in Figure 28-13 uses the MLAG switches as layer-2 switches in an EOR role. The single VLAN traverses the MLAG topology from the top router to the bottom storage and servers. Multiple VLANs in different VPCs may be used to isolate clusters of storage/servers from each other.
Layer-3 VLAN Termination on MLAG Not Supported
In the “two-armed” fully routed scenario shown in Figure 28-14, both the routed network and the switched network are in the MLAG. Switched traffic to and from the upstream network is automatically unblocked over the peer-link when an MLAG link fails.
In the scenario shown in Figure 28-15 (similar to the previous scenario), the downstream router is not configured with a port-channel and uses ECMP or some other load sharing scheme to send packets to the routed MLAG peers. MLAG cannot react appropriately to a link failure on the upstream router because the VLANs are routed across the MLAG peers. MLAG cannot logically connect the failure on VLAN 30 with non-redundant VLAN 20. Consequently, MLAG does not unblock VLAN 20 from traversing the peer link.
required to handle the case where a link from the router to one of the MLAG peers fails. Static routes must be added to the primary and secondary MLAG peers to route traffic addressed to the connected router across the backup routed link in the case of a failure of an MLAG link to the router.
Virtual Router Redundancy Protocol If VRRP is enabled on a VLAN that has an MLAG port as its member, both VRRP routers become VRRP masters operationally in the VLAN. This is to allow load balancing of the northbound layer-3 traffic on the MLAG. Since the peer-link is a member of the same routing VLANs as all MLAGs, both the primary and secondary MLAG routers see VRRP advertisements sent by the other router.
transmitted with the source MAC address as the physical MAC address and not the virtual MAC address. In the example in Figure 28-17, if the virtual MAC address is used as the source MAC address in the ARP from P to A, then S will consume the packet, as it is operationally a VRRP master too. The packet is forwarded to P if the physical MAC address is used. Note that the VLANs connecting A and B to the MLAG peers are extended to R1. P and S do not actually route packets.
Routing is not supported across multiple MLAGs (i.e., in two-tier topology). This is a fundamental limitation of MLAG, which is intended as a replacement for other, less efficient layer-2 topologies. Should a multi-tier layer-3 topology be desired, other well established and well understood techniques, such as ECMP and redundant router pairs, will allow a layer-3 routed network to utilize bandwidth efficiently. Layer-3 routing is capable of routing packets around failed links and failed routers.
• On a failover from the primary MLAG peer to the secondary MLAG peer, the ports are made members of the secondary MLAG peer switch's spanning tree and spanning tree reconvergence may occur. The forwarding database and ARP cache are flushed and relearned.
• MLAG (VPC) status only shows correctly on the primary MLAG peer and does not show correctly on the secondary MLAG peer. Status is not forwarded from the primary MLAG peer to the secondary MLAG peer.
work properly; e.g., port mirroring for an MLAG link must be configured on both MLAG peer switches to capture the conversation from the MLAG partner switch. • A Yes entry indicates that the feature may be configured on an MLAG VLAN and will synchronize state across the MLAG peers. The configuration for features marked Yes must be identical on both switches. MLAG does not synchronize configuration with the MLAG peer.
Table 28-2. MLAG State Synchronization Per Feature (Continued)
Components                  MLAG State Synchronization Support
DOT1S                       Yes
Loop Guard                  No
FDB                         Yes
MACLOCK                     No
DVLAN                       No
DOT1AB                      No
IP Subnet-based VLANs       N/A
MACVLAN                     N/A
Protected Port              No
DHCP Snooping               No
IP Source Guard             No
Dynamic ARP Inspection      No
Auto-Negotiation            N/A
L2-Relay                    No
MRP                         No
MMRP                        No
DOT1AS                      No
802.
Table 28-2.
Basic Configuration Example
This example shows the configuration of the two MLAG peers and a single MLAG partner in the simplest possible configuration. No MLAG peer priorities are configured, nor is UDLD enabled on the peer-link. DCPDP is not enabled. The default spanning tree configuration is used and spanning-tree is disabled on the peer link. A system MAC address is assigned to both MLAG peers. The system virtual MAC address is used in the spanning-tree BPDUs and LACPDUs.
MLAG-Peer-A(config-if-Po2)#vpc 1
MLAG-Peer-A(config-if-Po2)#exit
MLAG-Peer-A(config)#snmp-server engineid local 800002a203001ec9dec52b
MLAG-Peer-A(config)#snmp-server agent boot count 2
MLAG-Peer-A(config)#feature vpc
MLAG-Peer-A(config)#vpc domain 3
MLAG-Peer-A(config-vpc 3)#system-mac 0011.2233.
MLAG Peer B
Current Configuration:
• System Description “Dell Networking N3024F, 6.0.0.0, Linux 3.6.5858bcf6e”
• System Software Version 6.0.0.
MLAG-Peer-B(config)#exit
MLAG Partner
Current Configuration:
• System Description “Dell Networking N2048, 6.0.0.0, Linux 3.6.5858bcf6e”
• System Software Version 6.0.0.
Status Reporting
The status outputs of the various VPC commands are self-explanatory. Both the configured and operational status is shown in the outputs. Additional commands are shown below that may be useful in troubleshooting MLAG configuration or operational issues. All of the commands below are run on the MLAG primary switch except as noted otherwise.
MLAG-Peer-A(config)#show vpc brief
VPC admin status...............................
Keep-alive admin status........................
LAG-SW(config)#show vpc role
Self
----
Keep-alive admin status........................ Disabled
Keep-alive operational status.................. Disabled
Priority....................................... 100
System MAC address............................. 001E.C9DE.B777
Time-out....................................... 5
VPC admin status............................... Disabled
VPC role....................................... None
Peer
----
Priority....................................... 0
VPC role..................
MLAG-Peer-A(config)#show interfaces status po2
Port     Description
Channel
-------  ------------------------------
Po2
Operational State.............................. Up
Admin Mode..................................... Enabled
Port Channel Flap Count........................
MLAG-Peer-B#show vpc statistics peer-link
Peer link control messages transmitted.........
Peer link control messages Tx errors...........
Peer link control messages Tx timeout..........
Peer link control messages ACK transmitted.....
Peer link control messages ACK Tx errors.......
Peer link control messages received............
Peer link data messages transmitted............
A Complete MLAG Example
The following example configures eight VLANs (10–17) across two VPCs. VPC 1 is connected to a Dell Networking N2048 over two links (gi1/0/23-24) over port-channel 2 on each MLAG peer. Interfaces Te1/0/1-2 on each MLAG peer connect to each other on port-channel 1 utilizing LACP. UDLD is enabled on the two MLAG peer-links and the timers are configured to the minimum values. DCPDP is enabled on VLAN 100 (interface gi1/0/8 on each MLAG peer).
MLAG-Peer-A(config-if-vlan100)#ip address 192.168.0.1 255.255.255.
MLAG-Peer-A(config-if-Te1/0/2)#exit
MLAG-Peer-A(config)#interface port-channel 1
MLAG-Peer-A(config-if-Po1)#description “MLAG-Peer-Link”
MLAG-Peer-A(config-if-Po1)#switchport mode trunk
MLAG-Peer-A(config-if-Po1)#switchport trunk allowed vlan 1-99,101-4093
MLAG-Peer-A(config-if-Po1)#vpc peer-link
MLAG-Peer-A(config-if-Po1)#spanning-tree mst 2 cost 50000
MLAG-Peer-A(config-if-Po1)#exit
MLAG-Peer-A(config)#interface port-channel 2
MLAG-Peer-A(config-if-Po2)#switchport mode trunk
MLAG-Peer-A(config-if-Po2)#swit
MLAG Peer B Configuration
Current Configuration:
• System Description “Dell Networking N3024F, 6.0.0.0, Linux 3.6.5858bcf6e”
• System Software Version 6.0.0.
MLAG-Peer-B(config-if-Gi1/0/23)#description “MLAG-Partner-Link”
MLAG-Peer-B(config-if-Gi1/0/23)#exit
MLAG-Peer-B(config)#interface Gi1/0/24
MLAG-Peer-B(config-if-Gi1/0/24)#channel-group 2 mode active
MLAG-Peer-B(config-if-Gi1/0/24)#description “MLAG-Partner-Link”
MLAG-Peer-B(config-if-Gi1/0/24)#exit
MLAG-Peer-B(config)#interface Te1/0/1
MLAG-Peer-B(config-if-Te1/0/1)#channel-group 1 mode active
MLAG-Peer-B(config-if-Te1/0/1)#description “MLAG-Peer-Link”
MLAG-Peer-B(config-if-Te1/0/1)#udld enable
MLAG-Peer-B
MLAG-Peer-B(config)#snmp-server engineid local 800002a203001ec9dec513
MLAG-Peer-B(config)#snmp-server agent boot count 3
MLAG-Peer-B(config)#feature vpc
MLAG-Peer-B(config)#vpc domain 1
MLAG-Peer-B(config-vpc 1)#peer-keepalive enable
MLAG-Peer-B(config-vpc 1)#peer-keepalive destination 192.168.0.1 source 192.168.0.
LAG-SW(config-if-Gi1/0/3)#channel-group 1 mode active
LAG-SW(config-if-Gi1/0/3)#exit
LAG-SW(config)#interface Gi1/0/4
LAG-SW(config-if-Gi1/0/4)#channel-group 1 mode active
LAG-SW(config-if-Gi1/0/4)#exit
LAG-SW(config)#interface port-channel 1
LAG-SW(config-if-Po1)#switchport mode trunk
LAG-SW(config-if-Po1)#exit
LAG-SW(config)#snmp-server engineid local 800002a203001ec9deb777
LAG-SW(config)#snmp-server agent boot count 3
LAG-SW(config)#exit
Cisco 3750 MLAG Partner Configuration
Current configuration: 1913
vlan internal allocation policy ascending
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface Gi
ip classless
ip http server
ip http secure-server
control-plane
line con 0
line vty 5 15
end
Status Reporting
The following shows the status of various components of the switches in the above configuration. The switch prompts identify the switch on which the status is shown. To obtain accurate status, the commands below are run on the primary MLAG switch unless noted otherwise.
Spanning Tree Status
Old-Iron-3750#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     0013.c4bd.
LAG-SW#show spanning-tree
Spanning tree Enabled  BPDU flooding Disabled  Portfast BPDU filtering Disabled  mode mst
CST Regional Root: 80:00:00:1E:C9:DE:B7:77
Regional Root Path Cost: 0
###### MST 0 Vlan Mapped: 1
ROOT ID
Priority    32768
Address     0013.C4BD.F080
Path Cost   5000
Root Port   Po1
Hello Time 2 Sec  Max Age 20 sec  Forward Delay 15 sec
Bridge Max Hops 20
Bridge ID
Priority    32768
Address     001E.C9DE.
[Per-port spanning-tree table for LAG-SW (Gi1/0/1-48, Te1/0/1-2, Tw1/0/1-2, Po1-Po43, all Enabled, with the remaining per-port columns) omitted]
Hello Time 2 Sec  Max Age 20 sec  Forward Delay 15 sec  TxHoldCount 6 sec
[Per-port spanning-tree table (Name, State) for Gi1/0/1-24, Te1/0/1-2, Tw1/0/1-2, Po1-Po4, all Enabled, omitted]
MLAG Status
MLAG-Peer-A#show vpc brief
VPC config Mode................................ Enabled
Keepalive config mode.......................... Enabled
VPC operational Mode........................... Enabled
Self Role...................................... Primary
Peer Role...................................... Secondary
Peer detection................................. Peer detected, VPC Operational
Peer-Link details
-----------------
Interface...................................... Po1
Peer link status........
VPC id# 2
----------
Interface...................................... Po3
Configured Vlans............................... 1,10,11,12,13,14,15,16,17
VPC Interface State............................ Active
MLAG-Peer-A#show vpc 1
VPC id# 1
----------------
Config mode.................................... Enabled
Operational mode............................... Enabled
Port channel...................................
MLAG-Peer-A#show vpc peer-keepalive
Peer IP address................................ 192.168.0.2
Source IP address.............................. 192.168.0.1
UDP port....................................... 50000
Peer detection................................. Enabled
Peer detection operational status.............. Up
Peer is detected............................... TRUE
MLAG-Peer-A#show vpc statistics peer-keepalive
Total transmitted..............................
Tx successful................................
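The dotted-leader status outputs above are easy to check by hand once, but awkward to watch continuously. The following Python script (added here, not Dell's code) parses the "Label...... value" layout of show vpc brief and show vpc peer-keepalive into dictionaries, splits the per-VPC blocks, and flags the conditions a troubleshooter looks for: peer not detected, incomplete role election, peer-link down, DCPDP not seeing the peer, a VPC interface that is not Active, and output taken on the secondary (which, as noted earlier in the chapter, does not show status correctly). The sample outputs are constructed from the fields shown on this page and are not real captures.

```python
"""Parse 'show vpc brief' / 'show vpc peer-keepalive' output and flag an unhealthy MLAG."""
import re

LINE_RE = re.compile(r"^(?P<label>[^.]+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
VPC_HDR = re.compile(r"^VPC id#\s*(\d+)")


def parse_dotted(text):
    """Turn 'Label.......... value' lines into a dict; lines without leaders are ignored."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group("label")] = m.group("value")
    return out


def parse_vpc_brief(text):
    """Return (global fields, {vpc_id: fields}) from 'show vpc brief' output."""
    head, vpcs, cur = [], {}, None
    for line in text.splitlines():
        m = VPC_HDR.match(line.strip())
        if m:
            cur = int(m.group(1))
            vpcs[cur] = []
        elif cur is None:
            head.append(line)
        else:
            vpcs[cur].append(line)
    return parse_dotted("\n".join(head)), {k: parse_dotted("\n".join(v)) for k, v in vpcs.items()}


def check_vpc(brief_text, keepalive_text=""):
    """Return a list of problem strings; an empty list means the MLAG looks healthy."""
    head, vpcs = parse_vpc_brief(brief_text)
    problems = []
    if head.get("VPC operational Mode") != "Enabled":
        problems.append("VPC is not operational")
    if head.get("Self Role") != "Primary":
        problems.append("output not from the primary peer; status is only accurate there")
    if not head.get("Peer detection", "").startswith("Peer detected"):
        problems.append("peer not detected over the peer-link: %r" % head.get("Peer detection"))
    if {head.get("Self Role"), head.get("Peer Role")} != {"Primary", "Secondary"}:
        problems.append("role election incomplete (self=%s, peer=%s)"
                        % (head.get("Self Role"), head.get("Peer Role")))
    if head.get("Peer link status") != "Up":
        problems.append("peer-link %s is not up" % head.get("Interface"))
    for vpc_id, fields in sorted(vpcs.items()):
        if fields.get("VPC Interface State") != "Active":
            problems.append("VPC %d (%s) state is %s"
                            % (vpc_id, fields.get("Interface"), fields.get("VPC Interface State")))
    ka = parse_dotted(keepalive_text)
    if ka:                                   # DCPDP is optional; only judge it when configured
        if ka.get("Peer is detected") != "TRUE" or ka.get("Peer detection operational status") != "Up":
            problems.append("DCPDP does not see the peer at %s" % ka.get("Peer IP address"))
    return problems


# Constructed samples (not real captures) in the layout shown on this page.
HEALTHY_BRIEF = """\
VPC config Mode................................ Enabled
Keepalive config mode.......................... Enabled
VPC operational Mode........................... Enabled
Self Role...................................... Primary
Peer Role...................................... Secondary
Peer detection................................. Peer detected, VPC Operational
Peer-Link details
-----------------
Interface...................................... Po1
Peer link status............................... Up
VPC id# 1
----------
Interface...................................... Po2
Configured Vlans............................... 1,10,11,12,13,14,15,16,17
VPC Interface State............................ Active
VPC id# 2
----------
Interface...................................... Po3
Configured Vlans............................... 1,10,11,12,13,14,15,16,17
VPC Interface State............................ Active
"""
HEALTHY_KEEPALIVE = """\
Peer IP address................................ 192.168.0.2
Source IP address.............................. 192.168.0.1
UDP port....................................... 50000
Peer detection................................. Enabled
Peer detection operational status.............. Up
Peer is detected............................... TRUE
"""
# Same switch after the peer-link failed: peer lost, election stale, VPC 1 down, DCPDP down.
DEGRADED_BRIEF = (HEALTHY_BRIEF.replace("Peer Role...................................... Secondary",
                                        "Peer Role...................................... None")
                  .replace("Peer detected, VPC Operational", "Peer not detected")
                  .replace("Peer link status............................... Up",
                           "Peer link status............................... Down")
                  .replace("State............................ Active", "State............................ Inactive", 1))
DEGRADED_KEEPALIVE = HEALTHY_KEEPALIVE.replace("TRUE", "FALSE").replace(" Up", " Down")

if __name__ == "__main__":
    print("healthy :", check_vpc(HEALTHY_BRIEF, HEALTHY_KEEPALIVE))
    print("degraded:", check_vpc(DEGRADED_BRIEF, DEGRADED_KEEPALIVE))
```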
29 Data Center Bridging Features
Dell Networking N4000 Series Switches
This chapter describes how to manage the features developed for use in data center environments but often used in a variety of 10G applications.
NOTE: The data center bridging features described in this chapter are available on the Dell Networking N4000 Series switches only.
Table 29-1. Data Center Features (Continued)
Feature    Description
ETS    Supports the ETS configuration and Application Priority TLVs, which are accepted from auto-upstream devices and propagated to auto-downstream devices. The Dell Networking N4000 Series switches support the automatic configuration of the switch with received ETS parameters.
Default DCB Values
Table 29-2 lists the default values for the DCB features that this chapter describes.
Table 29-2.
Priority Flow Control Ordinarily, when flow control is enabled on a physical link, it applies to all traffic on the link. When congestion occurs, the hardware sends pause frames that temporarily suspend traffic flow to help prevent buffer overflow and dropped frames. PFC provides a means of pausing individual priorities within a single physical link.
Operator configuration of PFC is used only when the port is configured in a manual role. When interoperating with other equipment in a manual role, the peer equipment must be configured with identical PFC priorities and VLAN assignments. Interfaces not enabled for PFC ignore received PFC frames. Ports configured in auto-upstream or auto-downstream roles receive their PFC configuration from the configuration source and ignore any manually configured information.
PFC Configuration Page
Use the PFC Configuration page to enable priority flow control on one or more interfaces and to configure which priorities are subject to being paused to prevent data loss. To display the PFC Configuration page, click Switching PFC PFC Configuration in the navigation menu.
Figure 29-1. PFC Configuration
PFC Statistics Page
Use the PFC Statistics page to view the PFC statistics for interfaces on the switch.
Figure 29-2. PFC Statistics
Configuring PFC Using the CLI
Beginning in Privileged EXEC mode, use the following commands to configure PFC.
NOTE: If DCBx is enabled and the switch is set to autoconfigure from a DCBX peer, configuring PFC is not necessary because the DCBx protocol automatically configures the PFC parameters.
Command    Purpose
configure    Enter global configuration mode.
Command    Purpose
interface interface    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command. For example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
datacenter-bridging    Enter the Data Center Bridging mode. PFC commands are issued from within this mode.
PFC Configuration Example The network in this example handles both data and voice traffic. Because the voice traffic is time sensitive, it requires a higher priority than standard data traffic. The voice traffic uses VLAN 100 and has an 802.1p priority of 5, which is mapped to hardware queue 4. IP phones are connected to ports 3, 5, and 10, so PFC is enabled on these ports with 802.1p priority 5 traffic as no-drop. The configuration also enables VLAN tagging so that the 802.1p priority is identified.
4 Enable VLAN tagging on the ports so the 802.1p priority is identified. Trunk mode can also be enabled on port-channels.
DCB Capability Exchange The Data Center Bridging Exchange Protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers. DCBx uses type-length-value (TLV) information elements over LLDP to exchange information, so LLDP must be enabled on the port to enable the information exchange. By default, LLDP is enabled on all ports. For more information, see "Discovering Network Devices " on page 825.
Interoperability with IEEE DCBx
To be interoperable with legacy industry implementations of the DCBx protocol, the Dell Networking N4000 Series switches use a hybrid model to support both the IEEE version of DCBx (IEEE 802.1Qaz) and legacy DCBx versions. The Dell Networking N4000 Series switch automatically detects whether a peer is operating with either of the two CEE DCBx versions or the IEEE standard DCBx version (the default mode).
explicitly by the operator. These ports advertise their configuration to their peer if DCBx is enabled on that port. Incompatible peer configurations are logged and counted with an error counter. The default operating mode for each port is manual. A port that is set to manual mode sets the willing bit for DCBx client TLVs to false.
the willing parameter is disabled on auto-downstream. By default, auto-downstream ports have the recommendation TLV parameter enabled. Auto-downstream ports that receive internally propagated information ignore their local configuration and utilize the internally propagated information. Auto-downstream ports propagate PFC, ETS, and application priority information received from the configuration source. In the Configuration Source role, the port has been manually selected to be the configuration source.
• The port role is auto-upstream. • The port is enabled with link up and DCBx enabled. • The port has negotiated a DCBx relationship with the partner. • The switch is capable of supporting the received configuration values, either directly or by translating the values into an equivalent configuration. Whether or not the peer configuration is compatible with the configured values is NOT considered.
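As an added example (not code from this guide or from Dell), the following Python builds and decodes the IEEE 802.1Qaz PFC Configuration TLV that DCBx carries inside LLDP, including the willing bit that a manual-mode port clears, and reports the fields a non-willing port would log as a peer mismatch. The chassis ID, port name, TTL and both PFC advertisements are constructed values, and the comparison rule in pfc_mismatches is this example's own, not the switch's.

```python
"""Build and decode the IEEE 802.1Qaz PFC Configuration TLV that DCBx carries
inside LLDP.  Added example: the layout follows 802.1Qaz Annex D, and the
LLDPDUs below are constructed here, not captured from a switch."""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
IEEE_8021_OUI = b"\x00\x80\xc2"   # OUI used by the 802.1Qaz (IEEE DCBx) TLVs
SUBTYPE_PFC = 0x0B                # PFC Configuration TLV subtype


def tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def pfc_tlv(willing: bool, mbc: bool, capability: int, no_drop) -> bytes:
    """PFC Configuration TLV: OUI, subtype, flags octet, PFC-enable bitmap.
    Flags octet: bit 7 willing, bit 6 MBC, bits 3..0 PFC capability."""
    flags = (int(willing) << 7) | (int(mbc) << 6) | (capability & 0x0F)
    bitmap = 0
    for prio in no_drop:
        if not 0 <= prio <= 7:
            raise ValueError("802.1p priority must be 0..7")
        bitmap |= 1 << prio
    return tlv(TLV_ORG, IEEE_8021_OUI + bytes([SUBTYPE_PFC, flags, bitmap]))


def iter_tlvs(lldpdu: bytes):
    """Yield (type, value) for each TLV up to End-of-LLDPDU.
    A length that runs past the buffer is rejected, never silently truncated."""
    pos = 0
    while pos + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(lldpdu):
            raise ValueError("TLV length runs past end of LLDPDU")
        value = lldpdu[pos:pos + length]
        pos += length
        yield tlv_type, value
        if tlv_type == TLV_END:
            return
    raise ValueError("LLDPDU ended without End-of-LLDPDU TLV")


def parse_pfc(lldpdu: bytes):
    """Return the decoded PFC Configuration TLV from an LLDPDU, or None."""
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type == TLV_ORG and value[:4] == IEEE_8021_OUI + bytes([SUBTYPE_PFC]):
            if len(value) != 6:
                raise ValueError("PFC Configuration TLV must carry 6 octets")
            flags, bitmap = value[4], value[5]
            return {
                "willing": bool(flags & 0x80),
                "mbc": bool(flags & 0x40),
                "capability": flags & 0x0F,
                "no_drop": [p for p in range(8) if bitmap & (1 << p)],
            }
    return None


def pfc_mismatches(local: dict, peer: dict) -> list:
    """Fields a non-willing (manual-mode) port would log as incompatible."""
    return [k for k in ("no_drop", "capability") if local[k] != peer[k]]


# Constructed LLDPDU from a manual-mode port (willing = False) that advertises
# priority 5 as no-drop, matching the PFC configuration example above.
LOCAL_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("001ec9aabbcc"))   # subtype 4: MAC
    + tlv(TLV_PORT_ID, b"\x05" + b"Te1/0/3")                       # subtype 5: ifname
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + pfc_tlv(willing=False, mbc=False, capability=8, no_drop=[5])
    + tlv(TLV_END, b"")
)
# Constructed peer advertisement that marks priority 3 no-drop instead.
PEER_LLDPDU = pfc_tlv(willing=False, mbc=False, capability=8, no_drop=[3]) + tlv(TLV_END, b"")

if __name__ == "__main__":
    local, peer = parse_pfc(LOCAL_LLDPDU), parse_pfc(PEER_LLDPDU)
    print("local   :", local)
    print("peer    :", peer)
    print("mismatch:", pfc_mismatches(local, peer))
```

Because the local port is not willing, the peer's TLV changes nothing locally; the mismatch is only logged and counted, which is the behaviour the text above describes for manual mode.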
no lldp tlv-select dcbxp pfc
These commands eliminate only the DCBx TLVs from use by LLDP. They do not otherwise affect any manually configured DCBx capabilities or the normal operation of LLDP.
Configuring DCBx
The CLI can be used to configure DCBx on Dell Networking N4000 Series switches. Beginning in Privileged EXEC mode, use the following commands to configure DCBx.
Command  Purpose
configure
  Enter global configuration mode.
Command  Purpose
lldp tlv-select dcbxp [pfc | application-priority]
  Override the global configuration for the LLDP DCBx TLVs on this interface. Entering the command with no parameters enables transmission of all TLVs.
  • pfc—Transmit the PFC configuration TLV.
  • application-priority—Transmit the application priority TLV.
Command  Purpose
show lldp tlv-select interface {all | interface}
  Display the interface TLV configuration for all interfaces or for the specified interface.
show lldp dcbx interface {all | interface [detail]}
  Display the DCBx status for all interfaces or for the specified interface.
Enhanced Transmission Selection
Networks classify and prioritize traffic to provide different service characteristics to end user traffic flows.
NOTE: Minimum bandwidth guarantees and scheduling mechanisms apply only when the switch is congested. When the switch is not congested, packets egress the switch as soon as they are received. ETS provides a second level of scheduling for packets selected for transmission by the CoS scheduler. ETS operates at the traffic class group (TCG) level and supports sharing of bandwidth across TCGs, bandwidth assignment for each TCG, and queue discipline (drop behavior) for each TCG.
The minimum bandwidth setting can be used to override the strict priority and weighted settings. The highest numbered strict priority queue will receive no more bandwidth than 100 percent minus the sum of the minimum bandwidth percentages assigned to the other queues. If used, it is recommended that minimum bandwidth percentages only be set high enough to ensure a minimum level of service for any queue; i.e., the sum of the minimum bandwidth percentages is a fraction of 100%.
Commands This section provides information about the commands you use to manually configure and monitor ETS. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. On Dell Networking N4000 Series switches, the following steps are not required if using the DCBX protocol to obtain ETS configuration from an auto-configuration source.
ETS Configuration Example This example configures four classes of traffic:
• Best effort traffic: CoS Queue 0 for untagged and VLAN-tagged frames with VPTs 0, 1, and 2
• Lossless iSCSI traffic: CoS Queues 1 & 2 for VLAN-tagged frames with VPTs 3 & 4 respectively
• Expedited traffic: CoS Queue 3 for VLAN-tagged frames with VPTs 5, 6, and 7
1. Enable Trust Mode on an Interface The following command enables the use of the 802.1p priority of the incoming packet.
This example maps user priorities 0, 1, and 2 to CoS queue 0 (background or best effort traffic), user priorities 3 and 4 to CoS queues 1 and 2 (iSCSI traffic), and all other priorities to CoS queue 3 (low latency and network control traffic).
The minimum bandwidth setting on the CoS queues comes into effect only when there is congestion among the CoS queues belonging to a single TCG. This is an optional setting and is not generally required, because the secondary scheduler can guarantee minimum bandwidth for a TCG.
Queue  Min Bandwidth  Scheduler Type  Queue Management Type
4      0              Weighted        Tail Drop
5      0              Weighted        Tail Drop
6      0              Weighted        Tail Drop
5. Map the CoS Queues to TCGs In this step, CoS queues are mapped to Traffic Class Groups (TCGs). Since TCGs are serviced from highest numbered TCG to lowest, higher priority traffic should be assigned to higher numbered TCGs. In general, strict priority traffic (typically control plane or low bandwidth, low latency traffic) is assigned the highest numbered TCG. It is recommended that WDRR queues be assigned to TCG0.
Each WDRR TCG should be assigned a nonzero weight. Weights may be configured on a single interface, a range of interfaces, or all interfaces, and must sum to 100%. It is recommended that strict priority TCGs be assigned a weight of 0%, since they are processed first and ignore the configured TCG weight.
percentage of the total bandwidth and is used to shape egress traffic bursts to no greater than the configured value. The maximum bandwidth may be configured on a single interface, range of interfaces or all interfaces. When configured to be 0, unlimited bandwidth is allowed on the TCG. It is recommended that the maximum bandwidth be configured to be greater than the minimum bandwidth or the weight or be configured to 0 (unlimited burst size).
ETS Theory of Operation First Level of Scheduling To understand the first level of scheduling, consider Table 29-1. Assume that we have eight ingress ports, each one receiving line rate traffic with one 802.1p priority each. The table shows the mapping of 802.1p priorities to the cos-queues, the min-bandwidth settings, and scheduler modes. Table 29-3. First Level of Scheduling 802.
Second Level of Scheduling To consolidate different traffic classes within different traffic types in a typical DCB environment, ETS provides an operational model for prioritization and bandwidth allocation for traffic. Figure 29-3 illustrates a typical example that consolidates three traffic types on a single 10GE link. For consolidation to be effective all traffic types must be serviced according to their requirements.
At time t2, a burst of LAN traffic arrives at a rate of 4 Gbps. Because the offered load of SAN is only 3 Gbps, the burst is allowed to borrow the unused 0.5 Gbps of bandwidth from the SAN TCG and is transmitted. At time t3, when the offered load of IPC falls to 2 Gbps and the bursty LAN traffic is at 6 Gbps, the available bandwidth for SAN and LAN is 4 Gbps each according to the TCG weights, which are set to 50% each.
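To make the two-level scheduling concrete, here is an added Python model (not the switch's scheduler and not code from this guide) of strict-priority TCGs served first, followed by weighted sharing of the remainder with borrowing of any unused share. The dcb_link helper reproduces the three consolidated classes of the figure; that IPC is strict in TCG2 with SAN and LAN weighted 50/50 in TCG1 and TCG0, and that the IPC offered load at t2 is 3 Gbps, are assumptions made here so the t2 and t3 outcomes stated above can be checked. The ipc_max argument applies the per-TCG maximum bandwidth described later in this section and shows why capping a strict TCG matters: without it, a strict class offered the full line rate starves every WDRR class.

```python
"""Two-level ETS bandwidth model: strict-priority TCGs are served first
(highest numbered TCG first), the remainder is shared among WDRR TCGs in
proportion to their weights, and a TCG offering less than its share lends
the unused part to the others.  Added example, a model of the behaviour
described in the text, not the switch's scheduler.  Loads are in Gbps."""
from dataclasses import dataclass


@dataclass
class TCG:
    name: str
    number: int          # TCG number; higher numbers are serviced first
    offered: float       # offered load in Gbps
    strict: bool = False
    weight: int = 0      # WDRR weight in percent (strict TCGs should use 0)
    max_bw: float = 0.0  # max bandwidth as a fraction of the link; 0 = unlimited


def _share_weighted(capacity: float, tcgs: list) -> dict:
    """Progressive filling: each round hands every active TCG its weighted
    share of what is left; TCGs whose demand fits are satisfied and removed,
    so their unused share flows to the TCGs still active (borrowing)."""
    alloc = {t.name: 0.0 for t in tcgs}
    active = [t for t in tcgs if t.offered > 0]
    remaining = capacity
    while active and remaining > 1e-9:
        total_w = sum(t.weight for t in active)
        fair = {t.name: remaining * t.weight / total_w for t in active}
        fits = [t for t in active if t.offered - alloc[t.name] <= fair[t.name] + 1e-9]
        if not fits:
            for t in active:
                alloc[t.name] += fair[t.name]
            break
        for t in fits:
            grant = t.offered - alloc[t.name]
            alloc[t.name] += grant
            remaining -= grant
            active.remove(t)
    return alloc


def allocate(link_gbps: float, tcgs: list) -> dict:
    """Return the bandwidth (Gbps) each TCG actually receives."""
    weighted = [t for t in tcgs if not t.strict]
    if any(t.weight <= 0 for t in weighted):
        raise ValueError("every WDRR TCG needs a nonzero weight")
    if weighted and sum(t.weight for t in weighted) != 100:
        raise ValueError("WDRR weights must sum to 100")
    # Per-TCG maximum bandwidth shapes the offered load before scheduling.
    demand = {t.name: (min(t.offered, t.max_bw * link_gbps) if t.max_bw else t.offered)
              for t in tcgs}
    result, remaining = {}, link_gbps
    # First pass: strict TCGs, highest numbered first, take what they need.
    for t in sorted((t for t in tcgs if t.strict), key=lambda t: -t.number):
        result[t.name] = min(demand[t.name], remaining)
        remaining -= result[t.name]
    # Second pass: whatever is left is shared among the WDRR TCGs by weight.
    capped = [TCG(t.name, t.number, demand[t.name], False, t.weight) for t in weighted]
    result.update(_share_weighted(remaining, capped))
    return {k: round(v, 3) for k, v in result.items()}


def dcb_link(ipc: float, san: float, lan: float, ipc_max: float = 0.0) -> dict:
    """The three-class consolidation on one 10GE link (assumed placement:
    IPC strict in TCG2, SAN and LAN 50/50 in TCG1 and TCG0)."""
    return allocate(10.0, [
        TCG("IPC", 2, ipc, strict=True, max_bw=ipc_max),
        TCG("SAN", 1, san, weight=50),
        TCG("LAN", 0, lan, weight=50),
    ])


if __name__ == "__main__":
    print("t2 (IPC 3 assumed, SAN 3, LAN 4):", dcb_link(3, 3, 4))
    print("t3 (IPC 2, SAN 6, LAN 6):        ", dcb_link(2, 6, 6))
    print("strict IPC at line rate, uncapped:", dcb_link(10, 6, 6))
    print("strict IPC capped at 60%:         ", dcb_link(10, 6, 6, ipc_max=0.6))
```

The same allocate function reproduces the weights 30 70 0 with TCG2 strict from the CLI example later in this section: with every TCG offering 10 Gbps and TCG2 offering 1 Gbps, TCG2 takes 1 Gbps and TCG0 and TCG1 split the remaining 9 Gbps as 2.7 and 6.3 Gbps.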
Traffic is passed across stacking links using WDRR for all CoS queues. This will affect the observed behavior of ETS on egress ports scheduling traffic from over-subscribed stacking links.
console(config-if-Te1/0/1)#classofservice traffic-class-group 2 2
console(config-if-Te1/0/1)#traffic-class-group weight 30 70 0
console(config-if-Te1/0/1)#traffic-class-group strict 2
Dell Networking N4000 Series Operation When DCBx is enabled on manually configured ports, it is not necessary for the ETS parameters to match, regardless of the version of DCBx negotiated or configured. Configuration mismatches are logged.
processing strict priority traffic is skewed to be the bandwidth of the individual TCG divided by the sum of the weights of all WDRR configured TCGs. The administrator may configure other parameters to work in conjunction with the received DCBX configuration, e.g. min-bandwidth per CoS queue and minimum or maximum bandwidth per TCG.
30 MAC Addressing and Forwarding Dell Networking N1500, N2000, N3000, and N4000 Series Switches Dell Networking N-Series switches implement a MAC Learning Bridge in compliance with IEEE 802.1Q. The N-Series switches implement independent VLAN learning (IVL).
Static addresses are configured by the administrator and added to the table. Dynamic addresses are learned by examining information in the Ethernet frame. When a frame arrives on a port, the switch looks at the frame header to learn the source MAC address of the frame, then adds the address, VLAN ID, and the ingress port to the MAC address table. The address table is constantly updated as new addresses are learned, and unused addresses age out.
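The learning and aging behaviour described above, as an added Python model (not switch firmware and not code from this guide). Table keys are (VLAN, MAC) pairs, so the same MAC seen in two VLANs gets two independent entries (IVL); unknown destinations flood to every other port in the VLAN; entries idle longer than the aging time are removed. The port names, the 300-second default, the table limit and the rule that learning never overwrites a static entry are assumptions of this model. The max_entries limit also shows what a MAC-flooding attack relies on: once the table is full, new hosts are never learned and traffic to them keeps flooding to every port in the VLAN.

```python
"""Independent-VLAN-learning (IVL) bridge model.  Added example: the port
names, default aging time, table limit and static-entry rule are assumptions
of this model, not switch internals."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: str
    last_seen: float
    static: bool = False


class LearningBridge:
    def __init__(self, ports, aging_time=300.0, max_entries=1024):
        self.ports = list(ports)            # every port carries every VLAN here
        self.aging_time = aging_time
        self.max_entries = max_entries
        self.table = {}                     # (vlan, mac) -> Entry

    def add_static(self, vlan, mac, port):
        """Administrator-configured entry: never ages, never relearned."""
        self.table[(vlan, mac.lower())] = Entry(port, 0.0, static=True)

    def _age(self, now):
        stale = [k for k, e in self.table.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.table[k]

    def _learn(self, vlan, mac, port, now):
        key = (vlan, mac)
        entry = self.table.get(key)
        if entry and entry.static:
            return                          # a static entry pins the host to its port
        if entry is None and len(self.table) >= self.max_entries:
            return                          # table full: the address stays unknown
        self.table[key] = Entry(port, now)  # learn, or refresh/move the entry

    def receive(self, vlan, src, dst, in_port, now):
        """Return the ports a frame is forwarded to: the one learned port,
        or a flood to every other port in the VLAN when the destination is
        unknown or broadcast.  An empty list means the frame is filtered."""
        self._age(now)
        src, dst = src.lower(), dst.lower()
        self._learn(vlan, src, in_port, now)
        entry = self.table.get((vlan, dst))
        if entry is None or dst == BROADCAST:
            return sorted(p for p in self.ports if p != in_port)
        return [entry.port] if entry.port != in_port else []

    def lookup(self, vlan, mac):
        e = self.table.get((vlan, mac.lower()))
        return None if e is None else e.port


if __name__ == "__main__":
    b = LearningBridge(["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"])
    a, c = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    print("unknown dst, flood :", b.receive(10, a, c, "Gi1/0/1", 0.0))
    print("learned dst        :", b.receive(10, c, a, "Gi1/0/2", 1.0))
    print("same MAC, VLAN 20  :", b.receive(20, c, a, "Gi1/0/2", 2.0))
    print("after aging        :", b.receive(10, c, a, "Gi1/0/2", 400.0))
```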
Managing the MAC Address Table (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage the MAC address table on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. Static Address Table Use the Static Address Table page to view MAC addresses that have been manually added to the MAC address table and to configure static MAC addresses.
Figure 30-2. Adding Static MAC Address 3 Select the interface to associate with the static address. 4 Specify the MAC address and an associated VLAN ID. 5 Click Apply. The new static address is added to the Static MAC Address Table, and the device is updated.
Global Address Table The Global Address Table page contains fields for querying information in the dynamic address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports. The Global Address Table also contains information about the aging time before a dynamic MAC address is removed from the table.
Managing the MAC Address Table (CLI) This section provides information about the commands you use to manage the MAC address table on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
31 DHCP Server and Relay Settings Dell Networking N2000, N3000, and N4000 Series Switches This chapter describes how to configure the switch to dynamically assign network information to hosts by using the Dynamic Host Configuration Protocol (DHCP).
How Does DHCP Work? When a host connects to the network, the host’s DHCP client broadcasts a message requesting information from any DHCP server that receives the broadcast. One or more DHCP servers respond to the request. The response includes the requested information, such as the IP address, subnet mask, and default gateway IP address. The client accepts an offer from one of the servers, and the server sends an acknowledgment to the client to confirm the transaction. Figure 31-1.
discover requests typically include options for the IP address (option 50), subnet mask (option 1), default gateway (option 3), and DNS server (option 6). These options are predefined. For options that are not predefined, the option code can be entered and the data type can be specified, along with the data that the switch should include in DHCP offers. RFC2132 specifies many of the DHCP options. Additional options are described in later RFCs.
The administrator is using a Microsoft DHCP server. Microsoft DHCP servers do not have native support for DHCP Option 82, but support can be added through the DhcpServerCalloutEntry API, using the DhcpHandleOptionsHook callout to retrieve the Option 82 information that the switches insert.
    option subnet-mask 255.255.254.0;
    option domain-name-servers 10.1.218.3, 10.1.219.3;
    range dynamic-bootp 10.1.222.3 10.1.222.254;
    range dynamic-bootp 10.1.223.3 10.1.223.254;
    default-lease-time 21600;
    max-lease-time 43200;
  }
}
subnet 10.2.109.192 netmask 255.255.255.224 {
  pool {
    allow members of "Pool1";
    range 10.2.109.194 10.2.109.222;
    option routers 10.2.109.193;
    option subnet-mask 255.255.255.224;
    option domain-name-servers 10.1.218.3, 10.1.219.
The DHCP L2 relay feature permits L3 relay agent functionality in layer-2 switched networks. The switch supports L2 DHCP relay configuration on individual ports, link aggregation groups (LAGs) and VLANs. For information about layer-2 and layer-3 DHCP Relay, see "Layer-2 and Layer-3 Relay Features " on page 1157. Default DHCP Server Values By default, the DHCP server is disabled, and no address pools are configured.
Configuring the DHCP Server (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCP server on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. DHCP Server Network Properties Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools.
Adding Excluded Addresses To exclude an address: 1 Open the Network Properties page. 2 Click Add Excluded Addresses to display the Add Excluded Addresses page. 3 In the From field, enter the first IP address to exclude from any configured address pool. 4 If the address in the From field is the only address to exclude, or if the excluded addresses are non-contiguous, leave the To field as the default value of 0.0.0.0. Otherwise, enter the last IP address to excluded from a contiguous range of IP addresses.
Deleting Excluded Addresses To remove an excluded address: 1 Open the Network Properties page. 2 Click Delete Excluded Addresses to display the Delete Excluded Addresses page. 3 Select the check box next to the address or address range to delete. Figure 31-4. Delete Excluded Addresses 4 Click Apply. Address Pool Use the Address Pool page to create the pools of IP addresses and other network information that can be assigned by the server.
Figure 31-5. Address Pool Adding a Network Pool To create and configure a network pool: 1 Open the Address Pool page. 2 Click Add Network Pool to display the Add Network Pool page. 3 Assign a name to the pool and complete the desired fields. In Figure 31-6, the network pool name is Engineering, and the address pool contains all IP addresses in the 192.168.5.0 subnet, which means a client that receives an address from the DHCP server might lease an address in the range of 192.168.5.1 to 192.168.5.254.
Figure 31-6. Add Network Pool The Engineering pool also configures clients to use 192.168.5.1 as the default gateway IP address and 192.168.1.5 and 192.168.2.5 as the primary and secondary DNS servers. NOTE: The IP address 192.168.5.1 should be added to the global list of excluded addresses so that it is not leased to a client. 4 Click Apply. Adding a Static Pool To create and configure a static pool of IP addresses: 1 Open the Address Pool page.
In Figure 31-7, the Static pool name is Lab, and the name of the client in the pool is LabHost1. The client’s MAC address is mapped to the IP address 192.168.11.54, the default gateway is 192.168.11.1, and the DNS servers the client will use have IP addresses of 192.168.5.100 and 192.168.2.5. Figure 31-7. Add Static Pool 4 Click Apply.
Address Pool Options Use the Address Pool Options page to view manually configured options. Options can be defined when an address pool is created or can be added to existing address pools. To display the Address Pool Options page, click Routing IP DHCP Server Address Pool Options in the navigation panel. Figure 31-8. Address Pool Options Defining DHCP Options To configure DHCP options: 1 Open the Address Pool page. 2 Select the Add Options check box.
Figure 31-9. Add DHCP Option 5 Click Apply. 6 To verify that the option has been added to the address pool, open the Address Pool Options page.
Figure 31-10. View Address Pool Options DHCP Bindings Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server. To display the DHCP Bindings page, click Routing IP DHCP Server DHCP Bindings in the navigation panel. Figure 31-11.
DHCP Server Reset Configuration Use the Reset Configuration page to clear the client bindings for one or more clients. Bindings can also be reset for clients that have leased an IP address that is already in use on the network. To display the Reset Configuration page, click Routing IP DHCP Server Reset Configuration in the navigation panel. Figure 31-12.
DHCP Server Statistics Use the Server Statistics page to view general DHCP server statistics, messages received from DHCP clients, and messages sent to DHCP clients. To display the Server Statistics page, click Routing IP DHCP Server Server Statistics in the navigation panel. Figure 31-14.
Configuring the DHCP Server (CLI) This section provides information about the commands used for configuring and monitoring the DHCP server and address pools. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global DHCP Server Settings Beginning in Privileged EXEC mode, use the following commands to configure settings for the DHCP server.
Configuring a Dynamic Address Pool Beginning in Privileged EXEC mode, use the following commands to create an address pool with network information that is dynamically assigned to hosts with DHCP clients that request the information.
Command  Purpose
configure
  Enter Global Configuration mode.
ip dhcp pool name
  Create a DHCP address pool and enter DHCP pool configuration mode.
network network-ip [mask | prefix-length]
  Configure the subnet number and mask for a DHCP address pool.
Configuring a Static Address Pool Beginning in Privileged EXEC mode, use the following commands to create a static address pool and specify the network information for the pool. The network information configured in the static address pool is assigned only to the host with the hardware address or client identifier that matches the information configured in the static pool. Command Purpose configure Enter Global Configuration mode.
Command  Purpose
lease {days [hours] [minutes] | infinite}
  Specify the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client.
  • days—Days the lease is valid (Range 0–59, Default is 1). The hours and minutes can optionally be specified after the days.
  • infinite—60 day lease. The Dell Networking DHCP server does not offer infinite leases. A setting of infinite corresponds to 60 days.
default-router address1 [address2....
Command  Purpose
clear ip dhcp conflict {address | *}
  Clear an address conflict from the DHCP Server database. Use * to clear all conflicts.
show ip dhcp server statistics
  View DHCP server statistics.
clear ip dhcp server statistics
  Reset all DHCP server statistics to zero.
5 Specify the domain name to be assigned to clients that lease an address from this pool.
console(config-dhcp-pool)#domain-name engineering.dell.com
console(config-dhcp-pool)#exit
6 In Global Configuration mode, add the addresses to exclude from the pool. Clients will not be assigned these IP addresses.
console(config)#ip dhcp excluded-address 192.168.5.1 192.168.5.20
console(config)#ip dhcp excluded-address 192.168.5.100
7 Enable the DHCP server on the switch.
Configuring a Static Address Pool The commands in this example create an address pool that assigns the address 192.168.2.10 to the host with a MAC address of 00:1C:23:55:E9:F3. When this host sends a DHCP message requesting network information, the switch offers the information configured in this example, which includes a custom DHCP option that assigns the SMTP server IP address.
Lease Time........................ 1 days 0 hrs 0 mins
DNS Servers....................... 192.168.2.101
Default Routers................... 192.168.2.1
Domain Name....................... executive.dell.com
Option............................ 69 ip 192.168.1.
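Added Python example (not from this guide or from Dell) that serves both the option framing described in "How Does DHCP Work?" (the predefined options 1, 3, 6 and 50, and the Option 82 relay information) and the custom option 69 of the static-pool example just above: it encodes and decodes the RFC 2132 code/length/value options field and rejects a length byte that runs past the buffer, the classic defect in hand-written option parsers. Both option sets are constructed; the SMTP server address 192.168.1.25 and the circuit-id string are placeholders chosen here, since the output above is truncated.

```python
"""Encode and decode the DHCP options field (RFC 2132 framing): 1-byte code,
1-byte length, value, with PAD (0) and END (255) carrying no length.
Added example; the DISCOVER and OFFER option sets are constructed."""
import ipaddress
import struct

PAD, END = 0, 255
NAMES = {1: "subnet-mask", 3: "routers", 6: "dns-servers", 12: "hostname",
         15: "domain-name", 50: "requested-address", 51: "lease-time",
         53: "message-type", 54: "server-id", 55: "parameter-request-list",
         69: "smtp-server", 82: "relay-agent-info"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def encode_options(options) -> bytes:
    """options: iterable of (code, value_bytes); END is appended."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError("option code must be 1..254")
        if len(value) > 255:
            raise ValueError("option value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(END)
    return bytes(out)


def decode_options(buf: bytes) -> dict:
    """Return {code: value}; a length that overruns the buffer is an error."""
    options, pos = {}, 0
    while pos < len(buf):
        code = buf[pos]
        pos += 1
        if code == PAD:
            continue
        if code == END:
            return options
        if pos >= len(buf):
            raise ValueError("option %d has no length byte" % code)
        length = buf[pos]
        pos += 1
        if pos + length > len(buf):
            raise ValueError("option %d length %d overruns buffer" % (code, length))
        options[code] = buf[pos:pos + length]
        pos += length
    raise ValueError("options field missing END")


def ips(*addrs) -> bytes:
    """Pack one or more dotted-quad addresses into an option value."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def ip_list(value: bytes) -> list:
    if len(value) % 4:
        raise ValueError("address list length not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def decode_relay_agent_info(value: bytes) -> dict:
    """Option 82 carries its own sub-options: 1 = circuit-id, 2 = remote-id."""
    subs = decode_options(value + bytes([END]))
    return {{1: "circuit-id", 2: "remote-id"}.get(k, k): v for k, v in subs.items()}


def describe(options: dict) -> dict:
    """Human-readable view of a decoded options dict."""
    out = {}
    for code, value in options.items():
        name = NAMES.get(code, "option-%d" % code)
        if code in (1, 3, 6, 50, 54, 69):
            out[name] = ip_list(value)
        elif code == 51:
            out[name] = struct.unpack("!I", value)[0]
        elif code == 53:
            out[name] = MESSAGE_TYPES.get(value[0], value[0])
        elif code == 55:
            out[name] = list(value)
        elif code == 82:
            out[name] = decode_relay_agent_info(value)
        else:
            out[name] = value
    return out


# Constructed DISCOVER options: the client asks for a specific address, lists
# the options it wants, and a relay has appended Option 82 (placeholder ids).
DISCOVER = encode_options([
    (53, b"\x01"), (50, ips("192.168.2.10")), (55, bytes([1, 3, 6])),
    (82, encode_options([(1, b"Te1/0/7"), (2, bytes.fromhex("001ec9aabbcc"))])[:-1]),
])
# Constructed OFFER options matching the static-pool output above; the SMTP
# server address in option 69 is a placeholder, the page's value is truncated.
OFFER = encode_options([
    (53, b"\x02"), (1, ips("255.255.255.0")), (3, ips("192.168.2.1")),
    (6, ips("192.168.2.101")), (15, b"executive.dell.com"),
    (51, struct.pack("!I", 86400)), (69, ips("192.168.1.25")),
])

if __name__ == "__main__":
    print(describe(decode_options(DISCOVER)))
    print(describe(decode_options(OFFER)))
```

Note that options without a predefined meaning, such as 69 here, are carried as raw bytes by the framing layer; the switch's option command supplies the type (ip, hex, ascii) that tells the client how to interpret them.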
32 IP Routing Dell Networking N1500, N2000, N3000, and N4000 Series Switches This chapter describes how to configure routing on the switch, including global routing settings, Address Resolution Protocol (ARP), router discovery, and static routes.
Table 32-1. IP Routing Features (Continued)
Feature  Description
ARP table
  The switch maintains an ARP table that maps an IP address to a MAC address. Static ARP entries can be created in the table and various ARP table settings can be managed, such as the aging time of dynamically-learned entries.
ICMP Router Discovery Protocol (IRDP)
  Hosts can use IRDP to identify operational routers on the subnet. Routers periodically advertise their IP addresses.
Default IP Routing Values Table 32-2 shows the default values for the IP routing features this chapter describes. Table 32-2.
Table 32-2. IP Routing Defaults (Continued)
Parameter  Default Value
Route Preference Values
  Preference values are as follows:
  • Local—0
  • Static—1
  • OSPF Intra—110
  • OSPF Inter—110
  • OSPF External—110
  • RIP—120
IP Path MTU and Path MTU Discovery The IP stack maintains an IP MTU for each route in its routing table. Conceptually, the route’s path MTU defaults to the IP MTU of the outgoing interface. The IP MTU of an interface is set automatically based upon the switch MTU.
ARP Table The router maintains an ARP table that associates a MAC address and outgoing port with an IP address and VLAN. The ARP table is dynamically updated with the host MAC address and outgoing port information. ARP entries are associated with the VLAN on which the IP address or route is known. The router broadcasts an ARP request in the associated VLAN for any unknown MAC address to which it needs to route packets.
Configuring IP Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv4 routing features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface.
IP Statistics The IP statistics reported on the Statistics page are as specified in RFC 1213. To display the page, click Routing IP Statistics in the navigation panel. Figure 32-2.
ARP Create Use the Create page to add a static ARP entry to the Address Resolution Protocol table. To display the page, click Routing ARP Create in the navigation panel. Figure 32-3.
ARP Table Configuration Use the Table Configuration page to change the configuration parameters for the Address Resolution Protocol Table. This page can also display the contents of the table. To display the page, click Routing ARP Table Configuration in the navigation panel. Figure 32-4.
Router Discovery Configuration Use the Configuration page to enter or change router discovery parameters. To display the page, click Routing Router Discovery Configuration in the navigation panel. Figure 32-5.
Router Discovery Status Use the Status page to display router discovery data for each interface. To display the page, click Routing Router Discovery Status in the navigation panel. Figure 32-6.
Route Table Use the Route Table page to display the contents of the routing table. To display the page, click Routing Router Route Table in the navigation panel. Figure 32-7.
Best Routes Table Use the Best Routes Table page to display the best routes from the routing table. To display the page, click Routing Router Best Routes Table in the navigation panel. Figure 32-8.
Route Entry Configuration Use the Route Entry Configuration page to add new and configure router routes. To display the page, click Routing Router Route Entry Configuration in the navigation panel. Figure 32-9. Route Entry Configuration Adding a Route and Configuring Route Preference To configure routing table entries: 1 Open the Route Entry Configuration page.
Figure 32-10. Router Route Entry and Preference Configuration 2 Next to Route Type, use the drop-down box to add a Default, Static, or Static Reject route. The fields to configure are different for each route type. • Default — Enter the default gateway address in the Next Hop IP Address field. • Static — Enter values for Network Address, Subnet Mask, Next Hop IP Address, and Preference. • Static Reject — Enter values for Network Address, Subnet Mask, and Preference. 3 Click Apply.
Configured Routes Use the Configured Routes page to display the routes that have been manually configured. NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped. To display the page, click Routing Router Configured Routes in the navigation panel. Figure 32-11. Configured Routes To remove a configured route, select the check box in the Remove column of the route to delete, and click Apply.
Route Preferences Configuration Use the Route Preferences Configuration page to configure the default preference for each protocol (for example 60 for static routes). These values are arbitrary values that range from 1 to 255, and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. To display the page, click Routing Router Route Preferences Configuration in the navigation panel. Figure 32-12.
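Added Python example (not from this guide) of how the Route Table, Best Routes Table and Route Preferences pages relate: one best route per prefix is chosen by lowest preference, the longest matching prefix wins the lookup, and a static reject route resolves to Null0 so the packet is dropped rather than forwarded. The preference defaults are those of Table 32-2; the prefixes and next hops in example_table are illustrative and reuse the addresses of the routing configuration example later in this chapter.

```python
"""Route selection model: longest prefix match, then lowest preference
(administrative distance) among routes to the same prefix, with static
reject routes resolving to Null0.  Added example, not switch code."""
import ipaddress

DEFAULT_PREFERENCE = {"local": 0, "static": 1, "ospf": 110, "rip": 120}
NULL0 = "Null0"


class RouteTable:
    def __init__(self):
        self.routes = []   # (network, next_hop, protocol, preference)

    def add(self, prefix, next_hop, protocol="static", preference=None):
        net = ipaddress.ip_network(prefix, strict=True)
        pref = DEFAULT_PREFERENCE[protocol] if preference is None else preference
        if not 0 <= pref <= 255:
            raise ValueError("preference must be 0..255")
        self.routes.append((net, next_hop, protocol, pref))

    def add_reject(self, prefix, preference=None):
        """Static reject route: packets to this prefix are intentionally dropped."""
        self.add(prefix, NULL0, "static", preference)

    def best_routes(self):
        """One best route per prefix, lowest preference first (the Best Routes
        Table), ordered longest prefix first for the lookup below."""
        best = {}
        for route in self.routes:
            net, _, _, pref = route
            if net not in best or pref < best[net][3]:
                best[net] = route
        return sorted(best.values(),
                      key=lambda r: (-r[0].prefixlen, int(r[0].network_address)))

    def lookup(self, dst):
        """Return ("forward", next_hop), ("drop", "Null0") or ("unreachable", None)."""
        addr = ipaddress.ip_address(dst)
        for net, next_hop, _, _ in self.best_routes():
            if addr in net:
                return ("drop", NULL0) if next_hop == NULL0 else ("forward", next_hop)
        return ("unreachable", None)


def example_table() -> RouteTable:
    """Illustrative table built from the addresses used in this chapter."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", "192.168.20.25")                 # default route
    rt.add("192.168.30.0/24", "192.168.20.25")           # static, preference 1
    rt.add("192.168.30.0/24", "192.168.20.99", "ospf")   # same prefix, loses to static
    rt.add_reject("192.168.30.128/25")                   # blackhole the upper half
    return rt


if __name__ == "__main__":
    rt = example_table()
    for dst in ("192.168.30.5", "192.168.30.200", "10.1.1.1"):
        print(dst, "->", rt.lookup(dst))
    for net, nh, proto, pref in rt.best_routes():
        print(net, nh, proto, pref)
```

Raising a static route's preference above OSPF's 110 makes the OSPF route win for that prefix, which is exactly what the Route Preferences Configuration page controls; the lookup code does not change.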
Configuring IP Routing Features (CLI) This section provides information about the commands used for configuring IPv4 routing on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global IP Routing Settings Beginning in Privileged EXEC mode, use the following commands to configure various global IP routing settings for the switch.
Adding Static ARP Entries and Configuring ARP Table Settings Beginning in Privileged EXEC mode, use the following commands to configure static ARP entries in the ARP cache and to specify the settings for the ARP cache.
Command  Purpose
configure
  Enter global configuration mode.
arp ip-address hardware-address
  Create a static ARP entry in the ARP table.
  • ip-address — IP address of a device on a subnet attached to an existing routing interface.
  • hardware-address — A unicast MAC address for that device.
Configuring Router Discovery (IRDP) Beginning in Privileged EXEC mode, use the following commands to configure IRDP settings.
Command  Purpose
configure
  Enter global configuration mode.
interface interface
  Enter interface configuration mode for the specified VLAN routing interface. The interface variable includes the interface type (vlan) and number, for example vlan 100.
ip irdp
  Enable IRDP on the interface.
Configuring Route Table Entries and Route Preferences Beginning in Privileged EXEC mode, use the following commands to configure route table entries and route preferences.
Command  Purpose
configure
  Enter global configuration mode.
ip route default nextHopRtr [preference]
  Configure the default route.
  • nextHopRtr — IP address of the next hop router.
  • preference — Specifies the preference value (administrative distance) of an individual static route.
Command  Purpose
show ip route [ip-address [mask | prefix-length] [longer-prefixes] | protocol]
  View the routing table.
  • ip-address — Specifies the network for which the route is to be displayed and displays the best matching route for the address.
  • mask — Subnet mask of the IP address.
  • prefix-length — Length of prefix, in bits. Must be preceded with a forward slash (‘/’).
IP Routing Configuration Example In this example, the Dell Networking N-Series switches are layer-3 switches with VLAN routing interfaces. VLAN routing is configured on Dell Networking N-Series Switch A and Dell Networking N-Series Switch B. This allows the host in VLAN 10 to communicate with the server in VLAN 30. A static route to the VLAN 30 subnet is configured on Switch A.
Configuring Dell Networking N-Series Switch A To configure Switch A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 10. This command also enables IP routing on the VLAN.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.10 255.255.255.0
console(config-if-vlan10)#exit
3 Assign an IP address to VLAN 20.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.20 255.255.
Configuring Dell Networking N-Series Switch B To configure Switch B:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 20. This command also enables IP routing on the VLAN.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.25 255.255.255.0
console(config-if-vlan20)#exit
3 Assign an IP address to VLAN 30. This command also enables IP routing on the VLAN.
33 Routing Interfaces Dell Networking N1500, N2000, N3000, and N4000 Series Switches This chapter describes the routing (layer-3) interfaces the Dell Networking N-Series switches support, which includes VLAN routing interfaces, loopback interfaces, and tunnel interfaces.
For each VLAN routing interface a static IP address can be assigned, or a network DHCP server can assign a dynamic IP address. When a port is enabled for bridging (layer-2 switching) rather than routing, which is the default, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN. Its MAC Destination Address (MAC DA) and VLAN ID are used to search the MAC address table.
What Are Tunnel Interfaces? Tunnels are a mechanism for transporting a packet across a network so that it can be evaluated at a remote location or tunnel endpoint. The tunnel, effectively, hides the packet from the network used to transport the packet to the endpoint. This allows for the transmission of packets that the transport network cannot process directly, such as in one of the following cases: • The packet protocol is not supported. • The packet is in an incompatible addressing space.
Why Are Routing Interfaces Needed? The routing interfaces this chapter describes have very different applications and uses, as this section describes. If you use the switch as a layer-2 device that handles switching only, routing interface configuration is not required. When the switch is used as a layer-2 device, it typically connects to an external layer-3 device that handles the routing functions. VLAN Routing VLAN routing is required when the switch is used as a layer-3 device.
Loopback Interfaces When packets are sent to the loopback IP address, the network should be able to deliver the packets as long as any physical interface on the switch is up. There are many cases where you need to send traffic to a switch, such as in switch management. The loopback interface IP address is a good choice for communicating with the switch in these cases because the loopback interface cannot go down when the switch is powered on and operational.
Default Routing Interface Values By default, no routing interfaces are configured. When you create a VLAN, no IP address is configured, and DHCP is disabled. After you configure an IP address on a VLAN or loopback interface, the interface is available for layer-3 routing (if enabled), can resolve ARP requests and respond to pings, and has the default configuration shown in Table 33-1.
Configuring Routing Interfaces (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLAN routing interfaces, loopback interfaces, and tunnels on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page. IP Interface Configuration Use the IP Interface Configuration page to update IP interface data for this switch.
DHCP Lease Parameters Use the DHCP Lease Parameters page to view information about the network information automatically assigned to an interface by the DHCP server. To display the page, click Routing IP DHCP Lease Parameters in the navigation panel. Figure 33-3. DHCP Lease Parameters VLAN Routing Summary Use the VLAN Routing Summary page to view summary information about VLAN routing interfaces configured on the switch.
Figure 33-4. VLAN Routing Summary Tunnel Configuration Use the Tunnels Configuration page to create, configure, or delete a tunnel. To display the page, click Routing Tunnels Configuration in the navigation panel. Figure 33-5.
Tunnels Summary
Use the Tunnels Summary page to display a summary of configured tunnels. To display the page, click Routing → Tunnels → Summary in the navigation panel.
Figure 33-6. Tunnels Summary
Loopbacks Configuration
Use the Loopbacks Configuration page to create, configure, or remove loopback interfaces. A secondary address for a loopback can also be set up or deleted. To display the page, click Routing → Loopback Interfaces → Loopback Interfaces Configuration in the navigation panel.
Figure 33-7. Loopbacks Configuration
Loopbacks Summary
Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch. To display the page, click Routing → Loopback Interfaces → Loopback Interfaces Summary in the navigation panel.
Figure 33-8. Loopbacks Summary
Configuring Routing Interfaces (CLI)
This section provides information about the commands used for configuring VLAN routing interfaces, loopbacks, and tunnels on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command / Purpose
ip local-proxy-arp
  Enable local proxy ARP on the interface to allow the switch to respond to ARP requests for hosts on the same subnet as the ARP source.
bandwidth size
  Set the configured bandwidth on this interface to communicate the speed of the interface to higher level protocols. OSPF uses the bandwidth value to compute link cost. The range is 1–10000000.
Configuring Loopback Interfaces
Beginning in Privileged EXEC mode, use the following commands to configure a loopback interface.

Command / Purpose
configure
  Enter Global Configuration mode.
interface loopback
  Create the loopback interface and enter Interface Configuration mode for the specified loopback interface.
ip address ip_address subnet_mask [secondary]
  Configure a static IP address and subnet mask. Use the secondary keyword to specify that the address is a secondary IP address.
Configuring Tunnels
Beginning in Privileged EXEC mode, use the following commands to configure a tunnel interface.
NOTE: For information about configuring the IPv6 interface characteristics for a tunnel, see "IPv6 Routing" on page 1397.

Command / Purpose
configure
  Enter Global Configuration mode.
interface tunnel tunnel-id
  Create the tunnel interface and enter Interface Configuration mode for the specified tunnel.
tunnel mode ipv6ip [6to4]
  Specify the mode of the tunnel.
34 Layer-2 and Layer-3 Relay Features
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes how to configure the layer-2 (L2) DHCP relay, layer-3 (L3) DHCP relay, and IP Helper features on Dell Networking N-Series switches.
configured number, the agent discards the packet. If the giaddr field is zero, the agent must fill in this field with the IP address of the interface on which the request was received. The agent unicasts the valid packets to all configured DHCP servers. Each server responds with a unicast BOOTREPLY addressed to the relay agent closest to the client, as indicated by the giaddr field.
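The relay agent rule just described (hop-count check, giaddr fill-in, unicast to every configured server, reply addressed to the giaddr relay), as an added Python model that is not Dell firmware code. The hop increment follows RFC 1542, the giaddr check on replies is this example's own modelling of "addressed to the relay agent indicated by giaddr", and all addresses are constructed samples.

```python
"""Model of the DHCP relay agent forwarding rule: a BOOTREQUEST whose hop count
exceeds the configured maximum is discarded, a zero giaddr is filled with the
address of the receiving interface, valid requests are unicast to every
configured DHCP server, and a BOOTREPLY is accepted only when its giaddr names
one of this agent's own interfaces. Added illustration, not Dell firmware code."""
from __future__ import annotations
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address

ZERO = IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class BootpPacket:
    """The few BOOTP/DHCP header fields the relay rule looks at."""
    op: str                       # "BOOTREQUEST" or "BOOTREPLY"
    hops: int
    giaddr: IPv4Address = ZERO


@dataclass
class RelayAgent:
    max_hops: int                               # configured hop-count limit
    servers: list[IPv4Address]                  # configured DHCP servers
    interfaces: list[IPv4Address]               # this agent's own interface addresses
    # (destination server, forwarded packet) for every unicast the agent would send
    sent: list[tuple[IPv4Address, BootpPacket]] = field(default_factory=list)

    def relay_request(self, pkt: BootpPacket, ingress: IPv4Address) -> bool:
        """Process a client request received on the interface with address
        `ingress`. Returns True when forwarded, False when discarded."""
        if pkt.op != "BOOTREQUEST" or ingress not in self.interfaces:
            return False
        if pkt.hops > self.max_hops:            # relayed too many times already
            return False
        # Only the first relay fills giaddr; later relays must keep it so the
        # server's reply reaches the agent closest to the client.
        giaddr = ingress if pkt.giaddr == ZERO else pkt.giaddr
        fwd = replace(pkt, hops=pkt.hops + 1, giaddr=giaddr)   # RFC 1542 hop increment
        for srv in self.servers:
            self.sent.append((srv, fwd))
        return True

    def accept_reply(self, pkt: BootpPacket) -> IPv4Address | None:
        """A server's unicast BOOTREPLY is addressed to the relay named in giaddr;
        return that interface address when it is ours, else None."""
        if pkt.op == "BOOTREPLY" and pkt.giaddr in self.interfaces:
            return pkt.giaddr
        return None


if __name__ == "__main__":
    agent = RelayAgent(4, [IPv4Address("192.168.40.22")], [IPv4Address("10.10.10.1")])
    agent.relay_request(BootpPacket("BOOTREQUEST", 0), IPv4Address("10.10.10.1"))
    print(agent.sent)
```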
Enabling L2 Relay on VLANs
L2 DHCP relay can be enabled on a particular VLAN. The VLAN is identified by a service VLAN ID (S-VID), which a service provider uses to identify a customer’s traffic while traversing the provider network to multiple remote sites. The switch uses the VLAN membership of the switch port client (the customer VLAN ID, or C-VID) to look up the corresponding S-VID. If the S-VID is enabled for DHCP Relay, then the packet can be forwarded.
specify a destination UDP port. The relay agent assumes that these entries match packets with the UDP destination ports listed in Table 34-1 (the list of default ports). Table 34-1.
When a switch receives a broadcast UDP packet on a routing interface, the relay agent verifies that the interface is configured to relay to the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise, the relay agent verifies that there is a global configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed.
Table 34-2 shows the most common protocols and their UDP port numbers and names that are relayed. Table 34-2.
Default L2/L3 Relay Values
By default, L2 DHCP relay is disabled. L3 relay (UDP) is enabled, but no UDP destination ports or server addresses are defined on the switch or on any interfaces. Table 34-3.
Configuring L2 and L3 Relay Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 and L3 relay features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help icon at the top of the page.
DHCP Relay Global Configuration
Use this page to enable or disable the switch to act as a DHCP Relay agent.
DHCP Relay Interface Configuration
Use this page to enable L2 DHCP relay on individual ports.
NOTE: L2 DHCP relay must also be enabled globally on the switch.
To access this page, click Switching → DHCP Relay → Interface Configuration in the navigation panel.
Figure 34-2. DHCP Relay Interface Configuration
To view a summary of the L2 DHCP relay configuration on all ports and LAGs, click Show All.
Figure 34-3.
DHCP Relay Interface Statistics
Use this page to display statistics on DHCP Relay requests received on a selected port. To access this page, click Switching → DHCP Relay → Interface Statistics in the navigation panel.
Figure 34-4. DHCP Relay Interface Statistics
DHCP Relay VLAN Configuration
Use this page to enable and configure DHCP Relay on specific VLANs. To access this page, click Switching → DHCP Relay → VLAN Configuration in the navigation panel.
Figure 34-5. DHCP Relay VLAN Configuration
To view a summary of the L2 DHCP relay configuration on all VLANs, click Show All.
Figure 34-6. DHCP Relay VLAN Summary
DHCP Relay Agent Configuration
Use the Configuration page to configure and display a DHCP relay agent.
To display the page, click Routing → BOOTP/DHCP Relay Agent → Configuration in the navigation panel.
Figure 34-7. DHCP Relay Agent Configuration
IP Helper Global Configuration
Use the Global Configuration page to add, show, or delete UDP Relay and Helper IP configuration. To display the page, click Routing → IP Helper → Global Configuration in the navigation panel.
Figure 34-8. IP Helper Global Configuration
Adding an IP Helper Entry
To configure an IP helper entry:
1. Open the IP Helper Global Configuration page.
2.
Figure 34-9. Add Helper IP Address
3. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure the relay entry for the default set of protocols.
NOTE: If the DefaultSet option is specified, the device by default forwards UDP Broadcast packets for the following services: IEN-116 Name Service (port 42), DNS (port 53), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), TACACS Server (port 49), and Time Service (port 37).
4.
IP Helper Interface Configuration
Use the Interface Configuration page to add, show, or delete UDP Relay and Helper IP configuration for a specific interface. To display the page, click Routing → IP Helper → Interface Configuration in the navigation panel.
Figure 34-10. IP Helper Interface Configuration
Adding an IP Helper Entry to an Interface
To add an IP helper entry to an interface:
1. Open the IP Helper Interface Configuration page.
2.
Figure 34-11. Add Helper IP Address
3. Select the interface to use for the relay.
4. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure the relay entry for the default set of protocols.
IP Helper Statistics
Use the Statistics page to view UDP Relay Statistics for the switch. To display the page, click Routing → IP Helper → Statistics in the navigation panel.
Figure 34-12. IP Helper Statistics
Configuring L2 and L3 Relay Features (CLI)
This section provides information about the commands used for configuring L2 and L3 relay features on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring L2 DHCP Relay
Beginning in Privileged EXEC mode, use the following commands to configure switch and interface L2 DHCP relay settings.
Command / Purpose
dhcp l2relay remote-id remoteId vlan vlan-range
  Enable setting the DHCP Option 82 Remote ID for a VLAN. When enabled, the supplied string is used for the Remote ID in DHCP Option 82. The remoteId variable is a string to be used as the remote ID in the Option 82 (Range: 1–128 characters).
exit
  Exit to Privileged EXEC mode.
show dhcp l2relay all
  View L2 DHCP relay settings on the switch.
Configuring L3 Relay (IP Helper) Settings
Beginning in Privileged EXEC mode, use the following commands to configure switch and interface L3 DHCP relay and IP helper settings.

Command / Purpose
configure
  Enter global configuration mode.
ip helper enable
  Use this command to enable the IP helper feature. It is enabled by default.
ip helper-address server-address [dest-udp-port |
  Configure the relay of certain UDP broadcast packets received on any interface.
Command / Purpose
ip helper-address {server-address | discard} [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time]
  Configure the relay of certain UDP broadcast packets received on the VLAN routing interface(s). This command takes precedence over an ip helper-address command given in global configuration mode. Specify one of the protocols defined in the command or the UDP port number.
Relay Agent Configuration Example
The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols.
Figure 34-13. L3 Relay Network Diagram (elements shown: DHCP Server 192.168.40.22, DNS Server 192.168.40.43, DHCP Server 192.168.40.35, VLAN 30, SNMP Server 192.168.23.1, L3 Switch, DHCP Clients, VLAN 10, VLAN 20 (No DHCP))
This example assumes that multiple VLAN routing interfaces have been created, and configured with IP addresses.
console(config-if-vlan10)#ip helper-address 192.168.40.35 domain
console(config-if-vlan10)#exit
3 Relay SNMP traps (port 162) received on VLAN 20 to 192.168.23.1
console(config)#interface vlan 20
console(config-if-vlan20)#ip helper-address 192.168.23.
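The L3 relay decision this chapter describes (an interface-level ip helper-address entry for the destination UDP port is consulted first, a global entry is the fallback, a discard entry drops the packet, and an entry with no port covers the default set of ports) as an added Python model, not the switch's implementation. The sample configuration reuses the addresses from the relay agent example above (VLAN 10 relaying domain to 192.168.40.35, VLAN 20 relaying port 162 to 192.168.23.1) and adds constructed entries: global DHCP relay to both DHCP servers, a port-less entry for the DNS server, and a discard on VLAN 20 for DHCP.

```python
"""Model of the IP helper (L3 relay) forwarding decision. Added illustration,
not Dell firmware code; see the lead-in for which entries are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Protocol keywords accepted by ip helper-address and their UDP ports
# (standard IANA assignments for the keywords listed in the command syntax).
PORT_NAMES = {"dhcp": 67, "domain": 53, "nameserver": 42, "netbios-ns": 137,
              "netbios-dgm": 138, "tacacs": 49, "time": 37, "tftp": 69,
              "ntp": 123, "rip": 520}
# Ports relayed by an entry configured without a port (the DefaultSet note).
DEFAULT_SET = {42, 53, 137, 138, 49, 37}
DISCARD = "discard"
ANY = "default"          # table key for entries that name no destination port


def to_port(spec: str | int) -> int:
    """Accept either a protocol keyword or a numeric UDP port."""
    return PORT_NAMES[spec] if isinstance(spec, str) else int(spec)


@dataclass
class HelperTable:
    """ip helper-address entries for one scope: global, or one VLAN interface."""
    entries: dict = field(default_factory=dict)     # port or ANY -> [servers]

    def add(self, server: str, port: str | int | None = None) -> None:
        key = ANY if port is None else to_port(port)
        self.entries.setdefault(key, []).append(server)

    def lookup(self, dst_port: int) -> list[str] | None:
        """Servers configured for a destination port, or None for no match.
        An explicit port entry wins; a port-less entry only covers DEFAULT_SET."""
        if dst_port in self.entries:
            return self.entries[dst_port]
        if dst_port in DEFAULT_SET and ANY in self.entries:
            return self.entries[ANY]
        return None


def relay_decision(global_table: HelperTable, iface_tables: dict[int, HelperTable],
                   ingress_vlan: int, dst_port: int) -> tuple[str, list[str]]:
    """Decide what the relay agent does with a broadcast UDP packet.

    Returns ("relay", servers), ("discard", []) or ("not-relayed", []).
    The ingress interface's table is consulted before the global table, so an
    interface entry (including a discard) overrides a global one."""
    for table in (iface_tables.get(ingress_vlan), global_table):
        if table is None:
            continue
        servers = table.lookup(dst_port)
        if servers is None:
            continue
        if DISCARD in servers:
            return ("discard", [])
        return ("relay", list(servers))
    return ("not-relayed", [])


def example_config() -> tuple[HelperTable, dict[int, HelperTable]]:
    """Sample configuration: chapter example addresses plus constructed entries."""
    glob = HelperTable()
    glob.add("192.168.40.22", "dhcp")       # constructed: global DHCP relay
    glob.add("192.168.40.35", "dhcp")
    glob.add("192.168.40.43")               # constructed: no port -> default set
    vlan10 = HelperTable()
    vlan10.add("192.168.40.35", "domain")   # from the chapter's example
    vlan20 = HelperTable()
    vlan20.add("192.168.23.1", 162)         # SNMP traps, from the example
    vlan20.add(DISCARD, "dhcp")             # constructed: VLAN 20 has no DHCP
    return glob, {10: vlan10, 20: vlan20}


if __name__ == "__main__":
    g, ifs = example_config()
    for vlan, port in ((10, 53), (30, 53), (10, 67), (20, 67), (20, 162), (30, 162)):
        print(f"VLAN {vlan} udp/{port}: {relay_decision(g, ifs, vlan, port)}")
```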
35 OSPF and OSPFv3
Dell Networking N2000, N3000, and N4000 Series Switches
This chapter describes how to configure Open Shortest Path First (OSPF) and OSPFv3. OSPF is a dynamic routing protocol for IPv4 networks, and OSPFv3 is used to route traffic in IPv6 networks. The protocols are configured separately within the software, but their functionality is largely similar for IPv4 and IPv6 networks.
NOTE: In this chapter, references to OSPF apply to OSPFv2 and OSPFv3 unless otherwise noted.
OSPF Overview
OSPF is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network. Dell Networking N-Series switches support two dynamic routing protocols: OSPF and Routing Information Protocol (RIP). Unlike RIP, OSPF is a link-state protocol. Larger networks typically use the OSPF protocol instead of RIP.
What Are OSPF Areas and Other OSPF Topology Features?
The top level of the hierarchy of an OSPF network is known as an OSPF domain. The domain can be divided into areas.
What Are OSPF Routers and LSAs?
When a Dell Networking N-Series switch is configured to use OSPF for dynamic routing, it is considered to be an OSPF router. OSPF routers keep track of the state of the various links they send data to. Routers exchange OSPF link state advertisements (LSAs) with other routers. External LSAs provide information on static routes or routes learned from other routing protocols. OSPF defines various router types:
• Backbone routers have an interface in Area 0.
OSPF Feature Details
This section provides details on the following OSPF features:
• Max Metric
• Static Area Range Cost
• LSA Pacing
• Flood Blocking
Max Metric
RFC 3137 introduced stub router behavior to OSPFv2. As a stub, a router can inform other routers that it is not available to forward data packets.
not begin in stub router mode when OSPF is globally enabled. If the operator wants to avoid routing transients when he enables or configures OSPF, he can manually set OSPF in stub router mode. If OSPF is in startup stub router mode and encounters a resource limitation that would normally cause OSPF to become a stub router, OSPF cancels the timer to exit startup stub router and remains in stub router mode until the network administrator takes action.
Static Area Range Cost
This feature allows a network operator to configure a fixed OSPF cost that is always advertised when an area range is active. This feature applies to both OSPFv2 and OSPFv3. An OSPF domain can be divided into areas to limit the processing required on each router. Area Border Routers (ABRs) advertise reachability across area boundaries. It is common to summarize the set of prefixes that an ABR advertises across an area boundary.
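An added Python model (not the switch's OSPF code) of the area-range behaviour described above: a range is advertised only while it is active, meaning at least one intra-area route falls inside the prefix, and its cost is either derived from the contributing routes (RFC 2328 section 12.4.3 uses the largest contributing cost, an assumption taken from the RFC rather than this guide) or, with a static area range cost configured, the fixed value. The second function shows why a static cost matters: component cost changes no longer force the ABR to re-originate the summary LSA. Prefixes and costs are constructed.

```python
"""Area-range summarization with derived or static cost. Added illustration,
not Dell firmware code."""
from __future__ import annotations
from ipaddress import ip_network


def _contributes(prefix: str, rng) -> bool:
    """True when an intra-area route prefix falls within the configured range."""
    net = ip_network(prefix)
    return net.version == rng.version and net.subnet_of(rng)


def summary_for_range(range_prefix: str, routes: dict[str, int],
                      static_cost: int | None = None) -> tuple[str, int] | None:
    """Return (prefix, cost) the ABR advertises for the range, or None when the
    range is inactive (no contributing intra-area route).

    routes maps intra-area prefixes to their costs. With static_cost set, the
    fixed cost is advertised regardless of the contributing costs."""
    rng = ip_network(range_prefix)
    contributing = [cost for prefix, cost in routes.items() if _contributes(prefix, rng)]
    if not contributing:
        return None
    cost = static_cost if static_cost is not None else max(contributing)
    return str(rng), cost


def summary_changed(range_prefix: str, before: dict[str, int], after: dict[str, int],
                    static_cost: int | None = None) -> bool:
    """Would the ABR have to re-originate the summary LSA after the routes change?"""
    return (summary_for_range(range_prefix, before, static_cost)
            != summary_for_range(range_prefix, after, static_cost))


if __name__ == "__main__":
    routes = {"10.1.0.0/24": 10, "10.1.1.0/24": 25, "10.2.0.0/24": 5}
    print(summary_for_range("10.1.0.0/16", routes))                 # derived cost 25
    print(summary_for_range("10.1.0.0/16", routes, static_cost=100))  # fixed cost 100
```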
LSA Pacing
OSPF refreshes each self-originated LSA every 30 minutes. Because a router tends to originate many LSAs at the same time, either at startup or when adjacencies are formed or when routes are first learned, LSA refreshes tend to be grouped. Further, Area Border Routers (ABRs) attached to the same area tend to originate summary LSAs into the area at the same time. This behavior leads to periodic bursts of LS Update packets.
Flood Blocking
OSPF is a link state routing protocol. Routers describe their local environment in Link State Advertisements (LSAs), which are distributed throughout an area or OSPF domain. Through this process, each router learns enough information to compute a set of routes consistent with the routes computed by all other routers. Normally, OSPF floods an LSA on all interfaces within the LSA's flooding scope. Flooding ensures that all routers receive all LSAs.
Flood blocking cannot be enabled on virtual interfaces. While the feature could be allowed on virtual interfaces, it is less likely to be used on a virtual interface, since virtual interfaces are created specifically to allow flooding between two backbone routers. So the option of flood blocking on virtual interfaces is not supported. See "Configuring Flood Blocking" on page 1264 for a configuration example.
Default OSPF Values
OSPF is globally enabled by default. To make it operational on the router, you must configure a router ID and enable OSPF on at least one interface. Table 35-1 shows the global default values for OSPF and OSPFv3. Table 35-1.
Table 35-2 shows the per-interface default values for OSPF and OSPFv3. Table 35-2.
Configuring OSPF Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPF features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help icon at the top of the page.
OSPF Configuration
Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings. To display the page, click Routing → OSPF → Configuration in the navigation panel.
Figure 35-1. OSPF Configuration
OSPF Area Configuration
The Area Configuration page lets you create a Stub area configuration and NSSA once you’ve enabled OSPF on an interface through Routing → OSPF → Interface Configuration. At least one router must have OSPF enabled for this web page to display. To display the page, click Routing → OSPF → Area Configuration in the navigation panel. If a Stub Area has been created, the fields in the Stub Area Information are available.
Configuring an OSPF Stub Area
To configure the area as an OSPF stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area.
Figure 35-3. OSPF Stub Area Configuration
Use the Delete Stub Area button to remove the stub area.
Configuring an OSPF Not-So-Stubby Area
To configure the area as an OSPF not-so-stubby area (NSSA), click NSSA Create. The page refreshes and displays additional fields that are specific to the NSSA.
Figure 35-4. OSPF NSSA Configuration
Use the NSSA Delete button to remove the NSSA area.
OSPF Stub Area Summary
The Stub Area Summary page displays OSPF stub area detail. To display the page, click Routing → OSPF → Stub Area Summary in the navigation panel.
Figure 35-5. OSPF Stub Area Summary
OSPF Area Range Configuration
Use the Area Range Configuration page to configure and display an area range for a specified NSSA. To display the page, click Routing → OSPF → Area Range Configuration in the navigation panel.
Figure 35-6. OSPF Area Range Configuration
OSPF Interface Statistics
Use the Interface Statistics page to display statistics for the selected interface. The information is displayed only if OSPF is enabled. To display the page, click Routing → OSPF → Interface Statistics in the navigation panel.
Figure 35-7. OSPF Interface Statistics
OSPF Interface Configuration
Use the Interface Configuration page to configure an OSPF interface. To display the page, click Routing → OSPF → Interface Configuration in the navigation panel.
Figure 35-8. OSPF Interface Configuration
OSPF Neighbor Table
Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled. To display the page, click Routing → OSPF → Neighbor Table in the navigation panel.
Figure 35-9. OSPF Neighbor Table
OSPF Neighbor Configuration
Use the Neighbor Configuration page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click Routing → OSPF → Neighbor Configuration in the navigation panel.
Figure 35-10. OSPF Neighbor Configuration
OSPF Link State Database
Use the Link State Database page to display OSPF link state, external LSDB table, and AS opaque LSDB table information. To display the page, click Routing → OSPF → Link State Database in the navigation panel.
Figure 35-11. OSPF Link State Database
OSPF Virtual Link Configuration
Use the Virtual Link Configuration page to create or configure virtual interface information for a specific area and neighbor. A valid OSPF area must be configured before this page can be displayed.
Figure 35-12. OSPF Virtual Link Creation
After you create a virtual link, additional fields display, as Figure 35-13 shows.
Figure 35-13. OSPF Virtual Link Configuration
OSPF Virtual Link Summary
Use the Virtual Link Summary page to display all of the configured virtual links. To display the page, click Routing → OSPF → Virtual Link Summary in the navigation panel.
Figure 35-14. OSPF Virtual Link Summary
OSPF Route Redistribution Configuration
Use the Route Redistribution Configuration page to configure redistribution in OSPF for routes learned through various protocols. Routes learned from all available protocols, or from selected protocols, can be redistributed. To display the page, click Routing → OSPF → Route Redistribution Configuration in the navigation panel.
Figure 35-15. OSPF Route Redistribution Configuration
OSPF Route Redistribution Summary
Use the Route Redistribution Summary page to display OSPF Route Redistribution configurations. To display the page, click Routing → OSPF → Route Redistribution Summary in the navigation panel.
Figure 35-16. OSPF Route Redistribution Summary
NSF OSPF Configuration
Use the NSF OSPF Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPF feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 201 in the Stacking chapter. To display the page, click Routing → OSPF → NSF OSPF Configuration in the navigation panel.
Figure 35-17. NSF OSPF Configuration
Configuring OSPFv3 Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPFv3 features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help icon at the top of the page.
OSPFv3 Configuration
Use the Configuration page to activate and configure OSPFv3 for a switch. To display the page, click IPv6 → OSPFv3 → Configuration in the navigation panel.
Figure 35-18. OSPFv3 Configuration
OSPFv3 Area Configuration
Use the Area Configuration page to create and configure an OSPFv3 area. To display the page, click IPv6 → OSPFv3 → Area Configuration in the navigation panel.
Figure 35-19. OSPFv3 Area Configuration
Configuring an OSPFv3 Stub Area
To configure the area as an OSPFv3 stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area.
Figure 35-20. OSPFv3 Stub Area Configuration
Use the Delete Stub Area button to remove the stub area.
Configuring an OSPFv3 Not-So-Stubby Area
To configure the area as an OSPFv3 not-so-stubby area (NSSA), click Create NSSA. The page refreshes and displays additional fields that are specific to the NSSA.
Figure 35-21. OSPFv3 NSSA Configuration
Use the Delete NSSA button to remove the NSSA area.
OSPFv3 Stub Area Summary
Use the Stub Area Summary page to display OSPFv3 stub area detail. To display the page, click IPv6 → OSPFv3 → Stub Area Summary in the navigation panel.
Figure 35-22. OSPFv3 Stub Area Summary
OSPFv3 Area Range Configuration
Use the Area Range Configuration page to configure OSPFv3 area ranges. To display the page, click IPv6 → OSPFv3 → Area Range Configuration in the navigation panel.
Figure 35-23. OSPFv3 Area Range Configuration
OSPFv3 Interface Configuration
Use the Interface Configuration page to create and configure OSPFv3 interfaces. To display the page, click IPv6 → OSPFv3 → Interface Configuration in the navigation panel.
Figure 35-24. OSPFv3 Interface Configuration
OSPFv3 Interface Statistics
Use the Interface Statistics page to display OSPFv3 interface statistics. Information is only displayed if OSPF is enabled. To display the page, click IPv6 → OSPFv3 → Interface Statistics in the navigation panel.
Figure 35-25. OSPFv3 Interface Statistics
OSPFv3 Neighbors
Use the Neighbors page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is given. Neighbor information only displays if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click IPv6 → OSPFv3 → Neighbors in the navigation panel.
Figure 35-26. OSPFv3 Neighbors
OSPFv3 Neighbor Table
Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The neighbor table is only displayed if OSPF is enabled. To display the page, click IPv6 → OSPFv3 → Neighbor Table in the navigation panel.
Figure 35-27. OSPFv3 Neighbor Table
OSPFv3 Link State Database
Use the Link State Database page to display the link state and external LSA databases. The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information. To display the page, click IPv6 → OSPFv3 → Link State Database in the navigation panel.
Figure 35-28. OSPFv3 Link State Database
OSPFv3 Virtual Link Configuration
Use the Virtual Link Configuration page to define a new or configure an existing virtual link. To display this page, a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page. To display the page, click IPv6 → OSPFv3 → Virtual Link Configuration in the navigation panel.
Figure 35-29. OSPFv3 Virtual Link Configuration
After you create a virtual link, additional fields display, as Figure 35-30 shows.
Figure 35-30.
OSPFv3 Virtual Link Summary
Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID. To display the page, click IPv6 → OSPFv3 → Virtual Link Summary in the navigation panel.
Figure 35-31. OSPFv3 Virtual Link Summary
OSPFv3 Route Redistribution Configuration
Use the Route Redistribution Configuration page to configure route redistribution. To display the page, click IPv6 → OSPFv3 → Route Redistribution Configuration in the navigation panel.
Figure 35-32. OSPFv3 Route Redistribution Configuration
OSPFv3 Route Redistribution Summary
Use the Route Redistribution Summary page to display route redistribution settings by source. To display the page, click IPv6 → OSPFv3 → Route Redistribution Summary in the navigation panel.
Figure 35-33. OSPFv3 Route Redistribution Summary
NSF OSPFv3 Configuration
Use the NSF OSPFv3 Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPFv3 feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 201 in the Stacking chapter. To display the page, click Routing → OSPFv3 → NSF OSPFv3 Configuration in the navigation panel.
Figure 35-34. NSF OSPFv3 Configuration
Configuring OSPF Features (CLI)
This section provides information about the commands used for configuring and viewing OSPF settings on the switch. This section does not describe all available show commands. For more information about all available OSPF commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command / Purpose
default-information originate [always] [metric metric-value] [metric-type type-value]
  Control the advertisement of default routes.
  • always — Normally, OSPF originates a default route only if a default route is redistributed into OSPF (and default-information originate is configured). When the always option is configured, OSPF originates a default route, even if no default route is redistributed.
  • metric-value — The metric (or preference) value of the default route.
Command / Purpose
passive-interface default
  Configure OSPF interfaces as passive by default. This command overrides any interface-level passive mode settings. OSPF does not form adjacencies on passive interfaces but does advertise attached networks as stub networks.
timers spf delay-time hold-time
  Specify the SPF delay and hold time.
  • delay-time — SPF delay time. (Range: 0–65535 seconds)
  • hold-time — SPF hold time. (Range: 0–65535 seconds)
exit
  Exit to Global Configuration mode.
Configuring OSPF Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPF settings.

Command / Purpose
configure
  Enter global configuration mode.
interface vlan vlan-id
  Enter Interface Configuration mode for the specified VLAN.
ip ospf area area-id [secondaries none]
  Enable OSPFv2 on the interface and set the area ID of an interface. This command supersedes the effects of the network area command.
Command / Purpose
ip ospf dead-interval seconds
  Set the OSPF dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network. This value should be some multiple of the Hello Interval.
ip ospf transmit-delay
  Set the OSPF Transit Delay for the interface.
Command / Purpose
exit
  Exit to Global Configuration mode.
router ospf
  Enter OSPF configuration mode.
passive-interface vlan vlan-id
  Make an interface passive to prevent OSPF from forming an adjacency on an interface. OSPF advertises networks attached to passive interfaces as stub networks.
network ip-address wildcard-mask area area-id
  Enable OSPFv2 on interfaces whose primary IP address matches this command, and make the interface a member of the specified area.
Command / Purpose
area area-id default-cost integer
  Configure the metric value (default cost) for the type 3 summary LSA sent into the stub area. (Range: 1–16777215)
area area-id nssa
  Create an NSSA for the specified area ID.
area area-id nssa no-summary
  Configure the NSSA so that summary LSAs are not advertised into the NSSA.
area area-id nssa
  Configure the translator role of the NSSA.
Configuring Virtual Links
Beginning in Privileged EXEC mode, use the following commands to configure OSPF Virtual Links.

Command / Purpose
configure
  Enter global configuration mode.
router ospf
  Enter OSPF configuration mode.
area area-id virtual-link
  Create the OSPF virtual interface for the specified area-id and neighbor router. The neighbor-id variable is the IP address of the neighboring router.
Command / Purpose
area area-id virtual-link neighbor-id hello-interval seconds
  Set the OSPF hello interval for the virtual link. The seconds variable indicates the number of seconds to wait before sending Hello packets from the virtual interface. (Range: 1–65535)
area area-id virtual-link neighbor-id dead-interval seconds
  Set the OSPF dead interval for the virtual link. The seconds variable indicates the number of seconds to wait before the virtual interface is assumed to be dead.
Configuring OSPF Area Range Settings
Beginning in Privileged EXEC mode, use the following commands to configure an OSPF area range.

Command / Purpose
configure
  Enter global configuration mode.
router ospf
  Enter OSPF configuration mode.
area area-id range ip-address mask {summarylink | nssaexternallink} [advertise | not-advertise]
  Configure a summary prefix for routes learned in a given area.
  • area-id — Identifies the OSPF NSSA to configure.
Command / Purpose
distribute-list accesslistname out {rip | static | connected}
  Specify the access list to filter routes received from the source protocol. The ACL must already exist on the switch. For information about the commands used for configuring ACLs, see "Configuring ACLs (CLI)" on page 664.
  • accesslistname — The name used to identify an existing ACL.
  • rip — Apply the specified access list when RIP is the source protocol.
Configuring NSF Settings for OSPF
Beginning in Privileged EXEC mode, use the following commands to configure the non-stop forwarding settings for OSPF.

Command / Purpose
configure
  Enter global configuration mode.
router ospf
  Enter OSPF configuration mode.
nsf [ietf] helper strict-lsa-checking
  Require that an OSPF helpful neighbor exit helper mode whenever a topology change occurs. Use the ietf keyword to distinguish the IETF standard implementation of graceful restart from other implementations.
Configuring OSPFv3 Features (CLI)
This section provides information about the commands used for configuring OSPFv3 settings on the switch. For more information about the commands and about additional show commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global OSPFv3 Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global OSPFv3 settings for the switch.
Command / Purpose
distance ospf {external | inter-area | intra-area} distance
  Set the preference values of OSPFv3 route types in the router. The range for the distance variable is 1–255. Lower route preference values are preferred when determining the best route.
enable
  Enable OSPFv3.
exit-overflow-interval
  Specify the exit overflow interval for OSPFv3 as defined in RFC 1765.
Configuring OSPFv3 Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure per-interface OSPFv3 settings.

Command / Purpose
configure
  Enter global configuration mode.
interface vlan vlan-id
  Enter Interface Configuration mode for the specified VLAN.
ipv6 ospf areaid area-id
  Enable OSPFv3 on the interface and set the area ID of an interface. This command supersedes the effects of the network area command.
Command / Purpose
ipv6 ospf dead-interval seconds
  Set the OSPFv3 dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network. This value should be some multiple of the Hello Interval.
ipv6 ospf transmit-delay
  Set the OSPFv3 Transit Delay for the interface.
Command / Purpose
show ipv6 ospf interface [interface-type interface-number]
  View summary information for all OSPFv3 interfaces configured on the switch or for the specified routing interface.
show ipv6 ospf interface stats interface-type interface-number
  View per-interface OSPFv3 statistics.

Configuring Stub Areas and NSSAs
Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 stub areas and NSSAs.

Command / Purpose
configure
  Enter global configuration mode.
Command / Purpose

area area-id nssa [no-redistribution] [default-information-originate
    Create and configure an NSSA for the specified area ID.
    • metric-value — Specifies the metric of the default route advertised to the NSSA.
Configuring Virtual Links

Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 Virtual Links.

Command / Purpose

configure
    Enter global configuration mode.

ipv6 router ospf
    Enter OSPFv3 configuration mode.

area area-id virtual-link neighbor-id
    Create the OSPFv3 virtual interface for the specified area-id and neighbor router. The neighbor-id variable is the IP address of the neighboring router.
Configuring an OSPFv3 Area Range

Beginning in Privileged EXEC mode, use the following commands to configure an OSPFv3 area range.

Command / Purpose

configure
    Enter global configuration mode.

ipv6 router ospf
    Enter OSPFv3 configuration mode.

area area-id range ipv6prefix/prefix-length {summarylink |
    Configure a summary prefix for routes learned in a given area.
    • area-id — Identifies the OSPFv3 NSSA to configure.
Configuring OSPFv3 Route Redistribution Settings

Beginning in Privileged EXEC mode, use the following commands to configure OSPFv3 route redistribution settings.

Command / Purpose

configure
    Enter global configuration mode.

ipv6 router ospf
    Enter OSPFv3 configuration mode.

redistribute {static | connected} [metric metric] [metric-type {1 |
    Configure OSPFv3 to allow redistribution of routes from the specified source protocol/routers.
    • static — Specifies that the source is a static route.
Configuring NSF Settings for OSPFv3

Beginning in Privileged EXEC mode, use the following commands to configure the non-stop forwarding settings for OSPFv3.

Command / Purpose

configure
    Enter global configuration mode.

ipv6 router ospf
    Enter OSPFv3 configuration mode.

nsf [ietf] helper strict-lsa-checking
    Require that an OSPFv3 helpful neighbor exit helper mode whenever a topology change occurs.
OSPF Configuration Examples

This section contains the following examples:
• Configuring an OSPF Border Router and Setting Interface Costs
• Configuring Stub and NSSA Areas for OSPF and OSPFv3
• Configuring a Virtual Link for OSPF and OSPFv3

Configuring an OSPF Border Router and Setting Interface Costs

This example shows how to configure the Dell Networking N-Series switch as an OSPF border router. The commands in this example configure the areas and interfaces on Border Router A shown in Figure 35-35.
To configure Border Router A:

1 Enable routing on the switch.
console#configure
console(config)#ip routing

2 Create VLANs 70, 80, and 90 and assign them to interfaces.
5 Configure the OSPF area ID, priority, and cost for each interface.

NOTE: OSPF is globally enabled by default. To make it operational on the router, you configure OSPF for particular interfaces and identify which area the interface is associated with.

console(config)#interface vlan 70
console(config-if-vlan70)#ip ospf area 0.0.0.
Configuring Stub and NSSA Areas for OSPF and OSPFv3

In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area.

NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do not interact). This example configures both protocols simultaneously.

Figure 35-36 illustrates this example OSPF configuration.

Figure 35-36.
Switch A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS.

To configure Switch A:

1 Globally enable IPv6 and IPv4 routing:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ip routing

2 Create VLANs 6 and 12 and assign them to interfaces.
To configure Switch B:

1 Configure IPv6 and IPv4 routing. The static routes are included for illustration only: redistributed static routes, like routes distributed from other protocols, are not injected into stub areas such as Area 1:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ipv6 route 3000:44:44::/64 3000:2:3::210:18ff:fe82:c14
console(config)#ip route 10.23.67.0 255.255.255.0 10.2.3.3

2 Create VLANs 5, 10, and 17.
console(config)#router ospf
console(config-router)#router-id 2.2.2.2
console(config-router)#area 0.0.0.1 stub
console(config-router)#area 0.0.0.2 nssa

5 For IPv4: Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 2, respectively.
console(config-router)#network 10.1.2.0 0.0.0.255 area 0.0.0.1
console(config-router)#network 10.2.3.0 0.0.0.255 area 0.0.0.
Figure 35-37. OSPF Configuration—Virtual Link

Switch B is an ABR that directly connects Area 0 to Area 1. Note that in the previous example, Switch B connected to a stub area and an NSSA. Virtual links cannot be created across stub areas or NSSAs. The following commands define a virtual link that traverses Area 1 to Switch C (5.5.5.5).

To configure Switch B:

1 Configure the virtual link to Switch C for IPv4.
console#configure
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 5.5.
Switch C is an ABR that enables a virtual link from the remote Area 2 in the AS to Area 0. The following commands define a virtual link that traverses Area 1 to Switch B (2.2.2.2).

To configure Switch C:

1 For IPv4, assign the router ID, create the virtual link to Switch B, and associate the VLAN routing interfaces with the appropriate areas.
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 2.2.2.
Interconnecting an IPv4 Backbone and Local IPv6 Network

In Figure 35-38, two Dell Networking L3 switches are connected as shown in the diagram. The VLAN 15 routing interface on both switches connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes. OSPF allows device 1 and device 2 to learn routes to each other (from the 20.20.20.x network to the 10.10.10.x network and vice versa).
4 Set the OSPFv3 router ID.
console(config)#ipv6 router ospf
console(config-rtr)#router-id 1.1.1.1
console(config-rtr)#exit

5 Configure the IPv4 address and OSPF area for VLAN 15.
console(config)#interface vlan 15
console(config-if-vlan15)#ip address 20.20.20.1 255.255.255.0
console(config-if-vlan15)#ip ospf area 0.0.0.0
console(config-if-vlan15)#exit

6 Configure the IPv6 address and OSPFv3 information for VLAN 2.
To configure Switch B:

1 Create the VLANs.
console(config)#vlan 2,15
console(config-vlan70,80,90)#interface te1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#interface gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 2

2 Enable IPv4 and IPv6 routing on the switch.
console(config)#ip routing
console(config)#ipv6 unicast-routing

3 Set the OSPF router ID.
console(config)#router ospf
console(config-router)#router-id 2.2.2.
8 Configure the loopback interface. The switch uses the loopback IP address as the OSPF and OSPFv3 router ID.
console(config)#interface loopback 0
console(config-if-loopback0)#ip address 2.2.2.2 255.255.255.0
console(config-if-loopback0)#exit
console(config)#exit

Configuring the Static Area Range Cost

Figure 35-39 shows a topology for the configuration that follows.

Figure 35-39. Static Area Range Cost Example Topology (diagram labels: R3, Area 0, VLAN 103, ABR R0, VLAN 101, R1, VLAN 102, VLAN 104, R2, Area 1)

1 Configure R0.
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 1
area 1 range 172.21.0.0 255.255.0.0 summarylink
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 1
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.
ip address 172.21.2.2 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit

Discussion

With no area range cost specified, the range uses auto cost:

(ABR-R0) #show ip ospf range 1
Prefix       Subnet Mask   Type  Action     Cost  Active
172.21.0.0   255.255.0.0   S     Advertise  Auto  Y

(ABR-R0) #show ip ospf database summary
Network Summary States (Area 0.0.0.0)
LS Age: 644
LS options: (E-Bit)
LS Type: Network Summary LSA
LS Id: 172.21.0.0 (network prefix)
Advertising Router: 10.10.10.
Network Summary States (Area 0.0.0.0)
LS Age: 49
LS options: (E-Bit)
LS Type: Network Summary LSA
LS Id: 172.21.0.0 (network prefix)
Advertising Router: 10.10.10.10
LS Seq Number: 0x80000003
Checksum: 0x78f8
Length: 28
Network Mask: 255.255.0.0
Metric: 0

The cost can be set to the maximum value, 16,777,215, which is LSInfinity. Since OSPF cannot send a type 3 summary LSA with this metric (according to RFC 2328), the summary LSA is flushed. The individual routes are not readvertised.
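The area range behaviour described above, as an added example that is not part of the Dell guide: an ABR deriving the Type 3 summary metric for a range under auto cost (RFC 2328 section 12.4.3: the largest component cost), under a static cost, and under LSInfinity, where the summary is flushed and the component routes stay suppressed. The prefixes and costs are constructed sample data modelled on the R0 topology.

```python
"""Added example (not from the Dell guide): how an ABR derives the metric
of the Type 3 summary LSA for a configured area range, and why a static
cost of 16,777,215 (LSInfinity) flushes the summary instead of
advertising it. Prefixes and costs below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

LS_INFINITY = 0xFFFFFF  # 16,777,215: the largest metric OSPF can carry


@dataclass(frozen=True)
class IntraAreaRoute:
    prefix: IPv4Network
    cost: int  # cost from the ABR to the prefix inside the area


@dataclass(frozen=True)
class SummaryLsa:
    prefix: IPv4Network
    metric: int


def originate_summaries(routes: List[IntraAreaRoute],
                        area_range: IPv4Network,
                        static_cost: Optional[int] = None
                        ) -> Tuple[Optional[SummaryLsa], List[SummaryLsa]]:
    """Return (range summary LSA or None, LSAs for routes outside the range).

    Auto cost follows RFC 2328 section 12.4.3: the range is advertised
    with the largest cost of any component route. A static cost is
    advertised as configured, except LSInfinity, which cannot be put in
    a summary LSA: the range LSA is withdrawn (flushed) and the component
    routes remain suppressed rather than being advertised individually.
    """
    covered = [r for r in routes if r.prefix.subnet_of(area_range)]
    # Routes the range does not cover are summarised one by one as usual.
    individual = [SummaryLsa(r.prefix, r.cost)
                  for r in routes if not r.prefix.subnet_of(area_range)]
    if not covered:
        return None, individual  # range inactive: no component routes
    metric = max(r.cost for r in covered) if static_cost is None else static_cost
    if metric >= LS_INFINITY:
        return None, individual  # flushed; components remain suppressed
    return SummaryLsa(area_range, metric), individual


def demo():
    """Constructed Area 1 routes as an ABR like R0 in the guide would hold."""
    area1 = IPv4Network("172.21.0.0/16")
    routes = [
        IntraAreaRoute(IPv4Network("172.21.1.0/24"), 1),
        IntraAreaRoute(IPv4Network("172.21.3.0/24"), 2),
        IntraAreaRoute(IPv4Network("172.21.254.2/32"), 3),
        IntraAreaRoute(IPv4Network("172.22.9.0/24"), 5),  # outside the range
    ]
    auto, _ = originate_summaries(routes, area1)
    static, _ = originate_summaries(routes, area1, static_cost=100)
    flushed, rest = originate_summaries(routes, area1, static_cost=LS_INFINITY)
    return auto, static, flushed, rest


if __name__ == "__main__":
    for item in demo():
        print(item)
```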
hostname R0
line console
exec-timeout 0
exit
vlan 101-103
exit
ip routing
router ospf
router-id 10.10.10.10
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
terminal length 0
config
hostname R1
line console
exec-timeout 0
exit
vlan 101,104
exit
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.
ip routing
router ospf
router-id 2.2.2.2
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
vlan 102,104
exit
interface vlan 102
ip address 172.21.2.2 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.
vlan 103
exit
interface vlan 103
ip address 172.21.1.1 255.255.255.0
routing
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit

Discussion

With flood blocking disabled on all interfaces, sending a T3 summary LSA from R3 to R0 will cause R0 to forward the LSA on its interface to R1. Enabling flood blocking on R0's interface to R1 will inhibit this behavior.
Configuring OSPF VRFs

Dell Networking VRF is an implementation of Virtual Routing and Forwarding (VRF) for OSPF for IPv4 networks. Virtual Routing and Forwarding allows multiple independent instances of the forwarding plane to exist simultaneously. Refer to "VRF" on page 1273 for more information. VRF configuration follows the same steps as configuration for the default routing instance with two additional steps: creating the VRF instance and associating VLANs to the instance.
console(config-if-vlan100)#ip address 192.168.0.1 /24

Put the VLAN interface into the VRF:
console(config-if-vlan100)#ip vrf forwarding red
console(config-if-vlan100)#exit
Routing interface moved from Default router instance to red router instance.

Enable OSPF on the VRF, assign a network and enable OSPF for the VRF:
console(config)#router ospf vrf red
console(Config-router-vrf-red)#network 192.168.0.0 255.255.255.0 area 0
console(Config-router-vrf-red)#router-id 192.168.0.
36 VRF

Dell Networking N3000 and N4000 Series Switches

NOTE: This feature is not available on Dell Networking N1500/N2000 Series switches.

Virtual Routing and Forwarding (VRF) allows multiple independent instances of the forwarding plane to exist simultaneously. (The terms VRF, VRF instance, and virtual forwarding instance all refer to the same thing.) VRF allows the administrator to segment the network without incurring the costs of multiple routers. Each VRF instance operates as an independent VPN.
• ICMP echo reply configuration
• ICMP error interval configuration
VRF Resource Sharing

Hardware resources such as routes and ARP entries are shared between VRFs. If a VRF allocates the maximum routes supported by the system, no VRF will be able to add a new route.

VRF ARP Entries

There is no support to reserve ARP entries per VRF instance, as the system purges the least recently used ARP entry automatically. The maximum number of static ARP entries is enforced on a per VR instance basis.

VRF Route Entries

Routes are shared among the VR instances.
First, create the VLAN instances associated to the VRF. It is recommended that a VLAN numbering scheme be developed to allow for future growth and to assist in the easy recognition of which VLANs are associated to which VRFs.
NSF Restart Exit Reason........................ Not attempted
NSF Helper Support............................. Always
NSF Helper Strict LSA Checking.................
37 RIP

Dell Networking N1500, N2000, N3000, and N4000 Series Switches

This chapter describes how to configure Routing Information Protocol (RIP) on the switch. RIP is a dynamic routing protocol for IPv4 networks. The topics covered in this chapter include:
• RIP Overview
• Default RIP Values
• Configuring RIP Features (Web)
• Configuring RIP Features (CLI)
• RIP Configuration Example

RIP Overview

RIP is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network.
What Is Split Horizon?

RIP uses a technique called split horizon to avoid problems caused by including routes in updates sent to the router from which the route was originally learned. With simple split horizon, a route is not included in updates sent on the interface on which it was learned. In split horizon with poison reverse, a route is included in updates sent on the interface where it was learned, but the metric is set to infinity.
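The three split horizon modes described above, as an added example that is not part of the Dell guide: the update a router builds for one interface under each mode, plus the receiving side that adds the hop and treats metric 16 as unreachable (RFC 2453). Interface names and prefixes are constructed sample data modelled on the RIP configuration example's VLANs.

```python
"""Added example (not from the Dell guide): the RIP update a router builds
for one interface under each split horizon mode (none, simple, poison
reverse), and the receiving side that applies it. Interface names and
prefixes are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RIP_INFINITY = 16  # RIP "unreachable" metric


@dataclass
class RipRoute:
    prefix: str                 # e.g. "192.168.20.0/24"
    metric: int                 # hop count 1..15; 16 = unreachable
    learned_on: Optional[str]   # interface the route came in on; None if connected


def build_update(table: Dict[str, RipRoute], out_iface: str,
                 mode: str) -> List[Tuple[str, int]]:
    """Entries (prefix, metric) sent on out_iface under the given mode."""
    entries = []
    for route in table.values():
        if route.learned_on == out_iface:
            if mode == "simple":
                continue  # simple split horizon: omit the route entirely
            if mode == "poison-reverse":
                # include it, but as unreachable, so the neighbour never
                # believes this router is a way back to its own route
                entries.append((route.prefix, RIP_INFINITY))
                continue
        entries.append((route.prefix, route.metric))
    return entries


def receive_update(table: Dict[str, RipRoute], in_iface: str,
                   entries: List[Tuple[str, int]]) -> Dict[str, RipRoute]:
    """Apply a received update (RFC 2453 section 3.9.2, link cost 1)."""
    for prefix, metric in entries:
        new_metric = min(metric + 1, RIP_INFINITY)
        current = table.get(prefix)
        if current is None:
            if new_metric < RIP_INFINITY:
                table[prefix] = RipRoute(prefix, new_metric, in_iface)
        elif current.learned_on == in_iface:
            # Same next hop as before: always accept, even a worse or
            # poisoned (16) metric, so the route is withdrawn promptly.
            current.metric = new_metric
        elif new_metric < current.metric:
            table[prefix] = RipRoute(prefix, new_metric, in_iface)
    return table


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed table for a switch with VLANs 10 and 20, as in the RIP example."""
    table = {
        "192.168.10.0/24": RipRoute("192.168.10.0/24", 1, None),
        "192.168.20.0/24": RipRoute("192.168.20.0/24", 1, None),
    }
    # A neighbour on VLAN 20 advertises 192.168.200.0/24 one hop away.
    receive_update(table, "Vl20", [("192.168.200.0/24", 1)])
    # What this router now sends back out on VLAN 20 under each mode.
    return {mode: dict(build_update(table, "Vl20", mode))
            for mode in ("none", "simple", "poison-reverse")}


if __name__ == "__main__":
    for mode, update in demo().items():
        print(mode, update)
```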
Default RIP Values

RIP is globally enabled by default. To make it operational on the router, you configure and enable RIP for particular VLAN routing interfaces. Table 37-1 shows the global default values for RIP.

Table 37-1. RIP Global Defaults

Parameter                       Default Value
Admin Mode                      Enabled
Split Horizon Mode              Simple
Auto Summary Mode               Disabled
Host Routes Accept Mode         Enabled
Default Information Originate   Disabled
Default Metric                  None configured
Route Redistribution            Disabled for all sources.
Configuring RIP Features (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring RIP features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

RIP Configuration

Use the Configuration page to enable and configure or disable RIP in Global mode. To display the page, click Routing RIP Configuration in the navigation panel.

Figure 37-1.
RIP Interface Configuration

Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface. To display the page, click Routing RIP Interface Configuration in the navigation panel.

Figure 37-2.
RIP Interface Summary

Use the Interface Summary page to display RIP configuration status on an interface. To display the page, click Routing RIP Interface Summary in the navigation panel.

Figure 37-3.
RIP Route Redistribution Configuration

Use the Route Redistribution Configuration page to configure the RIP Route Redistribution parameters. The allowable values for each field are displayed next to the field. If any invalid values are entered, an alert message is displayed with the list of all the valid values. To display the page, click Routing RIP Route Redistribution Configuration in the navigation panel.

Figure 37-4.
RIP Route Redistribution Summary

Use the Route Redistribution Summary page to display Route Redistribution configurations. To display the page, click Routing RIP Route Redistribution Summary in the navigation panel.

Figure 37-5.
Configuring RIP Features (CLI)

This section provides information about the commands used for configuring RIP settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global RIP Settings

Beginning in Privileged EXEC mode, use the following commands to configure various global RIP settings for the switch.

NOTE: RIP is enabled by default. The Global RIP Settings are optional.
Configuring RIP Interface Settings

Beginning in Privileged EXEC mode, use the following commands to configure per-interface RIP settings.

Command / Purpose

configure
    Enter global configuration mode.

interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.

ip rip
    Enable RIP on the interface.

ip rip send version {rip1 | rip1c | rip2 | none}
    Configure the interface to allow RIP control packets of the specified version(s) to be sent.
Configuring Route Redistribution Settings

Beginning in Privileged EXEC mode, use the following commands to configure route redistribution settings.

Command / Purpose

configure
    Enter global configuration mode.

router rip
    Enter RIP configuration mode.

distribute-list static | connected}
    Specify the access list to filter routes received from the switch. For information about the commands used for configuring ACLs, see "Configuring ACLs (CLI)" on page 664.
Command / Purpose

redistribute ospf [metric metric] [match [internal] [external 1] [external 2] [nssa-external 1] [nssa-external 2]]
    Configure RIP to allow redistribution of routes from OSPF.
    • ospf — Specifies OSPF as the source protocol.
    • metric — Specifies the metric to use when redistributing the route. Range: 1-15.
    • internal — Adds internal matches to any match types presently being redistributed.
RIP Configuration Example

This example includes four Dell Networking N-Series switches that use RIP to determine network topology and route information. The commands in this example configure Switch A shown in Figure 37-6.

Figure 37-6. RIP Network Diagram

To configure the switch:

1 Enable routing on the switch.
console#config
console(config)#ip routing

2 Create VLANs 10, 20, and 30.
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#ip rip
console(config-if-vlan10)#ip rip receive version both
console(config-if-vlan10)#ip rip send version rip2
console(config-if-vlan10)#exit
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.1 255.255.255.
38 VRRP

Dell Networking N1500, N3000, and N4000 Series Switches

NOTE: This feature is not available on Dell Networking N2000 Series switches.

This chapter describes how to configure Virtual Router Redundancy Protocol (VRRP) on the switch. VRRP can help create redundancy on networks in which end-stations are statically configured with the default gateway IP address.
be configured. A given port may appear as more than one virtual router to the network; also, more than one port on a switch may be configured as a virtual router. With VRRP, a virtual router is associated with one or more IP addresses that serve as default gateways. In the event that the VRRP router controlling these IP addresses (formally known as the master) fails, the group of IP addresses and the default forwarding role are taken over by a Backup VRRP router.
What Is VRRP Accept Mode?

The accept mode allows the switch to respond to pings (ICMP Echo Requests) sent to the VRRP virtual IP address. The VRRP specification (RFC 3768) indicates that a router may accept IP packets sent to the virtual router IP address only if the router is the address owner. In practice, this restriction makes it more difficult to troubleshoot network connectivity problems.
With standard VRRP, the backup router takes over only if the master router goes down. With VRRP interface tracking, if a tracked interface goes down on the VRRP master, the priority decrement value is subtracted from the router priority. If the master router priority becomes less than the priority on the backup router, the backup router takes over. If the tracked interface comes back up, the value of the priority decrement is added back to the current router priority.
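The tracking and takeover behaviour described above, as an added example that is not part of the Dell guide: a model of effective VRRP priority under interface and route tracking and of who is master after each change, using the values from the later tracking example (Router B at priority 195, default decrement 10, preempt enabled). Router A's base priority of 200, its decrement of 20 for VLAN 25 and the interface addresses are constructed assumptions; the tie-break on higher address follows RFC 3768.

```python
"""Added example (not from the Dell guide): effective VRRP priority under
interface/route tracking and the resulting master election. Router A's
base priority (200), its VLAN 25 decrement (20) and the addresses are
constructed assumptions; Router B's 195 and the default decrement of 10
come from the guide's tracking example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

OWNER_PRIORITY = 255  # fixed priority of the virtual IP address owner


@dataclass
class VrrpRouter:
    name: str
    ip: str                      # interface address, used as tie-breaker
    priority: int                # configured priority (1-254, or 255 for the owner)
    preempt: bool = True
    tracked: Dict[str, int] = field(default_factory=dict)  # object -> decrement
    down: Set[str] = field(default_factory=set)           # tracked objects down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each tracked object
        that is down (added back when it recovers). Assumption: floored at 1."""
        loss = sum(dec for obj, dec in self.tracked.items() if obj in self.down)
        return max(1, self.priority - loss)


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(routers: List[VrrpRouter], current: Optional[str]) -> str:
    """Name of the master after priorities change.

    With no live master, the highest effective priority wins (ties: higher
    interface address, RFC 3768). A backup with a higher priority than the
    incumbent takes over only if preempt is enabled on that backup, which
    is what lets a recovered router regain the master role.
    """
    best = max(routers, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))
    incumbent = next((r for r in routers if r.name == current), None)
    if incumbent is None:
        return best.name
    if (best is not incumbent and best.preempt
            and best.effective_priority() > incumbent.effective_priority()):
        return best.name
    return incumbent.name


def demo() -> List[Tuple[str, str, int]]:
    """Timeline of (event, master, Router A effective priority)."""
    a = VrrpRouter("Router A", "192.168.10.1", 200,
                   tracked={"vlan25": 20, "192.168.200.0/24": 10})
    b = VrrpRouter("Router B", "192.168.10.2", 195)
    timeline: List[Tuple[str, str, int]] = []
    master: Optional[str] = None

    def step(event: str) -> None:
        nonlocal master
        master = elect_master([a, b], master)
        timeline.append((event, master, a.effective_priority()))

    step("initial")                                   # A 200 > B 195
    a.down.add("192.168.200.0/24"); step("route down")    # A 190 < 195: B takes over
    a.down.discard("192.168.200.0/24"); step("route up")  # A 200, preempts B
    a.down.update({"vlan25", "192.168.200.0/24"}); step("both down")  # A 170
    a.preempt = False
    a.down.clear(); step("recovered, no preempt")     # A 200 but B stays master
    return timeline


if __name__ == "__main__":
    for event, master, prio_a in demo():
        print(f"{event:>22}: master={master}, Router A priority={prio_a}")
```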
Default VRRP Values

Table 38-1 shows the global default values for VRRP.

Table 38-1.
Configuring VRRP Features (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VRRP features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

VRRP Configuration

Use the Configuration page to enable or disable the administrative status of a virtual router. To display the page, click Routing VRRP Configuration in the navigation panel.

Figure 38-1.
VRRP Virtual Router Status

Use the Router Status page to display virtual router status. To display the page, click Routing VRRP Router Status in the navigation panel.

Figure 38-2.
VRRP Virtual Router Statistics

Use the Router Statistics page to display statistics for a specified virtual router. To display the page, click Routing VRRP Router Statistics in the navigation panel.

Figure 38-3.
VRRP Router Configuration

Use the Configuration page to configure a virtual router. To display the page, click Routing VRRP Router Configuration Configuration in the navigation panel.

Figure 38-4.
VRRP Route Tracking Configuration

Use the Route Tracking Configuration page to view routes that are tracked by VRRP and to add new tracked routes. To display the page, click Routing VRRP Router Configuration Route Tracking Configuration in the navigation panel.

Figure 38-5. VRRP Route Tracking Configuration

Configuring VRRP Route Tracking

To configure VRRP route tracking:

1 From the Route Tracking Configuration page, click Add. The Add Route Tracking page displays.
Figure 38-6. Add Route Tracking

2 Select the virtual router ID and VLAN routing interface that will track the route.
3 Specify the destination network address (track route prefix) for the route to track. Use dotted decimal format, for example 192.168.10.0.
4 Specify the prefix length for the tracked route.
5 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked route becomes unreachable.
6 Click Apply to update the switch.
VRRP Interface Tracking Configuration

Use the Interface Tracking Configuration page to view interfaces that are tracked by VRRP and to add new tracked interfaces. To display the page, click Routing VRRP Router Configuration Interface Tracking Configuration in the navigation panel.

Figure 38-7. VRRP Interface Tracking Configuration

Configuring VRRP Interface Tracking

To configure VRRP interface tracking:

1 From the Interface Tracking Configuration page, click Add.
Figure 38-8. VRRP Interface Tracking Configuration

2 Select the virtual router ID and VLAN routing interface that will track the interface.
3 Specify the interface to track.
4 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked interface goes down.
5 Click Apply to update the switch.
Configuring VRRP Features (CLI)

This section provides information about the commands used for configuring VRRP settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring VRRP Settings

Beginning in Privileged EXEC mode, use the following commands to configure switch and interface VRRP settings.
Command / Purpose

vrrp vr-id timers {learn | advertise seconds}
    Configure the VRRP timer settings. Use the keyword learn to enable VRRP to learn the advertisement timer interval of the master router. Use the keyword advertise to set the frequency, in seconds, at which an interface on the specified virtual router sends a virtual router advertisement.

vrrp vr-id authentication {none | simple key}
    Set the authentication details for the virtual router configured on a specified interface.
VRRP Configuration Example

This section contains the following VRRP examples:
• VRRP with Load Sharing
• Troubleshooting VRRP
• VRRP with Route and Interface Tracking
• Configuring VRRP in a VRF

VRRP with Load Sharing

In Figure 38-9, two L3 Dell Networking N-Series switches are performing the routing for network clients. Router A is the default gateway for some clients, and Router B is the default gateway for other clients.

Figure 38-9.
This example configures two VRRP groups on each router. Router A is the VRRP master for the VRRP group with VRID 10 and the backup for VRID 20. Router B is the VRRP master for VRID 20 and the backup for VRID 10. If Router A fails, Router B will become the master of VRID 10 and will use the virtual IP address 192.168.10.1. Traffic from the clients configured to use Router A as the default gateway will be handled by Router B.

To configure Router A:

1 Enable routing for the switch.
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup

10 Enable the VRRP groups on the interface.
console(config-if-vlan10)#vrrp 10 mode
console(config-if-vlan10)#vrrp 20 mode
console(config-if-vlan10)#exit
console(config)#exit

The only difference between the Router A and Router B configurations is the IP address assigned to VLAN 10. On Router B, the IP address of VLAN 10 is 192.168.10.2.
8 Specify the IP address that the virtual router function will use. The router is the virtual IP address owner of this address, so the priority value is 255 by default.
console(config-if-vlan10)#vrrp 20 ip 192.168.10.1

9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup

10 Enable the VRRP groups on the interface.
VRRP with Route and Interface Tracking

In Figure 38-10, the VRRP priorities are configured so that Router A is the VRRP master, and Router B is the VRRP backup. Router A forwards IP traffic from clients to the external network through the VLAN 25 routing interface. The clients are configured to use the virtual IP address 192.168.10.15 as the default gateway.

Figure 38-10.
To configure Router A:

1 Enable routing for the switch.
console#config
console(config)#ip routing

2 Create and configure the VLAN routing interface to use as the default gateway for network clients. This example assumes all other routing interfaces, such as the interface to the external network, have been configured.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#exit

3 Enable VRRP for the switch.
10 Track the route to the 192.168.200.0 network. If it becomes unavailable, the priority of VRID 10 on Router A is decreased by 10, which is the default decrement priority value.
console(config-if-vlan10)#vrrp 10 track ip route 192.168.200.0/24
console(config-if-vlan10)#exit

Router B is the backup router for VRID 10. The configured priority is 195.
7 Enable preempt mode so that the router can regain its position as VRRP master if its priority is greater than the priority of the backup router.
console(config-if-vlan10)#vrrp 10 preempt

8 Enable the VRRP groups on the interface.
console(config-if-vlan10)#vrrp 10 mode
console(config-if-vlan10)#exit
console(config)#exit

Configuring VRRP in a VRF

In this example, a VRRP master is configured in VRF red-1. Interface gi1/0/1 on each of the VRRP peers is connected to the other switch.
10 Set the VRRP priority and accept pings:
console(config-if-vlan10)#vrrp 1 priority 1
console(config-if-vlan10)#vrrp 1 accept-mode
console(config-if-vlan10)#exit

11 Configure the physical interface as a VLAN 10 member:
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 10
console(config-if-Gi1/0/1)#exit

The following steps configure the companion VRRP peer:

1 Create a VLAN:
console#configure
console(config)#vlan 10
console(config-vlan)#exit

2 Create a VRF and ena
console(config-if-vlan10)#vrrp 1 priority 2
console(config-if-vlan10)#vrrp 1 accept-mode
console(config-if-vlan10)#exit

11 Configure the physical interface as a VLAN 10 member:
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 10
console(config-if-Gi1/0/1)#exit

For VRRP to become active, other interfaces need to be enabled for VLAN 10 so that the VRRP peers can establish connectivity to each other over those interfaces as well as over Gi1/0/1.
39 BGP

Dell Networking N3000 and N4000 Series Switches

NOTE: This feature is not available on Dell Networking N1500 and N2000 Series switches.

BGP is enabled on Dell Networking N3000 Series switches through use of the AGGREGATION ROUTER firmware. Border Gateway Protocol (BGP) is a standardized exterior gateway path-vector or distance-vector protocol. BGP makes routing decisions based upon paths and network policies configured by the administrator.
Table 39-1. BGP-Related Terms

Term   Definition
RTO    Routing Table Object. The common routing table, or "RIB," which collects routes from all sources (local, static, dynamic) and determines the most preferred route to each destination.
TCP    Transmission Control Protocol

Overview

BGP operates by establishing adjacencies (connections) with other BGP peers (routers). BGP peers are configured manually.
Dell Networking BGP supports the following RFCs in whole or in part as indicated:
• RFC 1997 – BGP Communities Attribute
• RFC 2385 – Protection of BGP Sessions via the TCP MD5 Signature Option
• RFC 2545 – Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
• RFC 2918 – Route Refresh Capability for BGP-4
• RFC 4271 – A Border Gateway Protocol 4 (BGP-4)
• RFC 4273 – Definitions of Managed Objects for BGP-4
• RFC 4456 – BGP Route Reflection: An Alternative to Full Mesh Internal BG
Autonomous Systems

Dell Networking BGP supports both exterior routing (eBGP) between autonomous systems (inter-AS) and interior routing within an AS (iBGP). Dell Networking BGP is suitable for use in enterprise and data center deployments. Dell Networking switches do not have sufficient capacity to hold a full Internet routing table. Dell Networking supports BGP version 4 with 2-byte Autonomous System Numbers (ASN).
Figure 39-1. BGP Decision Process
[Figure: Update RX → Adj-RIB-In → DEC PROC P1 (inbound policy, calc local pref) → Accept-RIB-In (also fed by network routes and redistributed routes that pass policy) → DEC PROC P2 (best route selection, next-hop resolution) → Loc-RIB, best route changes → DEC PROC P3 (outbound policy, incl.
Limiting Phase 2 CPU Usage In a network with a large number of prefixes, phase 2 of the decision process can consume a significant amount of time. If the BGP hold timers are configured to be shorter than the duration of the decision process, the timers can expire causing a loss of adjacency. If the decision process runs frequently, it may consume significant CPU resources, starving other processes. Two mechanisms mitigate these potential issues. First, a hold timer prevents phase 2 from running too often.
connect the peers but is not the peer's IP address. Otherwise, Dell Networking BGP sets the NEXT_HOP path attribute to the local IP address on the interface to the peer. Dell Networking BGP does not support "first party" next hop. Dell Networking does not allow the network operator to disable third-party next hop. Dell Networking does not support multihop eBGP. (RFC 4271 section 5.1.
BGP Finite State Machine (FSM) Dell Networking BGP supports all mandatory FSM session attributes and the following optional session attributes (RFC 4271 section 8): • AllowAutomaticStart—Connections are automatically restarted after an error closes a connection. An adjacency to an external peer in the IDLE state is automatically started if the routing interface to that peer comes up. An adjacency to an internal peer in the IDLE state is automatically started when the peer's IP address becomes reachable.
Dell Networking BGP supports manual start and stop events. A manual start event occurs when the user first configures a peer (neighbor remote-as) or administratively enables a peer (no neighbor shutdown). A manual stop event occurs when the user administratively disables a neighbor (neighbor shutdown). Of the optional events in RFC 4271 section 8.1.2 - 8.1.
Detecting Loss of Adjacency Dell Networking optionally drops an adjacency with an external peer when the routing interface to that peer goes down. This behavior can be enabled globally or on specific interfaces using the bgp fast-external-fallover and ip bgp fast-external-fallover commands. BGP accomplishes this behavior by listening to router events.
the adjacency to the unreachable neighbor is no longer ESTABLISHED, and if an UPDATE is sent to the neighbor's update group, BGP does not try to send to the failed neighbor. When the failed adjacency is reestablished, BGP resends all routing information to the neighbor. Both internal and external fallover should happen within a second of the loss of reachability. Enabling fast fallover should relax the need to set a short hold time and send KEEPALIVE messages rapidly.
peer session (if the network administrator activates IPv6 on the peer session) and in an IPv6 update group for an IPv6 peer session. Such a configuration is probably a misconfiguration. BGP will send IPv6 NLRI to the neighbor twice. BGP assigns peers to update groups automatically. The Dell Networking UI has no configuration associated with update groups and the UI does report update group membership. Removing Private AS Numbers An organization may use private AS numbers internally.
Session parameters that may be configured in a template are as follows:

Table 39-2. Configurable Session Parameters in BGP Peer Templates

Parameter               Description
allowas-in              Accept routes with my ASN in the AS_PATH.
connect-retry-interval  Configure the connection retry interval for the peer.
description             Configure a description for the peer.
ebgp-multihop           Allow eBGP neighbors that are not directly connected.
fall-over               Configure fast fall-over.
local-as                Configure local-as.
Table 39-3. Session Parameters in BGP Peer Templates—Configurable Per-Address Family

Parameter               Description
remove-private-as       Remove private ASNs from the AS_PATH when sending to inheriting peers.
route-map               Configure a route map for the peer.
route-reflector-client  Configure the peer as a route reflector client.
send-community          Configure this peer to send BGP communities.

Resolving Interface Routes
In Dell Networking, the next hop of a route is always a set of next-hop IP addresses.
routes. Delay and hold timers limit how often phase 2 of the decision process runs. This phase 2 dampening limits route origination, as does IP event dampening when interface flaps would otherwise cause rapid origination. BGP originates a default route to all neighbors if the default-information originate command is given and the default route is among the routes BGP redistributes.
• origin • MED • IGP distance to the BGP next hop Dell Networking BGP does not require ECMP next hops to be in a common AS. This behavior is enabled by default. To disable this behavior, use the no bgp always-compare-med command. When advertising to neighbors, BGP always advertises the single best path to each destination prefix, even if BGP has an ECMP route to a destination. NOTE: The maximum ECMP width is limited by the chosen SDM template.
A BGP NEXT_HOP can resolve to an ECMP IGP route. When BGP is configured to allow ECMP iBGP routes, the BGP NEXT_HOP resolves to multiple next hops. BGP retains up to the number of resolved next hops allowed for an iBGP route. For example, in Figure 39-2, R4 receives an iBGP route from internal peer R1. The BGP NEXT_HOP of this path resolves to an ECMP OSPF route through R2 and R3.
Figure 39-3. Combining iBGP Routes
[Figure: routers R1 through R5 in AS1 connected by OSPF, with R1 and R4 also iBGP peers; external routers R100, R200 and R300 attached via eBGP]

Address Aggregation
Dell Networking BGP supports address aggregation. The network administrator can configure up to 128 aggregate addresses. BGP compares active prefixes in the local RIB to the set of aggregate addresses. To be considered a match for an aggregate address, a prefix must be more specific (i.e., have a longer prefix length) than the aggregate address.
adds a discard route to RTO with prefix and network mask equal to those defined for the aggregate address. Aggregate addresses apply to both locally-originated routes and routes learned from peers. Address aggregation is done prior to application of outbound policy. Thus, an active aggregate may be advertised to a neighbor even if the outbound policy to the neighbor filters all of the aggregate's more-specific routes (but permits the aggregate itself).
• If the individual routes have communities and the aggregate does not have the ATOMIC_AGGREGATE attribute set, the aggregate is advertised with the union of the communities from the individual routes. If the aggregate carries the ATOMIC_AGGREGATE attribute, the aggregate is advertised with no communities.
Dell Networking BGP never aggregates paths with unknown attributes. By default, Dell Networking BGP does not aggregate paths with different MEDs, but there is a configuration option to allow this.
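The aggregation rules above (strictly more-specific contributors, a discard route for the aggregate, no aggregation across unknown attributes, MED agreement unless overridden, and union-of-communities versus ATOMIC_AGGREGATE), together with the RFC 1997 well-known communities NO_EXPORT and NO_ADVERTISE that decide whether the result may be sent to a given peer, are worked through in the following Python example. It is an added illustration written for this page, not Dell Networking code or output: the `Path` and `Aggregate` types, the Loc-RIB contents and the community values are constructed, and treating mixed MEDs as "do not form the aggregate" is an interpretation of the text above.

```python
"""BGP address aggregation worked through (added example, not switch code).

Rules implemented, as described in the text above:
  * a prefix contributes only if it is strictly more specific than the aggregate
  * paths carrying unknown attributes are never aggregated
  * paths with different MEDs are aggregated only when explicitly allowed
    (interpreted here as: without that option the aggregate is not formed)
  * the aggregate carries the union of its contributors' communities, or none
    at all when ATOMIC_AGGREGATE is set
  * an active aggregate installs a discard route for its prefix in RTO
All routes and community values below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# RFC 1997 well-known communities, honoured when advertising
NO_EXPORT = 0xFFFFFF01      # never sent to an external (eBGP) peer
NO_ADVERTISE = 0xFFFFFF02   # never sent to any peer


@dataclass(frozen=True)
class Path:
    prefix: IPv4Network
    med: int = 0
    communities: frozenset = frozenset()
    unknown_attrs: bool = False   # path carries an attribute we cannot interpret


@dataclass(frozen=True)
class Aggregate:
    prefix: IPv4Network
    atomic: bool = False              # advertise with ATOMIC_AGGREGATE set
    allow_med_mismatch: bool = False  # the "aggregate paths with different MEDs" option


def contributors(agg, loc_rib):
    """Active prefixes strictly more specific than (longer than) the aggregate."""
    return [p for p in loc_rib
            if p.prefix.prefixlen > agg.prefix.prefixlen
            and p.prefix.subnet_of(agg.prefix)]


def build_aggregate(agg, loc_rib):
    """Return (advertised aggregate Path, discard route) or (None, None) if inactive."""
    paths = [p for p in contributors(agg, loc_rib) if not p.unknown_attrs]
    if not paths:
        return None, None
    meds = {p.med for p in paths}
    if len(meds) > 1 and not agg.allow_med_mismatch:
        return None, None
    if agg.atomic:
        comms = frozenset()
    else:
        comms = frozenset().union(*(p.communities for p in paths))
    advertised = Path(agg.prefix, med=min(meds), communities=comms)
    discard_route = ("discard", agg.prefix)   # what RTO receives for the aggregate
    return advertised, discard_route


def advertise_to(path, peer_is_external):
    """Outbound check for the RFC 1997 well-known communities."""
    if NO_ADVERTISE in path.communities:
        return False
    if NO_EXPORT in path.communities and peer_is_external:
        return False
    return True


# Constructed Loc-RIB: two contributors to 10.1.0.0/16, one tagged NO_EXPORT,
# an equal-length route that must not contribute, and an unrelated prefix.
LOC_RIB = [
    Path(ip_network("10.1.1.0/24"), med=10, communities=frozenset({0x00010001})),
    Path(ip_network("10.1.2.0/24"), med=10, communities=frozenset({NO_EXPORT})),
    Path(ip_network("10.1.0.0/16"), med=10),
    Path(ip_network("10.2.0.0/24"), med=10),
]
AGG = Aggregate(ip_network("10.1.0.0/16"))

if __name__ == "__main__":
    adv, discard = build_aggregate(AGG, LOC_RIB)
    print(adv, discard)
    print("send to eBGP peer:", advertise_to(adv, peer_is_external=True))
    print("send to iBGP peer:", advertise_to(adv, peer_is_external=False))
```

Note the consequence for the security of an aggregate: because one contributor carries NO_EXPORT and the aggregate inherits the union of communities, the aggregate is withheld from external peers; setting ATOMIC_AGGREGATE strips that protection along with every other community, so it is worth checking what an aggregate actually advertises after changing that option.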
Inbound Policy An inbound policy is a policy applied to UPDATE messages received from peers.
When processing list terms, a match for any term indicates a match and processing stops. Routing Policy Changes When the user makes a routing policy configuration change, Dell Networking BGP automatically applies the new policy. Like any other configuration change, routing policy changes are immediately saved in the running configuration, as soon as the user enters the command.
At startup, when the saved configuration is applied, there could potentially be a lot of churn to outbound update groups and filtering of routing information. This startup churn is avoided by keeping BGP globally disabled until after the entire configuration is applied and the status of all routing interfaces is known. BGP Timers Dell Networking BGP supports the five mandatory timers described in RFC 4271 section 10.
Communities
Dell Networking BGP supports BGP standard communities as defined in RFC 1997. Dell Networking supports community lists for matching routes based on community, and supports matching and setting communities in route maps. Dell Networking BGP recognizes and honors the following well-known communities (RFC 1997):
• NO_EXPORT—A route carrying this community is not advertised to external peers.
• NO_ADVERTISE—A route carrying this community is not advertised to any peer.
in this state, BGP periodically checks if there is space available in the BGP routing table, and if so, runs phase 2. When space becomes available in the BGP routing table, these routes are added. RTO Full Condition If BGP computes a new route but the routing table does not accept the route because it is full, BGP flags the route as one not added to RTO. BGP periodically tries to add these routes to RTO. BGP will continue to advertise the best routes to neighbors, even if they are not added to RTO.
For this reason, if a route reflector client has an outbound neighbor routemap configured, the set statements in the route map are ignored. VRF Support Dell Networking switches that support BGP and VRFs also support BGP in VRFs. When configured in a VRF, BGP runs independent sessions to neighbors in the VRF and forwards independently.
Extended Community Attribute Structure
Each Extended Community attribute has a path attribute type code of 16 and is encoded as an 8-octet value. The first 2 octets are the type field and the remaining 6 octets contain the value of the attribute. Type values from 0 through 0x7FFF are assigned by IANA and values from 0x8000 through 0xFFFF are vendor-specific.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Global Administrator (cont.) |      Local Administrator      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The value of the high-order octet of this extended type is either 0x01 (transitive) or 0x41 (non-transitive). The low-order octet of this extended type is used to indicate sub-types.
Route Origin Community Attribute The Route Origin Community attribute identifies one or more routers that advertise routes via BGP. The attribute is transitive across Autonomous System boundaries. The Route Origin Community attribute is used to prevent routing loops when BGP speakers are multi-homed to another site and that site uses the AS-Override feature.
If two VRFs use the same IPv4 address prefix, the router translates these into unique VPN-IPv4 address prefixes by prepending the RD (configured per VRF) to the address. The purpose of the RD is to allow the router to install unique routes with an identical IPv4 address prefix. The structuring of the RD provides no semantics. When BGP compares two such addresses, it ignores the RD structure completely and compares it as a 12-byte entity. It is recommended that each VPN within a site utilize a unique RD.
A VRF may be configured to associate all the routes that belong to the VRF with a particular Route Target attribute. Dell Networking allows a finer selection of routes with the use of Export and Import maps. Export and Import maps provides greater flexibility to the administrator where she can associate some routes of a VRF with a particular Route Target attribute and some other routes with a different Route Target attribute.
In order for two BGP speakers to exchange labeled VPN-IPv4 NLRI, they must use the BGP Capabilities Advertisement (in the OPEN message) to ensure that they both are capable of properly processing VPN-IPv4 NLRI. This is done by using capability code 1 (multiprotocol BGP), with an AFI of 1 and an SAFI of 128. The VPNv4 NLRI is encoded as specified in the above sections, where the prefix consists of an 8-byte RD followed by an IPv4 prefix.
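To make the byte layouts of the preceding subsections concrete, the following Python example encodes and decodes the 8-octet Route Distinguisher, the 8-octet Extended Community in its Route Target and Route Origin forms (including the 0x01 transitive and 0x41 non-transitive IPv4-administrator types), the 12-byte VPN-IPv4 address that BGP compares, and a labeled VPN-IPv4 NLRI as carried under AFI 1 / SAFI 128. It is an added example, not Dell Networking code or output; the ASNs, addresses and label values are constructed, and the label stack entry is encoded as in RFC 3107 (20-bit label, 3 EXP bits, bottom-of-stack bit set).

```python
"""RD, Extended Community and labeled VPN-IPv4 NLRI encoders/parsers.
Added example with constructed values; not Dell Networking code or output."""
import struct
from ipaddress import IPv4Address, IPv4Network

# Extended community type field: high-order octet selects the administrator
# format (plus the 0x40 non-transitive bit), low-order octet the sub-type.
TYPE_TWO_OCTET_AS = 0x00      # Global Administrator is a 2-byte ASN
TYPE_IPV4_ADDR = 0x01         # Global Administrator is an IPv4 address
NON_TRANSITIVE = 0x40
SUBTYPE_ROUTE_TARGET = 0x02
SUBTYPE_ROUTE_ORIGIN = 0x03


def encode_rd(admin, assigned):
    """Route Distinguisher (RFC 4364): type 0 = ASN:number, type 1 = IPv4:number."""
    if isinstance(admin, int):
        return struct.pack("!HHI", 0, admin, assigned)
    return struct.pack("!H4sH", 1, IPv4Address(admin).packed, assigned)


def decode_rd(data):
    rd_type = struct.unpack("!H", data[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", data[2:8])
        return f"{asn}:{num}"
    addr, num = struct.unpack("!4sH", data[2:8])
    return f"{IPv4Address(addr)}:{num}"


def encode_ext_community(admin, local, subtype=SUBTYPE_ROUTE_TARGET, transitive=True):
    """8-octet Extended Community (RFC 4360) with a 2-byte-AS or IPv4 administrator."""
    high = TYPE_TWO_OCTET_AS if isinstance(admin, int) else TYPE_IPV4_ADDR
    if not transitive:
        high |= NON_TRANSITIVE
    if isinstance(admin, int):
        return struct.pack("!BBHI", high, subtype, admin, local)
    return struct.pack("!BB4sH", high, subtype, IPv4Address(admin).packed, local)


def decode_ext_community(data):
    """Return (kind, 'administrator:local', transitive)."""
    high, subtype = data[0], data[1]
    kind = {SUBTYPE_ROUTE_TARGET: "RT", SUBTYPE_ROUTE_ORIGIN: "SoO"}.get(subtype, hex(subtype))
    transitive = not (high & NON_TRANSITIVE)
    if high & 0x3F == TYPE_TWO_OCTET_AS:
        asn, local = struct.unpack("!HI", data[2:8])
        return kind, f"{asn}:{local}", transitive
    addr, local = struct.unpack("!4sH", data[2:8])
    return kind, f"{IPv4Address(addr)}:{local}", transitive


def vpn_ipv4_address(rd, prefix):
    """The 12-byte VPN-IPv4 address BGP compares: RD followed by the IPv4 prefix."""
    return rd + IPv4Network(prefix).network_address.packed


def encode_vpnv4_nlri(label, rd, prefix):
    """Length (bits) | label stack entry (3 octets, BoS set) | RD | prefix octets."""
    net = IPv4Network(prefix)
    prefix_octets = (net.prefixlen + 7) // 8
    label_entry = ((label << 4) | 0x1).to_bytes(3, "big")   # EXP = 0, BoS = 1
    length_bits = 24 + 64 + net.prefixlen
    return bytes([length_bits]) + label_entry + rd + net.network_address.packed[:prefix_octets]


def decode_vpnv4_nlri(data):
    """Inverse of encode_vpnv4_nlri; returns (label, 'rd', 'prefix/len')."""
    prefixlen = data[0] - 88
    label = int.from_bytes(data[1:4], "big") >> 4
    rd = decode_rd(data[4:12])
    prefix_octets = (prefixlen + 7) // 8
    addr = data[12:12 + prefix_octets].ljust(4, b"\x00")
    return label, rd, f"{IPv4Address(addr)}/{prefixlen}"


if __name__ == "__main__":
    rd_red = encode_rd(65000, 1)
    print(decode_rd(rd_red), encode_ext_community(65000, 99).hex())
    print(decode_vpnv4_nlri(encode_vpnv4_nlri(16, rd_red, "172.16.2.0/24")))
    # Same IPv4 prefix in two VRFs yields two distinct 12-byte VPN-IPv4 addresses.
    print(vpn_ipv4_address(rd_red, "10.0.0.0/24") != vpn_ipv4_address(encode_rd(65000, 2), "10.0.0.0/24"))
```

The transitive bit matters for the Route Origin case in the text: a non-transitive (0x41) Site-of-Origin value is dropped at an AS boundary, so the loop prevention it provides only holds where the attribute is encoded as transitive.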
IPv6 prefixes can be originated through route redistribution or a network command. Both can be configured with a route map to set path attributes. BGP can also originate an IPv6 default route. Default-origination can be neighbor-specific. IPv6 routes can be filtered using prefix lists, route maps with community lists, and using AS path access lists. BGP can compute IPv6 routes with up to 16 ECMP next hops.
the NEXT_HOP to one of its own global addresses before forwarding routes from an external peer with a link-local address (or the implementation must do this automatically). A primary consideration in using link-local addresses is the user interface. With IPv4 addresses and global IPv6 addresses, the user interface simply identifies the neighbor by IP address:

router bgp 1
 neighbor 10.1.1.1 remote-as 100
 neighbor 10.1.1.
configuration of the specific neighbors is time-consuming and error-prone, and where security concerns are lessened by the closed nature of the network. Configuration includes the address range on which to listen and, optionally, a peer template from which the neighbor's properties may be inherited. Because a listen range accepts a session from any address within it, keep the range no wider than the subnet that actually holds the peers and protect dynamically accepted sessions as you would statically configured neighbors (for example, with the TCP MD5 signature option of RFC 2385 listed above). Because Dell Networking routing is configured on routed VLANs, dynamic neighbor peering must never be configured on a multiaccess VLAN.
R3(config)#router bgp 5500
R3(config-router)#bgp log-neighbor-changes

7 The router ID is required.

R3(config-router)#bgp router-id 11.11.11.11

8 Set the listen range to the local routed interface subnet and use template T1.

R3(config-router)#bgp listen range 192.168.100.0/24 inherit peer T1

9 Configure template T1 to indicate an IGP peer.
Network Address of Next Hop When advertising IPv6 routes, the Network Address of Next Hop field in MP_REACH_NLRI is set according to RFC 2545. Under conditions specified in this RFC, both a global and a link local next-hop address may be included. The primary purpose of the global address is an address that can be readvertised to internal peers. The primary purpose of the link local address is for use as the next hop of routes.
Alternatively, the network administrator can configure inbound policy on the receiver to set IPv6 next hops.

BGP Limitations
Dell Networking BGP does not support configuration via the Web interface. Dell Networking supports the following RFCs with the exceptions listed in Table 39-4:

Table 39-4. BGP Limitations

Description                                                          Source                  Compliance
A BGP speaker MUST be able to support the disabling advertisement    RFC 4271 section 5.1.
Table 39-4. BGP Limitations (Continued)

Description                                                          Source                  Compliance
Dell Networking BGP can only be configured through the CLI. SNMP     Dell Networking
support is limited to the standard MIB, which primarily provides     requirement
status reporting, and a proprietary MIB which provides additional
status variables. Configuration through SNMP is not supported.
BGP Configuration Examples
This section includes the following configuration examples:
• Enabling BGP
• BGP Example
• Network Example
• BGP Redistribution of OSPF Example
• Configuring the Multi-Exit Discriminator in BGP Advertised Routes
• Configuring Communities in BGP
• Configuring a Route Reflector
• Campus Network MP-BGP and OSPF Configuration
• Configuring MP-eBGP and Extended Communities

Enabling BGP
The following are rules to remember when enabling BGP:
• IP routing must be enable
BGP Example This example configures iBGP between two routers using the same AS and each using their own loopback address as update-source. Router A Configuration On a router, a loopback interface is created and assigned an IP address. The router ID is assigned (the same IPv4 address as the loopback interface) and the IPv4 address of the neighbor (Router B IP address) is assigned. Finally, the neighbor's update source is assigned to the local loopback interface.
Network Example The following configuration uses the network command to inject received iBGP routes into the BGP routing table. The network mask allows subnetting and super-netting. An alternative to the network command is to use the redistribute command. Interface Gi1/0/1 is configured as a member of VLAN 10, VLAN 10 is assigned an IP address, IP routing is enabled, and BGP router 65001 is created with a router ID of 129.168.1.254. A static subnet route 129.168.0.X is created for VLAN 10.
BGP Redistribution of OSPF Example The following configuration uses the redistribute command to inject received eBGP routes into the BGP routing table. Interface Te1/0/1 is configured in trunk mode with a native VLAN 10 and VLAN 10 is assigned an IP address with a /30 subnet. BGP fast fallover is enabled for VLAN 10. IP routing is enabled and a default route is configured that points to the neighbor router. BGP router 3434 is created with a router ID of 172.16.64.1. An eBGP neighbor 216.31.219.
Configuring the Multi-Exit Discriminator in BGP Advertised Routes The following example configures an egress routing policy that sets the metric for matching routes. In the example, VLAN 10 is created, followed by an access list matching directly connected source address 5.5.5.x for which the metric will be injected into the advertised routes. A route map “Inject-MED” is created. This route map sets the match criteria as ACL MED-Hosts and configures the metric for matching routes to be 100.
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#network 129.168.0.0 mask 255.255.0.0 route-map Inject-MED
console(config-router)#redistribute connected
console(config-router)#exit

Configuring Communities in BGP
The following example configures an egress routing policy that sets the community attribute for matching routes. In the example, VLAN 10 is created, followed by an access list Comm-Hosts matching directly connected source address 5.5.5.
console(config-if-loopback0)#ip address 129.168.1.254 /24
console(config-if-loopback0)#exit
console(config)#ip routing
console(config)#router bgp 65001
console(config-router)#bgp router-id 129.168.1.254
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#neighbor 129.168.0.254 send-community
console(config-router)#neighbor 129.168.0.
This iBGP neighbor is designated a route reflector client. Other iBGP neighbors can be configured as route reflector clients in order to reduce the explosion of neighbor configuration required to implement a full-mesh iBGP network.

console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#neighbor 129.168.0.254 update-source loopback 0
console(config-router)#neighbor 129.168.0.
Campus Network MP-BGP and OSPF Configuration
Consider the topology below, which is a subset of what might be found on a small campus. This network serves three customers (Red, Green, and Blue). The Internet connection to the outside world is hosted on router S1. Router S2 hosts the Red and Green networks. Router S3 hosts the Red and Blue networks. A common service is supplied over the 192.168.99.0/24 network.

Figure 39-4. Campus Network MP-BGP and OSPF Configuration
[Figure: S1 with Lo1 – 192.168.99.1/24, Lo16 – 172.16.
Four VRFs are created on S1. Each VRF is assigned a unique route distinguisher (RD). The RDs utilized here are taken from the private ASN address space. Three of the VRFs are assigned to the Red, Green, and Blue networks and the last VRF is utilized for the common service. We use a loopback on S1 to emulate the common service network instead of a VLAN and physical interface. The VRF configuration on the loopback is identical to the case of a VLAN and physical interface.
6 Create VRF Red, import the common service, and export the Red network.

S1(config)#ip vrf Red
S1(config-ip-vrf-Red)#rd 65000:1
S1(config-ip-vrf-Red)#route-target export 65000:1
S1(config-ip-vrf-Red)#route-target import 65000:99
S1(config-ip-vrf-Red)#exit

7 Create VRF Shared, import the Red and Green networks, and export the common service.
12 Associate the Red VRF with a VLAN routed interface.

S1(config)#interface vlan 16
S1(config-if-vlan16)#ip vrf forwarding Red
S1(config-if-vlan16)#ip address 172.16.0.1 255.255.255.0
S1(config-if-vlan16)#exit

13 Associate the Green VRF with a VLAN routed interface.

S1(config)#interface vlan 17
S1(config-if-vlan17)#ip vrf forwarding Green
S1(config-if-vlan17)#ip address 172.17.0.1 255.255.255.0
S1(config-if-vlan17)#exit

14 Associate the Blue VRF with a VLAN routed interface.
Next, configure OSPF to exchange routes with the other routers. OSPF runs in the VRFs and area 0 is used within each VRF. Each VRF is configured to redistribute the BGP subnets advertised by S1.

1 Configure router Blue.
S1(config)#router ospf vrf "Blue"
2 A router ID is required.
S1(config-router-vrf-Blue)#router-id 172.18.0.1
3 Configure the network as 'don't care'. A non-zero IP address is required.
S1(config-router-vrf-Blue)#network 172.18.0.0 255.255.255.255 area 0
4 Redistribute BGP subnets.
Next, assign the VRF-associated VLANs to the interfaces connected to the rest of the Red, Green, and Blue networks:

1 Configure the S1-S2 trunk.
S1(config)#interface Gi1/0/13
S1(config-if-Gi1/0/13)#switchport mode trunk
S1(config-if-Gi1/0/13)#switchport trunk allowed vlan 1,16-17
S1(config-if-Gi1/0/13)#exit
2 Configure the S1-S3 trunk.
7 Emulate a network in the Green VRF. The loopback network can be replaced with a VLAN-routed interface.
S2(config)#interface loopback 17
S2(config-if-loopback17)#ip vrf forwarding Green
S2(config-if-loopback17)#ip address 172.17.2.1 255.255.255.0
S2(config-if-loopback17)#exit
8 Create a VLAN routed interface to router S1 for VRF Red.
S2(config)#interface vlan 16
S2(config-if-vlan16)#ip vrf forwarding Red
S2(config-if-vlan16)#ip address 172.16.0.2 255.255.255.
4 Enable routing.
S3(config)#ip routing
5 Emulate the Red network using a loopback.
S3(config)#interface loopback 16
S3(config-if-loopback16)#ip vrf forwarding Red
S3(config-if-loopback16)#ip address 172.16.3.1 255.255.255.0
S3(config-if-loopback16)#exit
6 Emulate the Blue network using a loopback.
S3(config)#interface loopback 18
S3(config-if-loopback18)#ip vrf forwarding Blue
S3(config-if-loopback18)#ip address 172.18.3.1 255.255.255.0
S3(config-if-loopback18)#exit
7 Assign VLANs to the VRFs.
This is a very simple OSPF configuration for each of the routers. In this case, a loopback is used to emulate an OSPF-connected interface. If an actual VLAN-routed interface is used, declare it a passive interface in the OSPF configuration. For router S2, VRFs Green and Red are configured.

1 Create an OSPF instance for VRF Green.
S2(config)#router ospf vrf "Green"
2 Router ID is required.
S2(config-router-vrf-Green)#router-id 172.17.0.99
3 Network is all 'don't care'.
OSPF on S3 is configured similarly to S2 with VRFs Red and Blue:

1 Create OSPF sessions in each VRF. Assign area 0. Router ID assignment is required.
S3(config)#router ospf vrf "Blue"
S3(config-router-vrf-Blue)#router-id 172.18.0.99
S3(config-router-vrf-Blue)#network 172.18.0.0 255.255.255.255 area 0
S3(config-router-vrf-Blue)#exit
S3(config)#router ospf vrf "Red"
S3(config-router-vrf-Red)#router-id 172.16.0.98
S3(config-router-vrf-Red)#network 172.16.0.0 255.255.255.
The VRFs should all have full connectivity.

S1#show ip route vrf Red
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel
             S - Static, B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
             S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *172.16.0.0/24
C *172.16.1.0/30
O *172.16.2.0/24
O *172.
To provision MP-BGP to distribute routes for the shared service, on S1 configure a loopback to emulate the common service network:

1 Set a loopback for the BGP router.
S1(config)#interface loopback 0
S1(config-if-loopback0)#ip address 192.0.2.1 255.255.255.255
S1(config-if-loopback0)#exit

Next, configure a BGP router and allow route redistribution to occur. Configuration of the router ID is required.

2 Configure a BGP router.
Verify that BGP maintains routes for each of the VRFs. The common service VRF "Shared" is exported via route-target 65000:99 and imported into the Red and Green VRFs.

S1(config-router)#show ip bgp vpnv4 all
BGP table version is 0, local router ID is 192.0.2.1
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
-------------------
Route Distinguisher
*>i 172.18.0.
The best routes are placed into the route table in each of the VRFs. VRF Blue does not import or export any routes and does not have access to the common services.
S1#show ip route vrf Blue
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel
             S - Static, B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
             S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *172.18.0.0/24
C *172.18.1.0/30
O *172.18.3.0/24
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C    *172.16.0.0/24   [0/0]    directly connected,
O    *172.16.1.0/30   [110/11] via 172.16.0.1,
O    *172.16.2.0/24   [110/11] via 172.16.0.2,
C    *172.16.3.0/24   [0/0]    directly connected,
O E2 *192.168.99.0/24 [110/1]  via 172.16.0.
Configuring MP-eBGP and Extended Communities
In this configuration, router R1 is connected to router R2 (via VLAN 100 on Gi1/0/13) and router R3 (via VLAN 200 on Gi1/0/16). Router R1 (AS 5500) and R2 (AS 6500) communicate via MP-eBGP. Routers R1 and R3 are both in AS 5500 and form an iBGP relationship. R3's purpose in this configuration is to show that routes received from R2 are redistributed within the IGP, and to inject routes into the IGP.
R1(config-if-Gi1/0/16)#switchport access vlan 200
R1(config-if-Gi1/0/16)#exit
7 Configure the BGP router.
R1(config)#router bgp 5500
R1(config-router)#bgp log-neighbor-changes
8 Configure the router ID.
R1(config-router)#bgp router-id 10.10.10.10
9 This router advertises the 192.168.100.0/24 network.
R1(config-router)#network 192.168.100.0 mask 255.255.255.0
10 Redistribute connected routes (10.10.10.10/32).
R1(config-router)#redistribute connected
11 Configure the R2 neighbor.
3 Disable domain lookup and enable IP routing.
R2(config)#no ip domain-lookup
R2(config)#ip routing
4 Create a loopback for the BGP router.
R2(config)#interface loopback 0
R2(config-if-loopback0)#ip address 20.20.20.20 255.255.255.255
R2(config-if-loopback0)#exit
5 Create a loopback to emulate a subnet in the VRF. This could be assigned to a real VLAN.
R2(config)#interface loopback 1
R2(config-if-loopback1)#ip vrf forwarding WAN
R2(config-if-loopback1)#ip address 30.30.30.30 255.255.255.
R2(config-router-af)#redistribute static
R2(config-router-af)#exit
13 Advertise the VPNv4 routes (30.30.30.0/24). These routes are transmitted with the extended community attribute (2020:1).
R2(config-router)#address-family vpnv4 unicast
R2(config-router-af)#neighbor 172.16.10.1 send-community both
R2(config-router-af)#neighbor 172.16.10.1 activate
R2(config-router-af)#exit
R2(config-router)#exit
R2(config)#exit

Router R3 Configuration
1 Configure a VLAN for connection to R1.
R3(config-router)#neighbor 192.168.100.10 remote-as 5500
9 Redistribute connected and static routes.
R3(config-router)#redistribute connected
R3(config-router)#redistribute static
R3(config-router)#exit
R3(config)#exit
R3#exit

Discussion
Verify that the routes on R2 are being distributed to R1 and R3. This shows the R2 BGP and routing tables.
B *192.168.100.0/24 [20/0] via 172.16.10.1, Vl100

This is the resulting R1 routing table.

R1#show ip route
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel
             S - Static, B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
             S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *10.
20.20.20.20/32     172.16.10.2     6500 ?
30.30.30.0/24      172.16.10.2     6500 ?

Use the routes option to display routes received from R2.

R1#show ip bgp neighbors 172.16.10.2 routes
Local router ID is 10.10.10.10
Origin codes: i - IGP, e - EGP, ? - incomplete
Network            Next Hop         Metric     LocPref
------------------ ---------------- ---------- ----------
172.16.10.0/24     172.16.10.2
20.20.20.20/32     172.16.10.2
30.30.30.0/24      172.16.10.
40 Bidirectional Forwarding Detection Dell Networking N3000 and N4000 Series Switches NOTE: This feature is not available on Dell Networking N1500 and N2000 Series switches. Bidirectional Forwarding Detection (BFD) provides a lightweight fast failure detection mechanism to verify bidirectional connectivity between forwarding engines, which may be a single hop or multiple hops away from each other.
periodically and, if one stops receiving peer packets within the detection time limit, it considers the bidirectional path to have failed. It then notifies the application protocol of this failure. BFD allows each device to estimate how quickly it can send and receive BFD packets to agree with its neighbor upon how fast detection of failure may be performed. BFD operates between two devices on top of any underlying data protocol (network layer, link layer, tunnels, etc.
Demand mode is advantageous in cases when the overhead of a periodic protocol appears burdensome on a device, e.g., a router with a large number of BFD sessions running. Dell Networking BFD does not support demand mode. Echo Function Echo mode is an auxiliary operation that may be used with either BFD mode. When the echo function is active, a stream of BFD echo packets is transmitted in such a way that the other system loops them back through its forwarding path.
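The negotiation described above can be followed in code. The Python example below is an added illustration, not Dell Networking code or output: it encodes and parses the RFC 5880 BFD control packet header (mandatory section only, no authentication section), derives the asynchronous-mode transmit interval and detection time from the exchanged Desired Min TX, Required Min RX and Detect Mult values, enforces the one-second floor on the transmit interval while the session is not Up, and checks whether a peer's silence has exceeded the detection time. The discriminators and intervals are constructed; the Demand (D) bit is never set, matching the note above that demand mode is not supported.

```python
"""RFC 5880 BFD control packet and asynchronous-mode timer negotiation.
Added example with constructed values; not Dell Networking code or output."""
import struct

# Mandatory section, RFC 5880 4.1: 24 octets, all intervals in microseconds.
# |Vers|Diag|Sta|P|F|C|A|D|M|Detect Mult|Length|My Disc|Your Disc|
# |Desired Min TX|Required Min RX|Required Min Echo RX|
HEADER = "!BBBBIIIII"
HEADER_LEN = struct.calcsize(HEADER)          # 24
STATE_ADMIN_DOWN, STATE_DOWN, STATE_INIT, STATE_UP = 0, 1, 2, 3
DIAG_NONE, DIAG_DETECT_TIME_EXPIRED = 0, 1
SLOW_TX_INTERVAL_US = 1_000_000               # floor while not Up (RFC 5880 6.8.3)


def encode_control(state, detect_mult, my_disc, your_disc,
                   desired_min_tx_us, required_min_rx_us,
                   required_min_echo_rx_us=0, diag=DIAG_NONE,
                   poll=False, final=False):
    """Build a control packet; the C, A, D (demand) and M bits stay clear."""
    vers_diag = (1 << 5) | (diag & 0x1F)
    flags = (state << 6) | (int(poll) << 5) | (int(final) << 4)
    return struct.pack(HEADER, vers_diag, flags, detect_mult, HEADER_LEN,
                       my_disc, your_disc, desired_min_tx_us,
                       required_min_rx_us, required_min_echo_rx_us)


def decode_control(data):
    """Parse the mandatory section; reject anything that is not BFD version 1."""
    if len(data) < HEADER_LEN:
        raise ValueError("short BFD control packet")
    (vers_diag, flags, detect_mult, length, my_disc, your_disc,
     tx, rx, echo_rx) = struct.unpack(HEADER, data[:HEADER_LEN])
    if vers_diag >> 5 != 1 or length < HEADER_LEN or len(data) < length or detect_mult == 0:
        raise ValueError("malformed BFD control packet")
    return {
        "diag": vers_diag & 0x1F, "state": flags >> 6,
        "poll": bool(flags & 0x20), "final": bool(flags & 0x10),
        "auth_present": bool(flags & 0x04), "demand": bool(flags & 0x02),
        "detect_mult": detect_mult, "my_disc": my_disc, "your_disc": your_disc,
        "desired_min_tx": tx, "required_min_rx": rx, "required_min_echo_rx": echo_rx,
    }


def negotiate(local_desired_min_tx_us, local_required_min_rx_us, peer, local_state):
    """Transmit interval (RFC 5880 6.8.7) and detection time (6.8.4), asynchronous mode.

    We may not send faster than the peer can receive, and the peer may not send
    faster than we can receive; the detection time is the peer's multiplier
    applied to the interval the peer will actually use towards us.
    """
    tx_interval = max(local_desired_min_tx_us, peer["required_min_rx"])
    if local_state != STATE_UP:
        tx_interval = max(tx_interval, SLOW_TX_INTERVAL_US)
    peer_tx_interval = max(local_required_min_rx_us, peer["desired_min_tx"])
    detect_time = peer["detect_mult"] * peer_tx_interval
    return tx_interval, detect_time


def detection_expired(now_us, last_rx_us, detect_time_us):
    """True when the peer has been silent longer than the detection time; the
    session then goes Down with diag DIAG_DETECT_TIME_EXPIRED."""
    return now_us - last_rx_us > detect_time_us


if __name__ == "__main__":
    # Constructed exchange: the peer offers 300 ms both ways with multiplier 3;
    # we would like to send every 100 ms and can receive every 200 ms.
    peer_pkt = encode_control(STATE_UP, 3, 0x11111111, 0x22222222, 300_000, 300_000)
    peer = decode_control(peer_pkt)
    print(negotiate(100_000, 200_000, peer, STATE_UP))    # (300000, 900000)
    print(detection_expired(2_000_000, 1_000_000, 900_000))
```

The negotiated result shows why BFD relaxes the BGP hold time as the text suggests: with 300 ms intervals and a multiplier of 3 the peer is declared down after 900 ms, far sooner than any BGP KEEPALIVE schedule, and the peer controls how quickly it is tested through its own Required Min RX.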
BFD Example This example configures BFD for a BGP peer session. BFD is only supported in conjunction with BGP. The BGP configuration is taken from BGP Redistribution of OSPF Example in the BGP Configuration Examples section and is not explained further here. The fast-external-fallover is not enabled in this example, as BFD will provide failure detection. 1 Enable the BFD feature.
console(config-router)#neighbor 216.31.219.19 remote-privateas 1402
console(config-router)#redistribute static
console(config-router)#redistribute ospf match external 1
console(config-router)#redistribute ospf match external 2

3 Enable a BFD session on the BGP peer link:

console(config-router)#neighbor 216.31.219.
Bidirectional Forwarding Detection
41 IPv6 Routing Dell Networking N3000 and N4000 Series Switches NOTE: This feature is not available on Dell Networking N1500 and N2000 Series switches. This chapter describes how to configure general IPv6 routing information on the switch, including global routing settings and IPv6 static routes.
On the Dell Networking N1500, N2000, N3000, and N4000 Series switches, IPv6 coexists with IPv4. As with IPv4, IPv6 routing can be enabled on loopback and VLAN interfaces. Each L3 routing interface can be used for IPv4, IPv6, or both. IP protocols running over L3 (for example, UDP and TCP) are common to both IPv4 and IPv6. How Does IPv6 Compare with IPv4? There are many conceptual similarities between IPv4 and IPv6 network operation.
Neighbor Discovery (ND) protocol is the IPv6 replacement for Address Resolution Protocol (ARP) in IPv4. The IPv6 Neighbor Discovery protocol is described in detail in RFC 4861, as updated by RFC 7048. Dell Networking IPv6 supports neighbor advertise and solicit, duplicate address detection, and neighbor unreachability detection. Router advertisement is part of the Neighbor Discovery process and is required for IPv6.
Default IPv6 Routing Values IPv6 is disabled by default on the switch and on all interfaces. Table 41-1 shows the default values for the IP routing features this chapter describes. Table 41-1.
Table 41-2.
Configuring IPv6 Routing Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv6 unicast routing features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click the help icon at the top of the page.

Global Configuration
Use the Global Configuration page to enable IPv6 forwarding on the router, enable the forwarding of IPv6 unicast datagrams, and configure global IPv6 settings.
Interface Configuration Use the Interface Configuration page to configure IPv6 interface parameters. This page has been updated to include the IPv6 Destination Unreachables field. To display the page, click Routing IPv6 Interface Configuration in the navigation panel. Figure 41-2.
Interface Summary Use the Interface Summary page to display settings for all IPv6 interfaces. To display the page, click Routing IPv6 Interface Summary in the navigation panel. Figure 41-3.
IPv6 Statistics Use the IPv6 Statistics page to display IPv6 traffic statistics for one or all interfaces. To display the page, click Routing IPv6 IPv6 Statistics in the navigation panel. Figure 41-4.
IPv6 Neighbor Table Use the IPv6 Neighbor Table page to display IPv6 neighbor details for a specified interface. To display the page, click IPv6 IPv6 Neighbor Table in the navigation panel. Figure 41-5.
DHCPv6 Client Parameters Use the DHCPv6 Client Parameters page to view information about the network information automatically assigned to an interface by the DHCPv6 server. This page displays information only if the DHCPv6 client has been enabled on an IPv6 routing interface. To display the page, click Routing IPv6 DHCPv6 Client Lease Parameters in the navigation panel. Figure 41-6.
DHCPv6 Client Statistics Use the DHCPv6 Client Statistics page to view information about DHCPv6 packets received and transmitted on a DHCPv6 client interface. To display the page, click Routing IPv6 DHCPv6 Client Statistics in the navigation panel. Figure 41-7.
IPv6 Router Entry Configuration Use the IPv6 Route Entry Configuration page to configure information for IPv6 routes. To display the page, click Routing IPv6 IPv6 Routes IPv6 Route Entry Configuration in the navigation panel. Figure 41-8.
IPv6 Route Table Use the IPv6 Route Table page to display all active IPv6 routes and their settings. To display the page, click Routing IPv6 IPv6 Routes IPv6 Route Table in the navigation panel. Figure 41-9.
IPv6 Route Preferences Use the IPv6 Route Preferences page to configure the default preference for each protocol. These values are arbitrary values in the range of 1 to 255 and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. The best route to a destination is chosen by selecting the route with the lowest preference value.
Configured IPv6 Routes Use the Configured IPv6 Routes page to display selected IPv6 routes. NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped. To display the page, click Routing IPv6 IPv6 Routes Configured IPv6 Routes in the navigation panel. Figure 41-11. Configured IPv6 Routes To remove a configured route, select the check box in the Delete column of the route to remove, and click Apply.
Configuring IPv6 Routing Features (CLI)
This section provides information about the commands used for configuring IPv6 routing on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global IP Routing Settings
Beginning in Privileged EXEC mode, use the following commands to configure various global IP routing settings for the switch.
Configuring IPv6 Interface Settings
Beginning in Privileged EXEC mode, use the following commands to configure IPv6 settings for VLAN, tunnel, or loopback interfaces.
configure
    Enter Global Configuration mode.
interface {vlan | tunnel | loopback}
    Enter Interface Configuration mode for the specified VLAN, tunnel, or loopback interface.
ipv6 enable
    Enable IPv6 on the interface. Configuring an IPv6 address will automatically enable IPv6 on the interface.
Configuring IPv6 Neighbor Discovery
Use the following commands to configure IPv6 Neighbor Discovery settings.
ipv6 nd prefix ipv6-prefix/prefix-length [{valid-lifetime | infinite} {preferred-lifetime | infinite}] [no-autoconfig] [off-link]
    Configure parameters associated with network prefixes that the router advertises in its Neighbor Discovery advertisements.
    • ipv6-prefix—IPv6 network prefix.
    • prefix-length—IPv6 network prefix length.
    • valid-lifetime—Valid lifetime of the router in seconds.
ipv6 nd ns-interval milliseconds
    Set the interval between router advertisements for advertised neighbor solicitations. The range is 1000 to 4294967295 milliseconds.
ipv6 nd other-config-flag
    Set the other stateful configuration flag in router advertisements sent from the interface.
ipv6 nd managed-config-flag
    Set the managed address configuration flag in router advertisements. When the value is true, end nodes use DHCPv6.
Configuring IPv6 Route Table Entries and Route Preferences
Beginning in Privileged EXEC mode, use the following commands to configure IPv6 static routes.
configure
    Enter Global Configuration mode.
ipv6 route ipv6-prefix/prefix-length {next-hop-address | interface-
    Configure a static route. Use the keyword null instead of the next hop router IP address to configure a static reject route.
ipv6 route distance
    Set the default distance (preference) for static IPv6 routes. Lower route preference values are preferred when determining the best route. The default distance (preference) for static routes is 1.
exit
    Exit to Global Config mode.
IPv6 Show Commands
Use the following commands in Privileged EXEC mode to view IPv6 configuration status and related data.
show sdm prefer
    Show the currently active SDM template.
show sdm prefer dual-ipv4-and-ipv6 default
    Show parameters for the SDM template.
show ipv6 dhcp interface vlan vlan-id
    View information about the DHCPv6 lease acquired by the specified interface.
IPv6 Static Reject and Discard Routes
A static configured route with a next-hop of “null” causes any packet matching the route to disappear or vanish from the network. This type of route is called a “Discard” route if the router returns an ICMP “network unreachable” message, or a “Reject” route if no ICMP message is returned. The Dell Networking N-Series switches support “Reject” routes, where any packets matching the route network prefix silently disappear.
• ipv6 route 2001::/16 null 254
• ipv6 route 2002::/16 null 254
These address ranges are reserved and not reachable in the Internet. If for some reason you have local networks in this range, a more specific route will have precedence. Another use for the Reject route is to prevent internal hosts from communicating with specific addresses or ranges of addresses. The effect is the same as an outgoing access-list with a “deny” statement.
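The following Python model is an added illustration, not part of the Dell guide, of how the two reject routes above interact with the preference rules from the route sections: longest prefix match is decided first, so a more specific route overrides the 2001::/16 reject route, and among routes to the same prefix the lowest preference value wins. The extra prefixes and next hops in the table are constructed for the example.

```python
# Added example, not part of the Dell guide: a small model of IPv6 route
# selection with static reject routes. Assumptions: longest prefix match is
# applied first, then the lowest preference value; a "null" next hop models
# the Null0 reject route and silently drops the packet.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    next_hop: Optional[IPv6Address]  # None models the "null" keyword (Null0)
    preference: int                  # 1..255, lower is preferred

    @property
    def is_reject(self) -> bool:
        return self.next_hop is None


def add_static(table: List[Route], prefix: str, next_hop: str,
               preference: int = 1) -> None:
    """Model of 'ipv6 route <prefix> {<next-hop-address> | null} [<preference>]'.
    The default preference of 1 matches the guide's default static distance."""
    if not 1 <= preference <= 255:
        raise ValueError("preference must be in 1..255")
    nh = None if next_hop == "null" else IPv6Address(next_hop)
    table.append(Route(IPv6Network(prefix), nh, preference))


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match first; among equal prefix lengths, lowest preference."""
    d = IPv6Address(dst)
    candidates = [r for r in table if d in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def forward(table: List[Route], dst: str) -> str:
    """'drop' for a reject route, 'no-route' when nothing matches,
    otherwise the next hop address."""
    r = select_route(table, dst)
    if r is None:
        return "no-route"
    if r.is_reject:
        return "drop"
    return str(r.next_hop)


def build_example_table() -> List[Route]:
    """Constructed table: the guide's two reject routes plus a more specific
    local network, two candidate routes to one prefix, and a default route."""
    t: List[Route] = []
    add_static(t, "2001::/16", "null", 254)
    add_static(t, "2002::/16", "null", 254)
    add_static(t, "2001:db8:1::/48", "fe80::1")                 # preference 1
    add_static(t, "2001:db8:2::/48", "fe80::2", preference=1)   # preferred
    add_static(t, "2001:db8:2::/48", "fe80::3", preference=10)  # backup
    add_static(t, "::/0", "2001:db8:ffff::1")
    return t


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("2001:1::1", "2001:db8:1::5", "2001:db8:2::9", "2003::1"):
        print(dst, "->", forward(table, dst))
```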
access mode, meaning untagged incoming and outgoing packets are processed on VLAN 10. RA-Guard is enabled on interface Gi1/0/1 and then the configuration is verified with the show command.
console(config-if-Gi1/0/1)#ipv6 nd raguard attach-policy
console(config-if-Gi1/0/1)#show ipv6 nd raguard policy
Ipv6 RA-Guard Configured Interfaces
Interface        Role
---------------  -------
Gi1/0/1          Host
IPv6 Routing
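As an added example, not from the Dell guide, the following Python code models the decision RA-Guard makes on a port in the Host role shown by the show command above: a Router Advertisement arriving on such a port is dropped, while solicitations and traffic on Router-role ports pass. The frames are constructed inline; it assumes untagged Ethernet with ICMPv6 directly after the IPv6 fixed header.

```python
# Added example, not part of the Dell guide: a model of the RA-Guard check
# for a port whose policy role is Host, as shown by 'show ipv6 nd raguard
# policy'. Assumptions: untagged Ethernet frames, the IPv6 fixed header is
# followed directly by ICMPv6 (no extension headers), and checksums are not
# validated because only the message type matters for the decision.
import struct
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_SOLICITATION = 133
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_NEIGHBOR_SOLICITATION = 135


def icmpv6_type(frame: bytes) -> Optional[int]:
    """Return the ICMPv6 type carried by an Ethernet frame, or None when the
    frame is not IPv6 with ICMPv6 directly after the fixed header."""
    if len(frame) < 14 + 40 + 4:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip = frame[14:54]
    if ip[0] >> 4 != 6 or ip[6] != IPPROTO_ICMPV6:
        return None
    return frame[54]


def ra_guard_verdict(role: str, frame: bytes) -> str:
    """RA-Guard on a Host-role port drops Router Advertisements; everything
    else, and any frame on a Router-role port, is permitted."""
    if role == "Host" and icmpv6_type(frame) == ICMPV6_ROUTER_ADVERTISEMENT:
        return "drop"
    return "permit"


def apply_policy(roles: Dict[str, str],
                 frames: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run the check for (ingress port, frame) pairs; ports without a
    configured role are treated as Router (no RA-Guard attached)."""
    return [(port, ra_guard_verdict(roles.get(port, "Router"), f))
            for port, f in frames]


def build_icmpv6_frame(icmp_type: int, src: str, dst: str,
                       body: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv6/ICMPv6 frame (checksum left zero)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + body
    ip_hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6,
                         255, IPv6Address(src).packed, IPv6Address(dst).packed)
    eth = (bytes.fromhex("333300000001") + bytes.fromhex("001122334455")
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip_hdr + icmp


if __name__ == "__main__":
    roles = {"Gi1/0/1": "Host"}  # mirrors the show command output above
    ra = build_icmpv6_frame(ICMPV6_ROUTER_ADVERTISEMENT, "fe80::1", "ff02::1")
    rs = build_icmpv6_frame(ICMPV6_ROUTER_SOLICITATION, "fe80::2", "ff02::2")
    frames = [("Gi1/0/1", ra), ("Gi1/0/1", rs), ("Gi1/0/2", ra)]
    for port, verdict in apply_policy(roles, frames):
        print(port, verdict)
```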
42 DHCPv6 Server and Relay Settings
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
NOTE: The DHCPv6 Server is not available on the Dell Networking N1500 Series switches.
This chapter describes how to configure the switch to dynamically assign network information to IPv6 hosts by using the Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
What Is a DHCPv6 Pool?
DHCPv6 pools are used to specify information for the DHCPv6 server to distribute to DHCPv6 clients. These pools are shared between multiple interfaces over which DHCPv6 server capabilities are configured.
What Is a Stateless Server?
DHCPv6 incorporates the notion of the stateless server, where DHCPv6 is not used for IP address assignment to a client; rather, it provides other networking information such as DNS or NTP information.
Figure 42-1. DHCPv6 Prefix Delegation Scenario
In Figure 42-1, the Dell Networking switch acts as the Prefix Delegation (PD) server and defines one or more general prefixes to allocate and assign addresses to hosts that may be utilizing IPv6 auto-address configuration or acting as DHCPv6 clients. DHCPv6 clients may request multiple IPv6 prefixes. Also, DHCPv6 clients may request specific IPv6 prefixes.
Configuring the DHCPv6 Server and Relay (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCPv6 server on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
DHCPv6 Global Configuration
Use the Global Configuration page to configure DHCPv6 global parameters.
DHCPv6 Pool Configuration
Use the Pool Configuration page to set up a pool of DHCPv6 parameters for DHCPv6 clients. The pool is identified with a pool name and contains IPv6 addresses and domain names of DNS servers. To display the page, click Routing IPv6 DHCPv6 Pool Configuration in the navigation panel. Figure 42-3 shows the page when no pools have been created. After a pool has been created, additional fields display.
Figure 42-3.
Figure 42-4. Pool Configuration
4 From the DNS Server Address menu, select an existing DNS Server Address to associate with this pool, or select Add and specify a new server to add.
5 From the Domain Name menu, select an existing domain name to associate with this pool, or select Add and specify a new domain name.
6 Click Apply.
Prefix Delegation Configuration
Use the Prefix Delegation Configuration page to configure a delegated prefix for a pool. At least one pool must be created using DHCPv6 Pool Configuration before a delegated prefix can be configured. To display the page, click Routing IPv6 DHCPv6 Prefix Delegation Configuration in the navigation panel.
Figure 42-5.
DHCPv6 Pool Summary
Use the Pool Summary page to display settings for all DHCPv6 pools. At least one pool must be created using DHCPv6 Pool Configuration before the Pool Summary displays. To display the page, click Routing IPv6 DHCPv6 Pool Summary in the navigation panel.
Figure 42-6.
DHCPv6 Interface Configuration
Use the DHCPv6 Interface Configuration page to configure a DHCPv6 interface. To display the page, click Routing IPv6 DHCPv6 Interface Configuration in the navigation panel. The fields that display on the page depend on the selected interface mode.
Figure 42-7.
Figure 42-8 shows the screen when the selected interface mode is Server.
Figure 42-8. DHCPv6 Interface Configuration - Server Mode
Figure 42-9 shows the screen when the selected interface mode is Relay.
Figure 42-9.
DHCPv6 Server Bindings Summary
Use the Server Bindings Summary page to display all DHCPv6 server bindings. To display the page, click Routing IPv6 DHCPv6 Bindings Summary in the navigation panel.
Figure 42-10.
DHCPv6 Statistics
Use the DHCPv6 Statistics page to display DHCPv6 statistics for one or all interfaces. To display the page, click Routing IPv6 DHCPv6 Statistics in the navigation panel.
Figure 42-11.
Configuring the DHCPv6 Server and Relay (CLI)
This section provides information about the commands used for configuring and monitoring the DHCP server and address pools. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global DHCP Server and Relay Agent Settings
Beginning in Privileged EXEC mode, use the following commands to configure settings for the DHCPv6 server.
domain-name domain
    Set up to five DNS domain names to provide to a DHCPv6 client by the DHCPv6 server.
CTRL + Z
    Exit to Privileged EXEC mode.
show ipv6 dhcp pool [name]
    View the settings for all DHCPv6 pools or for the specified pool.
Configuring a DHCPv6 Pool for Specific Hosts
Beginning in Privileged EXEC mode, use the following commands to create a pool and/or configure pool parameters for specific DHCPv6 clients.
configure
    Enter Global Configuration mode.
Configuring DHCPv6 Interface Information
Beginning in Privileged EXEC mode, use the following commands to configure an interface as a DHCPv6 server or a DHCPv6 relay agent. The server and relay functions are mutually exclusive. In other words, a VLAN routing interface can be configured as a DHCPv6 server or a DHCPv6 relay agent, but not both.
configure
    Enter Global Configuration mode.
ipv6 dhcp server pool-name [rapid-commit] [preference pref-value]
    Configure DHCPv6 server functionality on the interface.
    • pool-name — The name of the DHCPv6 pool containing stateless and/or prefix delegation parameters.
    • rapid-commit — An option that allows for an abbreviated exchange between the client and server.
    • pref-value — Preference value used by clients to determine preference between multiple DHCPv6 servers. (Range: 0-4294967295)
CTRL + Z
    Exit to Privileged EXEC mode.
DHCPv6 Configuration Examples
This section contains the following examples:
• Configuring a DHCPv6 Stateless Server
• Configuring the DHCPv6 Server for Prefix Delegation
• Configuring an Interface as a DHCPv6 Relay Agent
Configuring a DHCPv6 Stateless Server
This example configures a DHCPv6 pool that will provide information for the DHCPv6 server to distribute to DHCPv6 clients that are members of VLAN 100.
console(config-if-vlan100)#ipv6 nd other-config-flag
console(config-if-vlan100)#exit
Configuring the DHCPv6 Server for Prefix Delegation
In this example, VLAN routing interface 200 is configured to delegate specific prefixes to certain DHCPv6 clients. The prefix-to-DUID mapping is defined within the DHCPv6 pool. To configure the switch:
1 Create the DHCPv6 pool and specify the domain name and DNS server information.
console(config)#ipv6 dhcp pool my-pool2
console(config-dhcp6s-pool)#domain-name dell.
1 Create VLAN 300 and define its IPv6 address.
console(config)#interface vlan 300
console(config-if-vlan300)#ipv6 address 2001:DB8:03a::14/64
2 Configure the interface as a DHCPv6 relay agent and specify the IPv6 address of the relay server. The command also specifies that the route to the server is through the VLAN 100 routing interface.
DHCPv6 Server and Relay Settings
43 Differentiated Services
Dell Networking N2000, N3000, and N4000 Series Switches
NOTE: DiffServ is not available on the Dell Networking N1500 Series switches.
This chapter describes how to configure the Differentiated Services (DiffServ) feature. DiffServ enables traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
How Does DiffServ Functionality Vary Based on the Role of the Switch?
How you configure DiffServ support in Dell Networking N2000, N3000, and N4000 Series switches software varies depending on the role of the switch in your network:
• Edge device: An edge device handles ingress traffic, flowing towards the core of the network, and egress traffic, flowing away from the core.
Dell Networking N2000, N3000, and N4000 Series switches software supports the Traffic Conditioning Policy type, which is associated with an inbound traffic class and specifies the actions to be performed on packets meeting the class rules:
– Marking the packet with a given DSCP, IP precedence, or CoS value.
Traffic to be processed by the DiffServ feature requires an IP header if the system uses IP Precedence or IP DSCP marking.
Configuring DiffServ (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DiffServ features on Dell Networking N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
DiffServ Configuration
Use the DiffServ Configuration page to display the DiffServ administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables.
Class Configuration
Use the DiffServ Class Configuration page to add a new DiffServ class name, or to rename or delete an existing class. To display the page, click Quality of Service Differentiated Services Class Configuration in the navigation panel.
Figure 43-2. DiffServ Class Configuration
Adding a DiffServ Class
To add a DiffServ class:
1 From the DiffServ Class Configuration page, click Add to display the Add Class page.
Figure 43-3.
2 Enter a name for the class and select the protocol to use for class match criteria.
3 Click Apply to add the new class.
4 To view a summary of the classes configured on the switch, click Show All.
Figure 43-4. View DiffServ Class Summary
Class Criteria
Use the DiffServ Class Criteria page to define the criteria to associate with a DiffServ class. As packets are received, these DiffServ classes are used to identify packets.
Figure 43-5.
Policy Configuration
Use the DiffServ Policy Configuration page to associate a collection of classes with one or more policy statements. To display the page, click Quality of Service Differentiated Services Policy Configuration in the navigation panel.
Figure 43-6. DiffServ Policy Configuration
Adding a New Policy Name
To add a policy:
1 From the DiffServ Policy Configuration page, click Add to display the Add Policy page.
Figure 43-7. Add DiffServ Policy
2 Enter the new Policy Name.
3 Click Apply to save the new policy.
4 To view a summary of the policies configured on the switch, click Show All.
Figure 43-8.
Policy Class Definition
Use the DiffServ Policy Class Definition page to associate a class with a policy, and to define attributes for that policy-class instance. To display the page, click Quality of Service Differentiated Services Policy Class Definition in the navigation panel.
Figure 43-9. DiffServ Policy Class Definition
To view a summary of the policy attributes, click Show All.
Figure 43-10. Policy Class Definition
Packet Marking Traffic Condition
Follow these steps to have packets that match the class criteria for this policy marked with either an IP DSCP, IP precedence, or CoS value:
1 Select Marking from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page. The Packet Marking page displays.
Figure 43-11. Policy Class Definition - Attributes
2 Select IP DSCP, IP Precedence, or Class of Service to mark for this policy-class.
Policing Traffic Condition
Follow these steps to perform policing on the packets that match this policy class:
1 Select Policing from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page to display the DiffServ Policy Policing page.
Figure 43-12. Policy Class Definition - Policing
The DiffServ Policy - Policing page displays the Policy Name, Class Name, and Policing Style.
Service Configuration
Use the DiffServ Service Configuration page to activate a policy on a port. To display the page, click Quality of Service Differentiated Services Service Configuration in the navigation panel.
Figure 43-13. DiffServ Service Configuration
To view a summary of the services configured on the switch, click Show All.
Figure 43-14.
Service Detailed Statistics
Use the DiffServ Service Detailed Statistics page to display packet details for a particular port and class. To display the page, click Quality of Service Differentiated Services Service Detailed Statistics in the navigation panel.
Figure 43-15.
Flow-Based Mirroring
Use the Flow-Based Mirroring page to create a mirroring session in which the traffic that matches the specified policy and member class is mirrored to a destination port. To display the Flow-Based Mirroring page, click Switching Ports Traffic Mirroring Flow-Based Mirroring in the navigation panel.
Figure 43-16.
Configuring DiffServ (CLI)
This section provides information about the commands used for configuring DiffServ settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
DiffServ Configuration (Global)
Beginning in Privileged Exec mode, use the following commands to configure the global DiffServ mode and view related settings.
match cos
    Add to the specified class definition a match condition for the Class of Service value.
match destination-address mac
    Add to the specified class definition a match condition based on the destination MAC address of a packet.
match dstip
    Add to the specified class definition a match condition based on the destination IP address of a packet.
match srcip
    Add to the specified class definition a match condition based on the source IP address of a packet.
match srcl4port
    Add to the specified class definition a match condition based on the source layer-4 port of a packet using a single keyword, a numeric notation, or a numeric range notation.
match vlan
    Add to the specified class definition a match condition based on the value of the layer-2 VLAN Identifier field.
match protocol
    Add to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a single keyword notation or a numeric value notation.
match source-address mac
    Add to the specified class definition a match condition based on the source MAC address of the packet.
match srcip6
    Add to the specified class definition a match condition based on the source IPv6 address of a packet.
DiffServ Policy Attributes Configuration
Beginning in Privileged Exec mode, use the following commands to configure policy attributes and view related information.
configure
    Enter Global Configuration mode.
policy-map policy-map-name
    Enter Policy Map Configuration mode for the specified policy.
conform-color class-map-name [exceed-color class-map-name]
    Specify the color class for color-aware policing. The action for the policy-class-map instance must be set to police-simple before issuing the conform-color command.
drop
    Specify that all packets for the associated traffic stream are to be dropped at ingress.
mark cos cos-value
    Mark all packets for the associated traffic stream with the specified class of service value (range: 0–7) in the priority field of the 802.
DiffServ Service Configuration
Beginning in Privileged Exec mode, use the following commands to associate a policy with an interface and view related information.
configure
    Enter Global Configuration mode.
service-policy {in | out} policy-map-name
    Attach a policy to an interface in the inbound or outbound direction. This command can be used in either Global Configuration mode (for all system interfaces) or Interface Configuration mode (for a specific interface).
DiffServ Configuration Examples
This section contains the following examples:
• Providing Subnets Equal Access to External Network
• DiffServ for VoIP
Providing Subnets Equal Access to External Network
This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.
The following commands show how to configure the DiffServ example depicted in Figure 43-17.
1 Enable DiffServ operation for the switch.
console#config
console(config)#diffserv
2 Create a DiffServ class of type all for each of the departments, and name them. Also, define the match criteria—Source IP address—for the new classes.
console(config)#class-map match-all finance_dept
console(config-classmap)#match srcip 172.16.10.0 255.255.255.
console(config-policy-map)#class development_dept
console(config-policy-classmap)#assign-queue 4
console(config-policy-classmap)#exit
console(config-policy-map)#exit
4 Attach the defined policy to 10-Gigabit Ethernet interfaces 1/0/1 through 1/0/4 in the inbound direction.
console(config)#interface tengigabitethernet 1/0/1
console(config-if-Te1/0/1)#service-policy in internet_access
console(config-if-Te1/0/1)#exit
console(config)#interface tengigabitethernet 1/0/2
console(config-if-Te1/0/2)#service-policy i
DiffServ for VoIP
One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital. This example shows one way to provide the necessary quality of service: how to set up a class for UDP traffic, have that traffic marked on the inbound side, and then expedite the traffic on the outbound side.
The following commands show how to configure the DiffServ example depicted in Figure 43-18.
1 Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.
console#config
console(config)#cos-queue strict 6
console(config)#diffserv
2 Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets.
console(config)#interface tengigabitethernet 1/0/1
console(config-if-Te1/0/1)#service-policy in pol_voip
console(config-if-Te1/0/1)#exit
console(config)#exit
Differentiated Services
44 Class-of-Service
Dell Networking N1500, N2000, N3000, and N4000 Series Switches
This chapter describes how to configure the Class-of-Service (CoS) feature. The CoS queuing feature lets you directly configure certain aspects of switch queuing. This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required.
Each ingress port on the switch has a default priority value (set by configuring VLAN Port Priority in the Switching sub-menu) that determines the egress queue its traffic gets forwarded to. Packets that arrive without a VLAN user priority, or packets from ports you’ve identified as “untrusted,” get forwarded according to this default.
What Are Trusted and Untrusted Port Modes?
Ports can be configured in “trusted” mode or “untrusted” mode with respect to ingress traffic.
How Are Traffic Queues Defined?
For each queue, the following can be specified:
• Minimum bandwidth guarantee—A percentage of the port’s maximum negotiated bandwidth reserved for the queue. Unreserved bandwidth can be utilized by lower-priority queues. If the sum of the minimum bandwidth is 100%, then there is no unreserved bandwidth and no sharing of bandwidth is possible.
• Weighted Random Early Detection (WRED)—Drops packets queued for transmission on an interface selectively based on their drop precedence level. For each of four drop precedence levels on each WRED-enabled interface queue, the following parameters can be configured:
  – Minimum Threshold: A percentage of the interface queue size below which no packets of the selected drop precedence level are dropped.
Default CoS Values
Table 44-1 shows the global default values for CoS.
Table 44-1. CoS Global Defaults
Parameter: Trust Mode
    Default Value: 802.1p User Priority
Parameter: 802.1p CoS value to queue mapping
    Default Value: 802.
Configuring CoS (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring CoS features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
Mapping Table Configuration
Use the Mapping Table Configuration page to define how class of service is assigned to a packet.
To display the Queue Mapping Table for the selected Trust Mode, click the Show All link at the top of the page. The following figure shows the queue mapping table when CoS (802.1p) is selected as the Trust Mode.
Figure 44-2.
Interface Configuration
Use the Interface Configuration page to define the interface shaping rate for egress packets on an interface and the decay exponent for WRED queues defined on the interface. Each interface CoS parameter can be configured globally or per-port. A global configuration change is applied to all interfaces in the system. To display the Interface Configuration page, click Quality of Service Class of Service Interface Configuration in the navigation panel.
Figure 44-3.
Interface Queue Configuration
Use the Interface Queue Configuration page to configure egress queues on interfaces. The settings you configure control the amount of bandwidth the queue uses, the scheduling method, and the queue management method. The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per-port. A global configuration change is applied to the same queue ID on all ports in the system.
To access the Interface Queue Status page, click the Show All link at the top of the page.
Interface Queue Drop Precedence Configuration
Use the Interface Queue Drop Precedence Configuration page to configure thresholds and scaling values for each of four drop precedence levels on a WRED-enabled interface queue. The settings you configure control the minimum and maximum thresholds and a drop probability scaling factor for the selected drop precedence level.
Figure 44-5. Interface Queue Drop Precedence Configuration
To access the Interface Queue Drop Precedence Status page, click the Show All link at the top of the page.
Configuring CoS (CLI)
This section provides information about the commands used for configuring CoS settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Mapping Table Configuration
Beginning in Privileged Exec mode, use the following commands to configure the CoS mapping tables.
configure
    Enter Global Configuration mode.
CoS Interface Configuration Commands
Beginning in Privileged Exec mode, use the following commands to configure the traffic shaping and WRED exponent values for an interface.
configure
    Enter Global Configuration mode.
interface interface
    Enter Interface Configuration mode, where interface is replaced by gigabitethernet unit/slot/port, tengigabitethernet unit/slot/port, or port-channel port-channel-number.
cos-queue min-bandwidth
    Specify the minimum transmission bandwidth (range: 0-100% in 1% increments) for each interface queue. The sum of the configured minimum bandwidths should be less than 100% to allow for buffering of bursty traffic.
cos-queue strict queue-id
    Activate the strict priority scheduler mode for each specified queue. The queue-id value ranges from 0 to 6.
cos-queue random-detect queue-id
    Set the queue management type for the specified queue to WRED.
Configuring Interface Queue Drop Probability
Beginning in Privileged Exec mode, use the following commands to configure characteristics of the drop probability and view related settings. The drop probability supports configuration in the range of 0 to 10%, and the discrete values 25%, 50%, and 75%. Values not listed are truncated to the next lower value in hardware.
configure
    Enter Global Configuration mode.
CoS Configuration Example
Figure 44-6 illustrates the network operation as it relates to CoS mapping and queue configuration. Four packets arrive at the ingress port te1/0/10 in the order A, B, C, and D. Port te1/0/10 is configured to trust the 802.1p field of the packet, which serves to direct packets A, B, and D to their respective queues on the egress port. These three packets utilize the 802.1p to CoS Mapping Table for port te1/0/10. In this example, the 802.
Continuing this example, the egress port te1/0/8 is configured for strict priority on queue 4, and a weighted scheduling scheme is configured for queues 3-0. Assuming queue 3 has a higher minimum bandwidth than queue 1 (relative bandwidth values are shown as a percentage, with 0% indicating the bandwidth is shared according to the default weighting), the queue service order, when congested, is 4 followed by 3 followed by 1.
classes generally use the default WRR scheduling mode as opposed to strict priority, to avoid starving other traffic. For example, the following commands assign 802.1p user priority 4 to CoS queue 4 and reserve 50% of the scheduler time slices for CoS queue 4. This implies that, when the switch is congested, the scheduler will service CoS queue 4 fifty percent of the time to the exclusion of all other CoS queues, including higher-priority CoS queues.
WRED
NOTE: WRED is not supported on the Dell Networking N1500 Series switch.

WRED Processing
Traffic ingressing the switch can be assigned to one of four drop probabilities based on a set of matching criteria. There are three drop probabilities for TCP traffic (green, yellow, and red) and one drop probability for non-TCP traffic (all colors). Users may configure the congestion thresholds at which packets queued for transmission are dropped for each color.
Exponential Weighting Constant
The degree of congestion is determined by sampling the egress queue depth and calculating an average queue size. The exponential weighting constant smooths the result of the average queue depth calculation by the function:

average depth = (previous queue depth * (1 - 1/2^n)) + (current queue depth * 1/2^n)

The average queue depth is used to select the drop probability for packets queued for egress.
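The smoothing function above and the per-color drop-probability selection it feeds, as an added example that is not code from the Dell guide. The threshold profiles, the depth samples, and the linear ramp between the minimum and maximum thresholds are assumptions made for illustration; the supported drop-probability values and the truncation rule are those the guide states.

```python
"""Added example, not part of the Dell guide: WRED average-depth smoothing
followed by per-color drop-probability selection.

The smoothing is the guide's own formula, with n as the exponential
weighting constant:
    average depth = previous average * (1 - 1/2^n) + current depth * (1/2^n)
Depths and thresholds are percentages of queue capacity; the profiles and
samples below are constructed, not switch defaults.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Drop-probability values the guide says the hardware supports: 0-10% in 1%
# steps plus the discrete values 25%, 50% and 75%.
SUPPORTED_DROP_PROBABILITIES = list(range(0, 11)) + [25, 50, 75]


def wred_average_depth(prev_avg: float, current_depth: float, exponent: int) -> float:
    """One step of the smoothing function; exponent 0 means no smoothing."""
    if exponent < 0:
        raise ValueError("exponent must be >= 0")
    weight = 1.0 / (2 ** exponent)
    return prev_avg * (1.0 - weight) + current_depth * weight


def average_depth_series(samples: List[float], exponent: int,
                         start: float = 0.0) -> List[float]:
    """Apply the smoothing to a sequence of sampled depths, returning each average."""
    averages = []
    avg = start
    for depth in samples:
        avg = wred_average_depth(avg, depth, exponent)
        averages.append(avg)
    return averages


def hardware_drop_probability(requested: int) -> int:
    """Map a requested drop probability to the supported value at or below it,
    which is how the guide says unlisted values are truncated in hardware."""
    if not 0 <= requested <= 100:
        raise ValueError("drop probability must be 0-100 percent")
    return max(v for v in SUPPORTED_DROP_PROBABILITIES if v <= requested)


@dataclass(frozen=True)
class WredProfile:
    """Constructed per-color profile: thresholds and max drop probability (all %)."""
    min_threshold: float   # no random drops at or below this average depth
    max_threshold: float   # drop probability reaches drop_max here
    drop_max: int          # configured max drop probability, percent

    def drop_probability(self, avg_depth: float) -> float:
        """Assumed linear ramp from 0 at min_threshold to drop_max at max_threshold.
        Above max_threshold the value stays at drop_max; a physically full queue
        drops regardless, which is not modelled here."""
        limit = hardware_drop_probability(self.drop_max)
        if avg_depth <= self.min_threshold:
            return 0.0
        if avg_depth >= self.max_threshold:
            return float(limit)
        span = self.max_threshold - self.min_threshold
        return limit * (avg_depth - self.min_threshold) / span


def select_profile(profiles: Dict[str, WredProfile], is_tcp: bool,
                   color: Optional[str]) -> WredProfile:
    """TCP traffic is dropped by its color; per the guide, non-TCP traffic
    shares a single drop probability regardless of color."""
    if not is_tcp:
        return profiles["non-tcp"]
    if color not in ("green", "yellow", "red"):
        raise ValueError(f"unknown color {color!r}")
    return profiles[color]


# Constructed profiles: red TCP ramps to 10% between 50% and 100% congestion
# (as in the guide's SLA example); the other three are arbitrary sample values.
SAMPLE_PROFILES = {
    "green": WredProfile(min_threshold=80, max_threshold=100, drop_max=5),
    "yellow": WredProfile(min_threshold=70, max_threshold=100, drop_max=5),
    "red": WredProfile(min_threshold=50, max_threshold=100, drop_max=10),
    "non-tcp": WredProfile(min_threshold=50, max_threshold=100, drop_max=25),
}


def drop_probability_for(avg_depth: float, is_tcp: bool, color: Optional[str],
                         profiles: Dict[str, WredProfile] = SAMPLE_PROFILES) -> float:
    """Drop probability (percent) for one packet given the smoothed queue depth."""
    return select_profile(profiles, is_tcp, color).drop_probability(avg_depth)


if __name__ == "__main__":
    # Constructed burst: the queue jumps to 100% full and stays there. A larger
    # exponent reacts more slowly, so a short burst triggers fewer random drops.
    burst = [100.0] * 4
    for n in (1, 3):
        print(f"n={n}:", [round(a, 1) for a in average_depth_series(burst, n)])
    print("red TCP at 75% average depth:", drop_probability_for(75.0, True, "red"))
```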
• Packets that are pre-colored yellow and exceed the PIR will be colored red. This does not apply to the simple algorithm since there is no yellow pre-coloring.
• Packets that are pre-colored red remain colored red.

Refer to RFC 2697 and RFC 2698 for further detail on color-aware and color-blind processing.
them as a result of exceeding the meter. Pre-colored packets are not re-colored to green or yellow by the meter. Yellow packets may be colored red as a result of exceeding the meter. Refer to RFC 2697 for further details.

Two-Rate Meter Implementation
The police-two-rate algorithm implements a two-rate Three-Color Marker (trTCM) per RFC 2698. The trTCM algorithm is useful in situations where a peak rate needs to be enforced separately from a committed rate.
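The trTCM metering and the pre-color rules from the two passages above, as an added example that is not code from the Dell guide. It follows the RFC 2698 token-bucket description in both color-blind and color-aware modes; the packet sizes, rates, and burst sizes are constructed, and the units (bytes and bytes per second rather than the CLI's Kbytes and Kbps) are a simplification.

```python
"""Added example, not code from the Dell guide: a two-rate Three-Color Marker
(trTCM) per RFC 2698 in color-blind and color-aware modes, applying the
re-coloring rules the guide summarizes (pre-colored red stays red, pre-colored
yellow can only become red, pre-colored packets are never re-colored green).

Rates are in bytes per second and burst sizes in bytes here; the switch CLI
takes CIR/PIR in Kbps and CBS/PBS in Kbytes. All packets and meter settings
below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class TwoRateMeter:
    cir: float                  # committed information rate, bytes/s
    cbs: int                    # committed burst size, bytes (size of bucket C)
    pir: float                  # peak information rate, bytes/s
    pbs: int                    # peak burst size, bytes (size of bucket P)
    color_aware: bool = False
    tc: float = field(init=False)              # tokens currently in bucket C
    tp: float = field(init=False)              # tokens currently in bucket P
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.pir < self.cir:
            raise ValueError("RFC 2698 requires PIR >= CIR")
        # Both buckets start full, as RFC 2698 specifies.
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)

    def _refill(self, now: float) -> None:
        """Add tokens for the elapsed time, capping each bucket at its burst size."""
        elapsed = now - self.last_time
        if elapsed < 0:
            raise ValueError("packet timestamps must not go backwards")
        self.tc = min(float(self.cbs), self.tc + self.cir * elapsed)
        self.tp = min(float(self.pbs), self.tp + self.pir * elapsed)
        self.last_time = now

    def meter(self, size: int, now: float, precolor: Optional[str] = None) -> str:
        """Return the color assigned to a packet of `size` bytes arriving at `now`.

        Color-blind mode ignores `precolor`; color-aware mode honors it and can
        only keep a packet's color or make it worse, never better.
        """
        self._refill(now)
        aware = self.color_aware
        if (aware and precolor == RED) or self.tp < size:
            return RED                  # exceeds PIR/PBS, or already red: no tokens used
        if (aware and precolor == YELLOW) or self.tc < size:
            self.tp -= size             # exceeds CIR/CBS: yellow, charged to bucket P only
            return YELLOW
        self.tp -= size                 # within both rates: green, charged to both buckets
        self.tc -= size
        return GREEN


Packet = Tuple[float, int, Optional[str]]   # (arrival time in seconds, size in bytes, pre-color)


def meter_packets(meter: TwoRateMeter, packets: List[Packet]) -> List[str]:
    """Run a sequence of packets through the meter and return the assigned colors."""
    return [meter.meter(size, now, precolor) for now, size, precolor in packets]


if __name__ == "__main__":
    # Constructed burst at t=0 followed by one packet a second later: the first
    # packet is within CIR, the next two exceed CIR but not PIR, the fourth
    # exceeds PIR, and after a second of refill the last packet is green again.
    burst: List[Packet] = [(0.0, 1500, None), (0.0, 1000, None), (0.0, 1000, None),
                           (0.0, 1000, None), (1.0, 1000, None)]
    blind = TwoRateMeter(cir=1000, cbs=2000, pir=2000, pbs=4000)
    print("color-blind:", meter_packets(blind, burst))
```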
Explicit Congestion Notification
Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal congestion by dropping packets. A Random Early Discard scheme provides earlier notification than tail drop. ECN marks congested packets that would otherwise have been dropped and expects an ECN-capable receiver to signal congestion back to the transmitter without the need to retransmit the packet that would have been dropped.
Dell Networking implements ECN capability as part of the WRED configuration process. Eligible packets are marked by hardware based upon the WRED configuration. The network operator can configure any CoS queue to operate in ECN marking mode and can configure different discard thresholds for each color.
Example 1: SLA Configuration
The following example configures a simple meter and a trTCM meter in support of a network SLA. The SLA classes are segregated by CoS class as described in the comments.

1 Define a class-map so that all traffic will be in the set of traffic “cos-any”.
console#config
console(config)#class-map match-all cos-any ipv4
console(config-classmap)#match any
console(config-classmap)#exit

2 Define a class-map such that all traffic with a CoS value of 1 will be in the set of traffic “cos1.
6 Create a simple policer in color blind mode. Packets below the committed information rate (CIR) or committed burst size (CBS) are assigned drop precedence green. Packets that exceed the CIR (in Kbps) or CBS (in Kbytes) are colored red. Both the conform and violate actions are set to transmit as WRED is used to drop packets when congested.
• TCP packets with rates higher than the PIR/PBS or which belong to neither class CoS 1 nor class CoS 2 violate the rate (red). These packets will be dropped randomly at an increasing rate between 0 and 10% when the outgoing interface is congested between 50 and 100%.
• Non-TCP packets in CoS queue 0 or 1 will be dropped randomly at an increasing rate between 0 and 15% when the outgoing interface is congested between 50 and 100%.
console(config)#interface Te1/0/22
console(config-if-Te1/0/22)#service-policy in simple-policy
console(config-if-Te1/0/22)#exit
console(config)#interface Te1/0/23
console(config-if-Te1/0/23)#service-policy in two-rate-policy
console(config-if-Te1/0/23)#exit
Example 2: Long-Lived Congestion
The following example enables WRED discard for non-color-aware traffic. Since a color-aware policer is not enabled, all traffic is treated as if it were colored “green.” This means that only the “green” TCP and non-TCP WRED thresholds are active. Since the default CoS queue is 1, this example is suitable as a starting point for configuring WRED on a switch using the default settings.
Example 3: Data Center TCP (DCTCP) Configuration
This example globally configures a Dell Networking N2000/N3000 Series switch to utilize ECN marking of green packets queued for egress on CoS queues 0 and 1 using the DCTCP threshold as it appears in “DCTCP: Efficient Packet Transport for the Commoditized Data Center,” Alizadeh, Greenberg, Maltz, Padhye, Patel, Prabhakar, Sengupta, and Sridharan, 2010.

NOTE: Data center TCP requires changes to the TCP stack on both ends of the connection.
45 Auto VoIP
Dell Networking N1500, N2000, N3000, and N4000 Series Switches

Voice over Internet Protocol (VoIP) allows you to make telephone calls using a computer network over a data network like the Internet. With the increased prominence of delay-sensitive applications (voice, video, and other multimedia applications) deployed in networks today, proper QoS configuration will ensure high-quality application performance.
Auto VoIP is limited to 16 active sessions and makes use of the switch CPU to classify traffic. It is preferable to use the Voice VLAN feature in larger enterprise environments as it uses the switching silicon to classify voice traffic onto a VLAN. Auto VoIP is incompatible with Voice VLAN and should not be enabled on switches on which Voice VLAN is enabled.

How Does Auto VoIP Use ACLs?
Auto VoIP utilizes ACL lists from the global system pool.
Configuring Auto VoIP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Auto VoIP features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

Auto VoIP Global Configuration
Use the Global Configuration page to enable or disable Auto VoIP on all interfaces.
Figure 45-2. Auto VoIP Interface Configuration

To display summary Auto VoIP configuration information for all interfaces, click the Show All link at the top of the page.

Figure 45-3.
Configuring Auto VoIP (CLI)
This section provides information about the commands used for configuring Auto VoIP settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Mapping Table Configuration
Beginning in Privileged Exec mode, use the following commands to enable Auto VoIP and view its configuration.

CLI Command                      Description
configure                        Enter Global Configuration mode.
46 IPv4 and IPv6 Multicast
Dell Networking N3000 and N4000 Series Switches

NOTE: This feature is available only on Dell Networking N3000 and N4000 Series switches.

This chapter describes how to configure and monitor layer-3 (L3) multicast features for IPv4 and IPv6, including global IP and IPv6 multicast features as well as multicast protocols, including IGMP, DVMRP, and PIM for IPv4 and MLD and PIM for IPv6.
recipient host. The IP routing protocols can route multicast traffic, but the IP multicast protocols handle the multicast traffic more efficiently with better use of network bandwidth. Applications that often send multicast traffic include video or audio conferencing, whiteboard tools, stock distribution tickers, and IP-based television (IP/TV).

What Is IP Multicast Traffic?
IP multicast traffic is traffic that is destined to a host group.
• 239.0.0.0/8 is the locally scoped IPv4 multicast address range. Use addresses from this block for local/intra-domain multicast traffic. See RFC 2365 for further information.
• 233.0.0.0/8 is the GLOP IPv4 public address range and is suitable for inter-domain multicast traffic. See RFC 2770 for further information.
• 232.0.0.0/8 is the PIM-SSM IPv4 public address space and is suitable for inter-domain traffic. See RFC 4608 for further information.
What Are the Multicast Protocol Roles?
Hosts must have a way to identify their interest in joining any particular multicast group, and routers must have a way to collect and maintain group memberships. These functions are handled by the IGMP protocol in IPv4. In IPv6, multicast routers use the Multicast Listener Discovery (MLD) protocol to maintain group membership information.
contain two ports, one on each connecting switch. A VLAN carrying multicast traffic should never traverse a multicast router, as ingress multicast traffic is layer-2-switched across the VLAN, defeating the purpose of the multicast router.

Determining Which Multicast Protocols to Enable
IGMP is required on any multicast router that serves IPv4 hosts. IGMP is not required on inter-router links. MLD is required on any router that serves IPv6 hosts. MLD is not required on inter-router links.
What Is IGMP?
The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts, L3 switches, and routers) to report their IP multicast group memberships to any neighboring multicast routers. The Dell Networking N1500, N2000, N3000, and N4000 Series switches perform the multicast router role of the IGMP protocol, which means they collect the membership information needed by the active multicast routing protocol. IGMP is automatically enabled when PIM or DVMRP is enabled via the CLI.
What Is MLD?
The Multicast Listener Discovery (MLD) protocol enables IPv6 routers to discover the presence of multicast listeners, the hosts that wish to receive the multicast data packets, on their directly attached interfaces. The protocol specifically discovers which multicast addresses are of interest to its neighboring nodes and provides this information to the active multicast routing protocol, which makes decisions on the flow of multicast data packets.
Using PIM-SM as the Multicast Routing Protocol
PIM-SM is used to efficiently route multicast traffic to multicast groups that may span wide area networks and where bandwidth is constrained. PIM-SM uses shared trees by default and implements source-based trees for efficiency. PIM-SM assumes that no hosts want the multicast traffic unless they specifically ask for it.
PIM-SM Protocol Operation
This section describes the workings of the PIM-SM protocol per RFC 4601. The protocol operates essentially in three phases, as explained in the following sections.

Phase-1: RP Tree
Figure 46-1. PIM-SM Shared Tree Join

• In this example, an active receiver (attached to the leaf router at the bottom of the drawing) has joined multicast group “G”.
Phase-2: Register Stop
Figure 46-2. PIM-SM Sender Registration—Part 1

• As soon as an active source for group G sends a packet, the designated router (DR) that is attached to this source is responsible for “Registering” this source with the RP and requesting the RP to build a tree back to that router.
• To do this, the source router encapsulates the multicast data from the source in a special PIM-SM message, called the Register message, and unicasts that data to the RP.
Figure 46-3. PIM-SM Sender Registration—Part 2

• As soon as the SPT is built from the source router to the RP, multicast traffic begins to flow unencapsulated from source S to the RP.
• Once this is complete, the RP router will send a “Register Stop” message to the first-hop router to tell it to stop sending the encapsulated data to the RP.
Phase 3: Shortest Path Tree
Figure 46-4. PIM-SM SPT—Part 1

• PIM-SM has the capability for last-hop routers (i.e., routers with directly connected group members) to switch to the Shortest-Path Tree and bypass the RP. This switchover is based upon an implementation-specific function called SwitchToSptDesired(S,G) in the standard and generally takes a number of seconds to switch to the SPT.
Figure 46-5. PIM-SM SPT—Part 2

• Finally, special (S, G) RP-bit Prune messages are sent up the Shared Tree to prune off this (S, G) traffic from the Shared Tree. If this were not done, (S, G) traffic would continue flowing down the Shared Tree, resulting in duplicate (S, G) packets arriving at the receiver.
Figure 46-6. PIM-SM SPT—Part 3

• At this point, (S, G) traffic is now flowing directly from the first-hop router to the last-hop router and from there to the receiver.

Figure 46-7.
• At this point, the RP no longer needs the flow of (S, G) traffic since all branches of the Shared Tree (in this case there is only one) have pruned off the flow of (S, G) traffic.
• As a result, the RP will send (S, G) Prunes back toward the source to shut off the flow of the now unnecessary (S, G) traffic to the RP.

NOTE: This will occur if the RP has received an (S, G) RP-bit Prune on all interfaces on the Shared Tree.

Figure 46-8.
creates a performance problem in that it limits the number of packets that can be processed and places a high load on the CPUs in the first-hop and RP routers, which can then adversely affect other router functions.

Dell Networking Optimizations to PIM-SM
Dell Networking N-Series switches perform the following optimizations to reduce the impact of multicast encapsulation/de-encapsulation and provide a higher level of multicast performance in the network.
sending the encapsulated Register messages. This removes the load from the CPU of the first-hop router and the RP, as they no longer need to encapsulate and de-encapsulate register messages with multicast data. These optimizations significantly reduce the load on first-hop routers and RPs to encapsulate/de-encapsulate PIM register messages and their associated multicast data. In addition, the switchover to the SPT is initiated immediately upon the first multicast packet reaching the last-hop router.
router on its RPF interface, the State Refresh message causes an existing prune state to be refreshed. State Refresh messages are generated periodically by the router directly attached to the source.

What Is DVMRP?
DVMRP is an interior gateway protocol that is suitable for routing multicast traffic within an autonomous system (AS). DVMRP should not be used between different autonomous systems due to limitations with hop count and scalability.
Using DVMRP as the Multicast Routing Protocol
DVMRP is used to communicate multicast information between L3 switches or routers. If a Dell Networking N1500, N2000, N3000, or N4000 Series switch handles inter-VLAN routing for IP traffic, including IP multicast traffic, multicast routing might be required on the switch. DVMRP is best suited for small networks where the majority of hosts request a given multicast traffic stream.
Default L3 Multicast Values
IP and IPv6 multicast is disabled by default. Table 46-2 shows the default values for L3 multicast and the multicast protocols.

Table 46-2.
Configuring General IPv4 Multicast Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the L3 multicast features that are not protocol-specific on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.
Multicast Interface Configuration
Use the Interface Configuration page to configure the TTL threshold of a multicast interface. At least one VLAN routing interface must be configured on the switch before fields display on this page. To display the page, click IPv4 Multicast Multicast Interface Configuration in the navigation panel.

Figure 46-10.
Multicast Route Table
Use the Route Table page to view information about the multicast routes in the IPv4 multicast routing table. To display the page, click IPv4 Multicast Multicast Multicast Route Table in the navigation panel.

Figure 46-11.
Multicast Admin Boundary Configuration
An administratively scoped boundary is a way to stop the ingress and egress of multicast traffic for a given range of multicast addresses on a given routing interface. Use the Admin Boundary Configuration page to configure a new or existing administratively scoped boundary. To see this page, you must have configured a valid routing interface and multicast.
Multicast Admin Boundary Summary
Use the Admin Boundary Summary page to display existing administratively scoped boundaries. To display the page, click IPv4 Multicast Multicast Admin Boundary Summary in the navigation panel.

Figure 46-13. Multicast Admin Boundary Summary

Multicast Static MRoute Configuration
Use the Static MRoute Configuration page to configure a new static entry in the Mroute table or to modify an existing entry.
Multicast Static MRoute Summary
Use the Static MRoute Summary page to display static routes and their configurations. To display the page, click IPv4 Multicast Multicast Static MRoute Summary in the navigation panel.

Figure 46-15.
Configuring IPv6 Multicast Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IPv6 multicast features that are not protocol-specific on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

IPv6 Multicast Route Table
Use the Multicast Route Table page to view information about the multicast routes in the IPv6 multicast routing table.
Configuring IGMP and IGMP Proxy (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IGMP and IGMP proxy features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

IGMP Global Configuration
Use the Global Configuration page to set IGMP on the system to active or inactive.
IGMP Interface Configuration
Use the Interface Configuration page to configure and/or display router interface parameters. At least one valid routing interface must be configured before this page can be accessed to configure IP Multicast IGMP. To display the page, click IPv4 Multicast IGMP Routing Interface Interface Configuration in the navigation panel.

Figure 46-18.
IGMP Interface Summary
Use the Interface Summary page to display IGMP routing parameters and data. You must configure at least one IGMP router interface to access this page. To display the page, click IPv4 Multicast IGMP Routing Interface Interface Summary in the navigation panel.

Figure 46-19. IGMP Interface Summary

IGMP Cache Information
Use the Cache Information page to display cache parameters and data for an IP multicast group address.
Figure 46-20.
IGMP Interface Source List Information
Use the Source List Information page to display detailed membership information for an interface. Group membership reports must have been received on the selected interface for data to display. To display the page, click IPv4 Multicast IGMP Routing Interface Source List Information in the navigation panel.

Figure 46-21.
IGMP Proxy Interface Configuration
The IGMP proxy is used by an IGMP router (IPv4 system) to enable the system to issue IGMP host messages on behalf of hosts that the system discovered through standard IGMP router interfaces. Thus, this feature acts as a proxy for all hosts residing on its router interfaces. Use the Interface Configuration page to configure IGMP proxy for a VLAN interface.
IGMP Proxy Configuration Summary
Use the Configuration Summary page to display proxy interface configurations by interface. You must have configured at least one VLAN routing interface before data displays on this page. To display the page, click IPv4 Multicast IGMP Proxy Interface Configuration Summary in the navigation panel.

Figure 46-23.
IGMP Proxy Interface Membership Info
Use the Interface Membership Info page to display interface membership data for a specific IP multicast group address. At least one VLAN routing interface must be configured for this page to display interface membership information, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, no data displays on this page.
Detailed IGMP Proxy Interface Membership Information
Use the Interface Membership Info Detailed page to display detailed interface membership data. At least one VLAN routing interface must be configured before detailed interface membership information can be displayed, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, then no data can be displayed.
Configuring MLD and MLD Proxy (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the MLD and MLD proxy features on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

MLD Global Configuration
Use the Global Configuration page to administratively enable and disable the MLD service.
MLD Routing Interface Configuration
Use the Interface Configuration page to enable selected IPv6 router interfaces to discover the presence of multicast listeners, the nodes that wish to receive the multicast data packets, on their directly attached interfaces. To access this page, click IPv6 Multicast MLD Routing Interface Interface Configuration in the navigation panel.

Figure 46-27.
MLD Routing Interface Summary
Use the Interface Summary page to display information and statistics on a selected MLD-enabled interface. You must configure at least one IGMP VLAN routing interface to access this page. To access this page, click IPv6 Multicast MLD Routing Interface Interface Summary in the navigation panel.

Figure 46-28.
received on the selected interface in order for data to be displayed here. To access this page, click IPv6 Multicast MLD Routing Interface Cache Information in the navigation panel.

Figure 46-29. MLD Routing Interface Cache Information

MLD Routing Interface Source List Information
The Interface Source List Information page displays detailed membership information for an interface. You must configure at least one MLD VLAN routing interface to access this page.
MLD Traffic
The MLD Traffic page displays summary statistics on the MLD messages sent to and from the router. To access this page, click IPv6 Multicast MLD Routing Interface MLD Traffic in the navigation panel.

Figure 46-31.
MLD Proxy Configuration
When you configure an interface in MLD proxy mode, it acts as a proxy multicast host that sends MLD membership reports on one VLAN interface for MLD membership reports received on all other MLD-enabled VLAN routing interfaces. Use the Interface Configuration page to enable and disable ports as MLD proxy interfaces. To display this page, click IPv6 Multicast MLD Proxy Interface Interface Configuration in the navigation panel.

Figure 46-32.
MLD Proxy Configuration Summary
Use the Configuration Summary page to view configuration and statistics on MLD proxy-enabled interfaces. To display this page, click IPv6 Multicast MLD Proxy Interface Configuration Summary in the navigation panel.

Figure 46-33.
MLD Proxy Interface Membership Information
The Interface Membership Information page lists each IP multicast group for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast MLD Proxy Interface Interface Membership Info in the navigation panel.

Figure 46-34.
Detailed MLD Proxy Interface Membership Information
The Interface Membership Information Detailed page provides additional information about the IP multicast groups for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast MLD Proxy Interface Interface Membership Info Detailed in the navigation panel.

Figure 46-35.
Configuring PIM for IPv4 and IPv6 (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring PIM-SM and PIM-DM for IPv4 and IPv6 multicast routing on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

NOTE: The OpenManage Switch Administrator pages for configuring IPv4 multicast routing and IPv6 multicast routing are very similar.
PIM Global Status
Use the Global Status page to view the administrative status of PIM-DM or PIM-SM on the switch. To display the page, click IPv4 Multicast PIM Global Status or IPv6 Multicast PIM Global Status in the navigation panel.

Figure 46-37.
PIM Interface Configuration
Use the Interface Configuration page to configure specific VLAN routing interfaces with PIM. To display the page, click IPv4 Multicast PIM Interface Configuration or IPv6 Multicast PIM Interface Configuration in the navigation panel.

Figure 46-38.
PIM Interface Summary
Use the Interface Summary page to display a PIM-enabled VLAN routing interface and its settings. To display the page, click IPv4 Multicast PIM Interface Summary or IPv6 Multicast PIM Interface Summary in the navigation panel.

Figure 46-39.
Candidate RP Configuration
The Candidate RP is configured on the Add Candidate RP page. Use the Candidate RP Configuration page to display and delete the configured rendezvous points (RPs) for each port using PIM. To access the page, click IPv4 Multicast PIM Candidate RP Configuration or IPv6 Multicast PIM Candidate RP Configuration.

Figure 46-40.
Figure 46-41. Add Candidate RP

3 Select the VLAN interface for which the Candidate RP is to be configured.
4 Enter the group address transmitted in Candidate-RP-Advertisements.
5 Enter the prefix length transmitted in Candidate-RP-Advertisements to fully identify the scope of the group which the router supports if elected as a Rendezvous Point.
6 Click Apply Changes. The new Candidate RP is added, and the device is updated.
Static RP Configuration
Use the Static RP Configuration page to display or remove the configured RP. The page also allows adding new static RPs by clicking the Add button. Only one RP address can be used at a time within a PIM domain. If the PIM domain uses the BSR to dynamically learn the RP, configuring a static RP is not required. However, the static RP can be configured to override any dynamically learned RP from the BSR.
Figure 46-43. Add Static RP

3 Enter the IP address of the RP for the group range.
4 Enter the group address of the RP.
5 Enter the group mask of the RP.
6 Check the Override option to configure the static RP to override the dynamic (candidate) RPs learned for the same group ranges.
7 Click Apply. The new Static RP is added, and the device is updated.
SSM Range Configuration
Use this page to display or remove the Source Specific Multicast (SSM) group IP address and group mask for the PIM router. To display the page, click IPv4 Multicast PIM SSM Range Configuration or IPv6 Multicast PIM SSM Range Configuration.

Figure 46-44. SSM Range Configuration

Adding an SSM Range
To add the Source-Specific Multicast (SSM) Group IP Address and Group Mask (IPv4) or Prefix Length (IPv6) for the PIM router:

1 Open the SSM Range Configuration page.
2 Click Add.
Figure 46-45. Add SSM Range

3 Click the Add Default SSM Range check box to add the default SSM Range. The default SSM Range is 232.0.0.0/8 for IPv4 multicast and ff3x::/32 for IPv6 multicast.
4 Enter the SSM Group IP Address.
5 Enter the SSM Group Mask (IPv4) or SSM Prefix Length (IPv6).
6 Click Apply. The new SSM Range is added, and the device is updated.
BSR Candidate Configuration
Use this page to configure information to be used if the interface is selected as a bootstrap router. To display the page, click IPv4 Multicast PIM BSR Candidate Configuration or IPv6 Multicast PIM BSR Candidate Configuration.

Figure 46-46.
BSR Candidate Summary
Use this page to display information about the configured BSR candidates. To display this page, click IPv4 Multicast PIM BSR Candidate Summary or IPv6 Multicast PIM BSR Elected Summary.

Figure 46-47.
Configuring DVMRP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DVMRP on Dell Networking N1500, N2000, N3000, and N4000 Series switches. For details about the fields on a page, click at the top of the page.

DVMRP Global Configuration
Use the Global Configuration page to configure global DVMRP settings. It is strongly recommended that IGMP be enabled on any switch on which DVMRP is enabled.
DVMRP Interface Configuration
Use the Interface Configuration page to configure a DVMRP VLAN routing interface. You must configure at least one router interface before you configure a DVMRP interface. Otherwise, you see a message telling you that no router interfaces are available, and the configuration screen is not displayed. It is strongly recommended that IGMP be enabled on any interface on which DVMRP is enabled. This ensures that the multicast router behaves as expected.
DVMRP Configuration Summary
Use the Configuration Summary page to display the DVMRP configuration and data for a selected interface. At least one VLAN routing interface must be configured before data can be displayed for a DVMRP interface. Otherwise, a message displays that no VLAN router interfaces are available, and the configuration summary screen is not displayed. To display the page, click IPv4 Multicast DVMRP Configuration Summary in the navigation panel.

Figure 46-50.
DVMRP Next Hop Summary
Use the Next Hop Summary page to display the next hop summary by Source IP. To display the page, click IPv4 Multicast DVMRP Next Hop Summary in the navigation panel.

Figure 46-51.
DVMRP Prune Summary
Use the Prune Summary page to display the prune summary by Group IP. To display the page, click IPv4 Multicast DVMRP Prune Summary in the navigation panel.

Figure 46-52. DVMRP Prune Summary

DVMRP Route Summary
Use the Route Summary page to display the DVMRP route summary. To display the page, click IPv4 Multicast DVMRP Route Summary in the navigation panel.

Figure 46-53.
Configuring L3 Multicast Features (CLI)
This section provides information about the commands used for configuring general IPv4 multicast settings on the switch. For more information about the commands, see the Dell Networking N1500, N2000, N3000, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command                                        Purpose
exit                                           Exit to Global Config mode.
exit                                           Exit to Privileged EXEC mode.
show ip multicast                              View system-wide multicast information.
show ip mcast boundary {vlan vlan-id | all}    View all the configured administratively scoped multicast boundaries.
show ip mcast mroute {detail | summary}        View a summary or all the details of the multicast table.
show mac address-table multicast [count]       View information about the entries in the multicast address table.
Configuring and Viewing IPv6 Multicast Route Information
Beginning in Privileged EXEC mode, use the following commands to configure static IPv6 multicast routes on the switch and to view IPv6 multicast table information.

Command                                        Purpose
configure                                      Enter global configuration mode.
ip multicast                                   Enable IPv4/IPv6 multicast routing.
ipv6 mroute source                             Create a static multicast route for a source range.
Configuring and Viewing IGMP
Beginning in Privileged EXEC mode, use the following commands to configure IGMP on the switch and on VLAN routing interfaces and to view IGMP information.

Command                                        Purpose
configure                                      Enter global configuration mode.
ip multicast                                   Enable IPv4/IPv6 multicast routing.
ip igmp                                        Enable IGMP on the switch.
interface vlan vlan-id                         Enter Interface Configuration mode for the specified VLAN.
ip igmp                                        Enable IGMP on the interface.
Command | Purpose
ip igmp startup-query-count count | Set the number of queries sent out on startup, at intervals equal to the startup query interval for the interface. The range for count is 1–20.
ip igmp last-member-query-interval tenthsofseconds | Configure the Maximum Response Time inserted in Group-Specific Queries, which are sent in response to Leave Group messages. The range is 0–255 tenths of a second.
Configuring and Viewing IGMP Proxy Beginning in Privileged EXEC mode, use the following commands to configure the upstream VLAN routing interface as an IGMP proxy. The IGMP proxy issues host messages on behalf of the hosts that have been discovered on IGMP-enabled interfaces. The upstream interface is the interface closest to the root multicast router, which should be running IGMP. NOTE: Configure only the upstream interface as the IGMP proxy. IGMP should be enabled on all downstream interfaces.
Configuring and Viewing MLD
Beginning in Privileged EXEC mode, use the following commands to configure MLD on the switch and on VLAN routing interfaces and to view IGMP information.
Command | Purpose
configure | Enter global configuration mode.
ip multicast | Enable IPv4/IPv6 multicast routing.
ipv6 mld router | Enable MLD on the switch.
interface vlan vlan-id | Enter Interface Configuration mode for the specified VLAN.
ipv6 mld router | Enable MLD on the interface.
Command | Purpose
show ipv6 mld interface [vlan vlan-id] | View MLD information for all interfaces or for the specified interface.
show ipv6 mld interface stats [vlan vlan-id] | View MLD statistics for all interfaces or for the specified interface.
show ipv6 mld groups [interface vlan vlan-id] | View the registered multicast groups on the interface.
show ipv6 mld membership | View the list of interfaces that have registered in any multicast group.
Command | Purpose
show ipv6 mld-proxy | View a summary of the host interface status parameters.
show ipv6 mld-proxy interface | View a detailed list of the host interface status parameters. This command displays information only when MLD Proxy is operational.
show ipv6 mld-proxy groups | View a table of information about multicast groups that MLD Proxy reported. This command displays information only when MLD Proxy is operational.
Command | Purpose
show ip pim interface vlan vlan-id | View the PIM-DM information for the specified interface.
show ip pim neighbor [interface vlan vlan-id | all] | View a summary or all the details of the multicast table.
Configuring and Viewing PIM-DM for IPv6 Multicast Routing
Beginning in Privileged EXEC mode, use the following commands to configure PIM-DM for IPv6 multicast routing on the switch and on VLAN routing interfaces and to view PIM-DM information.
Command | Purpose
show ipv6 pim interface vlan vlan-id | View the PIM information for the specified interface.
show ipv6 pim neighbor [interface vlan vlan-id | all] | View a summary or all the details of the multicast table.
Configuring and Viewing PIM-SM for IPv4 Multicast Routing
Beginning in Privileged EXEC mode, use the following commands to configure PIM-SM for IPv4 multicast routing on the switch and on VLAN routing interfaces and to view PIM-SM information.
Command | Purpose
configure | Enter global configuration mode.
ip routing | Enable IP routing. Routing is required for PIM operation.
ip pim sparse | Enable PIM-SM as the multicast routing protocol on the switch.
ip igmp | Enable IGMP.
Command | Purpose
ip pim rp-candidate vlan vlan-id group-address group-mask [interval interval] | Configure the router to advertise itself to the BSR router as a PIM candidate Rendezvous Point (RP) for a specific multicast group range.
• vlan-id — A valid VLAN ID.
• group-address — Group IP address supported by RP.
• group-mask — Group subnet mask for group address.
• interval — (Optional) Indicates the RP candidate advertisement interval. The range is from 1 to 16383 seconds.
Command | Purpose
exit | Exit to Global Config mode.
exit | Exit to Privileged EXEC mode.
show ip pim | View system-wide PIM information.
show ip pim interface vlan | View the PIM information for the specified interface.
show ip pim neighbor [interface vlan vlan-id | all] | View a summary or all the details of the multicast table.
show ip pim rp-hash | View the RP router being selected for the specified multicast group address from the set of active RP routers.
Command | Purpose
ipv6 pim bsr-candidate vlan vlan-id hash-mask-length [priority] [interval interval] | Configure the switch to announce its candidacy as a bootstrap router (BSR).
• vlan-id — A valid VLAN ID.
• hash-mask-length — The length of a mask that is to be ANDed with the group address before the hash function is called. All groups with the same seed hash correspond to the same RP. For example, if this value is 24, only the first 24 bits of the group addresses matter.
Command | Purpose
ipv6 pim ssm {default | group-address/prefix-length} | Define the Source Specific Multicast (SSM) range of IPv6 multicast addresses.
• default — Defines the SSM range access list to FF3x::/32.
• group-address/prefix-length — Defines the SSM range.
interface vlan vlan-id | Enter Interface Configuration mode for the specified VLAN.
ipv6 pim | Enable PIM on the VLAN.
ipv6 enable | Enable IPv6 on the VLAN.
ipv6 mld router | Enable MLD on the VLAN. MLD is required for IPv6 PIM.
Command | Purpose
show ipv6 pim rp-hash | View the RP router being selected for the specified multicast group address from the set of active RP routers. The RP router for the group is selected by using a hash algorithm.
show ipv6 pim bsr-router | View the bootstrap router (BSR) information.
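As an added example of what hash-mask-length does and how rp-hash selection arrives at one RP per group (this is not Dell's code), the following implements the IPv4 form of the RP hash from RFC 4601 section 4.7.2. The same hash-mask-length idea applies to the IPv6 bsr-candidate command above, but the IPv6 address handling is not reproduced here. The candidate RP and group addresses are constructed for illustration, and the function names are assumptions.

```python
"""Hash-based RP selection for a PIM-SM group range (added example, not Dell's code).

Implements the IPv4 RP hash from RFC 4601 section 4.7.2:

    Value(G, M, C(i)) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C(i)) + 12345) mod 2^31

G is the group address, M the mask built from the BSR hash-mask-length and
C(i) a candidate RP address. The candidate with the highest value is the RP
for the group; ties go to the highest RP address. Because only (G & M) enters
the hash, every group sharing the first hash-mask-length bits picks the same
RP, which is the behaviour the hash-mask-length parameter description gives.
"""
import ipaddress

_MULT = 1103515245  # RFC 4601 constants
_INC = 12345
_MOD = 1 << 31


def hash_mask(hash_mask_length: int) -> int:
    """Mask with the top hash_mask_length bits of a 32-bit address set."""
    if not 0 <= hash_mask_length <= 32:
        raise ValueError("hash-mask-length must be 0..32")
    return (0xFFFFFFFF << (32 - hash_mask_length)) & 0xFFFFFFFF


def rp_hash_value(group: str, rp: str, hash_mask_length: int) -> int:
    """RFC 4601 hash value of one candidate RP for one group address."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp))
    masked = g & hash_mask(hash_mask_length)
    # Only the low 31 bits of the final product survive the mod, so Python's
    # arbitrary-precision integers give the same answer as 32-bit unsigned math.
    return (_MULT * ((_MULT * masked + _INC) ^ c) + _INC) % _MOD


def select_rp(group: str, candidates: list[str], hash_mask_length: int) -> str:
    """Pick the RP for a group from the candidate set covering its range.

    Highest hash value wins; on a tie the numerically highest RP address wins,
    as RFC 4601 requires.
    """
    if not candidates:
        raise ValueError("no candidate RPs for group")
    return max(
        candidates,
        key=lambda rp: (rp_hash_value(group, rp, hash_mask_length),
                        int(ipaddress.IPv4Address(rp))),
    )


if __name__ == "__main__":
    # Constructed candidate set: two RPs advertising the same group range.
    rps = ["10.0.0.1", "10.0.0.2"]
    for grp in ("239.1.1.1", "239.1.1.77", "239.1.2.1"):
        print(grp, "->", select_rp(grp, rps, 24))
```

Groups that differ only below the hash-mask-length (239.1.1.1 and 239.1.1.77 with a length of 24) always land on the same RP; a group in a different /24 may land on either one.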
Configuring and Viewing DVMRP Information
Beginning in Privileged EXEC mode, use the following commands to configure DVMRP on the switch and on VLAN routing interfaces and to view DVMRP information.
Command | Purpose
configure | Enter global configuration mode.
ip dvmrp | Enable DVMRP on the switch.
ip multicast | Enable IP multicast.
interface vlan vlan-id | Enter Interface Configuration mode for the specified VLAN routing interface.
ip dvmrp | Enable DVMRP on the interface.
L3 Multicast Configuration Examples
This section contains the following configuration examples:
• Configuring Multicast VLAN Routing With IGMP and PIM-SM
• Configuring DVMRP
Configuring Multicast VLAN Routing With IGMP and PIM-SM
This example describes how to configure a Dell Networking N-Series switch with two VLAN routing interfaces that route IP multicast traffic between the VLANs. PIM and IGMP are enabled on the switch and interfaces to manage the multicast routing.
Figure 46-54. IPv4 Multicast VLAN Routing
[Figure: Video Server; L3 Switch A (PIM RP) with Port 23 and Port 24; L3 Switch B and L3 Switch C sending IGMP Join; VLAN 10 Members; VLAN 20 Members]
In addition to multicast configuration, this example includes commands to configure STP and OSPF on L3 Switch A. STP is configured on the ports that connect the switch to other switches. OSPF is configured to route unicast traffic between the VLANs, and PIM is enabled to route multicast traffic between the two VLANs.
console#configure
console(config)#no ip igmp snooping
console(config)#no ipv6 mld snooping
console(config)#vlan 10,20
console(config-vlan10,20)#exit
2 Configure ports 23 and 24 as trunk ports.
console(config-if-vlan20)#exit
8 Globally enable IP multicast, IGMP, and PIM-SM on the switch.
console(config)#ip multicast
console(config)#ip igmp
console(config)#ip pim sparse
9 Configure VLAN 10 as the RP and specify the range of multicast groups for PIM-SM to control. The 239.9.x.x address is chosen as it is a locally administered address that maps to MAC addresses that do not conflict with control plane protocols.
console(config)#ip pim rp-address 192.168.10.4 239.9.0.0 255.255.0.
Configuring DVMRP
The following example configures two DVMRP interfaces on the switch to enable inter-VLAN multicast routing. To configure the switch:
1 Globally enable IP routing and IP multicast.
console#configure
console(config)#ip routing
console(config)#ip multicast
2 Globally enable IGMP so that this L3 switch can manage group membership information for its directly-connected hosts.
47 Audio Video Bridging
Dell Networking N4000 Series Switches
NOTE: This feature is available on Dell Networking N4000 Series switches only.
Overview
Audio Video Bridging (AVB) is a suite of protocols for reserving resources in the network to facilitate an end-to-end time-sensitive traffic flow. AVB uses the following protocols:
• IEEE 802.1AS—Measures wire propagation time for precise synchronization.
• Multiple VLAN Registration Protocol (MVRP)—Replaces the role of GVRP in dynamic VLAN creation.
Address Range | Function
91:E0:F0:00:00:00–91:E0:F0:00:FD:FF | Dynamic Allocation Pool
91:E0:F0:00:FE:00–91:E0:F0:00:FE:FF | Locally administered pool
91:E0:F0:00:FF:00–91:E0:F0:00:FF:FF | Reserved pool
MMRP, MVRP and MSRP share a common framework that provides services to the individual protocols. The common framework is the Multiple Registration Protocol (MRP). MRP allows participants in an MRP application to register attributes with other participants in a Bridged LAN.
The Dell Networking N4000 AVB feature supports:
• IEEE 802.1ak (D8.0) Multiple Registration Protocol (MRP)
  – MVRP—Multiple VLAN Registration Protocol
  – MMRP—Multiple Multicast Registration Protocol
• IEEE 802.1as (D7.6)
  – Single unit only. No support on stack members.
  – Clock Master
  – Timing propagation
• IEEE 802.1Qat (D6.1)
  – Stream Reservation Protocol (MSRP)
• IEEE 802.1Qav (D7.0)
  – Forwarding and Queuing Enhancements for Time-Sensitive Streams
• IEEE 802.1ba (D2.
MSRP MSRP provides a mechanism for the reservation of resources for specific traffic streams traversing a bridged network. MSRP categorizes AVB devices into talkers (stream sources) and listeners (stream destinations). An AVB device may be both a talker and a listener. MSRP operates via several types of announcements (MRP declarations). The announcements are propagated throughout the AVB network. Announcements may occur in any order except when noted otherwise.
MVRP MVRP provides a mechanism for the declaration of dynamic registration of VLANs and propagation of VLAN information over a bridged network. The propagation of VLAN information via MRP allows MVRP-aware devices to dynamically establish and update the set of VLANs that are active on network devices and the ports through which those devices can be reached. With MVRP both end stations and bridges may issue and revoke VLAN membership declarations.
Declarations are “alive” while at least one registration exists. Registrations can be purged by LeaveTimer if no MVRPDUs with confirmation are received within the LeaveTimer value after LeaveAll timer expiration, or by receiving an MSRPDU with the Leave event. The LeaveAll timer is running constantly. The purging time is variable and depends on when the LeaveAll timer expires after traffic has been stopped. The possible range is [LeaveTimerValue, LeaveTimerValue + LeaveAllTimerValue * 1.5].
IEEE 802.1AS IEEE 802.1AS is a protocol designed to synchronize clocks in the nodes of a distributed system that communicate in a bridged network. 802.1AS also provides a mechanism to measure link delays, which may be used to calculate end-to-end propagation delay. The IEEE 802.1AS standard specifies the protocol and procedures for ensuring that QoS requirements are met for time-sensitive applications such as audio and video. The IEEE 1588 Precision Time Protocol (PTP) forms the basis of the IEEE 802.
Figure 47-1. IEEE 802.1S Master/Slave Device Relationships
[Figure: a Grand Master at the top; Master and Slave port roles on each link of the tree below it]
The 802.1AS implementation described in this document is based on the IEEE P802.1AS/D7.6 draft standard [1]. IEEE 802.1AS time synchronization provides a common time base for sampling data streams at a source device and presenting those streams at a destination device with the same relative timing.
A device that can issue or receive IEEE 802.1AS communications is termed a “time-aware system”. A time-aware system can either be an end station device attached to a network or a bridge that interconnects end stations. Typically, an end station device has a single port and a bridge has multiple ports. The segment of an 802.1AS network that enables direct communication between two time-aware systems is defined as an 802.1AS communication path. The port on a time-aware end station can be a master or a slave.
clock. If the best master clock is grandmaster-capable, then the clock becomes the grandmaster clock for the 802.1AS domain, generating time synchronization information periodically. The ANNOUNCE message also includes a path trace TLV that tracks the path to best master clock. Each time-aware system updates the received ANNOUNCE message by appending its clock identity to the path trace TLV.
field in the SYNC and FOLLOW_UP messages. The master sends the FOLLOW_UP message with the same sequence ID as the SYNC message. The value (t2 – t1) gives the (offset + link delay) between the master and slave. The link delay is calculated as described below. Assuming that the link delay is symmetric, the offset value can be derived from (t2 – t1). This sequence of SYNC and FOLLOW_UP messages is repeated at every SYNC transmission interval.
conveyed using the follow up message. The delay requestor captures the RX timestamp of the PDELAY_RESP_FOLLOWUP message (t4). This sequence is shown in the diagram below:
Figure 47-3. Link Delay Measurement Sequence
[Figure: Delay Requestor and Delay Responder exchanging PDELAY_REQ, PDELAY_RESP and PDELAY_RESP_FOLLOWUP, with timestamps t1, t2, t3, t4]
After the completion of the delay request/response exchange, the delay requestor has all four timestamps (t1, t2, t3, t4).
the same as the delay from responder to the requestor. The peer delay mechanism also requires that there are no transparent devices (bridges) that can add extra delay between the peers. As part of the PDELAY exchange, the requestor computes the ratio of the frequency of the responder’s local clock at the other end of the link and the frequency of the requestor’s local clock. To account for the frequency offset between the clocks at each end, the peer delay is adjusted based on the computed ratio.
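The SYNC/FOLLOW_UP offset arithmetic and the PDELAY link delay calculation described above, carried through in code as an added example (this is not Dell's implementation): the symmetric link delay from the four timestamps, the neighbor rate ratio from two successive exchanges, and the slave offset obtained by subtracting the link delay from (t2 - t1). The timestamps, in nanoseconds, are constructed; the PdelayExchange type and the function names are assumptions, as is estimating the rate ratio as the responder's elapsed t3 divided by the requestor's elapsed t4.

```python
"""802.1AS peer-delay and offset arithmetic on constructed timestamps.

Added example, not Dell's code. t1 and t4 are taken on the delay requestor's
local clock, t2 and t3 on the delay responder's clock, as in Figure 47-3.
All values are nanoseconds and are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PdelayExchange:
    """One PDELAY_REQ / PDELAY_RESP / PDELAY_RESP_FOLLOWUP exchange."""
    t1: int  # requestor TX timestamp of PDELAY_REQ (requestor clock)
    t2: int  # responder RX timestamp of PDELAY_REQ (responder clock)
    t3: int  # responder TX timestamp of PDELAY_RESP (responder clock)
    t4: int  # requestor RX timestamp completing the exchange (requestor clock)


def neighbor_rate_ratio(first: PdelayExchange, later: PdelayExchange) -> float:
    """Ratio of the responder's clock frequency to the requestor's.

    Assumption: estimated from two successive exchanges as the responder's
    elapsed time (t3 to t3) over the requestor's elapsed time (t4 to t4).
    """
    responder_elapsed = later.t3 - first.t3
    requestor_elapsed = later.t4 - first.t4
    if requestor_elapsed <= 0:
        raise ValueError("later exchange must come after the first one")
    return responder_elapsed / requestor_elapsed


def mean_link_delay(x: PdelayExchange, rate_ratio: float = 1.0) -> float:
    """Peer link delay, assuming the link is symmetric.

    The round trip measured on the requestor clock (t4 - t1) is scaled into
    responder time with the rate ratio, the responder's turnaround (t3 - t2)
    is removed, and the remainder is halved for the one-way delay.
    """
    turnaround = x.t3 - x.t2
    round_trip = (x.t4 - x.t1) * rate_ratio
    delay = (round_trip - turnaround) / 2
    if delay < 0:
        # The round trip can never be shorter than the turnaround on a
        # symmetric link; a negative result means inconsistent timestamps,
        # e.g. an intervening device that is not 802.1AS-aware adding delay.
        raise ValueError(f"negative link delay {delay}: inconsistent timestamps")
    return delay


def slave_offset(sync_tx_master: int, sync_rx_slave: int, link_delay: float) -> float:
    """Offset of the slave clock from the master.

    (t2 - t1) from the SYNC/FOLLOW_UP pair equals offset + link delay, so the
    offset is that difference minus the measured link delay.
    """
    return (sync_rx_slave - sync_tx_master) - link_delay


if __name__ == "__main__":
    # Constructed exchanges: 500 ns one-way delay, 100 ns responder turnaround,
    # responder clock running 100 ppm fast relative to the requestor.
    first = PdelayExchange(t1=1000, t2=1550, t3=1650, t4=2100)
    later = PdelayExchange(t1=11000, t2=11551, t3=11651, t4=12100)
    ratio = neighbor_rate_ratio(first, later)
    delay = mean_link_delay(first, ratio)
    # SYNC sent by the master at 5000 (master clock), received at 5600 (slave clock)
    print(f"rate ratio {ratio:.6f}, link delay {delay:.3f} ns, "
          f"offset {slave_offset(5000, 5600, delay):.3f} ns")
```

The negative-delay check is the one piece of defensive logic worth keeping in a real implementation: it turns the "no transparent devices between the peers" requirement from the text into something that fails loudly instead of silently steering the clock.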
In compliance with sections 11.2.3 and 11.2.4 of IEEE 802.1AS, canonical flow control (PAUSE) and Priority Flow Control (PFC) must be disabled on bridges that are enabled for PTP. This configuration is not enforced by bridge management. In-situ measurements have shown residence times of up to 10 ms and PDELAY turnaround times of up to 1 ms.
AVB Configuration Example
The following example configures an AVB switch.
1 Create VLAN 2. This VLAN is used to carry the MSRP traffic.
5 Globally enable IEEE 802.1AS and set the local clock type to 2 with a priority of 128.
console(config)#dot1as
console(config)#dot1as priority 2 128
6 Globally enable MVRP, MMRP, and MSRP and enable the periodic state machines to purge registrations periodically. Also enable MSRP talker pruning.
802.1AS Global Admin Mode......................
Grandmaster Capable............................
Best Clock Identity............................ F8:B1:56:FF:FE:0F:2B:49
Best Clock Priority1...........................
Best Clock Priority2...........................
Steps to Best Clock............................
Local Clock Identity........................... F8:B1:56:FF:FE:0F:2B:49
Local Clock Priority1..........................
Local Clock Priority2..........................
Grandmaster Change Count........
48 OpenFlow
Dell Networking N2000, N3000, and N4000 Series Switches
Dell Networking OpenFlow Hybrid Overview
The following acronyms are used in this chapter.
Table 48-1. OpenFlow Acronyms
Acronym | Definition
ICAP | Ingress Content Aware Processor. This is a hardware flow matching table. The term ICAP is used synonymously with IFP.
IFP | Ingress Field Processor. The IFP is a hardware flow matching table.
OVS | Open vSwitch
VCAP | VLAN Content Aware Processor. This is a hardware flow matching table.
The OpenFlow 1.0 standard supports a single-table data forwarding path. Dell Networking switches support Open vSwitch proprietary extensions that give the OpenFlow controller access to multiple forwarding tables. The OpenFlow 1.3 standard enables a multi-table data forwarding path. Dell Networking switches, however, support a single-table OpenFlow 1.3 data forwarding path.
The Dell Networking OpenFlow feature has the following major functions:
1 Enabling Dell Networking OpenFlow Hybrid.
Automatic IP address selection is done in the following order of preference:
1 Loopback interfaces.
2 Routing interfaces.
3 Out-of-band interface.
Dell Networking switches support IPv4 addresses for connecting to the OpenFlow controller. IPv6 addresses are not supported. If IP routing is enabled, the out-of-band interface cannot be used as the OpenFlow interface.
This section covers the following topics:
• "Dell Networking OpenFlow Hybrid Principles of Operation" on page 1614
• "OpenFlow 1.0 Supported Flow Match Criteria, Actions and Status" on page 1616
• "Port Configuration, Status and Statistics" on page 1643
• "Queue Configuration and Status" on page 1644
• Dell Networking OpenFlow Hybrid Supported OpenFlow messages and options.
2 The switch supports only one bridge instance.
3 In OpenFlow 1.0 mode, the switch supports several backup OpenFlow controllers. The backup controllers can exchange hello messages with the switch, but cannot add flows or monitor switch status. A vendor message is defined to allow a backup controller to become the primary controller. In OpenFlow 1.3 mode, several OpenFlow controllers can manage the switch at the same time.
4 In the OpenFlow 1.
10 When the switch loses its connection to the OpenFlow controller, it continues to forward traffic using the flows previously programmed by the controller. When the switch reconnects to the controller, it keeps using the previously programmed flows until the OpenFlow controller tells it otherwise.
11 At boot time, when the switch does not have any flows, it forwards traffic normally using the layer-2/layer-3 forwarding rules.
12 The switch supports sending data packets to the controller.
"MAC Forwarding Table" and the "OpenFlow 1.0 Rule Table". The hardware table to which the flow is added depends on the flow table identifier specified in the OFPT_FLOW_MOD message. The flows are added, modified, and removed using the OFPT_FLOW_MOD message. The OFPT_FLOW_MOD message is handled by the Open vSwitch layer and the resulting flow modification commands are passed to Dell Networking OpenFlow Hybrid using the ofproto_class interface. Dell Networking OpenFlow Hybrid enables the OpenFlow 1.
Table 48-2. Flow Table Identifiers (Continued)
ID | Usage | Description
32–255 | Unsupported | The enhanced OpenFlow 1.0 protocol only supports table IDs 0 to 31.
When using multiple hardware tables, it is possible to set up the hardware so that, for example, the MAC Forwarding Table and OpenFlow 1.0 Rule Table match the same packet. If the packet matches multiple slices in the IFP, the hardware performs all non-conflicting actions on the packet. For example, the OpenFlow 1.
• "Source MAC VLAN Assignment Table" on page 1626
• "MAC Forwarding Table" on page 1627
• "Flow Addition and Modification Error Messages" on page 1630
• "Flow Status and Statistics" on page 1631
OpenFlow 1619
OpenFlow 1.0 Rule Table The OpenFlow 1.0 rule table implements many of the OpenFlow match criteria and actions defined in the OpenFlow 1.0 standard. The table is implemented in the Ingress Field Processor using slices configured in the intra-slice double-wide mode. This means that the number of rules in each IFP slice is divided in half to provide the necessary rule width. The following sections describe the match criteria and actions supported by the OpenFlow 1.0 table. • OpenFlow 1.
Table 48-3. Supported OpenFlow Match Criteria (Continued)
Match Field | Description
Ethernet Type | The Ethertype in Ethernet V2 tagged and untagged packets.
VLAN ID | The VLAN Identifier field in the VLAN header. The valid range for the VLAN ID is 1 to 4094. Note that all packets are tagged in the system when they are processed by the OpenFlow 1.0 classifier. The packets that entered the switch without a tag are assigned a tag either by the ingress port PVID or by the Source MAC VLAN Assignment Table.
Table 48-3. Supported OpenFlow Match Criteria (Continued)
Match Field | Description
IP Destination Address | The 4-byte IP destination address in IPv4 packets. Only packets with Ethertype 0x0800 can match the IP Destination Address field. The OpenFlow controller is not required to explicitly set up the Ethernet Type match field. The Ethernet Type field may be wildcarded and the switch can still match IPv4 packets. The switch supports subnet masking for the IP Destination Address.
• OpenFlow 1.0 Actions
The switch supports single-port and multi-port forwarding actions as well as some optional packet modification actions. Table 48-4 defines the supported and unsupported forwarding actions.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions
Forwarding Action | Description
Forward—Physical Port | The switch can redirect traffic to one or more ports. A valid port can be a physical port or a LAG.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions (Continued)
Forwarding Action | Description
Forward—NORMAL | This is a supported forwarding action. The "NORMAL" reserved port can be either the only action in the list or can be specified along with the "CONTROLLER" port. No packet modifications are allowed when this action is specified. The packet is forwarded according to the normal layer-2 or layer-3 tables.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions (Continued)
Forwarding Action | Description
Modify Field | The switch supports modifying certain fields in the packet. The feature can be used to give higher priority to certain packets by modifying the 802.1p and DSCP fields. The feature can also be used to implement policy based routing. The packet modifications can be made to the single-port and multi-port flows.
Source MAC VLAN Assignment Table The Source MAC VLAN Assignment table matches on SA MAC, VLAN, and Input Port. Dell Networking OpenFlow Hybrid checks the 'wildcards' field in the ofp_match structure and returns an error if any of the bits other than OFPFW_IN_PORT, OFPFW_DL_VLAN, or OFPFW_DL_SRC are set to 0. If the OpenFlow Controller specifies an unsupported action, the switch rejects the flow with an error. Table 48-5.
MAC Forwarding Table
The MAC Forwarding table matches on DA MAC, SA MAC, VLAN, and Input Port. Dell Networking OpenFlow Hybrid checks the 'wildcards' field in the ofp_match structure and returns an error if any of the bits other than OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, or OFPFW_DL_DST are set to 0. 0xFFFF, a special VLAN designator indicating that the entry should match untagged traffic, cannot be used as a match criterion for the VLAN ID field dl_vlan. Table 48-6.
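To make the 'wildcards' check described for the Source MAC VLAN Assignment Table and the MAC Forwarding Table concrete, here is an added example (not Dell's or Open vSwitch's code) that applies the same rules to an OpenFlow 1.0 ofp_match: every field the table cannot match on must remain wildcarded, and 0xFFFF is refused as a dl_vlan value for the MAC Forwarding Table. The OFPFW_* constants are the OpenFlow 1.0 wildcard bit definitions; the table names, the validate_match and exact_on helpers and the treatment of the match as plain integers rather than the wire structure are assumptions.

```python
"""Validate an OpenFlow 1.0 ofp_match 'wildcards' word against the two
MAC-based hardware tables (added example, not Dell's or OVS code).

In OpenFlow 1.0 a set wildcard bit means "ignore this field"; a cleared bit
means "match it exactly". A table that cannot match on a field must therefore
see that field's bit set, which is the check the text describes.
"""
OFPFW_IN_PORT = 1 << 0
OFPFW_DL_VLAN = 1 << 1
OFPFW_DL_SRC = 1 << 2
OFPFW_DL_DST = 1 << 3
OFPFW_DL_TYPE = 1 << 4
OFPFW_NW_PROTO = 1 << 5
OFPFW_TP_SRC = 1 << 6
OFPFW_TP_DST = 1 << 7
OFPFW_NW_SRC_SHIFT = 8   # 6-bit field: number of wildcarded low-order bits
OFPFW_NW_DST_SHIFT = 14  # 6-bit field, same encoding
OFPFW_NW_SRC_MASK = 0x3F << OFPFW_NW_SRC_SHIFT
OFPFW_NW_DST_MASK = 0x3F << OFPFW_NW_DST_SHIFT
OFPFW_DL_VLAN_PCP = 1 << 20
OFPFW_NW_TOS = 1 << 21
OFPFW_ALL = (1 << 22) - 1

OFP_VLAN_NONE = 0xFFFF  # "match untagged" designator, not accepted by the MAC table

# Fields each hardware table is able to match exactly (assumed table names).
ALLOWED_EXACT = {
    "source-mac-vlan-assignment": OFPFW_IN_PORT | OFPFW_DL_VLAN | OFPFW_DL_SRC,
    "mac-forwarding": OFPFW_IN_PORT | OFPFW_DL_VLAN | OFPFW_DL_SRC | OFPFW_DL_DST,
}

SINGLE_BIT_FIELDS = {
    OFPFW_IN_PORT: "in_port", OFPFW_DL_VLAN: "dl_vlan", OFPFW_DL_SRC: "dl_src",
    OFPFW_DL_DST: "dl_dst", OFPFW_DL_TYPE: "dl_type", OFPFW_NW_PROTO: "nw_proto",
    OFPFW_TP_SRC: "tp_src", OFPFW_TP_DST: "tp_dst",
    OFPFW_DL_VLAN_PCP: "dl_vlan_pcp", OFPFW_NW_TOS: "nw_tos",
}


def validate_match(table: str, wildcards: int, dl_vlan: int = 0) -> tuple[bool, str]:
    """Return (accepted, reason) for a flow aimed at the given hardware table."""
    allowed = ALLOWED_EXACT[table]
    # Single-bit fields: a cleared bit the table cannot honour is an error.
    for bit, name in SINGLE_BIT_FIELDS.items():
        if not (wildcards & bit) and not (allowed & bit):
            return False, f"{name} must be wildcarded for the {table} table"
    # nw_src/nw_dst are prefix-length wildcards: 32 or more wildcards the whole
    # address, anything smaller is a (possibly partial) exact match.
    for mask, shift, name in ((OFPFW_NW_SRC_MASK, OFPFW_NW_SRC_SHIFT, "nw_src"),
                              (OFPFW_NW_DST_MASK, OFPFW_NW_DST_SHIFT, "nw_dst")):
        if ((wildcards & mask) >> shift) < 32:
            return False, f"{name} must be wildcarded for the {table} table"
    if (table == "mac-forwarding" and not (wildcards & OFPFW_DL_VLAN)
            and dl_vlan == OFP_VLAN_NONE):
        return False, "dl_vlan 0xFFFF (untagged) is not a valid MAC Forwarding Table match"
    return True, "ok"


def exact_on(*bits: int) -> int:
    """Build a wildcards word that matches exactly on the given fields only."""
    word = OFPFW_ALL
    for bit in bits:
        word &= ~bit
    return word


if __name__ == "__main__":
    # Constructed flows: one the MAC Forwarding Table accepts, one it rejects.
    print(validate_match("mac-forwarding", exact_on(OFPFW_DL_DST, OFPFW_DL_VLAN), 10))
    print(validate_match("mac-forwarding", exact_on(OFPFW_DL_DST, OFPFW_DL_TYPE), 10))
```

A controller that wants an Ethertype or IP match should be steered to the OpenFlow 1.0 Rule Table instead; rejecting the flow here, rather than silently dropping the unsupported qualifier, is what keeps the installed rule from matching more traffic than the controller asked for.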
Table 48-6. MAC Forwarding Table Match Criteria (Continued)
Local — Multicast
Description: Match on any MAC address with the multicast bit enabled. All other bits in the destination MAC are implicitly masked.
Match criteria:
  dl_vlan — Valid VLAN ID
  dl_dst — 01:00:00:00:00:00 — Special MAC address
  in_port — Valid Physical Port or LAG
  dl_src — Wildcard
Actions:
  Action Type — OFPAT_OUTPUT (Can be repeated)
  • port — Valid physical port or LAG.
Table 48-6. MAC Forwarding Table Match Criteria (Continued)
Controller — VLAN
Description: Match traffic for a specific VLAN and send the packet to the OpenFlow Controller.
Match criteria:
  dl_vlan — Valid VLAN ID
  dl_dst — Wildcard
  in_port — Wildcard
  dl_src — Wildcard
Actions:
  Action Type — OFPAT_OUTPUT (Can be specified only one time)
  • port — OFPP_CONTROLLER (0xfffd)
  • max_len — An integer from 0 to 9216.
Flow Addition and Modification Error Messages If the switch detects a problem with a newly added flow, or is unable to add or modify a flow due to lack of hardware resources, the switch generates an error message in response to the ofproto_class Flow Put function and generates a syslog message with a text string representing the error type. Table 48-7 lists the syslog messages that can be generated by the switch in response to the flow modification requests.
Flow Status and Statistics The OpenFlow Controller uses the OFPT_STATS_REQUEST message with the type OFPST_FLOW to request flow status and statistics. The switch supports all flow match criteria in the OFPT_STATS_REQUEST defined by the OpenFlow 1.0 standard. The switch supports packet and byte counters for the OpenFlow 1.0 Rule Table and the MAC Forwarding Table. The OFPT_STATS_REPLY message includes the flow match criteria and actions. OpenFlow 1.
Flow Match Fields
The available match fields for Policy ACL Flow Table flow entry types are as described in the following tables.
Table 48-8. Policy ACL Flow Table Layer 2 Match Fields
Field | Bits | Maskable | Optional | Description or Prerequisite
IN_PORT | 32 | No | Yes | Physical or logical ingress port.
ETH_SRC | 48 | Yes | Yes | Ethernet source MAC
ETH_DST | 48 | Yes | Yes | Ethernet destination MAC
ETH_TYPE | 16 | No | Yes | Any value except 0x86dd.
Table 48-9. Policy ACL Flow Table IPv4 Match Fields (Continued)
Field | Bits | Maskable | Optional | Description or Prerequisite
VLAN_PCP | 3 | No | Yes | 802.1p priority field from VLAN tag. Always has a value; it is zero if the packet did not have a VLAN tag.
Table 48-10. Policy ACL Flow Table IPv6 Match Fields
Field | Bits | Maskable | Optional | Description
IN_PORT | 32 | No | Yes | Physical or logical ingress port.
ETH_SRC | 48 | Yes | Yes | Ethernet source MAC
ETH_DST | 48 | Yes | Yes | Ethernet destination MAC
ETH_TYPE | 16 | No | Yes | Must be 0x86dd
VLAN_VID | 16 | Yes | Yes | VLAN ID. Cannot be masked for a VLAN bridging rule that redirects to a different L2 output group. Only applicable to VLAN flow entry types.
VLAN_PCP | 3 | No | Yes | 802.1p priority field from VLAN tag.
Table 48-10. Policy ACL Flow Table IPv6 Match Fields (Continued)
Field | Bits | Maskable | Optional | Description
TCP_DST | 16 | No | Yes | If Ethertype = 0x86dd and IP_PROTO = 6
UDP_DST | 16 | No | Yes | If Ethertype = 0x86dd and IP_PROTO = 17
SCTP_DST | 16 | No | Yes | If Ethertype = 0x86dd and IP_PROTO = 132
ICMPv6_CODE | 8 | No | Yes | If Ethertype = 0x86dd and IP_PROTO = 58
Notes:
The following table lists OpenFlow 1.3 match criteria that are NOT supported.
Table 48-11.
Table 48-11. Match Criteria Not Supported (Continued)
Field | Description
IPV6_ND_TLL | Target link-layer for ND.
IPV6_EXTHDR | IPv6 Extension Header pseudo-field
Action Set
Actions
The Policy ACL Flow Table action set supports the actions listed in Table 48-12.
Table 48-12. Policy ACL Flow Table Flow Entry Action Set
Name | Argument | Description
Group | Group | Sets output group entry for processing the packet after this table.
Counters and Flow Expiration
The Policy ACL Flow Table counters are listed in Table 48-13.
Table 48-13. Policy ACL Flow Table Counters
Name | Bits | Type | Description
Active Entries | 32 | Table | Reference count of the number of active entries in the table.
Duration (sec) | 32 | Per-entry | Seconds since this flow entry was installed
Received Packets | 64 | Per-entry | Number of packets that hit this flow entry.
Received Bytes | 64 | Per-entry | Number of bytes that hit this flow entry.
Group Table
The group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding packets. Different types of groups are provided to represent different abstractions such as multicasting or multipathing. Each group is composed of a set of group buckets, and each group bucket contains the set of actions to be applied before forwarding to the port. Group buckets can also forward to other groups, enabling groups to be chained together.
• The "All" group type creates an IPMC replication group that points to one or more next hops. Depending on the SA/DA/VLAN modification actions, the next hops may be added to the IPMC group as routed or switched. (L3 Multicast group entry)
• The "Select" group type creates an ECMP group object which points to one or more next hops. (L3 ECMP group entry)
• The fast failover group type is unsupported.
The following sections provide additional details on each of these group types.
Table 48-15. Unicast Bucket Actions (Continued)
Field | Argument | Description
Set Field | MAC_DST | Write the next hop destination MAC. Optional.
Set Field | MAC_SRC | Write the source MAC corresponding to the L3 output interface. Optional.
Set Field | VLAN-id | Write the VLAN ID corresponding to the L3 output interface. Optional.
• Counters
The L3 Unicast group entry counters are as shown in Table 48-16.
Table 48-16.
All (L3 Multicast) Group Type L3 Multicast group entries are of OpenFlow ALL type. The action buckets describe the interfaces to which multicast packet replicas are forwarded. Figure 48-2 illustrates L3 Multicast group entries. Figure 48-2. L3 Multicast Group Entry Usage IP multicast packets are forwarded differently depending on whether they are switched or routed. Packets must be switched in the VLAN in which they came, and cannot be output to IN_PORT.
For replication of IP packets, at least one of (MAC-Src, MAC-dest and VLAN-ID) should be valid. L2 multicast is supported. It is done using IPMC L2 replication when all of the (MAC-Src, MAC-dest, VLAN-ID) action bucket fields are left empty. So an "All (L3 Multicast) Group" can have a mix of buckets, some with L3 replication and some with L2 replication. To use L2 multicast, the user should not qualify the IP fields in the flow match criteria.
An L3 ECMP Group entry can be specified as a routing target instead of an L3 Unicast Group entry. Selection of an action bucket for forwarding a particular packet is hardware specific.
• Action Buckets
The action buckets contain the single value listed in Table 48-19.
Table 48-19. L3 ECMP Group Entry Bucket Actions
Field | Argument | Description
Group | Group-id | May chain to an L3 Unicast Group.
• Counters
The L3 ECMP group entry counters are as shown in Table 48-20.
Table 48-20.
The desc field in the message contains port information. This field, of type ofp_port, contains the following elements:
1 port_no — Set to the MIB-2 ifIndex field for the port.
2 hw_addr — All ports in the switch have the same MAC address. The switch reports the lowest MAC assigned to the unit. This address is typically printed on the MAC address label on the switch.
3 name — A unit/slot/port designation for physical ports and LAGs. The LAGs are also identified with the symbolic name lag-.
The queue configuration reply message of type ofp_queue_get_config_reply includes an array of ofp_packet_queue structures. For each interface, the queues are numbered 0 to 7, with queue 7 representing the highest priority queue. The port queues do not have any queue properties. The OpenFlow Controller requests queue statistics using the OFPT_STATS_REQUEST message with type OFPST_QUEUE. Dell Networking OpenFlow Hybrid reports the tx_bytes, tx_packets, and tx_errors statistics for each queue.
To accommodate the scenario where the Flow Controller removes many flows and quickly adds many new flows, the OpenFlow flow database is twice the size of the hardware database. The extra headroom provides enough space to buffer the new flows before the old flows are removed from the hardware. If the OpenFlow Controller adds a flow with the same match criteria as an existing flow, Dell Networking OpenFlow Hybrid treats the new flow as a flow modification action.
Interaction between Flows and VLANs The OpenFlow Controller can add flows for any VLAN ID. The VLANs for which flows are added are created in the Dell Networking OpenFlow Hybrid VLAN database as dynamic VLANs if they are not already configured on the switch. Learning is enabled on the dynamic VLAN. The switch never adds ports to OpenFlow dynamic VLANs, but instead disables ingress and egress filtering on the ports on which the OpenFlow flows are installed.
For the switch to receive the untagged traffic and map it to the appropriate VLAN, the OpenFlow controller can install a flow that maps the incoming MAC address to the VLAN. This is done with the flow type "Phase-1Untagged-MAC" and action OFPAT_SET_VLAN_ID (see "Source MAC VLAN Assignment Table " on page 1626).
If an unknown interface is used in the match criteria for a new flow, the flow is held in the application table until the interface is attached. Dell Networking OpenFlow Hybrid does not generate any error for the flow. Once the interface is attached, the flow is added to the hardware. If the flow is already installed and the interface in the match criteria goes away, the flow is removed from the hardware.
Collect Port and Queue Status and Statistics
The OpenFlow Controller can collect status and statistics for ports and queues. When ports are created, Dell Networking OpenFlow Hybrid sends an OFPT_PORT_STATUS message to the OpenFlow Controller. The status message is triggered by creation of entries in the Physical Port Table. The same tables are used for reporting port status information. The port status is updated by a separate task that periodically polls the status for all physical ports.
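As an added example (not code from the guide), the following Python 3 script, meant to run off the switch beside a controller or a packet capture, decodes an OFPT_PORT_STATUS message into the desc fields listed above and checks the stated property that every port reports the same hw_addr. The wire layout is that of OpenFlow 1.3 (the version enabled in the configuration example); the messages, MAC and port names it builds are constructed placeholders.

```python
"""Decode an OpenFlow 1.3 OFPT_PORT_STATUS message and check the desc-field
properties the guide states for Dell Networking OpenFlow Hybrid.

Added example, not code from the guide. Wire layout is from the OpenFlow 1.3
specification (ofp_header, ofp_port_status, ofp_port); the messages built
below are constructed, with placeholder ifIndex, MAC and port-name values.
"""
import struct

OFP_VERSION_13 = 0x04
OFPT_PORT_STATUS = 12
PORT_REASON = {0: "add", 1: "delete", 2: "modify"}      # OFPPR_* values

# ofp_header: version, type, length, xid (8 bytes, network byte order)
HDR = struct.Struct("!BBHI")
# ofp_port: port_no, pad[4], hw_addr[6], pad[2], name[16], config, state,
#           curr, advertised, supported, peer, curr_speed, max_speed (64 bytes)
PORT = struct.Struct("!I4x6s2x16s8I")
PORT_STATUS_LEN = HDR.size + 8 + PORT.size            # reason + pad[7] = 8


def parse_port_status(msg):
    """Return the reason and the desc fields the guide describes."""
    version, mtype, length, xid = HDR.unpack_from(msg, 0)
    if version != OFP_VERSION_13 or mtype != OFPT_PORT_STATUS:
        raise ValueError("not an OpenFlow 1.3 OFPT_PORT_STATUS message")
    if length != len(msg) or length != PORT_STATUS_LEN:
        raise ValueError("length field %d does not match %d bytes" % (length, len(msg)))
    reason = msg[HDR.size]                             # pad[7] follows it
    port_no, hw_addr, name, *rest = PORT.unpack_from(msg, HDR.size + 8)
    return {
        "xid": xid,
        "reason": PORT_REASON.get(reason, "unknown(%d)" % reason),
        "port_no": port_no,                            # guide: MIB-2 ifIndex
        "hw_addr": ":".join("%02x" % b for b in hw_addr),
        "name": name.split(b"\0", 1)[0].decode("ascii"),  # unit/slot/port or lag- name
        "state": rest[1],                              # OFPPS_* bits
    }


def distinct_hw_addrs(statuses):
    """Guide: every port reports the switch's lowest MAC, so one value is
    expected; more than one is worth a closer look at the reporting switch."""
    return {s["hw_addr"] for s in statuses}


def build_port_status(reason, port_no, hw_addr, name, xid=1):
    """Build a constructed message with the same wire layout, for offline use."""
    desc = PORT.pack(port_no, hw_addr, name.encode("ascii").ljust(16, b"\0"), *([0] * 8))
    body = bytes([reason]) + b"\0" * 7 + desc
    return HDR.pack(OFP_VERSION_13, OFPT_PORT_STATUS, HDR.size + len(body), xid) + body


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")               # placeholder MAC
    msgs = [build_port_status(0, 1, mac, "Gi1/0/1"),   # constructed names
            build_port_status(0, 2, mac, "Gi1/0/2"),
            build_port_status(0, 1001, mac, "lag-1")]
    parsed = [parse_port_status(m) for m in msgs]
    for p in parsed:
        print(p)
    print("distinct hw_addr values:", distinct_hw_addrs(parsed))
```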
OpenFlow Hybrid
The operation of the OpenFlow switch in a network largely depends on the functionality of the OpenFlow controller. The OpenFlow feature is a powerful tool that enables the OpenFlow controller to forward packets in the network without regard to the Layer-2 forwarding database and the IPv4 routing tables. Refer to the OpenFlow Controller documentation to understand how the switch behaves in the customer network.
Interaction with Other Switch Functions
The Dell Networking OpenFlow Hybrid component interacts with multiple Dell Networking switch components by either communicating with these components or sharing common resources with them. The following sections describe these interactions.
OpenSSL
The OpenFlow component establishes SSL connections to the OpenFlow controllers and OpenFlow Managers.
LAGs
When physical ports become LAG members, the flows installed by the OpenFlow Controller on these ports are removed from the hardware and the flows that are installed for the LAG are activated for the new LAG member port. The reverse action takes place when the ports are removed from the LAG.
Ports
The OpenFlow component installs flows in the hardware and removes flows from the hardware as ports become attached and detached or join and leave the LAG.
IP Routing, IP Multicast, and Layer-2 Multicast
The OpenFlow component uses the same hardware resources as the routing and IP multicast components. Namely, the OpenFlow component uses the Next-Hop entries and Multicast Group entries in the hardware. Because these entries are shared with the routing and multicast components, the Dell Networking OpenFlow Hybrid feature gracefully handles the out-of-resources errors.
Port Mirroring
The OpenFlow component is not active on probe ports.
Limitations, Restrictions, and Assumptions
The following OpenFlow features are not supported:
1 Flow installation in the MAC Forwarding table.
2 Uplink Rate Limiting, including the flow installation in the Uplink Rate Limiter Table, traffic rate control, the rate limiter table, and the rate limiter statistics.
3 On the N4000 Series switches, flow installation is not supported if MAC ACLs exist.
4 OpenFlow functionality currently interoperates with the Open vSwitch command line utility ovs-ofctl 2.3.0.
OpenFlow Configuration Example
This example enables OpenFlow 1.3 on the switch and configures a connection to a controller at IPv4 address 172.16.0.3 over TCP port 3435 using no encryption on the out-of-band interface. This example presumes the out-of-band interface has obtained an IP address on the 172.16.0.X subnet.
console(config)#openflow
WARNING! OpenFlow does not operate on stack members. Enable OpenFlow on stand-alone switches only.
console(config-of-switch)#protocol-version 1.
49 Dell Networking Python Support
Dell Networking switches support installation and execution of Python applications. Python applications that are to be executed on the switch must be developed and tested offline to the maximum degree possible. The switch does not offer interactive shell access for development of Python scripts, nor does the Dell Networking switch come with all of the normal Python "batteries included" modules. A list of the included packages is in the example below.
Downloads application file
Server IP Address.............................. 10.27.9.99
Source File Path............................... jmclendo/
Source Filename................................ app.tgz
Data Type...................................... Application
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration of the transfer. please wait...
CAUTION: The application install command has an auto-restart parameter. Do NOT use this parameter while debugging or on any short-lived application. The switch does NOT limit restarts and attempts to restart a failed application immediately. Installing a failing or short-lived application with auto-restart enabled will result in a switch that:
– cannot perform normal protocol operations at its advertised level.
– is difficult to access via the console.
_LWPCookieJar _MozillaCookieJar _OpEN __builtin__ __future__ _abcoll _ast _bisect _codecs _codecs_cn _codecs_hk _codecs_iso2022 _codecs_jp _codecs_kr _codecs_tw _collections _csv _ctypes _ctypes_test _elementtree _functools _heapq _hotshot _io _json _locale _lsprof _md5 _multibytecodec _multiprocessing _osx_support _pyio _random _sha _sha256 _sha512 _socket _sre _ssl _strptime _struct _symtable _sysconfigdata _testcapi _threading_local _warnings collections colorsys commands compileall compiler conte
_weakref _weakrefset abc aifc antigravity anydbm argparse array ast asynchat asyncore atexit audiodev heapq hmac hotshot htmlentitydefs htmllib httplib ihooks imaplib imghdr imp importlib imputil inspect pwd py_compile pyclbr pydoc pydoc_data pyexpat quopri random re repr requests resource rexec wave weakref webbrowser whichdb wsgiref xdrlib xml xmllib xmlrpclib xxsubtype zipfile zipimport zlib Enter any module name to get more help.
    USERNAME = 'admin'
    PASSWORD = 'password'
    ENABLE_PASSWORD = ''
    TIMEOUT = 3

    # TERMINAL_MONITOR, TERMINAL_LEN_ZERO, LOGIN_STRING and PASSWORD_STRING
    # are defined earlier in the script (not shown in this excerpt).
    def do_terminal_settings(tn):
        tn.write(TERMINAL_MONITOR)
        tn.read_until("#")
        tn.write(TERMINAL_LEN_ZERO)
        tn.read_until("#")

    def do_login(tn):
        print "TN object created\n"
        tn.read_until(LOGIN_STRING, TIMEOUT)
        print "Read Login Prompt\n"
        tn.write(USERNAME + "\n")
        tn.read_until(PASSWORD_STRING, TIMEOUT)
        print "Read Password Prompt\n"
        tn.write(PASSWORD + "\n")
        tn.read_until(">", TIMEOUT)
        print "Received Exec Prompt\n"
        tn.
A Feature Limits and Platform Constants
Table A-1 lists the feature limits and Table A-2 lists the platform constants for the Dell Networking N-Series switches. Certain platform constants may be adjusted by selecting a different SDM template. For example, both the Dell Networking N3000 Series switches and the Dell Networking N4000 Series switches support 16-wide ECMP using a non-default template.
Table A-1.
Table A-2. Platform Constants
Feature                            N1500 Series          N2000 Series                    N3000 Series                    N4000 Series                    Reference
MAC addresses assigned per system  4                     4                               4                               4
CPU                                ARM Cortex A9, 1 GHz  ARM Cortex A9 Dual Core, 1 GHz  ARM Cortex A9 Dual Core, 1 GHz  NetLogic XLP308L Dual Core, 1.
B System Process Definitions
The following process/thread definitions are intended to assist the end user in troubleshooting switch issues. Only the most often seen threads/processes are listed here. Other processes or threads may be seen occasionally but are not a cause for concern.
Table B-1. System Process Definitions
Name                      Task Summary
aclClusterTask            ACL tasks
aclEventTask
aclLogTask
ARP Timer                 ARP tasks
autoInstTask              Auto Install task - USB, etc.
Dot1s transport task      Spanning Tree tasks
dot1s_helper_task
dot1s_task
dot1s_timer_task
dot1xTask                 802.
hapiBpduTxTask            High Level API - SDK Integration Layer
hapiL2AsyncTask
hapiL2FlushTask
hapiL3AsyncTask
hapiLinkStatusTask
hapiMcAsyncTask
hapiRxTask
hapiTxTask
hpcBroadRpcTask           SDK Remote messaging task.
simPts_task               System Interface Manager (time zone, system name, service port config, file transfers, ...
TransferTask              TFTP Processing
trapTask                  Trap handler
tRipTask                  RIP Routing
tRtrDiscProcessingTask    Router Discovery packet processing
usbFlashDriveTask         USB Flash driver processing
umCfgUpdateTask           Stack Management: Unit Manager tasks
umWorkerTask
unitMgrTask
USL Worker Task           USL Message processing (primarily MAC address table CLI commands)
UtilTask                  Mgmt.
C Dell SupportAssist
Dell SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 6.3 and SupportAssist Package XYZ or later to be installed on the Dell Networking device. Dell SupportAssist is enabled by default on all Dell Networking switches.
Dell SupportAssist operates by periodically reporting switch identity (service tag and serial number), configuration, logs, status, and diagnostic information to an external SupportAssist server operated by Dell, Inc. Information is logged periodically on the SupportAssist server. It is recommended that Dell Networking customers utilizing Dell SupportAssist configure the appropriate contact information using the contact-person and contact-company commands in Support-Assist Configuration mode.
of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity. If you do not consent to the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist.