FTOS Configuration Guide for the S4820T System FTOS Version 9.2(0.0) and 9.2(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2013 Dell Inc.
Contents 1 About this Guide........................................................................................................................ 31 Audience.................................................................................................................................................................31 Conventions............................................................................................................................................................ 31 Related Documents.
Configuring Privilege Levels................................................................................................................................... 53 Creating a Custom Privilege Level....................................................................................................................53 Removing a Command from EXEC Mode..........................................................................................................53 Moving a Command from EXEC Privilege Mode to EXEC Mode.
Related Configuration Tasks............................................................................................................................ 72 Enabling Ethernet CFM........................................................................................................................................... 72 Creating a Maintenance Domain............................................................................................................................72 Creating a Maintenance Association...
Configuring a Standard IP ACL Filter..............................................................................................................102 Configure an Extended IP ACL..............................................................................................................................103 Configuring Filters with a Sequence Number................................................................................................ 103 Configuring Filters Without a Sequence Number................
Troubleshooting BFD......................................................................................................................................150 9 Border Gateway Protocol IPv4 (BGPv4)..............................................................................153 Autonomous Systems (AS)................................................................................................................................... 153 Sessions and Peers.........................................................
Configuring an IP Extended Community List.................................................................................................. 189 Filtering Routes with Community Lists........................................................................................................... 189 Manipulating the COMMUNITY Attribute...................................................................................................... 190 Changing MED Attributes.....................................................
CAM Optimization................................................................................................................................................. 226 Applications for CAM Profiling............................................................................................................................. 226 LAG HashingLAG Hashing Based on Bidirectional Flow................................................................................226 Troubleshoot CAM Profiling..........................
Configuring DCBx........................................................................................................................................... 255 Verifying the DCB Configuration...........................................................................................................................259 PFC and ETS Configuration Examples...................................................................................................................
Link Bundle Monitoring.........................................................................................................................................294 Managing ECMP Group Paths........................................................................................................................295 Creating an ECMP Group Bundle................................................................................................................... 295 Modifying the ECMP Group Threshold.................
Configuring and Adding the Member VLANs................................................................................................. 322 Setting the FRRP Timers.................................................................................................................................324 Clearing the FRRP Counters........................................................................................................................... 324 Viewing the FRRP Configuration...............................
IGMP Version 2...............................................................................................................................................345 IGMP Version 3...............................................................................................................................................347 Configure IGMP....................................................................................................................................................
Loopback Interfaces.............................................................................................................................................367 Null Interfaces...................................................................................................................................................... 368 Port Channel Interfaces........................................................................................................................................
Clearing Interface Counters........................................................................................................................... 390 22 Internet Protocol Security (IPSec)..................................................................................... 393 Configuring IPSec ................................................................................................................................................ 393 23 IPv4 Routing..............................................
Protocol Overview................................................................................................................................................ 411 Extended Address Space............................................................................................................................... 411 Stateless Autoconfiguration...........................................................................................................................411 IPv6 Headers..........................
Multi-Topology IS-IS.............................................................................................................................................438 Transition Mode............................................................................................................................................. 438 Interface Support........................................................................................................................................... 438 Adjacencies..............
Setting the Aging Time for Dynamic Entries.................................................................................................. 477 Configuring a Static MAC Address................................................................................................................ 478 Displaying the MAC Address Table............................................................................................................... 478 MAC Learning Limit....................................................
Relevant Management Objects............................................................................................................................ 508 30 Multicast Source Discovery Protocol (MSDP).................................................................515 Protocol Overview................................................................................................................................................ 515 Anycast RP.................................................................
Modifying Global Parameters............................................................................................................................... 546 Modifying the Interface Parameters.................................................................................................................... 547 Configuring an EdgePort.......................................................................................................................................
Enabling IPv6 Unicast Routing....................................................................................................................... 591 Assigning IPv6 Addresses on an Interface.................................................................................................... 592 Assigning Area ID on an Interface.................................................................................................................592 Assigning OSPFv3 Process ID and Router ID Globally..............
37 Private VLANs (PVLAN)........................................................................................................621 Private VLAN Concepts........................................................................................................................................ 621 Using the Private VLAN Commands......................................................................................................................622 Configuration Task List..........................................
Applying a WRED Profile to Traffic................................................................................................................ 656 Displaying Default and Configured WRED Profiles........................................................................................ 656 Displaying WRED Drop Statistics...................................................................................................................656 Pre-Calculating Available QoS CAM Space................................
AAA Accounting................................................................................................................................................... 689 Configuration Task List for AAA Accounting..................................................................................................689 AAA Authentication..............................................................................................................................................
Implementation Information........................................................................................................................... 730 Enabling Layer 2 Protocol Tunneling..............................................................................................................731 Specifying a Destination MAC Address for BPDUs....................................................................................... 731 Setting Rate-Limit BPDUs...............................................
Copying the Startup-Config Files to the Server via FTP................................................................................. 752 Copying the Startup-Config Files to the Server via TFTP............................................................................... 753 Copy a Binary File to the Startup-Configuration.............................................................................................753 Additional MIB Objects to View Copy Statistics...........................................
Remove Units or Front End Ports from a Stack.....................................................................................................783 Removing a Unit from an S-Series Stack....................................................................................................... 783 Removing Front End Port Stacking.................................................................................................................784 Troubleshoot an S-Series Stack......................................
Disabling NTP on an Interface....................................................................................................................... 810 Configuring a Source IP Address for NTP Packets........................................................................................810 Configuring NTP Authentication.................................................................................................................... 811 FTOS Time and Date...................................................
VLT on Core Switches.................................................................................................................................... 842 Enhanced VLT.................................................................................................................................................842 VLT Terminology...................................................................................................................................................
Offline Diagnostics................................................................................................................................................897 Important Points to Remember...................................................................................................................... 897 Running Offline Diagnostics........................................................................................................................... 897 Trace Logs.............................
About this Guide 1 This guide describes the protocols and features the Dell Networking operating system (FTOS) supports and provides configuration instructions and examples for implementing them. This guide supports the S4820T system platform. The S4820T platform is available with FTOS version 8.3.7.0 and beyond. S4820T stacking is supported with FTOS version 8.3.7.1 and beyond. Though this guide contains information on protocols, it is not intended to be a complete reference.
Configuration Fundamentals 2 The Dell Networking operating system (FTOS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for the Z9000, S4810, and S4820T except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time: • INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface.
CLI Command Mode Prompt Access Command Loopback Interface FTOS(conf-if-lo-0)# interface (INTERFACE modes) Management Ethernet Interface FTOS(conf-if-ma-0/0)# interface (INTERFACE modes) Null Interface FTOS(conf-if-nu-0)# interface (INTERFACE modes) Port-channel Interface FTOS(conf-if-po-0)# interface (INTERFACE modes) Tunnel Interface FTOS(conf-if-tu-0)# interface (INTERFACE modes) VLAN Interface FTOS(conf-if-vl-0)# interface (INTERFACE modes) STANDARD ACCESS-LIST FTOS(config-std-nacl)
CLI Command Mode Prompt Access Command ROUTER OSPFV3 FTOS(confipv6router_ospf)# ipv6 router ospf ROUTER RIP FTOS(conf-router_rip)# router rip SPANNING TREE FTOS(config-span)# protocol spanning-tree 0 TRACE-LIST FTOS(conf-trace-acl)# ip trace-list CLASS-MAP FTOS(config-class-map)# class-map CONTROL-PLANE FTOS(conf-controlcpuqos)# control-plane-cpuqos DCB POLICY FTOS(conf-dcb-in)# (for input policy) dcb-input for input policy dcb-output for output policy FTOS(conf-dcb-out)# (for output
CLI Command Mode Prompt Access Command VRRP FTOS(conf-if-interfacetype-slot/port-vrid-vrrpgroup-id)# vrrp-group u-Boot FTOS(=>)# Press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot: UPLINK STATE GROUP FTOS(conf-uplink-stategroup-groupID)# uplink-state-group The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
interface GigabitEthernet 4/17 no ip address no shutdown Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree. Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command: • To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Short-Cut Key Combination Action CNTL-A Moves the cursor to the beginning of the command line. CNTL-B Moves the cursor back one character. CNTL-D Deletes character at cursor. CNTL-E Moves the cursor to the end of the line. CNTL-F Moves the cursor forward one character. CNTL-I Completes a keyword. CNTL-K Deletes all characters from the cursor to the end of the command line. CNTL-L Re-enters the previous command.
• show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.” • show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.” The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show linecard all command.
• On the system that telnets into the switch, this message appears: % Warning: The following users are currently configuring the system: User "" on line console0 • On the system that is connected over the console, this message appears: % Warning: User "" on line vty0 "10.11.130.
Getting Started 3 This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the route processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking operating system (FTOS). Boot messages scroll up the terminal window during this process.
Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the S4810 console port to a terminal server. 2. Connect the other end of the cable to the DTE terminal server. 3.
• Create a host name. CONFIGURATION mode hostname name Example of the hostname Command FTOS(conf)#hostname R1 R1(conf)# Accessing the System Remotely You can configure the system to access it remotely by Telnet or SSH. • The S4820T has a dedicated management port and a management routing table that is separate from the IP routing table. • You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.
Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command. • Configure a management route to the network from which you are accessing the system. CONFIGURATION mode management route ip-address/mask gateway – ip-address: the network address in dotted-decimal format (A.B.
* 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system. * 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system. Configuration File Management Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.
Example of Copying a File to an FTP Server FTOS#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10/ /FTOS/FTOS-EF-8.2.1.0 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 27952672 bytes successfully copied Example of Importing a File to the Local System core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/ FTOS-EF-8.2.1.0.bin flash:// Destination file name [FTOS-EF-8.2.1.0.bin.
copy running-config startup-config duplicate FTOS Behavior: If you create a startup-configuration on an RPM and then move the RPM to another chassis, the startupconfiguration is stored as a backup file (with the extension .bak), and a new, empty startup-configuration file is created. To restore your original startup-configuration in this situation, overwrite the new startup-configuration with the original one using the copy startup-config.bak startup-config command.
12 -rw7276 13 -rw7341 14 -rw- 27674906 15 -rw- 27674906 --More-- Jul Jul Jul Jul 20 20 06 06 2007 2007 2007 2007 01:52:40 15:34:46 19:52:22 02:23:22 startup-config.bak startup-config boot-image boot-flash View Configuration Files Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
In the following example, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. The bold lines show that no file system is specified and that the file is saved to an external flash.
Management 4 Management is supported on the S4820T Dell Networking platform. This chapter describes the different protocols or services used to manage the Dell Networking system. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
Example of EXEC Privilege Commands FTOS(conf)#do show run priv ! privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface FTOS(conf)#do telnet 10.11.80.201 [telnet output omitted] FTOS#show priv Current privilege level is 3.
Applying a Privilege Level to a Username To set the user privilege level, use the following command. • Configure a privilege level for a user. CONFIGURATION mode username username privilege level Applying a Privilege Level to a Terminal Line To set a privilege level for a terminal line, use the following command. • Configure a privilege level for a user.
Configuration Task List for System Log Management There are two configuration tasks for system log management: • Disable System Logging • Send System Messages to a Syslog Server Disabling System Logging By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands. • Disable all logging except on the console.
Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands. • Specify the minimum severity level for logging to the logging buffer.
Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
– local7 (for local use) – lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system use) – sys10 (system use) – sys11 (system use) – sys12 (system use) – sys13 (system use) – sys14 (system use) – syslog (for syslog messages) – user (for user programs) – uucp (UNIX to UNIX copy protocol) To view nondefault settings, use the show running-config logging command in EXEC mode.
– level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages. – limit: the range is from 20 to 300. The default is 20. To view the logging synchronous configuration, use the show config command in LINE mode. Enabling Timestamp on Syslog Messages By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command. • Add timestamp to syslog messages.
Example of Viewing FTP Configuration FTOS#show running ftp ! ftp-server enable ftp-server username nairobi password 0 zanzibar FTOS# Configuring FTP Server Parameters After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands. • Specify the directory for users using FTP to reach the system. CONFIGURATION mode ftp-server topdir dir • The default is the internal flash directory.
• Configure a password. CONFIGURATION mode • ip ftp password password Enter a username to use on the FTP client. CONFIGURATION mode ip ftp username name To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server. Terminal Lines You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system.
Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, FTOS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are: enable Prompt for the enable password.
Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns FTOS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. • • Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0. LINE mode exec-timeout minutes [seconds] Return to the default time-out values.
FTOS>exit FTOS#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin FTOS# Lock CONFIGURATION Mode FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of lockst: auto and manual.
Recovering from a Forgotten Password on the S4820T System If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. Use the following commands if you forget your password. 1. Log onto the system using the console. 2. Power-cycle the chassis by switching off all of the power modules and then switching them back on. 3. Hit any key to abort the boot process.
(during bootup) hit any key NOTE: You must enter the CLI commands. The system rejects them if they are copied and pasted. 4. Set the system parameters to ignore the enable password when the system reloads. uBoot mode setenv enablepwdignore true 5. Reload the system. uBoot mode reset 6. Configure a new enable password. CONFIGURATION mode enable {secret | password} 7. Save the running-config to the startup-config.
802.1ag 5 802.1ag is available only on the S4820T platforms. Ethernet operations, administration, and maintenance (OAM) are a set of tools used to install, monitor, troubleshoot, and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas: • Service layer OAM — IEEE 802.1ag connectivity fault management (CFM) • Link layer OAM — IEEE 802.
Maintenance Domains Connectivity fault management (CFM) divides a network into hierarchical maintenance domains, as shown in the following illustration. A CFM maintenance domain is a management space on a network that a single management entity owns and operates. The network administrator assigns a unique maintenance level (from 0 to 7) to each domain to define the hierarchical relationship between domains.
Figure 3. Maintenance Points Maintenance End Points A maintenance end point (MEP) is a logical entity that marks the end point of a domain. There are two types of MEPs defined in 802.1ag for an 802.1 bridge: • Up-MEP — monitors the forwarding path internal to a bridge on the customer or provider edge. On Dell Networking systems, the internal forwarding path is effectively the switch fabric and forwarding engine. • Down-MEP — monitors the forwarding path external another bridge.
Implementation Information Because the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level). Configuring the CFM To configure the CFM, follow these steps: 1. Configure the ecfmacl CAM region using the cam-acl command. Refer toConfigure Ingress Layer 2 ACL SubPartitions. 2. Enable Ethernet CFM. 3. Create a Maintenance Domain. 4. Create a Maintenance Association. 5. Create Maintenance Points. 6. Use CFM tools: a.
show ethernet cfm domain [name | brief] Example of Viewing Configured Maintenance Domains FTOS# show ethernet cfm domain Domain Name: customer Level: 7 Total Service: 1 Services MA-Name VLAN CC-Int My_MA 200 10s X-CHK Status enabled Domain Name: praveen Level: 6 Total Service: 1 Services MA-Name VLAN CC-Int Your_MA 100 10s X-CHK Status enabled Creating a Maintenance Association A Maintenance association (MA) is a subdivision of an MD that contains all managed entities corresponding to a single end-to-en
Configure Up- MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure Down-MEPs on egress ports, ports that send traffic away from the bridge relay. 1. Create an MEP. INTERFACE mode ethernet cfm mep {up-mep | down-mep} domain {name | level } ma-name name mepid mep-id The range is from 1 to 8191. 2. Display configured MEPs and MIPs.
Displaying the MP Databases CFM maintains two MP databases: • MEP Database (MEP-DB): Every MEP must maintain a database of all other MEPs in the MA that have announced their presence via CCM. • MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM. To display the MEP and MIP databases, use the following commands. • Display the MEP Database.
• to detect unauthorized MEPs in a maintenance domain CCMs are multicast Ethernet frames sent at regular intervals from each MEP. They have a destination address based on the MD level (01:80:C2:00:00:3X where X is the MD level of the transmitting MEP from 0 to 7). All MEPs must listen to these multicast MAC addresses and process these messages. MIPs may optionally process the CCM messages the MEPs originate and construct a MIP CCM database.
Enabling Cross-Checking To enable cross-checking, use the following commands. 1. Enable cross-checking. ETHERNET CFM mode mep cross-check enable The default is Disabled. 2. Start the cross-check operation for an MEP ETHERNET CFM mode mep cross-check mep-id 3. Configure the amount of time the system waits for a remote MEP to come up before the cross-check operation is started.
Figure 5. MPLS Core Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast frame. The destination group address is based on the MD level of the transmitting MEP (01:80:C2:00:00:3[8 to F]). The MPs on the path to the target MAC address reply to the LTM with an LTR, and relays the LTM towards the target MAC until the target MAC is reached or TTL equals 0. • Send a Linktrace message.
The default is 100. The range is from 1 to 4095 entries. Display the Link Trace Cache. • EXEC Privilege mode • show ethernet cfm traceroute-cache Delete all Link Trace Cache entries.
• Enable SNMP trap messages for Ethernet CFM.
Received: 0 Rcvd Out Of Order: 0 Received Bad MSDU: 0 Transmitted: 0 Example of Viewing CFM Statistics by Port FTOS#show ethernet cfm port-statistics interface gigabitethernet 0/5 Port statistics for port: Gi 0/5 ================================== RX Statistics ============= Total CFM Pkts 75394 CCM Pkts 75394 LBM Pkts 0 LTM Pkts 0 LBR Pkts 0 LTR Pkts 0 Bad CFM Pkts 0 CFM Pkts Discarded 0 CFM Pkts forwarded 102417 TX Statistics ============= Total CFM Pkts 10303 CCM Pkts 0 LBM Pkts 0 LTM Pkts 3 LBR Pkts 0 L
802.1X 6 802.1X is supported on the S4820T platforms. 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 7. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
Figure 9. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X Enable 802.1X globally. Figure 10. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
Example of Verifying that 802.1X is Enabled Globally The bold lines show that 802.1X is enabled. FTOS#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface TenGigabitEthernet 2/1 no ip address dot1x authentication no shutdown ! FTOS# View 802.1X configuration information for an interface using the show dot1x interface command. Example of Verifying 802.1X is Enabled on an Interface The bold lines show that 802.1X is enabled on all ports unauthorized by default.
dot1x tx-period number The range is from 1 to 65535 (1 year) • The default is 30. Configure a maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode dot1x max-eap-req number The range is from 1 to 10. The default is 2. The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Re-Auth Interval: Max-EAP-Req: 10 Auth Type: Auth PAE State: Backend State: 3600 seconds SINGLE_HOST Initialize Initialize Forcibly Authorizing or Unauthorizing a Port IEEE 802.1X requires that a port can be manually placed into any of three states: • ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is same as disabling 802.1X on the port.
Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
• Terminate the authentication process due to an unresponsive supplicant. INTERFACE mode dot1x supplicant-timeout seconds The range is from 1 to 300. • The default is 30. Terminate the authentication process due to an unresponsive authentication server. INTERFACE mode dot1x server-timeout seconds The range is from 1 to 300. The default is 30.
The illustration shows the configuration on the Dell Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X. Figure 11. Dynamic VLAN Assignment 1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication). 2.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
FTOS(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 FTOS(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown FTOS(conf-if-Te-2/1)# View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode. Example of Viewing Configured Authentication 802.
Access Control Lists (ACLs) 7 This chapter describes access control lists (ACLs), prefix lists, and route-maps. • Access control lists (ACLs), Ingress IP and MAC ACLs , and Egress IP and MAC ACLs are supported on the S4820T platform. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
NOTE: Hot lock ACLs are supported for Ingress ACLs only. CAM Usage The following section describes CAM allocation and CAM optimization. • User Configurable CAM Allocation • CAM Optimization User Configurable CAM Allocation User configurable CAM allocations are supported on the S4820T platform. Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks.
If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable to the following features: • • • L2 Ingress Access list L2 Egress Access list L3 Egress Access list NOTE: IP ACLs are supported over VLANs in FTOS version 6.2.1.1 and higher. ACLs and VLANs There are some differences when assigning ACLs to a VLAN rather than a physical port.
FTOS(conf)#interface gig 1/0 FTOS(conf-if-gi-1/0)#service-policy input pmap IP Fragment Handling FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp). • Both standard and extended ACLs support IP fragments.
• If a packet's FO > 0, the packet is permitted. • If a packet's FO = 0, the next ACL entry is processed. Deny ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked. • If a packet's FO > 0, the packet is denied. • If a packet's FO = 0, the next ACL line is processed. In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted.
ip access-list standard access-listname 2. Configure a drop or forward filter. CONFIG-STD-NACL mode seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five. When you use the log keyword, the CP logs details about the packets that match.
{deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. The following example shows a standard IP ACL in which FTOS assigns the sequence numbers.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. FTOS assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
For the following features, if you enable counters on rules that have already been configured and a new rule is either inserted or prepended, all the existing counters are reset: • L2 ingress access list • L3 egress access list • L2 egress access list If a rule is simply appended, existing counters are not affected. Table 6. L2 and L3 Filtering on Switched Packets L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Deny L3 ACL denies. Deny Permit L3 ACL permits.
3. Apply an IP ACL to traffic entering or exiting an interface. INTERFACE mode ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range] NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. 4. Apply rules to the new ACL.
no shutdown FTOS(conf-if-gige0/0)#end FTOS#configure terminal FTOS(conf)#ip access-list extended abcd FTOS(config-ext-nacl)#permit tcp any any FTOS(config-ext-nacl)#deny icmp any any FTOS(config-ext-nacl)#permit 1.1.1.2 FTOS(config-ext-nacl)#end FTOS#show ip accounting access-list ! Extended Ingress IP access list abcd on gigethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are supported on the S4820T platform.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
• A prefix list without any permit or deny filters allows all routes. • An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list. • After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
! ip prefix-list juba seq 12 deny 134.23.0.0/16 seq 15 deny 120.0.0.0/8 le 16 seq 20 permit 0.0.0.0/0 le 32 FTOS(conf-nprefixl)# NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Example of the show ip prefix-list detail Command FTOS>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.0/24 (hit count: 0) seq 6 deny 200.200.1.0/24 (hit count: 0) seq 7 deny 200.
Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. • Enter OSPF mode. CONFIGURATION mode • router ospf Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF mode • distribute-list prefix-list-name in [interface] Apply a configured prefix list to incoming routes.
Rules Resquencing Rules After Resequencing: seq 5 permit any host 1.1.1.1 seq 10 permit any host 1.1.1.2 seq 15 permit any host 1.1.1.3 seq 20 permit any host 1.1.1.4 Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
they have the same number before and after the command is entered. Remark 4 is incremented as a rule, and all rules have retained their original positions. Example of Resequencing ACLs When Remarks and Rules Have Different Numbers FTOS(config-ext-nacl)# show config ! ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.
• When a match is found, the packet is forwarded and no more route-map sequences are processed. – If a continue clause is included in the route-map sequence, the next or a specified route-map sequence is processed after a match is found. Configuration Task List for Route Maps Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
level stub-area FTOS# To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax. Example of Deleting Instances of a Route Map FTOS(conf)#no route-map zakho 10 FTOS(conf)#end FTOS#show route-map route-map zakho, permit, sequence 20 Match clauses: interface GigabitEthernet 0/1 Set clauses: tag 35 level stub-area FTOS# The following example shows a route map with multiple instances.
Example of the match Command to Match All Specified Values FTOS(conf)#route-map force permit 10 FTOS(config-route-map)#match tag 1000 FTOS(config-route-map)#match metric 2000 In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and 30 deny the route having a tag value of 1000. In this scenario, FTOS scans all the instances of the route-map for any permit statement. If there is a match anywhere, the route is permitted.
• CONFIG-ROUTE-MAP mode match ip next-hop {access-list-name | prefix-list prefix-list-name} Match next-hop routes specified in a prefix list (IPv6). • CONFIG-ROUTE-MAP mode match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv4). • CONFIG-ROUTE-MAP mode match ip route-source {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv6).
• set metric {+ | - | metric-value} Specify an OSPF or ISIS type for redistributed routes. • CONFIG-ROUTE-MAP mode set metric-type {external | internal | type-1 | type-2} Assign an IP address as the route’s next hop. • CONFIG-ROUTE-MAP mode set next-hop ip-address Assign an IPv6 address as the route’s next hop. • CONFIG-ROUTE-MAP mode set ipv6 next-hop ip-address Assign an ORIGIN attribute. • CONFIG-ROUTE-MAP mode set origin {egp | igp | incomplete} Specify a tag for the redistributed routes.
match metric 255 set level backbone Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
Bidirectional Forwarding Detection (BFD) 8 Bidirectional forwarding detection (BFD) is supported only on the S4820T platform. BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 12. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description NOTE: FTOS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear. Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session.
Asynchronous mode In Asynchronous mode, both systems send periodic control messages at an agreed upon interval to indicate that their session status is Up.’ Demand mode If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time. NOTE: FTOS supports Asynchronous mode only.
Figure 13.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 14.
Configure BFD This section contains the following procedures. • Configuring BFD for Physical Ports • Configure BFD for Static Routes • Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness • Troubleshooting BFD Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only.
bfd enable R1(conf)# Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 15. Establishing a BFD Session on Physical Ports 1. Enter interface mode. CONFIGURATION mode interface 2. Assign an IP address to the interface if one is not already assigned. INTERFACE mode ip address ip-address 3.
Remote Addr: 2.2.2.
Disabling and Re-Enabling BFD BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If you disable BFD, all of the sessions on that interface are placed in an Administratively Down state ( the first message example), and the remote systems are notified of the session state change (the second message example). To disable and re-enable BFD on an interface, use the following commands. • Disable BFD on an interface.
Establishing Sessions for Static Routes Sessions are established for all neighbors that are the next hop of a static route. Figure 16. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route. CONFIGURATION mode ip route bfd To verify that sessions have been created for static routes, use the show bfd neighbors command.
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information. Disabling BFD for Static Routes If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 17. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
Example of Verifying Sessions with OSPF Neighbors The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.2.2 2.2.2.1 Gi 2/1 Up 100 100 3 O * 2.2.3.1 2.2.3.
Configure BFD for OSPFv3 BFD for OSPFv3 is only supported on the S4820T platform. BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Related Configuration Tasks • Changing OSPFv3 Session Parameters • Disabling BFD for OSPFv3 Changing OSPFv3 Session Parameters Configure BFD sessions with default intervals and a default role.
Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands. • Establish sessions with all OSPFv3 neighbors. ROUTER-OSPFv3 mode bfd all-neighbors Establish sessions with OSPFv3 neighbors on a single interface.
Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 18. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors. • ROUTER-ISIS mode bfd all-neighbors Establish sessions with IS-IS neighbors on a single interface.
* Ad Dn C I - ISIS O R - Active session role Admin Down CLI OSPF Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Gi 2/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1. Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4). 2. Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in BGP Fast Fall-Over. Establishing Sessions with BGP Neighbors Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (COPP) framework to avoid BFD packets drops due to queue congestion. BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP.
The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs. • Disable a BFD for BGP session with a specified neighbor. ROUTER BGP mode • neighbor {ip-address | peer-group-name} bfd disable Remove the disabled state of a BFD for BGP session with a specified neighbor.
Example of Verifying BGP Configuration R2# show running-config bgp ! router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors Example of Viewing All BFD Neighbors R2# show bfd neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF R - Static Route (RTM) M - MPLS V - VRRP LocalAddr * 1.1.1.3 * 2.2.2.3 * 3.3.3.3 RemoteAddr 1.1.1.
Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
Example of Viewing BFD Summary Information The bold line shows the message displayed when you enable BFD for BGP connections. R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.2 2.2.2.2 3.3.3.
Foreign host: 2.2.2.2, Foreign port: 179 E1200i_ExaScale# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ... R2# show ip bgp neighbors 2.2.2.4 BGP neighbor is 2.2.2.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 20. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
* - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.5.1 2.2.5.2 Gi 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. Example of Viewing VRRP Session State Information The bold line shows the VRRP BFD session. R1(conf-if-gi-4/25)#do show vrrp -----------------GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1 State: Backup, Priority: 1, Master: 2.2.5.
• Disable all VRRP sessions on an interface. • INTERFACE mode no vrrp bfd all-neighbors Disable all VRRP sessions in a VRRP group. • VRRP mode bfd disable Disable a particular VRRP session on an interface. INTERFACE mode no vrrp bfd neighbor ip-address Configuring Protocol Liveness Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down.
The following example displays hexadecimal output from the debug bfd packet command. Example of Output from the debug bfd packet Command RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24 TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Received packet for session with neighbor 2.2.2.
Border Gateway Protocol IPv4 (BGPv4) 9 Border gateway protocol IPv4 (BGPv4) version 4 (BGPv4) is supported on the S4820T platform. This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system (FTOS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS).
Figure 21. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 22. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Because BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision. • If a route was received from a nonclient peer, reflect the route to all client peers. • If the route was received from a client peer, reflect the route to all nonclient and all client peers.
• Origin • AS Path • Next Hop Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
Figure 24. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command. 4.
7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths. 8. Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains. 9. FTOS deems the paths as equal and does not perform steps 9 through 11, if the following criteria is met: a. the IBGP multipath or EBGP multipath are configured (the maximum-path command). b.
Figure 25. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 26. Multi-Exit Discriminators NOTE: With FTOS version 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP with FTOS The following sections describe how to implement BGP on FTOS. Additional Path (Add-Path) Support BGP add-path is supported on the S4820T platform. The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID for Some Best-Path Calculations FTOS version 8.3.1.0 and later allows you to avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers FTOS version 7.7.1 and later supports 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the decimal format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10. Dynamic AS Number Notation Application FTOS version 8.3.1.0 applies the ASN notation type change dynamically to the running-config statements.
Figure 27. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances FTOS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public. • An SNMP walk may terminate pre-maturely if the index does not increment lexicographically. Dell Networking recommends using options to ignore such errors. • Multiple BPG process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer.
Item Default Graceful Restart feature Disabled Local preference 100 MED 0 Route Flap Damping Parameters half-life = 15 minutes reuse = 750 suppress = 2000 max-suppress-time = 60 minutes Distance external distance = 20 internal distance = 200 local distance = 200 Timers keepalive = 60 seconds holdtime = 180 seconds Add-path Disabled Enabling BGP By default, BGP is not enabled on the system. FTOS supports one autonomous system (AS) and assigns the AS number (ASN).
NOTE: Use it only if you support 4-Byte AS numbers or if you support AS4 number representation. If you are supporting 4-Byte ASNs, enable this command. Disable 4-Byte support and return to the default 2-Byte format by using the no bgp four-octet-assupport command. You cannot disable 4-Byte support if you currently have a 4-Byte ASN configured. Disabling 4-Byte AS numbers also disables ASDOT and ASDOT+ number representation. All AS numbers are displayed in ASPLAIN format.
BGP table version is 1, main routing table version 1 1 network entrie(s) using 132 bytes of memory 1 paths using 72 bytes of memory BGP-RIB over all using 73 bytes of memory 1 BGP path attribute entrie(s) using 72 bytes of memory 1 BGP AS-PATH entrie(s) using 47 bytes of memory 5 neighbor(s) using 23520 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 10.10.21.1 10.10.32.3 100.10.92.9 192.168.10.1 192.168.12.
Last read 17:12:40, hold time is 180, keepalive interval is 60 seconds Received 0 messages, 0 notifications, 0 in queue Sent 0 messages, 0 notifications, 0 in queue Received 0 updates, Sent 0 updates Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP table version 0, neighbor version 0 0 accepted prefixes consume 0 bytes Prefix advertised 0, rejected 0, withdrawn 0 Connections established 0; dropped 0 Last reset never No active TCP connection FTOS# Example of Verifying
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If you do not implement 4-Byte AS numbers, only ASPLAIN representation is supported. Only one form of AS number representation is supported at a time. You cannot combine the types of representations within an AS. To configure AS4 number representations, use the following commands. • Enable ASPLAIN AS Number representation.
neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.250 no shutdown 5332332 9911991 65057 18508 12182 7018 46164 i Configuring Peer Groups To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share same update policy.
After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group. When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
When you disable a peer group, all the peers within the peer group that are in the ESTABLISHED state move to the IDLE state. To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege mode, as shown in the following example.
• Enable BGP Fast Fail-Over. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} fail-over To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast fail-over is disabled by default, it appears only if it has been enabled (shown in bold). Example of Verifying that Fast Fail-Over is Enabled on a BGP Neighbor FTOS#sh ip bgp neighbors BGP neighbor is 100.100.100.
fail-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* FTOS# router bgp neighbor neighbor neighbor neighbor neighbor neighbor neighbor FTOS# 65517 test peer-group test fail-over test no shutdown 100.100.100.100 remote-as 65517 100.100.100.100 fail-over 100.100.100.100 update-source Loopback 0 100.100.100.
Maintaining Existing AS Numbers During an AS Migration The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration. When you complete your migration, be sure to reconfigure your routers with the new information and disable this feature. • Allow external routes from this neighbor. CONFIG-ROUTERBGP mode neighbor {IP address | peer-group-name local-as as number [no prepend] – Peer Group Name: 16 characters.
• Allow this neighbor ID to use the AS path the specified number of times. CONFIG-ROUTER-BGP mode neighbor {IP address | peer-group-name} allowas-in number – Peer Group Name: 16 characters. – Number: 1 through 10. Format: IP Address: A.B.C.D. You must Configure Peer Groups before assigning it to an AS. The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allows–in 9).
• Deletes all routes from the peer if forwarding state information is not saved. • Speeds convergence by advertising a special update packet known as an end-of-RIB marker. This marker indicates the peer has been updated with all routes in the local RIB.
• Local router supports graceful restart for this neighbor or peer-group as a receiver only. CONFIG-ROUTER-BGP mode • neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only] Set the maximum time to retain the restarting neighbor’s or peer-group’s stale paths. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds] The default is 360 seconds.
0x4014154 0x4013914 0x5166d6c 0x5e62df4 0x3a1814c 0x567ea9c 0x6cc1294 0x6cc18d4 0x5982e44 0x67d4a14 0x559972c 0x59cd3b4 0x7128114 0x536a914 0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 2 26 75 2 1 162 2 31 2 10 3 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 701 701 209 701 209 209 209 701 209 701 209 209 209
As seen in the following example, the expressions are displayed when using the show commands. To view the ASPATH ACL configuration, use the show config command in CONFIGURATION AS-PATH ACL mode and the show ip as-path-access-list command in EXEC Privilege mode. For more information about this command and route filtering, refer to Filtering BGP Routes. The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2.
redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name] Configure the following parameters: • – level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2. – metric value: The value is from 0 to 16777215. The default is 0. – map-name: name of a configured route map. Include specific OSPF routes in IS-IS.
IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET community. In the RFC, the other communities are defined as follows: • All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
deny 14551:666 FTOS# Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create a extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list. CONFIG-ROUTE-MAP mode match {community community-list-name [exact] | extcommunity extcommunitylist-name [exact]} 3. Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.
3. – community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system. – local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED and are not sent to EBGP peers. – no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE and are not advertised. – no-export: routes with the COMMUNITY attribute of NO_EXPORT. – none: remove the COMMUNITY attribute. – additive: add the communities to already existing communities.
Changing MED Attributes By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands. • Enable MED comparison in the paths from neighbors with different ASs. CONFIG-ROUTER-BGP mode bgp always-compare-med • By default, this comparison is not performed. Change the bestpath MED selection.
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. Changing the NEXT_HOP Attribute You can change how the NEXT_HOP attribute is used.
The show ip bgp network command includes multipath information for that network. • Enable multiple parallel paths. CONFIG-ROUTER-BGP mode maximum-paths {ebgp | ibgp} number Filtering BGP Routes Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs or IP community lists (using a route map) to control which routes the BGP neighbor or peer group accepts and advertises.
5. Filter routes based on the criteria in the configured prefix list. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out} Configure the following parameters: – ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. – prefix-list-name: enter the name of a configured prefix list. – in: apply the prefix list to inbound routes. – out: apply the prefix list to outbound routes.
– in: apply the route map to inbound routes. – out: apply the route map to outbound routes. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. Filtering BGP Routes Using AS-PATH Information To filter routes based on AS-PATH information, use these commands. 1. Create a AS-PATH ACL and assign it a name. CONFIGURATION mode ip as-path access-list as-path-name 2.
bgp cluster-id cluster-id • You can have multiple clusters in an AS. Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-reflector-client When you enable a route reflector, FTOS automatically enables route reflection to all clients.
• Specifies the confederation ID. CONFIG-ROUTER-BGP mode bgp confederation identifier as-number • – as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). Specifies which confederation sub-AS are peers. CONFIG-ROUTER-BGP mode bgp confederation peers as-number [... as-number] – as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
– half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed).
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
• Configure timer values for a BGP neighbor or peer group. CONFIG-ROUTER-BGP mode neighbors {ip-address | peer-group-name} timers keepalive holdtime – keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds. – • holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
• – neighbor-address: Clears the neighbor with this IP address. – AS Numbers: Peers’ AS numbers to be cleared. – ipv4: Clears information for the IPv4 address family. – peer-group-name: Clears all members of the specified peer group. Enable soft-reconfiguration for the BGP neighbor specified. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} soft-reconfiguration inbound BGP stores all the updates received by the neighbor but does not reset the peer-session.
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. MBGP for IPv4 multicast is supported on the S4820T platform. FTOS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group.
• View information about BGP route being dampened. • EXEC Privilege mode debug ip bgp dampening [in | out] View information about local BGP state changes and other BGP events. • EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] events [in | out] View information about BGP KEEPALIVE messages. • EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out] View information about BGP notifications received from or sent to neighbors.
43 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) For address family: IPv4 Unicast BGP table version 1395, neighbor version 1394 Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by p
Example of the show capture bgp-pdu neighbor Command FTOS#show capture bgp-pdu neighbor 20.20.20.2 Incoming packet capture enabled for BGP neighbor 20.20.20.
Sample Configurations The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. The following illustration shows the configurations described on the following examples.
R1(conf-if-gi-1/21)#no shutdown R1(conf-if-gi-1/21)#show config ! interface GigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-gi-1/21)#int gig 1/31 R1(conf-if-gi-1/31)#ip address 10.0.3.31/24 R1(conf-if-gi-1/31)#no shutdown R1(conf-if-gi-1/31)#show config ! interface GigabitEthernet 1/31 ip address 10.0.3.31/24 no shutdown R1(conf-if-gi-1/31)#router bgp 99 R1(conf-router_bgp)#network 192.168.128.0/24 R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R1(conf-router_bgp)#neighbor 192.168.
interface GigabitEthernet 2/11 ip address 10.0.1.22/24 no shutdown R2(conf-if-gi-2/11)#int gig 2/31 R2(conf-if-gi-2/31)#ip address 10.0.2.2/24 R2(conf-if-gi-2/31)#no shutdown R2(conf-if-gi-2/31)#show config ! interface GigabitEthernet 2/31 ip address 10.0.2.2/24 no shutdown R2(conf-if-gi-2/31)# R2(conf-if-gi-2/31)#router bgp 99 R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R2(conf-router_bgp)#neighbor 192.168.128.1 no shut R2(conf-router_bgp)#neighbor 192.
R3(conf-if-gi-3/11)#show config ! interface GigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int gig 3/21 R3(conf-if-gi-3/21)#ip address 10.0.2.3/24 R3(conf-if-gi-3/21)#no shutdown R3(conf-if-gi-3/21)#show config ! interface GigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-gi-3/21)# R3(conf-if-gi-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.
! router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 peer-group AAA neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 peer-group BBB neighbor 192.168.128.3 update-source Loopback 0 neighbor 192.168.128.3 no shutdown R1# R1#show ip bgp summary BGP router identifier 192.168.
Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.1, Local port: 179 Foreign host: 192.168.128.2, Foreign port: 65464 BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
neighbor 192.168.128.3 no shutdown R2(conf-router_bgp)#end R2# R2#show ip bgp summary BGP router identifier 192.168.128.
R3#show ip bgp neighbor BGP neighbor is 192.168.128.1, remote AS 99, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
Content Addressable Memory (CAM) 10 Content addressable memory (CAM) is supported on the S4820T platform. CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On Dell Networking systems, there are one or two CAM (Dual-CAM) modules per port-pipe depending on the type of line card.
CAM Profile Description Available Microcodes: default. unified-default Maintains the CAM allocations for the IPv4 FIB while allocating more CAM space for the Ingress and Egress Layer 2 ACL and IPv4 ACL regions. Available Microcodes: ipv6-extacl. ipv4-64k-ipv6 Provides IPv6 functionality; an alternate to ipv6-extacl that redistributes CAM space from the IPv4FIB to IPv4Flow and IPv6FIB. Available Microcodes: ipv6-extacl. The size of CAM partitions is measured in entries.
NOTE: Not all CAM profiles and microcodes are available for all systems. For details regarding available profiles for each system, refer to the Command Line Interface Reference Guide. Microcode Description default Distributes CAM space for a typical deployment. lag-hash-align For applications that require the same hashing for bi-directional traffic (for example, VoIP call or P2P file sharing). For port-channels, this microcode maps both directions of a bi-directional flow to the same output link.
selected, non-EJ cards will be in problem state after reload # After reload: 00:04:46: %RPM0-P:CP %CHMGR-3-PROFILE_MISMATCH: Mismatch: line card 1 has mismatch CAM profile or microcode Example 1: EF Line Card with EG Chassis Profile (Card Problem) R1#show linecard 1 brief -- Line card 1 -Status : card problem - mismatch cam profile Next Boot : online Required Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF) Current Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 i
Important Points to Remember • All line cards within a single system must have the same CAM profile; this profile must match the system CAM profile (the profile on the primary RPM). – • FTOS automatically reconfigures the CAM profile on line cards and the secondary RPM to match the system CAM profile by saving the correct profile on the card and then rebooting it. The CAM configuration is applied to entire system when you use the CONFIGURATION mode commands.
NOTE: There are 16 FP blocks, but the system flow requires three blocks that cannot be reallocated. The following table lists the default CAM allocation settings. Table 11.
3. Verify that the new settings will be written to the CAM on the next boot. EXEC Privilege mode show cam-acl 4. Reload the system. EXEC Privilege mode reload Test CAM Usage The test cam-usage command is supported on the S4820T platform. This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
Flow : 0 entries EgACL : 0 entries MicroCode Name : Default --More-- : 0 entries : 0 entries : Default To view brief output of the show cam-profile command, use the summary option. The show running-config cam-profile command shows the current profile and microcode. NOTE: If you select the CAM profile from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
Example of Viewing CAM-ACL Settings (S4820T) FTOS#show cam-acl -- Chassis Cam ACL -Current Settings(in block sizes) L2Acl : 4 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAcl : 2 -- Stack unit 0 -Current Settings(in block sizes) L2Acl : 4 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAcl : 2 FTOS# View CAM Usage View the amount of CAM space ava
| | | --More-- | IN-L3 ACL | IN-L3 FIB | IN-L3-SysFlow | | | 12288 | 262141 | 2878 | 2 | 12286 14 | 262127 44 | 2834 Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or CONFIGURATION mode, as shown in the following example.
• If the packet has more than five MPLS labels, hashing is based on the source and destination MAC address. To enable this type of hashing, use the default CAM profile with the microcode lag-hash-mpls. LAG Hashing Based on Bidirectional Flow To hash LAG packets such that both directions of a bidirectional flow (for example, VoIP or P2P file sharing) are mapped to the same output link in the LAG bundle, use the default CAM profile with the microcode lag-hash-align.
Control Plane Policing (CoPP) 11 Control plane policing (CoPP) is supported on the S4820T platform. Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 30. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing The S4820T can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
CoPP policies are assigned on a per-protocol or a per-queue basis, and are assigned in CONTROL-PLANE mode to each port-pipe. CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies. Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP.
FTOS(conf)#ip access-list extended bgp cpu-qos FTOS(conf-ip-acl-cpuqos)#permit bgp FTOS(conf-ip-acl-cpuqos)#exit FTOS(conf)#mac access-list extended lacp cpu-qos FTOS(conf-mac-acl-cpuqos)#permit lacp FTOS(conf-mac-acl-cpuqos)#exit FTOS(conf)#ipv6 access-list ipv6-icmp cpu-qos FTOS(conf-ipv6-acl-cpuqos)#permit icmp FTOS(conf-ipv6-acl-cpuqos)#exit FTOS(conf)#ipv6 access-list ipv6-vrrp cpu-qos FTOS(conf-ipv6-acl-cpuqos)#permit vrrp FTOS(conf-ipv6-acl-cpuqos)#exit Example of Creating the QoS Input Policy FTOS(c
Configuring CoPP for CPU Queues Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies. CoPP for CPU queues converts the input rate from kbps to pps, assuming 64 bytes is the average packet size, and applies that rate to the corresponding queue. Consequently, 1 kbps is roughly equivalent to 2 pps. The basics for creating a CoPP service policy is to create QoS policies for the desired CPU bound queue and associate it with a particular rate-limit.
-------------Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7 FTOS# ----------1300 300 300 300 2000 400 400 1100 To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
Data Center Bridging (DCB) 12 Data center bridging (DCB) is supported on the S4820T platform. NOTE: DCB is not supported when you use 10GBaseT ports for stacking. Ethernet Enhancements in Data Center Bridging The following section describes DCB. In the Dell Networking operating system (FTOS) version 8.3.12.0, the S4820T system supports loading two DCB_Config files: FCoE_DCB_Config and iSCSI_DCB_Config. These files are located in the root directory flash:/CONFIG_TEMPLATE.
InterProcess Communication (IPC) traffic InterProcess Communication (IPC) traffic within high-performance computing clusters to share information. Server traffic is extremely sensitive to latency requirements. To ensure lossless delivery and latency-sensitive scheduling of storage and service traffic and I/O convergence of LAN, storage, and server traffic over a unified fabric, IEEE data center bridging adds the following extensions to a classical Ethernet network: • 802.
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only two lossless queues are supported on an interface: one for Fibre Channel over Ethernet (FCoE) converged traffic and one for Internet Small Computer System Interface (iSCSI) storage traffic. Configure the same lossless queues on all ports.
Table 13. ETS Traffic Groupings Traffic Groupings Description Priority group A group of 802.1p priorities used for bandwidth allocation and queue scheduling. All 802.1p priority traffic in a group must have the same traffic handling requirements for latency and frame loss. Group ID A 4-bit identifier assigned to each priority group. The range is from 0 to 7. Group bandwidth Percentage of available bandwidth allocated to a priority group.
• Discovery of DCB capabilities on peer-device connections. • Determination of possible mismatch in DCB configuration on a peer link. • Configuration of a peer device over a DCB link. DCBx requires the link layer discovery protocol (LLDP) to provide the path to exchange DCB parameters with peer devices. Exchanged parameters are sent in organizationally specific TLVs in LLDP data units. For more information, refer to Link Layer Discovery Protocol (LLDP).
For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table. To enable DCB, enable either the iSCSI optimization configuration or the FCoE configuration. For information to configure iSCSI optimization, refer to Enable and Disable iSCSI Optimization. For information to configure FCoE, refer to Step 1 in Configuring FIP Snooping.
dot1p Value in the Incoming Frame Egress Queue Assignment 4 2 5 3 6 3 7 3 Configuring Priority-Based Flow Control PFC provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB. As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (Class of Service (CoS) values) without impacting other priority classes.
pfc mode on The default is PFC mode is on. 5. (Optional) Enter a text description of the input policy. DCB INPUT POLICY mode description text The maximum is 80 characters. 6. Exit DCB input policy configuration mode. DCB INPUT POLICY mode exit 7. Enter interface configuration mode. CONFIGURATION mode interface type slot/port 8. Apply the input policy with the PFC configuration to an ingress interface. INTERFACE mode dcb-policy input policy-name 9.
• In a switch stack, configure all stacked ports with the same PFC configuration. A DCB input policy for PFC applied to an interface may become invalid if you reconfigure dot1p-queue mapping (refer to the Create Input Policy Maps section in the Quality of Service (QoS) chapter). This situation occurs when the new dot1pqueue assignment exceeds the maximum number (2) of lossless queues supported globally on the switch.
You can configure the size of the PFC buffer for all switches in a stack or all port pipes on a specified stack unit by entering the following commands on the master switch. • Configure the PFC buffer for all switches in the stack. CONFIGURATION mode [no] dcb stack-unit all pfc-buffering pfc-port {1-64} pfc-queues {1-2} By default, the PFC buffer is enabled on all ports on the stack unit.
• When allocating bandwidth or configuring a queue scheduler for dot1p priorities in a priority group on a DCBx CIN interface, take into account the CIN bandwidth allocation (refer to Configuring Bandwidth Allocation for DCBx CIN) and dot1p-queue mapping (QoS dot1p Traffic Classification and Queue Assignment).
The configuration of bandwidth allocation and strict-queue scheduling is not supported at the same time for a priority group. If both are configured, the configured bandwidth allocation is ignored for priority-group traffic when you apply the output policy on an interface (refer to Applying an ETS Output Policy for a Priority Group to an Interface). Bandwidth assignment in a dot.1p priority-queue: By default, equal bandwidth is assigned to each port queue and each dot1p priority in a priority group.
5. Repeat Steps 1 to 4 to configure all remaining dot1p priorities in an ETS priority group. FTOS Behavior: A priority group consists of 802.1p priority values that are grouped for similar bandwidth allocation and scheduling, and that share latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group. Configure all 802.
FTOS Behavior: Create a DCB output policy to associate a priority group with an ETS output policy with scheduling and bandwidth configuration. You can apply a DCB output policy on multiple egress ports. The ETS configuration associated with 802.1p priority traffic in a DCB output policy is used in DCBx negotiation with ETS peers. When you apply an ETS output policy to an interface, ETS-configured scheduling and bandwidth allocation take precedence over any configured settings in the QoS output policies.
Configuring Bandwidth Allocation for DCBx CIN After you apply an ETS output policy to an interface, if the DCBx version used in your data center network is CIN, you may need to configure a QoS output policy to overwrite the default CIN bandwidth allocation. This default setting divides the bandwidth allocated to each port queue equally between the dot1p priority traffic assigned to the queue. For more information, refer to Allocating Bandwidth to Queue.
A dcb-policy input stack-unit all command overwrites any previous dcb-policy input stackunit stack-unit-id configurations. Similarly, a dcb-policy input stack-unit stack-unit-id command overwrites any previous dcb-policy input stack-unit all configuration. Entering the no dcb-policy input stack-unit all command removes all DCB input policies applied to stacked ports and resets PFC to its default settings.
• Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch. Mis-configuration detection is feature-specific because some DCB features support asymmetric configuration. • Reconfigures a peer device with the DCB configuration from its configuration source if the peer device is willing to accept configuration.
Configuration source The port is configured to serve as a source of configuration information on the switch. Peer DCB configurations received on the port are propagated to other DCBx auto-configured ports. If the peer configuration is compatible with a port configuration, DCBx is enabled on the port. On a configuration-source port, the link with a DCBx peer is enabled when the port receives a DCB configuration that can be internally propagated to other auto-configured ports.
compatible. For example, PFC uses an symmetric exchange of parameters between DCBx peers. Configuration Source Election When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch. • If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, the DCBx marks the port as DCBx-enabled.
• The switch reboots. • The link is reset (goes down and up). • User-configured CLI commands require the version negotiation to restart. • The peer times out. • Multiple peers are detected on the link. If you configure a DCBx port to operate with a specific version (the DCBx version {cee | cin | ieeev2.5} command in the Configuring DCBx), DCBx operations are performed according to the configured version, including fast and slow transmit timers and message formats.
DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
– config-source: configures the port to serve as the configuration source on the switch. – manual: configures the port to operate only on administer-configured DCB parameters. The port does not accept a DCB configuration received from a peer or a local configuration source. The default is Manual. 5. On manual ports only: Configure the PFC and ETS TLVs advertised to DCBx peers.
– auto: configures all ports to operate using the DCBx version received from a peer. – cee: configures a port to use CEE (Intel 1.01). cin configures a port to use Cisco-Intel-Nuova (DCBx 1.0). – ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5). The default is Auto. NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3). 4.
DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs. LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface. DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 14. Displaying DCB Configurations Command Output show dot1p-queue mapping Displays the current 802.1p priority-queue mapping. show dcb [stack-unit unit-number] Displays the data center bridging status, number of PFCenabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. The range is from 0 to 5.
Example of the show qos dcb-input Command FTOS(conf)# show qos dcb-input dcb-input pfc-profile pfc link-delay 32 pfc priority 0-1 dcb-input pfc-profile1 no pfc mode on pfc priority 6-7 Example of the show qos dcb-output Command FTOS# show qos dcb-output dcb-output ets priority-group san qos-policy san priority-group ipc qos-policy ipc priority-group lan qos-policy lan Example of the show qos priority-groups Command FTOS#show qos priority-groups priority-group ipc priority-list 4 set-pgid 2 Example of the sh
Local FCOE PriorityMap is 0x8 Local ISCSI PriorityMap is 0x10 Remote FCOE PriorityMap is 0x8 Remote ISCSI PriorityMap is 0x8 0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts The following table describes the show interface pfc summary command fields. Table 15. show interface pfc summary Command Description Fields Description Interface Interface type with stack-unit and port number.
Fields Description Application Priority TLV: FCOE TLV Tx Status Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: ISCSI TLV Tx Status Status of ISCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: Local FCOE Priority Map Priority bitmap used by local DCBx port in FCoE advertisements in application priority TLVs.
3 4 5 6 7 4,5,6,7 0 % - SP - Remote Parameters : ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 1 0,1,2 100% ETS 2 3 0 % SP 3 4,5,6,7 0 % SP 4 5 6 7 Oper status is init ETS DCBx Oper status is Down State Machine Type is Asymmetric Conf TLV Tx Status is enabled Reco TLV Tx Status is enabled 0 Input Conf TLV Pkts, 1955 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 0 Input Reco TLV Pkts,
Local is enabled TC-grp Priority# Bandwidth TSA 0 0,1,2,3,4,5,6,7 100% ETS 1 0% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Priority# Bandwidth TSA 0 13% ETS 1 13% ETS 2 13% ETS 3 13% ETS 4 12% ETS 5 12% ETS 6 12% ETS 7 12% ETS Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 0T LIVnput Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class Pkts Example of the
0 1 2 3 4 5 6 7 0,1,2,3,4,5,6,7 100% 0% 0% 0% 0% 0% 0% 0% Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV 0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts ETS ETS ETS ETS ETS ETS ETS ETS TSA ETS ETS ETS ETS ETS ETS ETS ETS Pkts, 0 Error Conf TLV Pkts Traffic Class TLV Pkts, 0 Error The following table describes the show interface ets det
Field Description • • Recommend: Remote ETS configuration parameters were received from peer. Internally propagated: ETS configuration parameters were received from configuration source. ETS DCBx Oper status Operational status of ETS configuration on local port: match or mismatch.
4 5 6 7 8 - - Stack unit 1 stack port all Max Supported TC Groups is 4 Number of Traffic Classes is 1 Admin mode is on Admin Parameters: -------------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3,4,5,6,7 100% ETS 1 2 3 4 5 6 7 8 Example of the show interface DCBx detail Command (IEEE) FTOS(conf-if-te-0/17-lldp)#do sho int te 2/12 dc d E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS Recommendation TLV enabled r-ETS Rec
disabled ----------------------------------------------------------------------Interface TenGigabitEthernet 1/14 Remote Mac Address 00:01:e8:8a:df:a0 Port Role is Auto-Upstream DCBx Operational Status is Enabled Is Configuration Source? FALSE Local DCBx Compatibility mode is CEE Local DCBx Configured mode is CEE Peer Operating version is CEE Local DCBx TLVs Transmitted: ErPFi Local DCBx Status ----------------DCBx Operational Version is 0 DCBx Max Version Supported is 0 Sequence Number: 1 Acknowledgment Num
Field Description Local DCBx TLVs Transmitted Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output). Local DCBx Status: DCBx Operational Version DCBx version advertised in Control TLVs. Local DCBx Status: DCBx Max Version Supported Highest DCBx version supported in Control TLVs. Local DCBx Status: Sequence Number Sequence number transmitted in Control TLVs.
Figure 35. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame Priority Group Assignment 4 IPC 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment. Priority Group Bandwidth Assignment IPC 5% SAN 50% LAN 45% PFC and ETS Configuration Command Examples The following examples show PFC and ETS configuration commands to manage your data center traffic.
FTOS(conf-qos-policy-out)# bandwidth-percentage 5 FTOS(conf-qos-policy-out)# exit Example of Configuring a DCB Output Policy to Apply ETS (Bandwidth Allocation and Scheduling) to IPC, SAN, and LAN Priority Traffic FTOS(conf)# dcb-output ets FTOS(conf-dcb-out)# priority-group san qos-policy san FTOS(conf-dcb-out)# priority-group lan qos-policy lan FTOS(conf-dcb-out)# priority-group ipc qos-policy ipc Example of Applying DCB Input and Output Policies to an Interface FTOS(conf)# interface tengigabitethernet 0/
In this example, the configured ETS bandwidth allocation and scheduler behavior is as follows: Unused bandwidth usage: Strict-priority groups: Normally, if there is no traffic or unused bandwidth for a priority group, the bandwidth allocated to the group is distributed to the other priority groups according to the bandwidth percentage allocated to each group.
Dynamic Host Configuration Protocol (DHCP) 13 Dynamic host configuration protocol (DHCP) is available on the S4820T platform. DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Specifies the domain name servers (DNSs) that are available to the client. Domain Name Option 15 Specifies the domain name that clients should use when resolving hostnames via DNS. IP Address Lease Time Option 51 DHCP Message Type Option 53 Specifies the amount of time that the client is allowed to use an assigned IP address.
Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking operating system (FTOS) uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
DHCP Server Responsibility Description Responding To Client Requests DHCP servers respond to different types of requests from clients, primarily, granting, renewing, and terminating leases. Providing Administration Services DHCP servers include functionality that allows an administrator to implement policies that govern how DHCP performs its other tasks.
Related Configuration Tasks • Configure a Method of Hostname Resolution • Creating Manual Binding Entries • Debugging the DHCP Server • Using DHCP Clear Commands Excluding Addresses from the Address Pool The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients. You must specify the IP address that the DHCP server should not assign to clients. To exclude an address, follow this step. • Exclude an address range from DHCP assignment.
Using NetBIOS WINS for Address Resolution Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid. 1. Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
Using DHCP Clear Commands To clear DHCP binding entries, address conflicts, and server counters, use the following commands. • Clear DHCP binding entries for the entire binding table. EXEC Privilege mode. • clear ip dhcp binding Clear a DHCP binding entry for an individual IP address. EXEC Privilege mode. clear ip dhcp binding ip address Configure the System to be a Relay Agent This feature is available on the S4820T platform.
Figure 38. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
ICMP redirects are not sent ICMP unreachables are not sent Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (FTOS version and a configuration file).
• An entry in the DHCP snooping table is not added for a DHCP client interface. DHCP Server A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from another DHCP server. Virtual Router Redundancy Protocol (VRRP) Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group.
Configure Secure DHCP The following feature is available on the S4820T platform, except where noted. DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks. • Option 82 • DHCP Snooping • Dynamic ARP Inspection • Source Address Validation Option 82 RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
clear ip dhcp snooping binding Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping View the DHCP snooping statistics with the show ip dhcp snooping command.
Total number of Entries in the table : 4 Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
Configuring Dynamic ARP Inspection To enable dynamic ARP inspection, use the following commands. 1. Enable DHCP snooping. 2. Validate ARP frames against the DHCP snooping binding table. INTERFACE VLAN mode arp inspection To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation Using the DHCP binding table, FTOS can perform three types of source address validation (SAV). Table 19. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address matches the client hardware address field (CHADDR) in the payload.
Enabling IP+MAC Source Address Validation The following feature is available on the S4820T platform. IP source address validation (SAV) validates the IP source address of an incoming packet against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1. Allocate at least one FP block to the ipmacacl CAM region.
Equal Cost Multi-Path (ECMP) 14 Equal cost multi-path (ECMP) is supported on theS4820T platform. ECMP for Flow-Based Affinity ECMP for flow-based affinity is available on theS4820T platform. Flow-based affinity includes the following: • Link Bundle Monitoring Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
Managing ECMP Group Paths Managing ECMP group paths is supported only on the S4820T platform. Configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command. NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
link-bundle-distribution trigger-threshold {percent} The range is from 1 to 90%. • The default is 60%. Display details for an ECMP group bundle. EXEC mode show link-bundle-distribution ecmp-group ecmp-group-id The range is from 1 to 64. NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6...
FCoE Transit 15 The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the S4820T switch on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a S4820T switch stack.
The following table lists the FIP functions. Table 20. FIP Functions FIP Function Description FIP VLAN discovery FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic. FIP discovery FCoE end-devices and FCFs are automatically discovered. Initialization FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB). On a FIP snooping bridge, ACLs are created dynamically as FIP login frames are processed.
Figure 40. FIP Snooping on an S4810 Switch The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions: 300 • Allocate CAM resources for FCoE (optional in FTOS version 9.1[0.0]). • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages. FIP Snooping in a Switch Stack FIP snooping supports switch stacking as follows: • A switch stack configuration is synchronized with the standby stack unit. • Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit.
Important Points to Remember • Enable DCBx on the switch before enabling the FIP Snooping feature. • To enable the feature on the switch, configure FIP Snooping. • To allow FIP frames to pass through the switch on all VLANs, enable FIP snooping globally on a switch. • A switch can support a maximum eight VLANs. Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN. • You can configure multiple FCF-trusted interfaces in a VLAN.
established by the switch-bridge only when the FC-MAP value on the FCF matches the FC-MAP value on the FIP snooping bridge. Configure a Port for a Bridge-to-Bridge Link If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass.
FIP Snooping Restrictions The following restrictions apply when you configure FIP snooping. • The maximum number of FCoE VLANs supported on the switch is eight. • The maximum number of FIP snooping sessions supported per ENode server is 32. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-endomac command. • The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
Displaying FIP Snooping Information Use the following show commands to display information on FIP snooping, . Table 22. Displaying FIP Snooping Information Command Output show fip-snooping sessions [interface vlan vlan-id] Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
FCoE MAC 0e:fc:00:01:00:01 0e:fc:00:01:00:02 0e:fc:00:01:00:03 0e:fc:00:01:00:04 0e:fc:00:01:00:05 FC-ID 01:00:01 01:00:02 01:00:03 01:00:04 01:00:05 Port WWPN 31:00:0e:fc:00:00:00:00 41:00:0e:fc:00:00:00:00 41:00:0e:fc:00:00:00:01 41:00:0e:fc:00:00:00:02 41:00:0e:fc:00:00:00:03 Port WWNN 21:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00 The following table describes the show fip-snooping sessions command fields. Table 23.
Field Description FC-ID Fibre Channel session ID assigned by the FCF. Example of the show fip-snooping fcf Command FTOS# show fip-snooping fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No. of Enodes ------------------- ---- ------------------- ------------54:7f:ee:37:34:40 Po 22 100 0e:fc:00 4000 2 The following table describes the show fip-snooping fcf command fields. Table 25. show fip-snooping fcf Command Description Field Description FCF MAC MAC address of the FCF.
Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number of of of of of of of of of of of of of of of of of of of Multicast Discovery Solicits Unicast Discovery Solicits FLOGI FDISC FLOGO Enode Keep Alive VN Port Keep Alive Multicast Discovery Advertisement Unicast Discovery Advertisement FLOGI Accepts FLOGI Rejects FDISC Accepts FDISC Rejects FLOGO Accepts FLOGO Rejects CVL FCF Discovery Timeouts VN Port Session Timeouts Session
Field Description Number of FLOGI Number of FIP-snooped FLOGI request frames received on the interface. Number of FDISC Number of FIP-snooped FDISC request frames received on the interface. Number of FLOGO Number of FIP-snooped FLOGO frames received on the interface. Number of ENode Keep Alives Number of FIP-snooped ENode keep-alive frames received on the interface. Number of VN Port Keep Alives Number of FIP-snooped VN port keep-alive frames received on the interface.
Example of the show fip-snooping vlan Command FTOS# show fip-snooping vlan * = Default VLAN VLAN ---*1 100 FC-MAP -----0X0EFC00 FCFs ---1 Enodes -----2 Sessions -------17 FCoE Transit Configuration Example The following illustration shows an S4810 switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 41.
Example of Enabling the FIP Snooping Feature on the Switch (FIP Snooping Bridge) FTOS(conf)# feature fip-snooping Example of Enabling FIP Snooping on the FCoE VLAN FTOS(conf)# interface vlan 10 FTOS(conf-if-vl-10)# fip-snooping enable Example of Enabling an FC-MAP Value on a VLAN FTOS(conf-if-vl-10)# fip-snooping fc-map 0xOEFC01 NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
Enabling FIPS Cryptography 16 Federal information processing standard (FIPS) cryptography is supported on the S4820T platform. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed. • Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage. • FIPS mode is enabled. – If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
Reload Type : normal-reload [Next boot : normal-reload] -- Unit 0 -Unit Type Status Next Boot Required Type Current Type Master priority Hardware Rev Num Ports Up Time FTOS Version Jumbo Capable POE Capable FIPS Mode Burned In MAC No Of MACs ... : : : : : : : : : : : : : : : Management Unit online online S4810 - 52-port GE/TE/FG (SE) S4810 - 52-port GE/TE/FG (SE) 0 3.0 64 7 hr, 3 min 4810-8-3-7-1061 yes no enabled 00:01:e8:8a:ff:0c 3 Disabling FIPS Mode The following describes disabling FIPS mode.
Force10 Resilient Ring Protocol (FRRP) 17 Force10 resilient ring protocol (FRRP) is supported on the S4820T platform. FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202. Important FRRP Points FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring. • The Master node transmits ring status check frames at specified intervals.
Concept Ring Protocol Timers Ring Status Ring Health-Check Frame (RHF) Explanation • Pre-Forwarding State — A transition state before moving to the Forward state. Control traffic is forwarded but data traffic is blocked. The Master node Secondary port transitions through this state during ring bring-up. All ports transition through this state when a port comes up. • Disabled State — When the port is disabled or down, or is not on the VLAN.
• Each ring has only one Master node; all others are transit nodes. FRRP Configuration These are the tasks to configure FRRP.
interface vlan vlan-id VLAN ID: from 1 to 4094. 2. Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode. tagged interface slot/ port {range} Interface: – For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• All VLANS must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged. • The control VLAN must be the same for all nodes on the ring. To create the Members VLANs for this FRRP group, use the following commands on all of the Transit switches in the ring. 1. Create a VLAN with this ID number. CONFIGURATION mode. interface vlan vlan-id VLAN ID: the range is from 1 to 4094. 2.
6. Enable this FRRP group on this switch. CONFIG-FRRP mode. no disable Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • • • • • Each Control Ring must use a unique VLAN ID. Only two interfaces on a switch can be Members of the same control VLAN. There can be only one Master node for any FRRP group. You can configure FRRP on Layer 2 interfaces only. Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
! interface GigabitEthernet 2/31 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged GigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged GigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 controlvlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface GigabitEthernet 3/14 no ip address switchport no shutdown ! interface GigabitEthernet 3/21 no ip address swi
GARP VLAN Registration Protocol (GVRP) 18 GARP VLAN registration protocol (GVRP) is supported on the S4820T platform. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
exchanged. In the following example, that type of port is referred to as a VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking operating system (FTOS) that the port is a trunk port. Figure 42. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2.
gvrp enable Example of Configuring GVRP FTOS(conf)#protocol gvrp FTOS(config-gvrp)#no disable FTOS(config-gvrp)#show config ! protocol gvrp no disable FTOS(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command. • Enable GVRP on a Layer 2 interface.
Example of the gvrp registration Command FTOS(conf-if-gi-1/21)#gvrp registration fixed 34,35 FTOS(conf-if-gi-1/21)#gvrp registration forbidden 45,46 FTOS(conf-if-gi-1/21)#show conf ! interface GigabitEthernet 1/21 no ip address switchport gvrp enable gvrp registration fixed 34-35 gvrp registration forbidden 45-46 no shutdown FTOS(conf-if-gi-1/21)# Configure a GARP Timer Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Boot the Chassis with a Single RPM • Boot the Chassis with Dual RPMs • Automatic and Manual RPM Failover • Support for RPM Redundancy by FTOS Version • RPM Synchronization 331
19 High Availability (HA) High availability (HA) is supported on the S4820T platform. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this FTOS release. Table 27. Boot Code Requirements Component Boot Code S4820T RPM 2 .8.2.0 S4820T Line Card 2 .8.2.
Boot the Chassis with a Single RPM You can boot the chassis with one RPM and later add a second RPM, which automatically becomes the standby RPM. FTOS displays the following message when the standby RPM is online. %RPM-2-MSG:CP0 %POLLMGR-2-ALT_RPM_STATE: Alternate RPM is present %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is in Standby State. Boot the Chassis with Dual RPMs When you boot the system with two RPMs installed, the RPM in slot R0 is the primary RPM by default.
Example of Boot Failure on Standby RPM System failed to boot up. Please reboot the chassis !!! 00:12:46: %RPM1-U:CP %TME-0-RPM BRINGUP FAIL: FTOS failed to bring up the system Communication between RPMs is not up, check the software version and reboot chassis. FTOS(standby)(bootfail)# Automatic and Manual RPM Failover RPM failover is the process of the standby RPM becoming the primary RPM. FTOS fails over to the standby RPM when: 1. Communication is lost between the standby and primary RPMs. 2.
Support for RPM Redundancy by FTOS Version FTOS supports increasing levels of RPM redundancy (warm and hot) as described in the table below. Table 29. Support for RPM Redundancy by FTOS Version Platform Failover Type Failover Behavior S4820T Hot Failover Only the failed RPM reboots. All the line cards and SFMs remain online. All application tasks are spawned on the secondary RPM before failover. The running configuration is synchronized at runtime so it does not need to be reapplied during failover.
To view which RPM is the primary, use the show running-config redundancy command from EXEC Privilege mode, as shown in the example in the Forcing an RPM Failover. Forcing an RPM Failover To force an RPM failover, use the following command. Use this feature when you are replacing an RPM and when you are performing a warm upgrade. • To trigger an RPM failover between RPMs.
Online Insertion and Removal You can add, replace, or remove chassis components while the chassis is operating. This section contains the following sub-sections: • RPM Online Insertion and Removal • Linecard Online Insertion and Removal RPM Online Insertion and Removal Dell Networking systems are functional with only one RPM. If you insert a second RPM, it comes online as the standby RPM. To see SFM status information, use the show sfm all command.
FTOS(conf)#%RPM0-P:CP %CHMGR-2-CARD_DOWN: Line card 0 down - card removed FTOS(conf)#do show linecard all -- Line cards -Slot Status NxtBoot ReqTyp CurTyp Version Ports --------------------------------------------------------------------------0 not present E48VB [output omitted] Pre-Configuring a Line Card Slot You may also pre-configure an empty line card slot with a logical line card. To pre-configure an empty line card slot, use the following command.
Example of Verifying Line Card Configuration After Clearing Mismatch Status %RPM0-P:CP %CHMGR-5-CARDDETECTED: Line card 0 present %RPM0-P:CP %CHMGR-3-CARD_MISMATCH: Mismatch: line card 0 is type E48VB - type E48TB required FTOS#show linecard all -- Line cards -Slot Status NxtBoot ReqTyp CurTyp Version Ports --------------------------------------------------------------------------0 type mismatch online E48TB E48VB 7-5-1-71 48 [output omitted] FTOS(conf)#linecard 0 E48VB Aug 6 14:25:22: %RPM0-P:CP %IFMGR-1-D
FTOS supports graceful restart for the following protocols: • Border gateway • Open shortest path first • Protocol independent multicast — sparse mode • Intermediate system to intermediate system Software Resiliency During normal operations, FTOS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest.
• Kernel core dump is the central component of an operating system that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory in use by the kernel at the time of an exception. System Log Event messages provide system administrators diagnostics and auditing information. FTOS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server.
• Enable process restartability for a process or task. CONFIGURATION mode • process restartable [process] [try number] [timestamp hours] Display the processes and tasks configured for restart. EXEC Privilege When a process restarts, FTOS displays a message similar to the following message.
Internet Group Management Protocol (IGMP) 20 Internet group management protocol (IGMP) is supported on the S4820T platform. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
Figure 43. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet. 2.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. • To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Figure 45. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 46. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-andspecific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Figure 47. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1. Enable multicast routing using the ip multicast-routing command. 2. Enable a multicast routing protocol.
• Fast Convergence after MSTP Topology Changes • Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled interfaces. EXEC Privilege mode show ip igmp interface Example of the show ip igmp interface Command FTOS#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.
Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. • View both learned and statically configured IGMP groups. EXEC Privilege mode show ip igmp groups Example of the show ip igmp groups Command FTOS(conf-if-gi-1/0)#do sho ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Uptime 224.1.1.1 GigabitEthernet 1/0 00:00:03 224.1.2.1 GigabitEthernet 1/0 00:56:55 Expires Never 00:01:22 Last Reporter CLI 1.1.1.
• ip igmp query-max-resp-time Adjust the last member query interval. INTERFACE mode ip igmp last-member-query-interval Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries. 2.
EXEC Privilege mode show ip igmp interface View the enable status of this feature using the command from EXEC Privilege mode, as shown in the example in Selecting an IGMP Version. IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
• Configuring the Switch as Querier Example of ip igmp snooping enable Command FTOS(conf)#ip igmp snooping enable FTOS(conf)#do show running-config igmp ip igmp snooping enable FTOS(conf)# Removing a Group-Port Association To configure or view the remove a group-port association feature, use the following commands. • Configure the switch to remove a group-port association after receiving an IGMP Leave message. INTERFACE VLAN mode • ip igmp fast-leave View the configuration.
Configuring the Switch as Querier To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
Interfaces 21 This chapter describes interface types, both physical and logical, and how to configure them with FTOS. • 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on the S4820T platform.
Interface Types The following table describes different interface types.
Last clearing of "show interface" counters 00:09:54 Queueing strategy: fifo Input Statistics: 0 packets, 0 bytes 0 Vlans 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 3 packets, 192 bytes, 0 underruns 3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0
no ip address shutdown Enabling a Physical Interface After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface slot/port command. 1. Enter the keyword interface then the type of interface and slot/port information. CONFIGURATION mode interface interface 2. – For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• Configuring Layer 2 (Interface) Mode • Management Interfaces • Auto-Negotiation on Ethernet Interfaces • Adjusting the Keepalive Timer • Clearing Interface Counters Overview of Layer Modes On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode.
Configuring Layer 2 (Interface) Mode To configure an interface in Layer 2 mode, use the following commands. • Enable the interface. INTERFACE mode • no shutdown Place the interface in Layer 2 (switching) mode. INTERFACE mode switchport For information about enabling and configuring the Spanning Tree Protocol, refer to Spanning Tree Protocol (STP). To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
Configuring Layer 3 (Interface) Mode To assign an IP address, use the following commands. • Enable the interface. INTERFACE mode • no shutdown Configure a primary IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. You can only configure one primary IP address per interface.
• • If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence. Due to protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table). Configuring EIS EIS is compatible with the following protocols: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. To enable and configure EIS, use the following commands: 1. Enter EIS mode.
The following rules apply to having two IPv6 addresses on a management interface: • IPv6 addresses on a single management interface cannot be in the same subnet. • IPv6 secondary addresses on management interfaces: – across a platform must be in the same subnet. – must not match the virtual IP address and must not be in the same subnet as the virtual IP.
To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are two RPMs, you cannot view information on that interface. Configuring Management Interfaces on the S-Series You can manage the S-Series from any port. To configure an IP address for the port, use the following commands. There is no separate management routing table, so configure all routes in the IP routing table (the ip route command). • Configure an IP address.
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213). NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN. FTOS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used.
• Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the same commands found in the physical interface are also found in the Loopback interfaces. For more information, refer to Configure ACLs to Loopback. Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command.
Port Channel Implementation FTOS supports static and dynamic port channels. • Static — Port channels that are statically configured. • Dynamic — Port channels that are dynamically configured using the link aggregation control protocol (LACP). For details, refer to Link Aggregation Control Protocol (LACP). There are 128 port-channels with eight members per channel. As soon as you configure a port channel, FTOS treats it like a physical interface. For example, IEEE 802.
Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
A logical port channel interface cannot have flow control. Flow control can only be present on the physical interfaces if they are part of a port channel. NOTE: The S4820T supports jumbo frames by default (the default maximum transmission unit (MTU) is 1554 bytes). To configure the MTU, use the mtu command from INTERFACE mode.
0 throttles, 0 discarded Rate info (interval 5 minutes): Input 00.01Mbits/sec, 2 packets/sec Output 81.60Mbits/sec, 133658 packets/sec Time since last interface status change: 04:31:57 FTOS> When more than one interface is added to a Layer 2-port channel, FTOS selects one of the active interfaces in the port channel to be the primary port. The primary port replies to flooding and sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command indicates the primary port.
channel-member GigabitEthernet 1/8 no shutdown FTOS(conf-if-portch)#no chann gi 1/8 FTOS(conf-if-portch)#int port 5 FTOS(conf-if-portch)#channel gi 1/8 FTOS(conf-if-portch)#sho conf ! interface Port-channel 5 no ip address channel-member GigabitEthernet 1/8 shutdown FTOS(conf-if-portch)# Configuring the Minimum Oper Up Links in a Port Channel You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status.
show vlan Assigning an IP Address to a Port Channel You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command. • Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). – secondary: the IP address is the interface’s backup IP address.
To change the IP traffic load-balancing default, use the following command. • Replace the default IP 4-tuple method of balancing traffic over a port channel. CONFIGURATION mode [no] load-balance {ip-selection [dest-ip | source-ip]} | {mac [dest-mac | source-dest-mac | source-mac]} | {tcp-udp enable} | {ing-port} You can select one, two, or all three of the following basic hash methods: – ip-selection [dest-ip | source-ip] — Distribute IP traffic based on the IP destination or source address.
• lsb — always uses the least significant bit of the hash key to compute the egress port. Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range.
Example of the interface range Command (Multiple Ranges) FTOS(conf)#interface range tengigabitethernet 0/5 - 10 , tengigabitethernet 0/1 , vlan 1 FTOS(conf-if-range-te-0/5-10,te-0/1,vl-1)# Exclude Duplicate Entries The following is an example showing how duplicate entries are omitted from the interface-range prompt.
CONFIGURATION mode define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{gigabitethernet | tengigabitethernet | fortyGigE} slot/interface interface} [ , {vlan vlan_ID - vlan_ID} {{gigabitethernet | tengigabitethernet | fortyGigE} slot/interface - interface}] Define the Interface Range The following example shows how to define an interface-range macro named “test” to select Fast Ethernet interfaces 5/1 through 5/4.
• l — Page up • T — Increase refresh interval (by 1 second) • t — Decrease refresh interval (by 1 second) • c — Clear screen • a — Page down • q — Quit Example of the monitor interface Command FTOS#monitor interface gi 3/1 FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
To test and display TDR results, use the following commands. 1. To test for cable faults on the GigabitEthernet cable. EXEC Privilege mode tdr-cable-test gigabitethernet / Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message. 2. Displays TDR test results.
for all practical purposes of routing, the interface is deemed to be “down.” After the interface becomes stable and the penalty decays below a certain threshold, the interface comes up again and the routing protocols re-converge. Link dampening: • reduces processing on the CPUs by reducing excessive interface flapping. • improves network stability by penalizing misbehaving interfaces and redirecting traffic.
Clearing Dampening Counters To clear dampening counters and accumulated penalties, use the following command. • Clear dampening counters. clear dampening Example of the clear dampening Command FTOS# clear dampening interface Gi 0/1 FTOS# show interfaces dampening GigabitEthernet0/0 InterfaceStateFlapsPenaltyHalf-LifeReuseSuppressMax-Sup Gi 0/1Up00205001500300 Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command.
• View all LAG link bundles being monitored. show running-config ecmp-group Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the S4820T platform. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
The discard threshold should be larger than the buffer threshold so that the buffer holds at least hold at least three packets. Enabling Pause Frames Enable Ethernet pause frames flow control on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior. NOTE: Changes in the flow-control values may not be reflected automatically in the show interface output.
Table 31. Layer 2 Overhead Layer 2 Overhead Difference Between Link MTU and IP MTU Ethernet (untagged) 18 bytes VLAN Tag 22 bytes Untagged Packet with VLAN-Stack Header 22 bytes Tagged Packet with VLAN-Stack Header 26 bytes Link MTU and IP MTU considerations for port channels and VLANs are as follows. Port Channels: • All members must have the same link MTU value and the same IP MTU value.
NOTE: As a best practice, Dell Networking recommends keeping auto-negotiation enabled. Only disable autonegotiation on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues. For 10/100/1000 Ethernet interfaces, the negotiation auto command is tied to the speed command. Autonegotiation is always enabled when the speed command is set to 1000 or auto.
Gi 0/3 Down Gi 0/4 Force10Port Up Gi 0/5 Down Gi 0/6 Down Gi 0/7 Up Gi 0/8 Down Gi 0/9 Down Gi 0/10 Down Gi 0/11 Down Gi 0/12 Down [output omitted] Auto 1000 Mbit Auto Auto 1000 Mbit Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto -30-130 --1502,1504,1506-1508,1602 ------ In the previous example, several ports display “Auto” in the Speed field, including port 0/1. In the following example, the speed of port 0/1 is set to 100Mb and then its auto-negotiation is disabled.
• Change the default interval between keepalive messages. INTERFACE mode • keepalive [seconds] View the new setting. INTERFACE mode show config View Advanced Interface Information The following options have been implemented for the show [ip | running-config] interfaces commands for (only) linecard interfaces. When you use the configured keyword, only interfaces that have non-default configurations are displayed.
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 100 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 1d23h42m Dynamic Counters By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a VLAN, enter the keyword vlan then a number. – (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a number from 1 to 255 as the vrid.
Internet Protocol Security (IPSec) 22 Internet protocol security (IPSec) is available on the S4820Tplatform. IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
crypto ipsec transform-set myXform-seta esp-authentication md5 espencryption des 2. Define the crypto policy. CONFIGURATION mode crypto ipsec policy myCryptoPolicy 10 ipsec-manual transform-set myXform-set session-key inbound esp 256 auth encrypt session-key outbound esp 257 auth encrypt match 0 tcp a::1 /128 0 a::2 /128 23 match 1 tcp a::1 /128 23 a::2 /128 0 match 2 tcp a::1 /128 0 a::2 /128 21 match 3 tcp a::1 /128 21 a::2 /128 0 match 4 tcp 1.1.1.1 /32 0 1.1.1.
IPv4 Routing 23 IPv4 routing is supported on the S4820T platform. FTOS supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking operating system (FTOS).
• Configure Static Routes for the Management Interface (optional) For a complete listing of all commands related to IP addressing, refer to the FTOS Command Line Interface Reference Guide. Assigning IP Addresses to an Interface Assign primary and secondary IP addresses to physical or logical (for example, [virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface.
no shutdown ! FTOS(conf-if)# Configuring Static Routes A static route is an IP address that you manually configure and that the routing protocol does not learn, such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary. To configure a static route, use the following command. • Configure a static IP address.
FTOS installs a next hop that is on the directly connected subnet of current IP address on the interface (for example, if interface gig 0/0 is on 172.31.5.0 subnet, FTOS installs the static route). FTOS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet. For example, if gig 0/0 has ip address on subnet 2.2.2.0 and if 172.31.5.43 recursively resolves to 2.2.2.0, FTOS installs the static route.
Enabling Directed Broadcast By default, FTOS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable FTOS to receive directed broadcasts, use the following command. • Enable directed broadcast. INTERFACE mode ip directed-broadcast To view the configuration, use the show config command in INTERFACE mode. Resolution of Host Names Domain name service (DNS) maps host names to IP addresses.
f00-3 FTOS> (perm, OK) - IP 192.71.23.1 To view the current configuration, use the show running-config resolve command. Specifying the Local System Domain and a List of Domains If you enter a partial domain, FTOS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. FTOS searches the host table first to resolve the partial domain.
Tracing the route to www.force10networks.com (10.11.84.18), 30 hops max, 40 byte packets ---------------------------------------------------------------------TTL Hostname Probe1 Probe2 Probe3 1 10.11.199.190 001.000 ms 001.000 ms 002.000 ms 2 gwegress-sjc-02.force10networks.com (10.11.30.126) 005.000 ms 001.000 ms 001.000 ms 3 fw-sjc-01.force10networks.com (10.11.127.254) 000.000 ms 000.000 ms 000.000 ms 4 www.dell.com (10.11.84.18) 000.000 ms 000.000 ms 000.
– interface: enter the interface type slot/port information. These entries do not age and can only be removed manually. To remove a static ARP entry, use the no arp ipaddress command. To view the static entries in the ARP cache, use the show arp static command in EXEC privilege mode. Example of the show arp Command FTOS#show arp Protocol Address Age(min) Hardware Address Interface VLAN CPU -------------------------------------------------------------------------------Internet 10.1.2.
NOTE: Transit traffic may not be forwarded during the period when deleted ARP entries are resolved again and reinstalled in CAM. Use this option with extreme caution. ARP Learning via Gratuitous ARP Gratuitous ARP can mean an ARP request or reply. In the context of ARP learning via gratuitous ARP on FTOS, the gratuitous ARP is a request.
Figure 48. ARP Learning via ARP Request Beginning with FTOS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 49. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
• The range is from 1 to 20. Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply).
UDP Helper User datagram protocol (UDP) helper allows you to direct the forwarding IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses. Configure UDP Helper Configuring FTOS to direct UDP broadcast is a two-step process: 1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper. 2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic.
Configuring a Broadcast Address To configure a broadcast address, use the following command. • Configure a broadcast address on an interface. ip udp-broadcast-address Example of Configuring a Broadcast Address FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 FTOS(conf-if-vl-100)#show config ! interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged GigabitEthernet 1/2 no shutdown To view the configured broadcast address for an interface, use show interfaces command.
2. If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If you do not configure an IP broadcast address (using the ip udp-broadcast-address command) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
Figure 51. UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
Troubleshooting UDP Helper To display debugging information for troubleshooting, use the debug ip udp-helper command. Example of the debug ip udp-helper Command FTOS(conf)# debug ip udp-helper 01:20:22: Pkt rcvd on Gi 5/0 with IP DA (0xffffffff) will be sent on Gi 5/1 Gi 5/2 Vlan 3 01:44:54: Pkt rcvd on Gi 7/0 is handed over for DHCP processing. When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command. Example Output from the debug ip dhcp Command Packet 0.0.0.
IPv6 Routing 24 Internet protocol version 6 (IPv6) routing is supported on the S4820T platform. NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the FTOS version supporting which features and platforms, refer to Implementing IPv6 with FTOS. IPv6 is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
NOTE: FTOS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. FTOS manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address. However, received ND messages are not used to create an IPv6 address.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 53. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value Description 4 IPv4 6 TCP 8 Exterior Gateway Protocol (EGP) 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page at http://www.iana.org/assignments/ protocol-numbers.
Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
• 2001:0db8:0:0::1428:57ab • 2001:0db8::1428:57ab • 2001:db8::1428:57ab IPv6 networks are written using classless inter-domain routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated with a slash.
Feature and Functionality FTOS Release Introduction Documentation and Chapter Location S4820T IPv6 stateless autoconfiguration 8.3.19 Stateless Autoconfiguration IPv6 MTU path discovery 8.3.19 Path MTU Discovery IPv6 ICMPv6 8.3.19 ICMPv6 IPv6 ping 8.3.19 ICMPv6 IPv6 traceroute 8.3.19 ICMPv6 IPv6 SNMP 8.3.19 IPv6 Routing Static routing 8.3.19 Assigning a Static IPv6 Route Route redistribution 8.3.19 OSPF, IS-IS, and IPv6 BGP chapters in the FTOS Command Line Reference Guide.
Feature and Functionality FTOS Release Introduction Documentation and Chapter Location S4820T IPv6 Services and Management Telnet client over IPv6 (outbound Telnet) 8.3.19 Configuring Telnet with IPv6 Telnet server over IPv6 (inbound Telnet) 8.3.19 Secure Shell (SSH) client support over IPv6 (outbound SSH) Layer 3 only 8.3.19 Secure Shell (SSH) Over an IPv6 Transport Secure Shell (SSH) server support over IPv6 (inbound SSH) Layer 3 only 8.3.
Path MTU Discovery IPv6 path maximum transmission unit (MTU) discovery is supported on the S4820T platform. Path MTU, in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
Figure 55. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets With FTOS version 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Adjusting Your CAM-Profile The cam-acl command is supported on the S4820T platform. Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10).
• Enter the IPv6 Address for the device. CONFIG-INTERFACE mode ipv6 address ipv6 address/mask – ipv6 address: x:x:x:x::x – mask: The prefix length is from 0 to 128 NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing. Assigning a Static IPv6 Route IPv6 static routes are supported on the S4820T platform. To configure IPv6 static routes, use the ipv6 route command.
• Enter the IPv6 Address for the device. EXEC mode or EXEC Privileged mode telnet ipv6 address – ipv6 address: x:x:x:x::x – mask: prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing. SNMP over IPv6 The simple network management protocol (SNMP) is supported on the S4820T platform.
Showing an IPv6 Interface To view the IPv6 configuration for a specific interface, use the following command. • Show the currently running configuration for the specified interface. EXEC mode show ipv6 interface type {slot/port} Enter the keyword interface then the type of interface and slot/port information: – For all brief summary of IPv6 status and configuration, enter the keyword brief. – For all IPv6 configured interfaces, enter the keyword configured.
• Show IPv6 routing information for the specified route type. EXEC mode show ipv6 route type The following keywords are available: – To display information about a network, enter ipv6 address (X:X:X:X::X). – To display information about a host, enter hostname. – To display information about all IPv6 routes (including non-active routes), enter all. – To display information about all connected IPv6 routes, enter connected.
----------------------------------------------------S 8888:9999:5555:6666:1111:2222::/96 [1/0] via 2222:2222:3333:3333::1, Gi 9/1, 00:03:16 S 9999:9999:9999:9999::/64 [1/0] via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16 Showing the Running-Configuration for an Interface To view the configuration for any interface, use the following command. • Show the currently running configuration for the specified interface.
iSCSI Optimization 25 iSCSI optimization is supported on the S4820T platform. This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• iSCSI DCBx TLVs are supported. The following illustration shows iSCSI optimization between servers and a storage array in which a stack of three switches connect installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network. iSCSI optimization running on the master switch is configured to use dot1p priority-queue assignments to ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on stacked switch hardware. Figure 56.
Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic. When you disable iSCSI CoS mode, iSCSI sessions and connections are still detected and displayed in the status tables, but no CoS policy is applied to iSCSI traffic.
After a switch is reloaded, any information exchanged during the initial handshake is not available. If the switch picks up the communication after reloading, it would detect a session was in progress but could not obtain complete information for it. Any incomplete information of this type would not be available in the show commands.
• Spanning-tree portfast is enabled on the interface. • Unicast storm control is disabled on the interface. Enter the iscsi profile-compellent command in INTERFACE Configuration mode; for example: FTOS(conf-if-te-o/50# iscsi profile-compellent Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer The following behavior occurs during synchronization of iSCSI sessions.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 32. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting Disabled on the S4820T. iSCSI CoS mode (802.1p priority queue mapping) iSCSI CoS Packet classification When you enable iSCSI, iSCSI packets are queued based on dot1p, instead of DSCP values. VLAN priority tag iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
NOTE: In FTOS Version 9.2.(0.0), content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled: – session monitoring – aging – class of service You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and this information displays in the show iscsi command. 2. For a non-DCB environment: Enable iSCSI. CONFIGURATION mode iscsi enable 3.
7. (Optional) Set the QoS policy that is applied to the iSCSI flows. CONFIGURATION mode [no] iscsi cos {enable | disable | dot1p vlan-priority-value [remark] | dscp dscp-value [remark]} – enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with a dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dotp1 priority 4 without remark.
• Display all globally configured non-default iSCSI settings in the current FTOS session.
IP Address 10.10.0.53 436 TCP Port 33432 IP Address 10.10.0.
Intermediate System to Intermediate System 26 Intermediate system to intermediate system (Is-IS) is supported on the S4820T platform. • • • IS-IS is supported on the S4820T with FTOS version 8.3.19.0. The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
Figure 57. ISO Address Format Multi-Topology IS-IS The S4820T platform supports multi-topology IS-IS with FTOS version 8.3.11.1 and later. Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies.
Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions. If a local router does not participate in certain MTs, it does not advertise those MT IDs in its IS-IS hellos (IIHs) and so does not include that neighbor within its LSPs. If an MT ID is not detected in the remote side’s IIHs, the local router does not include that neighbor within its LSPs.
identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports. An MT ID is added to the extended IS reachability TLV type 22.
Except where identified, the commands described in this chapter apply to both IPv4 and IPv6 versions of IS-IS. Configuration Tasks for IS-IS The following describes the configuration tasks for IS-IS.
4. – For a port channel, enter the keywords port-channel then a number. – For a SONET interface, enter the keyword sonet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094. Enter an IPv4 Address. INTERFACE mode ip address ip-address mask Assign an IP address and mask to the interface.
Accept wide metrics: FTOS# none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4. Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215. Configuring IS-IS Graceful Restart To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings. • Enable graceful restart on ISIS processes.
– manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds. NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP. The 'overload' bit is an indication to the receiving router that database synchronization did not complete at the restarting router.
Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 FTOS# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Loopback 0 Redistributing: Distance: 115 Generate narrow metrics: level-1-2 Accept narrow metrics: level-1-2 Generate wide metrics: Accept wide metrics: FTOS# none none Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} • Default is level-1-2. Change the IS-type for the IS-IS process.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or FTOS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
distribute-list prefix-list-name in [interface] Enter the type of interface and slot/port information: • – For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. – For a port channel, enter the keywords port-channel then a number. – For a SONET interface, enter the keyword sonet then the slot/port information.
• Include specific OSPF routes in IS-IS. ROUTER ISIS mode redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id the range is from 1 to 65535. – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric value the range is from 0 to 16777215. The default is 0.
command in ROUTER ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode. Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers.
B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.00-00 0x00000002 0xD1A7 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000006 0xC38A eljefe.00-00 * 0x0000000E 0x53BF eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. FTOS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value narrow transition wide transition original value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Level-1 Metric Style Level-2 Metric Style Resulting Metric Value narrow transition original value wide narrow truncated value wide narrow transition truncated value wide wide transition original value wide transition truncated value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value transition wide original value transition narrow original value transiti
• Multi-topology Transition — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface. If you configure IPv4, also enable the ip router isis command. In router isis configuration mode, enable multi-topology transition under address-family ipv6 unicast. Figure 58. IPv6 IS-IS Sample Topography The following is a sample configuration for enabling IPv6 IS-IS.
FTOS (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.00 ! address-family ipv6 unicast multi-topology exit-address-family FTOS (conf-router_isis)# IS-IS Sample Configuration — Multi-topology Transition FTOS (conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown FTOS (conf-if-te-3/17)# FTOS (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
Link Aggregation Control Protocol (LACP) 27 Link aggregation control protocol (LACP) is supported on the S4820T platform. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by FTOS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
NOTE: There is no configuration on the interface because that condition is required for an interface to be part of a LAG. • You can configure link dampening on individual members of a LAG. For more information, refer to Link Debounce Timer. LACP Modes FTOS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768. LACP Configuration Tasks The following are LACP configuration tasks. • Creating a LAG • Configuring the LAG Interfaces as Dynamic • Setting the LACP Long Timeout • Monitoring and Debugging LACP • Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
FTOS(conf)#interface Gigabitethernet 3/16 FTOS(conf-if-gi-3/16)#no shutdown FTOS(conf-if-gi-3/16)#port-channel-protocol lacp FTOS(conf-if-gi-3/16-lacp)#port-channel 32 mode active ... FTOS(conf)#interface Gigabitethernet 4/15 FTOS(conf-if-gi-4/15)#no shutdown FTOS(conf-if-gi-4/15)#port-channel-protocol lacp FTOS(conf-if-gi-4/15-lacp)#port-channel 32 mode active ...
To view the PDU exchanges and the timeout value, use the debug lacp command. For more information, refer to Monitoring and Debugging LACP. Monitoring and Debugging LACP The system log (syslog) records faulty LACP actions. To debug LACP, use the following command. • Debug LACP, including configuration and events.
port-channel failover-group 2. Create a failover group and specify the two port-channels that will be members of the group. CONFIG-PO-FAILOVER-GRP mode group number port-channel number port-channel number In the following example, LAGs 1 and 2 have been placed into to the same failover group.
Minimum number of links to bring Port-channel up is 1 Port-channel is part of failover-group 1 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit Members in this channel: Gi 1/17(U) ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:01:28 Queueing strategy: fifo NOTE: The set of console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link).
Alpha(conf-if-po-10)#no shutdown Alpha(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Alpha(conf-if-po-10)# The following example inspects a LAG port configuration on ALPHA.
Figure 62.
Figure 63.
Figure 64.
interface GigabitEthernet 2/31 no ip address Summary of the LAG Configuration on Bravo Bravo(conf-if-gi-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/2
Figure 65.
Figure 66.
Figure 67. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 28 Layer 2 features are supported on the S4820T platform. Manage the MAC Address Table FTOS provides the following management activities for the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Setting the Aging Time for Dynamic Entries on a VLAN • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in FTOS version 8.3.1.0 is different from versions 8.2.1.
When you enable sticky mac on an interface, dynamically-learned MAC addresses do not age, even if you enabled mac-learning-limit dynamic. If you configured mac-learning-limit and mac-learning-limit dynamic and you disabled sticky MAC, any dynamically-learned MAC addresses ages. mac learning-limit station-move The mac learning-limit station-move command is available on the S4820T platform. The station-move option, allows a MAC address already in the table to be learned off of another interface.
Setting Station Move Violation Actions Station move violation actions are supported only on the S4820T platform. no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move.
NIC Teaming Network interface controller (NIC) teaming is available on the Z-Series platform. NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
Figure 69. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Configuring redundant pairs is supported on the S4820T platform. Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 70. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Important Points about Configuring Redundant Pairs • You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface. • The active or backup interface may not be a member of a LAG. • The active and standby do not have to be of the same type (1G, 10G, and so on). • You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
Example of Configuring Redundant Pairs on a Port-Channel (S4820T) FTOS#show interfaces port-channel brief Codes: L - LACP Port-channel LAG Mode Status Uptime Ports 1 L2 up 00:08:33 Te 0/0 (Up) 2 L2 up 00:00:02 Te 0/1 (Up) FTOS#configure FTOS(conf)#interface port-channel 1 FTOS(conf-if-po-1)#switchport backup interface port-channel 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state
Figure 71. Configuring Far-End Failure Detection The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled. You must manually reset all interfaces in the Err-disabled state using the fefd reset [interface] command in EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again. Table 38.
no shutdown 3. Enable fefd globally. CONFIGURATION mode fefd {interval | mode} To display information about the state of each interface, use the show fefd command in EXEC privilege mode. Example of the show fefd Command FTOS#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
interface GigabitEthernet 1/0 no ip address switchport fefd mode normal no shutdown FTOS(conf-if-gi-1/0)#do show fefd | grep 1/0 Gi 1/0 Normal 3 Unknown Debugging FEFD To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command. • Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
%RPM1-P:CP %FEFD-5-FEFD-BIDIRECTION-LINK-DETECTED: Interface Gi 0/45 has bidirectional link with its peer 491
Link Layer Discovery Protocol (LLDP) 29 The link layer discovery protocol (LLDP) is supported on the S4820T platform. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 39. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 74. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 40. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. FTOS does not currently support this TLV.
Type TLV Description 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the FTOS implementation of LLDP, but is available and mandatory (nonconfigurable) in the LLDP-MED implementation.
• transmitting an LLDP-MED capability TLV to endpoint devices • storing the information that endpoint devices advertise The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 41.
Type SubType TLV Description 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device. 127 9 Inventory — Manufacturer Name Indicates the manufacturer of the LLDP-MED device. 127 10 Inventory — Model Name Indicates the model of the LLDP-MED device. 127 11 Inventory — Asset ID Indicates a user specified device number to manage inventory.
Table 43. LLDP-MED Device Types Value Device Type 0 Type Not Defined 1 Endpoint Class 1 2 Endpoint Class 2 3 Endpoint Class 3 4 Network Connectivity 5–255 Reserved LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations.
Type Application Description 6 Video Conferencing Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video. 7 Streaming Video Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video. 8 Video Signaling Specify this application type only if video control packets use a separate network policy than video data. 9–255 Reserved — Figure 76.
Configure LLDP Configuring LLDP is a two-step process. 1. Enable LLDP globally. 2. Advertise TLVs out of an interface. Related Configuration Tasks • Viewing the LLDP Configuration • Viewing Information Advertised by Adjacent LLDP Agents • Configuring LLDPDU Intervals • Configuring Transmit and Receive Mode • Configuring a Time to Live • Debugging LLDP Important Points to Remember • LLDP is enabled by default. • Dell Networking systems support up to eight neighbors per interface.
R1(conf-lldp)#exit R1(conf)#interface gigabitethernet 1/31 R1(conf-if-gi-1/31)#protocol lldp R1(conf-if-gi-1/31-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol on this interface end Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode configuration (default = rx and tx) multiplier LLDP multiplier configuration no Negate a command or set its defaults show Show LLDP configuration R1(conf-if-gi-1/31-lldp)# Enabling LLDP LLDP is enable
PROTOCOL LLDP mode advertise {management-tlv | dot1-tlv | dot3-tlv | med} Include the keyword for each TLV you want to advertise. – For management TLVs: system-capabilities, system-description. – For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id vlan-name. – For 802.3 TLVs: max-frame-size.
Example of Viewing LLDP Global Configurations R1(conf)#protocol lldp R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description hello 10 no disable R1(conf-lldp)# Example of Viewing LLDP Interface Configurations R1(conf-lldp)#exit R1(conf)#interface gigabitethernet 1/31 R1(conf-if-gi-1/31)#show config ! interface GigabitEthernet 1/31 no ip address switchport no shutdown R1(c
----------------------------------------------------------------------Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 00:01:e8:06:95:3e Remote Port Subtype: Interface name (5) Remote Port ID: GigabitEthernet 2/11 Local Port ID: GigabitEthernet 1/21 Locally assigned remote Neighbor Index: 4 Remote TTL: 120 Information valid for next 120 seconds Time since last information change of this neighbor: 01:50:16 Remote MTU: 1554 Remote System Desc: Dell Force10 Networks Real Time Operating System Soft
advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring Transmit and Receive Mode After you enable LLDP, Dell Networking systems transmit and receive LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands. • Transmit only. CONFIGURATION mode or INTERFACE mode • mode tx Receive only. CONFIGURATION mode or INTERFACE mode • mode rx Return to the default setting.
Configuring a Time to Live The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds. • Adjust the TTL value. • multiplier Return to the default multiplier value. CONFIGURATION mode or INTERFACE mode. CONFIGURATION mode or INTERFACE mode.
Figure 79. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects FTOS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.1AB Organizationally Specific TLVs • received and transmitted LLDP-MED TLVs Table 45.
MIB Object Category Basic TLV Selection LLDP Statistics LLDP Variable LLDP MIB Object Description rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs. mibBasicTLVsTxEnable lldpPortConfigTLVsTxEnable Indicates which management TLVs are enabled for system ports. mibMgmtAddrInstanceTxEnable lldpManAddrPortsTxEnable The management addresses defined for the system and the ports through which they are enabled for transmission.
TLV Type 4 5 6 7 8 TLV Name Port Description System Name System Description System Capabilities Management Address TLV Variable port description system name system description system capabilities enabled capabilities management address length management address subtype management address interface numbering subtype interface number OID System LLDP MIB Object Remote lldpRemPortId Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local
TLV Type TLV Name TLV Variable System 127 Port and Protocol VLAN port and protocol VLAN Local ID supported Remote port and protocol VLAN Local enabled PPVID 127 VLAN Name VID VLAN name length VLAN name LLDP MIB Object lldpXdot1LocProtoVlan Supported lldpXdot1RemProtoVlan Supported lldpXdot1LocProtoVlan Enabled Remote lldpXdot1RemProtoVlan Enabled Local lldpXdot1LocProtoVlanI d Remote lldpXdot1RemProtoVlan Id Local lldpXdot1LocVlanId Remote lldpXdot1RemVlanId Local lldpXdot1LocVlanNam
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Unknown Policy Flag Local lldpXMedLocMediaPoli cyUnknown Remote lldpXMedLocMediaPoli cyUnknown Local lldpXMedLocMediaPoli cyTagged Remote lldpXMedLocMediaPoli cyTagged Local lldpXMedLocMediaPoli cyVlanID Remote lldpXMedRemMediaPol icyVlanID Local lldpXMedLocMediaPoli cyPriority Remote lldpXMedRemMediaPol icyPriority Local lldpXMedLocMediaPoli cyDscp Remote lldpXMedRemMediaPol icyDscp Local lldpXMedLocLocationS ubtype R
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Power Priority Local lldpXMedLocXPoEPDP owerPriority lldpXMedLocXPoEPSEP ortPDPriority Remote lldpXMedRemXPoEPSE PowerPriority lldpXMedRemXPoEPDP owerPriority Local lldpXMedLocXPoEPSEP ortPowerAv lldpXMedLocXPoEPDP owerReq Remote lldpXMedRemXPoEPSE PowerAv lldpXMedRemXPoEPDP owerReq Power Value 513
Multicast Source Discovery Protocol (MSDP) 30 Multicast source discovery protocol (MSDP) is supported on the S4820T platform. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 81. MSDP SA Message Format Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks.
The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP. Also, refer to Open Shortest Path First (OSPFv2) and Border Gateway Protocol IPv4 (BGPv4). 2. Configure PIM-SM within each EGP routing domain. Refer to the following figures. The MSDP Sample Configurations show the PIM-SM configuration in this chapter for MSDP. Also, refer to PIM Sparse-Mode (PIM-SM). 3. Enable MSDP. 4. Peer the RPs in each routing domain with each other. Refer to Enable MSDP.
Figure 82.
Figure 83.
Figure 84.
Figure 85. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains.
Example of Configuring MSDP R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3_E600(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
Limiting the Source-Active Cache Set the upper limit of the number of active sources that the Dell Networking operating system (FTOS) caches. The default active source limit is 500K messages. When the total number of active sources reaches the specified limit, subsequent active sources are dropped even if they pass the reverse path forwarding (RPF) and policy check. To limit the number of sources that SA cache stores, use the following command.
Figure 86.
Figure 87.
Figure 88.
Figure 89. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
FTOS(conf)#ip access-list standard fifty FTOS(conf)#seq 5 permit host 200.0.0.50 FTOS#ip msdp sa-cache MSDP Source-Active Cache - 3 entries GroupAddr SourceAddr RPAddr LearnedFrom 229.0.50.2 24.0.50.2 200.0.0.50 10.0.50.2 229.0.50.3 24.0.50.3 200.0.0.50 10.0.50.2 229.0.50.4 24.0.50.4 200.0.0.50 10.0.50.2 FTOS#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.
ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp redistribute list mylocalfilter ip msdp cache-rejected-sa 1000 R1_E600(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.2 seq 10 deny ip any any R1_E600(conf)#do show ip msdp sa-cache R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.
Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command. • Prevent an RP from advertising a source in the SA cache. CONFIGURATION mode ip msdp sa-filter list in peer list ext-acl In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
After the relationship is terminated, the peering state of the terminator is SHUTDOWN, while the peering state of the peer is INACTIVE. Example of the Verifying that Peering State is Disabled [Router 3] R3_E600(conf)#ip msdp shutdown 192.168.0.1 R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 0.0.0.
Input (S,G) filter: myremotefilter Output (S,G) filter: none Debugging MSDP To debug MSDP, use the following command. • Display the information exchanged between peers. CONFIGURATION mode debug ip msdp Example of the debug ip msdp Command R1_E600(conf)#do debug ip msdp All MSDP debugging has been turned on R1_E600(conf)#03:16:08 : MSDP-0: Peer 03:16:09 : MSDP-0: Peer 192.168.0.3, 03:16:27 : MSDP-0: Peer 192.168.0.3, 03:16:38 : MSDP-0: Peer 192.168.0.3, 03:16:39 : MSDP-0: Peer 192.168.0.
Figure 90. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3.
interface loopback 4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5. Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
interface Loopback 1 ip address 192.168.0.11/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.
! ip route 192.168.0.3/32 10.11.0.32 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 Example of R3 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.
MSDP Sample Configuration: R3 Running-Config ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown ! interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 0/0 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
network 10.11.5.0/24 area 0 network 10.11.6.0/24 area 0 network 192.168.0.4/32 area 0 ! ip pim rp-address 192.168.0.3 group-address 224.0.0.
Multiple Spanning Tree Protocol (MSTP) 31 Multiple spanning tree protocol (MSTP) is supported on the S4820T platform. Protocol Overview MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
Spanning Tree Variations The Dell Networking operating system (FTOS) supports four variations of spanning tree, as shown in the following table. Table 49. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information The following describes the MSTP implementation information.
• • • Prevent Network Disruptions with BPDU Guard Enabling SNMP Traps for Root Elections and Topology Changes Configuring Spanning Trees as Hitless Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • • 1. Within an MSTI, only one path from any bridge to any other bridge is enabled.
msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI. Example of the msti Command FTOS(conf)#protocol spanning-tree mstp FTOS(conf-mstp)#msti 1 vlan 100 FTOS(conf-mstp)#msti 2 vlan 200-300 FTOS(conf-mstp)#show config ! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200-300 All bridges in the MSTP region must have the same VLAN-to-instance mapping.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
Changing the Region Name or Revision To change the region name or revision, use the following commands. • Change the region name. • PROTOCOL MSTP mode name name Change the region revision number. PROTOCOL MSTP mode revision number To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4. Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40. The default is 20. To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
To change the port cost or priority of an interface, use the following commands. 1. Change the port cost of an interface. INTERFACE mode spanning-tree msti number cost cost The range is from 0 to 200000. For the default, refer to the default values shown in the table.. 2. Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16. The default is 128.
* Disabling global spanning tree (using the no spanning-tree command in CONFIGURATION mode). To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
Router 1 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
(Step 2) interface GigabitEthernet 2/11 no ip address switchport no shutdown ! interface GigabitEthernet 2/31 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged GigabitEthernet 2/11,31 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 2/11,31 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 2/11,31 no shutdown Router 3 Running-Configuration This example uses the following steps: 1.
tagged GigabitEthernet 3/11,21 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 3/11,21 no shutdown SFTOS Example Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
• debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages. debug spanning-tree mstp events To ensure all the necessary parameters match (region name, region version, and VLAN to instance mapping), examine your individual routers. To show various portions of the MSTP configuration, use the show spanning-tree mst commands. To view the overall MSTP configuration on the router, use the show running-configuration spanningtree mstp in EXEC Privilege mode.
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78 (Indicates MSTP routers are in the [single] region.) CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470 Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0 Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd 4w0d4h : INST 1 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.
Multicast Features 32 Multicast features are supported on the S4820T platform. NOTE: Multicast is supported on secondary IP addresses on the S4820T platform. The Dell Networking operating system (FTOS) supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Enabling IP Multicast Enable IP multicast is supported on the S4820T platform.
Figure 93. Multicast with ECMP Implementation Information Because protocol control traffic in FTOS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, FTOS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper5 bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.
• Multicast is not supported on secondary IP addresses. • Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing. First Packet Forwarding for Lossless Multicast Beginning with FTOS version version 8.3.1.0, all initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry.
When the multicast route limit is reached, FTOS displays the following: 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark. 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin. To limit the number of multicast routes, use the following command. • Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range if from 1 to 50000.
Figure 94. Preventing a Host from Joining a Group Table 51. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Rate Limiting IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting that rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built-in to IGMP so that they’re membership is delayed rather than permanently denied. • Limit the rate at which new groups can be joined.
Figure 95. Preventing a Source from Transmitting to a Group Table 52. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
33 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on the S4820T platform. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking operating system (FTOS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 96. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
• Totally stubby areas are referred to as no summary areas in the Dell Networking operating system (FTOS). Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism.
Figure 97. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes. Internal Router (IR) The internal router (IR) has adjacencies with ONLY routers in the same area, as Router E, M, and I shown in the previous example.
• Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links. • Type 9: Link Local LSA (OSPFv2), Intra-Area-Prefix LSA (OSPFv3) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370. For OSPFv3, this LSA carries the IPv6 prefixes of the router and network links. • Type 11 - Grace LSA (OSPFv3) — For OSPFv3 only, this LSA is a link-local “opaque” LSA sent by a restarting OSPFv3 router during a graceful restart.
• Priority is a numbered rating 0 to 255. The higher the number, the higher the priority. • Cost is a numbered rating 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail. When a router fails and the cost is assessed, a new priority number results. Figure 98. Priority and Cost Examples OSPF with FTOS FTOS supports up to 10,000 OSPF routes for OSPFv2.
• LSA(type 5) • External LSA (type 7) • Link LSA, OSPFv3 only (type 8) • Opaque Link-Local (type 9) • Grace LSA, OSPFv3 only (type 11) Graceful Restart Graceful restart for OSPFv2 and OSPFv3 are supported on the S4820T platform in Helper and Restart modes. When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays.
• OSPFv2 and OSPFv3 support planned-only and/or unplanned-only restarts. The default is support for both planned and unplanned restarts. A planned restart occurs when you enter the redundancy force-failover rpm command to force the primary RPM to switch to the backup RPM. During a planned restart, OSPF sends out a Grace LSA before the system switches over to the backup RPM.
By default, FTOS implements an enhanced flooding procedure which dynamically and intelligently detects when to optimize flooding. Wherever possible, the OSPF task attempts to reduce flooding overhead by selectively flooding on a subset of the interfaces between two routers. Enabling RFC-2328 Compliant OSPF Flooding To enable OSPF flooding, use the following command. When you enable this command, it configures FTOS to flood LSAs on all interfaces. • Enable RFC 2328 flooding.
Setting OSPF Adjacency with Cisco Routers To establish an OSPF adjacency between Dell Networking and Cisco routers, the hello interval and dead interval must be the same on both routers. In FTOS, the OSPF dead interval value is, by default, set to 40 seconds, and is independent of the OSPF hello interval. Configuring a hello interval does not change the dead interval in FTOS. In contrast, the OSPF dead interval on a Cisco router is, by default, four times as long as the hello interval.
Configuration Task List for OSPFv2 (OSPF for IPv4) Open shortest path first version 2 (OSPF for IPv4) is supported on the S4820T platform.
router ospf process-id [vrf {vrf name}] – vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance. The range is from 0 to 65535. The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
Format: A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3. Return to CONFIGURATION mode to enable the OSPFv2 process globally. CONFIGURATION mode router ospf process-id [vrf] The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
FTOS(conf-if-gi-4/44)#no shutdown FTOS(conf-if-gi-4/44)#ex FTOS(conf)#router ospf 1 FTOS(conf-router_ospf-1)#network 1.2.3.4/24 area 0 FTOS(conf-router_ospf-1)#network 10.10.10.10/24 area 1 FTOS(conf-router_ospf-1)#network 20.20.20.20/24 area 2 FTOS(conf-router_ospf-1)# FTOS# Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting. To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode.
Process ID 1, Router ID 10.168.253.2, Network Type LOOPBACK, Cost: 1 Loopback interface is treated as a stub Host. FTOS# Configuring Stub Areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations.
passive-interface {default | interface} The default is enabled passive interfaces on ALL interfaces in the OSPF process. Entering the physical interface type, slot, and number enables passive interface on only the identified interface. – For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information (for example, passive-interface gi 2/1). – For a port channel, enter the keywords port-channel then a number from 1 to 255 for TeraScale and ExaScale.
Setting the convergence parameter (from 1 to 4) indicates the actual convergence level. Each convergence setting adjusts the LSA parameters to zero, but the fast-convergence parameter setting allows for even finer tuning of the convergence speed. The higher the number, the faster the convergence. To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level.
ip ospf cost • – cost: The range is from 1 to 65535 (the default depends on the interface speed). Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds – seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval. • The dead interval must be the same on all routers in the OSPF network. Change the time interval between hello-packet transmission.
The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration. Example of Changing and Verifying the cost Parameter and Viewing Interface Status FTOS(conf-if)#ip ospf cost 45 FTOS(conf-if)#show config ! interface GigabitEthernet 0/0 ip address 10.1.2.100 255.255.255.0 no shutdown ip ospf cost 45 FTOS(conf-if)#end FTOS#show ip ospf 34 interface GigabitEthernet 0/0 is up, line protocol is up Internet Address 10.1.2.100/24, Area 2.2.2.
NOTE: By default, OSPFv2 graceful restart is disabled. To enable and configure OSPFv2 graceful restart, use the following commands. 1. Enable OSPFv2 graceful-restart globally and set the grace period. CONFIG-ROUTEROSPF- id mode graceful-restart grace-period seconds The seconds range is from 40 and 3000. This setting is the time that an OSPFv2 router’s neighbors advertises it as fully adjacent, regardless of the synchronization state, during a graceful restart.
Configuring Virtual Links Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0). If an OSPF area does not have a direct connection to the backbone, at least one virtual link is required. Configure virtual links on an ABR connected to the backbone.
• Create a prefix list and assign it a unique name. CONFIGURATION mode ip prefix-list prefix-name • You are in PREFIX LIST mode. Create a prefix list with a sequence number and a deny or permit action. CONFIG- PREFIX LIST mode seq sequence-number {deny |permit} ip-prefix [ge min-prefix-length] [le maxprefix-length] The optional parameters are: – ge min-prefix-length: is the minimum prefix length to match (from 0 to 32). – le max-prefix-length: is the maximum prefix length to match (from 0 to 32).
router ospf 34 network 10.1.2.32 0.0.0.255 area 2.2.2.2 network 10.1.3.24 0.0.0.255 area 3.3.3.3 distribute-list dilling in FTOS(conf-router_ospf)# Troubleshooting OSPFv2 FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process. NOTE: The following is not a comprehensive list, just some examples of typical troubleshooting checks.
If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords: – event: view OSPF event messages. – packet: view OSPF packet information. – spf: view SPF information. – database-timers rate-limit: view the LSAs currently in the queue. Example of Viewing OSPF Configuration FTOS#show run ospf ! router ospf 3 ! router ospf 4 router-id 4.4.4.4 network 4.4.4.
Figure 99. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Gl 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface GigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Gl 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.
OSPF Area 0 — Gl 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface GigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface GigabitEthernet 2/2 ip address 10.2.22.2/24 no shutdown Configuration Task List for OSPFv3 (OSPF for IPv6) Open shortest path first version 3 (OSPF for IPv6) is supported on the S4820T platform.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1. Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface.
• no ipv6 router ospf process-id Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process Enter an example that illustrates the current task (optional). Enter the tasks the user should do after finishing this task (optional). Configuring Stub Areas To configure IPv6 stub areas, use the following command. • Configure the area as a stub area. CONF-IPV6-ROUTER-OSPF mode area area-id stub [no-summary] – no-summary: use these keywords to prevent transmission in to the area of summary ASBR LSAs.
• Specify which routes are redistributed into the OSPF process. CONF-IPV6-ROUTER-OSPF mode redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] Configure the following required and optional parameters: – bgp | connected | static: enter one of the keywords to redistribute those routes. – metric metric-value: The range is from 0 to 4294967295.
graceful-restart grace-period seconds • The valid values are from 40 to 1800 seconds. Configure an OSPFv3 interface to not act on the Grace LSAs that it receives from a restarting OSPFv3 neighbor. • INTERFACE mode ipv6 ospf graceful-restart helper-reject Specify the operating mode and type of events that trigger a graceful restart. CONF-IPV6-ROUTER-OSPF mode graceful-restart mode [planned-only | unplanned-only] • – Planned-only: the OSPFv3 router supports graceful restart only for planned restarts.
OSPFv3 Router with ID (200.1.1.
To ensure integrity, data origin authentication, detection and rejection of replays, and confidentiality of the packet, RFC 4302 and RFC 4303 propose using two security protocols — authentication header (AH) and encapsulating security payload (ESP). For OSPFv3, these two IPsec protocols provide interoperable, high-quality cryptographically-based security.
– 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported. NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode. However, this command does not provide a high level of network security. To enable key encryption in an IPsec security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands. Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
• • – esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported. – key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
Outbound ESP SPI Inbound ESP Auth Key Outbound ESP Auth Key Inbound ESP Cipher Key Outbound ESP Cipher Key Transform set : : : : : : 502 (0x1F6) 123456789a123456789b123456789c12 123456789a123456789b123456789c12 123456789a123456789b123456789c123456789d12345678 123456789a123456789b123456789c123456789d12345678 esp-3des esp-md5-hmac Crypto IPSec client security policy data Policy name Policy refcount Inbound AH SPI Outbound AH SPI Inbound AH Key Outbound AH Key Transform set : : : : : : : OSPFv3-1-500 2 50
outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 FTOS has several tools to make troubleshooting easier. Consider the following information as these are typical issues that interrupt the OSPFv3 process.
• show ipv6 ospf neighbor View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [event | packet] {type slot/port} 604 – event: View OSPF event messages. – packet: View OSPF packets. – For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information (for example, passive-interface gi 2/1). – For a port channel, enter the keywords port-channel then a number from 1 to 255 for TeraScale and ExaScale.
PIM Sparse-Mode (PIM-SM) 34 Protocol-independent multicast sparse-mode (PIM-SM) is supported on the S4820T platform. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information Be aware of the following PIM-SM implementation information.
has a (*,G) entry, the interface on which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP. Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP.
3. Enable PIM-SM on an interface. Enable multicast routing. CONFIGURATION mode ip multicast-routing Related Configuration Tasks The following are related PIM-SM configuration tasks. • Configuring S,G Expiry Timers • Configuring a Static Rendezvous Point • Configuring a Designated Router • Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1. Enable multicast routing on the system. CONFIGURATION mode ip multicast-routing 2.
Example of Viewing the PIM Multicast Routing Table FTOS#show ip pim tib PIM Multicast Routing Table Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT, Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.
NOTE: The expiry time configuration is nullified and the default global expiry time is used if: • an ACL is specified in the ip pim sparse-mode sg-expiry-timer command, but the ACL has not been created or is a standard ACL. • if the expiry time is specified for an (S,G) entry in a deny rule. Example Configuring an (S,G) Expiry Time FTOS(conf)#ip access-list extended SGtimer FTOS(config-ext-nacl)#permit ip 10.1.2.3/24 225.1.1.0/24 FTOS(config-ext-nacl)#permit ip any 232.1.1.
Example of Viewing the Rendezvous Point (Multicast Group) FTOS#show ip Group 225.0.1.40 226.1.1.1 pim rp RP 165.87.50.5 165.87.50.5 To display the assigned RP for a group range (group-to-RP mapping), use the show ip pim rp mapping command in EXEC privilege mode. Example of Viewing the Rendezvous Point (Multicast Group Range) FTOS#show ip pim rp mapping PIM Group-to-RP Mappings Group(s): 224.0.0.0/4, Static RP: 165.87.50.
Enabling PIM-SM Graceful Restart To enable PIM-SM graceful restart, use the following commands. • Enable PIM-SM graceful restart (non-stop forwarding capability). CONFIGURATION mode ip pim graceful-restart nsf – (option) restart-time: the time the Dell Networking system requires to restart. The default value is 180 seconds. – (option) stale-entry-time: the maximum amount of time that the Dell Networking system preserves entries from a restarting neighbor. The default value is 60 seconds.
PIM Source-Specific Mode (PIM-SSM) 35 PIM source-specific mode (PIM-SSM) is supported on the Z9000 platform. PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
IGMP group table. If you do not specify the group option, the display is a list of groups currently in the IGMP group table that has a group-to-source mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command. Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.
Port Monitoring 36 Port monitoring is supported on the S4820T platform. Port monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port monitoring functionality is different between platforms, but the behavior is the same, with highlighted exceptions.
Example of Changing the Destination Port in a Monitoring Session FTOS#show mon session SessionID Source Destination Direction Mode Type --------- ------ ----------- --------- ------0 Gi 0/13 Gi 0/1 rx interface Port-based 10 Gi 0/14 Gi 0/2 rx interface Port-based 20 Gi 0/15 Gi 0/3 rx interface Port-based 30 Gi 0/16 Gi 0/37 rx interface Port-based FTOS(conf)#mon ses 300 FTOS(conf-mon-sess-300)#source gig 0/17 destination gig 0/4 direction tx % Error: Exceeding max MG ports for this MD port pipe.
Figure 100. Port Monitoring Configurations on the S-Series FTOS Behavior: All monitored frames are tagged if the configured monitoring direction is transmit (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
--------- ------ ----------- --------- ------0 Gi 1/1 Gi 1/2 rx interface Port-based FTOS(conf)# In the example below, the host and server are exchanging traffic which passes through interface gigabitethernet 1/ 1. Interface gigabitethernet 1/1 is the monitored port and gigabitethernet 1/2 is the monitoring port, which is configured to only monitor traffic received on gigabitethernet 1/1 (host-originated traffic). Figure 101.
Private VLANs (PVLAN) 37 The private VLAN (PVLAN) feature is supported on the S4820T platform. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the FTOS Command Line Reference Guide. Private VLANs extend the Dell Networking operating system (FTOS) security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
• – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN. PVLAN port types include: • Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Display PVLANs and/or interfaces that are part of a PVLAN. EXEC mode or EXEC Privilege mode • show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] Display primary-secondary VLAN mapping. EXEC mode or EXEC Privilege mode • show vlan private-vlan mapping Set the PVLAN mode of the selected port.
NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. Conversely, you cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The example below shows the switchport mode private-vlan command on a port and on a port channel.
You can enter interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add promiscuous ports or PVLAN trunk ports to the PVLAN (no host or regular ports). 6. (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7. (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs.
INTERFACE VLAN mode private-vlan mode isolated 4. Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN. The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 102. Sample Private VLAN Topology The following configuration is based on the example diagram for the C300–1: • Gi 0/0 and Gi 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Gi 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Gi 0/24 and Gi 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
NOTE: Even after you disable ip-local-proxy-arp (no ip-local-proxy-arp) in a secondary VLAN, Layer 3 communication may happen between some secondary VLAN hosts, until the ARP timeout happens on those secondary VLAN hosts. In parallel, on S50-1: • Gi 0/3 is a promiscuous port and Gi 0/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. • Gi 0/4-6 are host ports. Gi 0/4 and Gi 0/5 are assigned to the community VLAN 4001, while Gi 0/6 is assigned to the isolated VLAN 4003.
4001 4002 4003 Community Yes Community Yes Isolated Yes Gi 4/0,23 Gi 4/24,47 Gi 0/24,47 Example of Viewing a Private VLAN (S50V) S50-1#show vlan private-vlan Primary Secondary Type Active ------- --------- --------- -----4000 Primary Yes 4001 Community Yes 4003 Isolated Yes Ports ----------Gi 0/3,25 Gi 0/4-5 Gi 0/6 Example of the show vlan private-vlan mapping Command S50-1#show vlan private-vlan mapping Private Vlan: Primary : 4000 Isolated : 4003 Community : 4001 NOTE: In the following example, notic
interface GigabitEthernet 0/25 no ip address switchport switchport mode private-vlan trunk no shutdown ! interface Vlan 4000 private-vlan mode primary private-vlan mapping secondary-vlan 4001-4003 no ip address tagged GigabitEthernet 0/3,25 no shutdown ! interface Vlan 4001 private-vlan mode community 630
Per-VLAN Spanning Tree Plus (PVST+) 38 Per-VLAN spanning tree plus (PVST+) is supported on the S4820T platform. Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 103.
Table 53. Spanning Tree Variations FTOS Supports Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The FTOS implementation of PVST+ is based on IEEE Standard 802.1w. • The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode • disable Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 104. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Gi 1/32 Port 375 (GigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree. CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
To keep both ports in a Forwarding state, use extend system ID. Extend system ID augments the bridge ID with a VLAN ID to differentiate BPDUs on each VLAN so that PVST+ does not detect a loop and both ports can remain in a Forwarding state. Figure 105. PVST+ with Extend System ID • Augment the bridge ID with the VLAN ID.
! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 interface Vlan 100 no ip address tagged GigabitEthernet 1/22,32 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 1/22,32 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 1/22,32 no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 Example of PVST+ Configuration (R2) interface GigabitEthernet 2/12 no ip address switchport no shutdown ! interface GigabitEthernet 2/32 n
! interface Vlan 100 no ip address tagged GigabitEthernet 3/12,22 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 3/12,22 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 3/12,22 no shutdown ! protocol spanning-tree pvst no disable vlan 300 bridge-priority 4096 640
39 Quality of Service (QoS) Quality of service (QoS) is supported on the S4820T platform. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 55. FTOS Support for Port-Based, Policy-Based, and Multicast QoS Features Feature • Specifying WRED Drop Precedence Weighted Random Early Detection • Creating WRED Profiles Platform Direction S4820T Egress S4820T Egress S4820T Egress Figure 106.
Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
FTOS(conf-if)#switchport FTOS(conf-if)#dot1p-priority 1 FTOS(conf-if)#end FTOS# Honoring dot1p Priorities on Ingress Traffic By default, FTOS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
FTOS(conf-if)#rate police 100 40 peak 150 50 FTOS(conf-if)#end FTOS# Example of Viewing Rate Policing Status FTOS#show interfaces gigabitEthernet 1/2 rate police Rate police 300 (50) peak 800 (50) Traffic Monitor 0: normal 300 (50) peak 800 (50) Out of profile yellow 23386960 red 320605113 Traffic Monitor 1: normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 2: normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 3: normal NA peak NA Out of profile yellow 0 red 0 Traffic Monitor 4: n
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 107. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to each class. For both class maps, Layer 2 and Layer 3, FTOS matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map. 1. Create a match-any class map. CONFIGURATION mode class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode match ip After you create a class-map, FTOS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4. Link the class-map to a queue.
match mac After you create a class-map, FTOS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4. Link the class-map to a queue. POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, FTOS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
ip access-list extended AF1-FB1 seq 5 permit ip host 23.64.0.2 any seq 10 deny ip any any ! ip access-list extended AF1-FB2 seq 5 permit ip host 23.64.0.3 any seq 10 deny ip any any ! ip access-list extended AF2 seq 5 permit ip host 23.64.0.5 any seq 10 deny ip any any FTOS#show cam layer3-qos interface gigabitethernet 4/49 Cam Port Dscp Proto Tcp Src Dst SrcIp DstIp DSCP Queue Index Flag Port Port Marking ----------------------------------------------------------------------20416 1 18 IP 0x0 0 0 23.64.0.
Creating an Input QoS Policy To create an input QoS policy, use the following steps. 1. Create a Layer 3 input QoS policy. CONFIGURATION mode qos-policy-input Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command. 2.
Table 57. Default Bandwidth Weights Queue Default Weight Equivalent Percentage 0 1 6.67% 1 2 13.33% 2 4 26.67% 3 8 53.33% A key similarity between allocating bandwidth by percentage and allocating by weight is that assigning a weight or percentage to one queue affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell Networking recommends evaluating your bandwidth requirements for all other queues as well.
Applying a Class-Map or Input QoS Policy to a Queue Applying an Input QoS Policy to an Input Policy Map Honoring DSCP Values on Ingress Packets Honoring dot1p Values on Ingress Packets 3. Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue.
Honoring dot1p Values on Ingress Packets FTOS honors dot1p values on ingress packets with the Trust dot1p feature. The following table specifies the queue to which the classified traffic is sent based on the dot1p value. Table 60. Default dot1p to Queue Mapping dot1p Queue ID 0 1 1 0 2 0 3 1 4 2 5 2 6 3 7 3 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN. • Enable the trust dot1p feature.
Applying an Input Policy Map to an Interface To apply an input policy map to an interface, use the following command. You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. • • You cannot apply a class-map and QoS policies to the same interface. • You cannot apply an input Layer 2 QoS policy on an interface you also configure with vlan-stack access.
Enabling QoS Rate Adjustment By default, while rate limiting, policing, and shaping, FTOS does not include the Preamble, SFD, or the IFG fields. These fields are overhead; only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
or a few types of traffic, leaving no space for other types. You can apply a WRED profile to a policy-map so that specified traffic can be prevented from consuming too much of the BTM resources. WRED uses a profile to specify minimum and maximum threshold values. The minimum threshold is the allotted buffer space for specified traffic, for example, 1000KB on egress.
threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic FTOS should apply the profile. FTOS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on it DSCP value before queuing it. DSCP is a 6–bit field. Dell Networking uses the first 3 bits of this field (DP) to determine the drop precedence. • • DP values of 110 and 100 map to yellow; all other values map to green.
FTOS# Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space is supported on the S4820T platform. Before FTOS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
• Verify that there are enough available CAM entries.
Routing Information Protocol (RIP) 40 Routing information protocol (RIP) is supported on the S4820T platform. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Table 62. RIP Defaults Feature Default Interfaces running RIP • • Listen to RIPv1 and RIPv2 Transmit RIPv1 RIP timers • • • • update timer = 30 seconds invalid timer = 180 seconds holddown timer = 180 seconds flush timer = 240 seconds Auto summarization Enabled ECMP paths supported 16 Configuration Information By default, RIP is disabled in FTOS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
network ip-address After designating networks with which the system is to exchange RIP information, ensure that all devices on that network are configured to exchange RIP information. The FTOS default is to send RIPv1 and to receive RIPv1 and RIPv2. To change the RIP version globally, use the version command in ROUTER RIP mode. To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes. Assign IP addresses to interfaces that are part of the same subnet as the RIP network identified in the network command syntax.
redistribute {connected | static} [metric metric-value] [route-map map-name] – • metric-value: the range is from 0 to 16. – map-name: the name of a configured route map. Include IS-IS routes in RIP. ROUTER RIP mode redistribute isis [level-1 | level-1-2 | level-2] [metric metric-value] [route-map map-name] – • metric-value: the range is from 0 to 16. – map-name: the name of a configured route map. Include specific OSPF routes in RIP.
Routing Protocols is RIP Sending updates every 30 seconds, next due in 23 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send GigabitEthernet 0/0 2 2 Routing for Networks: 10.0.0.
• Specify the generation of a default route in RIP. ROUTER RIP mode default-information originate [always] [metric value] [route-map route-mapname] – always: Enter the keyword always to always generate a default route. – value The range is from 1 to 16. – route-map-name: The name of a configured route map. To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
– offset: the range is from 0 to 16. – interface: the type, slot, and number of an interface. To view the configuration changes, use the show config command in ROUTER RIP mode. Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command. • debug ip rip [interface | database | events | trigger] EXEC privilege mode Enable debugging of RIP.
Example of Configuring RIPv2 on Core 2 Core2(conf-if-gi-2/31)# Core2(conf-if-gi-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.0 version 2 Core2(conf-router_rip)# Core 2 RIP Output The examples in the section show the core 2 RIP output.
C 10.200.10.0/24 C 10.300.10.0/24 R 192.168.1.0/24 R 192.168.2.0/24 Core2# R 192.168.1.0/24 R 192.168.2.0/24 Direct, Gi 2/41 Direct, Gi 2/42 via 10.11.20.1, Gi 2/31 via 10.11.20.1, Gi 2/31 0/0 0/0 120/1 120/1 00:03:03 00:02:42 00:01:20 00:01:20 via 10.11.20.1, Gi 2/31 via 10.11.20.
Core 3 RIP Output The examples in this section show the core 2 RIP output. • To display Core 3 RIP database, use the show ip rip database command. • To display Core 3 RIP setup, use the show ip route command. • To display Core 3 RIP activity, use the show ip protocols command. Example of the show ip rip database Command to View Learned RIP Routes on Core 3 Core3#show ip rip database Total number of routes in RIP database: 7 10.11.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 10.200.10.
Default version control: Interface Recv Send GigabitEthernet 3/21 GigabitEthernet 3/11 GigabitEthernet 3/44 GigabitEthernet 3/43 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 receive version 2, send version 2 2 2 2 2 2 2 2 2 Routing Information Sources: Gateway Distance Last Update 10.11.20.2 120 00:00:22 Distance: (default is 120) Core3# RIP Configuration Summary Example of Viewing RIP Configuration on Core 2 ! interface GigabitEthernet 2/11 ip address 10.11.10.
ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
Remote Monitoring (RMON) 41 Remote monitoring (RMON) is supported on the S4820T platform. RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
• Platform Adaptation — RMON supports all Dell Networking chassis and all Dell Networking Ethernet interfaces. Setting the rmon Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
Configuring an RMON Event To add an event in the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode. • Add an event in the RMON event table. CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
Example of the rmon collection statistics Command FTOS(conf-if-mgmt)#rmon collection statistics controlEntry 20 owner john Configuring the RMON Collection History To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in INTERFACE CONFIGURATION mode. • Configure the RMON MIB history group of statistics collection.
Rapid Spanning Tree Protocol (RSTP) 42 Rapid spanning tree protocol (RSTP) is supported on the S4820T platform. Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell operating system (FTOS) supports three other variations of spanning tree, as shown in the following table. Table 63.
• FTOS supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs.
interface GigabitEthernet 1/1 no ip address switchport no shutdown FTOS(conf-if-gi-1/1)# Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports.
Figure 110. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Example of the show spanning-tree rstp Command FTOS#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.
The port is not in the Edge port mode Port 379 (GigabitEthernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. • Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• The default is 2 seconds. Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
snmp-server enable traps xstp Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535.
– Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). To enable EdgePort on an interface, use the following command. • Enable EdgePort on an interface.
Software-Defined Networking (SDN) 43 Dell Networking operating software (FTOS) supports Software-Defined Networking (SDN). For more information, refer to the SDN Deployment Guide.
Security 44 Security features are supported on the S4820T platform. This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the FTOS Command Reference Guide. AAA Accounting Accounting, authentication, and authorization (AAA) accounting is part of the AAA security model.
– default | name: enter the name of a list of accounting methods. – start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end. – wait-start: ensures that the TACACS+ security server acknowledges the start notice before granting the user's process request.
Monitoring AAA Accounting FTOS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. FTOS evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, FTOS applies the next method list until the user either passes or fails the authentication. If the user fails a method list, FTOS does not apply the next method list.
– method-list-name: character string used to name the list of enable authentication methods activated when a user logs in. – method1 [... method4]: any of the following: RADIUS, TACACS, enable, line, none. If you do not set the default list, only the local enable is checked. This setting has the same effect as issuing an aaa authentication enable default enable command.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In FTOS, you can configure a privilege level for users who need limited access to the system. Every command in FTOS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in FTOS.
– name: Enter a text string up to 63 characters long. – access-class access-list-name: Enter the name of a configured IP ACL. – nopassword: Do not require the user to enter a password. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. – privilege level The range is from 0 to 15. To view usernames, use the show users command in EXEC Privilege mode.
Configure the optional and required parameters: 2. – name: enter a text string (up to 63 characters). – access-class access-list-name: enter the name of a configured IP ACL. – privilege level: the range is from 0 to 15. – nopassword: do not require the user to enter a password. – encryption-type: enter 0 for plain text or 7 for encrypted text. – password: enter a string. Configure a password for privilege level.
! hostname Force10 ! enable password level 8 notjohn enable password Force10 ! username admin password 0 admin username john password 0 john privilege 8 ! The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands. Example of Privilege Level Login and Available Commands apollo% telnet 172.31.1.
– password: Enter a text string up to 25 characters long. To view the password configured for a terminal, use the show config command in LINE mode. Enabling and Disabling Privilege Levels To enable and disable privilege levels, use the following commands. • Set a user’s security level. EXEC Privilege mode enable or enable privilege-level • If you do not enter a privilege level, FTOS sets it to 15 by default. Move to a lower privilege level.
|Force10 Boot | | | | | | | | | | | | | | | | | | | | | +-----------------------------+ Use the ^ and v keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting or 'c' for a command-line. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following happens: • The administrator changes the idle-time of the line on which the user has logged in.
NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication. However, if you have configured RADIUS authorization and have not configured authentication, a message is logged stating this. During authorization, the next method in the list (if present) is used, or if another method is not present, an error is reported.
– auth-port port-number: the range is from 0 to 65335. Enter a UDP port number. The default is 1812. – retransmit retries: the range is from 0 to 100. Default is 3. – timeout seconds: the range is from 0 to 1000. Default is 5 seconds. – key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius TACACS+ FTOS supports terminal access controller access control system (TACACS+ client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration task for TACACS+ functions.
To view the configuration, use the show config in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, FTOS employs the second method (or third method, if necessary) automatically. For example, if the TACACS+ server is reachable, but the server key is invalid, FTOS proceeds to the next authentication method. In the following example, the TACACS+ is incorrect, but the user is still authenticated by the secondary method.
downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note, that no matter where the user is coming from, they see the login prompt. When configuring a TACACS+ server host, you can set different communication parameters, such as the key password. Example of Specifying a TACACS+ Server Host FTOS# FTOS(conf)# FTOS(conf)#ip access-list standard deny10 FTOS(conf-std-nacl)#permit 10.0.0.
Command Authorization The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Specifying an SSH Version FTOS(conf)#ip ssh server version 2 FTOS(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. To disable SSH server functions, use the no ip ssh server enable command.
• show ip ssh client-pub-keys: display the client public keys used in host-based authentication. • show ip ssh rsa-authentication: display the authorized-keys for the RSA authentication. • ssh-peer-rpm: open an SSH connection to the peer RPM. The following example shows the use of SCP and SSH to copy a software image from one switch running SSH server on UDP port 99 to the local switch.
Using RSA Authentication of SSH The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2. 1. On the SSH client (Unix machine), generate an RSA key, as shown in the following example. 2. Copy the public key id_rsa.pub to the Dell Networking system. 3. Disable password authentication if enabled. CONFIGURATION mode no ip ssh password-authentication enable 4. Bind the public keys to RSA authentication.
Example of Creating shosts admin@Unix_client# cd /etc/ssh admin@Unix_client# ls moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub ssh_config ssh_host_dsa_key ssh_host_key ssh_host_rsa_key admin@Unix_client# cat ssh_host_rsa_key.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/ AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= admin@Unix_client# ls id_rsa id_rsa.
If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears. In this case, verify that the name and IP address of the client is contained in the file /etc/hosts: RSA Authentication Error. Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config.
excluded them from the VTY line with a deny-all access class. After users identify themselves, FTOS retrieves the access class from the local database and applies it. (FTOS then can close the connection if a user is denied access.) NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication. The following example shows how to allow or deny a Telnet connection to a user.
FTOS(config-std-mac)#deny any FTOS(conf)# FTOS(conf)#line vty 0 9 FTOS(config-line-vty)#access-class sourcemac FTOS(config-line-vty)#end 713
Service Provider Bridging 45 Service provider bridging is supported on the S4820T platform. VLAN Stacking Virtual local area network (VLAN) stacking is supported on the S4820T platform. VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 111. VLAN Stacking in a Service Provider Network Important Points to Remember 716 • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
[tagged | untagged] In the following example, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
vlan id FTOS# : 603 (MT), 100(T), 101(NU) VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
Figure 112.
Figure 113.
Figure 114. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the SSeries. Table 66. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Core Egress Access Point Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
• Make packets eligible for dropping based on their DEI value. CONFIGURATION mode dei enable By default, packets are colored green, and DEI is marked 0 on egress. Honoring the Incoming DEI Value To honor the incoming DEI value, you must explicitly map the DEI bit to an FTOS drop precedence. Precedence can have one of three colors. Description Green High-priority packets that are the least preferred to be dropped. Yellow Lower-priority packets that are treated as best-effort.
Default CFI/DEI Marking: 0 Interface Drop precedence CFI/DEI -------------------------------Gi 0/1 Green 0 Gi 0/1 Yellow 1 Gi 8/9 Yellow 0 Gi 8/40 Yellow 0 Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.
Examples of QoS Interface Configuration and Rate Policing policy-map-input in layer2 service-queue 3 class-map a qos-policy 3 ! class-map match-any a layer2 match mac access-group a ! mac access-list standard a seq 5 permit any ! qos-policy-input 3 layer2 rate-police 40 Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3.
Separate C-Tag values by commas. Dashed ranges are permitted. Dynamic Mode CoS overrides any Layer 2 QoS configuration in case of conflicts. NOTE: Because dot1p-mapping marks and queues packets, the only remaining applicable QoS configuration is rate metering. You may use Rate Shaping or Rate Policing. Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00.
Figure 116. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge. Figure 117. VLAN Stacking with L2PT Implementation Information 730 • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2. Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3. Tunnel BPDUs the VLAN.
The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.
sFlow 46 Configuring sFlow is supported on the S4820T platform. Overview The Dell Networking operating system (FTOS) supports sFlow version 5. sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows.
when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect. The dropEvent counter, in the sFlow packet, is always zero. • Community list and local preference fields are not filled in extended gateway element in the sFlow datagram. • 802.1P source priority field is not filled in extended switch element in sFlow datagram. • Only Destination and Destination Peer AS number are packed in the dst-as-path field in extended gateway element.
Example of Verifying Extended sFlow Disabled FTOS#show sflow sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 20 Global extended information enabled: none 0 collectors configured 0 UDP packets exported 0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Enabling and Disabling sFlow on an Interface By default, sFlow is disabled on all interfaces.
Linecard 1 Port set 0 H/W sampling rate 8192 Gi 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1 Gi 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2 Displaying Show sFlow on an Interface To view sFlow information on a specific interface, use the following command. • Display sFlow configuration information and statistics on a specific interface.
• Identify sFlow collectors to which sFlow datagrams are forwarded. CONFIGURATION mode sflow collector ip-address agent-addr ip-address [number [max-datagram-size number] ] | [max-datagram-size number ] The default UDP port is 6343. The default max-datagram-size is 1400. Changing the Polling Intervals The sflow polling-interval command configures the polling interval for an interface in the maximum number of seconds between successive samples of counters sent to the collector.
• extended-gateway — Source and destination AS number and the BGP next-hop. NOTE: The entire AS path is not included. BGP community-list and local preference information are not included. These fields are assigned default values and are not interpreted by the collector. • • Enable extended sFlow. sflow [extended-switch] [extended-router] [extended-gateway] enable By default packing of any of the extended information in the datagram is disabled. Confirm that extended information packing is enabled.
Table 68. Extended Gateway Summary IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description static/connected/IGP static/connected/IGP — — Extended gateway data is not exported because there is no AS information. static/connected/IGP BGP 0 Exported src_as and src_peer_as are zero because there is no AS information for IGP. BGP static/connected/IGP — Exported — Exported Prior to FTOS version 7.8.1.0, extended gateway data is not exported because IP DA is not learned via BGP.
47 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on the S4820T platform. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd). Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements.
• Copying Configuration Files via SNMP • Manage VLANs Using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-channels Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications.
! snmp-server community mycommunity ro Setting Up User-Based Security (SNMPv3) When setting up SNMPv3, you can set users up with one of the following three types of configuration for SNMP read/ write operations. Users are typically associated to an SNMP group with permissions provided, such as OID view. • noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration.
Select a User-based Security Type FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ? auth Use the SNMPv3 authNoPriv Security Level noauth Use the SNMPv3 noAuthNoPriv Security Level priv Use the SNMPv3 authPriv Security Level FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 noauth ? WORD SNMPv3 user name Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent.
Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. • To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance}syntax value Example of Writing the Value of a Managed Object > snmpset -v 2c -c mycommunity 10.11.
Subscribing to Managed Object Value Updates using SNMP By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. FTOS supports the following three sets of traps: • RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighbborLoss.
Enabling a Subset of SNMP Traps You can enable a subset of Dell Networking enterprise-specific SNMP traps using one of the following listed command options. To enable a subset of Dell Networking enterprise-specific SNMP traps, use the following command. • Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options.
FAN_BAD: Minor alarm: some fans in fan tray %d are down FAN_OK: Minor alarm cleared: all fans in fan tray %d are good vlt Enable VLT traps. vrrp Enable VRRP state change traps xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35. %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 11/38 transitioned from Forwarding to Blocking state. %SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client. • copy the running-config file to the startup-config file • copy configuration files from the Dell Networking system to a server • copy configuration files from a server to the Dell Networking system You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object OID Object Values Description • copyDestFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 e is running-config or startup-config, the default copyDestFileLocatio n is flash. If copyDestFileType is a binary, you must specify copyDestFileLocatio n and copyDestFileName. 1 = flash 2 = slot0 3 = tftp 4 = ftp 5 = scp Specifies the location of destination file. • If copyDestFileLocatio n is FTP or SCP, you must specify copyServerAddress , copyUserName, and copyUserPassword. copyDestFileName .1.3.
CONFIGURATION mode snmp-server community community-name rw 2. Copy the f10-copy-config.mib MIB from the Dell iSupport web page to the server to which you are copying the configuration file. 3. On the server, use the snmpset command as shown in the following example. snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value... – Every specified object must have an object value and must precede with the keyword i.
FTOS-COPY-CONFIG-MIB::copySrcFileType.101 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.101 = INTEGER: startupConfig(3) Example of Copying Configuration Files (Using OIDs) > snmpset -v 2c -c public -m ./f10-copy-config.mib 10.10.10.10 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.100 i 2 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.100 i 3 FFTOS-COPY-CONFIG-MIB::copySrcFileType.100 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.
Copying the Startup-Config Files to the Server via TFTP To copy the startup-config to the server via TFTP from the UNIX machine, use the following command. NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory. • Copy the startup-config to the server via TFTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.
MIB Object OID Values Description 3 = failed copyTimeStarted .1.3.6.1.4.1.6027.3.5.1.1.1.1.12 Time value Specifies the point in the up-time clock that the copy operation started. copyTimeCompleted .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 Time value Specifies the point in the up-time clock that the copy operation completed. copyFailCause .1.3.6.1.4.1.6027.3.5.1.1.1.1.
Example of Getting a MIB Object Value (Using OID) > snmpget -v 2c -c private 10.11.131.140 .1.3.6.1.4.1.6027.3.5.1.1.1.1.13.110 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.13.110 = Timeticks: (1179831) 3:16:38.31 Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object.
LineSpeed auto ARP type: ARPA, ARP Timeout 04:00:00 To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown for an S-Series. Example of Viewing VLAN Ports Using SNMP (No Ports Assigned) > snmpget -v2c -c mycommunity 10.11.131.185 . 1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged. • • To add a tagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts object. To add an untagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts objects.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Managing Overload on Startup If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS reload is implemented, use the following command.
Fetch Dynamic MAC Entries using SNMP Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.1d itself does not define them. As a switchport must belong a VLAN (the default VLAN or a configured VLAN), all MAC address learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address query.
VlanId Mac Address Type Interface State 1000 00:01:e8:06:95:ac Dynamic Gi 1/21 Active ---------------Query from Management Station--------------->snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.7.1.2.2.1 Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object. Table 72. MIB Objects for Viewing the System Image on Flash Partitions MIB Object OID Description MIB chSysSwInPartitionAImgVe 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 List the version string of the Chassis MIB rs system image in Flash Partition A. chSysSwInPartitionBImgVe 1.3.6.1.4.1.6027.3.10.1.2.8.1.
If we learn MAC addresses for the LAG, status is shown for those as well. Example of Viewing Status of Learned MAC Addresses dot3aCurAggVlanId SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 00 00 00 01 dot3aCurAggIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 dot3aCurAggStatus SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.
Stacking 48 Stacking is supported on the S4820T platform. Stacking is supported on the S4820T platform with the Dell operating system (FTOS) version 8.3.19.0 and newer. NOTE: The S4820T commands accept Unit ID numbers 0-11, though the S4820T supports stacking up to three units only with FTOS version 8.3.19.0 and version 8.3.10.2. The S4820T supports stacking up to six units with FTOS version 8.3.19.0.
• Inter-switch stacking link failure • Switch insertion • Switch removal If the master switch goes off line, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby. Stack Master Election The stack elects a master and standby unit at bootup time based on two criteria. • Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 1.
Virtual IP You can manage the stack using a single IP, known as a virtual IP, that is retained in the stack even after a failover. The virtual IP address is used to log in to the current master unit of the stack. Both IPv4 and IPv6 addresses are supported as virtual IPs. Failover Roles If the stack master fails (for example, is powered off), it is removed from the stack topology.
-- Stack Info -Unit UnitType Status ReqTyp CurTyp Version --------------------------------------------------0 Standby online S50V S50V 7.8.1.0 1 Management online S50N S50N 7.8.1.
• Shortest path selection inside the stack: If multiple paths exist between two units in the stack, the shortest path is used. Supported Stacking Topologies The S4820T supports stacking in a ring or a daisy chain topology. Dell Networking recommends the ring topology when stacking S4820T switches to provide redundant connectivity. Figure 118.
Link to Peer: Up -- PEER Stack-unit Status ------------------------------------------------Stack-unit State: Standby Peer stack-unit ID: 2 Stack-unit SW Version: 7.8.1.
start Start shell telnet-peer-stack-unit Open a telnet connection to the peer Stack-unit terminal Set terminal line parameters upload Upload file -----------------CONSOLE ACCESS ON A MEMBER---------------------------Stack(stack-member-0)#? reset-self Reset this unit alone show Show running system information You can connect two units with two or more stacking cables in case of a stacking port or cable failure. Removal of only one of the cables does not trigger a reset.
• Ports are divided into 16 stack-groups (0 to 15) as shown in the following example. The stack groups must be of a single speed - either all 10G or all 40G. – stack-group 0 corresponds to ports 0-3, stack-group 1 corresponds to ports 4-7, so on through stackgroup 11. – stack-group 12 corresponds to the 40G port 48, stack-group 13 corresponds to port 52, so on through stack group 15. Figure 119. S4820T Stack-Group Assignments You can connect the units while they are powered down or up.
Enabling Front End Port Stacking To enable the front ports on an S4820T unit for stacking, use the following commands. NOTE: After a port has been allocated for stacking, you can only use it for stacking. If stack-group 0 is allocated for stacking, you can use ports 0, 1, 2, and 3 for stacking but not for Ethernet anymore. If only port 0 is used for stacking, ports 1, 2, and 3 are spare; they cannot be used for Ethernet. 1. Assign a stack group for each unit.
The range is from 0 to 15. 6. Connect the units using stacking cables. NOTE: The S4820T does not require special stacking cables. The cables used to connect the data ports are sufficient. 7. Reload the stack one unit at a time. EXEC Privilege mode show system brief Start with the management unit, then the standby, then each of the members in order of their assigned stack number (or the position in the stack you want each unit to take).
FTOS(conf)# FTOS#02:39:18: %STKUNIT4-M:CP %SYS-5-CONFIG_I: Configured from console Reload each unit in the stack. After the reload is complete, the four units will come up as a stack with unit 1 as the management unit, unit 2 as the standby unit, and the remaining units as stack-members. All units in the stack can be accessed from the management unit.
Setting ports Te 0/0 Te 0/1 Te 0/2 Te 0/3 as stack group will make their interface configs obsolete after a reload. [confirm yes/no]:yes S4810-1#show system stack-ports Topology: Ring Interface Connection Link Speed Admin Link Trunk (Gb/s) Status Status Group -----------------------------------------------------------------0/0 1/0 10 up up 0/1 1/1 10 up up 0/2 1/2 10 up up 0/3 1/3 10 up up S4810-1# Add Units to an Existing S-Series Stack You can add units to an existing stack in one of three ways.
5. Connect the new unit to the stack using stacking cables.
– Login: username – Password: ***** – FTOS> enable – FTOS# configure Configure the ports on the added switch for stacking. 5. CONFIGURATION mode stack-unit 0 stack-group group-number 6. – stack-unit 0: defines the default ID unit-number in the initial configuration of a switch. – stack-group group-number: configures a port for stacking. Save the stacking configuration on the ports. EXEC Privilege mode write memory 7. Reload the switch.
• If one of the new stacks receives the master and the standby management units, it is unaffected by the split. • If one of the new stacks receives only the master unit, that unit remains the stack manager, and FTOS elects a new standby management unit. • If one of the new stacks receives only the standby unit, it becomes the master unit of the new stack, and FTOS elects a new standby unit.
• Refer to the following example. Display most of the information in show system, but in a more convenient tabular form. EXEC Privilege mode show system brief • Refer to the following example. Display the same information in show system, but only for the specified unit. EXEC Privilege mode show system stack-unit • Refer to the following example. Display topology and stack link status for the entire stack. EXEC Privilege mode show system stack-ports [status | topology] Refer to the following example.
-- Unit 3 -Unit Type Status Next Boot Required Type Current Type Master priority Hardware Rev Num Ports Up Time FTOS Version Jumbo Capable POE Capable Burned In MAC No Of MACs : : : : : : : : : : : : : : Standby Unit online online S4810 - 52-port GE/TE/FG (SE) S4810 - 52-port GE/TE/FG (SE) 0 3.0 64 57 min, 3 sec 8-3-7-13 yes no 00:01:e8:8a:df:bf 3 -----output truncated----Display information about an S4820T stack using the show system brief command.
Influencing Management Unit Selection on an S-Series Stack Stack priority is the system variable that FTOS uses to determine which units in the stack are the master and standby management units. If multiple units tie for highest priority, the unit with the highest MAC address prevails. If management was determined by priority only, a change in management occurs when: • the management unit is powered down or a failover occurs. • you disconnect the management unit from the stack.
• Reload a member unit, from the unit itself. • EXEC Privilege mode reset-self Reset a stack-unit when the unit is in a problem state. EXEC Privilege mode reset stack-unit {hard} Verify a Stack Configuration The light of the LED status indicator on the front panel of an S4820T stack identifies the unit’s role in the stack. • Off indicates the unit is a stack member. • Blinking green indicates the unit is the stack standby. • Solid green indicates the unit is the stack master (management unit).
Jumbo Capable POE Capable Boot Flash Memory Size Temperature Voltage Serial Number Part Number Vendor Id Date Code Country Code Piece Part ID PPID Revision Service Tag Expr Svc Code Auto Reboot Burned In MAC No Of MACs : : : : : : : : : : : : : : : : : : yes no 1.2.0.
Remove Units or Front End Ports from a Stack To remove units or front end ports from a stack, use the following instructions. • Removing a Unit from an S-Series Stack • Removing Front End Port Stacking Removing a Unit from an S-Series Stack The running-configuration and startup-configuration are synchronized on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit.
Removing Front End Port Stacking To remove the configuration on the front end ports used for stacking, use the following commands. 1. Remove the stack group configuration that is configured. CONFIGURATION mode no stack-unit id stack-group id 2. Save the stacking configuration on the ports. EXEC Privilege mode write memory 3. Reload the switch. EXEC Privilege mode reload After the units are reloaded, the system reboots. The units come up as standalone units after the reboot completes.
stack port now. Error: Please check the stack cable/module and power-cycle the stack. Recover from a Card Problem State on an S-Series Stack If a unit added to a stack has a different FTOS version, the unit does not come online and FTOS cites a card problem error. To recover, disconnect the new unit from the stack, change the FTOS version to match the stack, and then reconnect it to the stack.
• remove the provision from the stack, then reconnect the standalone unit, or • renumber the standalone unit with another available stack number on the stack.
6 7 Member Member not present not present 787
Storm Control 49 Storm control is supported on the and S4820T platform. The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. FTOS Behavior: FTOS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. FTOS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the S4820T is two.
Spanning Tree Protocol (STP) 50 The spanning tree protocol (STP) is supported on the S4820T platform. Protocol Overview STP is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
Important Points to Remember • • • • • STP is disabled by default. The Dell Networking operating system (FTOS) supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time.
To configure and enable the interfaces for Layer 2, use the following command. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE switchport 3. Enable the interface. INTERFACE mode no shutdown To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Figure 122. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Example of Viewing Spanning Tree Configuration R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and maxage and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP. Table 74.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Example of Verifying PortFast is Enabled on an Interface FTOS#(conf-if-gi-1/1)#show conf ! interface GigabitEthernet 1/1 no ip address switchport spanning-tree 0 portfast no shutdown FTOS#(conf-if-gi-1/1)# Prevent Network Disruptions with BPDU Guard Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/ Edgport (edgeports) do not expect to receive BDPUs.
Figure 123. Enabling BPDU Guard FTOS Behavior: BPDU guard and BPDU filtering (refer to Removing an Interface from the Spanning Tree Group) both block BPDUs, but are two separate features. BPDU guard: • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. • drops the BPDU after it reaches the RPM and generates a console message.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ---------- ------ -------- ---- ------- --- ---------------Gi 0/6 Root 128.263 128 20000 FWD 20000 P2P No Gi 0/7 ErrDis 128.
A, device D is elected as root, causing the link between Switches A and B to enter a Blocking state. Network traffic then begins to flow in the directions indicated by the BPDU arrows in the topology. If the links between Switches C and A or Switches C and B cannot handle the increased traffic flow, frames may be dropped.
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure root guard on a port on which loop guard is already configured, the following error message displays: • % Error: LoopGuard is configured. Cannot configure RootGuard. • When used in an MSTP network, if root guard blocks a boundary port in the CIST, the port is also blocked in all other MST instances.
redundancy protocol xstp FTOS# STP Loop Guard STP loop guard is supported only on the S4820T platform. The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs.
Figure 125. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. FTOS Behavior: The following conditions apply to a port enabled with loop guard: 804 • Loop guard is supported on any STP-enabled port or port-channel interface.
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard. • Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it.
System Time and Date 51 System time and date settings and the network time protocol (NTP) are supported on the S4820T platform. You can set system times and dates and maintained through the NTP. They are also set through the Dell Networking operating system (FTOS) command line interfaces (CLIs) and hardware settings. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
and serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network. Protocol Overview The NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell Networking system synchronizes. CONFIGURATION mode ntp server ip-address To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
• Set the interface to receive NTP packets. INTERFACE mode ntp broadcast client Example of Configuring NTP Broadcasts 2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.496884 Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, FTOS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface.
Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources. NTP authentication begins when the first NTP packet is created following the configuration of keys. NTP authentication in FTOS uses the message digest 5 (MD5) algorithm and the key is embedded in the synchronization packet that is sent to an NTP time source. FTOS Behavior: FTOS versions 8.2.1.
ntp server 11.1.1.1 version 3 ntp trusted-key 345 FTOS# Configuring an NTP Server R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.406 UTC Thu Apr 2 2009) rec CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) xmt CD7F5368.D0535000 (15:8:24.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Setting the Time and Date for the Switch Hardware Clock To set the time and date for the switch hardware clock, use the following command. • Set the hardware clock to the current time and date. EXEC Privilege mode calendar set time month day year – time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. – month: enter the name of one of the 12 months in English.
• Set the clock to the appropriate timezone. CONFIGURATION mode clock timezone timezone-name offset – timezone-name: enter the name of the timezone. Do not use spaces. – offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009" Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
FTOS(conf)#02:02:13: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009" NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting.
Tunneling 52 Tunneling is supported on the S4820T platform. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel Configuring a tunnel is supported on the S4820T platform. You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
tunnel destination 23.22.21.3 tunnel source 23.22.22.3 tunnel mode ipv6ip no shutdown FTOS(conf-if-tu-22)#ipv6 address 5adb::3/64 FTOS(conf-if-tu-22)#sho c ! interface Tunnel 22 no ip address ipv6 address 5adb::3/64 tunnel destination 23.22.21.3 tunnel source 23.22.22.3 tunnel mode ipv6ip no shutdown FTOS(conf-if-tu-22)#exit FTOS(conf)#ip route 23.22.21.0/24 23.22.22.
Uplink Failure Detection (UFD) 53 Uplink failure detection (UFD) is supported on the S4820T platform. Feature Description UFD provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 127. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 128. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• • You can assign physical port or port-channel interfaces to an uplink-state group. – You can assign an interface to only one uplink-state group. Configure each interface assigned to an uplink-state group as either an upstream or downstream interface, but not both. – You can assign individual member ports of a port channel to the group. An uplink-state group can contain either the member ports of a port channel or the port channel itself, but not both.
Where port-range and port-channel-range specify a range of ports separated by a dash (-) and/or individual ports/port channels in any order; for example: upstream gigabitethernet 1/1-2,5,9,11-12 downstream port-channel 1-3,5 – A comma is required to separate each port and port-range entry. To delete an interface from the group, use the no {upstream | downstream} interface command. 3.
– Fast Ethernet: enter fastethernet {slot/port | slot/port-range} – 1 Gigabit Ethernet: enter gigabitethernet {slot/port | slot/port-range} – 10 Gigabit Ethernet: enter tengigabitethernet {slot/port | slot/port-range} – Port channel: enter port-channel {1-512 | port-channel-range} * Where port-range and port-channel-range specify a range of ports separated by a dash (-) and/or individual ports/port channels in any order; for example: gigabitethernet 1/1-2,5,9,11-12 port-channel 1-3,5 * A comma is
02:38:53: disabled: Fo 13/0 02:38:53: disabled: Fo 13/1 02:38:53: disabled: Fo 13/3 02:38:53: disabled: Fo 13/5 02:38:53: disabled: Fo 13/6 02:38:53: 13/0 02:38:53: 13/1 02:38:53: 13/3 02:38:53: 13/5 02:38:53: 13/6 %RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error%RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error%RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error%RPM0-P:CP %IFMGR-5-OSTATE_UP: Downstream interface cleared from UFD error
Uplink Uplink Uplink Uplink Uplink Uplink State State State State State State Group: Group: Group: Group: Group: Group: 1 3 5 6 7 16 Status: Status: Status: Status: Status: Status: Enabled, Up Enabled, Up Enabled, Down Enabled, Up Enabled, Up Disabled, Up FTOS# show uplink-state-group 16 Uplink State Group: 16 Status: Disabled, Up FTOS#show uplink-state-group detail (Up): Interface up (Dwn): Interface down (Dis): Interface disabled Uplink State Group : 1 Upstream Interfaces : Downstream Interfaces :
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
FTOS(conf-uplink-state-group-3)# show config ! uplink-state-group 3 description Testing UFD feature downstream disable links 2 downstream GigabitEthernet 0/1-2,5,9,11-12 upstream GigabitEthernet 0/3-4 FTOS(conf-uplink-state-group-3)# FTOS(conf-uplink-state-group-3)#exit FTOS(conf)#exit FTOS# 00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console FTOS# show running-config uplink-state-group ! uplink-state-group 3 description Testing UFD feature downstream disable links 2 downstream Giga
Upgrade Procedures 54 To find the upgrade procedures, go to the FTOS Release Notes for your system type to see all the requirements needed to upgrade to the desired FTOS version. To upgrade your system type, follow the procedures in the FTOS Release Notes. Get Help with Upgrades Direct any questions or concerns about the FTOS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://support.dell.com/ • By email: Dell-Force10_Technical_Support@Dell.
Virtual LANs (VLANs) 55 Virtual LANs (VLANs) are supported on the S4820T platform. VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (FTOS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
Figure 129. Tagged Frame Format The tag header contains some key information that FTOS uses: • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard.
To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
NUM Status Q * 1 Inactive 2 Active T T 3 Active T T Ports Po1(So 0/0-1) Gi 3/0 Po1(So 0/0-1) Gi 3/1 FTOS#config FTOS(conf)#int vlan 4 FTOS(conf-if-vlan)#tagged po 1 FTOS(conf-if-vlan)#show conf ! interface Vlan 4 no ip address tagged Port-channel 1 FTOS(conf-if-vlan)#end FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T 4 Active T FTOS# Ports Po1(So 0/0-1) Gi 3/0 Po1(So 0/0-1) Gi 3/1 Po1(So 0/0-1) When you remove a tagged interface from a VLAN (us
Move an Untagged Interface to Another VLAN FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 Status Active Active 3 Active Q U T T T T Ports Gi 3/2 Po1(So 0/0-1) Gi 3/0 Po1(So 0/0-1) Gi 3/1 4 Inactive FTOS#conf FTOS(conf)#int vlan 4 FTOS(conf-if-vlan)#untagged gi 3/2 FTOS(conf-if-vlan)#show config ! interface Vlan 4 no ip address untagged GigabitEthernet 3/2 FTOS(conf-if-vlan)#end FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 Status Q Inactive Active T T Active T T
– secondary — This is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags).
Default: the default VLAN is enabled (no default-vlan disable).
Virtual Link Trunking (VLT) 56 Virtual link trunking (VLT) is supported on the S4820T platform. Overview VLT allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology.
Figure 130. VLT on S4820T Switches VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
Figure 131. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • You cannot enable S4820T stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior occurs. Refer to VLT and Stacking. • VLT port channel interfaces must be switch ports. • If you include RSTP on the system, configure it before VLT. Refer to Configure Rapid Spanning Tree.
Configuration Notes When you configure VLT, the following conditions apply. • • VLT domain – A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. – A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. – Each VLT domain has a unique MAC address that you create or VLT creates automatically.
– When you change the default VLAN ID on a VLT peer switch, the VLT interconnect may flap. – In a VLT domain, the following software features are supported on VLTi: link layer discovery protocol (LLDP), flow control, port monitoring, jumbo frames, and data center bridging (DCB). – When you enable the VLTi link, the link between the VLT peer switches is established if the following configured information is true on both peer switches: * the VLT system MAC address matches.
In the port-channel used by the switch to connect to the VLT domain, configure the port interfaces on each VLT peer as hybrid ports before adding them to the port channel (refer to Connecting a VLT Domain to an Attached Access Device (Switch or Server)). To configure a port in Hybrid mode so that it can carry untagged, single-tagged, and double-tagged traffic, use the portmode hybrid command in Interface Configuration mode as described in Configuring Native VLANs.
• • Failure scenarios – On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding. – When a VLT switch determines that a VLT port channel has failed (and that no other local port channels are available), the peer with the failed port channel notifies the remote peer that it no longer has an active port channel for a link.
• Configure any ports at the edge of the spanning tree’s operating domain as edge ports, which are directly connected to end stations or server racks. Disable RSTP on ports connected directly to Layer 3-only routers not running STP or configure them as edge ports. • Ensure that the primary VLT node is the root bridge and the secondary VLT peer node has the second-best bridge ID in the network.
VLT Port Delayed Restoration With FTOS version 8.3.19.0, when a VLT node boots up, if the VLT ports have been previously saved in the start-up configuration, they are not immediately enabled. To ensure MAC and ARP entries from the VLT per node are downloaded to the newly enabled VLT node, the system allows time for the VLT ports on the new node to be enabled and begin receiving traffic. The delay-restore feature waits for all saved configurations to be applied, then starts a configurable timer.
Figure 132. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
vlt domain domain-id 2. Enable peer-routing. VLT DOMAIN mode peer-routing 3. Configure the peer-routing timeout. VLT DOMAIN mode peer-routing—timeout value value: Specify a value (in seconds) from 1 to 65535. VLT Multicast Routing VLT multicast routing is supported on the S4820T platform.
peer-routing 3. Configure the multicast peer-routing timeout. VLT DOMAIN mode multicast peer-routing—timeout value value: Specify a value (in seconds) from 1 to 1200. 4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router. 5. Configure a PIM-enabled external neighboring router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point. 6.
no disable 3. Configure each peer switch with a unique bridge priority. PROTOCOL SPANNING TREE RSTP mode bridge-priority Sample RSTP Configuration The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch.
Configuring a VLT Interconnect To configure a VLT interconnect, follow these steps. 1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2.
4. (Optional) Prevent a possible loop during the bootup of a VLT peer switch or a device that accesses the VLT domain. CONFIGURATION mode lacp ungroup member-independent {vlt | port-channel port-channel-id} LACP on VLT ports (on a VLT switch or access device), which are members of the virtual link trunk, is not brought up until the VLT domain is recognized on the access device. 5.
The range of domain IDs is from 1 to 1000. 2. (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, FTOS elects a primary and secondary VLT peer device. VLT DOMAIN CONFIGURATION mode primary-priority value To reconfigure the primary role of VLT peer switches, use the primary-priority command. To configure the primary role on a VLT peer, enter a lower value than the priority value of the remote peer. The priority values are from 1 to 65535.
5. – 1-Gigabit Ethernet: enter gigabitethernet slot/port. – 10-Gigabit Ethernet: enter tengigabitethernet slot/port. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 6. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number The valid port-channel ID numbers are from 1 to 128. 7.
channel-member interface interface: specify one of the following interface types: 3. – 1 Gigabit Ethernet: enter gigabitethernet slot/port. – 10 Gigabit Ethernet: enter tengigabitethernet slot/port. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 4. Enter the port-channel number that acts as the interconnect trunk.
10. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number Valid port-channel ID numbers are from 1 to 128. 11. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 12. Add links to the eVLT port. Configure a range of interfaces to bulk configure. CONFIGURATION mode interface range {port-channel id} 13. Enable LACP on the LAN port.
7. Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 1. EXEC mode or EXEC Privilege mode show interfaces interface 8. Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9. Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. EXEC Privilege mode show running-config entity 10.
back-up destination 10.11.206.58 s4810-2# s4810-2# show interfaces managementethernet 0/0 Internet address is 10.11.206.43/16 s4810-4#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.43 s4810-4# s4810-4#show running-config interface managementethernet 0/0 ip address 10.11.206.58/16 no shutdown Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit.
! interface TenGigabitEthernet 0/50 no ip address ! port-channel-protocol LACP port-channel 100 mode active no shutdown s60-1# s60-1#show running-config interface port-channel 100 ! interface Port-channel 100 no ip address switchport no shutdown s60-1# s60-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel L LAG 100 Mode L2 Status up Uptime 03:33:48 s60-1# Ports Te 0/48 (Up) Te 0/50 (Up) Verify VLT is up.
eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 fist, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet. Figure 133.
Next, configure the VLT domain and VLTi on Peer 2. Domain_1_Peer2#configure Domain_1_Peer2(conf)#interface port-channel 1 Domain_1_Peer2(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer2(conf) #vlt domain Domain_1_Peer2(conf-vlt-domain)# Domain_1_Peer2(conf-vlt-domain)# Domain_1_Peer2(conf-vlt-domain)# Domain_1_Peer2(conf-vlt-domain)# 1000 peer-link port-channel 1 back-up destination 10.16.130.12 system-mac mac-address 00:0a:00:0a:00:0a unit-id 1 Configure eVLT on Peer 2.
Configure eVLT on Peer 4. Domain_2_Peer4(conf)#interface port-channel 100 Domain_2_Peer4(conf-if-po-100)# switchport Domain_2_Peer4(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_2_Peer4(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 4.
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches. • Display information on backup link operation. EXEC mode • show vlt backup-link Display general status information about VLT domains currently configured on the switch.
UDP Port: 34998 HeartBeat Messages Sent: 1026 HeartBeat Messages Received: 1025 FTOS_VLTpeer2# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.
2 100 127 100 UP UP UP UP Example of the show vlt role Command FTOS_VLTpeer1# show vlt role VLT Role ---------VLT Role: System MAC address: System Role Priority: Local System MAC address: Local System Role Priority: Primary 00:01:e8:8a:df:bc 32768 00:01:e8:8a:df:bc 32768 FTOS_VLTpeer2# show vlt role VLT Role ---------VLT Role: System MAC address: System Role Priority: Local System MAC address: Local System Role Priority: Secondary 00:01:e8:8a:df:bc 32768 00:01:e8:8a:df:e6 32768 Example of the show r
Example of the show spanning-tree rstp Command The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt). FTOS_VLTpeer1# show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e88a.
Configure the backup link. FTOS_VLTpeer1(conf)#interface ManagementEthernet 0/0 FTOS_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.23/ FTOS_VLTpeer1(conf-if-ma-0/0)#no shutdown FTOS_VLTpeer1(conf-if-ma-0/0)#exit Configure the VLT interconnect (VLTi).
Configure the port channel to an attached device. FTOS_VLTpeer2(conf)#interface port-channel 110 FTOS_VLTpeer2(conf-if-po-110)#no ip address FTOS_VLTpeer2(conf-if-po-110)#switchport FTOS_VLTpeer2(conf-if-po-110)#channel-member fortyGigE 0/48 FTOS_VLTpeer2(conf-if-po-110)#no shutdown FTOS_VLTpeer2(conf-if-po-110)#vlt-peer-lag port-channel 110 FTOS_VLTpeer2(conf-if-po-110)#end Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description Behavior at Peer Up Behavior During Run Time Action to Take FTOS Version mismatch A syslog error message is generated. A syslog error message is generated. Follow the correct upgrade procedure for the unit with the mismatched FTOS version. Remote VLT port channel status N/A N/A Use the show vlt detail and show vlt brief commands to view the VLT port channel status information. Spanning tree mismatch at global level All VLT port channels go down on both VLT peers.
Reconfiguring Stacked Switches as VLT To convert switches that have been stacked to VLT peers, use the following procedure. 1. Remove the current configuration from the switches. You will need to split the configuration up for each switch. 2. Copy the files to the flash memory of the appropriate switch. 3. Copy the files on the flash drive to the startup-config. 4. Reset the stacking ports to user ports for both switches. 5. Reload the stack and confirm the new configurations have been applied. 6.
Virtual Router Redundancy Protocol (VRRP) 57 Virtual router redundancy protocol (VRRP) is supported on the S4820T platform. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 134. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. Table 76.
• Delete a VRRP group. INTERFACE mode no vrrp-group vrid Example of Configuring VRRP FTOS(conf)#int gi 1/1 FTOS(conf-if-gi-1/1)#vrrp-group 111 FTOS(conf-if-gi-1/1-vrid-111)# Example of Verifying the VRRP Configuration FTOS(conf-if-gi-1/1)#show conf ! interface GigabitEthernet 1/1 ip address 10.10.10.1/24 ! vrrp-group 111 no shutdown FTOS(conf-if-gi-1/1)# Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID).
vrrp-group vrrp-id The VRID range is from 1 to 255. 2. Configure virtual IP addresses for this VRID. INTERFACE -VRID mode virtual-address ip-address1 [...ip-address12] The range is up to 12 addresses. Example of the virtual-address Command FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1 FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2 FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.
Setting VRRP Group (Virtual Router) Priority Setting a virtual router priority to 255 ensures that router is the “owner” virtual router for the VRRP group. VRRP elects the MASTER router by choosing the router with the highest priority. The default priority for a virtual router is 100. The higher the number, the higher the priority. If the MASTER router fails, VRRP begins the election process to choose a new MASTER router based on the next-highest priority.
• Configure a simple text password. INTERFACE-VRID mode authentication-type simple [encryption-type] password Parameters: – encryption-type: 0 indicates unencrypted; 7 indicates encrypted. – password: plain text. Example of authentication-type Command The bold section shows the encryption type (encrypted) and the password.
virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 FTOS(conf-if-gi-1/1-vrid-111)# Changing the Advertisement Interval By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
• 1 Gigabit Ethernet: enter gigabitethernet slot/port in the track interface command (shown in the following example). • 10 Gigabit Ethernet: enter tengigabitethernet slot/port. • Port channel: enter port-channel number. • SONET: enter sonet slot/port. • VLAN: enter vlan vlan-id. – – For the S-Series, the valid port channel numbers are from 1 to 128. The valid VLAN IDs are from 1 to 4094.
vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 track GigabitEthernet 1/2 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.
virtual-address 2007::1 virtual-address fe80::1 no shutdown Setting VRRP Initialization Delay VRRP initialization delay is supported on the S4820T platform. When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Figure 135. VRRP for IPv4 Topology Example of Configuring VRRP for IPv4 Router 2 R2(conf)#int gi 2/31 R2(conf-if-gi-2/31)#ip address 10.1.1.1/24 R2(conf-if-gi-2/31)#vrrp-group 99 R2(conf-if-gi-2/31-vrid-99)#priority 200 R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-gi-2/31-vrid-99)#no shut R2(conf-if-gi-2/31)#show conf ! interface GigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
no shutdown R2(conf-if-gi-2/31)#end R2#show vrrp -----------------GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#int gi 3/21 R3(conf-if-gi-3/21)#ip address 10.1.1.
Figure 136. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. Example of Configuring VRRP for IPv6 Router 2 and Router 3 Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-gi-0/0)#no ip address R2(conf-if-gi-0/0)#ipv6 address 1::1/64 R2(conf-if-gi-0/0)#vrrp-group 10 R2(conf-if-gi-0/0-vrid-10)#virtual-address fe80::10 R2(conf-if-gi-0/0-vrid-10)#virtual-address 1::10 R2(conf-if-gi-0/0-vrid-10)#no shutdown R2(conf-if-gi-0/0)#show config interface GigabitEthernet 0/0 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-gi-0/0)#end R2#show vrrp -----------------GigabitEthernet 0/0, IPv6 VRID: 10, Version:
VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration. VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN.
Figure 137. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Switch-1 S1(conf)#ip vrf default-vrf 0 ! S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface GigabitEthernet 12/1 S1(conf-if-gi-12/1)#ip vrf forwarding VRF-1 S1(conf-if-gi-12/1)#ip address 10.10.1.5/24 S1(conf-if-gi-12/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
! S1(conf)#interface GigabitEthernet 12/3 S1(conf-if-gi-12/3)#ip vrf forwarding VRF-3 S1(conf-if-gi-12/3)#ip address 20.1.1.5/24 S1(conf-if-gi-12/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-gi-12/3-vrid-105)#priority 255 S1(conf-if-gi-12/3-vrid-105)#virtual-address 20.1.1.
! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface GigabitEthernet 12/4 S1(conf-if-gi-12/4)#no ip address S1(conf-if-gi-12/4)#switchport S1(conf-if-gi-12/4)#no shutdown ! S1(conf-if-gi-12/4)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.5/24 S1(conf-if-vl-100)#tagged gigabitethernet 12/4 S1(conf-if-vl-100)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-gi-12/4)#interface vlan 200 S2(conf-if-vl-200)#ip vrf forwarding VRF-2 S2(conf-if-vl-200)#ip address 10.10.1.2/24 S2(conf-if-vl-200)#tagged gigabitethernet 12/4 S2(conf-if-vl-200)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 2 will be 178. S2(conf-if-vl-200-vrid-101)#priority 255 S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.
S-Series Debugging and Diagnostics 58 This chapter describes debugging and diagnostics for the S-Series platform. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
EXEC Privilege mode show system brief 3. Start diagnostics on the unit. diag When the tests are complete, the system displays the following message and automatically reboots the unit. FTOS#00:09:32 : Diagnostic test results are stored on file: flash:/ TestReport-SU-1.txt 00:09:37: %S50N:1 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 1 Diags completed... Rebooting the system now!!! Diagnostic results are printed to a file in the flash using the filename format TestReport-SU-.txt.
0 1 1 2 2 1 0 1 0 1 absent up absent up absent AC AC Example of the diag Command (Standalone Unit) FTOS#diag stack-unit 1 alllevels Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports Proceed with Diags [confirm yes/no]: yes 00:03:35: %S50N:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1 00:03:35 : Approximate time to complete these Diags ...
Example of the show file flash:\\ Command (Standalone Unit) FTOS#show file flash://TestReport-SU-0.txt *********************S-Series Diagnostics******************** Stack Unit Board Serial Number : DL267160098 CPU Version : MPC8541, Version: 1.1 PLD Version : 5 Diag image based on build : E_MAIN4.7.7.206 Stack Unit Board Voltage levels - 3.300000 V, 2.500000 V, 1.800000 V, 1.250000 V, 1.200000 V, 2.
Auto Save on Crash or Rollover Exception information for MASTER or standby units is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout. On a MASTER unit, you can reach the TRACE_LOG_DIR files by FTP or by using the show file command from the flash://TRACE_LOG_DIR directory. On a Standby unit, you can reach the TRACE_LOG_DIR files only by using the show file command from the flash://TRACE_LOG_DIR directory.
• View the modular packet buffers details per stack unit and the mode of allocation. EXEC Privilege mode • show hardware stack-unit {0-11} buffer total-buffer View the modular packet buffers details per unit and the mode of allocation. EXEC Privilege mode • show hardware stack-unit {0-11} buffer unit {0-1} total-buffer View the forwarding plane statistics containing the packet buffer usage per port per stack unit.
show hardware stack-unit {0-11} unit {0-1} table-dump {table name} Enabling Environmental Monitoring The S4820T components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, you must enable the following command. • Enable environmental monitoring.
2. Check air flow through the system. Ensure that the air ducts are clean and that all fans are working correctly. 3. After the software has determined that the temperature levels are within normal limits, you can re-power the card safely. To bring back the line card online, use the power-on command in EXEC mode. In addition, to control airflow for adequate system cooling, Dell Networking requires that you install blanks in all slots without a line card.
OID String OID Name Description .1.3.6.1.4.1.6027.3.16.1.1.5 fpStatsPerPortTable View the forwarding plane statistics containing the packet buffer usage per port per stack unit. .1.3.6.1.4.1.6027.3.16.1.1.6 fpStatsPerCOSTable View the forwarding plane statistics containing the packet buffer statistics per COS per port. Buffer Tuning Buffer tuning allows you to modify the way your switch allocates buffers from its available memory and helps prevent packet drops during a temporary burst of traffic.
• Dynamic Pool= Total Available Pool(16384 cells) — Total Dedicated Pool = 5904 cells • Oversubscription ratio = 10 • Dynamic Cell Limit Per port = 59040/29 = 2036 cells Figure 138. Buffer Tuning Points Deciding to Tune Buffers Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases.
• buffer-profile csf csqueue Change the dedicated buffers on a physical 1G interface. • BUFFER PROFILE mode buffer dedicated Change the maximum number of dynamic buffers an interface can request. • BUFFER PROFILE mode buffer dynamic Change the number of packet-pointers per queue. • BUFFER PROFILE mode buffer packet-pointers Apply the buffer profile to a line card. • CONFIGURATION mode buffer fp-uplink linecard Apply the buffer profile to a CSF to FP link.
2 3 4 5 6 7 2.50 2.50 9.38 9.38 9.38 9.38 256 256 256 256 256 256 Example of Viewing the Buffer Profile Allocations FTOS#show running-config interface tengigabitethernet 2/0 ! interface TenGigabitEthernet 2/0 no ip address mtu 9252 switchport no shutdown buffer-policy myfsbufferprofile Example of Viewing the Buffer Profile (Interface) FTOS#sho buffer-profile detail int gi 0/10 Interface Gi 0/10 Buffer-profile fsqueue-fp Dynamic buffer 1256.
FTOS Behavior: If you configure 1Q, save the running-config to the startup-config, and then delete the startup-config and reload the chassis. The only way to return to the default buffer profile is to remove the 1Q profile configured and then reload the chassis. If you have already applied a custom buffer profile on an interface, the buffer-profile global command fails and a message similar to the following displays: % Error: User-defined buffer profile already applied.
• • • • • • • • • • • • • • show hardware stack-unit cpu data-plane statistics show hardware stack-unit cpu party-bus statistics show hardware stack-unit 0-11 drops unit 0-1 port 0-63 show hardware stack-unit 0-11 stack-port 48-51 show hardware stack-unit 0-11 unit 0-1 {counters | details | port-stats [detail] | register | execute-shell-cmd | ipmc-replication | table-dump} show hardware {layer2| layer3} {e.g.
IPv4 L3 Discards Policy Discards Packets dropped by FP (L2+L3) Drops Port bitmap zero Drops Rx VLAN Drops : : : : : : 0 0 14 0 16 0 --- Ingress MAC counters--Ingress FCSDrops : 0 Ingress MTUExceeds : 0 --- MMU Drops --HOL DROPS TxPurge CellErr Aged Drops : 0 : 0 : 0 --- Egress MAC counters--Egress FCS Drops : 0 --- Egress FORWARD PROCESSOR Drops --IPv4 L3UC Aged & Drops : 0 TTL Threshold Drops : 0 INVALID VLAN CNTR Drops : 0 L2MC Drops : 0 PKT Drops of ANY Conditions : 0 Hg MacUnderflow : 0 TX Err PK
rxPkt(UNIT2) rxPkt(UNIT3) transmitted txRequested noTxDesc txError txReqTooLarge txInternalError txDatapathErr txPkt(COS0) txPkt(COS1) txPkt(COS2) txPkt(COS3) txPkt(COS4) txPkt(COS5) txPkt(COS6) txPkt(COS7) txPkt(UNIT0) :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 Example of Viewing Party Bus Statistics FTOS#sh hardware stack-unit 2 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Display Sta
Example of Displaying Stack Unit Counters RIPC4.ge0 : 1,202 +1,202 RUC.ge0 : 1,224 +1,217 RDBGC0.ge0 : 34 +24 RDBGC1.ge0 : 366 +235 RDBGC5.ge0 : 16 +12 RDBGC7.ge0 : 18 +12 GR64.ge0 : 5,176 +24 GR127.ge0 : 1,566 +1,433 GR255.ge0 : 4 +4 GRPKT.ge0 : 1,602 +1,461 GRBYT.ge0 : 117,600 +106,202 GRMCA.ge0 : 366 +235 GRBCA.ge0 : 12 +9 GT64.ge0 : 4 +3 GT127.ge0 : 964 +964 GT255.ge0 : 4 +4 GT511.ge0 : 1 +1 GTPKT.ge0 : 973 +972 GTBCA.ge0 : 1 +1 GTBYT.ge0 : 71,531 +71,467 RUC.cpu0 : 972 +971 TDBGC6.
1 drw2 drwx 3 drw4 d--5 -rw6 -rw7 -rw- 156 8 -rw- 156 9 -rw- 156 10 -rw- 156 11 -rw- 156 12 -rw- 156 13 -rw- 156 16384 Jan 01 1980 00:00:00 +00:00 . 1536 Sep 03 2009 16:51:02 +00:00 .. 512 Aug 07 2009 13:05:58 +00:00 TRACE_LOG_DIR 512 Aug 07 2009 13:06:00 +00:00 ADMIN_DIR 8693 Sep 03 2009 16:50:56 +00:00 startup-config 8693 Sep 03 2009 16:44:22 +00:00 startup-config.bak Aug 28 2009 16:16:10 +00:00 f10StkUnit0.mrtm.acore.mini.txt Aug 28 2009 17:17:24 +00:00 f10StkUnit0.vrrp.acore.mini.
tcpdump cp [capture-duration time | filter expression | max-file-count value | packet-count value | snap-length value | write-to path] 915
Standards Compliance 59 This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking operating system (FTOS), FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance FTOS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard. General Internet Protocols The following table lists the FTOS support per platform for general internet protocols. Table 80. General Internet Protocols RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale 768 User Datagram Protocol 7.6.1 7.5.1 √ 8.1.
RFC# Full Name S-Series 2615 PPP over SONET/SDH √ 2698 A Two Rate Three Color Marker √ 8.1.1 3164 The BSD syslog Protocol 7.5.1 √ 8.1.1 draft-ietf-bfd base-03 Bidirectional Forwarding Detection 7.6.1 √ 8.1.1 7.6.1 C-Series E-Series TeraScale E-Series ExaScale General IPv4 Protocols The following table lists the FTOS support per platform for general IPv4 protocols. Table 81.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale Assignment and Aggregation Strategy 1542 Clarifications and Extensions for the Bootstrap Protocol 7.6.1 7.5.1 √ 8.1.1 1812 Requirements for IP Version 4 Routers 7.6.1 7.5.1 √ 8.1.1 2131 Dynamic Host 7.6.1 Configuration Protocol 7.5.1 √ 8.1.1 2338 Virtual Router Redundancy Protocol (VRRP) 7.6.1 7.5.1 √ 8.1.1 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links 7.7.1 7.5.1 7.7.1 8.1.
RFC# Full Name 2464 S-Series C-Series E-Series TeraScale E-Series ExaScale Transmission of IPv6 7.8.1 Packets over Ethernet Networks 7.8.1 √ 8.2.1 2675 IPv6 Jumbograms 7.8.1 7.8.1 √ 8.2.1 2711 IPv6 Router Alert Option 8.3.12.0 3587 IPv6 Global Unicast Address Format 7.8.1 7.8.1 √ 8.2.1 4007 IPv6 Scoped Address Architecture 8.3.12.0 4291 Internet Protocol Version 6 (IPv6) Addressing Architecture 7.8.1 7.8.1 √ 8.2.
RFC# Full Name S-Series/Z-Series 2842 Capabilities Advertisement with BGP-4 7.8.1 2858 Multiprotocol Extensions for BGP-4 7.8.1 2918 Route Refresh Capability for BGP-4 7.8.1 3065 Autonomous System Confederations for BGP 7.8.1 4360 BGP Extended Communities Attribute 7.8.1 4893 BGP Support for Four-octet AS Number Space 7.8.1 5396 Textual Representation of Autonomous System (AS) Numbers 8.1.2 draft-ietf-idrbgp4- 20 A Border Gateway Protocol 4 (BGP-4) 7.8.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale Protocol (ISO DP 10589) 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments √ 8.1.1 2763 Dynamic Hostname Exchange Mechanism for IS-IS √ 8.1.1 2966 Domain-wide Prefix Distribution with TwoLevel IS-IS √ 8.1.1 3373 Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Pointto-Point Adjacencies √ 8.2.1 3567 IS-IS ACruythpetongtircaap thioicn √ 8.1.
RFC# Full Name draft-kaplan-isise xt-eth-02 Extended Ethernet Frame Size Support S-Series C-Series E-Series TeraScale E-Series ExaScale √ 8.1.1 Routing Information Protocol (RIP) The following table lists the FTOS support per platform for RIP protocol. Table 86. Routing Information Protocol (RIP) RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale 1058 Routing Information Protocol 7.8.1 7.6.1 √ 8.1.1 2453 RIP Version 7.8.1 7.6.1 √ 8.1.1 4191 Default Router 8.
RFC# Full Name 3810 S-Series C-Series E-Series TeraScale E-Series ExaScale Multicast Listener Discovery Version 2 (MLDv2) for IPv6 √ 8.2.1 3973 Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised) √ 4541 Considerations for 7.6.1 (IGMPv1/v2) 7.6.1 (IGMPv1/v2) √ IGMPv1/v2/v3, 8.2.
RFC# Full Name S4810 dot1dTpLearnedEntryDiscard s object] 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 Management 7.6.1 Information Base 1901 Introduction to Communitybased SNMPv2 2011 SNMPv2 Management 7.6.1 Information Base for the Internet Protocol using SMIv2 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 2013 SNMPv2 Management 7.6.
RFC# Full Name S4810 2574 User-based Security Model 7.6.1 (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) 2575 View-based Access Control 7.6.1 Model (VACM) for the Simple Network Management Protocol (SNMP) 2576 Coexistence Between Version 1, Version 2, and Version 3 of the Internetstandard Network Management Framework 2578 Structure of Management 7.6.1 Information Version 2 (SMIv2) 2579 Textual Conventions for SMIv2 7.6.1 2580 Conformance Statements for SMIv2 7.6.
RFC# Full Name S4810 Table, Ethernet History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table 2863 The Interfaces Group MIB 2865 Remote Authentication Dial In 7.6.1 User Service (RADIUS) 3273 Remote Network Monitoring Management Information Base for High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History HighCapacity Table 7.6.1 3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) 7.6.
RFC# Full Name S4810 S4820T Z9000 9.2(0.0) 9.2(0.0) Endpoint Discovery information draft-grant-tacacs -02 The TACACS+ Protocol 7.6.1 draft-ietf-idr-bgp4 mib-06 Definitions of Managed 7.8.
RFC# Full Name S4810 S4820T Z9000 9.2.(0.0) 9.2.(0.0) Multiple Spanning Tree Protocol sFlow.org sFlow Version 5 7.7.1 sFlow.org sFlow Version 5 MIB 7.7.1 FORCE10-BGP4-V2MIB Force10 BGP MIB (draft-ietfidr-bgp4-mibv2-05) 7.8.1 f10–bmp-mib Force10 Bare Metal Provisioning MIB 9.2(0.0) FORCE10-FIB-MIB Force10 CIDR Multipath Routes MIB (The IP Forwarding Table provides information that you can use to determine the egress port of an IP packet and troubleshoot an IP reachability issue.
RFC# Full Name S4810 FORCE10-SMI Force10 Structure of Management Information 7.6.1 FORCE10-SYSTEMCOMPONENT-MIB Force10 System Component 7.6.1 MIB (enables the user to view CAM usage information) FORCE10-TC-MIB Force10 Textual Convention 7.6.1 FORCE10-TRAPALARM-MIB Force10 Trap Alarm MIB 7.6.1 S4820T Z9000 MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.
