Dell EMC SmartFabric OS10 User Guide Release 10.5.1 09 2020 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this guide
This guide is intended for system administrators who are responsible for configuring and maintaining networks. It covers the following details:
● Installation and set up of Dell EMC SmartFabric OS10.
● Description, configuration information, and examples of features that SmartFabric OS10 supports.
● Reference information and examples on configuring protocols.
2 Change history
The following table provides an overview of the changes to this guide from a previous OS10 release to the 10.5.1 release. For more information about the new features, see the respective sections.

Table 1. New in 10.5.1.6
Revision  Date        Feature                            Description
--------  ----------  ---------------------------------  --------------------------------------------------------
A01       2020-09-03  TACACS as Primary Authentication   Support for TACACS as the primary authentication method.
                      MX-IOM Hardware Replacement        Procedure to replace an IOM module.

Table 2. New in 10.5.1.
3 Getting Started with Dell EMC SmartFabric OS10
Dell EMC SmartFabric OS10 is a network operating system (NOS) supporting multiple architectures and environments. The SmartFabric OS10 solution allows multi-layered disaggregation of network functionality. SmartFabric OS10 bundles industry-standard management, monitoring, and Layer 2 and Layer 3 networking stacks over CLI, SNMP, and REST interfaces. Users can choose their own third-party networking, monitoring, management, and orchestration applications.
Starting from Release 10.5.1.0, SmartFabric OS10 comes with a single partition. Both the active and standby software images are stored in this partition. OS10 installation and upgrade procedures continue to work as usual. However, after you install a 10.5.1.0 (or later) image, if you want to downgrade to a 10.5.0.0 (or earlier) image, you must back up the configuration and license files. See Downgrade to Release 10.5.0.0 or earlier releases for more information.
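A pre-change check built from the rule above, as an added example that is not part of the Dell guide: it parses show version output in the format this guide prints and classifies a planned downgrade. The function names, the sample output and the "unspecified" result are assumptions of the example; the rollback case follows the guide's note that a target release already present as the standby image keeps configuration and license data.

```python
import re

# Per this guide: releases from 10.5.1.0 onward use a single partition.
SINGLE_PARTITION_FROM = (10, 5, 1, 0)

# Constructed sample, modelled on the `show version` example in this guide.
SAMPLE_SHOW_VERSION = """\
OS10# show version
Network Operating System
OS Version: 10.5.1.0
Build Version: 10.5.1.0.123
Build Time: 2020-02-12T02:34:02+0000
System Type: Z9100-ON
Architecture: x86_64
Up Time: 04:40:37
"""


def parse_release(text):
    """Turn '10.5.1.0' (or '10.2.0E') into a tuple of ints, padded to four fields."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not an OS10 release string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def parse_show_version(output):
    """Collect the 'Key: value' lines of `show version`; other lines are ignored."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify_upgrade(output, expected_release):
    """Return a list of problems; an empty list means the expected release is running."""
    running = parse_show_version(output).get("OS Version")
    if running is None:
        return ["no 'OS Version' field in show version output"]
    if parse_release(running)[:4] != parse_release(expected_release)[:4]:
        return [f"running {running}, expected {expected_release}"]
    return []


def downgrade_plan(running, target, standby=None):
    """Classify a downgrade using the two cases this guide describes.

    'rollback'        - target is already the standby image
    'backup-required' - leaving a single-partition release (10.5.1.0 or later)
                        for 10.5.0.0 or earlier: back up configuration and license
    'unspecified'     - not covered by the guide (assumption of this example)
    """
    run, tgt = parse_release(running)[:4], parse_release(target)[:4]
    if tgt >= run:
        raise ValueError("target release is not older than the running release")
    if standby is not None and parse_release(standby)[:4] == tgt:
        return "rollback"
    if run >= SINGLE_PARTITION_FROM and tgt < SINGLE_PARTITION_FROM:
        return "backup-required"
    return "unspecified"


if __name__ == "__main__":
    print(verify_upgrade(SAMPLE_SHOW_VERSION, "10.5.1.0"))
    print(downgrade_plan("10.5.1.0", "10.5.0.0"))
    print(downgrade_plan("10.5.1.0", "10.5.0.0", standby="10.5.0.0"))
```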
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-* *-* Copyright (c) 1999-2018 by Dell Inc. All Rights Reserved.
Download OS10 image for upgrade
NOTE: For MX-Series Ethernet I/O modules, OS10 updates are packaged as Dell Upgrade Packages (DUPs) and can be downloaded from www.dell.com/support/. For information on how to download the DUP files to upgrade OS10 on an MX9116n and MX5108n switch, see the Dell EMC SmartFabric OS10 Release Notes—Release 10.5.0.
To upgrade an existing OS10 image, first download a new OS10 Enterprise Edition image from DDL.
1. Sign in to DDL using your account credentials.
4. (Optional) View the current software download status in EXEC mode.
OS10# show image status
5. Cancel any staged firmware update using the image cancel command.
OS10# image cancel
6. Install the OS10 standby image using the image install file-url command in EXEC mode, where filename is the name of the image file downloaded in Step 3 with the image download command; for example:
OS10# image install image://OS10EE.bin
NOTE: OS10 has two images: A and B.
10. Use the show version command in EXEC mode to verify that the downloaded OS10 image is installed as the current running version.
OS10# show version
Network Operating System
OS Version: 10.5.1.0
Build Version: 10.5.1.0.123
Build Time: 2020-02-12T02:34:02+0000
System Type: Z9100-ON
Architecture: x86_64
Up Time: 04:40:37

Restrictions on Upgrade to Release 10.5.1.0 or later version
After you install the 10.5.1.
Example             OS10# boot system standby
Supported Releases  10.2.0E or later

image cancel
Cancels an image or firmware file download that is in progress.
Syntax              image cancel
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   The image cancel command cancels a file download from a server, such as an OS10 binary image or firmware upgrade, that is in progress. After an image download completes, the command has no effect.
● usb://filepath — Enter the path to copy from the USB file system.
Default             Not configured
Command Mode        EXEC
Usage Information   The image download command downloads image files to the image directory. Use the dir image command to display the contents of the image directory. OS10 SW image files are large, and occupy a significant amount of disk space.
show boot
Displays boot-related information.
Syntax              show boot [detail]
Parameters          detail — (Optional) Enter to display detailed information.
Default             Not configured
Command Mode        EXEC
Usage Information   Use the boot system command to set the boot image for the next reboot.
2 3 3.35.5.1 2019-03-25 15:19:19 cpld-fw-mx5108n-r1.5.4.1.bin 1.5.4.1 2019-03-25 15:19:19 bios-20190225-xt-3.34.8.10a.bin 3.34.8.10 2019-03-25 15:19:19 Past Firmware Upgrade(s) Name Version Result -------------------------------------------------------onie-firmware-x86_64-dellemc_mxseries-r0.3.35.5.1-15.bin 3.35.5.1 Success onie-updater-x86_64-dellemc_mxseries-r0 3.35.1.
Installation State: install
--------------------------------------------------
State Detail: In progress: Installing
Task Start: 2019-01-03T17:38:04Z
Task End: 0000-00-00T00:00:00Z
Supported Releases  10.2.0E or later

show version
Displays software version information.
Syntax              show version
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# show version
Network Operating System
OS Version: 10.5.1.0
Build Version: 10.5.1.0.
Supported Releases
Product Part Number :
License Details
----------------
Software        : OS10-Enterprise
Version         : 10.5.1.0
License Type    : PERPETUAL
License Duration: Unlimited
License Status  : Active
License location: /mnt/license/9531XC2.lic
---------------------------------------------------------

Re-install license
OS10 Enterprise Edition runs with a perpetual license on a device with OS10 factory-loaded. The license file is pre-installed on the switch.
To download OS10 Enterprise Edition and the license, follow the steps for an ONIE switch without an OS installed; see Download OS10 image, Installation using ONIE, and Install OS10 license.

Uninstall existing OS
CAUTION: To install OS10 on a switch running OS9 or another third-party OS, you must first uninstall the existing OS. The Uninstall option deletes the switch configuration and all disk partitions.
Restrictions on Downgrade from 10.5.1.x to 10.5.0.x or earlier version
After rollback to release 10.5.0.x or an earlier release, the following images are available in the switch:
● Image A: 10.5.0.0 (active)
● Image B: N/A
During this state, you must not use the boot system standby command and reload as the switch might get stuck in the GRUB shell.

Installation using ONIE
CAUTION: Installing OS10 or another OS using ONIE erases all software configurations on the switch.
Automatic installation
You can automatically install an OS10 image on a Dell EMC ONIE-enabled device. This process is known as zero-touch install. After the device boots to ONIE: Install OS, ONIE auto-discovery follows these steps to locate the installer file and uses the first successful method:
1. Use a statically configured path that is passed from the boot loader.
2. Search file systems on locally attached devices, such as USB.
3. Search the exact URLs from a DHCPv4 server.
busid passed, refusing all cards
[ 5.120111] intel_rapl: driver does not support CPU family 6 model 77
[ 4.226593] systemd-fsck[493]: OS10-SYSROOT1: clean, 23571/426544 files, 312838/1704960 blocks
Debian GNU/Linux 8 OS10 ttyS0
Dell EMC Networking Operating System (OS10)
OS10 login:

Manual installation
If you do not use the ONIE-based automatic installation of an OS10 image and if a DHCP server is not available, you can manually install the image.
The ONIE auto-discovery process discovers the image file at the specified USB path, loads the software image, and reboots the switch. For more information, see the ONIE User Guide.

Log in
Connect a terminal emulator to the console serial port on the switch using a serial cable. Serial port settings are 115200 baud rate, 8 data bits, and no parity. To log in to an OS10 switch, power up and wait for the system to perform a power-on self-test (POST).
3. Install the license file from the workstation in EXEC mode.
license install {ftp: | http: | localfs: | scp: | sftp: | tftp: | usb:} filepath/filename
● ftp://userid:passwd@hostip/filepath — Copy from a remote FTP server.
● http://hostip/filepath — Copy from a remote HTTP server.
● http://hostip — Send a request to a remote HTTP server.
● localfs://filepath — Install from a local file directory.
● scp://userid:passwd@hostip/filepath — Copy from a remote SCP server.
3. Verify that the license is present in the home directory of your system.
OS10# dir home
Directory contents for folder: home
Date (modified)        Size (bytes)  Name
---------------------  ------------  -----------------------
2019-02-15T00:47:25Z   3795          0A900Q2-NOSEnterprise-License.XML
4. Enter the license install command with the path to the home directory location where the license was downloaded in step 1.
OS10# license install localfs://home/admin/0A900Q2-NOSEnterprise-License.XML
[ 5784.
5. Check if the server is up and running.

Downgrade to Release 10.5.0.0 or earlier releases
In this example, the OS10 switch runs the 10.5.1.0 software and the following procedure downgrades the system to Release 10.5.0.0.
NOTE:
● If the version that you are downgrading to is present in the system as the standby image, you can roll back to that release without losing any configuration or license data. Use the show boot detail command to view the standby image version. See Rollback from 10.5.1.
NOTE:
● During this stage, the show boot detail command displays the details of the previous image that was installed. The boot system active | standby command is not applicable during this state.
● If you install a new image using the image install command, the current staging image is replaced with the new image that you have installed and you cannot downgrade to the previous version.
7. Reload the new software image in EXEC mode. This command performs a fresh installation of Release 10.5.0.0. Release 10.
Manual CLI configuration
Use the OS10 command-line interface to enter commands to monitor and configure an OS10 switch. Set up your switch by performing basic and advanced CLI tasks — CLI basics and Advanced CLI tasks. Then proceed with other configuration settings according to how you deploy the switch in your network. For detailed configuration and CLI information, refer to the appropriate chapter.
1. Configure the Management IP address.
2. Configure Management route.
3. Configure user name and password.

Configure Management IP address
To remotely access OS10, assign an IP address to the management port. Use the management interface for out-of-band (OOB) switch management.
1. Configure the management interface from CONFIGURATION mode.
interface mgmt 1/1/1
2. By default, DHCP client is enabled on the Management interface. Disable the DHCP client operations in INTERFACE mode.
no ip address dhcp
3.
NOTE: Management VRF is currently not supported on the MX7000 platforms.

Configure management route
OS10(config)# management route 10.10.20.0/24 10.1.1.1
OS10(config)# management route 172.16.0.0/16 managementethernet

Configure username and password
To set up remote access to OS10, create a username and password after you configure the management port and default route. The user role is a mandatory entry. Enter the password in clear text. It is converted to SHA-512 format in the running configuration.
4 CLI Basics
The OS10 CLI is the software interface you use to access a device running the software — from the console or through a network connection. The CLI is an OS10-specific command shell that runs on top of a Linux-based OS kernel. By leveraging industry-standard tools and utilities, the CLI provides a powerful set of commands that you can use to monitor and configure devices running OS10.
you commit them to activate the configuration. The start transaction command applies only to the current session. Changing the configuration mode of the current session to the Transaction-Based Configuration mode does not affect the configuration mode of other CLI sessions.
● After you explicitly enter the commit command to save changes to the candidate configuration, the session switches back to the default behavior of automatically saving the configuration changes to the running configuration.
Check device status
Use show commands to check the status of a device and monitor activities. Refer to the Related Videos section for more information.
● Enter show ? from EXEC mode to view a list of commands to monitor a device; for example:
OS10# show ?
acl-table-usage
alarms
alias
bfd
boot
candidate-configuration
class-map
clock
...
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up

Related Videos
Check Device Status

Command help
To view a list of valid commands in any CLI mode, enter ?; for example:
OS10# ?
alarm
alias
batch
boot
clear
clock
commit
configure
copy
crypto
...
Candidate configuration
When you use OS10 configuration commands in Transaction-based configuration mode, changes do not take effect immediately and are stored in the candidate configuration. The configuration changes become active only after you commit the changes using the commit command. Changes in the candidate configuration are validated and applied to the running configuration. The candidate configuration allows you to avoid introducing errors during an OS10 configuration session.
To display only interface-related configurations in the candidate configuration, use the show candidate-configuration compressed and show running-configuration compressed commands. These views display only the configuration commands for VLAN and physical interfaces.
OS10# show candidate-configuration compressed
interface breakout 1/1/1 map 40g-1x
interface breakout 1/1/2 map 40g-1x
interface breakout 1/1/3 map 40g-1x
interface breakout 1/1/4 map 40g-1x
...
Prevent configuration changes
You can prevent configuration changes that are made on the switch in sessions other than the current CLI session using the lock command. To prevent and allow configuration changes in other sessions, use the lock and unlock commands in EXEC mode. When you enter the lock command, users in other active CLI sessions cannot make configuration changes.
OS10(conf-range-po-3)# switchport trunk allowed vlan 2-5
OS10(conf-range-po-3)# exit
OS10(config)# no interface range vlan 2-4
OS10(conf-range-po-3)# % Error: Range configuration conflict - the last command was not applied. Please commit (or discard) the rest of the configuration changes and retry.
If you see the error message in bold, commit the entire configuration and then delete a subset of VLANs.
Copy running configuration to local directory or remote server
OS10# copy running-configuration {config://filepath | home://filepath | ftp://userid:passwd@hostip/filepath | scp://userid:passwd@hostip/filepath | sftp://userid:passwd@hostip/filepath | tftp://hostip/filepath}
OS10# copy running-configuration scp://root:calvin@10.11.63.120/tmp/qaz.
Restore startup file from server
OS10# copy scp://admin:admin@hostip/backup-9-28.xml config://startup.xml
OS10# reload
System configuration has been modified. Save? [yes/no]:no

Reload system image
Reboot the system manually using the reload command in EXEC mode. You are prompted to confirm the operation.
OS10# reload
System configuration has been modified.
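The ftp, scp and sftp URLs used with copy above carry the user ID and password inline, so a saved session log or runbook that records the command records the credential as well. An added example, not part of the Dell guide, that finds and masks those credentials before a transcript is stored; the function names and the sample lines (documentation addresses, invented accounts) are constructed for illustration.

```python
import re

# Schemes for which this guide shows the userid:passwd@hostip form.
# The password group is greedy up to the last '@' before the path, so a
# password that itself contains '@' is still masked completely.
_CRED_URL = re.compile(
    r"(?P<scheme>ftp|sftp|scp)://"
    r"(?P<user>[^\s:/@]+):(?P<password>[^\s/]+)@(?P<host>[^\s/@]+)"
)

# Constructed session lines; not taken from a real device.
SAMPLE_SESSION = [
    "OS10# copy running-configuration scp://backupuser:Examp1e!@192.0.2.10/tmp/run.xml",
    "OS10# copy ftp://netops:p@ss@198.51.100.7/backup/startup.xml config://startup.xml",
    "OS10# copy running-configuration tftp://192.0.2.10/run.xml",
    "OS10# image install image://OS10EE.bin",
]


def find_credentials(lines):
    """Report every transfer URL with an inline password.

    The password itself is never returned. 'cleartext_transport' is set for
    ftp, which also sends the credential unencrypted over the network.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for m in _CRED_URL.finditer(line):
            hits.append({
                "line": number,
                "scheme": m["scheme"],
                "user": m["user"],
                "host": m["host"],
                "cleartext_transport": m["scheme"] == "ftp",
            })
    return hits


def redact(line):
    """Return the line with every inline password replaced by <redacted>."""
    return _CRED_URL.sub(
        lambda m: f"{m['scheme']}://{m['user']}:<redacted>@{m['host']}", line
    )


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_SESSION):
        print(hit)
    for line in SAMPLE_SESSION:
        print(redact(line))
```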
Common OS10 commands

boot
Configures the OS10 image to use the next time the system boots up.
Syntax              boot system [active | standby]
Parameters
● active — Reset the running image as the next boot image.
● standby — Set the standby image as the next boot image.
Default             Not configured
Command Mode        EXEC
Usage Information   Use this command to configure the OS10 image that is reloaded at boot time. Use the show boot command to verify the next boot image. The boot system command applies immediately.
Example
OS10# configure terminal
OS10(config)#
Supported Releases  10.2.0E or later

copy
Copies the current running configuration to the startup configuration and transfers files between an OS10 switch and a remote device.
Example
OS10# dir coredump
Directory contents for folder: coredump
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------
2017-02-15T19:05:41Z   12402278      core.netconfdpro.2017-02-15_19-05-09.gz
OS10# copy coredump://core.netconfd-pro.2017-02-15_19-05-09.gz scp://os10user:os10passwd@10.11.222.1/home/os10/core.netconfd-pro.2017-02-15_19-05-09.
● startup-configuration — (Optional) Delete the startup configuration.
● severity-profile — (Optional) Delete from severity profile directory, severity-profile://filepath.
● supportbundle://filepath — (Optional) Delete from the support-bundle directory.
● usb://filepath — (Optional) Delete from the USB file system.
Default             Not configured
Command Mode        EXEC
Usage Information   Use this command to remove a regular file, software image, or startup configuration.
Example (config)
OS10# dir config
Directory contents for folder: config
Date (modified)        Size (bytes)  Name
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml

OS10# dir severity-profile
Date (modified)        Size (bytes)  Name
---------------------  ------------  -------------
2019-03-27T15:24:06Z   46741         default.xml
2019-04-01T11:22:33Z   456           mySevProf.xml
Supported Releases  10.2.0E or later

discard
Discards changes made to the candidate configuration file.
end
Returns to EXEC mode from any other command mode.
Syntax              end
Parameters          None
Default             Not configured
Command Mode        All
Usage Information   Use the end command to return to EXEC mode to verify currently configured settings with show commands.
Example
OS10(config)# end
OS10#
Supported Releases  10.2.0E or later

exit
Returns to the next higher command mode.
Supported on the MX9116n and MX5108n switches in Full-Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric Services mode starting in 10.5.0. The no version of this command resets the host name to OS10.
Example
OS10(config)# hostname R1
R1(config)#
Supported Releases  10.3.0E or later

license
Installs a license file from a local or remote location.
Example             OS10# lock
Supported Releases  10.2.0E or later

management route
Configures an IPv4/IPv6 static route the Management port uses. To configure multiple management routes, repeat the command.
Syntax              management route {ipv4-address/mask | ipv6-address/prefix-length} {forwarding-router-address | managementethernet}
Parameters
● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in prefix-length format (/xx).
Directory contents for folder: config
Date (modified)        Size (bytes)  Name
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml
Supported Releases  10.2.0E or later

no
Disables or deletes commands in EXEC mode.
Syntax              no [alias | debug | support-assist-activity | terminal]
Parameters
Default             Not configured
Command Mode        EXEC
Usage Information   Use this command in EXEC mode to disable or remove a configuration.
● -i interval — (Optional) Enter the interval in seconds to wait between sending each packet, the default is 1 second.
● -I interface-name or interface-ip-address — (Optional) Enter the source interface name without spaces or the interface IP address:
○ For a physical Ethernet interface, enter ethernetnode/slot/port; for example, ethernet1/1/1.
○ For a VLAN interface, enter vlanvlan-id; for example, vlan10.
Example
OS10# ping 20.1.1.1
PING 20.1.1.1 (20.1.1.1) 56(84) bytes of data.
64 bytes from 20.1.1.1: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 20.1.1.1: icmp_seq=2 ttl=64 time=0.081 ms
64 bytes from 20.1.1.1: icmp_seq=3 ttl=64 time=0.133 ms
64 bytes from 20.1.1.1: icmp_seq=4 ttl=64 time=0.124 ms
^C
--- 20.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.079/0.104/0.133/0.025 ms
Supported Releases 10.2.
○ dont does not set the Don’t Fragment (DF) flag. ● -p pattern — (Optional) Enter a maximum of 16 pad bytes to fill out the packet you send to diagnose data-related problems in the network; for example, -p ff fills the sent packet with all 1’s. ● -Q tos — (Optional) Enter a maximum of 1500 bytes in decimal or hex datagrams to set the quality of service (QoS)-related bits. ● -s packetsize — (Optional) Enter the number of data bytes to send, from 1 to 65468, default 56.
Command Mode EXEC
Usage Information NOTE: Use caution while using this command as it reloads the OS10 image and reboots the device.
Example
OS10# reload
Proceed to reboot the system? [confirm yes/no]:y
Supported Releases 10.2.0E or later
show boot Displays detailed information about the boot image.
Syntax show boot [detail]
Parameters None
Default Not configured
Command Mode EXEC
Usage Information The Next-Boot field displays the image that the next reload uses.
map | port-security | prefix-list | privilege | qos-map | radius-server | route | route-map | sflow | smartfabric | snmp | spanning-tree | supportassist | system-qos | tacacs-server | telemetry | trust-map | uplink-stategroup | userrole | users | virtual-network | vlt | vrf | wred-profile]
Parameters
● aaa — (Optional) Current operating AAA configuration.
● access-list — (Optional) Current operating access-list configuration.
● virtual-network — (Optional) Current operating virtual network configuration.
● vlt — (Optional) Current operating VLT domain configuration.
● vrf — (Optional) Current operating VRF configuration.
● wred-profile — (Optional) Current operating WRED profile configuration.
Default Not configured
Command Mode EXEC
Usage Information None
Example
Example (compressed)
OS10# show candidate-configuration
! Version 10.2.
!
support-assist
!
policy-map type application policy-iscsi
!
class-map type application class-iscsi
Supported Releases 10.2.0E or later
show environment Displays information about environmental system components, such as temperature, fan, and voltage.
Product Base :
Product Serial Number :
Product Part Number :
Unit Type                 Part Number  Rev  Piece Part ID             Svc Tag
----------------------------------------------------------------------------------
* 1  S4148F-ON            09H9MN       X01  TW-09H9MN-28298-713-0026  9531XC2
  1  S4148F-ON-PWR-1-AC   06FKHH       A00  CN-06FKHH-28298-6B5-03NY
  1  S4148F-ON-FANTRAY-1  0N7MH8       X01  TW-0N7MH8-28298-713-0101
  1  S4148F-ON-FANTRAY-2  0N7MH8       X01  TW-0N7MH8-28298-713-0102
  1  S4148F-ON-FANTRAY-3  0N7MH8       X01  TW-0N7MH8-28298-713-0103
  1  S4148F-ON-FANTRAY-4  0N7MH8       X01
Example
OS10# show ipv6 management-route
Destination      Gateway                 State
-----------      -------                 -----
2001:34::0/64    ManagementEthernet 1/1  Connected
2001:68::0/64    2001:34::16             Active
Supported Releases 10.2.2E or later
show license status Displays license status information.
assist | system-qos | tacacs-server | telemetry | trust-map | uplink-stategroup | userrole | users | virtual-network | vlt | vrf | wred-profile]
Parameters
● aaa — (Optional) Current operating AAA configuration.
● access-list — (Optional) Current operating access-list configuration.
● as-path — (Optional) Current operating as-path configuration.
● bfd — (Optional) Current operating BFD configuration.
● bgp — (Optional) Current operating BGP configuration.
● uplink-state-group — (Optional) Current operating Uplink State Group configuration.
● users — (Optional) Current operating users configuration.
● userrole — (Optional) Current operating user role configuration.
● virtual-network — (Optional) Current operating virtual network configuration.
● vlt — (Optional) Current operating VLT domain configuration.
● vrf — (Optional) Current operating VRF configuration.
● wred-profile — (Optional) Current operating WRED profile configuration.
no shutdown
!
interface mgmt1/1/1
 ip address 10.11.58.145/8
 no shutdown
 ipv6 enable
 ipv6 address autoconfig
!
support-assist
!
policy-map type application policy-iscsi
!
class-map type application class-iscsi
Supported Releases 10.2.0E or later
show startup-configuration Displays the contents of the startup configuration file.
Syntax show startup-configuration [compressed]
Parameters compressed — (Optional) View a compressed version of the startup configuration file.
UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.com/support
snmp-server location "United States"
ip route 0.0.0.0/0 10.11.58.1
!
interface range ethernet 1/1/1-1/1/32
 switchport access vlan 1
 no shutdown
!
interface vlan 1
 no shutdown
!
interface mgmt1/1/1
 ip address 10.11.58.145/8
 no shutdown
 ipv6 enable
 ipv6 address autoconfig
!
support-assist
!
policy-map type application policy-iscsi
!
class-map type application class-iscsi
Supported Releases 10.2.
-- Power Supplies --
PSU-ID  Status  Type  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1       up      AC    NORMAL   1    13312       up
2       fail
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up
Example (nodeid)
OS10# show system node-id 1 fanout-configured
Interface  Breakout capable  Breakout state
------
4        up      NORMAL   1    13239       up
Supported Releases 10.2.0E or later
show version Displays software version information.
Syntax show version
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show version
Network Operating System
OS Version: 10.5.1.0
Build Version: 10.5.1.0.123
Build Time: 2020-02-12T02:34:02+0000
System Type: Z9100-ON
Architecture: x86_64
Up Time: 04:40:37
Supported Releases 10.2.
Default Not configured
Command Mode EXEC
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
Example
OS10# system bash
admin@OS10:~$ pwd
/config/home/admin
admin@OS10:~$ exit
OS10#
Supported Releases 10.2.0E or later
system-cli disable Disables the system command.
system identifier Sets a non-default unit ID in a non-stacking configuration. Syntax system identifier system-id Parameters system-id — Enter the system ID, from 1 to 9. Default Not configured Command Mode CONFIGURATION Usage Information The system ID displays in the stack LED on the switch front panel. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
○ For UDP tracing, enter the destination port base that traceroute uses. The destination port number is incremented by each probe. ○ For ICMP tracing, enter the initial ICMP sequence value, incremented by each probe. ○ For TCP tracing, enter the constant destination port to connect. ○ -P protocol — (Optional) Use a raw packet of the specified protocol for traceroute. The default protocol is 253 (RFC 3692). ○ -s source_address — (Optional) Enter an alternative source address of one of the interfaces.
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# unlock
Supported Releases 10.2.0E or later
username password role Creates an authentication entry based on a user name and password, and assigns a role to the user.
Syntax username username password password role role [priv-lvl privilege-level]
Parameters
● username username—Enter a text string. A maximum of 32 alphanumeric characters; one character minimum.
● password password—Enter a text string.
Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Example
OS10(config)# username user05 password newpwd404 role sysadmin priv-lvl 10
Supported Releases 10.2.0E or later
write Copies the current running configuration to the startup configuration file.
Syntax write {memory}
Parameters memory — Copy the current running configuration to the startup configuration.
5 Advanced CLI tasks
Command alias Provides information to create shortcuts for commonly used commands, see Command alias.
Batch mode Provides information to run a batch file to execute multiple commands, see Batch mode.
Linux shell commands Provides information to run commands from the Linux shell, see Linux shell commands.
OS9 commands Provides information to enter configuration commands using an OS9 command syntax, see Using OS9 commands.
View alias output for goint
OS10(config)# goint 1/1/1
OS10(conf-if-eth1/1/1)#
View alias information
OS10# show alias
Name      Type
----      ----
govlt     Config
goint     Config
shconfig  Local
showint   Local
shver     Local
Number of config aliases : 2
Number of local aliases : 3
View alias information brief. Displays the first 10 characters of the alias value.
OS10# show alias brief
Name      Type    Value
----      ----    -----
govlt     Config  "vlt-domain..."
goint     Config  "interface ..."
shconfig  Local   "show runni...
showint   Local
shver     Local
● (Optional) You can enter the default values to use for the parameters defined as $n in ALIAS mode. default n input-value ● (Optional) Enter a description for the multi-line alias in ALIAS mode. description string ● Use the no form of the command to delete an alias in CONFIGURATION mode. no alias alias-name You can modify an existing multi-line alias by entering the corresponding ALIAS mode.
Number of config aliases : 1
Number of local aliases : 0
View alias information brief. Displays the first 10 characters of each line of each alias.
OS10# show alias brief
Name   Type    Value
----   ----    -----
mTest  Config  line 1 "interface ..."
               line 2 "no shutdow..."
               line 3 "show confi..."
               default 1 "ethernet"
               default 2 "1/1/1"
Number of config aliases : 1
Number of local aliases : 0
View alias detail. Displays the entire alias value.
Eth 1/1/3   up  40G  A  1
Eth 1/1/4   up  40G  A  1
Eth 1/1/5   up  40G  A  1
Eth 1/1/6   up  40G  A  1
Eth 1/1/7   up  40G  A  1
Eth 1/1/8   up  40G  A  1
Eth 1/1/9   up  40G  A  1
Eth 1/1/10  up  40G  A  1
Eth 1/1/11  up  40G  A  1
Eth 1/1/12  up  40G  A  1
Eth 1/1/13  up  40G  A  1
Eth 1/1/14  up  40G  A  1
Eth 1/1/15  up  40G  A  1
Eth 1/1/16  up  40G  A  1
Eth 1/1/17  up  40G  A  1
Eth 1/1/18  up  40G  A  1
Eth 1/1/19  up  40G  A  1
Eth 1/1/20  up  40G  A  1
Eth 1/1/21  up  40G  A  1
Eth 1/1/22  up  40G  A  1
Eth 1/1/23  up  40G  A  1
Eth 1/1/24  up  40G  A  1
Eth 1/1/25  up  40G  A  1
Eth 1/1/26  up
default (alias) Configures default values for input parameters in a multi-line alias. Syntax default n value Parameters ● n — Enter the number of the argument, from 1 to 9. ● value — Enter the value for the input parameter. Default Not configured Command Mode ALIAS Usage Information To use special characters in the input parameter value, enclose the string in double quotation marks ("). The no version of this command removes the default value.
Usage Information The no version of this command removes the line number and the corresponding command from the multi-line alias.
Example
OS10(config)# alias mTest
OS10(config-alias-mTest)# line 1 "interface $1 $2"
OS10(config-alias-mTest)# line 2 "no shutdown"
OS10(config-alias-mTest)# line 3 "show configuration"
Supported Releases 10.4.0E(R1) or later
show alias Displays configured alias commands available in both Persistent and Non-Persistent modes.
                  default 2 "1/1/1"
shconfig  Local   "show running-configuration"
showint   Local   "show interface $*"
shver     Local   "show version"
Number of config aliases : 3
Number of local aliases : 3
Supported Releases 10.3.0E or later
Batch mode
To execute a sequence of multiple commands, create and run a batch file. A batch file is an unformatted text file that contains two or more commands. Store the batch file in the home directory.
● /home/filepath — Enter the username and the filepath as follows: batch /home/username/filename.
● config://filepath — Enter the filepath.
Default Not configured
Command Mode EXEC
Usage Information Use this command to create a batch command file on a remote machine. Copy the command file to the home directory on your switch. This command executes commands in batch mode. OS10 automatically commits all commands in a batch file; you do not have to enter the commit command.
New user admin logged in at session 16 ! router bgp 100 ! neighbor 100.1.1.1 remote-as 104 no shutdown admin@OS10:/opt/dell/os10/bin$ User admin logged out at session 16 ● Use the ifconfig -a command to display the interface configuration. The Linux kernel port numbers that correspond to front-panel port, port-channel, and VLAN interfaces are displayed. Port-channel interfaces are in boportchannelnumber format. VLAN interfaces are in brvlan-id format. In this example, e101-001-0 identifies port 1/1/1.
System Type: Z9100-ON Architecture: x86_64 Up Time: 05:40:23 Using OS9 commands To enter configuration commands using an OS9 command syntax, use the feature config-os9-style command in CONFIGURATION mode and log out of the session. If you do not log out of the OS10 session, configuration changes made with OS9 command syntaxes do not take effect. After you log in again, you can enter OS9 commands, but only in the new session.
6 Dell EMC SmartFabric OS10 zero-touch deployment
Zero-touch deployment (ZTD) allows OS10 users to automate switch deployment:
● Upgrade an existing OS10 image.
● Execute a CLI batch file to configure the switch.
● Execute a post-ZTD script to perform additional functions.
ZTD is enabled by default when you boot up a switch with a factory-installed OS10 for the first time or when you perform an ONIE: OS Install from the ONIE boot menu.
● In the ZTD provisioning script, enter the URL locations of an OS10 image, CLI batch file, and/or post-ZTD script. Enter at least one URL, otherwise the ZTD fails and exits to CLI Configuration mode.
ZTD guidelines
● You can store the ZTD provisioning script, OS10 image, CLI batch file, and post-ZTD script on the same server, including the DHCP server.
● Write the ZTD provisioning script in bash.
● Write the post-ZTD script in bash or Python.
When ZTD is enabled, the CLI configuration is locked. If you enter a CLI command, the error message configuration is locked displays. To configure the switch, disable ZTD by entering the ztd cancel command.
OS10# configure terminal
% Error: ZTD is in progress(configuration is locked).
OS10# ztd cancel
ZTD DHCP server configuration
For ZTD operation, configure a DHCP server in the network by adding the required ZTD options; for example:
option domain-name "example.org";
option domain-name-servers ns1.
# Example OS10 ZTD Provisioning Script
#
#
####################################################################
########## UPDATE THE BELOW CONFIG VARIABLES ACCORDINGLY ###########
########## ATLEAST ONE OF THEM SHOULD BE FILLED ####################
IMG_FILE="http://50.0.0.1/OS10.bin"
CLI_CONFIG_FILE="http://50.0.0.1/cli_config"
POST_SCRIPT_FILE="http://50.0.0.1/no_post_script.py"
################### DO NOT MODIFY THE LINES BELOW #######################
sudo os10_ztd_start.
! logging server 10.22.0.99 Post-ZTD script As a general guideline, use a post-ZTD script to perform any additional functions required to configure and operate the switch. In the ZTD provisioning script, specify the post-ZTD script path for the POST_SCRIPT_FILE variable. You can use a script to notify an orchestration server that the ZTD configuration is complete. The server can then configure additional settings on the switch.
Reason : ZTD process completed successfully at Mon Jul 16 19:31:57 2018
-----------------------------------
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : failed
Protocol State : idle
Reason : ZTD process failed to download post script file
-----------------------------------
● ZTD Status — Current operational status: enabled or disabled.
● ZTD State — Current ZTD state: initialized, in-progress, successfully completed, failed, or canceled while in progress.
7 Dell EMC SmartFabric OS10 provisioning OS10 supports automated switch provisioning — configuration and monitoring — using: ● RESTCONF API — REST-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches with JavaScript Object Notation (JSON)-structured messages. You can use any programming language to create and send JSON messages; see RESTCONF API.
The inventory file contains the list of hosts on which you want to run commands. Ansible can run tasks on multiple hosts at the same time. Ansible playbooks use /etc/ansible/hosts as the default inventory file. To specify a different inventory file, use the -i filepath command as an option when you run an Ansible playbook. Ansible playbook file Using playbooks, Ansible can configure multiple devices. Playbooks are human-readable scripts that are expressed in YAML format.
After you install Ansible, verify the version by entering:
$ ansible --version
2. Download and install Dell EMC Networking Ansible roles from the Ansible Galaxy web page; for example:
$ ansible-galaxy install dell-networking.dellos-users
$ ansible-galaxy install dell-networking.dellos-logging
$ ansible-galaxy install dell-networking.dellos-ntp
3. Create a directory to store inventory and playbook files; for example:
$ mkdir AnsibleOS10
4. Navigate to the directory and create an inventory file.
state: present
dellos_users:
  - username: u1
    password: Test@1347
    role: sysadmin
    privilege: 0
    state: present
dellos_ntp:
  server:
    - ip: 3.3.3.3
The dellos_cfg_generate parameter creates a local copy of the configuration commands applied to the remote switch on the Ansible controller node, and saves the commands in the directory defined in the build_dir path.
8. Create a playbook file.
$ vim playbook.yaml
- hosts: OS10switch-1 OS10switch-2
  connection: network_cli
  roles:
    - dell-networking.
8 System management
System banners Provides information to configure system login and message of the day (MOTD) text banners, see System banners.
User session management Provides information to manage the active user sessions, see User session management.
Telnet server Provides information to set up Telnet TCP/IP connections on the switch, see Telnet server. To set up secure, encrypted Secure Shell (SSH) connections to the switch, see SSH server.
DellEMC S4148U-ON login Enter your username and password % To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command. Message of the day banner Configure a message of the day (MOTD) banner that displays after you log in. Enter any single delimiter character to start and end the MOTD banner.
Usage Information Example Supported Releases ● To enter a multiline banner text, use the interactive mode. Enter the command with the delimiter character and press Enter. Then enter each line and press Enter. Complete the banner configuration by entering a line that contains only the delimiter character. ● To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command.
Configure timeout for user sessions
OS10(config)# exec-timeout 300
OS10(config)#
Clear user session
OS10# kill-session 3
View active user sessions
OS10# show sessions
Current session's operation mode: Non-transaction
Session-ID  User       In-rpcs  In-bad-rpcs  Out-rpc-err  Out-notify  Login-time            Lock
------------------------------------------------------------------------------------------
3           snmp_user  114      0            0            0           2017-07-10T23:58:39Z
4           snmp_user  57       0            0            0           2017-07-10T23:58:40Z
6           admin      17       0            0            4           2017-07-12T03:55:18Z
*7          admin
Example
OS10# kill-session 3
Supported Releases 10.3.1E or later
show sessions Displays the active management sessions.
Syntax show sessions
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Use this command to view information about the active user management sessions.
Telnet commands ip telnet server enable Enables Telnet TCP/IP connections to an OS10 switch. Syntax ip telnet server enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information By default, the Telnet server is disabled. When you enable the Telnet server, use the IP address configured on the management or any front-panel port to connect to an OS10 switch. After you reload the switch, the Telnet server configuration is maintained.
OS10 supports standard and private SNMP MIBs, including all get requests. MIBs are hierarchically structured and use object identifiers to access managed objects. For a list of MIBs supported in the OS10 version running on a switch, see the OS10 Release Notes for the release. OS10 supports different security models and levels in SNMP communication between SNMP managers and agents. Each security model refers to an SNMP version used in SNMP messages.
Table 4. Standards MIBs (continued)
Module             Standard
IP-FORWARD-MIB     RFC 4292
IP-MIB             RFC 4293
LLDP-EXT-DOT1-MIB  IEEE 802.1AB
LLDP-EXT-DOT3-MIB  IEEE 802.1AB
LLDP-MIB           IEEE 802.1AB
OSPF-MIB           RFC 4750
OSPFV3-MIB         RFC 5643
Q-BRIDGE-MIB       IEEE 802.
To configure SNMPv3-specific security settings — user authentication and message encryption — use the snmp-server user command. You can generate localized keys with enhanced security for authentication and privacy (encryption) passwords.
SNMP engine ID
An engine ID identifies the SNMP entity that serves as the local agent on the switch. The engine ID is a colon-separated sequence of octets; for example, 00:00:17:8B:02:00:00:01.
NOTE: Create a remote engine ID with the snmp-server engineID command before you configure a remote user with the snmp-server user command. If you change the configured engine ID for a remote device, you must reconfigure the authentication and privacy passwords for all remote users associated with the remote engine ID.
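Why a changed engine ID forces the authentication and privacy passwords to be reconfigured, shown with the standard SNMPv3 password-to-key localization from RFC 3414, Appendix A.2. This is an added example, not Dell EMC code: it assumes OS10 localized keys follow RFC 3414, and the function names and the sample password (the RFC's own test vector) are illustrative.

```python
"""SNMPv3 key localization (RFC 3414, Appendix A.2) - added example."""
import hashlib

EXPANSION_LEN = 1_048_576          # RFC 3414 hashes exactly 1 MiB of repeated password
SUPPORTED = {"md5", "sha1"}        # the MD5 and SHA authentication protocols


def parse_engine_id(text: str) -> bytes:
    """Parse an engine ID given as colon-separated octets or 0x-prefixed hex.

    Both spellings appear in this guide: 80:00:02:b8:04:61:62:63 and 0xaaffcc.
    """
    cleaned = text.strip()
    if cleaned.lower().startswith("0x"):
        hex_digits = cleaned[2:]
    else:
        parts = cleaned.split(":")
        if any(len(p) == 0 or len(p) > 2 for p in parts):
            raise ValueError(f"malformed engine ID: {text!r}")
        hex_digits = "".join(p.zfill(2) for p in parts)
    if not hex_digits or len(hex_digits) % 2:
        raise ValueError(f"engine ID needs whole octets: {text!r}")
    return bytes.fromhex(hex_digits)   # raises ValueError on non-hex characters


def password_to_key(password: str, algo: str) -> bytes:
    """Derive the user key Ku: hash 1 MiB formed by repeating the password."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algo}")
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    stream = (pw * (EXPANSION_LEN // len(pw) + 1))[:EXPANSION_LEN]
    return hashlib.new(algo, stream).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Bind Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_text: str, algo: str = "sha1") -> bytes:
    """Full derivation from a password and a textual engine ID."""
    ku = password_to_key(password, algo)
    return localize(ku, parse_engine_id(engine_id_text), algo)


if __name__ == "__main__":
    password = "maplesyrup"                      # RFC 3414 test-vector password
    for engine in ("00:00:00:00:00:00:00:00:00:00:00:02",   # RFC test-vector engine ID
                   "80:00:02:b8:04:61:62:63"):              # engine ID from this guide
        print(engine, localized_key(password, engine, "sha1").hex())
    # The two keys differ, so a key localized for the old engine ID no longer
    # authenticates after the engine ID is changed.
```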
To configure a view of the MIB tree on the SNMP agent, use the snmp-server view command. To configure an SNMPv3 user's authentication and privacy settings, use the snmp-server user command. To display the configured SNMP groups, use the show snmp group command.
OS10(config)# snmp-server user n3user ngroup remote 172.31.1.
snmp-server host {ipv4–address | ipv6–address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp] Configure SNMP v1 or v2C traps OS10(config)# snmp-server host 10.11.73.
show snmp engineID Displays the SNMP engine ID on the switch or on remote devices that access the SNMP agent on the switch. Syntax show snmp engineID {local | remote} Parameters ● local — Display the local engine ID. ● remote — Display the SNMP engine ID of remote devices configured on the switch. Defaults None Command Mode EXEC Usage Information To configure the local engine ID or the engine ID for a remote device, use the snmp-server engineID command.
Command Mode EXEC
Usage Information To configure an SNMP user, use the snmp-server user command.
Example
OS10# show snmp user
User name               : privuser
Group                   : v3group
Version                 : 3
Authentication Protocol : MD5
Privacy Protocol        : AES
Supported Releases 10.4.2.0 or later
show snmp view Displays the SNMP views configured on the switch, including the SNMP object ID at which the view starts.
● You can only apply permit ACL rules to an SNMP community. deny ACL rules do not take effect if you apply them.
● To permit SNMP requests for multiple hosts, apply individual permit ACL rules for hosts or prefixes.
The no version of the command removes the configured community text string.
Example
OS10(config)# snmp-server community admin rw
OS10(config)# snmp-server community public ro acl snmp-read-only-acl
Supported Releases 10.2.
Table 6. Notification types and options (continued)
Notification type  Notification option
○ linkup — Enable link-up traps.
○ warmstart — Enable warmstart traps when the switch reloads and the SNMP agent reinitializes.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information If you do not enter a notification-type or notification-option parameter with the command, all traps are enabled. If you enter only a notification-type, all notification-option traps associated with the type are enabled.
The no version of this command resets the default engine ID values.
Example
OS10(config)# snmp-server engineID local 80:00:02:b8:04:61:62:63
OS10(config)# snmp-server engineID local 80:00:02:b8:04:61:62:63
% Warning: Localized passwords need to be regenerated for local user.
OS10(config)# snmp-server engineID remote 1.1.1.1 0xaaffcc
OS10(config)# snmp-server engineID remote 1.1.1.2 udp-port 432 0xabeecc
Supported Releases 10.4.2.
Supported Releases 10.4.2.0 or later
snmp-server host Configures a host to receive SNMP notifications.
Syntax snmp-server host {ipv4–address | ipv6–address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp]
Parameters
● ipv4–address | ipv6–address — Enter the IPv4 or IPv6 address of the SNMP host.
● informs — Send inform messages to the SNMP host.
Example — Send SNMP informs to host
OS10(config)# snmp-server host 1.1.1.1 informs version 2c public envmon snmp
Example — Send SNMP notifications to host
OS10(config)# snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp
Supported Releases 10.2.0E or later
snmp-server location Configures the location of the SNMP server.
Syntax snmp-server location text
Parameters text — Enter an alphanumeric string. A maximum of 55 characters.
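A defensive check over the snmp-server community, snmp-server host and ip telnet server enable commands documented in this chapter, added here as an example that is not part of the guide or of OS10. It flags read-write communities, communities with no ACL, SNMPv1/v2c notification hosts, SNMPv3 hosts at the noauth level, and an enabled Telnet server; the rule names and the constructed sample configuration are assumptions.

```python
"""Audit OS10 configuration lines for weak SNMP/Telnet settings - added example."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str      # hypothetical rule identifier, not an OS10 term
    detail: str


# Command shapes taken from the examples in this guide.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: acl (\S+))?$")
HOST_RE = re.compile(r"^snmp-server host (\S+) (.+)$")
VERSION_RE = re.compile(r"\bversion (\S+)(?: (\S+))?")

# Constructed sample input: every line uses syntax shown in this guide.
SAMPLE_CONFIG = """\
snmp-server community admin rw
snmp-server community public ro acl snmp-read-only-acl
snmp-server host 1.1.1.1 informs version 2c public envmon snmp
snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp
ip telnet server enable
"""


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per weak setting, in configuration order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())          # normalize indentation and spacing

        if line == "ip telnet server enable":
            findings.append(Finding(line_no, "telnet-enabled",
                                    "Telnet carries credentials unencrypted; use SSH"))
            continue

        community = COMMUNITY_RE.match(line)
        if community:
            name, access, acl = community.groups()
            if access == "rw":
                findings.append(Finding(line_no, "community-rw",
                                        f"community {name!r} grants write access"))
            if acl is None:
                findings.append(Finding(line_no, "community-no-acl",
                                        f"community {name!r} has no permit ACL"))
            continue

        host = HOST_RE.match(line)
        if host:
            address, rest = host.groups()
            version = VERSION_RE.search(rest)
            if version is None:
                continue
            number, level = version.groups()
            if number in ("1", "2c"):
                findings.append(Finding(line_no, "host-v1v2c",
                                        f"host {address} uses community-based v{number}"))
            elif number == "3" and level == "noauth":
                findings.append(Finding(line_no, "host-v3-noauth",
                                        f"host {address} uses SNMPv3 without authentication"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.rule}: {finding.detail}")
```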
○ aes — Encrypt messages using AES 128-bit algorithm. ○ des — Encrypt messages using DES 56-bit algorithm. ○ priv-password — Enter a text string used to generate the privacy key used in encrypted messages. A maximum of 32 alphanumeric characters. For an encrypted password, enter the encrypted string instead of plain text. ● localized — (SNMPv3 only) Generate an SNMPv3 authentication and/or privacy key in localized key format.
● oid-tree — Enter the SNMP object ID at which the view starts in 12-octet dotted-decimal format. ● included — (Optional) Include the MIB family in the view. ● excluded — (Optional) Exclude the MIB family from the view. Defaults Not configured Command Mode CONFIGURATION Usage Information The oid-tree value specifies the OID in the MIB tree hierarchy at which a view starts. Enter included or excluded to include or exclude the remaining part of the MIB sub-tree contents in the view.
version        : 3
security level : noauth
readview       : read_view
OS10(config)# do show snmp user
User name               : snuser
Group                   : sngroup
Version                 : 3
Authentication Protocol : SHA
OS10(config)# do show snmp view
view name : readview
OID       : 1.3.6.1.2.1.2.2
included  : True
view name : snview
OID       : .1
excluded  : True
System clock
OS10 uses the Network Time Protocol (NTP) to synchronize the system clock with a time-serving host. When you enable NTP, it overwrites the system time.
○ standard-timezone-name — Enter a standard time zone name that is supported in Linux. To view a list of supported standard time zone names, see the Time zones and UTC offset reference section. ○ timezone-string — Enter the name of the time zone. ○ hours — Enter the hour offset from UTC, ranging from -23 to 23. ○ minutes - Enter the minute offset from UTC, ranging from 0 to 59. Set time and date OS10# clock set 13:00:00 2018-08-30 View system time and date OS10# show clock 2018-08-30T13:01:01.
Table 7. Time zones and UTC offset (continued)
Continent/Country  City            UTC offset
US                 Alaska          −09:00
                   Aleutian        −10:00
                   Arizona         −07:00
                   Central         −06:00
                   Eastern         −05:00
                   East-Indiana    −05:00
                   Hawaii          −10:00
                   Indiana-Starke  −06:00
                   Michigan        −05:00
                   Mountain        −07:00
                   Pacific         −08:00
                   Pacific-New     −08:00
                   Samoa           −11:00
UTC                                +00:00
WET                                +00:00
W-SU                               +03:00
Zulu                               +00:00
System Clock commands
clock set Sets the system time.
clock timezone Configures the standard or user-defined time zone that OS10 applies on top of the system clock. Syntax clock timezone {standard-timezone standard-timezone-name | {timezone-string hours minutes}} Parameters ● standard-timezone-name — Enter the standard time zone name that is supported in Linux. To view a list of supported standard time zone names, see the Time zones and UTC offset reference section. ● timezone-string — Enter the name of the time zone.
Parameters None
Default Etc/UTC
Command Mode EXEC
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.5.0.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
Example
OS10# show clock timezone
Brazil/West (-04, -0400)
Supported Releases 10.5.0 or later
Network Time Protocol
Network Time Protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
Enable NTP NTP is disabled by default. To enable NTP, configure an NTP server where the system synchronizes. To configure multiple servers, enter the command multiple times. Multiple servers may impact CPU resources. ● Enter the IP address of the NTP server where the system synchronizes in CONFIGURATION mode.
Source IP address
Configure one interface IP address to include in all NTP packets. The source address of NTP packets is the interface IP address the system uses to reach the network by default.
● Configure a source IP address for NTP packets in CONFIGURATION mode.
ntp source interface
○ ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
○ port-channel channel-id—Enter the port-channel ID, from 1 to 128.
○ vlan vlan-id—Enter the VLAN ID number, from 1 to 4093.
The ntp master command enables the local switch to serve time to other client devices when the configured real-time sources are not reachable.
ntp master {2–10}
Configure NTP
OS10(config)# ntp authenticate
OS10(config)# ntp trusted-key 345
OS10(config)# ntp authentication-key 345 md5 0 5A60910FED211F02
OS10(config)# ntp server 1.1.1.
OS10(conf-if-eth1/1/5)# ip address 11.0.0.1/24
OS10(conf-if-eth1/1/5)# exit
OS10(config)#
b. Configure the NTP master IP address on the NTP server. (In the example, the NTP master, 11.0.0.2, is reachable only through VRF Red.)
OS10(config)# ntp server 11.0.0.2
OS10(config)# do show running-configuration ntp
ntp server 11.0.0.2
OS10(config)#
c. Configure NTP in the VRF Red instance.
b. Configure NTP as master.
OS10(config)# ntp master
OS10(config)# do show running-configuration ntp
ntp master 8
OS10(config)#
c. Configure NTP in the VRF Red instance.
OS10(config)# ntp enable vrf red
“% Warning: NTP server/client will be disabled in default VRF and enabled on a red VRF”
Do you wish to continue? (y/n): y
OS10(config)# do show running-configuration ntp
ntp master 8
ntp enable vrf red
OS10(config)#
4. Verify that the NTP client (10.0.0.2) is connected to the NTP server (10.0.0.
clock wander:      0.000
broadcast delay:   -50.000
symm. auth. delay: 0.000
OS10(config)#
NTP commands
ntp authenticate Enables authentication of NTP traffic between the device and the NTP time serving hosts.
Syntax ntp authenticate
Parameters None
Default Not configured
Command Mode CONFIGURATION
Usage Information Configure an authentication key for NTP traffic using the ntp authentication-key command. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
ntp broadcast client
Configures all active interfaces to receive NTP broadcasts from an NTP server.
Syntax ntp broadcast client
Parameters None
Default Not configured
Command Mode GLOBAL CONFIGURATION
Usage Information The no version of this command disables NTP broadcasts.
Example OS10(config)# ntp broadcast client
Supported Releases 10.2.0E or later
ntp disable
By default, NTP is enabled on all interfaces. Disable NTP to prevent an interface from receiving NTP packets.
ntp master
Configures an NTP Master Server.
Syntax ntp master stratum
Parameters stratum—Enter the stratum number to identify the NTP server hierarchy, from 2 to 10.
Default 8
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command resets the value to the default.
● mgmt node/slot/port—Enter the Management port interface information.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the configuration.
Example OS10(config)# ntp source ethernet 1/1/24
Supported Releases 10.2.0E or later
ntp trusted-key
Sets a key to authenticate the system to which NTP synchronizes.
Syntax ntp trusted-key number
Parameters number—Enter the trusted key ID, from 1 to 4294967295.
● st—Peer stratum, the number of hops away from the external time source. 16 means that the NTP peer cannot reach the time source. ● when—Last time the device received an NTP packet. ● poll—Polling interval in seconds. ● reach—Reachability to the peer in octal bitstream. ● delay—Time interval or delay for a packet to complete a round-trip to the NTP time source in milliseconds. ● offset—Relative time of the NTP peer clock to the network device clock in milliseconds. ● disp—Dispersion.
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
OS10# show ntp status vrf management
system peer: 1.1.1.2
system peer mode: client
leap indicator: 00
stratum: 4
precision: -23
root distance: 0.00027 s
root dispersion: 0.94948 s
reference ID: [1.1.1.2]
reference time: ddc78084.f17ea38b Tue, Nov 28 2017 6:28:20.
system flags: ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
OS10#
End-to-end Calculates the residence time of the PTP event message and updates the correction field (CF) of the transparent clock event message before forwarding the message. The ports are not in any specific state. Best master clock algorithm PTP uses the best master clock algorithm (BMCA) to compare clocks in a network. BMCA determines the status of ports in the network: ● Master—A clock that provides time to other clocks in the network. ● Slave—A clock that receives time from other clocks in the network.
○ Sync—Master sends a Sync message to distribute the time of the day.
○ Delay_Req—Slave sends a Delay_Req message to the master for end-to-end delay measurement, the request-response delay mechanism.
○ Pdelay_Req—Link node A sends a Pdelay_Req message to measure peer-to-peer delay.
○ Pdelay_Resp—Link node B sends a Pdelay_Resp message to measure peer-to-peer delay.
● General messages: Do not require accurate timestamps.
Supported profiles OS10 supports the following PTP profiles: ● System default profile ● G.8275.1 profile Supported transport methods OS10 supports the following PTP transport methods: ● Layer2 (Ethernet) ● IPv4 (Unicast and multicast) ● IPv6 (Unicast and multicast) For the multicast transport method, as defined in the IEEE 1588 standard, PTP uses 224.0.1.129 as the multicast destination IPv4 address. PTP uses FF0X:0:0:0:0:0:0:181 as the multicast destination IPv6 address.
NOTE: ○ Dell EMC recommends enabling PTP on the VLT port-channel member interfaces and not on the VLT port-channel interface. ○ Tagged PTP messages using the ptp vlan command are not supported on VLT port-channel member interfaces. ○ The unicast transport method is not supported on the VLT port-channel member interfaces. ● System time settings: When you enable PTP as the system time source, PTP sets the system time.
Global configurations You can configure the following settings globally. Configure the PTP clock Configure the PTP clock type on the switch and optionally specify a profile for the clock. OS10 supports the following clock types: boundary and end-to-end transparent. OS10 supports the system default profile and ITU G.8275.1 profile. The profile defines the set of parameters, allowed values of parameters, and default value of parameters.
NOTE: The PTP role is set to dynamic by default. If the role is set to dynamic, PTP uses the BMCA to select the master or slave role. Configure the PTP delay mechanism While measuring the time delay between the master and slave nodes, PTP takes into account the communication delay. This delay is measured using a delay request message from the slave and a delay response message from the master.
Configure the PTP announce message interval
You can configure the time interval in units of log2 seconds between two successive announce messages.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ptp announce interval 1
Configure the PTP synchronization message interval
You can configure the time interval in units of log2 seconds between two successive synchronization messages.
Mean Path Delay(ns) : 68
Offset From Master(ns) : 6
Number of Ports : 2
View the PTP local parent and grandmaster clock
OS10# show ptp parent
Parent Clock Idenitity : 00:16:00:ff:fe:00:02:00
Parent Port Number : 1
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
View time scale information
OS10# show ptp time-properties
Current UTC Offset Valid : Fal
Delay request messages transmitted Delay request messages received Delay response messages transmitted Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Signaling messages received Interface : Ethernet1/1/23 Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow
Example: Configure boundary clock with IPv4 multicast transport method You must connect the grandmaster clock to one of the interfaces. In this example, interface 1 is connected to the grandmaster clock. Configure a boundary clock with two PTP interfaces using IPv4 multicast transport. The interface that is connected to the grandmaster clock or the best master clock becomes the slave device. The other interface becomes the master device.
OS10(conf-ethernet1/1/1-ptp-ipv4-slave)# master 10.10.10.2 OS10(conf-ethernet1/1/1-ptp-ipv4-slave)# exit OS10(conf-if-eth1/1/1)# ptp enable 3. Enable PTP on interface 2 with IPv4 unicast transport mode. For both L2 and L3 interfaces, the configured source IP address is used as the source IP address for unicast transport from the master device to the slave device. OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/1)# ip address 30.30.30.
Example: Configure boundary clock with IPv4 unicast transport method and L3 VLAN
Ensure that the interface connected to the grandmaster clock is configured as a slave device with a list of master clock IP addresses. Configure the other interface as a master clock with a list of slave device IP addresses. Both interfaces are reachable only through the L3 VLAN. In this example:
● Interface 1 that is part of VLAN 100 is connected to the grandmaster clock.
● The unicast IP traffic flows through PTP-enabled interface, interface 2. The system applies hardware time stamps on PTP packets. OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# ip address 20.20.20.1/24 OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# switchport access vlan 200 OS10(conf-if-eth1/1/2)# ptp transport ipv4 unicast master OS10(conf-ethernet1/1/2-ptp-ipv4-master)# source 20.20.20.1 OS10(conf-ethernet1/1/2-ptp-ipv4-master)# slave 20.20.20.
CR1 switch
1. Configure PTP globally.
CR1(config)# ptp clock boundary
CR1(config)# ptp local-priority 127
CR1(config)# ptp source ipv4 10.0.0.5
CR1(config)# ptp source ipv6 10:0:0::6
CR1(config)# ptp system-time enable
2. Configure PTP on the interfaces.
CR1(conf-if-eth1/1/3:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/9:1 CR1(conf-if-eth1/1/9:1)# ptp enable CR1(conf-if-eth1/1/9:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/16:1 CR1(conf-if-eth1/1/16:1)# ptp enable CR1(conf-if-eth1/1/16:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/17:1 CR1(conf-if-eth1/1/17:1)# ptp enable CR1(conf-if-eth1/1/17:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/25:1 CR1(conf-if-eth1/1/25
CR2(conf-ethernet1/1/28:2-ptp-ipv4-slave)# master 2001:200:1:1::99
CR2(conf-ethernet1/1/28:2-ptp-ipv4-slave)# source 2001:200:1:1::5
AG1 switch
1. Configure PTP globally.
AG1(config)# ptp clock boundary
AG1(config)# ptp source ipv4 10.0.0.1
AG1(config)# ptp source ipv6 10:0:0::1
AG1(config)# ptp system-time enable
2. Configure PTP on the interfaces.
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2024
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2025
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2026
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2027
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# source 2001:101:2::1
AG1(config)# interface ethernet 1/1/17:1
AG1(conf-if-eth1/1/17:1)# ptp enable
AG1(conf-if-eth1/1/17:1)# ptp transport ipv4 multicast
AG1(config)# interface ethernet 1/1/19:4
AG1(conf
AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-maste
TR1(conf-if-eth1/1/39)# ptp transport ipv4 multicast
TR1(config)# interface ethernet 1/1/46
TR1(conf-if-eth1/1/46)# ptp enable
TR1(conf-if-eth1/1/46)# ptp transport ipv4 multicast
AG3 switch
1. Configure PTP globally.
AG3(config)# ptp clock boundary
AG3(config)# ptp source ipv4 10.0.0.3
AG3(config)# ptp source ipv6 10:0:0::3
AG3(config)# ptp system-time enable
2. Configure PTP on the interfaces.
TR2(conf-if-eth1/1/1:1)# ptp transport ipv4 multicast TR2(config)# interface ethernet 1/1/25:1 TR2(conf-if-eth1/1/25:1)# ptp enable TR2(conf-if-eth1/1/25:1)# ptp transport ipv4 multicast PTP commands clear ptp counters Resets the statistics of the PTP packets that are received at or transmitted from an interface. Syntax clear ptp counters [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
Example OS10# debug ptp servo level 2
Supported Releases 10.5.1.0 or later
master
Configures master clocks for the PTP slave devices.
Syntax master ip-address
Parameters ip-address—Specifies the IP addresses of the master clock devices.
Defaults None for IP address; unicast negotiation disabled
Command Mode INTERFACE CONFIGURATION - SLAVE submode
Security and Access Netadmin and sysadmin
Usage Information You can configure a maximum of eight master clock devices.
Supported Releases 10.5.1.0 or later ptp clock Configures the PTP clock type on the switch and specifies the profile for the clock. Syntax ptp clock {boundary | end-to-end-transparent} [profile {g8275.1 | systemdefault}] Parameters ● ● ● ● Defaults System default profile, when PTP clock is configured. Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information Enables the PTP clock and configures the clock type and profile on the switch.
ptp delay-req-min-interval Configures the minimum interval between delay request messages. Syntax ptp delay-req-min-interval log2-seconds Parameters log2-seconds—Configures the logarithmic time interval in seconds between successive delay request messages. For the system default profile, enter a value from -7 to 5 (1/128 s to 32 s). For the ITU G.8275.1 profile, enter a value from -7 to 4 (1/128 s to 16 s).
Command Mode INTERFACE CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The PTP protocol operates only on interfaces with a network address. Ensure that you have configured the PTP transport method for the interface using the ptp transport command. You can enable PTP on either the port channel interface or the port channel member interfaces, but not both. The no form of this command removes the configuration.
Supported Releases 10.5.1.0 or later ptp priority2 Configures the priority2 attribute for advertising PTP clock. Syntax ptp priority2 priority-number Parameters priority-number—Priority2 has the fifth precedence among the six attributes that are used in the selection of the master clock. Enter a value from 0 to 255. Defaults 128 Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The lower the value of this attribute, the higher is the priority.
Defaults None Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information Supports both IPv4 and IPv6 addresses. The version of the source IP address (IPv4 or IPv6) depends on the transport mode that you configured using the ptp transport command. The IPv4 or IPv6 address that you specify must correspond to a configured L3 interface (physical, Loopback, VLAN, or port channel) and the interface must be operationally up. The no form of this command removes the configuration.
Example OS10(config)# ptp system-time enable
Supported Releases 10.5.1.0 or later
ptp transport
Configures the PTP transport method for an interface.
Syntax ptp transport {ipv4 {multicast | unicast {master [negotiation-enable] | slave [negotiation-enable]}} | ipv6 {multicast | unicast {master [negotiation-enable] | slave [negotiation-enable]}} | layer2 [address {forwardable | non-forwardable}]}
Parameters ● ipv4 multicast—Enables IPv4 multicast as the transport method.
The no form of this command removes the configuration.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ptp transport ipv4 unicast master
Supported Releases 10.5.1.0 or later
ptp vlan
Configures a VLAN for the PTP-enabled interface.
Syntax ptp vlan vlan-id
Parameters vlan-id—Specifies VLAN for the PTP interface.
Defaults None
Command Mode INTERFACE CONFIGURATION
Security and Access Netadmin and sysadmin
Usage Information You can configure only one PTP VLAN per interface.
Steps Removed : 1
Mean Path Delay(ns) : 72
Offset From Master(ns) : -14
Number of Ports : 2
----------------------------------------------------------------------------
Interface State Port Identity
----------------------------------------------------------------------------
Ethernet1/1/22 Slave 68:4f:64:ff:ff:01:db:ec:1
Ethernet1/1/23 Master 68:4f:64:ff:ff:01:db:ec:2
----------------------------------------------------------------------------
Number of slave ports :1
Number of master ports :1
Example - End-to-end
show ptp counters Displays the count of the PTP packets received at or transmitted from an interface. Syntax show ptp counters [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port—Enter the Ethernet interface information. ● port-channel port-channel-id—Enter the port channel interface number.
show ptp foreign-masters
Displays PTP information about foreign masters.
Syntax show ptp foreign-masters [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}]
Parameters
● ethernet node/slot/port—Enter the Ethernet interface information.
● port-channel port-channel-id—Enter the port channel interface number.
Defaults None
Command Mode EXEC
Security and Access Netadmin and sysadmin
Usage Information The maximum number of foreign master data set entries is 10.
Port Identity : 68:4f:64:ff:ff:01:db:ec:2
Port State : Master
Vlan :
Transport : Ipv4-multicast
Log Delay Request Minimum interval : -4
Log Announce Interval : 1
Announce Receipt Timeout Multiplier : 3
Log Sync Interval : -4
Delay Mechanism : End-to-end
Supported Releases 10.5.1.0 or later
show ptp parent
Displays information about the local PTP parent and grandmaster clock.
Example Supported Releases OS10# show ptp peer Interface : Ethernet1/1/22 Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow up messages transmitted Follow up messages received Delay request messages transmitted Delay request messages received Delay response messages transmitted Delay response messages received Management messages
Supported Releases 10.5.1.0 or later show ptp time-properties Displays information about the time scale. Syntax show ptp time-properties Parameters None Defaults None Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information This command is not applicable for transparent clocks.
source Configures the source IP address for unicast transport from master to slave and slave to master. Syntax source ip-address Parameters ip-address—Specifies the source IP address for the PTP packets. Defaults None Command Mode ● INTERFACE CONFIGURATION - MASTER submode ● INTERFACE CONFIGURATION - SLAVE submode Security and Access Netadmin and sysadmin Usage Information This command is applicable for unicast transport mode. This configuration is required for an L2 interface.
● DHCP automatic address allocation-before you configure a DHCP address pool, you must configure a DHCP server interface with an IP address in the range that is used in the DHCP address pool. If you configure the DHCP address pool first, and then configure a DHCP server interface, to enable automatic DHCP address allocation, you must restart the DHCP service using the disable and no disable commands.
OS10(config-dhcp)# no disable OS10(config-dhcp)# Packet format and options The DHCP server listens on port 67 and transmits to port 68. The DHCP client listens on port 68 and transmits to port 67. In the DHCP packet format, configuration parameters are options in the DHCP packet in type, length, value (TLV) format. To limit the number of parameters that servers provide, hosts enter the parameters that they require and the server sends only those parameters.
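The TLV layout described above can be walked with a short parser. The following Python is an added example, not part of the Dell EMC guide: the magic cookie and option numbers 53 (message type) and 55 (parameter request list) come from RFC 2131/2132, and the sample bytes are constructed.

```python
"""Added example: walk the TLV-encoded options field of a DHCP packet."""

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2131: marks the start of the options field
PAD, END = 0, 255                        # one-byte options that carry no length or value
MSG_TYPE, PARAM_REQUEST_LIST = 53, 55    # RFC 2132 option codes
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


class MalformedOptions(ValueError):
    """Raised when the options field cannot be walked safely."""


def parse_options(data: bytes) -> dict:
    """Return {option code: value bytes} for an options field that starts at the cookie."""
    if data[:4] != MAGIC_COOKIE:
        raise MalformedOptions("missing magic cookie")
    options = {}
    pos = 4
    while pos < len(data):
        code = data[pos]
        pos += 1
        if code == PAD:          # padding: type byte only
            continue
        if code == END:          # option 255 closes the list
            return options
        if pos >= len(data):
            raise MalformedOptions(f"option {code}: length byte missing")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            # Never trust the length byte: reading past the buffer is the classic TLV bug.
            raise MalformedOptions(f"option {code}: value runs past end of packet")
        # A repeated option code is concatenated (RFC 3396 long-option handling).
        options[code] = options.get(code, b"") + data[pos:pos + length]
        pos += length
    raise MalformedOptions("End option (255) not found")


def summarize(data: bytes) -> dict:
    """Extract the message type and the parameters the client asks the server for."""
    options = parse_options(data)
    raw_type = options.get(MSG_TYPE, b"")
    if len(raw_type) != 1:
        raise MalformedOptions("option 53 must be exactly one byte")
    return {
        "message_type": MESSAGE_TYPES.get(raw_type[0], f"unknown({raw_type[0]})"),
        "requested": list(options.get(PARAM_REQUEST_LIST, b"")),
    }


# Constructed sample: a DISCOVER asking for subnet mask (1), router (3),
# DNS server (6) and domain name (15), followed by two pad bytes and End.
SAMPLE = MAGIC_COOKIE + bytes([53, 1, 1,
                               55, 4, 1, 3, 6, 15,
                               0, 0,
                               255])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
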
DHCP Option Description User port stacking 230 — Stacking option variable that provides the DHCP server stack-port details when the DHCP offer is set End 255 — Signal of the last option in the DHCP packet DHCP server The Dynamic Host Configuration Protocol (DHCP) server provides network configuration parameters to DHCP clients on request.
DHCP server automatic address allocation OS10(config)# ip dhcp server OS10(config-dhcp)# pool Dell OS10(config-dhcp-Dell)# default-router 20.1.1.1 OS10(config-dhcp-Dell)# network 20.1.1.0/24 OS10(config-dhcp-Dell)# range 20.1.1.2 20.1.1.8 Show running configuration OS10(conf-dhcp-Dell)# do show running-configuration ... ! ip dhcp server ! pool Dell network 20.1.1.0/24 default-router 20.1.1.1 range 20.1.1.2 20.1.1.
Hostname resolution You have two choices for hostname resolution — domain name server (DNS) or NetBIOS Windows internet naming service (WINS). Both DHCP and WINS clients query IP servers to compare hostnames to IP addresses. 1. Enable DHCP server-assigned dynamic addresses on an interface in CONFIGURATION mode. ip dhcp server 2. Create an IP address pool and enter the name in DHCP mode. pool name 3. Create a domain and enter the domain name in DHCP mode. domain-name name 4.
Consider manual bindings as single-host address pools. There is no limit to the number of manual bindings, but you can only configure one manual binding per host. Manual binding entries do not display in the show ip dhcp binding output. 1. Create an address pool in DHCP mode. pool name 2. Enter the client IP address in DHCP mode. host address 3. Enter the client hardware address in DHCP mode.
View DHCP Information
Use the show ip dhcp binding command to view the DHCP binding table entries.
OS10# show ip dhcp binding
IP Address Hardware address Lease expiration Hostname
+--------------------------------------------------------------------------
11.1.1.254 00:00:12:12:12:12 Jan 27 2016 06:23:45
Total Number of Entries in the Table = 1
DHCP relay agent
A DHCP relay agent relays DHCP messages to and from a remote DHCP server, even if the client and server are on different IP networks.
When a switch receives DHCP renew, release, or decline messages from a client, it checks the DHCP snooping binding table for a match. If the information in the DHCP message matches the table, the switch forwards the message to the DHCP server. If the information does not match, the switch interprets the client as an unauthorized client and drops the packet.
DHCP snooping with DHCP relay
In the following topology, the DHCP snooping switch is the DHCP relay agent for DHCP clients on VLAN 100. The DHCP server is reachable on VLAN 200 through eth 1/1/2. The switch forwards the client DHCP messages to the trusted DHCP server. The switch processes DHCP packets from the DHCP server before forwarding them to DHCP clients. Because the rogue server is connected to the switch through the eth 1/1/3 interface, which is untrusted, the switch drops DHCP packets from that interface.
DHCP snooping in a VLT environment OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize DHCP snooping binding information between them. The system interprets the VLTi link between VLT peers as trusted interfaces. To configure DHCP snooping in a VLT environment: ● Enable DHCP snooping on both VLT peers. ● Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.
Enable and configure DHCP snooping globally 1. Enable DHCP snooping globally in CONFIGURATION mode. ip dhcp snooping 2. Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode. ip dhcp snooping trust Add static DHCP snooping entry in the binding table ● Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.
● Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode.
no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/port/sub-port | port-channel port-channel-id]
Example for removing static DHCP snooping entry in the binding table
OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.
DHCP server
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.
DHCP snooping switch as a relay agent This example uses a simple topology with a DHCP snooping switch configured as a DHCP relay agent. A DHCP server and a DHCP client are connected to the snooping switch through different VLANs. A rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.
DHCP server OS10# configure terminal OS10(config)# ip dhcp server OS10(config-dhcp)# no disable OS10(config-dhcp)# pool dell_1 OS10(config-dhcp-dell_1)# network 10.1.1.0/24 OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.250 OS10(config-dhcp-dell_1)# exit OS10(config-dhcp)# pool dell_2 OS10(config-dhcp-dell_2)# network 10.2.1.
● Enable DHCP snooping globally. OS10(config)# ip dhcp snooping VLAN configuration ● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address.
● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address. OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54 3.
The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages. The interface column displays the local VLT port channel number. OS10# show ip dhcp snooping binding Number of entries : 1 Codes : S - Static D - Dynamic IPv4 Address MAC Address Expires(Sec) Type Interface VLAN ======================================================================================= 10.1.1.
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server. OS10# configure terminal OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# no shutdown OS10(conf-if-vl-200)# ip address 10.2.1.1/24 OS10(conf-if-vl-200)# exit ● Configure SW 1 as the DHCP relay agent for the clients in the VM. The IP address that you specify here is the IP address of the DHCP server OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip helper-address 10.2.1.
● Enable DHCP snooping globally.
OS10(config)# ip dhcp snooping
VLAN configuration
● Create a VLAN and assign an IP address to it which acts as the gateway for the VMs.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.2/24
OS10(conf-if-vl-100)# exit
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10(config)# interface ethernet 1/1/1,1/1/6
OS10(conf-if-eth1/1/1,1/1/6)# no shutdown
OS10(conf-if-eth1/1/1,1/1/6)# channel-group 20
(Optional) Peer routing configuration
● Configure peer routing.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# peer-routing
DHCP server VLAN configuration
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# ip address 10.2.1.
You can configure the system to log DAI validation failures corresponding to ARP packets. When this logging is enabled, DAI violations are logged at the console. DAI violation logging is disabled by default. If you configure an interface as trusted, the switch interprets ARP packets that ingress the interface from hosts as legitimate packets. By default, all interfaces are in DAI untrusted state. For DAI to work, enable the DHCP snooping feature on the switch. DAI is disabled by default.
10.2.1.1 00:40:50:00:00:00 port-channel100 vlan3001
10.1.1.13 00:2a:10:01:00:00 port-channel100 vlan3001
10.1.1.62 00:2a:10:01:00:01 port-channel100 vlan3001
View DAI statistics
You can view valid and invalid ARP requests that the switch has received and replies that the switch has sent.
This feature filters IP traffic, based on both source IP and source MAC addresses and permits traffic only from clients found in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:
● Source MAC address
● Source IP address
● The VLAN to which the client is connected
● The interface (physical or port channel) to which the client is connected
If there is a match, the switch forwards the packet.
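The binding-table checks described in this section (trusted and untrusted interfaces, validation of renew, release, and decline messages, and source address validation) can be seen together in a small model. This Python is an added example and a simplification, not OS10 code: the class and method names are hypothetical, "RENEW" is shorthand for a renewing request, removing a binding on release or decline is an assumption of the model, and all addresses except the MAC and interface names taken from the examples above are constructed.

```python
"""Added example: simplified model of DHCP snooping binding-table checks."""
from dataclasses import dataclass, field

FORWARD, DROP = "forward", "drop"
VALIDATED = {"RENEW", "RELEASE", "DECLINE"}  # client messages checked against the table


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class SnoopingSwitch:
    trusted: set                                 # interfaces facing legitimate DHCP servers
    table: dict = field(default_factory=dict)    # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)  # (mac, vlan) -> client ingress interface
    log: list = field(default_factory=list)

    def _matches(self, mac, ip, vlan, interface):
        # All four attributes must agree with the stored binding.
        return self.table.get((mac, vlan)) == Binding(mac, ip, vlan, interface)

    def from_client(self, kind, mac, ip, vlan, interface):
        if kind in VALIDATED:
            if not self._matches(mac, ip, vlan, interface):
                self.log.append(f"drop {kind} {mac} on {interface}: no matching binding")
                return DROP
            if kind in ("RELEASE", "DECLINE"):
                del self.table[(mac, vlan)]      # model assumption: lease is gone
            return FORWARD
        self.pending[(mac, vlan)] = interface    # remember where the client lives
        return FORWARD

    def from_server(self, kind, mac, ip, vlan, interface):
        if interface not in self.trusted:
            self.log.append(f"drop {kind} on {interface}: untrusted interface")
            return DROP
        if kind == "ACK" and (mac, vlan) in self.pending:
            port = self.pending.pop((mac, vlan))
            self.table[(mac, vlan)] = Binding(mac, ip, vlan, port)
        return FORWARD

    def sav_permits(self, mac, ip, vlan, interface):
        """Source address validation: forward only traffic that matches a binding."""
        return self._matches(mac, ip, vlan, interface)


def run_scenario():
    """Constructed scenario: one client, one trusted server port, one untrusted port."""
    sw = SnoopingSwitch(trusted={"ethernet1/1/2"})
    mac, vlan, port = "00:04:96:70:8a:12", 100, "ethernet1/1/1"
    results = [
        sw.from_client("DISCOVER", mac, None, vlan, port),
        sw.from_server("OFFER", mac, "10.1.1.66", vlan, "ethernet1/1/3"),  # untrusted port
        sw.from_server("ACK", mac, "10.1.1.2", vlan, "ethernet1/1/2"),     # binding learned
        sw.sav_permits(mac, "10.1.1.2", vlan, port),
        sw.sav_permits(mac, "10.1.1.99", vlan, port),                      # IP not in table
        sw.from_client("RELEASE", mac, "10.1.1.2", vlan, "ethernet1/1/4"), # wrong interface
        sw.from_client("RELEASE", mac, "10.1.1.2", vlan, port),
        sw.sav_permits(mac, "10.1.1.2", vlan, port),                       # binding removed
    ]
    return results, sw.log


if __name__ == "__main__":
    outcome, log = run_scenario()
    print(outcome)
    print("\n".join(log))
```
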
You can configure a domain name and list corresponding to a non-default VRF instance. 1. Enter a domain name corresponding to a non-default VRF instance in the CONFIGURATION mode. ip domain-name vrf vrf-name server-name 2. Add names to complete unqualified hostnames corresponding to a non-default VRF instance.
Usage Information Example (IPv4) Supported Releases The DHCP server is supported only on L3 interfaces. After you configure an IP helper address, the address forwards UDP broadcasts to the DHCP server. You can configure multiple helper addresses on an interface by repeating the same command for each DHCP server address. The no version of this command returns the value to the default. The client-facing and server-facing interfaces must be in the same VRF.
Table 10. Option 82 status (continued) Example Supported Releases Enable Disable Does not add option 82 information to the packet. Disable Enable Does not add option 82 information to the packet. Disable Disable Does not add option 82 information to the packet. OS10(config)# ip dhcp relay information-option trust-downstream 10.2.0E or later show vlt mismatch Displays mismatches in a VLT domain configuration.
VLT ID : 1 VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 VLT ID : 2 VLT Unit ID Mismatch VLAN List ----------------------------------* 1 1 2 2 Example (mismatch peer routing) Example (mismatch VLAN) Example (mismatch VLT VLAN) Example (mismatch — Virtual Network (VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) OS10# show vlt 1 mismatch peer-routing Peer-routing mismatch: VLT Unit
1 * 2 (vlt-port-channel10,vlan99) Virtual Network: 103 VLT Unit ID Mismatch (VLT Port,Vlan) List --------------------------------------------1 (vlt-port-channel10,vlan103) * 2 (vlt-port-channel10,vlan104) Example (mismatch of untagged interfaces) Example (Anycast MAC address) Example (Anycast MAC address not available on one of the peers) Example (Virtual network interface anycast IP address) OS10# show vlt all mismatch virtual-network Virtual Network: 104 VLT Unit ID Mismatch Untagged VLT Port-channe
1 * 2 Example (Virtual network mismatch and Anycast IP addresses mismatch) ABSENT 10.16.128.30 Interface virtual-network Anycast-IP mismatch: Virtual-network: 10 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.25 * 2 10.16.128.20 Virtual-network: 20 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.26 * 2 ABSENT Virtual-network: 30 VLT Unit ID Anycast-IP ------------------------------------1 ABSENT * 2 10.16.128.
DHCP server commands
default-router address
Assigns a default gateway to clients based on the IP address pool.
Syntax default-router address [address2...address8]
Parameters
● address — Enter an IPv4 or IPv6 address to use as the default gateway for clients on the subnet in A.B.C.D or A::B format.
● address2...address8 — (Optional) Enter up to eight IP addresses, in order of preference.
dns-server address Assigns a DNS server to clients based on the address pool. Syntax dns-server address [address2...address8] Parameters ● address — Enter the DNS server IP address that services clients on the subnet in A.B.C.D or A::B format. ● address2...address8 — (Optional) Enter up to eight DNS server addresses, in order of preference. Default Not configured Command Mode DHCP-POOL Usage Information None Example Supported Releases OS10(conf-dhcp-Dell)# dns-server 192.168.1.1 10.2.
ip dhcp server Enters DHCP configuration mode. Syntax ip dhcp server Parameters None Default Not configured Command Mode CONFIGURATION Usage Information Use the ip dhcp server command to enter the DHCP mode required to enable DHCP server-assigned dynamic addresses on an interface. Example Supported Releases OS10(config)# ip dhcp server OS10(conf-dhcp)# 10.2.0E or later lease Configures a lease time for the IP addresses in a pool.
Example OS10(conf-dhcp-Dell)# netbios-name-server 192.168.10.5
Supported Releases 10.2.0E or later

netbios-node-type
Configures the NetBIOS node type for the DHCP client.
Syntax netbios-node-type type
Parameters type — Enter the NetBIOS node type:
● Broadcast — Enter b-node.
● Hybrid — Enter h-node.
● Mixed — Enter m-node.
● Peer-to-peer — Enter p-node.
Default Hybrid
Command Mode DHCP-POOL
Usage Information The no version of this command resets the value to the default.
Usage Information Use the pool command to name the pool of available IP addresses used by a DHCP server to assign an IP address to a client and enter DHCP POOL mode. In this mode, use the network command to configure the IPv4 or IPv6 subnet from which the DHCP server assigns addresses.
Example
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)#
Supported Releases 10.2.0E or later

range
Configures a range of IP addresses.
DHCP snooping commands

arp inspection
Enables Dynamic ARP Inspection (DAI) on a VLAN.
Syntax arp inspection
Parameters None
Defaults Disabled
Command Mode INTERFACE VLAN
Usage Information Dell EMC Networking recommends enabling DAI before enabling DHCP snooping.
Example OS10(conf-if-vl-230)# arp inspection
Supported Releases 10.5.0 or later

arp inspection-trust
Configures a port as trusted so that ARP frames are not validated against the DAI database.
clear ip arp inspection statistics
Clear the Dynamic ARP Inspection statistics.
Syntax clear ip arp inspection statistics [vlan vlan-id]
Parameters
● vlan vlan-id — Enter the VLAN ID. The range is from 1 to 4093.
Defaults None
Command Mode EXEC
Usage Information This command is accessible to users with sysadmin and secadmin roles.
Example (Global) OS10# clear ip dhcp snooping binding
Supported Release 10.5.
Command Mode CONFIGURATION Usage Information When you enable this feature, the switch begins to monitor all transactions between DHCP servers and DHCP clients and use the information to build the DHCP snooping binding table. If you disable DHCP snooping, the system removes the DHCP snooping binding table. Source Address Validation and Dynamic ARP Inspection entries are also removed. This command is accessible to users with sysadmin and secadmin roles.
Before creating a static entry for a VLAN, create the VLAN. If you do not create a VLAN before creating a static entry, the system displays an error message. Before deleting a port-channel or VLAN, remove any associated DHCP snooping entries. This command is accessible to users with sysadmin and secadmin roles. The no version of this command deletes the static entry from the DHCP snooping binding table.
show ip arp inspection database
Displays the contents of the DAI database.
Syntax show ip arp inspection database
Parameters None
Defaults None
Command Mode EXEC
Usage Information This command displays the list of snooped hosts from which ARP packets were processed.
Example
OS10# show ip arp inspection database
Number of entries : 3
Address    Hardware Address    Interface    VLAN
------------------------------------------------------------------------
55.2.1.
Invalid ARP packets in current interval : 0
Address     Hw-Address          Port            VLAN  First-detected-time  Packetcount
------------------------------------------------------------------------------
10.1.1.1    12:d3:43:a1:2e:23   ethernet1/1/1   10    00:23:14             2
Supported Releases 10.5.0 or later

show ip dhcp snooping binding
Displays the contents of the DHCP snooping binding table.
Syntax show ip dhcp snooping binding [vlan vlan-id]
Parameters
● vlan vlan-id — Enter the VLAN ID. The range is from 1 to 4093.
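The invalid-ARP table in the Dynamic ARP Inspection output above can be triaged mechanically. The following Python is an added example, not part of the Dell guide: it assumes whitespace-separated columns in the order the page shows, uses constructed sample rows (only the 10.1.1.1 row comes from the page), and its function names and threshold are this example's own.

```python
"""Summarise invalid-ARP rows from Dynamic ARP Inspection output (added example)."""
import re
from collections import defaultdict

# Constructed sample. Only the 10.1.1.1 row appears on the page; the other
# rows are made up for illustration and follow the same column order.
SAMPLE_OUTPUT = """\
Invalid ARP packets in current interval : 0
Address      Hw-Address         Port            VLAN  First-detected-time  Packetcount
---------------------------------------------------------------------------------------
10.1.1.1     12:d3:43:a1:2e:23  ethernet1/1/1   10    00:23:14             2
10.1.1.9     12:d3:43:a1:2e:23  ethernet1/1/1   10    00:23:40             4
10.1.2.5     00:0c:29:66:6b:94  ethernet1/1/7   20    00:25:02             1
"""

# One data row: IPv4, MAC, port, VLAN, hh:mm:ss, packet count.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+"
    r"(?P<port>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<first>\d{2}:\d{2}:\d{2})\s+(?P<count>\d+)$"
)


def parse_invalid_arp(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        row["mac"] = row["mac"].lower()
        row["vlan"] = int(row["vlan"])
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def summarise(rows, packet_threshold=5):
    """Group rows for triage.

    per_port      -> invalid packet total per (port, VLAN)
    noisy_ports   -> (port, VLAN) pairs at or above packet_threshold
    multi_ip_macs -> MACs seen with more than one sender IP in a VLAN,
                     which points at spoofing or a misconfigured host
    """
    per_port = defaultdict(int)
    ips_per_mac = defaultdict(set)
    for row in rows:
        per_port[(row["port"], row["vlan"])] += row["count"]
        ips_per_mac[(row["mac"], row["vlan"])].add(row["ip"])
    return {
        "per_port": dict(per_port),
        "noisy_ports": sorted(k for k, n in per_port.items() if n >= packet_threshold),
        "multi_ip_macs": {k: sorted(v) for k, v in ips_per_mac.items() if len(v) > 1},
    }


if __name__ == "__main__":
    report = summarise(parse_invalid_arp(SAMPLE_OUTPUT))
    for (port, vlan), total in sorted(report["per_port"].items()):
        print(f"{port} vlan {vlan}: {total} invalid ARP packets")
    for (mac, vlan), ips in report["multi_ip_macs"].items():
        print(f"{mac} in vlan {vlan} used sender IPs {', '.join(ips)}")
```

Ports reported here are candidates for a check against the DHCP snooping binding table before any port is marked trusted.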
Example OS10(config)# ip domain-list jay dell.com
Supported Releases 10.2.0E or later

ip domain-name
Configures the default domain and appends it to incomplete DNS requests.
Syntax ip domain-name [vrf vrf-name] server-name
Parameters
● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure the domain corresponding to that VRF.
● server-name — (Optional) Enter the server name the default domain uses.
Default Not configured Command Mode CONFIGURATION Usage Information OS10 does not support sending DNS queries over a VLAN. DNS queries are sent out on all other interfaces, including the Management port. You can separately configure both IPv4 and IPv6 domain name servers. In a dual stack setup, the system sends both A (request for IPv4) and AAAA (request for IPv6) record requests to a DNS server even if you only configure this command.
● Do not run CPU-intensive Docker containers.

Enable Docker-CE
● Use the following commands in the OS10 Linux Shell:
sudo systemctl enable docker
sudo systemctl start docker
NOTE: When you run the docker run command to create a container, you must use the --net=host parameter.

Install a Docker image
● To pull the latest Docker image from a Docker hub:
docker pull nginx
Or
docker pull nginx:latest
NOTE: Docker downloads the latest image if you do not specify the image file name.
● Stop a running container:
docker stop container-name
● Open an interactive terminal inside a container:
docker exec -it container-name /bin/bash

Manage volumes
● Create a Docker volume:
docker volume create volume-name
● Run a Docker container with a volume mapped to "/work" inside the container:
docker run -d -it -v workvol1:/work puppet-agent /bin/bash
● Display details of a volume:
docker volume inspect volume-name
● List all the volumes in the system:
docker volume ls
● Remove a volume: doc
9 Interfaces

You can configure and monitor physical interfaces (Ethernet), port-channels, and virtual local area networks (VLANs) in Layer 2 (L2) or Layer 3 (L3) modes.
Table 11.
Unified port groups In an OS10 unified port group, all ports operate in either Ethernet or Fibre Channel (FC) mode. You cannot mix modes for ports in the same unified port group. To activate Ethernet interfaces, configure a port group to operate in Ethernet mode and specify the port speed. To activate Fibre Channel interfaces, see Fibre Channel interfaces. S4148U-ON On the S4148U-ON switch, the available Ethernet and Fibre Channel interfaces in a port group depend on the currently configured port profile.
3. Return to CONFIGURATION mode. exit 4. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
On the Z9264F-ON switch, the available Ethernet interfaces in a port group depend on the currently configured port-group profile. For details about the supported breakout modes in port-group profiles, see the profile CLI command.
To enable Ethernet interfaces:
1. Configure a Z9264F-ON port group in CONFIGURATION mode. Enter 1/1 for node/slot. The port-group range is from 1 to 32.
port-group node/slot/port-group
2. Configure the restricted profile in PORT-GROUP mode.
port-group1/1/1 port-group1/1/2 port-group1/1/3 port-group1/1/4 port-group1/1/5 port-group1/1/6 Eth Eth Eth Eth Eth Eth 10g-4x 10g-4x 10g-4x 100g-1x 100g-1x 100g-1x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 - Table 12.
Table 13.
port-group1/1/17 Eth 100g-1x 55 port-group1/1/18 Eth 100g-1x 56 - Table 14.
Table 15. Port groups and breakout modes on the S5296F-ON switch (continued)
Port Group    Ports    Supported breakout modes
● 50g-2x
● 40g-1x
● 25g-4x
● 10g-4x
To configure breakout modes:
1. Configure a port group in CONFIGURATION mode. Enter 1/1 for node/slot and the port group number.
port-group node/slot/port-group
2. Configure the breakout mode in PORT-GROUP mode.
mode Eth breakout-mode
● 100g-2x — Split a port group into two 100GE interfaces.
● 100g-1x — Set a port group to 100GE mode.
A Trunk interface carries VLAN traffic that is tagged using 802.1q encapsulation. If an Access interface receives a packet with an 802.1q tag in the header that is different from the Access VLAN ID, it drops the packet. By default, a trunk interface carries only untagged traffic on the Access VLAN. You must manually configure other VLANs for tagged traffic. 1. Select one of the two available options: ● Configure L2 trunking in INTERFACE mode and the tagged VLAN traffic that the port can transmit.
Fibre Channel interfaces OS10 unified port groups support FC interfaces. A unified port group operates in Fibre Channel or Ethernet mode. To activate FC interfaces, configure a port group to operate in Fibre Channel mode and specify the port speed. By default, FC interfaces are disabled. S4148U-ON On a S4148U-ON switch, FC interfaces are available in all port groups. The activated FC interfaces depend on the currently configured port profile. For more information, see S4148U-ON port profiles. Figure 3.
6. Apply vfabric configuration on the interface. For more information about vfabric configuration, see Virtual fabric. vfabric fabric-ID 7. Enable the FC interface in INTERFACE mode.
NOTE: The supported wavelength range is from 1528.38 nm to 1568.77 nm. OS10(conf-if-eth1/1/14)# wavelength 1530.00 2. View the optical transmission values that you configured using the following command: show interface phy-eth interface transceiver | grep "Tunable wavelength" OS10# show interface phy-eth 1/1/14 transceiver | grep "Tunable wavelength" SFP1/1/14 Tunable wavelength= 1530.
When using VLANs in a routing protocol, you must configure the no shutdown command to enable the VLAN for routing traffic. In VLANs, the shutdown command prevents L3 traffic from passing through the interface. L2 traffic is unaffected by this command. ● Configure an IP address in A.B.C.D/x format on the interface in INTERFACE mode. The secondary IP address is the interface’s backup IP address.
1. Configure the L2 VLAN scale profile in CONFIGURATION mode.
scale-profile vlan
2. (Optional) Enable L3 routing on a VLAN in INTERFACE VLAN mode.
mode L3
After you configure the VLAN scale profile and enable L3 routing on the respective VLANs, save the configuration and reload the switch for the scale profile settings to take effect. To reload the switch, use the reload command.
Input 0 packets, 0 bytes, 0 multicast Received 0 errors, 0 discarded Output 0 packets, 0 bytes, 0 multicast Output 0 errors, Output 0 invalid protocol Time since last interface status change : 00:00:11 Port-channel interfaces Port-channels are not configured by default. Link aggregation (LA) is a method of grouping multiple physical interfaces into a single logical interface — a link aggregation group (LAG) or port-channel.
● Port-channels support 802.3ad LACP. LACP identifies similarly configured links and dynamically groups ports into a logical channel. LACP activates the maximum number of compatible ports that the switch supports in a port-channel. ● If you globally disable a spanning-tree operation, L2 interfaces that are LACP-enabled port-channel members may flap due to packet loops.
○ secondary-ip-address — Specify a secondary IP address in dotted-decimal A.B.C.D format, which acts as the interface’s backup IP address. Assign Port Channel IP Address OS10# configure terminal OS10(config)# interface port-channel 1 OS10(conf-if-po-1)# ip address 1.1.1.1/24 OS10(conf-if-po-1)# Remove or disable port-channel You can delete or disable a port-channel. 1. Delete a port-channel in CONFIGURATION mode. no interface port-channel channel-number 2.
Change hash algorithm The load-balancing command selects the hash criteria applied to traffic load balancing on port-channels. If you do not obtain even traffic distribution, use the hash-algorithm command to select the hash scheme for LAG. Rotate or shift the L2-bit LAG hash until you achieve the desired traffic distribution. ● Change the default (0) to another algorithm and apply it to LAG hashing in CONFIGURATION mode.
Configure range of port channels OS10(config)# interface range port-channel 1-25 OS10(conf-range-po-1-25)# Switch-port profiles A port profile determines the enabled front-panel ports and supported breakout modes on Ethernet and unified ports. Change the port profile on a switch to customize uplink and unified port operation, and the availability of front-panel data ports.
S4148-ON Series port profiles
On the S4148-ON Series of switches, port profiles determine the available front-panel Ethernet ports and supported breakout interfaces on uplink ports. In the port profile illustration, blue boxes indicate the supported ports and breakout interfaces. Blank spaces indicate ports and speeds that are not available.
● 10GE mode is an SFP+ 10GE port or a 4x10G breakout of a QSFP+ or QSFP28 port.
● 25GE is a 4x25G breakout of a QSFP28 port.
S4148U-ON Ethernet modes—QSFP+ ports 27-28 and SFP+ ports 31-54:
● 10GE mode is an SFP+ 10GE port or a 4x10G breakout of a QSFP+ port.
● 40GE mode is a QSFP+ port.
For example, all S4148U-ON profiles support 10G speed on unified ports 1-24 and Ethernet ports 31-54, but only profile-1 and profile-2 activate QSFP+ ports 27-28 in 40GE mode with 4x10G breakouts.
To disable negotiation, use the following command: negotiation off To reset the negotiation mode to the default setting of the media you use, use one of the following commands: negotiation auto no negotiation The following examples show that the nondefault configuration is added to the running configuration: OS10(conf-if-eth1/1/50)# negotiation off OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 negotiation off flowcontrol receive on OS10(conf-if-e
Configure breakout mode
Using a supported breakout cable, you can split a 40GE QSFP+ or 100GE QSFP28 Ethernet port into separate breakout interfaces. All breakout interfaces have the same speed. You can set a QSFP28 port to operate in 40GE mode with a QSFP+ transceiver.
interface breakout node/slot/port map {10g-4x | 25g-4x | 40g-1x | 50g-2x | 100g-1x}
● node/slot/port — Enter the physical port information.
● 10g-4x — Split a QSFP28 or QSFP+ port into four 10G interfaces.
Enable breakout auto-configuration OS10(config)# feature auto-breakout Display breakout auto-configuration Before you plug a cable in Ethernet port 1/1/25: OS10# show interface status -----------------------------------------------------------------Port Description Status Speed Duplex Mode Vlan Tagged-Vlans -----------------------------------------------------------------Eth 1/1/1 down 0 auto Eth 1/1/2 down 0 auto A 1 Eth 1/1/25 down 0 auto A 1 Eth 1/1/29 down 0 auto A 1 After you enter feature auto-breakou
3. Reset an interface to its default configuration in CONFIGURATION mode. Enter multiple interfaces in a comma-separated string or a port range using the default interface range command. default interface {ethernet | fibrechannel} node/slot/port[:subport] 4. Enter INTERFACE mode and verify the factory-default configuration.
FEC modes supported in OS10:
● CL74-FC — Supports 25G and 50G
● CL91-RS — Supports 100G
● CL108-RS — Supports 25G and 50G
● off — Disables FEC
NOTE: OS10 does not support FEC on 10G and 40G.
Auto-negotiation performs at power-up, on command from the LAN controller, on detection of a PHY error, or following Ethernet cable re-connection. During the link establishment process, both link partners indicate their EEE capabilities. If EEE is supported by both link partners for the negotiated PHY type, EEE functions independently in either direction. Changing the EEE configuration resets the interface because the device restarts Layer 1 auto-negotiation.
Port EEE Status Speed Duplex --------------------------------------------Eth 1/1/1 off up 1000M ...
clear counters interface ethernet eee
Clears EEE counters on a specified Ethernet interface.
Syntax clear counters interface ethernet node/slot/port[:subport] eee
Parameters node/slot/port[:subport] — Enter the interface information.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# clear counters interface 1/1/48 eee
Clear eee counters on ethernet1/1/48 [confirm yes/no]:yes
Supported Releases 10.3.
Eth 1/1/49    n/a
Eth 1/1/50    n/a
Eth 1/1/51    n/a
Eth 1/1/52    n/a
Supported Releases 10.3.0E or later

show interface eee statistics
Displays EEE statistics for all interfaces.
Syntax show interface eee statistics
Parameters None
Default Not configured
Command Mode EXEC
Example
OS10# show interface eee statistics
Port         EEE   TxEventCount  TxDuration(us)  RxEventCount  RxDuration(us)
------------------------------------------------------------------------------
Eth 1/1/1    off   0             0               0             0
...
Default Not configured
Command Mode EXEC
Example
OS10# show interface ethernet 1/1/48 eee statistics
Eth 1/1/48
EEE : on
TxIdleTime(us) : 2560
TxWakeTime(us) : 5
Last Clearing : 18:45:53
TxEventCount : 0
TxDuration(us) : 0
RxEventCount : 0
RxDuration(us) : 0
Supported Releases 10.3.0E or later

View interface configuration
To view basic interface information, use the show interface, show running-configuration, and show interface status commands.
0 throttles, 0 discarded, 0 Collisions, 0 wred drops Rate Info(interval 30 seconds): Input 0 Mbits/sec, 0 packets/sec, 0% of line rate Output 0 Mbits/sec, 0 packets/sec, 0% of line rate Time since last interface status change: 02:46:36 Ethernet 1/1/2 is up, line protocol is up Hardware is Eth, address is 00:0c:29:66:6b:94 Current address is 00:0c:29:66:6b:94 Pluggable media present, QSFP+ type is QSFP+ 40GBASE CR4 Wavelength is 64 Receive power reading is 0.
interface ethernet1/1/2 no ip address shutdown ! interface ethernet1/1/3 no ip address shutdown ! interface ethernet1/1/4 no ip address shutdown ... View L3 interfaces OS10# show ip interface brief Interface Name IP-Address OK Method Status Protocol ========================================================================================= Ethernet 1/1/1 unassigned NO unset up down Ethernet 1/1/2 unassigned YES unset up up Ethernet 1/1/3 3.1.1.1/24 YES manual up up Ethernet 1/1/4 4.1.1.
28    Inactive
29    Inactive
30    Inactive

Configuration notes
All Dell EMC PowerSwitches except MX-Series: OS 10.5.1.0 allows you to configure Interface names with upper case characters, but the Interface is not programmed correctly. To ensure proper configuration, always use lower case to configure Interface names.
Table 16. DOM Alarms (continued)
Alarm Category          Alarm Name         Traps Generated?   Severity Level
Power reception (Rx)    Rx high            Y                  Major
                        Rx high warning    N                  Minor
                        Rx low             Y                  Major
                        Rx low warning     N                  Minor
You can enable or disable the DOM feature, configure traps, and view the DOM status.

Enable DOM and DOM traps
To generate DOM alarms, do the following.
1. Enable DOM.
OS10(config)# dom enable
2. Enable DOM traps.
INTEGER: 1081393 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.3 = INTEGER: 1 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.2 = STRING: "SET media 1/1/21 high threshold crossed, 82.00:78.00" 2018-08-21 17:38:18 [UDP: [10.11.56.49]:48521->[10.11.86.108]:162]: iso.3.6.1.2.1.1.3.0 = Timeticks: (1) 0:00:00.01 iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.674.11000.5000.100.4.1.3.1.19 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.3 = INTEGER: 1 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.1 = INTEGER: 1081397 iso.3.6.1.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 Collisions, wred drops Rate Info(interval seconds): Input 0 Mbits/sec, 0 packets/sec, 0% of line rate Output 0 Mbits/sec, 0 packets/sec, 0% of line rate Time since last interface status change: 20:45:25 OS10# configure terminal OS10(config)# default mtu 9000 OS10(config)# Interface commands channel-group Assigns an interface to a port-channel group.
● An Ethernet interface is enabled using the no shutdown command; a Fibre Channel interface is disabled using the shutdown command. ● An Ethernet interface is assigned to the default VLAN. The default interface command removes all software settings and all L3, VLAN, and port-channel configurations on a physical interface. You must manually remove configured links to the interface from other software features; for example, if you configure an Ethernet interface as a discovery interface in a VLT domain.
no switchport ! interface ethernet1/1/3 no shutdown no switchport ip address 192.28.43.1/31 ipv6 address 2000:28:43::28:43:1/127 ! interface ethernet1/1/4 no shutdown no switchport ip address 192.41.43.1/31 ipv6 address 2000:41:43::41:43:1/127 OS10(conf-range-eth1/1/1-1/1/4)# exit OS10(config)# default interface range ethernet 1/1/1,1/1/2-1/1/4 Proceed to cleanup interface range config? [confirm yes/no]:yes Mar 5 22:21:12 OS10 dn_l3_core_services[590]: Node.1-Unit.
default vlan-id Reconfigures the VLAN ID of the default VLAN. Syntax default vlan-id vlan-id Parameters vlan-id — Enter the default VLAN ID number, from 1 to 4093. Default VLAN1 Command Mode CONFIGURATION Usage Information By default, VLAN1 serves as the default VLAN for switching untagged L2 traffic on OS10 ports in Trunk or Access mode. If you use VLAN1 for network-specific data traffic, reconfigure the VLAN ID of the default VLAN.
● The no version of this command deletes the description. Example Supported Releases OS10(conf-if-eth1/1/7)# description eth1/1/7 10.2.0E or later duplex Configures Duplex mode on the Management port. Syntax duplex {full | half | auto} Parameters ● full — Set the physical interface to transmit in both directions. ● half — Set the physical interface to transmit in only one direction. ● auto — Set the port to auto-negotiate speed with a connected device.
Parameters temperature | voltage | rx-power | tx-power | bias — Enter the keyword to enable DOM traps for the specified category. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command disables the DOM traps. Example OS10# configure terminal OS10(config)# snmp-server enable traps dom temperature OS10# configure terminal OS10(config)# no snmp-server enable traps dom temperature Supported Releases 10.4.3.
Example
OS10(config)# interface ethernet 1/1/41
OS10(conf-if-eth1/1/41)# fec CL91-RS
Supported Releases 10.3.0E or later

interface breakout
Splits a front-panel Ethernet port into multiple breakout interfaces.
Syntax interface breakout node/slot/port map {100g-1x | 50g-2x | 40g-1x | 25g-4x | 10g-4x}
Parameters
Default Not configured
Command Mode CONFIGURATION
Usage Information
● Each breakout interface operates at the configured speed; for example, 10G, 25G, or 50G.
Supported Releases 10.2.0E or later

interface loopback
Configures a Loopback interface.
Syntax interface loopback id
Parameters id — Enter the Loopback interface ID number, from 0 to 16383.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the Loopback interface.
Example
OS10(config)# interface loopback 100
OS10(conf-if-lo-100)#
Supported Releases 10.2.0E or later

interface mgmt
Configures the Management port.
Supported Releases 10.3.0E or later

interface port-channel
Creates a port-channel interface.
Syntax interface port-channel channel-id
Parameters channel-id — Enter the port-channel ID number, from 1 to 128.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the interface.
Example
OS10(config)# interface port-channel 10
OS10(conf-if-po-10)#
Supported Releases 10.2.
interface vlan
Creates a VLAN interface.
Syntax interface vlan vlan-id
Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
Default VLAN 1
Command Mode CONFIGURATION
Usage Information FTP, TFTP, MAC ACLs, and SNMP operations are not supported. IP ACLs are supported on VLANs only. The no version of this command deletes the interface.
Example
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)#
Supported Releases 10.2.
○ 25g-4x — Split a port group into four 25GE interfaces.
○ 10g-8x — Split a port group into eight 10GE interfaces.
○ 10g-4x — Split a port group into four 10GE interfaces.
● mode FC — Configure a port group in Fibre Channel mode and set the speed to:
○ 32g-4x — Split a port group into four 32GFC interfaces.
○ 32g-2x — Split a port group into two 32GFC interfaces, subports 1 and 3.
○ 32g-1x — Split a port group into one 32GFC interface, subport 1.
○ 16g-4x — Split a port group into
Default
mtu Sets the link maximum transmission unit (MTU) frame size for an Ethernet L2 or L3 interface. Syntax mtu value Parameters value — Enter the maximum frame size in bytes, from 1280 to 65535. Maximum frame size for an S3000-ON is 12000, and S4000-ON is 9216. Default 1532 bytes Command Mode INTERFACE Usage Information To return to the default MTU value, use the no mtu command. If an IP packet includes a L2 header, the IP MTU must be at least 32 bytes smaller than the L2 MTU.
! interface ethernet1/1/50 no shutdown switchport access vlan 1 negotiation off flowcontrol receive on OS10(conf-if-eth1/1/50)# negotiation on OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 negotiation on flowcontrol receive on OS10(conf-if-eth1/1/50)# negotiation auto OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 flowcontrol receive on OS10(conf-if-eth1/1/50)# OS10(conf-if-eth1/1/50)#
○ 40g-1x — Set a port to 40GE mode for use with a QSFP+ 40GE transceiver. ○ 25g-4x — Split a port into four 25GE interfaces. ○ 10g-4x — Split a port into four 10GE interfaces. Default 100g-1x Command mode PORT-GROUP Usage information ● To view the currently active ports and subports, use the show port-group command. The no version of the command resets port-group interfaces to the default Ethernet port mode/speed.
Parameters ● restricted — Applies only to the odd-numbered port within the port group. The even-numbered port in the port group is disabled. Supported speeds are: ○ 100g-1x ○ 40g-1x ○ 25g-4x ○ 10g-4x ● unrestricted — Applies to both the odd-numbered and even-numbered ports within the port group. Supported speeds are: ○ 100g-1x ○ 50g-2x ○ 40g-1x Default Unrestricted Command mode PORT-GROUP Usage information Enter the profile command to configure breakout interfaces.
If a Fabric Switching Engine is in SmartFabric mode, it automatically discovers and configures an attached Fabric Expander: ● Virtual ports on the Fabric Expander and a virtual slot ID are created and mapped to 8x25GE breakout interfaces in FEM mode on the Fabric Engine. ● The unit ID is automatically discovered. ● Server traffic is transmitted through the QSFP28-DD uplink on the Fabric Expander to the Fabric Engine. If the Fabric Switching Engine is in Full Switch mode, configure the switch using the CLI.
FEC is auto, Current FEC is off Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 60 Last clearing of "show interface" counters: 00:40:14 Queuing strategy: fifo Input statistics: 0 packets, 0 octets 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output statistics: 0 packets, 0 octets 0 64-byte pkts, 0 over 64-byte pkts, 0 over 1
show interface transceiver "Tunable wavelength"
Displays the configured wavelength value of the optical interface.
Syntax show interface phy-eth interface transceiver | grep "Tunable wavelength"
Parameters interface — Specify the interface for which you want to view the optical wavelength details.
Defaults None.
Command Mode EXEC PRIVILEGE
Usage Information None.
Example
OS10# show interface phy-eth 1/1/14 transceiver | grep "Tunable wavelength"
SFP1/1/14 Tunable wavelength= 1530.
Example: MX9116n Fabric Engine Example: MX5108n Ethernet switch Supported Releases OS10# show inventory media --------------------------------------------------------System Inventory Media --------------------------------------------------------Node/Slot/Port Category Media Serial Dell EMC Number Qualified --------------------------------------------------------1/1/1 FIXED INTERNAL true 1/1/2 FIXED INTERNAL true 1/1/3 FIXED INTERNAL true 1/1/4 FIXED INTERNAL true 1/1/5 FIXED INTERNAL true 1/1/6 FIXED INT
show port-channel summary Displays port-channel summary information.
1/1/1     Eth   10g-4x
1/1/2     FC    16g-2x
1/1/3     FC    16g-2x
1/1/4     FC    16g-2x
1/1/5     FC    16g-2x
1/1/6     FC    16g-2x
1/1/7     Eth   100g-1x
1/1/8     Eth   40g-1x
1/1/9     Eth   100g-1x
1/1/10    Eth   40g-1x
Example: MX9116n Fabric Engine
Example: Z9264F-ON
Supported Releases
OS10(config)# show Port-group port-group1/1/1 port-group1/1/2 port-group1/1/3 port-group1/1/4 port-group1/1/5 port-group1/1/6 port-group1/1/7 port-group1/1/8 port-group1/1/9 port-group1/1/10 port-group1/1/11 port-group1/1/12 port-group1/1/13 port-group1/1/14 port-group1
reset the switch to the default port profile, use the no switch-port-profile node/slot command.
Example
OS10(config)# show switch-port-profile 1/1
| Node/Unit   | Current           | Next-boot         | Default   |
|-------------+-------------------+-------------------|
| 1/1         | profile-2         | profile-2         | profile-1 |
Supported Profiles:
profile-1 profile-2 profile-3 profile-4 profile-5 profile-6
Supported Releases 10.3.1E or later

show system
Displays the status of the DOM feature, whether it is enabled or disabled.
Parameters None Command Mode EXEC Usage Information If the Fabric Switching Engine is in Full Switch mode, you must manually configure the unit ID of an attached Fabric Expander. For more information, see Virtual ports. Use the show unit-provision command to display the assigned and unassigned unit IDs, and service tag provision name values. Use the unit-provision command to configure the Fabric Expander with an unassigned unit ID and provision name.
Usage Information This command marks a physical interface as unavailable for traffic. Disabling a VLAN or a port-channel causes different behavior. When you disable a VLAN, the L3 functions within that VLAN are disabled, and L2 traffic continues to flow. Use the shutdown command on a port-channel to disable all traffic on the port-channel, and the individual interfaces. Use the no shutdown command to enable a port-channel on the interface.
Example Supported Releases OS10(conf-if-ma-1/1/1)# speed auto 10.3.0E or later switch-port-profile Configures a port profile on the switch. The port profile determines the available front-panel ports and breakout modes. Syntax switch-port-profile node/unit profile Parameters ● node/unit — Enter switch information. For a standalone switch, enter 1/1. ● profile — Enter the name of a platform-specific profile.
■ QSFP28 unified ports 25 and 29 operate in Ethernet 100GE mode by default, and support 40GE with QSFP+ transceivers and 4x10G breakouts. QSFP28 ports 25 and 29 support 1x32GFC, 2x16GFC, and 4x8GFC in FC mode. ■ QSFP28 unified ports 26 and 30 operate in Ethernet 40GE mode by default and support 4x10G breakouts. QSFP28 ports 26 and 30 support 1x32GFC, 2x16GFC, and 4x8GFC in FC mode. ■ QSFP+ Ethernet ports operate at 40GE by default and support 4x10G breakouts. ■ SFP+ Ethernet ports operate at 10GE.
Supported Releases 10.3.0E or later switchport access vlan Assigns access VLAN membership to a port in L2 Access or Trunk mode. Syntax switchport access vlan vlan-id Parameters vlan vlan-id — Enter the VLAN ID number, from 1 to 4093. Default VLAN 1 Command Mode INTERFACE Usage Information This command enables L2 switching for untagged traffic and assigns a port interface to default VLAN1. Use this command to change the assignment of the access VLAN that carries untagged traffic.
switchport trunk allowed vlan
Configures the tagged VLAN traffic that an L2 trunk interface can carry. By default, an L2 trunk port has no tagged VLAN membership and does not transmit tagged traffic.
Syntax switchport trunk allowed vlan vlan-id-list
Parameters vlan-id-list — Enter the VLAN numbers of the tagged traffic that the L2 trunk port can carry. Comma-separated and hyphenated VLAN number ranges are supported.
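To review which ports still carry untagged traffic in the default VLAN and which VLANs each trunk is allowed to tag, the interface stanzas of a saved running configuration can be parsed offline. The following Python is an added example, not part of the Dell guide: the sample configuration is constructed in the stanza layout of the show configuration excerpts on this page, it assumes trunk ports appear with a switchport mode trunk line, and the function names are this example's own.

```python
"""Inventory L2 VLAN membership from OS10 running-configuration text (added example)."""
import re

VLAN_MIN, VLAN_MAX = 1, 4093  # VLAN ID range stated in the guide

# Constructed sample; "!" separates interface stanzas as in the page's excerpts.
SAMPLE_CONFIG = """\
!
interface ethernet1/1/1
 no shutdown
 switchport access vlan 1
!
interface ethernet1/1/2
 no shutdown
 switchport mode trunk
 switchport access vlan 1
 switchport trunk allowed vlan 10-12,20
!
interface ethernet1/1/3
 shutdown
 switchport access vlan 1
!
interface ethernet1/1/4
 no shutdown
 no switchport
 ip address 192.41.43.1/31
!
interface ethernet1/1/5
 no shutdown
 switchport access vlan 30
"""


def expand_vlan_list(spec):
    """Expand a comma-separated, hyphenated VLAN list such as '10-12,20'."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not re.fullmatch(r"\d+(-\d+)?", part):
            raise ValueError(f"bad VLAN list element: {part!r}")
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if low > high or low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def parse_interfaces(config_text, default_vlan=1):
    """Return {interface name: L2 state} for Ethernet and port-channel stanzas.

    Starting values follow the factory defaults the guide describes:
    enabled, L2, untagged in the default VLAN, no tagged VLANs.
    """
    prefix = "switchport trunk allowed vlan "
    interfaces, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            cur = None
            if name.startswith(("ethernet", "port-channel")):
                cur = {"enabled": True, "l2": True, "mode": "access",
                       "access_vlan": default_vlan, "tagged": []}
                interfaces[name] = cur
        elif line in ("", "!"):
            cur = None
        elif cur is None:
            continue
        elif line in ("shutdown", "no shutdown"):
            cur["enabled"] = line == "no shutdown"
        elif line == "no switchport":
            cur["l2"] = False
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            cur["access_vlan"] = int(line.split()[-1])
        elif line.startswith(prefix):
            merged = set(cur["tagged"]) | set(expand_vlan_list(line[len(prefix):]))
            cur["tagged"] = sorted(merged)
    return interfaces


def ports_in_default_vlan(interfaces, default_vlan=1):
    """Enabled L2 ports whose untagged traffic lands in the default VLAN."""
    return sorted(name for name, intf in interfaces.items()
                  if intf["enabled"] and intf["l2"]
                  and intf["access_vlan"] == default_vlan)


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for name in ports_in_default_vlan(parsed):
        print(f"{name}: enabled, untagged in default VLAN, tagged={parsed[name]['tagged']}")
```

If the default VLAN was changed with default vlan-id, pass the new ID as default_vlan to both functions.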
Command Mode INTERFACE CONFIGURATION
Usage Information To specify the wavelength value, you must enter exactly six digits: four before and two after the decimal point. The value must conform to the format ABCD.EF; for example, 1545.23. Any number that does not conform to this format is rejected, including whole numbers such as 1568. However, values of the following type are accepted: 1568.00.
10 PowerEdge MX Ethernet I/O modules
The Dell EMC PowerEdge MX7000 supports the following Ethernet modules: MX9116n Fabric Switching Engine, MX7116n Fabric Expander Module, and MX5108n Ethernet Switch. For detailed information, see the Dell EMC PowerEdge MX7000 documentation.
● The MX9116n Fabric Switching Engine is a scalable L2/L3 switch that provides high-bandwidth, low-latency 25GE networking; for example, in private cloud and software-defined storage (SDS) networks.
● Monitor system logs, alerts, and events.
● Update and manage the firmware.
● View the physical topology.
● Use power control.

SmartFabric mode
In SmartFabric mode, the PowerEdge MX switches operate as Layer 2 I/O aggregation devices. The OpenManage Enterprise Modular interface supports most switch configuration settings. Use SmartFabric mode to configure your switch.
Table 17. Differences between operating modes (continued)
Full Switch mode: All configuration changes are saved in the running configuration by default. To display the current configuration, use the show running-configuration command.
SmartFabric mode: Verify configuration changes using feature-specific show commands, such as show interface and show vlan, instead of show running-configuration.
Figure 5. MX9116n Fabric Switching Engine — QSFP28-DD port groups
QSFP28-DD port groups are 1 to 12 and contain physical ports 1/1/17 to 1/1/40. Server-facing ports are 1/1/1 to 1/1/16.
NOTE: By default, port group 10 is not in Fabric Expander mode. To use port group 10 as FEM, break out the port group in FabricExpander mode.
QSFP28-DD Ethernet interfaces support Fabric Expander mode (FEM) and native Ethernet mode.
● 10g-8x — Split a QSFP28-DD port into eight 10GE interfaces.
4. Return to CONFIGURATION mode.
exit
5. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
interface ethernet node/slot/port[:subport]
To display the Ethernet 100GE port configuration in a QSFP28-DD port group, enter the show port-group command. To display the Ethernet 25GE subport configuration, enter the show interfaces status command.
Eth Eth Eth Eth Eth Eth Eth Eth ... 1/1/21:1 1/1/21:2 1/1/21:3 1/1/21:4 1/1/22:1 1/1/22:2 1/1/22:3 1/1/22:4 down down down down down down down down 0 0 0 0 0 0 0 0 auto auto auto auto auto auto auto auto A A A A A A A A 1 1 1 1 1 1 1 1 - Virtual ports A virtual port is a logical OS10 port that connects to a downstream server and has no physical hardware location on the switch. Virtual ports are created when an MX9116n Fabric Switching Engine onboards an MX7116n Fabric Expander Module.
1 1 1 1 1 1 1 1 1 1 | | | | | | | | | | 73 74 75 76 77 78 79 80 81 82 | | | | | | SP0012 | | | | | | | | | | SP0012 | | | | | | | | | | up | | | | | | | | | | | | | | 3. Configure the unit ID for the service tag (provision name) of the Fabric Expander in CONFIGURATION mode. OS10(config)# unit-provision node/unit-id provision_name ● node/unit-id — Enter 1 for node with an unassigned unit ID from the show unit-provision output.
Eth 1/1/18:4 ... dormant
You can also use the show interface command to display the Fabric Engine physical port-to-Fabric Expander virtual port mapping, and the operational status of the line.
OS10# show interface ethernet 1/1/30:3
Ethernet 1/1/30:3 is up, line protocol is dormant
Interface is mapped to ethernet1/77/7
5. Verify the virtual ports on the Fabric Expander that are up and connected to servers in CONFIGURATION mode.
Eth 1/82/7 Eth 1/82/8 down down 0 0 auto auto A A 1 1 - Single-density QSFP28 interfaces On the MX9116n Fabric Switching Engine module, a QSFP28 port group consists of one Ethernet 100G port. By default, QSFP28 port groups 13 and 14 (physical ports 41 and 42) operate in 1x100GE mode. For information about how to configure QSFP28-DD port groups 1 to 12 to operate in Ethernet mode, see Double-density QSFP28 interfaces.
View QSFP28 port groups and default modes OS10# show port-group Port-group Mode ... port-group1/1/13 Eth 100g-1x port-group1/1/14 Eth 100g-1x ... Ports 41 42 FEM - View QSFP28 breakout interfaces OS10# show interface status --------------------------------------------------------------------------Port Description Status Speed Duplex Mode Vlan Tagged-Vlans --------------------------------------------------------------------------...
View internal Ethernet port-server connections — MX5108n Ethernet Switch OS10# show inventory media ---------------------------------------------------------------System Inventory Media ----------------------------------------------------------Node/Slot/Port Category Media Serial Dell EMC Number Qualified ----------------------------------------------------------1/1/1 FIXED INTERNAL true 1/1/2 FIXED INTERNAL true 1/1/3 FIXED INTERNAL true 1/1/4 FIXED INTERNAL true 1/1/5 FIXED INTERNAL true 1/1/6 FIXED INTER
● Ensure that the new IOM has the same OS10 version as the faulty IOM. You can check the OS10 version by logging in to the OME-Modular Graphical User Interface (GUI).
NOTE: OS10 is factory-installed in the MX9116n FSE or MX5108n Ethernet Switch. If the faulty IOM has an upgraded version of OS10, you must upgrade the new IOM to the same version. To upgrade an OS10 image, see Download OS10 image for upgrade.

Replace an IOM in Full-Switch VLT
To replace an IOM that is in Full-Switch mode and part of a VLT domain:
1.
NOTE: When you remove the faulty IOM in Full-Switch mode, the CLI configurations are lost. Reapply the configurations in the new IOM using OS10 CLI.

Identify the master IOM
To initiate the module replacement process, identify the master IOM connected to the SmartFabric. To identify the master IOM in the SmartFabric, use the show smartfabric cluster member command. Run the command from any of the IOMs connected in the SmartFabric. The content displayed varies depending on the switch role.
Log in to the master IOM from the member
To use the module replacement command, access the master IOM from the member. Use the IPv6 address of the master IOM to log in to the master IOM. After logging in to the master IOM, use the module replacement command to initiate the replacement workflow.
1. Log in to the Linux shell from EXEC mode in the connected IOM.
OS10# system bash
admin@MX9116N-A2:~$
2. Log in to the master IOM using the IPv6 address displayed in the IOM.
If the IOM is not part of the SmartFabric, the system displays the following error:
Enter the Username for the Admin: admin
Password:
No Fabric found for specified nodes. Please recheck and issue this command again.
Output example when you use the module replacement command in the master IOM:
admin@MX9116N-A2:~$ sfs_node_replace.
● Dell EMC OpenManage Enterprise - Modular User's Guide, Ethernet IO Modules chapter
● Dell EMC PowerEdge MX SmartFabric Services Configuration and Troubleshooting Guide
You can enter SmartFabric Services show commands from the OS10 CLI to view SmartFabric configuration information. For more information, see SmartFabric commands.
11 Fibre Channel
OS10 switches with Fibre Channel (FC) ports operate in one of the following modes: Direct attach (F_Port), NPIV Proxy Gateway (NPG). In the FSB mode, you cannot use the FC ports.

E_Port
An expansion port (E_Port) in a switch is used to connect two Fibre Channel switches to form a multiswitch SAN fabric. The default port mode in a multiswitch setup is F.
NOTE: OS10 supports multiple E-Nodes in F_Port mode.
NOTE: Remove all the NPIV Proxy Gateways (NPG), F-Port and vfabric related configurations from startup configuration before changing the IOM operating modes.
Using the discovered information, the switch installs ACL entries that provide security and point-to-point link emulation.
Configure FIP snooping
1. Enable FIP snooping globally using the feature fip-snooping command in CONFIGURATION mode.
2. Before applying FIP snooping to a VLAN, ensure that the VLAN already contains Ethernet or LAG members that are enabled with FCF Port mode. Enable FCF mode on an Ethernet or port-channel using the fip-snooping port-mode fcf command in INTERFACE mode.
3. Enable FIP snooping on the VLAN using the fip-snooping enable command in VLAN INTERFACE mode.
Enodes Sessions : 2 : 17 OS10# show fcoe sessions Enode MAC Enode Interface MAC FC-ID PORT WWPN FCF MAC FCF interface VLAN PORT WWNN FCoE aa:bb:cc:00:00:00 ethernet1/1/54 aa:bb:cd:00:00:00 port-channel5 100 0e:fc:00:01:00:01 01:00:01 31:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00 aa:bb:cc:00:00:00 ethernet1/1/54 aa:bb:cd:00:00:00 port-channel5 100 0e:fc:00:01:00:02 01:00:02 31:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00 OS10# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP --------------------------
1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode.
2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command.
3. Add an FC map with the fcoe fcmap fc-map command.
4. Activate a zoneset using the zoneset activate zoneset-name command.
5. Allow access to all logged-in members in the absence of an active zoneset configuration using the zone default-zone permit command.
fibrechannel1/1/20
fibrechannel1/1/21
fibrechannel1/1/22
fibrechannel1/1/23
fibrechannel1/1/24
fibrechannel1/1/25:1
fibrechannel1/1/29:1
fibrechannel1/1/30:1
fibrechannel1/1/30:3
==========================================
To configure a vfabric in NPG mode:
1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode.
2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command.
3.
fcoe fka-adv-period 8
fcoe vlan-priority 3

Fibre Channel zoning
Fibre Channel (FC) zoning partitions an FC fabric into subsets to restrict unnecessary interactions, improve security, and manage the fabric more effectively. Create zones and add members to the zone. Identify a member by an FC alias, world wide name (WWN), or FC ID. A zone can have a maximum of 255 unique members. Create zonesets and add the zones to a zoneset.
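A zoning audit for the vfabric steps and the zoning limits described above, as an added example that is not part of the Dell guide or of OS10. It flags vfabrics where zone default-zone permit leaves all logged-in members with access, references to undefined zones or zonesets, and zones that repeat a member or exceed 255 unique members; the configuration excerpt, its block layout and all function names are assumptions made for the example.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "scope code detail")
MAX_ZONE_MEMBERS = 255  # per-zone limit of unique members stated on the page

# Constructed sample. The block layout (indented sub-commands, "!" separators)
# is an assumption; the names, WWNs and IDs are illustrative values.
SAMPLE_CONFIG = """\
fc zone zoneA
 member wwn 23:05:22:11:0d:64:67:11
 member wwn 50:00:d3:10:00:ec:f9:00
!
fc zone zoneDup
 member wwn 50:00:d3:10:00:ec:f9:00
 member wwn 50:00:D3:10:00:EC:F9:00
!
fc zoneset zonesetA
 member zoneA
 member zoneMissing
!
vfabric 1
 vlan 1001
 zoneset activate zonesetA
!
vfabric 2
 vlan 1002
 zone default-zone permit
!
vfabric 3
 vlan 1003
 zoneset activate zonesetB
!
vfabric 4
 vlan 1004
 zoneset activate zonesetA
 zone default-zone permit
!
"""


def parse_blocks(text):
    """Group indented sub-commands under the unindented header above them."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # a "!" or blank line closes the open block
        elif raw[0].isspace():
            if current is not None:
                current[1].append(line)
        else:
            current = (line, [])
            blocks.append(current)
    return blocks


def member_args(subs):
    return [s.split(None, 1)[1] for s in subs if s.startswith("member ")]


def audit_zoning(text):
    """Return zoning findings for a configuration in the assumed layout."""
    zones, zonesets, vfabrics = {}, {}, {}
    for header, subs in parse_blocks(text):
        kind, _, name = header.rpartition(" ")
        if kind == "fc zone":
            # WWNs are hexadecimal, so fold case before comparing members.
            zones[name] = [m.lower() for m in member_args(subs)]
        elif kind == "fc zoneset":
            zonesets[name] = member_args(subs)
        elif kind == "vfabric":
            vfabrics[name] = subs
    out = []
    for name, mem in zones.items():
        unique = len(set(mem))
        if unique < len(mem):
            out.append(Finding(f"zone {name}", "duplicate-member", "member listed twice"))
        if unique > MAX_ZONE_MEMBERS:
            out.append(Finding(f"zone {name}", "too-many-members", f"{unique} unique"))
    for name, zone_names in zonesets.items():
        for zone in zone_names:
            if zone not in zones:
                out.append(Finding(f"zoneset {name}", "undefined-zone", zone))
    for vid, subs in vfabrics.items():
        active = [s.split()[2] for s in subs if s.startswith("zoneset activate ")]
        permit = "zone default-zone permit" in subs
        if permit and not active:
            out.append(Finding(f"vfabric {vid}", "open-default-zone", "all members have access"))
        elif permit:
            out.append(Finding(f"vfabric {vid}", "latent-default-zone", "opens if zoneset is removed"))
        for zoneset in active:
            if zoneset not in zonesets:
                out.append(Finding(f"vfabric {vid}", "undefined-zoneset", zoneset))
    return out


if __name__ == "__main__":
    for finding in audit_zoning(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```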
50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1f 20:35:78:2b:cb:6f:65:57 View FC zoneset configuration OS10(conf-fc-zoneset-set)# show configuration ! fc zoneset set member hba1 member hba2 OS10# show fc zoneset active vFabric id: 100 Active Zoneset: set ZoneName ZoneMember ================================================ hba2 *20:01:00:0e:1e:e8:e4:99 20:35:78:2b:cb:6f:65:57 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:1f hba1 *10:00:00:90:fa:b8:22:19 *21:00:0
Pinning FCoE traffic to a specific port of a port-channel
You can isolate FIP and FCoE traffic by configuring a pinned port at the FCoE LAG. The FCoE LAG is the port-channel used for FIP and FCoE traffic in the intermediate switches between server and storage devices. VLT provides Active/Active LAN connectivity on converged links by forwarding traffic in multiple paths to multiple upstream devices without STP blocking any of the uplinks.
Sample FSB configuration on VLT network
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping
2. Create the FCoE VLAN.
OS10(config)#interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Configure the VLTi interface.
OS10(config)# interface ethernet 1/1/27
OS10(conf-if-eth1/1/27)# no shutdown
OS10(conf-if-eth1/1/27)# no switchport
4. Configure the VLT.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
OS10(conf-if-eth1/1/1)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/1)# priority-flow-control mode on
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# description uplink_port_channel_member2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# channel-group 10 mode active
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/2)# priority-flow-control mode on
OS10(config)# interface OS10(conf-if-eth
Discovered FCFs: OS10# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
8. Enable DCBX.
OS10(config)# dcbx enable
9. Apply the vfabric on the interfaces.
Sample FSB configuration on non-VLT network
The following examples illustrate configurations in intermediate switches in a non-VLT network to communicate with the server.
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping
2. Create the FCoE VLAN.
OS10(config)#interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Enable DCBX.
OS10(config)# dcbx enable
4. Enable the PFC parameters on the interfaces.
OS10(conf-if-eth1/1/3)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/3)# priority-flow-control mode on
OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# channel-group 20 mode active
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/4)# priority-flow-control mode on

View the configuration
Discovered ENodes:
OS10# show fcoe enode
Enode MAC Enode Interface VLAN FCFs Sess
5. Create vfabric and activate the FC zoneset.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# vlan 1001
OS10(conf-vfabric-1)# fcoe fcmap 0xEFC00
OS10(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
OS10(config)# dcbx enable
7. Apply the vfabric on the interfaces.
----------------- ---------------- -----------------
Po 10 Eth 1/1/9 Up

Multiswitch fabric (E Port)
E Ports are interfaces that connect the FC switches to form a multiswitch SAN fabric. These ports carry control frames between the switches to configure and maintain the fabric. An Inter-Switch Link (ISL) is created when you connect two E Ports to one another. FC ISL maintains the information in FC frames as the traffic flows between multiple switches. The multiswitch configuration sets the port mode as E.
compute the shortest path to reach a switch in the fabric. The name server service uses these routes to synchronize the name server database across the fabric. Hence, FSPF helps in building the fabric connectivity. Configure the same hold-time value on all the switches to ensure consistent route convergence and to avoid intermittent forwarding loops. When you configure a shorter hold-time, the route update is faster.
● ACL entries that are installed for control and data traffic use statically reserved CAM entries. Dynamic ACL space allocation is not supported.
● The switch supports zoning configurations like the F port mode. Configure the same zoning configurations on all switches in the fabric to avoid losing Logical Unit Numbers (LUNs) during topology changes.

Configure multiswitch fabric (E Port)
This section describes the procedure to configure multiswitch fabric (E Port).
5. Configure FC interface.
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# no shutdown
OS10(conf-if-fc1/1/1)# vfabric 1
OS10(conf-if-fc1/1/1)# exit
OS10(config)# interface fibrechannel 1/1/2
OS10(conf-if-fc1/1/2)# no shutdown
OS10(conf-if-fc1/1/2)# vfabric 1
6. Configure the FC switch port mode.
OS10(conf-if-fc1/1/2)# fc port-mode E
7. Add VLAN 1001 and fcmap to switch-1 to activate vFabric.
6. Configure the FC switch port mode.
OS10(conf-if-fc1/1/2)# fc port-mode E
7. Add VLAN 1001 and fcmap to switch-2 to activate vFabric.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# vlan 1001
OS10(conf-vfabric-1)# fcoe fcmap 0xefc00
OS10(conf-vfabric-1)# exit
8. Create zones.
OS10(config)# fc zone zoneA
OS10(config-fc-zone-zoneA)# member wwn 20:01:f4:e9:d4:f9:fc:44
OS10(config-fc-zone-zoneA)# member wwn 20:02:00:11:0d:a5:56:01
9. Create and activate a zone set.
port-group port-group port-group port-group 1/1/7 Eth 100g-1x 1/1/8 Eth 40g-1x 1/1/9 Eth 100g-1x 1/1/10 Eth 40g-1x 25 26 29 30 - ● To verify the fabric details in switch-1, run the show fc fabric command.
● To verify the fabric name server registration on switch-1, run the show fc ns fabric command.
zoneA 20:01:f4:e9:d4:f9:fc:44 20:02:00:11:0d:a5:56:01 ● To verify the vFabric in switch-1, run the show vfabric command.
Id type State code -----------------------------------------------------------------------------------10 fc1/1/3 UPSTREAM EPORT NONE 10:00:14:18:77:20:7f:cf 20:00:14:18:77:20:7f:d0 10 fc1/1/1 NONPRINPLISL EPORT NONE 10:00:14:18:77:20:7f:cf 20:00:14:18:77:20:7f:d2 OS10# ● To display the summary of principal switch election states, in switch-2, run the show fc fabric interface command.
LSR Type = 1 Advertising domain ID = 0x65(101) LSR Age = 1686 LSR Incarnation number = 0x80000024 LSR Checksum = 0x3caf Number of links = 1 NbrDomainId IfIndex NbrIfIndex Link Type Cost -------------------------------------------------------------0x77(119) 0x00001085 0x00001095 1 125 FSPF Link State Database for Vfabric-Id 1 Domain 0x77(119) LSR Type = 1 Advertising domain ID = 0x77(119) LSR Age = 1686 LSR Incarnation number = 0x80000024 LSR Checksum = 0x3caf Number of links = 1 NbrDomainId IfIndex NbrIfInd
Number of packets received: LSU 8 LSA 8 Hello 118 Error packets 0
Number of packets transmitted : LSU 8 LSA 8 Hello 119 Retransmitted LSU 0
Supported Releases 10.5.1.0 or later

clear fc fabric statistics
Clears the fabric statistics for all the interfaces.
Syntax clear fc fabric statistics [interface type node/slot/port[:subport] | vfabric vfabric-id]
Parameters
● node/slot/port[:subport]—Enter interface information.
● vfabric-id—Enter the vfabric ID.
34 32 31 33 35
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Supported Releases 10.5.1.0 or later

clear fc fspf statistics
Clears FSPF statistics for all the interfaces.
Syntax clear fc fspf statistics [interface type node/slot/port[:subport] | vfabric vfabric-id]
Parameters
● node/slot/port[:subport]—Enter interface information.
● vfabric-id—Enter the vfabric ID.
Parameters
● domain-id—Enter the domain ID of the E_Port.
● domain-id-val—Valid values are from 1 to 239.
Defaults Dynamic Configuration
Command Mode Vfabric CONFIGURATION
Usage Information
● The configurations are supported only in the multiswitch mode. The configured domain ID can be preferred or dynamic.
● If the domain ID is preferred, the switch requests the preferred domain ID from the principal switch.
● You can change the domain ID only when the vfabric is in an inactive state.
● F—Multiswitch mode
● N—NPG mode
Command Mode Fibre Channel INTERFACE
Usage Information
● The configurations are supported only in the multiswitch mode. In F_port mode, all the ports operate as F Port. On enabling the multiswitch mode, a port works as either an F_port or an E_port.
● To change modes, disable the current mode and enable the new mode. This operation leads to traffic disruption on the corresponding port.
● You can disable the multiswitch mode only if you delete the related configurations.
Usage Information
● The configurations are supported only in the multiswitch mode.
● This command configures the cost of the selected interface. Also, it configures the same cost value on both ends of the link.
● Different cost values cause the request to repeat, possibly indefinitely.
● The no version of this command resets the cost to the default value for the interface speed.
Example OS10(config-if-fc-1/1/1)#fspf cost 90
Supported Releases 10.5.1.
Parameters timeout-val—Valid values are from 0 to 65535.
Defaults 0ms
Command Mode VFABRIC CONFIGURATION
Usage Information
● The configurations are supported only in multiswitch mode.
● This command configures the hold-time between two consecutive route computations in milliseconds, for the entire vfabric. If the specified time is shorter, the routing update is faster. However, the processor consumption increases accordingly.
Example OS10(conf-vfabric-)#principal-priority 3
Supported Releases 10.5.1.0 or later

r_a_tov
Configures the R_A_TOV FC timer value for vfabric.
Syntax r_a_tov timeout-val
Parameters timeout-val—Valid values are from 5000 to 10000.
Defaults 10000ms
Command Mode VFabric CONFIGURATION
Usage Information
● The configurations are supported only in multiswitch mode.
● This timer is used to mark the error conditions during domain ID allocation, SW-RSCN, and NS QUERY.
show fc fabric interface
Shows the summary of the principal switch election states, ILS link type, port state, reason code, remote switch, and port name.
Syntax show fc fabric interface
Parameters None
Defaults Not applicable
Command Mode EXEC
Usage Information
● Use this command to display the summary of principal switch election states, ILS link type, port state, remote switch, and port name.
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the fabric statistics for an interface.
31 33 35 Supported Releases 77 77 77 77 77 77 184 46 153 10.5.1.0 or later show fc fspf database Displays the FSPF link state database information of a switch. Syntax show fc fspf database Parameters None Defaults Not applicable Command Mode GLOBAL CONFIGURATION Usage Information Use this command to display the FSPF link state database information of a switch.
Example
OS10#show fc fspf neighbor
Vfabric-Id  Interface  Neighbor-DomainID  State  Dead-Time
---------------------------------------------------------------
100         fc1/1/2    0x66(102)          Full   00:00:39
Supported Releases 10.5.1.0 or later

show fc fspf route
Displays the server and target ports.
show fc ns fabric brief
Shows the name server entries that are shared among the Fabric switches in the FC fabric briefly.
Syntax show fc ns fabric brief
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to briefly display all the remote name server entries in the FC fabric.
GSNN_NN GID_FT GPN_FT GNN_FT GNN_FF GPN_FF GID_PT GID_FPN GPNN_ID GID_FF GID_DP RSCN SW_RSCN GE_PT GE_ID Supported Releases 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ReqTx 0 ReqRx 0 0 0 ReqTx 0 0 0 AccRx 0 0 0 AccTx 0 0 0 RejRx 0 0 0 RejTx 0 0 0 ReqReTx 0 0 0 10.5.1.0 or later show fc switch Shows the multiswitch mode.
FC MTU 2188 bytes LineSpeed 0 Operational Speed 0 over 20G Port type is E_Port, Max BB credit is 8 WWN is 20:01:14:18:77:20:73:cf Last clearing of "show interface" counters: 1 day 16:33:56 Input statistics: 0 frames, 0 bytes 0 class 2 good frames, 0 class 3 good frames 0 frame too long, 0 frame truncated, 0 CRC 0 link fail, 0 sync loss 0 primitive seq err, 0 LIP count 0 BB credit 0, 0 BB credit 0 packet drops Output statistics: 0 frames, 0 bytes 0 class 2 frames, 0 class 3 frames 0 BB credit 0, 0 oversize f
Active ZoneSet: zoneset5
==========================================
Members
fibrechannel1/1/11
fibrechannel1/1/17
fibrechannel1/1/22
Supported Releases 10.5.1.0 or later

show vfabric fspf
Displays FSPF information at the vfabric level.
Syntax show vfabric fspf
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the FSPF information of an interface.
● FCF-transit—Only the FCF advertisement and VLAN responses are snooped to learn the FCF. The FCF-transit does not learn the ENodes and session information. Configure the FCF-transit mode on the FCF-facing side of the core FSB switch. The FCF can be in NPG or F-Port mode. The access FSB switches validate the frames and install ACLs per the FCF to allow only FCoE and FIP traffic across the FCF.
NOTE: Port-pinning is not supported on ENodes connected to an FSB switch that is in FCF-transit mode.
L2switch(config)# interface ethernet 1/1/5
L2switch(conf-if-eth1/1/5)# no flowcontrol receive
L2switch(conf-if-eth1/1/5)# no flowcontrol transmit
b. Enable DCBX.
L2switch(config)# dcbx enable
c. Create a VLAN for FCoE traffic to pass through.
L2switch(config)# interface vlan 777
d. Create class-maps.
L2switch(conf-if-eth1/1/5)# switchport mode trunk
L2switch(conf-if-eth1/1/5)# switchport trunk allowed vlan 777
2. Configure the access FSB, FSB1. This example describes
a. Disable flow control on the interfaces connected to CNA1, L2 switch, and FSB2.
FSB1(conf-if-eth1/1/31)# service-policy output type queuing ets_policy i.
e. Create class-maps.
FSB2(config)# class-map type network-qos c3
FSB2(config-cmap-nqos)# match qos-group 3
FSB2(config)# class-map type queuing q0
FSB2(config-cmap-queuing)# match queue 0
FSB2(config-cmap-queuing)# exit
FSB2(config)# class-map type queuing q3
FSB2(config-cmap-queuing)# match queue 3
FSB2(config-cmap-queuing)# exit
f. Create policy-maps.
4. Configure the FCF. The following configuration assumes that the FCF is in F-Port mode.
a. Disable flow control on the interface connected to FSB2.
FCF(config)# interface ethernet 1/1/13
FCF(conf-if-eth1/1/13)# no flowcontrol receive
FCF(conf-if-eth1/1/13)# no flowcontrol transmit
b. Enable Fibre Channel F-Port mode globally.
FCF(config)# feature fc domain-id 2
c. Create zones.
j. Apply vfabric on FSB2 and target connected interfaces.
FCF(config)# interface ethernet 1/1/13
FCF(conf-if-eth1/1/13)# no shutdown
FCF(conf-if-eth1/1/13)# switchport access vlan 1
FCF(conf-if-eth1/1/13)# vfabric 2
FCF(config)# interface fibrechannel 1/1/3
FCF(conf-if-fc1/1/3)# description target_connected_port
FCF(conf-if-fc1/1/3)# no shutdown
FCF(conf-if-fc1/1/3)# vfabric 2
k. Apply QoS configurations on the interface connected to FSB2.
-------------------------------------------------------------------------------------------------------------32:03:cf:45:00:00 Eth 1/1/31 14:18:77:20:86:ce Eth 1/1/2 777 0e:fc:00:05:00:05 05:00:05 33:00:55:2c:cf:55:00:00 23:00:55:2c:cf:55:00:00 f4:e9:d4:f9:fc:40 Eth 1/1/5 14:18:77:20:86:ce Eth 1/1/2 777 0e:fc:00:02:01:00 02:01:00 20:01:f4:e9:d4:a4:7d:c3 20:00:f4:e9:d4:a4:7d:c3 ● To verify the name server entries on the FCF, use the show fc ns switch brief command.
● VLT is configured between FSB1 and FSB2, and requires port-pinning for VLT port channels configured between access FSBs and core FSBs. The port modes are:
  ○ Directly-connected CNA ports—ENode
  ○ Ports connected to FSB3 and FSB4—FCF
● VLT is configured between FSB3 and FSB4, and requires port-pinning for VLT port channels configured between access and core FSBs.
4. Create class-maps.
FSB1(config)# class-map type network-qos c3
FSB1(config-cmap-nqos)# match qos-group 3
FSB1(config)# class-map type queuing q0
FSB1(config-cmap-queuing)# match queue 0
FSB1(config-cmap-queuing)# exit
FSB1(config)# class-map type queuing q3
FSB1(config-cmap-queuing)# match queue 3
FSB1(config-cmap-queuing)# exit
5. Create policy-maps.
FSB1(conf-if-eth1/1/31)# switchport access vlan 1
FSB1(conf-if-eth1/1/31)# switchport trunk allowed vlan 1001
FSB1(config)# interface port-channel 10
FSB1(conf-if-po-10)# switchport mode trunk
FSB1(conf-if-po-10)# switchport access vlan 1
FSB1(conf-if-po-10)# switchport trunk allowed vlan 1001-1002
11. Apply QoS configurations on the interfaces connected to FSB2 and CNA-1. Configure the interface connected to FSB2 as pinned-port.
FSB2(config-cmap-queuing)# match queue 3
FSB2(config-cmap-queuing)# exit
5. Create policy-maps.
FSB2(config)# policy-map type network-qos nqpolicy
FSB2(config-pmap-network-qos)# class c3
FSB2(config-pmap-c-nqos)# pause
FSB2(config-pmap-c-nqos)# pfc-cos 3
FSB2(config)# policy-map type queuing ets_policy
FSB2(config-pmap-queuing)# class q0
FSB2(config-pmap-c-que)# bandwidth percent 30
FSB2(config-pmap-c-que)# class q3
FSB2(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
11. Apply QoS configurations on the interfaces connected to FSB4 and CNA-2. Configure the interface connected to FSB4 as pinned-port.
FSB3(config-pmap-c-nqos)# pause
FSB3(config-pmap-c-nqos)# pfc-cos 3
FSB3(config)# policy-map type queuing ets_policy
FSB3(config-pmap-queuing)# class q0
FSB3(config-pmap-c-que)# bandwidth percent 30
FSB3(config-pmap-c-que)# class q3
FSB3(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
FSB3(config)# qos-map traffic-class tc-q-map1
FSB3(config-qos-map)# queue 3 qos-group 3
FSB3(config-qos-map)# queue 0 qos-group 0-2,4-7
7. Configure port channel.
FSB3(conf-if-eth1/1/45)# qos-map traffic-class tc-q-map1
FSB3(conf-if-eth1/1/45)# service-policy input type network-qos nqpolicy
FSB3(conf-if-eth1/1/45)# service-policy output type queuing ets_policy
FSB3(config)# interface ethernet 1/1/36
FSB3(conf-if-eth1/1/36)# flowcontrol receive off
FSB3(conf-if-eth1/1/36)# priority-flow-control mode on
FSB3(conf-if-eth1/1/36)# ets mode on
FSB3(conf-if-eth1/1/36)# trust-map dot1p default
FSB3(conf-if-eth1/1/36)# qos-map traffic-class tc-q-map1
FSB3(conf-if-eth1/1/36)#
FSB4(config-pmap-c-que)# class q3
FSB4(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
FSB4(config)# qos-map traffic-class tc-q-map1
FSB4(config-qos-map)# queue 3 qos-group 3
FSB4(config-qos-map)# queue 0 qos-group 0-2,4-7
7. Configure port channel.
FSB4(config)# interface port-channel 10
FSB4(conf-if-po-10)# no shutdown
FSB4(conf-if-po-10)# vlt-port-channel 1
8. Configure VLTi interface member links.
FCF1 configuration
1. Enable Fibre Channel F-Port mode globally.
FCF1(config)# feature fc domain-id 2
2. Create zones.
FCF1(config)# fc zone zoneA
FCF1(config-fc-zone-zoneA)# member wwn 23:05:22:11:0d:64:67:11
FCF1(config-fc-zone-zoneA)# member wwn 50:00:d3:10:00:ec:f9:00
3. Create zoneset.
FCF1(config)# fc zoneset zonesetA
FCF1(conf-fc-zoneset-setA)# member zoneA
4. Create a vfabric VLAN.
FCF1(config)# interface vlan 1001
5. Create vfabric and activate the zoneset.
FCF1(conf-if-eth1/1/45)# ets mode on
FCF1(conf-if-eth1/1/45)# trust-map dot1p default
FCF1(conf-if-eth1/1/45)# qos-map traffic-class tc-q-map1
FCF1(conf-if-eth1/1/45)# service-policy input type network-qos nqpolicy
FCF1(conf-if-eth1/1/45)# service-policy output type queuing ets_policy
11. Apply vfabric on the interfaces connected to FSB3 and the target.
FCF2(config-pmap-c-nqos)# pause
FCF2(config-pmap-c-nqos)# pfc-cos 3
FCF2(config)# policy-map type queuing ets_policy
FCF2(config-pmap-queuing)# class q0
FCF2(config-pmap-c-que)# bandwidth percent 30
FCF2(config-pmap-c-que)# class q3
FCF2(config-pmap-c-que)# bandwidth percent 70
9. Create a qos-map.
FCF2(config)# qos-map traffic-class tc-q-map1
FCF2(config-qos-map)# queue 3 qos-group 3
FCF2(config-qos-map)# queue 0 qos-group 0-2,4-7
10. Apply QoS configurations on the interface connected to FSB4.
Enodes Sessions : 1 : 1 FSB2 FSB2# show fcoe sessions Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN PORT WWNN -----------------------------------------------------------------------------------------------------------------------------------------------00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 FSB2# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
00:0e:1e:f1:f1:84 0e:fc:00:02:01:00 Po 10(Eth 1/1/37) 14:18:77:20:80:ce Eth 1/1/42 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 1002 FSB4# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
● Before you disable the F_Port and NPG features, delete the mode-specific configurations. When you disable FSB, the system automatically removes the configurations.
● If you connect a storage device (target) to the IOM Fibrechannel port and if the port is operationally UP, then the storage device will induce a port flap until you configure the FC DirectAttach uplink (vfabric) configuration on this port.
4. Apply the vFabric configuration on the interface that connects to CNA 1.
OS10(config)# interface ethernet 1/1/50
OS10(conf-if-eth1/1/50)# vfabric 2
5. Enable DCBX globally.
OS10(config)# dcbx enable
6. Create a class map and policy map.
OS10(config)# class-map type network-qos cmap1
OS10(config-cmap-nqos)# match qos-group 3
OS10(config)# policy-map type network-qos pmap1
OS10(config-pmap-network-qos)# class cmap1
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7.
6. Create a class map and policy map.
OS10(config)# class-map type network-qos cmap1
OS10(config-cmap-nqos)# match qos-group 3
OS10(config)# policy-map type network-qos pmap1
OS10(config-pmap-network-qos)# class cmap1
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no flowcontrol receive
8. Enable PFC mode on the interface that connects to CNA 2.
System log messages are received when the system closes a session for rebalancing. The log message provides the Fabric ID, VLAN ID, FCoE MAC, and the reason for termination.

Load balancing after system reboot
After reboot, upstream FC connections to the end-devices become operational first and carry more sessions than the other upstream FC connections to SAN. This requires load balancing.
Create VLAN
OS10(config)# interface vlan 100
Create vFabric
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# vlan 100
OS10(conf-vfabric-100)# name NPG_Fabric
OS10(conf-vfabric-100)# fcoe fcmap 0efc01
OS10(conf-vfabric-100)# exit
Apply vFabric and FC port-mode configuration on the interface that connects to FC end point (HBA)
OS10(config)# interface range fibrechannel 1/1/9,1/1/10
OS10(conf-range-fc1/1/9,1/1/10)# vfabric 100
OS10(conf-range-fc1/1/9,1/1/10)# fc port-mode F
OS10(conf-range-fc1/1/9,1/1/10)# no
Apply vFabric configuration on the interface that connects to FCoE end points (CNA)
OS10(config)# interface range ethernet 1/1/54,1/1/55
OS10(conf-range-eth1/1/54,1/1/55)# vfabric 100
OS10(conf-range-eth1/1/54,1/1/55)# no shut
OS10(conf-range-eth1/1/54,1/1/55)# exit
Apply vFabric configuration on the FC upstream interfaces
OS10(config)# interface range fibrechannel 1/1/1,1/1/2
OS10(conf-range-fc1/1/1,1/1/2)# vfabric 100
OS10(conf-range-fc1/1/1,1/1/2)# no shut
OS10(conf-range-fc1/1/1,1/1/2)# exit
Apply FCoE
You can use manual rebalancing when you:

Add new FC uplink to a balanced system
Consider a topology with the following structure:
● NPG switch with two FC uplinks (fc 1/1/1 and fc 1/1/2) of the same speed (16G)
● Ports connecting to both FCoE and FC end points (eth 1/1/54, eth 1/1/55, fc 1/1/9 and fc 1/1/10)
All the end points (servers) are logged in to the storage through the NPG switch. One FLOGI session is associated with each server.
Receive Fabric Discovery Request (FDISC) from an end point
Consider the NPG switch with:
● two FC uplinks (fc 1/1/1 and fc 1/1/2) of different speeds (8 G and 16 G)
● two ports (eth 1/1/54, eth 1/1/55) connecting the FCoE end points
Each end point has one session that is associated with it. The NPG switch maps one session to each FC uplink to balance the system. Consider that the end point connected to eth 1/1/55 establishes four more Fabric Discovery Sessions (FDISC).
fc alias
Creates an FC alias. After creating the alias, add members to the FC alias. An FC alias can have a maximum of 255 unique members.
Syntax              fc alias alias-name
Parameters          alias-name — Enter a name for the FC alias.
Defaults            Not configured
Command Mode        CONFIGURATION
Usage Information   The no version of this command deletes the FC alias. To delete an FC alias, first remove it from the FC zone. Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0.
Usage Information   The no version of this command removes the FC zoneset. Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
Example
OS10(config)# fc zoneset set
OS10(conf-fc-zoneset-set)# member hba1
Supported Releases  10.3.1E or later

feature fc
Enables the F_Port globally.
Syntax              feature fc domain-id domain-id
Parameters          domain-id — Enter the domain ID of the F_Port, from 1 to 239.
member (zone)
Adds members to existing zones. Identify a member by an FC alias, a world wide name (WWN), or an FC ID.
Syntax              member {alias-name alias-name | wwn wwn-ID | fc-id fc-id}
Parameters
● alias-name — Enter the FC alias name.
● wwn-ID — Enter the WWN name.
● fc-id — Enter the FC ID name.
Defaults            Not configured
Command Mode        Zone CONFIGURATION
Usage Information   Supported on the MX9116n switch in Full Switch mode starting in release 10.4.0E(R3S).
Example
OS10# show fc alias
Alias Name    Alias Member
==============================================
test          21:00:00:24:ff:7b:f5:c9
              20:25:78:2b:cb:6f:65:57
OS10#
Supported Releases  10.3.1E or later

show fc interface-area-id mapping
Displays the FC ID to interface mapping details.
Registered with NameServer  Yes
Registered for SCN          No
Example (brief)
OS10# show fc ns switch brief
Total number of devices = 1
Intf#                      Domain  FC-ID     Enode-WWPN               Enode-WWNN
port-channel10(Eth 1/1/9)  4       04:00:00  10:00:00:90:fa:b8:22:18  20:00:00:90:fa:b8:22:18
Supported Releases  10.3.1E or later

show fc zone
Displays the FC zones and the zone members.
Syntax              show fc zone [zone-name]
Parameters          zone-name — Enter the FC zone name.
Command Mode        EXEC
Usage Information   None
Example
OS10# show fc zoneset
ZoneSetName  ZoneName  ZoneMember
=========================================================
set          hba1      21:00:00:24:ff:7b:f5:c8
                       10:00:00:90:fa:b8:22:19
                       21:00:00:24:ff:7f:ce:ee
                       21:00:00:24:ff:7f:ce:ef
             hba2      20:01:00:0e:1e:e8:e4:99
                       50:00:d3:10:00:ec:f9:1b
                       50:00:d3:10:00:ec:f9:05
                       50:00:d3:10:00:ec:f9:1f
                       20:35:78:2b:cb:6f:65:57
vFabric id: 100
Active Zoneset: set
ZoneName  ZoneMember
==============================================
hba2      20:01:
zone default-zone permit
Enables access between all logged-in FC nodes of the vfabric in the absence of an active zoneset configuration.
Syntax              zone default-zone permit
Parameters          None
Defaults            Not configured
Command Mode        Vfabric CONFIGURATION
Usage Information   A default zone advertises a maximum of 255 members in the registered state change notification (RSCN) message. The no version of this command disables access between the FC nodes in the absence of an active zoneset.
Usage Information   Configure the port mode when the port is in Shut mode and when NPG mode is enabled. The no version of this command returns the port mode to default.
Example
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# fc port-mode F
Supported Releases  10.4.1.0 or later

feature fc npg
Enables the NPG mode globally.
Po 10(Eth 1/1/9)  LOGGED_IN  20:01:d4:ae:52:1a:ee:54  1001  Fc 1/1/25  10
Supported Releases  10.4.0E(R1) or later

show npg uplink-interface
Displays information about an FC upstream interface.
Syntax              show npg uplink-interfaces [vfabric vfabric-id [fcf-info] | [fcf-info]]
Parameters
● fcf-info - FCF Availability Status, fabric name of the FC upstream switch connected, error reason, FCF advertisement delay timeout left and duplicate FC id assignment counter.
----------------------------------------------------------------------------
Fc 1/1/1   01:00:01  2          8       3      3      6      6
Fc 1/1/2   01:00:02  4          16      1      9      10     15
VFabric Id : 200
Uplink                          Speed
Intf       FC Id     BB Credit  (Gbps)  FLOGI  FDISC  Total  Redistributed
--------------------------------------------------------------------------------
Fc 1/1/11  01:00:0B  2          8       3      3      6      10
Fc 1/1/12  01:00:0C  4          16      1      0      1      1
VFabric Id : 300
Uplink                          Speed
Intf       FC Id     BB Credit  (Gbps)  FLOGI  FDISC  Total  Redistributed
--------------------------------------------------
clear fc statistics
Clears FC statistics for specified vfabric or fibre channel interface.
Syntax              clear fc statistics [vfabric vfabric-ID | interface fibrechannel]
Parameters
● vfabric-ID — Enter the vfabric ID.
● fibrechannel — Enter the fibre channel interface name.
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# clear fc statistics vfabric 100
OS10# clear fc statistics interface fibrechannel1/1/25
Supported Releases  10.4.1.
Parameters          timeout - Timeout range specified in seconds. Range is 1 to 30 seconds.
Default             Not configured
Command Mode        Global config
Usage Information   Time to wait after the last FCF connects to the NPG switch to send the Multicast discovery Advertisement. This command is supported in NPG mode.
Example
OS10(config)# fcoe delay fcf-adv 16
Supported Releases  10.4.0E(R1) or later
In previous releases, the command is not available in full switch mode.
Table 21. Fields and Descriptions (continued)
Example
Fields       Description
FLOGI        Number of Fabric Login Sessions in the FC uplink interface
FDISC        Number of Fabric Discovery Sessions in the FC uplink interface
Load         Total number of sessions (FLOGI and FDISC) in the FC uplink interface
Speed        Link speed of the FC uplink interface
Excess Load  Excess load is the absolute (Current load on the link - ((Minimum load per 8G speed in c state) * port-speed/8G)).
21:01:d4:ae:52:1a:ee:54  Fc 1/1/2  Fc 1/1/1  2
22:01:d4:ae:52:1a:ee:54  Fc 1/1/2  Fc 1/1/1  2
23:01:d4:ae:52:1a:ee:54  Fc 1/1/2  Fc 1/1/1  2
OS10#re-balance npg sessions vfabric 100
Fabric Id 100
State before Re-balancing
Uplink                          Speed   Excess
Intf       FLOGI  FDISC  Load   (Gbps)  Load
-----------------------------------------------------------------
Fc 1/1/1   1      9      10     8       7
Fc 1/1/2   3      3      6      16      0
-----------------------------------------------------------------
           4      12     16     24      7
------------------------------------------------------------
● Error reason—Reason for error in the FC uplink interface. Following are a few possible error reasons:
  1. FC Port Down
  2. No Response For FLOGI
  3. Duplicate FC ID
  4. FLOGI Rejected
  5. Vfabric Inactive
● Duplicate FC IDs—Number of duplicate address (FC ID) assignments that happened in the interface.
● FC ID—FC-ID allocated to the initial FLOGI request from NPG switch on the interface.
● BB Credit—Transmit Buffer to Buffer Credit.
● Speed—Link speed of the FC uplink interface.
FAD Timeout Left : 0 second(s)
FCF Availability Status : Yes
Uplink                                            Duplicate
Intf       Upstream Fabric-Name     Error Reason  FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/13  20:01:d4:ae:52:1a:ee:53  NONE          1
Fc 1/1/14  20:01:d4:ae:52:7d:aa:54  NONE          0
OS10#show npg uplink-interfaces vfabric 200 fcf-info
VFabric Id : 200
FAD Timeout Left : 10 second(s)
FCF Availability Status : No
Uplink                                            Duplicate
Intf       Upstream Fabric-Name     Error Reason  FC-Id(s)
--------------------------------------------
VFabric Id : 100
Node Intf   FLOGI  FDISC  Re-distributed
---------------------------------------------------
Fc 1/1/9    1      1      2
Fc 1/1/10   1      1      2
Eth 1/1/54  1      1      2
Eth 1/1/55  1      9      10
VFabric Id : 200
Node Intf   FLOGI  FDISC  Re-distributed
---------------------------------------------------
Fc 1/1/7    1      1      2
VFabric Id : 300
Node Intf   FLOGI  FDISC  Re-distributed
---------------------------------------------------
Eth 1/1/51  1      9      10
Supported Releases  10.4.0E(R1) or later

show fc statistics
Displays the FC statistics.
show fc switch
Displays FC switch parameters.
Syntax              show fc switch
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# show fc switch
Switch Mode : FPORT
Switch WWN : 10:00:14:18:77:20:8d:cf
Supported Releases  10.3.1E or later

show running-config vfabric
Displays the running configuration for the vfabric.
Fabric Type    FPORT
Fabric Id      10
VlanId         1001
FC-MAP         0EFC00
Config-State   ACTIVE
Oper-State     UP
==========================================
Switch Config Parameters
==========================================
Domain ID      4
==========================================
Switch Zoning Parameters
==========================================
Default Zone Mode: Deny
Active ZoneSet: zoneset5
=========================================
Members
fibrechannel1/1/25
port-channel10(Eth 1/1/9)
Supported Releases  10.3.
Example
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# vfabric 100
OS10(config)# interface ethernet 1/1/10
OS10(conf-if-eth1/1/10)# vfabric 200
Supported Releases  10.3.1E or later

vlan
Associates an existing VLAN ID to the vfabric to carry traffic.
Syntax              vlan vlan-ID
Parameters          vlan-ID — Enter an existing VLAN ID.
Defaults            Not configured
Command Mode        Vfabric CONFIGURATION
Usage Information   Create the VLAN ID before associating it to the vfabric.
Example
OS10(config)# feature fip-snooping
OS10(config)# feature fip-snooping with-cvl
Supported Releases  10.4.0E(R1) or later

fip-snooping enable
Enables FIP snooping on a specified VLAN.
Syntax              fip-snooping enable
Parameters          None
Defaults            Disabled
Command Mode        VLAN INTERFACE
Usage Information   Enable FIP snooping on a VLAN only after enabling the FIP snooping feature globally using the feature fip-snooping command. OS10 supports FIP snooping on a maximum of 12 VLANs.
Command Mode        INTERFACE
Usage Information   OS10 supports this configuration only on a switch running FSB mode, and on Ethernet and port-channel interfaces. You cannot configure FIP snooping port mode on a port channel member. Use this command to change the port mode. By default, the port mode of an interface is set to ENode. Configure the port mode only after you enable FIP snooping. Before you disable FIP snooping, reset the port mode to its default value, ENode.
Command Mode        EXEC
Usage Information   If you do not specify the interface interface-type information, the command clears the statistics for all the interfaces and VLANs.
Example
OS10# clear fcoe statistics interface ethernet 1/1/1
OS10# clear fcoe statistics interface port-channel 5
Supported Releases  10.4.0E(R1) or later

fcoe delay fcf-adv
Delays the Multicast Discovery Advertisement from FCFs to be sent to Enodes.
Parameters          max-session-number — Enter the maximum number of sessions to be allowed, from 1 to 64.
Defaults            32
Command Mode        CONFIGURATION
Usage Information   The no version of this command resets the number of sessions to the default value.
Example
Supported Releases
NOTE: This command is not available in the fabric mode of MX9116N-ON. So in MX9116N-ON, the number of FCoE sessions is always 32.
Supported Releases  10.4.0E(R3) or later

re-balance fc npg sessions vfabric
Re-balances the FC sessions across FC uplinks.
Syntax              re-balance fc npg sessions vfabric vfabric-id [dry-run][brief]
Parameters          None
Defaults            Not configured
Command Mode        EXEC
Usage Information   Triggers the load-balancing mechanism to redistribute the sessions across the FC uplinks.
Uplink                          Speed   Excess
Intf       FLOGI  FDISC  Load   (Gbps)  Load
-------------------------------------------------------------------
Fc 1/1/1   3      3      6      8       1
Fc 1/1/2   1      9      10     16      0
-------------------------------------------------------------------
           4      12     16     24      1
-------------------------------------------------------------------
OS10#re-balance npg sessions vfabric 100 dry-run brief
Fabric Id 100
Session Displacements:
Total No. of Node(s) : 4
No.
Parameters          enode-mac-address — (Optional) Enter the MAC address of ENode. This option displays details pertaining to the specified ENode.
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# show fcoe enode
Enode MAC          Enode Interface   VLAN  FCFs  Sessions
-----------------  ----------------  ----  ----  --------
d4:ae:52:1b:e3:cd  Po 20(Eth 1/1/3)  1001  1     1
Supported Releases  10.4.0E(R1) or later

show fcoe fcf
Displays details of the FCFs connected to the switch.
54:7f:ee:37:34:40 ~ 0 200 0e:fc:01 4000
Supported Releases  10.4.0E(R1) or later

show fcoe pinned-port
Displays the port-channel, the corresponding pinned-port configuration, and the port status if the FCoE sessions are formed.
Syntax              show fcoe pinned-port [port-channel port-channel-id]
Parameters          port-channel-id—Enter the port-channel ID to display the corresponding configuration.
show fcoe statistics
Displays the statistical details of the FCoE control plane.
Syntax              show fcoe statistics [interface interface-type]
Parameters          interface-type — (Optional) Enter the type of interface. This option displays statistics of the specified interface.
show fcoe vlan
Displays details of FIP-snooping VLANs.
Syntax              show fcoe vlan
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# show fcoe vlan
* = Default VLAN
VLAN  FC-MAP    FCFs  Enodes  Sessions
----  ------    ----  ------  --------
*1
100   0X0EFC00  1     2       17
Supported Releases  10.4.
12 Layer 2

802.1X
Verifies device credentials before sending or receiving packets using the Extensible Authentication Protocol (EAP), see 802.1X Commands.

Link Aggregation Control Protocol (LACP)
Exchanges information between two systems and automatically establishes a link aggregation group (LAG) between the systems, see LACP Commands.
NOTE: OS10 supports only RADIUS as the back-end authentication server.

The authentication process contains three devices:
● Supplicant — The device attempting to access the network performs the role of supplicant. Regular traffic from this device does not reach the network until the port associated to the device is authorized. Before that, the supplicant can only exchange 802.1x messages (EAPOL frames) with the authenticator.
6. If the identity information the supplicant provides is valid, the authentication server sends an Access Accept frame that specifies the network privileges. The authenticator changes the port state to authorize and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.

EAP over RADIUS
802.
Enable 802.1X
1. Enable 802.1X globally in CONFIGURATION mode.
dot1x system-auth-control
2. Enter an interface or a range of interfaces in CONFIGURATION mode.
interface range
3. Enable 802.1X on the supplicant interface only in INTERFACE mode.
dot1x port-control auto

Configure and verify 802.
Identity retransmissions
If the authenticator sends a Request Identity frame but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. There are several reasons why the supplicant might fail to respond—the supplicant may be booting when the request arrives, there may be a physical layer problem, and so on.
1.
The Request Identity Retransmit interval is for an unresponsive supplicant. You can configure the interval for a maximum of 10 times for an unresponsive supplicant.
1. Configure the amount of time that the authenticator waits to retransmit a Request Identity frame after a failed authentication in INTERFACE mode from 1 to 65535, default 60 seconds.
● Place a port in the auto, force-authorized (default), or force-unauthorized state in INTERFACE mode.
dot1x port-control {auto | force-authorized | force-unauthorized}

Configure and verify force-authorized state
OS10(conf-range-eth1/1/7-1/1/8)# dot1x port-control force-authorized
OS10(conf-range-eth1/1/7-1/1/8)# do show dot1x interface ethernet 1/1/7
802.
Tx Period:           120 seconds
Quiet Period:        120 seconds
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         5
Host Mode:           MULTI_HOST
Auth PAE State:      Initialize
Backend State:       Initialize

View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
Command Mode        INTERFACE
Usage Information   The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x host-mode multi-host
Supported Releases  10.2.0E or later

dot1x max-req
Changes the maximum number of requests that the device sends to a supplicant before restarting 802.1X authentication.
Syntax              dot1x max-req retry-count
Parameters          max-req retry-count — Enter the retry count for the request sent to the supplicant before restarting 802.
Parameters          None
Default             Disabled
Command Mode        INTERFACE
Usage Information   The no version of this command disables the periodic reauthentication of 802.1X supplicants.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x re-authentication
Supported Releases  10.2.0E or later

dot1x timeout quiet-period
Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
Parameters          server-timeout seconds — Enter the number of seconds for the 802.1X server timeout, from 1 to 65535.
Default             30 seconds
Command Mode        INTERFACE
Usage Information   The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x server-timeout 60
Supported Releases  10.2.
show dot1x
Displays global 802.1X configuration information.
Syntax              show dot1x
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# show dot1x
PAE Capability:       Authenticator only
Protocol Version:     2
System Auth Control:  Enable
Auth Server:          Radius
Supported Releases  10.2.0E or later

show dot1x interface
Displays 802.1X configuration information.
Supported Releases  10.2.0E or later

RADIUS server commands

radius-server host
Configures a RADIUS server and the key used to authenticate the switch on the server.
Syntax              radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the RADIUS server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● key 0 authentication-key — Enter the radsec shared key in plain text.
● key 9 authentication-key — Enter the radsec shared key in encrypted format.
● authentication-key — Enter the radsec shared key in plain text. It is not necessary to enter 0 before the key.
Default             TCP port 2083 on a RADIUS server for RADIUS over TLS communication
Command Mode        CONFIGURATION
Usage Information   For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch.
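The 802.1X port-control states, the re-authentication default, the plain-text and encrypted RADIUS key forms, and the zone default-zone permit command described in this guide can be checked together in a saved configuration. The following Python audit is an added example, not Dell code: the stanza layout of the sample (top-level commands, indented sub-commands, `!` separators), the sample configuration itself, the function names, and the finding labels are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """
dot1x system-auth-control
radius-server host 192.0.2.10 key 0 ExampleSharedSecret
radius-server host 192.0.2.11 key 9 EXAMPLE-ENCRYPTED-VALUE
!
interface ethernet1/1/7
 no shutdown
 dot1x port-control auto
 dot1x re-authentication
!
interface ethernet1/1/8
 no shutdown
 dot1x port-control auto
!
interface ethernet1/1/9
 no shutdown
!
interface ethernet1/1/10
 shutdown
!
vfabric 100
 vlan 100
 fcoe fcmap 0efc01
 zone default-zone permit
"""

# Syntax from the guide: key {0 key | 9 key | key}; only "9" is encrypted.
RADIUS_RE = re.compile(r"^radius-server host (\S+)\s+key\s+(?:([09])\s+)?(\S+)")


def parse_stanzas(text):
    """Return [(header, [sub-commands])]; indented lines belong to the
    preceding top-level line, '!' and blank lines are separators."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line.strip(), [])
            stanzas.append(current)
    return stanzas


def audit(text):
    """Return a list of (finding, location) tuples. Keys are never echoed."""
    stanzas = parse_stanzas(text)
    headers = [h for h, _ in stanzas]
    dot1x_global = "dot1x system-auth-control" in headers
    has_radius = any(h.startswith("radius-server host ") for h in headers)
    findings, dot1x_ports = [], 0
    for header, body in stanzas:
        m = RADIUS_RE.match(header)
        if m and m.group(2) != "9":
            findings.append(("RADIUS_KEY_PLAINTEXT", m.group(1)))
        if header.startswith("vfabric ") and "zone default-zone permit" in body:
            # All logged-in FC nodes reach each other when no zoneset is active.
            findings.append(("DEFAULT_ZONE_PERMIT", header))
        if header.startswith("interface ethernet"):
            port = header.split(None, 1)[1]
            modes = [c.split()[-1] for c in body
                     if c.startswith("dot1x port-control ")]
            # force-authorized is the default state per the guide.
            mode = modes[-1] if modes else "force-authorized"
            if mode == "auto":
                dot1x_ports += 1
                if "dot1x re-authentication" not in body:
                    findings.append(("NO_REAUTH", port))
            elif mode == "force-authorized" and "shutdown" not in body:
                findings.append(("PORT_FORCE_AUTHORIZED", port))
    if dot1x_ports and not dot1x_global:
        findings.append(("DOT1X_NOT_GLOBAL", "global"))
    if dot1x_ports and not has_radius:
        # OS10 supports only RADIUS as the back-end authentication server.
        findings.append(("NO_RADIUS_SERVER", "global"))
    return findings


if __name__ == "__main__":
    for finding, where in audit(SAMPLE_CONFIG):
        print(f"{finding:24} {where}")
```

PORT_FORCE_AUTHORIZED is a review item rather than a defect: uplinks and switch-to-switch ports are normally left in that state, while access ports facing end devices are the ones to check.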
Command Mode        CONFIGURATION
Usage Information   Use this command to globally configure the number of retransmit attempts allowed for authentication requests on RADIUS servers. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command resets the value to the default.
Example
OS10(config)# radius-server retransmit 5
Supported Releases  10.2.
Far-end failure detection
Far-End Failure Detection (FEFD) is a protocol that detects remote data link errors in a network. FEFD uses a link layer echo protocol to detect and signal far-end failures over Ethernet and optical links. When you enable FEFD, switches periodically exchange FEFD echo frames to identify link failures.
● In the unknown state, the interface starts transmitting link state information at a regular interval. The interface state changes to bi-directional when a handshake is complete with the peer.
● When an interface is in bi-directional state, if it does not receive an echo from its peer for the time interval of three times the configured FEFD message interval, the interface state changes to unknown in Normal mode. In Aggressive mode, the interface state changes to err-disabled.
1. Do one of the following:
● Configure FEFD Normal mode globally using the fefd-global command in CONFIGURATION mode.
OS10(Config)# fefd-global
● Configure FEFD Normal mode globally using the fefd-global mode normal command in CONFIGURATION mode.
OS10(Config)# fefd-global mode normal
● Configure FEFD Aggressive mode globally using the fefd-global mode aggressive command in CONFIGURATION mode.
OS10(Config)# fefd-global mode aggressive
2.
Display FEFD information
To view FEFD information:
● To view FEFD information globally, use the show fefd command in EXEC mode.
● To view FEFD information for an interface, use the show fefd interface command in EXEC mode.
The following is a sample output of FEFD global information:
OS10# show fefd
FEFD is globally 'ON', interval is 15 seconds, mode is Normal.
● interval—Enter the keyword and enter the FEFD interval in seconds to configure the interval between FEFD control packets on an interface. The range is from 3 to 255. The default value is 15 seconds.
● disable—Enter the keyword to disable FEFD on a specific interface when you configure FEFD globally.
Default             Not configured
Command Mode        INTERFACE
Usage Information   The fefd command without any arguments enables the normal mode with the default FEFD interval of 15 seconds.
Example
OS10(config)# fefd-global
OS10(config)# fefd-global mode aggressive
OS10(config)# fefd mode interval 10
Supported Releases  10.4.3.0 or later

fefd reset
Resets interfaces that are in error-disabled state because FEFD is set to Aggressive mode.
Syntax              fefd reset [interface]
Parameters
● (Optional) interface—Enter the interface name to reset the error-disabled state of the interface because FEFD is set to Aggressive mode.
Field  Description
● Unknown—Shown when FEFD is enabled and changes to bi-directional after successful handshake with the peer. Also shown if the peer goes down in normal mode.
● Locally disabled—Interface contains the fefd reset command in its configuration.
● Admin Shutdown—Interface is disabled using the shutdown command.
● Line protocol is down—The state on the remote device when an interface of the local device is disabled with the shutdown command.
  ○ If a physical interface is a part of a static LAG, the channel-group id mode {active | passive} command is rejected on that interface.
  ○ If a physical interface is a part of a dynamic LAG, the channel-group id command is rejected on that interface.
● You cannot add static and dynamic members to the same LAG.
● There is a difference between the shutdown and no interface port-channel commands:
  ○ The shutdown command on LAG xyz disables the LAG and retains the user commands.
2. Enter INTERFACE mode.
interface ethernet node/slot/port[:subport]
3. Set the channel group mode to Active in INTERFACE mode.
Sample configuration This sample topology is based on two routers—Alpha and Bravo.
Oper: State BDEGIKNO Key 1 Priority 32768
Partner Admin: State BCEGIKNP Key 0 Priority 0
Oper: State BDEGIKNO Key 1 Priority 32768
Port ethernet1/1/31 is Enabled, LACP is enabled and mode is lacp
Actor Admin: State BCFHJKNO Key 1 Priority 32768
Oper: State BDEGIKNO Key 1 Priority 32768
Partner Admin: State BCEGIKNP Key 0 Priority 0
Oper: State BDEGIKNO Key 1 Priority 32768

Bravo verify LAG port configuration
OS10# show interface ethernet 1/1/29
Ethernet 1/1/1 is up, line protocol is up
Port is part of Port-
73342977260 over 255-byte pkts, 146685062757 over 511-byte pkts, 1.08008362381e+11 over 1023-byte pkts
226014744592 Multicasts, 1748572 Broadcasts, 138885003719 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output statistics:
296360281011 packets, 226358952945618 octets
3524494 64-byte pkts, 82594679 over 64-byte pkts, 29792079210 over 127-byte pkts
59581169090 over 255-byte pkts, 119160073632 over 511-byte pkts, 8.
System Identifier=32768,14:18:77:16:87:68
Port Identifier=32768,1176
Operational key=51
LACP_Activity=active
LACP_Timeout=Long Timeout(30s)
Synchronization=IN_SYNC
Collecting=true
Distributing=true
Partner information refresh timeout=Long Timeout(90s)
Actor Admin State=ADEHJLMP
Actor Oper State=ADEGIKNP
Neighbor: 33
MAC Address=f0:ce:10:f0:ce:10
System Identifier=4096,f0:ce:10:f0:ce:10
Port Identifier=32768,33
Operational key=51
LACP_Activity=active
LACP_Timeout=Long Timeout(30s)
Synchronization=IN_SYNC
Col
● After the LACP fallback election, if a port with lower priority is configured to be part of the same port channel, it triggers reelection.

Configure LACP fallback
1. Enable LACP fallback with the lacp fallback enable command in port channel INTERFACE mode.
2. Set a timer for receiving LACP PDUs using lacp fallback timeout timer-value in port channel INTERFACE mode.
3.
1. The ToR/server boots.
2. The switch detects the link that is up and checks fallback enabled status. If fallback is enabled, the device waits for the timeout period for any LACP BPDUs. If there are no LACP BPDUs received within the time period, then the LAG enters into fallback mode and adds the first operationally UP port to the port channel instead of placing it in an inactive state.
3. Now the ToR/server has one port up and active. The active port sends packets to the DHCP/PXE server.
4.
LACP commands

channel-group
Assigns and configures a physical interface to a port channel group.
Syntax              channel-group number mode {active | on | passive}
Parameters
● number — Enter the port channel group number (1 to 128). The maximum number of port channels is 128.
● mode — Enter the interface port channel mode.
● active — Enter to enable the LACP interface. The interface is in the Active Negotiating state when the port starts negotiations with other ports by sending LACP packets.
lacp fallback enable
Enables LACP fallback mode.
Syntax              lacp fallback enable
Parameters          None
Default             Disabled
Command Mode        Port-channel INTERFACE
Usage Information   The no version of this command disables LACP fallback mode.
Example
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# lacp fallback enable
Supported Releases  10.3.2E(R3) or later

lacp fallback preemption
Enables or disables LACP fallback port preemption.
lacp fallback timeout
Configures LACP fallback time-out period.
Syntax              lacp fallback timeout timer-value
Parameters          timer-value—Enter the timer values in seconds, ranging from 0 to 100 seconds.
Default             15 seconds
Command Mode        Port-channel INTERFACE
Usage Information   The no version of this command returns the timer to default value.
Example
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# lacp fallback timeout 20
Supported Releases  10.3.
lacp rate
Sets the rate at which LACP sends control packets.
Syntax              lacp rate {fast | normal}
Parameters
● fast — Enter the fast rate of 1 second.
● normal — Enter the default rate of 30 seconds.
Default             30 seconds
Command Mode        INTERFACE
Usage Information   Change the LACP timer rate to modify the duration of the LACP timeout. The no version of this command resets the rate to the default value.
Example
OS10(conf-range-eth1/1/7-1/1/8)# lacp rate fast
Supported Releases  10.2.
ethernet1/1/5:1 ethernet1/1/6:1 ethernet1/1/7:1 ethernet1/1/8:1 ethernet1/1/9:1 ethernet1/1/10:1 ethernet1/1/11:1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 7950 7950 7950 7950 7967 7967 7948 7948 7948 7948 7961 7961 0 0 0 0 0 0
Supported Releases  10.2.0E or later

show lacp interface
Displays information about specific LACP interfaces.
Syntax              show lacp interface ethernet node/slot/port
Parameters          node/slot/port — Enter the interface information.
Supported Releases  10.2.0E or later

show lacp neighbor
Displays information about LACP neighbors.
Syntax              show lacp neighbor [interface port-channel channel-number]
Parameters
● interface port channel — (Optional) Enter the interface port-channel.
● channel-number — (Optional) Enter the port channel number for the LACP neighbor (1 to 128).
Default             Not configured
Command Mode        EXEC
Usage Information   If you do not enter the channel-number parameter, all channel groups display.
Actor Admin: State BCFHJKNO Key 1 Priority 32768
Oper: State BDEGIKNO Key 1 Priority 32768
Partner Admin: State BCEGIKNP Key 0 Priority 0
Oper: State BDEGIKMO Key 1 Priority 32768
Supported Releases  10.2.0E or later

show lacp system-identifier
Displays the LACP system identifier for a device.
LLDPDUs include mandatory and optional TLVs. Each LLDPDU starts with three mandatory TLVs, followed by zero or more optional TLVs, and ends with an End of LLDPDU TLV.

Mandatory TLVs
OS10 supports the three mandatory TLVs. These mandatory TLVs are at the beginning of the LLDPDU in the following order:
● Chassis ID TLV
● Port ID TLV
● Time-to-live TLV

Table 24. Mandatory TLVs
Mandatory TLVs  Type  Description
Chassis ID      1     Identifies the chassis.
Port ID         2     Identifies a port through which the LAN device transmits LLDPDUs.
NOTE: The maximum size of the LLDPDUs supported on the transmission side is 1500 bytes. If the size of the TLVs that are transmitted exceeds 1500 bytes when adding one optional TLV of a particular type, the complete optional TLVs of that type are removed and only the optional TLVs that fit the maximum supported size are allowed.

Basic TLVs
Table 25. Basic TLVs
TLV               Type  Description
Port description  4     User-defined alphanumeric string that describes the port (port ID or interface description).
Table 27. 802.3 organizationally-specific TLVs (Type – 127, OUI – 00-12-0F) (continued)
TLV                 Subtype  Description
                             ● Whether the current settings are due to auto-negotiation or manual configuration.
Power through MDI   2        Not supported.
Maximum frame size  4        Maximum frame size capability of the MAC and PHY.

Table 28. Service tag TLV (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV          Subtype  Description
Service tag  21       Indicates the service tag that is associated with the device.

Table 29.
Table 30. iDRAC organizationally specific TLVs; Subtypes used in iDRAC custom TLVs (Type – 127, OUI – 0xF8-0xB1-0x56) (continued)
TLV | Subtype | Description
IOM service tag | 9 | Service tag ID of the IOM device. (Applicable only to blade servers.)
IOM model name | 10 | Model name of the IOM device. (Applicable only to blade servers.)
IOM slot label | 11 | Slot label of the IOM device. For example, A1, B1, A2, and B2 (applicable only to blade servers).
IOM port number | 12 | Port number of the NIC.
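The TLV layout in the tables above (mandatory TLVs of types 1 to 3 first, organizationally specific TLVs of type 127 identified by OUI and subtype) can be checked against a captured LLDPDU to see exactly what a port advertises. The following Python example is added here and is not part of the OS10 documentation or software; the sample frame is constructed, and decoding the Dell-specific values as ASCII text is an assumption.

```python
"""Decode an LLDPDU (the bytes after EtherType 0x88cc) and list what it advertises."""
import struct

OUI_DOT3 = bytes.fromhex("00120f")   # 802.3 organizationally specific TLVs
OUI_DELL = bytes.fromhex("f8b156")   # service tag and iDRAC custom TLVs
MAX_LLDPDU = 1500                    # transmit-side maximum stated in this guide

TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID",
             3: "Time-to-live", 4: "Port description"}
ORG_NAMES = {
    (OUI_DOT3, 2): "Power through MDI",
    (OUI_DOT3, 4): "Maximum frame size",
    (OUI_DELL, 21): "Service tag",
    (OUI_DELL, 9): "IOM service tag",
    (OUI_DELL, 10): "IOM model name",
    (OUI_DELL, 11): "IOM slot label",
    (OUI_DELL, 12): "IOM port number",
}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Return [(type, value_bytes), ...] up to and including the End TLV."""
    tlvs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % offset)
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(payload):
            raise ValueError("TLV type %d overruns the LLDPDU" % tlv_type)
        tlvs.append((tlv_type, payload[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            return tlvs              # bytes after End of LLDPDU are padding
    raise ValueError("missing End of LLDPDU TLV")


def decode(tlv_type, value):
    """Return (name, readable value) for one TLV."""
    if tlv_type in (1, 2) and value:
        subtype, ident = value[0], value[1:]
        if tlv_type == 1 and subtype == 4:       # chassis ID subtype: MAC address
            return TLV_NAMES[1], ":".join("%02x" % b for b in ident)
        return TLV_NAMES[tlv_type], ident.decode("ascii", "replace")
    if tlv_type == 3 and len(value) == 2:
        return TLV_NAMES[3], struct.unpack("!H", value)[0]
    if tlv_type == 127 and len(value) >= 4:
        oui, subtype, data = value[:3], value[3], value[4:]
        name = ORG_NAMES.get((oui, subtype), "org %s/%d" % (oui.hex(), subtype))
        if (oui, subtype) == (OUI_DOT3, 4) and len(data) == 2:
            return name, struct.unpack("!H", data)[0]
        return name, data.decode("ascii", "replace")   # assumption: text value
    return TLV_NAMES.get(tlv_type, "type %d" % tlv_type), value.decode("ascii", "replace")


def audit_lldpdu(payload):
    """Check size and mandatory TLV order, then list every advertised item."""
    errors, advertised = [], {}
    if len(payload) > MAX_LLDPDU:
        errors.append("LLDPDU exceeds %d bytes" % MAX_LLDPDU)
    tlvs = parse_lldpdu(payload)
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        errors.append("mandatory TLVs missing or out of order")
    for tlv_type, value in tlvs:
        if tlv_type != 0:
            name, text = decode(tlv_type, value)
            advertised[name] = text
    return {"errors": errors, "advertised": advertised}


# Constructed sample frame; the values are illustrative only.
SAMPLE = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("3417ebf205c4")),      # chassis ID, MAC subtype
    tlv(2, b"\x05" + b"ethernet1/1/1"),                   # port ID, interface name
    tlv(3, struct.pack("!H", 120)),                       # TTL in seconds
    tlv(4, b"uplink to core"),                            # port description
    tlv(127, OUI_DOT3 + b"\x04" + struct.pack("!H", 1532)),
    tlv(127, OUI_DELL + bytes([21]) + b"B8D1XC2"),        # service tag
    tlv(0, b""),
])

if __name__ == "__main__":
    report = audit_lldpdu(SAMPLE)
    for name, text in report["advertised"].items():
        print("%-20s %s" % (name, text))
    print("errors:", report["errors"])
```

Running the audit against frames captured on user-facing ports shows which identifiers, such as the service tag, leave the switch before you decide which TLVs to disable there.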
Disable and reenable LLDP
By default, LLDP is enabled globally, on each physical interface, and on the management port. You can disable LLDP globally and on an interface. If you disable LLDP globally, LLDP is disabled on all interfaces irrespective of whether LLDP was previously enabled or disabled on an interface. When you enable LLDP globally, the interface-level LLDP configuration takes precedence over the global LLDP configuration.
Disable LLDP
● Disable LLDP globally in CONFIGURATION mode.
Enter the time delay in seconds in CONFIGURATION mode.
lldp reinit seconds
Set the multiplier value for the hold time
Configure the multiplier value for the hold time. The system uses the multiplier value to calculate the TTL value for the LLDP advertisements. The default holdtime-multiplier value is 4. Enter the multiplier value for the hold time in CONFIGURATION mode.
2. Enable dot3 TLVs to transmit and receive LLDP packets in INTERFACE mode. lldp tlv-select dot3tlv {macphy-config | max-framesize} 3. Enable dot1 TLVs to transmit and receive LLDP packets in INTERFACE mode. lldp tlv-select dot1tlv {port-vlan-id | link-aggregation | vlan-name} Advertise VLAN Name TLVs You can configure the system to advertise the names of VLANs in LLDPDUs. Configure the VLAN names before you configure the system to advertise VLAN names. By default, this feature is disabled.
Specify names for VLANs from 1 to 10 and configure ethernet 1/1/1 interface to transmit the names of nine VLANs. The interface is not explicitly configured to transmit the name of the default VLAN which is VLAN 1.
Network Policy LLDP MED Device Type: Network connectivity

The following example shows that the name of VLAN 3 is deleted:
OS10(conf-if-eth1/1/1)# no lldp vlan-name-tlv allowed vlan 3

The following output shows that the interface deletes VLAN 3 and starts sending the name of VLAN 9:
OS10# show lldp interface ethernet 1/1/1 local-device
Device ID: 34:17:eb:f2:05:c4
Port ID: ethernet1/1/1
System Name: OS10
Capabilities: Router, Bridge, Repeater
System description: Dell EMC Networking OS10 Enterprise.
Enable LLDP TLVs OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# lldp tlv-select basic-tlv system-name system-description OS10(conf-if-eth1/1/2)# lldp tlv-select dot1tlv port-vlan-id Disable and enable LLDP TLVs on management ports By default, management ports advertise all LLDP TLVs except VLAN name TLV. You can disable the LLDP TLV advertisement on management ports using the following commands: ● Disable LLDP TLVs in INTERFACE mode.
When enabled in INTERFACE mode, the configuration applies to the specific interface and the system advertises the elected IP address in the management address TLV. OS10(config)#lldp management-addr-tlv ipv4 virtual-ip OS10(config-if-eth1/1/6)#lldp management-addr-tlv ipv4 virtual-ip OS10(config-if-eth1/1/6)#lldp management-addr-tlv ipv6 virtual-ip Example: Advertise TLVs configuration The following configuration example describes how to configure the system to advertise LLDP TLVs.
● View the LLDP traffic details.
View LLDP neighbors detail OS10# show lldp neighbors interface ethernet 1/1/1 detail Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 00:13:21:57:ca:40 Remote Port Subtype: Interface name (5) Remote Port ID: ethernet1/1/10 Remote Port Description: Ethernet port 1 Local Port ID: ethernet1/1/1 Locally assigned remote Neighbor Index: 3 Remote TTL: 120 Information valid for next 105 seconds Time since last information change of this neighbor: 00:00:15 Remote System Name: LLDP-pkt-gen Remote Managem
LLDP-MED
Network connectivity devices and endpoint devices exchange LLDP-MED TLVs for interoperability and store advertised information. OS10 supports the following LLDP-MED TLVs:
● LLDP-MED capabilities
● Network policy
● Inventory management
● Location identification
● Extended power via MDI
NOTE: LLDP-MED is designed for but not limited to VoIP endpoints.
Table 32.
Table 33. LLDP-MED capabilities TLV (continued)
Bit position | TLV
2 | Location ID
3 | Extended power over MDI-PSE
4 | Extended power over MDI-PD
5 | Inventory
6-15 | Reserved

Table 34. LLDP-MED device types
Bit position | Device type
0 | Not defined
1 | Endpoint Class 1
2 | Endpoint Class 2
3 | Endpoint Class 3
4 | Network connectivity
5-255 | Reserved

LLDP-MED network policies TLVs
A network policy in the context of LLDP-MED is a VLAN configuration of a device and associated L2 and L3 configurations.
Table 35. LLDP-MED Network policies TLVs (continued)
Type | Application | Description
and other appliances supporting interactive voice services.
4 | Guest voice signaling | Used only if guest voice control packets use a separate network policy than voice data.
5 | SoftPhone voice | Used for softphone applications on a device such as a personal computer or laptop. This class does not support multiple VLANs and if required, uses an untagged VLAN or a single tagged data-specific VLAN.
Configure LLDP-MED network policy on an interface OS10(config)# lldp med network-policy 1 app voice-signaling vlan 10 vlan-type tag priority 2 dscp 1 OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# lldp med network-policy add 1 Network policy advertisement LLDP-MED is enabled on all interfaces by default. Configure OS10 to advertise LLDP-MED TLVs from configured interfaces. Define LLDP-MED network policies before applying the policies to an interface.
Supported Releases 10.2.0E or later

clear lldp table
Clears LLDP neighbor information for all interfaces.
Syntax clear lldp table
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Neighbor information clears on all interfaces.
Example OS10# clear lldp table
Supported Releases 10.2.0E or later

lldp enable
Enables or disables LLDP globally.
lldp med fast-start-repeat-count
Configures the number of packets that are sent during the activation of the fast start mechanism.
Syntax lldp med fast-start-repeat-count number
Parameters number — Enter the number of packets sent during the activation of the fast start mechanism, from 1 to 10.
Default 3
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# lldp med fast-start-repeat-count 5
Supported Releases 10.2.
○ video-conferencing — Voice conference network-policy application
○ video-signaling — Video signaling network-policy application
● vlan vlan-id — Enter the VLAN number for the selected application, from 1 to 4093.
● vlan-type — Enter the type of VLAN the application uses.
● tag — Enter a tagged VLAN number.
● untag — Enter an untagged VLAN number.
● priority priority — Enter the user priority set for the application.
● dscp dscp value — Enter the DSCP value set for the application.
Supported Releases 10.2.0E or later lldp port-description-tlv advertise Specifies whether to advertise the interface description or the port id in the port description TLV. Syntax lldp port-description-tlv advertise [description | port-id] Parameters ● description — Advertise interface description. ● port-id — Advertise port id. Default Interface description is advertised.
Usage Information The no version of this command resets the value to the default.
Example OS10(config)# lldp reinit 5
Supported Releases 10.2.0E or later

lldp timer
Configures the rate in seconds at which LLDP packets are sent to the peers.
Syntax lldp timer seconds
Parameters seconds — Enter the LLDP timer rate in seconds, from 5 to 254.
Default 30 seconds
Command Mode CONFIGURATION
Usage Information The no version of this command sets the LLDP timer back to its default value.
Parameters ● ipv4 — Select ipv4 for the VLT peers to send the virtual IPv4 address in the management TLV. ● ipv6 — Select ipv6 for the VLT peers to send the virtual IPv6 address in the management TLV. Default Disabled Command Mode ● CONFIGURATION ● INTERFACE Usage Information When enabled in CONFIGURATION mode, the system advertises the elected IP address in the management address TLV of all the interfaces.
Default Enabled
Command Mode INTERFACE
Usage Information The no version of this command disables TLV transmission.
Example OS10(conf-if-eth1/1/3)# lldp tlv-select dot3tlv macphy-config
Supported Releases 10.2.0E or later

lldp transmit
Enables the transmission of LLDP packets on a specific interface.
show lldp interface
Displays the LLDP information that is advertised from a specific interface.
Syntax show lldp interface ethernet node/slot/port[:subport] [local-device | med]
Parameters
● ethernet node/slot/port[:subport] — Enter the Ethernet interface information.
● local-device — Enter the interface to view the local-device information.
● med — Enter the interface to view the MED information.
Supported Releases 10.2.0E or later

show lldp errors
Displays the LLDP errors that are related to memory allocation failures, queue overflows, and table overflows.
Syntax show lldp errors
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show lldp errors
Total Memory Allocation Failures: 0
Total Input Queue Overflows: 0
Total Table Overflows: 0
Supported Release 10.2.
ethernet1/1/22 | Yes | Yes | No | No | No
ethernet1/1/23 | Yes | Yes | No | No | No
ethernet1/1/24 | Yes | Yes | No | No | No
ethernet1/1/25 | Yes | Yes | No | No | No
ethernet1/1/26 | Yes | Yes | No | No | No
ethernet1/1/27 | Yes | Yes | No | No | No
ethernet1/1/28 | Yes | Yes | No | No | No
ethernet1/1/29 | Yes | Yes | No | No | No
ethernet1/1/30 | Yes | Yes | No | No | No
ethernet1/1/31 | Yes | Yes | No | No | No
ethernet1/1/32 | Yes | Yes | No | No | No
Supported Releases 10.2.
Originator: Switch
Service Tag: B8D1XC2
Product Base: base1
Product Serial Number: sn1
Product Part Number: pn1
Example (Interface)
OS10# show lldp neighbors interface ethernet 1/1/1
Loc PortID Rem Host Name Rem Port Id Rem Chassis Id
----------------------------------------------------------------------
ethernet1/1/1 OS10 ethernet1/1/2 4:17:eb:f7:06:c4
Supported Releases 10.2.0E or later

show lldp timers
Displays the LLDP hold time, delay time, and update frequency interval configuration information.
Supported Releases 10.2.0E or later show lldp traffic Displays LLDP traffic information including counters, packets that are transmitted and received, discarded packets, and unrecognized TLVs. Syntax show lldp traffic [interface ethernet node/slot/port[:subport]] Parameters interface ethernet node/slot/port[:subport] — (Optional) Enter the Ethernet interface information to view the LLDP traffic.
Example
OS10# show network-policy profile 10
Network Policy Profile 10
voice vlan 17 cos 4
Interface: none
Network Policy Profile 30
voice vlan 30 cos 5
Interface: none
Network Policy Profile 36
voice vlan 4 cos 3
Interface: ethernet 1/1/1,ethernet 1/1/3-5
Supported Releases 10.2.0E or later

Media Access Control
All Ethernet switching ports maintain media access control (MAC) address tables. Each physical device in your network contains a MAC address.
● View the contents of the MAC address table in EXEC mode.
show mac address-table {dynamic | static} [address mac-address | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel number}] [count [vlan vlan-id] [interface {type node/slot/port[:subport] | port-channel number}]
○ dynamic — (Optional) Displays dynamic MAC address table entry information.
○ static — (Optional) Displays static MAC address table entry information.
Parameters ● all — (Optional) Delete all MAC address table entries. ● address mac_addr — (Optional) Delete a configured MAC address from the address table in nn:nn:nn:nn:nn:nn format. ● vlan vlan-id — (Optional) Delete all entries based on the VLAN number from the address table, from 1 to 4093. ● interface — (Optional) Clear the interface type: ○ ethernet node/slot/port[:subport] — Delete the Ethernet interface configuration from the address table.
Command Mode CONFIGURATION Usage Information If you configure the switchport port-security command on an interface, you can configure MAC address learning limit, sticky MAC address, and control MAC move. The no version of this command resets the value to the default.
Example (Dynamic)
OS10# show mac address-table dynamic
VlanId Mac Address Type Interface
1 90:b1:1c:f4:a6:8f dynamic ethernet1/1/3
Example (Ethernet)
OS10# show mac address-table interface ethernet 1/1/3
VlanId Mac Address Type Interface
1 66:38:3a:62:31:3a dynamic ethernet1/1/3
Supported Releases 10.2.0E or later

Spanning-tree protocol
This section describes how spanning-tree features work and covers the different variants of STP.
Mode specific functionality Enable and disable STP Spanning Tree Protocol (STP) is enabled by default on the switches. You can disable the STP globally on the switch or at the interface level. Disabling spanning tree at an instance level causes all the port members of that instance to disable the spanning tree. This moves the port to the Forwarding / Blocking state based on the operational status of the ports. Use the spanning-tree disable command to disable the STP.
● The interface and all member ports are disabled in the hardware. ● When the port is added to the port channel that is in the Error Disable state, the new member port is disabled in the hardware. ● When the port is removed from the port channel that is in the Error Disable state, the system clears the Error_Disabled state on the physical port and enables it in the hardware. To clear the Error Disabled state: ● Use the shutdown command on the interface.
ethernet1/1/7 128.56 128.56 128 500 FWD 500 32769 90b1.1cf4.
View detect and recovery details
OS10# show errdisable detect
Error-Disable Cause Detect Status
-----------------------------------------------
bpduguard Enabled
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval: 300 seconds
Error-Disable Reason Recovery Status
---------------------------------------------------
bpduguard Enabled
Interface Errdisable Cause Recovery Time left (seconds)
---------------------------------------------------------------------
ethernet 1/1/1:1 bpduguard 273
ethernet 1
When the number of calls exceeds the configured threshold, MSTP ignores further (VLAN-list, port) based flush and starts the MAC flush timer. When the timer starts, the system blocks all further flush indications. When the timer expires for that specific instance, the system triggers instance-based flushing. The default MAC flush threshold value for MSTP is 5. Rapid-PVST Rapid-PVST allows (VLAN, port) based flush until the number of calls sent is equal to the MAC flush threshold value that is configured.
MST region name and revision
The configured name and revisions must be identical among all devices. If the region name is blank, a name was configured on one device and was not configured or was configured differently on another — spelling and capitalization count.
MST instances
Verify the VLAN-to-MST instance mapping using the show commands. If you see extra MST instances in the Sending or Received logs, an additional MST instance was configured on one router but not the others.
ethernet1/1/7 128.56 128.56 128 500 FWD 500 32769 90b1.1cf4.a625

Common STP commands
This section explains the common STP commands. Commands that are specific to an STP variant are explained in the individual sections under RSTP, MSTP, and Rapid-PVST. There are two sets of STP-related commands.
● STP commands that are common and can be used irrespective of the STP variant enabled on the device.
● STP commands that are specific to the particular STP variant.
errdisable detect cause bpduguard Configures the port to be shut down or moves the port to blocked state on detecting a BPDU guard violation. Syntax errdisable detect cause bpduguard Parameters None Default Enabled Command Mode CONFIGURATION Usage Information This command applies only to STP-enabled ports. The command takes effect only when the BPDU guard is configured on a port. When the detect cause option is enabled, the port is shut down whenever there is a BPDU guard violation.
Usage Information This command applies only to STP-enabled ports. The command takes effect only when the BPDU guard is configured on a port. The recovery timer value is applicable only for shutdown case. For blocking case, the default value of 300 seconds is used. The recovery timer starts whenever there is a BPDU guard violation. The no version of the command resets the timer to the default value.
Example OS10(config)# errdisable recovery interval 45
Supported Releases 10.4.2.
spanning-tree bpduguard Enables or disables the BPDU guard on an interface. Syntax spanning-tree bpduguard {enable | disable} Parameters ● enable — Enables the BPDU guard filter on an interface. ● disable — Disables the BPDU guard filter on an interface. Default Disabled Command Mode INTERFACE Usage Information BPDU guard prevents a port from receiving BPDUs. If the port receives a BPDU, it is placed in the ErrorDisabled state.
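BPDU guard is disabled by default, so ports that face end hosts are unprotected unless the command is applied to each of them. The following Python example is added here and is not part of OS10 or its documentation: it reads show running-configuration output, lists the Ethernet ports that are up, switched, and not trunks but lack spanning-tree bpduguard enable, and reports the violation action and recovery interval described above. The policy that every such port should have BPDU guard, the no form of errdisable detect cause bpduguard, and the sample configuration are assumptions made for the example.

```python
"""Audit an OS10 running configuration for ports that lack BPDU guard."""
import re

# Constructed sample in the layout that show running-configuration prints.
SAMPLE_CONFIG = """\
errdisable recovery interval 45
!
interface ethernet1/1/1
 no shutdown
 switchport access vlan 604
 spanning-tree bpduguard enable
!
interface ethernet1/1/2
 no shutdown
 switchport access vlan 604
!
interface ethernet1/1/3
 no shutdown
 switchport mode trunk
!
interface ethernet1/1/4
 shutdown
 switchport access vlan 1
!
interface ethernet1/1/5
 no shutdown
 no switchport
!
interface vlan604
 no shutdown
!
"""

ETHERNET = re.compile(r"ethernet\d+/\d+/\d+(:\d+)?")
DEFAULT_RECOVERY = 300   # seconds, the default stated in this guide


def parse_stanzas(config):
    """Split the text into global lines and {interface name: [stanza lines]}."""
    global_lines, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                       # "!" closes a stanza
        elif raw[0].isspace() and current is not None:
            stanzas[current].append(line)        # indented line inside a stanza
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, stanzas


def audit_bpduguard(config):
    """Return unguarded ports plus the global violation action and timer."""
    global_lines, stanzas = parse_stanzas(config)
    missing = []
    for name, lines in stanzas.items():
        if not ETHERNET.fullmatch(name):
            continue                             # VLAN, port-channel, and so on
        if "shutdown" in lines or "no switchport" in lines:
            continue                             # down or routed port
        if "switchport mode trunk" in lines:
            continue                             # assumed policy: trunks exempt
        if "spanning-tree bpduguard enable" not in lines:
            missing.append(name)

    # Detect cause is enabled by default: a violation shuts the port down.
    # With detection disabled the port moves to the blocked state instead.
    blocked = "no errdisable detect cause bpduguard" in global_lines
    interval = DEFAULT_RECOVERY
    if not blocked:                              # timer applies to shutdown only
        for line in global_lines:
            match = re.fullmatch(r"errdisable recovery interval (\d+)", line)
            if match:
                interval = int(match.group(1))
    return {
        "missing_bpduguard": missing,
        "violation_action": "blocked" if blocked else "shutdown",
        "recovery_interval": interval,
    }


if __name__ == "__main__":
    result = audit_bpduguard(SAMPLE_CONFIG)
    for port in result["missing_bpduguard"]:
        print("BPDU guard not enabled:", port)
    print("on violation:", result["violation_action"],
          "| recovery timer:", result["recovery_interval"], "seconds")
```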
Supported Releases 10.2.0E or later

spanning-tree link-type
Sets the spanning-tree link-type for faster convergence.
Syntax spanning-tree link-type {auto | point-to-point | shared}
Parameters
● auto — Enter the keyword to set the link-type based on the duplex setting of the interface.
● point-to-point — Specifies that the interface is a point-to-point or full-duplex link.
● shared — Specifies that the interface is a half-duplex medium.
Parameters
● rstp — Sets STP mode to RSTP.
Default Rapid-PVST
Command Mode CONFIGURATION
Usage Information All STP instances stop in the previous STP mode and restart in the new mode. You can also change to RSTP/MST mode.
Example OS10(config)# spanning-tree mode rstp
Supported Releases 10.2.0E or later

spanning-tree port
Sets the port type as the EdgePort.
----------------------------------------
bpduguard Enabled
MLL violation Enabled
MAC-move-violation Enabled
Interface Errdisable Cause Recovery Time Left (seconds)
--------------------------------------------------------------------------
ethernet1/1/1:1 bpduguard 30
ethernet1/1/1:2 bpduguard 1
ethernet1/1/10 bpduguard/mac-learning-limit/mac-move 10
port-channel100 Mac-learning-limit 50
port-channel128 mac-move 49
Supported Releases 10.4.2.
Each VLAN is assigned an incremental default bridge priority. For example, if VLAN 1 is assigned a bridge priority value of 32769, then VLAN 2 (if created) is assigned a bridge priority value of 32770; similarly, VLAN 10 (if created) is assigned a bridge priority value of 32778, and so on. All three instances have the same forwarding topology. NOTE: Z9332F-ON supports a total of 64 instances, of which 3 VLANs are used for internal purposes.
Load balance and root selection By default, all VLANs use the same forwarding topology — R2 is elected as the root and all 10G Ethernet ports have the same cost. Bridge priority can be modified for each VLAN to enable different forwarding topologies. To achieve Rapid-PVST load balancing, assign a different priority on each bridge. Enable Rapid-PVST By default, Rapid-PVST is enabled and creates an instance during VLAN creation.
ethernet1/1/27 128.216 128 500 BLK 0 32769 3417.ec37.1400 128.56 ethernet1/1/28 128.224 128 500 BLK 0 32769 3417.ec37.1400 128.64 Interface Name Role PortID Prio Cost Sts Cost Link-type Edge -------------------------------------------------------------------------------------------ethernet1/1/5 Altr 128.40 128 500 BLK 500 AUTO No ethernet1/1/6 Altr 128.48 128 500 BLK 500 AUTO No ethernet1/1/7 Desg 128.56 128 500 FWD 500 AUTO No ethernet1/1/8 Altr 128.64 128 500 BLK 500 AUTO No ethernet1/1/9 Altr 128.
ethernet1/1/5 ethernet1/1/6 Desg Desg 128.276 128.280 128 128 500 500 FWD FWD 0 0 AUTO AUTO No No View brief configuration OS10# show spanning-tree brief Spanning tree enabled protocol rapid-pvst with force-version rstp VLAN 1 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 4097, Address 90b1.1cf4.a523 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 4097, Address 90b1.1cf4.
spanning-tree vlan vlan-id root primary command ensures that the switch has the lowest bridge priority value by setting the predefined value of 24,576. If an alternate root bridge is required, use the spanning-tree vlan vlan-id root secondary command. The command sets the priority for the switch to the predefined value of 28,672. If the primary root bridge fails, the command ensures that the alternate switch becomes the root bridge.
View Rapid-PVST global parameters OS10# show spanning-tree active Spanning tree enabled protocol rapid-pvst with force-version rstp VLAN 1 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32769, Address 90b1.1cf4.a523 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32769, Address 90b1.1cf4.
Usage Information The media speed of a LAN interface determines the STP port path cost default value.
Example OS10(conf-if-eth1/1/4)# spanning-tree vlan 10 cost 1000
Supported Releases 10.2.0E or later

spanning-tree vlan disable
Disables spanning tree on a specified VLAN.
Syntax spanning-tree vlan vlan-id disable
Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
Usage Information Forces a bridge that supports Rapid-PVST to operate in an STP-compatible mode.
Example OS10(config)# spanning-tree rpvst force-version stp
Supported Releases 10.2.0E or later

spanning-tree vlan hello-time
Sets the time interval between generation and transmission of Rapid-PVST BPDUs.
Syntax spanning-tree vlan vlan-id hello-time seconds
Parameters
● vlan-id — Enter the VLAN ID number, from 1 to 4093.
● seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Parameters max-age seconds — Enter a maximum age value in seconds, from 6 to 40.
Default 20 seconds
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree vlan 10 max-age 10
Supported Releases 10.2.0E or later

spanning-tree vlan priority
Sets the priority value for Rapid-PVST.
Syntax spanning-tree vlan vlan-id priority priority value
Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
● root — Designate the bridge as the primary or secondary root.
● primary — Designate the bridge as the primary or root bridge.
● secondary — Designate the bridge as the secondary or secondary root bridge.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree vlan 1 root primary
Supported Releases 10.2.0E or later

spanning-tree rapid-pvst force-version
Configures a forced version of spanning-tree to transmit BPDUs.
● Re-enable RSTP globally for all L2 interfaces in CONFIGURATION mode. no spanning-tree disable Enable at interface ● Remove an interface from the RSTP topology in INTERFACE mode. spanning-tree disable ● Re-enable an interface in INTERFACE mode. no spanning-tree disable View all port participating in RSTP OS10# show spanning-tree Spanning tree enabled protocol rstp with force-version rstp Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 3417.4455.
ethernet1/1/18 128.328 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/19 128.332 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/20 128.336 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/21 128.340 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/22 128.344 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/23 128.348 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/24 128.352 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/25 128.356 128 200000000 BLK 0 0 0000.0000.0000 ethernet1/1/26 128.
View current global parameter values OS10# show spanning-tree active Spanning tree enabled protocol rstp with force-version rstp Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 90b1.1cf4.9b8a Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 90b1.1cf4.
Root bridge selection RSTP determines the root bridge. Assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. ● Assign a number as the bridge priority or designate it as the primary or secondary root bridge in CONFIGURATION mode. Configure the priority value range, from 0 to 65535 in multiples of 4096, default 32768. The lower the number assigned, the more likely the bridge becomes the root bridge.
Spanning tree enabled protocol rstp with force-version rstp Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 90b1.1cf4.9b8a Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 90b1.1cf4.9b8a We are the root Configured hello time 2, max age 20, forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------------------------------------------------------------------ethernet1/1/1 244.
spanning-tree rstp forward-time Configures a time interval for the interface to wait in the Blocking state or Learning state before moving to the Forwarding state. Syntax spanning-tree rstp forward-time seconds Parameters seconds — Enter the number of seconds an interface waits in the Blocking or Learning States before moving to the Forwarding state, from 4 to 30.
Supported Releases 10.4.0E(R1) or later

spanning-tree rstp max-age
Configures the time period the bridge maintains configuration information before refreshing the information by recomputing the RSTP topology.
Syntax spanning-tree rstp max-age seconds
Parameters seconds — Enter a maximum age value in seconds, from 6 to 40.
Default 20 seconds
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree rstp max-age 10
Supported Releases 10.2.
Configuring MST is a four-step process: 1. Enable MST, if the current running spanning-tree protocol (STP) version is not MST. 2. (Optional) Map the VLAN to different instances in such a way that the traffic is load balanced well and the link utilization is efficient. 3. Ensure the same region name is configured in all the bridges running MST. 4. (Optional) Configure the revision number. The revision number is the same on all the bridges.
1. Enter an instance number in CONFIGURATION mode.
spanning-tree mst configuration
2. Enter the MST instance number in MULTIPLE-SPANNING-TREE mode, from 0 to 63. For the Z9332F-ON platform, the MST instance number is from 0 to 61.
instance instance-number
3. Enter the VLAN and IDs to participate in the MST instance in MULTIPLE-SPANNING-TREE mode, from 1 to 4096.
ethernet1/1/4:4 128.35 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.35 ethernet1/1/5 128.40 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.40 ethernet1/1/6 128.48 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.48 ethernet1/1/7 128.56 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.56 ethernet1/1/8 128.64 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.64 ethernet1/1/9 128.72 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.72 ethernet1/1/10 128.80 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.80 ethernet1/1/11 128.
ethernet1/1/3 AUTO No ethernet1/1/4:1 AUTO No ethernet1/1/4:2 AUTO No ethernet1/1/4:3 AUTO No ethernet1/1/4:4 AUTO No ethernet1/1/5 AUTO No ethernet1/1/6 AUTO No ethernet1/1/7 AUTO No ethernet1/1/8 AUTO No ethernet1/1/9 AUTO No ethernet1/1/10 AUTO No ethernet1/1/11 AUTO No ethernet1/1/12 AUTO No ethernet1/1/13 AUTO No ethernet1/1/14 AUTO No ethernet1/1/15 AUTO No ethernet1/1/16 AUTO No ethernet1/1/17 AUTO No ethernet1/1/18 AUTO No ethernet1/1/19 AUTO No ethernet1/1/20 AUTO No ethernet1/1/21 AUTO No ethernet
You can set the priority value to 0 to force a switch to become the root switch. Value 0 is the highest priority. ● Assign a bridge priority number to a specific instance in CONFIGURATION mode, from 0 to 61440 in increments of 4096, default 32768.
1 2 100 200-300 Modify parameters The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MST bridges. Forward-time Time an interface waits in the Discarding state and Learning state before it transitions to the Forwarding state. Hello-time Interval in which the bridge sends MST BPDUs. Max-age Length of time the bridge maintains configuration information before it refreshes that information by recomputing the MST topology.
Interface parameters Adjust two interface parameters to increase or decrease the likelihood that a port becomes a forwarding port. Port cost Interface type value. The greater the port cost, the less likely the port is a forwarding port. Port priority Influences the likelihood that a port is selected as a forwarding port if several ports have the same port cost.
Supported Releases 10.2.0E or later name Assigns a name to the MST region. Syntax name region-name Parameters region-name — Enter a name for an MST region. A maximum of 32 characters. Default System MAC address Command Mode MULTIPLE-SPANNING-TREE Usage Information By default, the MST protocol assigns the system MAC address as the region name. Two MST devices within the same region must share the same region name, including matching case.
Usage Information MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability of it being the root bridge. A lower priority-value increases the probability of the bridge becoming a root bridge. The no version of this command resets the value to the default.
Example
OS10(config)# spanning-tree mst 0 priority 0
OS10(config)# spanning-tree mst 2 root primary
Supported Releases 10.2.
Supported Releases 10.2.0E or later

spanning-tree mst disable
Disables spanning tree on the specified MST instance.
Syntax spanning-tree mst instance-number disable
Parameters instance-number — Enter the instance number, from 0 to 63. For the Z9332F-ON platform, enter an MST instance value from 0 to 61.
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command enables spanning tree on the specified MST instance.
Supported Releases 10.2.0E or later spanning-tree mst hello-time Sets the time interval between generation and transmission of MSTP BPDUs. Syntax spanning-tree mst hello-time seconds Parameters seconds — Enter a hello-time interval value in seconds, from 1 to 10. Default 2 seconds Command Mode CONFIGURATION Usage Information Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports.
Example OS10(config)# spanning-tree mst max-age 10
Supported Releases 10.2.0E or later

spanning-tree mst max-hops
Configures the maximum hop count for a BPDU to travel before it is discarded.
Syntax spanning-tree mst max-hops number
Parameters number — Enter a maximum hop value, from 6 to 40.
Default 20
Command Mode CONFIGURATION
Usage Information A device receiving BPDUs waits until the max-hops value expires before discarding it.
Parameters
● instance-number — (Optional) Displays MST instance information, from 0 to 63. For the Z9332F-ON platform, enter an MST instance value from 0 to 61.
● brief — (Optional) Displays MST instance summary information.
● guard — (Optional) Displays which guard is enabled and the current port state.
● virtual-interface — (Optional) Displays MST information specific to VLT.
ethernet1/1/2 ethernet1/1/3 ethernet1/1/4 ethernet1/1/5 ethernet1/1/6 ethernet1/1/7 ethernet1/1/8 ...
NOTE: The IOM cluster running 10.5.x and 10.4.x does not work as expected when the untagged VLAN is not VLAN1 on the server ports. Use the show vlan command to verify that the interface is part of the default VLAN (VLAN 1).
Create VLAN
OS10(config)# interface vlan 108
Delete VLAN
OS10(config)# no interface vlan 108
View configured VLANs
OS10# show interface vlan
Vlan 1 is up, line protocol is up
Address is , Current address is
Interface index is 69208865
Internet address is not set
MTU 1532 bytes
LineSpeed auto
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout: 240
Last clearing of "show interface" counters
Queueing strategy: fifo
Time since last interface status change:
Vlan 200 is up, line protocol is up
Address is , Cur
Configure port in Access mode OS10(config)# interface ethernet 1/1/9 OS10(config-if-eth1/1/9)# switchport mode access OS10(config-if-eth1/1/9)# switchport access vlan 604 Show running configuration OS10# show running-configuration ... ! interface ethernet1/1/5 ... switchport access vlan 604 no shutdown ! interface vlan1 no shutdown ... Trunk mode A trunk port can be a member of multiple VLANs set up on an interface. A trunk port transmits traffic for all VLANs.
NOTE: Do not assign an IP address to the default VLAN (VLAN 1). However, the zero-touch deployment (ZTD) application requires this functionality. While ZTD is in progress, the system assigns an IP address to the default VLAN to establish connectivity. After ZTD is complete, the system removes the IP address that is assigned to the default VLAN. You can place VLANs and other logical interfaces in L3 mode to receive and send routed traffic. 1. Create a VLAN in CONFIGURATION mode, from 1 to 4093.
● View the VLAN status and configuration information in EXEC mode. show vlan ● View the VLAN interface configuration in EXEC mode. show interface vlan ● View the VLAN interface configuration for a specific VLAN ID in EXEC mode.
View interface configuration for specific VLAN OS10# show interface vlan 320 Vlan 320 is up, line protocol is up Address is , Current address is Interface index is 69209184 Internet address is not set MTU 1532 bytes LineSpeed auto Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 240 Last clearing of "show interface" counters Queueing strategy: fifo Time since last interface status change: VLAN Scaling When VLANs are created, traffic class is specified for each VLAN that maps the VLAN traffic to a spe
Usage Information ● To use special characters as a part of the description string, enclose the string in double quotes. ● To use a comma as a part of the description string, add a double backslash before the comma. Example OS10(config)# interface vlan 3 OS10(conf-if-vl-3)# description vlan3 Supported Releases 10.2.0E or later interface vlan Creates a VLAN interface. Syntax interface vlan vlan-id Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
Port monitoring Port monitoring monitors ingress or egress traffic of one port to another for analysis. A monitoring port (MG) or destination port is the port where the monitored traffic is sent for analysis. A monitored port (MD) or source port is the source interface that is monitored for traffic analysis. NOTE: This feature is not supported on the Z9332F-ON platform. The different types of port monitoring are: ● Local port monitoring—Port monitoring is done in the same switch.
Configure source and destination port, and traffic direction OS10(conf-mon-local-1)# source interface ethernet 1/1/7-1/1/8 rx OS10(conf-mon-local-1)# destination interface ethernet1/1/1 OS10(conf-mon-local-1)# no shut View configured monitoring sessions In the State field, true indicates that the port is enabled. In the Reason field, Is UP indicates that hardware resources are allocated. OS10# show monitor session all S.
● The member port of the reserved VLAN must have the MTU and IPMTU value as MAX+4 to hold the VLAN tag parameter. ● To associate with the source session, the reserved VLAN can have up to four member ports. ● To associate with the destination session, the reserved VLAN can have multiple member ports. ● The reserved VLAN cannot have untagged ports. Reserved L2 VLAN ● MAC address learning in the reserved VLAN is automatically disabled.
Create remote monitoring session OS10(config)# monitor session 10 type rpm-source OS10(conf-mon-rpm-source-10)# Configure source and destination port, and traffic direction OS10(conf-mon-rpm-source-10)# source interface vlan 10 rx OS10(conf-mon-rpm-source-10)# destination remote-vlan 100 OS10(conf-mon-rpm-source-10)# no shut View monitoring session OS10(conf-mon-rpm-source-10)# do show monitor session all S.
3. Configure source and destination IP addresses, and protocol type in MONITOR-SESSION mode. source-ip source ip-address destination-ip destination ip-address [gre-protocol protocol-value] 4. Configure TTL and DSCP values in MONITOR-SESSION mode. ip {ttl ttl-number | dscp dscp-number} 5. Enable the monitoring interface in MONITOR-SESSION mode.
4. Define access-list rules using seq, permit, and deny statements in CONFIG-ACL mode. ACL rules describe the traffic to monitor. seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [fragments] [threshold-in-msgs count] [capture session session-id] 5. Return to CONFIGURATION mode. exit 6. Apply the flow-based monitoring ACL to the monitored source port in CONFIGURATION mode. The access list name can have a maximum of 140 characters.
Table 36. RPM on VLT scenarios (continued) Scenario Recommendation no shutdown remote-span ! 2. Create an L2 ACL for the RPM VLAN - RPM session and attach it to VLTi LAG interface. ! mac access-list rpm seq 10 permit any any capture session 10 vlan 100 ! interface ethernet 1/1/1 no shutdown switchport access vlan 1 mac access-group rpm in ! 3. Create a flow-based RPM session on the peer VLT device to monitor the VLTi LAG interface as the source.
Table 36. RPM on VLT scenarios (continued) Scenario Recommendation intermediate devices. The packet analyzer connects to the ToR switch.
Scenario: Mirror a VLT LAG to any orphan port on the same VLT device. The packet analyzer connects to the local VLT device through the orphan port.
Recommendation: If the packet analyzer directly connects to the VLT peer where the source session is configured, use local port monitoring instead of RPM.
destination Sets the destination to which monitored traffic is sent. The monitoring session can be local or RPM. Syntax destination {interface interface-type | remote-vlan vlan-id} Parameters interface-type—Enter the interface type for a local monitoring session. ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information as the destination. ● port-channel id-number—Enter a port-channel number as the destination, from 1 to 128.
ip Configures the IP time-to-live (TTL) value and the differentiated services code point (DSCP) value for the ERPM traffic. Syntax ip {ttl ttl-number | dscp dscp-number} Parameters ● ttl-number—Enter the TTL value, from 1 to 255. ● dscp-number—Enter the DSCP value, from 0 to 63. Default ● TTL: 255 ● DSCP: 0 Command Mode MONITOR-SESSION (ERPM) Usage Information The no version of this command removes the configured TTL and DSCP values.
show monitor session Displays information about a monitoring session. Syntax show monitor session {session-id | all} Parameters ● session-id—Enter the session ID number, from 1 to 18. ● all—View all monitoring sessions. Default All Command Mode EXEC Usage Information In the State field, true indicates that the port is enabled.
Supported Releases 10.2.0E or later source Configures a source for port monitoring. The monitoring session can be: local, RPM, or ERPM. Syntax source interface interface-type {both | rx | tx} Parameters ● interface-type—Enter the interface type: ○ ethernet node/slot/port[:subport]—Enter the Ethernet interface information as the monitored source. ○ port-channel id-number—Enter the port-channel interface number as the monitored source, from 1 to 128.
Example OS10(config)# monitor session 10 OS10(conf-mon-erpm-source-10)# source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006 Supported Releases 10.4.
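The following added example (not part of the Dell EMC guide) audits a saved running configuration for two items this guide covers: an IP address left on the default VLAN, and enabled port-monitoring sessions that copy traffic to a destination nobody approved. The sample configuration, the `APPROVED` allow-list, the function names and the finding codes are constructed for illustration, and the parser assumes sub-commands are indented under their stanza header.

```python
import re

# Constructed sample, laid out like `show running-configuration` output
# (assumption: sub-commands are indented under their stanza header).
SAMPLE_CONFIG = """\
interface vlan1
 no shutdown
 ip address 192.0.2.1/24
!
monitor session 1
 destination interface ethernet1/1/1
 source interface ethernet1/1/7 rx
 source interface ethernet1/1/8 rx
 no shut
!
monitor session 10 type rpm-source
 destination remote-vlan 100
 source interface vlan10 rx
 no shut
!
monitor session 12 type erpm-source
 source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006
 source interface ethernet1/1/9 both
 no shut
!
"""

# Hypothetical allow-list: destinations where a packet analyzer is expected.
APPROVED = {"interface:ethernet1/1/1", "remote-vlan:100"}


def parse_stanzas(config_text):
    """Group the configuration into (header, [sub-commands]) stanzas."""
    stanzas = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def monitor_sessions(stanzas):
    """Inventory every mirroring session: type, sources, destination, state."""
    sessions = []
    for header, body in stanzas:
        m = re.match(r"monitor session (\d+)(?: type (\S+))?$", header)
        if not m:
            continue
        session = {"id": int(m.group(1)), "type": m.group(2) or "local",
                   "sources": [], "destination": None, "enabled": False}
        for line in body:
            src = re.match(r"source interface (.+) (both|rx|tx)$", line)
            dst = re.match(r"destination (interface|remote-vlan) (.+)$", line)
            erpm = re.match(r"source-ip \S+ destination-ip (\S+)", line)
            if src:
                session["sources"].append(
                    (src.group(1).replace(" ", ""), src.group(2)))
            elif dst:
                session["destination"] = (
                    f"{dst.group(1)}:{dst.group(2).replace(' ', '')}")
            elif erpm:
                session["destination"] = f"erpm:{erpm.group(1)}"
            elif line in ("no shut", "no shutdown"):
                session["enabled"] = True
        sessions.append(session)
    return sessions


def audit(config_text, approved_destinations):
    """Return (code, location, detail) findings for both checks."""
    findings = []
    stanzas = parse_stanzas(config_text)
    for header, body in stanzas:
        has_ip = any(line.startswith(("ip address", "ipv6 address"))
                     for line in body)
        if re.match(r"interface vlan ?1$", header) and has_ip:
            findings.append(("VLAN1-IP", header,
                             "IP address is set on the default VLAN"))
    for s in monitor_sessions(stanzas):
        where = f"monitor session {s['id']}"
        if not 1 <= s["id"] <= 18:  # session-id range given in this guide
            findings.append(("MON-ID", where, "session ID outside 1 to 18"))
        if s["enabled"] and s["destination"] not in approved_destinations:
            sources = ", ".join(f"{name} ({direction})"
                                for name, direction in s["sources"])
            findings.append(("MON-DEST", where,
                             f"{s['type']} session copies {sources} to "
                             f"unapproved destination {s['destination']}"))
    return findings


if __name__ == "__main__":
    for code, where, detail in audit(SAMPLE_CONFIG, APPROVED):
        print(f"{code:9} {where:20} {detail}")
```

Run it against the text captured from `show running-configuration` and keep the allow-list under change control, so that a new mirroring destination shows up as a finding.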
13 Layer 3 Bidirectional forwarding detection (BFD) Provides rapid failure detection in links with adjacent routers (see BFD commands). Border Gateway Protocol (BGP) Provides an external gateway protocol that transmits inter-domain routing information within and between autonomous systems (see BGP Commands). Equal Cost Multi-Path (ECMP) Provides next-hop packet forwarding to a single destination over multiple best paths (see ECMP Commands).
2. Add the management interface using the interface management command in VRF CONFIGURATION mode. Configure management VRF OS10(config)# ip vrf management OS10(conf-vrf)# interface management You can enable various services in both the management and default VRF instances. The services that are supported in the management and default VRF instances are: Table 37.
Configuration notes All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON: Before you assign the management port to the management VRF instance, you must remove all configured settings on the management port, including the IP address. Perform this action from the console. Removing the IP address disconnects all existing SSH and Telnet sessions on the switch.
Configure non-default VRF instances In addition to a management VRF instance and default VRF, OS10 also supports non-default VRF instances. You can create a maximum of 512 non-default VRF instances. While you can assign management interfaces only to the management VRF instance, you can assign any physical or logical interface – VLAN, port channel, or loopback, to a non-default VRF instance. When you create a new non-default VRF instance, OS10 does not assign any interface to it.
INTERFACE CONFIGURATION ip vrf forwarding vrf-test Before assigning an interface to a VRF instance, ensure that no IP address is configured on the interface. 3. Assign an IPv4 address to the interface. INTERFACE CONFIGURATION ip address 10.1.1.1/24 4. Assign an IPv6 address to the interface. INTERFACE CONFIGURATION ipv6 address 1::1/64 You can also auto configure an IPv6 address using the ipv6 address autoconfig command. Assign an interface back to the default VRF instance Table 38.
no ipv6 address 4. Assign the management interface back to the default VRF instance. CONFIGURATION VRF no interface management Deleting a non-default VRF instance Before deleting a non-default VRF instance, ensure all the dependencies and associations corresponding to that VRF instance are first deleted or disabled. The following procedure describes how to delete a non-default VRF instance: After deleting all dependencies, you can delete the non-default VRF instances that you have created.
Figure 7. Setup VRF Interfaces Router 1 ip vrf blue ! ip vrf orange ! ip vrf green ! interface ethernet 1/1/1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 128,192,256 flowcontrol receive off ! interface ethernet1/1/2 no shutdown no switchport ip vrf forwarding blue ip address 20.0.0.
no switchport ip vrf forwarding orange ip address 30.0.0.1/24 ! interface ethernet1/1/4 no shutdown no switchport ip vrf forwarding green ip address 40.0.0.1/24 ! interface vlan128 mode L3 no shutdown ip vrf forwarding blue ip address 1.0.0.1/24 ! interface vlan192 mode L3 no shutdown ip vrf forwarding orange ip address 2.0.0.1/24 ! ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.1/24 ! ip route vrf green 31.0.0.0/24 3.0.0.
ip vrf forwarding orange ip address 2.0.0.2/24 ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.2/24 ! ip route vrf green 30.0.0.0/24 3.0.0.
Router 2 show command output
OS10# show ip vrf
VRF-Name                Interfaces
blue                    Eth1/1/5
                        Vlan128
default                 Mgmt1/1/1
                        Vlan1,24-25,200
green                   Eth1/1/7
                        Vlan256
orange                  Eth1/1/6
                        Vlan192
OS10# show ip route vrf blue
Codes: C - connected
       S - static
       B - BGP, IN - internal BGP, EX - external BGP
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, * - candidate default,
       + - summary route, > - non-active route
Gateway of las
Static route leaking Route leaking enables routes that are configured in a default or non-default VRF instance to be made available to another VRF instance. You can leak routes from a source VRF instance to a destination VRF instance. The routes need to be leaked in both source and destination VRFs to achieve end-to-end traffic flow. If there are any connected routes in the same subnet as statically leaked routes, then the connected routes take precedence.
OS10(config)# do show ip route vrf VRF1 Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change --------------------------------------------------------------------------------------------------C 120
CONFIGURATION ip vrf destination-vrf-name ip route-import 1:1 The routes that you exported from the source VRF instance are now available in the destination VRF instance. Route leaking using route maps You can leak routes in one VRF instance to another VRF instance using route maps. To leak routes in one VRF instance using route maps: 1. Enter the VRF from which you want to leak routes using route targets. CONFIGURATION ip vrf source-vrf-name ip vrf VRF-A 2. Configure the IP prefix.
ip route-import route-target ip route-import 1:1 OS10(config)#interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ip vrf forwarding VRF1 OS10(conf-if-eth1/1/1)# ip address 120.0.0.1/24 OS10(config)#interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# ip vrf forwarding VRF2 OS10(conf-if-eth1/1/2)# ip address 140.0.0.1/24 OS10(config)#ip route vrf VRF1 160.0.0.0/24 120.0.0.
2. Configure loopback interfaces. Assign the loopback interfaces as source interfaces for the VRF. VTEP1(config)# interface loopback 2 VTEP1(conf-if-lo-2)# ip vrf forwarding GREEN VTEP1(conf-if-lo-2)# ip address 51.1.1.1/32 VTEP1(conf-if-lo-2)# exit VTEP1(config)# interface loopback 3 VTEP1(conf-if-lo-3)# ip vrf forwarding RED VTEP1(conf-if-lo-3)# ip address 52.1.1.
Example: Route leaking between VRFs with symmetric IRB routing With symmetric IRB routing, the virtual networks to which the hosts are connected might be disjoint or stretched virtual networks. A disjoint virtual network does not span across VTEPs whereas a stretched virtual network spans across VTEPs. In this example, the virtual networks are disjoint. ● VTEP1 has virtual network 10 configured in tenant VRF GREEN. ● VTEP2 has virtual network 20 configured in tenant VRF RED.
VTEP1(config)# ip vrf RED VTEP1(conf-vrf)# update-source-ip loopback 3 VTEP1(conf-vrf)# exit 3. Leak the client-connected networks to the tenant VRF to which the client is connected. VTEP1(config)# ip route vrf RED 10.1.1.0/24 interface virtual-network 10 VTEP1(config)# ip route vrf RED 51.1.1.2/32 interface loopback 2 4. Advertise the client network-leaked routes through EVPN type-5 routes to the server-connected VRF.
VRF commands interface management Adds a management interface to the management VRF instance. Syntax interface management Parameters None Default Not configured Command Mode VRF CONFIGURATION Usage Information The no version of this command removes the management interface from the management VRF instance. Example OS10(config)# ip vrf management OS10(conf-vrf)# interface management Supported Releases 10.4.
Command Mode CONFIGURATION Usage Information The no version of this command removes the domain name from the management or non-default VRF instance. Example OS10(config)# ip domain-name vrf management dell.com or OS10(config)# ip domain-name vrf blue dell.com Supported Releases 10.4.0E(R1) or later ip vrf Create a non-default VRF instance. Syntax ip vrf vrf-name Parameters ● vrf-name—Enter the name of the non-default VRF that you want to create.
ip host vrf Configures a hostname for the management VRF instance or a non-default VRF instance and maps the hostname to an IPv4 or IPv6 address. Syntax ip host vrf {management | vrf-name} hostname {IP-address | Ipv6-address} Parameters ● management—Enter the keyword management to configure a hostname for the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to configure a hostname for that VRF instance. ● hostname—Enter the hostname.
Command Mode CONFIGURATION Usage Information The no version of this command removes the name server from the management or non-default VRF instance. Example OS10(config)# ip name-server vrf management or OS10(config)# ip name-server vrf blue Supported Releases 10.4.0E(R1) or later ip route-import Imports an IPv4 route into a VRF instance from another VRF instance.
ipv6 route-import Imports an IPv6 route into a VRF instance from another VRF instance. Syntax [no] ipv6 route-import route-target Parameters ● route-target—Enter the route-target of the VRF instance. Default Not configured Command Mode VRF CONFIG Usage Information You can import IPv6 routes corresponding only to a non-default or a default VRF instance. You cannot import IPv6 routes that belong to a management VRF instance into another VRF instance.
Example OS10(config)# ip scp vrf management OS10(config)# ip scp vrf vrf-blue Supported Releases 10.4.0E(R1) or later ip sftp vrf Configures an SFTP client for the management or non-default VRF instance. Syntax ip sftp vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an SFTP client for a management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an SFTP client for that non-default VRF instance.
Command Mode CONFIGURATION Usage Information Enter the ip vrf management command only in non-transaction-based configuration mode. Do not use transaction-based mode. The no version of this command removes the management VRF instance configuration. Example OS10(config)# ip vrf management OS10(conf-vrf)# Supported Releases 10.4.0E(R1) or later show hosts vrf Displays the host table in the management or non-default VRF instance.
Example
OS10# show ip vrf
VRF-Name                Interfaces
default                 Mgmt1/1/1
                        Eth1/1/1-1/1/2
                        Vlan1
management
OS10# show ip vrf management
VRF-Name                Interfaces
management
Supported Releases 10.4.0E(R1) or later update-source-ip Configures a source IP interface for any leaked route in a VRF instance. Syntax update-source-ip interface interface-id To undo this configuration, use the no update-source-ip command. Parameters ● interface interface-id — Enter the loopback interface identifier.
Bidirectional forwarding detection (BFD) is not supported on the S5148F-ON switch. BFD session states To establish a BFD session between two routers, enable BFD on both sides of the link. BFD routers can operate in both active and passive roles. ● The active router starts the BFD session. Both routers can be active in the same session. ● The passive router does not start a session. It only responds to a request for session initialization from the active router.
BFD three-way handshake A BFD session requires a three-way handshake between neighboring routers. In the following example, the handshake assumes: ● One router is active, and the other router is passive. ● This is the first session established on this link. ● The default session state on both ports is Down. 1. The active system sends a steady stream of control packets to indicate that its session state is Down until the passive system responds.
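An added example, not from the Dell EMC guide: a small simulation of the handshake between an active and a passive peer, using the session state transitions defined in RFC 5880. The `Peer` class, the `simulate` function and the symmetric 200 ms interval with multiplier 3 are assumptions made for illustration; the run also shows that two passive peers never form a session and that a silent link is declared Down after multiplier x interval.

```python
from dataclasses import dataclass, field

DOWN, INIT, UP = "Down", "Init", "Up"


@dataclass
class Peer:
    name: str
    role: str                      # "active" or "passive"
    interval_ms: int = 200         # assumed identical on both peers
    multiplier: int = 3
    state: str = DOWN
    heard: bool = False            # has any control packet arrived yet?
    last_rx_ms: int = 0
    history: list = field(default_factory=list)  # (time, old, new, cause)

    def _move(self, new_state, now_ms, cause):
        if new_state != self.state:
            self.history.append((now_ms, self.state, new_state, cause))
            self.state = new_state

    def outgoing(self):
        """State to advertise this tick, or None if the peer stays silent."""
        if self.role == "active" or self.heard:
            return self.state
        return None  # a passive peer only answers, it never starts

    def receive(self, remote_state, now_ms):
        """Apply the RFC 5880 transition for a received control packet."""
        self.heard, self.last_rx_ms = True, now_ms
        if self.state == DOWN and remote_state == DOWN:
            self._move(INIT, now_ms, "rx Down")
        elif self.state == DOWN and remote_state == INIT:
            self._move(UP, now_ms, "rx Init")
        elif self.state == INIT and remote_state in (INIT, UP):
            self._move(UP, now_ms, "rx " + remote_state)
        elif self.state == UP and remote_state == DOWN:
            self._move(DOWN, now_ms, "rx Down")

    def expire(self, now_ms):
        """Detection timer: no packet for multiplier x interval means Down."""
        silent_for = now_ms - self.last_rx_ms
        if self.state != DOWN and silent_for >= self.interval_ms * self.multiplier:
            self._move(DOWN, now_ms, "detection timeout")


def simulate(role_a, role_b, duration_ms, link_fails_at_ms=None,
             interval_ms=200, multiplier=3):
    """Exchange one control packet per interval in each direction."""
    a = Peer("A", role_a, interval_ms, multiplier)
    b = Peer("B", role_b, interval_ms, multiplier)
    for now in range(0, duration_ms + 1, interval_ms):
        a.expire(now)
        b.expire(now)
        link_ok = link_fails_at_ms is None or now < link_fails_at_ms
        pkt_a, pkt_b = a.outgoing(), b.outgoing()  # sampled before delivery
        if link_ok:
            if pkt_a is not None:
                b.receive(pkt_a, now)
            if pkt_b is not None:
                a.receive(pkt_b, now)
    return a, b


if __name__ == "__main__":
    cases = [("active", "passive", None), ("passive", "passive", None),
             ("active", "passive", 1000)]
    for role_a, role_b, fail_at in cases:
        a, b = simulate(role_a, role_b, 2000, link_fails_at_ms=fail_at)
        print(f"{role_a}/{role_b} link_fails_at={fail_at}")
        for peer in (a, b):
            print(f"  {peer.name} ends {peer.state}: {peer.history}")
```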
NOTE: Dell EMC recommends that: ● For the S4100-ON series platform, you configure a BFD interval of 500 ms with multiplier of 3 or higher for multidimensional scaled configurations. ● For other series switches, you configure a BFD interval of 200 ms with a multiplier of 4 or higher for multidimensional scaled configurations. Configure BFD globally Before you configure BFD for static routing or a routing protocol, configure BFD globally on each router, including the global BFD session settings.
BFD for BGP In a BGP core network, BFD enables faster network reconvergence. BFD rapidly detects communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers. BFD for BGP is supported on physical, port-channel, and VLAN interfaces. BFD for BGP does not support the BGP multihop feature. Before configuring BFD for BGP, first configure BGP on the interconnecting routers. For more information, see Border Gateway Protocol.
OS10(conf-router-bgp-2)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (CoPP) framework to avoid BFD packet drops due to queue congestion. BFD notifies BGP of any failure conditions that it detects on the link.
Enter a BGP template with neighborhood name in ROUTER-BGP mode. Configure BFD sessions with all neighbors which inherit the template in ROUTER-TEMPLATE mode. For more information on how to use BGP templates, see Peer templates. The global BFD session parameters configured in Step 1 are used. template template-name bfd no shutdown 4. Verify the BFD for BGP configuration in EXEC mode.
Number of packets received from neighbor: 7138
Number of packets sent to neighbor: 7138
Verify BFD for BGP
OS10(config-router-bgp-101)# show ip bgp summary
BGP router identifier 30.1.1.2 local AS number 101
Global BFD is enabled
Neighbor    AS     MsgRcvd   MsgSent   Up/Down    State/Pfx
20.1.1.1    101    781       777       11:16:13   0
30.1.1.1    101    787       779       11:15:35   0
OS10(config-router-bgp-101)# show ip bgp neighbors
BGP neighbor is 20.1.1.1, remote AS 101, local AS 101 internal link
BGP version 4, remote router ID 30.1.1.
Enable BFD Globally To enable BFD globally: Enable BFD globally. bfd enable CONFIGURATION Mode Establishing BFD sessions with OSPFv2 neighbors You can establish BFD sessions with all OSPF neighbors at once. Alternatively, you can establish BFD sessions with OSPF neighbors corresponding to a single OSPF interface. To establish BFD sessions with OSPFv2 neighbors: 1. Enable BFD globally. bfd enable CONFIGURATION Mode 2. Enter ROUTER-OSPF mode. router ospf ospf-instance CONFIGURATION Mode 3.
6. Establish BFD session with OSPFv2 neighbors in a single OSPF interface in a non-default VRF instance. ip ospf bfd all-neighbors VRF CONFIGURATION Mode 7. Enter ROUTER-OSPF mode in a non-default VRF instance. router ospf ospf-instance vrf vrf-name 8. Establish BFD sessions with all OSPFv2 instances in a non-default VRF. bfd all-neighbors OS10# show running-configuration ospf ! interface vlan200 no shutdown ip vrf forwarding red ip address 20.1.1.1/24 ip ospf 200 area 0.0.0.
state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands: 1. Disable BFD sessions with all OSPF neighbors. no bfd all-neighbors ROUTER-OSPF Mode 2.
3. Associate a non-default VRF with the interface you have entered. ip vrf forwarding vrf1 INTERFACE CONFIGURATION Mode 4. Assign an IP address to the VRF. ip address ip-address VRF CONFIGURATION Mode 5. Attach the interface to an OSPF area. ipv6 ospf ospf-instance area area-address VRF CONFIGURATION Mode 6. Establish BFD session with OSPFv3 neighbors in a single OSPF interface in a non-default VRF instance. ipv6 ospf bfd all-neighbors VRF CONFIGURATION Mode 7.
To re-enable BFD that was disabled on the interface alone, use the following commands: ● no ipv6 ospf bfd all-neighbors ● ipv6 ospf bfd all-neighbors BFD for Static routes The static route BFD feature enables association of static routes with a BFD session to monitor the static route reachability. Depending on the status of the BFD session, the static routes are added to or deleted from the Routing Information Base (RIB).
These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command. ● Change the parameters for all static route sessions in CONFIGURATION mode. ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive] Enter the time interval for sending and receiving BFD control packets; from 50 to 1000.
NOTE: By default, OSPF uses the following BFD parameters for its neighbors: min_tx = 200 msec, min_rx = 200 msec, multiplier = 3, role = active. Enable BFD for specific static routes To enable BFD for specific static routes: ● Configure static routes on both local and remote routers. Configure the static routes so that the next-hop interfaces point to each other.
BFD commands bfd Enables BFD sessions with specified neighbors. Syntax bfd Parameters None Default Not configured Command Mode ROUTER-NEIGHBOR ROUTER-TEMPLATE Usage Information Example ● Use the bfd command to configure BFD sessions with a specified neighbor or neighbors which inherit a BGP template. Use the neighbor {ip-address | ipv6-address} command in ROUTER-BGP mode to specify the neighbor. Use the template template-name command in ROUTER-BGP mode to specify a BGP template.
The number of consecutive packets that must be received from a BFD peer before BFD considers it as down is 3. The BFD role is active. Command Mode ● ROUTER-BGP ● ROUTER-OSPF ● ROUTER-OSPFv3 Usage Information ● Use this command to configure BFD sessions between discovered neighbors. The BFD session parameters you configure override the global session parameters configured with the bfd interval command.
bfd interval Configures parameters for all BFD sessions on the switch. Syntax bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive} Parameters ● interval milliseconds — Enter the time interval for sending control packets to BFD peers; from 50 to 1000. Dell EMC recommends using more than 100 milliseconds. ● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 50 to 1000.
The BFD role is active Command Mode CONFIG-INTERFACE Usage Information ● This command can be used to enable or disable BFD for an interface associated with OSPFv2. Interface level BFD configuration takes precedence over the OSPF global level BFD configuration. If there is no BFD configuration present at the interface level, the global OSPF BFD configuration is inherited. Example (conf-if-eth1/1/1)#ip ospf bfd all-neighbors Supported releases 10.4.
Parameters ● vrf vrf-name — Enter vrf and then the name of the VRF to configure static route in that VRF. ● interval milliseconds — Enter the time interval for sending control packets to BFD peers; from 50 to 1000. Dell EMC recommends using more than 100 milliseconds. ● min_rx milliseconds — Enter the minimum waiting time for receiving control packets from BFD peers, from 50 to 1000. Dell EMC recommends using more than 100 milliseconds.
Example OS10(config)# ipv6 route bfd interval 250 min_rx 250 multiplier 4 role active Supported releases 10.4.2E or later show bfd neighbors Displays information about BFD neighbors from all interfaces using the default VRF. Syntax show bfd neighbors [active | detail | interface] Parameters ● detail — (Optional) View detailed information about BFD neighbors. ● active — (Optional) View information about the active BFD neighbors whose state is up.
Number of packets received from neighbor: 7138
Number of packets sent to neighbor: 7138
OS10#show bfd neighbors active
* - Active session role
----------------------------------------------------------------------------------
  LocalAddr     RemoteAddr    Interface          State  RxInt  TxInt  Mult  VR
---------------------------------------------------------------------------------
* 100.100.1.1   100.100.1.2   ethernet1/1/26:1   up     200    200    3     re
* 100.100.3.1   100.100.3.2   ethernet1/1/26:3   up     200    200    3     de
* 200.1.1.2 200.1.1.
BGPv4 supports classless interdomain routing (CIDR) with aggregate routes and AS paths. CIDR defines a network using a prefix consisting of an IP address and mask, resulting in efficient use of the IPv4 address space. Using aggregate routes reduces the size of routing tables. Path-vector routing BGP uses a path-vector protocol that maintains dynamically updated path information. Path information updates which return to the originating node are detected and discarded.
Established Keepalive messages are exchanged and, after successful receipt, the router is in the Established state. Keepalive messages continue to be sent at regular intervals. The keepalive timer establishes the state to verify connections. After the connection is established, the router sends and receives keepalive, update, and notification messages to and from its peer. Peer templates Peer templates allow BGP neighbors to inherit the same outbound policies.
1. Router B receives an advertisement from Router A through EBGP. Because the route is learned through EBGP, Router B advertises it to all its IBGP peers — Routers C and D. 2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D (an IBGP peer) and Router D has already learned it through IBGP from Router B. 3. Router D does not advertise the route to Router C because Router C is a nonclient peer.
Selection criteria Best path selection criteria for BGP attributes: 1. Prefer the path with the largest WEIGHT attribute, and prefer the path with the largest LOCAL_PREF attribute. 2. Prefer the path that is locally originated using the network command, redistribute command, or aggregate-address command. Routes originated using a network or redistribute command are preferred over routes that originate with the aggregate-address command. 3.
Multiexit discriminators If two autonomous systems connect in more than one place, use a multiexit discriminator (MED) to assign a preference to a preferred path. MED is one of the criteria used to determine the best path; other criteria may also impact selection. One AS assigns the MED a value. The other AS uses that value to decide the preferred path. Assume that the MED is the only attribute applied and there are two connections between AS 100 and AS 200. Each connection is a BGP session.
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed n - network S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network       Next Hop    Metric  LocPrf  Weight  Path
*>I 1.1.1.0/24    17.1.1.2    0       0       0       i
*>I 2.2.2.0/24    17.1.1.2    0       0       0       ?
*>I 3.3.3.0/24    17.1.1.2    0       0       0       e
AS path and next-hop The AS path is the AS list that all the prefixes that are listed in the update have passed through. The BGP speaker adds the local AS number when advertising to an EBGP neighbor.
More path support More path (Add-Path) reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker withdraws its path from its local routing information base (RIB) and recalculates a new best path. This situation requires both IGP and BGP convergence and is a lengthy process.
AS number migration You can transparently change the AS number of an entire BGP network. Changing the AS number ensures that the routes propagate throughout the network while migration is in progress. When migrating one AS to another and combining multiple AS, an EBGP network may lose its routing to an IBGP if the AS number changes. Migration is difficult as all IBGP and EBGP peers of the migrating network must be updated to maintain network reachability.
receives all route updates from all BGP peers that are graceful restart capable, the graceful restart is complete. BGP sessions become operational again. Configure Border Gateway Protocol BGP is disabled by default. To enable the BGP process and start to exchange information, assign an AS number and use commands in ROUTER-BGP mode to configure a BGP neighbor.
3. Add a remote AS in ROUTER-NEIGHBOR mode, from 1 to 65535 for 2-byte or 1 to 4294967295 for 4-byte. remote-as as-number 4. Enable the BGP neighbor in ROUTER-NEIGHBOR mode. no shutdown 5. (Optional) Add a description text for the neighbor in ROUTER-NEIGHBOR mode. description text To reset the configuration when you change the configuration of a BGP neighbor, use the clear ip bgp * command. To view the BGP status, use the show ip bgp summary command.
Capabilities received from neighbor for IPv4 Unicast:
MULTIPROTO_EXT(1)ROUTE_REFRESH(2)CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast:
MULTIPROTO_EXT(1)ROUTE_REFRESH(2)CISCO_ROUTE_REFRESH(128)
Prefixes accepted 3, Prefixes advertised 0
Connections established 3; dropped 2
Closed by neighbor sent 00:03:26 ago
Local host: 5.1.1.2, Local port: 43115
Foreign host: 5.1.1.
BGP over unnumbered interfaces
As BGP relies on TCP for connection between peers, the interface that connects to the peer requires a unique IP address. Assigning an IP address to every interface may exhaust the available pool of IP addresses and is error prone. Unnumbered interfaces are the interfaces without unique IP addresses. BGP unnumbered interfaces use the extended next hop encoding (ENHE) feature, which is defined by RFC 5549.
OS10(config-router-bgp-100)# neighbor interface ethernet 1/1/1
OS10(config-router-neighbor)# no shutdown

Example outputs for viewing unnumbered BGP interfaces
OS10# show ip bgp
BGP local RIB : Routes to be Added , Replaced , Withdrawn
BGP local router ID is 14.233.209.
If a BGP-v4 neighbor wants to carry IPv6 prefix information, it activates the IPv6 address-family. For a BGP-v6 neighbor to carry IPv4 prefix information, it activates the IPv4 address-family.
1. Enable support for the IPv6 unicast family in CONFIG-ROUTER-BGP mode.
address-family ipv6 unicast
2. Enable IPv6 unicast support on a BGP neighbor/template in CONFIG-ROUTER-BGP-AF mode.
OS10(config-router-bgp-100-vrf)# address-family ipv6 unicast
OS10(configure-router-bgpv6-vrf-af)# distance bgp 21 201 250

Peer templates
To configure multiple BGP neighbors at one time, create and populate a BGP peer template. An advantage of configuring peer templates is that members of a peer template inherit the configuration properties of the template and share the update policy. Always create a peer template and assign a name to it before adding members to the peer template.
To display the peer-group configuration assigned to a BGP neighbor, use the show ip bgp peer-group peer-groupname command. The show ip bgp neighbor command output does not display peer-group configurations.
View running configuration OS10# show running-configuration bgp ! router bgp 64601 bestpath as-path multipath-relax bestpath med missing-as-worst non-deterministic-med router-id 100.0.0.8 ! template leaf_v4 description peer_template_1_abcd ! address-family ipv4 unicast distribute-list leaf_v4_in in distribute-list leaf_v4_out out route-map set_aspath_prepend in ! neighbor 100.5.1.1 description leaf_connected_ebgp_neighbor bfd inherit template leaf_v4 remote-as 64802 no shutdown ! neighbor 100.6.1.
● For peers with an IP address:
inherit template template-name
● For peers with unnumbered interfaces:
inherit template template-name inherit-type {ebgp | ibgp}
8. Enable the neighbor in ROUTER-BGP mode.
neighbor ip-address
9. Enable the peer-group in ROUTER-NEIGHBOR mode.
no shutdown
A neighbor may keep its configuration after it is added to a peer group if the neighbor configuration is more specific than the peer group and if the neighbor configuration does not affect outgoing updates.
OS10(config-router-neighbor)# fall-over
OS10(config-router-neighbor)# no shutdown

Verify neighbor fall-over on neighbor
OS10(config-router-neighbor)# do show ip bgp neighbors 3.1.1.1
BGP neighbor is 3.1.1.1, remote AS 100, local AS 100 internal link
BGP version 4, remote router ID 3.3.3.
! remote-as 102

Configure password
You can enable message digest 5 (MD5) authentication with a password on the TCP connection between two BGP neighbors. Configure the same password on both BGP peers. When you configure MD5 authentication between two BGP peers, each segment of the TCP connection is verified and the MD5 digest is checked on every segment sent on the TCP connection. Configuring a password for a neighbor establishes a new connection.
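A configuration audit for the neighbor authentication described above, added here as an example (not Dell EMC code): it parses text laid out like show running-configuration bgp output and lists enabled neighbors that have no password line. The sample configuration and its placeholder hash are constructed, and treating a password line inside a template as inherited by the template's members is an assumption.

```python
import re

# Constructed sample in the layout of "show running-configuration bgp".
# The hash is a placeholder, not a real OS10 type-9 value.
SAMPLE_CONFIG = """\
!
router bgp 64601
 router-id 100.0.0.8
 !
 template leaf_v4
  description peer_template_1_abcd
  password 9 CONSTRUCTED-PLACEHOLDER-HASH
 !
 neighbor 100.5.1.1
  inherit template leaf_v4
  remote-as 64802
  no shutdown
 !
 neighbor 100.6.1.1
  remote-as 64802
  no shutdown
 !
 neighbor 11.1.1.2
  password 9 CONSTRUCTED-PLACEHOLDER-HASH
  remote-as 20
  no shutdown
 !
 neighbor 100.7.1.1
  remote-as 64803
"""


def parse_bgp_blocks(config_text):
    """Collect the commands configured under each template and neighbor."""
    blocks = {"template": {}, "neighbor": {}}
    current, current_indent = None, -1
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # separators carry no configuration
        indent = len(raw) - len(raw.lstrip())
        if current is not None and indent > current_indent:
            current.append(line)  # deeper indent: still inside the open block
            continue
        current = None
        header = re.match(r"(template|neighbor)\s+(\S.*)$", line)
        if header:
            current = blocks[header.group(1)].setdefault(header.group(2), [])
            current_indent = indent
    return blocks


def audit_md5(config_text):
    """Return, per neighbor, whether it is enabled and where its password comes from."""
    blocks = parse_bgp_blocks(config_text)
    template_has_pw = {name: any(c.startswith("password ") for c in cmds)
                       for name, cmds in blocks["template"].items()}
    findings = {}
    for peer, cmds in blocks["neighbor"].items():
        inherited = [c.split()[2] for c in cmds if c.startswith("inherit template ")]
        if any(c.startswith("password ") for c in cmds):
            source = "neighbor"
        elif any(template_has_pw.get(t, False) for t in inherited):
            source = "template"  # assumption: members inherit the template password
        else:
            source = None
        findings[peer] = {"enabled": "no shutdown" in cmds, "md5": source}
    return findings


def unauthenticated_peers(config_text):
    """Enabled neighbors with no MD5 password, directly or through a template."""
    return sorted(peer for peer, f in audit_md5(config_text).items()
                  if f["enabled"] and f["md5"] is None)


if __name__ == "__main__":
    for peer, finding in audit_md5(SAMPLE_CONFIG).items():
        print(peer, finding)
    print("enabled without MD5:", unauthenticated_peers(SAMPLE_CONFIG))
```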
password 9 01320afb39f49134882b0a9814fe6e8e228f616f60a35958844775314c00f0e5 remote-as 10 no shutdown Peer 2 in ROUTER-NEIGHBOR mode OS10# configure terminal OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# no switchport ip OS10(conf-if-eth1/1/5)# ip address 11.1.1.2/24 OS10(conf-if-eth1/1/5)# router bgp 20 OS10(config-router-bgp-20)# neighbor 11.1.1.
no shutdown ! address-family ipv6 unicast activate OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# show configuration ! interface ethernet1/1/1 ip address 3.1.1.3/24 no switchport no shutdown ipv6 address 3::3/64 OS10(conf-if-eth1/1/1)# shutdown OS10(conf-if-eth1/1/1)# do show ip bgp summary BGP router identifier 11.11.11.11 local AS number 300 Neighbor AS Down State/Pfx 3.1.1.
When a BGP neighbor connection with authentication rejects a passive peer-template, the system prevents another passive peer-template on the same subnet from connecting with the BGP neighbor. To work around this constraint, change the BGP configuration or change the order of the peer template configuration. You can restrict the number of passive sessions the neighbor accepts using the limit command. 1.
3. Return to ROUTER-BGP mode.
exit
4. Enter a template name to assign to the peer-groups in ROUTER-BGP mode. A maximum of 16 characters.
template template-name
5. Enter a local-as number for the peer in ROUTER-TEMPLATE mode.
local-as as-number [no-prepend]
6. Add a remote AS in ROUTER-TEMPLATE mode (1 to 65535 for 2 bytes, 1 to 4294967295 for 4 bytes).
remote-as as-number

Allow external routes from neighbor
OS10(config)# router bgp 10
OS10(conf-router-bgp-10)# neighbor 32.1.1.
dampening ! neighbor 17.1.1.
Additional paths
The add-path command is disabled by default.
1. Assign an AS number in CONFIGURATION mode.
router bgp as-number
2. Enter a neighbor and IP address (A.B.C.D) in ROUTER-BGP mode.
neighbor ip-address
3. Enter Address Family mode in ROUTER-NEIGHBOR mode.
address-family {[ipv4 | ipv6] [unicast]}
4. Allow the specified neighbor to send or receive multiple path advertisements in ROUTER-BGP mode.
2. Change the LOCAL_PREF value for routes meeting the criteria of this route map in ROUTE-MAP mode, then return to CONFIGURATION mode.
set local-preference value
exit
3. Enter ROUTER-BGP mode.
router bgp as-number
4. Enter the neighbor to apply the route map configuration in ROUTER-BGP mode.
neighbor {ip-address}
5. Apply the route map to the neighbor’s incoming or outgoing routes in ROUTER-BGP-NEIGHBOR-AF mode.
route-map map-name {in | out}
6.
3. Return to ROUTER-BGP mode.
exit
4. Assign a weight value to the peer-group in ROUTER-BGP mode.
template template-name
5. Set a weight value for the route in ROUTER-TEMPLATE mode.
weight weight

Modify weight attribute
OS10(config)# router bgp 10 OS10(config-router-bgp-10)# neighbor OS10(config-router-neighbor)# weight OS10(config-router-neighbor)# exit OS10(config-router-bgp-10)# template OS10(config-router-template)# weight 10.1.1.
5. Enter Address Family mode.
address-family {[ipv4 | ipv6] [unicast]}
6. Create a route-map, and assign a filtering criteria in ROUTER-BGP-TEMPLATE-AF mode.
route-map map-name {in | out}

Filter BGP route
OS10(config)# router bgp 102
OS10(conf-router-bgp-102)# neighbor 40.1.1.
Aggregate routes
OS10 provides multiple ways to aggregate routes in the BGP routing table. At least one route of the aggregate must be in the routing table for the configured aggregate route to become active. AS_SET includes AS_PATH and community information from the routes that are included in the aggregated route.
1. Assign an AS number in CONFIGURATION mode.
router bgp as-number
2. Enter Address Family mode in ROUTER-BGP mode.
address-family {[ipv4 | ipv6] [unicast]}
3.
OS10(conf-router-bgp-65501)# neighbor 1.1.1.2
OS10(conf-router-neighbor)# remote-as 65502
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-65501)# neighbor 2.1.1.2
OS10(conf-router-neighbor)# remote-as 65503
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-65501)# neighbor 3.1.1.
● ip-address [mask]— Enter the IP address and mask.
● filter-list as-path-name — Enter the name of an AS-PATH ACL.
● regexp regular-expression — Enter a regular expression to match on.
When you change the best path selection method, path selections for the existing paths remain unchanged until you reset it by using the clear ip bgp command in EXEC mode.
timers 120 200
no shutdown

Neighbor soft-reconfiguration
BGP soft-reconfiguration allows for fast route changes. Changing routing policies requires a reset of BGP sessions or the TCP connection, for the policies to take effect. Resets cause undue interruption to traffic due to the hard reset of the BGP cache, and the time it takes to reestablish the session. BGP soft-reconfiguration allows for policies to apply to a session without clearing the BGP session.
Redistribute iBGP route to OSPF
When you configure the system to redistribute BGP routes to OSPF, by default, the system redistributes only the eBGP routes. To redistribute iBGP routes to OSPF, configure a route-map and apply it to the redistribute command under the OSPF configuration.

Sample configuration
The following sample topology has two switches, Core 1 and Core 2, that are connected to each other and share routes using OSPF.
neighbor 10.10.9.1
remote-as 20
address-family ipv4 unicast
allowas-in 1

Configuration on Core 2
Core 2 has OSPF configured which forms neighbor adjacency with Core 1.
interface ethernet1/1/1
no shutdown
no switchport
ip address 10.10.30.3/24
ip router ospf 10 area 0.0.0.0
no shutdown
!
!
router ospf 10
router-id 3.3.3.3

Sample IPv6 configuration
The following sample topology has two switches, Core 1 and Core 2, that are connected to each other and share routes using OSPF.
activate
allowas-in 1

Configuration on Core 2
Core 2 has OSPF configured which forms neighbor adjacency with Core 1.
interface Ethernet 1/1/1
no switchport
ipv6 address 2035::2/64
ipv6 ospf 10 area 0.0.0.0
no shutdown
!
router ospfv3 10
router-id 3.3.3.3

Example - BGP in a VLT topology
The following spine-leaf VLT topology runs BGP for Layer 3 communication.
1. Configure a VLAN interface on which the BGP session has to be formed with VLT peers.
Spine1(config)# interface vlan101
Spine1(conf-if-vl-101)# ip address 10.0.1.1/29
Spine1(conf-if-vl-101)# mtu 9216
Spine1(conf-if-vl-101)# exit
2. Configure port channel interfaces between Spine and VLT peers. Add it as part of the created VLAN.
Leaf1(config)# interface ethernet1/1/1
Leaf1(conf-if-eth1/1/1)# channel-group 1 mode active
Leaf1(conf-if-eth1/1/1)# exit
4. Configure VLT port-channels with ToR 1 and ToR 2.
Leaf2(conf-if-vl-201)# mtu 9216
Leaf2(conf-if-vl-201)# exit
Leaf2(config)# interface vlan301
Leaf2(conf-if-vl-301)# ip address 10.0.3.2/29
Leaf2(conf-if-vl-301)# mtu 9216
Leaf2(conf-if-vl-301)# exit
3. Configure VLT port-channel with Spine 1.
ToR1(conf-if-vl-201)# mtu 9216
ToR1(conf-if-vl-201)# exit
2. Configure a port channel interface between ToR1 and VLT peers. Add it as part of the above created VLAN.
ToR2(conf-if-vl-2001)# ip address 172.16.2.1/24
ToR2(conf-if-vl-2001)# exit
ToR2(config)# interface ethernet1/1/3
ToR2(conf-if-eth1/1/3)# mtu 9216
ToR2(conf-if-eth1/1/3)# switchport mode trunk
ToR2(conf-if-eth1/1/3)# switchport trunk allowed vlan 3001
ToR2(conf-if-eth1/1/3)# exit
4. Configure the iBGP neighbor with VLT peers and advertise the host subnet.
ToR2(config)# router bgp 65201
ToR2(config-router-bgp-65201)# router-id 10.3.1.
1. Configure an IP address on leaf-facing interfaces.
2. Configure BGP neighbors. This example uses passive peering which simplifies neighbor configuration.
Spine2(config)# router bgp 65101
Spine2(config-router-bgp-65101)# router-id 10.0.0.2
Spine2(config-router-bgp-65101)# template passive_v4_pod1
Spine2(config-router-template)# remote-as 65201
Spine2(config-router-template)# listen 10.2.1.
2. Configure an IP address on ToR-facing interfaces.
Leaf2(config)# interface ethernet1/1/3
Leaf2(conf-if-eth1/1/1)# description Leaf2-ToR1
Leaf2(conf-if-eth1/1/1)# no switchport
Leaf2(conf-if-eth1/1/1)# mtu 9216
Leaf2(conf-if-eth1/1/1)# ip address 10.4.1.0/31
Leaf2(conf-if-eth1/1/1)# exit
3. Configure BGP neighbors.
Leaf2(config)# router bgp 65201
Leaf2(config-router-bgp-65201)# router-id 10.0.1.2
Leaf2(config-router-bgp-65201)# neighbor 10.1.1.
1. Configure an IP address on spine-facing interfaces. Leaf4(config)# interface Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(config)# interface Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# ethernet1/1/1 description Leaf4-Spine1 no switchport mtu 9216 ip address 10.1.2.
3. Configure BGP neighbors, and advertise the host subnet.
ToR1(config)# router bgp 65301
ToR1(config-router-bgp-65301)# router-id 10.0.2.1
ToR1(config-router-bgp-65301)# address-family ipv4 unicast
ToR1(configure-router-bgpv4-af)# network 172.16.1.0/24
ToR1(configure-router-bgpv4-af)# exit
ToR1(config-router-bgp-65301)# neighbor 10.3.1.0
ToR1(config-router-neighbor)# remote-as 65201
ToR1(config-router-neighbor)# no shutdown
ToR1(config-router-neighbor)# exit
ToR1(config-router-bgp-65301)# neighbor 10.4.1.
BGP commands

activate
Enables the neighbor or peer group to be the current address-family identifier (AFI).
Syntax activate
Parameters None
Default Not configured
Command Mode ROUTER-BGP-NEIGHBOR-AF
Usage Information This command exchanges IPv4 or IPv6 address family information with an IPv4, IPv6, and L2VPN neighbor. IPv4 unicast Address family is enabled by default. To activate IPv6 address family for IPv6 neighbor, use the activate command.
● ipv6 unicast — Enter an IPv6 unicast address family.
Default None
Command Mode ROUTER-BGP
Usage Information This command applies to all IPv4 or IPv6 peers belonging to the template or neighbors only. The no version of this command deletes the subsequent address-family configuration.
aggregate-address
Summarizes a range of prefixes to minimize the number of entries in the routing table.
Syntax aggregate-address address/mask [as-set] [summary-only] [advertise-map mapname] [attribute-map route-map-name] [suppress-map route-map-name]
Parameters
● address/mask — Enter the IP address and mask.
● as-set — (Optional) Generates AS set-path information.
● summary-only — (Optional) Filters more specific routes from updates.
always-compare-med
Compares MULTI_EXIT_DISC (MED) attributes in the paths that are received from different neighbors.
Syntax always-compare-med
Parameters None
Default Disabled
Command Mode ROUTER-BGP
Usage Information After you use this command, use the clear ip bgp * command to recompute the best path. The no version of this command resets the value to the default.
● multipath-relax — Enter to include prefixes received from different AS paths during multipath calculation.
Default Enabled
Command Mode ROUTER-BGP
Usage Information To enable load-balancing across different EBGP peers, configure the multipath-relax option. If you configure both the ignore and multipath-relax options simultaneously, a system-generated error message appears. The no version of this command disables configuration.
Usage Information If you do not receive the same router ID for multiple paths, select the path that you received first. If you received the same router ID for multiple paths, ignore the path information. The no version of this command resets the value to the default.
NOTE: To configure these settings for a nondefault VRF instance, first enter the ROUTER-CONFIGVRF sub mode using the following commands:
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2.
Parameters
● * — Enter to clear all BGP sessions.
● soft — (Optional) Enter to configure and activate policies without resetting the BGP TCP session — BGP soft reconfiguration.
● in — (Optional) Enter to activate only ingress (inbound) policies.
Default Not configured
Command Mode EXEC
Usage Information None
Example OS10# clear ip bgp *
Supported Releases 10.3.0E or later

clear ip bgp dampening
Clears the path information of the dampened and undampened prefixes.
Example (All Prefixes) OS10# clear ip bgp flap-statistics
Example (IPv4) OS10# clear ip bgp 1.1.15.4 flap-statistics
Example (Given Prefix) OS10# clear ip bgp flap-statistics 1.1.15.0/24
Supported Releases 10.3.0E or later

connection-retry-timer
Configures the timer to retry the connection to BGP neighbor or peer group.
Syntax connection-retry-timer retry-timer-value
Parameters retry-timer-value — Enter the time interval in seconds, ranging from 10 to 65535.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example (Identifier) OS10(conf-router-bgp-2)# confederation identifier 1
Example (Peers) OS10(conf-router-bgp-2)# confederation peers 2
Supported Releases 10.3.0E or later

client-to-client
Enables route reflection between clients in a cluster.
Syntax client-to-client {reflection}
Parameters reflection — Enter to enable reflection of routes allowed in a cluster.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example OS10(conf-router-bgp-10)# cluster-id 3.3.3.3
Supported Releases 10.3.0E or later

bgp dampening
Enables BGP route-flap dampening and configures the dampening parameters.
Syntax bgp dampening [half-life | reuse-limit | suppress-limit | max-suppress-time | route-map-name]
Parameters
● half-life — (Optional) Enter the half-life time, in minutes, after which the penalty decreases.
Supported Releases OS10 legacy command.

description
Configures a description for the BGP neighbor or for peer template.
Syntax description text
Parameters text — Enter a description for the BGP neighbor or peer template.
Default None
Command Mode ROUTER-BGP-NEIGHBOR ROUTER-BGP-TEMPLATE
Usage Information Example Supported Releases ● To use special characters as a part of the description string, enclose the string in double quotes.
default-originate
Configures the default route to a BGP peer or neighbor.
Syntax default-originate [route-map route-map-name]
Parameters route-map route-map-name—(Optional) Enter a route-map name. A maximum of 140 characters.
Default Enabled
Command Mode ROUTER-BGP-NEIGHBOR-AF ROUTER-TEMPLATE-AF
Usage Information Example Supported Releases The no version of this command removes the default route.
Non-default VRF
OS10(config-router-bgp-100)# vrf blue
OS10(config-router-bgp-100-vrf)# address-family ipv4 unicast
OS10(configure-router-bgpv4-vrf-af)# distance bgp 21 200 200
OS10(config-router-bgp-100-vrf)# address-family ipv6 unicast
OS10(configure-router-bgpv6-vrf-af)# distance bgp 21 201 250
Supported Releases 10.4.2.0 or later

distribute-list
Distributes BGP information through an established prefix list.
ebgp-multihop
Allows eBGP neighbors on indirectly connected networks.
Syntax ebgp-multihop hop count
Parameters hop count — Enter a value for the number of hops, from 1 to 255.
Default 1 for eBGP. 255 for iBGP.
Command Mode ROUTER-NEIGHBOR
Usage Information This command avoids installation of default multihop peer routes to prevent loops and creates neighbor relationships between peers. Networks indirectly connected are not valid for best path selection.
enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. Whenever either address becomes unreachable — no active route exists in the routing table for peer IPv6 destinations or local address — BGP brings down the session with the peer. The no version of this command disables fall-over.
Example OS10(conf-router-neighbor)# fall-over
Supported Releases 10.3.
Example OS10(conf-router-bgp-10)# graceful-restart role receiver-only
Supported Releases 10.3.0E or later

inherit template
Configures a peer group template name that the neighbors use to inherit peer-group configuration.
Syntax inherit template template-name [inherit-type {ibgp | ebgp}]
Parameters
● template-name — Enter a template name. A maximum of 16 characters.
● inherit-type {ibgp | ebgp} —To associate a template to an unnumbered peer, specify the inherit-type. The options are ibgp and ebgp.
local-as
Configures a local AS number for a peer.
Syntax local-as as-number [no-prepend] [replace-as]
Parameters
● as-number—Enter the local AS number, from 1 to 4294967295.
● no-prepend—(Optional) Enter so that local AS values are not prepended to the AS_PATH attribute.
● replace-as—(Optional) Enter so that globally-configured AS values are not prepended to the AS_PATH attribute.
maximum-paths
Configures the maximum number of equal-cost paths for load sharing.
Syntax maximum-paths [ebgp number | ibgp number] maxpaths
Parameters
● ebgp—Enable multipath support for external BGP routes.
● ibgp—Enable multipath support for internal BGP routes.
● number—Enter the number of parallel paths, from 1 to 64.
Default 64 paths
Command Mode ROUTER-BGP
Usage Information Dell EMC recommends not using multipath and add path simultaneously in a route reflector.
neighbor
Creates a remote IP or unnumbered peer and enters Neighbor Configuration mode.
Syntax neighbor {ip-address | interface interface-type}
Parameters
● ip-address—Enter the IPv4 or IPv6 address of the neighbor.
● interface interface-type—Enter the interface that connects to an unnumbered neighbor.
● unnumbered-auto—Configure one or more BGP auto unnumbered neighbors.
Default Not configured
Command Mode CONFIG-ROUTER-BGP
Usage Information Create a remote peer with the BGP neighbor.
Usage Information The no version of this command removes the network.
Example
OS10(conf-router-bgpv4-af)#
OS10(config-router-bgp-64601)# address-family ipv4 unicast
OS10(configure-router-bgpv4-af)# network 192.168.1.0/24
OS10(configure-router-bgpv4-af)# do commit
Supported Releases 10.3.0E or later

next-hop-self
Disables the next-hop calculation for a neighbor.
outbound-optimization
Enables outbound optimization for IBGP peer-group members.
Syntax outbound-optimization
Parameters None
Default Not configured
Command Mode ROUTER-BGP
Usage Information Enable or disable outbound optimization dynamically to reset all neighbor sessions. When you enable outbound optimization, all peers receive the same update packets. The next-hop address chosen as one of the addresses of neighbor’s reachable interfaces is also the same for the peers.
Parameters
● connected — Enter to redistribute routes from physically connected interfaces.
● imported-bgp-routes {vrf vrf-name} [route-map map-name] — Enter to redistribute leaked BGPv4 routes.
● route-map map name — (Optional) Enter the name of a configured route-map.
● ospf process-id — Enter a number for the OSPF process (1 to 65535).
● static — Enter to redistribute manually configured routes.
remove-private-as
Removes private AS numbers from receiving outgoing updates.
Syntax remove-private-as
Parameters None
Defaults Disabled
Command Mode CONFIG-ROUTER-NEIGHBOR CONFIG-ROUTER-TEMPLATE
Usage Information None
Example
OS10(config)# router bgp 300
OS10(config-router-bgp-300)# template ebgppg
OS10(config-router-template)# remove-private-as
Supported Releases 10.4.1.0 or later

route-map
Applies an established route-map to either incoming or outbound routes of a BGP neighbor or peer group.
Usage Information The device configures as a route reflector, and the BGP neighbors configure as clients in the route-reflector cluster. The no version of this command deletes all clients of a route reflector—the router no longer functions as a route reflector.
Example OS10(conf-router-template)# route-reflector-client
Supported Releases 10.3.0E or later

router bgp
Enables BGP and assigns an AS number to the local BGP speaker.
Syntax router bgp as-number
Parameters as-number—Enter the AS number range.
send-community
Sends a community attribute to a BGP neighbor or peer group.
Syntax send-community {extended | standard}
Parameters
● extended — Enter an extended community attribute.
● standard — Enter a standard community attribute.
Default Not configured
Command Mode ROUTER-NEIGHBOR
Usage Information A community attribute indicates that all routes with the same attributes belong to the same community grouping.
Usage Information None
Example
OS10# show ip bgp 1.1.1.0/24
BGP routing table entry for 1.1.1.0/24
Paths: (1 available, table Default-IP-Routing-Table.)
Received from : 3.1.1.1(3.3.3.33) Best
AS_PATH : 100
Next-Hop : 3.1.1.1, Cost : 0
Origin INCOMPLETE, Metric 0, LocalPref 100, Weight 0, confed-external
Route-reflector origin : 0.0.0.0

The following displays the next hop as an unnumbered neighbor with ethernet1/1/1 as the connected interface.
OS10# show ip bgp 31.1.1.0/24
BGP routing table entry for 31.
Default Not configured
Command Mode EXEC
Usage Information
● vrf vrf-name — (OPTIONAL) Enter vrf and then the name of the VRF to view routes that are affected by a specific community list corresponding to that VRF.
● Network — Displays the network ID where the route is dampened.
● From — Displays the IP address of the neighbor advertising the dampened route.
● Reuse — Displays the HH:MM:SS until the dampened route is available.
show ip bgp ipv4 unicast
Displays route information for BGP IPv4 routes.
Syntax show ip bgp [vrf vrf-name] ipv4 unicast [summary | neighbors [ip-address | interface interface-type] [advertised-routes | dampened-paths | flap-statistics | denied-routes | routes]]]
Parameters
● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to view IPv4 unicast summary information corresponding to that VRF.
● summary — Displays IPv4 unicast summary information.
*> 0 41.1.1.0/24 0 fe80::3617:ebff:fef1:dc5e 10 0

OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 denied-routes
BGP local router ID is 40.1.1.2
Status codes: D denied
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
D 51.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 0 0 10

Summary information for unnumbered neighbors:
OS10# show ip bgp ipv4 unicast summary
BGP router identifier 89.101.17.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show ip bgp ipv6 unicast summary
BGP router identifier 80.1.1.1 local AS number 102
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
80.1.1.2 800 8 4 00:01:10 5

OS10# show ip bgp ipv6 unicast neighbors interface ethernet 1/1/1 advertised-routes
BGP local router ID is 40.1.1.
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed/network, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 41::/64 ethernet 1/1/1 0 100 32768 ?
Supported Releases 10.3.0E or later

show ip bgp neighbors
Displays information that BGP neighbors exchange.
Example
OS10# show ip bgp neighbors
BGP neighbor is 2.2.2.2, remote AS 200, local AS 100 external link
Member of peer-group ebgppg for session parameters
BGP version 4, remote router ID 2.2.2.
ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) EXTENDED_NEXTHOP_ENCODING(5) Capabilities received from neighbor for IPv6 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) EXTENDED_NEXTHOP_ENCODING(5) Capabilities advertised to neighbor for IPv4 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) EXTENDED_NEXTHOP_ENCODING(5) Capabilities advertised to neighbor for IPv6 Unicast: MULTI
*>55:0:0:7::/64 192:168:1::1 100i *>55:0:0:8::/64 192:168:1::1 100i *>55:0:0:9::/64 192:168:1::1 100i *>172:16:1::/64 192:168:1::1 100? Total number of prefixes: 11 OS10# Example received-routes Example deniedroutes Example routes Example unnumbered neighbors 0 0 0 0 0 0 0 0 0 0 0 0 OS10# show ip bgp ipv6 unicast neighbors 172:16:1::2 BGP local router ID is 100.1.1.
Last read 00:21:08 seconds
Hold time is 180, keepalive interval is 60 seconds
Configured hold time is 180, keepalive interval is 60 seconds
Fall-over disabled
Received 20 messages
1 opens, 0 notifications, 0 updates
19 keepalives, 0 route refresh requests
Sent 20 messages
1 opens, 1 notifications, 0 updates
18 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast: M
Example denied-routes from unnumbered neighbors
OS10# show ip bgp neighbors interface ethernet 1/1/1 denied-routes
BGP local router ID is 40.1.1.2
Status codes: D denied
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
D 51.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 0 0 10

Example Global AS
OS10# show ip bgp neighbors 30.1.1.1
BGP neighbor is 30.1.1.1, remote AS 500, local AS 200 no-prepend replace-as external link
BGP version 4, remote router ID 20.20.20.
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
17.1.1.2 7 7 6 00:01:54 5

OS10# show ip bgp peer-group bg1
Peer-group bg1, remote AS 0
BGP version 4
Minimum time between advertisement runs is 30 seconds
For address family: Unicast
BGP neighbor is bg1, peer-group external
Update packing has 4_OCTET_AS support enabled
Number of peers in this group 2
Peer-group members:
40.1.1.2
ethernet 1/1/1

OS10# show ip bgp peer-group bg1 summary
BGP router identifier 14.233.209.
Example
OS10# show ip bgp summary
BGP router identifier 80.1.1.1 local AS number 102
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
80.1.1.2 800 24 23 00:09:15 5

Example for unnumbered peer:
OS10# show ip bgp summary
BGP router identifier 89.101.17.125 local AS number 100
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
ethernet1/1/1 200 19 19 00:15:34 0
Supported Releases 10.2.0E or later

show ip route
Displays information about IPv4 BGP routing table entries.
show ipv6 route
Displays information about IPv6 BGP routing table entries.
Syntax show ipv6 route [vrf vrf-name] bgp
Parameters
● vrf vrf-name — Enter vrf and then the name of the VRF to view information that is exchanged between BGP neighbors corresponding to that VRF.
Default Not configured
Command Mode EXEC
Usage Information This command displays information about IPv6 BGP routing table entries.
template
Creates a peer-group template to assign it to BGP neighbors.
Syntax template template-name
Parameters template-name — Enter a peer-group template name. A maximum of 16 characters.
Default Not configured
Command Mode CONFIG-ROUTER-BGP
Usage Information Members of a peer-group template inherit the configuration properties of the template and share the same update policy. The no version of this command deletes a peer-template configuration.
Usage Information When you configure the update-source loopback command for a template, all the neighbors belonging to the template inherit the feature.
Example
OS10(config)# router bgp 10
OS10(conf-router-bgp-10)# neighbor
OS10(conf-router-bgp-10)# neighbor 1.1.15.4
OS10(conf-router-neighbor)# update-source Loopback 1
Supported Releases 10.3.0E or later

vrf
Enters the CONFIG-ROUTER-VRF command mode.
Configure the hash algorithm in CONFIGURATION mode.
hash-algorithm ecmp {crc | crc16cc | crc32LSB | crc32MSB | xor | xor1 | xor2 | xor4 | xor8 | random}

Change hash algorithm
OS10(config)# hash-algorithm ecmp crc

Restrictions on ECMP Static Routes
When you configure static route leaking, all the Equal-cost multipath (ECMP) static routes from the source do not leak to the destination VRF instance. Only a single ECMP route, normally the best ECMP route, leaks to the destination VRF instance.
Resilient hashing
To increase bandwidth and for load balancing, traffic distributes across the next hops of an ECMP group or member ports of a port channel. OS10 uses a hash algorithm to determine a hash key. The egress port in a port channel or the next hop in an ECMP group is selected based on the hash key modulo the number of ports in a port channel or next hops in an ECMP group, respectively.
Examples
Normal traffic flow without resilient hashing
Traffic flow with resilient hashing enabled
When you enable resilient hashing for ECMP groups, the flow-map table is created with 64 paths (the OS10 default maximum number of ECMP paths) and traffic is equally distributed. In the following example, traffic 1 maps to next hop 'A'; traffic 2 maps to next hop 'C'; and traffic 3 maps to next hop 'B.
Member link is added
However, when a new member link is added, resilient hashing completes minimal remapping for better load balancing, as shown:
Important notes
● Resilient hashing on port channels applies only for unicast traffic.
● For resilient hashing on ECMP groups, the ECMP path must be in multiples of 64. Before you enable resilient hashing, ensure that the maximum ECMP path is set to a multiple of 64. You can configure this value using the ip ecmp-group maximum-paths command.
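The remapping behaviour described above, modelled in an added example that is not OS10 code: it compares hash-key-modulo selection with a 64-slot flow map when a fourth next hop joins, and also covers member removal, which the passage does not walk through. The slot-reassignment policy, the CRC32 stand-in for the hash key, and the sample flows are assumptions constructed for illustration.

```python
"""Plain modulo selection vs. a resilient 64-slot flow map (illustrative model)."""
import zlib
from collections import Counter

FLOW_MAP_SLOTS = 64  # default maximum ECMP paths per group, per the text


def hash_key(flow):
    """CRC32 over the flow tuple; an assumed stand-in for the switch's hash."""
    return zlib.crc32("|".join(map(str, flow)).encode())


def select_modulo(key, next_hops):
    """Without resilient hashing: hash key modulo the number of next hops."""
    return next_hops[key % len(next_hops)]


def build_flow_map(next_hops, slots=FLOW_MAP_SLOTS):
    """Spread the next hops evenly over a fixed number of slots."""
    return [next_hops[i % len(next_hops)] for i in range(slots)]


def select_resilient(key, flow_map):
    """With resilient hashing: the key indexes a fixed-size slot table."""
    return flow_map[key % len(flow_map)]


def add_member(flow_map, new_hop):
    """Give new_hop a fair share by moving one slot at a time from the
    currently most-loaded member; every other slot keeps its next hop."""
    new_map = list(flow_map)
    counts = Counter(new_map)
    fair_share = len(new_map) // (len(counts) + 1)
    for _ in range(fair_share):
        donor = max(sorted(counts), key=lambda hop: counts[hop])
        slot = max(i for i, hop in enumerate(new_map) if hop == donor)
        new_map[slot] = new_hop
        counts[donor] -= 1
    return new_map


def remove_member(flow_map, dead_hop):
    """Reassign only the dead member's slots, round-robin over survivors."""
    survivors = sorted(set(flow_map) - {dead_hop})
    if not survivors:
        raise ValueError("cannot remove the last member of the group")
    new_map, turn = [], 0
    for hop in flow_map:
        if hop == dead_hop:
            hop = survivors[turn % len(survivors)]
            turn += 1
        new_map.append(hop)
    return new_map


def moved_fraction(keys, before, after):
    """Fraction of keys whose selected next hop differs between two pickers."""
    keys = list(keys)
    return sum(1 for k in keys if before(k) != after(k)) / len(keys)


def compare_add(keys, hops, new_hop):
    """Return (modulo_fraction, resilient_fraction) moved when new_hop joins."""
    grown = list(hops) + [new_hop]
    old_map = build_flow_map(hops)
    new_map = add_member(old_map, new_hop)
    return (
        moved_fraction(keys, lambda k: select_modulo(k, hops),
                       lambda k: select_modulo(k, grown)),
        moved_fraction(keys, lambda k: select_resilient(k, old_map),
                       lambda k: select_resilient(k, new_map)),
    )


if __name__ == "__main__":
    # Constructed sample flows: (src IP, dst IP, protocol, src port, dst port).
    flows = [(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 6, 1024 + i, 443)
             for i in range(5000)]
    keys = [hash_key(f) for f in flows]
    mod, res = compare_add(keys, ["A", "B", "C"], "D")
    print(f"member added, flows remapped: modulo {mod:.0%}, resilient {res:.0%}")
```

With uniformly spread hash keys, going from three to four next hops moves about three quarters of the flows under plain modulo selection but only the quarter that the new member takes over under the flow map.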
Maximum ECMP groups and paths
The maximum number of ECMP groups supported on the switch depends on the maximum ECMP paths configured on the switch. To view the maximum number of ECMP groups and paths, use the show ip ecmp-group details command.
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
The default value for the maximum number of ECMP paths per group is 64.
Parameters
Default crc
Command Mode CONFIGURATION
Usage Information The hash value calculated with this command is unique to the entire system. Different hash algorithms are based on the number of port-channel members and packet values. The default hash algorithm yields the most balanced results in various test scenarios, but if the default algorithm does not provide a satisfactory distribution of traffic, use this command to designate another algorithm.
Parameters value — Enter a link bundle trigger threshold value, from 0 to 100.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command disables the configuration.
Example
OS10(config)# link-bundle-utilization trigger-threshold 80
Supported Releases 10.2.0E or later
load-balancing Distributes or load balances incoming traffic using the default parameters in the hash algorithm.
Example (IP Selection)
OS10(config)# load-balancing ip-selection destination-ip source-ip
Supported Releases 10.2.0E or later
show enhanced-hashing resilient-hashing Displays the status of the enhanced-hashing command.
Syntax show enhanced-hashing resilient-hashing {lag | ecmp}
Parameters lag | ecmp—Enter the keyword to view enhanced-hashing for a port channel or ECMP group.
Command Mode EXEC
Usage Information None
Example
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
Supported Releases 10.4.3.0 or later
show load-balance Displays the global traffic load-balance configuration.
1. Enter the interface type information to assign an IP address in CONFIGURATION mode.
interface interface
● ethernet—Physical interface
● port-channel—Port-channel ID number
● vlan—VLAN ID number
● loopback—Loopback interface ID
● mgmt—Management interface
2. Enable the interface in INTERFACE mode.
no shutdown
3. Remove the interface from the default VLAN in INTERFACE mode.
no switchport
4. Configure a primary IP address and mask on the interface in INTERFACE mode.
Configure static routing
You can configure a manual or static route for open shortest path first (OSPF).
● Configure a static route in CONFIGURATION mode.
ip route ip-prefix/mask {next-hop | interface interface [route-preference]}
○ ip-prefix—IPv4 address in dotted decimal in A.B.C.D format.
○ mask—Mask in slash prefix-length format (/X).
○ next-hop—Next-hop IP address in dotted decimal in A.B.C.D format.
These entries do not age, and you can only remove them manually. To remove a static ARP entry, use the no arp ipaddress command.
Configure static ARP entries
OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32
View ARP entries
OS10# show ip arp interface ethernet 1/1/6
Address Hardware address Interface Egress Interface
--------------------------------------------------------------
10.1.1.
● *—Clear the entire IP routing table. This option refreshes all the routes in the routing table. Traffic flow is affected for all the routes in the switch. ● A.B.C.D/mask —Specify the IP route to remove from the IP routing table. This option refreshes all the routes in the routing table. Traffic flow is affected only for the specified route in the switch. Default Not configured Command Mode EXEC Usage Information This command does not remove the static routes from the routing table.
ip arp Configures static ARP and maps the IP address of the neighbor to a MAC address. Syntax ip arp mac-address Parameters mac-address — Enter the MAC address of the IP neighbor in A.B.C.D format. Default Not configured Command Mode INTERFACE Usage Information Do not use Class D (multicast) or Class E (reserved) IP addresses. Zero MAC addresses (00:00:00:00:00:00) are invalid. The no version of this command disables the IP ARP configuration.
ip route Assigns a static route on the network device. Syntax ip route [vrf vrf-name] dest-ip-prefix mask {next-hop [ interface interface-type] [route-preference]} [bfd] Parameters ● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure a static route corresponding to that VRF. Use this VRF option after the ip route keyword to configure a static route on that specific VRF. ● dest-ip-prefix — Enter the destination IP prefix in dotted decimal A.B.C.D format.
Example (IP Address)
OS10# show ip arp 192.168.2.2
Address Hardware address Interface Egress Interface
--------------------------------------------------------------------
192.168.2.2 90:b1:1c:f4:a6:e6 ethernet1/1/49:1 ethernet1/1/49:1
Example (Static)
OS10# show ip arp summary
Total Entries Static Entries Dynamic Entries
-------------------------------------------------------
3994 0 3994
OS10# show ip arp 192.168.2.
B - BGP, IN - internal BGP, EX - external BGP
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2, > - non-active route
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
------------------------------------------------------------------
C 10.1.1.0/24 via 10.1.1.1 vlan100 0/0 01:16:56
B EX 10.1.2.0/24 via 10.1.2.1 vlan101 20/0 01:16:56
O 10.1.3.0/24 via 10.1.3.
Enable or disable IPv6 By default: ● IPv6 forwarding is enabled on physical Ethernet interfaces, VLANs, and port groups. IPv6 forwarding is disabled only when you enable IPv6 address autoconfiguration on an interface and set it in host mode using the ipv6 address autoconfig command. ● IPv6 forwarding is permanently disabled on the management Ethernet interface so that it remains in Host mode and does not operate as a router regardless of the ipv6 address autoconfig setting.
In the following example, all the addresses are valid and equivalent:
● 2001:0db8:0000:0000:0000:0000:1428:57ab
● 2001:0db8:0000:0000:0000::1428:57ab
● 2001:0db8:0:0:0:0:1428:57ab
● 2001:0db8:0:0::1428:57ab
● 2001:0db8::1428:57ab
● 2001:db8::1428:57ab
Write IPv6 networks using CIDR notation. An IPv6 network or subnet is a contiguous group of IPv6 addresses whose size must be a power of two. The initial bits of addresses, which are identical for all hosts in the network, are the network's prefix.
Configure network prefix
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address 2001:FF21:1:1::/64 eui64
Configure link-local address
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address FE80::1/64 link-local
Stateless autoconfiguration
When an interface comes up, OS10 uses stateless autoconfiguration to generate a unique link-local IPv6 address with a FE80::/64 prefix and an interface ID generated from the MAC address.
1. Enable IPv6 neighbor discovery and sending ICMPv6 RA messages in Interface mode. ipv6 nd send-ra 2. (Optional) Configure IPv6 neighbor discovery options in Interface mode. ● ipv6 nd hop-limit hops — (Optional) Sets the hop limit advertised in RA messages and included in IPv6 data packets sent by the router, from 0 to 255; default 64. 0 indicates that no hop limit is specified by the router.
Configure advertised IPv6 prefixes
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ipv6 nd prefix default lifetime infinite infinite
OS10(conf-if-eth1/1/1)# ipv6 nd prefix 2002::/64
Duplicate address discovery
To determine if an IPv6 unicast address is unique before assigning it to an interface, an OS10 switch sends a neighbor solicitation message. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the address does not configure on the interface.
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
--------------------------------------------------------------------------
S 2111:dddd:eee::22/12 via 2001:db86:fff::2 ethernet1/1/1 1/1 00:01:24
IPv6 destination unreachable
By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, a packet drops and no error message is sent. You can enable the capability to send an IPv6 destination unreachable error message to the source without dropping the packet.
IPv6 commands
clear ipv6 neighbors Deletes all entries in the IPv6 neighbor discovery cache or neighbors of a specific interface. Static entries are not removed.
Syntax clear ipv6 neighbors [vrf vrf-name] [ipv6-address | interface | virtual-network vn-id | all]
Parameters
● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to clear the neighbor corresponding to that VRF. If you do not specify this option, the neighbors in the default VRF clear.
ipv6 address Configures a global unicast IPv6 address on an interface.
Syntax ipv6 address ipv6-address/prefix-length
Parameters ipv6-address/prefix-length — Enter a full 128-bit IPv6 address with the network prefix length, including the 64-bit interface identifier.
Defaults None
Command Mode INTERFACE
Usage Information An interface can have multiple IPv6 addresses.
Command Mode INTERFACE
Usage Information The no version of this command disables DHCP operations on the interface.
NOTE: Dell EMC Networking does not recommend configuring both a static IPv6 address and DHCPv6 on the same interface.
Example
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# ipv6 address dhcp
Supported Releases 10.3.0E or later
ipv6 enable Enables and disables IPv6 forwarding on an interface configured with an IPv6 address.
ipv6 address link-local Configures a link-local IPv6 address on the interface to use instead of the link-local address that is automatically configured with stateless autoconfiguration. Syntax ipv6 address ipv6-prefix link-local Parameters ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format. Defaults None Command Mode INTERFACE Usage Information ● An interface can have only one link-local address.
Usage Information
● An OS10 switch sends a neighbor solicitation message to determine if an autoconfigured IPv6 unicast link-local address is unique before assigning it to an interface. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the link-local address does not configure. Other IPv6 addresses are still active on the interface.
Example: Disable DAD
Example: Enable DAD on link-local address
Supported Releases
ipv6 nd max-ra-interval Sets the maximum time interval between sending RA messages.
Syntax ipv6 nd max-ra-interval seconds
Parameters
● max-ra-interval seconds—Enter a time interval in seconds, from 4 to 1800.
Defaults 600 seconds
Command Mode INTERFACE
Usage Information The no version of this command restores the default time interval that is used to send RA messages.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd max-ra-interval 300
Supported Releases 10.4.
ipv6 nd prefix Configures the IPv6 prefixes that are included in messages to neighboring IPv6 routers.
Syntax ipv6 nd prefix {ipv6-prefix | default} [no-advertise] [no-autoconfig] [no-rtr-address] [off-link] [lifetime {valid-lifetime seconds | infinite} {preferred-lifetime seconds | infinite}]
Parameters
● ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format to include the prefix in RA messages. Include prefixes that are not already in the subnets on the interface.
ipv6 nd ra-lifetime Sets the lifetime of the default router in RA messages. Syntax ipv6 nd ra-lifetime seconds Parameters ● ra-lifetime seconds — Enter a lifetime value in milliseconds, from 0 to 9000 milliseconds. Defaults Three times the max-ra-interval value Command Mode INTERFACE Usage Information The no version of this command restores the default lifetime value. 0 indicates that this router is not used as the default router.
ipv6 nd send-ra Enables sending ICMPv6 RA messages. Syntax ipv6 nd send-ra Parameters None Defaults RA messages are disabled. Command Mode INTERFACE Usage Information ● Using ICMPv6 RA messages, the Neighbor Discovery Protocol (NDP) advertises the IPv6 addresses of IPv6-enabled interfaces and learns of any address changes in IPv6 neighbors.
ipv6 unreachables Enables generating error messages on an interface for IPv6 packets with unreachable destinations. Syntax ipv6 unreachables Parameters None Defaults ICMPv6 unreachable messages are not sent. Command Mode INTERFACE Usage Information ● By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, the packet drops and no error message is sent.
show ipv6 route Displays IPv6 routes. Syntax show ipv6 route [vrf vrf-name] [all | bgp | connected | static | A::B/mask | summary] Parameters ● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to display IPv6 routes corresponding to that VRF. If you do not specify this option, routes corresponding to the default VRF display. ● all—(Optional) Displays all routes including nonactive routes. ● bgp—(Optional) Displays BGP route information.
Supported Releases 10.2.0E or later show ipv6 interface brief Displays IPv6 interface information. Syntax show ipv6 interface brief Parameters brief — Displays a brief summary of IPv6 interface information. Defaults None Command Mode EXEC Usage Information Use the do show ipv6 interface brief command to view IPv6 interface information in other modes.
Areas, networks, and neighbors
The backbone of the network is Area 0, also called Area 0.0.0.0, the core of any AS. All other areas must connect to Area 0. An OSPF backbone distributes routing information between areas. It consists of all area border routers and networks not wholly contained in any area and their attached routers. The backbone is the only area with a default area number. You configure the Area ID for all other areas. If you configure two nonbackbone areas, you must enable the B bit in OSPF.
Backbone router
A backbone router (BR) is part of the OSPF Backbone, Area 0, and includes all ABRs. The BR also includes routers that are connected only to the backbone and another ABR, but that are only part of Area 0, shown as Router I in the example.
Area border router
Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to. It may keep multiple copies of the link state database.
DRs and BDRs are configurable. If you do not define the DR or BDR, OS10 assigns them per the protocol. To determine which routers are the DR and BDR, OSPF looks at the priority of the routers on the segment. The default router priority is 1. The router with the highest priority is elected DR. If there is a tie, the router with the higher router ID takes precedence. After the DR is elected, the BDR is elected the same way. A router with a router priority set to zero cannot become a DR or BDR.
OSPF route limit OS10 supports up to 16,000 OSPF routes. Within this range, the only restriction is on intra-area routes that scale only up to 1000 routes. Other OSPF routes can scale up to 16 K. Shortest path first throttling Use shortest path first (SPF) throttling to delay SPF calculations during periods of network instability. In an OSPF network, a topology change event triggers an SPF calculation that is performed after a start time.
Enable SPF throttling (OSPFv3)
OS10(config)# router ospfv3 10
OS10(config-router-ospf-10)# timers spf 2000 3000 4000
View OSPFv2 SPF throttling
OS10(config-router-ospf-100)# do show ip ospf
Routing Process ospf 100 with ID 12.1.1.
5. Assign an IP address to the interface in INTERFACE mode. ip address ip-address/mask 6. Enable OSPFv2 on an interface in INTERFACE mode. ip ospf process-id area area-id ● process-id—Enter the OSPFv2 process ID for a specific OSPF process, from 1 to 65535. ● area-id—Enter the OSPFv2 area ID as an IP address (A.B.C.D) or number, from 1 to 65535.
● area-id—Enter the OSPFv2 area ID as an IP address (A.B.C.D) or number, from 1 to 65535.
Enable OSPFv2 configuration
OS10(config)# ip vrf vrf-blue
OS10(config-vrf-blue)# router ospf 100 vrf-blue
OS10(conf-router-ospf-100)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# ip vrf forwarding vrf-blue
OS10(conf-if-eth1/1/1)# ip address 11.1.1.1/24
OS10(conf-if-eth1/1/1)# ip ospf 100 area 0.0.0.
2. Configure an area as a stub area in ROUTER-OSPF mode.
area area-id stub [no-summary]
● area-id—Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-summary—(Optional) Enter to prevent an ABR from sending summary LSA to the stub area.
Configure stub area
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# area 10.10.5.1 stub
View stub area configuration
OS10# show ip ospf
Routing Process ospf 10 with ID 130.6.196.
You can disable a passive interface using the no ip ospf passive command. Fast convergence Fast convergence sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. A higher convergence level can result in occasional loss of OSPF adjacency. Convergence level 1 meets most convergence requirements. The higher the number, the faster the convergence, and the more frequent the route calculations and updates.
2. Change the cost associated with OSPF traffic on the interface in INTERFACE mode, from 1 to 65535. The default depends on the interface speed. ip ospf cost 3. Change the time interval, from 1 to 65535, that the router waits before declaring a neighbor dead in INTERFACE mode. The default time interval is 40. The dead interval must be four times the hello interval and must be the same on all routers in the OSPF network. ip ospf dead-interval seconds 4.
○ route-map map-name—Enter the name of a configured route map.
When you enable graceful restart, the restarting device retains the routes learned by OSPF in the forwarding table. To reestablish OSPF adjacencies with neighbors, the restarting OSPF process sends a grace LSA to all neighbors. In response, the helper router enters Helper mode and sends an acknowledgement back to the restarting device. OS10 supports graceful restart Helper mode. Use the graceful-restart role helper-only command to enable Helper mode in ROUTER OSPF mode.
● Are the OSPF routes included in the routing table in addition to the OSPF database?
● Are you able to ping the IPv4 address of the adjacent router interface?
Troubleshooting OSPF with show commands
● View a summary of all OSPF process IDs enabled in EXEC mode.
show running-configuration ospf
● View summary information of IP routes in EXEC mode.
show ip route summary
● View summary information for the OSPF database in EXEC mode.
Usage Information The cost is also referred to as reference-bandwidth or bandwidth. Use the area default-cost command on the border routers at the edge of a stub area. The no version of this command resets the value to the default.
Example
OS10(conf-router-ospf-10)# area 10.10.1.5 default-cost 10
Supported Releases 10.2.0E or later
area nssa Defines an area as an NSSA.
Parameters
● area-id—Set the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-summary—(Optional) Prevents an ABR from sending summary LSAs into the stub area.
Default Not configured
Command Mode ROUTER-OSPF
Usage Information The no version of this command deletes a stub area.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# area 10.10.1.5 stub
Supported Releases 10.2.
clear ip ospf statistics Clears OSPF traffic statistics. Syntax clear ip ospf [instance-number] [vrf vrf-name] statistics Parameters ● instance-number — (Optional) Enter an OSPF instance number, from 1 to 65535. ● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to clear OSPF traffic statistics in that configured VRF.
default-metric Assigns a metric value to redistributed routes for the OSPF process.
Syntax default-metric number
Parameters number — Enter a default-metric value, from 1 to 16777214.
Default Not configured
Command Mode ROUTER-OSPF
Usage Information The no version of this command disables the default-metric configuration.
Example
OS10(conf-router-ospf-10)# default-metric 2000
Supported Releases 10.2.
ip ospf area Attaches an interface to an OSPF area. Syntax ip ospf process-id area area-id Parameters ● process-id — Set an OSPF process ID for a specific OSPF process, from 1 to 65535. ● area area-id — Enter the OSPF area ID in dotted decimal A.B.C.D format or enter an area ID number, from 1 to 65535. Default Not configured Command Mode INTERFACE Usage Information The no version of this command removes an interface from an OSPF area.
ip ospf dead-interval Sets the time interval since the last hello-packet was received from a router. After the interval elapses, the neighboring routers declare the router dead. Syntax ip ospf dead-interval seconds Parameters seconds — Enter the dead interval value in seconds, from 1 to 65535. Default 40 seconds Command Mode INTERFACE Usage Information The dead interval is four times the default hello-interval by default. The no version of this command resets the value to the default.
ip ospf mtu-ignore Disables MTU size detection on received Database Descriptor (DBD) packets when forming OSPFv3 adjacency. Syntax ip ospf mtu-ignore Parameters None Default Not configured Command Mode INTERFACE Usage Information If the MTU size of the peer interface is greater than the local interface, switches that run OSPF do not form adjacencies with neighbors. Use this command to override this behavior and form adjacency.
network information corresponding to these loopback interfaces is still announced in OSPF LSAs that are sent through other interfaces configured for OSPF.
Example
OS10(conf-if-eth1/1/6)# ip ospf passive
Supported Releases 10.2.0E or later
ip ospf priority Sets the priority of the interface to determine the DR for the OSPF network.
Syntax ip ospf priority number
Parameters number — Enter a router priority number, from 0 to 255.
Example
OS10(conf-if-eth1/1/4)# ip ospf transmit-delay 5
Supported Releases 10.2.0E or later
log-adjacency-changes Enables logging of syslog messages regarding changes in the OSPF adjacency state.
Syntax log-adjacency-changes
Parameters None
Default Disabled
Command Mode ROUTER-OSPF
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# log-adjacency-changes
Supported Releases 10.2.
Supported Releases 10.2.0E or later
redistribute Redistributes information from another routing protocol or routing instance to the OSPFv2 process.
Syntax redistribute {bgp as-number | imported-ospf-routes | connected | static} [route-map map-name]
Parameters
● as-number — Enter an autonomous system number to redistribute BGP routing information throughout the OSPF instance, from 1 to 4294967295.
● connected — Enter the information from the connected active routes on interfaces to redistribute.
Parameters
● instance-number—Enter a router OSPF instance number, from 1 to 65535.
● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to configure an OSPF instance in that VRF.
Default Not configured
Command Mode CONFIGURATION
Usage Information Assign an IP address to an interface before using this command. The no version of this command deletes an OSPF instance.
Example
OS10(config)# router ospf 10 vrf vrf-test
Supported Releases 10.2.
Usage Information You can isolate problems with external routes. External OSPF routes are calculated by adding the LSA cost to the cost of reaching the ASBR router. If an external route does not have the correct cost, this command determines if the path to the originating router is correct. ASBRs that are not in directly connected areas display. You can determine if an ASBR is in a directly connected area by the flags. For ASBRs in a directly connected area, E flags are set.
show ip ospf database asbr-summary Displays information about AS boundary LSAs.
Syntax show ip ospf [process-id] database asbr-summary
Parameters
● process-id—(Optional) Displays the AS boundary LSA information for a specified OSPF process ID. If you do not enter a process ID, this applies only to the first OSPF process.
● vrf vrf-name — (Optional) Displays the AS boundary LSA information for an OSPF process ID corresponding to the specified VRF.
● Options — Displays the optional capabilities available on the router.
● LS Type — Displays the LS type.
● Link State ID — Identifies the router ID.
● Advertising Router — Identifies the advertising router’s ID.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
● Network Mask — Identifies the network mask implemented on the area.
Example
OS10# show ip ospf 10 database network
OSPF Router with ID (111.2.1.1) (Process ID 10)
Network (Area 0.0.0.0)
LS age: 1356
Options: (No TOS-capability, No DC, E)
LS type: Network
Link State ID: 110.1.1.2
Advertising Router: 112.2.1.1
LS Seq Number: 0x80000008
Checksum: 0xd2b1
Length: 32
Network Mask: /24
Attached Router: 111.2.1.1
Attached Router: 112.2.1.1
Supported Releases 10.2.0E or later
show ip ospf database nssa external Displays information about the NSSA-External Type 7 LSA.
TOS: 0
Metric: 16777215
Forward Address: 0.0.0.0
External Route Tag: 0
LS age: 70
Options: (No TOS-Capability, No DC, No Type 7/5 translation)
LS type: NSSA External
Link State ID: 0.0.0.0
Advertising Router: 2.2.2.2
LS Seq Number: 0x80000001
Checksum: 0x2526
Length: 36
Network Mask: /0
Metric Type: 1
TOS: 0
Metric: 0
Forward Address: 0.0.0.0
External Route Tag: 0
LS age: 65
Options: (No TOS-Capability, No DC, No Type 7/5 translation)
LS type: NSSA External
Link State ID: 12.1.1.0
Advertising Router: 2.2.2.
show ip ospf database opaque-area Displays information about the opaque-area Type 10 LSA. Syntax show ip ospf [process-id] [vrf vrf-name] database opaque-area Parameters ● process-id — (Optional) Displays the opaque-area Type 10 information for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the opaque-area Type 10 information for an OSPF process ID corresponding to a VRF.
● Advertising Router — Identifies the advertising router’s ID.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
● Opaque Type — Identifies the Opaque type field, the first 8 bits of the LS ID.
● Opaque ID — Identifies the Opaque type-specific ID, the remaining 24 bits of the LS ID.
Example
Advertising Router: 2.2.2.2
LS Seq Number: 0x80000007
Checksum: 0x9DA1
Length: 28
Opaque Type: 8
Opaque ID: 65793
Supported Releases 10.2.0E or later
show ip ospf database router Displays information about the router Type 1 LSA.
Syntax show ip ospf process-id [vrf vrf-name] database router
Parameters
● process-id — (Optional) Displays the router Type 1 LSA for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
TOS 0 Metric: 1
Link connected to: a Transit Network
(Link ID) Designated Router address: 111.2.1.1
(Link Data) Router Interface address: 111.2.1.1
Number of TOS metric: 0
TOS 0 Metric: 1
Supported Releases 10.2.0E or later
show ip ospf database summary Displays the network summary Type 3 LSA routing information.
Syntax show ip ospf [process-id] [vrf vrf-name] database summary
Parameters
● process-id—(Optional) Displays LSA information for a specific OSPF process ID.
show ip ospf interface Displays the configured OSPF interfaces. You must enable OSPF to display output. Syntax show ip ospf interface [process-id] [vrf vrf-name] interface or show ip ospf [process-id] [vrf vrf-name] interface [interface] Parameters ● process-id — (Optional) Displays information for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays information for an OSPF instance corresponding to a VRF.
show ip ospf statistics Displays OSPF traffic statistics.
Syntax show ip ospf [instance-number] [vrf vrf-name] statistics [interface interface]
Parameters
● instance-number — (Optional) Enter an OSPF instance number, from 1 to 65535.
● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to display OSPF traffic statistics corresponding to that VRF.
Parameters ● process-id — (Optional) Displays OSPF process information. If you do not enter a process ID, this applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the routers in the directly connected OSPF areas in the configured VRF. Default Not configured Command Mode EXEC Usage Information The “E” flag output indicates the router listed is an ASBR. The “B” flag indicates that the router listed is an ABR.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# timers lsa arrival 2000
Supported Releases 10.2.0E or later
timers spf Enables shortest path first (SPF) throttling to delay an SPF calculation when a topology change occurs.
Syntax timers spf [start-time [hold-time [max-wait]]]
Parameters
● start-time — Sets the initial SPF delay in milliseconds, from 1 to 600000; default 1000.
Parameters
● start-interval — Sets the minimum interval between initial sending and re-sending the same LSA in milliseconds, from 0 to 600,000.
● hold-interval — Sets the next interval to send the same LSA in milliseconds. This is the time between sending the same LSA after the start-interval is attempted, from 1 to 600,000.
● max-interval — Sets the maximum amount of time the system waits before sending the LSA in milliseconds, from 1 to 600,000.
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ipv6 ospfv3 300 area 0.0.0.0
Enable OSPFv3 in a non-default VRF instance
1. Create the non-default VRF instance in which you want to enable OSPFv3:
ip vrf vrf-name
CONFIGURATION Mode
2. Enable OSPFv3 in the non-default VRF instance that you created earlier and configure an OSPFv3 instance in VRF CONFIGURATION mode.
router ospfv3 instance-number vrf vrf-name
3.
Assign Router ID You can assign a router ID for the OSPFv3 process. Configure an arbitrary value in the IP address format for each router. Each router ID must be unique. Use the fixed router ID for the active OSPFv3 router process. Changing the router ID brings down the existing OSPFv3 adjacency. The new router ID becomes effective immediately. ● Assign the router ID for the OSPFv3 process in ROUTER-OSPFv3 mode.
ADV Router Age Seq# Fragment ID Link count Bits
-------------------------------------------------------------------
199.205.134.103 32 0x80000002 0 1
202.254.156.15 33 0x80000002 0 1 B
Net Link States (Area 0.0.0.2)
ADV Router Age Seq# Link ID Rtr count
----------------------------------------------------------
202.254.156.15 38 0x80000001 12 2
Inter Area Prefix Link States (Area 0.0.0.2)
ADV Router Age Seq# Prefix
-----------------------------------------------------------------
202.254.156.
Interface OSPFv3 Parameters To avoid routing errors, interface parameter values must be consistent across all interfaces. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. 1. Enter the interface to change the OSPFv3 parameters in CONFIGURATION mode. interface interface-name 2. Change the cost associated with OSPFv3 traffic on the interface in INTERFACE mode, from 1 to 65535.
Default route You can generate an external default route and distribute the default information to the OSPFv3 routing domain. ● Generate the default route, using the default-information originate [always] command in ROUTER-OSPFv3 mode.
○ sha1 — Enable secure hash algorithm 1 (SHA-1) authentication. ○ key — Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.
Configure IPsec authentication for OSPFv3 area
Prerequisite: Before you enable IPsec authentication for an OSPFv3 area, enable OSPFv3 globally on the router.
● Enable IPsec authentication for OSPFv3 packets in an area in Router-OSPFv3 mode.
area area-id authentication ipsec spi number {MD5 | SHA1} key
○ area area-id — Enter an area ID as a number or IPv6 prefix.
○ ipsec spi number — Enter a unique security policy index (SPI) value, from 256 to 4294967295.
area 0.0.0.1 encryption ipsec spi 401 esp des 1234567812345678 md5 12345678123456781234567812345678
Troubleshoot OSPFv3
You can troubleshoot OSPFv3 operations and check questions for typical issues that interrupt a process.
Usage Information ● Before you enable IPsec authentication for an OSPFv3 area, you must enable OSPFv3 globally on each router. ● All OSPFv3 routers in the area must share the same authentication key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.
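The key-length and SPI rules above can be checked before a change is pushed. The following Python linter is an added example, not part of the Dell EMC guide: it validates `area ... authentication ipsec` lines and confirms that every router in an area carries the same settings. Assumptions: the config text uses the command form shown in this guide; the function names, the sample configs, the repeated-pattern heuristic and the SPI comparison across routers are this example's own.

```python
import re
from collections import defaultdict

SPI_MIN, SPI_MAX = 256, 4294967295         # SPI range stated in the guide
KEY_HEX_DIGITS = {"md5": 32, "sha1": 40}   # key lengths stated in the guide

# area area-id authentication ipsec spi number {MD5 | SHA1} key
AUTH_RE = re.compile(
    r"^\s*area\s+(?P<area>\S+)\s+authentication\s+ipsec\s+spi\s+(?P<spi>\S+)"
    r"\s+(?P<alg>\S+)\s+(?P<key>\S+)\s*$",
    re.IGNORECASE,
)


def parse_auth_lines(text):
    """Return (line_number, area, spi, alg, key) for every area IPsec auth line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = AUTH_RE.match(line)
        if m:
            entries.append((lineno, m["area"], m["spi"], m["alg"].lower(), m["key"]))
    return entries


def has_short_period(key, max_period=8):
    """Added heuristic (not an OS10 rule): the key is one short block repeated."""
    return any(
        len(key) % p == 0 and key == key[:p] * (len(key) // p)
        for p in range(1, max_period + 1)
    )


def lint_router(text):
    """Check one router's config. Findings never echo the key itself."""
    findings, seen_spi = [], {}
    for lineno, area, spi, alg, key in parse_auth_lines(text):
        if not spi.isdecimal() or not SPI_MIN <= int(spi) <= SPI_MAX:
            findings.append((lineno, f"SPI {spi} outside {SPI_MIN}-{SPI_MAX}"))
        elif spi in seen_spi:
            findings.append((lineno, f"SPI {spi} already used on line {seen_spi[spi]}"))
        else:
            seen_spi[spi] = lineno
        want = KEY_HEX_DIGITS.get(alg)
        if want is None:
            findings.append((lineno, f"unknown algorithm {alg!r}"))
        elif len(key) != want or not re.fullmatch(r"[0-9a-fA-F]+", key):
            findings.append((lineno, f"{alg} key must be {want} hex digits"))
        elif has_short_period(key.lower()):
            findings.append((lineno, "key is a short repeated pattern"))
    return findings


def check_area_consistency(configs):
    """configs: {router_name: config_text}. Return areas whose routers disagree.

    The guide requires a shared key per area; comparing the SPI as well is an
    assumption of this example (manually keyed SAs need matching SPIs).
    Area IDs are compared as written, without normalising 1 to 0.0.0.1.
    """
    per_area = defaultdict(dict)
    for router, text in configs.items():
        for _, area, spi, alg, key in parse_auth_lines(text):
            per_area[area][router] = (spi, alg, key.lower())
    return [
        (area, sorted(by_router))
        for area, by_router in sorted(per_area.items())
        if len(set(by_router.values())) > 1
    ]


# Constructed sample configs (not from the guide); all keys are made-up values.
R1 = """\
router ospfv3 10
 area 0.0.0.1 authentication ipsec spi 400 md5 12345678123456781234567812345678
 area 0.0.0.2 authentication ipsec spi 401 sha1 9f3c1a7be04d5268c1f07a93de45b86210aa7c3e
 area 0.0.0.3 authentication ipsec spi 100 sha1 9f3c1a7be04d5268c1f07a93de45b862
"""
R2 = """\
router ospfv3 10
 area 0.0.0.2 authentication ipsec spi 401 sha1 9f3c1a7be04d5268c1f07a93de45b86210aa7c3f
"""

if __name__ == "__main__":
    for name, cfg in (("R1", R1), ("R2", R2)):
        for lineno, msg in lint_router(cfg):
            print(f"{name}:{lineno}: {msg}")
    for area, routers in check_area_consistency({"R1": R1, "R2": R2}):
        print(f"area {area}: settings differ between {', '.join(routers)}")
```

Run it against saved configurations from every router in an area; a mismatch reported by `check_area_consistency` corresponds to routers that cannot exchange OSPFv3 information in that area.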
● no-summary—(Optional) Prevents an ABR from sending summary LSAs into the stub area. Default Not configured Command Mode ROUTER-OSPFv3 Usage Information The no version of this command deletes a stub area. Example Supported Releases OS10(config)# router ospfv3 10 OS10(conf-router-ospfv3-10)# area 10.10.1.5 stub 10.3.0E or later auto-cost reference-bandwidth Calculates default metrics for the interface based on the configured auto-cost reference bandwidth value.
clear ipv6 ospf statistics Clears OSPFv3 traffic statistics. Syntax clear ipv6 ospf [instance-number] [vrf vrf-name] statistics Parameters ● instance-number — (Optional) Enter an OSPFv3 instance number, from 1 to 65535. ● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to clear OSPFv3 statistics in that VRF.
ipv6 ospf area Attaches an interface to an OSPF area. Syntax ipv6 ospf process-id area area-id Parameters ● process-id—Enter an OSPFv3 process ID for a specific OSPFv3 process, from 1 to 65535. ● area-id—Enter the OSPFv3 area ID in dotted decimal A.B.C.D format or enter an area ID number, from 1 to 65535. Default Not configured Command Mode INTERFACE Usage Information The no version of this command removes an interface from an OSPFv3 area.
ipv6 ospf cost Changes the cost associated with the OSPFv3 traffic on an interface Syntax ipv6 ospf cost cost Parameters cost — Enter a value as the OSPFv3 cost for the interface, from 1 to 65335. Default Based on bandwidth reference Command Mode INTERFACE Usage Information If not configured, the interface cost is based on the auto-cost command. This command configures OSPFv3 over multiple vendors to ensure that all routers use the same cost value.
Usage Information Example ● Before you enable IPsec authentication on an OSPFv3 interface, you must enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area. ● When you configure encryption on an interface, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an interface for IPsec authentication using the ipv6 ospf authentication ipsec command.
To remove a neighborship after it is formed using the ipv6 ospf mtu-ignore command, use the clear ipv6 ospf process command. Example Supported Releases OS10(conf-if-eth1/1/17)# ipv6 ospf mtu-ignore 10.5.1.0 or later ipv6 ospf network Sets the network type for the interface. Syntax ipv6 ospf network {point-to-point | broadcast} Parameters ● point-to-point — Sets the interface as part of a point-to-point network. ● broadcast — Sets the interface as part of a broadcast network.
Parameters number — Enter a router priority number, from 0 to 255. Default 1 Command Mode INTERFACE Usage Information When two routers attached to a network attempt to become the DR, the one with the higher router priority takes precedence. The no version of this command resets the value to the default. Example Supported Releases OS10(config)# interface ethernet 1/1/6 OS10(conf-if-eth1/1/6)# ipv6 ospf priority 4 10.3.
Parameters ● as-number — Enter an autonomous number to redistribute BGP routing information throughout the OSPFv3 instance, from 1 to 4294967295. ● route-map name — Enter the name of a configured route-map. ● connected — Enter the information from the connected active routes on interfaces to redistribute. ● static — Enter the information from static routes on interfaces to redistribute.
Supported Releases 10.3.0E or later show ipv6 ospf Displays OSPFv3 instance configuration information. Syntax show ipv6 ospf [instance-number] Parameters instance-number — (Optional) View OSPFv3 information for a specified instance number, from 1 to 65535. Default None Command Mode EXEC Usage Information None Example Supported Releases OS10# show ipv6 ospf Routing Process ospfv3 200 with ID 1.1.1.
● ● ● ● Example Supported Releases Rtr Count—Displays the router count. Dest RtrID—Displays the destination router ID. Interface—Displays the interface type. Prefix—Displays the prefix details. OS10# show ipv6 ospf database OSPF Router with ID (10.0.0.2) (Process ID 200) Router Link States (Area 0.0.0.0) ADV Router Age Seq# Fragment ID Link count Bits ------------------------------------------------------------------1.1.1.1 1610 0x80000144 0 1 B 2.2.2.2 1040 0x8000013A 0 1 10.0.0.
Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2(Designated Router) Supported Releases 10.3.0E or later show ipv6 ospf neighbor Displays a list of OSPFv3 neighbors connected to the local router. Syntax show ipv6 ospf [vrf vrf-name] neighbor Parameters ● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to display a list of OSPFv3 neighbors in that VRF.
rx-ls-ack 0 rx-ls-ack-bytes 0 Transmit Statistics tx-hello 1054 tx-hello-bytes 37944 tx-db-des 0 tx-db-des-bytes 0 tx-ls-req 0 tx-ls-req-bytes 0 tx-ls-upd 0 tx-ls-upd-bytes 0 tx-ls-ack 0 tx-ls-ack-bytes 0 Error packets (Receive statistics) bad-src 0 dupe-id 0 hello-err 0 mtu-mismatch 0 nbr-ignored 0 resource-err 0 bad-lsa-len 0 lsa-bad-type 0 lsa-bad-len 0 lsa-bad-cksum 0 hello-tmr-mismatch 0 dead-ivl-mismatch 0 options-mismatch 0 nbr-admin-down 0 own-hello-drop 0 self-orig 0 wrong-length 0 version-mismatch
Supported Releases 10.4.0E(R1) or later Object tracking manager OTM allows you to track the link status of Layer 2 (L2) interfaces, and the reachability of IPv4 and IPv6 hosts. You can increase the availability of the network and shorten recovery time if an object state goes Down. Object tracking monitors the status of tracked objects and communicates any changes made to interested client applications. OTM client applications are virtual router redundancy protocol (VRRP) and policy-based routing (PBR).
Interface tracking You can create an object that tracks the line-protocol state of an L2 interface, and monitors its operational up or down status. You can configure up to 500 objects. Each object is assigned a unique ID. When the link-level status goes down, the tracked resource status is also considered Down. If the link-level status goes up, the tracked resource status is also considered Up.
1. Configure object tracking in CONFIGURATION mode.
track object-id
2. Enter the host IP address for reachability of an IPv4 or IPv6 route in OBJECT TRACKING mode.
[ip | ipv6] host-ip-address reachability
3. Configure the time delay used before communicating a change in the status of a tracked route in OBJECT TRACKING mode.
delay [up seconds] [down seconds]
4. Track the host by checking the reachability periodically in OBJECT TRACKING mode.
reachability-refresh interval
5.
View tracked objects You can view the status of currently tracked L2 or L3 interfaces, or the IPv4 or IPv6 hosts. View brief object tracking information OS10# show track brief TrackID Resource Parameter Status LastChange --------------------------------------------------------------------------------1 line-protocol ethernet1/1/1 DOWN 2017-02-03T08:41:25Z1 2 ipv4-reachablity 1.1.1.
Example Supported Releases OS10(conf-track-100)# delay up 200 down 100 10.3.0E or later interface line-protocol Configures an object to track a specific interface's line-protocol status. Syntax interface interface line-protocol Parameters interface — Enter the interface information: ● ● ● ● ● ethernet — Physical interface. port-channel — Enter the port-channel identifier. vlan — Enter the VLAN identifier. loopback — Enter the Loopback interface identifier. mgmt — Enter the Management interface.
Usage Information None Example Supported Releases OS10(config)# track 200 OS10(conf-track-200)# ipv6 10::1 reachability 10.3.0E or later reachability-refresh Configures a polling interval for reachability tracking. Syntax reachability-refresh interval Parameters interval — Enter the polling interval value. A maximum of 3600 seconds. Defaults 0 seconds Command Mode CONFIGURATION Usage Information Set the interval to 0 to disable the refresh.
track Configures and manages tracked objects. Syntax track object-id Parameters object-id — Enter the object ID to track. A maximum of 500. Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes the tracked object from an interface. Example Supported Releases OS10# track 100 10.3.
Configure IPv6 access-list to match route-map OS10(config)# ipv6 access-list acl8 OS10(conf-ipv6-acl)# permit ipv6 10::10 any Set address to match route-map You can set an IPv4 or IPv6 address to match a route-map. 1. Enter the IPv4 or IPv6 address to match and specify the access-list name in Route-Map mode. match {ip | ipv6} address access-list-name 2. Set the next-hop IP address in Route-Map mode.
Verify IPv4 PBR configuration OS10# show ip policy abc Interface Route-map ----------------------ethernet1/1/1 abc ethernet1/1/3 abc vlan100 abc Verify IPv6 PBR configuration OS10# show ipv6 policy abc Interface Route-map ------------------------ethernet1/1/1 abc ethernet1/1/3 abc vlan100 abc View current PBR statistics show route-map pbr-sample pbr-statistics route-map pbr-sample, permit, sequence 10 Policy routing matches: 84 packets Policy-based routing per VRF Configure PBR per VRF instance for both IP
NOTE: If the next-hop is reachable on the specified VRF instance, the packet is redirected; otherwise, the packet follows the regular routing flow. 6. Apply the route-map to the interface. interface interface-type {ip | ipv6} policy route-map route-map-name 7. View the route-map information. show route-map OS10(conf-if-vl-40)# do show route-map route-map test, permit, sequence 10 Match clauses: ip address (access-lists): acl1 Set clauses: ip vrf red next-hop 1.1.1.
● Create a VLAN and assign an IP address to it which acts as the gateway for the hosts in the VM. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown OS10(conf-if-vl-100)# ip address 10.1.1.1/24 OS10(conf-if-vl-100)# exit ● Create another VLAN, and assign an IP address to it. OS10# configure terminal OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# no shutdown OS10(conf-if-vl-200)# ip address 10.2.1.1/24 OS10(conf-if-vl-200)# exit VLT configuration 1.
Apply the policy on the traffic ingress interface and the VLTi interfaces of both VLT peers. OS10(config)# ip access-list PBR-A2C OS10(conf-ipv4-acl)# permit ip 10.10.10.0/24 any OS10(config-ipv4-acl)# exit OS10(config)# route-map Map1 OS10(conf-route-map)# match ip address PBR-A2C OS10(conf-route-map)# set ip next-hop 10.10.20.
PBR configuration Apply the policy on the VLTi interfaces of both VLT peers. OS10(config)# ip access-list PBR-A2C OS10(conf-ipv4-acl)# permit ip 10.10.10.0/24 any OS10(conf-route-map)# route-map Map1 OS10(conf-route-map)# match ip address PBR-A2C OS10(conf-route-map)# set ip next-hop 10.10.20.10 OS10(conf-route-map)# exit OS10(config)# interface ethernet 1/1/4-1/1/6 OS10(conf-if-eth1/1/4-1/1/6)# ip policy route-map Map1 Sample configuration Consider a scenario where traffic from source IP address 1.1.1.
Track route reachability
Track IPv4 or IPv6 reachability using object tracking. To configure tracking over the routes that are reachable through a VRF instance:
1. Configure object tracking.
track track-id
OS10(config)# track 200
2. Configure reachability of the next-hop address through the VRF instance.
ip ip-address reachability vrf vrf-name
OS10(conf-track-200)#
OS10(conf-track-200)# ip 1.1.1.1 reachability vrf red
OS10(conf-track-200)#exit
3. Configure the route-map.
● Create an ACL and define what should be enabled for PBR processing.
ip access-list TEST-ACL
 seq 10 permit tcp any any eq 80
 seq 20 permit tcp any any eq 443
 seq 30 permit tcp any any eq 21
 seq 40 permit icmp any any
● Create an ACL and define what should be excluded from PBR processing.
ip access-list TEST-ACL-DENY
 seq 10 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 80
 seq 20 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 443
 seq 30 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 21
 seq 40 permit icmp 10.99.0.0/16 10.0.0.
route-map test, permit, sequence 10 Match clauses: ip address (access-lists): acl1 Set clauses: ip vrf red next-hop 1.1.1.1 track-id 200 ! PBR commands clear route-map pbr-statistics Clears all PBR counters. Syntax clear route-map [map-name] pbr-statistics Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters. Defaults None Command Mode EXEC Usage Information None Example Supported Releases OS10# clear route-map map1 pbr-statistics 10.3.
Example Supported Releases OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ip policy route-map map1 10.3.0E or later route-map pbr-statistics Enables counters for PBR statistics. Syntax route-map [map-name] pbr-statistics Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters. Defaults Not configured Command Mode CONFIGURATION Usage Information None Example Supported Releases OS10(config)# route-map map1 pbr-statistics 10.3.
set next-hop track Tracks the next-hop IPv4 or IPv6 address object. Syntax set {ip | ipv6} vrf [vrf-name] next-hop address track track-id Parameters ● address—Enter an IPv4 or IPv6 address. ● vrf vrf-name — Enter the keyword vrf, then the name of the VRF to track the next-hop reachable through that VRF. ● track-id—(Optional) Enter the track ID of the PBR object.
Example Supported Releases OS10# show route-map map1 pbr-statistics 10.3.0E or later Virtual Router Redundancy Protocol VRRP allows you to form virtual routers from groups of physical routers on your local area network (LAN). These virtual routing platforms—master and backup pairs—provide redundancy during hardware failure. VRRP also allows you to easily configure a virtual router as the default gateway to all your hosts. It also avoids the single point of failure of a physical router.
The example shows a typical network configuration using VRRP. Instead of configuring the hosts on network 10.10.10.0 with the IP address of either Router A or Router B as the default router, the default router of all hosts is set to the IP address of the virtual router. When any host on the LAN segment requests Internet access, it sends packets to the IP address of the virtual router.
interface ethernet 1/1/5 ip address 10.10.10.1/24 ! vrrp-group 254 no shutdown ... Group version Configure a VRRP version for the system. Define either VRRPv2 — vrrp version 2 or VRRPv3 — vrrp version 3. ● Configure the VRRP version for IPv4 in INTERFACE mode. vrrp version Configure VRRP version 3 OS10(config)# vrrp version 3 1. Set the switch with the lowest priority to vrrp version 2. 2. Set the switch with the highest priority to vrrp version 3. 3. Set all switches from vrrp version 2 to vrrp version 3.
1. Configure a VRRP group in INTERFACE mode, from 1 to 255. vrrp-group vrrp-id 2. Configure virtual IP addresses for this VRRP ID in INTERFACE-VRRP mode. A maximum of 10 IP addresses. virtual-address ip-address1 [...ip-address10] Configure virtual IP address OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24 OS10(conf-if-eth1/1/1)# vrrp-group 10 OS10(conf-eth1/1/1-vrid-10)# virtual-address 10.1.1.
Configure virtual IP address in a VRF You can configure a VRRP group in a non-default VRF instance and assign a virtual address to this group. To configure VRRP under a specific VRF: 1. Create the non-default VRF in which you want to configure VRRP. ip vrf vrf-name CONFIGURATION Mode 2. In the VRF Configuration mode, enter the desired interface. interface interface-id VRF CONFIGURATION Mode 3. Remove the interface from L2 switching mode. no switchport INTERFACE CONFIGURATION Mode 4.
Set VRRP group priority OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# vrrp-group 254 OS10(conf-eth1/1/5-vrid-254)# priority 200 Verify VRRP group priority OS10(conf-eth1/1/5-vrid-254)# do show vrrp 254 Interface : ethernet1/1/5 IPv4 VRID : 254 Primary IP Address : 10.1.1.1 State : master-state Virtual MAC Address : 00:00:5e:00:01:01 Version : version-3 Priority : 200 Preempt : Hold-time : Authentication : no-authentication Virtual IP address : 10.1.1.
You must configure all virtual routers in the VRRP group with the same settings. Configure all routers with preempt enabled or configure all with preempt disabled. 1. Create a virtual router for the interface with the VRRP identifier in INTERFACE mode, from 1 to 255. vrrp-group vrrp-id 2. Prevent any backup router with a higher priority from becoming the Master router in INTERFACE-VRRP mode.
Change advertisement interval OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# vrrp-group 1 OS10(conf-eth1/1/1-vrid-1)# advertise-interval centisecs 200 View running configuration OS10(conf-eth1/1/1-vrid-1)# do show running-configuration ! Version 10.1.9999P.2281 ! Last configuration change at Jul 26 12:22:33 2016 ! aaa authentication system:local ! interface ethernet1/1/1 ip address 10.1.1.
Configure interface tracking OS10(config)# track 10 OS10(conf-track-10)# interface ethernet 1/1/7 line-protocol View running configuration OS10(conf-track-10)# do show running-configuration ! Version 10.1.9999P.2281 ! Last configuration change at Jul 27 03:24:01 2016 ! aaa authentication system:local ! interface ethernet1/1/1 ip address 10.1.1.1/16 no switchport no shutdown ! vrrp-group 1 priority 200 virtual-address 10.1.1.
● centisecs centisecs — (Optional) Enter a value in multiples of 25, from 25 to 4075. Default 1 second or 100 centisecs Command Mode INTERFACE-VRRP Usage Information Dell EMC recommends keeping the default setting for this command. If you change the time interval between VRRP advertisements on one router, change it on all routers. The no version of this command sets the VRRP advertisements timer interval back to its default value, 1 second or 100 centisecs.
Parameters number — Enter a priority value, from 1 to 254. Default 100 Command Mode INTERFACE-VRRP Usage Information To guarantee that a VRRP group becomes master, configure the priority of the VRRP group to 254, which is the highest priority. OS10 does not support priority 255. The no version of this command resets the value to the default of 100. Example Supported Releases OS10(conf-eth1/1/5-vrid-254)# priority 200 10.2.0E or later show vrrp Displays VRRP group information.
track Assigns a unique identifier to track an object. Syntax track track-id [priority cost [value]] Parameters ● track-id — Enter the object tracking resource ID number, from 1 to 500. ● priority cost value — (Optional) Enter a cost value to subtract from the priority value, from 1 to 254. Default 10 Command Mode INTERFACE-VRRP Usage Information If you disable the interface, the cost value subtracts from the priority value and forces a new master election.
● ip-address2...ip-address10 — (Optional) Enter up to nine additional IP addresses of virtual routers, separated by a space. The IP addresses must be on the same subnet as the interface’s primary IP address. Default Enabled Command Mode INTERFACE-VRRP Usage Information The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address. When you delete the virtual address, the VRRP group stops sending VRRP packets.
vrrp-ipv6-group Assigns a VRRP group identification number to an IPv6 interface. Syntax vrrp-ipv6-group vrrp-id Parameters vrrp-id — Enter a VRRP group identification number, from 1 to 255. Default Not configured Command Mode INTERFACE-VRRP Usage Information The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address. When you delete the virtual address, the VRRP group stops sending VRRP packets.
14 Multicast Multicast is a technique that allows networking devices to send data to a group of interested receivers in a single transmission. For instance, this technique is widely used for streaming videos. Multicast allows you to more efficiently use network resources, specifically for bandwidth-consuming services such as audio and video transmission.
NOTE: Layer 3 (L3) PIM and IGMP multicast is not supported on the S3048-ON switch. IGMP and Multicast Listener Discovery (MLD) snooping is supported on all switches. Configure multicast routing Configuring multicast routing is a two-step process that involves configuring multicast routing and enabling PIM sparse mode (PIM-SM) on a Layer 3 (L3) interface. The following procedure describes how to configure multicast routing.
With multicast flood control, multicast frames, whose destination is not known, are forwarded only to the designated mrouter port. OS10 learns of the mrouter interface dynamically based on the interface where an IGMP membership query is received. You can also statically configure the mrouter interface using the ip igmp snooping mrouter and ipv6 mld snooping mrouter commands.
Enable multicast flood control Multicast flood control is enabled on OS10 by default. If it is disabled, use the following procedure to enable multicast flood control: 1. Configure IGMP snooping. To know how to configure IGMP snooping, see the IGMP snooping section. 2. Configure MLD snooping. To know how to configure MLD snooping, see the MLD Snooping section. 3. Enable the multicast flood control feature.
● Multicast address-and-source-specific query—To learn if any of the sources from the specified list for a multicast source has any listeners.
When the IGMP querier receives a leave message, it sends a group-specific query message to check whether any other host in the network is interested in the multicast flow. By default, the group-specific query messages are sent every 1000 milliseconds. You can configure this value using the ip igmp last-member-query-interval command.
To view IGMP-enabled interfaces: OS10# show ip igmp interface Vlan103 is up, line protocol is up Internet address is 2.1.1.2 IGMP is enabled on interface IGMP version is 3 IGMP query interval is 60 seconds IGMP querier timeout is 130 seconds IGMP last member query response interval is 1000 ms IGMP max response time is 10 seconds IGMP immediate-leave is disabled on this interface IGMP joins count: 0 IGMP querying router is 2.1.1.1 Vlan105 is up, line protocol is up Internet address is 3.1.1.
NOTE: OS10 supports IGMP snooping only with proxy reporting. OS10 does not relay the IGMP join packets received from hosts as is. Instead, OS10 generates, bundles, and sends IGMP join packets to mrouter port based on the version of IGMP queries received from IGMP routers. Proxy reporting reduces the number of IGMP control packets sent to the multicast router.
View IGMP snooping information OS10# show ip igmp snooping groups Total Number of Groups: 480 IGMP Connected Group Membership Group Address Interface Mode 225.1.0.0 vlan3531 IGMPv2-Compat Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 225.1.0.1 vlan3531 IGMPv2-Compat Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 225.1.0.2 vlan3531 IGMPv2-Compat Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 225.1.0.
Supported Releases 10.4.3.0 or later ip igmp immediate-leave Enables IGMP immediate leave. Syntax ip igmp immediate-leave Parameters None Default None Command Mode INTERFACE Usage Information The querier sends some group-specific queries when it receives a leave message before deleting the group from the membership database. If you need to immediately delete a group from the membership database, use the ip igmp immediate-leave command. The no version of this command disables IGMP immediate leave.
Usage Information Example Supported Releases None OS10# configure terminal OS10# interface vlan12 OS10(conf-if-vl-12)# ip igmp query-interval 60 10.4.3.0 or later ip igmp query-max-resp-time Configures the maximum query response time advertised in general queries. Syntax ip igmp query-max-resp-time seconds Parameters seconds—Enter the amount of time in seconds, from 1 to 25.
Usage Information Example Supported Releases When you enable IGMP snooping globally, the configuration applies to all VLAN interfaces. You can disable IGMP snooping on specified VLAN interfaces. The no version of this command disables IGMP snooping on the specified VLAN interface. OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no ip igmp snooping 10.4.0E(R1) or later ip igmp snooping fast-leave Enables fast leave in IGMP snooping for specified VLAN.
Usage Information Example Supported Releases The no version of this command removes the multicast router configuration from the VLAN member port. OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip igmp snooping mrouter interface ethernet 1/1/1 10.4.0E(R1) or later ip igmp snooping querier Enables IGMP querier processing for the specified VLAN interface.
Usage Information The no version of this command resets the query response time to default value. Example Supported Releases OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip igmp snooping query-max-resp-time 15 10.4.1.0 or later ip igmp version Configures IGMP version. Syntax ip igmp version version-number Parameters version-number—Enter the version number as 2 or 3.
show ip igmp snooping groups Displays IGMP snooping group membership details. Syntax show ip igmp snooping groups [detail | [vlan vlan-id [detail | ip-address]]] Parameters ● vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093. ● detail—(Optional) Enter detail to display the IGMPv3 source information. ● ip-address—(Optional) Enter the IP address of the multicast group.
225.1.0.2 00:01:30 Member-ports 225.1.0.3 00:01:30 Member-ports 225.1.0.4 00:01:30 Member-ports 225.1.0.5 00:01:30 Member-ports 225.1.0.6 00:01:30 Member-ports 225.1.0.7 00:01:30 Member-ports 225.1.0.8 00:01:30 Member-ports 225.1.0.9 00:01:30 Member-ports 225.1.0.
ethernet1/1/52:1 Include Interface vlan3041 Group 232.11.0.2 Source List 101.41.0.21 Member Port Mode port-channel51 Include --more-Example (with VLAN and multicast IP address) Supported Releases 1d:20:26:08 00:01:46 Uptime 1d:20:26:07 Expires 00:01:41 OS10# show ip igmp snooping groups vlan 3041 232.11.0.0 detail Interface vlan3041 Group 232.11.0.0 Source List 101.41.0.
IGMP snooping is enabled on interface IGMP snooping query interval is 60 seconds IGMP snooping querier timeout is 130 seconds IGMP snooping last member query response interval is 1000 ms IGMP Snooping max response time is 10 seconds IGMP snooping fast-leave is disabled on this interface IGMP snooping querier is disabled on this interface Multicast snooping flood-restrict is enabled on this interface Vlan3 is up, line protocol is up IGMP version is 3 IGMP snooping is enabled on interface IGMP snooping query
vlan3035    port-channel31
vlan3036    port-channel31
vlan3037    port-channel31
vlan3038    port-channel31
vlan3039    port-channel31
vlan3040    port-channel31
vlan3041    port-channel31
vlan3042    port-channel31
vlan3043    port-channel31
vlan3044    port-channel31
vlan3045    port-channel31
vlan3046    port-channel31
vlan3047    port-channel31
vlan3048    port-channel31
vlan3049    port-channel31
vlan3050    port-channel31
vlan3051    port-channel31
vlan3052    port-channel31
--more--
● (Optional) Configure the time interval for sending MLD general queries with the ipv6 mld snooping query-interval query-interval-time command in VLAN INTERFACE mode. ● (Optional) Configure the maximum time for responding to a query advertised in MLD queries using the ipv6 mld snooping query-max-resp-time query-response-time command in VLAN INTERFACE mode.
MLD snooping fast-leave is disabled on this interface MLD snooping querier is disabled on this interface OS10# show ipv6 mld snooping interface vlan 2 Vlan2 is up, line protocol is up MLD version is 2 MLD snooping is enabled on interface MLD snooping query interval is 60 seconds MLD snooping querier timeout is 130 seconds MLD snooping last member query response interval is 1000 ms MLD snooping max response time is 10 seconds MLD snooping fast-leave is disabled on this interface MLD snooping querier is disab
ipv6 mld snooping fast-leave Enables fast leave in MLD snooping for specified VLAN. Syntax ipv6 mld snooping fast-leave Parameters None Default Disabled Command Mode VLAN INTERFACE Usage Information The fast leave option allows the MLD snooping switch to remove an interface from the multicast group immediately on receiving the leave message. The no version of this command disables the fast leave functionality.
ipv6 mld snooping querier Enables MLD querier on the specified VLAN interface. Syntax ipv6 mld snooping querier Parameters None Default Not configured Command Mode VLAN INTERFACE Usage Information The no version of this command disables the MLD querier on the VLAN interface. Example Supported Releases OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ipv6 mld snooping querier 10.4.1.0 or later ipv6 mld snooping query-interval Configures the time interval for sending MLD general queries.
ipv6 mld version Configures the MLD version. Syntax ipv6 mld version version-number Parameters version-number—Enter the version number as 1 or 2. Default 2 Command Mode VLAN INTERFACE Usage Information The no version of this command resets the version number to the default value. Example Supported Releases OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ipv6 mld version 1 10.4.1.0 or later show ipv6 mld snooping groups Displays MLD snooping group membership details.
Compat 00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:2::2 vlan3532 MLDv1Compat 00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ethernet1/1/52:1 Include 2d:11:50:36 00:01:25 Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expires 00:01:29 00:01:25 00:01:38 OS10# show ipv6 mld snooping groups vlan 3041 detail Interface vlan3041 Group ff02::2 Source List -Member Port Mode Uptime port-channel31 Exclude 2d:11:57:08 Expires 00:01:44 Interface vlan3041 Group ff3e:232:b:: Source List 2001:101:29::1b Member Port Mode port-channel31 Include ethernet1/1/51:1 Include ethernet1/1/52:1 Include Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expi
Example
OS10# show ipv6 mld snooping interface vlan 3031
Vlan3031 is up, line protocol is up
MLD version is 2
MLD snooping is enabled on interface
MLD snooping query interval is 60 seconds
MLD snooping querier timeout is 130 seconds
MLD snooping last member query response interval is 1000 ms
MLD snooping max response time is 10 seconds
MLD snooping fast-leave is disabled on this interface
MLD snooping querier is disabled on this interface
OS10# show ipv6 mld snooping interface vlan 2
Vlan2 is up, line prot
PIM terminology
Table 40. PIM terminology
Terminology | Definition
Rendezvous point (RP) | The RP is a single root node that the shared tree uses, called the rendezvous point.
(*, G) | (*, G) refers to an entry in the PIM table for a group.
(S, G) | (S, G) refers to an entry in the PIM table for a source and group on the RP tree (RPT).
(S, G, RPT) | (S, G, RPT) refers to an entry in the RP tree.
First hop router (FHR) | The FHR is the router that is directly connected to the multicast source.
You must enable PIM-SM on each of the participating interfaces. Be sure to have multicast routing enabled on the system. To do this, use the ip multicast-routing command from CONFIGURATION mode.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip pim sparse-mode

PIM-SSM
PIM-SSM uses source-based trees. A separate multicast distribution tree is built for each multicast source that sends data to a multicast group.
You can use the show ip pim ssm-range command to view the groups added in PIM-SSM configuration.
OS10# show ip pim ssm-range
Group Address / MaskLen
236.0.0.0 / 8

Configure expiry timers for S, G entries
You can configure expiry timers for S, G entries globally. The S, G entries expire in 210 seconds by default.
To view the RP for a multicast group range, use the show ip pim rp mapping command.
OS10# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 230.1.1.1/32
RP:14.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 255
expires: 00:01:53
Group(s): 231.1.1.1/32
RP: 9.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 254
expires: 00:01:54

Configure dynamic RP using the BSR mechanism
You can configure a subset of PIM routers within the domain as candidate BSRs (C-BSRs).
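The group-to-RP mappings that show ip pim rp mapping reports can be checked against the intended RP and BSR design. The following Python check is an added example, not code from the Dell guide: it parses the output layouts printed in this guide and reports mappings whose RP or advertising BSR is not the expected one. The sample output, the DESIGN table, the TRUSTED_BSRS set, and the 198.51.100.x and 239.1.1.0/24 values are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One entry of "show ip pim rp mapping". Handles both spacings shown in the
# guide ("RP:14.1.1.1" and "RP : 10.1.100.5") and the static form
# ("Group(s) : 224.0.0.0/4, Static"), which has no "Info source" line.
ENTRY_RE = re.compile(
    r"Group\(s\)\s*:\s*(?P<group>" + IPV4 + r"/\d+)(?P<static>,\s*Static)?\s+"
    r"RP\s*:\s*(?P<rp>" + IPV4 + r"),\s*v\d+"
    r"(?:\s+Info source:\s*(?P<source>" + IPV4 + r"),\s*via\s+(?P<via>\w+),"
    r"\s*priority\s+(?P<priority>\d+))?"
)


@dataclass(frozen=True)
class RpMapping:
    group: ipaddress.IPv4Network
    rp: ipaddress.IPv4Address
    static: bool
    source: Optional[ipaddress.IPv4Address]  # BSR that advertised the mapping
    via: Optional[str]
    priority: Optional[int]


def parse_rp_mappings(text):
    """Parse CLI output into RpMapping records, ignoring line wrapping."""
    flat = " ".join(text.split())
    mappings = []
    for m in ENTRY_RE.finditer(flat):
        mappings.append(RpMapping(
            group=ipaddress.ip_network(m["group"], strict=False),
            rp=ipaddress.ip_address(m["rp"]),
            static=m["static"] is not None,
            source=ipaddress.ip_address(m["source"]) if m["source"] else None,
            via=m["via"],
            priority=int(m["priority"]) if m["priority"] else None,
        ))
    return mappings


def audit_rp_mappings(mappings, design, trusted_bsrs):
    """Return (finding, group, address) tuples for mappings outside the design.

    design maps an IPv4Network group range to the set of RPs allowed for it;
    trusted_bsrs is the set of addresses allowed to appear as "Info source".
    """
    findings = []
    for m in mappings:
        allowed = set()
        for net, rps in design.items():
            if m.group.subnet_of(net):
                allowed |= rps
        if not allowed:
            findings.append(("group-outside-design", str(m.group), str(m.rp)))
        elif m.rp not in allowed:
            findings.append(("unexpected-rp", str(m.group), str(m.rp)))
        # Static mappings are configured locally, so they carry no BSR source.
        if not m.static and m.source not in trusted_bsrs:
            findings.append(("untrusted-bsr", str(m.group), str(m.source)))
    return findings


# Constructed sample: the first two entries follow the guide's example output,
# the last two are invented deviations so the audit has something to report.
SAMPLE_OUTPUT = """
PIM Group-to-RP Mappings
Group(s): 230.1.1.1/32
  RP:14.1.1.1, v2
    Info source: 42.1.1.1, via bootstrap, priority 255
         expires: 00:01:53
Group(s): 231.1.1.1/32
  RP: 9.1.1.1, v2
    Info source: 42.1.1.1, via bootstrap, priority 254
         expires: 00:01:54
Group(s) : 239.1.1.0/24
  RP : 198.51.100.7, v2
    Info source: 198.51.100.9, via bootstrap, priority 0
         expires: 00:02:10
Group(s) : 225.0.0.0/8, Static
  RP : 14.1.1.1, v2
"""

# Assumed intended design (hypothetical): group range -> allowed RPs.
DESIGN = {
    ipaddress.ip_network("230.0.0.0/8"): {ipaddress.ip_address("14.1.1.1")},
    ipaddress.ip_network("231.0.0.0/8"): {ipaddress.ip_address("9.1.1.1")},
    ipaddress.ip_network("239.0.0.0/8"): {ipaddress.ip_address("14.1.1.1")},
}
TRUSTED_BSRS = {ipaddress.ip_address("42.1.1.1")}

if __name__ == "__main__":
    for finding in audit_rp_mappings(parse_rp_mappings(SAMPLE_OUTPUT),
                                     DESIGN, TRUSTED_BSRS):
        print(finding)
```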
■ Do not use deny rules in the ACL that is used for the RP candidate; deny rules have no significance there.
To configure dynamic RP using the BSR mechanism:
1. Configure a candidate BSR using the ip pim bsr-candidate command.
OS10# configure terminal
OS10(config)# interface ethernet 1/1/9
OS10(conf-if-eth1/1/9)# ip address 10.1.1.
Next Cand_RP_advertisement in 00:00:50
RP: 10.1.2.8(loopback10)
To view RP-mapping details:
OS10# show ip pim rp mapping
Group(s) : 225.1.1.0/24
RP : 10.1.2.8, v2
Info source: 10.1.1.8, via bootstrap, priority 0
expires: 00:00:00
4. (Optional) Configure the RP timers.
OS10(config)# ip pim rp-candidate-timers loopback 10 advt-interval 10 hold-time 25
To view candidate RP details:
OS10# show ip pim bsr-router
This system is the Bootstrap Router (v2)
BSR address: 10.1.1.
Command Mode EXEC PRIVILEGE
Usage Information When you run this command on a node, it deletes:
● All the multicast routes from the PIM tree information base (TIB)
● The entire multicast route table and all the entries in the data plane
With VLT multicast routing, when you run this command on a local VLT node, it deletes:
● All the multicast routes from the local PIM TIB
● All the local mroute entries in the data plane
● The synchronized mroute entries from the VLT peer node
Example Supported Releases O
Usage Information The system advertises the IP address of the specified interface as the BSR IP address in BSR messages. The no form of the command removes the router from being the candidate BSR. Do not specify the parameters in the no form of the command.
Example
OS10# configure terminal
OS10(config)# ip pim vrf red bsr-candidate loopback 10 hash-mask-len 31 priority 11
Supported Releases 10.5.0 or later

ip pim bsr-candidate-timers
Configures the time interval between candidate BSR advertisements.
Supported Releases 10.5.0 or later

ip pim dr-priority
Changes the designated router (DR) priority for the interface.
Syntax ip pim dr-priority priority-value
Parameters priority-value—Enter a number from 0 to 4294967295.
Default 1
Command Mode INTERFACE CONFIGURATION
Usage Information The router with the highest value assigned to an interface becomes the DR. If two interfaces have the same DR priority value, the interface with the highest IP address becomes the DR.
● [override]—Overrides BSR updates with static RP for groups with the same prefix length.
Default None
Command Mode CONFIGURATION
Usage Information First hop routers use this address to send register packets on behalf of the source multicast hosts. The RP addresses are stored in the order in which they are entered. The RP is chosen based on a longer prefix match for a group. You can specify the range of group addresses for which a given node is configured as an RP.
ip pim rp-candidate-timers Configures the time interval between periodic candidate RP advertisements.
Supported Releases 10.4.3.0 or later

ip pim sparse-mode sg-expiry-timer
Enables expiry timers globally for all sources.
Syntax ip pim [vrf vrf-name] sparse-mode sg-expiry-timer seconds
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● seconds—Enter the number of seconds the S, G entries are retained. The range is from 211 to 65535 seconds.
Default 210 seconds
Command Mode CONFIGURATION
Usage Information This command configures the expiry timers for all S, G entries.
Example
OS10# show ip pim bsr-router
PIMv2 Bootstrap information
BSR address: 101.0.0.1
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:24
This system is a candidate BSR
Candidate BSR address: 104.0.0.1, priority: 99, hash mask length: 31
Next Cand_RP_advertisement in 00:00:15
RP: 104.0.0.1(loopback101)
Supported Releases 10.5.0 or later

show ip pim interface
Displays information about IP PIM-enabled interfaces.
Examples
OS10# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.1), flags: S
Incoming interface: Vlan 502
outgoing interface list:
Vlan 2002 (S)
(2.2.2.2, 225.1.1.1), flags: S
Incoming interface: Vlan 501
outgoing interface list:
Vlan 1000, Vlan 2003 (S)
OS10# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan105
Outgoing interface list :
vlan121
(101.1.1.10,225.1.1.
show ip pim rp
Displays brief information about all multicast group to RP mappings.
Syntax show ip pim [vrf vrf-name] rp [mapping | group-address]
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● mapping—Enter the keyword mapping to display the multicast groups to RP mapping and information about how RP is learned.
● group-address—Enter the multicast group address mask in dotted-decimal format to view the RP for a specific group (A.B.C.D).
Example
OS10# show ip pim ssm-range
Group Address / MaskLen
224.1.1.1 / 32
Supported Releases 10.4.3.0 or later

show ip pim summary
Displays PIM summary.
Syntax show ip pim [vrf vrf-name] summary
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
show ip pim tib
Displays the PIM tree information base (TIB).
Syntax show ip pim [vrf vrf-name] tib [group-address [source-address]]
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● group-address—Enter the group address in dotted-decimal format (A.B.C.D).
● source-address—Enter the source address in dotted-decimal format (A.B.C.D).
Usage Information Example Supported Releases PIM uses unicast routing to check the multicast source reachability. PIM examines the distance of each route. The route with the shortest distance is the one that PIM selects for reachability. OS10# show ip rpf RPF information for 101.1.1.10 RPF interface: vlan103 RPF neighbor: 2.1.1.1 RPF route/mask: 101.1.1.0/255.255.255.0 RPF type: Unicast RPF information for 171.1.1.1 RPF interface: vlan105 RPF neighbor: 3.1.1.1 RPF route/mask: 171.1.1.0/255.255.255.
FHR(config)# interface ethernet 1/1/31
FHR(conf-if-eth1/1/31)# no switchport
FHR(conf-if-eth1/1/31)# ip address 3.3.3.2/24
FHR(conf-if-eth1/1/31)# ip pim sparse-mode
FHR(conf-if-eth1/1/31)# ip ospf 1 area 0
FHR(conf-if-eth1/1/31)# exit
FHR(config)#
FHR(config)# interface ethernet 1/1/17
FHR(conf-if-eth1/1/17)#
FHR(conf-if-eth1/1/17)# no switchport
FHR(conf-if-eth1/1/17)# ip address 2.2.2.
RP(conf-if-eth1/1/43)# exit
RP(config)#
RP(config)# interface loopback 0
RP(conf-if-lo-0)# ip address 192.168.1.25/32
RP(conf-if-lo-0)# ip ospf 1 area 0
RP(conf-if-lo-0)# exit
RP(config)# ip pim rp-address 192.168.1.25 group-address 224.0.0.0/4
RP(config)# end
RP#
RP# configure terminal
RP(config)# router ospf 1
RP(config-router-ospf-1)# end
The show ip pim interface command displays the PIM-enabled interfaces in RP.
The show ip pim interface command displays the PIM-enabled interfaces in LHR.
LHR# show ip pim interface
Address Interface Ver/Mode Nbr Count Query Intvl DR Prio DR
----------------------------------------------------------------------------
2.2.2.1 ethernet1/1/1 v2/S 1 30 1 2.2.2.2
1.1.1.1 ethernet1/1/26:1 v2/S 1 30 1 1.1.1.2
15.1.1.1 vlan2001 v2/S 0 30 1 15.1.1.1
The show ip pim neighbor command displays the PIM neighbor of LHR and the interface to reach the neighbor.
Incoming interface: ethernet1/1/31, RPF neighbor 3.3.3.2
Outgoing interface list:

IGMP and PIM states in LHR node
The show ip igmp groups command output displays the IGMP database.
LHR# show ip igmp groups
Total Number of Groups: 1
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires Last Reporter
224.1.1.1 vlan2001 IGMPv2-Compat 00:00:01 00:01:59 15.1.1.
Sample configuration on R1:
R1# configure terminal
R1(config)# ip vrf red
R1(conf-vrf)# end
R1# configure terminal
R1(config)# interface port-channel 11
R1(conf-if-po-11)# no switchport
R1(conf-if-po-11)# ip vrf forwarding red
R1(conf-if-po-11)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/6
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/
Sample configuration on R2:
R2# configure terminal
R2(config)# ip vrf red
R2(conf-vrf)# end
R2# configure terminal
R2(config)# interface vlan 2001
R2(conf-if-vl-2001)# ip vrf forwarding red
R2(conf-if-vl-2001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/40:1
R2(conf-if-eth1/1/40:1)# no ip vrf forwarding
R2(conf-if-eth1/1/40:1)# switchport mode trunk
R2(conf-if-eth1/1/40:1)# switchport trunk allowed vlan 2001
R2(conf-if-eth1/1/40:1)# end
R2# configure terminal
R2(config)# interface port-ch
R2# configure terminal
R2(config)# ip access-list test
R2(config-ipv4-acl)# permit ip any 224.1.1.0/24
R2(config-ipv4-acl)# exit
R2(config)# ip pim vrf red ssm-range test
R2(config)# end

Verify the configuration
To verify the configuration, use the following show commands on R1:
The show ip pim vrf red neighbor command displays the PIM neighbor of R1 and the interface through which the neighbor is reached.
Incoming interface: port-channel11, RPF neighbor 193.1.1.1
Outgoing interface list:
vlan2001 Forward/Sparse 00:00:06/Never
The show ip pim vrf red neighbor command displays the PIM neighbor of R2 and the interface through which the neighbor is reached.
R2# show ip pim vrf red neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
------------------------------------------------------------------------
193.1.1.
Multicast VRF sample configuration
This section describes how to configure IPv4 multicast in a non-default VRF instance using the topology shown in the following illustration. Perform the following configuration on each of the nodes, R1, R2, R3, and R4.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-vrf)# end
R2# configure terminal
R2(config)# interface vlan 1001
R2(conf-if-vl-1001)# ip vrf forwarding red
R2(conf-if-vl-1001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/21:4
R2(conf-if-eth1/1/21:4)# switchport mode trunk
R2(conf-if-eth1/1/21:4)# switchport trunk allowed vlan 1001
R2(conf-if-eth1/1/21:4)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/12:1
R2(conf-if-eth1/1/12:1)# no switchport
R2(conf-if-eth1/1/12:1)# ip vrf forwarding red
R2(conf-if-eth1/1/12:1)
R3(conf-if-eth1/1/12)# switchport trunk allowed vlan 1001
R3(conf-if-eth1/1/12)# end
R3# configure terminal
R3(config)# interface port-channel 12
R3(conf-if-po-12)# no switchport
R3(conf-if-po-12)# ip vrf forwarding red
R3(conf-if-po-12)# end
R3# configure terminal
R3(config)# interface ethernet 1/1/5
R3(conf-if-eth1/1/5)# no ip vrf forwarding
R3(conf-if-eth1/1/5)# no switchport
R3(conf-if-eth1/1/5)# channel-group 12
R3(conf-if-eth1/1/5)# end
R3# configure terminal
R3(config)# interface vlan 1001
R3(conf-if
R3(config)# ip pim vrf red rp-address 182.190.168.224 group-address 224.0.0.
R4(conf-if-po-12)# end
R4# configure terminal
R4(config)# interface Lo0
R4(conf-if-lo-0)# ip vrf forwarding red
R4(conf-if-lo-0)# ip address 4.4.4.
--------------------------------
224.1.1.1 182.190.168.224
R1# show ip pim vrf red rp mapping
Group(s) : 224.0.0.0/4, Static
RP : 182.190.168.224, v2
R1# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
Incoming interface : ethernet1/1/7
Outgoing interface list :
port-channel11

Rendezvous point (R3)
R3# show ip pim vrf red neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
---------------------------------------------------------------------------
192.
--------------------------------
224.1.1.1 182.190.168.224
R3# show ip pim vrf red tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 224.1.1.1), uptime 00:04:41, expires 00:00:00, RP 182.190.168.224, flags: S
Incoming interface: Null, RPF neighbor 0.0.0.
(*, 224.1.1.1), uptime 00:05:44, expires 00:00:15, RP 182.190.168.224, flags: SCJ
Incoming interface: port-channel12, RPF neighbor 194.1.1.1
Outgoing interface list:
vlan2001 Forward/Sparse 00:05:44/Never
(201.1.1.1, 224.1.1.1), uptime 00:02:58, expires 00:00:31, flags: CT
Incoming interface: port-channel11, RPF neighbor 193.1.1.1
Outgoing interface list:
vlan2001 Forward/Sparse 00:02:58/Never
R4# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(*, 224.1.1.
● Provides traffic resiliency in the event of a VLT node failure. The traffic is forwarded until the PIM protocol reconverges and builds a new tree.

IGMP message synchronization
VLT nodes use the VLTi link to synchronize IGMP messages across their peers. Any IGMP join message that is received on one of the VLT nodes synchronizes with the peer node. Therefore, the IGMP tables are identical in a VLT domain.
Sample configuration on core:
core# configure terminal
core(config)# ip multicast-routing
core(config)# ip pim rp-address 103.0.0.3 group-address 224.0.0.0/4
core(config)# router ospf 100
core(config-router-ospf-100)# exit
core(config)# interface ethernet 1/1/32:1
core(conf-if-eth1/1/32:1)# no shutdown
core(conf-if-eth1/1/32:1)# no switchport
core(conf-if-eth1/1/32:1)# ip address 16.0.0.
12.0.0.1 vlan12 00:01:06/00:01:43 v2 10 / S
12.0.0.2 vlan12 00:01:03/00:01:42 v2 10 / S

PIM states in core
The output of the show ip pim tib command.
core# show ip pim tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.1.1), uptime 00:04:16, expires 00:00:00, RP 103.0.0.
AG1(config)# interface ethernet 1/1/32:1
AG1(conf-if-eth1/1/32:1)# no shutdown
AG1(conf-if-eth1/1/32:1)# no switchport
AG1(conf-if-eth1/1/32:1)# ip address 16.0.0.1/24
AG1(conf-if-eth1/1/32:1)# flowcontrol receive off
AG1(conf-if-eth1/1/32:1)# ip pim sparse-mode
AG1(conf-if-eth1/1/32:1)# ip ospf 100 area 0.0.0.0
AG1(conf-if-eth1/1/32:1)# exit
AG1(config)# interface vlan 11
AG1(conf-if-vlan-11)# no shutdown
AG1(conf-if-vlan-11)# ip address 11.0.0.
The show ip igmp groups command output displays the IGMP database.
AG1# show ip igmp groups
Total Number of Groups: 1
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires Last Reporter
225.1.1.1 vlan11 Exclude 00:01:55 00:01:53 0.0.0.0
The show ip pim tib command output displays the PIM tree information base (TIB).
The show ip pim mcache command displays the multicast route entries.
AG1# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list :
vlan11
(16.0.0.10, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list :
vlan11
The show ip pim mcache vlt command displays multicast route entries.
AG1# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.
AG2(conf-if-vlan-12)# ip ospf 100 area 0.0.0.0
AG2(conf-if-vlan-12)# exit
AG2(config)# interface vlan 13
AG2(conf-if-vlan-13)# no shutdown
AG2(conf-if-vlan-13)# ip address 13.0.0.2/24
AG2(conf-if-vlan-13)# ip pim sparse-mode
AG2(conf-if-vlan-13)# ip pim dr-priority 1000
AG2(conf-if-vlan-13)# ip ospf 100 area 0.0.0.0
AG2(conf-if-vlan-13)# ip ospf cost 4000
AG2(conf-if-vlan-13)# exit
AG2(config)# interface loopback 102
AG2(conf-if-lo-102)# no shutdown
AG2(conf-if-lo-102)# ip address 102.0.0.
Outgoing interface list:
vlan11 Forward/Sparse 00:02:15/Never
The show ip pim mcache command output displays multicast route entries.
AG2# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list :
vlan11
AG2# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.
Sample configuration on TOR:
TOR# configure terminal
TOR(config)# ip igmp snooping enable
TOR(config)# interface vlan 11
TOR(conf-if-vlan-11)# no shutdown
TOR(conf-if-vlan-11)# exit
TOR(config)# interface port-channel 11
TOR(conf-if-po-11)# no shutdown
TOR(conf-if-po-11)# switchport mode trunk
TOR(conf-if-po-11)# switchport access vlan 1
TOR(conf-if-po-11)# switchport trunk allowed vlan 11
TOR(conf-if-po-11)# exit
TOR(config)# interface ethernet 1/1/32:1
TOR(conf-if-eth1/1/32:1)# no shutdown
TOR(conf-if-eth
● CR1, CR2, AG1, AG2, AG3, and AG4 are multicast routers.
● CR1 and CR2 are the BSR and RP nodes.
● TR1 and TR2 are IGMP-enabled L2 nodes.
● OSPFv2 is the unicast routing protocol.

CR1 switch
1. Configure RSTP.
CR1(config)# spanning-tree disable
2. Configure the VLT domain.
CR1(conf-vlt-128)# backup destination 10.222.208.160
CR1(conf-vlt-128)# discovery-interface ethernet1/1/27:2
CR1(conf-vlt-128)# peer-routing
CR1(conf-vlt-128)# primary-priority 1
CR1(conf-vlt-128)# vlt-mac 9a:00:00:aa:aa:aa
3. Configure a port channel interface towards AG1 and AG2.
● VLAN 1001 towards AG1 and AG2
CR1(config)# interface vlan 1001
CR1(conf-if-vl-1001)# ip address 10.1.2.5/24
CR1(conf-if-vl-1001)# ip ospf 1 area 0.0.0.0
CR1(conf-if-vl-1001)# ip pim sparse-mode
CR1(conf-if-vl-1001)# ip igmp snooping mrouter interface port-channel11
● VLAN 1101 towards AG3
CR1(config)# interface vlan 1101
CR1(conf-if-vl-1101)# ip address 10.1.3.5/24
CR1(conf-if-vl-1101)# ip ospf 1 area 0.0.0.
3. Configure a port channel interface towards AG1 and AG2.
CR2(config)# interface port-channel 11
CR2(config)# interface ethernet 1/1/1:1
CR2(conf-if-eth1/1/1:1)# channel-group 11 mode active
CR2(config)# interface ethernet 1/1/9:1
CR2(conf-if-eth1/1/9:1)# channel-group 11 mode active
CR2(config)# interface port-channel 11
CR2(conf-if-po-11)# vlt-port-channel 11
4. Configure a port channel interface towards AG3.
CR2(conf-if-vl-1001)# ip pim sparse-mode
CR2(conf-if-vl-1001)# ip igmp snooping mrouter interface port-channel11
● VLAN 1151 towards AG3
CR2(config)# interface vlan 1151
CR2(conf-if-vl-1151)# ip address 10.110.1.5/24
CR2(conf-if-vl-1151)# ip ospf 1 area 0.0.0.0
CR2(conf-if-vl-1151)# ip pim sparse-mode
CR2(conf-if-vl-1151)# ip ospf cost 65535
CR2(conf-if-vl-1151)# ip igmp snooping mrouter interface port-channel22
● VLAN 1251 towards AG4
CR2(config)# interface vlan 1251
CR2(conf-if-vl-1251)# ip address 10.192.
AG1(conf-if-eth1/1/1:1)# channel-group 11 mode active
AG1(config)# interface ethernet 1/1/3:1
AG1(conf-if-eth1/1/3:1)# channel-group 11 mode active
AG1(config)# interface port-channel 11
AG1(conf-if-po-11)# vlt-port-channel 11
AG1(conf-if-po-11)# spanning-tree disable
4. Configure a port channel interface towards AG3 and AG4.
10. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
AG2(config)# interface ethernet 1/1/17:1
AG2(conf-if-eth1/1/17:1)# channel-group 41 mode active
6. Configure Loopback interface and enable PIM-SM.
AG2(config)# interface loopback 1
AG2(conf-if-lo-1)# ip address 10.1.100.2/32
AG2(conf-if-lo-1)# ip pim sparse-mode
7. Enable multicast routing on the default VRF.
AG2(config)# ip multicast-routing
8. Configure OSPF for unicast routing.
AG3 switch
1. Configure RSTP.
AG3(config)# spanning-tree mode rstp
AG3(config)# spanning-tree rstp priority 8192
2. Configure the VLT domain.
AG3(config)# interface ethernet 1/1/25:1
AG3(conf-if-eth1/1/25:1)# no switchport
AG3(config)# vlt-domain 1
AG3(conf-vlt-255)# backup destination 10.222.208.39
AG3(conf-vlt-255)# discovery-interface ethernet1/1/25:1
AG3(conf-vlt-255)# peer-routing
AG3(conf-vlt-255)# primary-priority 1
AG3(conf-vlt-255)# vlt-mac f0:ce:10:f0:ce:10
3.
AG3(conf-if-vl-1101)# ip pim sparse-mode
AG3(conf-if-vl-1101)# ip igmp snooping mrouter interface port-channel21
● VLAN 1151 towards CR2
AG3(config)# interface vlan 1151
AG3(conf-if-vl-1151)# ip address 10.110.1.3/24
AG3(conf-if-vl-1151)# ip ospf 1 area 0.0.0.0
AG3(conf-if-vl-1151)# ip pim sparse-mode
AG3(conf-if-vl-1151)# ip igmp snooping mrouter interface port-channel22
● VLAN 1301 towards AG1 and AG2
AG3(config)# interface vlan 1301
AG3(conf-if-vl-1301)# ip address 10.112.1.
AG4(conf-vlt-255)# peer-routing
AG4(conf-vlt-255)# primary-priority 65535
AG4(conf-vlt-255)# vlt-mac f0:ce:10:f0:ce:10
3. Configure a port channel interface towards CR1.
AG4(config)# interface port-channel 31
AG4(config)# interface ethernet 1/1/1:1
AG4(conf-if-eth1/1/1:1)# channel-group 31 mode active
4. Configure a port channel interface towards CR2.
AG4(config)# interface port-channel 32
AG4(config)# interface ethernet 1/1/4:1
AG4(conf-if-eth1/1/4:1)# channel-group 32 mode active
5.
AG4(conf-if-vl-1301)# ip pim sparse-mode
AG4(conf-if-vl-1301)# ip igmp snooping mrouter interface port-channel1
● VLAN 2001 towards TR2
AG4(config)# interface vlan 2001
AG4(conf-if-vl-2001)# ip address 192.168.1.4/24
AG4(conf-if-vl-2001)# ip pim sparse-mode
AG4(conf-if-vl-2001)# ip igmp snooping mrouter interface port-channel1
10. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
TR1(conf-if-eth1/1/31)# switchport trunk allowed vlan 2001
TR1(conf-if-eth1/1/31)# spanning-tree port type edge
TR1(config)# interface ethernet 1/1/32
TR1(conf-if-eth1/1/32)# switchport mode trunk
TR1(conf-if-eth1/1/32)# switchport trunk allowed vlan 2001
TR1(conf-if-eth1/1/32)# spanning-tree port type edge

TR2 switch
1. Configure RSTP.
TR2(config)# spanning-tree mode rstp
2. Configure a port channel interface towards AG3.
The show ip pim neighbor command displays the PIM neighbor of the node and the interface to reach the neighbor.
CR1# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
-------------------------------------------------------------------------------------
10.1.1.6 vlan100 00:24:19/00:01:25 v2 4294967295 / DR S
10.1.3.3 vlan1101 00:20:28/00:01:18 v2 1 / S
10.1.4.4 vlan1201 00:18:21/00:01:24 v2 1 / S
10.1.2.1 vlan1001 00:22:12/00:01:36 v2 1 / S
10.1.2.
(172.16.1.201, 225.1.0.0), uptime 01:24:45, expires 00:02:46, flags: CTP
Incoming interface: vlan100, RPF neighbor 0.0.0.0
Outgoing interface list:
The show ip pim mcache command displays the multicast route entries.
CR1# show ip pim mcache
PIM Multicast Routing Cache Table
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list :
vlan1
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list :
vlan1
(172.16.1.201, 225.1.0.
--------------------------------
225.1.0.0 10.1.100.6
CR1# show ip pim rp mapping
Group(s) : 225.0.0.0/8
RP : 10.1.100.5, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:00:56
Group(s) : 225.0.0.0/8
RP : 10.1.100.6, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:01:07
The show ip igmp snooping groups command displays the IGMP database.
CR1# show ip igmp snooping groups
Total Number of Groups: 320
CR1# show ip igmp snooping groups vlan 1 225.1.0.
TIB Summary:
20/20 (*,G) entries in PIM-TIB/MFC
39/39 (S,G) entries in PIM-TIB/MFC
39/0 (S,G,Rpt) entries in PIM-TIB/MFC
2 RP
3 sources
16 Register states
Message Summary:
208/885 Joins/Prunes sent/received
60/0 Candidate-RP advertisements sent/received
310/405 BSR messages sent/received
205 Null Register messages received
268/181 Register-stop messages sent/received
Data path event summary:
11 last-hop switchover messages received
28/28 pim-assert messages sent/received
186/79 register messages sent/receiv
Outgoing interface list :
vlan1
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list :
vlan1
(172.16.1.201, 225.1.0.0)
Incoming interface : vlan1
Outgoing interface list :
vlan1001
vlan1251
The show ip pim mcache vlt command displays the multicast route entries synchronized between the VLT peers.
CR2# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list :
vlan1
(192.168.1.
The show ip igmp snooping groups command displays the IGMP database.
CR2# show ip igmp snooping groups
Total Number of Groups: 320
CR2# show ip igmp snooping groups vlan 1 225.1.0.0 detail
Interface vlan1
Group 225.1.0.0
Source List -
Member Port Mode Uptime Expires
port-channel1000 IGMPv2-Compat 01:57:20 00:01:39
ethernet1/1/28:4 IGMPv2-Compat 01:57:31 00:01:39

AG1
The show ip pim interface command displays the PIM-enabled interfaces on the node.
0/459 Register-stop messages sent/received
Data path event summary:
20 last-hop switchover messages received
23/159 pim-assert messages sent/received
499/0 register messages sent/received
VLT Multicast summary:
0(*,G) synced entries in MFC
0(S,G) synced entries in MFC
0(S,G,Rpt) synced entries in MFC
The show ip pim tib command displays the PIM tree information base (TIB).
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list :
vlan1001
vlan2002
vlan2003
vlan2004
vlan2005
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list :
vlan1001
vlan2002
vlan2003
vlan2004
vlan2005
(172.16.1.201, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list :
vlan2002
vlan2003
vlan2004
vlan2005
The show ip pim mcache vlt command displays the multicast route entries synchronized between the VLT peers.
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:23
The show ip pim rp mapping command displays information about all multicast group-to-RP mappings.
AG1# show ip pim rp
Group RP
--------------------------------
225.1.0.0 10.1.100.6
AG1# show ip pim rp mapping
Group(s) : 225.0.0.0/8
RP : 10.1.100.5, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:00:45
Group(s) : 225.0.0.0/8
RP : 10.1.100.6, v2
Info source: 10.1.100.
The show ip pim summary command displays the PIM summary.
The show ip pim mcache command displays the multicast route entries.
AG2# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list :
vlan2002
vlan2003
vlan2004
vlan2005
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list :
vlan1001
vlan2002
vlan2003
vlan2004
vlan2005
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list :
vlan1001
vlan2002
vlan2003
vlan2004
vlan2005
(172.16.1.201, 225.1.
Incoming interface : vlan1001
Outgoing interface list :
vlan2002 (S)
vlan2003 (S)
vlan2004 (S)
vlan2005 (S)
The show ip pim bsr-router command displays information about the BSR.
AG2# show ip pim bsr-router
PIMv2 Bootstrap information
BSR address: 10.1.100.5
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:26
The show ip pim rp mapping command displays information about all multicast group-to-RP mappings.
AG2# show ip pim rp
Group RP
--------------------------------
225.1.0.0 10.1.100.
-----------------------------------------------------------------------10.112.1.1 vlan1301 00:22:45/00:01:24 v2 1 / S 10.112.1.2 vlan1301 00:20:24/00:01:20 v2 1 / S 10.112.1.4 vlan1301 00:21:09/00:01:20 v2 1 / DR S 192.168.1.4 vlan2001 00:22:47/00:01:22 v2 4294967295 / DR S 192.168.1.3 vlan2001 00:20:22/00:01:22 v2 4294967290 / S 192.168.1.1 vlan2001 00:21:07/00:01:23 v2 1 / S 10.110.1.5 vlan1151 00:22:58/00:01:16 v2 1 / DR S 10.1.3.
(192.168.1.201, 225.1.0.0), uptime 01:26:40, expires 00:00:52, flags: CTP
Incoming interface: vlan2001, RPF neighbor 0.0.0.0
Outgoing interface list:
(192.168.1.202, 225.1.0.0), uptime 01:26:40, expires 00:00:52, flags: CTP
Incoming interface: vlan2001, RPF neighbor 0.0.0.0
Outgoing interface list:
The show ip pim mcache command displays the multicast route entries.
AG3# show ip pim mcache
PIM Multicast Routing Cache Table
(192.168.1.201, 225.1.0.
AG4
The show ip pim interface command displays the PIM-enabled interfaces on the node.
AG4# show ip pim interface
Address Interface Ver/Mode Nbr Count Query Intvl DR Prio DR
-----------------------------------------------------------------------------
10.1.4.4 vlan1201 v2/S 1 30 1 10.1.4.5
10.112.1.4 vlan1301 v2/S 3 30 1 10.112.1.4
192.168.1.1 vlan2001 v2/S 3 30 1 192.168.1.4
10.192.168.4 vlan1251 v2/S 1 30 1 10.192.168.
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.0.0), uptime 01:40:17, expires 00:00:58, RP 10.1.100.6, flags: SCJ
Incoming interface: vlan1251, RPF neighbor 10.192.168.
--------------------------------
225.1.0.0 10.1.100.6
AG4# show ip pim rp mapping
Group(s) : 225.0.0.0/8
RP : 10.1.100.5, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:01:02
Group(s) : 225.0.0.0/8
RP : 10.1.100.6, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:00:43
The show ip igmp snooping groups command displays the IGMP database.
AG4# show ip igmp snooping groups
Total Number of Groups: 1600
AG4# show ip igmp snooping groups vlan 2001 225.1.0.
225.1.0.2 vlan2001 IGMPv2-Compat 00:01:36
Member-ports :ethernet1/1/21,ethernet1/1/22
<>

VLT multicast routing commands

show vlt inconsistency ip mcache
Displays information about mismatched IIF routes between the local and peer VLT nodes.
Syntax show vlt inconsistency ip mcache [vrf vrf-name]
Parameters vrf vrf-name—(Optional) Enter the keyword vrf, then the name of the VRF to display information about mismatched IIF routes corresponding to that non-default VRF.
Supported Releases 10.5.
15 VXLAN
A virtual extensible LAN (VXLAN) extends Layer 2 (L2) server connectivity over an underlying Layer 3 (L3) transport network in a virtualized data center. A virtualized data center consists of virtual machines (VMs) in a multi-tenant environment. OS10 supports VXLAN as described in RFC 7348. VXLAN provides an L2 overlay mechanism on an existing L3 network by encapsulating the L2 frames in L3 packets.
● Z9332F-ON

Configuration notes
All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON: In a static VXLAN, overlay routing is supported on:
● S4100-ON Series
● S4200-ON Series
● S5200-ON Series
● S4048T-ON
● S6010-ON

VXLAN concepts
Network virtualization overlay (NVO)
An overlay network extends L2 connectivity between server virtual machines (VMs) in a tenant segment over an underlay L3 IP network.
● Ideally suited for existing tenant VLANs that stretch over an IP fabric using VXLAN.

Port-scoped VLAN
A Port,VLAN pair that maps to a virtual network ID (VNID) in OS10. Assign an individual member interface to a virtual network either with an associated tagged VLAN or as an untagged member. Using a port-scoped VLAN, you can configure:
● The same VLAN ID on different access interfaces to different virtual networks.
● Different VLAN IDs on different access interfaces to the same virtual network.
2. Configure an IP address on the Loopback interface in INTERFACE mode. The IP address allows the source VTEP to send VXLAN frames over the L3 transport network.
ip address ip-address/mask
3. Return to CONFIGURATION mode.
exit
4. Enter NVE mode from CONFIGURATION mode. NVE mode allows you to configure the VXLAN tunnel endpoint on the switch.
nve
5. Configure the Loopback interface as the source tunnel endpoint for all virtual networks on the switch in NVE mode.
source-interface loopback number
6.
1. Assign a VLAN to the virtual network in VLAN Interface mode.
interface vlan vlan-id
virtual-network vn-id
2. Configure port interfaces as trunk members of the VLAN in Interface mode.
interface ethernet node/slot/port[:subport]
switchport mode trunk
switchport trunk allowed-vlan vlan-id
exit
The local physical ports assigned to the VLAN transmit packets over the virtual network.
● To use a port-scoped VLAN to add untagged member ports to a virtual network:
1. Create a reserved VLAN ID to assign untagged traffic on member interfaces to a virtual network in CONFIGURATION mode. The VLAN ID is used internally for all untagged member interfaces on the switch that belong to virtual networks.
virtual-network untagged-vlan untagged-vlan-id
2. Configure port interfaces as trunk members and remove the access VLAN in Interface mode.
The interface IP address must be unique on each VTEP, including VTEPs in VLT pairs. You can configure an IPv6 address on the virtual-network interface. Different virtual-network interfaces you configure on the same VTEP must have virtual-network IP addresses in different subnets. If you do not assign the virtual-network interface to a tenant VRF, it is assigned to the default VRF.
interface virtual-network vn-id
ip vrf forwarding tenant-vrf-name
ip address ip-address/mask
no shutdown
exit
4.
Table 41. MAC address for all VTEPs (continued) Virtual network VTEP Anycast gateway MAC address VNID 12 VTEP 1 00.11.22.33.44.55 VTEP 2 00.11.22.33.44.55 VTEP 3 00.11.22.33.44.55 VTEP 1 00.11.22.33.44.55 VTEP 2 00.11.22.33.44.55 VTEP 3 00.11.22.33.44.55 VNID 13 ● Configure a unique IP address on the virtual-network interface on each VTEP across all virtual networks. Configure the same anycast gateway IP address on all VTEPs in a virtual-network subnet. For example: Table 42.
Configure VLT (Optional)
To use VXLAN in a VLT domain, configure the VLT domain, including the VLT Interconnect (VLTi) interfaces, backup heartbeat, and VLT MAC address, as described in the OS10 Enterprise Edition User Guide in the Virtual link trunking section.
Required VLT VXLAN configuration:
● The IP address of the VTEP source Loopback interface must be the same on the VLT peers.
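The addressing rules stated above (a unique virtual-network interface IP on every VTEP, different subnets for the virtual-network interfaces of one VTEP, one anycast gateway IP and MAC shared by all VTEPs, and an identical source Loopback IP on VLT peers) can be checked across a fabric before the configuration is pushed. The following Python script is an added example, not Dell EMC code: the transcripts, addresses, rule names and function names are constructed for illustration, and the parser assumes CLI transcripts in the prompt/command form used in this guide's examples.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# Splits "OS10(conf-if-lo-0)# ip address 192.168.1.1/32" into (mode, command).
PROMPT = re.compile(r"^\S+\(([^)]+)\)#\s*(\S.*)$")

def parse_vtep(transcript):
    """Pull loopback, NVE source and virtual-network settings from a CLI transcript."""
    cfg = {"addresses": {}, "anycast_ip": {}, "anycast_mac": None, "source_if": None}
    current_if = None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, cmd = m.group(1), m.group(2).strip()
        arg = cmd.split()[-1]
        if mode == "config" and cmd.startswith("interface "):
            current_if = cmd[len("interface "):].replace(" ", "").lower()
        elif mode == "config" and cmd.startswith("ip virtual-router mac-address "):
            cfg["anycast_mac"] = arg.lower()
        elif mode.endswith("nve") and cmd.startswith("source-interface "):
            cfg["source_if"] = cmd[len("source-interface "):].replace(" ", "").lower()
        elif "-if-" in mode and cmd.startswith("ip address "):
            cfg["addresses"][current_if] = ipaddress.ip_interface(arg)
        elif "-if-" in mode and cmd.startswith("ip virtual-router address "):
            cfg["anycast_ip"][current_if] = ipaddress.ip_address(arg)
    return cfg

def audit(fabric, vlt_pairs):
    """Return (rule, detail) findings for the fabric-wide addressing rules."""
    cfgs = {name: parse_vtep(text) for name, text in fabric.items()}
    findings = []
    # VLT peers must use the same IP address on the VTEP source Loopback.
    for a, b in vlt_pairs:
        src = [cfgs[n]["addresses"].get(cfgs[n]["source_if"]) for n in (a, b)]
        if src[0] is None or src[1] is None or src[0].ip != src[1].ip:
            findings.append(("vlt-source-ip", f"{a}/{b}: {src[0]} vs {src[1]}"))
    owners = defaultdict(list)   # virtual-network interface IP -> VTEPs using it
    gateways = defaultdict(set)  # virtual-network interface -> anycast IPs seen
    for name, cfg in cfgs.items():
        vns = {n: a for n, a in cfg["addresses"].items() if n.startswith("virtual-network")}
        for addr in vns.values():
            owners[addr.ip].append(name)
        for ifname, gw in cfg["anycast_ip"].items():
            gateways[ifname].add(gw)
        # Virtual-network interfaces on one VTEP must sit in different subnets.
        for (i1, a1), (i2, a2) in combinations(sorted(vns.items()), 2):
            if a1.version == a2.version and a1.network.overlaps(a2.network):
                findings.append(("vn-subnet-overlap", f"{name}: {i1} and {i2}"))
    # A virtual-network interface IP must not repeat on any other VTEP.
    for ip, vteps in owners.items():
        if len(vteps) > 1:
            findings.append(("vn-ip-duplicate", f"{ip} on {', '.join(vteps)}"))
    # The anycast gateway IP (per virtual network) and MAC must match everywhere.
    for ifname, gws in gateways.items():
        if len(gws) > 1:
            findings.append(("anycast-ip-mismatch", f"{ifname}: {sorted(map(str, gws))}"))
    macs = {c["anycast_mac"] for c in cfgs.values()}
    if len(macs) > 1:
        findings.append(("anycast-mac-mismatch", str(sorted(map(str, macs)))))
    return findings

# Constructed transcript template in the style of this guide's examples.
TEMPLATE = """\
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# ip address {lo}/32
OS10(conf-if-lo-0)# exit
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
OS10(config)# ip virtual-router mac-address {mac}
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip address {vn1}
OS10(config-if-vn-10000)# ip virtual-router address {gw1}
OS10(config-if-vn-10000)# exit
OS10(config)# interface virtual-network 20000
OS10(config-if-vn-20000)# ip address {vn2}
OS10(config-if-vn-20000)# ip virtual-router address {gw2}
OS10(config-if-vn-20000)# exit
"""
def vtep(lo, vn1, vn2, gw2="10.2.0.100", mac="00:01:01:01:01:01"):
    return TEMPLATE.format(lo=lo, vn1=vn1, vn2=vn2, gw1="10.1.0.100", gw2=gw2, mac=mac)

# Constructed fabrics: GOOD follows every rule, BAD breaks each rule once.
GOOD = {"vtep1": vtep("192.168.1.1", "10.1.0.231/16", "10.2.0.231/16"),
        "vtep2": vtep("192.168.1.1", "10.1.0.232/16", "10.2.0.232/16"),
        "vtep3": vtep("192.168.2.1", "10.1.0.233/16", "10.2.0.233/16")}
BAD = {"vtep1": GOOD["vtep1"],
       "vtep2": vtep("192.168.1.2", "10.1.0.232/16", "10.2.0.232/16"),
       "vtep3": vtep("192.168.2.1", "10.1.0.231/16", "10.1.9.233/16",
                     gw2="10.2.0.200", mac="00:01:01:01:01:02")}
VLT_PAIRS = [("vtep1", "vtep2")]  # vtep1 and vtep2 form one VLT domain

if __name__ == "__main__":
    for rule, detail in audit(BAD, VLT_PAIRS):
        print(f"{rule:22} {detail}")
```

Feeding it the intended per-switch command lists catches a mismatch before it reaches the fabric.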
VLAN 137 ---------MAC 00:00:00:00:00:02 is missing from Node(s) 2 Run "show vlt d1 mismatch ..." commands to identify configuration issues L3 VXLAN route scaling The S4100-ON series, S5200-ON series, S4048T-ON, S4248-ON series, and S6010-ON switches support native VxLAN routing — routing in and out of tunnels (RIOT). RIOT requires dedicated hardware resources reserved for overlay routing. You cannot use these dedicated resources for underlay routing.
● View the hardware resources available for overlay routing in different profiles; for example, in the S5200-ON series:
OS10# show hardware overlay-routing-profile mode all
Mode                      Overlay Next-hop  Underlay Next-hop  Overlay L3 RIF  Underlay L3 RIF
                          Entries           Entries            Entries         Entries
default-overlay-routing   8192              57344              2048            14336
disable-overlay-routing   0                 65536              0               16384
balanced-overlay-routing  32768             32768              8192            8192
scaled-overlay-routing    53248             12288              12288           4096
● View the currently configured overlay routing prof
View the VXLAN virtual network OS10# show virtual-network Codes: DP - MAC-learn Dataplane, CP - MAC-learn Controlplane, UUD - Unknown-Unicast-Drop Un-tagged VLAN: 888 Virtual Network: 60000 VLTi-VLAN: 2500 Members: VLAN 1000: port-channel1, ethernet1/1/9, ethernet1/1/10 VLAN 2500: port-channel1000 VxLAN Virtual Network Identifier: 16775000 Source Interface: loopback100(222.222.222.222) Remote-VTEPs (flood-list): 55.55.55.55(DP),77.1.1.
IP Address: 2.2.2.2, State: up, Encap: VxLAN VNI list: 10000(DP), 200(DP), 300(DP) View the VXLAN statistics on the remote VTEPs OS10# show nve remote-vtep counters Remote-VTEP Input (Packets/Bytes) Output (Packets/Bytes) ---------------------------------------------------------------------10.10.10.10 857/8570 257/23709 20.20.20.
C 1000:100:10:41::/64 via 1000:100:10:41::4 virtual-network60064 0/0 00:37:06 C 1000:100:10:61::/64 via 1000:100:10:61::4 virtual-network60096 0/0 00:37:05 VXLAN MAC addresses Use the show mac address-table virtual-network or show mac address-table extended commands to display the MAC addresses learned on a VXLAN virtual network or learned on both VXLAN virtual networks and legacy VLANs.
Table 44. Display VXLAN MAC addresses (continued) Command Description {ethernet node/slot/port:subport | port-channel number} | vn-id] dynamic: Displays the number of dynamic MAC addresses learned on all or a specified virtual network. local: Displays the number of locally-learned MAC addresses. remote: Displays the number of remote MAC addresses learned on all or a specified virtual network. static: Displays the number of static MAC addresses learned on all or a specified virtual network.
Table 45. Clear VXLAN MAC addresses (continued) Command Description clear mac address-table dynamic nve remote-vtep ip-address Clears all MAC addresses learned from the specified remote VTEP. VXLAN commands hardware overlay-routing-profile Configures the number of reserved ARP table entries for VXLAN overlay routing.
Default Not configured Command mode CONFIGURATION Usage information Configure a virtual-network router interface to enable hosts connected to a virtual network to route traffic to hosts on another virtual network in the same VRF. The virtual-network IP address must be unique on each VTEP, including VTEPs in VLT pairs. Example Supported releases OS10(config)# interface virtual-network 10000 OS10(config-if-vn-10000)# ip vrf forwarding tenant1 OS10(config-if-vn-10000)# ip address 10.1.0.
member-interface Assigns untagged or tagged VLAN traffic on a member interface to a virtual network. Syntax member-interface {ethernet node/slot/port[:subport] | port-channel number} {vlan-tag vlan-id | untagged} Parameters ethernet node/slot/ port[:subport ] Assign the specified interface to a virtual network. port-channel number Assign the specified port channel to a virtual network. untagged Assign untagged traffic on an interface or port channel to a virtual network.
Command mode VIRTUAL-NETWORK VXLAN-VNI Usage information After you configure the remote VTEP, the VXLAN virtual network is enabled to start sending server traffic. You can configure multiple remote VTEPs. All broadcast, multicast, and unknown unicast (BUM) traffic received on an access interface is replicated on remote VTEPs. The no version of this command removes the configured value. Example Supported releases OS10(config-vn-vxlan-vni)# remote-vtep 20.20.20.
Usage information Example Supported releases Use this command to display the virtual-network IP address used for routing traffic in a virtual network. Traffic counters also display. show interface virtual-network 102 Virtual-network 102 is up, line protocol is up Address is 14:18:77:25:6f:84, Current address is 14:18:77:25:6f:84 Interface index is 66 Internet address is 12.12.12.
Parameters ● ip-address — Enter IP address of a remote VTEP. Default Not configured Command mode EXEC Usage information Use this command to display input and output statistics for VXLAN traffic on a remote VTEP. A VTEP is identified by its IP address. Use the clear nve remote-vtep [ip-address] counters command to clear VXLAN packet statistics. Example Supported releases OS10# show nve remote-vtep counters Peer Input (Packets/Bytes) 10.10.10.10 857/8570 20.20.20.
Members: VLAN 1000: port-channel1, ethernet1/1/9, ethernet1/1/10 VLAN 2500: port-channel1000 VxLAN Virtual Network Identifier: 16775000 Source Interface: loopback100(222.222.222.222) Remote-VTEPs (flood-list): 55.55.55.55(DP),77.1.1.1(DP) Supported releases 10.4.2.0 or later show virtual-network counters Displays packet statistics for virtual networks. Syntax show virtual-network [vn-id] counters Parameters vn-id Enter a virtual-network ID, from 1 to 65535.
Example
OS10# show virtual-network interface 1/1/3 vlan 100 counters
Virtual-Network  Input (Packets/Bytes)  Output (Packets/Bytes)
2000             457/3570               277/13709
Supported releases 10.4.2.0 or later

show virtual-network interface
Displays the VXLAN virtual networks and server VLANs where a port is assigned.
Syntax show virtual-network interface {ethernet node/slot/port:subport | port-channel number}
Parameters
interface ethernet node/slot/port[:subport] Enter the port information for an Ethernet interface.
show vlan (virtual network) Displays the VLANs assigned to virtual networks. Syntax show vlan Parameters None Default Not configured Command mode EXEC Usage information Use this command to display the VLAN port interfaces that transmit VXLAN packets over a virtual network.
virtual-network
Creates a virtual network for VXLAN tunneling.
Syntax virtual-network vn-id
Parameters vn-id Enter the virtual-network ID, from 1 to 65535.
Default Not configured
Command mode CONFIGURATION
Usage information The virtual network operates as a L2 bridging domain. To add a VXLAN to the virtual network, use the vxlan-vni command. The no version of this command removes the configured virtual network.
Example
OS10(config)# virtual-network 1000
OS10(config-vn)#
Supported releases 10.4.2.
VXLAN MAC commands clear mac address-table dynamic nve remote-vtep Clears all MAC addresses learned from a remote VTEP. Syntax clear mac address-table dynamic nve remote-vtep ip-address Parameters remote-vtep ip-address Clear MAC addresses learned from the specified remote VTEP. Default Not configured Command mode EXEC Usage information To display the MAC addresses learned from a remote VTEP, use the show mac address-table nve remote-vtep command.
Example Supported releases OS10# clear mac address-table dynamic virtual-network 10.4.2.0 or later show mac address-table count extended Displays the number of MAC addresses learned on all VLANs and VXLAN virtual networks. Syntax Parameters show mac address-table count extended [interface {ethernet node/slot/ port:subport | port-channel number}] interface ethernet node/slot/ port[:subport ] Display the number of MAC addresses learned on all VLANs and VXLANs on the specified interface.
Static Address (User-defined) Count : Total MAC Addresses in Use: 0 1 OS10# show mac address-table count nve remote-vtep 32.1.1.1 MAC Entries for all vlans : Dynamic Address Count : 2 Static Address (User-defined) Count : 0 Total MAC Addresses in Use: 2 Supported releases 10.4.2.0 or later show mac address-table count virtual-network Displays the number of MAC addresses learned on virtual networks.
Parameters address macaddress Display only information about the specified MAC address. interface ethernet node/slot/ port[:subport ] Display only MAC addresses learned on the specified interface. interface port-channel number Display only MAC addresses learned on the specified port channel. static Display only static MAC addresses. dynamic Display only dynamic MAC addresses. Default Not configured Command mode EXEC Usage information By default, MAC learning from a remote VTEP is enabled.
Example OS10# show mac address-table nve remote-vtep 32.1.1.1 Virtual-Network VNI MAC Address Type Remote-VTEP --------------------------------------------------------------10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.1) 20000 19999 00:00:00:00:00:88 dynamic VxLAN(32.1.1.1) OS10# show mac address-table nve vxlan-vni 9999 Virtual-Network VNI MAC Address Type Remote-VTEP --------------------------------------------------------------10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.
Supported releases 10.4.2.0 or later

Example: VXLAN with static VTEP
This example uses a typical Clos leaf-spine topology with static VXLAN tunnel endpoints (VTEPs) in VLT dual-homing domains. The individual switch configuration shows how to set up an end-to-end VXLAN. The underlay IP network routes advertise using OSPF.
● On VTEPs 1 and 2, access ports are assigned to the virtual network using a switch-scoped VLAN configuration.
VTEP 1 Leaf Switch
1. Configure the underlay OSPF protocol. Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.16.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0
OS10(conf-if-lo-0)# exit
3.
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
7. Configure upstream network-facing ports.
OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.16.1.0/31
OS10(conf-if-eth1/1/1)# ip ospf 1 area 0.0.0.
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
9. Configure overlay IP routing
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure the anycast L3 gateway MAC address for all VTEPs.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
5. Assign a switch-scoped VLAN to a virtual network.
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
OS10(config)# interface vlan200
OS10(config-if-vl-200)# virtual-network 20000
OS10(config-if-vl-200)# no shutdown
OS10(config-if-vl-200)# exit
6. Configure access ports as VLAN members.
Configure a VLT port channel.
OS10(config)# interface port-channel10
OS10(conf-if-po-10)# vlt port-channel 10
OS10(conf-if-po-10)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# vlt port-channel 20
OS10(conf-if-po-20)# exit
Configure VLTi member links.
VTEP 3 Leaf Switch
1. Configure the underlay OSPF protocol. Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.18.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0
OS10(conf-if-lo-0)# exit
3.
7. Add access ports to the VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# member-interface port-channel 10 vlan-tag 100
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
NOTE: This step shows how to add access ports using port-scoped VLAN-to-VNI mapping. You can also add access ports using a switch-scoped VLAN-to-VNI mapping.
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure a VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:dd:cc:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
4. Configure VXLAN virtual networks with a static VTEP.
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.19.2.0/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
9. Configure VLT
Configure VLTi VLAN for the VXLAN virtual network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast L3 gateway for all VTEPs in all virtual networks.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.234/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.
Spine Switch 2
1. Configure downstream ports on underlay links to leaf switches.
OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 172.16.2.1/31
OS10(conf-if-eth1/1/1)# ip ospf 1 area 0.0.0.
Configure and operate static VXLANs and BGP EVPNs for VXLAN in the same way:
● Manually configure the overlay and underlay networks.
● Manually configure each virtual network and VNI.
● Manually configure access port membership in a virtual network.
● Existing routing protocols provision and learn underlay reachability to VTEP peers.
However, static VXLANs and BGP EVPNs for VXLAN differ as described:
Table 46.
Figure 13. BGP EVPN topology Leaf nodes Leaf nodes are typically top-of-rack (ToR) switches in a data center network. They act as the VXLAN tunnel endpoints and perform VXLAN encapsulation and decapsulation. Leaf nodes also participate in the MP-BGP EVPN to support control plane and data plane functions. Control plane functions include: ● Initiate and maintain route adjacencies using any routing protocol in the underlay network. ● Advertise locally learned routes to all MP-BGP EVPN peers.
● Does not perform VXLAN encapsulation or decapsulation. The BGP EVPN running on each VTEP listens to the exchange of route information in the local overlay, encodes the learned routes as BGP EVPN routes, and injects them into BGP to advertise to the peers. Tunnel endpoints advertise as Type 3 EVPN routes. MAC/IP addresses advertise as Type 2 EVPN routes. EVPN instance An EVPN instance (EVI) spans across the VTEPs that participate in an Ethernet VPN.
Configure BGP EVPN for VXLAN
To set up BGP EVPN service in a VXLAN overlay network:
1. Configure the VXLAN overlay network. If you enable routing for VXLAN virtual networks, Integrated Routing and Bridging (IRB) for BGP EVPN is automatically enabled. For more information, see Configure VXLAN.
2. Configure BGP to advertise EVPN routes.
3. Configure EVPN, including the VNI, RD, and RT values associated with the EVPN instance.
4. Verify the BGP EVPN configuration.

Configuration
1.
c. Use the local Loopback address as the source address in BGP packets sent to the neighbor in ROUTER-BGP-NEIGHBOR mode.
update-source loopback0
d. Send an extended community attribute to the BGP neighbor in ROUTER-BGP-NEIGHBOR mode.
send-community extended
e. Enable the peer session with the BGP neighbor in ROUTER-BGP-NEIGHBOR mode.
no shutdown
f. Configure the L2 VPN EVPN address family for VXLAN host-based routing to the BGP peer in ROUTER-BGP-NEIGHBOR mode.
address-family l2vpn evpn
g.
a. Enable the EVPN control plane in CONFIGURATION mode.
evpn
b. Enable auto-EVI creation for overlay virtual networks in EVPN mode. Auto-EVI creation is supported only if BGP EVPN is used with 2-byte AS numbers and if at least one BGP instance is enabled with the EVPN address family. No further manual configuration is allowed in auto-EVI mode.
auto-evi
● Manual EVI configuration mode
a. Enable the EVPN control plane in CONFIGURATION mode.
evpn
b. Manually create an EVPN instance in EVPN mode.
Display the BGP neighbors in the EVPN instances OS10# show ip bgp neighbors 110.111.170.102 BGP neighbor is 110.111.170.102, remote AS 100, local AS 100 internal link BGP version 4, remote router ID 110.111.170.
50 50 00:00:00:aa:aa:aa 00:00:00:cc:cc:cc rmt lcl 0 0 55.1.1.3 ethernet1/1/8:1 VXLAN BGP EVPN routing This section describes how EVPN implements overlay routing between L2 segments associated with EVIs belonging to the same tenant on a VTEP. IETF draft draft-ietf-bess-evpn-inter-subnet-forwarding-05 describes EVPN inter-subnet forwarding, Integrated Routing and Bridging (IRB), and how to use EVPN with IP routing between L2 tenant domains.
be associated with an IP address; routing is set up in the data plane using the egress VTEP's MAC address. This behavior is known as IP-VRF to IP-VRF interface-less routing. The ingress VTEP does not have to be configured with every destination virtual network; it must have the ARP and MAC addresses only to the egress VTEP, not to each host connected to the VTEP. For this reason, symmetric IRB routing allows the overlay network to scale larger than asymmetric routing.
4. (Optional) To redistribute EVPN routes to a BGP or OSPF neighbor, configure the redistribution of L2VPN EVPN routes into BGP or OSPF IPv4/IPv6 routes on a border leaf VTEP in ROUTER-BGP or ROUTER-OSPF mode; for example:
OS10(config)# router bgp 101
OS10(conf-router-bgp-101)# vrf blue
OS10(conf-router-bgp-101-vrf)# address-family ipv4 unicast
OS10(configure-router-bgpv4-af)# redistribute l2vpn evpn [route-map map-name]
5. Verify the VXLAN BGP EVPN with symmetric IRB configuration.
4.4.4.4 5.5.5.5 14:18:77:25:6f:4d 00:00:01:00:a3:b4 Display the learned EVPN Type 5 routes OS10# show ip bgp l2vpn evpn BGP local RIB : Routes to be Added , Replaced , Withdrawn BGP local router ID is 95.0.0.4 Status codes: s suppressed, S stale, d dampened, h history, * valid, > best Path source: I - internal, a - aggregate, c - confed-external, r - redistributed/network, S - stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight *>r Route distinguisher: 4.4.4.
Both VTEPs in a VLT pair advertise identical EVPN routes, which provides redundancy if one of the VTEP peers fails. To set up redundant EVPN route advertisement, configure the same EVI, RD, and RT values for each VNI on both VTEPs in a VLT pair, including:
● In auto-EVI mode, this identical configuration is automatically ensured if the VNID-to-VNI association is the same on both VTEP peers.
● In manual EVI mode, you must configure the same EVI-to-VNID association on both VTEP peers.
VXLAN BGP commands activate (l2vpn evpn) Enables the exchange of L2 VPN EVPN address family information with a BGP neighbor or peer group. Syntax activate Parameters None Default Not configured Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information Use this command to exchange L2 VPN EVPN address information for VXLAN host-based routing with a BGP neighbor. The IPv4 unicast address family is enabled by default. Use the no activate command to disable an address family with a neighbor.
Example (IPv4)
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# allowas-in 5
Example (IPv6)
OS10(conf-router-template)# address-family ipv6 unicast
OS10(conf-router-bgp-template-af)# allowas-in 5
Example (l2vpn)
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# allowas-in 3
Supported Releases 10.3.0E or later

sender-side-loop-detection
Enables the sender-side loop detection process for a BGP neighbor.
Usage information Examples Use this command to display the BGP routes used for the L2VPN EVPN address family in EVPN instances on the switch. OS10# show ip bgp l2vpn evpn BGP local RIB : Routes to be Added , Replaced , Withdrawn BGP local router ID is 110.111.170.
BGP neighbor is fe80::76e6:e2ff:fef6:99a9 via vlan30, remote AS 100, local AS 200 external link BGP version 4, remote router ID 125.12.57.
Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally originated 0 Local host: fe80::76e6:e2ff:fef5:a43e, Local port: 45926 Foreign host: fe80::76e6:e2ff:fef6:99a9, Foreign port: 179 OS10# show ip bgp l2vpn evpn summary BGP router identifier 89.101.17.125 local AS number 100 Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx ethernet1/1/1 200 19 19 00:15:34 0 Supported releases 10.4.2.
Command mode EVPN Usage information In deployments running BGP with 2-byte or 4-byte autonomous systems, auto-EVI automatically creates EVPN instances when you create a virtual network on a VTEP in the overlay network. In auto-EVI mode, the RD and RT values automatically generate: ● For a 2-byte autonomous system: ○ The RD auto-configures as Type 1 from the overlay network source IP address and the autogenerated EVI index.
Supported releases 10.5.1.0 or later evi Creates an EVPN instance (EVI) in EVPN mode. Syntax evi id Parameters id Enter the EVPN instance ID, from 1 to 65535. Default Not configured Command mode EVPN Usage information If an MP-BGP network uses 4-byte autonomous systems or to specify the RD and RT values, manually configure EVPN instances and associate each EVI with the overlay VXLAN virtual network.
Usage information A RD maintains the uniqueness of an EVPN route between different EVPN instances. Configure a route distinguisher in a tenant VRF used for EVPN symmetric IRB traffic. The RD auto-configures as Type 1 from the overlay network source IP address and the auto-generated EVPN instance ID. The rd auto command is not supported in EVPN-VRF mode. When you create a VRF in EVPN mode, the RD is automatically generated. The rd A.B.C.D:[1-65535] command is supported in EVPN-VRF mode in 10.5.
auto Configure the RT import and export values to automatically generate. asn4 (Optional) Advertises a 4-byte AS number in RT values. Default Not configured Command mode EVPN-EVI and EVPN-VRF Usage information A RT determines how EVPN routes distribute among EVPN instances. Configure each RT with an import and export value. When the EVPN routes advertise, the RT export value configured for export attaches to each route.
Parameters id — (Optional) Enter the EVPN instance ID, from 1 to 65535. Default Not configured Command mode EXEC Usage information Use this command to verify EVPN instance status, associated VXLAN virtual networks and the RD and RT values the BGP EVPN routes use in the EVI. The status of integrated routing and bridging (IRB) and the VRF used for EVPN traffic also display.
EVI 811 next-hop 80.80.1.8 MAC Entries : Remote MAC Address Count : 2 Supported releases 10.4.2.0 or later show evpn mac-ip Displays the BGP EVPN Type 2 routes used for host MAC-IP address binding. Syntax show evpn mac-ip [count | evi evi [mac-address mac-address] | mac-address mac-address | next-hop ip-address] Parameters ● count — Displays the total number of MAC addresses in EVPN MAC-IP address binding. ● evi evi — Enter an EVPN instance ID, from 1 to 65535.
104 104 104 104 14:18:77:25:4d:b9 14:18:77:25:4d:b9 14:18:77:25:6e:b9 14:18:77:25:6e:b9 rmt rmt lcl lcl 0 0 0 0 14.14.14.1 2001:14::14:1 14.14.14.2 2001:14::14:2 95.0.0.3 95.0.0.3 OS10# show evpn mac-ip evi 101 mac-address 14:18:77:0c:e5:a3 Type EVI 101 101 -(lcl): Local (rmt): remote Mac-Address 14:18:77:0c:e5:a3 14:18:77:0c:e5:a3 Type rmt rmt Seq-No 0 0 Host-IP Interface/Next-Hop 11.11.11.3 95.0.0.5 2001:11::11:3 95.0.0.
Command mode EXEC
Usage information Use this command to verify the tenant VRF instances used in EVPN instances to exchange BGP EVPN routes in VXLANs.
Example
show evpn vrf
VXLAN-VNI  EVI  Virtual-Network-Instance  VRF-Name
102        102  102                       blue
103        103  103                       default
104        104  104                       blue
106        106  106                       default
105        105  105                       blue
101        101  101                       default
Supported releases 10.4.3.0 or later

show evpn vrf l3-vni
Displays the configuration of the tenant VRF instances used for symmetric IRB.
show evpn vxlan-vni
Displays the VXLAN overlay network for EVPN instances.
Syntax show evpn vxlan-vni [vni]
Parameters vni — (Optional) Enter the VXLAN virtual-network ID, from 1 to 16,777,215.
Default Not configured
Command mode EXEC
Usage information Use this command to verify the VXLAN virtual network and bridge domain used by an EVPN instance.
Example
OS10# show evpn vxlan-vni
VXLAN-VNI  EVI    Bridge-Domain
100        65447  65447
Supported releases 10.4.2.
Usage Information Configure a non-default VRF for symmetric IRB for each tenant VRF. The tenant VRF is created using the ip vrf command when you enable overlay routing with IRB; see Enable overlay routing between virtual networks.
Example
OS10(config)# evpn
OS10(config-evpn)# vrf vrf-blue
Supported Releases 10.5.1 or later

Example: VXLAN with BGP EVPN
The following VXLAN with BGP EVPN example uses a Clos leaf-spine topology with VXLAN tunnel endpoints (VTEPs).
Figure 15. VXLAN BGP EVPN use case

VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.16.1.
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.0/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
Configure iBGP IPv4 peering between VLT peers.
OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4. Configure unused VLAN ID for untagged membership. OS10(config)# virtual-network untagged-vlan 1000 5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 9. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.18.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor 172.18.2.
OS10(config-evpn-evi-10000)# route-target auto
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
Configure iBGP IPv4 peering between VLT peers. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.16.250.11 OS10(config-router-neighbor)# remote-as 100 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 14. Configure IP routing in the overlay network. Create the tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.19.0.
Configure a VLTi VLAN for the virtual network. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vlti-vlan 100 OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(conf-vn-20000)# vlti-vlan 200 OS10(conf-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-bgp-101)# neighbor 172.17.1.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.18.1.
OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-bgp-101)# neighbor 172.19.0.
OS10(conf-router-bgp-101)# neighbor 172.18.2.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.19.2.
OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# send-community extended OS10(conf-router-neighbor)# update-source loopback1 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4078ms
rtt min/avg/max/mdev = 0.806/0.851/0.944/0.051 ms
root@HOST-A:~#
5. Check connectivity between host A and host C.
root@HOST-A:~# ping 10.1.0.20 -c 5
PING 10.1.0.20 (10.1.0.20) 56(84) bytes of
64 bytes from 10.1.0.20: icmp_seq=1 ttl=64
64 bytes from 10.1.0.20: icmp_seq=2 ttl=64
64 bytes from 10.1.0.
Figure 16. VXLAN BGP EVPN with multiple AS
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-99)# address-family ipv4 unicast OS10(config-router-bgp-af)# redistribute connected OS10(config-router-bgp-af)# exit 8. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-99)# neighbor 172.16.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-99)# neighbor 172.16.2.
OS10(config-evpn-evi-20000)# route-target 100:20000 import
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)#
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.0/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethern
OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# no activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# address-family l2vpn evpn OS10(config-router-bgp-neighbor-af)# activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-99)# neighbor 172.202.0.
OS10(conf-if-eth1/1/4)# no switchport OS10(conf-if-eth1/1/4)# exit Configure the VLT domain. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.16.150.2 OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4 OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff OS10(conf-vlt-1)# exit Configure UFD with uplink VLT ports and downlink network ports.
2. Configure the Loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback0 OS10(config-nve)# exit 3. Configure VXLAN virtual networks. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 4.
OS10(conf-if-eth1/1/1)# mtu 1650 OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31 OS10(conf-if-eth1/1/2)# exit 8. Configure eBGP. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# router-id 172.18.0.1 OS10(config-router-bgp-100)# address-family ipv4 unicast OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 9. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.18.1.
OS10(config-evpn-evi-10000)# rd 192.168.2.1:10000
OS10(config-evpn-evi-10000)# route-target 99:10000 import
OS10(config-evpn-evi-10000)# route-target 100:10000 both
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd 192.168.2.1:20000
OS10(config-evpn-evi-20000)# route-target 99:20000 import
OS10(config-evpn-evi-20000)# route-target 100:20000 both
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)#
13. Configure VLT.
Configure iBGP IPv4 peering between VLT peers. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.16.250.11 OS10(config-router-neighbor)# remote-as 100 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 14. Configure IP routing in the overlay network. Create the tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.19.0.1/32 OS10(conf-if-lo-1)# exit 11. Configure BGP EVPN peering. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-vn-20000)# vlti-vlan 200 OS10(conf-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.11/31 OS10(config-if-vl-4000)# exit Configure VLT port channels.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# exit 4. Configure a Loopback interface for BGP EVPN peering. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.201.0.1/32 OS10(conf-if-lo-1)# exit 5. Configure BGP EVPN peer sessions. OS10(config)# router bgp 101 OS10(conf-router-bgp-101)# neighbor 172.16.0.
Spine Switch 2 1. Configure downstream ports on the underlay links to the leaf switches.
OS10(conf-router-neighbor)# update-source loopback1 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-bgp-102)# neighbor 172.17.0.
2. Verify EVPN configurations and EVPN parameters.
LEAF1# show evpn evi
EVI : 10000, State : up
  Bridge-Domain       : Virtual-Network 10000, VNI 10000
  Route-Distinguisher : 1:192.168.1.1:10000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.1
  IRB                 : Enabled(tenant1)
EVI : 20000, State : up
  Bridge-Domain       : Virtual-Network 20000, VNI 20000
  Route-Distinguisher : 1:192.168.1.1:20000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.
  IRB                 :
LEAF1#
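The route-targets in `show evpn evi` output decide which virtual networks exchange routes, so they are worth checking mechanically after a change. The following Python audit is an added example, not part of the Dell guide. It assumes the policy used in the manual-EVI configurations in this guide (each route-target's last field equals the EVI's VNI, and no route-target is imported by more than one EVI), reads the `type:ASN:number` layout from the output above, and runs on a constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the field layout of `show evpn evi`.
# EVI 20000 deliberately carries a route-target numbered for VNI 10000.
SAMPLE_OUTPUT = """\
LEAF1# show evpn evi
EVI : 10000, State : up
  Bridge-Domain       : Virtual-Network 10000, VNI 10000
  Route-Distinguisher : 1:192.168.1.1:10000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.1
  IRB                 : Enabled(tenant1)
EVI : 20000, State : up
  Bridge-Domain       : Virtual-Network 20000, VNI 20000
  Route-Distinguisher : 1:192.168.1.1:20000
  Route-Targets       : 0:99:10000 both, 0:100:20000 import
  Inclusive Multicast : 192.168.2.1
  IRB                 : Enabled(tenant1)
"""

EVI_RE = re.compile(r"^EVI\s*:\s*(\d+),\s*State\s*:\s*(\S+)")
RT_RE = re.compile(r"(\d+):(\d+):(\d+)\s+(both|import|export)")
VNI_RE = re.compile(r"VNI\s+(\d+)")


def parse_evis(text):
    """Return one dict per EVI block found in `show evpn evi` style text."""
    evis, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = EVI_RE.match(line)
        if m:
            cur = {"evi": int(m.group(1)), "state": m.group(2),
                   "vni": None, "rts": [], "irb": None}
            evis.append(cur)
            continue
        if cur is None or ":" not in line:
            continue  # prompt lines and anything before the first EVI
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "bridge-domain":
            v = VNI_RE.search(value)
            cur["vni"] = int(v.group(1)) if v else None
        elif key == "route-targets":
            cur["rts"] = [(int(t), int(a), int(n), d)
                          for t, a, n, d in RT_RE.findall(value)]
        elif key == "irb":
            cur["irb"] = value or None
    return evis


def audit(evis):
    """Return (evi, message) findings under the assumed RT policy."""
    findings = []
    importers = defaultdict(set)  # route-target -> EVIs that import it
    for e in evis:
        if e["state"].lower() != "up":
            findings.append((e["evi"], "EVI state is %s" % e["state"]))
        if e["vni"] is None:
            findings.append((e["evi"], "no VNI bound to the EVI"))
        if not e["rts"]:
            findings.append((e["evi"], "no route-targets parsed"))
        for rt_type, asn, num, direction in e["rts"]:
            rt = "%d:%d:%d" % (rt_type, asn, num)
            if e["vni"] is not None and num != e["vni"]:
                findings.append((e["evi"],
                                 "route-target %s %s does not match VNI %d"
                                 % (rt, direction, e["vni"])))
            if direction in ("both", "import"):
                importers[rt].add(e["evi"])
    # A route-target imported by several EVIs joins their route sets.
    for rt, members in sorted(importers.items()):
        if len(members) > 1:
            for evi in sorted(members):
                findings.append((evi, "route-target %s is imported by EVIs %s"
                                 % (rt, sorted(members))))
    return findings


if __name__ == "__main__":
    for evi, message in audit(parse_evis(SAMPLE_OUTPUT)):
        print("EVI %d: %s" % (evi, message))
```

Truncated or partial captures are reported as findings (missing VNI, no route-targets) rather than silently passing.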
rtt min/avg/max/mdev = 0.640/0.669/0.707/0.041 ms
root@HOST-A:~#
NOTE: Follow Steps 1 to 6 to check ping connectivity between combinations of other hosts, and between hosts through different virtual-network IP addresses.
Example: VXLAN BGP EVPN — Centralized L3 gateway
The following VXLAN with BGP EVPN example uses a centralized Layer 3 gateway to perform virtual-network routing. It is based on the sample configuration in Example: VXLAN BGP EVPN — Multiple AS topology.
Figure 17. VXLAN BGP EVPN with centralized L3 gateway
NOTE: This centralized L3 gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology.
Configure each spine and leaf switch as in the Multiple AS topology example, except:
● Because VTEPs 1 and 2 operate only in Layer 2 VXLAN mode, do not configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.233/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
S4048T-ON, S6010-ON, and the S4100-ON series, routing after decapsulation is performed only between virtual networks. You can connect an egress virtual network to a VLAN in an external router, which connects to the external network. In the following example, VLT domain 1 is a VLT VTEP. VLT domain 2 is the border leaf VLT VTEP pair. All virtual networks in the data center network are configured in all VTEPs with virtual-network IP and anycast IP gateway addresses.
Figure 18. VXLAN BGP EVPN with border leaf gateway
NOTE: This border leaf gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology.
Configure each spine and leaf switch as in the Multiple AS topology example and add the following configuration steps on each VTEP.
VTEP 1 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
2. Configure routing on the virtual network.
OS10(config)# interface virtual-network 500
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.5.0.231/16
3. Configure a static route for outbound traffic sent to the anycast MAC address of the dedicated virtual network.
OS10(config)# ip route 0.0.0.0/0 10.5.0.100
VTEP 2 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
5. Configure a static route for outbound traffic sent to VLAN 200.
OS10(config)# ip route 0.0.0.0/0 10.10.0.3
VTEP 4 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
OS10(config)# virtual-network 500
OS10(config-vn-500)# vxlan-vni 500
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
2. Configure an anycast gateway MAC address on the border leaf VTEP. This MAC address must be different from the anycast gateway MAC address configured on non-border-leaf VTEPs.
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
4. Assign VLAN member interfaces to the virtual network.
Use a switch-scoped VLAN-to-VNI mapping:
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# exit 9. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address. OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.16.0.1/32 OS10(conf-if-lo-1)# exit 10. Configure BGP EVPN peering. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
15. Configure advertisement of connected networks through EVPN type-5 routes. OS10(config)# evpn OS10(config-evpn)# vrf tenant1 OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected OS10(config-evpn-vrf-tenant1)# exit VTEP 2 Leaf Switch 1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# exit 2.
OS10(conf-if-eth1/1/2)# ip address 172.17.2.0/31 OS10(conf-if-eth1/1/2)# exit 7. Configure eBGP. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# router-id 172.17.0.1 OS10(config-router-bgp-100)# address-family ipv4 unicast OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 8. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.17.1.
11. Configure EVPN for the VXLAN virtual network. Configure the EVPN instance, RD, and RT using auto-EVI mode. OS10(config)# evpn OS10(config-evpn)# auto-evi OS10(config-evpn)# exit 12. Configure VLT. Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.1/31 OS10(config-if-vl-4000)# exit Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.232/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(conf-if-vn-10000)# no shutdown
OS10(conf-if-vn-10000)# exit
14. Configure symmetric IRB.
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# no activate OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# address-family l2vpn evpn OS10(config-router-bgp-neighbor-af)# activate OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor
Configure the VLT domain. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.16.150.3 OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4 OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee OS10(conf-vlt-1)# exit Configure UFD with uplink VLT ports and downlink network ports.
OS10(conf-if-eth1/1/7)# switchport mode trunk OS10(conf-if-eth1/1/7)# switchport trunk allowed vlan 200 17. Configure advertisement of the connected networks via EVPN Type-5 routes. OS10(config)# evpn OS10(config-evpn)# vrf tenant1 OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected OS10(config-evpn-vrf-tenant1)# exit 18. Configure BGP session with external router on the border-leaf VTEPs. OS10(config)# router bgp 100 OS10(config-router-bgp-100)# vrf tenant1 OS10(config-router-bgp-100-vrf)# neighbor 10.
VTEP 4 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(configure-router-bgp-af)# redistribute connected OS10(configure-router-bgp-af)# exit 9. Configure eBGP for the IPv4 point-to-point peering. OS10(config-router-bgp-100)# neighbor 172.19.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor 172.19.2.
OS10(config-evpn-evi-20000)# route-target auto OS10(config-evpn-evi-20000)# exit OS10(config-evpn)# exit 13. Configure VLT. Configure a VLTi VLAN for the virtual network. OS10(config)# virtual-network 20000 OS10(conf-vn-20000)# vlti-vlan 200 OS10(conf-vn-20000)# exit Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure. OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.234/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
15. Configure symmetric IRB.
With connected routes of virtual networks present in an individual VTEP advertised as type-5 routes, the border-leaf router has information about all the virtual networks present in the pod.
3. Configure eBGP IPv4 peer sessions on the P2P links. OS10(conf-router-bgp-101)# neighbor 172.16.1.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.17.1.
OS10(conf-router-bgp-101)# neighbor 172.18.0.
OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.17.2.0 OS10(conf-router-neighbor)# remote-as 100 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# neighbor 172.18.2.
OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# address-family l2vpn evpn OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# activate OS10(conf-router-neighbor-af)# exit OS10(conf-router-bgp-101)# neighbor 172.19.0.
4. Check connectivity between host A and host B.
root@HOST-A:~# ping 10.2.0.20 -c 5
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=0.824 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=63 time=0.847 ms
64 bytes from 10.2.0.10: icmp_seq=3 ttl=63 time=0.835 ms
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.
Example - VXLAN BGP EVPN symmetric IRB with unnumbered BGP peering
The following BGP EVPN example uses a Clos leaf-spine topology with BGP over unnumbered interfaces. The following explains how the network is configured:
● External BGP (eBGP) over unnumbered interfaces is used to exchange both IPv4 routes and EVPN routes.
● You need not configure IP addresses on links that connect Spine and Leaf switches. BGP Unnumbered peering works without an IP address configuration on Spine-Leaf links.
● On leaf switches 1 and 2, access ports are assigned to a virtual network using a switch-scoped VLAN. EVPN for the overlay VXLAN is configured using auto-EVI mode.
● On leaf switches 3 and 4, access ports are assigned to a virtual network using a port-scoped VLAN. EVPN for the overlay VXLAN is configured using manual EVI mode with RT and RD values configured in auto mode.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-101)# neighbor interface ethernet1/1/4 OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit Spine Switch 2 configuration 1. Configure downstream ports as unnumbered interfaces.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit VTEP Leaf Switch 1 configuration 1. Configure a loopback interface for the VXLAN underlay using the same IP address as the VLT peer. OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# exit 2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure a BGP unnumbered neighbor over network-facing ports. Use a template to simplify the configuration on multiple interfaces. These neighbors are configured to carry the IPv4 address family (default) and the L2VPN EVPN address family.
● Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# exit
● Configure iBGP unnumbered peering between VLT peers with both IPv4 and L2VPN EVPN address families.
2. Configure the loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback0 OS10(config-nve)# exit 3. Configure the VXLAN virtual network. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# exit OS10(config-vn)# exit 4. Assign VLAN member interfaces to the virtual network. Use a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-bgp-201)# neighbor interface ethernet1/1/2
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
9. Configure EVPN for the VXLAN virtual network.
Configure the EVPN instances using auto-EVI mode and disable the ASN in the generated RT.
OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit 11. Configure IP routing in overlay network. ● Create a tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit ● Configure an anycast gateway MAC address. OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 ● Configure routing on the virtual network.
OS10(conf-if-po-20)# switchport mode trunk OS10(conf-if-po-20)# no switchport access vlan OS10(conf-if-po-20)# exit OS10(config)# interface ethernet1/1/6 OS10(conf-if-eth1/1/6)# no shutdown OS10(conf-if-eth1/1/6)# channel-group 20 mode active OS10(conf-if-eth1/1/6)# exit 6. Add the access ports to the virtual network. OS10(config)# virtual-network 20000 OS10(config-vn-20000)# member-interface port-channel 20 untagged OS10(config-vn-20000)# exit 7.
NOTE: Use the disable-rt-asn command to autoderive an RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has a separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
● Configure a VLTi VLAN for the virtual network.
● Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.233/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
13.
4. Configure an unused VLAN ID for untagged membership. OS10(config)# virtual-network untagged-vlan 1000 5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
NOTE: Use the disable-rt-asn command to autoderive an RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has a separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit 12. Configure IP routing in the overlay network. ● Create a tenant VRF. OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit ● Configure an anycast gateway MAC address. OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 ● Configure routing on the virtual network.
Asymmetric to Symmetric IRB migration steps 1. Make the spines to send overlay traffic only to Leaf-2 by making Leaf-1 advertise VTEP IP with a higher metric in the underlay network. Leaf-1 configuration a. Configure route-map with prefix-list to set the metric higher for the VTEP IP. Leaf-1(config)# ip prefix-list vtep_ip seq 10 permit 10.10.10.
2. Spines would now send the overlay traffic destined to VLT domain 1 (Rack1) only to Leaf-2. 3. Configure Symmetric IRB mode in Leaf-2. Leaf-2 configuration a. Configure router-mac. Leaf-2(config)# evpn Leaf-2(config-evpn)# router-mac 02:10:10:10:10:10 b. Configure IP VRF with L3 VNI. Leaf-2(config-evpn)# vrf BLUE Leaf-2(config-evpn-vrf-VRF001)# vni 65001 c. Configure RT (auto or manual) and RD (optional, default is auto). Leaf-2(config-evpn-vrf-BLUE)# route-target auto d.
b. Default route configured in VTEPs pointing to border leaf using an intermediate VNI could be removed. Default route or external routes could now be advertised to the VTEPs from border leaf using advertise commands under EVPN-IPVRF mode. Controller-provisioned VXLAN OS10 supports VXLAN provisioning using an Open vSwitch Database (OVSDB) controller. Currently, the only supported OVSDB controller is the VMware NSX controller.
Configure controller-provisioned VXLAN To configure the NSX controller, follow these steps on each OS10 VTEP: 1. Configure the source interface used for controller-based VXLAN provisioning. Assign an IPv4 address to a loopback interface. Assign the loopback interface to an NVE instance. The loopback interface must belong to the default VRF. For detailed information, see the Configure source IP address on VTEP. 2. Configure NSX controller reachability. 3.
When the interface is assigned, you cannot: ● remove the interface from Switchport Trunk mode ● add the interface as a member of any VLAN ● remove the interface from the controller configuration if the interface has active port-scoped VLAN (Port,VLAN) pairs configured by the controller To assign an interface to be managed by the OVSDB controller: 1. Configure an interface from CONFIGURATION mode. OS10(config)# interface ethernet 1/1/1 2. Configure L2 trunking in INTERFACE mode.
Since VTEP relies on service nodes to replicate BUM traffic, we need a mechanism to monitor the connectivity between the VTEP and the service nodes. BFD can be used to monitor the connectivity between the VTEP and service nodes, and detects failures. The NSX controller provides parameters, such as the minimum TX and RX interval, and the multiplier, to initiate the BFD session between the VTEP and the service nodes. To establish a BFD session, enable the BFD on the controller and the VTEP.
● Show output with details about the replicators available for the VNID.
OS10# show nve replicators vnid 10009
Codes: * - Active Replicator
BFD Status:Enabled
Replicators State
----------------------
2.2.2.3 Up
2.2.2.2* Up
*— indicates the replicator to which the VTEP sends the BUM traffic for the specific VNID.
Configure and control VXLAN from VMware vCenter
You can configure and control VXLAN from the VMware vCenter GUI. Complete the following steps: 1.
If connectivity between the VTEP and the NSX controller is established successfully, the console displays the current connection status between the controller and the management IP address of the VTEP. 3. Create a logical switch. You can create a logical network that acts as the forwarding domain for virtualized and nonvirtualized server workloads on the physical and virtual infrastructure. The following steps configure the logical switch for NSX controller management. a.
4. Create a logical switch port that provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. 5. (Optional) Enable or disable BFD globally. The following steps enable or disable BFD configuration in the controller. a. Click Service Definitions from the left navigation pane. b. Click the Hardware Devices tab. c. Click the Edit button in the BFD Configuration. d.
After you configure a VMware NSX controller on a server VM, connect to the controller from the VXLAN gateway switch. For more information about the NSX controller configuration in the VTEP, see Configure a connection to an OVSDB controller. For more information about NSX controller configuration, see the NSX User Guide from VMware. Example: VXLAN with a controller configuration This example shows a simple NSX controller and a hardware OS10 VTEP deployed in a VXLAN environment.
● Configure the NSX controller in VMware vCenter. For more information about configuring the NSX controller using the GUI, see the Configure and control VXLAN from the VMware vCenter. You must configure an OS10 VTEP with the controller configuration so that the VTEP can communicate with the NSX controller. The NSX controller handles configurations and control plane operations in the VXLAN environment. VTEP 1 1. Configure the OSPF protocol in the underlay.
3. Create an NVE instance and configure a Loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback 1 4. Specify the NSX controller reachability information. OS10(config-nve)# controller ovsdb OS10(config-nve-ovsdb)# ip 10.16.140.182 port 6640 ssl OS10(config-nve-ovsdb)# max-backoff 10000 OS10(config-nve-ovsdb)# exit 5. Assign interfaces to be managed by the controller.
----------------------
13.0.0.5 Up
13.0.0.3 Up
13.0.0.2 Up
To view the remote VTEP status, use the show nve remote-vtep command.
OS10# show nve remote-vtep
IP Address: 13.0.0.2, State: up, Encap: VxLAN
 VNI list: ,6000
IP Address: 13.0.0.3, State: up, Encap: VxLAN
 VNI list: ,6000
IP Address: 13.0.0.5, State: up, Encap: VxLAN
 VNI list: ,6000
IP Address: 202.0.0.
 VNI list: ,6000
IP Address: 13.0.0.5, State: up, Encap: VxLAN
 VNI list: ,6000
IP Adress: 200.0.0.1, State: up, Encap: Vxlan
 VNI list: 6000
VXLAN Controller commands
controller ovsdb
Changes the mode to CONFIGURATION-NVE-OVSDB from where you can configure the controller parameters.
Syntax controller ovsdb
Parameters None
Default None
Command mode CONFIGURATION-NVE
Usage information The controller configuration initiates the OVSDB service on the OS10 switch.
Supported releases 10.4.3.0 or later max-backoff Configures a time interval, in milliseconds (ms). This is the duration the switch waits between the connection attempts to the controller. Syntax max-backoff interval Parameters interval—Enter the amount of time, in ms. This is the duration the switch waits between the connection attempts to the controller, from 1000 to 180000 ms.
Parameters None
Default None
Command mode EXEC
Usage information This command is available only for the sysadmin and secadmin roles. This command generates the SSL certificate and restarts the OVSDB server to start using the newly generated certificate.
Example OS10# nve controller ssl-key-generate
Supported releases 10.4.3.0 or later
show nve controller
Displays information about the controller and the controller-managed interfaces.
show ovsdb-tables mac-local-ucast Displays information about local MAC address entries including each MAC address, IP address, local switch name, and VNID. Syntax show ovsdb-tables mac-local-ucast Parameters None Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles.
Example Supported releases OS10# show ovsdb-tables manager Count : 3 Manager table _uuid inactivity_probe is_connected max_backoff other_config status target ------------------------------------ ---- ------------ ---------------------- ------------------------------478ec8ca-9c5a-4d29-9069-633af6c48002 [] false 1000 {} {state=BACKOFF} "ssl:10.16.140.171:6640" 52f2b491-6372-43e0-98ed-5c4ab0ca8542 [] true 1000 {} {sec_since_connect="37831", sec_since_disconnect="37832", state=ACTIVE} "ssl:10.16.140.
16 UFT modes A switch in a Layer 2 (L2) network may require a larger MAC address table size, while a switch in a Layer 3 (L3) network may require a larger routing table size. Unified forwarding table (UFT) offers the flexibility to configure internal L2/L3 forwarding table sizes. OS10 supports several UFT modes for the forwarding tables. By default, OS10 selects a UFT mode that provides a reasonable size for all tables.
Table 51. UFT Modes — Table Size for Z9264F-ON
UFT Mode            L2 MAC Table Size   L3 Host Table Size   L3 Routes Table Size
Scaled-l2–switch    270336              8192                 32768
Scaled-l3–hosts     8192                270336               32768
Scaled-l3–routes    8192                8192                 262144
Default             139264              139264               32768
Table 52.
L3 Host Entries   : 147456   212992
L3 Route Entries  : 32768    98304
View UFT information for all modes
OS10# show hardware forwarding-table mode all
Mode              default  scaled-l2  scaled-l3-routes  scaled-l3-hosts
L2 MAC Entries    163840   294912     32768             98304
L3 Host Entries   147456   16384      16384             212992
L3 Route Entries  32768    32768      131072            98304
IPv6 extended prefix routes
IPv6 addresses that contain prefix routes with a mask between /64 and /128 are called IPv6 extended prefix routes.
Syntax hardware forwarding-table mode {scaled-l2 | scaled-l3-routes | scaled-l3-hosts}
Parameters
● scaled-l2 — Enter the L2 MAC address table size.
● scaled-l3-routes — Enter the L3 routes table size.
● scaled-l3-hosts — Enter the L3 hosts table size.
Defaults The default parameters vary according to the platform. See UFT modes on page 1105.
Command Mode CONFIGURATION
Usage Information Configure the sizes of the internal L2 and L3 forwarding tables to meet the requirements of your network environment.
L2 MAC Entries    : 163840   98304
L3 Host Entries   : 147456   212992
L3 Route Entries  : 32768    98304
Supported Releases 10.3.0E or later
show hardware forwarding-table mode all
Displays table sizes for the hardware forwarding table modes.
17 Security
Dell EMC SmartFabric OS10 has several security features to protect the usability and integrity of the data available in the switch. OS10 also has security features to protect the user network from attacks and restrict network traffic.
Switch security
Dell EMC SmartFabric OS10 has various built-in security features to secure administrative access to the switch.
User management
OS10 controls user access to the switch and what users can do after login, based on the set roles and privileges.
Assign user role To limit OS10 system access, assign a role when you configure each user. ● Enter a user name, password, and role in CONFIGURATION mode. username username password password role role ○ username username — Enter a text string. A maximum of 32 alphanumeric characters; 1 character minimum. ○ password password — Enter a text string. A maximum of 32 alphanumeric characters; 9 characters minimum.
The linuxadmin password configured from the CLI takes precedence across reboots over the password configured from the Linux shell. Verify the linuxadmin password using the show running-configuration command. OS10# show running-configuration system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ ZLv9Sfv3ALtB61 Disable linuxadmin user To disable or lock the linuxadmin user, use the system-user linuxadmin disable command in CONFIGURATION mode.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. ○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
When a user is locked out due to exceeding the maximum number of failed login attempts, other users can still access the switch. By default, lockout-period minutes is 0; no lockout period is configured. Failed login attempts do not lock out a user.
Display password rules
OS10# show running-configuration password-attributes
password-attributes min-length 7 character-restriction upper 4 numeric 2
Disable strong password check
OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2
OS10(config)# username admin2 password 4newhire4 role sysadmin
%Error: Password fail: it does not contain enough DIFFERENT characters
OS10(config)# enable password 0 4newhire4 priv-lvl 5
%Error: Password it does not contain enough DIFFERENT chara
User management commands disable Lowers the privilege level. Syntax disable privilege-level Parameters ● privilege-level—Enter the privilege level, from 0 to 15. Defaults 1 Command Mode Privileged EXEC Usage Information If you do not specify a privilege level, the system assigns level 1. Example OS10# disable OS10# disable 6 Supported Releases 10.4.3.0 or later enable Enables a specific privilege level.
○ 0 — Use an unencrypted password.
○ sha-256 — Use a SHA-256 encrypted password.
○ sha-512 — Use a SHA-512 encrypted password.
● priv-lvl privilege-level — Enter a privilege number from 1 to 15.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information To increase the required password strength, create stronger password rules using the password-attributes command. The no version of this command removes a privilege-level password.
To reset parameters to their default values, use the no password-attributes command. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Example OS10(config)# password-attributes min-length 6 character-restriction upper 2 lower 2 numeric 2
Supported Releases 10.4.
Command Mode CONFIGURATION Usage Information For users assigned to sysadmin, netadmin, and secadmin roles, you cannot configure a privilege level less than 2. If a command that you associate with a privilege level has a space, enter the command in double quotes ("). If a command does not have a space or if it has keywords separated by a hyphen, double quotes are not required. The no version of this command removes a command from a privilege level.
show users Displays information for all users logged into OS10. Syntax show users Parameters None Default Not configured Command Mode EXEC Usage Information Updated the command to display the privilege levels of all users on OS10 version .
system-user linuxadmin password Configures a password for the linuxadmin user. Syntax system-user linuxadmin password {clear-text-password | hashed-password} Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Use this command to set a clear-text or hashed-password for the linuxadmin user. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.3.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
○ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. ○ secadmin — Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information.
● There is no default user role. ● The default privilege levels are level 1 for netoperator, and level 15 for sysadmin, secadmin, and netadmin. Command Mode CONFIGURATION Usage Information By default, the password must be at least nine alphanumeric characters. Only the following special characters are supported: ! # % & ' ( ) ; < = > [ ] * + - . / : ^ _ Enter the password in clear text. It is converted to SHA-512 format in the running configuration. For backward compatibility with OS10 releases 10.3.
● Configure the AAA authentication method in CONFIGURATION mode.
aaa authentication login {console | default} {local | group radius | group tacacs+}
○ console—Configure authentication methods for console logins.
○ default—Configure authentication methods for non-console logins, such as SSH and Telnet.
○ local—Use the local username, password, and role entries configured with the username password role command.
○ group radius—Configure RADIUS servers using the radius-server host command.
= string. Valid values for Dell-group-name are sysadmin, secadmin, netadmin, and netoperator. Use the VSA Dell-group-name values when you create users on a RADIUS or TACACS+ server. For detailed information about how to configure vendor-specific attributes on a RADIUS or TACACS+ server, see the respective RADIUS or TACACS+ server documentation.
● Configure the number of times OS10 retransmits a RADIUS authentication request in CONFIGURATION mode, from 0 to 100 retries; the default is 3. radius-server retransmit retries ● Configure the timeout period used to wait for an authentication response from a RADIUS server in CONFIGURATION mode, from 0 to 1000 seconds; the default is 5.
ip radius source-interface mgmt 1/1/1 ... Delete RADIUS server OS10# no radius-server host 1.2.4.5 RADIUS over TLS authentication Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol.
● Configure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for authentication. tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you configure multiple TACACS+ servers, OS10 attempts to connect in the order you configured them.
% Error: local authentication not configured After upgrading to 10.5.1 from an earlier release, there is no change in the AAA authentication configuration when this configuration has the local authentication method configured. After upgrading to 10.5.1 in MX-series platforms, the local authentication method is appended to the authentication list when local authentication is not configured.
Enable AAA accounting To record information about all user-entered commands, use the AAA accounting feature — not supported for RADIUS accounting. AAA accounting records login and command information in OS10 sessions on console connections using the console option and remote connections using the default option, such as Telnet and SSH.
Example OS10(config)# aaa accounting commands all console start-stop logging group tacacs+
Supported Releases 10.4.1.0 or later
aaa authentication login
Configures the AAA authentication method for console, SSH, and Telnet logins.
Syntax aaa authentication login {console | default} {local | group radius | group tacacs+}
Parameters
● console — Configure authentication methods for console logins.
● default — Configure authentication methods for SSH and Telnet logins.
● console — Configure authorization for console-entered commands. ● default — Configure authorization for non-console-entered commands and commands entered in non-console sessions, such as in SSH and VTY. ● local — Use the local username, password, and role entries configured with the username password role command for command authorization. ● group tacacs+ — Use the TACACS+ servers configured with the tacacs-server host command for command authorization.
tacacs-server host Configures a TACACS+ server and the key used to authenticate the switch on the server. Syntax tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Parameters ● hostname — Enter the host name of the TACACS+ server. ● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the TACACS+ server. ● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
radius-server host Configures a RADIUS server and the key used to authenticate the switch on the server. Syntax radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Parameters ● hostname — Enter the host name of the RADIUS server. ● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server. ● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands. RADIUS over TLS authentication requires that X.
Supported Releases 10.2.0E or later radius-server vrf Configures the RADIUS server for the management or non-default VRF instance. Syntax radius-server vrf {management | vrf-name} Parameters ● management — Enter the keyword to configure the RADIUS server for the management VRF instance. ● vrf-name — Enter the keyword then the name of the VRF to configure the RADIUS server for that non-default VRF instance.
Parameters interface:
● ethernet node/slot/port[:subport] — Enter a physical Ethernet interface.
● loopback number — Enter a Loopback interface, from 0 to 16383.
● mgmt 1/1/1 — Enter the management interface.
● port-channel channel-id — Enter a port-channel ID, from 1 to 28.
● vlan vlan-id — Enter a VLAN ID, from 1 to 4093.
Default Not configured.
Command Mode CONFIGURATION
Usage Information By default, no source interface is configured.
● Enable bootloader protection in EXEC mode. Use the boot protect enable command to configure a username and password. You can configure up to three users per switch. OS10# boot protect enable username root password calvin Disable bootloader protection for a specified user by using the boot protect disable command.
● If the validation of the kernel and OS10 system binary files succeeds, OS10 loads successfully. NOTE: If you are installing OS10 image using zero touch deployment (ZTD): ● Secure boot is disabled after ZTD reloads the switch. ● ZTD cannot validate the image with Dell public key (PKI/sha256/GPG keys) and hence cannot perform secure installation of the OS10 image.
Validate OS10 image file on demand
You can validate an OS10 image file at any time using the image verify command in EXEC mode. OS10 verifies the signature of the image files using hash-based authentication, GNU privacy guard (GnuPG or GPG)-based signatures, or digital signatures (PKI-signed).
image verify image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretchinstaller-x86_64.bin.sha256.
Or
$ onie-nos-install image_url sha256 signature_filepath
The OS10 image installer verifies the signature of the image files using hash-based authentication or digital signatures (PKI-signed). The image files are installed after they are successfully validated.
View certificate information
Use the show secure-boot pki-certificates command in EXEC mode to view the certificate information.
1. Boot into ONIE. 2. Install a valid OS10 image using the onie-nos-install command. For more information, see Installation using ONIE. OS10 system binary validation fails for one installed OS10 image If the system binary validation fails for one of the installed images, you can log into OS10 CLI EXEC mode. You cannot access CONFIGURATION mode. The following log message appears when you use the show logging log-file command: Dell EMC (OS10) %SECURE_BOOT: OS10 sytem file integrity failed.
Parameters
● username — Enter the username to provide access to bootloader protection.
● password — Enter a password for the specified username.
Default Disabled
Command Mode EXEC
Usage Information You can enable bootloader protection by executing this command. You can configure a maximum of three username / password pairs for bootloader protection.
Example OS10# boot protect enable username root password calvin
Supported Releases 10.4.3.
Widgits Pty Ltd
Validity            : Aug 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 GMT
Certificate Key Id  : 124
Version Number      : 3 (0x2)
Serial Number       : 17154672033164819608 (0xee11a353271dfc98)
Signature Algorithm : sha256WithRSAEncryption
Issuer              : C=IN, ST=Some-State, L=some-city, O=Internet Widgits Pty Ltd
Validity            : Aug 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 GMT
Supported Releases 10.5.1.0 or later
show secure-boot
Displays the secure boot or file integrity status.
● file-system-integrity—Validate the OS10 system binaries. ● startup-config—Validate the startup configuration file.
Security and Access Sysadmin, secadmin, netadmin
Command Mode EXEC
Usage Information This CLI is available only when you enable secure boot. If the startup configuration file is deleted or compromised, use the protected version of the startup configuration file to restore the configuration during a reboot.
Example OS10# secure-boot protect startup-config
Supported Releases 10.5.1.0 or later
secure-boot enable
Enables secure boot.
Usage Information Example-sha256 Example-GPG key Example-PKI Supported Releases This command verifies the signature of the OS10 image file using hash-based authentication, GNU privacy guard (GnuPG or GPG)-based signatures, or digital signatures (PKI-signed). For GPG validation, before you validate the OS10 image, use the image gpg-key command to install the GPG key in the switch keyring. OS10# image verify image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretchinstaller-x86_64.
tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretchinstaller-x86_64.bin.gpg
Example - PKI signature
OS10# image secure-install image://PKGS_OS10Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretchinstaller-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.pem
Supported Releases 10.5.1.0 or later
image gpg-key key-server
Installs the GPG key into the switch GPG key ring.
● Password-less login is disabled by default. To enable, use the username sshkey or username sshkey filename commands. ● Configure the list of cipher algorithms using the ip ssh server cipher cipher-list command. ● Configure key exchange algorithms using the ip ssh server kex key-exchange-algorithm command. ● Configure hash message authentication code (HMAC) algorithms using the ip ssh server mac hmac-algorithm command.
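The cipher, key exchange, and HMAC commands named in this list can be audited offline against a saved running configuration. The following is an added example, not Dell EMC code: the sample configuration is constructed, and the function names and the weak-algorithm policy (3DES and CBC ciphers, MD5, SHA-1 and RIPEMD-160 MACs, 64-bit UMAC tags, SHA-1 key exchange) are assumptions of this example.

```python
import re

# Constructed running-configuration excerpt (sample input, not from a real switch).
SAMPLE_CONFIG = """\
ip ssh server port 22
ip ssh server cipher 3des-cbc aes128-cbc aes256-ctr aes256-gcm@openssh.com
ip ssh server mac hmac-md5-etm@openssh.com hmac-sha1 umac-64@openssh.com hmac-sha2-512-etm@openssh.com
"""

# Matches the three algorithm commands; entries are separated by blank spaces.
LINE_RE = re.compile(r"^[ \t]*ip ssh server (cipher|mac|kex)[ \t]+(\S.*)$", re.MULTILINE)


def parse_ssh_algorithms(config_text):
    """Return {'cipher': [...], 'mac': [...], 'kex': [...]}; None means no line present."""
    found = {"cipher": None, "mac": None, "kex": None}
    for kind, value in LINE_RE.findall(config_text):
        # Assumption of this example: a later line replaces an earlier one.
        found[kind] = value.split()
    return found


def weakness(kind, name):
    """Return a reason string if the algorithm fails the example policy, else None."""
    base = name.split("@", 1)[0]          # drop the @openssh.com style suffix
    if kind == "cipher":
        if base.startswith("3des"):
            return "3DES (64-bit block cipher)"
        if base.endswith("-cbc"):
            return "CBC mode"
    elif kind == "mac":
        for token, reason in (("md5", "MD5-based MAC"),
                              ("sha1", "SHA-1-based MAC"),
                              ("ripemd160", "RIPEMD-160-based MAC")):
            if token in base:
                return reason
        if base.startswith("umac-64"):
            return "64-bit MAC tag"
    elif kind == "kex":
        if base.endswith("-sha1"):
            return "SHA-1 key-exchange hash"
    return None


def audit(config_text):
    """Return (findings, replacement_commands) for the SSH algorithm lines."""
    findings, commands = [], []
    for kind, algos in parse_ssh_algorithms(config_text).items():
        if algos is None:
            # No explicit list: the switch uses its defaults, which this
            # example does not evaluate.
            findings.append((kind, None, "not configured; platform defaults apply"))
            continue
        weak = [(a, weakness(kind, a)) for a in algos if weakness(kind, a)]
        keep = [a for a in algos if not weakness(kind, a)]
        findings.extend((kind, a, why) for a, why in weak)
        if weak and keep:
            # Re-enter the command with only the algorithms that passed.
            commands.append("ip ssh server %s %s" % (kind, " ".join(keep)))
        elif weak:
            findings.append((kind, None, "no acceptable algorithm left; choose new ones"))
    return findings, commands


if __name__ == "__main__":
    findings, commands = audit(SAMPLE_CONFIG)
    for kind, algo, why in findings:
        print("%-6s %-32s %s" % (kind, algo or "-", why))
    print("\nSuggested replacement lines:")
    for line in commands:
        print("  " + line)
```

Before applying a suggested line, confirm with show ip ssh that every remaining algorithm is also supported by the SSH clients that manage the switch.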
1. Create access lists with permit or deny filters; for example: OS10(config)# ip access-list snmp-read-only-acl OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any OS10(config-ipv4-acl)# exit OS10(config)# 2. Apply ACLs to an SNMP community in CONFIGURATION mode.
OS10(config-ipv4-acl)# exit OS10(config)# 2. Enter VTY mode using the line vty command in CONFIGURATION mode. OS10(config)# line vty OS10(config-line-vty)# 3. Apply the access lists to the VTY line with the {ip | ipv6} access-class access-list-name command in LINEVTY mode.
Example OS10(config)# ip ssh server challenge-response-authentication
Supported Releases 10.3.0E or later
ip ssh server cipher
Configures the list of cipher algorithms in the SSH server.
Syntax ip ssh server cipher cipher-list
Parameters cipher-list — Enter a list of cipher algorithms. Separate entries with a blank space. The cipher algorithms supported by the SSH server are:
● 3des-cbc
● aes128-cbc
● aes192-cbc
● aes256-cbc
● aes128-ctr
● aes192-ctr
● aes256-ctr
● aes128-gcm@openssh.
Example OS10(config)# ip ssh server hostbased-authentication
Supported Releases 10.3.0E or later
ip ssh server kex
Configures the key exchange algorithms used in the SSH server.
Syntax ip ssh server kex key-exchange-algorithm
Parameters key-exchange-algorithm — Enter the supported key exchange algorithms separated by a blank space. The SSH server supports these key exchange algorithms:
● curve25519-sha256
● curve25519-sha256@libssh.
● hmac-sha2-512
● umac-64@openssh.com
● umac-128@openssh.com
● hmac-md5-etm@openssh.com
● hmac-md5-96-etm@openssh.com
● hmac-ripemd160-etm@openssh.com
● hmac-sha1-etm@openssh.com
● hmac-sha1-96-etm@openssh.com
● hmac-sha2-256-etm@openssh.com
● hmac-sha2-512-etm@openssh.com
● umac-64-etm@openssh.com
● umac-128-etm@openssh.com
Default
● hmac-sha1
● hmac-sha2-256
● hmac-sha2-512
● umac-64@openssh.com
● umac-128@openssh.com
● hmac-sha1-etm@openssh.com
● hmac-sha2-256-etm@openssh.
ip ssh server port
Configures the SSH server listening port.
Syntax ip ssh server port port-number
Parameters port-number — Enter the listening port number, from 1 to 65535.
Default 22
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command removes the configuration.
show ip ssh Displays the SSH server information. Syntax show ip ssh Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to view information about the established SSH sessions. Example OS10# show ip ssh SSH Server: Enabled -------------------------------------------------SSH Server Ciphers: chacha20-poly1305@openssh.com,aes128-ctr, aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256gcm@openssh.com SSH Server MACs: umac-64-etm@openssh.
uvZ8gzRxTuM16Qr+RxBLJ7/OzkjNIN1/8Ok+8aJtCoJKbcYaduMjmhVNrNUW5TUXoCnp1XNRpkJ zgS7Lt47yi86rqrTCAQW4eSYJIJs4+4ql9b4MF2D3499Ofn8uS82Mjtj0Nl01lbTbP3gsF4YYdB WaFqp root@OS10 Supported Releases 10.4.1.0 or later username sshkey Enables SSH password-less login using the public key of a remote client. The remote client is not prompted to enter a password. Syntax username username sshkey sshkey-string Parameters ● username — Enter the user name.
Parameters
● username — Enter the OS10 user name of the user who logs in on a remote client. This value is the user name configured using the username password role command.
● filepath — Enter the absolute path name of the local file containing the public keys used by remote devices to log in to the OS10 switch.
Default The default SSH public keys are an RSA key generated using 2048 bits, an ECDSA key with 256 bits, and an Ed25519 key with 256 bits.
Example
OS10# crypto ssh-key generate rsa 4096
Host key already exists. Overwrite [confirm yes/no]:yes
Generated 4096-bit RSA key
OS10#
Supported Releases 10.4.1.0 or later
login concurrent-session limit
Configures the maximum number of concurrent login sessions allowed for a user ID.
Syntax login concurrent-session limit number
Parameters limit number — Enter the limit of concurrent login sessions, from 1 to 12.
Usage Information The no version of this command removes the filter.
Example
OS10(config)# line vty
OS10(config-line-vty)# ipv6 access-class permit10
Supported Releases 10.4.0E(R1) or later
ip access-class
Filters connections in a virtual terminal line using an IPv4 access list.
Syntax ip access-class access-list-name
Parameters access-list-name — Enter the access list name.
To disable login statistics, use the no login-statistics enable command. Audit log To monitor user activity and configuration changes on the switch, enable the audit log. Only the sysadmin and secadmin roles can enable, view, and clear the audit log. The audit log records configuration and security events, including: ● User logins and logouts on the switch, failed logins, and concurrent login attempts by a user ● User-based configuration changes recorded with the user ID, date, and time of the change.
Switch management statistics commands login-statistics enable Enables the display of login statistics to users. Syntax login-statistics enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information Only the sysadmin and secadmin roles have access to this command. When enabled, user login information, including the number of successful and failed logins, role changes, and the last time a user logged in, displays after a successful login.
Supported Releases 10.4.0E(R1) or later
clear logging audit
Deletes all events in the audit log.
Syntax clear logging audit
Parameters None
Defaults Not configured
Command Mode EXEC
Usage Information To display the contents of the audit log, use the show logging audit command.
Example
OS10# clear logging audit
Proceed to clear all audit log messages [confirm yes/no(default)]:yes
Supported Releases 10.4.3.0 or later
show logging audit
Displays audit log entries.
Supported Releases 10.4.3.0 or later logging audit enable Enables recording of configuration and security events in the audit log. Syntax logging audit enable Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Audit log entries are saved locally and sent to configured Syslog servers. Only the sysadmin and secadmin roles can enable the audit log. The no version of the command disables audit log recording.
Certificate revocation list (CRL) A CA-signed document that contains a list of certificates that are no longer valid, even though they have not yet expired. For example, when a new certificate is generated for a server, and the old certificate is no longer supported. Certificate signing request (CSR) After generating a key pair, a switch signs a request to obtain a certificate using its secret private key, and sends the request to a certificate authority.
To import a CA server certificate: 1. Use the copy command to download an X.509v3 certificate created by a CA server using a secure method, such as HTTPS, SCP, or SFTP. Copy the CA certificate to the local directory on the switch, such as home:// or usb://. 2. Use the crypto ca-cert install command to install the certificate. When you install a CA certificate, specify the local path where the certificate is stored.
Certificate revocation Before the switch and an external device, such as a RADIUS or TLS server, set up a secure connection, they present CA-signed certificates to each other. The certificate validation allows peers to authenticate each other's identity, and is followed by checking to ensure that the certificate has not been revoked by the issuing CA. A certificate includes the URL and other information about the certificate distribution point (CDP) that issued the certificate.
OS10# show crypto crl
-------------------------------------
| Manually installed CRLs |
-------------------------------------
Network_Solutions_Certificate_Authority.0.crl.pem
-------------------------------------
| Downloaded CRLs |
-------------------------------------
Request and install host certificates
OS10 also supports the switch obtaining its own X.509v3 host certificate. In this procedure, you generate a certificate signing request (CSR) and a private key.
● If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You can configure a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to change the certificate-key pair for a specified application without interrupting other critical services. For example, RADIUS over TLS may use a different certificate-key pair than SmartFabric services.
NOTE: For security reasons, the private key file is copied to an internal, secure location and removed from the viewable file system.
Example: Download and install trusted certificate and private key
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.pem home://Dell_host1_CA1.pem
password:
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.key home://Dell_host1_CA1.key
password:
OS10# crypto cert install cert-file home://Dell_host1_CA1.
Netscape Cert Type: SSL Client, S/MIME Netscape Comment: OpenSSL Generated Client Certificate X509v3 Subject Key Identifier: 4A:20:AA:E1:69:BF:BE:C5:66:2E:22:71:70:B4:7E:32:6F:E0:05:28 X509v3 Authority Key Identifier: keyid:A3:39:CB:C7:76:86:3B:05:44:34:C2:6F:90:73:1F:5F:64:55:5C:76 X509v3 Key Usage: critical Delete trusted certificate OS10# OS10# crypto cert delete Dell_host1_CA1.pem Certificate and keys were successfully deleted.
● Install a self-signed certificate and key file in EXEC mode. crypto cert install cert-file home://cert-filename key-file {key-path | private} [password passphrase] [fips] ○ cert-file cert-path specifies a source location for a downloaded certificate; for example, home://s4048-001cert.pem or usb://s4048-001-cert.pem. ○ key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key.
25:9f:d9:39:60:5c:49:b0:ad Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 X509v3 Subject Alternative Name: DNS:dell.domain.
OS10(config-sec-profile)# certificate dv-fedgov-s6010-1
OS10(config-sec-profile)# revocation-check
OS10(config-sec-profile)# peer-name-check
OS10(config-sec-profile)# exit
OS10(config)#
OS10(config)# radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
OS10(config)# end
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
 certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.
CommonName = GeoTrust Universal CA
IssuerName = GeoTrust Universal CA
2. Generate a CSR, copy the CSR to a CA server, download the signed certificate, and install the host certificate.
OS10# crypto cert generate request cert-file home://s4048-001.csr key-file home://tsr6.key cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization "Dell EMC" orgunit Networking locality "Santa Clara" state California country US length 1024
Processing certificate ...
OS10# copy scp://CAadmin:secret@172.11.222.1/s4048-001.crt usb://s4048-001-crt.pem
OS10# crypto cert install cert-file usb://s4048-001-crt.pem key-file usb://s4048-001crt.key
This will replace the already installed host certificate.
Do you want to proceed ? [yes/no(default)]:yes
Processing certificate ...
Host certificate installed successfully.
3. Configure an X.509v3 security profile.
cluster security-profile Creates a security profile for a cluster application. Syntax cluster security-profile profile-name Parameters profile-name — Enter the name of the security profile; a maximum of 32 characters. Default Not configured Command mode CONFIGURATION Usage information When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other. OS10 installs a default X.
Default Not configured Command mode EXEC Usage information Before using the crypto ca-cert install command, copy the certificate to the home directory on the switch using a secure connection, such as HTTPS, SCP, or SFTP. After successful installation, the subject and issuer of the CA certificate are displayed. To delete a trusted certificate, use the crypto ca-cert delete command. Example Supported releases OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt Processing certificate ...
crypto cert delete Deletes an installed host certificate and the private key created with it. Syntax crypto cert delete filename [fips] Parameters ● filename — Enter the file name of the host certificate as displayed in the show crypto cert command. ● fips — (Optional) Delete a FIPS-compliant certificate-key pair. To verify whether a certificate is non-FIPS or FIPS-compliant, use the show crypto cert command.
common-name value does not match the device’s presented identity, a signed certificate does not validate. ● email email-address — Enter a valid email address used to communicate with the organization. ● validity days — Enter the number of days that the certificate is valid. For a CSR, validity has no effect. For a self-signed certificate, the default is 3650 days or 10 years. ● length bit-length — Enter a bit value for the keyword length.
crypto cert install Installs a host certificate and private key on the switch. A host certificate may be trusted from a CA or self-signed. Syntax crypto cert install cert-file cert-path key-file {key-path | private} [password passphrase] [fips] Parameters ● cert-file cert-path — Enter the local path to where the downloaded certificate is stored. You can enter a full path or a relative path; for example, home://s4048-001-cert.pem or usb://s4048-001-cert.pem or flash://certs/s4810-001-request.crt.
Example
OS10# crypto crl delete COMODO_Certification_Authority.0.crl.pem
Supported Releases 10.5.0 or later
crypto crl install
Installs the Certificate Revocation List files that you copied to the switch.
Syntax crypto crl install crl-path [crl-filename]
Parameters
● crl-path — Enter the path to the directory where the CRL is downloaded.
● crl-filename — (Optional) Enter the CRL filename that you copied to the switch.
If you enable FIPS using the crypto fips enable command, RADIUS over TLS operates in FIPS mode. In FIPS mode, RADIUS over TLS requires that a FIPS-compliant certificate and key pair are installed on the switch.
Example
OS10# crypto fips enable
Supported releases 10.4.3.0 or later
crypto security-profile
Creates an application-specific security profile.
Syntax crypto security-profile profile-name
Parameters profile-name — Enter the name of the security profile; a maximum of 32 characters.
Default Not configured Command mode SEC-PROFILE Usage information Use the revocation-check command to enable the verification of certificates presented by external devices for a PKI-enabled application on the switch. Use the show crypto crl command to display the CRLs installed on the switch and used to ensure the validity and trustworthiness of certificates from external devices. The no version of the command disables CRL checking in a security profile.
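A security profile only checks revocation when revocation-check is present in it, so a configuration review should confirm it per profile. The following added example (not from the guide, and not Dell code) audits a saved running-configuration for profiles that lack a certificate, revocation-check or peer-name-check, and for RADIUS over TLS hosts that reference an undefined profile. The sample configuration is constructed, the profile name syslog-prof and the second RADIUS host are hypothetical, and the indented layout of profile sub-commands is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed running-configuration excerpt (not captured from a switch).
# Assumption: profile sub-commands are indented under their profile line.
SAMPLE_CONFIG = """\
!
crypto security-profile radius-prof
 certificate dv-fedgov-s6010-1
 revocation-check
 peer-name-check
!
crypto security-profile syslog-prof
 certificate dv-fedgov-s6010-1
!
radius-server host radius-server-2.test.com tls security-profile radius-prof key radsec
radius-server host radius-server-3.test.com tls security-profile missing-prof key radsec
"""

PROFILE_RE = re.compile(r"^crypto security-profile (\S+)\s*$")
RADIUS_TLS_RE = re.compile(
    r"^radius-server host (\S+) tls security-profile (\S+)", re.MULTILINE
)


@dataclass
class Profile:
    name: str
    certificate: Optional[str] = None
    revocation_check: bool = False
    peer_name_check: bool = False


def parse_profiles(config: str) -> Dict[str, Profile]:
    """Collect every crypto security-profile block and its sub-commands."""
    profiles: Dict[str, Profile] = {}
    current: Optional[Profile] = None
    for line in config.splitlines():
        header = PROFILE_RE.match(line)
        if header:
            name = header.group(1)
            current = profiles.setdefault(name, Profile(name))
            continue
        if not line.startswith(" "):
            # "!" or any other top-level command closes the profile block.
            current = None
            continue
        words = line.split()
        if current is None or not words:
            continue
        if words[0] == "certificate" and len(words) == 2:
            current.certificate = words[1]
        elif words == ["revocation-check"]:
            current.revocation_check = True
        elif words == ["peer-name-check"]:
            current.peer_name_check = True
    return profiles


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (subject, issue) pairs for weak or dangling profile settings."""
    profiles = parse_profiles(config)
    findings: List[Tuple[str, str]] = []
    for profile in profiles.values():
        if profile.certificate is None:
            findings.append((profile.name, "no certificate configured"))
        if not profile.revocation_check:
            findings.append((profile.name, "revocation-check not enabled"))
        if not profile.peer_name_check:
            findings.append((profile.name, "peer-name-check not enabled"))
    for host, name in RADIUS_TLS_RE.findall(config):
        if name not in profiles:
            findings.append(
                (host, f"references undefined security profile {name}")
            )
    return findings


if __name__ == "__main__":
    for subject, issue in audit(SAMPLE_CONFIG):
        print(f"{subject}: {issue}")
```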
Command mode EXEC
Usage information To delete a certificate, use the crypto cert delete filename command.
Example
OS10# show crypto cert
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
Dell_host1_CA1.pem
-------------------------------------
| Installed FIPS certificates |
-------------------------------------
OS10# show crypto cert Dell_host1_CA1.
show crypto crl Displays the list of installed Certificate Revocation List files. Syntax show crypto crl [crl-filename] Parameters ● crl-filename — (Optional) Enter a CRL filename with the .pem extension. Default Not configured Command Mode EXEC Usage Information Use the show crypto crl command to verify the CRLs installed on the switch. In the show output: Example ● Manually installed CRLs are installed using the crypto crl install command.
Access control lists Access control lists (ACLs) restrict network traffic using policies and improve network performance. For more information about ACL, see Access control lists. DHCP snooping DHCP snooping protects your network from attacks by monitoring the DHCP messages and blocking untrusted or rogue DHCP servers. For more information about DHCP snooping, see DHCP snooping. 802.1X port access control 802.
A MAC address movement happens when the system detects the same MAC address on an interface which it has already learned through another port security-enabled interface on the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC address is disabled on the system. Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.
To enable port security on an interface:
1. Enter the following command in INTERFACE mode: switchport port-security
2. Enable port security in CONFIGURATION-PORT-SECURITY mode: no disable
NOTE: To disable the port security feature on an interface, use the disable command in CONFIGURATION-PORT-SECURITY mode.
Configure the MAC address learning limit
After you enable port security on an interface, the interface can learn one secure MAC address by default.
To enable sticky MAC address learning on an interface: Enter the following command in INTERFACE PORT SECURITY mode: sticky NOTE: Before enabling sticky MAC address learning, ensure that you restrict the number of MAC addresses that an interface can learn using the mac-learn limit command.
● To clear the error-disabled state of all interfaces that was caused by a MAC address learning limit violation, use the following command in CONFIGURATION mode: errdisable reset cause mac-learn-limit violation ● To clear the error-disabled state of all interfaces that was caused by a MAC address movement violation, use the following command in CONFIGURATION mode: errdisable reset cause mac-move-violation ● To clear the error-disabled state of all interfaces that was caused by all violation incidents, use t
To view the statically-configured secure MAC addresses, use the following command in EXEC mode:
show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}}}
View statically-configured secure MAC addresses example
OS10# show mac address-table secure sticky
VlanId  MAC Address        Type    Interface
1       4c:76:25:e5:4f:51  sticky  ethernet1/1/5
1       4c:76:25:e5:4f:55  sticky  ethernet1/1/6
1       4c:76:25:e5:4f:59  sticky  ethernet1/1/7
os10# show mac add
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
Mac-learn-limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :11
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status :Enab
----------------------------------------------------------------------
ethernet1/1/1:1   bpduguard                          30
ethernet1/1/1:2   bpduguard                          1
ethernet1/1/10    bpduguard/mac-learn limit/mac-move 10
port-channel100   Mac-learn limit                    50
port-channel128   mac-move                           49
Port security commands
clear mac address-table secure
Clears sticky and dynamic secure MAC address entries from the MAC address table.
Parameters ● mac-learn-limit-violation — Brings up an error disabled interface that exceeded the maximum number of MAC addresses that it can learn. ● mac-move-violation — Brings up an error disabled interface that was brought down due to station move violation. Default Automatic recovery is disabled Command Mode CONFIGURATION Usage Information The no version of this command disables automatic recovery.
If the system contains more static MAC addresses than the MAC address learn limit, the system displays an error message. You can delete a few static MAC addresses or increase the number of MAC addresses the port can learn. If the total number of dynamic MAC addresses on an interface is greater than the newly configured MAC learn limit, the dynamic MAC addresses are flushed.
Example
OS10(config-if-port-sec)# mac-learn limit 100
Supported Releases 10.5.1.
Example
OS10(config-if-port-sec)# mac-move allow
Supported Releases 10.5.1.0 or later
mac-move violation
Configures station move violation actions.
Syntax mac-move violation {drop | log | shutdown-both | shutdown-offending | shutdown-original}
Parameters
● drop — Drops the received packet when an interface detects the same MAC address that the system has already learned on a different interface.
Example (VLAN)
OS10(config)# mac address-table static 34:17:eb:f2:ab:c6 vlan 1 interface ethernet 1/1/30
Example (PortChannel)
OS10(config)# mac address-table static 34:17:eb:02:8c:33 vlan 10 interface port-channel 1
Supported Releases 10.2.0E or later
show switchport port-security
Displays port security information of interfaces.
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :11
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status :Enable
Interface name : ethernet1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac-learn-limit :1024
MaC-learn-limit-Violation Action :Shutdown
Sticky :Enabled
Mac-move-allow :Not Allowed
Mac-move-violation :shutdown-both
Aging :Disbaled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
Supported Releases 10.5.1.0 or later switchport port-security (global) Enables the port security feature on the system globally. Syntax switchport port-security Parameters None Default Port security is enabled globally. Command Mode ● CONFIGURATION Usage Information After you enable the port security feature on the system globally, enable port security on the required interfaces using this command in INTERFACE CONFIGURATION mode.
Example
OS10(config-if-port-sec)# aging on
Supported Releases 10.5.1.0 or later
show mac address-table secure
Displays information about the secure MAC addresses in the MAC address table.
Syntax show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}} | address mac-address}
Parameters
● dynamic — Displays secure dynamic MAC address table entries.
● static — Displays secure static MAC address table entries.
Usage Information Example The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put in to error disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all reasons.
Supported Releases 10.1.
18 OpenFlow
Switches implement the control plane and data plane in the same hardware. Software-defined network (SDN) decouples the software (control plane) from the hardware (data plane). A centralized SDN controller handles the control plane traffic and hardware configuration for data plane flows. The SDN controller is the "brain" of an SDN.
The ONOS controller does not encode the DSCP flow entry values that are matched according to the OpenFlow 1.0 specification. Hence, when you install a flow entry in OpenFlow 1.0 that matches the IP DSCP, the ONOS controller sets an incorrect flow-entry encoding value for IP DSCP. OpenFlow logical switch instance In OpenFlow-only mode, you can configure only one logical switch instance. After you enable OpenFlow mode, create a logical switch instance. The logical switch instance is disabled by default.
Flow table An OpenFlow flow table consists of flow entries. Each flow table entry contains the following fields: Table 56. Supported fields Fields Support match_fields Supported priority Supported counters Supported instructions Supported timeouts Supported cookie Not supported Group table Not supported Meter table Not supported Instructions Each flow entry contains a set of instructions that execute when a packet matches the entry. Table 57.
Table 58. Supported action sets (continued) Action set Support decrement TTL Not supported set Supported (selective fields) qos Not supported group Not supported output Supported Action types An action type associates with each packet. Table 59.
Table 60.
Table 60. Supported counters (continued) Required/Optional Counter Bits Support Optional In-band packet count 64 Not supported Optional In-band byte count 64 Not supported Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● In the show interface vlan command output, the VLAN octet counters are not displayed accurately. ● If a packet hits two ACL tables, the counter with higher priority statistics gets incremented and the other actions are merged and applied.
Connection setup TCP Table 64. Supported modes Modes Supported/Not supported Connection interruption ● fail-secure-mode—Supported ● fail-standalone-mode—Not supported TLS encryption Supported Multiple controller Not supported Auxiliary connections Not supported Number of logical switches One Supported controllers REST APIs on ● RYU ● ONOS Flow table modification messages Table 65.
Table 66.
Table 67.
Table 67. Supported fields (continued) Flow match fields Supported/Not supported OFPXMT_OFB_PBB_ISID = 37 Not supported OFPXMT_OFB_TUNNEL_ID = 38 Not supported OFPXMT_OFB_IPV6_EXTHDR = 39 Not supported Action structures Table 68.
Table 69. Supported capabilities (continued) Capabilities Supported/Not supported OFPC_GROUP_STATS = 1 << 3 Not supported OFPC_IP_REASM = 1 << 5 Not supported OFPC_QUEUE_STATS = 1 << 6 Not supported OFPC_PORT_BLOCKED = 1 << 8 Not supported Multipart message types Table 70.
Property type Table 72.
Packet-in reasons Table 75. Supported reasons Packet-in reasons Supported/Not supported OFPR_NO_MATCH = 0 Supported OFPR_ACTION = 1 Supported OFPR_INVALID_TTL = 2 Not supported Flow-removed reasons Table 76. Supported reasons Flow-removed reasons Supported/Not supported OFPRR_IDLE_TIMEOUT = 0 Supported OFPRR_HARD_TIMEOUT = 1 Supported OFPRR_DELETE = 2 Supported OFPRR_GROUP_DELETE = 3 Not supported Error types from switch to controller Table 77.
NOTE: OS10 supports applications based on OpenFlow versions 1.0 and 1.3. ● Switching loop removal Consider the case of a single broadcast domain where switching loops are common. This issue occurs because of redundant paths in an L2 network. Switching loops create broadcast storms with broadcasts and multicasts being forwarded out of every switch port. Every switch in the network repeatedly re-broadcasts the messages and floods the entire network.
i. Configure one of the front-panel ports as the management port.
OS10# configure terminal
OS10 (config)# openflow
OS10 (config-openflow)# in-band-mgmt interface ethernet 1/1/1
OS10 (config-openflow)#
ii. Configure an IPv4 address on the front-panel management port.
OS10# configure terminal
OS10 (config)# interface ethernet 1/1/1
OS10 (conf-if-eth1/1/1)# ip address 11.1.1.1/24
OS10 (conf-if-eth1/1/1)# no shutdown
iii. Configure the logical switch instance, of-switch-1.
cert.pem config://../openflow/cacert.pem OS10# copy scp://username:password@server-ip/full-path-to-the-certificates/switchcert.pem config://../openflow/sc-cert.pem OS10# copy scp://username:password@server-ip/full-path-to-the-certificates/switchprivkey.pem config://../openflow/sc-privkey.pem where server-ip refers to the server where you have stored the certificates, and username and password refers to the credentials you need to access the server with the certificates. 3.
OS10 (config-openflow-switch)# controller ipv4 10.11.63.
Usage Information Use this command to convert any one of the front-panel ports as the management interface. This port is not part of the OpenFlow logical switch instance. All the ports are L2 ports by default. If you configure one of the front-panel ports as the management interface, the port becomes an L3 port. You can configure an L3 IPv4 address only to the front-panel port that you have specified in this command. Ensure that you have IP connectivity between the specified port and the controller.
NOTE: For a list of available commands when the switch is in the OpenFlow-only mode, see CLI commands available in the OpenFlow-only mode. Example OS10 (config-openflow)# mode openflow-only OS10 (config-openflow)# Supported Releases 10.4.1.0 or later openflow Enters OPENFLOW configuration mode. Syntax openflow Parameters None Default None Command Mode CONFIGURATION Usage Information All OpenFlow configurations are performed in this mode. The no form of this command prompts a switch reload.
protocol-version Specifies protocol version the logical switch interface uses. Syntax protocol-version version Parameters version—Choose from one of the following: ● negotiate—Enter the keyword to negotiate versions 1.0 or 1.3 with the controller. The highest of the supported versions is selected. ● 1.0—Specify the logical switch instance OpenFlow protocol version as 1.0. ● 1.3—Specify the logical switch instance OpenFlow protocol version as 1.3.
For example, when you configure a rate of 1000 PPS and a burst of 300 packet bursts per second, the packets can egress on the connection at rates of up to 2000 PPS and 600 packet bursts per second. The no form of this command disables rate limiting on the controller connection. NOTE: This command is a software rate limiting command and applies only to the OpenFlow channel connection between the controller and the logical switch instance. This command is not related to the switch's data-plane rate limits.
show openflow flows Displays OpenFlow flows for a specific logical switch instance. Syntax show openflow switch logical-switch-name flows Parameters logical-switch-name—Enter the logical switch instance name to view flow information.
YES COPPER ethernet1/1/2 YES COPPER ethernet1/1/3:1 NO FIBER ethernet1/1/3:2 NO FIBER ethernet1/1/3:3 NO FIBER ethernet1/1/3:4 NO FIBER ethernet1/1/4 YES COPPER ethernet1/1/5:1 NO FIBER ethernet1/1/5:2 NO FIBER ethernet1/1/5:3 NO FIBER ethernet1/1/5:4 NO FIBER ethernet1/1/6 NO NONE ethernet1/1/7 NO NONE ethernet1/1/8 YES COPPER ethernet1/1/9 NO NONE ethernet1/1/10 NO NONE ethernet1/1/11 YES COPPER ethernet1/1/12 YES COPPER ethernet1/1/13 NO NONE ethernet1/1/14 NO NONE ethernet1/1/15 NO NONE ethernet1/1/16 N
NO NONE ethernet1/1/32 NO NONE Supported Releases 125 PORT_UP(CLI) LINK_DOWN 0MB FD 10.4.1.0 or later show openflow switch Displays OpenFlow parameters for the switch instance.
Example
OS10# show openflow switch ice controllers
Logical switch name: ice
Total Controllers: 2
Controller: 1
Target: 10.16.132.59:6653
Protocol: TCP
Connected: YES
Role: Master
Last_error: Connection timed out
State: ACTIVE
sec_since_disconnect: 0
Controller: 2
Target: [2001::2]:6653
Protocol: TCP
Connected: YES
Role: Equal
Last_error: Connection timed out
State: ACTIVE
sec_since_disconnect: 0
Supported Releases 10.4.1.
● The ntp subcommand under the interface command is not applicable when the switch is in OpenFlow mode. ● The ip and ipv6 subcommands under the interface command are applicable only when you configure the interface as the management port using the in-band-mgmt command. ● The ip and ipv6 commands must be used only in In-Band mode (using the in-band-mgmt command). Table 78.
Table 78. Modes and CLI commands (continued) Mode Available CLI commands scale-profile support-assist system tacacs-server trust username userrole EXEC All commands The following debug commands are not available: ● debug iscsi ● debug radius ● debug tacacs+ LAG INTERFACE CONFIGURATION LAG is not supported. LOOPBACK INTERFACE CONFIGURATION Loopback interface is not supported.
19 Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
An ACL is a filter that contains criteria to match, for example on internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) packets, and an action to take, such as forwarding or dropping packets at the NPU.
Destination MAC packet address MAC address range—address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches all destination addresses. Packet protocol Set by its EtherType field contents and assigned protocol number for all protocols. VLAN ID Set in the packet header Class of service Present in the packet header IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets.
○ DST_IPv6—Destination address
○ SRC_IPv6—Source address
○ IP_TYPE—IP Type; for example, IPv4 or IPv6
○ IP_PROTOCOL—TCP, UDP, and so on
○ L4_DST_PORT—Destination port
● MAC qualifiers:
○ OUT_PORT—Egress CPU port
○ SRC_MAC—Source MAC address
○ DST_MAC—Destination MAC address
○ ETHER_TYPE—Ethertype
○ OUTER_VLAN_ID—VLAN ID
○ IP_TYPE—IP type
○ OUTER_VLAN_PRI—DOT1P value
IP fragment handling
OS10 supports a configurable option to explicitly deny IP-fragmented packets, particularly for the second and subsequent
TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
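The fragment behaviour described above, modelled as an added example (not from the guide and not OS10 code). The three-rule ACL is constructed to reproduce the stated outcome, and the Rule and Packet types and the matching logic are a simplified assumption: a rule with a destination port can only match a packet that carries the L4 header (fragment offset 0), and a rule marked fragments only matches non-first fragments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                       # "tcp", "udp", "icmp", ...
    frag_offset: int = 0             # 0 = unfragmented or first fragment
    dst_port: Optional[int] = None   # L4 header exists only at offset 0


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # source network in CIDR form
    dst_port: Optional[int] = None   # L4 qualifier
    fragments: bool = False          # rule carries the fragments option


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.fragments:
        # Only second and subsequent fragments are selected.
        return pkt.frag_offset > 0
    if rule.dst_port is not None:
        # Non-first fragments have no TCP/UDP header, so a port
        # qualifier cannot be evaluated against them.
        return pkt.frag_offset == 0 and pkt.dst_port == rule.dst_port
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Optional[Tuple[int, str]]:
    """Return (sequence number, action) of the first matching rule, else None."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.seq, rule.action
    return None


# Constructed rule set, numbered in multiples of ten.
ACL = [
    Rule(10, "permit", "tcp", "10.1.1.1/32", dst_port=24),
    Rule(20, "permit", "tcp", "10.1.1.1/32", fragments=True),
    Rule(30, "deny", "ip", "0.0.0.0/0", fragments=True),
]

# Constructed sample packets.
SAMPLES = {
    "unfragmented tcp/24 from 10.1.1.1": Packet("10.1.1.1", "tcp", 0, 24),
    "first fragment tcp/24 from 10.1.1.1": Packet("10.1.1.1", "tcp", 0, 24),
    "later tcp fragment from 10.1.1.1": Packet("10.1.1.1", "tcp", 185),
    "later udp fragment from 10.9.9.9": Packet("10.9.9.9", "udp", 185),
    "unfragmented tcp/80 from 10.1.1.1": Packet("10.1.1.1", "tcp", 0, 80),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label}: {evaluate(ACL, pkt)}")
```

A packet that returns None matched no rule in this model; what the switch does with it depends on the rest of the ACL, which this sketch does not cover.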
Auto-generated sequence number If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order you configure the filters. The system assigns sequence numbers to filters using multiples of ten values. ● Configure a deny or permit filter to examine IP packets in IPV4-ACL mode. {deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments] ● Configure a deny or permit filter to examine TCP packets in IPV4-ACL mode.
Rules apply in order:
● Ingress L3 ACL
● Ingress L2 ACL
● Egress L3 ACL
● Egress L2 ACL
NOTE: In ingress ACLs, L2 has a higher priority than L3 and in egress ACLs, L3 has a higher priority than L2.
Table 79.
seq 110 permit tcp any any fin syn rst psh ack urg count (0 packets)
seq 120 deny icmp 20.1.6.0/24 any fragment count (0 packets)
seq 130 permit 150 any any dscp 63 count (0 packets)
To view the number of packets matching the ACL, use the count option when creating ACL entries.
● Create an ACL that uses rules with the count option, see Assign sequence number to filter.
● Apply the ACL as an inbound or outbound ACL on an interface in CONFIGURATION mode, and view the number of packets matching the ACL.
You can use an egress ACL filter to restrict egress traffic. For example, when you isolate denial of service (DoS) attack traffic to a specific interface, and apply an egress ACL filter to block the DoS flow from exiting the network, you protect downstream devices. 1. Apply an egress access-list on the interface in INTERFACE mode. ip access-group access-group-name out 2. Return to CONFIGURATION mode. exit 3. Create the access-list in CONFIGURATION mode. ip access-list access-list-name 4.
Clear access-list counters Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets that match each permit or deny statement in an access-list. To get a more recent count of packets matching an access-list, clear the counters to start at zero. If you do not configure an access-list name, all IP access-list counters clear. To view access-list information, use the show access-lists command. ● Clear IPv4 access-list counters in EXEC mode.
● Route-maps use commands to decide what to do with traffic. To remove the match criteria in a route-map, use the no match command.
● In a BGP route-map, if you repeat the same match statement (for example, match metric) with different values in the same sequence number, only the last match and set values are taken into account.
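The behaviour described above, where only the last statement is taken into account, is easy to miss in a long change script. The following Python sketch is an added example, not Dell code: it scans a pasted CLI script for match or set clauses repeated with different values inside one route-map sequence and reports which statement remains effective. The script content is constructed, and grouping clauses by their first keyword (or the first two after ip or ipv6) is an assumption of this example; whether a given route-map is applied to BGP is left to the reviewer.

```python
"""Flag repeated match/set clauses inside one route-map sequence (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

PROMPT_RE = re.compile(r"^\S+#\s*")   # strips a pasted prompt such as "OS10(conf-route-map)# "
ROUTE_MAP_RE = re.compile(r"^route-map\s+(\S+)(?:\s+(?:permit|deny))?(?:\s+(\d+))?\s*$")
DEFAULT_SEQ = 10                      # the guide gives 10 as the default sequence number


class Finding(NamedTuple):
    route_map: str
    seq: int
    clause: str            # for example "match metric"
    ignored: List[str]     # earlier statements that no longer apply
    effective: str         # the last statement, the one taken into account


def clause_kind(words: List[str]) -> str:
    """'match metric 20' -> 'match metric'; 'set ip next-hop 10.0.0.1' -> 'set ip next-hop'."""
    width = 3 if len(words) > 2 and words[1] in ("ip", "ipv6") else 2
    return " ".join(words[:width])


def lint(script: str) -> List[Finding]:
    """Return one finding per clause kind that is repeated with different values."""
    entries: Dict[Tuple[str, int], Dict[str, List[str]]] = {}
    current: Optional[Tuple[str, int]] = None
    for raw in script.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line:
            continue
        if line in ("exit", "end", "!"):
            current = None                      # left ROUTE-MAP mode
            continue
        m = ROUTE_MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2) or DEFAULT_SEQ))
            entries.setdefault(current, {})     # re-entering a sequence keeps its history
            continue
        words = line.split()
        negated = words[0] == "no"
        if negated:
            words = words[1:]
        if current is None or len(words) < 2 or words[0] not in ("match", "set"):
            continue
        kind = clause_kind(words)
        if negated:
            entries[current].pop(kind, None)    # "no match ..." removes the criterion
        else:
            entries[current].setdefault(kind, []).append(" ".join(words))

    findings = []
    for (name, seq), clauses in entries.items():
        for kind, statements in clauses.items():
            ignored = [s for s in statements[:-1] if s != statements[-1]]
            if ignored:
                findings.append(Finding(name, seq, kind, ignored, statements[-1]))
    return findings


# Constructed change script (route-map names and values are illustrative).
SCRIPT = """\
OS10(config)# route-map bgp permit 10
OS10(conf-route-map)# match metric 20
OS10(conf-route-map)# match origin egp
OS10(conf-route-map)# match metric 2567
OS10(conf-route-map)# set weight 100
OS10(conf-route-map)# set weight 300
OS10(conf-route-map)# exit
OS10(config)# route-map bgp permit 20
OS10(conf-route-map)# match metric 20
OS10(conf-route-map)# match ip address prefix-list p1
OS10(conf-route-map)# no match ip address prefix-list p1
OS10(conf-route-map)# match ip address prefix-list p2
OS10(conf-route-map)# set tag 23
OS10(conf-route-map)# exit
OS10(config)# route-map bgp permit 10
OS10(conf-route-map)# match origin igp
"""

if __name__ == "__main__":
    for f in lint(SCRIPT):
        print(f"route-map {f.route_map} seq {f.seq}: '{f.effective}' overrides {f.ignored}")
```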
Match clauses:
ip address prefix-list p1
Set clauses:
route-map test3, deny, sequence 10
Match clauses:
ip address prefix-list p2
Set clauses:
route-map test4, permit, sequence 10
Match clauses:
ip address prefix-list p2
Set clauses:

Match routes
Configure match criterion for a route-map. There is no limit to the number of match commands per route map, but keep the number of match filters in a route-map low. The set commands do not require a corresponding match command.
● Enter an ORIGIN attribute in ROUTE-MAP mode.
set origin {egp | igp | incomplete}
● Enter a tag value for the redistributed routes in ROUTE-MAP mode, from 0 to 4294967295.
set tag tag-value
● Enter a value as the route’s weight in ROUTE-MAP mode, from 0 to 65535.
set weight value

Check set conditions
OS10(config)# route-map ip permit 1
OS10(conf-route-map)# match metric 2567

Continue clause
Only BGP route-maps support the continue clause.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, neither flow-based monitoring nor port mirroring functions. Flow-based monitoring is supported only for ingress traffic. The show monitor session session-id command displays output that indicates whether a particular session is enabled for flow monitoring.

View flow-based monitoring
OS10# show monitor session 1
S.
seq 15 deny udp any any capture session 2 count bytes (0 bytes)
seq 20 deny tcp any any capture session 3 count bytes (0 bytes)

View monitor sessions
OS10(conf-if-eth1/1/1)# show monitor session all
S.
1022 1024
USER_IPV4_ACL    Shared:1   G2    2    3    1021   1024
USER_IPV6_ACL    Shared:2   G4    1    2    510    512
PBR_V6           Shared:2   G10   1    1    511    512
SYSTEM_FLOW      Shared:2   G0    49   49   975    1024
ISCSI_SNOOPING   Shared:1   G8    12   12   500    512
FCOE             Shared:2   G6    55   55   457    512
--------------------------------------------------------------------
Egress ACL utilization
Hardware Pools
--------------------------------------------------------------------
Pool ID App(s) Used rows Free rows Max ro
ACL logging
You can configure ACLs to filter traffic and to drop or forward packets that match certain conditions. The ACL logging feature gives you additional information about packets that match an access control list entry (ACE) applied on an interface in the inbound direction. When a matching packet hits a log-enabled ACL entry, OS10 creates a log message that includes additional information about the packet.
Example
OS10# clear ip access-list counters
Supported Releases 10.2.0E or later

clear ipv6 access-list counters
Clears IPv6 access-list counters for a specific access-list.
Syntax clear ipv6 access-list counters [access-list-name]
Parameters access-list-name — (Optional) Enter the name of the IPv6 access-list to clear counters. A maximum of 140 characters.
Default Not configured
Command Mode EXEC
Usage Information If you do not enter an access-list name, all IPv6 access-list counters clear.
● icmp — (Optional) Enter the ICMP address to deny.
● ip — (Optional) Enter the IP address to deny.
● tcp — (Optional) Enter the TCP address to deny.
● udp — (Optional) Enter the UDP address to deny.
● A.B.C.D — Enter the IP address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits to match to the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# deny ipv6 any any capture session 1
Supported Releases 10.2.0E or later

deny (MAC)
Configures a filter to drop packets with a specific MAC address.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# deny icmp any any capture session 1
Supported Releases 10.2.
○ count — (Optional) Count packets the filter processes.
○ byte — (Optional) Count bytes the filter processes.
○ dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
○ fragment — (Optional) Use ACLs to control packet fragments.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment.
Parameters
● A.B.C.D — Enter the IPv4 address in A.B.C.D format.
● A.B.C.D/x — Enter the number of bits to match in A.B.C.D/x format.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the keyword and the IPv4 address to use a host address only.
● ack — (Optional) Set the bit as acknowledgement.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number. The following options are available:
○ eq — Equal to
○ gt — Greater than
○ lt — Less than
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
Default Not configured
Command Mode IPV6-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny udp any any capture session 1
Supported Releases 10.2.0E or later

deny udp (IPv6)
Configures a filter to drop UDP IPv6 packets that match filter criteria.
description
Configures an ACL description.
Syntax description text
Parameters text — Enter the description text string. A maximum of 80 characters.
Default Disabled
Command Modes IPV4-ACL, IPV6-ACL, MAC-ACL
Usage Information
● To use special characters as part of the description string, enclose the string in double quotes.
● To use a comma as part of the description string, add a double backslash before the comma.
Example
Supported Releases
Usage Information None
Example
OS10(config)# ip access-list acl1
Supported Releases 10.2.0E or later

ip as-path access-list
Create an AS-path ACL filter for BGP routes using a regular expression.
Syntax ip as-path access-list name {deny | permit} regexp-string
Parameters
● name — Enter an access list name.
● deny | permit — Reject or accept a matching route.
● regexp-string — Enter a regular expression string to match an AS-path route attribute.
Example
OS10(config)# ip community-list standard STD_LIST deny local-AS
Supported Release 10.3.0E or later

ip community-list standard permit
Creates a standard community list for BGP to permit access.
Syntax ip community-list standard name permit {aa:nn | no-advertise | local-as | no-export | internet}
Parameters
● name — Enter the name of the standard community list used to identify one or more deny groups of communities.
ip extcommunity-list standard permit
Creates an extended community list for BGP to permit access.
Syntax ip extcommunity-list standard name permit {4byteas-generic | rt | soo}
Parameters
● name — Enter the name of the community list used to identify one or more permit groups of extended communities.
● rt — Enter the route target.
● soo — Enter the route origin or site-of-origin.
Usage Information The no version of this command removes the specified prefix-list.
Example
OS10(config)# ip prefix-list denyprefix deny 10.10.10.2/16 le 30
Supported Release 10.3.0E or later

ip prefix-list permit
Creates a prefix-list to permit route filtering from a specified network address.
Syntax ip prefix-list name permit [A.B.C.
ip prefix-list seq permit
Configures a filter to permit route filtering from a specified prefix list.
Syntax ipv6 prefix-list [name] seq num permit A::B/x [ge | le] prefix-len
Parameters
● name — Enter the name of the prefix list.
● num — Enter the sequence list number.
● A.B.C.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix list.
Example
Supported Release
Parameters access-list-name — Enter the name of an IPv6 access list. A maximum of 140 characters.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# ipv6 access-list acl6
Supported Release 10.2.0E or later

ipv6 prefix-list deny
Creates a prefix list to deny route filtering from a specified IPv6 network address.
ipv6 prefix-list permit
Creates a prefix-list to permit route filtering from a specified IPv6 network address.
Syntax ipv6 prefix-list prefix-list-name permit {A::B/x [ge | le] prefix-len}
Parameters
● prefix-list-name — Enter the IPv6 prefix-list name.
● A::B/x — Enter the IPv6 address to permit.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
Supported Release
● le — Enter to indicate the network address is less than or equal to the range specified.
● prefix-len — Enter the prefix length.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
OS10(config)# ipv6 prefix-list TEST seq 65535 permit AB10::1/128 ge 30
Supported Release 10.3.0E or later

mac access-group
Configures a MAC access group.
Supported Releases 10.2.0E or later

permit
Configures a filter to allow packets with a specific IPv4 address.
Syntax permit [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● protocol-number — (Optional) Enter the protocol number identified in the IP header, from 0 to 255.
● icmp — (Optional) Enter the ICMP address to permit.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
permit icmp
Configures a filter to permit all or specific ICMP messages.
Syntax permit icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Supported Releases 10.2.0E or later

permit ip
Configures a filter to permit all or specific packets from an IPv4 address.
Syntax permit ip [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(conf-ipv6-acl)# permit ipv6 any any count capture session 1
Supported Releases 10.2.0E or later

permit tcp
Configures a filter to permit TCP packets meeting the filter criteria.
Syntax permit tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.
permit tcp (IPv6)
Configures a filter to permit TCP packets meeting the filter criteria.
Syntax permit tcp [A::B | A::B/x | any | host ipv6-address [eq | lt | gt | neq | range]] [A::B | A::B/x | any | host ipv6-address [eq | lt | gt | neq | range]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits that must match the IPv6 address.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number. The following options are available:
○ eq — (Optional) Permit packets which are equal to.
○ lt — (Optional) Permit packets which are less than.
○ gt — (Optional) Permit packets which are greater than.
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
Default Not configured
Command Mode IPV6-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(conf-ipv6-acl)# permit udp any any capture session 1 count
Supported Releases 10.2.0E or later

remark
Specifies an ACL entry description.
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# seq 10 deny tcp any any capture session 1 log
Supported Releases 10.2.
seq deny (MAC)
Assigns a sequence number to a deny filter in a MAC access list while creating the filter.
Syntax seq sequence-number deny {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | cos | count [byte] | vlan]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● nn:nn:nn:nn:nn:nn — Enter the source MAC address.
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 5 deny icmp any any capture session 1 log
Supported Releases 10.2.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
seq deny tcp
Assigns a filter to deny TCP packets while creating the filter.
Syntax seq sequence-number deny tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits that must match the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv6 address to use a host address only.
● ack — (Optional) Set the bit as acknowledgement.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
Supported Releases 10.2.0E or later

seq permit (IPv6)
Assigns a sequence number to permit IPv6 packets, while creating a filter.
Syntax seq sequence-number permit protocol-number [A::B | A::B/x | any | host ipv6-address] [A::B | A::B/x | any | host ipv6-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
○ cos — (Optional) Enter the CoS value, from 0 to 7.
○ count — (Optional) Enter the count packets the filter processes.
○ byte — (Optional) Enter the count bytes the filter processes.
○ vlan — (Optional) Enter the VLAN number, from 1 to 4093.
Default Not configured
Command Mode MAC-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
seq permit icmp (IPv6)
Assigns a sequence number to allow ICMP messages while creating the filter.
Syntax seq sequence-number permit icmp [A::B | A::B/x | any | host ipv6-address] [A::B | A::B/x | any | host ipv6-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 5 permit ip any any capture session 1 log
Supported Releases 10.2.0E or later

seq permit ipv6
Assigns a sequence number to allow packets while creating the filter.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number. The following options are available:
○ eq — Equal to
○ gt — Greater than
○ lt — Less than
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
● ack — (Optional) Set the bit as acknowledgment.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Command Mode IPV6-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ipv6 access-list egress
OS10(conf-ipv6-acl)# seq 5 permit udp any any capture session 1 log
Supported Releases 10.2.0E or later

show access-group
Displays IP, MAC, or IPv6 access-group information.
show access-lists
Displays IP, MAC, or IPv6 access-list information.
Syntax show {ip | mac | ipv6} access-lists {in | out} access-list-name
Parameters
● ip — View IP access list information.
● mac — View MAC access list information.
● ipv6 — View IPv6 access list information.
Default Not configured
Command Mode EXEC
Usage Information None
Example (MAC In)
Example (MAC Out)
Example (IP In)
Example (IP Out)
Example (IPv6 In)
ethernet 1/1/3
seq 5 permit ipv6 11::/32 any log count (0 packets)
Example (IPv6 Out)
OS10# show ipv6 access-lists out
Egress IPV6 access list bbb
Active on interfaces :
ethernet1/1/1
ethernet1/1/2
seq 10 permit any any
Egress IPV6 access list ggg
Active on interfaces :
ethernet 1/1/1
seq 5 permit ipv6 11::/32 any count (0 packets)
Example (IP In Control-plane ACL)
OS10# show ip access-lists in
Ingress IP acce
Example (IPv6 In - Control-plane ACL)
Example (MAC In - Control-plane ACL)
Supported Releases
Ingress ACL utilization - Pipe 0
Hardware Pools
--------------------------------------------------------------------
Pool ID   App(s)          Used rows   Free rows   Max rows
--------------------------------------------------------------------
0         SYSTEM_FLOW     98          414         512
1         SYSTEM_FLOW     98          414         512
2         SYSTEM_FLOW     98          414         512
3         USER_IPV4_ACL   4           508         512
4         USER_IPV4_ACL   4           508         512
5         FREE            0           512         512
6         USER_IPV6_ACL   4           508         512
7         USER_IPV6_ACL   4           508         512
8         USER_IPV6_ACL   4           508         512
9         USER_L2_ACL     4           508         512
10        USER_L2_ACL     4           508         512
11        FREE            0           512         5
1         SYSTEM_FLOW     98          414         512
2         SYSTEM_FLOW     98          414         512
3         USER_IPV4_ACL   0           512         512
4         USER_IPV4_ACL   0           512         512
5         FREE            0           512         512
6         USER_IPV6_ACL   0           512         512
7         USER_IPV6_ACL   0           512         512
8         USER_IPV6_ACL   0           512         512
9         USER_L2_ACL     0           512         512
10        USER_L2_ACL     0           512         512
11        FREE            0           512         512
--------------------------------------------------------------------
Service Pools
--------------------------------------------------------------------
App Allocated pools App group Co
Service Pools
--------------------------------------------------------------------
App   Allocated pools   App group   Configured rules   Used rows   Free rows   Max rows
--------------------------------------------------------------------
--------------------------------------------------------------------
S6010-ON platform
OS10# show acl-table-usage detail
Ingress ACL utilization
Hardware Pools
--------------------------------------------------------------------
Used rows Free rows Max rows
--------------------------------------------------------------------
USER_L2_ACL_EGRESS   Shared:1   G1   1   2   254   256
USER_IPV4_EGRESS     Shared:1   G0   1   2   254   256
USER_IPV6_EGRESS     Shared:2   G2   1   2   254   256
Supported Releases 10.4.2 and later

show ip as-path-access-list
Displays the configured AS path access lists.
Syntax show ip as-path-access-list [name]
Parameters name — (Optional) Specify the name of the AS path access list.
show ip extcommunity-list
Displays the configured IP external community lists in alphabetic order.
Syntax show ip extcommunity-list [name]
Parameters name — (Optional) Enter the name of the extended IP external community list. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example
OS10# show ip extcommunity-list
Standard Extended Community List hello
permit RT:1:1
deny SOO:1:4
Supported Releases 10.3.
Usage Information None
Example
OS10# show logging access-list
ACL Logging
Threshold : 10
Interval : 5
Supported Releases 10.4.3.0 or later

Route-map commands

continue
Configures the next sequence of the route map.
Syntax continue seq-number
Parameters seq-number — Enter the next sequence number, from 1 to 65535.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes a match.
Parameters
● community-list-name — Enter the name of a configured community list.
● exact-match — (Optional) Select only those routes with the specified community list name.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the community match filter.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match community commlist1 exact-match
Supported Releases 10.3.
Supported Releases 10.2.0E or later

match ip address
Configures a filter to match routes based on IP addresses specified in IP prefix lists.
Syntax match ip address {prefix-list prefix-list-name | access-list-name}
Parameters
● prefix-list-name — Enter the name of the configured prefix list. A maximum of 140 characters.
● access-list-name — Enter the name of the configured access list.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes a match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match ipv6 address test100
Supported Releases 10.3.0E or later

match ipv6 next-hop
Configures a filter to match based on the next-hop IPv6 addresses specified in IP prefix lists.
Syntax match ipv6 next-hop prefix-list prefix-list
Parameters prefix-list — Enter the name of the configured prefix list. A maximum of 140 characters.
Usage Information The no version of this command deletes the match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match origin egp
Supported Releases 10.3.0E or later

match route-type
Configures a filter to match routes based on how the route is defined.
Syntax match route-type {external {type-1 | type-2} | internal | local}
Parameters
● external — Match only on external OSPF routes. Enter the keyword then one of the following:
○ type-1 — Match only on OSPF Type 1 routes.
Parameters
● map-name — Enter the name of the route-map. A maximum of 140 characters.
● sequence-number — (Optional) Enter the number to identify the route-map for editing and sequencing number from 1 to 65535. The default is 10.
● permit — (Optional) Set the route-map default as permit.
● deny — (Optional) Set the route default as deny.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set comm-list comlist1 delete
Supported Releases 10.3.0E or later

set community
Sets the community attribute in BGP updates.
Syntax set community {none | community-number}
Parameters
● none — Enter to remove the community attribute from routes meeting the route map criteria.
● community-number — Enter the community number in aa:nn format, where aa is the AS number, 2 bytes, and nn is a value specific to that AS.
Defaults None
Command Mode ROUTE-MAP
Usage Information To add communities in an extcommunity list to the EXTCOMMUNITY attribute in a BGP route, use the set extcomm-list add command.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set extcomm-list TestList delete
Supported Releases 10.3.0E or later

set extcommunity
Sets the extended community attributes in a route map for BGP updates.
set metric
Set a metric value for a routing protocol.
Syntax set metric [+ | -] metric-value
Parameters
● + — (Optional) Add a metric value to the redistributed routes.
● - — (Optional) Subtract a metric value from the redistributed routes.
● metric-value — Enter a new metric value, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information To establish an absolute metric, do not enter a plus or minus sign before the metric value.
Supported Releases 10.2.0E or later

set next-hop
Sets an IPv4 or IPv6 address as the next-hop.
Syntax set {ip | ipv6} next-hop ip-address
Parameters ip-address — Enter the IPv4 or IPv6 address for the next-hop.
Default Not configured
Command Mode ROUTE-MAP
Usage Information If you apply a route-map with the set next-hop command in ROUTER-BGP mode, it takes precedence over the next-hop-self command used in ROUTER-NEIGHBOR mode.
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the set clause from a route map.
Example
OS10(conf-route-map)# set tag 23
Supported Releases 10.2.0E or later

set weight
Set the BGP weight for the routing table.
Syntax set weight weight
Parameters weight — Enter a number as the weight the route uses to meet the route map specification, from 0 to 65535.
Default Default router-originated is 32768 — all other routes are 0.
20 Quality of service
Quality of service (QoS) reserves network resources for highly critical application traffic with precedence over less critical application traffic. QoS prioritizes different types of traffic and ensures quality of service. You can control the following traffic flow parameters: Delay, Bandwidth, Jitter, and Drop. Different QoS features control the traffic flow parameters, as the traffic traverses a network device from ingress to egress interfaces.
Configuring QoS is a three-step process:
1. Create class-maps to classify the traffic flows. The following are the different types of class-maps:
● qos (default)—Classifies ingress data traffic.
● queuing—Classifies egress queues.
● control-plane—Classifies control-plane traffic.
● network-qos—Classifies traffic-class IDs for ingress buffer configurations.
● application—Classifies application-type traffic. The reserved policy-map policy-iscsi defines the actions for class-iscsi traffic.
2.
Ingress traffic classification
Ingress traffic can either be data or control traffic. OS10 groups network traffic into different traffic classes, from class 0 to 7 based on various parameters. Grouping traffic into different classes helps to identify and prioritize traffic as it goes through the switch.
NOTE: Traffic class is also called QoS group.
By default, OS10 does not classify data traffic. OS10 assigns the default traffic class ID 0 to all data traffic.
2. Define the set of dot1p values mapped to traffic-class, the qos-group ID.
OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 0-4
OS10(config-tmap-dot1p-map)# qos-group 5 dot1p 5-7
3. Verify the map entries.
OS10# show qos maps type trust-map-dot1p example-dot1p-trustmap-name
DOT1P Priority to Traffic-Class Map : example-dot1p-trustmap-name
Traffic-Class   DOT1P Priority
-------------------------------
3               0-4
5               5-7
4. Apply the map on a specific interface or on system-qos, global level.
Table 82. Default DSCP trust map (continued)
DSCP values   Traffic class ID   Color
32-35         4                  G
36-39         4                  Y
40-43         5                  G
44-47         5                  Y
48-51         6                  G
52-55         6                  Y
56-59         7                  G
60-62         7                  Y
63            7                  R
NOTE: You cannot modify the default DSCP trust map.

User-defined DSCP trust map
You can override the default mapping by creating a user-defined DSCP trust map. All the unspecified DSCP entries map to the default traffic class ID 0 and color G.

Configure user-defined DSCP trust map
1. Create a DSCP trust map.
● Interface level OS10(conf-if-eth1/1/1)# trust-map dscp example-dscp-trustmap-name ● System-qos level OS10(config-sys-qos)# trust-map dscp example-dscp-trustmap-name ACL-based classification Classify the ingress traffic by matching the packet fields using ACL entries. Classify the traffic flows based on QoS-specific fields or generic fields, using IP or MAC ACLs. Create a class-map template to match the fields.
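An added example, not from the Dell guide: a Python check to run over a planned user-defined DSCP trust map before applying it. It applies two rules stated in this chapter (unspecified DSCP values fall to traffic class 0, and a DSCP value that is already mapped produces an error) and lists which default-map entries from Table 82 (DSCP 32-63) would land in a lower traffic class. The function names are hypothetical, and accepting comma and hyphen lists after dscp is an assumption based on the list forms the guide documents for dot1p values.

```python
import re
from typing import Dict, Iterable, List

DSCP_VALUES = range(64)   # DSCP is a 6-bit field
DEFAULT_TC = 0            # guide: unspecified DSCP entries map to traffic class 0

# Default trust map rows for DSCP 32-63, as listed in Table 82 of the guide:
# 32-39 -> 4, 40-47 -> 5, 48-55 -> 6, 56-63 -> 7.
DEFAULT_TC_32_63 = {d: 4 + (d - 32) // 8 for d in range(32, 64)}

ENTRY = re.compile(r"qos-group\s+(\d+)\s+dscp\s+(\S+)\s*$")
ITEM = re.compile(r"(\d+)(?:-(\d+))?")


class TrustMapError(ValueError):
    """Raised for an entry that breaks one of the rules checked here."""


def expand_dscp(spec: str) -> List[int]:
    """Expand '15', '8,10' or '48-55' into individual DSCP values."""
    values: List[int] = []
    for item in spec.split(","):
        match = ITEM.fullmatch(item)
        if not match:
            raise TrustMapError(f"bad dscp list: {spec!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high or high not in DSCP_VALUES:
            raise TrustMapError(f"dscp value out of range in {spec!r}")
        values.extend(range(low, high + 1))
    return values


def build_trust_map(lines: Iterable[str]) -> Dict[int, int]:
    """Return the effective {dscp: traffic_class} table for all 64 values."""
    explicit: Dict[int, int] = {}
    for raw in lines:
        match = ENTRY.search(raw)
        if not match:
            continue  # mode changes and other commands carry no mapping
        traffic_class = int(match.group(1))
        if traffic_class > 7:
            raise TrustMapError(f"traffic class {traffic_class} is not 0-7")
        for dscp in expand_dscp(match.group(2)):
            if dscp in explicit:
                raise TrustMapError(
                    f"dscp {dscp} is already mapped to traffic class "
                    f"{explicit[dscp]}")
            explicit[dscp] = traffic_class
    return {d: explicit.get(d, DEFAULT_TC) for d in DSCP_VALUES}


def demoted_from_default(trust_map: Dict[int, int]) -> Dict[int, List[int]]:
    """Group DSCP 32-63 values that end up below their default class.

    Keys are the traffic class the default map would have assigned.
    """
    demoted: Dict[int, List[int]] = {}
    for dscp, default_tc in DEFAULT_TC_32_63.items():
        if trust_map[dscp] < default_tc:
            demoted.setdefault(default_tc, []).append(dscp)
    return demoted


# Constructed input: the first two mappings are the guide's userdef-dscp
# example; the 48-55 range is added here to show a hyphenated list.
PLANNED = [
    "OS10(config)# trust dscp-map userdef-dscp",
    "OS10(config-tmap-dscp-map)# qos-group 3 dscp 15",
    "OS10(config-tmap-dscp-map)# qos-group 5 dscp 30",
    "OS10(config-tmap-dscp-map)# qos-group 6 dscp 48-55",
]

if __name__ == "__main__":
    table = build_trust_map(PLANNED)
    for default_tc, values in sorted(demoted_from_default(table).items()):
        print(f"default class {default_tc}: DSCP {values[0]}-{values[-1]} "
              f"now map to class {DEFAULT_TC}")
```

Anything the report lists needs its own qos-group entry if it should keep its default class once the user-defined map is applied.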
1. Create a user defined dscp or dot1p trust-map. OS10(config)# trust dscp-map userdef-dscp OS10(config-tmap-dscp-map)# qos-group 3 dscp 15 OS10(config-tmap-dscp-map)# qos-group 5 dscp 30 2. Apply user-defined trust map to an interface or in system QoS. OS10(conf-if-eth1/1/1)# trust-map dscp userdef-dscp or OS10(config)# system qos OS10(config-sys-qos)# trust-map dscp userdef-dscp 3. Create a class-map and attach it to a policy where trust is configured. This example uses 802.
○ ICMPv6-RS-NS is mapped to queue 5
○ iSCSI is mapped to queue 0
The rate limit configuration in CoPP policy before upgrade is automatically remapped to queues 6, 5, and 0 respectively after upgrade. For example, in release 10.4.1, the following policy configuration is applied on queue 5, which in 10.4.1 is mapped to ARP_REQ, ICMPV6_RS, ICMPV6_NS, and ISCSI protocols:
policy-map type control-plane test
!
 class test
  set qos-group 5
  police cir 300 pir 300
After upgrade to release 10.4.
The following table lists the CoPP protocol mappings to queues, and default rate limits and buffer sizes on the S4148FE-ON platform. The number of control-plane queues is dependent on the hardware platform. Table 84. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
For information about the current protocol to queue mapping and the rate-limit configured per queue, see show control-plane info. Configure control-plane policing Rate-limiting the protocol CPU queues requires configuring control-plane type QoS policies. ● Create QoS policies, class maps and policy maps, for the desired CPU-bound queue. ● Associate the QoS policy with a particular rate-limit. ● Assign the QoS service policy to control plane queues.
● CPU queues support shaping instead of rate limiting. ● Port shaping, storm control rate shaping, and CoPP rates are converted to kbps internally, even when configured in pps. Assign service-policy Rate controlling the traffic towards CPU requires configuring the control-plane type policy. To enable CoPP, apply the defined policy-map to CONTROL-PLANE mode. 1. Enter CONTROL-PLANE mode from CONFIGURATION mode. control-plane 2.
Configure protocol to queue remapping You can re-map protocols or applications to queues that are mapped to unused protocols or applications. The show control-plane info default command output displays default protocol-to-queue mapping. VRRP is mapped to queue 17 by default. 1. Create a control-plane type class-map. OS10(config)# class-map type control-plane example-cmap-protocol-queue-remap 2. Apply the match criteria by specifying the names of the protocols or applications.
View configuration Use show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Use the show command output to verify the CoPP configuration.
12    2779    462189    0    0
13    0       0         0    0
14    1265    108790    0    0
15    422     36075     0    0
16    0       0         0    0
17    0       0         0    0
18    0       0         0    0
19    0       0         0    0
Egress traffic classification
Egress traffic is classified into different queues based on the traffic-class ID marked on the traffic flow. Set the traffic class ID for a flow by enabling trust or by classifying ingress traffic and marking it with a traffic class ID using a policy map. By default, the value of traffic class ID for all the traffic is 0. The order of precedence for a qos-map is: 1.
● Interface level OS10(conf-if-eth1/1/1)# qos-map traffic-class tc-q-map ● System-qos level OS10(config-sys-qos)# qos-map traffic-class tc-q-map Choose all traffic classified for a queue 1. Create a queuing type class-map to match queue 5. OS10(config)# class-map type queuing q5 2. Define the queue to match. OS10(config-cmap-queuing)# match queue 5 Policing traffic Use policing to limit the rate of ingress traffic flow.
OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)#police cir 4000 pir 6000 3. Apply the QoS type policy-map to an interface. OS10(config)# interface ethernet 1/1/15 OS10(conf-if-eth1/1/15)# service-policy input type qos example-flow-policer Mark Traffic You can select a flow and mark it with a traffic class ID. Traffic class IDs identify the traffic flow when the traffic reaches egress for queue scheduling. Mark traffic 1. Create a QoS type class-map to match the traffic flow.
2. Modify the policy-map to update the DSCP field. OS10(config)# policy-map modify-dscp OS10(config-pmap-qos)# class cmap-dscp-3 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set dscp 10 Shaping traffic You can shape the rate of egress traffic. When you enable rate shaping, the system buffers all traffic exceeding the specified rate until the buffer memory is exhausted.
5. Configure a queuing class in POLICY-MAP mode. class example-que-cmap-name 6. Assign a bandwidth percent, from 1 to 100 to nonpriority queues in POLICY-MAP-CLASS-MAP mode.
1. Apply the policy-map to the interface in INTERFACE mode or all interfaces in SYSTEM-QOS mode. system qos OR interface ethernet node/slot/port[:subport] 2. Enter the output service-policy in SYSTEM-QOS mode or INTERFACE mode.
● Inter-frame gap—variable The rate adjustment feature is disabled by default. To enable rate adjustment, use the qos-rate-adjust value_of_rate_adjust command. For example: qos-rate-adjust 8 If you have configured WDRR and shaping on a particular queue, the queue can become congested. You should configure the QoS rate adjust value considering the overhead field size to avoid traffic drops on uncongested queues.
When you enable priority flow control (PFC) on the ports, all the PFC-enabled queues and priority-groups use the buffers from the lossless pool. You must use the network QoS policy type to configure PFC on the ports. OS10 dedicates a separate buffer pool for CPU traffic. All default reserved buffers for the CPU port queues are from the CPU pool. The remaining buffers are shared across all CPU queues. You can modify the buffer settings of CPU queues.
Table 88. Default setting for LLFC (continued)
Speed                                                    10G    25G    40G    50G    100G
Default dynamic shared buffer threshold (alpha value)    9KB    9KB    9KB    9KB    9KB
NOTE: The supported speed varies for different platforms.
After the reserved buffers are used, each LLFC starts consuming shared buffers from the lossless pool with the alpha value determining the threshold except for the S4200-ON series platform.
1. Create a queuing type class-map to match the queue. OS10(config)# class-map type queuing example-cmap-eg-buffer OS10(config-cmap-queuing)# match queue 1 2. Create a queuing type policy-map to define the actions for queues, such as a buffer configuration and threshold.
After you configure Deep Buffer mode, the system displays a warning stating that the configuration takes effect only after saving it in the startup configuration and reloading the switch. NOTE: To disable Deep Buffer mode, use the no form of the command. Disabling Deep Buffer mode takes effect only after saving it in the startup configuration and reloading the switch. 2. Save Deep Buffer mode in the startup configuration in EXEC mode. write memory 3. Reload the switch in EXEC mode.
configured minimum threshold. The early drop ensures that only some of the TCP sources slow down, which avoids global TCP re-synchronization.
● Weighted random early detection (WRED)—This allows different drop-probabilities and thresholds for each color of traffic (red, yellow, green). You can configure the drop characteristics for three different flows by assigning the colors to the flow.
5. Exit WRED CONFIGURATION mode. OS10(config-wred)#exit 6. Create a QoS class-map. OS10(config)# class-map type queuing example-cmap-wred-1 OS10(config-cmap-queuing)# match queue 2 7. Enter QOS POLICY-MAP mode and create a queuing policy type. OS10(config)#policy-map type queuing example-pmap-wred-1 OS10(config-pmap-queuing)# class example-cmap-wred-1 8. Assign a WRED profile to the specified queue. OS10(config-pmap-c-que)#random-detect example-wred-prof-1 9. Exit CLASS MAP and POLICY MAP modes.
● RoCE v1 – An Ethernet layer protocol that allows for communication between two hosts that are in the same Ethernet broadcast domain. ● RoCE v2 – An Internet layer protocol that allows RoCE v2 packets to be routed, called Routable RoCE (RRoCE). To enable RoCE, configure the QoS service policy on the switch in ingress and egress directions on all the interfaces. For more information about this configuration, see Configure RoCE on the switch.
NOTE: When you use the pause command without any parameters, the system uses the default buffer settings. To modify the buffer settings, use the pause command and specify the buffer size, pause threshold, and resume threshold. See Priority flow control and the pause command for more information. 6. Create queuing-type class-maps and policy-map for enhanced transmission selection (ETS), bandwidth, and ECN configurations. See Enhanced transmission selection and Bandwidth allocation for more information.
c. Specify the allowed VLANs on the trunk port. OS10 (conf-if-eth1/1/1)# switchport trunk allowed vlan 55 d. Apply the network-qos type policy-map to the interface. OS10 (conf-if-eth1/1/1)# service-policy input type network-qos policy_pfcdot1p3 e. Apply the queuing policy to egress traffic on the interface. OS10 (conf-if-eth1/1/1)# service-policy output type queuing policy_2Q f. Enable ETS on the interface. OS10 (conf-if-eth1/1/1)# ets mode on g. Apply the qos-map for ETS configurations on the interface.
● To view the buffer utilization at the egress interface, use the show qos egress buffer-stats command: OS10# show qos egress buffer-stats interface ethernet 1/1/4 ● To view the PFC configuration, operational status, and statistics on the interface, use the show interface interface-name priority-flow-control details command: OS10(config)# show interface ethernet 1/1/15 priority-flow-control details ● To view the ECN markings on an interface, use the show queuing statistics interface interface-name wred comm
The following examples show each device in this network and their respective configuration: SW1 configuration VXLAN configuration — SW1 OS10# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# ip address 1.1.1.1/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 8.8.8.
OS10(config)# configure terminal OS10(config)# nve OS10(conf-nve)# source-interface loopback 1 OS10(conf-nve)# exit OS10(config)# virtual-network 5 OS10(conf-vn-5)# vxlan-vni 1000 OS10(conf-vn-vxlan-vni)# remote-vtep 2.2.2.
WRED and ECN configuration — SW1 OS10# configure terminal OS10(config)# wred w1 OS10(config-wred)# random-detect ecn OS10(config-wred)# random-detect color green minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# exit OS10(config)# class-map type queuing cq OS
OS10(config-router-ospf-1)# router-id 9.9.9.
OS10(config)# policy-map type network-qos llfc OS10(config-pmap-network-qos)# class llfc OS10(config-pmap-c-nqos)# pause buffer-size 120 pause-threshold 50 resume-threshold 12 OS10(config-pmap-c-nqos)# end OS10# configure terminal OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/31,1/1/32 OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol transmit on OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol receive on OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# service-policy input typ
VXLAN configuration — VLT peer 2 OS10(config)# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# ip address 5.5.5.3/24 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 2.2.2.2/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 10.10.10.
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# service-policy input type network-qos p5 OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# trust-map dot1p t1 OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# end LLFC configuration — VLT peer 2 Instead of PFC, you can configure LLFC as follows: OS10# configure terminal OS10(config)# class-map type network-qos llfc OS10(config-cmap-nqos)# match qos-group 0-7 OS10(config-cmap-nqos)# exit OS10(config)# policy-map type network-qos llfc OS10(config-pmap-network-qos)#
NOS# NOS# configure terminal NOS(config)# interface ethernet 1/1/3 NOS(conf-if-eth1/1/3)# switchport mode trunk NOS(conf-if-eth1/1/3)# switchport trunk allowed vlan 200 NOS(conf-if-eth1/1/3)# end NOS# NOS# configure terminal NOS(config)# interface port-channel 2 NOS(conf-if-po-2)# switchport mode trunk NOS(conf-if-po-2)# switchport trunk allowed vlan 200 NOS(conf-if-po-2)# end PFC configuration — ToR device NOS# configure terminal NOS(config)# trust dot1p-map t1 NOS(config-tmap-dot1p-map)# qos-group 0 dot1p
NOS(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 NOS(config-wred)# exit NOS(config)# class-map type queuing cq NOS(config-cmap-queuing)# match queue 5 NOS(config-cmap-queuing)# exit NOS(config)# policy-map type queuing pq NOS(config-pmap-queuing)# class cq NOS(config-pmap-c-que)# random-detect w1 NOS(config-pmap-c-que)# end NOS# configure terminal NOS(config)# interface range ethernet 1/1/1,1/1/2,1/1/3 NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontro
● Detecting microburst congestions
● Monitoring buffer utilization and historical trends
● Determining optimal sizes and thresholds for the ingress or egress shared buffers and headroom on a given port or queue based on real-time data
NOTE: BST is not supported on the S4248F-ON platforms. After you disable BST, be sure to clear the counter using the clear qos statistics type buffer-statistics-tracking command.
Eth 1/1/21    0    0, 1    0, 2    down
Eth 1/1/22    0    0, 1    0, 2    down
Eth 1/1/23    0    0, 1    0, 2    down
Eth 1/1/24    0    0, 1    0, 2    down
Eth 1/1/25    3    0, 1    1, 3    up
Eth 1/1/26    3    0, 1    1, 3    down
Eth 1/1/27    3    0, 1    1, 3    down
Eth 1/1/28    3    0, 1    1, 3    down
Eth 1/1/29    0    0, 1    0, 2    down
Eth 1/1/30    0    0, 1    0, 2    down
Eth 1/1/31    0    0, 1    0, 2    down
Eth 1/1/32    0    0, 1    0, 2    down
Eth 1/1/33    1    2, 3    0, 2    up
Eth 1/1/34    2    2, 3    1, 3    up
View information for a single interface:
OS10# show qos
View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
---------------------------------------------------------------------------
Interface      Port Pipe    Ingress MMU    Egress MMU    Oper Status
---------------------------------------------------------------------------
Eth 1/1/1:1    0            0, 1           0, 2          up
MX9116n output example:
OS10# show qos port-map details
---------------------------------------------------------------------------
Interface      Port Pipe    Ingress MMU    Egress MMU    Oper Status
QoS commands
bandwidth
Assigns a percentage of weight to the queue.
Syntax bandwidth percent value
Parameters percent value — Enter the percentage assignment of bandwidth to the queue, from 1 to 100.
Default Not configured
Command Mode POLICY-MAP CLASS-MAP
Usage Information If you configure this command, you cannot use the priority command for the class.
Example OS10(config-pmap-c-que)# bandwidth percent 70
Supported Releases 10.2.
Usage Information If you define a class-map under a policy-map, the qos, queuing, or control-plane type is the same as the policy-map. You must create this map in advance. The only exception to this rule is when the policy-map type is trust, where the class type must be qos.
Example OS10(conf-pmap-qos)# class c1
Supported Releases 10.2.0E or later
class-map
Creates a QoS class-map that filters traffic to match packets to the corresponding policy created for your network.
clear qos statistics type
Clears all queue counters, including PFC, for control-plane, qos, and queuing.
Syntax clear qos statistics type {{qos | queuing | control-plane | buffer-statistics-tracking} [interface ethernet node/slot/port[:subport]]}
Parameters
● qos—Clears qos type statistics.
● queuing—Clears queuing type statistics.
● control-plane—Clears control-plane type statistics.
● buffer-statistics-tracking—Clears the peak buffer usage count statistics on all interfaces and service pools.
control-plane-buffer-size Configures the buffer size for the CPU pool. Syntax control-plane-buffer-size size-of-buffer-pool Parameters size-of-buffer-pool—Enter the buffer size in KB, from 620 KB to 900 KB. Default None Command Mode SYSTEM-QOS Usage Information This command configures the buffer size of the CPU pool. The system allocates a buffer size for the CPU pool from the total system buffer.
Usage Information Applicable only for the S4200-ON series switches. Deep Buffer mode configuration takes effect only after you save it in the startup configuration and reboot the switch. The no version of this command disables Deep Buffer mode.
Example OS10(config)# hardware deep-buffer-mode
Supported Releases 10.4.3.0 or later
match
Configures match criteria for the QoS policy.
Supported Releases 10.2.0E or later
match cos
Matches a class of service (CoS) value to L2 dot1p packets.
Syntax match [not] cos cos-value
Parameters
● cos-value — Enter a CoS value, from 0 to 7.
● not — Enter not to cancel the match criteria.
Default Not configured
Command Modes CLASS-MAP
Usage Information You cannot have two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
● ip — Enter to use IPv4 as the match precedence rule.
● ipv6 — Enter to use IPv6 as the match precedence rule.
● ip-any — Enter to use both IPv4 and IPv6 as the match precedence rule.
● precedence precedence-list — Enter a precedence-list value, from 0 to 7.
Default Not configured
Command Mode CLASS-MAP
Usage Information You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
mtu
Calculates the buffer size allocation for matched flows.
Syntax mtu size
Parameters size — Enter the size of the buffer (1500 to 9216).
Default 9216
Command Mode POLICY-MAP-CLASS-MAP
Usage Information The no version of this command returns the value to the default.
Example OS10(conf-pmap-nqos-c)# mtu 2500
Supported Releases 10.3.0E or later
pause
Enables a pause based on buffer limits for the port to start or stop communication to the peer.
pfc-cos
Configures priority flow-control for class of service (CoS).
Syntax pfc-cos cos-value
Parameters cos-value — Enter a single, comma-delimited, or hyphenated range of CoS values for priority flow-control to enable, from 0 to 7. NOTE: The range 0-7 is invalid. All other ranges, including 0-6 and 1-7, are valid.
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information To configure link-level flow-control, do not configure pfc-cos for the matched class for this policy.
Default 832 KB
Command Mode SYSTEM-QOS
Usage Information The no version of this command returns the value to the default.
Example OS10(conf-sys-qos)# pfc-shared-buffer-size 2000
Supported Releases 10.3.0E or later
pfc-shared-headroom-buffer-size
Configures the shared headroom size for absorbing the packets after pause frames generate.
Usage Information If you do not provide the peak-rate pir values, the committed-rate cir values are taken as the pir values. Only the ingress QoS policy type supports this command. For control-plane policing, the rate values are in pps.
Example OS10(conf-pmap-c-qos)# police cir 5 bc 30 pir 20 be 40
Supported Releases 10.2.0E or later
policy-map
Enters QoS POLICY-MAP mode and creates or modifies a QoS policy-map.
priority-flow-control mode
Enables or disables Priority Flow-Control mode on an interface.
Syntax priority-flow-control mode [on]
Parameters
● on — (Optional) Enables Priority Flow-Control mode.
Default Disabled
Command Mode INTERFACE
Usage Information Before enabling priority flow-control on an interface, verify a matching network-qos type policy is configured with the pfc-cos value for an interface.
Usage Information If the trust map does not define DSCP values to any traffic class, those flows map to the default traffic class 0. If some of the DSCP values are already mapped to an existing traffic class, you will see an error. The no version of this command returns the value to the default.
Example OS10(conf-tmap-dscp-qos)# qos-group 5 dscp 42
Supported Releases 10.3.0E or later
qos-map traffic-class
Creates a user-defined trust map for queue mapping.
○ 45 KB (10G)/111 KB (40G) if the queue is priority flow control enabled ○ 2 KB (10G)/8 KB (40G) if the queue is lossy/link-level flow control ○ If this is a priority flow-control queue, this configuration is invalid ○ Only supported for POLICY-MAP-CLASS-MAP (pmap-c-queue) mode ● thresh-mode — (Optional) Buffer threshold mode. ● dynamic thresh-alpha-value — (Optional) Enter the value indexes to calculate the shared threshold to the enabled dynamic shared buffer threshold, from 0 to 10.
queue qos-group Configures a dot1p traffic class to a queue. Syntax queue number [qos-group dot1p-values] Parameters ● queue number — Enter the traffic single value queue ID, from 0 to 7. ● qos-group dot1p-values — (Optional) Enter either single, comma-delimited, or a hyphenated range of dot1p values, from 0 to 7. Default 0 Command Mode TRUST-MAP Usage Information If the trust map does not define traffic class values to a queue, those flows map to the default queue 0.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# random-detect test_wred
Supported Releases 10.4.0E(R1) or later
random-detect (queue)
Assigns a WRED profile to the specified queue.
Syntax random-detect wred-profile-name
Parameters wred-profile-name — Enter the name of an existing WRED profile.
Default Not configured
Command Mode PMAP-C-QUE
Usage Information The no version of this command removes the WRED profile from the queue.
Parameters None
Default Not configured
Command Mode WRED CONFIGURATION
Usage Information The no version of this command disables ECN.
Example
OS10(config)# wred test_wred
OS10(config-wred)# random-detect ecn
Supported Releases 10.4.0E(R1) or later
random-detect ecn
Enables ECN for the system globally.
Syntax random-detect ecn
Default Not configured
Command Mode SYSTEM QOS
Usage Information The no version of this command disables ECN globally.
random-detect weight
Configures the exponential weight value used to calculate the average queue depth for the WRED profile.
Syntax random-detect weight weight-value
Parameters weight-value — Enter a value for the weight, from 1 to 15.
Default Not configured
Command Mode WRED CONFIGURATION
Usage Information The no version of this command removes the weight factor from the WRED profile.
Example
OS10(config)# wred test_wred
OS10(config-wred)# random-detect weight 10
Supported Releases 10.4.
Parameters cos-value — Enter a CoS value, from 0 to 7.
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information You cannot enter two set statements with the same action-type. If you enter two set statements with the same action-type, the second statement overwrites the first. When class-map type is qos, the qos-group corresponds to data queues 0 to 7.
Example OS10(conf-pmap-c-qos)# set cos 6
Supported Releases 10.2.
shape Shapes the outgoing traffic rate. Syntax shape {min {kbps | mbps | pps} min-value [burst-size]} {max {kbps | mbps | pps} max-value [max-burst-size]} Parameters ● ● ● ● ● ● ● Default Maximum burst size is 50 kb or 200 packets Command Mode POLICY-MAP-CLASS-MAP Usage Information This command only supports the ingress QoS policy type. You must enter both the minimum and maximum values. If you enter the rate value in pps, the burst provided is in packets.
show control-plane buffers Displays the pool type, reserved buffer size, and the maximum threshold value for each of the CPU queues.
show control-plane buffer-stats Displays the control plane buffer statistics for each of the CPU queues. Syntax show control-plane buffer-stats Parameters None Default A predefined default profile exists.
show control-plane info
Displays control-plane queue mapping and rate limits.
Syntax show control-plane info [default]
Parameters default—Enter the keyword default to view the default protocol-to-queue mapping and default rate limits for the particular platform.
Default Not configured
Command Mode EXEC
Usage Information Use this command to monitor statistics for the control-plane and to troubleshoot CoPP.
Usage Information None
Example
OS10# show control-plane statistics
Queue    Packets    Bytes    Dropped Packets    Dropped Bytes
0        0          0        0                  0
1        0          0        0                  0
2        0          0        0                  0
3        0          0        0                  0
4        0          0        0                  0
5        0          0        0                  0
6        3          204      0                  0
7        6          408      0                  0
8        0          0        0                  0
9        0          0        0                  0
10       0          0        0                  0
11       0          0        0                  0
12       0          0        0                  0
13       0          0        0                  0
14       0          0        0                  0
15       0          0        0                  0
16       0          0        0                  0
17       0          0        0                  0
18       0          0        0                  0
19       0          0        0                  0
20       0          0        0                  0
21       0          0        0                  0
22       0          0        0                  0
OS10#
Supported Releases 10.2.
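The counters in show control-plane statistics are cumulative, so a protocol that is hitting its CoPP rate limit shows up as growth in the drop columns between two polls. The following Python sketch is an added example, not part of the Dell guide: it parses two snapshots in the five-column layout shown above and reports the queues whose drop counters grew, treating any counter that went backwards as a reset (for example after clear qos statistics type control-plane). The function names and both sample snapshots are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# One data row: Queue  Packets  Bytes  Dropped Packets  Dropped Bytes
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.ASCII)


class QueueStats(NamedTuple):
    packets: int
    byte_count: int
    dropped_packets: int
    dropped_bytes: int


def parse_copp_statistics(text: str) -> Dict[int, QueueStats]:
    """Return {queue: QueueStats}; prompts and header lines are skipped."""
    stats: Dict[int, QueueStats] = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            queue, *counters = (int(g) for g in match.groups())
            stats[queue] = QueueStats(*counters)
    return stats


def drop_report(before: Dict[int, QueueStats],
                after: Dict[int, QueueStats],
                min_dropped_packets: int = 1) -> List[dict]:
    """List queues whose drop counter grew between two polls, worst first."""
    zero = QueueStats(0, 0, 0, 0)
    findings = []
    for queue, new in after.items():
        old = before.get(queue, zero)
        # If any counter shrank, the counters were cleared or the switch
        # reloaded, so everything in the new sample accumulated afterwards.
        reset = any(n < o for o, n in zip(old, new))
        base = zero if reset else old
        dropped = new.dropped_packets - base.dropped_packets
        if dropped >= min_dropped_packets:
            findings.append({
                "queue": queue,
                "reset": reset,
                "dropped_packets": dropped,
                "dropped_bytes": new.dropped_bytes - base.dropped_bytes,
                "packets": new.packets - base.packets,
            })
    return sorted(findings, key=lambda f: f["dropped_packets"], reverse=True)


# Constructed sample output (not captured from a switch).
FIRST_POLL = """\
OS10# show control-plane statistics
Queue   Packets   Bytes   Dropped Packets   Dropped Bytes
5       100       6400    0                 0
6       3         204     0                 0
7       900       61200   40                2720
OS10#
"""

SECOND_POLL = """\
OS10# show control-plane statistics
Queue   Packets   Bytes   Dropped Packets   Dropped Bytes
5       1300      83200   350               22400
6       10        680     0                 0
7       20        1360    5                 340
OS10#
"""

if __name__ == "__main__":
    report = drop_report(parse_copp_statistics(FIRST_POLL),
                         parse_copp_statistics(SECOND_POLL))
    for item in report:
        note = " (counters reset since last poll)" if item["reset"] else ""
        print(f"queue {item['queue']}: {item['dropped_packets']} packets / "
              f"{item['dropped_bytes']} bytes dropped{note}")
```

Map each reported queue number to its protocols with show control-plane info, because the protocol-to-queue mapping depends on the platform and release.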
Example: switch reloaded
OS10# show hardware deep-buffer-mode
Deep Buffer Mode Configuration Status
-------------------------------------------
Current-boot Settings : Enabled
Next-boot Settings    : Enabled
Supported Releases 10.4.3.0 or later
show interface priority-flow-control
Displays the priority flow-control, operational status, CoS bitmap, and statistics per port.
Example
OS10# show qos interface ethernet 1/1/10
Ethernet 1/1/10
unknown-unicast-storm-control : 100 pps
multicast-storm-control : 200 pps
broadcast-storm-control : Disabled
flow-control-rx: Enabled
flow-control-tx: Disabled
Service-policy (Input)(qos): p1
Supported Releases 10.2.0E or later
show policy-map
Displays information on all existing policy-maps.
Supported Releases 10.2.0E or later show qos egress buffers interface Displays egress buffer configurations. Syntax show qos egress buffers interface [interface node/slot/port[:subport]] Parameters ● interface — (Optional) Enter the interface type. ● node/slot/port[:subport] — (Optional) Enter the port information.
Unicast      4    0
Unicast      5    0
Unicast      6    0
Unicast      7    0
Multicast    0    0
Multicast    1    0
Multicast    2    0
Multicast    3    0
Multicast    4    0
Multicast    5    0
Multicast    6    0
Multicast    7    0
Supported Releases 10.4.3.0 or later
show qos egress buffer-stats interface
Displays the buffers statistics for the egress interface.
Syntax show qos egress buffer-stats interface [interface node/slot/port[:subport]] [detail]
Parameters
● interface — (Optional) Enter the interface type.
Command Mode EXEC
Usage Information Supported platforms include Z9100-ON series, Z9200-ON series, S5200-ON series, and MX9116n.
Example
OS10# show qos headroom-pool buffer-statistics-tracking
Headroom Pool    Buffers-Usage
---------------------------------
0                0
1                0
2                0
3                0
Supported Releases 10.4.3.0 or later
show qos ingress buffers interface
Displays interface buffer configurations.
show qos ingress buffer-statistics-tracking
Displays ingress priority group level peak buffer usage count in bytes for the given priority group on a given interface.
Syntax show qos ingress buffer-statistics-tracking interface ethernet [node/slot/port] [priority-group {0-7}] [detail]
Parameters
● node/slot/port—Enter the port information.
● [priority-group {0-7}]—Enter the priority-group keyword, followed by the group number.
Group    buffers    buffers    buffers
------------------------------------------------
0        9360       681824     35984
1        0          0          0
2        0          0          0
3        0          0          0
4        0          0          0
5        0          0          0
6        0          0          0
7        0          0          0
Supported Releases 10.3.0E or later
show qos maps
Displays the active system trust map.
Syntax show qos maps type {tc-queue | trust-map-dot1p | trust-map dscp} trust-map-name
Parameters
● dot1p — Enter to view the dot1p trust map.
Default Not configured
Command Mode EXEC
Usage Information None
Example (dot1p)
-------------------------------
DOT1P Priority to Traffic-Class Map : dot1p-trustmap1
Traffic-Class    DOT1P Priority
-------------------------------
0                2
1                3
2                4
3                5
4                6
5                7
6                1
DSCP Priority to Traffic-Class Map : dscp-trustmap1
Traffic-Class    DSCP Priority
-------------------------------
0                8-15
2                16-23
1                0-7
Default Dot1p Priority to Traffic-Class Map
Traffic-Class    DOT1P Priority
-------------------------------
0                1
1                0
2                2
3                3
4                4
5                5
6                6
7                7
Default Dscp Priority to Traffic-Class Map
Traffic-Class    DSCP Priority
----
show qos maps (Z9332F-ON)
Displays the QoS maps configuration of the dot1p-to-traffic class, DSCP-to-traffic class, and traffic-class to queue mapping in the device.
Syntax show qos maps type tc-queue
Parameters ● ● ● ●
Default NA
Command Mode EXEC
Usage Information The command applies to the Z9332F-ON only. The command provides priority-to-traffic-class and traffic-class-to-queue mapping, both default and user configured.
Eth 1/1/4     1    2, 3    0, 2    up
Eth 1/1/5     2    2, 3    1, 3    up
Eth 1/1/6     2    2, 3    1, 3    up
Eth 1/1/7     2    2, 3    1, 3    up
Eth 1/1/8     2    2, 3    1, 3    up
Eth 1/1/9     1    2, 3    0, 2    up
Eth 1/1/10    1    2, 3    0, 2    up
Eth 1/1/11    1    2, 3    0, 2    up
Eth 1/1/12    1    2, 3    0, 2    up
Eth 1/1/13    2    2, 3    1, 3    down
Eth 1/1/14    2    2, 3    1, 3    down
Eth 1/1/15    2    2, 3    1, 3    down
Eth 1/1/16    2    2, 3    1, 3    down
Eth 1/1/17    3    0, 1    1, 3    down
Eth 1/1/18    3    0, 1    1, 3    down
Eth 1/1/19    3    0, 1    1, 3    down
Eth 1/1/
Eth 1/1/1      1    2, 3    0, 2    up
Z9264F-ON switch:
OS10# show qos port-map details
---------------------------------------------------------------------------
Interface      Port Pipe    Ingress MMU    Egress MMU    Oper Status
---------------------------------------------------------------------------
Eth 1/1/1:1    0            0, 1           0, 2          up
Eth 1/1/3:1    1            2, 3           0, 2          up
Eth 1/1/3:2    1            2, 3           0, 2          up
Eth 1/1/3:3    1            2, 3           0, 2          up
Eth 1/1/3:4    1            2, 3           0, 2          up
Eth 1/1/5:1    1            2, 3           0, 2          down
Eth 1/1/5:2    1            2, 3           0, 2          down
Eth 1/1/5:3    1            2, 3           0, 2          down
Eth 1/1
Eth 1/1/36      2    2, 3    1, 3
Eth 1/1/37      0    0, 1    0, 2
Eth 1/1/38      2    2, 3    1, 3
Eth 1/1/39      0    0, 1    0, 2
Eth 1/1/40      2    2, 3    1, 3
Eth 1/1/41:1    2    2, 3    1, 3
Eth 1/1/41:2    2    2, 3    1, 3
Eth 1/1/41:3    2    2, 3    1, 3
Eth 1/1/41:4    2    2, 3    1, 3
Eth 1/1/42:1    0    0, 1    0, 2
Eth 1/1/42:2    0    0, 1    0, 2
Eth 1/1/42:3    0    0, 1    0, 2
Eth 1/1/42:4    0    0, 1    0, 2
Eth 1/1/43:1    2    2, 3    1, 3
Eth 1/1/43:2    2    2, 3    1, 3
Eth 1/1/43:3    2    2, 3    1, 3
Eth 1/1/43:4    2    2, 3    1, 3
Eth 1/1/44:1    0    0, 1    0,
Eth 1/1/44:2    0    0, 1    0,
Eth 1/1/44:3    0    0, 1    0,
Eth 1/1/44:4    0    0, 1    0,
Command Mode EXEC
Usage Information None
Example
OS10# show qos service-pool buffer-statistics-tracking
Service Pool    Ingress Buffers    Egress Buffers
---------------------------------------------------
0               0                  0
1               0                  0
2               0                  0
3               0                  0
Supported Releases 10.4.3.0 or later

show qos system
Displays the QoS configuration applied to the system.
The following command is supported on platforms such as the Z9100-ON, Z9264F-ON, and MX9116n: OS10# show qos system ingress buffer detail All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers MMU 0 Total lossy buffers Total shared lossy buffers Total used shared lossy buffers MMU 1 Total lossy buffers Total shared lossy buffers Total use
Supported Releases 10.3.0E or later

show qos wred-profile
Displays the details of WRED profile configuration.
Syntax show qos wred-profile [wred-profile-name]
Parameters wred-profile-name — (Optional) Enter the Ethernet interface information.
Default Not configured
Command Mode EXEC
Usage Information None
Example
Example (S4200) — When ECN is enabled globally.
Example
OS10# show queuing statistics interface ethernet 1/1/1
Interface ethernet1/1/1
Queue    Packets    Bytes    Dropped-Packets    Dropped-Bytes
0        0          0        0                  0
1        0          0        0                  0
2        0          0        0                  0
3        0          0        0                  0
4        0          0        0                  0
5        0          0        0                  0
6        0          0        0                  0
7        0          0        0                  0
Example (wred)
OS10# show queuing statistics interface ethernet 1/1/1 wred
Interface ethernet1/1/1 (All queues)
Description         Packets    Bytes
Output              0          0
Dropped             0          0
Green Drop          0          0
Yellow Drop         0          0
Red Drop            0          0
ECN marked count    0          0
Example (queue)
OS10# show queuing statisti
Supported Releases 10.2.0E or later trust dot1p-map Creates a user-defined trust map for dot1p flows. Syntax trust dot1p-map map-name Parameters map-name — Enter the name of the dot1p trust map. A maximum of 32 characters. Default Not configured Command Mode CONFIGURATION Usage Information If you enable trust, traffic obeys the dot1p map. default-dot1p-trust is a reserved trust-map name. The no version of this command returns the value to the default.
during no traffic flow. Verify the correct policy maps are applied. The no version of this command returns the value to the default. The no version of this command removes the applied trust map from the interface or system QoS.
21 Virtual Link Trunking
Virtual Link Trunking (VLT) is a Layer 2 aggregation protocol used between an end device such as a server and two or more connected network devices. VLT helps to aggregate ports terminating on multiple switches. OS10 currently supports VLT port channel terminations on two different switches.
VLT:
● Provides node-level redundancy by using the same port channel terminating on multiple upstream nodes.
Optimized forwarding with VRRP
To ensure the same behavior on both sides of the VLT nodes, VRRP requires state information coordination. VRRP Active-Active mode optimizes L3 forwarding over VLT. By default, VRRP Active-Active mode is enabled on all the VLAN interfaces. VRRP Active-Active mode enables each peer to locally forward L3 packets, resulting in reduced traffic flow between peers over the VLTi link.
Spanning-Tree Protocol
VLT ports support RSTP, RPVST+, and MSTP.
● If the primary peer fails, the secondary peer takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption). ● In a VLT domain, the peer network devices must run the same OS10 software version. NOTE: A temporary exception is allowed during the upgrade process. See the Dell EMC SmartFabric OS 10.5.0.x Release Notes for more information. ● Configure the same VLT domain ID on peer devices.
The following shows a scenario where VLT Peer A is being reloaded or going down: Until LACP convergence happens, the server continues to forward traffic to VLT Peer A resulting in traffic loss for a longer time interval.
These PDUs notify the server to direct the traffic to VLT Peer B, hence minimizing traffic loss.
Configure VLT
Verify that both VLT peer devices are running the same operating system version. For VRRP operation, configure VRRP groups and L3 routing on each VLT peer. Configure the following settings on each VLT peer device separately:
1. To prevent loops in a VLT domain, Dell EMC Networking recommends enabling STP globally using the spanning-tree mode command.
NOTE: If a VLT peer is reloaded, it automatically becomes the secondary peer regardless of the VLT primary-priority setting.
4. Configure VLTi interfaces with the no switchport command.
5. Configure the VLTi interfaces on each peer using the discovery-interface command. After you configure both sides of the VLTi, the primary and secondary roles in the VLT domain are automatically assigned if primary priority is not configured.
NOTE: Dell EMC recommends that you disable flow-control on discovery interfaces.
RPVST+ configuration Configure RPVST+ on both the VLT peers. This creates an RPVST+ instance for every VLAN configured in the system. With RPVST+ configured on both VLT nodes, OS10 supports a maximum of 60 VLANs. The RPVST+ instances in the primary VLT peer control the VLT port channels on both the primary and secondary peers. NOTE: RPVST+ is the default STP mode running on the switch. Use the following command only if you have another variant of the STP running on the switch.
RSTP configuration ● Enable RSTP on each peer node in CONFIGURATION mode.
instance instance-number vlan from-vlan-id — to-vlan-id 4. Configure the MST revision number, from 0 to 65535. MULTIPLE-SPANNING-TREE revision revision-number 5. Configure the MST region name. MULTIPLE-SPANNING-TREE name name-string The following example shows that both VLT nodes are configured with the same MST VLAN-to-instance mapping.
Number of transitions to forwarding state: 1 Edge port: No (default) Link Type: Point-to-Point BPDU Sent: 2714, Received: 1234 Port 2001 (VLT-LAG -1(vlt-portid-1)) of MSTI 0 is designated Forwarding Port path cost 200000, Port priority 128, Port Identifier 128.2001 Designated root priority: 32768, address: 34:17:44:55:66:7f Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23 Designated port ID: 128.
Peer 2
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/1-1/1/2
Configure the VLT MAC address
You can manually configure the VLT MAC address. Configure the same VLT MAC address on both the VLT peer switches to avoid any unpredictable behavior during a VLT failover.
Configure the VLT backup link using the backup destination {ip-address | ipv6 ipv6-address} [vrf management] [interval interval-time] command. The interval range is from 1 to 30 seconds. The default interval is 30 seconds. Irrespective of the interval that is configured, when the VLTi link fails, the system checks for the heartbeat connection without waiting for the timed intervals, thus allowing faster convergence.
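The peer requirements stated above (same VLT domain ID, same VLT MAC address on both peers, a backup destination with an interval from 1 to 30 seconds) and the delay-restore range of 1 to 1200 seconds from the command reference can be checked offline before a change. The following Python audit is an added example, not Dell EMC code; the configuration excerpts, addresses, function names and finding codes are constructed, and the indented running-config layout is an assumption.

```python
import ipaddress
import re

# Constructed running-config excerpts (assumed layout: sub-commands indented
# under "vlt-domain"); addresses and MACs are documentation values.
PEER1_CONFIG = """\
vlt-domain 1
 backup destination 192.0.2.2 vrf management interval 5
 discovery-interface ethernet1/1/1-1/1/2
 vlt-mac 00:00:5e:00:53:01
 delay-restore 120
"""
PEER2_CONFIG = """\
vlt-domain 1
 discovery-interface ethernet1/1/1-1/1/2
 vlt-mac 00:00:5e:00:53:02
 delay-restore 120
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_vlt_domain(config_text):
    """Collect the settings of the first vlt-domain stanza."""
    d = {"domain_id": None, "vlt_mac": None, "backup": None,
         "interval": None, "discovery": [], "delay_restore": None}
    in_stanza = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw[0].isspace():  # top-level command opens or closes the stanza
            in_stanza = (tokens[0] == "vlt-domain" and len(tokens) == 2
                         and d["domain_id"] is None)
            if in_stanza:
                d["domain_id"] = tokens[1]
            continue
        if not in_stanza:
            continue
        if tokens[0] == "vlt-mac" and len(tokens) == 2:
            d["vlt_mac"] = tokens[1].lower()
        elif tokens[:2] == ["backup", "destination"] and len(tokens) > 2:
            rest = tokens[3:] if tokens[2] == "ipv6" else tokens[2:]
            d["backup"] = rest[0] if rest else ""
            if "interval" in rest[:-1]:
                d["interval"] = rest[rest.index("interval") + 1]
        elif tokens[0] == "discovery-interface" and len(tokens) == 2:
            d["discovery"].append(tokens[1])
        elif tokens[0] == "delay-restore" and len(tokens) == 2:
            d["delay_restore"] = tokens[1]
    return d


def in_range(value, low, high):
    return value.isdecimal() and low <= int(value) <= high


def check_peer(name, d):
    """Per-peer checks against the ranges and steps stated in the guide."""
    if d["domain_id"] is None:
        return [(name, "NO_VLT_DOMAIN")]
    out = []
    if not d["discovery"]:
        out.append((name, "NO_DISCOVERY_INTERFACE"))
    if d["backup"] is None:
        # Advisory: without the backup link a VLTi failure leaves both peers primary.
        out.append((name, "NO_BACKUP_LINK"))
    else:
        try:
            ipaddress.ip_address(d["backup"])
        except ValueError:
            out.append((name, "BAD_BACKUP_ADDRESS"))
        if d["interval"] is not None and not in_range(d["interval"], 1, 30):
            out.append((name, "BAD_BACKUP_INTERVAL"))
    if d["vlt_mac"] is not None and not MAC_RE.match(d["vlt_mac"]):
        out.append((name, "BAD_VLT_MAC"))
    if d["delay_restore"] is not None and not in_range(d["delay_restore"], 1, 1200):
        out.append((name, "BAD_DELAY_RESTORE"))
    return out


def audit_peers(cfg1, cfg2):
    """Return (peer, code) findings for the two peers of one VLT domain."""
    p1, p2 = parse_vlt_domain(cfg1), parse_vlt_domain(cfg2)
    findings = check_peer("peer1", p1) + check_peer("peer2", p2)
    if None not in (p1["domain_id"], p2["domain_id"]):
        if p1["domain_id"] != p2["domain_id"]:
            findings.append(("both", "DOMAIN_ID_MISMATCH"))
        if p1["vlt_mac"] != p2["vlt_mac"]:
            findings.append(("both", "VLT_MAC_MISMATCH"))
    return findings


if __name__ == "__main__":
    for peer, code in audit_peers(PEER1_CONFIG, PEER2_CONFIG):
        print(f"{peer}: {code}")
```

On the switches themselves, the show vlt mismatch commands described later in this chapter report configuration mismatches between live peers.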
For example, as shown, after the VLTi is down, VLT peer1 learns the MAC address of Host 2: VLT Peer 2 is not synchronized with the MAC address of Host 2 because the VLTi link is down. When traffic from Host 1 is sent to VLT Peer 2, VLT Peer 2 floods the traffic. When the VLT backup link is enabled, the secondary VLT Peer 2 identifies the node liveliness through the backup link. If the primary is up, the secondary peer brings down VLT port channels.
Role of VLT backup link in the prevention of loops during VLTi failure When the VLTi is down, STP may fail to detect any loops in the system. This failure creates a data loop in an L2 network. As shown, STP is running in all three switches: In the steady state, VLT Peer 1 is elected as the root bridge. When the VLTi is down, both the VLT nodes become primary. In this state, VLT Peer 2 sends STP BPDU to TOR assuming that TOR sends BPDU to VLT Peer 1.
When the VLT backup link is enabled, the secondary VLT peer identifies the node liveliness of primary through the backup link. If the primary VLT peer is up, the secondary VLT peer brings down the VLT port channels. In this scenario, the STP opens up the orphan port and there is no loop in the system, as shown: Configure a VLT port channel A VLT port channel, also known as a virtual link trunk, links an attached device and VLT peer switches. OS10 supports a maximum of 128 VLT port channels per node. 1.
Configure VLT port channel — peer 1
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20
Configure VLT port channel — peer 2
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20
Configure VLT peer routing
VLT peer routing enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed. VLT supports unicast routing of both IPv4 and IPv6 traffic. To enable VLT unicast routing, both VLT peers must be in L3 mode.
Migrate VMs across data centers with eVLT OS10 switches support movement of virtual machines (VMs) across data centers using VRRP Active-Active mode. Configure symmetric VRRP with the same VRRP group ID and virtual IP in VLANs stretched or spanned across data centers. VMs use the VRRP Virtual IP address of the VLAN as Gateway IP. As the VLAN configurations are symmetric across data centers, you can move the VMs from one data center to another.
● Configure VRRP on L2 links between core routers:
C1(config)# interface vlan 100
C1(conf-if-vl-100)# ip address 10.10.100.1/24
C1(conf-if-vl-100)# vrrp-group 10
C1(conf-vlan100-vrid-10)# priority 250
C1(conf-vlan100-vrid-10)# virtual-address 10.10.100.
D1(config)# interface ethernet 1/1/4
D1(conf-if-eth1/1/4)# channel-group 10
D1(conf-if-eth1/1/4)# exit
● Configure OSPF on L3 side of core router:
D1(config)# router ospf 100
D1(config-router-ospf-100)# redistribute connected
D1(conf-router-ospf-100)# exit
D1(config)# interface vlan 200
D1(conf-if-vl-200)# ip ospf 100 area 0.0.0.
● Add members to port channel 20:
C2(config)# interface ethernet 1/1/5
C2(conf-if-eth1/1/5)# channel-group 20
C2(conf-if-eth1/1/5)# exit
C2(config)# interface ethernet 1/1/6
C2(conf-if-eth1/1/6)# channel-group 20
C2(conf-if-eth1/1/6)# exit
Sample configuration of D2:
● Configure VRRP on L2 links between core routers:
D2(config)# interface vlan 100
D2(conf-if-vl-100)# ip address 10.10.100.4/24
D2(conf-if-vl-100)# vrrp-group 10
D2(conf-vlan100-vrid-10)# virtual-address 10.10.100.
View VLT information
To monitor the operation or verify the configuration of a VLT domain, use a VLT show command on primary and secondary peers.
● View detailed information about the VLT domain configuration in EXEC mode, including VLTi status, local and peer MAC addresses, peer-routing status, and VLT peer parameters.
show vlt domain-id
● View the role of the local and remote VLT peer in EXEC mode.
show vlt domain-id role
● View any mismatches in the VLT configuration in EXEC mode.
delay-restore Configures a time interval to delay bringing up the VLT ports after reload or peer-link restoration between the VLT peer switches. Syntax delay-restore seconds Parameters seconds — Enter a delay time, in seconds, to delay bringing up VLT ports after the VLTi link is detected, from 1 to 1200.
peer-routing
Enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed.
Syntax peer-routing
Parameters None
Default Disabled
Command Mode VLT-DOMAIN
Usage Information The no version of this command disables peer routing.
Example OS10(conf-vlt-1)# peer-routing
Supported Releases 10.2.0E or later

peer-routing-timeout
Configures the delay after which the system disables peer routing when the peer is not available.
● If the heartbeat is up and the VLTi link goes down between the VLT peers, both the VLT peers retain their primary and secondary roles. However, the VLT port channel on the secondary VLT peer shuts down.
NOTE: When you configure a priority for VLT peers using this command, the configuration does not take effect immediately. The primary priority configuration comes into effect the next time election is triggered.
Example OS10(conf-vlt-1)#primary-priority 2
Supported Releases 10.4.1.
Boundary: No, Bpdu-filter: Disable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-violation: No Root-Guard: Disable, Loop-Guard: Disable Bpdus (MRecords) Sent: 11, Received: 7 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID --------------------------------------------------------------------------------------------VFP(VirtualFabricPort) 0.1 0 1 FWD 0 32768 0078.7614.6062 0.
Example (MSTP information on VLT) OS10# show spanning-tree virtual-interface detail Port 1 (VFP(VirtualFabricPort)) of MSTI 0 is designated Forwarding Port path cost 0, Port priority 128, Port Identifier 128.1 Designated root priority: 32768, address: 34:17:44:55:66:7f Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23 Designated port ID: 128.
VLT Delay-Restore timer : 90 seconds Remaining time : 60 seconds Delay-Restore Orphan-Port enabled interfaces Eth1/1/10-1/1/15,1/1/17,1/1/20 : Po10-15,17,20 Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/12-1/1/14,1/1/20 Po10-12,Po17 WHEN DELAY-RESTORE TIMER HAS EXPIRED/NOT-RUNNING: OS10# show vlt 1 delay-restore-orphan-port VLT Delay-Restore timer : 90 seconds Delay-Restore Orphan-Port enabled interfaces : Eth1/1/8 Eth1/1/10 Po1 Po4 Delay-Restore Orphan-Port Ignore VLTi F
show vlt mac-inconsistency Displays inconsistencies in dynamic MAC addresses learned between VLT peers across spanned-VLANs. Syntax show vlt mac-inconsistency Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to check for a mismatch of MAC address table entries between VLT peers. Use this command only when you observe network convergence issues. To verify VLT configuration mismatch issues on peer switches, use the show vlt domain-name mismatch command.
Usage Information The * in the mismatch output indicates a local node entry.
Example (mismatch — Virtual Network (VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) OS10# show vlt all mismatch virtual-network Virtual Network Name Mismatch: VLT Unit ID Mismatch Virtual Network List ---------------------------------------------------------------------------1 10,104 * 2 OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans -------------------------
Virtual-network: 10 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.25 * 2 10.16.128.20 Virtual-network: 20 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.26 * 2 10.16.128.30 Example (Anycast IP addresses not configured on one of the virtual networks on both peers) show vlt 1 mismatch virtual-network Interface virtual-network Anycast-IP mismatch: Virtual-network: 10 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.
Example (mismatch dhcprelay) Supported Releases OS10# show vlt 1 mismatch dhcp-relay DHCP Relay Mismatch: Global Relay Configuration Mismatch -------------------------------------------------------------------VLT Unit ID Option-82 Link-Selection Server-Override VSS ---------------------------------------------------------------------------------* 1 Enabled 2 Disabled Interface Relay Configuration Mismatch -------------------------------------------------------------------Interface: virtual-network10000 VL
VLT Unit ID Port-Channel Status Configured ports Active ports --------------------------------------------------------------------* 1 port-channel1 down 2 0 2 port-channel1 down 2 0 VLT ID : 2 VLT Unit ID Port-Channel Status Configured ports Active ports --------------------------------------------------------------------* 1 port-channel2 down 1 0 2 port-channel2 down 1 0 VLT ID : 3 VLT Unit ID Port-Channel Status Configured ports Active ports ----------------------------------------------------------------
vlt-mac Configures a MAC address for all peer switches in a VLT domain. Syntax vlt-mac mac-address Parameters mac-address — Enter a MAC address for the topology in nn:nn:nn:nn:nn:nn format. Default Not configured Command Mode VLT-DOMAIN Usage Information Use this command to minimize the time required to synchronize the default MAC address of the VLT domain on both peer devices when one peer switch reboots.
22 Uplink Failure Detection Uplink failure detection (UFD) indicates the loss of upstream connectivity to servers connected to the switch. A switch provides upstream connectivity for devices, such as servers. If the switch loses upstream connectivity, the downstream devices also lose connectivity. However, the downstream devices do not generally receive an indication that the upstream connectivity was lost because connectivity to the switch is still operational. To solve this issue, use UFD.
Configure uplink failure detection
Consider the following before configuring an uplink-state group:
● An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state.
● An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
● You can assign a physical port or a port channel to an uplink-state group.
● You can assign an interface to only one uplink-state group at a time.
● If you do not assign upstream interfaces to an uplink-state group, the downstream interfaces are not disabled.
Configuration:
1. Create an uplink-state group in CONFIGURATION mode.
uplink-state-group group-id
2. Configure the upstream and downstream interfaces in UPLINK-STATE-GROUP mode.
upstream {interface-type | interface-range[ track-vlt-status ] | VLTi}
downstream {interface-type | interface-range}
3. (Optional) Disable uplink-state group tracking in UPLINK-STATE-GROUP mode.
no enable
4.
Eth 1/1/5(Dwn) Eth 1/1/9:2(Dwn) Eth 1/1/9:3(Dwn)
OS10#show uplink-state-group 1 detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled (NA): Not Available
*: VLT port-channel, V: VLT status, P: Peer Operational status ^: Tracking status
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)
OS10#show uplink-state-group 2 detail
(Up): Interface up (Dwn): Interfa
Table 92. UFD on VLT network (continued)
Event: VLTi Link is operationally up with heartbeat up
  VLT action on primary node: No action
  VLT action on secondary node: VLT module sends VLT port-channel enable request to Interface Manager (IFM) for both uplink and downlink.
  UFD action: UFD receives operationally up of upstream VLT port-channel and sends clear error-disable of downstream VLT port-channel to IFM.
Event: Reboot of VLT secondary peer
  VLT action on primary node: No action
  VLT action on secondary node: After reboot, runs the delay restore timer.
Sample configurations of UFD on VLT The following examples show some of the uplink-state groups on VLT. In the following illustration, both the upstream and downstream members are part of VLT port-channels. The uplink-state group includes both the VLT port-channels as members. In the following example, the upstream member is part of VLT port-channel and the downstream member is an orphan port. The uplink-state group includes the VLT port-channel, VLT node, and the downstream port.
OS10 does not support adding a VLTi link member to the uplink-state group. You can add the VLTi link as upstream member to an uplink-state group using the upstream VLTi command. If the VLTi link is not available in the system, OS10 allows adding the VLTi link as an upstream member. In this case, UFD starts tracking the operational status of the VLTi link when the link is available. Until the VLTi link is available, the show uplink-state-group details command displays the status of the link as NA.
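The uplink-state group rules listed under "Configure uplink failure detection" (a group is up while at least one upstream interface is in the Link-Up state, a group with no upstream interfaces never disables its downstream interfaces, an interface belongs to only one group, group IDs run from 1 to 32) can be modelled to see which downstream ports UFD would take down for a given set of failed uplinks. This Python model is an added example, not Dell EMC code; the sample configuration, function names and finding codes are constructed, and treating a group under no enable as not acting on its downstream ports is an assumption.

```python
# Constructed configuration, written as the commands are typed in the guide's
# examples, one interface per upstream/downstream line.
UFD_CONFIG = """\
uplink-state-group 1
 name iscsi_group
 upstream ethernet 1/1/35
 upstream ethernet 1/1/36
 downstream ethernet 1/1/2
 downstream ethernet 1/1/3
uplink-state-group 2
 downstream ethernet 1/1/3
 downstream ethernet 1/1/4
uplink-state-group 3
 upstream ethernet 1/1/40
 downstream ethernet 1/1/5
 no enable
"""


def parse_groups(text):
    """Return {group_id: {"enabled", "upstream", "downstream"}} from command lines."""
    groups, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw[0].isspace():  # top-level command opens or closes a group
            current = None
            if tokens[0] == "uplink-state-group" and len(tokens) == 2:
                # Creating the group enables upstream link tracking.
                current = groups.setdefault(
                    tokens[1], {"enabled": True, "upstream": [], "downstream": []})
            continue
        if current is None:
            continue
        if tokens == ["no", "enable"]:
            current["enabled"] = False
        elif tokens == ["enable"]:
            current["enabled"] = True
        elif (tokens[0] in ("upstream", "downstream") and len(tokens) > 1
              and tokens[1] != "auto-recover"):
            current[tokens[0]].append(" ".join(tokens[1:]))
    return groups


def validate(groups):
    """Flag configurations that break the rules stated in the guide."""
    findings, membership = [], {}
    for gid, grp in groups.items():
        if not (gid.isdecimal() and 1 <= int(gid) <= 32):
            findings.append(("BAD_GROUP_ID", gid))
        if grp["downstream"] and not grp["upstream"]:
            # Downstream ports are never disabled, so the group protects nothing.
            findings.append(("NO_UPSTREAM", gid))
        for ifname in grp["upstream"] + grp["downstream"]:
            membership.setdefault(ifname, set()).add(gid)
    for ifname, gids in sorted(membership.items()):
        if len(gids) > 1:
            findings.append(("MULTI_GROUP_INTERFACE", ifname))
    return findings


def group_is_up(grp, link_up):
    """Operationally up: at least one upstream interface is in the Link-Up state."""
    return any(ifname in link_up for ifname in grp["upstream"])


def ufd_disabled_interfaces(groups, link_up):
    """Downstream interfaces UFD would disable for the given set of up links."""
    disabled = set()
    for grp in groups.values():
        if not grp["enabled"]:   # assumption: "no enable" stops tracking
            continue
        if not grp["upstream"]:  # guide: downstream interfaces are not disabled
            continue
        if not group_is_up(grp, link_up):
            disabled.update(grp["downstream"])
    return sorted(disabled)


if __name__ == "__main__":
    parsed = parse_groups(UFD_CONFIG)
    print(validate(parsed))
    print(ufd_disabled_interfaces(parsed, link_up=set()))
```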
UFD commands

clear ufd-disable
Overrides the uplink-state group configuration and brings up the downstream interfaces.
Syntax clear ufd-disable {interface interface-type | uplink-state-group group-id}
Parameters
● interface-type — Enter the interface type.
● group-id — Enter the uplink state group ID, from 1 to 32.
Default None
Command Mode EXEC
Usage Information This command manually brings up a disabled downstream interface that is in a UFD-disabled error state.
Example
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# downstream ethernet 1/1/1
Supported Releases 10.4.0E(R3) or later

downstream auto-recover
Enables auto-recovery of the disabled downstream interfaces.
Syntax downstream auto-recover
Parameters None
Default Enabled
Command Mode UPLINK-STATE-GROUP
Usage Information The no version of this command disables the auto-recovery of downstream interfaces.
Example
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
Supported Releases 10.4.0E(R3) or later

name
Configures a descriptive name for the uplink-state group.
Syntax name string
Parameters string — Enter a description for the uplink-state group. A maximum of 32 characters.
Default Not configured
Command Mode UPLINK-STATE-GROUP
Usage Information The no version of this command removes the descriptive name.
Command Mode EXEC
Usage Information None
Example
OS10# show uplink-state-group
Uplink State Group: 9, Status: Enabled,down
OS10# show uplink-state-group 9
Uplink State Group: 9, Status: Enabled,down
OS10#
Example (detail)
OS10# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 1 Status : Enabled,up
Name : UFDGROUP1
Defer Time : 10 second(s)
Upstream Interfaces : Eth 1/1/7:1(Up)
Downstream Interfaces: Eth 1/1/1(Dwn) Eth 1/1/2(Dwn)
uplink-state-group
Creates an uplink-state group and enables upstream link tracking.
Syntax uplink-state-group group-id
Parameters group-id — Enter a unique ID for the uplink-state group, from 1 to 32.
Default None
Command Mode CONFIGURATION
Usage Information The no version of this command removes the uplink-state group.
Example OS10(config)# uplink-state-group 1
Supported Releases 10.4.
23 Converged data center services
OS10 supports converged data center services, including IEEE 802.1 data center bridging (DCB) extensions to classic Ethernet. DCB provides I/O consolidation in a data center network. Each network device carries multiple traffic classes while ensuring lossless delivery of storage traffic with best-effort for local area network (LAN) traffic and latency-sensitive scheduling of service traffic.
● 802.1Qbb — Priority flow control
● 802.
Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● Provisioning PFC is not supported when deep buffer mode is enabled. ● Configure the traffic class ID to queue mapping policy on egress interfaces. ● You cannot enable PFC on all the physical interfaces, when you have split the ports to multiple breakout interfaces. For more information, see the 'PFC configuration notes' section in the Dell EMC SmartFabric OS10 User Guide.
● Apply the default trust map specifying that dot1p values are trusted in SYSTEM-QOS or INTERFACE mode. trust-map dot1p default Configure a non-default dot1p-priority-to-traffic class mapping 1. Configure a trust map of dot1p traffic classes in CONFIGURATION mode. A trust map does not modify ingress dot1p values in output flows. Assign a qos-group to trusted dot1p values in TRUST mode using 1-to-1 mappings. Dot1p priorities are 0 to 7.
Default TC-to-queue mapping format
The following is the format for Z9332F-ON:
Default Traffic-Class to Queue Map
Traffic Class    Queue Number    Type
---------------------------------------------
0                0               Unicast
0-2              0               Multicast
1                1               Unicast
3-5              1               Multicast
2                2               Unicast
6-7              2               Multicast
3                3               Unicast
4                4               Unicast
5                5               Unicast
6                6               Unicast
7                7               Unicast
The following is the default TC-to-Queue Mapping format:
Default Traffic-Class to Queue Map
Traffic-Class    Queue number    Type
----------------------------------------
0                0               Both
1                1               B
4. (Optional) Configure the PFC shared buffer for lossless traffic. Create PFC dot1p traffic classes 1. Create a network-qos class map to classify PFC traffic classes in CONFIGURATION mode, from 1 to 7. Specify the traffic classes using the match qos-group command. QoS-groups map 1:1 to traffic classes 1 to 7; for example, qos-group 1 corresponds to traffic class 1. Enter a single value, a hyphen-separated range, or multiple qos-group values separated by commas in CLASS-MAP mode.
PFC is enabled on traffic classes with dot1p 3 and 4 traffic. The two traffic classes require different ingress queue processing. In the network-qos pp1 policy map, class cc1 uses customized PFC buffer size and pause frame settings; class cc2 uses the default settings.
1 2 3 4 5 6 7 - - - - - - - - - - - - - - - - - - - - 9360 static 12779520 - View PFC system buffer configuration OS10# show qos system ingress buffer All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 12187 0 5512 0 11567 11192 0 OS10# show qos system egress buffer All values are in kb Total buffers - 121
pause Configures the ingress buffer size and buffer threshold limit for pause and resume operations. Syntax pause [buffer-size kilobytes pause-threshold kilobytes resume-threshold kilobytes] Parameters ● buffer-size kilobytes — Enter the reserved (guaranteed) ingress-buffer size in kilobytes for PFC dot1p traffic, from 0 to 7787.
mapping, see PFC configuration notes. A PFC traffic class requires a 1-to-1 mapping — only one dot1p value is mapped to a qos-group number.
Example
OS10(config)# class-map type network-qos cc1
OS10(conf-cmap-nqos)# match qos-group 3
OS10(conf-cmap-nqos)# exit
Example (policymap)
OS10(config)# policy-map type network-qos pp1
OS10(conf-pmap-network-qos)# class cc1
OS10(conf-pmap-c-nqos)# pfc-cos 3
Supported Releases 10.3.
queue-limit
Sets the static and dynamic thresholds that are used to limit the shared-buffer size of PFC traffic-class queues.
Syntax queue-limit {thresh-mode [static kilobytes | dynamic weight]}
Parameters
● thresh-mode — Specifies the buffer threshold mode.
● static kilobytes — Enter static followed by the fixed shared-buffer limit available for PFC traffic-class queues in kilobytes, from 0 to 7787.
Supported Releases 10.3.0E or later Enhanced transmission selection ETS provides customized bandwidth allocation to 802.1p classes of traffic. Assign different amounts of bandwidth to Ethernet, FCoE, or iSCSI traffic classes that require different bandwidth, latency, and best-effort treatment during network congestion. ETS divides traffic into different priority groups using their 802.1p priority value.
ETS is disabled by default on all interfaces. 1. Configure trust maps of dot1p and DSCP values in CONFIGURATION mode. A trust map does not modify ingress values in output flows. Assign a qos-group, traffic class from 0 to 7, to trusted dot1p/DSCP values in TRUST mode. A qos-group number is used only internally to schedule classes of ingress traffic. Enter multiple dot1p and dscp values in a hyphenated range or separated by commas.
7. Apply the qos trust policy to ingress traffic in SYSTEM-QOS or INTERFACE mode.
service-policy input type qos trust-policy-map-name
8. Apply the queuing policy to egress traffic in SYSTEM-QOS or INTERFACE mode.
service-policy output type queuing policy-map-name
9. Enable ETS globally in SYSTEM-QOS mode or on an interface/interface range in INTERFACE mode.
NOTE: If you have not enabled PFC on all the interfaces, this configuration at the global level is not required. Enable ETS on the specific interfaces.
Dscp-tc-mapping : dscp_map1 tc-queue-mapping : tc-q-map1 View QoS maps: traffic-class to queue mapping OS10# show qos maps Traffic-Class to Queue Map: tc-q-map1 queue 0 qos-group 0 queue 1 qos-group 1 Traffic-Class to Queue Map: dot1p_map1 qos-group 0 dot1p 0-3 qos-group 1 dot1p 4-7 DSCP Priority to Traffic-Class Map : dscp_map1 qos-group 0 dscp 0-31 qos-group 1 dscp 32-63 ETS commands ets mode on Enables ETS on an interface.
DCBX configuration notes
● DCBX is a prerequisite for using DCB features, such as PFC and ETS, to exchange link-level configurations in a converged network.
● DCBX, when deployed in topologies, enables lossless operation for FCoE or iSCSI traffic. In these scenarios, all network devices in the topology must have DCBX enabled.
● DCBX uses LLDP to advertise and automatically negotiate the administrative state and PFC or ETS configuration with directly connected DCB peers.
● OS10 supports DCBX versions CEE and IEEE2.5.
● If ETS and PFC are enabled, DCBX advertises ETS configuration, ETS recommendation, and PFC configuration. When you configure application-specific parameters such as FCoE or iSCSI to be advertised, DCBX advertises the respective Application Priority TLVs.
● A DCBX-enabled port operates only in a manual role. In this mode, the port operates only with user-configured settings and does not autoconfigure with DCB settings that are received from a DCBX peer.
Interface ethernet1/1/3 Port Role is Manual DCBX Operational Status is Disabled Reason: Port Shutdown Is Configuration Source? FALSE Local DCBX Compatibility mode is AUTO Local DCBX Configured mode is AUTO Peer Operating version is Not Detected Local DCBX TLVs Transmitted: erpfi 0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC 0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 0 Input Appln Priority TLV pkts, 0 Output Appln Priority Prio
Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
Local ISCSI PriorityMap is 0x10 Remote ISCSI PriorityMap is 0x10 220 Input TLV pkts, 350 Output TLV pkts, 0 Error pkts 71 Input Appln Priority TLV pkts, 80 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts View DCBX ETS TLV status OS10# show lldp dcbx interface ethernet 1/1/15 ets detail Interface ethernet1/1/15 Max Supported PG is 8 Number of Traffic Classes is 8 Admin mode is on Admin Parameters : -----------------Admin is enabled PG-grp Priority# Bandwidth TSA ------------------------------
DCBX commands dcbx enable Enables DCBX globally on all interfaces. Syntax dcbx enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information DCBX is disabled at a global level and enabled at an interface level by default. For DCBX to be operational, DCBX must be enabled at both the global and interface levels. Enable DCBX globally using the dcbx enable command to activate the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations.
Command Mode INTERFACE
Usage Information In Auto mode, a DCBX-enabled port detects an incompatible DCBX version on a peer device port and automatically reconfigures a compatible version on the local port. The no version of this command disables the DCBX version.
Example OS10(conf-if-eth1/1/2)# dcbx version cee
Supported Releases 10.3.0E or later

debug dcbx
Enables DCBX debugging.
Supported Releases 10.3.0E or later

show debug dcbx
Displays the list of debug options that are enabled for DCBX.
Syntax show debug dcbx
Parameters None
Command Mode EXEC
Usage Information None
Example
OS10# show debug dcbx
Dcbx debug settings:
debug dcbx all
no debug dcbx events interface mgmt
debug dcbx pdu in interface ethernet 1/1/1
Supported Releases 10.5.1.0 or later

show lldp dcbx
Displays the DCBX configuration and PFC or ETS TLV status on an interface.
Local DCBX Configured mode is AUTO Peer Operating version is Not Detected Local DCBX TLVs Transmitted: erpfi 0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC pkts 0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts 0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts 0 Input Appln Priority TLV pkts, 0 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts Total Total Total Total DCBX DCBX DCBX DCBX Frames transmitted 0 Frames receiv
--------------------------------------------------------------------Interface ethernet1/1/15 Port Role is Manual DCBX Operational Status is Enabled Is Configuration Source? FALSE Local DCBX Compatibility mode is IEEEv2.5 Local DCBX Configured mode is IEEEv2.5 Peer Operating version is IEEEv2.
5 6 7 0% 0% 0% SP SP SP Oper status is init ETS DCBX Oper status is Up State Machine Type is Asymmetric Conf TLV Tx Status is enabled Reco TLV Tx Status is enabled 5 Input Conf TLV Pkts, 2 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 5 Input Reco TLV Pkts, 2 Output Reco TLV Pkts, 0 Error Reco TLV Pkts Example (PFC detail) OS10# show lldp dcbx interface ethernet 1/1/15 pfc detail Interface ethernet1/1/15 Admin mode is on Admin is enabled, Priority list is 4,5,6,7 Remote is enabled, Priority list is 4,5,6,
In an iSCSI session, a switch connects CNA servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN or TCP/IP network. iSCSI optimization running on the switch uses dot1p priority-queue assignments to ensure that iSCSI traffic receives priority treatment. iSCSI configuration notes ● Enable iSCSI optimization so the switch autodetects and autoconfigures Dell EMC EqualLogic storage arrays that are directly connected to an interface.
1. Configure an interface or interface range to detect a connected storage device. interface ethernet node/slot/port:[subport] interface range ethernet node/slot/port:[subport]-node/slot/port[:subport] 2. Enable the interface to support a storage device that is directly connected to the port and not automatically detected by iSCSI. Use this command for storage devices that do not support LLDP.
OS10(config)# iscsi target port 3261 ip-address 10.1.1.
● Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flowcontrol receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.1 or later, the existing iSCSI configuration is retained and the flowcontrol receive could be set to on or off, depending on the iSCSI configuration before the upgrade.
Command Mode CONFIGURATION Usage Information iSCSI optimization automatically detects storage arrays and autoconfigures switch ports with the iSCSI parameters that are received from a connected device. The no version of this command disables iSCSI autodetection. Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flow control receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.
iscsi session-monitoring enable
Enables iSCSI session monitoring.
Syntax iscsi session-monitoring enable
Parameter None
Default Disabled
Command Mode CONFIGURATION
Usage Information To configure the aging timeout in iSCSI monitoring sessions, use the iscsi aging time command. To configure the TCP ports that listen for connected storage devices in iSCSI monitoring sessions use the iscsi target port command. The no version of this command disables iSCSI session monitoring.
Example OS10(conf-if-eth1/1/1)# lldp tlv-select dcbxp-appln iscsi
Supported Releases 10.3.0E or later
show iscsi
Displays the current configured iSCSI settings.
Syntax show iscsi
Parameters None
Command Mode EXEC
Usage Information This command output displays global iSCSI configuration settings. To view target and initiator information use the show iscsi session command.
Initiator:iqn.1991-05.com.microsoft:win-rlkpjo4jun2 Up Time:00:00:16:02(DD:HH:MM:SS) Time for aging out:29:23:59:35(DD:HH:MM:SS) ISID:400001370000 Initiator Initiator Target Target Connection IP Address TCP Port IP Address TCP Port ID ---------------------------------------------------------10.10.10.210 54835 10.10.10.40 3260 1 Supported Releases 10.3.0E or later show iscsi storage-devices Displays information about the storage arrays directly attached to OS10 ports.
Configure DCBX globally on a switch to enable the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations. OS10# configure terminal OS10(config)# dcbx enable 2. PFC configuration (global) PFC is enabled on traffic classes with dot1p 4, 5, 6, and 7 traffic. All the traffic classes use the default PFC pause settings for shared buffer size and pause frames in ingress queue processing in the network-qos policy map. The trust-map dot1p default honors (trusts) all dot1p ingress traffic.
OS10(config-qos-map)# exit OS10(config)# class-map type queuing cmap1 OS10(config-cmap-queuing)# match queue 0 OS10(config-cmap-queuing)# exit OS10(config)# class-map type queuing cmap2 OS10(config-cmap-queuing)# match queue 1 OS10(config-cmap-queuing)# exit OS10(config)# policy-map type queuing pmap1 OS10(config-pmap-queuing)# class cmap1 OS10(config-pmap-c-que)# bandwidth percent 30 OS10(config-pmap-c-que)# exit OS10(config-pmap-queuing)# class cmap2 OS10(config-pmap-c-que)# bandwidth percent 70 OS10(conf
Peer Operating version is IEEEv2.5
Local DCBX TLVs Transmitted: ERPfI
4 Input PFC TLV pkts, 3 Output PFC TLV pkts, 0 Error PFC pkts
2 Input ETS Conf TLV Pkts, 27 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts
2 Input ETS Reco TLV pkts, 27 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
8.
Remote Willing Status is disabled Local Parameters : ------------------Local is enabled PG-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3, 30% ETS 1 4,5,6,7 70% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Oper status is init ETS DCBX Oper status is Up State Machine Type is Asymmetric Conf TLV Tx Status is enabled Reco TLV Tx Status is enabled 2 Input Conf TLV Pkts, 27 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 2 Input Reco TLV Pkts, 27 Output Reco TLV Pkt
-------------------------------------ISCSI TLV Tx Status is enabled Local ISCSI PriorityMap is 0x40 Remote ISCSI PriorityMap is 0x10 4 Input TLV pkts, 3 Output TLV pkts, 0 Error pkts 4 Input Appln Priority TLV pkts, 3 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts 12. DCBX configuration (interface) This example shows how to configure and verify different DCBX versions.
0 OS10(conf-if-eth1/1/53)# dcbx version cee OS10(conf-if-eth1/1/53)# show configuration ! interface ethernet1/1/53 switchport access vlan 1 no shutdown dcbx version ieee service-policy input type network-qos test trust-map dot1p default service-policy output type queuing pmap1 ets mode on qos-map traffic-class tmap2 trust-map dot1p tmap1 priority-flow-control mode on OS10(conf-if-eth1/1/53)# do show lldp dcbx interface ethernet 1/1/53 E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS R
24 sFlow sFlow is a standard-based sampling technology embedded within switches and routers that monitors network traffic. It provides traffic monitoring for high-speed networks with many switches and routers.
● Enable sFlow in CONFIGURATION mode. sflow enable ● Disable sFlow in CONFIGURATION mode.
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
sflow enable
!
Collector configuration
Configure the IPv4 or IPv6 address for the sFlow collector. When you configure the collector, enter a valid and reachable IPv4 or IPv6 address. You can configure a maximum of two sFlow collectors. If you specify two collectors, samples are sent to both.
Global default extended maximum header size: 128 bytes Global extended information enabled: none 1 collector(s) configured Collector IP addr:4.4.4.1 Agent IP addr:1.1.1.1 UDP port:6343 VRF:RED 0 UDP packets exported 0 UDP packets dropped 0 sFlow samples collected Polling-interval configuration The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics.
● Set the sampling rate in CONFIGURATION mode, from 4096 to 65535. The default is 32768.
sflow sample-rate sampling-size
● Disable packet sampling in CONFIGURATION mode.
no sflow sample-rate
● View the sampling rate in EXEC mode.
OS10(config)# sflow source-interface loopback 1
OS10(config)# sflow source-interface vlan 10
View sFlow running configuration
OS10# show running-configuration sflow
sflow enable all-interfaces
sflow source-interface vlan10
sflow collector 5.1.1.1 agent-addr 4.1.1.1 6343
sflow collector 6.1.1.1 agent-addr 4.1.1.1 6343
OS10(config)#show running-configuration interface vlan
!
interface vlan1
no shutdown
!
interface vlan10
no shutdown
ip address 10.1.1.
● View the sFlow running configuration in EXEC mode.
OS10# show running-configuration sflow
sflow enable
sflow max-header-size 80
sflow polling-interval 30
sflow sample-rate 4096
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
sflow enable
!
sFlow commands
sflow collector
Configures an sFlow collector IP address where sFlow datagrams are forwarded. You can configure a maximum of two collectors.
Default Disabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables sFlow.
sflow sample-rate
Configures the sampling rate.
Syntax sflow sample-rate value
Parameter value — Enter the packet sample rate, from 4096 to 65535. The default is 32768.
Default 32768
Command Mode CONFIGURATION
Usage Information Sampling rate is the number of packets skipped before the sample is taken. For example, if the sampling rate is 4096, one sample is generated for every 4096 packets observed. The no version of the command resets the sampling rate to the default value.
Parameter interface type — (Optional) Enter either ethernet or port-channel for the interface type. Command Mode EXEC Usage Information OS10 does not support statistics for UDP packets dropped and samples received from the hardware.
25 Telemetry Network health relies on performance monitoring and data collection for analysis and troubleshooting. Network data is often collected with SNMP and CLI commands using the pull mode. In pull mode, a management device sends a get request and pulls data from a client. As the number of objects in the network and the metrics grow, traditional methods limit network scaling and efficiency. Using multiple management systems further limits network scaling.
BGP peers
Table 95. BGP peers
YANG Container | Minimum sampling interval (milliseconds)
infra-bgp/peer-state/peer-status | 0
Buffer statistics
Table 96. Buffer statistics
YANG Container | Minimum sampling interval (milliseconds)
base-qos/queue-stat | 15000
base-qos/priority-group-stat | 15000
base-qos/buffer-pool-stat | 15000
base-qos/buffer-pool | 15000
Device information
Table 97.
Table 100. Port-channel (lag) member ports
YANG Container | Minimum sampling interval (milliseconds)
dell-base-if-cmn/if/interfaces | 0
System statistics
Table 101. System statistics
YANG Container | Minimum sampling interval (milliseconds)
system-status/current-status | 15000
Configure telemetry
NOTE: To set up a streaming telemetry collector, download and use the OS10 telemetry .proto files from the Dell EMC Support site.
Table 102. Pre-configured sensor group (continued)
Pre-configured sensor group | Minimum sampling interval (milliseconds)
System | 15000
Configure a destination group
A destination group defines the destination servers to which streaming telemetry data is sent.
1. Enter the destination group name in TELEMETRY mode. A maximum of 32 characters.
OS10(conf-telemetry)# destination-group group-name
2. Enter the IPv4 or IPv6 address and transport-service port number in DESTINATION-GROUP mode.
6. Configure the gRPC transport protocol used to stream data to a destination in SUBSCRIPTION-PROFILE mode. gRPC with Transport Layer Security (TLS) certificates enabled is the default transport protocol. To disable TLS certificate exchange, use the transport grpc no-tls command.
OS10(conf-telemetry-sp-subscription)# transport protocol [no-tls]
After you configure a subscription profile, the telemetry agent starts collecting data and streaming it to destination devices.
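One way to find subscription profiles where the no-tls option from step 6 is in effect, as an added example that is not part of the Dell guide: the Python below parses show telemetry subscription-profile output and reports every profile that streams without TLS. The sample output is constructed in the layout this guide prints; the value "TLS : enabled", the addresses, and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the "show telemetry subscription-profile"
# output printed in this guide. "TLS : enabled" is an assumed value.
SAMPLE_OUTPUT = """\
Telemetry Status : enabled
-- Telemetry Subscription Profile --
Name : subscription-1
Destination Groups(s) : dest1
Sensor-group Sample-interval
-----------------------------------
bgp 300000
buffer 15000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.204:40001 is in connected state
Name : subscription-2
Destination Groups(s) : dest2
Sensor-group Sample-interval
-----------------------------------
oc-bgp 15000
Encoding : gpb
Transport : grpc
TLS : enabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.205:40001 is in connected state
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ()\-]*?)\s*:\s*(.*)$")
CONNECTION = re.compile(r"^The connection (\S+) is in (\w+) state$")
SENSOR = re.compile(r"^([a-z][a-z0-9\-]*)\s+(\d+)$")


def parse_profiles(text):
    """Split the command output into one dict per subscription profile."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue  # blank line or table ruler
        conn = CONNECTION.match(line)
        sensor = SENSOR.match(line)
        field = FIELD.match(line)
        if conn and current is not None:
            current["connections"].append(
                {"peer": conn.group(1), "state": conn.group(2)})
        elif sensor and current is not None:
            current["sensors"][sensor.group(1)] = int(sensor.group(2))
        elif field:
            key, value = field.group(1).lower(), field.group(2).strip()
            if key == "name":  # every profile starts with its Name line
                current = {"name": value, "fields": {},
                           "sensors": {}, "connections": []}
                profiles.append(current)
            elif current is not None:
                current["fields"][key] = value
    return profiles


def audit_profiles(profiles):
    """Return one finding per profile that does not report TLS as enabled."""
    findings = []
    for profile in profiles:
        fields = profile["fields"]
        tls = fields.get("tls", "").lower()
        if tls == "enabled":
            continue
        issue = ("telemetry streamed without TLS" if tls == "disabled"
                 else "TLS state not reported")
        findings.append({
            "profile": profile["name"],
            "issue": issue,
            "active": fields.get("active", "").lower() == "true",
            "connected_peers": [c["peer"] for c in profile["connections"]
                                if c["state"] == "connected"],
            "sensor_groups": sorted(profile["sensors"]),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_profiles(parse_profiles(SAMPLE_OUTPUT)):
        print(finding)
```

A finding with active set to true and a non-empty connected_peers list means sensor data is crossing the network in cleartext to those collectors right now.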
Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.204:40001 is in connected state View destination group OS10# show telemetry destination-group Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
buffer device environment interface lag system 15000 300000 300000 180000 0 300000 Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.204:40001 is in connected state Verify telemetry in running configuration OS10# show running-configuration telemetry ! telemetry enable ! destination-group dest1 destination 10.11.56.
telemetry
Enters Telemetry configuration mode to configure streaming telemetry.
Syntax telemetry
Parameters None
Default Telemetry is disabled on the switch.
Command mode CONFIGURATION
Usage information Enable and disable streaming telemetry in Telemetry mode.
Example
OS10(config)# telemetry
OS10(conf-telemetry)#
Supported releases 10.4.3.0 or later
enable
Enables telemetry on the switch.
Syntax enable
Parameters None
Default Telemetry is disabled.
destination
Configures a destination management device that receives streaming telemetry.
Syntax destination {ip-address | domain-name} port-number
Parameters
● ip-address — Enter the IPv4 or IPv6 address of the destination device. You can enter a fully qualified domain name (FQDN). The destination domain name resolves to an IP address — see System domain name and list.
● domain-name — Enter the fully qualified domain name of the destination device. A maximum of 32 characters.
Command mode SUBSCRIPTION-PROFILE
Usage information A subscription profile associates destination groups and sensor groups. A destination group defines the destination servers to which streaming telemetry data is sent. The no version of this command removes the configured group from the subscription profile.
Example
OS10(conf-telemetry)# subscription-profile subscription-1
OS10(conf-telemetry-sp-subscription-1)# destination-group dest1
Supported releases 10.4.3.
● oc-vlan — Enter oc-vlan to assign Openconfig VLAN statistics sensor group to the subscription profile.
● oc-vrrp — Enter oc-vrrp to assign Openconfig VRRP statistics sensor group to the subscription profile.
● sampling-interval — Enter the interval in milliseconds used to collect data samples. The range is 0 to 4294967295. The default is 15000.
Usage information The no version of the command removes the configured encoding format from a subscription profile.
Example
OS10(conf-telemetry)# subscription-profile subscription-1
OS10(conf-telemetry-sp-subscription-1)# encoding gpb
Supported releases 10.4.3.0 or later
transport
Configures the transport protocol used to stream telemetry data to a remote management device.
Example
OS10(conf-telemetry)# subscription-profile subscription-1
OS10(conf-telemetry-sp-subscription-1)# source-interface ethernet 1/1/1
Supported releases 10.4.3.0 or later
show telemetry
Displays the configured destination-group, sensor-group, and subscription profiles for streaming telemetry.
Syntax show telemetry [destination-group [group-name] | sensor-group [group-name] | subscription-profile [profile-name]]
Parameters
● destination-group — Display only destination groups or a specified group.
Group : oc-device Sensor Path : openconfig-platform/components/component Sensor Path : openconfig-network-instance/network-instances/ networkinstance Group : oc-environment Sensor Path : openconfig-platform/components/component Group : oc-interface Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-lacp Sensor Path : openconfig-lacp/lacp Group : oc-lag Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-lldp Sensor Path : openconfig-lldp/lldp Group : oc-stp Sensor Path : ope
Sensor Path : if/interfaces-state/interface/statistics Sensor Path : dell-base-if-cmn/if/interfaces-state/interface Group : lag Sensor Path : dell-base-if-cmn/if/interfaces Group : system Sensor Path : system-status/current-status Group : oc-bfd Sensor Path : openconfig-bfd/bfd Group : oc-bgp Sensor Path : openconfig-bgp/bgp/neighbors/neighbor Sensor Path : openconfig-bgp/bgp/rib/afi-safis/afi-safi Group : oc-buffer Sensor Path : openconfig-qos/qos/interfaces/interface Group : oc-device Sensor Path : openco
Subscription profile with openconfig model sensor group ======================================================= OS10# show telemetry subscription-profile Telemetry Status : enabled -- Telemetry Subscription Profile -Name : subscription-2 Destination Groups(s) : dest2 Sensor-group Sample-interval ----------------------------------oc-bfd 15000 oc-bgp 15000 oc-buffer 15000 oc-device 15000 oc-environment 15000 oc-interface 15000 oc-lacp 15000 oc-lag 0 oc-lldp 15000 oc-stp 15000 oc-system 15000 oc-vendor-ufd 1
-- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
Destination Groups(s) : dest1 Sensor-group Sample-interval ----------------------------------bgp 300000 bgp-peer 0 buffer 15000 device 300000 environment 300000 interface 180000 lag 0 system 300000 Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.
26 RESTCONF API RESTCONF is a representational state transfer (REST)-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches using JavaScript Object Notation (JSON)-structured messages. Use any programming language to create and send JSON messages. The examples in this chapter use curl. The OS10 RESTCONF implementation complies with RFC 8040. You can use the RESTCONF API to configure and monitor an OS10 switch.
● ecdhe-rsa-with-aes-128-gcm-SHA256
● ecdhe-rsa-with-aes-256-gcm-SHA384
rest https cipher-suite
4. Enable RESTCONF API in CONFIGURATION mode.
rest api restconf
RESTCONF API configuration
OS10(config)# rest https server-certificate name OS10.dell.
Error
{"ietf-restconf:errors":{"error":[{"error-type":"rpc","error-tag":"invalid-value","error-app-tag":"data-invalid","error-path":"/classifier-entry","error-message":"unknown resource instance","error-info":{"bad-value":"/restconf/data/dell-diffserv-classifier:classifier-entry=test","error-number":388}}]}}
POST request
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"dell-diffserv-classifier:classifier-entry": [{"name":"test","mtype":"qos","match":"m
interface ethernet 1/1/1
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"ietf-interfaces:interfaces":{"interface": [{"name":"ethernet1/1/1","type":"iana-if-type:ethernetCsmacd"}]}}' -X PATCH https://$MGMT_IP/restconf/data/ietf-interfaces:interfaces
REST-TRANSLATE-OS10(conf-if-eth1/1/1)# description "ethernet 1/1/1"
CLI command: description "ethernet 1/1/1"
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Conten
REST-TRANSLATE-OS10#
CLI commands generate multiple RESTCONF requests:
● If the command updates multiple objects (within the same module or across modules), the command translates into multiple RESTCONF requests. This is because the target resource in the URI can only be a single object.
● If the command performs multiple operations in a single request (merge and delete on leafs), the CLI first generates a DELETE request and then a PATCH with the remaining objects.
CLI command: no ip ospf 1 area 100
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -X DELETE https://$MGMT_IP/restconf/data/ietf-interfaces:interfaces/interface/dell-ospf-v2:ospf-info/dell-ospf-v2:proc-id
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -X DELETE https://$MGMT_IP/restconf/data/ietf-interfaces:interfaces/interface/dell-ospf-v2:ospf-info/dell-ospf-v2:area-id
curl -i -k -H "Ac
On successful login, JSON data returns 'access_token' and 'refresh_token' as keys. You can parse the data and save the token values for subsequent requests.
$ export ACCESS_TOKEN="abc.123.xyz"
$ export REFRESH_TOKEN="efg.456.uvw"
The following is an example of an RS256 signed token:
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTUzNjcyMjcxfQ.
rest https cipher-suite
Limits the ciphers to encrypt and decrypt REST HTTPS data.
Syntax rest https cipher-suite cipher-list
Parameters cipher-list — Enter the ciphers supported in a REST API HTTPS session. Separate multiple entries with a blank space. Valid cipher suites are:
● dhe-rsa-with-aes-128-gcm-SHA256
● dhe-rsa-with-aes-256-gcm-SHA384
● ecdhe-rsa-with-aes-128-gcm-SHA256
● ecdhe-rsa-with-aes-256-gcm-SHA384
Default All cipher suites installed with OS10 are supported.
● The no version of the command removes the configured RESTCONF HTTPS session timeout.
Example OS10(config)# rest https session timeout 60
Supported Releases 10.4.1.0 or later
cli mode rest-translate
Enables RESTCONF translation mode in the CLI session.
Syntax cli mode rest-translate
Parameters None
Default None
Command Mode Exec
Usage Information This command enables translation of CLI commands into equivalent RESTCONF requests in the current session.
Example
OS10# show cli mode
Current CLI session mode : rest-translate
Translated requests are available as supportbundle://restconf_requests_1132.txt
OS10#
Supported Releases 10.5.1.0 or later
rest authentication token validity
Configures the validity duration for the tokens.
Syntax rest authentication token validity minutes
Parameters minutes — Enter the validity duration (0 to 1200 minutes) for the REST Access Token. 0 indicates that the token has no expiry.
rest authentication token algorithm
Configures the token signing algorithm.
Syntax rest authentication token algorithm [HS256 | RS256 | ES256]
Parameters hs256, rs256, es256 — Enter the algorithm standard to be used to sign the tokens.
Default RS256
Command Mode CONFIGURATION
Usage Information This command updates the token signing algorithm. The no version of the command resets to the default value.
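A client-side check of a saved access token against the token validity and token algorithm settings above, as an added example that is not part of the Dell guide: the Python below decodes the header and payload of the RS256 token quoted earlier in this chapter and reports an unexpected signing algorithm, a missing expiry, or an expired token. Assumptions: exp holds Unix seconds, a token issued with validity 0 carries no exp claim, the signature segment is a placeholder because the guide's copy is cut off, and the function names are illustrative.

```python
import base64
import json
import time

# Header and payload segments are the ones printed in this guide's RS256
# example. The signature segment is a placeholder (the guide's is cut off).
GUIDE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTUzNjcyMjcxfQ."
    "PLACEHOLDER_SIGNATURE"
)

# Options of "rest authentication token algorithm" in this guide.
ALLOWED_ALGS = {"HS256", "RS256", "ES256"}
# Upper bound of "rest authentication token validity" in this guide.
MAX_VALIDITY_MINUTES = 1200


def _b64url_decode(segment):
    """Decode base64url text whose '=' padding was stripped, as JWTs do."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Return (header, payload) WITHOUT checking the signature.

    Only the switch can verify the signature; this is for inspection.
    """
    parts = token.strip().strip('"').split(".")
    if len(parts) != 3:
        raise ValueError("a signed token has three dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(f"segment is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, payload


def inspect_token(token, now=None, expected_alg="RS256"):
    """Summarise a token and list anything an operator should act on."""
    header, payload = decode_unverified(token)
    now = int(time.time()) if now is None else int(now)
    problems = []

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        problems.append(f"alg {alg!r} is not a configurable signing algorithm")
    elif alg != expected_alg:
        problems.append(f"alg {alg} differs from the expected {expected_alg}")

    exp = payload.get("exp")
    seconds_left = None
    if isinstance(exp, bool) or not isinstance(exp, int):
        # Assumption: validity 0 (no expiry) shows up as a missing exp claim.
        problems.append("no usable exp claim: the token may never expire")
    else:
        seconds_left = exp - now
        if seconds_left <= 0:
            problems.append("token expired: refresh it or log in again")
        elif seconds_left > MAX_VALIDITY_MINUTES * 60:
            problems.append("lifetime exceeds the 1200-minute maximum validity")

    return {"alg": alg, "username": payload.get("username"), "exp": exp,
            "seconds_left": seconds_left, "problems": problems}


if __name__ == "__main__":
    # The guide's token expired long ago, so this prints the "expired" finding.
    print(inspect_token(GUIDE_TOKEN))
```

A token that never expires stays usable for as long as it is stored anywhere, so a missing exp claim is worth tracing back to the token validity setting on the switch.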
● When a RESTCONF query is in progress, you cannot configure any CLI commands until the RESTCONF query is complete.
● It is recommended to use a POST request instead of PUT to replace the target data resources.
View XML structure of CLI commands
To use the RESTCONF API to configure and monitor an OS10 switch, create an HTTPS request with data parameters in JSON format. The JSON data parameters correspond to the same parameters in the XML structure of an OS10 command.
Reply:
OS10(config)# do no debug cli netconf
RESTCONF API Examples
Some common RESTCONF API operations include configuring the system hostname and interfaces such as a loopback interface. The examples in this section use curl commands to send the HTTPS request.
true, "description":"loopback interface", "name":"loopback1"}]}'
Configure a loopback interface IP address
RESTCONF endpoint /restconf/data/interfaces/interface/loopback1
JSON content { "dell-ip:ipv4":{ "address": { "primary-addr":"6.6.6.6/24" } } }
Parameters
● primary-addr ip-address/prefix-length — Enter the loopback IP address in dotted-decimal A.B.C.D/x format.
Example curl -X POST -k -u admin:admin "https://10.11.86.
27 Troubleshoot Dell EMC SmartFabric OS10 Critical workloads and applications require constant availability. Dell EMC Networking offers tools to help you monitor and troubleshoot problems before they happen.
* 1 S4148F-ON 985 006 10 1 S4148F-ON-PWR-1-AC 1 S4148F-ON-FANTRAY-1 1 S4148F-ON-FANTRAY-2 1 S4148F-ON-FANTRAY-3 1 S4148F-ON-FANTRAY-4 09H9MN X01 TW-09H9MN-28298-713-0026 06FKHH 0N7MH8 0N7MH8 0N7MH8 0N7MH8 A00 X01 X01 X01 X01 CN-06FKHH-28298-6B5-03NY TW-0N7MH8-28298-713-0101 TW-0N7MH8-28298-713-0102 TW-0N7MH8-28298-713-0103 TW-0N7MH8-28298-713-0104 9531XC2 198 Boot information Display system boot and image information. ● View all boot information in EXEC mode.
30452 admin 1 root 2 root 3 root 5 root 7 root 8 root 10 root 11 root 12 root 13 root 14 root 15 root 16 root 17 root 19 root 20 root 21 root 22 root 23 root 24 root 25 root --more-- 20 20 20 20 0 20 20 20 20 20 rt rt rt rt 20 0 0 20 0 20 0 25 0 0 0 0 -20 0 0 0 0 0 0 0 0 0 0 -20 -20 0 -20 0 -20 5 22076 112100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2524 5840 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2100 3032 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 R S S S S R S S S S S S S S S S S S S S S S 6.1 0.0 0.
Capture packets from Ethernet interface
$ tcpdump -i e101-003-0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on e101-003-0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:39:22.457185 IP 3.3.3.1 > 3.3.3.4: ICMP echo request, id 5320, seq 26, length 64
01:39:22.457281 IP 3.3.3.1 > 3.3.3.
When you execute a traceroute, the output shows the path a packet takes from your device to the destination IP address. It also lists all intermediate hops (routers) that the packet traverses to reach its destination, including the total number of hops traversed.
Check IPv4 connectivity
OS10# ping 172.31.1.255
Type Ctrl-C to abort.
Sending 5, 100-byte ICMP Echos to 172.31.1.255, timeout is 2 seconds:
Reply to request 1 from 172.31.1.208 0 ms
Reply to request 1 from 172.31.1.
1 3ffe:501:ffff:100:201:e8ff:fe00:4c8b 000.000 ms 000.000 ms 000.000 ms View solution ID Dell EMC networking switches that are part of a larger solution require a solution identifier (ID). To view the solution ID including the product base, product serial number, and product part number, use the following show commands: View inventory OS10# show inventory Product : S6000-ON Description : S6000-ON 32x40GbE QSFP+ Interface Module Software version : 10.4.
Software version : 10.4.9999EX Product Base : ECS Gen3 Product Serial Number : APM001123456789 Product Part Number : 900-590-001 ----------------------------------------------------------------<
Node Id MAC Number of MACs Up Time : : : : 1 14:18:77:15:c3:e8 256 1 day 00:48:58 -- Unit 1 -Status System Identifier Down Reason Digital Optical Monitoring System Location LED Required Type Current Type Hardware Revision Software Version Physical Ports BIOS System CPLD Master CPLD Slave CPLD : : : : : : : : : : up 1 unknown disable off S4148F S4148F X01 10.5.1.0 48x10GbE, 2x40GbE, 4x100GbE : 3.33.0.0-3 : 0.4 : 0.10 : 0.
location-led system
Changes the location LED of the system.
Syntax location-led system {node-id | node-id/unit-id} {on | off}
Parameters
● node-id | node-id/unit-id — Enter the system ID.
● on | off — Set the system LED to be on or off.
Default Not configured
Command Mode EXEC
Usage Information Use this command to change the location LED for the specified system ID.
Example
OS10# location-led system 1 on
OS10# location-led system 1 off
Supported Releases 10.3.
show diag Displays diagnostic information for port adapters and modules. Syntax show diag Parameters None Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show diag 00:00.0 Host bridge: Intel Corporation Atom processor C2000 SoC Transaction Router (rev 02) 00:01.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 1 (rev 02) 00:02.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 2 (rev 02) 00:03.
Thermal sensors
Unit Sensor-Id Sensor-name Temperature
------------------------------------------------------------------------------
1 1 CPU On-Board temp sensor 32
1 2 Switch board temp sensor 28
1 3 System Inlet Ambient-1 temp sensor 27
1 4 System Inlet Ambient-2 temp sensor 25
1 5 System Inlet Ambient-3 temp sensor 26
1 6 Switch board 2 temp sensor 31
1 7 Switch board 3 temp sensor 41
1 8 NPU temp sensor 43
Supported Releases 10.2.0E or later
show hash-algorithm
Displays hash algorithm information.
1 1 Supported Releases S4148F-ON-FANTRAY-3 S4148F-ON-FANTRAY-4 0N7MH8 0N7MH8 X01 X01 TW-0N7MH8-28298-713-0103 TW-0N7MH8-28298-713-0104 10.2.0E or later show processes View process CPU utilization information. Syntax show processes node-id node-id-number [pid process-id] Parameters ● node-id-number — Enter the Node ID number as 1. ● process-id — (Optional) Enter the process ID number, from 1 to 2147483647.
khelper 21 root kdevtmpfs 22 root 23 root khungtaskd 24 root writeback 25 root --more-- 20 0 0 0 0 S 0.0 0.0 0:00.00 0 -20 20 0 0 0 0 0 0 S 0 S 0.0 0.0 0.0 0.0 0:00.00 netns 0:00.41 0 -20 0 0 0 S 0.0 0.0 0:00.00 0 0 0 S 0.0 0.0 0:00.00 ksmd 25 5 OS10# show processes node-id 1 pid 1019 top - 09:21:58 up 5 days, 8 min, 2 users, load average: 0.18, 0.30, 0.31 Tasks: 1 total, 0 running, 1 sleeping, 0 stopped, 0 zombie %Cpu(s): 9.7 us, 3.9 sy, 0.3 ni, 85.8 id, 0.0 wa, 0.0 hi, 0.
-- Power Supplies -PSU-ID Status Type AirFlow Fan Speed(rpm) Status ---------------------------------------------------------------1 up AC NORMAL 1 13312 up 2 fail -- Fan Status -FanTray Status AirFlow Fan Speed(rpm) Status ---------------------------------------------------------------1 up NORMAL 1 13195 up Example (nodeid) 2 up NORMAL 1 13151 up 3 up NORMAL 1 13239 up 4 up NORMAL 1 13239 up OS10# show system node-id 1 fanout-configured Interface Breakout capable Breakout state ------
Supported Releases 3 up NORMAL 1 13239 up 4 up NORMAL 1 13239 up 10.2.0E or later traceroute Displays the routes that packets take to travel to an IP address. Syntax traceroute [vrf {management | vrf-name}] host [-46dFITnreAUDV] [-f first_ttl] [-g gate,...
1 10.11.97.254 (10.11.97.254) 4.298 ms 4.417 ms 4.398 ms
2 10.11.3.254 (10.11.3.254) 2.121 ms 2.326 ms 2.550 ms
3 10.11.27.254 (10.11.27.254) 2.233 ms 2.207 ms 2.391 ms
4 Host65.hbms.com (63.80.56.65) 3.583 ms 3.776 ms 3.757 ms
5 host33.30.198.65 (65.198.30.33) 3.758 ms 4.286 ms 4.221 ms
6 3.GigabitEthernet3-3.GW3.SCL2.ALTER.NET (152.179.99.173) 4.428 ms 2.593 ms 3.243 ms
7 0.xe-7-0-1.XL3.SJC7.ALTER.NET (152.63.48.254) 3.915 ms 3.603 ms 3.790 ms
8 TenGigE0-4-0-5.GW6.SJC7.ALTER.NET (152.63.49.254) 11.
6. At the root prompt, enter usermod -s /bin/bash linuxadmin to enable the linuxadmin user.
root@OS10: /# usermod -s /bin/bash linuxadmin
7. Verify the linuxadmin password status by entering the passwd -S linuxadmin command. If the password is locked, L is displayed following linuxadmin in the command output. Unlock the password by entering the passwd -u linuxadmin command.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-* *-* Copyright (c) 1999-2018 by Dell Inc. All Rights Reserved. *-* *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*This product is protected by U.S. and international copyright and intellectual property laws. Dell EMC and the Dell EMC logo are trademarks of Dell Inc.
s4048t-1# configure terminal
s4048t-1(config)#
9. Configure the recovered password for the user name using the username password role command in CONFIGURATION mode; for example:
s4048t-1(config)# username admin password admin12345 role sysadmin
Restore factory defaults
To restore your system factory defaults, reboot the system to ONIE: Uninstall OS mode.
CAUTION: Restoring factory defaults erases any installed operating system and requires a long time to erase storage.
SupportAssist The SupportAssist feature monitors the devices in your network that run the Dell EMC Networking Operating System. This feature offers an extra layer of service to your IT support capabilities by: ● Identifying issues and helping you resolve them quickly. ● Proactively monitoring the network and minimizing the risk of downtime. SupportAssist periodically collects information about configuration, inventory, logs, and so on, from the network devices.
2. Accept the EULA. OS10(config)# eula-consent support-assist accept 3. Enter SupportAssist mode from CONFIGURATION mode. OS10(config)# support-assist OS10(conf-support-assist)# 4. (Required) Specify the SupportAssist server URL or IP address in SUPPORT-ASSIST mode, and specify your Dell Digital Locker (DDL) credentials to access the SupportAssist server. This account must have entitlements to the OS10 switch in DDL. You can enter default to specify the SupportAssist server URL (https://esrs3.emc.com).
Configure SupportAssist company OS10(conf-support-assist)# contact-company name ExampleCompanyName OS10(conf-support-assist-ExampleCompanyName)# address city San Jose state California country USA zipcode 95125 OS10(conf-support-assist-ExampleCompanyName)# street-address "123 Example Street" "Bldg 999" OS10(conf-support-assist-ExampleCompanyName)# territory Sales Set contact information Configure contact details in SUPPORT-ASSIST mode.
○ hourly min number—Enter the time to schedule an hourly task, from 0 to 59. ○ daily hour number min number—Enter the time to schedule a daily task, from 0 to 23 hours and 0 to 59 minutes. ○ weekly day-of-week number hour number min number—Enter the time to schedule a weekly task, from 0 to 6 days, 0 to 23 hours, and 0 to 59 minutes. ○ monthly day number hour number min number—Enter the time to schedule a monthly task, from 1 to 31 days, 0 to 23 hours, and 0 to 59 minutes.
16:15:19 event-notification 16:04:39 keep-alive 17:30:03 Success 2019-06-13 16:04:35 2019-06-13 Success 2019-06-13 18:00:00 2019-06-13 Server Status : Last KeepAlive Status Last KeepAlive Successful Last KeepAlive Failed at Last MFT Status : Last MFT Successful at : Last MFT Failed at : : Failed at : 2019-06-13 17:30:03 : 2019-06-13 18:00:03 Success 2019-06-13 16:15:19 Never View EULA license OS10# show support-assist eula SUPPORTASSIST ENTERPRISE - SOFTWARE TERMS *** IMPORTANT INFORMATION - PLEASE
View SupportAssist logs To view a list of SupportAssist activities with the ESRS and TechDirect servers, use the following show command: OS10# show support-assist logs 1 Thu Jun 27 15:32:46 UTC 2019 2 Fri Jun 28 03:11:46 UTC 2019 3 Fri Jun 28 03:11:55 UTC 2019 4 Fri Jun 28 03:11:58 UTC 2019 5 Fri Jun 28 05:08:49 UTC 2019 6 Fri Jun 28 03:00:00 UTC 2019 7 Fri Jun 29 03:00:00 UTC 2019 8 Fri Jun 29 03:11:46 UTC 2019 9 Fri Jun 30 05:13:37 UTC 2019 error 10 Fri Jun 30 05:14:00 UTC 2019 11 Fri Jun 30 05:14:03 UTC
Table 104. Country names and codes (continued) Country name Country code Western Sahara ESH Yemen YEM Zambia ZMB Zimbabwe ZWE SupportAssist commands eula-consent Accepts or rejects the SupportAssist end-user license agreement (EULA). Syntax eula-consent {support-assist} {accept | reject} Parameters ● support-assist — Enter to accept or reject the EULA for the service. ● accept — Enter to accept the EULA-consent. ● reject — Enter to reject EULA-consent.
Example OS10# show eula-consent support-assist EULA support-assist : Accepted Supported Releases 10.2.0E or later show support-assist warranty Displays warranty information for the OS10 switch and the relevant service contracts. Syntax show support-assist warranty Parameters None Default None Command Mode EXEC Usage Information This command displays the warranty information for the OS10 switch and the relevant service contracts.
10 Fri Jun 30 05:14:00 UTC 2019 Alert bundle upload failed due to communication error 11 Fri Jun 30 05:14:03 UTC 2019 Alert bundle uploaded to ESRS Server Supported Releases 10.5.1.0 or later support-assist Enters SupportAssist subconfiguration mode. Syntax support-assist Parameters None Default Not applicable Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
○ min number—Enter the keyword and specify the minute to schedule the task, 0–59. Default None Command Mode EXEC Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command removes the configuration.
Parameters None Default Enabled Command Mode SUPPORT-ASSIST Usage Information This command enables data collection for the specified activity. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command disables the activity.
Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. Example OS10(conf-support-assist)# server url default username youremailid@example.com password Password1 Supported Releases 10.2.0E or later show configuration Displays the SupportAssist configuration currently running on the device.
976dbcf6cce4bd298375e15bb989a9a6e6ee51d130d446ce3c25ade72a6f99fc6 source-interface mgmt1/1/1 ! contact-company name "Example Company Name" street-address No:123 Example Street Bldg 999 address city San Jose state California country USA zipcode 95125 territory Global ! contact-person first Firstname last Lastname email-address primary youremail@example.com alternate alternate_email@example.com phone primary 0001234567 alternate 1234567890 preferred-method email Supported Releases 10.2.
Usage Information Use this command to view the SupportAssist status. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
● vlan vlan-id—Enter a VLAN ID, from 1 to 4093. Default Not configured. Command Mode SUPPORT-ASSIST Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command removes the configuration.
Parameters ● first firstname — Enter the keyword and the first name of the contact person. Use double quotes for more than one first name. ● last lastname — Enter the keyword and the last name of the contact person. Default Not configured Command Mode SUPPORT-ASSIST Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command removes the configuration.
SupportAssist person commands email-address Configures the email address of the contact person. Syntax email-address primary email-id [alternate email-id] Parameters email-id—Enter the email address of the contact person. Default Not configured Command Mode SUPPORT-ASSIST Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command removes the configuration.
Apr 19 17:0:9: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_COMPLETED: generate support-bundle execution has completed successfully:All Plugin options enabled
Support bundle generation failure
Apr 19 17:0:14: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_FAILURE: Failure in generate support-bundle execution:All Plugin options disabled
Apr 19 17:0:14: %Node.1-Unit.
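Added example, not from the Dell EMC guide: a Python parser for the support-bundle log message layout shown above. It pads the unpadded time fields and separates SUPPORT_BUNDLE_FAILURE events from lines that do not parse. The field layout is inferred from the two sample messages; the field names tag and origin (for the PRI and OS10 values) are assumptions.

```python
import re

# Layout inferred from the two sample messages in this guide. The guide does
# not define the "PRI" and "OS10" fields, so the names "tag" and "origin"
# are assumptions and the values are kept verbatim.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{1,2}):(?P<m>\d{1,2}):(?P<s>\d{1,2}):\s+"
    r"%Node\.(?P<node>\d+)-Unit\.(?P<unit>\d+):"
    r"(?P<tag>[^:\s]+):(?P<origin>\S+)\s+"
    r"%(?P<severity>log-[a-z]+):(?P<event>[A-Z][A-Z0-9_]*):\s*(?P<message>.*)$"
)


def parse_line(line):
    """Return a dict for one OS10 message, or None if the line does not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    h, m, s = (int(rec.pop(k)) for k in ("h", "m", "s"))
    if h > 23 or m > 59 or s > 59:
        return None
    # The samples print the time without zero padding (17:0:9); pad it so
    # records sort and correlate correctly with other log sources.
    rec["time"] = f"{h:02d}:{m:02d}:{s:02d}"
    for key in ("day", "node", "unit"):
        rec[key] = int(rec[key])
    return rec


def triage(lines):
    """Return (parsed records, support-bundle failures, rejected lines)."""
    records, failures, rejected = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)  # truncated or foreign lines stay reviewable
            continue
        records.append(rec)
        if rec["event"] == "SUPPORT_BUNDLE_FAILURE":
            failures.append(rec)
    return records, failures, rejected


SAMPLE = [
    # The first two messages are quoted from this guide.
    "Apr 19 17:0:9: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_COMPLETED: "
    "generate support-bundle execution has completed successfully:All Plugin options enabled",
    "Apr 19 17:0:14: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_FAILURE: "
    "Failure in generate support-bundle execution:All Plugin options disabled",
    "Apr 19 17:0:14: %Node.1-Unit.",  # cut-off message, must be rejected
    "Apr 19 25:0:14: %Node.1-Unit.1:PRI:OS10 %log-notice:X: bad hour",  # constructed
]

if __name__ == "__main__":
    records, failures, rejected = triage(SAMPLE)
    for rec in failures:
        print(rec["month"], rec["day"], rec["time"], rec["event"], rec["message"])
    print(f"{len(records)} parsed, {len(rejected)} rejected")
```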
● MAJOR—A major error has occurred and requires escalation or notification. For example, a major alarm may trigger if an interface failure occurs, such as a port channel being down. ● MINOR—A minor error or noncritical condition occurred that, if left unchecked, might cause system service interruption or performance degradation. A minor alarm requires monitoring or maintenance. ● WARNING—A warning condition was observed, but it may or may not result in an error condition.
Configure custom severity profile To modify the severity of events or disable event notification: Your user account must have any one of the following privileges: System admin (sysadmin), security admin (secadmin), or network admin (netadmin). 1. Use the dir command to view the list of available severity profiles in the severity-profile:// partition.
Delete custom severity profile You can delete custom severity profiles that you no longer need. However, you cannot delete the default or active severity profile. To delete a custom severity profile, use the delete severity-profile://profile-name command. For example: OS10# delete severity-profile://mySevProf_1.xml System logging You can change the system logging default settings using the severity level to control the type of system messages that log.
● Reenable any logging command in CONFIGURATION mode. no logging enable Enable server logging for log notice OS10(config)# logging server 10.11.86.139 severity log-notice System logging over TLS To provide enhanced security and privacy in the logged system messages sent to a syslog server, you can use the Transport Layer Security (TLS) protocol.
You determine if the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode. When FIPS mode is enabled, you can still generate CSRs for non-FIPS certificates for use with non-FIPS applications. Be sure to install these certificates as non-FIPS with the crypto cert install command. 3. Configure a security profile for system logging over TLS using an X.509v3 certificate. a. Create a Syslog security profile in CONFIGURATION mode.
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
clientcert.crt
-------------------------------------
| Installed FIPS certificates |
-------------------------------------
OS10(config)# crypto security-profile dellprofile
OS10(config-sec-profile)# certificate clientcert
OS10(config-sec-profile)# exit
OS10(config)# logging security-profile dellprofile
OS10(config)# logging server 10.11.86.
dn_infra_afs dn_issu dn_l2_services dn_l2_services_ dn_l2_services_ dn_l2_services_ dn_l2_services_ dn_l3_core_serv dn_l3_service dn_lacp dn_lldp dn_mgmt_entity_ --More-- Environmental monitoring Monitors the hardware environment to detect temperature, CPU, and memory utilization.
Alarm commands alarm acknowledge Acknowledges an active alarm. Syntax alarm acknowledge sequence-number Parameters ● sequence-number — Acknowledge the alarm corresponding to the sequence number. Default Not configured Command Mode EXEC Usage Information Use the show alarm command to view all active alarms. Use active alarm sequence numbers to acknowledge specific alarms. Example OS10# alarm acknowledge 1 Supported Releases 10.4.
Example
OS10# show alarms
Sq No  Severity     Name                            Timestamp                 Source
-----  -----------  ------------------------------  ------------------------  ------
7563   critical     EQM_MORE_PSU_FAULT              Fri Jul 26 19:26:16 2019  /pus/1
7566   warning      EQM_TML_MINOR_CROSSED           Fri Jul 26 19:30:22 2019  /pus/1
7569   information  L2_SERV_LACP_CMS_CPS_SEND_FAIL  Fri Jul 26 19:55:40 2019  /pus/1
Supported Releases 10.2.0E or later
show alarms acknowledged Displays all acknowledged alarms.
Active-alarm details - 732
------------------------------------------
Sequence Number: 732
Severity: critical
Source: /psu/2
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Mon Jul 29 06:12:30 2019
Ack-time:
New: true
Acknowledged: false
------------------------------------------
Alarm is acknowledged:
OS10# show alarms details
Active-alarm details - 732
------------------------------------------
Sequence Number: 732
Severity: critical
Source: /psu/2
Name: EQM_MORE_PSU_FAULT
De
show alarms severity Displays all active alarms corresponding to a specific severity level. Syntax show alarms severity severity Parameters severity — Set the alarm severity: ● critical — Critical alarm severity. ● major — Major alarm severity. ● minor — Minor alarm severity. ● warning — Warning alarm severity.
show alarms summary Displays the summary of all active alarms. Syntax show alarms summary Parameters None Default Not configured Command Mode EXEC Usage Information None
Example
OS10# show alarms summary
Active-alarm Summary
------------------------------------------
Total-count: 2
Critical-count: 0
Major-count: 1
Minor-count: 1
Warning-count: 0
------------------------------------------
Supported Releases 10.2.
Example (reverse) Example (sequence) Example (details) Example (summary) 3 2 Raised Raised EQM_MORE_PSU_FAULT Sun 10-07-2018 18:39:44 /psu/2 EQM_FANTRAY_FAULT Sun 10-07-2018 16:39:42 /fantray/3 OS10# Sq No ----1 2 3 4 5 6 show event history reverse State Name Timestamp -------- ------------------ ----------------------Stateless SYSTEM_REBOOT Sun 10-07-2018 15:39:41 Raised EQM_FANTRAY_FAULT Sun 10-07-2018 16:39:42 Raised EQM_MORE_PSU_FAULT Sun 10-07-2018 18:39:44 Raised EQM_MORE_PSU_FAULT Sun 10-07-2
show event severity-profile Displays the active severity profile and the profile that becomes active after a system restart. Syntax show event severity-profile Parameters None Default None Command Mode EXEC Usage Information None
Example
OS10# show event severity-profile
Severity Profile Details
------------------------
Currently Active : default
Active after restart : mySevProf.xml
Supported Releases 10.5.0 or later
Logging commands clear logging Clears messages in the logging buffer.
● log-info—Set to informational messages. ● log-debug—Set to debug messages. Default Log-notice Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. To set the severity to the default level, use the no logging console severity command. The default severity level is log-notice.
● log-info — Set to informational messages. ● log-debug — Set to debug messages. Default Log-notice Command Mode CONFIGURATION Usage Information To reset the log-file severity to the default level, use the no logging log-file severity command. The default severity level is log-notice. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Parameters profile-name — Enter the name of the Syslog over TLS security profile created with the crypto security-profile profile-name command; a maximum of 32 characters. Default Not configured Command mode CONFIGURATION Usage information Use this command to specify the configured crypto security profile to use to send system messages to a remote server over TLS. TLS requires an X.509v3 certificate-key pair installed on the switch.
Supported Releases 10.5.0 or later show logging Displays system logging messages by log file, process-names, or summary. Syntax show logging {log-file [process-name | line-numbers] | process-names} Parameters ● process-name — (Optional) Enter the process-name to use as a filter in syslog messages. ● line-numbers — (Optional) Enter the number of lines to include in the logging messages, from 1 to 65535.
Usage Information Example Supported Releases The output from this command is the /var/log/syslog file. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. OS10# show trace May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.
Enter new UNIX password: enter a new password Retype new UNIX password: re-enter the new password Linux OS10 3.16.7-ckt20 #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2017-05-01) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Where can I find additional installation information for my specific device? See the Setup Guide shipped with your device or the platform-specific Installation Guide on the Dell EMC Support page at dell.com/support.
Use the show running-configuration command. How do I view summary information for the OSPF database? Use the show ip ospf database command. How do I view configuration of OSPF neighbors connected to the local router? Use the show ip ospf neighbor command. System management How can I view the current interface configuration? Use the show running-configuration command to view all currently configured interfaces.
● % Error: Not enough buffers are available, to enable pause for all pfc-cos values in the policymap for this interface ● % Warning: Not enough buffers are available, for lossy traffic. Expect lossy traffic drops, else reconfigure the pause buffers Monitoring How can I check if SupportAssist is enabled? Use the show support-assist status command to view current configuration information. How can I view a list of alarms? Use the show alarms details command to view a list of all system alarms.
28 Support resources The Dell EMC Support site provides a range of documents and tools to assist you with effectively using Dell EMC devices. Through the support site you can obtain technical information regarding Dell EMC products, access software upgrades and patches, download available management software, and manage your open cases. The Dell EMC support site provides integrated, secure access to these services. To access the Dell EMC Support site, go to www.dell.com/support/.