Dell 9.10(0.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents

1 About this Guide ... 38
Audience ... 38
Conventions ... 38
Related Documents
Creating a Port-based VLAN ... 60
Assigning Interfaces to a VLAN ... 61
Assigning an IP Address to a VLAN ... 61
Connect the S5000 to the Network
Enabling the System to Clear Existing Sessions ... 85
Changing System Logging Settings ... 86
Display the Logging Buffer and the Logging Configuration ... 87
Configuring a UNIX Logging Facility Level ... 88
Synchronizing Log Messages
Sending Loopback Messages and Responses ... 109
Sending Linktrace Messages and Responses ... 110
Caching Link Trace ... 111
Enabling CFM SNMP Traps
CAM Optimization ... 144
Test CAM Usage ... 144
View CAM-ACL Settings ... 145
View CAM Usage
Configure Route Map Filters ... 170
Configuring Match Routes ... 171
Configuring Set Conditions ... 172
Configure a Route Map for Route Redistribution
Four-Byte AS Numbers ... 218
AS4 Number Representation ... 218
AS Number Migration ... 220
BGP4 Management Information Base (MIB)
Set a Clause with a Continue Clause ... 262
Enabling MBGP Configurations ... 263
BGP Regular Expression Optimization ... 263
Debugging BGP
Data Center Bridging in a Traffic Flow ... 305
Enabling Data Center Bridging ... 305
DCB Maps and its Attributes ... 306
Data Center Bridging: Default Configuration
15 Dynamic Host Configuration Protocol (DHCP) ... 350
DHCP Packet Format and Options ... 350
Assign an IP Address using DHCP ... 352
Implementation Information ... 353
Configuration Tasks
Route Table ... 380
Zoning ... 380
Creating Zone and Adding Members ... 380
Creating Zone Alias and Adding Members
Configure Fibre Channel Interfaces ... 413
Enabling Fibre Channel Capability ... 413
Configuring Fibre Channel Interfaces ... 414
Displaying Fibre Channel Information
Failure and Event Logging ... 442
Trace Log ... 442
Core Dumps ... 443
System Log
Handling of Switch-Destined Traffic ... 465
Handling of Transit Traffic (Traffic Separation) ... 465
Mapping of Management Applications and Traffic Type ... 466
Behavior of Various Applications for Switch-Initiated Traffic ... 467
Behavior of Various Applications for Switch-Destined Traffic
Assigning an IP Address to a Port Channel ... 492
Deleting or Disabling a Port Channel ... 492
Load Balancing Through Port Channels ... 492
Changing the Hash Algorithm ... 493
Bulk Configuration
Configure Static Routes for the Management Interface ... 523
IPv4 Path MTU Discovery Overview ... 523
Using the Configured Source IP Address in ICMP Messages ... 524
Configuring the ICMP Source Interface ... 524
Configuring the Duration to Establish a TCP Connection
Implementing IPv6 with Dell Networking OS ... 546
ICMPv6 ... 546
Path MTU Discovery ... 547
IPv6 Neighbor Discovery
Implementation Information ... 571
Configuration Information ... 572
Configuration Tasks for IS-IS ... 573
Configuring the Distance of a Route
NIC Teaming ... 615
Configure Redundant Pairs ... 616
Important Points about Configuring Redundant Pairs ... 618
Far-End Failure Detection
35 Multicast Source Discovery Protocol (MSDP) ... 653
Protocol Overview ... 653
Anycast RP ... 656
Implementation Information
MSTP Sample Configurations ... 685
Router 1 Running-Configuration, Router 2 Running-Configuration, Router 3 Running-Configuration, SFTOS Example Running-Configuration ... 685
Debugging and Verifying MSTP Configurations ... 688
37 Multicast Features
Object Tracking Configuration ... 723
Tracking a Layer 2 Interface ... 723
Tracking a Layer 3 Interface ... 724
Track an IPv4/IPv6 Route
Create a Redirect List ... 793
Create a Rule for a Redirect-list ... 793
Apply a Redirect-list to an Interface using a Redirect-group ... 795
Sample Configuration
45 Private VLANs (PVLAN) ... 832
Private VLAN Concepts ... 832
Using the Private VLAN Commands ... 833
Configuration Task List
Enabling QoS Rate Adjustment ... 873
Enabling Strict-Priority Queueing ... 874
Weighted Random Early Detection ... 874
Creating WRED Profiles
49 Remote Monitoring (RMON) ... 908
Implementation Information ... 908
Fault Recovery ... 908
Setting the rmon Alarm
Enabling SCP and SSH ... 943
Using SCP with SSH to Copy a Software Image ... 944
Secure Shell Authentication ... 945
Enabling SSH Authentication by Password ... 945
Using RSA Authentication of SSH
54 sFlow ... 973
Overview ... 973
Implementation Information ... 974
Important Points to Remember
Viewing the Available Flash Memory Size ... 998
MIB Support to Display the Software Core Files Generated by the System ... 998
Viewing the Software Core Files Generated by the System ... 999
Manage VLANs using SNMP ... 1000
Creating a VLAN
Split a Stack ... 1035
Managing Redundant Stack Management ... 1035
Resetting a Unit on a Stack ... 1036
Verify a Stack Configuration
Configuring SupportAssist Manually ... 1071
Configuring SupportAssist Activity ... 1073
Configuring SupportAssist Company ... 1075
Configuring SupportAssist Person
63 Upgrade Procedures ... 1108
Get Help with Upgrades ... 1108
Getting Help with Switch Information ... 1108
64 Virtual LANs (VLANs)
Configuring VLT ... 1138
Configuring a VLT Interconnect ... 1138
Enabling VLT and Creating a VLT Domain ... 1139
Configuring a VLT Backup Link ... 1140
Configuring a VLT Port Delay Period
Sample Configuration of IPv6 Peer Routing in a VLT Domain ... 1179
67 Virtual Routing and Forwarding (VRF) ... 1183
VRF Overview ... 1183
VRF Configuration Notes ... 1184
DHCP
VRRP for IPv6 Configuration ... 1226
Displaying VRRP in a VRF Configuration ... 1230
69 S5000 Debugging and Diagnostics ... 1231
Offline Diagnostics
1 About this Guide

This guide describes the protocols and features supported on Dell Networking switches and routers by the Dell Networking operating system (OS) and provides configuration instructions and examples for implementing them. The S5000 switch is available with Dell Networking OS version 9.1(1.0) and later versions. It also supports stacking. Though this guide contains information on protocols, it is not intended to be a complete reference.
Related Documents For more information about the S5000 switch, refer to the following documents.
2 Configuration Fundamentals

The Dell Networking OS command line interface (CLI) is a text-based interface that you use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In Dell Networking OS, after you enable a command, it is entered into the running configuration file.
CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (except for EXEC mode commands preceded by the do command; for more information, refer to The do Command and EXEC Privilege Mode commands). You can set user access rights to commands and command modes using privilege levels; for more information about privilege levels and security options, refer to Privilege Levels Overview.
• IP ACCESS-LIST STANDARD
• ACCESS-LIST EXTENDED
• ACCESS-LIST
• LINE CONSOLE
• VIRTUAL TERMINAL
• MAC ACCESS-LIST
• MAC CONTROL-PLANE
• MONITOR SESSION
• MULTIPLE SPANNING TREE
• Per-VLAN SPANNING TREE
• RAPID SPANNING TREE
• GVRP
• LLDP
• FIBRE CHANNEL
• PREFIX-LIST
• REDIRECT
• ROUTE-MAP
• ROUTER BGP
• ROUTER ISIS
• ROUTER OSPF
• ROUTER RIP
• SPANNING TREE
• TRACE-LIST

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode.

CLI Command Mode | Prompt | Access Command
AS-PATH ACL | Dell(config-as-path)# | ip as-path access-list
Gigabit Ethernet Interface | Dell(conf-if-gi-0/0)# | interface (INTERFACE modes)
10 Gigabit Ethernet Interface | Dell(conf-if-te-0/0)# | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | Dell(conf-if-fo-1/0)# | interface (INTERFACE modes)
Interface Range | Dell(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | Dell(conf-if-lo-0)# | interface (INTERFACE modes)
Management Ethernet Interf

CLI Command Mode | Prompt | Access Command
FIBRE CHANNEL | Dell (conf-fcoe) | protocol fc
REDIRECT | Dell (conf-redirect-list)# | ip redirect-list
ROUTE-MAP | Dell (conf-route-map)# | route-map
ROUTER BGP | Dell(conf-router_bgp)# | router bgp
ROUTER ISIS | Dell(conf-router_isis)# | router isis
ROUTER OSPF | Dell(conf-router_ospf)# | router ospf
ROUTER RIP | Dell(conf-router_rip)# | router rip
SPANNING TREE | Dell(config-span)# | protocol spanning-tree 0
TRACE-LIST | Dell(conf-trace-acl)# | ip trace-list

The following
You can install an Ethernet module in any slot (from 0 to 3) and a Universal Port module in slot 0 on the I/O panel. On the S5000, the valid stack-unit numbers are from 0 to 11.
The no Command

When you enter a command, the command line is added to the running configuration file. Disable a command and remove it from the running-config by entering the original command preceded by the no command. For example, to delete an ip address configured on an interface, use the no ip address ip-address command, as shown in bold in the following example.

NOTE: To help you construct the “no” form of a command, use the help or ? command as described in Obtaining Help.
copy    Copy from one file to another
--More--

Keyword? | Command | Example
? after a partial keyword lists all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map clock
Dell(conf)#cl

Keyword ? | Command | Example
A keyword followed by [space]? lists all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
Dell(conf)#clock

Entering and Editing Commands

Notes for entering commands.

Short-Cut Key Combination | Action
CNTL-N | Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
CNTL-P | Recalls commands, beginning with the last command.
CNTL-R | Re-enters the previous command.
CNTL-U | Deletes the line.
CNTL-W | Deletes the previous word.
CNTL-X | Deletes the line.
CNTL-Z | Ends continuous scrolling of command outputs.
Esc B | Moves the cursor back one word.
Esc F | Moves the cursor forward one word.
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the do show stack-unit all stack-ports all pfc details | grep 0 command.
Multiple Users in Configuration Mode

Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode. A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established.
3 Getting Started

This chapter helps you get started using the S5000.

Accessing Ports

The S5000 has two management ports available for system access — a console port and a universal serial bus (USB)-B port. The USB-B port acts the same as the console port. The terminal settings are the same for both access ports.

Accessing the RJ-45/RS-232 Console Port

The RS-232/RJ-45 console port is labeled on the lower left-hand side of the S5000 system as you face the Utility side of the chassis.

• 9600 baud rate
• No parity
• 8 data bits
• 1 stop bit
• No flow control

Pin Assignments

You can connect to the console using an RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC). The pin assignments between the console and a DTE terminal server are as follows:

Table 2.

Entering CLI commands Using an SSH Connection

You can run CLI commands non-interactively by connecting to a switch over SSH with the preconfigured user credentials, using either of the following forms:

ssh username@hostname
echo | ssh admin@hostname

The SSH server transmits the terminal commands to the CLI shell and the results are displayed on the screen non-interactively.

Default Configuration

Although a version of Dell Networking OS is pre-loaded onto the system, the system is not configured when you power it up for the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.

Accessing the USB-B Console Port

When you connect the USB-B port, it becomes the primary connection and, when the system is connected, it sends all messages to the USB-B drive. The terminal settings are the same for the USB-B port and the console port.
Core: E500, Version: 5.1, (0x80211051)
.
.
Board: S5000
Dell CPU CPLD: S5000 CPLD Rev 41
Board Revision 1
.
.
Boot Selector set to Bootflash Partition A image...
Verifying Copyright Information..success for Image - 0
Boot Selector: Booting Bootflash Partition A image...
Copying stage-2 loader from 0x800000 to 0x7f800000(size = 0x200000)
F10 Boot Image selection DONE.
## Starting application at 0x7F800090 ...
U-Boot 2012.
.
RELEASE IMAGE HEADER DATA :
-------------------------
Release Image Created 2013/4/15 - 18:11:28
SOFTWARE IMAGE HEADER DATA :
---------------------------
Software Image[1] Img file Name : CPRPLP-RPM-AP-9-0-1-0.bin
Software Image[2] Img file Name : NBSDPCPRPLP-RPM-AP-9-0-1-0.bin
.
Starting Dell Networking application
00:00:38: %STKUNIT0-M:CP %RAM-6-ELECTION_ROLE: Stack unit 0 is transitioning to Management unit.
Enter the Initial Configuration Information

To set up the switch, assign an IP address and other configuration information necessary for the switch to communicate with the local routers and the Internet. The minimal configuration provided here does not cover most of the features; it simply allows you to perform other configuration tasks using a Telnet connection from your management network.

• 5 is to input a password that is already encrypted using the MD5 encryption method. Obtain the encrypted password from the configuration file of another device.
• 8 is to input a password that is already encrypted using the sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.

Configuring a Host Name

The host name appears in the prompt. The default host name is Dell.

• Host names must start with a letter and end with a letter or digit.

INTERFACE mode
no shutdown

2 Place the interface in Layer 2 (switching) mode.

INTERFACE mode
switchport

To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.

Accessing the System Remotely

You can configure the system so that it can be accessed remotely by Telnet or SSH. The system has a dedicated management port and a management routing table that is separate from the IP routing table.

Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.

• Configure a management route to the network from which you are accessing the system.

CONFIGURATION mode
management route ip-address/mask gateway

• ip-address: the network address in dotted-decimal format (A.B.
To view the configured VLANs, use the show vlan command in EXEC Privilege mode.

Assigning Interfaces to a VLAN

You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can designate Layer 2 interfaces as tagged or untagged. When you place an interface in Layer 2 mode using the switchport command, the interface is automatically designated untagged and placed in the default VLAN.

ip address ip-address mask [secondary]

Connect the S5000 to the Network

After you have completed the hardware installation and software configuration for the S5000 system, you can connect to your company network by following your company’s cabling requirements.

Configure File Management

You can store on and access files from various storage media. Rename, delete, and copy files on the system from the EXEC Privilege mode.

Important Points to Remember

• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.

Table 4. Mounting an NFS File System

File Operation | Syntax
To mount an NFS file system: | mount nfs rhost:path mount-point username password

The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the write command, the mount command is saved to the startup configuration.

!
15 bytes successfully copied
Dell#copy flash://ashu/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
Dell#copy flash://ashu/capture.txt.pcap nfsmount:///ashutosh/snoop.pcap
!
24 bytes successfully copied
Dell#
Dell#copy tftp://10.16.127.35/mashutosh/dv-maa-test ?
flash:            Copy to local file system ([flash://]filepath)
nfsmount:         Copy to nfs mount file system (nfsmount:///filepath)
running-config    remote host:
Destination file name [test.

copy running-config scp://username:password@{hostip | hostname}/filepath/filename

NOTE: When copying to a server, you can only use a hostname if you configured a DNS server.

Viewing Files

You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.

• View a list of files on the internal flash.
EXEC Privilege mode
dir flash:
• View a list of files on the usbflash.

12  -rwx  6900     Feb 17 2011 04:43:12 +00:00  startup-config.bak
13  -rwx  1244038  Feb 13 2011 04:27:16 +00:00  f10cp_sysd_110213042625.acore.gz
flash: 2143281152 bytes total (2123755520 bytes free)
--More--

View Configuration Files

Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
You can create groups of VLANs using the interface group command. This command creates any nonexistent VLANs specified in a range. On successful command execution, the CLI switches to the interface group context. The configuration commands inside the group context are similar to those of the existing range command. Two existing EXEC mode CLIs are enhanced to display and store the running configuration in the compressed mode.

Uncompressed running-configuration (excerpt):

!
interface TenGigabitEthernet 1/3
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/4
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/10
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/34
 ip address 2.1.1.1/16
 shutdown
!
interface Vlan 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.1/16
 no shutdown

Uncompressed config size – 52 lines

Compressed running-configuration (excerpt):

!
interface TenGigabitEthernet 1/34
 ip address 2.1.1.1/16
 shutdown
!
interface group Vlan 2 , Vlan 100
 no ip address
 no shutdown
!
interface group Vlan 3 – 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 1000
 ip address 1.1.1.

write memory compressed

The write memory compressed CLI writes the operating configuration to the startup-config file in the compressed mode. In a stacking scenario, it also syncs the compressed file to all the standby and member units.
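The compressed form above merges VLAN interfaces that carry identical configuration into a single interface group with a range. The following is an added example, not Dell Networking OS code, that reproduces that grouping on a constructed running-config excerpt so the rule is visible: blocks are parsed, keyed by their body, and consecutive VLAN IDs are collapsed into ranges. The exact spacing of the range syntax and the block ordering are assumptions made for illustration.

```python
"""Group VLAN interfaces with identical configuration into 'interface group' ranges.

Added example (not Dell Networking OS code): models the compressed running-config
form described in the text. SAMPLE_CONFIG is constructed; the range formatting and
block ordering are assumptions, not Dell's implementation.
"""
import re
from itertools import groupby
from typing import Dict, List, Optional, Tuple

# Constructed sample of an uncompressed running-config excerpt (VLAN blocks only).
SAMPLE_CONFIG = """\
!
interface Vlan 2
 no ip address
 no shutdown
!
interface Vlan 3
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 4
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.1/16
 no shutdown
!
"""

VLAN_HEADER = re.compile(r"^interface Vlan (\d+)\s*$")


def parse_vlan_blocks(config: str) -> Dict[int, Tuple[str, ...]]:
    """Return {vlan_id: (body lines...)} for every 'interface Vlan N' block."""
    blocks: Dict[int, Tuple[str, ...]] = {}
    current: Optional[int] = None
    body: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":  # '!' terminates a block
            if current is not None:
                blocks[current] = tuple(body)
            current, body = None, []
            continue
        m = VLAN_HEADER.match(line)
        if m:
            current = int(m.group(1))
        elif current is not None and line:
            body.append(line)
    if current is not None:  # block not closed by a trailing '!'
        blocks[current] = tuple(body)
    return blocks


def format_ranges(ids: List[int]) -> str:
    """Render VLAN ids as 'Vlan 3 - 5 , Vlan 7', collapsing consecutive runs."""
    parts: List[str] = []
    ids = sorted(ids)
    # value minus index is constant across a run of consecutive integers
    for _, run in groupby(enumerate(ids), key=lambda p: p[1] - p[0]):
        run_ids = [v for _, v in run]
        if len(run_ids) == 1:
            parts.append(f"Vlan {run_ids[0]}")
        else:
            parts.append(f"Vlan {run_ids[0]} - {run_ids[-1]}")
    return " , ".join(parts)


def compress_config(config: str) -> List[str]:
    """Emit VLAN blocks, merging identically configured VLANs into interface groups."""
    blocks = parse_vlan_blocks(config)
    by_body: Dict[Tuple[str, ...], List[int]] = {}
    for vid, body in blocks.items():
        by_body.setdefault(body, []).append(vid)
    out: List[str] = ["!"]
    # order groups by their lowest VLAN id so the output is deterministic
    for body, ids in sorted(by_body.items(), key=lambda kv: min(kv[1])):
        if len(ids) == 1:
            out.append(f"interface Vlan {ids[0]}")
        else:
            out.append(f"interface group {format_ranges(ids)}")
        out.extend(f" {line}" for line in body)
        out.append("!")
    return out


if __name__ == "__main__":
    compressed = compress_config(SAMPLE_CONFIG)
    print("\n".join(compressed))
    print(f"Uncompressed: {len(SAMPLE_CONFIG.splitlines())} lines, "
          f"compressed: {len(compressed)} lines")
```

Run as a script, the constructed 28-line excerpt collapses to 14 lines, with Vlan 2 and Vlan 100 merged into one group and Vlan 3 through 5 into another, which is the shape of the compressed output shown above.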
EXEC Privilege mode show file-systems The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, read/write privileges for each storage device in use.
Activate the VRF application on a device by using the feature vrf command in CONFIGURATION mode. NOTE: The no feature vrf command is not supported on any of the platforms. To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI interface, use the following command. You must enable the VRF feature before you can configure its related attributes.
Upgrading and Downgrading Dell Networking OS

To upgrade or downgrade Dell Networking OS, refer to the Release Notes for the version you want to load on the system.

Verify Software Images Before Installation

To validate the software image on the flash drive, you can use the MD5 message-digest algorithm or the SHA256 Secure Hash Algorithm, after the image is transferred to the system but before the image is installed.
• flash: (Optional) Specifies the flash drive. The default uses the flash drive. You can enter the image file name.
• hash-value: (Optional) Specify the relevant hash published on iSupport.
• img-file: Enter the name of the Dell Networking software image file to validate.

Examples: Without Entering the Hash Value for Verification

MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459

SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.
specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server. However, these changes are backward-compatible and do not affect existing behavior; you can still use the ip http source-interface command to communicate with a particular interface even if no VRF is configured on that interface.

NOTE: If the HTTP service is not VRF-aware, it uses the global routing table to perform the look-up.
4 Switch Management

This chapter explains the different protocols or services used to manage the S5000 switch.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.

Level    Description
Level 1  Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Moving a Command from EXEC Privilege Mode to EXEC Mode

To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access.

Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
• allows access to CONFIGURATION mode with the banner command
• allows access to INTERFACE and LINE modes with no commands

• Remove a command from the list of available commands in EXEC mode.
  CONFIGURATION mode
  privilege exec level level {command ||...|| command}
• Move a command from EXEC Privilege to EXEC mode.
  CONFIGURATION mode
  privilege exec level level {command ||...|| command}
• Allow access to CONFIGURATION mode.
Current privilege level is 3.
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.

Configuring Logging

The Dell Networking OS tracks changes in the system using event and error messages. By default, Dell Networking OS logs these messages on:
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
  CONFIGURATION mode
  no logging monitor
• Disable console logging.
In the previous lines, local7 is the logging facility level and debugging is the severity level.

Track Login Activity

Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events.
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.

Dell(config)#login statistics enable
Dell(config)#login statistics time-period 12

Display Login Statistics

To view the login statistics, use the show login statistics command.

Example of the show login statistics Command

The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
User: admin3
Last login time: 13:18:42 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2

Example of the show login statistics user user-id Command

The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Restrictions for Limiting the Number of Concurrent Sessions

These restrictions apply for limiting the number of concurrent sessions:
• Only the system and security administrators can limit the number of concurrent sessions and enable the clear-line option.
• Users can clear their existing sessions only if the system is configured with the login concurrent-session clear-line enable command.
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.

$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
    Line      Location
    2 vty 0   10.14.1.97
    3 vty 1   10.14.1.97
Clear existing session? [line number/Enter to cancel]:
• Specify the minimum severity level for logging to the syslog history table.
  CONFIGURATION mode
  logging history level
• Specify the size of the logging buffer.
  CONFIGURATION mode
  logging buffered size
• Specify the number of messages that Dell Networking OS saves to its logging history table.
Apr 26 11:48:57: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/56
Apr 26 11:48:47: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/48
Apr 26 11:43:52: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/48
Apr 26 11:43:43: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/56
Apr 26 11:33:08: %S5000:1 %IFAGT-5-STACK_PORT_LINK_U... up: 1/48
Apr 26 11:33:08: ... up: 1/56
Apr 25 11:07:15: ... slot 1 port 2
Apr 25 11:07:14: ...
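The following Python is an added example, not Dell code or output: it parses messages in the %PLATFORM:UNIT %MODULE-SEVERITY-MNEMONIC: form shown above, maps the page's local7.debugging header to a syslog PRI value, and flags stack ports that went down and came back up within a short window. The sample log, the year (the messages carry none) and the ten-minute window are constructed assumptions.

```python
"""Added example (not Dell's code): parse Dell Networking OS log messages and
flag stack ports that flap (go down and come back up within a short window)."""
import re
from datetime import datetime

# Syslog facility and severity numbers; the page's example header is local7.debugging.
FACILITIES = {"local7": 23}
SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed sample, modelled on the stack port messages on the page (stack unit 1).
SAMPLE_LOG = """\
Apr 26 11:48:57: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/56
Apr 26 11:48:47: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/48
Apr 26 11:43:52: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/48
Apr 26 11:43:43: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/56
Apr 26 11:33:08: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/48
Apr 26 11:33:08: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/56
not a Dell message at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<platform>\w+):(?P<unit>\d+) "
    r"%(?P<module>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<text>.*)$")
PORT_RE = re.compile(r"\b(?P<state>up|down): (?P<port>\d+/\d+)$")


def syslog_pri(facility="local7", severity="debugging"):
    """PRI value that reaches a UNIX syslog host: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def is_logged(message_severity, configured_level="debugging"):
    """A message is kept when its severity number is at or below the configured level."""
    return message_severity <= SEVERITIES[configured_level]


def parse_line(line, year=2016):
    """Split one message into fields; the log has no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # foreign or truncated line: skip, don't crash
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "unit": int(m["unit"]), "module": m["module"],
            "severity": int(m["severity"]), "mnemonic": m["mnemonic"],
            "text": m["text"]}


def find_stack_port_flaps(log_text, window_seconds=600):
    """Return {port: [(down_time, up_time), ...]} for stack ports that came back
    up within `window_seconds` of going down. Events are handled oldest first,
    so the newest-first order of the show command output does not matter."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    last_down, flaps = {}, {}
    for e in events:
        if e["module"] != "IFAGT" or not e["mnemonic"].startswith("STACK_PORT_LINK_"):
            continue
        pm = PORT_RE.search(e["text"])
        if not pm:
            continue
        port, state = pm["port"], pm["state"]
        if state == "down":
            last_down[port] = e["time"]
        elif port in last_down:
            down_at = last_down.pop(port)
            if (e["time"] - down_at).total_seconds() <= window_seconds:
                flaps.setdefault(port, []).append((down_at, e["time"]))
    return flaps


if __name__ == "__main__":
    for port, pairs in sorted(find_stack_port_flaps(SAMPLE_LOG).items()):
        for down_at, up_at in pairs:
            print(f"stack port {port} flapped: down {down_at:%H:%M:%S}, up {up_at:%H:%M:%S}")
```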
• sys11 (system use)
• sys12 (system use)
• sys13 (system use)
• sys14 (system use)
• syslog (for syslog messages)
• user (for user programs)
• uucp (UNIX to UNIX copy protocol)

Example of the show running-config logging Command

To view nondefault settings, use the show running-config logging command in EXEC mode.
• limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamps, use the following command.
• Add timestamp to syslog messages.
• Enabling the FTP Server
• Configuring FTP Server Parameters
• Configuring FTP Client Parameters

Enabling the FTP Server

To enable the system as an FTP server, use the following command. To view the FTP configuration, use the show running-config ftp command in EXEC Privilege mode.
• Enable FTP on the system.
Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
• Enter the following keywords and slot/port or number information:
  • For a Gigabit Ethernet interface, enter the GigabitEthernet keyword then the slot/port information.
  • For a loopback interface, enter the loopback keyword then a number between 0 and 16383.
  • For a port channel interface, enter the port-channel keyword then a number from 1 to 255 for TeraScale and ExaScale.
Denying and Permitting Access to a Terminal Line

Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic.
• You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line, use the following command.
local     Prompt for the system username and password.
none      Do not authenticate the user.
radius    Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+   Prompt for a username and password and use a TACACS+ server to authenticate.

1 Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
  LINE mode
  exec-timeout minutes [seconds]
• Return to the default time-out values.
  LINE mode
  no exec-timeout

Example of Setting the Time Out Period for EXEC Privilege Mode

The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode.
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.dell.com) (ttyp1)
login: admin
Dell#

Lock CONFIGURATION Mode

Dell Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual.
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.

NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.
8 Save the running-config.
  EXEC Privilege mode
  copy running-config startup-config

Recovering from a Forgotten Enable Password

Use the following commands if you forget the enable password.
1 Log onto the system using the console.
2 Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3 Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.
  (during switch bootup) Press ESC key
3 Configure the Dell Networking OS image and parameters to use when the switch reloads.
  BOOT USER mode
  boot change {primary | secondary | default}
  Default: The S5000 boots using the primary parameters if they are valid. If the primary parameters are not valid, the switch boots with the secondary parameters. If the secondary parameters are not valid, it boots with the default parameters.
4 Assign an IP address to the Management Ethernet interface.
5 802.1ag

Ethernet operations, administration, and maintenance (OAM) are a set of tools used to install, monitor, troubleshoot, and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
• Service layer OAM — IEEE 802.1ag connectivity fault management (CFM)
• Link layer OAM — IEEE 802.
• there are complex interactions between various Layer 2 and Layer 3 protocols such as spanning tree protocol (STP), link aggregation group (LAG), virtual router redundancy protocol (VRRP), and electronic commerce messaging protocol (ECMP) configurations.
• ping and traceroute are not designed to verify data connectivity in the network and within each node in the network (such as in the switching fabric and hardware forwarding tables).
Maintenance Points

Domains are comprised of logical entities called maintenance points. A maintenance point is an interface demarcation that confines CFM frames to a domain. There are two types of maintenance points:
• Maintenance end points (MEPs) — a logical entity that marks the end point of a domain.
• Maintenance intermediate points (MIPs) — a logical entity configured at a port of a switch that is an intermediate point of a maintenance entity (ME).
Configure Up-MEPs on ingress ports, ports that send traffic towards the bridge relay. Configure Down-MEPs on egress ports, ports that send traffic away from the bridge relay.

Figure 5. Maintenance End Points

Implementation Information

Because the S5000 has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level).

Configuring the CFM

To configure the CFM, follow these steps:
1 Configure the ecfmacl CAM region using the cam-acl command.
Related Configuration Tasks
• Enabling CFM SNMP Traps
• Displaying Ethernet CFM Statistics

Enabling Ethernet CFM

To enable the Ethernet CFM, use the following tasks.
1 Spawn the CFM process. No CFM configuration is allowed until the CFM process is spawned.
  CONFIGURATION mode
  ethernet cfm
2 Disable Ethernet CFM without stopping the CFM process.
Services
  MA-Name  VLAN  CC-Int  X-CHK Status
  Your_MA  100   10s     enabled

Creating a Maintenance Association

A maintenance association (MA) is a subdivision of an MD that contains all managed entities corresponding to a single end-to-end service, typically a virtual area network (VLAN). An MA is associated with a VLAN ID.
• Create maintenance association.
  ECFM DOMAIN mode
  service name vlan vlan-id

Create Maintenance Points

Domains are comprised of logical entities called maintenance points.
  The range is from 1 to 8191.
2 Display configured MEPs and MIPs.
To display the MEP and MIP databases, use the following commands.
• Display the MEP database.
  EXEC Privilege mode
  show ethernet cfm maintenance-points remote detail [active | domain {level | name} | expired | waiting]
• Display the MIP database.
MEPs must listen to these multicast MAC addresses and process these messages. MIPs may optionally process the CCM messages the MEPs originate and construct a MIP CCM database. MEPs and MIPs filter CCMs from higher and lower domain levels as described in the following table. Table 7.
  The default is 10 seconds.

Enabling Cross-Checking

To enable cross-checking, use the following commands.
1 Enable cross-checking.
  ETHERNET CFM mode
  mep cross-check enable
  The default is Disabled.
2 Start the cross-check operation for an MEP.
  ETHERNET CFM mode
  mep cross-check mep-id
3 Configure the amount of time the system waits for a remote MEP to come up before the cross-check operation is started.
Sending Linktrace Messages and Responses Linktrace message and response (LTM, LTR), also called Layer 2 Traceroute, is an administratively sent multicast frame transmitted by MEPs to track, hop-by-hop, the path to another MEP or MIP within the maintenance domain. All MEPs and MIPs in the same domain respond to an LTM with a unicast LTR. Intermediate MIPs forward the LTM toward the target MEP. Figure 6.
Caching Link Trace

After you execute a Link Trace command, the trace information can be cached so that you can view it later without retracing. To enable, set, display, and delete link trace caching, use the following commands.
• Enable Link Trace caching.
  CONFIGURATION mode
  traceroute cache
• Set the amount of time a trace result is cached.
  ETHERNET CFM mode
  traceroute cache hold-time minutes
  The default is 100 minutes. The range is from 10 to 65535 minutes.
• Set the size of the Link Trace Cache.
Enabling CFM SNMP Traps

An SNMP trap is sent only when one of the five highest priority defects occurs.

Table 8.
  MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
  1         test     0     1s      enabled

Domain Name: Your_Name
MD Index: 2
Level: 2
Total Service: 1
Services
  MA-Index  MA-Name  VLAN  CC-Int  X-CHK Status
  1         test     100   1s      enabled

Displaying Ethernet CFM Statistics

To display Ethernet CFM statistics, use the following commands.
• Display MEP CCM statistics.
  EXEC Privilege mode
  show ethernet cfm statistics [domain {name | level} vlan-id vlan-id mpid mpid]
• Display CFM statistics by port.
Total CFM Pkts  10303
CCM Pkts        0
LBM Pkts        0
LTM Pkts        3
LBR Pkts        0
LTR Pkts        0

802.
6 802.1X

802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.

Figure 7. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 8. EAP Frames Encapsulated in Ethernet and RADIUS

The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator.
• The authentication server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges.
Ports can be in one of two states:
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
6 If the identity information the supplicant provides is valid, the authentication server sends an Access-Accept frame in which network privileges are specified. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.

Figure 9. EAP Port-Authentication

802.
EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.

Figure 10. EAP Over RADIUS

RADIUS Attributes for 802.1 Support

Dell Networking systems include the following RADIUS attributes in all 802.
Related Configuration Tasks
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN

Important Points to Remember
• Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
Enabling 802.1X

Enable 802.1X globally.

Figure 11. 802.1X Enabled

1 Enable 802.1X globally.
  CONFIGURATION mode
  dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
  INTERFACE mode
  interface [range]
3 Enable 802.1X on the supplicant interface only. 802.
  INTERFACE mode
  dot1x authentication

Example of Verifying that 802.1X is Enabled Globally
Example of Verifying 802.1X is Enabled on an Interface

Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold lines show that 802.1X is enabled.

Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
 no ip address
 dot1x authentication
 no shutdown
!
Dell#

View 802.
Configuring MAC Addresses for a dot1x Profile

To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses.
• Configure a list of MAC addresses for a dot1x profile.
  DOT1X PROFILE CONFIG (conf-dot1x-profile)
  mac mac-address
  mac-address — Enter the keyword mac and type up to six 48-bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed.
  The default is 30.
• Configure a maximum number of times that a Request Identity frame is re-transmitted by the authenticator.
  INTERFACE mode
  dot1x max-eap-req number
  The range is from 1 to 10. The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and retransmits a maximum of 10 times.
Dot1x Status:        Enable
Port Control:        AUTO
Port Auth Status:    UNAUTHORIZED
Re-Authentication:   Disable
Untagged VLAN id:    None
Tx Period:           90 seconds
Quiet Period:        120 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         10
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize

Forcibly Authorizing or Unauthorizing a Port

IEEE 802.
Untagged VLAN id:    None
Tx Period:           90 seconds
Quiet Period:        120 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         10
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication.
Tx Period:           90 seconds
Quiet Period:        120 seconds
ReAuth Max:          10
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    7200 seconds
Max-EAP-Req:         10
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default.
Auth-Fail VLAN id:       NONE
Auth-Fail Max-Attempts:  NONE
Tx Period:               90 seconds
Quiet Period:            120 seconds
ReAuth Max:              10
Supplicant Timeout:      15 seconds
Server Timeout:          15 seconds
Re-Auth Interval:        7200 seconds
Max-EAP-Req:             10
Auth Type:               SINGLE_HOST
Auth PAE State:          Initialize
Backend State:           Initialize

Configuring Dynamic VLAN Assignment with Port Authentication

Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID.
The illustration shows the configuration on the Dell Networking system before connecting the end-user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.

Figure 12. Dynamic VLAN Assignment

1 Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations.
2 Make the interface a switchport so that it can be assigned to a VLAN.
the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.

NOTE: Ports cannot be dynamically assigned to the default VLAN.

If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network.
Configure a port to place in the VLAN after failing the authentication process a specified number of times using the dot1x auth-fail-vlan command from INTERFACE mode. Configure the maximum number of authentication attempts by the authenticator using the keyword max-attempts with this command.
Configuring dot1x Profile

You can configure a dot1x profile for defining a list of trusted supplicant MAC addresses. A maximum of 10 dot1x profiles can be configured. The profile name length is limited to 32 characters. The dot1x profile {profile-name} command sets the dot1x profile mode and you can enter profile-related commands, such as the mac command. To configure a dot1x profile, use the following commands.
• Configure a dot1x profile.
Dell(conf-if-Te 2/1)#show dot1x interface TenGigabitEthernet 2/1
802.
7 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
After these verification steps are performed, the ACL manager considers the command valid and sends the information to the ACL agent on the line card. The ACL manager notifies the ACL agent in the following cases:
• A VLAN member is added or removed from a group and previously associated VLANs exist in the group.
• The egress ACL is applied or removed from the group and the group contains VLAN members.
• VLAN members are added or deleted from a VLAN, which itself is a group member.
• Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
• To enable optimization of CAM space for Layer 2 or Layer 3 ACLs that are applied to ports, the port number is removed as a qualifier for ACL application on ports, and port bits are used. When you apply the same ACL to a set of ports, the port bitmap is set when the ACL flow processor (FP) entry is added. When you remove the ACL from a port, the port bitmap is removed.
show acl-vlan-group {group name | detail}

Dell#show acl-vlan-group detail
Group Name     : TestGroupSeventeenTwenty
Egress IP Acl  : SpecialAccessOnlyExpertsAllowed
Vlan Members   : 100,200,300

Group Name     : CustomerNumberIdentificationEleven
Egress IP Acl  : AnyEmployeeCustomerElevenGrantedAccess
Vlan Members   : 2-10,99

Group Name     : HostGroup
Egress IP Acl  : Group5
Vlan Members   : 1,1000
Dell#

Configuring FP Blocks for VLAN Parameters

To allocate the number of FP blocks for the various VLAN processes on the system,
Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode. Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
          |       | IN-L3 ACL  |
          |       | IN-V6 ACL  |
          |       | OUT-L2 ACL |
          |       | OUT-L3 ACL |
          |       | OUT-V6 ACL |
3         | 0     | IN-L2 ACL  |
          |       | IN-L3 ACL  |
          |       | IN-V6 ACL  |
          |       | OUT-L2 ACL |
          |       | OUT-L3 ACL |
          |       | OUT-V6 ACL |
Codes: * - cam usage is above 90%.
You can configure only two of these features at a time.
• To allocate the number of FP blocks for VLAN open flow operations, use the cam-acl-vlan vlanopenflow <0-2> command.
• To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi <0-2> command.
• To allocate the number of FP blocks for ACL VLAN optimization, use the cam-acl-vlan vlanaclopt <0-2> command.
To reset the number of FP blocks to the default, use the no version of these commands.
8 Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps. The S5000 switch supports:
• Access control lists (ACLs)
• Ingress IP and MAC ACLs
• Egress IP and MAC ACLs
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
IP Access Control Lists (ACLs) In Dell Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP packet.
User Configurable CAM Allocation Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.
test cam-usage command in Privilege mode. The following example shows the output when executing this command. The status column indicates whether you can enable the policy.
Openflow     : 0
fedgovacl    : 0
Dell(conf)#

Example of Viewing CAM-ACL Settings

NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
IpMacAcl     : 0
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
FcoeAcl      : 0
iscsiOptAcl  : 0
ipv4pbr      : 0
vrfv4Acl     : 0
Openflow     : 0
fedgovacl    : 0
Dell#

View CAM Usage

View the amount of CAM space available, used, and remaining in each ACL partition using the show cam-usage command from EXEC Privilege mode.
Implementing ACLs on Dell Networking OS You can assign one IP ACL per interface with Dell Networking OS. If you do not assign an IP ACL to an interface, the software does not use it in any other capacity. The number of entries allowed per ACL is hardware-dependent. If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected.
and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4. In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254.
IP Fragments ACL Examples

The following examples show how you can use ACL commands with the fragment keyword to filter fragmented packets.

Example of Permitting All Packets on an Interface

The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1.
Example of Layer 4 ACL Rules

In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

Example of TCP Packets

In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted.
To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command in EXEC Privilege mode.

Example of Viewing the Rules of a Specific ACL on an Interface
Example of the seq Command to Order Filters

Dell#show ip accounting access-list ToOspf interface gig 1/6
Standard IP access list ToOspf
 seq 5 deny any
 seq 10 deny 10.2.0.0 /16
 seq 15 deny 10.3.0.0 /16
 seq 20 deny 10.4.0.0 /16
 seq 25 deny 10.5.0.0 /16
 seq 30 deny 10.6.0.
the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.

Example of Viewing Filter Sequence for a Specified Standard ACL

Dell(config-route-map)#ip access standard kigali
Dell(config-std-nacl)#permit 10.1.0.0/16
Dell(config-std-nacl)#show config
!
ip access-list standard kigali
 seq 5 permit 10.1.0.
  CONFIG-EXT-NACL mode
  seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]

When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows an extended IP ACL in which the software assigned the sequence numbers. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number).
Table 9. L2 and L3 Filtering on Switched Packets

L2 ACL Interfaces Behavior   L3 ACL Interfaces Behavior   Decision on Targeted Traffic
Deny                         Deny                         L3 ACL denies.
Deny                         Permit                       L3 ACL permits.
Permit                       Deny                         L3 ACL denies.
Permit                       Permit                       L3 ACL permits.

NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
3 Apply an IP ACL to traffic entering or exiting an interface.
INTERFACE mode
ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]

NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation.

4 Apply rules to the new ACL.
Example of Applying ACL Rules to Ingress Traffic and Viewing ACL Configuration

To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on tengigEthernet 0/0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.2

Applying Egress Layer 3 ACLs (Control-Plane)

By default, egress ACLs do not filter packets originated from the system.
The ACLs target and handle Layer 3 traffic destined to terminate on the system, including routing protocols, remote access, simple network management protocol (SNMP), internet control message protocol (ICMP), and so on. Effective filtering of Layer 3 traffic from Layer 3 routers reduces the risk of attack.

NOTE: Loopback ACLs are supported only on ingress traffic. Loopback interfaces do not support ACLs using the IP fragment option.
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on Loopback 0
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 10 deny icmp any any

For more information, refer to the VTY Line Local Authentication and Authorization section in the Security chapter.

IP Prefix Lists

IP prefix lists control routing policy.
Configuration Task List for Prefix Lists

To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER OSPF and ROUTER BGP modes. The following list includes the configuration tasks for prefix lists, as described in the following sections.
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#

NOTE: The last line in the prefix list juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.

To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
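The prefix list juba above, worked through in an added Python model (not Dell Networking OS code): entries are tried in sequence order, a route matches an entry when it lies inside the entry's network and its length satisfies the optional ge/le bounds, and a route matching no entry is implicitly denied. The exact-length-without-ge/le rule and the ge/le bound semantics are the standard prefix-list semantics and are an assumption here; the routes fed in are constructed.

```python
"""Prefix-list matching for route filtering. Added illustration, not Dell
Networking OS code; the list "juba" is taken from the example above and the
routes tested against it are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str                     # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None        # minimum prefix length, if given
    le: Optional[int] = None        # maximum prefix length, if given

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """The route's leading bits must equal the entry's network, and its
        length must fall in [lo, hi]: exact length with no ge/le, network
        length..le with 'le', ge..32 with 'ge', ge..le with both."""
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.network.prefixlen
        return route.subnet_of(self.network) and lo <= route.prefixlen <= hi


def parse_prefix_list(lines: List[str]) -> List[PrefixEntry]:
    """Parse lines of the form 'seq N {permit|deny} A.B.C.D/len [ge X] [le Y]'."""
    entries = []
    for line in lines:
        t = line.split()
        seq, action = int(t[1]), t[2]
        net = ipaddress.ip_network(t[3], strict=False)
        ge = le = None
        for key, val in zip(t[4::2], t[5::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append(PrefixEntry(seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def filter_route(entries: List[PrefixEntry], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ("deny", None):
    a route that matches no entry is dropped by the implicit deny."""
    route = ipaddress.ip_network(prefix, strict=False)
    for e in entries:
        if e.matches(route):
            return e.action, e.seq
    return "deny", None


# The prefix list "juba" from the example above.
JUBA = parse_prefix_list([
    "seq 12 deny 134.23.0.0/16",
    "seq 15 deny 120.0.0.0/8 le 16",
    "seq 20 permit 0.0.0.0/0 le 32",
])
```

Note that seq 12 carries no ge/le, so it denies only the exact /16; a more specific 134.23.5.0/24 falls through to the final permit.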
Viewing Prefix Lists

To view all configured prefix lists, use the following commands.

• Show detailed information about configured prefix lists.
  EXEC Privilege mode
  show ip prefix-list detail [prefix-name]
• Show a table of summarized information about configured prefix lists.
  CONFIG-ROUTER-RIP mode
  distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to outgoing routes. You can specify an interface or type of route. If you enter the name of a non-existent prefix list, all routes are forwarded.
ACL Resequencing

ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. To order new rules using the current numbering scheme, use resequencing. For example, the following table contains some rules that are numbered in increments of 1.
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}

Example of Resequencing ACLs When Remarks and Rules Have the Same Number

Example of Resequencing ACLs When Remarks and Rules Have Different Numbers

The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2. Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command.
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.4

Route Maps

Similar to ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action; however, route maps can change the packets meeting the criterion. ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution.
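The renumbering the resequence command performs, as an added Python illustration (not Dell Networking OS code): entries are renumbered StartingSeqNum, +Step, +Step, ... in their current order, and a remark that shares a rule's number keeps sharing it. That a remark carrying its own number consumes one position in the new sequence is an assumption of this model; the entries are constructed.

```python
"""Resequencing of ACL rules and remarks. Added illustration, not Dell
Networking OS code; the handling of a remark whose number differs from every
rule (it takes its own slot in the sequence) is an assumption."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    kind: str     # "remark" or "rule"
    seq: int
    text: str     # remark text, or the rule body ("permit ip any host ...")


def resequence(entries: List[Entry], start: int, step: int) -> List[Entry]:
    """Return a renumbered copy. Entries are visited in sequence order; each
    distinct old number gets the next new number, so a remark and the rule
    that share a number (the 'same number' case above) still share it, and a
    remark with a number of its own is numbered as one entry in the sequence."""
    ordered = sorted(entries, key=lambda e: e.seq)   # stable: remark stays before its rule
    mapping: Dict[int, int] = {}
    next_seq = start
    out: List[Entry] = []
    for e in ordered:
        if e.seq not in mapping:
            mapping[e.seq] = next_seq
            next_seq += step
        out.append(Entry(e.kind, mapping[e.seq], e.text))
    return out


def render(entries: List[Entry]) -> List[str]:
    """Render entries the way 'show config' prints them."""
    return [f"remark {e.seq} {e.text}" if e.kind == "remark" else f"seq {e.seq} {e.text}"
            for e in entries]


# Constructed list with one remark sharing its rule's number (4) and one
# standalone remark (7), renumbered from 2 in steps of 2 as in the example.
BEFORE = [
    Entry("remark", 4, "this remark corresponds to permit ip any host 1.1.1.1"),
    Entry("rule", 4, "permit ip any host 1.1.1.1"),
    Entry("remark", 7, "standalone remark"),
    Entry("rule", 9, "permit ip any host 1.1.1.2"),
    Entry("rule", 15, "permit ip any host 1.1.1.3"),
]
AFTER = resequence(BEFORE, 2, 2)
```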
• Configure a Route Map for Route Redistribution (optional)
• Configure a Route Map for Route Tagging (optional)

Creating a Route Map

Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command.

• Create a route map and assign it a unique name.
To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.

Dell(conf)#no route-map zakho 10
Dell(conf)#end
Dell#show route-map
route-map zakho, permit, sequence 20
  Match clauses:
    interface GigabitEthernet 0/1
  Set clauses:
    tag 35
    level stub-area
Dell#

The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance.
Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map.
• Match destination routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 address prefix-list-name
• Match next-hop routes specified in a prefix list (IPv4).
  CONFIG-ROUTE-MAP mode
  match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match next-hop routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv4).
• Generate a tag to add to redistributed routes.
  CONFIG-ROUTE-MAP mode
  set automatic-tag
• Specify an OSPF area or ISIS level for redistributed routes.
  CONFIG-ROUTE-MAP mode
  set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
• Specify a value for the BGP route’s LOCAL_PREF attribute.
  CONFIG-ROUTE-MAP mode
  set local-preference value
• Specify a value for redistributed routes.
Configure a Route Map for Route Redistribution

Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic. To apply a route map to traffic on the S5000, call or include that route map in a command such as the redistribute or default-information originate commands in OSPF, ISIS, and BGP. Route redistribution occurs when Dell Networking OS learns the advertising routes from static or directly connected routes or another routing protocol.
Example of the redistribute Command Using a Route Tag

!
router rip
 redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
 match route-type internal
 set tag 34
!

Continue Clause

Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found.
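The evaluation rules just described (instances tried in sequence order, the first matching instance decides, a matching permit applies its set clauses and stops unless continue sends evaluation on, a permit match in any instance suffices) as an added Python model, not Dell Networking OS code. The Route fields, the route-map torip from the example above and the second route-map with a continue clause are constructed; the match and set keys are spelled after the CLI clauses.

```python
"""Route-map instance evaluation with set clauses and 'continue'. Added
illustration, not Dell Networking OS code; routes and route-maps below are
constructed after the examples in this section."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    route_type: str = "internal"        # tested by "match route-type"
    interface: Optional[str] = None     # tested by "match interface"
    tag: Optional[int] = None
    metric: Optional[int] = None
    level: Optional[str] = None


@dataclass
class Instance:
    seq: int
    action: str                                            # "permit" or "deny"
    match_clauses: Dict[str, object] = field(default_factory=dict)  # {"route-type": "internal"}
    set_clauses: Dict[str, object] = field(default_factory=dict)    # {"tag": 34}
    continue_to: Optional[int] = None   # None: stop after match; 0: next instance; N: jump to seq N


def _attr(clause: str) -> str:
    return clause.replace("-", "_")     # "route-type" -> Route.route_type


def _matches(inst: Instance, route: Route) -> bool:
    """All match clauses must hold; an instance with none matches every route."""
    return all(getattr(route, _attr(k)) == v for k, v in inst.match_clauses.items())


def apply_route_map(instances: List[Instance], route: Route) -> Tuple[bool, Route]:
    """Return (permitted, route after set clauses). A route matching no
    instance is not redistributed; a matching deny stops with the route
    unchanged; a matching permit applies its sets and stops unless it
    carries 'continue', in which case evaluation resumes at the next (or the
    named) instance and a later matching deny can still reject the route."""
    seqs = sorted(i.seq for i in instances)
    by_seq = {i.seq: i for i in instances}
    permitted, pos = False, 0
    while pos < len(seqs):
        inst = by_seq[seqs[pos]]
        if not _matches(inst, route):
            pos += 1
            continue
        if inst.action == "deny":
            return False, route
        permitted = True
        route = replace(route, **{_attr(k): v for k, v in inst.set_clauses.items()})
        if inst.continue_to is None:
            return True, route
        target = pos + 1 if inst.continue_to == 0 else seqs.index(inst.continue_to)
        if target <= pos:
            raise ValueError("continue must point forward in the route-map")
        pos = target
    return permitted, route


# route-map torip permit 10 / match route-type internal / set tag 34
TORIP = [Instance(10, "permit", {"route-type": "internal"}, {"tag": 34})]

# Constructed two-instance map: instance 10 sets a metric and continues, so a
# route matching both instances collects the set clauses of each.
WITH_CONTINUE = [
    Instance(10, "permit", {"interface": "GigabitEthernet 0/1"}, {"metric": 5}, continue_to=0),
    Instance(20, "permit", {"route-type": "internal"}, {"tag": 35, "level": "stub-area"}),
]
```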
9 Bidirectional Forwarding Detection (BFD)

BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
How BFD Works

Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed-upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter. These control packets are sent without regard to transmit and receive intervals.

NOTE: The Dell Networking operating system (OS) does not support multi-hop BFD sessions.
BFD Packet Format

Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.

Figure 13. BFD in IPv4 Packet Format

Field             Description
Diagnostic Code   The reason that the last session failed.
State             The current local session state. Refer to BFD Sessions.
Flag              A bit that indicates packet function.
                      system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer to BFD Sessions).

NOTE: Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear.

Detection Multiplier  The number of packets that must be missed to declare a session down.
Length                The entire length of the BFD packet.
BFD Sessions

To establish a session, enable BFD on both sides of a link. The two participating systems can assume either of two roles:

Active   The active system initiates the BFD session. Both systems can be active for the same session.
Passive  The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
1 The active system sends a steady stream of control packets that indicates that its session state is Down, until the passive system responds. These packets are sent at the desired transmit interval of the Active system. The Your Discriminator field is set to zero.
2 When the passive system receives any of these control packets, it changes its session state to Init and sends a response that indicates its state change.
Session State Changes

The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init.

Figure 15.
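The handshake and state changes described above, modelled in an added Python simulation (not Dell Networking OS code): the active side sends Down packets with Your Discriminator zero, the passive side answers with Init, both reach Up, and a session is declared down once the detection multiplier's worth of packets is missed. The transition table follows the RFC 5880 rules the illustration depicts; discriminators, intervals and timestamps are constructed.

```python
"""BFD three-way handshake, remote-state-driven transitions and detection
timer. Added illustration, not Dell Networking OS code; all values below are
constructed. Transition rules are those of RFC 5880 section 6.8.6."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"
DIAG_NONE, DIAG_DETECT_EXPIRED = 0, 1     # diagnostic codes (RFC 5880)


@dataclass
class BfdControl:
    """The fields of a control packet that the state machine consumes."""
    state: str
    my_disc: int
    your_disc: int            # 0 until the remote discriminator is learned
    desired_min_tx_ms: int
    required_min_rx_ms: int
    detect_mult: int
    diag: int = DIAG_NONE


class BfdSession:
    def __init__(self, my_disc: int, active: bool,
                 tx_ms: int = 100, rx_ms: int = 100, detect_mult: int = 3):
        self.my_disc, self.active = my_disc, active
        self.tx_ms, self.rx_ms, self.detect_mult = tx_ms, rx_ms, detect_mult
        self.state, self.diag, self.your_disc = DOWN, DIAG_NONE, 0
        self.remote_tx_ms: Optional[int] = None
        self.remote_mult: Optional[int] = None
        self.last_rx_ms: Optional[int] = None

    def wants_to_send(self) -> bool:
        # A passive system never initiates; it only answers once it has
        # learned the remote discriminator from an active system's packet.
        return self.active or self.your_disc != 0

    def build_packet(self) -> BfdControl:
        return BfdControl(self.state, self.my_disc, self.your_disc,
                          self.tx_ms, self.rx_ms, self.detect_mult, self.diag)

    def detection_time_ms(self) -> Optional[int]:
        """Time without packets after which the session is declared down:
        the remote multiplier times the slower of our RX floor and its TX rate."""
        if self.remote_tx_ms is None or self.remote_mult is None:
            return None
        return self.remote_mult * max(self.rx_ms, self.remote_tx_ms)

    def receive(self, pkt: BfdControl, now_ms: int) -> str:
        if pkt.your_disc not in (0, self.my_disc):
            return self.state                      # not for this session
        self.your_disc = pkt.my_disc
        self.remote_tx_ms, self.remote_mult = pkt.desired_min_tx_ms, pkt.detect_mult
        self.last_rx_ms = now_ms
        # Local state changes according to the state the remote reports.
        if pkt.state == ADMIN_DOWN:
            self.state = DOWN
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self.state = INIT
            elif pkt.state == INIT:
                self.state = UP
        elif self.state == INIT:
            if pkt.state in (INIT, UP):
                self.state = UP
        elif self.state == UP:
            if pkt.state == DOWN:
                self.state = DOWN
        return self.state

    def expire(self, now_ms: int) -> str:
        """Declare the session down when detect_mult packets in a row are missed."""
        dt = self.detection_time_ms()
        if dt is not None and self.state in (INIT, UP) and now_ms - self.last_rx_ms > dt:
            self.state, self.diag = DOWN, DIAG_DETECT_EXPIRED
        return self.state


def three_way_handshake(active: BfdSession, passive: BfdSession) -> List[Tuple[str, str]]:
    """Exchange packets at the active side's TX interval until both are Up;
    returns the (active, passive) states after each round."""
    trace, t = [], 0
    for _ in range(4):
        if active.wants_to_send():
            passive.receive(active.build_packet(), t)
        if passive.wants_to_send():
            active.receive(passive.build_packet(), t)
        trace.append((active.state, passive.state))
        t += active.tx_ms
        if active.state == UP and passive.state == UP:
            break
    return trace
```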
• Dell Networking OS supports only OSPF, IS-IS, BGP, and VRRP protocols as BFD clients.

Configure BFD

This section contains the following procedures.

• Configure BFD for OSPF
• Configure BFD for IS-IS
• Configure BFD for BGP
• Configuring Protocol Liveness
• Troubleshooting BFD

Configure BFD for Physical Ports

Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
protocol-liveness

R1(conf)#bfd enable
Enable BFD protocol-liveness
R1(conf)#do show running-config bfd
!
bfd enable
R1(conf)#

Establishing a Session on Physical Ports

To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match.

Figure 16. Establishing a BFD Session on Physical Ports

1 Enter interface mode.
LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.1    2.2.2.2      Te 4/24     Up      100      100      3      C

To view specific information about BFD sessions, use the show bfd neighbors detail command.

R1(conf-if-te-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
  TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
  TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
  Number of packets received from neighbor: 4092
  Number of packets sent to neighbor: 4093
  Number of state changes: 1
  Number of messages from IFA about port state change: 0
  Number of messages communicated b/w Manager and Agent: 7

Disabling and Re-Enabling BFD

BFD is enabled on all interfaces by default, though sessions are no
Related Configuration Tasks

• Changing Static Route Session Parameters
• Disabling BFD for Static Routes

Establishing Sessions for Static Routes

Sessions are established for all neighbors that are the next hop of a static route.

Figure 17. Establishing Sessions for Static Routes

To establish a BFD session, use the following command.

• Establish BFD sessions for all neighbors that are the next hop of a static route.
Changing Static Route Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes. To change parameters for static route sessions, use the following command.

• Change parameters for all static route sessions.
Enabling BFD Globally

You must enable BFD globally on both routers. To enable BFD globally, use the following command.

• Enable BFD globally.
  CONFIGURATION mode
  bfd enable

Example of Verifying that BFD is Enabled

To verify that BFD is enabled globally, use the show running bfd command. The bold line shows that BFD is enabled.
Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 18. Establishing Sessions with OSPF Neighbors

To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.

• Establish sessions with all OSPF neighbors.
• Establish sessions with OSPF neighbors on a single interface.
  INTERFACE mode
  ip ospf bfd all-neighbors

Example of Verifying Sessions with OSPF Neighbors

To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.

Dell(conf-router_ospf)#bfd all-neighbors
Dell(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr * 2.2.2.
To disable BFD sessions, use the following commands.

• Disable BFD sessions with all OSPF neighbors.
  ROUTER-OSPF mode
  no bfd all-neighbors
• Disable BFD sessions with all OSPF neighbors on an interface.
  INTERFACE mode
  ip ospf bfd all-neighbors disable

Configure BFD for IS-IS

When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS.
Establishing Sessions with IS-IS Neighbors

BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.

Figure 19. Establishing Sessions with IS-IS Neighbors

To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.

• Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
The bold line shows that IS-IS BFD sessions are enabled.

R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2    2.2.2.1      Te 2/1      Up      100      100      3      I

Changing IS-IS Session Parameters

BFD sessions are configured with default intervals and a default role.
  INTERFACE mode
  isis bfd all-neighbors disable

Configure BFD for BGP

In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 20.
use the BGP link to determine the appropriate response to the failure condition. The typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition.

You can configure BFD for BGP on the following types of interfaces: physical port (10GE or 40GE), port channel, and VLAN.

1 Enable BFD globally.
The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.

• Disable a BFD for BGP session with a specified neighbor.
  ROUTER BGP mode
  neighbor {ip-address | peer-group-name} bfd disable
• Remove the disabled state of a BFD for BGP session with a specified neighbor.
  show ip bgp summary
• Displays routing information exchanged with BGP neighbors, including BFD for BGP sessions.
  EXEC Privilege mode
  show ip bgp neighbors [ip-address]

Example of Verifying BGP Configuration

Example of Viewing All BFD Neighbors

Example of Viewing BFD Neighbor Detail

Example of Viewing Configured BFD Counters

Example of Viewing BFD Summary Information

Example of Viewing BFD Information for a Specified Neighbor

Dell# show running-config bgp
!
router bgp 2
neighbor 1.1.1.
  TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:07:55
Statistics:
  Number of packets received from neighbor: 4762
  Number of packets sent to neighbor: 4490
  Number of state changes: 2
  Number of messages from IFA about port state change: 0
  Number of messages communicated b/w Manager and Agent: 5

Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.
Messages:
  Registration    : 1
  De-registration : 0
  Init            : 0
  Up              : 1
  Down            : 0
  Admin Down      : 2

The bold line shows the message displayed when you enable BFD for BGP connections.

Dell# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory

Neighbor   AS   MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down   State/Pfx
1.1.1.2 2.2.2.2 3.3.3.
  Prefixes advertised 0, denied 0, withdrawn 0 from peer
  Connections established 1; dropped 0
  Last reset never
Local host: 2.2.2.3, Local port: 63805
Foreign host: 2.2.2.2, Foreign port: 179
E1200i_ExaScale#

R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
  Member of peer-group pg1 for session parameters
  BGP version 4, remote router ID 12.0.0.4
  BGP state ESTABLISHED, in this state for 00:05:33
...
  CONFIGURATION
  debug bfd packet

Example of Output from the debug bfd detail Command

Example of Output from the debug bfd packet Command

The following example shows a three-way handshake using the debug bfd detail command.

Dell(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.
10 Border Gateway Protocol IPv4 (BGPv4)

Border Gateway Protocol version 4 (BGPv4) is supported on Dell Networking OS. This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system (OS). BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
• Filtering on an AS-Path Attribute
• Filtering BGP Routes Using AS-PATH Information
• Redistributing Routes
• Enabling Additional Paths
• Configuring IP Community Lists
• Filtering Routes with Community Lists
• Manipulating the COMMUNITY Attribute
• Changing MED Attributes
• Changing the LOCAL_PREFERENCE Attribute
• Changing the NEXT_HOP Attribute
• Changing the WEIGHT Attribute
• Enabling Multipath
• Filtering BGP Routes Using Route Maps
• Filtering BGP Routes Using AS-PATH Info
• transit AS — is one that provides connections through itself to separate networks. For example, in the following illustration, Router 1 can use Router 2 (the transit AS) to connect to Router 4. Internet service providers (ISPs) are always transit ASs, because they provide connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, hence the term transit AS.
to be in “full mesh.” As seen in the following illustration, four routers connected in a full mesh have three peers each, six routers have five peers each, and eight routers in full mesh have seven peers each.

Figure 22. BGP Routers in Full Mesh

The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two endpoints of that session are Peers. A Peer is also called a Neighbor.

Establish a Session

Events and timers drive information exchange between peers. The focus in BGP is on the traffic routing policies.
peers. If the peers are members of a peer group, however, the information can be sent to one place and then passed on to the peers within the group.

Route Reflectors

Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules. Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
Communities

BGP communities are sets of routes with one or more common attributes. This is a way to assign common attributes to multiple routes at the same time.

BGP Attributes

Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
The following illustration shows the decisions BGP goes through to select the best path. The list following the illustration details the path selection criteria.

Figure 24. BGP Best Path Selection

Best Path Selection Details

1 Prefer the path with the largest WEIGHT attribute.
2 Prefer the path with the largest LOCAL_PREF attribute.
3 Prefer the path that was locally originated via a network command, redistribute command or aggregate-address command.
  a This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
  b If you entered the bgp always-compare-med command, MEDs are compared for all paths.
  c Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7 Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
Local Preference

Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route. Local preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in mind that other criteria may affect selection, as shown in the illustration in Best Path Selection Criteria. For this example, assume that the local preference (LOCAL_PREF) is the only attribute applied.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume that the MED is the only attribute applied. In the following illustration, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised to AS100 routers so they know which is the preferred path.
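The best path selection criteria listed above and the MED scenario just described (AS200 advertising MED 100 on its T1 exit and MED 50 on its OC3 exit), worked as an added Python comparison, not Dell Networking OS code. Steps 4 and 5 of the standard BGP algorithm (shorter AS_PATH, lower ORIGIN), which this excerpt does not list, are included and labelled as such; the tie-breakers after step 7 are left out, and all paths are constructed.

```python
"""Pairwise BGP best-path comparison: WEIGHT, LOCAL_PREF, local origination,
(standard) AS_PATH length and ORIGIN, then MED with the same-neighboring-AS /
always-compare-med / missing-MED-is-worst rules, then eBGP over iBGP. Added
illustration, not Dell Networking OS code; all paths are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MED_MISSING = 4294967295                  # a path with no MED is treated as worst
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}    # IGP < EGP < INCOMPLETE


@dataclass
class Path:
    name: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False      # network / redistribute / aggregate-address
    as_path: Tuple[int, ...] = ()         # first element is the neighboring AS
    origin: str = "i"
    med: Optional[int] = None
    ebgp: bool = True                     # False for a path learned over iBGP


def prefer(a: Path, b: Path, always_compare_med: bool = False) -> Path:
    """Return the better of two paths; returns `a` when these criteria
    cannot separate them (later tie-breakers are outside this excerpt)."""
    if a.weight != b.weight:                                # 1 largest WEIGHT
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:                        # 2 largest LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:        # 3 locally originated
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):                    # 4 (standard) shortest AS_PATH
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:      # 5 (standard) lowest ORIGIN
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # 6 lowest MED, compared only when both paths enter through the same
    #   neighboring AS (first AS in the AS path) or always-compare-med is on.
    if always_compare_med or a.as_path[:1] == b.as_path[:1]:
        med_a = MED_MISSING if a.med is None else a.med
        med_b = MED_MISSING if b.med is None else b.med
        if med_a != med_b:
            return a if med_a < med_b else b
    if a.ebgp != b.ebgp:                                    # 7 eBGP over iBGP
        return a if a.ebgp else b
    return a


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    """Fold the pairwise comparison over every candidate path to a destination."""
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, always_compare_med)
    return best


# The MED scenario above: AS200 sets MED 100 on its T1 exit and MED 50 on
# its OC3 exit, steering AS100 towards the OC3 link (constructed paths).
VIA_T1 = Path("AS200 via T1", as_path=(200,), med=100)
VIA_OC3 = Path("AS200 via OC3", as_path=(200,), med=50)
```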
In Dell Networking OS, these origin codes appear as shown in the following example. The question mark (?) indicates an origin code of INCOMPLETE (shown in bold). The lower case letter (i) indicates an origin code of IGP (shown in bold).

Example of Viewing Origin Codes

Dell#show ip bgp
BGP table version is 0, local router ID is 10.101.15.
advertises itself to another BGP speaker outside its local AS. It can also be set when advertising routes within an AS. The Next Hop attribute also serves as a way to direct traffic to another BGP speaker, rather than waiting for a speaker to advertise. Dell Networking OS allows you to set the Next Hop attribute in the CLI. Setting the Next Hop attribute lets you determine a router as the next hop for a BGP neighbor.

Multiprotocol BGP

Multiprotocol extensions for BGP (MBGP) are defined in IETF RFC 2858.
Advertise IGP Cost as MED for Redistributed Routes

When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. Dell Networking OS supports configuring the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Ignore Router-ID for Some Best-Path Calculations

Dell Networking OS allows you to avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces the network disruption caused by routing and forwarding-plane changes and allows for faster convergence.

Four-Byte AS Numbers

Dell Networking OS supports 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
• All AS numbers between 0 and 65535 are represented as a decimal number when entered in the CLI and when displayed in the show commands output.
• AS numbers larger than 65535 are represented using ASPLAIN notation. When entered in the CLI and when displayed in the show commands output, 65546 is represented as 65546.

ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): ..
C’s configuration. Local-AS allows this behavior to happen by allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned.

Figure 27. Before and After AS Number Migration with Local-AS Enabled

When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer.
3 Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that the update passed through a router in AS 200 before it reached Router B.

BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances Dell Networking OS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05.
• The AFI/SAFI is not used as an index to the f10BgpM2PeerCountersEntry table. The BGP peer’s AFI/SAFI (IPv4 Unicast or IPv6 Multicast) is used for various outbound counters. Counters corresponding to IPv4 Multicast cannot be queried.
By default, Dell Networking OS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled).

NOTE: In Dell Networking OS, all newly configured neighbors and peer groups are disabled. To enable a neighbor or peer group, enter the neighbor {ip-address | peer-group-name} no shutdown command.

The following table displays the default values for BGP on Dell Networking OS.

Table 12.
the interface directly connected to the router. First, the BGP process determines if all internal BGP peers are reachable, then it determines which peers outside the AS are reachable.

NOTE: Sample Configurations for enabling BGP routers are found at the end of this chapter.

1 Assign an AS number and enter ROUTER BGP mode.
  CONFIGURATION mode
  router bgp as-number
  • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format).
3 Enable the BGP neighbor.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | peer-group-name} no shutdown

Example of the show ip bgp summary Command (2-Byte AS number displayed)

Example of the show ip bgp summary Command (4-Byte AS number displayed)

Example of the show ip bgp neighbors Command

Example of Verifying BGP Configuration

NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp * command in EXEC Privilege mode.
router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID. To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example. For BGP neighbor configuration information, use the show running-config bgp command in EXEC Privilege mode as shown in the second example.
No active TCP connection
Dell#

Dell#show running-config bgp
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list ISP1in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.
  bgp asnotation asplain
  NOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
Configuring Peer Groups

To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it.
To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command. To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command.
 bgp log-neighbor-changes
 neighbor zanzibar peer-group
 neighbor zanzibar no shutdown
 neighbor 10.1.1.1 remote-as 65535
 neighbor 10.1.1.1 shutdown
 neighbor 10.14.8.60 remote-as 18505
 neighbor 10.14.8.60 no shutdown
Dell(conf-router_bgp)#

To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members.
Configuring BGP Fast Fall-Over
By default, the hold time governs when a BGP session is torn down. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces convergence time while maintaining stability: the session to a directly connected external peer is reset immediately when the link to that peer fails, instead of waiting for the hold timer to expire. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address.
Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 52, neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dropped 5 Last reset 00:19:37, due to Reset by peer Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 200.200.200.200, Local port: 65519 Foreign host: 100.100.100.
You can constrain the number of passive sessions the neighbor accepts. The limit keyword sets the total number of sessions the neighbor accepts, from 2 to 256. The default is 256 sessions.
1 Configure a peer group that does not initiate TCP connections with other peers.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name peer-group passive limit
Enter the limit keyword to restrict the number of sessions accepted.
2 Assign a subnet to the peer group.
You must configure the peer group (see Configuring Peer Groups) before assigning a local AS to it. This feature is not supported on passive peer groups.
Example of Verifying that Local AS Numbering is Disabled
The first highlighted line shows the actual AS number. The next two highlighted lines show the local AS number (6500) maintained during migration. To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.
Dell(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.
To disable this feature, use the no neighbor allow-as in number command in CONFIGURATION ROUTER BGP mode.
Dell(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Name in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.
• Defer best path selection for a certain amount of time. This helps optimize path selection and results in fewer updates being sent out.
To enable graceful restart, use the bgp graceful-restart command in CONFIG-ROUTER-BGP mode.
• Enable graceful restart for the BGP node.
CONFIG-ROUTER-BGP mode
bgp graceful-restart
• Set a maximum restart time for all peers.
CONFIG-ROUTER-BGP mode
bgp graceful-restart [restart-time time-in-seconds]
The default is 120 seconds.
• Local router supports graceful restart for this neighbor or peer-group as a receiver only.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only]
• Set the maximum time to retain the restarting neighbor's or peer-group's stale paths.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds]
The default is 360 seconds.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes. A filter-list that references a mistyped ACL name therefore silently passes everything; confirm the name with the show ip as-path-access-lists command.
Example of the show ip bgp paths Command
To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
Regular Expression: Definition
+ (plus): Matches 1 or more sequences of the immediately previous character or pattern.
? (question): Matches 0 or 1 sequence of the immediately previous character or pattern.
( ) (parenthesis): Specifies patterns for multiple use when one of the multiplier metacharacters follows: asterisk *, plus sign +, or question mark ?
[ ] (brackets): Matches any enclosed character and specifies a range of single characters.
Dell#show ip as-path-access-lists
ip as-path access-list Eagle
 deny 32$
Dell#
Filtering BGP Routes Using AS-PATH Information
To filter routes based on AS-PATH information, use these commands.
1 Create an AS-PATH ACL and assign it a name.
CONFIGURATION mode
ip as-path access-list as-path-name
2 Create an AS-PATH ACL filter with a deny or permit action.
AS-PATH ACL mode
{deny | permit} as-regular-expression
3 Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4 Enter ROUTER BGP mode.
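The AS-PATH ACL semantics described above (entries tried in order, a non-existent or empty list allowing all routes), worked through as an added Python example. This is not Dell code and does not reproduce the switch's regex engine: the ACL contents, the AS paths, the meaning assigned to the "_" metacharacter (which the guide's table does not define) and the implicit deny after the last entry are all assumptions made for the illustration.

```python
import re

# Constructed AS-path ACLs.  "Eagle" is the list shown by
# "show ip as-path-access-lists" above (deny 32$), with a trailing
# permit-all entry added so that other paths are still accepted.
# "EagleFixed" is the anchored form discussed in the note below.
AS_PATH_ACLS = {
    "Eagle":      [("deny", "32$"), ("permit", ".*")],
    "EagleFixed": [("deny", "_32$"), ("permit", ".*")],
    "Empty":      [],
}


def to_python_regex(as_regex: str) -> str:
    """Translate an AS-path regular expression to Python 're' syntax.

    The metacharacters the guide lists (+, ?, (), []) mean the same in
    Python.  The one translation made here is for '_', which in
    Cisco-style AS-path expressions matches the start or end of the path
    or the separator between two AS numbers; the guide does not define
    '_', so that meaning is an assumption of this example.
    """
    return as_regex.replace("_", r"(?:^|$|\s)")


def evaluate_as_path_acl(acl_name: str, as_path) -> str:
    """Return 'permit' or 'deny' for an AS path given as a list of AS
    numbers, nearest AS first (the order of the AS_PATH attribute).

    Semantics implemented:
      * a non-existent or empty ACL permits every route, as the guide states;
      * entries are tried in order and the first match decides;
      * a path matching no entry is denied (implicit deny, assumed here).
    """
    entries = AS_PATH_ACLS.get(acl_name, [])
    if not entries:
        return "permit"
    path_text = " ".join(str(asn) for asn in as_path)
    for action, pattern in entries:
        if re.search(to_python_regex(pattern), path_text):
            return action
    return "deny"


if __name__ == "__main__":
    for name, path in (("Eagle", [65123, 32]), ("Eagle", [65132]),
                       ("EagleFixed", [65132]), ("NoSuchList", [32])):
        print(name, path, "->", evaluate_as_path_acl(name, path))
```

The unanchored expression 32$ from the page matches any path whose last AS number merely ends in the digits 32 (65132, for example), because the expression is applied to the path as text. The "_32$" form in EagleFixed only matches a path whose origin AS is exactly 32; the same care applies to any AS number used in a deny entry.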
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
• Include directly connected or user-configured (static) routes in BGP.
Enabling Additional Paths
The add-path feature is disabled by default.
NOTE: In some cases, when receiving 1K identical routes from more than 64 iBGP neighbors, BGP sessions with a hold time of 10 seconds may flap. BGP add-path does not update packets for advertisement and cannot scale to higher numbers. Either reduce the number of routes you add or increase the hold timer value.
To allow multiple paths to be sent to peers, use the following commands.
• All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers. Dell Networking OS also supports BGP Extended Communities as described in RFC 4360 — BGP Extended Communities Attribute. To configure an IP community list, use these commands. 1 Create a community list and enter COMMUNITY-LIST mode.
Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1 Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
• Enable the software to send the router’s COMMUNITY attribute to the BGP neighbor or peer group specified. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} send-community To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. If you want to remove or add a specific COMMUNITY number from a BGP path, create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode. Dell>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network * i 3.0.0.0/8 *>i 4.2.49.12/30 * i 4.21.132.0/23 *>i 4.24.118.16/30 *>i 4.24.145.0/30 *>i 4.24.187.12/30 *>i 4.24.202.0/30 *>i 4.25.88.
bgp default local-preference value • value: the range is from 0 to 4294967295. The default is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map. 1 Enter the ROUTE-MAP mode and assign a name to a route map.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
Changing the WEIGHT Attribute
To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address.
• Assign a weight to the neighbor connection.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} weight weight
• weight: the range is from 0 to 65535. The default is 0.
Filtering BGP Routes Using Route Maps To filter routes using a route map, use these commands. 1 Create a route map and assign it a name. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Create multiple route map filters with a match or set action. CONFIG-ROUTE-MAP mode {match | set} For information about configuring route maps, see Access Control Lists (ACLs). 3 Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4 Enter ROUTER BGP mode.
ip as-path access-list as-path-name
2 Create an AS-PATH ACL filter with a deny or permit action.
AS-PATH ACL mode
{deny | permit} as-regular-expression
3 Return to CONFIGURATION mode.
AS-PATH ACL mode
exit
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5 Filter routes based on the criteria in the configured route map.
• route maps (using the neighbor route-map command) Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map. For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control Lists (ACLs). NOTE: When you configure a new set of BGP policies, to ensure that the changes are made, always reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode. To filter routes using prefix lists, use the following commands.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. To view the BGP configuration, use the show config command in ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode. Filtering BGP Routes Using Route Maps To filter routes using a route map, use these commands. 1 Create a route map and assign it a name.
Filtering BGP Routes Using AS-PATH Information To filter routes based on AS-PATH information, use these commands. 1 Create an AS-PATH ACL and assign it a name. CONFIGURATION mode ip as-path access-list as-path-name 2 Create an AS-PATH ACL filter with a deny or permit action. AS-PATH ACL mode {deny | permit} as-regular-expression 3 Return to CONFIGURATION mode. AS-PATH ACL exit 4 Enter ROUTER BGP mode.
To configure a route reflector, use the following commands.
• Assign an ID to a route reflector cluster.
CONFIG-ROUTER-BGP mode
bgp cluster-id cluster-id
You can have multiple clusters in an AS.
• Configure the local router as a route reflector and the neighbor or peer group identified as a route reflector client.
Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
• Readvertise
• Attribute change
When dampening is applied to a route, its path is described by one of the following terms:
• history entry: an entry that stores information on a downed route
• dampened path: a path that is no longer advertised
• penalized path: a path that is assigned a penalty
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping,
• View all flap statistics, or the statistics for routes meeting the following criteria.
EXEC or EXEC Privilege mode
show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression]
• ip-address [mask]: enter the IP address and mask.
• filter-list as-path-name: enter the name of an AS-PATH ACL.
• regexp regular-expression: enter a regular expression to match on.
122836 network entrie(s) and 221664 paths using 29697640 bytes of memory 34298 BGP path attribute entrie(s) using 1920688 bytes of memory 29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory 184 BGP community entrie(s) using 7616 bytes of memory Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths Neighbor AS MsgRcvd MsgSent TblVer 10.114.8.34 18508 82883 79977 780266 10.114.8.
Enabling BGP Neighbor Soft Reconfiguration
BGP soft reconfiguration allows for faster and easier route policy changes. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to the hard reset of the BGP cache and the time it takes to re-establish the session. BGP soft reconfiguration allows policies to be applied to a session without clearing the BGP session.
Entering this command starts the storage of updates, which is required to do inbound soft reconfiguration. Outbound BGP soft reconfiguration does not require inbound soft reconfiguration to be enabled.
Example of Soft Reconfiguration of a BGP Neighbor
The example enables inbound soft reconfiguration for the neighbor 10.108.1.1. All updates received from this neighbor are stored unmodified, regardless of the inbound policy.
Enabling MBGP Configurations
Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by protocol independent multicast (PIM) to build data distribution trees. The S5000 supports MBGP for IPv6 unicast and IPv4 multicast. Dell Networking OS implements MBGP per RFC 2858 (Multiprotocol Extensions for BGP-4, since obsoleted by RFC 4760).
This feature is turned on by default. If necessary, use the bgp regex-eval-optz-disable command in CONFIGURATION ROUTER BGP mode to disable it.
Debugging BGP
To enable BGP debugging, use any of the following commands.
• View all information about BGP, including BGP events, keepalives, notifications, and updates.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
• View information about BGP routes being dampened.
To disable all debugging, use the undebug all command. Storing Last and Bad PDUs Dell Networking OS stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per peer basis. The last bad PDU is the one that causes a notification to be issued. In the following example, the last seven lines shown in bold are the last PDUs. Example of the show ip bgp neighbor Command to View Last and Bad PDUs Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2 BGP neighbor is 1.1.1.
Capturing PDUs
To capture incoming and outgoing PDUs on a per-peer basis, use the capture bgp-pdu neighbor direction command. To disable capturing, use the no capture bgp-pdu neighbor direction command. The capture buffer size can be set between 40 MB (the default) and 100 MB. The capture buffers are cyclic: when the limit is reached, the system overwrites the oldest PDUs as new ones are received for a given neighbor or direction.
[. . .] Dell(conf-router_bgp)#do sho ip bg s BGP router identifier 172.30.1.
The following illustration shows the configurations described in the following examples. The configurations show how to bring up BGP sessions between the routers, using physical interfaces for connectivity and Loopback interfaces as the peering (update-source) addresses, and how to place the peers in peer groups.
Figure 28. Sample Configurations
Example of Enabling BGP (Router 1)
Example of Enabling BGP (Router 2)
Dell# conf
Dell(conf)#int loop 0
Dell(conf-if-lo-0)#ip address 192.168.128.
Dell(conf-if-te-1/21)#int te 1/31
Dell(conf-if-te-1/31)#ip address 10.0.3.31/24
Dell(conf-if-te-1/31)#no shutdown
Dell(conf-if-te-1/31)#show config
!
interface TengigabitEthernet 1/31
 ip address 10.0.3.31/24
 no shutdown
Dell(conf-if-te-1/31)#router bgp 99
Dell(conf-router_bgp)#network 192.168.128.0/24
Dell(conf-router_bgp)#neighbor 192.168.128.2 remote 99
Dell(conf-router_bgp)#neighbor 192.168.128.2 no shut
Dell(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
Dell(conf-router_bgp)#neighbor 192.
Dell(conf-if-te-2/31)#show config
!
interface TengigabitEthernet 2/31
 ip address 10.0.2.2/24
 no shutdown
Dell(conf-if-te-2/31)#
Dell(conf-if-te-2/31)#router bgp 99
Dell(conf-router_bgp)#network 192.168.128.0/24
Dell(conf-router_bgp)#neighbor 192.168.128.1 remote 99
Dell(conf-router_bgp)#neighbor 192.168.128.1 no shut
Dell(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0
Dell(conf-router_bgp)#neighbor 192.168.128.3 remote 100
Dell(conf-router_bgp)#neighbor 192.168.128.
Dell(conf-if-te-3/21)#ip address 10.0.2.3/24
Dell(conf-if-te-3/21)#no shutdown
Dell(conf-if-te-3/21)#show config
!
interface TengigabitEthernet 3/21
 ip address 10.0.2.3/24
 no shutdown
Dell(conf-if-te-3/21)#
Dell(conf-if-te-3/21)#router bgp 100
Dell(conf-router_bgp)#show config
!
router bgp 100
Dell(conf-router_bgp)#network 192.168.128.0/24
Dell(conf-router_bgp)#neighbor 192.168.128.1 remote 99
Dell(conf-router_bgp)#neighbor 192.168.128.1 no shut
Dell(conf-router_bgp)#neighbor 192.168.128.
 neighbor BBB no shutdown
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 peer-group AAA
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 peer-group BBB
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
Dell#
Dell#show ip bgp summary
BGP router identifier 192.168.128.
Local host: 192.168.128.1, Local port: 179 Foreign host: 192.168.128.2, Foreign port: 65464 BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
Dell#
Dell#show ip bgp summary
BGP router identifier 192.168.128.2, local AS number 99
BGP table version is 2, main routing table version 2
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
192.168.128.
Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
BGP state ESTABLISHED, in this state for 00:18:51 Last read 00:00:45, last write 00:00:44 Hold time is 180, keepalive interval is 60 seconds Received 138 messages, 0 in queue 7 opens, 2 notifications, 7 updates 122 keepalives, 0 route refresh requests Sent 140 messages, 0 in queue 7 opens, 4 notifications, 7 updates 122 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities advertised to neighbor for IPv4
11 Bare Metal Provisioning (BMP) Bare Metal Provisioning 2.0 is included as part of the Dell Networking OS image. BMP improves accessibility to the S5000 switch by automatically loading pre-defined configurations and boot images that are stored in file servers. You can use BMP on a single switch or on multiple switches. For more information about BMP in Auto-Configuration mode, refer to the Open Automation Guide.
Restrictions
BMP 2.0 is supported on the user ports and management ports of a switch.
Reconfiguring Jumpstart and Normal Modes
On a new factory-loaded switch, the switch boots up in Jumpstart mode. You can reconfigure the switch to reload in either Normal or Jumpstart mode.
Jumpstart (BMP) mode
The switch automatically configures all ports (management and user ports) as Layer 3 physical ports and acts as a DHCP client on those ports for a user-configured time (DHCP timeout). This is the default startup mode.
• This command stops the jumpstart reload process while it is in progress and changes the reload type to Normal mode.
EXEC Privilege mode
stop jump-start
If the command is initiated while the switch is downloading an image or configuration file, the command takes effect when the DHCP release is sent.
Example of Viewing the Configured Reload Mode
To display the currently configured Reload mode for a switch running BMP version 2.0, use the show reload-type or show bootvar command.
DHCP Option Code: Description
6: Domain Name Server IP
66: TFTP Server name
67: Boot filename
150: TFTP server IP address
209: Configuration File
NOTE: The boot file name and configuration file name must be in the correct format. If they are not, the switch is unable to download the file from the server and behaves as if the server could not be reached. The discovery process then continues, regardless of the configured time-out, until you enter the stop jump-start command.
Table 13.
After 10 minutes of rediscovery attempts, the server IP address is blacklisted, as shown in the system log:
00:05:45:%STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent 0/ 47.
00:05:45:%STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent 0/0.
00:05:45:%STKUNIT0-M:CP %JUMPSTART-5-DHCP_OFFER_REJECTED: Server IP address 10.11.197.39 was previously rejected.
00:05:59:%STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent 0/0.
Description: Parameter and example
MAC to IP mapping: fixed-address 10.20.30.42;
TFTP server address: option tftp-server-address 10.20.4.1;
Dell Networking OS image: filename "FTOS-SE-8.3.10.1.bin";
Config file: option config-file "S4810-2.conf";
}
DHCP Retry Mechanism
BMP requests a different DHCP offer in the following scenarios:
• If you enter the reload-type jump-start config-download enable command, the DHCP offer specifies both the boot image and the configuration file.
• ftp://user:passwd@hostname//mypath/filename
• http://serverip/filename
• http://hostname/filename
• flash://filename
• filename (Assumes TFTP)
When loading the Dell Networking OS image, if the image on the server is different from the image on the local flash, the switch downloads the image from the server onto the local flash and reloads using that image. Next, the switch tries to load the configuration file.
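The DHCP option codes in the table above and the file-location forms just listed, worked through as an added Python example (not Dell's code, and not a model of the switch's own DHCP client): a small RFC 2132 option parser that pulls out the BMP-relevant options from a constructed DHCPOFFER, classifies where each file would be fetched from, and flags an offer that BMP could not act on. The offer bytes, the server addresses and the file names are constructed for this example; the check that a bare file name needs a TFTP server (option 66 or 150) follows from the list above and is this example's rule, not a documented switch check. Note that nothing in the offer is authenticated: whichever DHCP server answers first chooses the image and configuration the switch boots, so a switch in Jumpstart mode should only be connected to a network where your own DHCP and file servers can answer.

```python
import ipaddress

# DHCP option codes that BMP uses, from the table above.
BMP_OPTIONS = {6: "dns_servers", 66: "tftp_server_name", 67: "boot_filename",
               150: "tftp_server_ips", 209: "config_filename"}


def parse_dhcp_options(data: bytes) -> dict:
    """Parse the option area of a DHCP message (RFC 2132 TLV format:
    1-byte code, 1-byte length, value; code 0 is padding, 255 ends the list).
    Options 6 and 150 carry lists of IPv4 addresses; the rest are text."""
    out = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:              # pad
            i += 1
            continue
        if code == 255:            # end
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        i += 2 + length
        if code in (6, 150):
            if length % 4:
                raise ValueError("option %d length is not a multiple of 4" % code)
            out[BMP_OPTIONS[code]] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                                      for j in range(0, length, 4)]
        elif code in BMP_OPTIONS:
            out[BMP_OPTIONS[code]] = value.decode("ascii")
        else:
            out.setdefault("other", {})[code] = value
    return out


def file_source(name: str) -> str:
    """Where BMP would fetch a file from, using the URL forms listed above;
    a bare file name is fetched from the TFTP server."""
    for scheme in ("ftp://", "http://", "flash://"):
        if name.startswith(scheme):
            return scheme[:-3]
    return "tftp"


def check_offer(opts: dict) -> list:
    """Problems with a parsed offer from BMP's point of view: it needs a boot
    file name and a configuration file name, and a TFTP server (option 66 or
    150) for any name given without a scheme.  Empty list means usable."""
    problems = []
    for key, code in (("boot_filename", 67), ("config_filename", 209)):
        if not opts.get(key):
            problems.append("missing %s (option %d)" % (key.replace("_", " "), code))
    has_tftp = bool(opts.get("tftp_server_name") or opts.get("tftp_server_ips"))
    for key in ("boot_filename", "config_filename"):
        name = opts.get(key)
        if name and file_source(name) == "tftp" and not has_tftp:
            problems.append("no TFTP server (option 66 or 150) for bare filename " + name)
    return problems


def build_option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed DHCPOFFER option area for this example (not a real capture).
SAMPLE_OFFER_OPTIONS = (
    build_option(53, b"\x02")                         # message type: DHCPOFFER
    + build_option(6, bytes([10, 20, 4, 53]))         # DNS server 10.20.4.53
    + build_option(150, bytes([10, 20, 4, 1]))        # TFTP server 10.20.4.1
    + build_option(67, b"FTOS-SE-8.3.10.1.bin")       # boot image
    + build_option(209, b"S4810-2.conf")              # configuration file
    + b"\xff"
)

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OFFER_OPTIONS)
    print(opts)
    for key in ("boot_filename", "config_filename"):
        print(key, "->", file_source(opts[key]))
    print("problems:", check_offer(opts))
```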
00:01:47: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
3 The IP address, boot image filename, and configuration filename are reserved for the switch and provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, DHCP server IP, TFTP server address, DNS server IP, bootfile name, and configuration filename from the DHCP server.
server is being applied
00:03:27: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_RELEASE: DHCP RELEASE sent on Fo 0/56.
00:03:27: %STKUNIT0-M:CP %SYS-5-CONFIG_LOAD: Loading configuration file c
If the configuration file is downloaded from the server, any saved startup-configuration on the flash is ignored. If no configuration file is downloaded from the server, or if you disabled the config-download parameter, the startup-configuration file on the flash is loaded as in a normal reload.
12 Content Addressable Memory (CAM) Content addressable memory (CAM) is supported on Dell Networking OS. CAM is a type of memory that stores information in the form of a lookup table. On the S5000 systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.
IPV4Acl 4
Ipv6Acl 0
Ipv4Qos 2
L2Qos 1
L2PT 0
IpMacAcl 0
VmanQos 0
VmanDualQos 0
EcfmAcl 0
nlbclusteracl 0
FcoeAcl 0
iscsiOptAcl 0
ipv4pbr 0
vrfv4Acl 0
Openflow 0
fedgovacl 0
Re-Allocating CAM for Ingress ACLs and QoS
The default CAM allocation settings for ingress ACL and QoS regions are shown in the following list.
• VMAN Dual QoS (vman-dual-qos): 0
• FCoE ACL (fcoeacl): 2
• iSCSI Opt ACL (iscsioptacl): 0
Enter the ipv6acl and vman-dual-qos allocations in multiples of 2 (2, 4, 6, 8, 10). All other CAM regions can use either even or odd numbers of blocks.
NOTE: On the S5000, only one region can be allocated an odd number of blocks in the CLI configuration; the other regions must be allocated in multiples of 2. For example, a CLI configuration of 5+4+2+1+1 blocks is not supported; a configuration of 6+4+2+1 blocks is supported.
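The allocation rules above (multiples of 2 for ipv6acl and vman-dual-qos, at most one region with an odd block count, at least one block each for the L2 and IPv4 ACL regions), as an added Python check that can be run over a planned cam-acl allocation before it is committed and the system reloaded. This is example code, not Dell's, and it is not the switch's own validation: the region names follow the CLI keywords listed in this section, the mapping of the page's 5+4+2+1+1 and 6+4+2+1 figures onto particular regions is constructed for the example, and the total number of blocks available is not checked because this section does not state it.

```python
# Constraints stated in the guide for CAM block allocation on the S5000.
EVEN_ONLY = ("ipv6acl", "vman-dual-qos")   # must be given in multiples of 2
MUST_HAVE_ONE = ("l2acl", "ipv4acl")       # need at least one block each


def validate_cam_blocks(alloc: dict) -> list:
    """Return the list of violations for a planned allocation (empty = accepted).

    alloc maps a cam-acl region keyword to its block count, e.g.
    {"l2acl": 6, "ipv4acl": 4, "ipv4qos": 2, "l2qos": 1}.
    Checks implemented, all taken from the guide's text:
      * ipv6acl and vman-dual-qos must be multiples of 2;
      * at most one region may have an odd block count;
      * l2acl and ipv4acl must be allocated at least one block.
    The chip's total block count is not checked (not stated in this section).
    """
    problems = []
    for region in EVEN_ONLY:
        if alloc.get(region, 0) % 2:
            problems.append("%s must be a multiple of 2, got %d" % (region, alloc[region]))
    odd = [region for region, blocks in alloc.items() if blocks % 2]
    if len(odd) > 1:
        problems.append("only one region may have an odd block count, found: "
                        + ", ".join(odd))
    for region in MUST_HAVE_ONE:
        if alloc.get(region, 0) < 1:
            problems.append("%s needs at least one block" % region)
    return problems


if __name__ == "__main__":
    # Constructed placements of the page's two examples onto regions.
    unsupported = {"l2acl": 5, "ipv4acl": 4, "ipv4qos": 2, "l2qos": 1, "fcoeacl": 1}
    supported = {"l2acl": 6, "ipv4acl": 4, "ipv4qos": 2, "l2qos": 1}
    print("5+4+2+1+1:", validate_cam_blocks(unsupported))
    print("6+4+2+1  :", validate_cam_blocks(supported))
```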
• L2 ACL (l2acl): from 1 to 4
• L3 ACL (ipv4acl): from 1 to 4
• IPv6 L3 ACL (ipv6acl): from 0 to 4
You must allocate at least one block of memory to the L2ACL and IPv4 ACL regions. You must save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings to take effect.
To reconfigure the memory regions on the S5000 used for egress ACLs and QoS, follow these steps.
1 Enter the number of FP blocks for each egress ACL region.
Displaying CAM-ACL Settings To display the current CAM ACL settings for each ingress region, the show cam-acl command is supported on the S5000. The default ingress CAM ACL allocation settings on an S5000 (stack unit 0) are shown in the following example.
-- Stack unit 0 --
Current Settings(in block sizes)
L2Acl : 1
Ipv4Acl : 1
Ipv6Acl : 2
Dell#
CAM Optimization
To optimize CAM utilization for QoS entries by minimizing the required policy-map CAM space, use the cam-optimization command.
QoS CAM Region Limitation To store QoS service policies, the default CAM profile allocates a partition within the IPv4Flow region. If the QoS CAM space is exceeded, a message similar to the following displays.
13 Control Plane Policing (CoPP)
Control plane policing (CoPP) is supported on Dell Networking OS. CoPP uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. The filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
The following illustrations show the difference between a system with CoPP implemented and one without it.
Figure 29. Control Plane Policing
Figure 30.
Topics:
• Configure Control Plane Policing
• Configuring CoPP for Protocols
• Configuring CoPP for CPU Queues
• Show Commands
Configure Control Plane Policing
The S5000 can process a maximum of 4200 packets per second (PPS) on the control plane. Protocols that share a single CPU queue may experience flaps if one of them receives a high rate of control traffic, even when per-protocol CoPP is applied. This happens because queue-based rate limiting is applied before per-protocol policing, so a flood from one protocol can exhaust the shared queue's rate budget and drop the other protocols' packets before their own policers ever see them.
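The shared-queue effect described above, as an added illustration in Python (not Dell code, and not a model of the S5000 hardware): a two-stage policer in which a per-queue token bucket is applied before a per-protocol bucket, fed by a constructed 3000 pps BGP flood and 100 pps of OSPF hellos. The rates, the 10-packet burst depth, the 1 ms tick and the assumption that the flood's packets are seen before the OSPF packet within each tick are all choices made for this example. Run with both protocols on one queue, OSPF is starved even though it never exceeds its own per-protocol limit; run with OSPF on its own queue, every OSPF packet reaches the CPU.

```python
class TokenBucket:
    """Integer token-bucket policer, rate in packets per second, ticked every 1 ms.

    Tokens are kept scaled by 1000: each tick adds rate_pps tokens and one
    packet costs 1000, so 1000 ticks add exactly rate_pps packets of credit
    with no floating point."""

    def __init__(self, rate_pps: int, burst_packets: int):
        self.rate = rate_pps
        self.depth = burst_packets * 1000
        self.tokens = self.depth          # start full

    def tick(self):
        self.tokens = min(self.depth, self.tokens + self.rate)

    def admit(self) -> bool:
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def simulate_copp(queue_of, queue_rate_pps, proto_rate_pps, offered_pps,
                  ticks=1000, burst=10):
    """Run a two-stage control-plane policer for `ticks` milliseconds.

    queue_of:       protocol -> CPU queue it is mapped to
    queue_rate_pps: rate limit applied to each queue (stage 1, applied first)
    proto_rate_pps: protocol -> per-protocol CoPP rate (stage 2)
    offered_pps:    protocol -> constructed, evenly spaced arrival rate
    Returns the number of packets per protocol that reached the CPU.
    Within one tick, protocols are served in the order of offered_pps, so
    listing the flooding protocol first models the worst case for the others
    (an assumption of this example).
    """
    queues = {q: TokenBucket(queue_rate_pps, burst) for q in set(queue_of.values())}
    protos = {p: TokenBucket(r, burst) for p, r in proto_rate_pps.items()}
    accepted = {p: 0 for p in offered_pps}
    for t in range(ticks):
        for bucket in list(queues.values()) + list(protos.values()):
            bucket.tick()
        for proto, rate in offered_pps.items():
            # packets of an evenly spaced `rate` pps flow that fall into this 1 ms tick
            arrivals = (rate * (t + 1)) // 1000 - (rate * t) // 1000
            for _ in range(arrivals):
                if not queues[queue_of[proto]].admit():
                    continue          # dropped by the queue limit, before per-protocol CoPP
                if protos[proto].admit():
                    accepted[proto] += 1
    return accepted


if __name__ == "__main__":
    offered = {"bgp": 3000, "ospf": 100}     # constructed: BGP flood plus normal OSPF hellos
    limits = {"bgp": 500, "ospf": 200}       # per-protocol CoPP rates, assumed
    print("shared queue   :", simulate_copp({"bgp": "q0", "ospf": "q0"}, 1000, limits, offered))
    print("separate queues:", simulate_copp({"bgp": "q0", "ospf": "q1"}, 1000, limits, offered))
```

The per-protocol policer for BGP gives the same result in both runs, which is the point: per-protocol CoPP alone does not protect a neighbouring protocol that shares the queue, so the protocols that must not flap under a flood need their own queue, or the queue-level rate must leave room for them.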
ip access-list extended name cpu-qos
permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | msdp | ntp | ospf | pim | ip | ssh | telnet | vrrp}
3 Create an IPv6 ACL for control-plane traffic policing for a particular protocol.
CONFIGURATION mode
ipv6 access-list name cpu-qos
permit {bgp | icmp | vrrp}
4 Create a QoS input policy for the router and assign the policing.
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_500k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 500 50 peak 1000 50
Dell(conf-in-qos-policy-cpuqos
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue 0 qos-policy name
3 Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4 Assign a CPU queue-based service policy to the control plane in cpu-qos mode. Enabling this command sets the queue rates according to the configured policies.
Example of Viewing Queue Mapping To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
14 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic. Through network consolidation, DCB results in reduced operational cost, simplified management, and easy scalability by avoiding the need to deploy separate application-specific networks.
Priority-Based Flow Control In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p priority traffic to the transmitting device. In this way, PFC ensures that PFC-enabled priority traffic is not dropped by the switch. PFC enhances the existing 802.
after receiving a message to pause a specified priority. PFC traffic is paused only after surpassing both static and dynamic thresholds for the priority specified for the port.
• By default, PFC is enabled when you enable DCB. If you have not loaded FCoE_DCB_Config and iSCSI_DCB_Config, DCB is disabled. When you enable DCB globally, you cannot simultaneously enable link-level flow control.
• Buffer space is allocated and de-allocated only when you configure a PFC priority on the port.
Table 15. ETS Traffic Groupings
Traffic Grouping: Description
Group ID: A 4-bit identifier assigned to each priority group. Groups 0 to 7 are configurable; 8 to 14 are reserved; 15.0 to 15.7 denote the strict priority group.
Group bandwidth: Percentage of available bandwidth allocated to a priority group.
Group transmission selection algorithm (TSA): Type of queue scheduling a priority group uses.
In Dell Networking OS, ETS is implemented as follows:
• ETS supports groups of 802.
Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 33. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
To enable DCB with PFC buffers on a switch, enter the following commands, save the configuration, and reboot the system to allow the changes to take effect.
1 Enable DCB.
CONFIGURATION mode
dcb enable
2 Set PFC buffering on the DCB stack unit.
CONFIGURATION mode
Dell(conf)#dcb enable pfc-queues
NOTE: To save the PFC buffering configuration changes, save the configuration and reboot the system.
Important Points to Remember • If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Configuring Priority-Based Flow Control Priority-Based Flow Control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB. As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (Class of Service (CoS) values) without impacting other priority classes. Different traffic types are assigned to different priority classes.
Type, Length, Value (TLV) are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices.
NOTE: You cannot enable PFC and link-level flow control at the same time on an interface.
Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface when PFC mode is turned off.
Prerequisite: A DCB map with a PFC configuration is applied to the interface with the following conditions:
• PFC mode is off (no pfc mode on).
pfc no-drop queues queue-range
For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table. The maximum number of lossless queues globally supported on the switch is two. The range is from 0 to 3. Separate the queue values with a comma; specify a priority range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3. The default: No lossless queues are configured.
NOTE: Dell Networking OS Behavior: By default, no lossless queues are configured on a port.
the CRC and discards counters. (These ingress interfaces receiving PFC-enabled traffic have an egress interface that has a compatible PFC configuration.)
NOTE: DCB maps are supported only on physical Ethernet interfaces.
• To remove a DCB map, including the PFC configuration it contains, use the no dcb map command in Interface configuration mode.
• To disable PFC operation on an interface, use the no pfc mode on command in DCB-Map configuration mode.
Applying a DCB Map on a Port
When you apply a DCB map with PFC enabled on a switch interface, a memory buffer for PFC-enabled priority traffic is automatically allocated. The buffer size is allocated according to the number of PFC-enabled priorities in the assigned map.
To apply a DCB map to an Ethernet port, follow these steps:
Table 16. DCB Map to an Ethernet Port
Step  Task  Command  Command Mode
1  Enter interface configuration mode on an Ethernet port.  fortygigabitEthernet slot/port}  
2  Enable PFC on specified priorities. Range: 0-7. Default: None. Maximum number of lossless queues supported on an Ethernet port: 2. Separate priority values with a comma.  pfc priority priority-range  INTERFACE
Refer to the following configuration for queue to dot1p mapping:
Dell(conf)#do show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7   -> On ingress interfaces [Port A and C] we used PFC on priority level.
Queue          : 0 0 0 1 2 3 3 3   -> On egress interface [Port B] we used no-drop queues.
Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the no-drop egress queues.
Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3. Default: No lossless queues are configured.
Priority-Based Flow Control Using Dynamic Buffer Method
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
Although the system contains 9 MB of space for shared buffers, a minimum guaranteed buffer is provided to all the internal and external ports in the system for both unicast and multicast traffic. This minimum guaranteed buffer reduces the total available shared buffer to 7,787 KB. This shared buffer can be used for lossy and lossless traffic. The default behavior causes up to a maximum of 6.6 MB to be used for PFC-related traffic. The remaining approximate space of 1 MB can be used by lossy traffic.
Configuration Example for DSCP and PFC Priorities
Consider a scenario in which the following DSCP and PFC priorities are necessary:
DSCP          Expected PFC Priority
0-5, 10-15    1
20-25, 30-35  2
To configure the aforementioned DSCP and PFC priority values, perform the following tasks:
1 Create class-maps to group the DSCP subsets
class-map match-any dscp-pfc-1
 match ip dscp 0-5,10-15
!
class-map match-any dscp-pfc-2
 match ip dscp 20-25,30-35
2 Associate above class-maps to Queues
Queue assignment a
Using PFC to Manage Converged Ethernet Traffic
To use PFC for managing converged Ethernet traffic, use the following command:
dcb-map stack-unit all dcb-map-name
Configure Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.
dcb-map dcb-map-name
The dcb-map-name variable can have a maximum of 32 characters.
2 Create an ETS priority group.
CONFIGURATION mode
priority-group group-num {bandwidth bandwidth | strict-priority} pfc off
The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50.
The maximum number of priority groups supported in ETS output policies on an interface is equal to the number of data queues (4) on the port. The 802.1p priorities in a priority group can map to multiple queues. If you configure more than one priority queue as strict priority or more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic.
To create a QoS output policy that allocates different amounts of bandwidth to the different traffic types/dot1p priorities assigned to a queue and apply the output policy to the interface, follow these steps.
1 Create a QoS output policy.
CONFIGURATION mode
Dell(conf)#qos-policy-output test12
The maximum is 32 alphanumeric characters.
2 Configure the percentage of bandwidth to allocate to the dot1p priority/queue traffic in the associated L2 class map.
When you configure ETS in a DCB map:
• The DCB map associates a priority group with a PFC operational mode (on or off) and an ETS scheduling and bandwidth allocation. You can apply a DCB map on multiple egress ports.
• Use the ETS configuration associated with 802.1p priority traffic in a DCB map in DCBx negotiation with ETS peers.
• Although ETS bandwidth allocation or strict-priority queuing does not support weighted random early detection (WRED), explicit congestion notification (ECN), rate shaping, and rate limiting because these parameters are not negotiated by DCBx with peer devices, you can apply a QoS output policy with WRED and/or rate shaping on a DCBx CIN-enabled interface.
Strict-priority groups: If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first. However, when three priority groups are used and two groups have strict-priority scheduling (such as groups 1 and 3 in the example), the strict priority group whose traffic is mapped to one queue takes precedence over the strict priority group whose traffic is mapped to two queues.
Prerequisite: For DCBx, enable LLDP on all DCB devices.
DCBx Operation
DCBx performs the following operations:
• Discovers DCB configuration (such as PFC and ETS) in a peer device.
• Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch. Mis-configuration detection is feature-specific because some DCB features support asymmetric configuration.
When an auto-downstream port receives and overwrites its configuration with internally propagated information, one of the following actions is taken:
Configuration source
• If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows:
• The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port.
• On auto-upstream and auto-downstream ports:
  • If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
• The port has performed a DCBx exchange with a DCBx peer.
• The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange.
A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports. Ports receiving auto-configuration information from the configuration source ignore their current settings and use the configuration source information.
is received, a syslog message is generated and the peer version is recorded in the peer status table. If the frame cannot be processed, it is discarded and the discard counter is incremented.
NOTE: Because DCBx TLV processing is best effort, it is possible that CIN frames may be processed when DCBx is configured to operate in CEE mode and vice versa. In this case, the unrecognized TLVs cause the unrecognized TLV counter to increment, but the frame is processed and is not discarded.
• The CIN version of DCBx supports only PFC, ETS, and FCoE; it does not support iSCSI, backward congestion management (BCN), logical link down (LLDF), and network interface virtualization (NIV).
Configuring DCBx
To configure DCBx, follow these steps. For DCBx, to advertise DCBx TLVs to peers, enable LLDP. For more information, refer to Link Layer Discovery Protocol (LLDP).
1 Configure ToR- and FCF-facing interfaces as auto-upstream ports.
2 Configure server-facing interfaces as auto-downstream ports.
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables the advertisement of ETS Configuration TLVs.
• ets-reco: enables the advertisement of ETS Recommend TLVs.
• pfc: enables the advertisement of PFC TLVs.
The default is that all PFC and ETS TLVs are advertised.
NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco.
• cee: configures a port to use CEE (Intel 1.01).
• cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
• ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4 Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role.
The default is 0x10.
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
Verifying the DCB Configuration
To display DCB configurations, use the following show commands.
Table 20. Displaying DCB Configurations
Command  Output
show qos dot1p-queue mapping  Displays the current 802.1p priority-queue mapping.
show dcb [stack-unit unit-number]  Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. The range is from 0 to 5.
Examples of the show Commands
The following example shows the show qos dot1p-queue-mapping command.
Dell(conf)# show qos dot1p-queue-mapping
Dot1p Priority: 0 1 2 3 4 5 6 7
Queue         : 0 0 0 1 2 3 3 3
Dell(conf)# show qos dot1p-queue-mapping
Dot1p Priority: 0 1 2 3 4 5 6 7
Queue         : 1 0 2 3 4 5 6 7
The following example shows the show dcb command.
Dell# show interfaces tengigabitethernet 1/4 pfc detail
Interface TenGigabitEthernet 1/4
Admin mode is on
Admin is enabled
Remote is enabled
Remote Willing Status is enabled
Local is enabled
Oper status is recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quanta
Application Priority TLV Parameters :
-------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCS
Fields  Description
  • Internally propagated: PFC configuration parameters were received from the configuration source.
PFC DCBx Oper status  Operational status for exchange of PFC configuration on local port: match (up) or mismatch (down).
State Machine Type  Type of state machine used for DCBx exchanges of PFC parameters:
  • Feature: for legacy DCBx versions
  • Symmetric: for an IEEE version
TLV Tx Status  Status of PFC TLV advertisements: enabled or disabled.
Te 1/1  P4  0  0  0
Te 1/1  P5  0  0  0
Te 1/1  P6  0  0  0
Te 1/1  P7  0  0  0
The following example shows the show interface ets summary command.
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS

Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS

Remote Parameters:
------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%
4                        0%
5                        0%
6                        0%
7                        0%
Table 22. show interface ets detail Command Description
Field  Description
Interface  Interface type with stack-unit and port number.
Maximum Supported TC Group  Maximum number of priority groups supported.
Number of Traffic Classes  Number of 802.1p priorities currently configured.
Admin mode  ETS mode: on or off.
Admin Parameters  ETS configuration on local port, including priority groups, assigned dot1p priorities, and bandwidth allocation.
The following example shows the show stack-unit all stack-ports all pfc details command.
The following example shows the show interface DCBx detail command (IEEE).
Sequence Number: 1
Acknowledgment Number: 1
Total DCBx Frames transmitted 994
Total DCBx Frames received 646
Total DCBx Frame errors 0
Total DCBx Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 23. show interface DCBx detail Command Description
Field  Description
Interface  Interface type with chassis slot and port number.
Port-Role  Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
Field  Description
Peer DCBx Status: DCBx Max Version Supported  Highest DCBx version supported in Control TLVs received from peer device.
Peer DCBx Status: Sequence Number  Sequence number transmitted in Control TLVs received from peer device.
Peer DCBx Status: Acknowledgment Number  Acknowledgement number transmitted in Control TLVs received from peer device.
Total DCBx Frames transmitted  Number of DCBx frames sent from local port.
• One lossless queue is used.
Figure 35. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame  Priority Group Assignment
1  LAN
2  LAN
3  SAN
4  IPC
5  LAN
6  LAN
7  LAN
The following describes the priority group-bandwidth assignment.
Priority Group  Bandwidth Assignment
IPC  5%
SAN  50%
LAN  45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
QoS dot1p Traffic Classification and Queue Assignment
The following section describes QoS dot1p traffic classification and assignments.
DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods:
Honor dot1p: You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
dot1p Value in the Incoming Frame  Egress Queue Assignment
0  2
1  0
2  1
3  3
4  4
5  5
6  6
7  7
Configuring the Dynamic Buffer Method
Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps:
1 Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces.
CONFIGURATION mode
dcb-buffer-threshold dcb-buffer-threshold
5 DCB-BUFFER-THRESHOLD mode
priority 0 buffer-size 52 pause-threshold 16 resume-offset 10 shared-threshold-weight 7
6 Assign the DCB policy to the DCB buffer threshold profile on stack ports.
CONFIGURATION mode
Dell(conf)# dcb-policy buffer-threshold stack-unit all stack-ports all dcb-policy-name
7 Assign the DCB policy to the DCB buffer threshold profile on interfaces. This setting takes precedence over the default buffer-threshold setting.
15 Dynamic Host Configuration Protocol (DHCP)
DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies that network administrators determine.
specify the parameters that they require, and the server sends only those parameters. Some common options are shown in the following illustration.
Figure 36. DHCP Packet Format
The following table lists common DHCP options.
Option  Number and Description
Subnet Mask  Option 1. Specifies the client's subnet mask.
Router  Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
  Clients use this option to tell the server which parameters it requires. It is a series of octets where each octet is a DHCP option code.
Renewal Time  Option 58. Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with the original server.
Rebinding Time  Option 59. Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with any server, if the original server does not respond.
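The options field the table above describes is a TLV list, and a relay or snooping device has to parse it before it can trust anything in it. The following parser is an added example, not code from the Dell guide; the option constants, the sample packets and the function names are my own constructions.

```python
# Added example (not code from the Dell guide): a parser for the DHCP options
# field, whose TLV layout the table above describes. Option codes, sample
# packets and the helper names are my own constructions.
import ipaddress
import struct

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER = 1, 3
OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST_LIST = 53, 55
OPT_RENEWAL_T1, OPT_REBINDING_T2 = 58, 59


def decode_option(code, value):
    """Decode one option value; unknown codes are kept as raw bytes."""
    if code == OPT_SUBNET_MASK:
        if len(value) != 4:
            raise ValueError("subnet mask must be 4 bytes")
        return str(ipaddress.IPv4Address(value))
    if code == OPT_ROUTER:
        if not value or len(value) % 4:
            raise ValueError("router option must hold whole IPv4 addresses")
        return [str(ipaddress.IPv4Address(value[i:i + 4]))
                for i in range(0, len(value), 4)]
    if code == OPT_PARAM_REQUEST_LIST:
        return list(value)                     # one option code per octet
    if code in (OPT_RENEWAL_T1, OPT_REBINDING_T2):
        if len(value) != 4:
            raise ValueError("timer option must be 4 bytes")
        return struct.unpack("!I", value)[0]   # seconds, big-endian
    if code == OPT_MESSAGE_TYPE:
        if len(value) != 1:
            raise ValueError("message type must be 1 byte")
        return value[0]
    return bytes(value)


def parse_dhcp_options(options):
    """Walk the TLV list and return {code: decoded value}.
    A truncated option or a missing End option raises ValueError so a
    malformed packet is rejected instead of being partially trusted."""
    result = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:                    # single-byte padding, no length
            i += 1
            continue
        if code == OPT_END:
            return result
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        result[code] = decode_option(code, value)
        i += 2 + length
    raise ValueError("options field has no End option")


# Constructed samples: a client DHCPREQUEST asking for options 1, 3 and 6,
# and a server DHCPACK carrying mask, two routers and the T1/T2 timers.
CLIENT_REQUEST_OPTIONS = bytes([53, 1, 3, 55, 3, 1, 3, 6, 255])
SERVER_ACK_OPTIONS = (bytes([53, 1, 5])
                      + bytes([1, 4, 255, 255, 255, 0])
                      + bytes([3, 8, 10, 11, 0, 1, 10, 11, 0, 2])
                      + bytes([58, 4]) + struct.pack("!I", 3600)
                      + bytes([59, 4]) + struct.pack("!I", 6300)
                      + bytes([0, 255]))
TRUNCATED_OPTIONS = bytes([1, 4, 255, 255])   # claims 4 bytes, carries 2
```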
DHCPNAK  A server sends this message to the client if it is not able to fulfill a DHCPREQUEST; for example, if the requested address is already in use. In this case, the client starts the configuration process over by sending a DHCPDISCOVER.
Figure 37. Client and Server Messaging
Implementation Information
The following describes DHCP implementation.
• Dell Networking implements DHCP based on RFC 2131 and RFC 3046.
NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need.
• prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31.
4 Display the current pool configuration.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address. Dell Networking OS performs an IP + MAC source address validation to ensure that no client can release another client's address.
Enabling the DHCP Server
To set up the DHCP Server, you must first enable it. The DHCP server is disabled by default.
1 Enter the DHCP command-line context.
CONFIGURATION mode
ip dhcp server
2 Enable DHCP server.
DHCP mode
no disable
The default is Disabled.
3 Display the current DHCP configuration.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1 Create a domain.
DHCP mode
domain-name name
2 Specify in order of preference the DNS servers that are available to a DHCP client.
DHCP mode
host address
3 Specify the client hardware address.
DHCP mode
hardware-address hardware-address type
• hardware-address: the client MAC address.
• type: the protocol of the hardware platform. The default protocol is Ethernet.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
• Display debug information for DHCP server.
Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.
NOTE: DHCP Relay is not available on Layer 2 interfaces and VLANs.
Figure 39. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Example of the show ip interface Command
Dell#show ip int tengig 1/3
TenGigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent
Configure the System for User Port Stacking
When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when you connect the units.
Configure Secure DHCP
DHCP as defined by RFC 2131 provides no authentication or security mechanisms.
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
DHCP Snooping
DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.
ip dhcp snooping vlan
Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
• Add a static entry in the binding table.
EXEC Privilege mode
ip dhcp snooping binding mac
Clearing the Binding Table
To clear the binding table, use the following command.
• Delete all of the entries in the binding table.
Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease in size.
MAC flooding  An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which traffic from the gateway is broadcast.
Denial of service  An attacker can send a fraudulent ARP message to a client to associate a false MAC address with the gateway address, which would blackhole all internet-bound packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow.
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Dell#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
---------------------------------------
Valid ARP Requests   : 0
Valid ARP Replies    : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies  : 0
Dell#
Bypassing the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multiswitch environments.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the system verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs to the permissible VLAN.
EXEC Privilege mode
copy running-config startup-config
3 Reload the system.
EXEC Privilege mode
reload
4 Do one of the following.
• Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
• Enable IP+MAC SAV with VLAN option.
INTERFACE mode
ip dhcp source-address-validation ipmac vlan vlan-id
Dell Networking OS creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
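The DHCP snooping, dynamic ARP inspection and IP+MAC source address validation sections above all rest on one structure, the binding table. The model below is an added example, not Dell Networking OS code: it builds the table from snooped DHCP messages on trusted and untrusted ports and then runs the DAI and SAV checks against it. Port names, MAC and IP addresses are constructed sample values.

```python
# Added example, not code from the Dell guide: a software model of the DHCP
# snooping binding table and the two checks the guide builds on it, dynamic ARP
# inspection (DAI) and IP+MAC source address validation (SAV). Port names and
# addresses below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Ports are trusted or untrusted; server-side DHCP messages and ARP
    packets are accepted unchecked only from trusted ports."""

    SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # (mac, vlan) -> Binding
        self.pending = {}       # (mac, vlan) -> client port awaiting an ACK
        self.stats = {"dhcp_dropped": 0, "arp_valid": 0, "arp_invalid": 0,
                      "sav_dropped": 0}

    def snoop_dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Returns True if the message is forwarded, False if dropped."""
        key = (client_mac, vlan)
        if msg_type in self.SERVER_MSGS:
            if port not in self.trusted:     # a server answering on an access port
                self.stats["dhcp_dropped"] += 1
                return False
            if msg_type == "DHCPACK" and key in self.pending:
                client_port = self.pending.pop(key)
                self.bindings[key] = Binding(client_mac, yiaddr, vlan, client_port)
            return True
        if msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = port         # remember where the client sits
            return True
        if msg_type == "DHCPRELEASE":
            b = self.bindings.get(key)
            # Only the client holding the lease (same MAC, same port) may release it.
            if b is None or b.port != port:
                self.stats["dhcp_dropped"] += 1
                return False
            del self.bindings[key]
            return True
        return True

    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender pair must match a binding on that
        port; trusted ports bypass inspection."""
        if port in self.trusted:
            return True
        b = self.bindings.get((sender_mac, vlan))
        ok = b is not None and b.ip == sender_ip and b.port == port
        self.stats["arp_valid" if ok else "arp_invalid"] += 1
        return ok

    def validate_source(self, port, vlan, src_mac, src_ip, check_vlan=False):
        """IP+MAC SAV: the (IP, MAC) pair must be bound to the ingress port;
        with check_vlan (the 'vlan' option) the binding's VLAN must match too."""
        for b in self.bindings.values():
            if b.mac == src_mac and b.ip == src_ip and b.port == port:
                if not check_vlan or b.vlan == vlan:
                    return True
        self.stats["sav_dropped"] += 1
        return False


def run_scenario():
    """Constructed scenario: Te 1/1 faces the DHCP server, Te 1/2 and Te 1/3
    are untrusted access ports."""
    sw = SnoopingSwitch(trusted_ports={"Te 1/1"})
    client, other = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    # Legitimate lease: client on Te 1/2 asks, server on Te 1/1 acknowledges.
    sw.snoop_dhcp("Te 1/2", 10, "DHCPDISCOVER", client)
    sw.snoop_dhcp("Te 1/1", 10, "DHCPOFFER", client, "10.11.0.50")
    sw.snoop_dhcp("Te 1/2", 10, "DHCPREQUEST", client)
    sw.snoop_dhcp("Te 1/1", 10, "DHCPACK", client, "10.11.0.50")
    results = {
        # a DHCPOFFER arriving on an untrusted port is dropped
        "offer_on_access_port": sw.snoop_dhcp("Te 1/3", 10, "DHCPOFFER", other, "10.11.0.99"),
        "client_arp": sw.inspect_arp("Te 1/2", 10, client, "10.11.0.50"),
        # an ARP claiming the gateway address without a binding is invalid
        "gateway_claim_arp": sw.inspect_arp("Te 1/3", 10, other, "10.11.0.1"),
        "client_ip": sw.validate_source("Te 1/2", 10, client, "10.11.0.50", check_vlan=True),
        "borrowed_ip": sw.validate_source("Te 1/3", 10, other, "10.11.0.50"),
        "wrong_vlan": sw.validate_source("Te 1/2", 20, client, "10.11.0.50", check_vlan=True),
        # a release for the client's lease from another port is refused
        "foreign_release": sw.snoop_dhcp("Te 1/3", 10, "DHCPRELEASE", client),
    }
    return sw, results
```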
Clearing the Number of SAV Dropped Packets
To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discard-counters command.
Dell>clear ip dhcp snooping source-address-validation discard-counters
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
16 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) is supported on Dell Networking OS.
ECMP for Flow-Based Affinity
IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a host entry and finds its place in the host table.
NOTE: Using XOR algorithms results in imbalanced loads across an ECMP/LAG when the number of members in said ECMP/LAG is a multiple of 4.
NOTE: Packet loss might occur when you enable ip/ipv6 ecmp-deterministic for the first time only.
• Enable IPv4 Deterministic ECMP next hop.
CONFIGURATION mode
ip ecmp-deterministic
• Enable IPv6 Deterministic ECMP next hop.
CONFIGURATION mode
ipv6 ecmp-deterministic
Configuring the Hash Algorithm Seed
Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order.
is generated, for example:
Link bundle monitoring percent threshold
%STKUNIT0-M:CP %IFMGR-5-BUNDLE_UNEVEN_DISTRIBUTION: Found uneven distribution in LAG bundle 11..
The link bundle utilization is calculated as the total bandwidth of all links divided by the total bytes-per-second of all links. Within each ECMP group, interfaces can be specified. If monitoring is enabled for the ECMP group, the utilization calculation is performed when the utilization of the link-bundle (not a link within a bundle) exceeds 60%.
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link-bundle (as opposed to a single link within the bundle) exceeds 60%.
1 Create a user-defined ECMP group bundle.
CONFIGURATION mode
ecmp-group ecmp-group-id
The range is from 1 to 64.
2 Add interfaces to the ECMP group bundle.
Viewing an ECMP Group
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring.
17 Fabric Services
The following example shows how fabric services operate.
Figure 40.
• Maximum unique members allowed in an alias: 2,000
• Maximum NPIV devices supported per physical port: 64
Topics:
• Configuring Switch Mode to Fabric Services
• Name Server
• Link State Database
• Zoning
Configuring Switch Mode to Fabric Services
To configure switch mode to Fabric services, use the following commands.
1 Configure Switch mode to Fabric Services.
Name Server
Each participant in the FC environment has a unique ID, which is called the World Wide Name (WWN). This WWN is a 64-bit address. A Fibre Channel fabric uses another addressing scheme to address the ports in the switched fabric. Each port in the switched fabric is assigned a 24-bit address by the FC switch.
Link State Database
The collection of neighbor, connected ports, and cost of all the switches in a Fabric constitutes the link-state database (LSDB).
Record Headings  Description
SwitchName  WWN of a switch on the fabric.
PortOut  Port number on the local switch that would be used to route a frame to the named switch.
Hops  The number of links between the local switch and the named switch.
Cost  The overall link cost (in time) between the local switch and the named switch.
Route Table
To view the established routes between server and target ports, use the show fc route command.
Zoning
The zoning configurations are supported for Fabric Services operation on the S5000. In Fabric Services, the fcoe-map default_full_fabric has the default Zone mode set to deny. This setting denies all the fabric connections unless included in an active zoneset. To change this setting, use the default-zone-allow command.
Creating Zone Alias and Adding Members
To create a zone alias and add devices to the alias, follow these steps.
1 Create a zone alias name.
CONFIGURATION mode
fc alias ZoneAliasName
2 Add devices to an alias.
ALIAS CONFIGURATION mode
member word
The member can be WWPN (00:00:00:00:00:00:00:00), port ID (000000), or alias name (word).
Activating a Zoneset
Activating a zoneset makes the zones within it effective. On a switch, only one zoneset can be active. Any changes in an activated zoneset do not take effect until it is re-activated. By default, the fcoe-map default_full_fabric does not have any active zonesets.
1 Change to the default zone behavior.
no active-zoneset zoneset_name
2 View the active zoneset.
show fc zoneset active
Zone Merge (within ISL)
When two switches are connected through E-port, the active zonesets are merged.
principal-priority
For example:
Dell(conf-fmap-default_full_fabric-fcfabric)# principal-priority 254
5 Configure the error detect timeout value.
E-D-TOV
For example:
Dell(conf-fmap-default_full_fabric-fcfabric)# e-d-TOV 2000
This is the basic error timeout used for all Fibre Channel error detection. The default is 2000 milliseconds.
6 Configure the resource allocation timeout value.
Command  Description
show fc ns switch brief  Displays all the devices in the name server database of the switch (brief version).
show fc ns fabric  Displays all the devices in the name server database of the fabric.
show fc ns fabric brief  Displays all the devices in the name server database of the fabric (brief version).
show fc route  Displays the route table.
show fc zoneset  Displays the zoneset.
show fc zoneset active  Displays the active zoneset.
show fc zoneset merged  Displays the merged active zones.
Default Zone Mode: Allow
Active Zoneset: zs1
=======================================================
Members
Fc 0/0
Fc 0/1
Fc 0/2
Fc 0/3
Fc 0/4
Fc 0/5
Fc 0/6
Fc 0/7
Fc 0/8
Fc 0/9
Fc 0/10
Fc 0/11
=======================================================
=======================================================
Dell#
Example of the show fc fabric Command
Dell#show fc fabric
Number of FC Switches = 2
Domain Id  Switch WWN               Switch Name  Mgmt IP addr
1*         10:00:5c:f9:dd:ef:0a:00  Sonoma       127.10.11.
2
Dell#
LinkCost
250
NeighborID  LocalPort  RemotePort  LinkCost
2           3          3           125
Dell#
Example of the show fc ns switch Command
Dell#show fc ns switch
Total number of devices = 1
Switch Name         10:00:5c:f9:dd:ef:0a:00
Domain Id           1
Switch Port         53
Port Id             01:35:00
Port Name           10:00:8c:7c:ff:17:f8:01
Node Name           20:00:8c:7c:ff:17:f8:01
Class of Service    8
Symbolic Port Name  Brocade-1860 | 3.0.3.
Example of the show fc ns fabric brief Command
Dell#show fc ns fabric brief
Total number of devices = 2
Intf#    Domain  FC-ID     Enode-WWPN               Enode-WWNN
Fc 0/3   2       02:09:00  32:11:0e:fc:00:00:00:88  22:11:0e:fc:00:00:00:88
Te 0/13  2       02:0b:00  31:11:0e:fc:00:00:00:77  21:11:0e:fc:00:00:00:77
Dell#
Example of the show fc route Command
Dell#show fc route
Domain Id 2
===================================================
Source   FCF-Bridge               Destination
===================================================
Te 0/18  5c:f9:dd:ef:1e:03
Example of the show fc alias Command
Dell#show fc alias
No Zone Aliases configured
Dell#
Example of the show fc switch Command
Dell#show fc switch
Switch Mode : Fabric-Services
Switch WWN  : 10:00:5c:f9:dd:ef:0a:00
Dell#
Example of the show fc topology Command
Dell#show fc topology
Port    Port  Local                    Remote                   FCID/      Remote
Number  Type  PortWWN                  NodeWWN                  Domain ID  PortWWN
______  ____  _______                  _______                  _________  _______
Fc 0/0  F     20:00:5c:f9:dd:ef:24:40  22:11:0e:fc:00:00:00:66  02:00:00   32:11:0e:fc:00:00:00:66
Fabric Se
18 FCoE Transit

The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the S5000 switch on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.

NOTE: FIP snooping is not supported on Fibre Channel interfaces, in an S5000 switch stack, or on links between VLT peer switches.
To give FCoE in an Ethernet cloud network robustness and security comparable to native Fibre Channel, FIP establishes virtual point-to-point links between FCoE end devices (server ENodes and target storage devices) and FCoE forwarders (FCFs) across transit FCoE-enabled bridges. Ethernet bridges commonly provide ACLs that can emulate a point-to-point link by enforcing that only traffic belonging to an established virtual link is forwarded, which is what gives the path Fibre Channel-level robustness.
NOTE: When you deploy multiple FCFs, a downstream Intel Ethernet CNA X520 may transmit FIP and FCoE traffic only on the last VLAN ID that it received through FIP VLAN discovery.

Figure 41. FIP Discovery and Login Between an ENode and an FCF

FIP Snooping on Ethernet Bridges

In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF.
Enable FIP snooping on the S5000 switch, configure the FIP snooping parameters, and configure CAM allocation for FCoE. When you enable FIP snooping, all ports on the switch become ENode ports by default. Dynamic ACL generation on a switch operating as a FIP snooping bridge works as follows:

Port-based ACLs: These ACLs are applied in all three port modes: on ports directly connected to an FCF, on server-facing ENode ports, and on bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
operates as a lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the FCF switch.

Figure 42. FIP Snooping on an S5000 Switch

The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Allocate CAM resources for FCoE.
• Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
• To provide more port security on ports that are directly connected to an FCF or have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge port modes.
• To ensure that they are operationally active, check FIP snooping-enabled VLANs.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
When you enable FCoE transit, the switch snoops FIP packets on VLANs enabled for FIP snooping and allows legitimate sessions. FCoE and FIP packets are dropped on VLANs disabled for FIP snooping. When you disable FCoE transit, the S5000 operates as a pure Layer 2 switch that switches FCoE and FIP packets. As soon as you enable the FCoE transit feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied.
• You can configure multiple FCF-trusted interfaces in a VLAN.
• When you disable FIP snooping:
  • ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed.
  • The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature.
• To support FIP snooping and set the CAM ACL allocation, use the cam-acl l2acl 4 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 fcoeacl 2 command.
Enable FIP Snooping on VLANs

You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN. When you enable FIP snooping on VLANs:
• FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs.
• FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
Configure a Port for a Bridge-to-FCF Link

If a port is directly connected to an FCF, configure the port mode as FCF. Initially, all FCoE traffic is blocked; only FIP frames are allowed to pass. FCoE traffic is allowed on the port only after a successful fabric login (FLOGI) request/response and confirmed use of the configured FC-MAP value for the VLAN.

NOTE: FCoE-Trusted Port mode, used to connect to another FIP snooping bridge (bridge-to-bridge link), is not supported on the S5000 switch.
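The enforcement rule that the preceding sections describe (FIP always passes on a snooping-enabled VLAN and is parsed to learn sessions; FCoE passes only for a logged-in VN_Port whose MAC is the FC-MAP followed by the FCF-assigned FC-ID; FIP and FCoE are dropped on VLANs without snooping) is small enough to model end to end. The following Python is an added example, not Dell Networking OS code: the class and method names are this example's own, the FCF MAC, VLAN and port-channel mirror the show fip-snooping fcf output shown later in this chapter, and the ENode MAC and interface names are made up.

```python
"""FIP snooping bridge enforcement model.

Added example (not Dell Networking OS code). It models the rule this section
states: on a VLAN with FIP snooping enabled, FIP frames always pass and are
parsed to learn sessions, while an FCoE frame passes only for a VN_Port that
completed FLOGI/FDISC and only when the frame's source MAC is the FPMA the FCF
assigned, that is, the VLAN's FC-MAP (24 bits) followed by the FC-ID (24 bits).
On a VLAN without FIP snooping, FIP and FCoE are dropped. Class and method
names are this example's own; the FCF MAC, VLAN and port-channel mirror the
show fip-snooping fcf output later in this chapter, the ENode MAC is made up.
"""
from dataclasses import dataclass, field

ETH_P_FIP = 0x8914   # FIP (FCoE Initialization Protocol) Ethertype
ETH_P_FCOE = 0x8906  # FCoE Ethertype
FC_MAP_MIN, FC_MAP_MAX = 0x0EFC00, 0x0EFCFF  # valid FC-MAP range per the guide


def fpma(fc_map: int, fc_id: int) -> str:
    """Fabric-Provided MAC Address: FC-MAP in the upper 24 bits, FC-ID in the lower 24."""
    if not FC_MAP_MIN <= fc_map <= FC_MAP_MAX:
        raise ValueError(f"FC-MAP {fc_map:06x} outside 0EFC00-0EFCFF")
    if not 0 <= fc_id <= 0xFFFFFF:
        raise ValueError("FC-ID must be a 24-bit value")
    raw = (fc_map << 24) | fc_id
    return ":".join(f"{(raw >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


@dataclass(frozen=True)
class Frame:
    ethertype: int
    vlan: int
    src_mac: str
    dst_mac: str
    ingress: str  # interface the frame arrived on, e.g. "Te 0/11"


@dataclass
class Session:
    enode_mac: str
    enode_intf: str
    fcf_mac: str
    vlan: int
    fc_id: int


@dataclass
class FipSnoopingBridge:
    fc_map: int = 0x0EFC00
    snooping_vlans: set = field(default_factory=set)
    fcf_ports: set = field(default_factory=set)   # ports configured in FCF port mode
    sessions: dict = field(default_factory=dict)  # (vlan, fpma) -> Session

    def flogi_accept(self, enode_mac, enode_intf, fcf_mac, vlan, fc_id):
        """Record the session a snooped FLOGI/FDISC accept creates; returns the VN_Port FPMA."""
        if vlan not in self.snooping_vlans:
            return None  # frames on this VLAN are not parsed, so no session is learned
        vn_mac = fpma(self.fc_map, fc_id)
        self.sessions[(vlan, vn_mac)] = Session(enode_mac.lower(), enode_intf, fcf_mac.lower(), vlan, fc_id)
        return vn_mac

    def logout(self, vlan, fc_id):
        """FLOGO or clear-virtual-link: the dynamic ACL for the session is withdrawn."""
        self.sessions.pop((vlan, fpma(self.fc_map, fc_id)), None)

    def permit(self, f: Frame) -> bool:
        """Forwarding decision the dynamically generated ACLs implement."""
        if f.vlan not in self.snooping_vlans:
            return f.ethertype not in (ETH_P_FIP, ETH_P_FCOE)  # non-FCoE traffic is unaffected
        if f.ethertype == ETH_P_FIP:
            return True  # FIP is always allowed (and parsed) on snooping VLANs
        if f.ethertype != ETH_P_FCOE:
            return True  # ordinary Ethernet is outside FIP snooping's scope
        if f.ingress in self.fcf_ports:
            # FCF -> ENode direction: destination must be a live FPMA and the source its FCF
            s = self.sessions.get((f.vlan, f.dst_mac.lower()))
            return s is not None and s.fcf_mac == f.src_mac.lower()
        # ENode -> FCF direction: source must be a live FPMA learned on this very port, destination its FCF
        s = self.sessions.get((f.vlan, f.src_mac.lower()))
        return s is not None and s.enode_intf == f.ingress and s.fcf_mac == f.dst_mac.lower()


if __name__ == "__main__":
    bridge = FipSnoopingBridge(snooping_vlans={100}, fcf_ports={"Po 22"})
    vn = bridge.flogi_accept("00:10:18:aa:bb:cc", "Te 0/11", "54:7f:ee:37:34:40", 100, 0x010004)
    print("VN_Port FPMA:", vn)  # 0e:fc:00:01:00:04 (FC-MAP 0e:fc:00 + FC-ID 01:00:04)
    for label, frame in [
        ("logged-in VN_Port", Frame(ETH_P_FCOE, 100, vn, "54:7f:ee:37:34:40", "Te 0/11")),
        ("spoofed FPMA, no session", Frame(ETH_P_FCOE, 100, "0e:fc:00:01:00:05", "54:7f:ee:37:34:40", "Te 0/11")),
        ("valid FPMA from wrong port", Frame(ETH_P_FCOE, 100, vn, "54:7f:ee:37:34:40", "Te 0/12")),
    ]:
        print(f"{label}: {'permit' if bridge.permit(frame) else 'drop'}")
```

The two denied cases are the ones the ACLs exist for: an FCoE frame whose source MAC was never assigned by the FCF, and a legitimately assigned FPMA that turns up on a different server-facing port. Both are dropped without any FC-level processing, which is the Ethernet-side substitute for the physical point-to-point link native Fibre Channel relies on.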
FIP Snooping on an NPIV Proxy Gateway When you configure an S5000 as an NPIV proxy gateway and enable Fibre Channel capability, FIP snooping is automatically enabled on all VLANs using the default FIP snooping settings. To identify the SAN fabric to which FCoE storage traffic is sent, use an FCoE map.
Impact Description FIP snooping in ENode or FCF mode, the ENode/FCF MAC-based ACLs are deleted.

FIP Snooping Restrictions

The following restrictions apply when you configure FIP snooping.
• The maximum number of FCoE VLANs supported:
  • on an S5000 NPIV proxy gateway is 12.
  • on an S5000 switch not configured as an NPIV proxy gateway is eight.
• The maximum number of FCFs supported on a FIP snooping-enabled VLAN:
  • on an S5000 NPIV proxy gateway is 12.
CONFIGURATION mode or VLAN INTERFACE mode
fip-snooping enable
The default for FIP snooping is disabled on all VLANs.

3 Configure the FC-MAP value that FIP snooping uses to validate the FCoE MAC addresses (FPMAs) of ENode sessions on all VLANs. The FPMA is the FC-MAP followed by the FC-ID the FCF assigns.
CONFIGURATION mode or VLAN INTERFACE mode
fip-snooping fc-map fc-map-value
The valid values are from 0EFC00 to 0EFCFF. The default is 0x0EFC00.

4 Configure the maximum number of FIP-snooping sessions supported on the switch for an ENode MAC address.
Command / Output
(continued) session ID number (FC-ID), worldwide node name (WWNN) and worldwide port name (WWPN).

Command: show fip-snooping config
Output: Displays the FIP snooping status and configured FC-MAP values.

Command: show fip-snooping enode [enode-mac-address]
Output: Displays information on the ENodes in FIP-snooped sessions, including the ENode interface and MAC address, FCF MAC address, VLAN ID and FC-ID.
0e:fc:00:01:00:04  01:00:04  41:00:0e:fc:00:00:00:02  21:00:0e:fc:00:00:00:00
0e:fc:00:01:00:05  01:00:05  41:00:0e:fc:00:00:00:03  21:00:0e:fc:00:00:00:00

The following table describes the show fip-snooping sessions command fields.

Table 30. show fip-snooping sessions Command Description

Field: ENode MAC
Description: MAC address of the ENode.

Field: ENode Interface
Description: Slot/port number of the interface connected to the ENode.

Field: FCF MAC
Description: MAC address of the FCF.
Field: VLAN
Description: VLAN ID number the session uses.

Field: FC-ID
Description: Fibre Channel session ID the FCF assigns.

The following example shows the show fip-snooping fcf command.

Dell# show fip-snooping fcf
FCF MAC            FCF Interface  VLAN  FC-MAP    FKA_ADV_PERIOD  No. of Enodes
-----------------  -------------  ----  --------  --------------  -------------
54:7f:ee:37:34:40  Po 22          100   0e:fc:00  4000            2

The following table describes the show fip-snooping fcf command fields.

Table 32.
Dell(conf)#

Dell# show fip-snooping statistics int tengigabitethernet 0/11
Number of Vlan Requests                     :1
Number of Vlan Notifications                :0
Number of Multicast Discovery Solicits      :1
Number of Unicast Discovery Solicits        :0
Number of FLOGI                             :1
Number of FDISC                             :16
Number of FLOGO                             :0
Number of Enode Keep Alive                  :4416
Number of VN Port Keep Alive                :3136
Number of Multicast Discovery Advertisement :0
Number of Unicast Discovery Advertisement   :0
Number of FLOGI Accepts                     :0
Number of FLOGI Rejects                     :0
Number of FDISC Accepts
Field: Number of Multicast Discovery Solicits
Description: Number of FIP-snooped multicast discovery solicit frames received on the interface.

Field: Number of Unicast Discovery Solicits
Description: Number of FIP-snooped unicast discovery solicit frames received on the interface.

Field: Number of FLOGI
Description: Number of FIP-snooped FLOGI request frames received on the interface.

Field: Number of FDISC
Description: Number of FIP-snooped FDISC request frames received on the interface.
The following example shows the show fip-snooping system command.

Dell# show fip-snooping system
Global Mode                  : Enabled
FCOE VLAN List (Operational) : 1, 100
FCFs                         : 1
Enodes                       : 2
Sessions                     : 17

The following example shows the show fip-snooping vlan command.
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch. On the FIP snooping bridge, DCBx is configured as follows: • A server-facing port is configured for DCBx in an auto-downstream role. • An FCF-facing port is configured for DCBx in an auto-upstream or configuration-source role. The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC configuration on both ports is synchronized.
19 FIPS Cryptography

Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a nonregulatory agency of the US Department of Commerce. FIPS mode is also validated on numerous platforms against the FIPS 140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Preparing the System

Before you enable FIPS mode, Dell Networking recommends making the following changes to your system.
1 Disable the Telnet server (only use secure shell [SSH] to access the system).
2 Disable the FTP server (only use secure copy [SCP] to transfer files to and from the system).
3 Attach a secure, standalone host to the console port for the FIPS configuration to use.

Enabling FIPS Mode

To enable or disable FIPS mode, use the console port.
Generating Host-Keys

The following describes host-key generation. When you enable or disable FIPS mode, the system deletes the current public/private host-key pair, terminates any SSH sessions that are in progress (deleting all the per-session encryption key information), enables and tests FIPS mode, generates new host-keys, and re-enables the SSH server (assuming it was enabled before enabling FIPS). Because the host-key pair changes, SSH clients that pinned the old key (for example, in an OpenSSH known_hosts file) report a host-key mismatch on their next connection; record the new key's fingerprint over the console session and update those clients from that record rather than accepting the new key blindly.
CONFIGURATION mode no fips mode enable The following Warning message displays: WARNING: Disabling FIPS mode will close all SSH/Telnet connections, restart those servers, and destroy all configured host keys.
20 Fibre Channel Interface

The S5000 functions as a converged enhanced Ethernet (CEE) switch that supports both LAN and storage area network (SAN) traffic using the Fibre Channel protocol. To access a SAN fabric, use a Fibre Channel (FC) module installed in the S5000. S5000 FC ports operate at 2G, 4G, and 8G speed. By default, FC ports have autosensing speed enabled to use or negotiate port speed with a peer SAN switch.
CONFIGURATION mode
feature fc

Configuring Fibre Channel Interfaces

To configure a Fibre Channel interface, follow these steps.
1 Configure an FC interface.
CONFIGURATION mode
interface fibrechannel slot/port
The range of the slot (stack-unit) numbers is from 0 to 11. The range of the port numbers is from 0 to 47.
NOTE: You can install an FC module only in expansion slot 0.
2 Configure the speed of an FC port.
Command: show running-config | grep feature
Description: Displays the currently running configuration for the feature.

Command: show running-config | grep feature
Description: Displays the currently running configuration for the switch-mode.

Example of the show interfaces fibrechannel Command

Dell#show interfaces fibrechannel 0/0
FibreChannel 0/0 is up, FC link is down
Non-qualified pluggable media present, SFP+ type is FC-8GBPS-SR
Wavelength is 850nm
SFP+ receive power reading is -3.
Field: Port type, Max BB credits
Description: The FC port type is fixed at N (node port) in NPG mode and is set automatically to F (fabric port) or E (expansion port, used for inter-switch links) in Fabric Services mode. The maximum number of buffer-to-buffer (BB) credits available is fixed at 16.
Field: RxOfflineSequences
Description: Number of offline sequences received.

Field: TxOfflineSequences
Description: Number of offline sequences transmitted.

Field: TotalOfflineSequences
Description: Total number of offline sequences.

Field: Rate Information: Input bytes/sec, frames/sec, % of line-rate
Description: Incoming rate of FC traffic in bytes per second, frames per second, and percentage of the total line rate.
Command: create fcdump-support
Description: Gathers information about the Fibre Channel operation and stores the FC dump file in flash/CORE_DUMP_DIR. Generates Syslog messages at the start and end of the FC dump file creation.

Command: change fctrace-level number
Description: Use for debugging purposes. Changes the FC trace level used to record FC information in the FC trace file. The range is from 0 to 4, where:
• 0 = Turns FC traces off.
• 1 = Records FC error messages.
• 2 = Records FC warning messages.
18:32:48.168 O> 0192 525f5252 44594661 506f7274 2e302e34 R_RRDYFailures;Oper.UserPort.0.4 18:32:48.168 O> 0224 2e466c6f 77457272 742e302e 342e5368 .FlowErrors;Oper.UserPort.0.4.Sh 18:32:48.168 O> 0256 6f727446 72616d65 742e302e 342e4c6f ortFramesIn;Oper.UserPort.0.4.Lo 18:32:48.168 O> 0288 6e674672 616d6573 2e302e34 2e433634 ngFramesIn;Oper.UserPort.0.4.
Examples of Configuring the Fibre Channel Port Group The following example shows the stack-unit port-group portmode ethernet command. Dell(conf)#stack-unit 0 port-group 0 portmode ethernet Changing port mode on slot 0 port-group 0 will make interface configs of 0 and 1 obsolete after a save and reload. [confirm yes/no]:yes Please save and reload for the changes to take effect. Dell(conf)# The following example shows the no stack-unit port-group portmode ethernet command.
21 Force10 Resilient Ring Protocol (FRRP)

Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), but STP can take up to 50 seconds to converge (depending on the size of the network and the location of the failed node), and even with optimizations it may require four to five seconds to reconverge.
noncontrol traffic belonging to this FRRP group, thereby avoiding a loop in the ring, like STP. Layer 2 switching and learning mechanisms operate per existing standards on this ring. Each Transit node is also configured with a Primary port and a Secondary port on the ring, but the port distinction is ignored as long as the node is configured as a Transit node.
transmitted and received through it. Refer to the following illustration for a simple example of this FRRP topology. The Master node’s Primary and Secondary ports determine ring direction. Figure 44.
A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
the control frame instructing it to flush its MAC (Layer 2 forwarding) table, it does so and unblocks the previously blocked ring port that has just been restored. Then the Transit node returns to the Normal state.

Multiple FRRP Rings

Up to 255 rings are allowed per system, and multiple rings can run on one system. More than the recommended number of rings may cause interface instability.
FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202. Figure 45. Example of Multiple Rings Connected by a Single Switch Important FRRP Points FRRP provides a convergence time that can generally range between 150 ms and 1500 ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring.
• One Master node per ring — all other nodes are Transit. • Each node has two member interfaces — primary and secondary. • There is no limit to the number of nodes on a ring. • Master node ring port states — blocking, preforwarding, forwarding, and disabled. • Transit node ring port states — blocking, preforwarding, forwarding, and disabled. • STP disabled on ring interfaces. • Master node secondary port is in blocking state during Normal operation.
Concept: Ring Protocol Timers
Explanation:
• Hello Interval: the interval at which ring frames are generated from the Master node's Primary interface (default 500 ms). The Hello interval is configurable in 50 ms increments from 50 ms to 2000 ms.
• Dead Interval: the interval during which data traffic is blocked on a port. The default is three times the Hello interval. The Dead interval is configurable in 50 ms increments from 50 ms to 6000 ms.

Concept: Ring Status
Explanation: The state of the FRRP ring.
FRRP Configuration

These are the tasks to configure FRRP.
• Creating the FRRP Group
• Configuring the Control VLAN
• Configuring and Adding the Member VLANs
• Configure Primary and Secondary ports

Other FRRP related commands are:
• Clearing the FRRP Counters

Creating the FRRP Group

Create the FRRP group on each switch in the ring. To create the FRRP group, use the following command.
• Create the FRRP group with this Ring ID.
To create the control VLAN for this FRRP group, use the following commands on the switch that is to act as the Master node.

1 Create a VLAN with this ID number.
CONFIGURATION mode
interface vlan vlan-id
The VLAN ID range is from 1 to 4094.

2 Tag the specified interface or range of interfaces to this VLAN.
CONFIG-INT-VLAN mode
tagged interface slot/port {range}
Interface:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Configuring and Adding the Member VLANs

Control and member VLANs are configured normally for Layer 2. Their status as Control or Member is determined by the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
5 Identify the Member VLANs for this FRRP group.
CONFIG-FRRP mode
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.

6 Enable this FRRP group on this switch.
CONFIG-FRRP mode
no disable

Setting the FRRP Timers

To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time to three times the Hello-Interval time.
• Enter the desired intervals for Hello-Interval or Dead-Interval times.
CONFIG-FRRP mode
show configuration

Viewing the FRRP Information

To view general FRRP information, use one of the following commands.
• Show the information for the identified FRRP group.
EXEC or EXEC Privilege mode
show frrp ring-id
The ring ID range is from 1 to 255.
• Show the state of all FRRP groups.
EXEC or EXEC Privilege mode
show frrp summary
The ring ID range is from 1 to 255.

Troubleshooting FRRP

To troubleshoot FRRP, use the following information.
Sample Configuration and Topology The following example shows a basic FRRP topology. Figure 46.
 no shutdown
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable

Example of R3 TRANSIT

interface GigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 3/21
 no ip
22 GARP VLAN Registration Protocol (GVRP)

A typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides automatic VLAN configuration of switches. GARP VLAN registration protocol (GVRP)-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
• Enabling GVRP Globally • Enabling GVRP on a Layer 2 Interface • Configure GVRP Registration • Configure a GARP Timer Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged.
1 Enabling GVRP Globally 2 Enabling GVRP on a Layer 2 Interface Related Configuration Tasks • Configure GVRP Registration • Configure a GARP Timer Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch.
To inspect the interface configuration, use the show config command from INTERFACE mode or use the show gvrp interface command in EXEC or EXEC Privilege mode.

Configure GVRP Registration

Configure GVRP registration. There are two GVRP registration modes:
• Fixed Registration Mode — Configuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN deregistration, and registers all VLANs known on other ports on the port.
information. The device then restarts the LeaveAll timer to begin a new cycle. The LeaveAll timer must be greater than or equal to 5x of the Leave timer. The Dell Networking OS default is 10000 ms.
23 High Availability (HA) High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. Topics: • High Availability on Stacks • Hitless Behavior • Graceful Restart • Software Resiliency • Hot-Lock Behavior • Component Redundancy High Availability on Stacks A stack has a master and standby management unit that provide redundancy in a similar way to redundant route processor modules (RPMs).
• Link aggregation control protocol (refer to Link Aggregation Control Protocol (LACP)). • Spanning tree protocol. (Refer to Configuring Spanning Trees as Hitless). • Bi-directional Forwarding Detection (refer to Bidirectional Forwarding Detection (BFD)) Graceful Restart Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets.
• Trace Log — contains trace messages related to software and hardware events, state, and errors. Trace Logs are stored in internal flash under the directory TRACE_LOG_DIR. • Crash Log — contains trace messages related to IPC and IRC timeouts and task crashes on line cards and is stored under the directory CRASH_LOG_DIR. Core Dumps A core dump is the contents of RAM a program uses at the time of a software exception and is used to identify the cause of the exception.
Automatic and Manual Stack Unit Failover Stack unit failover is the process of the standby unit becoming a management unit. Dell Networking OS fails over to the standby stack unit when: 1 Communication is lost between the standby and primary stack unit. 2 You request a failover via the CLI. To display the reason for the last failover, use the show redundancy command from EXEC Privilege mode.
Synchronization between Management and Standby Units Data between the Management and Standby units is synchronized immediately after bootup. After the Management and Standby units have done an initial full synchronization (block sync), Dell Networking OS only updates changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the Dell Networking OS version.
Disabling Auto-Reboot To disable auto-reboot, use the following command. • Prevent a failed stack unit from rebooting after a failover. CONFIGURATION mode redundancy disable-auto-reboot Manually Synchronizing Management and Standby Units To manually synchronize Management and Standby units at any time, use the following command. • Manually synchronize Management and Standby units.
24 Internet Group Management Protocol (IGMP) Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. The internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
IGMP Protocol Overview IGMP has three versions. Version 3 obsoletes and is backwards-compatible with version 2; version 2 obsoletes version 1. IGMP Version 2 IGMP version 2 improves on version 1 by specifying IGMP Leave messages, which allows hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1 One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicastsystems address 224.0.0.1) a general query to all hosts on the subnet.
• Reporting is more efficient and robust: hosts do not suppress query responses (nonsuppression helps track state and enables the immediate-leave and IGMP snooping features), state-change reports are retransmitted to ensure delivery, and a single membership report bundles multiple statements from a single host, rather than sending an individual packet for each statement. The version 3 packet structure is different from version 2 to accommodate these protocol enhancements.
Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevents traffic from all other sources in the group from reaching the subnet.
group-and-source query so that it can satisfy all other hosts. There are no other interested hosts, so the request is recorded.

Figure 51. Membership Reports: Joining and Filtering

Leaving and Staying in Groups

The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the include filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
3 Separately in the following illustration, the querier sends a general query to 224.0.0.1. 4 Host 2 responds to the periodic general query so the querier refreshes the state information for that group. Figure 52. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
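The router-side bookkeeping behind the two illustrations above (a join recorded as EXCLUDE with an empty source list, an include filter that narrows the group to one source once no other host answers the group query, and a leave that triggers a group-and-source query before the state is torn down) is specified as a small table of transitions in RFC 3376 section 6.4. The following Python is an added example, not Dell Networking OS code; it replays that table for group 224.1.1.1 with the sources from the illustrations, and reduces the protocol's timers to two explicit expiry calls so the sequence can be traced without a clock. Record names follow RFC 3376; the class and method names are this example's own.

```python
"""IGMPv3 router-side group state, following RFC 3376 section 6.4.

Added example (not Dell Networking OS code). A router keeps, per interface and
group, a filter mode plus source lists, and rewrites them as membership
reports arrive. This model reduces the timers to two explicit expiry calls so
the join, filter, leave and stay sequence in the illustrations above can be
traced for group 224.1.1.1. Record names follow RFC 3376 section 4.2.12.
"""
from dataclasses import dataclass, field

INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"
IS_IN, IS_EX = "MODE_IS_INCLUDE", "MODE_IS_EXCLUDE"        # current-state records
TO_IN, TO_EX = "CHANGE_TO_INCLUDE", "CHANGE_TO_EXCLUDE"    # filter-mode-change records
ALLOW, BLOCK = "ALLOW_NEW_SOURCES", "BLOCK_OLD_SOURCES"   # source-list-change records


@dataclass
class GroupState:
    """Router state for one (interface, group).

    INCLUDE: 'sources' is the requested list A; only those sources are forwarded.
    EXCLUDE: 'sources' is the requested list X (sources kept alive by timers, forwarded)
             and 'excluded' is the list Y (not forwarded); any source not in Y is forwarded.
    """
    mode: str = INCLUDE
    sources: set = field(default_factory=set)
    excluded: set = field(default_factory=set)
    queries: list = field(default_factory=list)  # queries the router would send

    def _query(self, kind, srcs=()):
        """Queue Q(G) or a non-empty Q(G,S); an empty source-specific query is never sent."""
        if kind == "Q(G)" or srcs:
            self.queries.append((kind, frozenset(srcs)))

    def report(self, rtype, srcs):
        """Apply one group record (RFC 3376 section 6.4.1 and 6.4.2 tables)."""
        B = set(srcs)
        if self.mode == INCLUDE:
            A = self.sources
            if rtype in (IS_IN, ALLOW):
                self.sources = A | B
            elif rtype in (IS_EX, TO_EX):
                self.mode, self.sources, self.excluded = EXCLUDE, A & B, B - A
                if rtype == TO_EX:
                    self._query("Q(G,S)", A & B)
            elif rtype == BLOCK:
                self._query("Q(G,S)", A & B)   # keep A; ask whether anyone still wants A*B
            elif rtype == TO_IN:
                self.sources = A | B
                self._query("Q(G,S)", A - B)   # ask before dropping the sources B no longer lists
        else:
            X, Y = self.sources, self.excluded
            if rtype in (IS_IN, ALLOW):
                self.sources, self.excluded = X | B, Y - B
            elif rtype in (IS_EX, TO_EX):
                self.sources, self.excluded = B - Y, Y & B
                if rtype == TO_EX:
                    self._query("Q(G,S)", B - Y)
            elif rtype == BLOCK:
                self.sources = X | (B - Y)
                self._query("Q(G,S)", B - Y)
            elif rtype == TO_IN:
                self.sources, self.excluded = X | B, Y - B
                self._query("Q(G,S)", X - B)
                self._query("Q(G)")            # does any other host still want the whole group?
        return self

    def source_timers_expire(self, srcs):
        """No host answered Q(G,S) for these sources (RFC 3376 section 6.5)."""
        S = set(srcs)
        self.sources -= S
        if self.mode == EXCLUDE:
            self.excluded |= S  # in EXCLUDE mode an expired requested source moves to Y
        return self

    def group_timer_expires(self):
        """No host answered Q(G): EXCLUDE(X,Y) becomes INCLUDE(X) (RFC 3376 section 6.5)."""
        if self.mode == EXCLUDE:
            self.mode, self.excluded = INCLUDE, set()
        return self

    def forwards(self, src):
        """Is traffic from 'src' to this group forwarded onto the subnet?"""
        return src in self.sources if self.mode == INCLUDE else src not in self.excluded

    def is_empty(self):
        """An INCLUDE state with no sources is deleted by the router."""
        return self.mode == INCLUDE and not self.sources


if __name__ == "__main__":
    g = GroupState()
    g.report(TO_EX, [])                      # host 1 joins 224.1.1.1 (an IGMPv3 join is EXCLUDE {})
    g.report(TO_IN, ["10.11.1.1"])           # host 1 now wants only source 10.11.1.1
    g.group_timer_expires()                  # nobody answered Q(G), so include-only state remains
    print(g.mode, sorted(g.sources), g.forwards("10.11.1.1"), g.forwards("10.11.1.2"))
```

Two points the illustrations gloss over show up in the model: the include filter from host 1 does not by itself stop traffic from other sources, because the router must first ask (Q(G)) whether another host still wants the whole group, and a leave (CHANGE_TO_INCLUDE with an empty list) likewise only queues Q(G,S); the state is deleted when the source timers run out unanswered. Both waits are where a host that refuses to leave, or that answers every query, keeps traffic flowing to a subnet.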
• Selecting an IGMP Version • Viewing IGMP Groups • Adjusting Timers • Preventing a Host from Joining a Group • Enabling IGMP Immediate-Leave • IGMP Snooping • Fast Convergence after MSTP Topology Changes • Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled interfaces.
Inbound IGMP access group is not set
Interface IGMP group join rate limit is not set
Internet address is 1.1.1.1/24
IGMP is enabled on interface
IGMP query interval is 60 seconds
IGMP querier timeout is 125 seconds
IGMP max query response time is 10 seconds
IGMP last member query response interval is 1000 ms
IGMP immediate-leave is disabled
IGMP activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves
IGMP querying router is 1.1.1.
timer expires; in version 2, if another host responds before the timer expires, the timer is nullified, and no response is sent. The maximum response time is the amount of time that the querier waits for a response to a query before taking further action. The querier advertises this value in the query (refer to the illustration in IGMP Version 2).
IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
Example of ip igmp snooping enable Command

Dell(conf)#ip igmp snooping enable
Dell(conf)#do show running-config igmp
ip igmp snooping enable
Dell(conf)#

Removing a Group-Port Association

To configure or view the feature that removes a group-port association, use the following commands.
• Configure the switch to remove a group-port association after receiving an IGMP Leave message.
INTERFACE VLAN mode
ip igmp fast-leave
• View the configuration.
Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present. Disable Layer 3 multicast (no ip multicast-routing) in order to disable multicast flooding.
The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet. When enabled, IGMP snooping querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members. Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command.
returned dynamically by the DHCP client. A static route points to the management interface or a forwarding router. Transit traffic (destination IP not configured in the switch) that is received on the front-end port with destination on the management port is dropped and received in the management port with destination on the front-end port is dropped.
Application Name Port Number Client Server FTP 20/21 Supported Supported Syslog 514 Supported Telnet 23 Supported TFTP 69 Supported Radius 1812,1813 Supported Tacacs 49 Supported HTTP 80 for httpd Supported Supported 443 for secure httpd 8008 HTTP server port for confd application 8888 secure HTTP server port for confd application If you configure a source interface is for any EIS management application, EIS might not coexist with that interface and the behavior is undefined in su
When the feature is enabled using the management egress-interface-selection command, the following events are performed: • The CLI prompt changes to the EIS mode. • In this mode, you can run the application and no application commands • Applications can be configured or unconfigured as management applications using the application or no application command. All configured applications are considered as management applications and the rest of them as non-management applications.
• Any management static route newly added using the management route CLI is installed to both the management EIS routing table and default routing table. • As per existing behavior, for routes in the default routing table, conflicting front-end port routes if configured has higher precedence over management routes. So there can be scenarios where the same management route is present in the EIS routing table but not in the default routing table.
• For the clear arp-cache command, upon receiving the ARP delete request, the route corresponding to the destination IP is identified. The ARP entries learned in the management EIS routing table are also cleared. • Therefore, a separate control over clearing the ARP entries learned via routes in the EIS table is not present. If the ARP entry for a destination is cleared in the default routing table, then if an ARP entry for the destination exists in the EIS table, that entry is also cleared.
• Packets received on the front-end port with a destination on the management port are dropped.
• A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
Consider a scenario in which ip1 is an address assigned to the management port and ip2 is an address assigned to any of the front-panel ports of a switch. End users on the management and front-panel port networks are connected.
This phenomenon occurs where traffic is transiting the switch. The traffic has not originated from the switch and is not terminating on the switch.
• Drop the packets that are received on the front-end data port with a destination on the management port.
• Drop the packets that are received on the management port with a destination on the front-end data port.
Switch-Destined Traffic
This phenomenon occurs where traffic is terminated on the switch.
Table 36.
If the source IP address does not match the management port IP address, the route lookup is done in the default routing table.
Default Behavior: Route lookup is done in the default routing table and the appropriate egress port is selected.
Table 37.
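To make the EIS rules above concrete (management routes installed into both tables with front-end routes taking precedence in the default table, the source-IP table choice for switch-originated packets, and the transit drops between the management and front-panel networks with their separate counter), here is a small Python model added to this guide; it is not Dell Networking OS code, and the interface addresses, prefixes and table layout are constructed assumptions.

```python
import ipaddress

MGMT = "management"   # the management port
FRONT = "front"       # any front-panel (front-end data) port


class EisSwitch:
    """Toy model: two routing tables plus the drop rules for transit traffic."""

    def __init__(self, mgmt_if: str, front_ifs: list):
        self.mgmt_if = ipaddress.ip_interface(mgmt_if)
        self.front_ifs = [ipaddress.ip_interface(f) for f in front_ifs]
        self.default_table = {}   # prefix -> (next hop, egress port)
        self.eis_table = {}       # management EIS routing table
        self.drops = {"front->mgmt": 0, "mgmt->front": 0}   # the separate drop counter
        # Connected routes: front subnets only in the default table, the
        # management subnet in both (an assumption of this model).
        for f in self.front_ifs:
            self.default_table[f.network] = (None, FRONT)
        self.default_table[self.mgmt_if.network] = (None, MGMT)
        self.eis_table[self.mgmt_if.network] = (None, MGMT)

    def add_front_route(self, prefix: str, next_hop: str):
        self.default_table[ipaddress.ip_network(prefix)] = (next_hop, FRONT)

    def add_management_route(self, prefix: str, next_hop: str):
        """A 'management route' goes into the EIS table and, unless a conflicting
        front-end route already holds the prefix, into the default table too
        (front-end routes take precedence there)."""
        net = ipaddress.ip_network(prefix)
        self.eis_table[net] = (next_hop, MGMT)
        if self.default_table.get(net, (None, MGMT))[1] == MGMT:
            self.default_table[net] = (next_hop, MGMT)

    @staticmethod
    def _longest_match(table: dict, dst):
        hits = [net for net in table if dst in net]
        return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def _is_local(self, ip) -> bool:
        return ip == self.mgmt_if.ip or any(ip == f.ip for f in self.front_ifs)

    def forward_received(self, dst: str, ingress: str) -> str:
        """Packet received on a port: returns 'local', 'dropped' or the egress port."""
        dst = ipaddress.ip_address(dst)
        if self._is_local(dst):
            return "local"            # switch-destined traffic
        # Transit traffic crossing between the management and front-panel networks
        if ingress == FRONT and dst in self.mgmt_if.network:
            self.drops["front->mgmt"] += 1
            return "dropped"
        if ingress == MGMT and any(dst in f.network for f in self.front_ifs):
            self.drops["mgmt->front"] += 1
            return "dropped"
        hit = self._longest_match(self.default_table, dst)
        return hit[1] if hit else "no-route"

    def originate(self, src: str, dst: str) -> str:
        """Switch-originated packet: the source IP chooses the routing table."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        table = self.eis_table if src == self.mgmt_if.ip else self.default_table
        hit = self._longest_match(table, dst)
        return hit[1] if hit else "no-route"
```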
The sFlow management application is supported only in standalone boxes; the switch displays an error message if sFlow is configured in a stacking environment.
Designating a Multicast Router Interface
To designate an interface as a multicast router interface, use the following command. Dell Networking OS also has the capability of listening in on incoming IGMP general queries and designates those interfaces as the multicast router interface when the frames have a nonzero IP source address.
25 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to the error-disabled state.
• Interface Types
• View Basic Interface Information
• Resetting an Interface to its Factory Default State
• Enabling a Physical Interface
• Physical Interfaces
• Egress Interface Selection (EIS)
• Management Interfaces
• VLAN Interfaces
• Loopback Interfaces
• Null Interfaces
• Port Channel Interfaces
• Bulk Configuration
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Splitting QSFP Ports to SFP+ Ports
• Converting a QSFP or QSFP+ Port to an SFP o
Interface Type   Modes Possible   Default Mode   Requires Creation      Default State
VLAN             L2, L3           L2             Yes (except default)   L2 - Shutdown (disabled); L3 - No Shutdown (enabled)
View Basic Interface Information
To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters.
• Lists all configurable interfaces on the chassis.
Output Statistics:
     3 packets, 192 bytes, 0 underruns
     3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 3 Broadcasts, 0 Unicasts
     0 Vlans, 0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1 View the configurations applied on an interface.
  INTERFACE mode
  show config
  Dell(conf-if-te-1/5)#show config
  !
  interface TenGigabitEthernet 1/5
   no ip address
   portmode hybrid
   switchport
   rate-interval 8
   mac learning-limit 10 no-station-move
   no shutdown
2 Reset an interface to its factory default state.
  interface interface
  • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
2 Enable the interface.
  INTERFACE mode
  no shutdown
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
Table 39. Layer Modes
Type of Interface                             Possible Modes   Requires Creation   Default State
10 Gigabit Ethernet and 40 Gigabit Ethernet   Layer 2          No                  Shutdown (disabled)
Management                                    N/A              No                  Shutdown (disabled)
Loopback                                      Layer 3          Yes                 No shutdown (enabled)
Null interface                                N/A              No                  Enabled
Port Channel                                  Layer 2          Yes                 Shutdown (disabled)
VLAN                                                           Yes, except for the default VLAN.
• Place the interface in Layer 2 (switching) mode.
  INTERFACE mode
  switchport
To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
Configuring Layer 3 (Network) Mode
When you assign an IP address to a physical interface, you place it in Layer 3 mode. To enable Layer 3 mode on an individual interface, use the following commands. In all interface types except VLANs, the shutdown command prevents all traffic from passing through the interface.
• Configure a primary IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address.
Example of the show ip interface Command
You can only configure one primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface.
• Due to protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table).
Configuring EIS
EIS is compatible with the following protocols: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. To enable and configure EIS, use the following commands:
1 Enter EIS mode.
  CONFIGURATION mode
  management egress-interface-selection
2 Configure which applications use EIS.
  ip address ip-address mask
  • ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in / prefix format (/x).
Viewing Two Global IPv6 Addresses
You can configure two global IPv6 addresses on the system in EXEC Privilege mode. To view the addresses, use the show interface managementethernet command, as shown in the following example. If you try to configure a third IPv6 address, an error message displays.
Important Points to Remember — virtual-ip
• virtual-ip is a CONFIGURATION mode command.
• When applied, the management port on the primary RPM assumes the virtual IP address. Executing the show interfaces and show ip interface brief commands on the primary RPM management interface displays the virtual IP address and not the actual IP address assigned on that interface.
• A duplicate IP address message is printed for the management port’s virtual IP address on an RPM failover.
Codes: C - connected, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route
Gateway of last resort is 10.11.131.254 to network 0.0.0.0
   Destination
   ----------
*S 0.0.0.0/0
C  10.11.130.
 !
 ip ospf hello-interval 15
 no shutdown
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on it to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
• Port Channel Definition and Standards
• Port Channel Benefits
• Port Channel Implementation
• Configuration Tasks for Port Channel Interfaces
Port Channel Definition and Standards
Link aggregation is defined by IEEE 802.
Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads. A physical interface can belong to only one port channel at a time. Each port channel must contain interfaces of the same interface type/speed. Port channels can contain a mix of 1G/10G/40G.
• Configuring the Minimum Oper Up Links in a Port Channel (optional)
• Adding or Removing a Port Channel from a VLAN (optional)
• Assigning an IP Address to a Port Channel (optional)
• Deleting or Disabling a Port Channel (optional)
• Load Balancing Through Port Channels (optional)
Creating a Port Channel
You can create up to 128 port channels with up to 16 port members per group on the platform. To configure a port channel, use the following commands.
1 Create a port channel.
To view the interface’s configuration, enter INTERFACE mode for that interface and use the show config command, or from EXEC Privilege mode, use the show running-config interface interface command.
When an interface is added to a port channel, Dell Networking OS recalculates the hash algorithm.
To add a physical interface to a port channel, use the following commands.
1 Add the interface to a port channel.
     Input 00.01Mbits/sec, 2 packets/sec
     Output 81.60Mbits/sec, 133658 packets/sec
Time since last interface status change: 04:31:57
Dell>
When more than one interface is added to a Layer 2-port channel, Dell Networking OS selects one of the active interfaces in the port channel to be the primary port. The primary port replies to flooding and sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command indicates the primary port.
Example of Moving an Interface to a New Port Channel The following example shows moving an interface from port channel 4 to port channel 3.
An interface with tagging enabled can belong to multiple VLANs.
Add the port channel to the VLAN as an untagged interface.
• INTERFACE VLAN mode
  untagged port-channel id number
An interface without tagging enabled can belong to only one VLAN.
Remove the port channel with tagging enabled from the VLAN.
• INTERFACE VLAN mode
  no tagged port-channel id number or no untagged port-channel id number
Identify which port channels are members of VLANs.
Assigning an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command.
• Configure an IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  • ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
  • secondary: the IP address is the interface’s backup IP address.
Changing the Hash Algorithm
The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP. You can rotate or shift the 12-bit LAG hash until the desired hash is achieved. The nh-ecmp option allows you to change the hash value for recursive ECMP routes independently of nonrecursive ECMP routes.
• xor16 — uses 16-bit XOR.
Bulk Configuration
Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces.
Interface Range
An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes any non-existing interfaces in an interface range from configuration.
• Exclude a Smaller Port Range
• Overlap Port Ranges
• Commas
• Add Ranges
Create a Single-Range
The following is an example of a single range.
Example of the interface range Command (Single Range)
Dell(config)# interface range tengigabitethernet 1/1 - 23
Dell(config-if-range-te-1/1-23)# no shutdown
Dell(config-if-range-te-1/1-23)#
Create a Multiple-Range
The following is an example of a multiple range.
Commas
The following is an example of how to use commas to add different interface types to a range of interfaces.
Example of Adding Interface Ranges
Dell(config-if)# interface range tengigabitethernet 5/1 - 23, tengigabitethernet 1/1 - 2
Dell(config-if-range-te-5/1-23,te1/1-2)# no shutdown
Dell(config-if-range-te-5/1-23,te1/1-2)#
Add Ranges
The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Example of Using a Macro to Change the Interface Range Configuration Mode
The following example shows how to change to the interface-range configuration mode using the interface range macro named “test.”
Dell(config)# interface range macro test
Dell(config-if)#
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on.
  Input giants:        0     0 pps     0
  Input throttles:     0     0 pps     0
  Input CRC:           0     0 pps     0
  Input IP checksum:   0     0 pps     0
  Input overrun:       0     0 pps     0
  Output underruns:    0     0 pps     0
  Output throttles:    0     0 pps     0
m - Change mode                  c - Clear screen
l - Page up                      a - Page down
T - Increase refresh interval    t - Decrease refresh interval
q - Quit
q
Dell#
Maintenance Using TDR
The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers.
NOTE: When you split a 40G port (such as fo 1/4) into four 10G ports, the 40G interface configuration is still available in the startup configuration when you save the running configuration by using the write memory command. When a reload of the system occurs, the 40G interface configuration is not applicable because the 40G ports are split into four 10G ports after the reload operation. While the reload is in progress, you might see error messages when the configuration file is being loaded.
Similarly, you can enable the fan-out mode to configure the QSFP port on a device to act as an SFP or SFP+ port. As the QSA enables a QSFP or QSFP+ port to be used as an SFP or SFP+ port, Dell Networking OS does not immediately detect the QSA after you insert it into a QSFP port cage. After you insert an SFP or SFP+ cable into a QSA connected to a 40 Gigabit port, Dell Networking OS assumes that all the four fanned-out 10 Gigabit ports have plugged-in SFP or SFP+ optical cables.
………………
………………
SFP+ 0 Diagnostic Information
===================================
SFP+ 0 Rx Power measurement type        = OMA
===================================
SFP+ 0 Temp High Alarm threshold        = 0.000C
SFP+ 0 Voltage High Alarm threshold     = 0.000V
SFP+ 0 Bias High Alarm threshold        = 0.000mA
NOTE: In the following show interfaces tengigabitethernet commands, ports 1, 2, and 3 are inactive and no physical SFP or SFP+ connection actually exists on these ports.
SFP 0 Ext Id                   = 0x00
SFP 0 Connector                = 0x23
SFP 0 Transceiver Code         = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding                 = 0x00
………………
Dell#show interfaces tengigabitethernet 0/6 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id                       = 0x0d
SFP 0 Ext Id                   = 0x00
SFP 0 Connector                = 0x23
SFP 0 Transceiver Code         = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding                 = 0x00
………………
Dell#show interfaces tengigabitethernet 0/7 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id                       = 0x0d
SFP 0 Ext Id                   = 0x00
SFP 0 Connector
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
    Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
Interface index is 35012865
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :90b11cf49afa
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet 0/1
tengigabitethernet 0/1 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
    Current address is 90:b1:1c:f4:9a:fa
Pluggable medi
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/8
TenGigabitEthernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
    Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, QSFP type is 4x10GBASE-CR1-3M
……..
LineSpeed 10000 Mbit
The show inventory command shows the following output:
NOTE: In the following show inventory media command output, ports 1, 2, 3, 5, 6, and 7 are actually inactive.
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of re-converging. Flapping, therefore, puts the status of the entire network at risk of transient loops and black holes.
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
Dell#show interfaces dampening
Interface  Supp State  Flaps  Penalty  Half-Life  Reuse  Suppress  Max-Sup
Te 1/1     Up          0      0        1          2      3         4
Te 1/2     Up          0      0        1          2      3         4
Te 1/2     Up          0      0        1          2      3         4
Dell#
To view a dampening summary for the entire system, use the show interfaces dampening summary command from EXEC Privilege mode.
NOTE: Because different networking vendors define MTU differently, check their documentation when planning MTU sizes across a network.
The following table lists the range for each transmission media.
Transmission Media   MTU Range (in bytes)
Ethernet             594-12000 = link MTU
                     576-9234 = IP MTU
Link Bundle Monitoring
Monitoring linked LAG bundles allows the traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
Enabling Pause Frames Enable Ethernet pause frames flow control on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior. NOTE: Changes in the flow-control values may not be reflected automatically in the show interface output. As a workaround, apply the new settings, execute shut then no shut on the interface, and then check the running-config of the port. NOTE: If you disable rx flow control, Dell Networking recommends rebooting the system.
Table 40. Layer 2 Overhead
Layer 2 Overhead                          Difference Between Link MTU and IP MTU
Ethernet (untagged)                       18 bytes
VLAN Tag                                  22 bytes
Untagged Packet with VLAN-Stack Header    22 bytes
Tagged Packet with VLAN-Stack Header      26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
NOTE: When you use a copper SFP2 module with catalog number GP-SFP2-1T in the S25P model, you can manually set its speed with the speed command. When the speed is set to 10Mbps or 100Mbps, you can use the duplex command. The local interface and the directly connected remote interface must have the same setting, and autonegotiation is the easiest way to accomplish that, as long as the remote interface is capable of autonegotiation.
7 Disable auto-negotiation on the port.
  INTERFACE mode
  no negotiation auto
  If the speed was set to 1000, do not disable auto-negotiation.
8 Verify configuration changes.
  INTERFACE mode
  show config
Example of the show interfaces status Command to View Link Status
NOTE: The show interfaces status command displays link status, but not administrative status. For both link and administrative status, use the show ip interface command.
Example of the negotiation auto Command
Dell(conf)# int tengigabitethernet 1/1
Dell(conf-if-te-1/1)#neg auto
Dell(conf-if-te-1/1-autoneg)# ?
end     Exit from configuration mode
exit    Exit from autoneg configuration mode
mode    Specify autoneg mode
no      Negate a command or set its defaults
show    Show autoneg configuration information
Dell(conf-if-te-1/1-autoneg)#mode ?
forced-master   Force port to master mode
forced-slave    Force port to slave mode
Dell(conf-if-te-1/1-autoneg)#
For details about the speed, duplex, and n
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs. Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds.
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
     0 packets input, 0 bytes
     Input 0 IP Packets, 0 Vlans 0 MPLS
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
     0 packets output, 0 bytes, 0 underruns
     Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 IP Packets, 0 Vlans, 0 MPLS
     0 throttles, 0 discarded
Rate
clear counters [interface] [vrrp [vrid] | learning-limit]
(OPTIONAL) Enter the following interface keywords and slot/port or number information:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
26 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with the Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
Configuring IPSec
The following sample configuration shows how to configure FTP and Telnet for IPSec.
1 Define the transform set.
  CONFIGURATION mode
  crypto ipsec transform-set myXform-seta esp-authentication md5 esp-encryption des
2 Define the crypto policy.
27 IPv4 Routing
The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Configuration Tasks for ICMP
• Enabling ICMP Unreachable Messages
• UDP Helper
• Enabling UDP Helper
• Configuring a Broadcast Address
• Configurations Using UDP Helper
• UDP Helper with Broadcast-All Addresses
• UDP Helper with Subnet Broadcast Addresses
• UDP Helper with Configured Broadcast Addresses
• UDP Helper with No Configured Broadcast Addresses
• Troubleshooting UDP Helper
IP Addresses
Dell Networking OS supports IP version 4 (as described in RFC 791), classful routing, and
• Configure Static Routes for the Management Interface (optional)
For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Interface Reference Guide.
Assigning IP Addresses to an Interface
Assign primary and secondary IP addresses to physical or logical (for example, virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface.
Configuring Static Routes
A static route is a route that you configure manually and that is not learned by a routing protocol such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static routes as necessary. To configure a static route, use the following command.
• Configure a static IP address.
Direct, Lo 0
--More-
Dell Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface. Dell Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
• When the interface goes down, Dell Networking OS withdraws the route.
• When the interface comes up, Dell Networking OS re-installs the route.
packets. When any device along the network path contains an MTU that is smaller than the size of the packet that it receives, the device drops the packet and sends an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message with its MTU value to the source or the sending device. This message enables the source to identify that the transmitted packet size must be reduced. The packet is retransmitted with a lower size than the previous value.
Configuring the Duration to Establish a TCP Connection You can configure the duration for which the device must wait before it attempts to establish a TCP connection. Using this capability, you can limit the wait times for TCP connection requests.
Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
gxr      (perm, OK)  -  IP  192.71.18.2
f00-3    (perm, OK)  -  IP  192.71.23.1
Dell>
To view the current configuration, use the show running-config resolve command.
Specifying the Local System Domain and a List of Domains
If you enter a partial domain, Dell Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell Networking OS searches the host table first to resolve the partial domain.
  CONFIGURATION mode
  traceroute [host | ip-address]
To keep the default setting for these parameters, press the ENTER key.
Example of the traceroute Command
The following text is example output of DNS using the traceroute command.
Dell#traceroute www.force10networks.com
Translating "www.force10networks.com"...domain server (10.11.0.1) [OK]
Type Ctrl-C to abort.
---------------------------------------------------------------------
Tracing the route to www.force10networks.com (10.11.84.
• Enabling Proxy ARP (optional)
• Clearing ARP Cache (optional)
• ARP Learning via Gratuitous ARP
• ARP Learning via ARP Request
• Configuring ARP Retries
Configuring Static ARP Entries
ARP dynamically maps the MAC and IP addresses, and while most network hosts support dynamic mapping, you can configure an ARP entry (called a static ARP) in the ARP cache. To configure a static ARP entry, use the following command.
• Configure an IP address and MAC address mapping for an interface.
To verify whether Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
Clearing ARP Cache
To clear the ARP cache of dynamically learned ARP information, use the following command.
• Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
Enabling ARP Learning via Gratuitous ARP
To enable ARP learning via gratuitous ARP, use the following command.
• Enable ARP learning via gratuitous ARP.
  CONFIGURATION mode
  arp learn-enable
ARP Learning via ARP Request
In Dell Networking OS versions prior to 8.3.1.0, Dell Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address.
Beginning with Dell Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry, for all received ARP requests.
Figure 54. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic. Configuration Tasks for ICMP The following lists the configuration tasks for ICMP.
UDP Helper
User datagram protocol (UDP) helper allows you to direct the forwarding of IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses.
Configure UDP Helper
To configure Dell Networking OS to direct UDP broadcast, enable UDP helper and specify the UDP ports for which traffic is forwarded.
-------------------------------------------------
te 1/1            1000
Configuring a Broadcast Address
To configure a broadcast address, use the following command.
• Configure a broadcast address on an interface.
  ip udp-broadcast-address
Examples of Configuring and Viewing a Broadcast Address
Dell(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255
Dell(conf-if-vl-100)#show config
!
interface Vlan 100
 ip address 1.1.0.1/24
 ip udp-broadcast-address 1.1.255.
UDP Helper with Broadcast-All Addresses
When the destination IP address of an incoming packet is the IP broadcast address, Dell Networking OS rewrites the address to match the configured broadcast address. In the following illustration:
1 Packet 1 is dropped at ingress if you did not configure a UDP helper address.
UDP Helper with Subnet Broadcast Addresses
When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to the matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
the destination address unchanged because the forwarding process is Layer 2. If you enabled UDP helper, the packet is flooded on VLAN 100 as well.
Figure 57. UDP Helper with Configured Broadcast Addresses
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
• If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
2005-11-05 11:59:35 %RELAY-I-PACKET, BOOTP REQUEST (Unicast) received at interface 172.21.50.193 BOOTP Request, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 0.0.0.0, hops = 2
2005-11-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6
2005-11-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.
28 IPv6 Routing
Internet Protocol Version 6 (IPv6) is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Prefix Advertisement — Routers use “Router Advertisement” messages to announce the network prefix. Hosts then use their interface-identifier MAC address to generate their own valid IPv6 address. • Duplicate Address Detection (DAD) — Before configuring its IPv6 address, an IPv6 host node device checks whether that address is used anywhere on the network using this mechanism.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 58. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Next Header (8 bits) The Next Header field identifies the next header’s type. If an Extension header is used, this field contains the type of Extension header (as shown in the following table). If the next header is a transmission control protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
The two highest-order bits of the Option Type (the first byte of an option) tell a node what to do with an option it does not recognize:
00: Skip the option and continue processing.
01: Discard the packet.
10: Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address identifying the unknown option type.
11: Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address.
The second byte contains the Option Data Length.
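The following is an added example (not Dell Networking OS code) that decodes the 40-byte fixed header and walks a Hop-by-Hop Options header, applying the 00/01/10/11 rule above to any option it does not recognize; the sample packets, source address 2001:db8::a and the unassigned option types used are constructed for illustration.

```python
"""Parse the IPv6 fixed header and a Hop-by-Hop Options header, applying the
unrecognized-option rule keyed by the two high-order bits of the Option Type.
Added example, not Dell Networking OS code; sample packets are constructed."""
import struct
from ipaddress import IPv6Address

NEXT_HEADER_HOP_BY_HOP = 0
NEXT_HEADER_UDP = 17

# Action for an option a node does not recognize, keyed by the two
# highest-order bits of the Option Type byte.
UNKNOWN_OPTION_ACTION = {
    0b00: "skip",
    0b01: "discard",
    0b10: "discard+icmp",
    0b11: "discard+icmp-unless-multicast",
}

# Options every node understands; anything else is treated as unrecognized.
KNOWN_OPTIONS = {0: "Pad1", 1: "PadN"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fixed header fields (Version, Traffic Class, ... Destination)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"Version field is {version}, not 6")
    return {
        "version": version,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": IPv6Address(pkt[8:24]),
        "dst": IPv6Address(pkt[24:40]),
    }


def unknown_option_decision(opt_type: int, dst: IPv6Address) -> str:
    """Apply the 00/01/10/11 rule; '11' sends no ICMP message for a multicast destination."""
    action = UNKNOWN_OPTION_ACTION[opt_type >> 6]
    if action == "discard+icmp-unless-multicast":
        return "discard" if dst.is_multicast else "discard+icmp"
    return action


def walk_hop_by_hop(ext: bytes, dst: IPv6Address):
    """Return (next_header, header_length, decision) for one Hop-by-Hop header.

    decision is 'deliver' when every option was known or skippable; otherwise it
    is the discard action of the first unrecognized option that stopped processing.
    """
    if len(ext) < 2:
        raise ValueError("truncated Hop-by-Hop header")
    next_hdr, hdr_ext_len = ext[0], ext[1]
    total = (hdr_ext_len + 1) * 8          # Hdr Ext Len excludes the first 8 octets
    if len(ext) < total:
        raise ValueError("Hop-by-Hop header overruns packet")
    i = 2
    while i < total:
        opt_type = ext[i]
        if opt_type == 0:                    # Pad1: one byte, no length field
            i += 1
            continue
        opt_len = ext[i + 1]
        if i + 2 + opt_len > total:
            raise ValueError("option overruns its header")
        if opt_type not in KNOWN_OPTIONS:
            decision = unknown_option_decision(opt_type, dst)
            if decision != "skip":
                return next_hdr, total, decision
        i += 2 + opt_len
    return next_hdr, total, "deliver"


def classify(pkt: bytes) -> str:
    """Fixed header, then the Hop-by-Hop header if present; returns the forwarding decision."""
    hdr = parse_fixed_header(pkt)
    if hdr["next_header"] == NEXT_HEADER_HOP_BY_HOP:
        _, _, decision = walk_hop_by_hop(pkt[40:], hdr["dst"])
        return decision
    return "deliver"


def build_sample(opt_type: int, dst: str) -> bytes:
    """Constructed packet: a Hop-by-Hop header carrying one option of opt_type
    (two data bytes) plus PadN, followed by a dummy 8-byte UDP header."""
    hbh = bytes([NEXT_HEADER_UDP, 0, opt_type, 2, 0xAA, 0xBB, 1, 0])
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    payload = hbh + udp
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), NEXT_HEADER_HOP_BY_HOP, 64)
    return fixed + IPv6Address("2001:db8::a").packed + IPv6Address(dst).packed + payload


if __name__ == "__main__":
    for t, d in ((0x1E, "2001:db8::1"), (0x9E, "2001:db8::1"), (0xDE, "ff02::1")):
        print(f"option type 0x{t:02x} to {d}: {classify(build_sample(t, d))}")
```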
Link-local Addresses Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are generated automatically by the operating system's IP layer for each network interface. This provides instant automatic network connectivity for any IPv6 host and means that if several hosts connect to a common hub or switch, they have an instant communication path via their link-local IPv6 address. Link-local addresses cannot be routed to the public Internet.
Path MTU Discovery Path MTU (Maximum Transmission Unit) defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
NOTE: To avoid problems with network discovery, Dell Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary processing by uninterested nodes.
Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol.
• Adjusting Your CAM-Profile
• Assigning an IPv6 Address to an Interface
• Assigning a Static IPv6 Route
• Configuring Telnet with IPv6
• SNMP over IPv6
• Showing IPv6 Information
• Clearing IPv6 Routes
Adjusting Your CAM-Profile Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
• Provides information on FP groups allocated for the egress acl. CONFIGURATION mode show cam-acl-egress Allocate at least one group for L2ACL and IPv4 ACL. The total number of groups is 4. Assigning an IPv6 Address to an Interface Essentially, IPv6 is enabled in Dell Networking OS simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully.
• For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/ port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a Loopback interface, enter the keyword loopback then the loopback number. • For a port-channel interface, enter the keywords port-channel then the port-channel number.
Showing IPv6 Information View specific IPv6 configuration with the following commands. • List the IPv6 show options.
IPV6 is enabled Link Local address: fe80::201:e8ff:fe06:95a3 Global Unicast address(es): 3:4:5:6::8, subnet is 3::/24 Global Anycast address(es): Joined Group address(es): ff02::1 ff02::2 ff02::1:ff00:8 ff02::1:ff06:95a3 MTU is 1500 ICMP redirects are not sent DAD is enabled, number of DAD attempts: 1 ND reachable time is 30 seconds ND advertised reachable time is 30 seconds ND advertised retransmit interval is 30 seconds ND router advertisements are sent every 200 seconds ND router advertisements live for
The following example shows the show ipv6 route command.
interface TenGigabitEthernet 2/2 no ip address ipv6 address 3:4:5:6::8/24 shutdown Dell# Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} • *: all routes. • ipv6 address: the format is x:x:x:x::x. • mask: the prefix length is from 0 to 128.
5 Set the hop count limit. POLICY LIST CONFIGURATION mode hop-limit {maximum | minimum limit} The hop limit range is from 0 to 254. 6 Set the managed address configuration flag. POLICY LIST CONFIGURATION mode managed-config-flag {on | off} 7 Enable verification of the sender IPv6 address in inspected messages from the authorized device source access list.
retrans—timer value The retransmission time range is from 100 to 4,294,967,295 milliseconds. 15 Display the configurations applied on the RA guard policy mode.
router-preference maximum medium trusted-port Interfaces : Te 1/1 Dell# Monitoring IPv6 RA Guard To debug IPv6 RA guard, use the following command. EXEC Privilege mode debug ipv6 nd ra-guard [interface slot/port | count value] The count range is from 1 to 65534. The default is infinity. For a complete listing of all commands related to IPv6 RA Guard, see the Dell Networking OS Command Line Reference Guide.
29 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
iSCSI optimization running on the master switch is configured to use dot1p priority-queue assignments to ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on stacked switch hardware. Figure 61. Example of iSCSI Optimization Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination.
You can configure the switch to monitor traffic for additional port numbers or a combination of port number and target IP address, and you can remove the well-known port numbers from monitoring. Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic.
400001370000 InitiatorName - iqn.1991-05.com.microsoft:dt-brcd-cna-2 TargetName iqn.2001-05.com.equallogic:4-52aed6-b90d9446c-162466364804fa49-wj-v1 TSIH - 0" Detection and Auto-Configuration for Dell EqualLogic Arrays The iSCSI optimization feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic storage arrays and automatically reconfigure the switch to enhance storage traffic flows.
conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection. After you execute the iscsi profile-compellent command, the following actions occur: • Jumbo frame size is set to 1200 for all interfaces on all ports and port-channels, if it is not already enabled. • Spanning-tree portfast is enabled on the interface.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature.
Table 41. iSCSI Optimization Defaults
Parameter | Default Value
iSCSI Optimization global setting | Disabled
iSCSI CoS mode (802.1p priority queue mapping) | Enabled: dot1p priority 4 without the remark setting
iSCSI CoS Packet classification | VLAN classifies the iSCSI packets instead of by DSCP values.
NOTE: You cannot enable iSCSI optimization when the VLT domain is active. To deactivate the VLT domain, use the no vlt domain command. The default is disabled. 2 Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication is monitored. CONFIGURATION mode [no] iscsi target port tcp-port-1 [tcp-port-2...tcp-port-16] [address ipaddress] • tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens to requests.
6 (Optional) Configures the advertised priority bitmap in iSCSI application TLVs. CONFIGURATION mode [no] iscsi priority-bits. The default is 4 (0x10 in the bitmap). 7 (Optional) Enter interface configuration mode to configure the auto-detection of Dell Compellent disk arrays. CONFIGURATION mode interface port-type slot/port 8 (Optional) Configures the auto-detection of Dell Compellent arrays on a port. INTERFACE mode [no] iscsi profile-compellent.
The following example shows the show iscsi session command. VLT PEER1 Dell#show iscsi session Session 0: ----------------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010 Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg ISID: 400001370000 VLT PEER2 Session 0: ----------------------------------------------------------------------------------Target: iqn.2001-05.com.
30 Intermediate System to Intermediate System Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
This brief overview is not intended to provide a complete understanding of IS-IS; for that, consult the documents listed in Multi-Topology IS-IS. IS-IS Addressing IS-IS PDUs require ISO-style addressing called network entity title (NET). For those familiar with name-to-network service mapping point (NSAP) addresses, the composition of the NET is identical to an NSAP address, except the last byte is always 0. The NET is composed of the IS-IS area address, system ID, and N-selector.
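As an added example (not Dell Networking OS code), the following splits a NET of the form shown in this chapter into its area address, 6-byte system ID and N-selector, and rejects a NET whose last byte is not 00; the sample NETs reuse the area and system ID values that appear in the show isis protocol output later in the chapter.

```python
"""Split an IS-IS network entity title (NET) into area address, system ID
and N-selector, enforcing that the last byte is 00.
Added example, not Dell Networking OS code."""
import re

# Dell-style NET text: a 2-hex-digit first byte, 4-hex-digit groups, then a
# 2-hex-digit N-selector, e.g. 34.0000.0000.AAAA.00
_NET_RE = re.compile(r"^[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{4})*\.[0-9A-Fa-f]{2}$")
SYSTEM_ID_BYTES = 6
NSEL_BYTES = 1
MAX_AREA_BYTES = 13       # an ISO area address is 1 to 13 bytes, so a NET is 8 to 20 bytes


def _dotted_area(hexstr: str) -> str:
    """First byte, then 4-hex-digit groups, matching the area format used on this page."""
    return ".".join([hexstr[:2]] + [hexstr[i:i + 4] for i in range(2, len(hexstr), 4)])


def parse_net(net: str) -> dict:
    """Return {'area', 'system_id', 'nsel'} for a valid NET; raise ValueError otherwise."""
    if not _NET_RE.match(net):
        raise ValueError(f"malformed NET: {net!r}")
    hexstr = net.replace(".", "").upper()   # hex digits are normalized to upper case
    nbytes = len(hexstr) // 2
    area_bytes = nbytes - SYSTEM_ID_BYTES - NSEL_BYTES
    if not 1 <= area_bytes <= MAX_AREA_BYTES:
        raise ValueError(f"NET must be 8 to 20 bytes long, got {nbytes}")
    nsel = hexstr[-2:]
    if nsel != "00":
        raise ValueError(f"N-selector must be 00 for a NET, got {nsel}")
    system_id_hex = hexstr[-14:-2]           # the 6 bytes before the N-selector
    area_hex = hexstr[:-14]                  # everything before the system ID
    return {
        "area": _dotted_area(area_hex),
        "system_id": ".".join(system_id_hex[i:i + 4] for i in range(0, 12, 4)),
        "nsel": nsel,
    }


def same_area(net_a: str, net_b: str) -> bool:
    """True when both NETs carry the same area address, the condition for a
    Level-1 adjacency between two IS-IS routers (IS-IS rule, not page text)."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


if __name__ == "__main__":
    for net in ("34.0000.0000.AAAA.00", "47.0004.004d.0001.EEEE.EEEE.EEEE.00"):
        print(net, "->", parse_net(net))
```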
You must implement a wide metric-style globally on the autonomous system (AS) to run multi-topology IS-IS for IPv6 because the Type, Length, Value (TLVs) used to advertise IPv6 information in link-state packets (LSPs) are defined to use only extended metrics. The multi-topology ID is shown in the first octet of the IS-IS packet. Certain MT topologies are assigned to serve predetermined purposes: • MT ID #0: Equivalent to the “standard” topology. • MT ID #1: Reserved for IPv4 in-band management purposes.
Graceful Restart Graceful restart is supported on the S5000 platform for both Helper and Restart modes. Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and does not trigger a topology change.
information required for IPv6 routing. The new TLVs are IPv6 Reachability and IPv6 Interface Address. Also, a new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports.
ROUTER ISIS mode configure IS-IS globally, while commands executed in INTERFACE mode enable and configure IS-IS features on that interface only. Commands in the ADDRESS-FAMILY mode are specific to IPv6. NOTE: When using the IS-IS routing protocol to exchange IPv6 routing information and to determine destination reachability, you can route IPv6 along with IPv4 while using a single intra-domain routing protocol.
net network-entity-title Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing. 3 Enter the interface configuration mode. CONFIGURATION mode interface interface Enter the keyword interface then the type of interface and slot/port information: • 4 For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
Examples of the show isis Commands The default IS type is level-1-2. To change the IS type to Level 1 only or Level 2 only, use the is-type command in ROUTER ISIS mode. To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode. Dell#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.
Configuring Multi-Topology IS-IS (MT IS-IS) To configure multi-topology IS-IS (MT IS-IS), use the following commands. 1 Enable multi-topology IS-IS for IPv6. ROUTER ISIS AF IPV6 mode multi-topology [transition] Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode.
The range is from 1 to 120 minutes. The default is 5 minutes.
• Enable the graceful restart maximum wait time before a restarting peer comes up. ROUTER-ISIS mode graceful-restart restart-wait seconds When implementing this command, be sure to set the t3 timer to adjacency on the restarting router. The range is from 1 to 120 minutes. The default is 30 seconds.
To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. • Set interval between LSP generation. ROUTER ISIS mode lsp-gen-interval [level-1 | level-2] seconds • seconds: the range is from 0 to 120.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Example of Viewing IS-IS Metric Types Dell#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
Metric Style | Correct Value Range
narrow | 0 to 63
wide transition | 0 to 16777215
narrow transition | 0 to 63
transition | 0 to 63
To view the interface’s current metric, use the show config command in INTERFACE mode or the show isis interface command in EXEC Privilege mode. Configuring the Distance of a Route To configure the distance for a route, use the following command. • Configure the distance for a route.
eljefe.01-00 * 0x00000001 0x68DF 1122 0/0/0 eljefe.02-00 * 0x00000001 0x2E7F 1113 0/0/0 Dell.00-00 0x00000002 0xD1A7 1102 0/0/0 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL B233.00-00 0x00000006 0xC38A 1124 0/0/0 eljefe.00-00 * 0x0000000D 0x51C6 1129 0/0/0 eljefe.01-00 * 0x00000001 0x68DF 1122 0/0/0 eljefe.02-00 * 0x00000001 0x2E7F 1113 0/0/0 Dell.
redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name] Configure the following parameters:
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• metric-type: choose either external or internal. The default is internal.
• map-name: enter the name of a configured route map.
• process-id: the range is from 1 to 65535.
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• match external: the range is 1 or 2.
• match internal
• metric-type: external or internal.
• map-name: name of a configured route map.
To view the IS-IS configuration globally (including both IPv4 and IPv6 settings), use the show running-config isis command in EXEC Privilege mode.
• Set the overload bit in LSPs. ROUTER ISIS mode set-overload-bit This setting prevents other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations.
• Remove the overload bit. ROUTER ISIS mode no set-overload-bit
Example of Viewing the Overload Bit Setting When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
• interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View IS-IS SNP packets, including CSNPs and PSNPs. EXEC Privilege mode debug isis snp-packets [interface] To view specific information, enter the following optional parameter:
• interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes.
Configure Metric Values For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. The following describes the correct value range for the isis metric command.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported. wide narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Table 45. Metric Value when the Metric Style Changes Multiple Times
Beginning Metric Style | Next Metric Style | Resulting Metric Value | Next Metric Style | Final Metric Value
wide | transition | truncated value | wide | original value is recovered
wide transition | transition | truncated value | wide transition | original value is recovered
wide | transition | truncated value | narrow | default value (10)
Level-1 Metric Style | Level-2 Metric Style | Resulting Metric Value
wide transition | wide | original value
wide transition | narrow | truncated value
wide transition | narrow transition | truncated value
wide transition | transition | truncated value
Sample Configurations The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
also enable the ip router isis command. In router isis configuration mode, enable multitopology transition under address-family ipv6 unicast. Figure 63. IPv6 IS-IS Sample Topography IS-IS Sample Configuration — Congruent Topology The following is a sample configuration for enabling IPv6 IS-IS. Dell(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ip address 24.3.1.
! router isis net 34.0000.0000.AAAA.00 ! address-family ipv6 unicast multi-topology exit-address-family Dell (conf-router_isis)# IS-IS Sample Configuration — Multi-topology Transition Dell (conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
31 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, provides both load sharing and port redundancy across stack units. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The unique benefit of a dynamic LAG is that its ports can toggle between participating in the LAG or acting as dedicated ports, whereas ports in a static LAG must be removed from the LAG in order to act alone.
• If a physical interface is a part of a dynamic LAG, it cannot be added as a member of a static LAG. The channel-member gigabitethernet x/y command is rejected in the static LAG interface for that physical interface. • A dynamic LAG can be created with any type of configuration. • There is a difference between the shutdown and no interface port-channel commands: • The shutdown command on LAG “xyz” disables the LAG and retains the user commands.
• Enable or disable LACP on any LAN port. INTERFACE mode [no] port-channel-protocol lacp The default is LACP disabled. This command creates context.
• Configure LACP mode. LACP mode [no] port-channel number mode [active | passive | off] number: cannot statically contain any links. The default is LACP active.
• Configure port priority. LACP mode [no] lacp port-priority priority-value The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768.
Examples of Configuring a LAG Interface Dell(conf)#interface port-channel 32 Dell(conf-if-po-32)#no shutdown Dell(conf-if-po-32)#switchport The LAG is in the default VLAN. To place the LAG into a nondefault VLAN, use the tagged command on the LAG. Dell(conf)#interface vlan 10 Dell(conf-if-vl-10)#tagged port-channel 32 Configuring the LAG Interfaces as Dynamic After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect. To configure LACP long timeout, use the following command. • Set the LACP timeout value to 30 seconds.
As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2. Traffic is equally distributed between LAGs 1 and 2. If LAG 1 fails, all traffic from R1 to R4 flows across LAG 2 only. This condition over-subscribes the link and packets are dropped. Figure 64. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4).
To view the failover group configuration, use the show running-config po-failover-group command. Dell#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. Message 1 shows this effect: a single console message declares both LAGs down at the same time. Figure 65.
Important Points about Shared LAG State Tracking The following is more information about shared LAG state tracking.
• This feature is available for static and dynamic LAGs.
• Only a LAG can be a member of a failover group.
• You can configure shared LAG state tracking on one side of a link or on both sides.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
switchport no shutdown ! Alpha(conf-if-po-10)# Example of Viewing a LAG Port Configuration The following example inspects a LAG port configuration on ALPHA.
Figure 67.
Figure 68.
Figure 69.
switchport no shutdown interface TenGigabitEthernet 2/31 no ip address Summary of the LAG Configuration on Bravo Bravo(conf-if-te-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-3/21)#port-channel-proto
Figure 70.
Figure 71.
Figure 72. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
32 Layer 2 Layer 2 features are supported on Dell Networking OS. Manage the MAC Address Table Dell Networking OS provides the following management activities for the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Specify an aging time. CONFIGURATION mode mac-address-table aging-time seconds The range is from 10 to 1000000. Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command.
• mac learning-limit station-move • Learning Limit Violation Actions • Setting Station Move Violation Actions • Recovering from Learning Limit and Station Move Violations Dell Networking OS Behavior: When configuring the MAC learning limit on a port or VLAN, the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists.
mac learning-limit station-move The station-move option allows a MAC address already in the table to be learned off another interface. For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface.
• Display a list of all of the interfaces configured with MAC learning limit or station move violation. CONFIGURATION mode show mac learning-limit violate-action NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL will be processed as static entries internally. For static entries, the MAC address will be installed in all port-pipes, irrespective of the VLAN membership.
If you don’t use any option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs. NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
NOTE: If you have configured the no mac-address-table station-move refresh-arp command, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 74.
Apply all other configurations to each interface in the redundant pair such that their configurations are identical, so that transition to the backup interface in the event of a failure is transparent to rest of the network. Figure 75. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
00:24:55: %STKUNIT0-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 3/42 00:24:55: %STKUNIT0-M:CP %IFMGR-5-ACTIVE: Changed Vlan interface state to active: Vl 1 00:24:55: %STKUNIT0-M:CP %IFMGR-5-STATE_STBY_ACT: Changed interface state from standby to active: Te 3/42 Dell(conf-if-te-3/41)#do show ip int brief | find 3/41 TenGigabitEthernet 3/41 unassigned NO Manual administratively down down TenGigabitEthernet 3/42 unassigned YES Manual up up [output omitted] Example of Configuring Redundant Pairs
enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration. Figure 76. Configuring Far-End Failure Detection The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available.
2 After you enable FEFD on an interface, it transitions to the Unknown state and sends an FEFD packet to the remote end of the link. 3 When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state. 4 If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to unknown.
Configuring FEFD You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • Enable FEFD globally on all interfaces. CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
Enabling FEFD on an Interface To enable, change, or disable FEFD on an interface, use the following commands. • Enable FEFD on a per interface basis. INTERFACE mode fefd • Change the FEFD mode. INTERFACE mode fefd [mode {aggressive | normal}] • Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time.
Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD-enabled connection, use the second command.
• Display output whenever events occur that initiate or disrupt an FEFD-enabled connection. EXEC Privilege mode debug fefd events
• Provide output for each packet transmission over the FEFD-enabled connection.
33 Link Layer Discovery Protocol (LLDP) Link Layer Discovery Protocol (LLDP) — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. 802.1AB (LLDP) Overview The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs. You can configure the inclusion of individual Optional TLVs. Table 48. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received.
Management TLVs
A management TLV is an optional TLV subtype. This TLV contains essential management information about the sender.
Organizationally Specific TLVs
A professional organization or a vendor can define organizationally specific TLVs. They have two mandatory fields (as shown in the following illustration) in addition to the basic TLV fields.
• Organizationally Unique Identifier (OUI) — a unique number the IEEE assigns to an organization or vendor.
Type TLV Description
8 Management address: Indicates the network address of the management interface. Dell Networking OS does not currently support this TLV.
127 Port-VLAN ID: On Dell Networking systems, indicates the untagged VLAN to which a port belongs.
127 Port and Protocol VLAN ID: On Dell Networking systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode).
Type TLV Description
127 Maximum Frame Size: Indicates the maximum frame size capability of the MAC and PHY.
TIA-1057 (LLDP-MED) Overview
Link layer discovery protocol — media endpoint discovery (LLDP-MED), as ANSI/TIA-1057 defines it, provides additional organizationally specific TLVs so that endpoint devices and network connectivity devices can advertise their characteristics and configuration information; the OUI for the Telecommunications Industry Association (TIA) is 00-12-BB.
Type SubType TLV Description
• LLDP device class
127 2 Network Policy: Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
127 3 Location Identification: Indicates the physical location of the device, expressed in one of three possible formats: • • •
127 4 Inventory Management TLVs: Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. Dell Networking OS does not currently support these TLVs.
Type SubType TLV Description
127 11 Inventory — Asset ID: Indicates a user-specified device number to manage inventory.
127 12–255 Reserved —
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
Value Device Type
2 Endpoint Class 2
3 Endpoint Class 3
4 Network Connectivity
5–255 Reserved
LLDP-MED Network Policies TLV
A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations.
Type Application Description
5 Softphone Voice: Specify this application type only if guest voice control packets use a separate network policy than voice data.
6 Video Conferencing: Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video.
7 Streaming Video: Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video.
power inline auto | static command. Dell Networking also honors the power value (power requirement) the powered device sends when the port is configured for power inline auto.
Figure 82. Extended Power via MDI TLV
Configure LLDP
Configuring LLDP is a two-step process.
1 Enable LLDP globally.
2 Advertise TLVs out of an interface.
CONFIGURATION versus INTERFACE Configurations
All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a submode of the CONFIGURATION mode and INTERFACE mode.
• Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
• Configurations made at the INTERFACE level affect only the specific interface; they override CONFIGURATION level configurations.
no disable
Disabling and Undoing LLDP
To disable or undo LLDP, use the following command.
• Disable LLDP globally or for an interface. disable
To undo an LLDP configuration, precede the relevant command with the keyword no.
Enabling LLDP on Management Ports
LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command.
1 Enter Protocol LLDP mode. CONFIGURATION mode protocol lldp
2 Enter LLDP management-interface mode.
To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 83. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration.
protocol lldp
Dell(conf-if-Te-1/31-lldp)#
Viewing Information Advertised by Adjacent LLDP Agents
To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
• Display brief information about adjacent devices. show lldp neighbors
• Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals
LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command.
• Configure a nondefault transmit interval.
mode tx
• Receive only. CONFIGURATION mode or INTERFACE mode mode rx
• Return to the default setting.
no multiplier
Example of the multiplier Command to Configure Time to Live
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#multiplier ?
<2-10> Multiplier (default=4)
R1(conf-lldp)#multiplier 5
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise managemen
debug lldp detail Figure 84. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.
Table 54. LLDP Configuration MIB Objects
MIB Object Category: LLDP Configuration
LLDP Variable, LLDP MIB Object, Description:
adminStatus (lldpPortConfigAdminStatus): Whether you enable the local LLDP agent for transmit, receive, or both.
msgTxHold (lldpMessageTxHoldMultiplier): Multiplier value.
msgTxInterval (lldpMessageTxInterval): Transmit Interval value.
rxInfoTTL (lldpRxInfoTTL): Time to live for received TLVs.
txInfoTTL (lldpTxInfoTTL): Time to live for transmitted TLVs.
Table 55.
TLV Type TLV Name TLV Variable System LLDP MIB Object
interface numbering subtype: Local lldpLocManAddrIfSubtype; Remote lldpRemManAddrIfSubtype
interface number: Local lldpLocManAddrIfId; Remote lldpRemManAddrIfId
OID: Local lldpLocManAddrOID; Remote lldpRemManAddrOID
Table 56. LLDP 802.
Table 57.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object
3 Location Identifier:
  Location Data Format: Local lldpXMedLocLocationSubtype; Remote lldpXMedRemLocationSubtype
  Location ID Data: Local lldpXMedLocLocationInfo; Remote lldpXMedRemLocationInfo
4 Extended Power via MDI:
  Power Device Type: Local lldpXMedLocXPoEDeviceType; Remote lldpXMedRemXPoEDeviceType
  Power Source: Local lldpXMedLocXPoEPSEPowerSource, lldpXMedLocXPoEPDPowerSource; Remote lldpXMedRemXPoEPSEPowerSource, lldpX
34 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
NLB Multicast Mode Scenario Consider a topology in which you configure four servers, S1 through S4, as a cluster or a farm. This set of servers connects to a Layer 3 switch, which connects to the end-clients. They contain a single multicast MAC address (MAC-Cluster: 03-00-5E-11-11-11). In Multicast NLB mode, configure a static ARP configuration command to associate the cluster IP address with a multicast cluster MAC address.
given in the payload. Then, all the traffic destined for the cluster is flooded out of all member ports. Because all the servers in the cluster receive traffic, failover and balancing are preserved. Enable and Disable VLAN Flooding • The older ARP entries are overwritten whenever newer NLB entries are learned. • All ARP entries, learned after you enable VLAN flooding, are deleted when you disable VLAN flooding, and RP2 triggers an ARP resolution.
This setting causes the multicast MAC address to be mapped to the cluster IP address for the NLB mode of operation of the switch. 2 Associate specific MAC or hardware addresses to VLANs.
35 Multicast Source Discovery Protocol (MSDP) Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP). Protocol Overview Each rendezvous point (RP) peers with every other RP via the transmission control protocol (TCP).
3 When an MSDP peer receives an SA message, it determines if there are any group members within the domain interested in any of the advertised sources. If there are, the receiving RP sends a join message to the originating RP, creating a shortest path tree (SPT) to the source. Figure 85.
Each RP advertises each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 86.
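To make the Entry Count and (S,G) framing concrete, here is an added example (not code from this guide or from Dell Networking OS) that encodes and decodes an MSDP Source-Active message. The field layout is assumed from RFC 3618: a 1-byte type (1 for SA), a 2-byte length covering the whole TLV, a 1-byte entry count and the 4-byte RP address, followed by 12-byte entries of reserved bytes, a source prefix length of 32, the group and the source. The sample uses the (S,G) and RP from this guide's show ip msdp sa-cache output plus one constructed entry. The check that matters for a receiver is the one on the declared entry count: it must fit inside the declared length before any entry is read, so a peer cannot make the parser walk past the message.

```python
import struct
import ipaddress

SA_TYPE = 1          # MSDP TLV type of a Source-Active message
SA_HEADER_LEN = 8    # type (1) + length (2) + entry count (1) + RP address (4)
SA_ENTRY_LEN = 12    # reserved (3) + source prefix length (1) + group (4) + source (4)


def build_sa_message(rp: str, entries: list, encapsulated: bytes = b"") -> bytes:
    """Encode an SA TLV so a sample can be constructed offline (layout assumed from RFC 3618)."""
    body = b"".join(
        b"\x00\x00\x00" + bytes([32])
        + ipaddress.IPv4Address(group).packed + ipaddress.IPv4Address(source).packed
        for group, source in entries
    )
    length = SA_HEADER_LEN + len(body) + len(encapsulated)
    header = struct.pack("!BHB4s", SA_TYPE, length, len(entries), ipaddress.IPv4Address(rp).packed)
    return header + body + encapsulated


def parse_sa_message(data: bytes) -> dict:
    """Decode one SA TLV. The declared length and entry count are checked against
    the buffer before any entry is read, so a bad peer cannot make the receiver
    read past the message or trust a count the bytes do not back up."""
    if len(data) < SA_HEADER_LEN:
        raise ValueError("truncated SA header")
    msg_type, length, count, rp_raw = struct.unpack_from("!BHB4s", data, 0)
    if msg_type != SA_TYPE:
        raise ValueError(f"TLV type {msg_type} is not a Source-Active message")
    if length < SA_HEADER_LEN or length > len(data):
        raise ValueError(f"declared length {length} does not fit a {len(data)}-byte buffer")
    if SA_HEADER_LEN + count * SA_ENTRY_LEN > length:
        raise ValueError(f"entry count {count} does not fit in declared length {length}")
    entries = []
    offset = SA_HEADER_LEN
    for _ in range(count):
        _reserved, prefix_len, group_raw, source_raw = struct.unpack_from("!3sB4s4s", data, offset)
        if prefix_len != 32:   # the assumed layout transmits a host prefix length of 32
            raise ValueError(f"source prefix length {prefix_len}, expected 32")
        entries.append((str(ipaddress.IPv4Address(group_raw)), str(ipaddress.IPv4Address(source_raw))))
        offset += SA_ENTRY_LEN
    return {
        "rp": str(ipaddress.IPv4Address(rp_raw)),
        "entry_count": count,
        "entries": entries,
        "encapsulated_bytes": length - offset,  # optional encapsulated data packet after the entries
    }


def sa_is_malformed(data: bytes) -> bool:
    """True if the parser rejects the message; a receiver would drop and count it."""
    try:
        parse_sa_message(data)
    except ValueError:
        return True
    return False


# Constructed sample: the (S,G) and RP from the guide's show ip msdp sa-cache output,
# plus a second constructed entry; no encapsulated data packet.
SAMPLE_ENTRIES = [("239.0.0.1", "10.11.4.2"), ("239.0.0.2", "10.11.4.3")]
SAMPLE_SA = build_sa_message("192.168.0.1", SAMPLE_ENTRIES)
# The same bytes with the entry count overwritten to 200: the length check rejects it.
FORGED_COUNT = SAMPLE_SA[:3] + bytes([200]) + SAMPLE_SA[4:]

if __name__ == "__main__":
    print(parse_sa_message(SAMPLE_SA))
    print("forged count rejected:", sa_is_malformed(FORGED_COUNT))
```

The number of entries a parser returns is also what a receiving RP should count against its SA cache limit, the subject of the cache-limit section later in this chapter, before inserting anything.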
Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback addresses are configured with a 32-bit mask, making it a host address.
Related Configuration Tasks The following lists related MSDP configuration tasks.
• MSDP Sample Configurations Figure 87. Configuring Interfaces for MSDP Figure 88.
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1 Enable MSDP. CONFIGURATION mode ip multicast-msdp
2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source
Examples of Configuring and Viewing MSDP
Dell(conf)#ip multicast-msdp
Dell(conf)#ip msdp peer 192.168.0.
Viewing the Source-Active Cache
To view the source-active cache, use the following command.
• View the SA cache. EXEC Privilege mode show ip msdp sa-cache
Example of the show ip msdp sa-cache Command
Dell#show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr    SourceAddr   RPAddr        LearnedFrom   Expire  UpTime
239.0.0.1    10.11.4.2    192.168.0.1   192.168.0.1   76      00:10:44
Limiting the Source-Active Cache
Set the upper limit of the number of active sources that the Dell Networking OS caches.
• Cache rejected sources. CONFIGURATION mode ip msdp cache-rejected-sa
Accept Source-Active Messages that Fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check. Referring to the following illustrations:
• In Scenario 1, all MSDP peers are up.
• In Scenario 2, the peership between RP1 and RP2 is down, but the link (and routing protocols) between them is still up.
• In Scenario 4, RP1 has a default peer plus an access list. The list permits RP4 so the RPF check is disregarded for active sources from it, but RP5 (and all others because of the implicit deny all) are subject to the RPF check and fail, so those active sources are rejected. Figure 91. MSDP Default Peer, Scenario 1 Figure 92.
Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list
If you do not specify an access list, the system accepts all sources that the peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
The default limit is 100K. If the total number of sources received from the peer is already larger than the limit when this configuration is applied, those sources are not discarded. To enforce the limit in such a situation, first clear the SA cache. Preventing MSDP from Caching a Local Source You can prevent MSDP from caching an active source based on source and/or group. Because the source is not cached, it is not advertised to remote RPs.
Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache. CONFIGURATION mode ip msdp cache-rejected-sa 2 Prevent the system from caching remote sources learned from a specific peer based on source and group.
Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command. • Prevent an RP from advertising a source in the SA cache. CONFIGURATION mode ip msdp sa-filter list in peer list ext-acl Example of Verifying that the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
Terminating a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
• Terminate the TCP connection with a peer. CONFIGURATION mode ip msdp shutdown
Example of Verifying that the Peering State is Disabled
After the relationship is terminated, the peering state of the terminator is SHUTDOWN, while the peering state of the peer is INACTIVE.
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3_E600(conf)#do clear ip msdp peer 192.168.0.1
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.
ip pim rp-address
3 In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address. CONFIGURATION mode interface loopback
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer
5 Advertise the network of each of the unique Loopback addresses throughout the network.
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface TenGigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.11/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.22/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.11 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.11
ip msdp originator-id Loopback 1
!
ip route 192.168.0.
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4
MSDP Sample Configurations
The following examples show the running-configurations described in this chapter. For more information, refer to the illustrations in the Related Configuration Tasks section.
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 update-source Loopback 0
 neighbor 192.168.0.3 no shutdown
!
ip route 192.168.0.3/32 10.11.0.
!
ip route 192.168.0.2/32 10.11.0.23
ip multicast-routing
!
interface TenGigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.4/32 area 0
!
ip pim rp-address 192.168.0.
36 Multiple Spanning Tree Protocol (MSTP) MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview In contrast, PVST+ allows a spanning tree instance for each VLAN.
Topics:
• Configure Multiple Spanning Tree Protocol
• Enable Multiple Spanning Tree Globally
• Adding and Removing Interfaces
• Creating Multiple Spanning Tree Instances
• Influencing MSTP Root Selection
• Interoperate with Non-Dell Networking OS Bridges
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Configuring Fast Hellos for Link State Detection
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging a
• Configuring Spanning Trees as Hitless
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1 Enter PROTOCOL MSTP mode.
Creating Multiple Spanning Tree Instances
To create multiple spanning tree instances, use the following command. A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP, create multiple MSTIs and map VLANs to them.
• Create an MSTI. PROTOCOL MSTP mode msti
Specify the keyword vlan then the VLANs that you want to participate in the MSTI.
Examples of Configuring and Viewing MSTI
The following example shows the msti command.
Port 374 (TenGigabitEthernet 1/21) is root Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.374
Designated root has priority 32768, address 0001.e806.953e
Designated bridge has priority 32768, address 0001.e806.953e
Designated port id is 128.
Interoperate with Non-Dell Networking OS Bridges
Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name on Dell Networking OS is null.
• Revision is a 2-byte number. The default revision number on Dell Networking OS is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds.
3 Change the max-age parameter. PROTOCOL MSTP mode max-age seconds
The range is from 6 to 40. The default is 20 seconds.
4 Change the max-hops parameter. PROTOCOL MSTP mode max-hops number
The range is from 1 to 40. The default is 20.
Table 58. Default Values for Port Costs by Interface
Port Cost: Default Value
100-Mb/s Ethernet interfaces: 200000
1-Gigabit Ethernet interfaces: 20000
10-Gigabit Ethernet interfaces: 2000
Port Channel with 100 Mb/s Ethernet interfaces: 180000
Port Channel with 1-Gigabit Ethernet interfaces: 18000
Port Channel with 10-Gigabit Ethernet interfaces: 1800
To change the port cost or priority of an interface, use the following commands.
1 Change the port cost of an interface.
• Enable EdgePort on an interface. INTERFACE mode spanning-tree mstp edge-port [bpduguard | shutdown-on-violation]
Dell Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior:
• If the interface to shut down is a port channel, all the member ports are disabled in the hardware.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Example of Verifying Hello-Time Interval
Dell(conf-rstp)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 0, Address 0001.e811.2233
Root Bridge hello time 50 ms, max age 20, forward delay 15
Bridge ID Priority 0, Address 0001.e811.2233
We are the root
Configured hello time 50 ms, max age 20, forward delay 15
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second.
MSTP Sample Configurations
The running-configurations support the topology shown in the following illustration. The configurations are from SFTOS systems.
Figure 96. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
Router 1 Running-Configuration
This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
interface TenGigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
Router 2 Running-Configuration
This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
Router 3 Running-Configuration
This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
spanning-tree configuration name Tahiti
spanning-tree configuration revision 123
spanning-tree MSTi instance 1
spanning-tree MSTi vlan 1 100
spanning-tree MSTi instance 2
spanning-tree MSTi vlan 2 200
spanning-tree MSTi vlan 2 300
(Step 2)
interface 1/0/31
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
interface 1/0/32
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
(Step 3)
interface vlan 100
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 200
tagged 1/0/31
To view the overall MSTP configuration on the router, use the show running-configuration spanning-tree mstp command in EXEC Privilege mode. To monitor and verify that the MSTP configuration is connected and communicating as desired, use the debug spanning-tree mstp bpdu command. Key items to look for in the debug report include:
• MSTP flags indicate communication received from the same region.
• As shown in the following, the MSTP routers are located in the same region.
INST 2 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
Brg/Port Prio: 32768/128, Rem Hops: 19
Indicates MSTP routers are in the (single) region
MSTP Instance
MSTP Region name
The following example shows viewing the debug log of an unsuccessful MSTP configuration.
4w0d4h : MSTP: Received BPDU on Gi 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78
Different Region (Indicates MSTP routers are in different regions and are not communicating with each other.
37 Multicast Features The Dell Networking operating system (OS) supports the following multicast protocols. • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Topics: • Enabling IP Multicast • Implementation Information • First Packet Forwarding for Lossless Multicast • IPv4 Multicast Policies Enabling IP Multicast Enabling IP Multicast is supported on the S5000 switch.
Protocol Ethernet Address
OSPF 01:00:5e:00:00:05, 01:00:5e:00:00:06
RIP 01:00:5e:00:00:09
NTP 01:00:5e:00:01:01
VRRP 01:00:5e:00:00:12
PIM-SM 01:00:5e:00:00:0d
• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.
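The MAC addresses in the table above are the standard IPv4 multicast-to-Ethernet mapping: the fixed prefix 01:00:5e, a zero bit, then the low 23 bits of the group address. The following is an added example, not code from this guide or from Dell Networking OS, that reproduces the table from the well-known group addresses of those protocols (224.0.0.5 and 224.0.0.6 for OSPF, 224.0.0.9 for RIP, 224.0.1.1 for NTP, 224.0.0.18 for VRRP, 224.0.0.13 for PIM; these addresses are supplied here, the guide lists only the MACs). It goes one step beyond the table by listing the 32 groups that collide on a single MAC, which is why a filter or a NIC that matches on the destination MAC alone still receives frames for 31 other groups.

```python
import ipaddress


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet destination MAC:
    01:00:5e, one zero bit, then the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def aliased_groups(group: str) -> list:
    """All 32 IPv4 groups that share a MAC with `group`: the 4-bit class D
    prefix and the 23 mapped bits are fixed, the 5 bits in between are free."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (free << 23) | low23)) for free in range(32)]


def mac_table(groups: dict) -> dict:
    """Rebuild a protocol-to-MAC table like the guide's from group addresses."""
    return {name: [multicast_mac(g) for g in addrs] for name, addrs in groups.items()}


# Constructed input: well-known group addresses behind the guide's table (not from the guide).
PROTOCOL_GROUPS = {
    "OSPF": ["224.0.0.5", "224.0.0.6"],
    "RIP": ["224.0.0.9"],
    "NTP": ["224.0.1.1"],
    "VRRP": ["224.0.0.18"],
    "PIM-SM": ["224.0.0.13"],
}

if __name__ == "__main__":
    for proto, macs in mac_table(PROTOCOL_GROUPS).items():
        print(proto, ", ".join(macs))
    print("groups sharing the OSPF all-routers MAC:", aliased_groups("224.0.0.5"))
```

The aliasing is the practical caveat behind the table: a host-level filter that relies on the MAC, or a switch that forwards on MAC alone, cannot distinguish 224.0.0.5 from 225.0.0.5 or 239.128.0.5, so group membership must be enforced at the IP layer (IGMP snooping, the IGMP join filters described later in this chapter) rather than at Layer 2.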
Limiting the Number of Multicast Routes
When the multicast route limit on a system is reached, Dell Networking OS does not process any IGMP or multicast listener discovery protocol (MLD) joins to PIM — though it still processes leave messages — until the number of entries decreases below 95% of the limit. When the number of entries falls below 95% of the limit after hitting the maximum, the system begins relearning route entries through IGMP, MLD, and MSDP.
INTERFACE mode ip igmp access-group access-list-name
Dell Networking OS Behavior: Do not enter the ip igmp access-group command before creating the access-list. If you do, after you enter your first deny rule, Dell Networking OS clears the multicast routing table and relearns all groups, even those not covered by the rules in the access-list, because there is an implicit deny-all rule at the end of all access-lists. Therefore, configuring an IGMP join request filter in this order might result in data loss.
limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table.
Figure 97. Preventing a Host from Joining a Group
Table 59. Preventing a Host from Joining a Group — Description
Location 1/21 Description:
• Interface TenGigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.
Location Description
• no shutdown
1/31:
• Interface TenGigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.1/24
• no shutdown
2/1:
• Interface TenGigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11:
• Interface TenGigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31:
• Interface TenGigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.
Location Description
• ip pim sparse-mode
• ip address 10.11.4.1/24
• untagged TenGigabitEthernet 1/2
• ip igmp access-group igmpjoinfilR2G2
• no shutdown
Preventing a PIM Router from Forming an Adjacency
To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command.
• Prevent a router from participating in protocol independent multicast (PIM).
allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions.
Figure 98. Preventing a Source from Transmitting to a Group
Table 60. Preventing a Source from Transmitting to a Group — Description
Location 1/21 Description:
• Interface GigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.
Location Description
• no shutdown
1/31:
• Interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.1/24
• no shutdown
2/1:
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11:
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31:
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.
Location Description
• ip pim sparse-mode
• ip address 10.11.4.1/24
• untagged GigabitEthernet 1/2
• no shutdown
Preventing a PIM Router from Processing a Join
To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.
NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router.
38 NPIV Proxy Gateway The N-port identifier virtualization (NPIV) proxy gateway (NPG) provides FCoE-FC bridging capability on the S5000 switch. This chapter describes how to configure and use an NPIV proxy gateway on an S5000 switch in a storage area network (SAN).
NPIV Proxy Gateway Operation An S5000 configured as an NPG does not join a SAN fabric, but functions as an FCoE-FC bridge that forwards storage traffic between servers and core SAN switches. The core switches forward SAN traffic to and from FC storage arrays. The following illustration shows an example of the NPG operation. Figure 99.
Servers use CNA ports to connect over FCoE to an Ethernet port in ENode mode on the NPIV proxy gateway. FCoE transit with FIP snooping is automatically enabled and configured on the S5000 gateway to prevent unauthorized access and data transmission to the SAN network (see FCoE Transit). Server CNAs use FIP to discover an S5000 FCoE switch operating as an FCoE forwarder (FCF).
NPIV Proxy Gateway: Terms and Definitions The following table describes the terms used in an NPG configuration on the S5000. Table 61. S5000 NPIV Proxy Gateway: Terms and Definitions Term Description FC port Fibre Channel port on an S5000 FC module that operates in autosensing, 2–, 4–, or 8-Gigabit mode. On an NPIV proxy gateway, an FC port can be used as a downlink for a server connection and an uplink for a fabric connection.
Term Description FCoE VLAN VLAN dedicated to carrying only FCoE traffic between server CNA ports and a SAN fabric. (FCoE traffic must travel in a VLAN.) When you apply an FCoE map on a port, FCoE is enabled on the port. All non-FCoE traffic is dropped on an FCoE VLAN. FIP FCoE Initialization Protocol: Layer 2 protocol for endpoint discovery, fabric login, and fabric association. Server CNAs use FIP to discover an upstream FCoE switch operating as an FCF.
NOTE: In each FCoE map, the fabric ID, FC-MAP value, and FCoE VLAN must be unique. To access one SAN fabric, use one FCoE map. You cannot use the same FCoE map to access different fabrics. When you configure an S5000 as an NPG, FCoE transit with FIP snooping is automatically enabled and configured using the parameters in the FCoE map applied to server-facing Ethernet and fabric-facing FC interfaces (refer to FIP Snooping on an NPIV Proxy Gateway).
Creating a DCB Map
Configure the priority-based flow control (PFC) and enhanced transmission selection (ETS) settings in a DCB map before you apply them on downstream server-facing ports on an NPG.
1 Create a DCB map to specify PFC and ETS settings for groups of dot1p priorities.
CONFIGURATION mode
dcb-map name
2 Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group, or whether priority group traffic should be handled with strict-priority scheduling.
Important Points to Remember
• If you remove a dot1p priority-to-priority group mapping from a DCB map (the no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Creating an FCoE VLAN
Create a dedicated VLAN to send and receive Fibre Channel traffic over FCoE links between servers and a fabric over an NPG. The NPG receives FCoE traffic and forwards de-capsulated FC frames over FC links to SAN switches in a specified fabric.
Create the dedicated VLAN for FCoE traffic.
CONFIGURATION mode
interface vlan vlan-id
NOTE: VLAN 1002 is commonly used to transmit FCoE traffic.
Applying an FCoE Map on Server-Facing Ethernet Ports
You can apply multiple FCoE maps on an Ethernet port or port channel. When you apply an FCoE map on a server-facing port or port channel:
• The port is configured to operate in hybrid mode (accept both tagged and untagged VLAN frames).
• The associated FCoE VLAN is enabled on the port or port channel.
When you enable a server-facing Ethernet port, the servers respond to the FIP advertisements by performing FLOGIs on upstream virtualized FCF ports.
When you apply an FCoE map on a fabric-facing FC port, the FC port becomes part of the FCoE fabric, whose settings in the FCoE map are configured on the port and exported to downstream server CNA ports. Each FC port is associated with an Ethernet MAC address (FCF MAC address). When you enable a fabric-facing FC port, the FCoE map applied to the port starts sending FIP multicast advertisements using the parameters in the FCoE map over server-facing Ethernet ports.
Apply the DCB Map on a Downstream (Server-Facing) Ethernet Port
Dell(config)# interface tengigabitethernet 1/0
Dell(config-if-te-0/0)#dcb-map SAN_DCB_MAP
Create the Dedicated VLAN Used for FCoE Traffic
Dell(conf)#interface vlan 1002
Configure an FCoE Map Applied on the Downstream (Server-Facing) Ethernet and Upstream (Core-Facing) FC Ports
Dell(config)# fcoe-map SAN_FABRIC_A
Dell(config-fcoe-name)# fabric-id 1002 vlan 1002
Dell(config-fcoe-name)# description "SAN_FABRIC_A"
Dell(config-fcoe-name)# fc-map 0ef
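As an added example (not Dell's code), the following Python checker parses fcoe-map stanzas like the one above and enforces the rule from the NOTE earlier in this chapter that each map's fabric ID, FC-MAP value and FCoE VLAN must be unique. The second map (SAN_FABRIC_B), its VLAN clash and the FC-MAP values are constructed, and the FC-MAP range check uses the FC-BB-5 range 0EFC00-0EFCFF, which this page does not itself state.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FcoeMap:
    name: str
    fabric_id: Optional[int] = None
    vlan: Optional[int] = None
    fc_map: Optional[str] = None
    description: Optional[str] = None


# Constructed sample in the style of the fcoe-map example above. SAN_FABRIC_B is
# hypothetical and deliberately reuses VLAN 1002, which the uniqueness rule forbids.
# The FC-MAP values are constructed from the FC-BB-5 range 0EFC00-0EFCFF.
SAMPLE_CONFIG = """\
fcoe-map SAN_FABRIC_A
 fabric-id 1002 vlan 1002
 description "SAN_FABRIC_A"
 fc-map 0efc00
fcoe-map SAN_FABRIC_B
 fabric-id 1003 vlan 1002
 description "SAN_FABRIC_B"
 fc-map 0efc01
"""

MAP_RE = re.compile(r"^fcoe-map\s+(\S+)\s*$")
FABRIC_RE = re.compile(r"^\s+fabric-id\s+(\d+)\s+vlan\s+(\d+)\s*$")
FCMAP_RE = re.compile(r"^\s+fc-map\s+([0-9a-fA-F]{6})\s*$")
DESC_RE = re.compile(r'^\s+description\s+"?([^"]*)"?\s*$')


def parse_fcoe_maps(config: str) -> List[FcoeMap]:
    """Parse running-config style fcoe-map stanzas into FcoeMap records."""
    maps: List[FcoeMap] = []
    current: Optional[FcoeMap] = None
    for line in config.splitlines():
        m = MAP_RE.match(line)
        if m:
            current = FcoeMap(name=m.group(1))
            maps.append(current)
            continue
        if current is None:
            continue
        m = FABRIC_RE.match(line)
        if m:
            current.fabric_id, current.vlan = int(m.group(1)), int(m.group(2))
            continue
        m = FCMAP_RE.match(line)
        if m:
            current.fc_map = m.group(1).lower()
            continue
        m = DESC_RE.match(line)
        if m:
            current.description = m.group(1)
    return maps


def check_fcoe_maps(maps: List[FcoeMap]) -> List[str]:
    """Return rule violations; an empty list means every map is complete and unique."""
    problems: List[str] = []
    owners: Dict[str, Dict[object, str]] = {"fabric-id": {}, "vlan": {}, "fc-map": {}}
    for fm in maps:
        if fm.fabric_id is None or fm.vlan is None or fm.fc_map is None:
            problems.append(f"{fm.name}: incomplete map (fabric-id, vlan and fc-map are all required)")
            continue
        if not 0x0EFC00 <= int(fm.fc_map, 16) <= 0x0EFCFF:
            problems.append(f"{fm.name}: fc-map {fm.fc_map} is outside the FC-BB-5 range 0efc00-0efcff")
        # One map per fabric: no two maps may share a fabric ID, a VLAN or an FC-MAP.
        for field, value in (("fabric-id", fm.fabric_id), ("vlan", fm.vlan), ("fc-map", fm.fc_map)):
            prior = owners[field].get(value)
            if prior is not None:
                problems.append(f"{fm.name}: {field} {value} is already used by {prior}")
            else:
                owners[field][value] = fm.name
    return problems


def audit(config: str = SAMPLE_CONFIG) -> List[str]:
    return check_fcoe_maps(parse_fcoe_maps(config))


if __name__ == "__main__":
    for problem in audit():
        print(problem)
```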
Command Description
show fcoe-map [brief | mapname]
Displays the Fibre Channel and FCoE configuration parameters in FCoE maps. Enter the brief keyword to display an overview of currently configured FCoE maps. Enter the name of an FCoE map to display the FC and FCoE parameters configured in the map to apply on the Ethernet (FCoE) and FC ports.
show qos dcb-map map-name
Displays configuration parameters in a specified DCB map.
Field Description
• Fibre Channel ports — up (link is up and transmitting FC traffic) or down (link is down and not transmitting FC traffic), link-wait (link is up and waiting for FLOGI to complete on peer SW port), or removed (port has been shut down).
Speed: Transmission speed (in Megabits per second) of Ethernet and FC ports, including autonegotiated speed (Auto).
Field Description
• Active (all mandatory FCoE and FC parameters are correctly configured)
• Incomplete (either the FC-MAP value, fabric ID, or VLAN ID are not correctly configured)
Oper-State: Operational status of link to the fabric:
• up (link is up and transmitting FC traffic)
• down (link is down and not transmitting FC traffic)
• link-wait (link is up and waiting for FLOGI to complete on peer FC port)
• removed (port has been shut down)
Members: Ethernet and FC ports that are members of
The following lists the show npiv devices brief command example field descriptions.
Field Description
Total NPIV Devices: Number of downstream ENodes connected to a fabric over the NPIV proxy gateway.
ENode-Intf: Ethernet interface (slot/port) to which a server CNA is connected.
ENode-WWPN: Worldwide port name (WWPN) of a server CNA port.
FCoE-Vlan: VLAN ID of the dedicated VLAN used to transmit FCoE traffic to and from the fabric.
Field Description
ENode [number]: Server CNA that has successfully logged in to a fabric over an Ethernet port in ENode mode.
Enode MAC: MAC address of a server CNA port.
Enode Intf: Port number of a server-facing Ethernet port operating in ENode mode.
FCF MAC: Fibre Channel forwarder MAC: MAC address of FCF interface.
Fabric Intf: Fabric-facing Fibre Channel port (slot/port) on which FCoE traffic is transmitted to the specified fabric.
NUM * 1 10 11 20 Status Active Inactive Inactive Inactive Description Fabric Q Ports FABRIC_NAME1 U Po10(Te 1/2-33) FABRIC_NAME10 -
The following lists the show vlan command example field descriptions.
Field Description
Num: VLAN ID number.
Status: Operational state of VLAN:
• Active — Transmitting traffic.
• Inactive — Not transmitting traffic.
Description: Text description of VLAN.
Fabric: SAN fabric to which Fibre Channel traffic is sent.
39 Object Tracking
IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Later, if network conditions change and the cost of the default route in each router changes, the mastership of the VRRP group is automatically reassigned to the router with the better metric.
Figure 100. Object Tracking Example
When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
Track Layer 3 Interfaces
You can create an object that tracks the Layer 3 state (IPv4 or IPv6 routing status) of an interface.
• The Layer 3 status of an interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
• The Layer 3 status of an interface goes DOWN when its Layer 2 status goes down or the IP address is removed from the routing table.
The UP and DOWN thresholds are user-configurable for each tracked route. The default UP threshold is 254; the default DOWN threshold is 255. The notification of a change in the state of a tracked object is sent when a metric value crosses a configured threshold. The tracking process uses a protocol-specific resolution value to convert the actual metric in the routing table to a scaled metric in the range from 0 to 255.
Object Tracking Configuration
You can configure three types of object tracking for a client.
• Track Layer 2 Interfaces
• Track Layer 3 Interfaces
• Track an IPv4/IPv6 Route
For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide.
Tracking a Layer 2 Interface
You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
OBJECT TRACKING mode
description text
The text string can be up to 80 characters.
4 (Optional) Display the tracking configuration and the tracked object's status.
CONFIGURATION mode
track object-id interface interface {ip routing | ipv6 routing}
Valid object IDs are from 1 to 65535.
2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
OBJECT TRACKING mode
delay {[up seconds] [down seconds]}
Valid delay times are from 0 to 180 seconds. The default is 0.
3 (Optional) Identify the tracked object with a text description.
OBJECT TRACKING mode
description text
The text string can be up to 80 characters.
Track an IPv4/IPv6 Route You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/IPv6 route.
• The resolution value used to map RIP routes is not configurable. The RIP hop-count is automatically multiplied by 16 to scale it. For example, a RIP metric of 16 (unreachable) scales to 256, which causes the route to be considered DOWN.
Tracking Route Reachability
Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command.
1 Configure object tracking on the reachability of an IPv4 or IPv6 route.
Reachability is Down (route not in route table)
2 changes, last change 00:02:49
Tracked by:
Dell#configure
Dell(conf)#track 4 ip route 3.1.1.
Valid delay times are from 0 to 180 seconds. The default is 0.
4 (Optional) Identify the tracked object with a text description.
OBJECT TRACKING mode
description text
The text string can be up to 80 characters.
5 (Optional) Configure the metric threshold for the UP and/or DOWN routing status to be tracked for the specified route.
OBJECT TRACKING mode
threshold metric {[up number] [down number]}
The default UP threshold is 254.
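To make the resolution, threshold and delay rules of this chapter concrete, here is an added Python simulation (not part of the Dell guide) of how a tracked route's scaled metric is compared against the UP and DOWN thresholds, with the RIP multiplier of 16, the default thresholds of 254/255 and a configured down delay. The timeline, the initial DOWN state of a new object and the hysteresis between the two thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-protocol resolution values. The show track resolution output in this chapter
# lists ISIS 1 and OSPF 1; the RIP multiplier of 16 is fixed and not configurable.
DEFAULT_RESOLUTION = {"isis": 1, "ospf": 1}
RIP_RESOLUTION = 16
DEFAULT_UP_THRESHOLD = 254      # defaults stated in this chapter
DEFAULT_DOWN_THRESHOLD = 255


def scale_metric(protocol: str, metric: int, resolution=DEFAULT_RESOLUTION) -> int:
    """Map the actual routing-table metric to the tracker's scaled metric."""
    if protocol == "rip":
        return metric * RIP_RESOLUTION          # 16 hops (unreachable) -> 256
    return metric * resolution[protocol]


@dataclass
class TrackedRoute:
    object_id: int
    prefix: str
    protocol: str
    up_threshold: int = DEFAULT_UP_THRESHOLD
    down_threshold: int = DEFAULT_DOWN_THRESHOLD
    delay_up: int = 0           # seconds, as in "delay up seconds"
    delay_down: int = 0         # seconds, as in "delay down seconds"
    state: str = "DOWN"         # assumption: a new object is DOWN until a route is seen
    changes: int = 0
    pending: Optional[Tuple[str, int]] = None   # (candidate state, time first seen)

    def raw_state(self, scaled: Optional[int]) -> Optional[str]:
        """State implied by the scaled metric; None means 'between thresholds, keep current'."""
        if scaled is None:                      # route not in the routing table
            return "DOWN"
        if scaled >= self.down_threshold:
            return "DOWN"
        if scaled <= self.up_threshold:
            return "UP"
        return None                             # assumption: hysteresis between thresholds

    def observe(self, metric: Optional[int], now: int) -> Optional[str]:
        """Feed the current metric (None = route withdrawn) at time now; return a notification."""
        scaled = None if metric is None else scale_metric(self.protocol, metric)
        candidate = self.raw_state(scaled)
        if candidate is None or candidate == self.state:
            self.pending = None                 # condition cleared before the delay expired
            return None
        if self.pending is None or self.pending[0] != candidate:
            self.pending = (candidate, now)
        delay = self.delay_up if candidate == "UP" else self.delay_down
        if now - self.pending[1] < delay:
            return None                         # must persist for the configured delay
        self.state = candidate
        self.changes += 1
        self.pending = None
        why = "route not in route table" if scaled is None else f"scaled metric {scaled}"
        return (f"track {self.object_id} ip route {self.prefix}: "
                f"Reachability is {candidate} ({why}), {self.changes} changes")


def demo() -> List[str]:
    """Constructed scenario: a tracked RIP route with a 5-second down delay."""
    route = TrackedRoute(object_id=4, prefix="10.20.0.0/24", protocol="rip", delay_down=5)
    # (time in seconds, RIP hop count, or None when the route is withdrawn)
    timeline = [(0, 3), (10, 15), (20, 16), (22, 16), (25, 16), (40, 2), (50, None), (51, None)]
    events: List[str] = []
    for t, hops in timeline:
        note = route.observe(hops, t)
        if note:
            events.append(note)
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```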
Displaying Tracked Objects
To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands. To display the configuration and status of currently tracked Layer 2 or Layer 3 interfaces, IPv4 or IPv6 routes, or a VRF instance, use the show track command. You can also display the currently configured per-protocol resolution values used to scale route metrics when tracking metric thresholds.
Example of the show track resolution Command
Dell#show track resolution
IP Route Resolution
ISIS 1
OSPF 1
IPv6 Route Resolution
ISIS 1
Example of the show track vrf Command
Dell#show track vrf red
Track 5
IP route 192.168.0.0/24 reachability, Vrf: red
Reachability is Up (CONNECTED)
3 changes, last change 00:02:39
First-hop interface is TenGigabitEthernet 1/4
Example of Viewing Object Tracking Configuration
Dell#show running-config track
track 1 ip route 23.0.0.
40 Open Shortest Path First (OSPFv2)
Open Shortest Path First (OSPFv2) is supported on Dell Networking OS. OSPF protocol standards are listed in the Standards Compliance chapter.
routing tables on all routers. An area within the AS may not see the details of another area's topology. AS areas are known by their area number or the router's IP address.
Figure 101. Autonomous System Areas
Area Types
The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas.
NOTE: Configure all routers within an assigned stub area as stubby so that they do not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the stubby area routers may not generate external LSAs.
• A not-so-stubby area (NSSA) can import AS external route information and send it to the backbone. It cannot receive external AS information from the backbone or other areas.
• Totally stubby areas are referred to as no summary areas in the Dell Networking OS.
The following example shows different router designations.
Figure 102. OSPF Routing Examples
Backbone Router (BR)
A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.
Area Border Router (ABR)
Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
Link-State Advertisements (LSAs)
A link-state advertisement (LSA) communicates the router's local routing topology to all other local routers in the same area. Dell Networking supports the following LSA types:
• Type 1: Router LSA — The router lists links to other routers or networks in the same area. Type 1 LSAs are flooded across their own area only. The link-state ID of the Type 1 LSA is the originating router ID.
When you configure the LSA throttle timers, syslog messages appear, indicating the interval times, as shown, for the transmit timer (45000 ms) and arrival timer (1000 ms).
Mar 15 09:46:00: %STKUNIT0-M:CP %OSPF-4-LSA_BACKOFF: OSPF Process 10,Router lsa id 2.2.2.2 router-id 2.2.2.2 is backed off to transmit after 45000ms
Mar 15 09:46:06: %STKUNIT0-M:CP %OSPF-4-LSA_BACKOFF: OSPF Process 10,Router lsa id 3.3.3.3 rtrid 3.3.3.
Implementing OSPF with Dell Networking OS
Dell Networking OS supports up to 10,000 OSPF routes. Within that 10,000, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. The S5000 supports up to 16 processes simultaneously.
Processing SNMP and Sending SNMP Traps
Only the process in the default VRF can process SNMP requests and send SNMP traps.
RFC-2328 Compliant OSPF Flooding
In OSPF, flooding is the most resource-consuming task. The flooding algorithm described in RFC 2328 requires that OSPF flood LSAs on all interfaces, as governed by the LSA's flooding scope (refer to Section 13 of the RFC).
OSPF ACK Packing
The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface.
NOTE: By default, OSPF is disabled.
Configuration Task List for OSPFv2 (OSPF for IPv4)
The following configuration tasks include two mandatory tasks and several optional tasks.
If you are using a Loopback interface, refer to Loopback Interfaces.
2 Enable the interface.
CONFIG-INTERFACE mode
no shutdown
3 Return to CONFIGURATION mode to enable the OSPFv2 process globally.
CONFIGURATION mode
router ospf process-id [vrf {vrf name}]
• vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance. The range is from 0 to 65535.
Enable OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface (configure the interface for Layer 3 operation and make sure it is not shut down). You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, and Authentication Wait Time, are assigned on a per-interface basis.
NOTE: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2
Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 13.1.1.1 (Designated Router)
Dell>
Loopback interfaces also help the OSPF process.
• Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf [vrf vrf-name] process
Configuring Stub Areas
OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
Configuring LSA Throttling Timers
Configured LSA timers replace the standard transmit and acceptance times for LSAs. The LSA throttling timers are configured in milliseconds, with the interval time increasing exponentially until a maximum time has been reached. If the maximum time is reached, the system continues to transmit at the max-interval. If the system is stable for twice the maximum interval time, the system reverts to the start-interval timer and the cycle begins again.
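The back-off cycle just described, as an added Python simulation that is not Dell's code: a transmit throttle that grows the re-origination interval exponentially up to the maximum and resets after a quiet period of twice the maximum, plus an arrival filter for the acceptance side. The start/hold values, the doubling rule and the arrival-side semantics are assumptions; the 45000 ms maximum and 1000 ms arrival timer mirror the syslog example earlier in this chapter.

```python
from typing import List, Optional, Tuple


class LsaThrottle:
    """Exponential back-off for re-originating a changed LSA.

    Assumptions (the text gives the behaviour, not the exact arithmetic): the first
    LSA after a quiet period waits start_ms; each later change within the unstable
    period waits hold_ms, then 2x, 4x ... capped at max_ms; a quiet period of
    2 * max_ms since the last transmission resets the cycle to start_ms.
    """

    def __init__(self, start_ms: int, hold_ms: int, max_ms: int) -> None:
        self.start_ms, self.hold_ms, self.max_ms = start_ms, hold_ms, max_ms
        self.interval = hold_ms                 # wait applied to the next change
        self.last_sent: Optional[int] = None

    def on_change(self, now_ms: int) -> Tuple[int, int]:
        """Record an LSA change at now_ms; return (scheduled send time, wait applied)."""
        quiet = self.last_sent is None or now_ms - self.last_sent >= 2 * self.max_ms
        if quiet:
            wait = self.start_ms                # stable for 2 * max: back to start-interval
            send_at = now_ms + wait
            self.interval = self.hold_ms
        else:
            wait = self.interval
            send_at = max(now_ms, self.last_sent + wait)
            self.interval = min(self.max_ms, 2 * self.interval)   # grow until max-interval
        self.last_sent = send_at
        return send_at, wait


class LsaArrivalFilter:
    """Acceptance side (assumption): an instance of the same LSA that arrives sooner
    than arrival_ms after the last accepted instance is discarded."""

    def __init__(self, arrival_ms: int) -> None:
        self.arrival_ms = arrival_ms
        self.last_accepted: Optional[int] = None

    def accept(self, now_ms: int) -> bool:
        if self.last_accepted is None or now_ms - self.last_accepted >= self.arrival_ms:
            self.last_accepted = now_ms
            return True
        return False


def demo_transmit(change_times_ms: List[int]) -> List[Tuple[int, int]]:
    """Constructed timers: start 1000 ms, hold 5000 ms, max 45000 ms."""
    throttle = LsaThrottle(start_ms=1000, hold_ms=5000, max_ms=45000)
    return [throttle.on_change(t) for t in change_times_ms]


def demo_arrival(arrival_times_ms: List[int]) -> List[bool]:
    """Constructed arrival timer of 1000 ms."""
    arrival = LsaArrivalFilter(arrival_ms=1000)
    return [arrival.accept(t) for t in arrival_times_ms]


if __name__ == "__main__":
    changes = [0, 2000, 7000, 17000, 37000, 77000, 122000, 300000]
    for t, (send_at, wait) in zip(changes, demo_transmit(changes)):
        print(f"change at {t:>6} ms -> transmit at {send_at:>6} ms (backed off {wait} ms)")
    print(demo_arrival([0, 500, 1000, 1800, 2000]))
```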
• For a VLAN, enter the keyword vlan then a number from 1 to 4094 (for example, passive-interface vlan 2222).
The keyword default sets all interfaces on this OSPF process as passive. To remove the passive interface from select interfaces, use the no passive-interface interface command while passive interface default is configured. To enable both receiving and sending routing updates, use the no passive-interface interface command.
fast-convergence {number}
The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set at 0.
NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support.
CONFIG-INTERFACE mode
ip ospf dead-interval seconds
• seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval.
• The dead interval must be the same on all routers in the OSPF network.
Change the time interval between hello-packet transmission.
CONFIG-INTERFACE mode
ip ospf hello-interval seconds
• seconds: the range is from 1 to 65535 (the default is 10 seconds).
Example of Changing and Verifying the cost Parameter and Viewing Interface Status
To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration.
Dell(conf-if)#ip ospf cost 45
Dell(conf-if)#show config
!
interface TenGigabitEthernet 0/0
ip address 10.1.2.100 255.255.
The default is 0 seconds.
Configuring Virtual Links
Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0). If an OSPF area does not have a direct connection to the backbone, at least one virtual link is required. Configure virtual links on an ABR connected to the backbone.
Creating Filter Routes
To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.
• Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
• You are in PREFIX LIST mode.
Example of Viewing OSPF Configuration after Redistributing Routes
To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
network 10.1.2.32 0.0.0.255 area 2.2.2.2
network 10.1.3.24 0.0.0.255 area 3.3.3.3
distribute-list dilling in
Dell(conf-router_ospf)#
Troubleshooting OSPFv2
Dell Networking OS has several tools to make troubleshooting easier.
• show ip ospf neighbor
View the LSAs currently in the queue.
EXEC Privilege mode
• show ip ospf timers rate-limit
View debug messages.
EXEC Privilege mode
debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process.
You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Basic OSPFv2 Router Topology
The following illustration is a sample basic OSPFv2 topology.
Figure 104. Basic Topology and CLI Commands for OSPFv2
OSPF Area 0 — Gl 1/1 and 1/2
router ospf 11111
network 10.0.11.0/24 area 0
network 10.0.12.0/24 area 0
network 192.168.100.0/24 area 0
!
interface TenGigabitEthernet 1/1
ip address 10.1.11.
interface Loopback 30
ip address 192.168.100.100/24
no shutdown
!
interface TenGigabitEthernet 3/1
ip address 10.1.13.3/24
no shutdown
!
interface TenGigabitEthernet 3/2
ip address 10.2.13.3/24
no shutdown
OSPF Area 0 — Gl 2/1 and 2/2
router ospf 22222
network 192.168.100.0/24 area 0
network 10.2.21.0/24 area 0
network 10.2.22.0/24 area 0
!
interface Loopback 20
ip address 192.168.100.20/24
no shutdown
!
interface TenGigabitEthernet 2/1
ip address 10.2.21.
Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically. All IPv6 addresses configured on the interface are included in the specified OSPF process.
NOTE: IPv6 and OSPFv3 do not support Multi-Process OSPF. You can only enable a single OSPFv3 process.
Set the time interval between when the switch receives a topology change and starts a shortest path first (SPF) calculation.
Assigning Area ID on an Interface
To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router. OSPFv2 requires two commands to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPFv2 on an interface.
Assigning OSPFv3 Process ID and Router ID to a VRF
To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
• Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
CONFIGURATION mode
ipv6 router ospf {process ID} vrf {vrf-name}
• The process ID range is from 0 to 65535.
Assign the router ID for this OSPFv3 process.
CONF-IPV6-ROUTER-OSPF mode
router-id {number}
• number: the IPv4 address. The format is A.B.C.D.
Interface: identifies the specific interface that is passive.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
• metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
• route-map map-name: enter a name of a configured route map.
Enabling OSPFv2 Graceful Restart
Graceful restart is enabled for the global OSPF process. The Dell Networking implementation of OSPFv2 graceful restart enables you to specify:
• grace period — the length of time the graceful restart process can last before OSPF terminates it.
• Restart-only: the OSPFv2 router supports graceful-restart only during unplanned restarts.
By default, OSPFv2 supports both restarting and helper roles. Selecting one or the other role restricts OSPFv2 to the single selected role. To disable OSPFv2 graceful-restart after you have enabled it, use the no graceful-restart grace-period command in CONFIG-ROUTER-OSPF-id mode. The command returns OSPF graceful-restart to its default state.
NOTE: The Helper mode is enabled by default on the device.
graceful-restart grace-period 180
network 20.1.1.0/24 area 0
network 30.1.1.0/24 area 0
!
ipv6 router ospf 1
log-adjacency-changes
graceful-restart grace-period 180
The following example shows the show ipv6 ospf database database-summary command.
Dell#show ipv6 ospf database database-summary
!
OSPFv3 Router with ID (200.1.1.
OSPFv3 Authentication Using IPsec
OSPFv3 uses IPsec to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the internet engineering task force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel.
• Transport mode — encrypts only the data portion (payload) of each packet, but leaves the header untouched.
• You can only enable one security protocol (AH or ESP) at a time on an interface or for an area. Enable IPsec AH with the ipv6 ospf authentication command; enable IPsec ESP with the ipv6 ospf encryption command.
• The security policy configured for an area is inherited by default on all interfaces in the area.
• The security policy configured on an interface overrides any area-level configured security for the area to which the interface is assigned.
• Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface.
INTERFACE mode
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key}
• null: causes an authentication policy configured for the area to not be inherited on the interface.
• ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295.
• MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
• key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. Required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192.
• key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
Remove an IPsec authentication policy from an OSPFv3 area.
• key-authentication-type: (optional) specifies if the authentication key is encrypted. The valid values are 0 or 7.
• Remove an IPsec encryption policy from an OSPFv3 area.
no area area-id encryption ipsec spi number
Display the configuration of IPsec encryption policies on the router.
show crypto ipsec policy
Displaying OSPFv3 IPsec Security Policies
To display the configuration of IPsec authentication and encryption policies, use the following commands.
Policy refcount : 2
Inbound AH SPI : 500 (0x1F4)
Outbound AH SPI : 500 (0x1F4)
Inbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0
replay detection support : N
STATUS : ACTIVE
outbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
Dell(conf-ipv6-router_ospf)#end
Dell#
Enabling IPv6 Unicast Routing
To enable IPv6 unicast routing, use the following command.
• Enable IPv6 unicast routing globally.
CONFIGURATION mode
ipv6 unicast routing
Applying cost for OSPFv3
Change in bandwidth directly affects the cost of OSPF routes.
• Explicitly specify the cost of sending a packet on an interface.
INTERFACE mode
ipv6 ospf interface-cost
• interface-cost: The range is from 1 to 65535. Default cost is based on the bandwidth.
Configuring Passive-Interface
To suppress the interface's participation on an OSPFv3 interface, use the following command. This command stops the router from sending updates on that interface.
• Specify whether some or all of the interfaces are passive.
CONF-IPV6-ROUTER-OSPF mode
passive-interface {interface-type}
Interface: identifies the specific interface that is passive.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Configuring a Default Route
To generate a default external route into the OSPFv3 routing domain, configure the following parameters. To specify the information for the default route, use the following command.
• Specify the information for the default route.
INTERFACE mode
• ipv6 ospf graceful-restart helper-reject
Specify the operating mode and type of events that trigger a graceful restart.
CONF-IPV6-ROUTER-OSPF mode
graceful-restart mode [planned-only | unplanned-only]
• Planned-only: the OSPFv3 router supports graceful restart only for planned restarts. A planned restart is when you manually enter a redundancy force-failover rpm command to force the primary RPM over to the secondary RPM.
log-adjacency-changes
graceful-restart grace-period 180

The following example shows the show ipv6 ospf database database-summary command.
Dell#show ipv6 ospf database database-summary
! OSPFv3 Router with ID (200.1.1.
IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel.
• Transport mode — encrypts only the data portion (payload) of each packet, but leaves the header untouched.
• Tunnel mode — is more secure and encrypts both the header and payload. On the receiving side, an IPsec-compliant device decrypts each packet.
• The configured authentication or encryption policy is applied to all OSPFv3 packets transmitted on the interface or in the area. The IPsec security associations (SAs) are the same on inbound and outbound traffic on an OSPFv3 interface. • There is no maximum AH or ESP header length because the headers have fields with variable lengths.
• null: causes an authentication policy configured for the area to not be inherited on the interface. • ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295. • MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). • key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
• authentication-algorithm: specifies the encryption authentication algorithm to use. The valid values are MD5 or SHA1.
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
• no area area-id authentication ipsec spi number
• Display the configuration of IPsec authentication policies on the router.
  show crypto ipsec policy

Configuring IPsec Encryption for an OSPFv3 Area
To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands.
Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
• Display the configuration of IPsec encryption policies on the router.
  show crypto ipsec policy

Displaying OSPFv3 IPsec Security Policies
To display the configuration of IPsec authentication and encryption policies, use the following commands.
• Display the AH and ESP parameters configured in IPsec security policies, including the SPI number, key, and algorithms used.
  EXEC Privilege mode
  show crypto ipsec policy [name name]
  • name: displays configuration details about a specified policy.
Outbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set : ah-md5-hmac

Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Inbound ESP Cipher Key : bbdd96e6eb4828e2e2
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE

Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
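The key-length rules given for the authentication policy (32 or 64 hex digits for MD5, 40 or 80 for SHA-1, depending on whether the key is stored non-encrypted or encrypted) can be checked directly against show crypto ipsec policy output. The following Python script is an added example, not Dell code or output: it parses text in the layout shown above and reports, per policy, whether each AH or ESP authentication key has a length the guide allows for the transform's algorithm and whether the SPI lies in the 256 to 4294967295 range. The sample text is constructed; the AH policy name, the AH SPI and the cipher key values are placeholders, while the authentication keys and the ESP policy fields repeat the values shown on this page.

```python
import re

# Allowed key lengths in hex digits per authentication algorithm:
# (key-encryption-type 0, non-encrypted; key-encryption-type 7, encrypted).
KEY_LENGTHS = {"md5": (32, 64), "sha1": (40, 80)}
SPI_MIN, SPI_MAX = 256, 4294967295
BLOCK_MARKER = "Crypto IPSec client security policy data"
FIELD_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# Constructed sample in the layout of `show crypto ipsec policy`. The AH
# policy name, the AH SPI and the cipher keys are placeholders; the
# authentication keys and the ESP policy fields are the page's values.
SAMPLE_OUTPUT = """\
Crypto IPSec client security policy data
Policy name : OSPFv3-0-500
Policy refcount : 1
Inbound AH SPI : 500 (0x1F4)
Outbound AH SPI : 500 (0x1F4)
Inbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Inbound ESP Cipher Key : 0011223344556677
Outbound ESP Cipher Key : 0011223344556677
Transform set : esp-des esp-sha1-hmac
"""


def parse_policies(text):
    """Split show-style output into one {field: value} dict per policy."""
    policies = []
    for chunk in text.split(BLOCK_MARKER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("name")] = m.group("value")
        policies.append(fields)
    return policies


def auth_algorithm(transform_set):
    """'md5' or 'sha1' from a transform set such as 'esp-des esp-sha1-hmac'."""
    lowered = transform_set.lower()
    for alg in KEY_LENGTHS:
        if alg in lowered:
            return alg
    return None


def check_policy(fields):
    """Validate the SPI range and authentication key lengths of one policy."""
    alg = auth_algorithm(fields.get("Transform set", ""))
    plain, encrypted = KEY_LENGTHS.get(alg, (None, None))
    result = {"policy": fields.get("Policy name"), "algorithm": alg,
              "spi_ok": True, "keys": {}}
    for name, value in fields.items():
        if name.endswith("SPI"):
            spi = int(value.split()[0])          # "501 (0x1F5)" -> 501
            result["spi_ok"] &= SPI_MIN <= spi <= SPI_MAX
        elif name.endswith("Key") and "Cipher" not in name:
            # Only authentication keys have lengths fixed by the guide; the
            # cipher key length depends on the cipher and is not checked.
            is_hex = re.fullmatch(r"[0-9a-fA-F]+", value) is not None
            if not is_hex or alg is None:
                status = "invalid"
            elif len(value) == plain:
                status = "non-encrypted"
            elif len(value) == encrypted:
                status = "encrypted"
            else:
                status = "bad-length"
            result["keys"][name] = (len(value), status)
    return result


def check_output(text):
    return [check_policy(p) for p in parse_policies(text)]


if __name__ == "__main__":
    for r in check_output(SAMPLE_OUTPUT):
        print(r["policy"], r["algorithm"], "spi_ok=%s" % r["spi_ok"], r["keys"])
```

Against the sample, both policies pass: the 64-digit AH key is an encrypted MD5 key and the 80-digit ESP authentication key is an encrypted SHA-1 key. A key of any other length, or a non-hex value, is reported as bad-length or invalid so the mismatch can be corrected before neighbours fail to form adjacencies.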
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
41 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
To enable PBR, create a redirect list. Redirect lists are defined by rules or routing policies. You can define the following parameters in routing policies or rules:
• IP address of the forwarding router (next-hop IP address)
• Protocol as defined in the header
• Source IP address and mask
• Destination IP address and mask
• Source port
• Destination port
• TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list.
  Defined as:
  seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199
  seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.222/24
  seq 40 ack, Next-hop reachable(via Te 8/1)
  Applied interfaces:
  Te 8/2

Hot-Lock PBR
Ingress and egress Hot lock PBR allows you to add or delete new rules into an existing policy (already written into content address memory [CAM]) without disruption to traffic flow.
Create a Redirect List
To create a redirect list, use the following commands.
Create a redirect list by entering the list name.
  CONFIGURATION mode
  ip redirect-list redirect-list-name
  redirect-list-name: 16 characters.
To delete the redirect list, use the no ip redirect-list command.
The following example creates a redirect list by the name of xyz.
To delete a rule, use the no redirect command.
The redirect rule supports non-contiguous bitmasks for PBR in the destination router IP address.
The following example shows how to create a rule for a redirect list by configuring:
• IP address of the next-hop router in the forwarding route
• IP protocol number
• Source address with mask information
• Destination address with mask information
Example: Creating a Rule
Dell(conf-redirect-list)#redirect ?
A.B.C.
seq 10 redirect 10.1.1.2 ip 20.1.1.0/24 any
seq 15 redirect 10.1.1.3 ip 20.1.1.0/25 any
seq 20 redirect 10.1.1.3 ip 20.1.1.0/24 any
Dell(conf-redirect-list)#
NOTE: Starting with the Dell Networking OS version 9.4(0.0), the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy on a router.
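Rules in a redirect list are evaluated in sequence order and the first match decides the next hop, which is why the seq 15 rule for 20.1.1.0/25 above is shadowed by the seq 10 rule for 20.1.1.0/24. The following Python program is an added example, not Dell code: it parses rules in the layout of show ip redirect-list and evaluates packets against them, including the dotted-mask form the guide calls a non-contiguous bitmask. It goes beyond the single rules shown here by handling permit, redirect, track and both address forms in one matcher. Assumptions: a dotted mask selects the address bits to compare (bit 1 = compare, so 255.0.0.197 compares the first octet and bits 0, 2, 6 and 7 of the last); the sample list is constructed from the rule forms on this page, with the truncated mask of seq 45 completed as 255.0.0.0; ports and TCP flags are not modelled.

```python
import ipaddress
import re

# One rule per line, as printed by show ip redirect-list:
#   seq N {redirect NEXT-HOP | permit} [track N] {ip|tcp|udp} SRC DST [...]
RULE_RE = re.compile(
    r"seq\s+(?P<seq>\d+)\s+(?P<action>redirect\s+\S+|permit)"
    r"(?:\s+track\s+\d+)?\s+(?P<proto>ip|tcp|udp)\s+(?P<rest>.+)")

# Constructed sample; the rules reuse the forms shown on this page and the
# truncated mask of seq 45 is completed as 255.0.0.0 for the example.
SAMPLE_LIST = """\
IP redirect-list sample:
  Defined as:
  seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199
  seq 10 redirect 10.1.1.2 ip 20.1.1.0/24 any
  seq 15 redirect 10.1.1.3 ip 20.1.1.0/25 any
  seq 40 redirect 43.1.1.2 tcp 155.55.2.0/24 222.22.2.0/24, Next-hop reachable (via Vl 30)
  seq 45 redirect 31.1.1.2 track 200 ip 12.0.0.0 255.0.0.197 13.0.0.0 255.0.0.0
"""


def parse_match(tokens):
    """Consume one address spec: any, A.B.C.D/len or A.B.C.D M.M.M.M.

    Returns ((masked_address, mask), remaining_tokens) with integers.
    Assumption: mask bits set to 1 are the bits compared, which is what lets
    a dotted mask such as 255.0.0.197 express a non-contiguous bitmask.
    """
    tok = tokens[0].rstrip(",")
    if tok == "any":
        return (0, 0), tokens[1:]
    if "/" in tok:
        net = ipaddress.IPv4Network(tok, strict=False)
        return (int(net.network_address), int(net.netmask)), tokens[1:]
    addr = int(ipaddress.IPv4Address(tok))
    mask = int(ipaddress.IPv4Address(tokens[1].rstrip(",")))
    return (addr & mask, mask), tokens[2:]


def parse_redirect_list(text):
    """Return the rules of a redirect list sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        action = m.group("action").split()
        tokens = m.group("rest").split()
        src, tokens = parse_match(tokens)
        dst, tokens = parse_match(tokens)       # trailing text is ignored
        rules.append({
            "seq": int(m.group("seq")),
            "next_hop": action[1] if action[0] == "redirect" else None,
            "proto": m.group("proto"),
            "src": src,
            "dst": dst,
        })
    return sorted(rules, key=lambda r: r["seq"])


def matches(spec, address):
    masked, mask = spec
    return (int(ipaddress.IPv4Address(address)) & mask) == masked


def lookup(rules, proto, src, dst):
    """First rule (in seq order) that matches the packet, or None.

    A returned rule whose next_hop is None is a permit: the packet is routed
    normally. None means no rule matched, which also means normal routing.
    """
    for rule in rules:
        if rule["proto"] not in ("ip", proto):
            continue
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_redirect_list(SAMPLE_LIST)
    for pkt in [("udp", "20.1.1.200", "8.8.8.8"), ("udp", "12.77.200.0", "13.1.2.3"),
                ("udp", "12.77.200.1", "13.1.2.3")]:
        print(pkt, "->", lookup(rules, *pkt))
```

The last two packets differ only in the final bit of the source address, yet one matches seq 45 and the other does not, because 255.0.0.197 compares bit 0 of the last octet. This is the behaviour to keep in mind when reviewing a policy with non-contiguous masks: the matched set is not a subnet and cannot be read off the rule as a prefix.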
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 ip redirect-group test
 ip redirect-group xyz
 shutdown
Dell(conf-if-te-1/1)#
Dell(conf-if-gi-1/1)#ip redirect-group test
Dell(conf-if-gi-1/1)#ip redirect-group xyz
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 no ip address
 ip redirect-group test
 ip redirect-group xyz
 shutdown
Dell(conf-if-gi-1/1)#
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on
seq 40 redirect 43.1.1.2 tcp 155.55.2.0/24 222.22.2.0/24, Next-hop reachable (via Vl 30)
seq 45 redirect 31.1.1.2 track 200 ip 12.0.0.0 255.0.0.197 13.0.0.0 255.0.0.
examples to your CLI. Make the necessary changes to support your own IP addresses, interfaces, names, and so on.
The Redirect-List GOLD defined in this example creates the following rules:
• description Route Gold traffic to the DS3
• seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any “ Redirect to next-hop router IP 10.99.99.254 any traffic originating in 192.168.1.0/24”
• seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any “ Redirect to next-hop router IP 10.99.99.254 any traffic originating in 192.168.
Assign Redirect-List GOLD to Interface 2/11
EDGE_ROUTER(conf)#int Te 2/11
EDGE_ROUTER(conf-if-Te-2/11)#ip add 192.168.3.2/24
EDGE_ROUTER(conf-if-Te-2/11)#no shut
EDGE_ROUTER(conf-if-Te-2/11)#
EDGE_ROUTER(conf-if-Te-2/11)#ip redirect-group GOLD
EDGE_ROUTER(conf-if-Te-2/11)#no shut
EDGE_ROUTER(conf-if-Te-2/11)#end
EDGE_ROUTER(conf-redirect-list)#end
EDGE_ROUTER#
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
  Defined as:
  seq 5 redirect 10.99.99.254 ip 192.168.1.
Verify the Status of the Track Objects (Up/Down):
Dell#show track brief
ResId  Resource                Parameter
1      Interface ip routing    Tunnel 1
2      Interface ipv6 routing  Tunnel 2
3      IP Host reachability    42.1.1.2/32
4      IP Host reachability    43.1.1.
Dell(conf-if-tu-2)#end
Dell#
Create Track Objects to track the Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#track 1 interface tunnel 1 ip routing
Dell(conf-track-1)#exit
Dell(conf)#track 2 interface tunnel 2 ipv6 routing
Dell(conf-track-2)#end
Verify the Status of the Track Objects (Up/Down):
Dell#show track brief
ResId  Resource                Parameter  State  LastChange
1      Interface ip routing    Tunnel 1   Up     00:00:00
2      Interface ipv6 routing  Tunnel 2   Up     00:00:00
Dell#
Create a Redirect-list with Track Objects pe
42 PIM Sparse-Mode (PIM-SM)
PIM sparse mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM dense mode, which forwards multicast traffic to all subnets until it receives a request to stop.
Requesting Multicast Traffic
A host requesting multicast traffic for a particular group sends an Internet Group Management Protocol (IGMP) Join message to its gateway router. The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic.
1 After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group.
receiving the first multicast packet from a particular source, the last-hop DR sends a PIM Join message to the source to create an SPT to it. 4 There are two paths, then, between the receiver and the source, a direct SPT and an RPT.
NOTE: You can influence the selection of the Rendezvous Point by enabling PIM-Sparse Mode on a Loopback interface and assigning a low IP address.
To display PIM neighbors for each interface, use the show ip pim neighbor command from EXEC Privilege mode.
Dell#show ip pim neighbor
Neighbor      Interface  Uptime/Expires
Address
127.87.5.5    Te 4/11    01:44:59/00:01:16
127.87.3.5    Te 4/12    01:45:00/00:01:16
127.87.50.
The default is 210.
2 Create an extended ACL.
  CONFIGURATION mode
  ip access-list extended access-list-name
3 Specify the source and group to which the timer is applied using extended ACLs with permit rules only.
  CONFIG-EXT-NACL mode
  [seq sequence-number] permit ip {source-address/mask | any | host source-address} {destination-address/mask | any | host destination-address}
4 Set the expiry time for a specific (S,G) entry (as shown in the following example).
interface Loopback 0
 ip address 1.1.1.1/32
 ip pim sparse-mode
 no shutdown
Dell#sh run pim
!
ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4

Overriding Bootstrap Router Updates
PIM-SM routers must know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
  INTERFACE mode
  ip pim query-interval seconds
• Display the current value of these parameters.
  EXEC Privilege mode
  show ip pim interface

Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
43 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of Protocol Independent Multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Important Points to Remember
• The default SSM range is always 232/8. Applying an SSM range does not overwrite the default range. Both the default range and the SSM range are effective even when the default range is not added to the SSM ACL.
• Extended ACLs cannot be used for configuring the SSM range. Be sure to create the ACL first and then apply it to the SSM range.
• The default range is always supported, so the range can never be smaller than the default.
R1(conf)#do show ip pim ssm-range
Group Address / MaskLen
239.0.0.2 / 32

Use PIM-SSM with IGMP Version 2 Hosts
PIM-SSM requires receivers that support IGMP version 3. You can employ PIM-SSM even when receivers support only IGMP version 1 or version 2 by translating (*,G) entries to (S,G) entries. Translate (*,G) entries to (S,G) entries using the ip igmp ssm-map acl source command from CONFIGURATION mode. In a standard access list, specify the groups or the group ranges that you want to map to a source.
Member Ports: Te 1/1
239.0.0.1  Vlan 400  INCLUDE  00:00:10  Never  10.11.4.2
R1(conf)#show ip igmp ssm-map
Interface           Vlan 101
Group               226.0.0.0
Uptime              10:40:31
Expires             Never
Router mode         IGMPv2
Last reporter       110.0.101.22
Group SSM Mapped source list
Source address   Expires
110.1.1.250      00:02:08
172.16.84.250    00:02:08
R1(conf)#do show ip igmp ssm-map 239.0.0.2
SSM Map Information
Group     : 239.0.0.2
Source(s) : 10.11.5.
Expires               Never
Router mode           IGMPv2-Compat
Last reporter         10.11.3.2
Last reporter mode    IGMPv2
Last report received  Join
Group source list
Source address   Uptime    Expires
10.11.5.2        00:00:01  Never
Interface             Vlan 400
Group                 239.0.0.1
Uptime                00:00:05
Expires               Never
Router mode           INCLUDE
Last reporter         10.11.4.2
Last reporter mode    INCLUDE
Last report received  ALLOW
Group source list
Source address   Uptime    Expires
10.11.5.
44 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress traffic, egress traffic, or both on specified ports. The mirrored traffic can be sent to a port to which a network analyzer (sniffer) is connected to inspect or troubleshoot the traffic.
• A port monitoring session can have multiple source statements.
• The range command is supported in the source statement, so you can specify a range of interfaces of physical, port channel, or VLAN type.
• One destination port (MG) can be used in multiple sessions.
• There can be a maximum of 128 source ports in a port monitoring session.
• Flow-based monitoring is supported for all types of source interfaces.
10   Te 1/14  Te 2/2  rx  interface  Port-based
20   Te 1/15  Te 2/3  rx  interface  Port-based
30   Te 1/16  Te 2/7  rx  interface  Port-based
300  Te 1/17  Te 1/1  tx  interface  Port-based
Dell(conf-mon-sess-300)#

Example of Configuring Another Monitoring Session with a Previously Used Destination Port
Dell(conf)#mon ses 300
Dell(conf-mon-sess-300)#source TenGig 1/17 destination TenGig 1/4 direction tx
% Error: Exceeding max MG ports for this MD port pipe.
that the MG port TeGig 6/2 receives are tagged with the VLAN ID of the MD port. Similarly, if BPDUs are transmitted, the MG port receives them tagged with the VLAN ID 4095. This behavior might result in a difference between the number of egress packets on the MD port and monitored packets on the MG port.
Dell Networking OS Behavior: The platform continues to mirror outgoing traffic even after an MD participating in spanning tree protocol (STP) transitions from the forwarding to the blocking state.
Dell(conf-mon-sess-1)#flow-based enable
Dell(conf-mon-sess-1)#exit
Dell(conf)#do show monitor session
SessID  Source  Destination  Dir  Mode  Source IP  Dest IP
------  ------  -----------  ---  ----  ---------  -------
0       Te 1/1  Te 1/2       rx   Port  N/A        N/A
0       Po 10   Te 1/2       rx   Port  N/A        N/A
1       Vl 40   Te 1/3       rx   Flow  N/A        N/A
NOTE: Source as VLAN is achieved via flow-based mirroring. Refer to the section Enabling Flow-Based Monitoring.
  MONITOR SESSION mode
  flow-based enable
2 Define access-list rules that include the keyword monitor. For port monitoring, Dell Networking OS only considers traffic matching rules with the keyword monitor.
  CONFIGURATION mode
  ip access-list
  Refer to Access Control Lists (ACLs).
3 Apply the ACL to the monitored port.
Remote port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a time-saving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
The reserved VLANs transport the mirrored traffic in sessions (blue pipes) to the destination analyzers in the local network. Two destination sessions are shown: one for the reserved VLAN that transports orange-circle traffic; one for the reserved VLAN that transports green-circle traffic. Figure 107.
• Mirrored traffic is transported across the network using 802.1Q-in-802.1Q tunneling. The source address, destination address and original VLAN ID of the mirrored packet are preserved with the tagged VLAN header. Untagged source packets are tagged with the reserved VLAN ID.
• You cannot configure a private VLAN or a GVRP VLAN as the reserved RPM VLAN.
• The RPM VLAN can’t be a Private VLAN.
• The RPM VLAN can be used as GVRP VLAN.
• The L3 interface configuration should be blocked for RPM VLAN.
• By default, ingress traffic on a destination port is dropped. Restrictions When you configure remote port mirroring, the following restrictions apply: • You can configure the same source port to be used in multiple source sessions. • You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
R  100  Active  T Fo 1/20/1
R  300  Active  T Fo 1/24/1

Configuring the Sample Remote Port Mirroring
Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
Table 62.
Dell(conf)#mac access-list standard mac_acl
Dell(config-std-macl)#permit 00:00:00:00:11:22 count monitor
Dell(config-std-macl)#exit
Dell(conf)#interface vlan 100
Dell(conf-if-vl-100)#mac access-group mac_acl1 in
Dell(conf-if-vl-100)#exit
Dell(conf)#inte te 1/30
Dell(conf-if-te-1/30)#no shutdown
Dell(conf-if-te-1/30)#switchport
Dell(conf-if-te-1/30)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged te 1/30
Dell(conf-if-vl-30)#exit
Dell(conf)#interface
Dell(conf-if-vl-20)#mode remote-port-mirroring
Dell(conf-if-vl-20)#tagged te 1/2
Dell(conf-if-vl-20)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged te 1/3
Dell(conf-if-vl-30)#exit
Dell(conf)#monitor session 1 type rpm
Dell(conf-mon-sess-1)#source remote-vlan 10 dest te 1/4
Dell(conf-mon-sess-1)#exit
Dell(conf)#monitor session 2 type rpm
Dell(conf-mon-sess-2)#source remote-vlan 20 destination te 1/5
Dell(conf-mon-sess-2)#tagged destination te 0/4
D
5 Show the output for the LACP.
Dell#show interfaces port-channel brief
Codes: L - LACP Port-channel
       O - OpenFlow Controller Port-channel
    LAG  Mode  Status  Uptime    Ports
L   1    L3    up      00:01:17  Te 1/4  (Up)
L   2    L2    up      00:00:58  Te 1/5  (Up)
Dell#

Encapsulated Remote Port Monitoring
Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session.
Table 63. Configuration steps for ERPM
Step  Command  Purpose
1  configure terminal  Enter global configuration mode.
2  monitor session type erpm  Specify a session ID and ERPM as the type of monitoring session, and enter Monitoring-Session configuration mode. The session number needs to be unique and not already defined.
3  source {interface | range} direction {rx | tx | both}  Specify the source port or range of ports.
Dell#show running-config interface vlan 11
!
interface Vlan 11
 no ip address
 tagged TenGigabitEthernet 1/1-3
 mac access-group flow in   <<<<<<<<<<<<<< Only ingress packets are supported for mirroring
 shutdown

ERPM Behavior on a typical Dell Networking OS
The Dell Networking OS is designed to support only the encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination switch are not supported.
If the sniffer does not support an IP interface, a destination switch is needed to receive the encapsulated ERPM packet and locally mirror the whole packet to the sniffer or a Linux server.
Decapsulation of ERPM packets at the Destination IP/ Analyzer
• To decapsulate the original payload from the ERPM header, the following two methods are suggested:
a Using Network Analyzer
• Install any well-known network packet analyzer tool that is open source and free to download.
: Specify another interface on the Linux server via which the decapsulated packets can egress. If there is only one interface, the ingress interface itself can be specified as the egress interface and the analyzer can listen in the tx direction.
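Whatever receives the ERPM stream has to strip the outer IPv4 and GRE headers before the mirrored frame can be analyzed. The following Python program is an added example, not Dell code: it builds an IPv4/GRE pack
et carrying an Ethernet frame and parses it back, verifying the outer header checksum and walking the optional GRE checksum, key and sequence-number fields before exposing the inner frame. Assumptions: the guide only says the packets are GRE-encapsulated, so the inner protocol type 0x6558 (transparent Ethernet bridging) is an assumption for the sample, and a real capture carrying a different protocol type is reported rather than decoded; the outer addresses, source MAC and payload are constructed, and the destination MAC reuses the address from the MAC ACL example in this chapter.

```python
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558     # transparent Ethernet bridging: payload is an Ethernet frame
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre_packet(src_ip, dst_ip, inner_frame, key=None, seq=None):
    """Outer IPv4 header + GRE header (+ key, + sequence) + Ethernet frame."""
    flags, options = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        options += struct.pack("!I", seq)
    payload = struct.pack("!HH", flags, GRE_PROTO_TEB) + options + inner_frame
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0, 64, IPPROTO_GRE, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def decapsulate(packet):
    """Strip the outer IPv4 and GRE headers; return the mirrored frame's fields."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    gre = packet[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    info = {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]),
            "gre_proto": proto}
    offset = 4
    if flags & GRE_FLAG_C:          # checksum + reserved1 present
        offset += 4
    if flags & GRE_FLAG_K:          # key present
        info["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:          # sequence number present
        info["seq"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE protocol type 0x%04x is not an Ethernet frame" % proto)
    frame = gre[offset:]
    info["inner_dst_mac"] = frame[:6].hex(":")
    info["inner_src_mac"] = frame[6:12].hex(":")
    info["inner_ethertype"] = struct.unpack("!H", frame[12:14])[0]
    info["inner_payload"] = frame[14:]
    return info


# Constructed sample: a frame to the MAC used in the chapter's MAC ACL
# (00:00:00:00:11:22) from a made-up source MAC, mirrored with key and sequence.
SAMPLE_FRAME = (bytes.fromhex("000000001122") + bytes.fromhex("0200deadbeef")
                + struct.pack("!H", 0x0800) + b"constructed mirrored payload")
SAMPLE_PACKET = build_gre_packet("10.1.1.1", "10.2.2.2", SAMPLE_FRAME, key=0x0A, seq=7)


def demo():
    return decapsulate(SAMPLE_PACKET)


if __name__ == "__main__":
    print(demo())
```

Because the decoder reads the GRE flag bits to locate the inner frame instead of assuming a fixed 4-byte GRE header, it stays correct whether or not the sending session adds a key or sequence number, and the sequence number it exposes is what lets an analyzer detect dropped mirrored packets on the way to the destination IP.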
45 Private VLANs (PVLAN) Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
• Isolated VLAN — a type of secondary VLAN in a primary VLAN:
  • Ports in an isolated VLAN cannot talk directly to each other.
  • Ports in an isolated VLAN can only communicate with promiscuous ports in the primary VLAN.
  • An isolated VLAN can only contain ports configured as host.
• Primary VLAN — the base VLAN of a PVLAN:
  • A switch can have one or more primary VLANs, and it can have none.
  • A primary VLAN has one or more secondary VLANs.
NOTE: Even after you disable ip-local-proxy-arp (no ip-local-proxy-arp) in a secondary VLAN, Layer 3 communication may happen between some secondary VLAN hosts, until the address resolution protocol (ARP) timeout happens on those secondary VLAN hosts.
• Set the mode of the selected VLAN to community, isolated, or primary.
  INTERFACE VLAN mode
  [no] private-vlan mode {community | isolated | primary}
• Map secondary VLANs to the selected primary VLAN.
Creating PVLAN Ports
PVLAN ports are ports that will be assigned to the PVLAN.
1 Access INTERFACE mode for the port that you want to assign to a PVLAN.
  CONFIGURATION mode
  interface interface
2 Enable the port.
  INTERFACE mode
  no shutdown
3 Set the port in Layer 2 mode.
  INTERFACE mode
  switchport
4 Select the PVLAN mode.
Creating a Primary VLAN
A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which comprise community VLANs and isolated VLANs.
1 Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
  CONFIGURATION mode
  interface vlan vlan-id
2 Enable the VLAN.
NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped.

Creating a Community VLAN
A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN.
1 Access INTERFACE VLAN mode for the VLAN that you want to make a community VLAN.
  CONFIGURATION mode
  interface vlan vlan-id
2 Enable the VLAN.
4 Add one or more host ports to the VLAN.
  INTERFACE VLAN mode
  tagged interface or untagged interface
  You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add ports defined as host to the VLAN.
Example of Configuring Private VLAN Members
The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
The following configuration is based on the example diagram for the S5000–1: • TenGig 0/0 and TenGig 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • TenGig 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • TenGig 0/24 and TenGig 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003. • TenGig 4/0 and TenGig 23 are configured as host ports and assigned to the community VLAN, VLAN 4001.
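The isolation rules of this chapter (isolated host ports reach only promiscuous ports, community host ports reach each other and promiscuous ports, promiscuous ports reach everything in the PVLAN) decide which pairs of ports can exchange Layer 2 traffic. The following Python model is an added example, not Dell code: it encodes those rules and computes the reachability of each port so that a planned PVLAN layout can be reviewed before it is configured. The sample ports are constructed after the S5000-1 example (primary VLAN 4000, community VLAN 4001, isolated VLAN 4003); the port names are assumptions, PVLAN trunk ports are not modelled, and ports in two different community VLANs are assumed not to reach each other.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    role: str      # "promiscuous", or the host-port roles "community" / "isolated"
    vlan: int      # VLAN the port is assigned to
    primary: int   # primary VLAN of the PVLAN the port belongs to


# Constructed sample modelled on the S5000-1 example: primary VLAN 4000,
# community VLAN 4001, isolated VLAN 4003. Port names are assumptions.
SAMPLE_PORTS = [
    Port("Te 0/0",  "promiscuous", 4000, 4000),
    Port("Te 0/23", "promiscuous", 4000, 4000),
    Port("Te 0/24", "isolated",    4003, 4000),
    Port("Te 0/47", "isolated",    4003, 4000),
    Port("Te 0/4",  "community",   4001, 4000),
    Port("Te 0/5",  "community",   4001, 4000),
]


def can_forward(src, dst):
    """Whether Layer 2 traffic entering on src may leave on dst."""
    if src is dst or src.primary != dst.primary:
        return False                    # different PVLANs never mix
    if "promiscuous" in (src.role, dst.role):
        return True                     # promiscuous ports talk to every port
    if src.role == dst.role == "community":
        return src.vlan == dst.vlan     # same community VLAN only (assumption)
    return False                        # isolated <-> isolated, isolated <-> community


def reachable_from(ports, name):
    """Sorted names of the ports a frame from the named port can reach."""
    src = next(p for p in ports if p.name == name)
    return sorted(p.name for p in ports if can_forward(src, p))


def reachability_matrix(ports):
    """{(src_name, dst_name): bool} for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_forward(a, b)
            for a in ports for b in ports if a is not b}


if __name__ == "__main__":
    for port in SAMPLE_PORTS:
        print("%-8s %-11s -> %s" % (port.name, port.role,
                                     ", ".join(reachable_from(SAMPLE_PORTS, port.name))))
```

Running the model on the sample shows the two isolated ports reaching only Te 0/0 and Te 0/23, which is the property a PVLAN is deployed for; if a reviewer's intended layout gives an isolated port any other reachable peer, the port was assigned to the wrong secondary VLAN or the wrong mode.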
• The following example shows the PVLAN parts of the running-config from the S5000–2 switch in the topology diagram previously shown.
• Display the type and status of the configured PVLAN interfaces.
  show interfaces private-vlan [interface interface]
  This command is specific to the PVLAN feature. For more information, refer to the Security chapter in the Dell Networking OS Command Line Reference Guide.
• Display the configured PVLANs or interfaces that are part of a PVLAN.
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column. The following example shows the show vlan command output from S5000–2.
46 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN spanning tree plus (PVST+) is a variation of Spanning Tree — developed by a third party — that allows you to configure a separate Spanning Tree instance for each VLAN. For more information about Spanning Tree, refer to Spanning Tree Protocol (STP).
Protocol Overview
Figure 110. Per-VLAN Spanning Tree
The Dell Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 64. Spanning Tree Variations Dell Networking OS Supports
Dell Networking Term                    IEEE Specification
Spanning Tree Protocol (STP)            802.1d
Rapid Spanning Tree Protocol (RSTP)     802.1w
Multiple Spanning Tree Protocol (MSTP)  802.
Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell Networking systems in a multivendor network, verify that the costs are values you intended. • On the S5000, you can enable PVST+ on 254 VLANs.
no disable

Disabling PVST+
To disable PVST+ globally or on an interface, use the following commands.
• Disable PVST+ globally.
  PROTOCOL PVST mode
  disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
  INTERFACE mode
  no spanning-tree pvst
Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Influencing PVST+ Root Selection
As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all Ten-GigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing.
Figure 111.
  vlan vlan-range bridge-priority value
  The VLAN range is from 1 to 4094. The range is from 0 to 61440. The default is 32768.
Example of the show spanning-tree pvst vlan Command
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.
  The range is from 4 to 30. The default is 15 seconds.
• Change the hello-time parameter.
  PROTOCOL PVST mode
  vlan vlan-range hello-time value
  NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time.
  The VLAN range is from 1 to 4094. The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
  PROTOCOL PVST mode
  vlan vlan-range max-age value
  The VLAN range is from 1 to 4094. The range is from 6 to 40.
Port Cost                                         Default Value
Port Channel with 100 Mb/s Ethernet interfaces    180000
Port Channel with 1-Gigabit Ethernet interfaces   18000
Port Channel with 10-Gigabit Ethernet interfaces  1800
NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell Networking systems in a multi-vendor network, verify that the costs are values you intended.
  INTERFACE mode
  spanning-tree pvst edge-port [bpduguard | shutdown-on-violation]
The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Dell Networking OS Behavior: Regarding the bpduguard shutdown-on-violation command behavior:
• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
To keep both ports in a Forwarding state, use extend system ID. Extend system ID augments the bridge ID with a VLAN ID to differentiate BPDUs on each VLAN so that PVST+ does not detect a loop and both ports can remain in a Forwarding state. Figure 112. PVST+ with Extend System ID • Augment the bridge ID with the VLAN ID.
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/22,32
 no shutdown

Example of PVST+ Configuration (R2)
protocol spanning-tree pvst
 no disable
 vlan 200 bridge-priority 4096
interface TenGigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
 tagged TenGigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/12,22
 no shutdown
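The per-VLAN root election behind Influencing PVST+ Root Selection and the bridge-ID change made by extend system ID can both be worked through in a small model. The following Python program is an added example, not Dell code: it elects the root bridge on each VLAN from (priority, MAC address) pairs and shows that giving each bridge vlan bridge-priority 4096 on a different VLAN produces a different root per VLAN, while extend system ID makes one bridge's IDs differ from VLAN to VLAN so its own BPDUs on two VLANs are no longer identical. Assumptions: the extended field uses the IEEE 802.1t layout (upper 4 bits priority, lower 12 bits VLAN ID), which fits the 0 to 61440 priority range but is not stated for the Dell implementation on this page; bridge names, MAC addresses and priorities are constructed, following the R2 vlan 200 bridge-priority 4096 configuration above.

```python
DEFAULT_PRIORITY = 32768


def mac_to_int(mac):
    """Accept 0001.e80d.0001 or 00:01:e8:0d:00:01 notation."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def bridge_id(priority, mac, vlan, extend_system_id):
    """Comparable bridge ID carried in the BPDUs a bridge sends on a VLAN.

    Without extend system ID the 16-bit field is the configured priority.
    With it, the upper 4 bits carry the priority (a multiple of 4096, which is
    why the command's range is 0 to 61440) and the lower 12 bits the VLAN ID.
    IEEE 802.1t layout; an assumption for the Dell implementation.
    """
    field = (priority & 0xF000) | (vlan & 0x0FFF) if extend_system_id else priority
    return (field, mac_to_int(mac))


def elect_root(bridges, vlan, extend_system_id=True):
    """Name of the bridge with the numerically lowest bridge ID on the VLAN."""
    candidates = []
    for name, cfg in bridges.items():
        priority = cfg["priority"].get(vlan, DEFAULT_PRIORITY)
        candidates.append((bridge_id(priority, cfg["mac"], vlan, extend_system_id), name))
    return min(candidates)[1]


def ids_distinct_per_vlan(cfg, vlans, extend_system_id):
    """True if one bridge advertises a different bridge ID on every listed VLAN."""
    ids = {bridge_id(cfg["priority"].get(v, DEFAULT_PRIORITY), cfg["mac"], v, extend_system_id)
           for v in vlans}
    return len(ids) == len(vlans)


# Constructed sample: three bridges, each given bridge-priority 4096 on one
# VLAN (as the configurations above do for R2 on VLAN 200); MACs are made up.
SAMPLE_BRIDGES = {
    "R1": {"mac": "0001.e80d.0001", "priority": {100: 4096}},
    "R2": {"mac": "0001.e80d.0002", "priority": {200: 4096}},
    "R3": {"mac": "0001.e80d.0003", "priority": {300: 4096}},
}


if __name__ == "__main__":
    for vlan in (100, 200, 300, 400):
        print("VLAN %d root: %s" % (vlan, elect_root(SAMPLE_BRIDGES, vlan)))
    print("R1 IDs distinct on VLANs 200/300 with extend system ID:",
          ids_distinct_per_vlan(SAMPLE_BRIDGES["R1"], [200, 300], True))
    print("... without:", ids_distinct_per_vlan(SAMPLE_BRIDGES["R1"], [200, 300], False))
```

On VLAN 400, where nobody has a configured priority, the lowest MAC address wins, which is the situation the chapter describes when all bridges use the default of 32768; a review of a PVST+ design should therefore check that every VLAN has an explicit bridge-priority on its intended root rather than relying on MAC ordering.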
47 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 66.
Feature                                   Direction
Configure a Scheduler to Queue            Egress
Specify WRED Drop Precedence              Egress
Create Policy Maps                        Ingress + Egress
Create Input Policy Maps                  Ingress
Honor DSCP Values on Ingress Packets      Ingress
Honoring dot1p Values on Ingress Packets  Ingress
Create Output Policy Maps                 Egress
Specify an Aggregate QoS Policy           Egress
Create Output Policy Maps                 Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection           Egress
Feature                Direction
Create WRED Profiles   Egress
Figure 113.
• Applying Layer 2 Match Criteria on a Layer 3 Interface
• Applying DSCP and VLAN Match Criteria on a Service Queue
• Classifying Incoming Packets Using ECN and Color-Marking
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
• Sample configuration to mark non-ecn packets as “yellow” with single traffic class
• Enabling Buffer Statistics Tracking
Implementation Information
The Dell Ne
Dell(conf-if-te-1/1)#dot1p-priority 1
Dell(conf-if-te-1/1)#end
Honoring dot1p Priorities on Ingress Traffic
By default, Dell Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
rate police Example of the rate police Command The following example shows configuring rate policing.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 114. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell Networking OS matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and on characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify traffic using Layer 3 class-maps. You may specify more than one DSCP and IP precedence value, but only one value needs to match to trigger a positive match for the class map.
NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
Use step 1 or step 2 to start creating a Layer 3 class map.
The following example matches IPv6 traffic with a DSCP value of 40.
Dell(conf)# class-map match-all test
Dell(conf-class-map)# match ipv6 dscp 40
The following example matches IPv4 and IPv6 traffic with a precedence value of 3.
Dell(conf)# class-map match-any test1
Dell(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command.
and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4. In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword. Dell Networking OS writes ACL rules with lower order numbers (order numbers closer to 0) to the CAM before rules with higher order numbers, so that packets are matched as you intended.
seq 5 permit ip host 23.64.0.5 any
seq 10 deny ip any any
Dell# show cam layer3-qos interface tengigabitethernet 2/4
Cam    Port Dscp Proto Tcp  Src  Dst  SrcIp         DstIp      DSCP    Queue
Index                  Flag Port Port                          Marking
----------------------------------------------------------------------
20416  1    18   IP    0x0  0    0    23.64.0.5/32  0.0.0.0/0  20      2
20417  1    18   IP    0x0  0    0    0.0.0.0/0     0.0.0.0/0  0
20418  1    0    IP    0x0  0    0    23.64.0.2/32  0.0.0.0/0  10      1
20419  1    0    IP    0x0  0    0    0.0.0.0/0     0.0.0.0/0  0
20420  1    0    IP    0x0  0    0    23.64.0.3/32  0.0.0.
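As an added example (not Dell's code), the following Python simulation models the first-match CAM behaviour described above with constructed class-map names, ACL prefixes and queue numbers, and shows how giving the narrower class-map a lower order value changes which queue a packet lands in:

```python
"""First-match CAM lookup for class-maps with overlapping ACL rules.

Added example, not Dell Networking OS code. Class-map names, ACL rules and
queue numbers are constructed; the order handling follows the text: rules
from class-maps with lower order values are written to the CAM first.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    seq: int
    src: str  # source prefix in CIDR form, e.g. "23.64.0.5/32"

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.src, strict=False)


@dataclass
class ClassMap:
    name: str
    queue: int
    rules: List[AclRule] = field(default_factory=list)
    # Constructed assumption: class-maps without an explicit order sort
    # after those with one, in the order they were attached to the policy-map.
    order: Optional[int] = None


def build_cam(class_maps: List[ClassMap]) -> List[Tuple[str, AclRule, int]]:
    """Write all class-map rules to a simulated CAM in lookup order."""
    def sort_key(cmap: ClassMap):
        return (cmap.order is None, cmap.order or 0)  # explicit order first
    cam = []
    for cmap in sorted(class_maps, key=sort_key):  # sorted() is stable
        for rule in sorted(cmap.rules, key=lambda r: r.seq):
            cam.append((cmap.name, rule, cmap.queue))
    return cam


def lookup(cam, src_ip: str) -> Tuple[Optional[str], int]:
    """Hardware-style first match: the first CAM entry that hits decides the queue."""
    for name, rule, queue in cam:
        if rule.matches(src_ip):
            return name, queue
    return None, 0  # no class-map matched: default queue 0


def classify(src_ip: str, use_order: bool) -> Tuple[Optional[str], int]:
    """Constructed scenario from the text: cmap1 (broad prefix, queue 7) is
    attached before cmap2 (one host, queue 4). Without an order value the broad
    rule is written first and shadows the host rule."""
    cmap1 = ClassMap("cmap1", queue=7, rules=[AclRule(5, "23.64.0.0/16")])
    cmap2 = ClassMap("cmap2", queue=4, rules=[AclRule(5, "23.64.0.5/32")])
    if use_order:
        cmap2.order = 0  # lower order value, as with the order keyword in the text
        cmap1.order = 1
    return lookup(build_cam([cmap1, cmap2]), src_ip)


if __name__ == "__main__":
    print(classify("23.64.0.5", use_order=False))  # ('cmap1', 7): shadowed
    print(classify("23.64.0.5", use_order=True))   # ('cmap2', 4): as intended
```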
Creating an Input QoS Policy
To create an input QoS policy, use the following steps.
1 Create a Layer 3 input QoS policy.
  CONFIGURATION mode
  qos-policy-input
  Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command.
Configuring Policy-Based Rate Shaping
To configure policy-based rate shaping, use the following command.
• Configure rate shaping for egress traffic.
  QOS-POLICY-OUT mode
  rate-shape
Allocating Bandwidth to Queue
The switch schedules packets for egress based on Deficit Round Robin (DRR). This strategy offers a guaranteed data rate. Allocate bandwidth to queues only in terms of percentage in 4-queue and 8-queue systems. The following table shows the default bandwidth percentage for each queue.
Create Policy Maps
There are two types of policy maps: input and output.
Creating Input Policy Maps
There are two types of input policy-maps: Layer 3 and Layer 2.
1 Create a Layer 3 input policy map.
  CONFIGURATION mode
  policy-map-input
  Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command.
Table 68.
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
• All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
policy-map-output
2 After you create an output policy map, do one or more of the following:
  Applying an Output QoS Policy to a Queue
  Specifying an Aggregate QoS Policy
  Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
Creating a DSCP Color Map
You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic. The system uses this information to classify input traffic on an interface based on the DSCP value of each packet and assigns it an initial drop precedence of green, yellow, or red. The default setting for each DSCP value (0-63) is green (low drop precedence).
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence, and set the DSCP values to 9,10,11,13,15,16.
Dell(conf)# qos dscp-color-map bat-enclave-map
Dell(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16
Dell(conf-dscp-color-map)# exit
Assign the color map, bat-enclave-map, to interface te 1/11.
Display summary information about a color policy for a specific interface.
Enabling Strict-Priority Queueing
In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command.
• Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing.
Figure 115. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Creating WRED Profiles
To create WRED profiles, use the following commands.
1 Create a WRED profile.
  CONFIGURATION mode
  wred-profile
2 Specify the minimum and maximum threshold values.
  WRED mode
  threshold
Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify to which traffic Dell Networking OS should apply the profile.
• If you do not configure Dell Networking OS to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence.
• Assign a WRED profile to either yellow or green traffic.
  QOS-POLICY-OUT mode
  wred
Displaying Default and Configured WRED Profiles
To display the default and configured WRED profiles, use the following command.
• Display default and configured WRED profiles and their threshold values.
Example of the show qos statistics egress-queue Command
Pre-Calculating Available QoS CAM Space
Before Dell Networking OS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
NOTE: The show cam-usage command provides much of the same information as the test cam-usage command, but whether a policy-map can be successfully applied to an interface cannot be determined without first measuring how many CAM entries the policy-map would consume; the test cam-usage command is useful because it provides this measurement.
• Verify that there are enough available CAM entries.
network varies over time, you can specify a weight to enable a smooth, seamless averaging of packets to handle the sudden overload of packets based on the previous time sampling performed. You can specify the weight parameter for front-end and backplane ports separately in the range of 0 through 15. You can enable WRED and ECN capabilities per queue for granularity.
Table 70. Scenarios of WRED and ECN Configuration Queue Configuration Service-Pool Configuration WRED Threshold Relationship Q threshold = Q-T, Service pool threshold = SP-T Expected Functionality WRED ECN WRED ECN 0 0 X X X WRED/ECN not applicable 1 0 0 X X Queue based WRED, 1 X Q-T < SP-T No ECN marking SP-T < Q-T SP based WRED, No ECN marking 1 1 0 X X 1 X Q-T < SP-T SP-T < Q-T Queue-based ECN marking above queue threshold.
Dell(conf-wred)#wred-profile thresh-1
Dell(conf-wred)#threshold min 100 max 200 max-drop-rate 40
3 Configure another WRED profile, and specify the threshold and maximum drop rate.
  WRED mode
  Dell(conf-wred)#wred-profile thresh-2
  Dell(conf-wred)#threshold min 300 max 400 max-drop-rate 80
4 Create a global buffer pool that is a shared buffer pool accessed by multiple queues when the minimum guaranteed buffers for the queue are consumed.
• If a two-rate three-color policer is configured along with this feature, then:
  • x < CIR is marked “Green”
  • CIR < x < PIR is marked “Yellow”
  • PIR < x is marked “Red”
  However, “Green” packets matching the specific match criteria for which color-marking is configured are overwritten and marked “Yellow”.
In such a condition, the switch must be able to take differentiated actions for ECN and non-ECN packets. After classifying packets as ECN or non-ECN, the ECN and non-ECN packets are marked with different colors. Policy-based ingress QoS involves the following three steps:
1 Classify the incoming traffic.
2 Specify the differentiated actions for each traffic class.
3 Attach the policy-map to the interface.
 seq 5 permit any dscp 50
!
ip access-list standard dscp_40
 seq 5 permit any dscp 40
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50
!
policy-map-input pmap_dscp_40_50
 servi
Applying Layer 2 Match Criteria on a Layer 3 Interface To process Layer 3 packets that contain a dot1p (IEEE 802.1p) VLAN Layer 2 header, configure VLAN tags on a Layer 3 port interface which is configured with an IP address but has no VLAN associated with it. You can also configure a VLAN sub-interface on the port interface and apply a policy map that classifies packets using the dot1p VLAN ID.
To configure IP VLAN and DSCP match criteria in a Layer 3 class map, and apply the class and policy maps to a service queue: 1 Create a match-any or a match-all Layer 3 class map, depending on whether you want the packets to meet all or any of the match criteria. By default, a Layer 3 class map is created if you do not enter the layer2 option with the class-map command. When you create a class map, you enter the class-map configuration mode.
ECN-enabled packets are not subject to any kind of drops like WRED, except tail drops. Though ECN and WRED are independent technologies, BRCM has made WRED mandatory for ECN to work. In an ECN deployment, the non-ECN packets transmitted on the ECN/WRED-enabled interface are treated as green packets and are subject to early WRED drops. Typically TCP ACKs, OAM, and ICMP ping packets are non-ECN in nature, and it is not desirable for these packets to be WRED-dropped.
Until Release 9.3(0.0), ACLs supported classification based on the following TCP flags:
• ACK
• FIN
• SYN
• PSH
• RST
• URG
You can now use the ‘ecn’ match qualifier along with the above TCP flags for classification.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets
Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers:
• Currently Dell Networking OS supports matching only the following TCP flags:
  • ACK
  • FIN
  • SYN
  • PSH
  • RST
  • URG
  In the existing software, ECE/CWR TCP flag qualifiers are not supported.
 seq 5 permit any ecn 0
class-map match-any ecn_0_cmap
 match ip access-group ecn_0 set-color yellow
!
policy-map-input ecn_0_pmap
 service-queue 0 class-map ecn_0_cmap
Applying this policy-map “ecn_0_pmap” marks all packets with ‘ecn == 0’ as yellow on queue 0 (the default queue).
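The following Python model is an added example, not Dell Networking OS code. It covers both the color-marking described in this ECN classification section (ecn 0 packets marked yellow, a policer "green" overwritten to yellow) and the WRED/ECN egress behaviour described earlier; the DSCP values 40 and 50 follow the page, while the policer rates, WRED thresholds and packet values are constructed:

```python
"""DSCP/ECN classification, color marking and the WRED/ECN egress decision.

Added example, not Dell Networking OS code. It mirrors the page's
'mark non-ECN packets yellow' configuration: ACL and class-map names and the
DSCP values 40/50 follow the text; the policer rates and WRED thresholds are
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0, 1, 2, 3  # RFC 3168 codepoints
ECN_CAPABLE = (ECN_ECT1, ECN_ECT0, ECN_CE)


@dataclass(frozen=True)
class Packet:
    dscp: int
    ecn: int
    rate_bps: int = 0  # arrival rate seen by the policer (constructed input)


@dataclass(frozen=True)
class AclEntry:
    dscp: int
    ecn: Optional[int] = None  # None: the ACL does not qualify on ECN bits

    def matches(self, pkt: Packet) -> bool:
        return pkt.dscp == self.dscp and (self.ecn is None or pkt.ecn == self.ecn)


@dataclass
class MatchLine:
    acl: List[AclEntry]
    set_color: Optional[str] = None  # "yellow" when 'set-color yellow' is present


@dataclass
class ClassMap:
    name: str
    lines: List[MatchLine]  # match-any: the first line whose ACL hits wins


def non_ecn_then_ecn(name: str, dscp: int) -> ClassMap:
    """Build the page's pattern: <dscp>_non_ecn (ecn 0, marked yellow) listed
    before <dscp>_ecn (ecn 1, 2 or 3, no marking)."""
    return ClassMap(name, [
        MatchLine([AclEntry(dscp, ECN_NOT_ECT)], set_color="yellow"),
        MatchLine([AclEntry(dscp, e) for e in ECN_CAPABLE]),
    ])


CLASS_MAPS = [non_ecn_then_ecn("class_dscp_40", 40), non_ecn_then_ecn("class_dscp_50", 50)]


def classify(pkt: Packet, class_maps=CLASS_MAPS):
    """Return (class-map name, marked color) for the first hit, or (None, None)."""
    for cmap in class_maps:
        for line in cmap.lines:
            if any(entry.matches(pkt) for entry in line.acl):
                return cmap.name, line.set_color
    return None, None


def policer_color(rate_bps: int, cir_bps: int, pir_bps: int) -> str:
    """Two-rate three-color result as described in the text."""
    if rate_bps < cir_bps:
        return "green"
    if rate_bps < pir_bps:
        return "yellow"
    return "red"


def final_color(pkt: Packet, cir_bps: int, pir_bps: int) -> str:
    """Policer color combined with class-map marking: a green packet that hits a
    'set-color yellow' match becomes yellow (assumption: red is never downgraded)."""
    color = policer_color(pkt.rate_bps, cir_bps, pir_bps)
    _cmap, marked = classify(pkt)
    return "yellow" if (color == "green" and marked == "yellow") else color


# Constructed (min, max) average-queue thresholds per color, in cells.
WRED_THRESHOLDS = {"green": (300, 400), "yellow": (100, 200)}


def egress_decision(pkt: Packet, color: str, avg_queue_depth: int) -> str:
    """What WRED/ECN does with one packet: below the color's min threshold it is
    forwarded; above it, ECN-capable packets are CE-marked instead of dropped,
    non-ECN packets are randomly dropped up to max and dropped beyond it."""
    lo, hi = WRED_THRESHOLDS[color]
    if avg_queue_depth < lo:
        return "forward"
    if pkt.ecn in ECN_CAPABLE:
        return "mark-ce"
    return "random-drop" if avg_queue_depth < hi else "drop"
```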
 seq 10 permit any dscp 50 ecn 2
 seq 15 permit any dscp 50 ecn 3
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
 match ip
3 To view the buffer statistics tracking resource information depending on the type of buffer information, such as device-level details, queue-based snapshots, or priority group-level snapshots in the egress and ingress direction of traffic, use the show hardware stack-unit buffer-stats-snapshot unit resource x command.
  EXEC/EXEC Privilege mode
Dell#show hardware stack-unit 1 buffer-stats-snapshot unit 3 resource interface all queue mcast 3
Unit 1 unit: 3 port: 1 (interface Fo 1/144)
--------------------------
Unit 1 unit: 3 port: 37 (interface Fo 1/180)
--------------------------------------
Q# TYPE Q# TOTAL BUFFERED CELLS
--------------------------------------
4 Use show hardware buffer-stats-snapshot resource interface interface {prioritygroup {id | all} | queue {ucast {id | all} | mcast {id | all} | all}} to view buffer statistics tracking resource information for a specific interface.
48 Routing Information Protocol (RIP) RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Topics: • Protocol Overview • Implementation Information • Configuration Information • RIP Configuration Example Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
RIPv2 RIPv2 adds support for subnet fields in the RIP routing updates, thus qualifying it as a classless routing protocol. The RIPv2 message format includes entries for route tags, subnet masks, and next hop addresses. Another enhancement included in RIPv2 is multicasting for route updates on IP multicast address 224.0.0.9.
Configuration Task List The following is the configuration task list for RIP.
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Dell#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
8.0.0.0/8 auto-summary
12.0.0.
ROUTER RIP mode
neighbor ip-address
• You can use this command multiple times to exchange RIP information with as many RIP networks as you want.
Disable a specific interface from sending or receiving RIP routing information.
ROUTER RIP mode
passive-interface interface
Setting the Send and Receive Version
To change the RIP version globally or on an interface in Dell Networking OS, use the following command. To specify the RIP version, use the version command in ROUTER RIP mode.
Interface                     Recv  Send
GigabitEthernet 0/0           2     2
Routing for Networks:
  10.0.0.0
Routing Information Sources:
  Gateway  Distance  Last Update
Distance: (default is 120)
Dell#
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example.
• value The range is from 1 to 16. • route-map-name: The name of a configured route map. To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode. Summarize Routes Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the autosummary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary.
Configure the following parameters: • prefix-list-name: the name of an established Prefix list to determine which incoming routes are modified • offset: the range is from 0 to 16. • interface: the type, slot, and number of an interface. To view the configuration changes, use the show config command in ROUTER RIP mode. Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes.
• RIP Configuration Summary
Figure 116. Example of a RIP Topology
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Example of Configuring RIPv2 on Core 2
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.
Core2#show ip rip database
Total number of routes in RIP database: 7
10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet
10.300.10.0/24 directly connected,TenGigabitEthernet
10.200.10.0/24 directly connected,TenGigabitEthernet
10.11.20.0/24 directly connected,TenGigabitEthernet
10.11.10.0/24 directly connected,TenGigabitEthernet
10.0.0.0/8 auto-summary
192.168.1.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet
192.168.1.0/24 auto-summary
192.168.2.0/24 [120/1] via 10.11.20.
TenGigabitEthernet 2/11       2     2
Routing for Networks:
  10.300.10.0
  10.200.10.0
  10.11.20.0
  10.11.10.0
Routing Information Sources:
  Gateway     Distance  Last Update
  10.11.20.1  120       00:00:12
Distance: (default is 120)
Core2#
RIP Configuration on Core3
The following example shows how to configure RIPv2 on a host named Core3.
Example of Configuring RIPv2 on Core3
Core3(conf-if-te-3/21)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.
10.0.0.0/8 auto-summary
192.168.1.0/24 directly connected,TenGigabitEthernet 3/43
192.168.1.0/24 auto-summary
192.168.2.0/24 directly connected,TenGigabitEthernet 3/44
192.168.2.0/24 auto-summary
Core3#
The following example shows the show ip route command used to view the RIP setup on Core 3.
RIP Configuration Summary
Examples of Viewing RIP Configuration on Core 2 and Core 3
The following example shows viewing the RIP configuration on Core 2.
!
interface TenGigabitEthernet
 ip address 10.11.10.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip address 10.11.20.2/24
 no shutdown
!
interface TenGigabitEthernet
 ip address 10.200.10.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.
49 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
NOTE: A network management system (NMS) should be ready to interpret a down interface and plot the interface performance graph accordingly. • Stack Unit Down — When a stack unit goes down, all sampled data is lost. But the RMON configurations are saved in the configuration file, and the sampling process continues after the stack unit returns to operation. • Platform Adaptation — RMON supports all Dell Networking chassis and all Dell Networking Ethernet interfaces.
Example of the rmon alarm Command To disable the alarm, use the no form of the command. The following example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable. The alarm is triggered when the 1.3.6.1.2.1.2.2.1.20.1 value shows a MIB counter increase of 15 or more (such as from 100000 to 100015).
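To make the alarm semantics above concrete, here is an added Python model (not Dell's code) of an RMON delta alarm on ifOutErrors with the 20-second interval and rising threshold of 15 from the example; the falling threshold of 5 and the counter readings are constructed:

```python
"""RMON alarm with deltaValue sampling, as in the rmon alarm example above.

Added example, not Dell Networking OS code. The counter readings are
constructed; the OID, the 20-second interval and the rising threshold of 15
come from the text, the falling threshold of 5 is an assumed value.
"""
from typing import List, Optional

IF_OUT_ERRORS_OID = "1.3.6.1.2.1.2.2.1.20.1"  # ifEntry.ifOutErrors for ifIndex 1


class RmonDeltaAlarm:
    """alarmSampleType deltaValue with RFC 2819 rising/falling hysteresis."""

    def __init__(self, oid: str, interval_s: int, rising: int, falling: int,
                 startup: str = "risingOrFalling"):
        self.oid, self.interval_s = oid, interval_s
        self.rising, self.falling, self.startup = rising, falling, startup
        self._prev_counter: Optional[int] = None
        self._prev_delta: Optional[int] = None
        self._last_event: Optional[str] = None

    def sample(self, counter: int) -> Optional[str]:
        """Feed one raw counter reading taken interval_s after the previous one.

        Returns "rising", "falling" or None for this sampling interval.
        """
        if self._prev_counter is None:  # a delta needs two readings
            self._prev_counter = counter
            return None
        delta = counter - self._prev_counter  # Counter32 wrap is ignored here
        self._prev_counter = counter
        event = None
        if delta >= self.rising and self._last_event != "rising":
            # Fire once when the threshold is crossed from below (or on the
            # first delta if the startup alarm type allows it), then stay
            # silent until a falling event re-arms the rising alarm.
            if self._prev_delta is None:
                crossed = self.startup in ("rising", "risingOrFalling")
            else:
                crossed = self._prev_delta < self.rising
            event = "rising" if crossed else None
        elif delta <= self.falling and self._last_event != "falling":
            if self._prev_delta is None:
                crossed = self.startup in ("falling", "risingOrFalling")
            else:
                crossed = self._prev_delta > self.falling
            event = "falling" if crossed else None
        if event:
            self._last_event = event
        self._prev_delta = delta
        return event


def run_alarm(readings: List[int]) -> List[Optional[str]]:
    """Replay a list of ifOutErrors readings, one per 20-second poll."""
    alarm = RmonDeltaAlarm(IF_OUT_ERRORS_OID, interval_s=20, rising=15, falling=5)
    return [alarm.sample(r) for r in readings]


# Constructed counter values, polled every 20 seconds: the jump from 100000
# to 100015 is the "increase of 15 or more" case in the text.
READINGS = [100000, 100015, 100040, 100042, 100042, 100070]

if __name__ == "__main__":
    for reading, ev in zip(READINGS, run_alarm(READINGS)):
        print(f"{reading:>7} {ev or '-'}")
```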
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
  CONFIGURATION INTERFACE (config-if) mode
  [no] rmon collection statistics {controlEntry integer} [owner ownername]
• controlEntry: specifies the RMON group of statistics using a value.
• integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
• seconds: (Optional) the number of seconds in each polling cycle. The range is from 5 to 3,600 seconds. The default is 1,800 (as defined in RFC 2819).
Example of the rmon collection history Command
To remove a specified RMON history group of statistics collection, use the no form of this command.
50 Rapid Spanning Tree Protocol (RSTP) Rapid spanning tree protocol (RSTP) is supported on Dell Networking OS. Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 72.
Important Points to Remember
• RSTP is disabled by default.
• Dell Networking OS supports only one Rapid Spanning Tree (RST) instance.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task; avoid using the range command.
Configuring Interfaces for Layer 2 Mode To configure and enable interfaces in Layer 2 mode, use the following commands. All interfaces on all bridges that participate in Rapid Spanning Tree must be in Layer 2 and enabled. Figure 117. Example of Configuring Interfaces for Layer 2 Mode 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode.
switchport 3 Enable the interface. INTERFACE mode no shutdown Example of Verifying that an Interface is in Layer 2 Mode and Enabled To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode.
no disable
Dell(conf-rstp)#
Figure 118. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.378, designated path cost 0
Number of transitions to forwarding state 1
BPDU : sent 121, received 2
The port is not in the Edge port mode
Port 379 (TenGigabitEthernet 2/3) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.379
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. • Hello-time — the time interval in which the bridge sends RSTP BPDUs.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. Change the max-age parameter. • PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Configuring an EdgePort
The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to shut down when it receives a BPDU.
shutdown Dell(conf-if-Te-2/0)# Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value • priority-value The range is from 0 to 65535.
51 Software-Defined Networking (SDN) The Dell Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
52 Security This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Line Reference Guide.
• Configuring Accounting of EXEC and Privilege-Level Command Usage (optional) • Configuring AAA Accounting for Terminal Lines (optional) • Monitoring AAA Accounting (optional) Enabling AAA Accounting The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command. • Enable AAA accounting and create a record for monitoring the accounting function.
CONFIGURATION mode
aaa accounting system default start-stop tacacs+
aaa accounting command 15 default start-stop tacacs+
System accounting can use only the default method list.
Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use
In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
AAA Authentication Dell Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access.
and does so to ensure that users are not locked out of the system if a network-wide issue prevents access to these servers.
1 Define an authentication method-list (method-list-name) or specify the default.
  CONFIGURATION mode
  aaa authentication login {method-list-name | default} method1 [... method4]
  The default method-list is applied to all terminal lines.
If you do not set the default list, only the local enable is checked. This setting has the same effect as issuing an aaa authentication enable default enable command.
Enabling AAA Authentication — RADIUS
To enable authentication from the RADIUS server, and use TACACS as a backup, use the following commands.
1 Enable RADIUS and set up TACACS as backup.
  CONFIGURATION mode
  aaa authentication enable default radius tacacs
2 Establish a host address and password.
  CONFIGURATION mode
  radius-server host x.x.x.
Therefore, the RADIUS server must have an entry for this username.
Obscuring Passwords and Keys
By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the service obscure-passwords command to prevent a user from reading passwords and keys, including RADIUS and TACACS+ keys, router authentication strings, and VRRP authentication, by obscuring this information.
• Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. • Privilege level 0 — contains only the end, enable, and disable commands.
• access-class access-list-name: Enter the name of a configured IP ACL.
• nopassword: Do not require the user to enter a password.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
• password: Enter a string.
• privilege level: The range is from 0 to 15.
To view usernames, use the show users command in EXEC Privilege mode.
Configuring the Enable Password Command
To configure Dell Networking OS, use the enable command to enter EXEC Privilege level 15.
CONFIGURATION mode
username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password]
2 Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
• access-class access-list-name: Restrict access by access-class.
• privilege level: The range is from 0 to 15.
• nopassword: No password is required for the user to log in.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
Line 4: The snmp-server commands, in CONFIGURATION mode, are assigned to privilege level 8.
Dell(conf)#username john privilege 8 password john
Dell(conf)#enable password level 8 notjohn
Dell(conf)#privilege exec level 8 configure
Dell(conf)#privilege config level 8 snmp-server
Dell(conf)#end
Dell#show running-config
Current Configuration ...
• level level: The range is from 0 to 15. Levels 0, 1, and 15 are preconfigured. Levels from 2 to 14 are available for custom configuration. Specify either a plain text or encrypted password. • LINE mode password [encryption-type] password Configure the following optional and required parameters: • encryption-type: Enter 0 for plain text or 7 for encrypted text. • password: Enter a text string up to 25 characters long.
RADIUS Authentication and Authorization
Dell Networking OS supports RADIUS for user authentication (text password) at login, and RADIUS can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can limit the attributes of services available to a user. When authorization is enabled, the network access server uses configuration information from the user profile to issue the user's session.
Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. • Automatically execute a command. auto-command Setting Access to Privilege Levels through RADIUS To configure a privilege level for users to enter into when they connect to a session, use the RADIUS server. This value is configured on the client system.
CONFIGURATION mode • aaa authentication login method-list-name radius Create a method list with RADIUS and TACACS+ as authorization methods. CONFIGURATION mode aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified).
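The ordering rule stated here (and again for TACACS+ login method lists later in this chapter) is easy to get wrong: a remote server that does not answer lets the list fall through to the next method, while an explicit denial ends the session, so a remote method placed last leaves no way in when its servers are down. The following is an added example, not code from the Dell Networking OS guide, that models that walk over a method list and lints a list for the lockout pattern. The server behaviour is simulated with constructed responders; no RADIUS or TACACS+ traffic is sent, and the treatment of an unknown local user as a denial is a modelling assumption.

```python
"""Model of how a login/exec AAA method list is walked.

Added example; this is not code from the Dell Networking OS guide. It models
the rule the text states: methods are tried in the configured order, a method
whose server gives no answer falls through to the next method, and an explicit
denial from a remote server ends the session. Server behaviour is simulated
with constructed responders; no RADIUS or TACACS+ traffic is sent.
"""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # the server answered and denied the user
    UNREACHABLE = "unreachable"  # no answer within the timeout and retries


REMOTE_METHODS = ("radius", "tacacs+")

# Constructed local user database: username -> privilege level.
LOCAL_USERS = {"admin": 15, "john": 8}


def walk_method_list(methods, user, responders):
    """Return (verdict, deciding_method) for `user`.

    `methods` is the ordered list, e.g. ["radius", "tacacs+", "local"].
    `responders` maps a remote method name to a callable(user) -> Verdict.
    Only UNREACHABLE moves on to the next method; ACCEPT and REJECT are final,
    so a RADIUS denial is not "rescued" by a later local entry.
    """
    for method in methods:
        if method == "none":
            return Verdict.ACCEPT, "none"          # no authentication at all
        if method == "local":
            # Modelling assumption: an unknown local user is a denial.
            verdict = Verdict.ACCEPT if user in LOCAL_USERS else Verdict.REJECT
            return verdict, "local"
        if method in REMOTE_METHODS:
            verdict = responders[method](user)
            if verdict is Verdict.UNREACHABLE:
                continue                           # try the next method
            return verdict, method
        raise ValueError(f"unknown method {method!r}")
    # Every method was unreachable: nobody vouched for the user.
    return Verdict.REJECT, None


def lint_method_list(methods):
    """Return configuration findings about the ordering of a method list."""
    findings = []
    if not methods:
        return ["empty method list"]
    if methods[-1] in REMOTE_METHODS:
        findings.append(
            f"{methods[-1]} is the last method: if its servers are unreachable "
            "there is no fallback and administrators are locked out")
    if "none" in methods:
        findings.append(
            "'none' grants access without authentication to anyone who reaches it")
    return findings


# Constructed responders standing in for real servers.
def radius_down(user):
    return Verdict.UNREACHABLE


def radius_denies_everyone(user):
    return Verdict.REJECT


def tacacs_accepts_admin(user):
    return Verdict.ACCEPT if user == "admin" else Verdict.REJECT


if __name__ == "__main__":
    servers = {"radius": radius_down, "tacacs+": tacacs_accepts_admin}
    print(walk_method_list(["radius", "tacacs+", "local"], "admin", servers))
    print(walk_method_list(["radius"], "admin", servers))   # locked out
    print(lint_method_list(["radius"]))
```

Run the module directly to see the three cases; the lockout case is the one `lint_method_list` flags, and it is why both the RADIUS and the TACACS+ procedures insist that the remote method must not be the last one in the list.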
• key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host. If you do not configure these optional parameters, the global default values for all RADIUS host are applied. To specify multiple RADIUS server hosts, configure the radius-server host command multiple times.
radius-server timeout seconds • seconds: the range is from 0 to 1000. Default is 5 seconds. To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode. Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems.
Use this command multiple times to configure multiple TACACS+ server hosts.
2 Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
CONFIGURATION mode
aaa authentication login {method-list-name | default} tacacs+ [...method3]
The TACACS+ method must not be the last method specified, so that a fallback method is still evaluated if the TACACS+ servers do not respond.
3 Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
4 Assign the method-list to the terminal line.
on vty0 (10.11.9.209) %RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 ) Monitoring TACACS+ To view information on TACACS+ transactions, use the following command. • View TACACS+ transactions to troubleshoot problems. EXEC Privilege mode debug tacacs+ TACACS+ Remote Authentication Dell Networking OS takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes.
If rejected by the AAA server, the command is not added to the running config, and a message displays:
04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command authorization failed for user (denyall) on vty0 ( 10.11.9.209 )
Protection from TCP Tiny and Overlapping Fragment Attacks
Tiny and overlapping fragment attacks are a class of attack in which configured ACL entries that deny TCP port-specific traffic are bypassed: the TCP header is split across fragments (or overwritten by a later, overlapping fragment) so that the entry matching on ports never sees it, and the traffic is delivered to its destination although the ACL denies it.
Specifying an SSH Version
The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Note that the server still shows as disabled here: the version setting is stored, but the daemon does not accept connections until you issue ip ssh server enable.
Dell(conf)#ip ssh server version 2
Dell(conf)#do show ip ssh
SSH server : disabled.
SSH server version : v2.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
To disable SSH server functions, use the no ip ssh server enable command.
• ip ssh pub-key-file: specify the file the host-based authentication uses. • ip ssh rhostsfile: specify the rhost file the host-based authorization uses. • ip ssh rsa-authentication enable: enable RSA authentication for the SSHv2 server. • ip ssh rsa-authentication: add keys for the RSA authentication. • show crypto: display the public part of the SSH host-keys. • show ip ssh client-pub-keys: display the client public keys used in host-based authentication.
Example of Enabling SSH Password Authentication To view your SSH configuration, use the show ip ssh command from EXEC Privilege mode. Dell(conf)#ip ssh server enable % Please wait while SSH Daemon initializes ... done. Dell(conf)#ip ssh password-authentication enable Dell#sh ip ssh SSH server : enabled. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled.
cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts
Refer to the first example.
3 Create a list of IP addresses and usernames that are permitted to SSH in a file called rhosts. Refer to the second example.
4 Copy the files shosts and rhosts to the Dell Networking system.
5 Disable password authentication and RSA authentication, if configured.
CONFIGURATION mode or EXEC Privilege mode
no ip ssh password-authentication or no ip ssh rsa-authentication
6 Enable host-based authentication.
Using Client-Based SSH Authentication
To open an SSH session from the chassis (acting as the SSH client) to a remote host, use the following command. This method uses SSH version 1 or version 2. If the remote host listens on a nondefault port, use the -p option with the ssh command. (The ip ssh server port number command changes the port on which the chassis's own SSH server listens, and may only be used while the SSH server is disabled.)
• SSH from the chassis to a remote host.
ssh ip_address
Example of Client-Based SSH Authentication
Dell#ssh 10.16.127.
The following example shows you how to configure a HMAC algorithm list. Dell(conf)# ip ssh server mac hmac-sha1-96 Configuring the HMAC Algorithm for the SSH Client To configure the HMAC algorithm for the SSH client, use the ip ssh mac hmac-algorithm command in CONFIGURATION mode. hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server.
The following ciphers are available. • 3des-cbc • aes128-cbc • aes192-cbc • aes256-cbc • aes128-ctr • aes192-ctr • aes256-ctr The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. Example of Configuring a Cipher List The following example shows you how to configure a cipher list.
Troubleshooting SSH To troubleshoot SSH, use the following information. You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:%Error: No username set for this term. Enable host-based authentication on the server (Dell Networking system) and the client (Unix machine). The following message appears if you attempt to log in via SSH and host-based is disabled on the client.
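The settings covered in this SSH section (the `show ip ssh` flags, the cipher list, and the HMAC list) are the ones a reviewer checks on a switch, and the default cipher list above still carries CBC modes and 3DES. The following is an added example, not code from the Dell Networking OS guide, that parses the guide's own `show ip ssh` output, flags weak algorithms, and renders hardened lists. The `ip ssh server cipher` line it prints assumes the cipher command takes a space-separated list like the `ip ssh server mac` command the guide shows, and hmac-sha2-256 is an assumed preferred MAC; confirm both against the command reference for your release.

```python
"""Audit of the SSH server posture from `show ip ssh` output and algorithm lists.

Added example; this is not code from the Dell Networking OS guide. The sample
`show ip ssh` text and the cipher names are taken from the guide; the rendered
`ip ssh server cipher` line assumes the cipher command takes a space-separated
list like the `ip ssh server mac` command the guide shows. hmac-sha2-256 is an
assumed preferred MAC; check that your release offers it.
"""
import re

AVAILABLE_CIPHERS = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                     "aes128-ctr", "aes192-ctr", "aes256-ctr"]
DEFAULT_CIPHER_LIST = ["aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc",
                       "aes128-ctr", "aes128-cbc", "3des-cbc"]
PREFERRED_MACS = ["hmac-sha2-256"]   # assumed to be available; see module docstring

# Constructed sample: the `show ip ssh` output printed in the guide.
SAMPLE_SHOW_IP_SSH = """SSH server : enabled.
SSH server version : v2.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled."""


def parse_show_ip_ssh(text):
    """Turn 'Key : value.' lines into a dict such as {'SSH server': 'enabled'}."""
    settings = {}
    for line in text.splitlines():
        match = re.match(r"\s*(.+?)\s*:\s*(.+?)\.?\s*$", line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def weak_cipher_reason(cipher):
    """Why a cipher should be dropped, or None if it is acceptable."""
    if cipher.startswith("3des"):
        return "64-bit block size; birthday-bound collisions on long sessions"
    if cipher.endswith("-cbc"):
        return "CBC mode in SSH has a known plaintext-recovery weakness"
    return None


def weak_mac_reason(mac):
    """Why a MAC should be dropped, or None if it is acceptable."""
    if mac.endswith("-96"):
        return "authentication tag truncated to 96 bits"
    if "md5" in mac:
        return "MD5-based"
    return None


def harden_cipher_list(ciphers):
    """Drop weak ciphers but keep the configured preference order."""
    return [c for c in ciphers if weak_cipher_reason(c) is None]


def render_ssh_config(ciphers, macs):
    """Configuration lines for the hardened lists (cipher syntax is assumed)."""
    return [
        "ip ssh server cipher " + " ".join(ciphers),   # assumed syntax
        "ip ssh server mac " + " ".join(macs),         # syntax shown in the guide
    ]


def audit_ssh(show_output, ciphers, macs):
    """Return a list of findings for the server posture described by the inputs."""
    settings = parse_show_ip_ssh(show_output)
    findings = []
    if settings.get("SSH server version") != "v2":
        findings.append("SSH version 1 is still accepted; set 'ip ssh server version 2'")
    if (settings.get("Password Authentication") == "enabled"
            and settings.get("RSA Authentication") != "enabled"):
        findings.append("only password authentication is enabled; enable RSA "
                        "(public-key) authentication and then disable passwords")
    for cipher in ciphers:
        reason = weak_cipher_reason(cipher)
        if reason:
            findings.append(f"cipher {cipher}: {reason}")
    for mac in macs:
        reason = weak_mac_reason(mac)
        if reason:
            findings.append(f"mac {mac}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_SHOW_IP_SSH, DEFAULT_CIPHER_LIST, ["hmac-sha1-96"]):
        print("FINDING:", finding)
    for line in render_ssh_config(harden_cipher_list(DEFAULT_CIPHER_LIST), PREFERRED_MACS):
        print(line)
```

Against the guide's own output and default list the audit reports six findings: password-only authentication, the four CBC/3DES ciphers, and the truncated hmac-sha1-96 MAC; the rendered lines keep only the CTR ciphers in their original preference order.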
Authentication Method | VTY access-class support? | Username access-class support? | Remote authorization support?
RADIUS | YES | NO | YES (with Dell Networking OS version 6.1.1.0 and later)
Dell Networking OS provides several ways to configure access classes for VTY lines, including:
• VTY Line Local Authentication and Authorization
• VTY Line Remote Authentication and Authorization
VTY Line Local Authentication and Authorization
Dell Networking OS retrieves the access class from the local database.
VTY Line Remote Authentication and Authorization Dell Networking OS retrieves the access class from the VTY line. The Dell Networking OS takes the access class from the VTY line and applies it to ALL users. Dell Networking OS does not need to know the identity of the incoming user and can immediately apply the access class. If the authentication method is RADIUS, TACACS+, or line, and you have configured an access class for the VTY line, Dell Networking OS immediately applies it.
53 Service Provider Bridging Service provider bridging is supported on Dell Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which are an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
forward the frame traffic across its network. At the egress edge, the provider removes the S-Tag, so that the customer receives the frame in its original condition, as shown in the following illustration. Figure 119. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLANStack-enabled VLAN.
• You cannot ping across a trunk port link if one or both of the systems is an S5000.
• This limitation becomes relevant if you enable the port as a multi-purpose port (carrying single-tagged and double-tagged traffic).
Configure VLAN Stacking
Configuring VLAN-Stacking is a three-step process.
1 Create access and trunk ports.
2 Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports).
3 Enable VLAN-Stacking for a VLAN.
Example of Displaying the VLAN-Stack Configuration for a Switchport To display the VLAN-Stacking configuration for a switchport, use the show config command from INTERFACE mode.
vlan-stack protocol-type
The default is 9100 (TPID 0x9100). To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell Networking OS displays the S-Tag TPID only if it is a nondefault value.
Dell Networking OS Options for Trunk Ports
You can also tag 802.1ad trunk ports as members of a VLAN so that they can carry single-tagged and double-tagged traffic.
NUM * 1 100 101 103 Status Description Inactive Inactive Inactive Inactive Q Ports U Te 0/1 T Te 0/1 M Te 0/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command. • Debug the internal state and membership of a VLAN and its ports. debug member Example of Debugging a VLAN and its Ports The port notations are as follows: • MT — stacked trunk • MU — stacked access port • T — 802.1Q trunk port • U — 802.
VLAN Stacking The default TPID for the outer VLAN tag is 0x9100. The system allows you to configure both bytes of the 2 byte TPID. Previous versions allowed you to configure the first byte only, and thus, the systems did not differentiate between TPIDs with a common first byte. For example, 0x8100 and any other TPID beginning with 0x81 were treated as the same TPID, as shown in the following illustration. Dell Networking OS Versions 8.2.1.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 120. Single and Double-Tag TPID Match Figure 121.
The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network.
Table 75. Behaviors for Mismatched TPID
Network Position | Incoming Packet TPID | System TPID | Match Type
Table 76. Drop Eligibility Behavior
Ingress | Egress | DEI Disabled | DEI Enabled
Normal Port | Normal Port | Retain CFI | Set CFI to 0
Trunk Port | Trunk Port | Retain inner tag CFI; retain outer tag CFI | Retain inner tag CFI; set outer tag CFI to 0
Access Port | Trunk Port | Retain inner tag CFI; set outer tag CFI to 0 | Retain inner tag CFI; set outer tag CFI to 0
To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
Gi 8/9 Gi 8/40 1 0 Red Yellow Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to a S-Tag 802.1p value. Figure 123.
!
class-map match-any a layer2
 match mac access-group a
!
mac access-list standard a
 seq 5 permit any
!
qos-policy-input 3 layer2
 rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
reload 4 Map C-Tag dot1p values to a S-Tag dot1p value. INTERFACE mode vlan-stack dot1p-mapping c-tag-dot1p values sp-tag-dot1p value Separate C-Tag values by commas. Dashed ranges are permitted. Dynamic Mode CoS overrides any Layer 2 QoS configuration in case of conflicts. NOTE: Because dot1p-mapping marks and queues packets, the only remaining applicable QoS configuration is rate metering. You may use Rate Shaping or Rate Policing.
traverse the intermediate network might be consumed and later dropped because the intermediate network itself might be using spanning tree (shown in the following illustration). Figure 124. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region.
Dell Networking OS Behavior: In Dell Networking OS version 9.1(1.0) and later, the L2PT MAC address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at the egress edge.
Figure 125. VLAN Stacking with L2PT
Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following commands.
1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
EXEC Privilege mode
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs for the VLAN.
For details about this command, refer to CAM Allocation. 2 Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config 3 Reload the system. EXEC Privilege mode reload 4 Set a maximum rate at which the RPM processes BPDUs for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command.
Provider backbone bridging through IEEE 802.1ad eliminates the need for tunneling BPDUs with L2PT and increases the reliability of provider bridge networks as the network core need only learn the MAC addresses of core switches, as opposed to all MAC addresses received from attached customer devices.
54 sFlow The Dell Networking Operating System (OS) supports sFlow version 5.
Application-specific integrated circuits (ASICs) typically perform the packet sampling. The sFlow collector analyzes the sFlow datagrams received from different devices and produces a network-wide view of traffic flows.
Figure 126. sFlow Traffic Monitoring System
Implementation Information
Dell Networking sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based on all the ports in that port-pipe.
• By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively. • sFlow sampling is done on a per-port basis. • Dell Networking OS exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets. A backoff mechanism is automatically applied to reduce this amount.
Enabling sFlow Max-Header Size Extended To configure the maximum header size of a packet to 256 bytes, use the following commands: • Set the maximum header size of a packet. CONFIGURATION mode INTERFACE mode sflow max-header-size extended By default, the maximum header size of a packet is 128 bytes. When sflow max-header-size extended is enabled, 256 bytes are copied. These bytes are useful for VxLAN, NvGRE, IPv4, and IPv6 tunneled packets. NOTE: Interface mode configuration takes priority.
sflow collector 100.1.1.12 agent-addr 100.1.1.1 sflow enable sflow max-header-size extended Dell#show run int tengigabitEthernet 1/10 ! interface TenGigabitEthernet 1/10 no ip address switchport sflow ingress-enable sflow max-header-size extended no shutdown sFlow Show Commands Dell Networking OS includes the following sFlow display commands.
show sflow interface interface-name Examples of the sFlow show Commands The following example shows the show sflow interface command. Dell#show sflow interface tengigabitethernet 1/16 Te 1/16 Configured sampling rate :8192 Actual sampling rate :8192 Sub-sampling rate :2 Counter polling interval :15 Samples rcvd from h/w :33 Samples dropped for sub-sampling :6 The following example shows the show running-config interface command.
Changing the Polling Intervals The sflow polling-interval command configures the polling interval for an interface in the maximum number of seconds between successive samples of counters sent to the collector. This command changes the global default counter polling (20 seconds) interval. You can configure an interface to use a different polling interval. To configure the polling intervals globally (in CONFIGURATION mode) or by interface (in INTERFACE mode), use the following command.
55 Simple Network Management Protocol (SNMP) NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor. Implementation Information The following describes SNMP implementation information. • Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571. • Dell Networking OS supports up to 16 trap receivers.
Important Points to Remember
• Typically, a 5-second timeout and a retry count of 3 on an SNMP server are sufficient for both LAN and WAN applications. If you experience a timeout with these values, increase the timeout value to greater than 3 seconds and increase the retry count to greater than 2 on your SNMP server.
• User ACLs override group ACLs.
Set up SNMP
As previously stated, Dell Networking OS supports SNMP version 1 and version 2, which are community-based security models. The community string travels in cleartext, so restrict which hosts may use it with an ACL and prefer SNMPv3 where the management station supports it.
Example of Creating an SNMP Community To view your SNMP configuration, use the show running-config snmp command from EXEC Privilege mode. Dell(conf)#snmp-server community my-snmp-community ro 22:31:23: %STKUNIT0-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
CONFIGURATION mode
snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv-password
MD5 authentication and DES privacy are the options shown here; if your release also offers SHA authentication and AES privacy, prefer those.
• Configure an SNMPv3 view.
The following example shows reading the value of the next managed object. > snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0 SNMPv2-MIB::sysContact.0 = STRING: > snmpgetnext -v 2c -c mycommunity 10.11.131.161 sysContact.0 The following example shows reading the value of the many managed objects at one time. > snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1 SNMPv2-MIB::sysDescr.0 = STRING: Dell Real Time Operating System Software Dell Operating System Version: 1.
CONFIGURATION mode snmp-server location text You may use up to 55 characters. The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number). • CONFIGURATION mode snmpset -v version -c community agent-ip sysContact.0 s “contact-info” You may use up to 55 characters. The default is None.
To send informational messages, enter the keyword informs. To send the SNMP version to use for notification messages, enter the keyword version. To identify the SNMPv1 community string, enter the name of the community-string. 2 Specify which traps the Dell Networking system sends to the trap receiver. CONFIGURATION mode snmp-server enable traps Enable all Dell Networking enterprise-specific and RFC-defined traps using the snmp-server enable traps command from CONFIGURATION mode.
RPM_DOWN: RPM 0 down - card removed HOT_FAILOVER: RPM Failover Completed SFM_DISCOVERY: Found SFM 1 SFM_REMOVE: Removed SFM 1 MAJOR_SFM: Major alarm: Switch fabric down MAJOR_SFM_CLR: Major alarm cleared: Switch fabric up MINOR_SFM: MInor alarm: No working standby SFM MINOR_SFM_CLR: Minor alarm cleared: Working standby SFM present TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s RPM0-P:CP %CHMGR-2-CARD_PARITY_ERR ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s CPU_THRESHOLD: Cpu %s usage above threshol
%ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000 %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 entity Enable entity change traps Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.06, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
CONFIGURATION MODE snmp-server enable traps snmp syslog-unreachable To enable an SNMP agent to send a trap when the syslog server resumes connectivity, enter the following command: CONFIGURATION MODE snmp-server enable traps snmp syslog-reachable Table 77. List of Syslog Server MIBS that have read access MIB Object OID Object Values Description dF10SysLogTraps 1.3.6.1.4.1.6027.3.30.1.1 1 = reachable2 = unreachable Specifies whether the syslog server is reachable or unreachable.
The following table lists the relevant MIBs for these functions.
Table 78. MIB Objects for Copying Configuration Files via SNMP
MIB Object | OID | Object Values | Description
copySrcFileType | .1.3.6.1.4.1.6027.3.5.1.1.1.1.2 | 1 = Dell Networking OS file; 2 = running-config; 3 = startup-config | Specifies the type of file to copy from.
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1. | 1 = flash |
n and copyDestFileName.
copyDestFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 | 1 = flash; 2 = slot0; 3 = tftp; 4 = ftp; 5 = scp | Specifies the location of the destination file. If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copyDestFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.7 | Path (if the file is not in the default directory) and filename. | Specifies the name of the destination file.
copyServerAddress | .
snmp-server community community-name rw
2 Copy the f10-copy-config.mib MIB from the Dell iSupport web page to the server to which you are copying the configuration file.
3 On the server, use the snmpset command as shown in the following example.
snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value...
• Every specified object must have an object value, preceded by a type keyword: i for integer values (a for IP addresses and s for strings, as the later examples show).
i 2 copyDestFileType.101 i 3 FTOS-COPY-CONFIG-MIB::copySrcFileType.101 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.101 = INTEGER: startupConfig(3) The following example shows copying configuration files using OIDs. > snmpset -v 2c -c public -m ./f10-copy-config.mib 10.10.10.10 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.100 i 2 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.100 i 3 FTOS-COPY-CONFIG-MIB::copySrcFileType.100 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.
• precede the values for copyUsername and copyUserPassword by the keyword s. Example of Copying Configuration Files via FTP From a UNIX Machine > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType. 110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.11.11 copyUserName.110 s mylogin copyUserPassword.110 s mypass FTOS-COPY-CONFIG-MIB::copySrcFileType.110 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileName.
copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.10 s /home/ myfilename copyServerAddress.10 a 172.16.1.56 copyUserName.10 s mylogin copyUserPassword.10 s mypass Additional MIB Objects to View Copy Statistics Dell Networking provides more MIB objects to view copy statistics, as shown in the following table. Table 79. Additional MIB Objects for Copying Configuration Files via SNMP MIB Object OID Values copyState 1= running . 1.3.6.1.4.1.6027.3.5.1.1.1.1.
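The copy-config procedure above is a good candidate for a small builder, because the agent only acts once every required object for a row is present and a missing credential or address fails silently from the operator's point of view. The following is an added example, not code from the Dell Networking OS guide: it assembles and validates the snmpset arguments from the object names, value enumerations and i/a/s type letters in Table 78 and the examples, enforcing the table's rule that FTP and SCP locations require copyServerAddress, copyUserName and copyUserPassword. It assumes TFTP also needs copyServerAddress (that table row is truncated in the text) and it sends nothing to a device. Keep in mind that with SNMPv2c the community string and the FTP credentials all cross the network in cleartext; an SNMPv3 auth/priv user (configured earlier in this chapter) and an SCP destination avoid that.

```python
"""Build and validate the snmpset arguments for a copy-config operation through
the F10-COPY-CONFIG MIB.

Added example; this is not code from the Dell Networking OS guide. Object names,
value enumerations and the i/a/s type letters come from Table 78 and the guide's
examples; the rule that FTP and SCP locations require copyServerAddress,
copyUserName and copyUserPassword is the one the table states. Assumption: a
TFTP location also needs copyServerAddress (that table row is truncated in the
text). Nothing here talks to a device; the functions only render the command.
"""
import shlex

FILE_TYPE = {"os-file": 1, "running-config": 2, "startup-config": 3}
LOCATION = {"flash": 1, "slot0": 2, "tftp": 3, "ftp": 4, "scp": 5}
NEEDS_SERVER = {"tftp", "ftp", "scp"}       # tftp is an assumption
NEEDS_CREDENTIALS = {"ftp", "scp"}          # stated in Table 78


def copy_config_varbinds(index, src_type, *, dest_type=None, src_location=None,
                         src_name=None, dest_location=None, dest_name=None,
                         server=None, username=None, password=None):
    """Return (object.index, type_letter, value) triples for one copy row.

    Every object in a row shares the same index; the agent executes the row
    once all the objects it needs are present.
    """
    if not isinstance(index, int) or index < 0:
        raise ValueError("row index must be a non-negative integer")
    triples = [("copySrcFileType", "i", FILE_TYPE[src_type])]
    if dest_type is not None:
        triples.append(("copyDestFileType", "i", FILE_TYPE[dest_type]))
    if src_location is not None:
        triples.append(("copySrcFileLocation", "i", LOCATION[src_location]))
    if src_name is not None:
        triples.append(("copySrcFileName", "s", src_name))
    if dest_location is not None:
        triples.append(("copyDestFileLocation", "i", LOCATION[dest_location]))
    if dest_name is not None:
        triples.append(("copyDestFileName", "s", dest_name))

    locations = {src_location, dest_location}
    if locations & NEEDS_SERVER and server is None:
        raise ValueError("tftp/ftp/scp locations need copyServerAddress")
    if locations & NEEDS_CREDENTIALS and not (username and password):
        raise ValueError("ftp/scp locations need copyUserName and copyUserPassword")
    if server is not None:
        triples.append(("copyServerAddress", "a", server))
    if username is not None:
        triples.append(("copyUserName", "s", username))
    if password is not None:
        triples.append(("copyUserPassword", "s", password))
    return [(f"{name}.{index}", letter, str(value)) for name, letter, value in triples]


def snmpset_command(agent, community, index, mib_path="./f10-copy-config.mib",
                    version="2c", **row):
    """Render the snmpset command line in the form the guide's examples use."""
    argv = ["snmpset", "-v", version, "-c", community, "-m", mib_path, agent]
    for name, letter, value in copy_config_varbinds(index, **row):
        argv += [name, letter, value]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # The guide's FTP example: running-config -> /home/startup-config on 11.11.11.11.
    print(snmpset_command("10.10.10.10", "private", 110,
                          src_type="running-config", dest_location="ftp",
                          dest_name="/home/startup-config", server="11.11.11.11",
                          username="mylogin", password="mypass"))
```

Dropping the password from that call raises a ValueError before anything is rendered, which is the check the agent itself will not give you.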
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
snmpget -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mib-object.index]
index: the index value used in the snmpset command used to complete the copy operation.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index.
MIB Support to Display the Available Memory Size on Flash Dell Networking provides more MIB objects to display the available memory size on flash memory. The following table lists the MIB object that contains the available memory size on flash memory. Table 80. MIB Objects for Displaying the Available Memory Size on Flash via SNMP MIB Object OID Description chStackUnitFlashUsageUtil 1.3.6.1.4.1.6027.3.10.1.2.9.1.6 Contains flash memory usage in percentage.
MIB Object OID Description chSysCoresInstance 1.3.6.1.4.1.6027.3.10.1.2.10.1.1 Stores the indexed information about the available software core files. chSysCoresFileName 1.3.6.1.4.1.6027.3.10.1.2.10.1.2 Contains the core file names and the file paths. chSysCoresTimeCreated 1.3.6.1.4.1.6027.3.10.1.2.10.1.3 Contains the time at which core files are created. chSysCoresStackUnitNumber 1.3.6.1.4.1.6027.3.10.1.2.10.1.
Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. Example of Creating a VLAN using SNMP > snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4 SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
Vlan 10 is down, line protocol is down Address is 00:01:e8:cc:cc:ce, Current address is 00:01:e8:cc:cc:ce Interface index is 1107787786 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed auto ARP type: ARPA, ARP Timeout 04:00:00 To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown. The following example shows viewing VLAN ports using SNMP with no ports assigned.
NOTE: The table contains none of the other information the command provides, such as port speed or whether the ports are tagged or untagged. Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged. • To add a tagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts object.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
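The two PortList objects above are the part of this procedure that is easiest to get wrong by hand, since a port is a single bit in a long octet string and "tagged" is only the difference between the two lists. The following is an added example, not code from the Dell Networking OS guide, that encodes and decodes the RFC 2674 PortList (each octet covers eight bridge ports, the first octet ports 1-8, and the most significant bit of an octet is the lowest-numbered port in it), parses the Hex-STRING notation snmpget prints, and adds tagged and untagged members as the text describes. Which physical interface a bridge port number maps to is platform specific and is not modelled; the port numbers used are constructed.

```python
"""Encode and decode the Q-BRIDGE-MIB PortList used by dot1qVlanStaticEgressPorts
and dot1qVlanStaticUntaggedPorts.

Added example; this is not code from the Dell Networking OS guide. The encoding
follows RFC 2674: each octet covers eight bridge ports, the first octet ports
1-8, and the most significant bit of an octet is the lowest-numbered port in it.
Which physical interface a bridge port number maps to is platform specific and
is not modelled here; the port numbers used below are constructed.
"""


def parse_hex_string(text):
    """Parse the 'Hex-STRING: 00 80 ...' notation that snmpget/snmpwalk print."""
    digits = text.replace("Hex-STRING:", "").split()
    return bytes.fromhex("".join(digits))


def to_hex_string(octets):
    """Render a PortList as space-separated hex octets, like the Hex-STRING display."""
    return " ".join(f"{b:02X}" for b in octets)


def portlist_to_ports(octets):
    """Return the set of 1-based bridge ports whose bit is set."""
    ports = set()
    for octet_index, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.add(octet_index * 8 + bit + 1)
    return ports


def ports_to_portlist(ports, length):
    """Build a PortList of `length` octets with the given 1-based ports set."""
    buf = bytearray(length)
    for port in ports:
        if not 1 <= port <= length * 8:
            raise ValueError(f"port {port} does not fit in {length} octets")
        buf[(port - 1) // 8] |= 0x80 >> ((port - 1) % 8)
    return bytes(buf)


def tagged_ports(egress, untagged):
    """Tagged members are the egress members not listed in the untagged PortList."""
    return portlist_to_ports(egress) - portlist_to_ports(untagged)


def add_member(egress, untagged, port, tagged):
    """Return new (egress, untagged) PortLists after adding `port` to the VLAN.

    A tagged port is written to the egress list only; an untagged port is
    written to both. Both lists keep their length, as the agent expects.
    """
    if len(egress) != len(untagged):
        raise ValueError("egress and untagged PortLists must be the same length")
    egress_ports = portlist_to_ports(egress) | {port}
    untagged_ports = portlist_to_ports(untagged)
    untagged_ports = untagged_ports - {port} if tagged else untagged_ports | {port}
    return (ports_to_portlist(egress_ports, len(egress)),
            ports_to_portlist(untagged_ports, len(untagged)))


if __name__ == "__main__":
    # Constructed: an empty 6-octet membership, then port 5 tagged and port 12 untagged.
    egress, untagged = bytes(6), bytes(6)
    egress, untagged = add_member(egress, untagged, 5, tagged=True)
    egress, untagged = add_member(egress, untagged, 12, tagged=False)
    print("egress  :", to_hex_string(egress))
    print("untagged:", to_hex_string(untagged))
    print("tagged members:", sorted(tagged_ports(egress, untagged)))
```

Feed the Hex-STRING values returned by snmpget for the two objects into `parse_hex_string`, and the encoded results from `add_member` are what you write back to dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts for the same VLAN instance.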
Or, from the management system, use the snmpwalk command to identify the interface index.
3 Enter the snmpset command to change the admin status using either the object descriptor or the OID.
snmpset with descriptor: snmpset -v version -c community agent-ip ifAdminStatus.ifindex i {1 | 2}
snmpset with OID: snmpset -v version -c community agent-ip .1.3.6.1.2.1.2.2.1.7.ifindex i {1 | 2}
Choose integer 1 to change the admin status to Up, or 2 to change the admin status to Down.
The value of dot1dTpFdbPort is the port number of the port off which the system learns the MAC address. In this case, of TenGigabitEthernet 1/21, the manager returns the integer 118.
• the next 5 bits represent the slot number
• the next 1 bit is 0 for a physical interface and 1 for a logical interface
• the next 1 bit is unused
For example, the index 72925242 is 100010110001100000000111010 in binary. This is the binary interface index for TenGigabitEthernet 1/21 of a 48-port 10/100/1000Base-T line card with RJ-45 interfaces. Notice that the physical/logical bit and the final, unused bit are not given.
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.4.1 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.4.2 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.5.1 = Hex-STRING: 00 00 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.5.2 = Hex-STRING: 00 00 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.6.1 = STRING: "Gi 5/84 " << Channel member for Po1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.6.2 = STRING: "Gi 5/85 " << Channel member for Po2 dot3aCommonAggFdbIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.6.1.1.1107755009.
Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell Networking router, take into account the following behavior. • When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed. To correctly display this information under ICMP statistics, use the show ip traffic command.
56 Stacking
Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput. Stacking is supported on the 10 GbE data ports of the Ethernet module. Stacking is not supported on Fibre Channel/Ethernet Universal Port Modules. You can connect up to six S5000 switches in a single stack using port cables; no special cabling is required.
Ethernet pluggable modules. Notice that the four 10GbE ports in a stack group on one switch are connected to the four 10 GbE ports in a stack group on a peer stacked switch in order to maximize throughput. For more information, refer to Supported Stacking Topologies. Figure 127. Four Stacked S5000 Switches Stack Management Roles The stack elects the management units for the stack management. • Stack master — primary management unit, also called the master unit. • Standby — secondary management unit.
• Switch removal
If the master switch goes offline, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby.
NOTE: An S5000 switch stack has only one management IP address.
Stack Master Election
By default, the stack determines a master and standby unit at bootup time by electing the units with the highest MAC addresses. You can preconfigure which units are elected master and standby by assigning higher priorities to these units.
-------------------------------------------------0 Member not present S5000 1 Standby online S5000 S5000 9-0-1-0 2 Management online S5000 S5000 9-0-1-0 3 Member not present S5000 4 Member not present S5000 5 Member not present 6 Member not present 7 Member not present 8 Member not present 9 Member not present 10 Member not present 11 Member not present Virtual IP You can manage the stack using a single IP, known as a virtual IP, that is retained in the stack even after a failover.
Stacking LAG When multiple links are used between stack units, Dell Networking OS automatically bundles them in a stacking LAG to provide aggregated throughput and redundancy. The stacking LAG is established automatically and transparently by Dell Networking OS (without user configuration) after peering is detected and behaves as follows: • The stacking LAG dynamically aggregates; it can lose link members or gain new links.
Last failover timestamp: None
Last failover Reason: None
Last failover type: None
-- Last Data Block Sync Record: ------------------------------------------
Stack Unit Config: succeeded Mar 24 2013 20:35:14
Start-up Config: failed Mar 24 2013:35:14
Runtime Event Log: succeeded Mar 24 2013 20:35:14
Running Config: succeeded Mar 24 2013 20:35:14
ACL Mgr: succeeded Mar 24 2012 20:35:14
LACP: no block sync done
STP: no block sync done
SPAN: no block sync done

Management Access on Stacks

You can access the stack
Stacking Installation Tasks

The following are the stacking installation tasks.
• Create a Stack
• Add Units to an Existing Stack
• Split a Stack

Create a Stack

Stacking is enabled on the device using the front end ports.

Stack Group/Port Numbers

By default, each unit in Standalone mode is numbered stack-unit 0. A maximum of eight 10G stack links or two 40G stack links can be made between two units in a stack. The front end ports are divided into 16 stack groups, each with 40G of bandwidth.
• If the new unit is running a Dell Networking OS version prior to 8.3.10.x, the unit is put into a card problem state, Dell Networking OS is not upgraded, and a syslog message is raised. The unit must be upgraded to Dell Networking OS version 8.3.12.0 before you can proceed. Syslog messages are generated by the management unit:
• before the management unit downloads its Dell Networking OS version 8.3.12.0 or later to the new unit.
Creating a New Stack

Prior to creating a stack, know which unit will be the management unit and which will be the standby unit. Enable the front ports of the units for stacking. For more information, refer to Enabling Front End Port Stacking. To create a new stack, use the following commands.
1 Power up all units in the stack.
2 Verify that each unit has the same Dell Networking OS version prior to stacking them together.
When the stack-group configuration is complete, the system prints a syslog for reload.
Dell#configure
Dell(conf)#stack-unit 4 stack-group 13
Dell(conf)#02:39:12: %STKUNIT4-M:CP %IFMGR-6-STACK_PORTS_ADDED: Ports Fo 4/52 have been configured as stacking ports. Please save and reload for config to take effect
Dell(conf)#stack-unit 4 stack-group 14
Dell(conf)#02:39:15: %STKUNIT4-M:CP %IFMGR-6-STACK_PORTS_ADDED: Ports Fo 4/56 have been configured as stacking ports.
CONFIGURATION mode
stack-unit stack-unit-number priority priority-number
4 Assign a stack group to each unit.
CONFIGURATION mode
stack-unit stack-unit-number stack-group stack-group-number
5 Connect the new unit to the stack using stacking cables.

Example of Adding a Stack Unit with a Conflicting Stack Number (Before and After)

The following example shows adding a stack unit with a conflicting stack number (before). The following example shows adding a stack unit with a conflicting stack number (after).
Attach cables to connect the ports already configured as stack groups on the switch to one or more switches in the stack. Dell Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
are the master and standby when the stack boots up, you can assign unit numbers using the stack-unit renumber command.
• Stack-group numbers: Stacking ports are divided into 16 stack-groups (from 0 to 15), as shown in the following illustration. Each set of four 10 GbE ports on an Ethernet module or each fixed 40 GbE port on the front panel corresponds to a stack group. Each stack group has 40 GbE of bandwidth.
Usage Notes:
• Stacking is not supported on Fibre Channel ports.
For example, to configure 10-Gigabit Ethernet ports 16 to 19 on stack unit 0 for stacking, enter the stack-unit 0 stack-group 4 command in Global Configuration mode.

Figure 129. S5000 Stack-Group Assignments

Supported Stacking Topologies

The S5000 supports stacking up to six units in a ring or a daisy chain topology. The following illustration shows three stacked S5000 units in each topology. Dell Networking recommends the ring topology when stacking S5000 switches to provide redundant connectivity.
Configuring an S5000 Switch Stack

To configure and bring up a switch stack, follow these steps.
1 Power down the switch stack and attach port cables to connect the ports between pairs of switches. Connect ports with the same speed on each pair of stacked switches.
2 Power up each stack unit.
3 Configure the stacking ports on each switch, including unit number and priority.
4 Save the stacking configuration to the startup configuration and reload each stacked switch, one after another.
Cables for Stacked Switches

Before you attach cables to set up a stack of S5000 switches, ensure that the Dell Networking OS version running on each unit is the same (the show version command) and that all switches are powered down. Review the cabling requirements in Stack and Cable Requirements. To connect 10 GbE and 40 GbE stacking ports, use normal port cables. For detailed cabling information, refer to the Dell Networking S5000 Installation Guide.
To configure or revert assigning stacked switch priority, use the following commands.
1 Configure a stack so that the roles are assigned according to pre-determined priorities instead of using the highest MAC addresses.
Global Configuration mode
stack-unit priority
2 Revert the management priority of a stack unit to the default value of 0.
Configuring Stacking Ports and Bringing Up a Stack

After you attach port cables to set up a stack of S5000 switches, bring up the stack by enabling stacking on the ports.
1 Power up a cabled S5000 switch and set up a connection as described in Accessing the Stack CLI.
2 Log on to the CLI and enter global configuration mode.
• stack-unit unit-number is the stack-unit number.
• stack-group group-number is a group of four 10 GbE ports or one 40 GbE port. The valid values are from 0 to 15.
8 Save the stacking configuration to the startup configuration.
EXEC Privilege mode
write memory
9 Repeat Steps 7 and 8 on each stack unit to configure the stack ports on the master, standby, and member units.
10 Reboot each switch, one after another, in as short a time as possible.
Proceed with reload [confirm yes/no]: yes
Feb 8 17:11:17: %STKUNIT2-M:CP %CHMGR-5-RELOAD: User request to reload the chassis
S5000-2(conf)#stack-unit 1 stack-group 2
S5000-2(conf)#Feb 8 17:10:00: %STKUNIT1-M:CP %IFMGR-6-STACK_PORTS_ADDED: Ports Te 1/8 Te 1/9 Te 1/10 Te 1/11 have been configured as stacking ports.
The following example displays a stack configuration.
S5000-1#show system
Stack MAC : 5c:f9:dd:ef:0a:c0
Reload-Type : normal-reload [Next boot : normal-reload]
-- Unit 0 --
Unit Type        : Management Unit
Status           : online
Next Boot        : online
Required Type    : S5000 - 4-module, 4-port GE/TE/FG (SH)
Current Type     : S5000 - 4-module, 4-port GE/TE/FG (SH)
Master priority  : 0
Hardware Rev     : 3.0
Num Ports        : 64
Up Time          : 46 min, 55 sec
Dell Version     : 9.
(the Jumbo Capable, POE Capable, FIPS Mode, Burned In MAC and No Of MACs values were truncated in extraction)
Status : not present
Required Type :
-- Unit 2 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 3 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 4 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 5 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 6 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 7 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 8 --
Unit Type : Member Unit
Status :
Provisioning a Stack Unit

You can logically provision a stack-unit number to accept only an S5000 switch. Provisioning is a type of pre-configuration that is stored on the master switch and applied when a stacked unit is assigned the unit number.
1 Create a virtual stack unit by logically provisioning a switch.
CONFIGURATION mode
stack-unit unit-number provision S5000
2 Save the provisioning configuration.
3 Reload the stack for the port reconfiguration to take effect.
EXEC Privilege mode
reload
To display the stack-unit number, use the show system brief command.

Removing a Stack Group from Stacking Mode

To remove a stack group of four 10 GbE ports or one 40 GbE port from the stack, use the no form of the stack-unit unit-number stack-group number command.
Adding a Stack Unit

Before you add a unit to an S5000 stack, use the show version command to verify that the switch is running the same Dell Networking OS version, then power down the switch. You can add a new powered-down unit to an existing stack both when the unit has no stacking ports (stack groups) configured and when the unit already has stacking ports configured. If you add a unit that was previously configured for stacking to a stack, it is assigned the smallest available unit number in the stack.
stack-unit 0 stack-group group-number
• stack-unit 0 defines the default ID unit-number in the initial configuration of a switch.
• stack-group group-number configures a group of 10 GbE ports or a single 40 GbE port for stacking.
5 Save the stacking configuration.
EXEC Privilege mode
write memory
6 Reload the switch. Dell Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack.
• If there is no unit numbering conflict, the stack members retain their previous unit numbers. Otherwise, the stack master assigns new unit numbers, based on the order in which they come online.
• The new stack master uses its own startup and running configurations to synchronize the configurations on the new stack members.
NOTE: Adding a new unit that is powered on and has stack groups configured is the same as merging two stacks (refer to Adding a Stack Unit).
show redundancy

Resetting a Unit on a Stack

To reload any of the member units or the standby in a stack, use the following commands. If you try to reset the stack master, an error message displays: Reset of master unit is not allowed.
• Reload a stack unit from the master switch.
EXEC Privilege mode
reset stack-unit unit-number
• Reload a member unit from the unit itself.
EXEC Privilege mode
reset-self
• Reset a stack-unit when the unit is in a problem state.
Command: show system stack-unit unit-number stack-group
Output: Displays the port numbers that correspond to the stack groups on a switch. The valid stack-unit numbers are from 0 to 11.
Command: show system stack-ports [status | topology]
Output: Displays the type of stack topology (ring or daisy chain) with a list of all stacked ports, port status, link speed, and peer stack-unit connection.

Examples of the show system Commands

The following example shows the show system stack-unit stack-group configured command.
(show system stack-ports status output: the list of stacked ports, each with a 10 Gb/s link speed and status up, lost its column layout in extraction)

The following example shows the show system stack-ports topology command.
Command: (truncated) unit-number stack-port port-number
Command: clear hardware stack-unit unit-number counters
Output: Clears statistics on the specified stack unit. The valid stack-unit numbers are from 0 to 11.
-- Stack-unit Failover Record ---------------------------------------------
Failover Count: 0
Last failover timestamp: None
Last failover Reason: None
Last failover type: None
-- Last Data Block Sync Record: -------------------------------------------
Stack Unit Config: succeeded Feb 13 2013 15:13:52
Start-up Config: succeeded Feb 13 2013 15:13:52
Runtime Event Log: succeeded Feb 13 2013 15:13:52
Running Config: succeeded Feb 13 2013 15:13:52
ACL Mgr: succeeded Feb 13 2013 15:13:52
LACP: no block sync
Feb 13 15:26:19: %STKUNIT4-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 2/1
Feb 13 15:26:19: %STKUNIT4-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
Feb 13 15:26:19: %STKUNIT4-M:CP %IFMGR-1-DEL_PORT: Removed port: Te 2/0-11,20-23, Fo 2/48,52,56,60,
Feb 13 15:26:19: %STKUNIT3-S:CP %IFMGR-1-DEL_PORT: Removed port: Te 2/0-11,20-23, Fo 2/48,52,56,60,

Unplugged Stacking Cable

Problem: A stacking cable is unplugged from a member switch.
UNIT-----------------------------------------
10:55:18: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 52 has flapped 5 times within 10 seonds.Shutting down this stack port now.
10:55:18: %STKUNIT1-M:CP %KERN-2-INT: Error: Please check the stack cable/module and power-cycle the stack.
----------------------------------------MEMBER 2--------------------------------------------
Error: Stack Port 52 has flapped 5 times within 10 seconds.Shutting down this stack port now.
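The stack-port flap and interface-down messages quoted above share one message format (%STKUNITn-role:CP %FACILITY-severity-MNEMONIC: text), so they can be picked out of a syslog feed automatically instead of being noticed by an operator on the console. The following parser is an added example written for this guide, not Dell code: the regular expressions and the sample log are constructed from the messages shown in this chapter, and the severity threshold used by critical_events is an assumption about how a monitoring team would triage them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the stack-port flap and interface-state
# messages quoted in this chapter; it is not a capture from a real switch.
SAMPLE_LOG = """\
Feb 13 15:26:19: %STKUNIT4-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 2/1
Feb 13 15:26:19: %STKUNIT4-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1
Feb 13 15:26:19: %STKUNIT3-S:CP %IFMGR-1-DEL_PORT: Removed port: Te 2/0-11,20-23, Fo 2/48,52,56,60,
10:55:18: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 52 has flapped 5 times within 10 seconds.Shutting down this stack port now.
10:55:18: %STKUNIT1-M:CP %KERN-2-INT: Error: Please check the stack cable/module and power-cycle the stack.
"""

# Message body as printed by Dell Networking OS:
#   %STKUNIT<unit>-<role>:CP %<FACILITY>-<severity>-<MNEMONIC>: <text>
# role is M on the master unit and S on the standby unit.
MSG_RE = re.compile(
    r"%STKUNIT(?P<unit>\d+)-(?P<role>[MS]):CP\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Text of the kernel message that announces a stack port being shut down after flapping.
FLAP_RE = re.compile(
    r"Stack Port (?P<port>\d+) has flapped (?P<count>\d+) times within (?P<window>\d+) seconds"
)


@dataclass
class Event:
    unit: int
    role: str          # "M" master or "S" standby
    facility: str
    severity: int      # syslog convention: 0 emergency .. 7 debug
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that are not OS messages."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return Event(int(m["unit"]), m["role"], m["facility"], int(m["severity"]),
                 m["mnemonic"], m["text"].strip())


def parse_log(log: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in log.splitlines()) if ev is not None]


def stack_port_shutdowns(events: List[Event]) -> List[Tuple[int, int, int, int]]:
    """(unit, port, flap_count, window_seconds) for every stack port the OS shut down."""
    found = []
    for ev in events:
        m = FLAP_RE.search(ev.text)
        if m and ev.facility == "KERN":
            found.append((ev.unit, int(m["port"]), int(m["count"]), int(m["window"])))
    return found


def critical_events(events: List[Event], max_severity: int = 2) -> List[Event]:
    """Messages at severity 'critical' or worse (assumed paging threshold for a stack)."""
    return [ev for ev in events if ev.severity <= max_severity]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for unit, port, count, window in stack_port_shutdowns(events):
        print(f"unit {unit}: stack port {port} shut down after {count} flaps in {window}s")
    print(f"{len(critical_events(events))} critical-or-worse messages")
```

A shut-down stack port in a ring topology removes the redundancy the ring was built for, so the first flap alert, rather than a later split, is the point at which the cable or module should be checked.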
Dell#show system stack-unit 2
-- Unit 2 --
Unit Type        : Member Unit
Status           : card problem - ipc timeout
Next Boot        : online
Required Type    : S5000 - 4-module, 4-port GE/TE/FG (SH)
Current Type     : S5000 - 4-module, 4-port GE/TE/FG (SH)
Master priority  : NA
Hardware Rev     : 1.
EXEC Privilege mode
write memory
5 Reload the stack unit to activate the new Dell Networking OS version.
EXEC Privilege mode
reload
The following example shows how to upgrade all switches in a stack, including the master switch.
Dell# upgrade system ftp: A:
Address or name of remote host []: 10.11.200.241
Source file name []: Dell-SH-9.0.(1.0).bin
User name to login remote host: ftp
Password to login remote host:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Erasing IOM Primary Image, please wait
.!...
3 Save the configuration.
CONFIGURATION mode
write memory
4 Reset the stack unit to activate the new Dell Networking OS version.
EXEC Privilege mode
power-cycle stack-unit unit-number
The following example shows how to upgrade an individual stack unit.
57 Storm Control

The storm control feature allows you to control unknown-unicast, multicast, and broadcast control traffic on Layer 2 and Layer 3 physical interfaces. The minimum number of packets per second (PPS) that storm control can limit is two.

Dell Networking Operating System (OS) Behavior: Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
Configuring Storm Control from INTERFACE Mode

To configure storm control, use the following command. From INTERFACE mode:
• You can only configure storm control for ingress traffic.
• If you configure storm control from both INTERFACE and CONFIGURATION mode, the INTERFACE mode configurations override the CONFIGURATION mode configurations.
• Storm control is calculated in packets per second.
• Configure storm control.
• Configure the packets per second (pps) of multicast traffic allowed on C-Series and S-Series networks only.
CONFIGURATION mode
storm-control multicast packets_per_second in
• Configure the packets per second of unknown-unicast traffic allowed in or out of the network.
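Three rules from the text above decide what a storm-control policy actually does to a burst: the limit is counted in packets per second, INTERFACE mode overrides CONFIGURATION mode, and only ingress traffic is policed (the minimum enforceable rate is 2 pps). The model below is an added example, not Dell code or a description of the switch's internal implementation: the policy class, the packet tuples and the burst in demo() are constructed for illustration, and the "storm-control broadcast" comments gloss which CLI step each call stands in for.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_PPS = 2  # smallest rate storm control can enforce, as stated in this chapter

# One constructed packet sample: (second, interface, direction, traffic type)
Packet = Tuple[int, str, str, str]


@dataclass
class StormControlPolicy:
    # CONFIGURATION-mode limits apply to every interface, keyed by traffic type.
    global_limits: Dict[str, int] = field(default_factory=dict)
    # INTERFACE-mode limits, keyed by interface then traffic type; these override the global ones.
    interface_limits: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def set_limit(self, traffic_type: str, pps: int, interface: Optional[str] = None) -> None:
        if pps < MIN_PPS:
            raise ValueError(f"storm control cannot limit below {MIN_PPS} pps")
        if interface is None:
            self.global_limits[traffic_type] = pps
        else:
            self.interface_limits.setdefault(interface, {})[traffic_type] = pps

    def effective_limit(self, interface: str, traffic_type: str) -> Optional[int]:
        """INTERFACE mode wins over CONFIGURATION mode; None means nothing is configured."""
        per_interface = self.interface_limits.get(interface, {})
        return per_interface.get(traffic_type, self.global_limits.get(traffic_type))


def apply_storm_control(policy: StormControlPolicy,
                        packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Police ingress packets per (second, interface, type); egress is never policed here."""
    seen = defaultdict(int)
    forwarded, dropped = [], []
    for pkt in packets:
        second, iface, direction, ttype = pkt
        limit = policy.effective_limit(iface, ttype)
        if direction != "in" or limit is None:
            forwarded.append(pkt)
            continue
        key = (second, iface, ttype)
        seen[key] += 1
        (forwarded if seen[key] <= limit else dropped).append(pkt)
    return forwarded, dropped


def demo() -> Dict[str, int]:
    policy = StormControlPolicy()
    policy.set_limit("broadcast", 3)                      # CONFIGURATION mode: storm-control broadcast 3 in
    policy.set_limit("broadcast", 2, interface="Te 0/1")  # INTERFACE mode on Te 0/1 overrides it
    # Constructed burst: five ingress broadcasts per interface in second 0, four egress
    # broadcasts on Te 0/1 (never policed), then two more ingress broadcasts in second 1.
    packets = ([(0, "Te 0/1", "in", "broadcast")] * 5
               + [(0, "Te 0/2", "in", "broadcast")] * 5
               + [(0, "Te 0/1", "out", "broadcast")] * 4
               + [(1, "Te 0/1", "in", "broadcast")] * 2)
    forwarded, dropped = apply_storm_control(policy, packets)
    return {
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "te01_in_forwarded": sum(1 for p in forwarded if p[1] == "Te 0/1" and p[2] == "in"),
    }


if __name__ == "__main__":
    print(demo())
```

Te 0/1 keeps two of its five broadcasts because its own INTERFACE-mode limit applies; Te 0/2 keeps three under the global limit; the egress packets pass untouched. When auditing a configuration, the value to check is therefore the per-interface one where it exists, not the global one.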
58 Spanning Tree Protocol (STP)

Spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
Table 84. Dell Networking OS Supported Spanning Tree Protocols
Dell Networking Term                     IEEE Specification
Spanning Tree Protocol (STP)             802.1d
Rapid Spanning Tree Protocol (RSTP)      802.1w
Multiple Spanning Tree Protocol (MSTP)   802.1s
Per-VLAN Spanning Tree Plus (PVST+)      Third Party

Configure Spanning Tree

Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode

All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.

Figure 131. Example of Configuring Interfaces for Layer 2 Mode

To configure and enable the interfaces for Layer 2, use the following commands.
1 If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2 Place the interface in Layer 2 mode.
switchport
3 Enable the interface.
INTERFACE mode
no shutdown

Example of the show config Command

To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#

Enabling Spanning Tree Protocol Globally

Enable the spanning tree protocol globally; it is not enabled by default.
• Bridges block a redundant path by disabling one of the link ports.

Figure 132. Spanning Tree Enabled Globally

To enable STP globally, use the following commands.
1 Enter PROTOCOL SPANNING TREE mode.
CONFIGURATION mode
protocol spanning-tree 0
2 Enable STP.
PROTOCOL SPANNING TREE mode
no disable

Examples of Verifying Spanning Tree Information

To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
 Bridge Identifier has priority 32768, address 0001.e826.ddb7
 Configured hello time 2, max age 20, forward delay 15
 Current root has priority 32768, address 0001.e80d.
Adding an Interface to the Spanning Tree Group

To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
INTERFACE mode
spanning-tree 0

Removing an Interface from the Spanning Tree Group

To remove a Layer 2 interface from the spanning tree topology, use the following command.
• Disable spanning tree on a Layer 2 interface.
INTERFACE mode
no spanning-tree 0

Modifying Global Parameters

You can modify the spanning tree parameters.
STP Parameters and Default Values (table partially lost in extraction)
Parameter                                          Default Value
40-Gigabit Ethernet interfaces
Port Channel with 1-Gigabit Ethernet interfaces
Port Channel with 10-Gigabit Ethernet interfaces
Port Priority                                      8
(the values 3 and 1 also survive from this table but cannot be matched to their rows)

• Change the forward-delay parameter (the wait time before the interface enters the Forwarding state).
PROTOCOL SPANNING TREE mode
forward-delay seconds
The range is from 4 to 30. The default is 15 seconds.
• Change the hello-time parameter (the BPDU transmission interval).
To change the port cost or priority of an interface, use the following commands.
• Change the port cost of an interface.
INTERFACE mode
spanning-tree 0 cost cost
The range is from 0 to 65535. The default values are listed in Modifying Global Parameters.
• Change the port priority of an interface.
INTERFACE mode
spanning-tree 0 priority priority-value
The range is from 0 to 15. The default is 8.
no shutdown
Dell#(conf-if-te-1/1)#

Prevent Network Disruptions with BPDU Guard

Configure the Portfast (and EdgePort, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/EdgePort do not expect to receive BPDUs. If an EdgePort does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
• Disabling global spanning tree (the no spanning-tree command in CONFIGURATION mode).

Figure 133. Enabling BPDU Guard

Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard:
• is used on EdgePorts and blocks all traffic on the EdgePort if it receives a BPDU.
• drops the BPDU after it reaches the RPM and generates a console message.
(show spanning-tree output; the first rows lost their column layout in extraction)
Interface
Name    Role    PortID   Prio  Cost   Sts  Cost   Link-type  Edge
------  ------  -------  ----  -----  ---  -----  ---------  ----
Te 0/6  Root    128.263  128   20000  FWD  20000  P2P        No
Te 0/7  ErrDis  128.
Interface BPDU Filtering

When you enable BPDU filtering on an interface, it stops sending and receiving BPDUs on the portfast-enabled ports. When you enable BPDU guard and BPDU filter on the port, the BPDU filter takes the highest precedence. By default, BPDU filtering on an interface is disabled.

Figure 135. BPDU Filtering Enabled on an Interface

Selecting STP Root

STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge.
The default is 32768.

Example of Viewing STP Root Information

To view only the root information, use the show spanning-tree root command from EXEC privilege mode.
Dell#show spanning-tree 0 root
Root ID Priority 32768, Address 0001.e80d.2462
We are the root of the spanning tree
Root Bridge hello time 2, max age 20, forward delay 15
Dell#

STP Root Guard

To avoid bridging loops, use the STP root guard feature in a Layer 2 network.
If you enable root guard on all STP ports on the links where the root bridge should not appear, you can ensure a stable STP network topology and avoid bridging loops.

Figure 136. STP Root Guard Prevents Bridging Loops

Configuring Root Guard

Enable STP root guard on a per-port or per-port-channel basis.
To enable the root guard on an STP-enabled port or port-channel interface in instance 0, use the following command.
• Enable root guard on a port or port-channel interface.
INTERFACE mode or INTERFACE PORT-CHANNEL mode
spanning-tree {0 | mstp | rstp | pvst} rootguard
• 0: enables root guard on an STP-enabled port assigned to instance 0.
• mstp: enables root guard on an MSTP-enabled port.
• rstp: enables root guard on an RSTP-enabled port.
• pvst: enables root guard on a PVST-enabled port.
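The root selection and root guard sections above rest on one comparison: the bridge with the numerically lowest bridge ID (priority first, MAC address as the tiebreaker) becomes root, which is why the show output earlier in this chapter elects 0001.e80d.2462 over 0001.e826.ddb7 at the same priority 32768, and why root guard matters on ports facing equipment that should never win that comparison. The model below is an added example, not Dell code or a description of how the switch implements the feature: the bridge IDs are taken from this chapter's show output, the BridgeId and RootGuardPort names are invented for the example, and the recovery rule (the port returns to forwarding once it stops seeing superior BPDUs) is a simplification of the protocol's max-age behaviour.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


def mac_to_int(dotted: str) -> int:
    """'0001.e80d.2462' (or colon form) -> integer, so bridge IDs compare numerically."""
    return int(dotted.replace(".", "").replace(":", ""), 16)


@dataclass(frozen=True)
class BridgeId:
    priority: int   # STP bridge priority; this chapter's default is 32768
    mac: str

    def key(self) -> Tuple[int, int]:
        return (self.priority, mac_to_int(self.mac))

    def is_superior_to(self, other: "BridgeId") -> bool:
        # The numerically lower bridge ID wins: priority first, MAC address as tiebreaker.
        return self.key() < other.key()


def elect_root(bridges: Iterable[BridgeId]) -> BridgeId:
    """Root bridge election: the lowest bridge ID among all participants."""
    return min(bridges, key=BridgeId.key)


class RootGuardPort:
    """Designated port with root guard enabled (model of the behaviour described above).

    Without root guard, a BPDU advertising a better root would trigger a re-election and
    move the root to the far side of this port. With root guard the port instead enters the
    root-inconsistent state, shown as INCON(Root) in show spanning-tree guard output, and
    blocks traffic until superior BPDUs stop arriving (simplified here: the next
    non-superior BPDU restores forwarding).
    """

    FORWARDING = "FWD"
    ROOT_INCONSISTENT = "INCON(Root)"

    def __init__(self, current_root: BridgeId):
        self.current_root = current_root
        self.state = self.FORWARDING

    def receive_bpdu(self, advertised_root: BridgeId) -> bool:
        """Return True if the BPDU is accepted, False if root guard blocked the port."""
        if advertised_root.is_superior_to(self.current_root):
            self.state = self.ROOT_INCONSISTENT
            return False
        self.state = self.FORWARDING
        return True


if __name__ == "__main__":
    # Bridge IDs as shown in this chapter's show spanning-tree output.
    r2 = BridgeId(32768, "0001.e826.ddb7")
    root = BridgeId(32768, "0001.e80d.2462")
    print("root:", elect_root([r2, root]).mac)
    guarded = RootGuardPort(current_root=root)
    accepted = guarded.receive_bpdu(BridgeId(0, "0001.e805.fb07"))   # constructed rogue claim
    print("accepted:", accepted, "state:", guarded.state)
```

Lowering the priority on the intended root (the Selecting STP Root section) and enabling root guard on access-facing ports are complementary: the first makes the right bridge win the comparison, the second keeps a misconfigured or malicious device from winning it anyway.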
!
redundancy protocol xstp
Dell#

STP Loop Guard

The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs. When an STP blocking port does not receive BPDUs, it transitions to a Forwarding state.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer.

Figure 137. STP Loop Guard Prevents Forwarding Loops

Configuring Loop Guard

Enable STP loop guard on a per-port or per-port-channel basis.
• Spanning Tree Protocol (STP)
• Rapid Spanning Tree Protocol (RSTP)
• Multiple Spanning Tree Protocol (MSTP)
• Per-VLAN Spanning Tree Plus (PVST+)
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard.
Name     Instance  Sts          Guard type
-------  --------  -----------  ----------
Te 0/1   0         INCON(Root)  Rootguard
Te 0/2   0         LIS          Loopguard
Te 0/3   0         EDS (Shut)   Bpduguard
59 SupportAssist

SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see the Dell Networking Open Automation guide.

Figure 138.
Topics:
• Configuring SupportAssist Using a Configuration Wizard
• Configuring SupportAssist Manually
• Configuring SupportAssist Activity
• Configuring SupportAssist Company
• Configuring SupportAssist Person
• Configuring SupportAssist Server
• Viewing SupportAssist Configuration

Configuring SupportAssist Using a Configuration Wizard

You are guided through a series of queries to configure SupportAssist.
the information for providing recommendations to improve your IT infrastructure.
contact-person [first ] last
Dell(conf)#support-assist
Dell(conf-supportassist)#contact-person first john last doe
Dell(conf-supportassist-pers-john_doe)#
5 (Optional) Configure the name of the remote SupportAssist Server and move to SupportAssist Server mode.
action-manifest get tftp | ftp | flash
Dell(conf-supportassist-act-full-transfer)#action-manifest get tftp://10.0.0.1/test file
Dell(conf-supportassist-act-full-transfer)#
The custom action-manifest file is a JSON file. Syntax of the custom action-manifest file:
{
  "show command-1" : "xml tag-1",
  "show command-2" : "xml tag-2",
  "show command-3" : "xml tag-3",
  ...
}
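A custom action-manifest decides which commands run on the switch and what leaves the device in the transfer, so it is worth validating before it is staged on the TFTP or FTP server. The validator below is an added example, not Dell code: it accepts only the documented shape (a flat JSON object mapping a show command to an XML tag), and the additional checks it applies (show commands only, no pipe or separator characters, unique and well-formed tag names) are policy choices of this example, not rules stated by the manual. The sample manifest is constructed.

```python
import json
from typing import Dict

# Constructed manifest in the documented shape: "show command" -> "xml tag".
SAMPLE_MANIFEST = """
{
  "show version"         : "version",
  "show system brief"    : "system-brief",
  "show spanning-tree 0" : "stp-instance-0"
}
"""


def _is_valid_tag(tag: str) -> bool:
    # Letters, digits, '-' and '_' only, not starting with a digit: safe as an XML element name.
    if not tag or tag[0].isdigit():
        return False
    return tag.replace("-", "").replace("_", "").isalnum()


def load_action_manifest(text: str) -> Dict[str, str]:
    """Parse and validate a custom action-manifest, raising ValueError on anything suspect."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("manifest must be a JSON object")
    tags_seen = set()
    for command, tag in data.items():
        if not isinstance(command, str) or not isinstance(tag, str):
            raise ValueError(f"entry {command!r}: command and tag must both be strings")
        words = command.split()
        if not words or words[0] != "show":
            raise ValueError(f"entry {command!r}: only show commands belong in a manifest")
        if "|" in command or ";" in command:
            raise ValueError(f"entry {command!r}: pipes and separators are not allowed")
        if not _is_valid_tag(tag):
            raise ValueError(f"entry {command!r}: {tag!r} is not a usable XML tag")
        if tag in tags_seen:
            raise ValueError(f"duplicate tag {tag!r}: two commands would share one element")
        tags_seen.add(tag)
    return data


def manifest_is_valid(text: str) -> bool:
    try:
        load_action_manifest(text)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


if __name__ == "__main__":
    for command, tag in load_action_manifest(SAMPLE_MANIFEST).items():
        print(f"{command!r} -> <{tag}>")
```

Running this against the file before the action-manifest get step catches a stray write command or a duplicated tag on the operator's workstation rather than on the switch.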
[no] enable
Dell(conf-supportassist-act-full-transfer)#enable
Dell(conf-supportassist-act-full-transfer)#

Configuring SupportAssist Company

SupportAssist Company mode allows you to configure the name, address, and territory information of the company. SupportAssist Company configurations are optional for the SupportAssist service. To configure the SupportAssist company, use the following commands.
1 Configure the contact information for the company.
Configuring SupportAssist Person

SupportAssist Person mode allows you to configure the name, email addresses, phone, method, and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure the SupportAssist person, use the following commands.
1 Configure the contact name for an individual.
Configuring SupportAssist Server

SupportAssist Server mode allows you to configure the server name and the means of reaching the server. By default, a SupportAssist server URL has been configured on the device. Configuring a URL to reach the SupportAssist remote server should be done only under the direction of Dell SupportChange. To configure the SupportAssist server, use the following commands.
1 Configure the name of the remote SupportAssist Server and move to SupportAssist Server mode.
show support-assist status
Dell#show support-assist status
SupportAssist Service: Installed
EULA: Accepted
Server: default
  Enabled: Yes
  URL: https://stor.g3.ph.dell.com
  Service status: Enabled
Server: chennai
  Enabled: Yes
  URL: http://10.16.148.19/
Activity        State    Last Start                Last Success
--------------  -------  ------------------------  ------------------------
full-transfer   Success  Aug 10 2015 11:15:26 PST  Aug 10 2015 11:15:28 PST
2 Display the current configuration and changes from the default values.
may include but is not limited to configuration information, user supplied contact information, names of data volumes, IP addresses, access control lists, diagnostics & performance information, network configuration information, host/server configuration & performance information and related data (Collected Data) and transmits this information to Dell. By downloading SupportAssist and agreeing to be bound by these terms and the Dell end user license agreement, available at: www.dell.
60 System Time and Date

System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. You can set the system time and date and maintain them through NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. Dell Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
also definitive maximum error bounds, so that the user interface can determine not only the time, but the quality of the time as well. In what may be the most common client/server model, a client sends an NTP message to one or more servers and processes the replies as received. The server interchanges addresses and ports, overwrites certain fields in the message, recalculates the checksum and returns the message immediately.
Figure 139. NTP Fields

Implementation Information

Dell Networking systems can only be an NTP client.

Configure the Network Time Protocol

Configuring NTP is a one-step process.
• Enabling NTP

Related Configuration Tasks
• Configuring NTP Broadcasts
• Disabling NTP on an Interface
• Configuring a Source IP Address for NTP Packets (optional)

Enabling NTP

NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes.
• Specify the NTP server to which the Dell Networking system synchronizes.
CONFIGURATION mode
ntp server ip-address

Examples of Viewing System Clock

To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
R6_E300(conf)#do show ntp status
Clock is synchronized, stratum 2, reference is 192.168.1.1
frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279
reference time is CD63BCC2.0CBBD000 (16:54:26.
To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled. (The show config command displays only non-default configuration information.)

Configuring a Source IP Address for NTP Packets

By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface's IP address to be included in all NTP packets.
ntp authenticate
2 Set an authentication key.
CONFIGURATION mode
ntp authentication-key number md5 key
Configure the following parameters:
• number: the range is from 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
• key: enter a text string. This text string is encrypted.
3 Define a trusted key.
CONFIGURATION mode
ntp trusted-key number
Configure a number from 1 to 4294967295.
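The three commands above configure NTP symmetric-key authentication: the key number becomes the 32-bit key identifier carried in the packet, the md5 key is the shared secret, and ntp trusted-key decides which identifiers the client will accept a reply under. The code below is an added example, not Dell code or a capture of the switch's implementation: it builds a minimal NTPv4 client header, appends the RFC 5905 MD5 authenticator (key identifier followed by MD5 over the key and the header), and verifies a reply the way a client configured with ntp authenticate and ntp trusted-key would, discarding packets whose digest fails or whose key identifier is not trusted. The key bytes and timestamps are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48   # fixed NTP header, RFC 5905
MAC_LEN = 4 + 16      # 32-bit key identifier followed by a 128-bit MD5 digest


def build_client_header(transmit_timestamp: int = 0) -> bytes:
    """Minimal NTPv4 client header: LI=0, VN=4, Mode=3; transmit timestamp at offset 40."""
    hdr = bytearray(NTP_HEADER_LEN)
    hdr[0] = (0 << 6) | (4 << 3) | 3          # 0x23
    struct.pack_into("!Q", hdr, 40, transmit_timestamp)
    return bytes(hdr)


def ntp_md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Symmetric-key authenticator: key ID, then MD5 over (key || header) (RFC 5905, App. A)."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """What a peer sends when 'ntp authentication-key <key_id> md5 <key>' is in effect."""
    return header + ntp_md5_mac(key_id, key, header)


def verify_packet(packet: bytes, trusted_keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key ID that validated the packet, or None if the client must discard it.

    trusted_keys plays the role of 'ntp trusted-key': a digest computed with a key whose
    identifier is not in this set is rejected even if the key material is known.
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so a forged digest cannot be refined byte by byte.
    return key_id if hmac.compare_digest(expected, mac[4:]) else None


if __name__ == "__main__":
    # Constructed key material; on the switch this is the 'ntp authentication-key 1 md5 ...' string.
    trusted = {1: b"constructed-example-key"}
    pkt = authenticate_packet(build_client_header(0x1234_5678_0000_0000), 1, trusted[1])
    print("validated with key", verify_packet(pkt, trusted))
```

Two properties matter to a defender here: the trusted-key list is what stops a reply signed under a configured but untrusted key number from being accepted, and keyed MD5 protects only integrity and origin, not confidentiality of the time data, so the shared secret still has to be distributed out of band.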
rec CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) xmt CD7F5368.D0535000 (15:8:24.813 UTC Thu Apr 2 2009) 1w6d23h : NTP: rcv packet from 192.168.1.1 leap 0, mode 4, version 3, stratum 1, ppoll 1024 rtdel 0000 (0.000000), rtdsp AF587 (10959.090820), refid 4C4F434C (76.79.67.76) ref CD7E14FD.43F7CED9 (16:29:49.265 UTC Wed Apr 1 2009) org CD7F5368.D0535000 (15:8:24.813 UTC Thu Apr 2 2009) rec CD7F5368.D0000000 (15:8:24.812 UTC Thu Apr 2 2009) xmt CD7F5368.D0000000 (15:8:24.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Configuring a Custom-defined Period for NTP Time Synchronization

You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure.
• Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
• time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm.
• month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
• year: enter a four-digit number as the year.
• Set the clock to the appropriate timezone and daylight saving time.
CONFIGURATION mode
clock summer-time time-zone date start-month start-day start-year start-time end-month end-day end-year end-time [offset]
• time-zone: enter the three-letter name for the time zone. This name displays in the show clock output.
• start-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
• first: Enter the keyword first to start daylight saving time in the first week of the month.
• last: Enter the keyword last to start daylight saving time in the last week of the month.
• start-month: Enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• start-day: Enter the number of the day.
Dell(conf)#02:10:57: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "Summer time starts 00:00:00 Pacific Sat Mar 14 2009 ; Summer time ends 00:00:00 pacific Sat Nov 7 2009" to "Summer time starts 02:00:00 Pacific Sun Mar 8 2009;Summer time ends 02:00:00 pacific Sun Nov 1 2009"
61 Tunneling

Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPV6IP mode (IPv4 tunnel carries IPv6 traffic only):
Dell(conf)#interface tunnel 2
Dell(conf-if-tu-2)#tunnel source 60.1.1.1
Dell(conf-if-tu-2)#tunnel destination 90.1.1.1
Dell(conf-if-tu-2)#tunnel mode ipv6ip
Dell(conf-if-tu-2)#ipv6 address 2::1/64
Dell(conf-if-tu-2)#no shutdown
Dell(conf-if-tu-2)#show config
!
interface Tunnel 2
 no ip address
 ipv6 address 2::1/64
 tunnel destination 90.1.1.1
 tunnel source 60.1.1.
Dell(conf-if-tu-1)#no shutdown
Dell(conf-if-tu-1)#tunnel keepalive 1.1.1.2 attempts 4 interval 6
Dell(conf-if-tu-1)#show config
!
interface Tunnel 1
 ip address 1.1.1.1/24
 ipv6 address 1abd::1/64
 tunnel destination 40.1.1.2
 tunnel source 40.1.1.1
 tunnel keepalive 1.1.1.2 attempts 4 interval 6
 tunnel mode ipip
 no shutdown

Configuring a Tunnel Interface

You can configure the tunnel interface using the ip unnumbered and ipv6 unnumbered commands.
The following sample configuration shows how to configure a tunnel allow-remote address.
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#ipv6 address 1abd::1/64
Dell(conf-if-tu-1)#ip address 1.1.1.1/24
Dell(conf-if-tu-1)#tunnel source 40.1.1.1
Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any
Dell(conf-if-tu-1)#tunnel allow-remote 40.1.1.2
Dell(conf-if-tu-1)#no shutdown
Dell(conf-if-tu-1)#show config
!
interface Tunnel 1
 ip address 1.1.1.1/24
 ipv6 address 1abd::1/64
 tunnel source 40.1.1.
62 Uplink Failure Detection (UFD)

Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with NIC teaming, automatic recovery from a failed link.

Feature Description

A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
• In Step C, UFD on S1 disables the link to the server. The server then stops using the link to S1 and switches to using its link to S2 to send traffic upstream to R1. Figure 140.
How Uplink Failure Detection Works

UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
UFD and NIC Teaming

To implement a rapid failover solution, you can use uplink failure detection on a switch with network adapter teaming on a server. For more information, refer to NIC Teaming. For example, as shown previously, the switch/router with UFD detects the uplink failure and automatically disables the associated downstream link port to the server.
Configuring Uplink Failure Detection

To configure UFD, use the following commands.
1 Create an uplink-state group and enable the tracking of upstream links on the switch/router.
CONFIGURATION mode
uplink-state-group group-id
• group-id: values are from 1 to 16.
To delete an uplink-state group, use the no uplink-state-group group-id command.
2 Assign a port or port-channel to the uplink-state group as an upstream or downstream interface.
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5 (Optional) Enter a text description of the uplink-state group.
UPLINK-STATE-GROUP mode
description text
The maximum length is 80 alphanumeric characters.
6 (Optional) Disable upstream-link tracking without deleting the uplink-state group.
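The tracking rules described in this chapter (upstream links tracked as a group, downstream disable links, downstream auto-recover, clear ufd-disable) interact in ways that are easier to see as a state machine than as prose. The following Python is an added example, not Dell code: it models one uplink-state group according to the behaviour the text describes, and the sample group is the one from this chapter's sample configuration (group 3, upstream Te 0/3 and Te 0/4, six downstream links, two links to disable on a single upstream failure). The status codes Up/Dwn/Dis match the show uplink-state-group detail output; the class and method names are mine.

```python
"""Model of a UFD uplink-state group. Added example, not Dell code: it encodes the behaviour
described in this chapter (upstream tracking, 'downstream disable links', 'downstream
auto-recover', 'clear ufd-disable') as a small state machine so the interactions can be tested.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

UP, DOWN, DISABLED = "Up", "Dwn", "Dis"  # status codes as in 'show uplink-state-group detail'


@dataclass
class UplinkStateGroup:
    group_id: int
    enabled: bool = True                              # 'no enable' stops tracking
    auto_recover: bool = True                         # 'downstream auto-recover' (default on)
    disable_links: Optional[Union[int, str]] = None   # 'downstream disable links {N | all}'
    upstream: Dict[str, str] = field(default_factory=dict)
    downstream: Dict[str, str] = field(default_factory=dict)

    def add_upstream(self, iface: str, up: bool = True) -> None:
        self.upstream[iface] = UP if up else DOWN

    def add_downstream(self, iface: str, up: bool = True) -> None:
        self.downstream[iface] = UP if up else DOWN

    def ufd_disabled(self) -> List[str]:
        return [i for i, s in self.downstream.items() if s == DISABLED]

    def _target_disabled(self) -> int:
        """How many downstream links UFD should hold disabled for the current upstream state."""
        down = sum(1 for s in self.upstream.values() if s == DOWN)
        if down == 0:
            return 0
        if down == len(self.upstream):           # every upstream link lost: disable all downstream links
            return len(self.downstream)
        if self.disable_links == "all":          # partial loss, operator asked for all
            return len(self.downstream)
        return int(self.disable_links or 0)     # partial loss: N links (default: none)

    def upstream_event(self, iface: str, up: bool) -> List[str]:
        """Apply an upstream link state change and return the downstream links now UFD-disabled."""
        self.upstream[iface] = UP if up else DOWN
        if not self.enabled:
            return self.ufd_disabled()
        target = self._target_disabled()
        disabled = self.ufd_disabled()
        if len(disabled) > target and self.auto_recover:
            for name in disabled[target:]:       # recovery: release the surplus links
                self.downstream[name] = UP
        elif len(disabled) < target:
            for name, state in self.downstream.items():
                if len(disabled) >= target:
                    break
                if state == UP:                  # only operationally-up links get UFD-disabled
                    self.downstream[name] = DISABLED
                    disabled.append(name)
        return self.ufd_disabled()

    def clear_ufd_disable(self) -> List[str]:
        """'clear ufd-disable uplink-state-group N': return UFD-disabled links to the up state."""
        for name, state in self.downstream.items():
            if state == DISABLED:
                self.downstream[name] = UP
        return self.ufd_disabled()

    def detail(self) -> str:
        """Render in the layout of 'show uplink-state-group detail'."""
        def fmt(links: Dict[str, str]) -> str:
            return " ".join(f"{n}({s})" for n, s in links.items())
        return (f"Uplink State Group : {self.group_id} Status: {'Enabled' if self.enabled else 'Disabled'}\n"
                f"Upstream Interfaces : {fmt(self.upstream)}\n"
                f"Downstream Interfaces : {fmt(self.downstream)}")


def sample_group(auto_recover: bool = True) -> UplinkStateGroup:
    """Group 3 from this chapter's sample configuration, all links initially up (constructed state)."""
    g = UplinkStateGroup(3, auto_recover=auto_recover, disable_links=2)
    for name in ("Te 0/3", "Te 0/4"):
        g.add_upstream(name)
    for name in ("Te 0/1", "Te 0/2", "Te 0/5", "Te 0/9", "Te 0/11", "Te 0/12"):
        g.add_downstream(name)
    return g


if __name__ == "__main__":
    g = sample_group()
    g.upstream_event("Te 0/4", False)   # one upstream link down: two downstream links disabled
    g.upstream_event("Te 0/3", False)   # all upstream links down: every downstream link disabled
    print(g.detail())
```

With auto-recovery off, links stay UFD-disabled after the uplink returns until clear ufd-disable is issued, which is the case to remember when a server keeps reporting a dead NIC after the upstream fault has cleared.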
Example of Syslog Messages Before and After Entering the clear ufd-disable uplink-state-group Command (S50)

The following example shows the Syslog messages that display when you clear the UFD-Disabled state from all disabled downstream interfaces in an uplink-state group by using the clear ufd-disable uplink-state-group group-id command. All downstream interfaces return to an operationally up state.
EXEC mode
show uplink-state-group [group-id] [detail]
• group-id: The values are from 1 to 16.
• detail: displays additional status information on the upstream and downstream interfaces in each group.
• Display the status of a port or port-channel interface assigned to an uplink-state group.
EXEC mode
show interfaces interface
interface specifies one of the following interface types:
• 10 Gigabit Ethernet: enter tengigabitethernet slot/port.
13/13(Dis) Te 13/14(Dis) Te 13/15(Dis)
Uplink State Group : 6 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 7 Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group : 16 Status: Disabled, Up
Upstream Interfaces : Te 0/41(Dwn) Po 8(Dwn)
Downstream Interfaces : Te 0/40(Dwn)
The following example shows viewing the interface status with UFD information for the S50.
 no enable
 description test
 downstream disable links all
 downstream TenGigabitEthernet 0/40
 upstream TenGigabitEthernet 0/41
 upstream Port-channel 8

Sample Configuration: Uplink Failure Detection

The following example shows a sample configuration of UFD on a switch/router in which you configure as follows.
• Configure uplink-state group 3.
• Add downstream links TenGigabitethernet 0/1, 0/2, 0/5, 0/9, 0/11, and 0/12.
• Configure two downstream links to disable if an upstream link fails.
Dell# show uplink-state-group 3
Uplink State Group: 3 Status: Enabled, Up
Dell# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 0/3(Up) Te 0/4(Dwn)
Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn)
63 Upgrade Procedures

To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes.

Get Help with Upgrades

Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support:
• On the web: http://dell.
64 Virtual LANs (VLANs)

VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN

When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
Port-Based VLANs

Port-based VLANs are a broadcast domain defined by different ports or interfaces. In Dell Networking OS, a port-based VLAN can contain interfaces from different line cards within the chassis. Dell Networking OS supports 4094 port-based VLANs. Port-based VLANs offer increased security for traffic, conserve bandwidth, and allow switch segmentation. Interfaces in different VLANs do not communicate with each other, adding some security to the traffic on those interfaces.
Configuration Task List

This section contains the following VLAN configuration tasks.
• Creating a Port-Based VLAN (mandatory)
• Assigning Interfaces to a VLAN (optional)
• Assigning an IP Address to a VLAN (optional)
• Enabling Null VLAN as the Default VLAN

Creating a Port-Based VLAN

To configure a port-based VLAN, create the VLAN and then add physical interfaces or port channel (LAG) interfaces to the VLAN.
                     U So 9/0
Dell#

Assigning Interfaces to a VLAN

You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
Dell(conf-if-vlan)#tagged po 1
Dell(conf-if-vlan)#show conf
!
interface Vlan 4
 no ip address
 tagged Port-channel 1
Dell(conf-if-vlan)#end
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
    NUM    Status    Q Ports
*   1      Inactive
    2      Active    T Po1(So 0/0-1)
                     T Te 3/0
    3      Active    T Po1(So 0/0-1)
                     T Te 3/1
    4      Active    T Po1(So 0/0-1)
Dell#
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN.
*   1      Active    U Te 3/2
    2      Active    T Po1(So 0/0-1)
                     T Te 3/0
    3      Active    T Po1(So 0/0-1)
                     T Te 3/1
    4      Inactive
Dell#conf
Dell(conf)#int vlan 4
Dell(conf-if-vlan)#untagged gi 3/2
Dell(conf-if-vlan)#show config
!
interface Vlan 4
 no ip address
 untagged TenGigabitEthernet 3/2
Dell(conf-if-vlan)#end
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
    NUM    Status    Q Ports
*   1      Inactive
    2      Active    T Po1(So 0/0-1)
                     T Te 3/0
    3      Active    T Po1(So 0/0-1)
                     T Te 3/1
    4      Active    U Te 3/2
Dell#
The only way to remove an interface from th
Enabling Null VLAN as the Default VLAN

In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
INTERFACE mode
portmode hybrid
3 Configure the interface for Switchport mode.
INTERFACE mode
switchport
4 Add the interface to a tagged or untagged VLAN.
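The exposure described above (several customer-facing interfaces sitting together in the default VLAN while they wait for configuration) is visible in show vlan output, so it can be checked rather than assumed. The following Python is an added example, not Dell code: it parses show vlan output in the column layout quoted in this chapter, collects the members of the VLAN marked with the * code, and reports when more than one interface shares the default VLAN. The sample output is constructed, and the function names are mine.

```python
"""Parse 'show vlan' output and report interfaces that sit in the default VLAN. Added example,
not Dell code; the table layout follows the outputs quoted in this chapter, the sample text is
constructed, and the function names are mine.
"""
import re
from typing import Dict, List, Optional, Tuple

# A VLAN row: optional code (* default, G GVRP), number, status, optional first member
ROW_RE = re.compile(r"^(?P<code>[*G])?\s*(?P<num>\d+)\s+(?P<status>Active|Inactive)"
                    r"(?:\s+(?P<q>[UT])\s+(?P<port>\S.*?))?\s*$")
# Continuation row: further members of the VLAN above
CONT_RE = re.compile(r"^\s+(?P<q>[UT])\s+(?P<port>\S.*?)\s*$")

# Constructed sample in the layout of the 'show vlan' outputs on this page
SAMPLE_SHOW_VLAN = """\
Codes: * - Default VLAN, G - GVRP VLANs
    NUM    Status    Q Ports
*   1      Active    U Te 3/2
                     U Te 3/3
    2      Active    T Po1(So 0/0-1)
                     T Te 3/0
    3      Active    T Po1(So 0/0-1)
                     T Te 3/1
    4      Inactive
"""


class Vlan:
    def __init__(self, num: int, status: str, default: bool):
        self.num, self.status, self.default = num, status, default
        self.members: List[Tuple[str, str]] = []   # (Q code 'U' or 'T', port name)


def parse_show_vlan(text: str) -> Dict[int, Vlan]:
    """Build a VLAN-id -> Vlan map; raises on a line that fits neither row shape."""
    vlans: Dict[int, Vlan] = {}
    current: Optional[Vlan] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Codes:") or "NUM" in line.split():
            continue
        m = ROW_RE.match(line)
        if m:
            current = Vlan(int(m["num"]), m["status"], m["code"] == "*")
            vlans[current.num] = current
            if m["q"]:
                current.members.append((m["q"], m["port"]))
            continue
        m = CONT_RE.match(line)
        if m and current is not None:
            current.members.append((m["q"], m["port"]))
            continue
        raise ValueError(f"unrecognised show vlan line: {line!r}")
    return vlans


def default_vlan_members(vlans: Dict[int, Vlan]) -> List[str]:
    """Ports listed under the VLAN flagged as the default VLAN."""
    for vlan in vlans.values():
        if vlan.default:
            return [port for _, port in vlan.members]
    return []


def audit(text: str) -> List[str]:
    """One finding when two or more interfaces share the default VLAN (the exposure described above)."""
    vlans = parse_show_vlan(text)
    members = default_vlan_members(vlans)
    default_id = next((v.num for v in vlans.values() if v.default), None)
    findings: List[str] = []
    if len(members) > 1:
        findings.append(f"{len(members)} interfaces are untagged in default VLAN {default_id} "
                        f"and share a broadcast domain: {', '.join(members)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_VLAN):
        print(finding)
```

Running the check against a switch that has the Null VLAN enabled as the default VLAN should produce no finding, because newly enabled Layer 2 interfaces no longer land in VLAN 1 together.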
65 VLT Proxy Gateway

The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Dell Networking OS Command Line Reference Guide.
For more information about eVLT, refer to the Virtual Link Trunking (VLT) chapter. The core or Layer 3 routers C and D in the local VLT domain and C1 and D1 in the remote VLT domain are then part of a Layer 3 cloud.
Figure 143. Sample Configuration for a VLT Proxy Gateway

Guidelines for Enabling the VLT Proxy Gateway

Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; for example, across a VLT domain.
• The connection between DCs must be an L3 VLT in eVLT format. For more information, refer to the eVLT Configuration Example.
• The trace route across the DCs can show extra hops.
• To ensure no traffic drops, you must maintain route symmetry across the VLT domains. When the routing table across DCs is not symmetrical, there is a possibility of a routing miss by a DC that does not have the route for L3 traffic.
• LLDP has a limited TLV size. As a result, information that is carried by the new TLV is limited to one or two MAC addresses.
• You must have all related systems properly configured and set up.

LLDP Organizational TLV for Proxy Gateway

• LLDP defines an organizationally specific TLV (type 127) with a unique identifier (0x0001E8) and a defined subtype (0x01) for sending or receiving information.
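The TLV framing this section refers to is the IEEE 802.1AB organizationally specific TLV: a 16-bit header holding a 7-bit type (127) and a 9-bit length, then a 3-byte OUI, a 1-byte subtype, and the organization's own payload. The following Python is an added example, not Dell code: it builds such a TLV with the OUI 0x0001E8 and subtype 0x01 given above, walks an LLDPDU without reading past the buffer, and accepts only a TLV whose OUI and subtype match. The payload layout (one or two raw 6-byte MAC addresses, following the size limit noted above) is an assumption made for the example, not a documented format; the second OUI in the constructed frame is the IEEE 802.3 OUI used by standard 802.3 TLVs.

```python
"""Build and validate an LLDP organizationally specific TLV (type 127). Added example, not Dell
code. The TLV framing is IEEE 802.1AB; the OUI 0x0001E8 and subtype 0x01 are the values this
chapter gives for the proxy gateway TLV. The payload layout (one or two raw 6-byte MAC
addresses) is an assumption made for this example, not a documented format.
"""
import struct
from typing import Iterator, List, Tuple

TLV_END = 0
TLV_ORG_SPECIFIC = 127
PROXY_GW_OUI = bytes.fromhex("0001E8")
PROXY_GW_SUBTYPE = 0x01
IEEE8023_OUI = bytes.fromhex("00120F")   # OUI of the standard IEEE 802.3 organizational TLVs


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_proxy_gateway_tlv(macs: List[str]) -> bytes:
    """Type (7 bits) | Length (9 bits) | OUI (3) | Subtype (1) | one or two MAC addresses."""
    if not 1 <= len(macs) <= 2:
        raise ValueError("proxy gateway TLV carries one or two MAC addresses")
    info = PROXY_GW_OUI + bytes([PROXY_GW_SUBTYPE]) + b"".join(mac_to_bytes(m) for m in macs)
    return struct.pack("!H", (TLV_ORG_SPECIFIC << 9) | len(info)) + info


def iter_tlvs(frame: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, info) for each TLV in an LLDPDU, refusing to read past the buffer."""
    offset = 0
    while offset < len(frame):
        if offset + 2 > len(frame):
            raise ValueError("truncated TLV header")
        header, = struct.unpack_from("!H", frame, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        end = offset + 2 + length
        if end > len(frame):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, only {len(frame) - offset - 2} remain")
        yield tlv_type, frame[offset + 2:end]
        if tlv_type == TLV_END:
            return
        offset = end


def parse_proxy_gateway_tlv(info: bytes) -> List[str]:
    """Validate OUI and subtype and return the MAC addresses carried; rejects any other org TLV."""
    if len(info) < 4:
        raise ValueError("organizationally specific TLV shorter than OUI + subtype")
    oui, subtype, payload = info[:3], info[3], info[4:]
    if oui != PROXY_GW_OUI or subtype != PROXY_GW_SUBTYPE:
        raise ValueError(f"not a proxy gateway TLV (OUI {oui.hex()}, subtype {subtype})")
    if len(payload) % 6 or not 1 <= len(payload) // 6 <= 2:
        raise ValueError("payload must be one or two 6-byte MAC addresses")
    return [bytes_to_mac(payload[i:i + 6]) for i in range(0, len(payload), 6)]


def proxy_gateway_macs(frame: bytes) -> List[str]:
    """Walk an LLDPDU and collect MACs from every proxy gateway TLV; other TLVs are skipped."""
    macs: List[str] = []
    for tlv_type, info in iter_tlvs(frame):
        if tlv_type == TLV_ORG_SPECIFIC and info[:4] == PROXY_GW_OUI + bytes([PROXY_GW_SUBTYPE]):
            macs.extend(parse_proxy_gateway_tlv(info))
    return macs


def sample_frame() -> bytes:
    """Constructed LLDPDU fragment: an 802.3 org TLV, the proxy gateway TLV, then End of LLDPDU."""
    other = struct.pack("!H", (TLV_ORG_SPECIFIC << 9) | 5) + IEEE8023_OUI + b"\x01\x00"
    ours = build_proxy_gateway_tlv(["00:0a:00:0a:00:0a", "00:0b:00:0b:00:0b"])
    return other + ours + struct.pack("!H", TLV_END)


if __name__ == "__main__":
    print(build_proxy_gateway_tlv(["00:0a:00:0a:00:0a"]).hex())
    print(proxy_gateway_macs(sample_frame()))
```

The length check before slicing is the part that matters on a receiver: a TLV whose 9-bit length runs past the end of the frame is rejected instead of being read as zero-padded data, and a TLV with the right type but a foreign OUI is ignored rather than interpreted as gateway MAC addresses.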
• LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down, rebooting, or the port physical link connection is down).
Figure 144. Sample Configuration for a VLT Proxy Gateway
• The above figure shows a sample VLT proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This causes sub-optimal routing with the VLT proxy gateway LLDP method.
• Assume the inter-chassis link (ICL) between C1 and D1 is shut down and D1 is the secondary VLT peer; one half of the inter-DC link then goes down. After VM motion, if a packet reaches D2 with the destination MAC address of D1, it may be dropped. This behavior applies only in an LLDP configuration; in a static configuration, the packet is forwarded.
• Any L3 packet that gets an L3 hit and is routed has its time to live (TTL) decremented as expected.
Configuring a Static VLT Proxy Gateway

You can configure a proxy gateway in VLT domains. A proxy gateway allows you to locally route the packets that are destined to an L3 endpoint of the other VLT domain. Apply the following configurations in the core L3 routers C and D in the local VLT domain and C1 and D1 in the remote VLT domain:
1 Configure proxy-gateway static in VLT Domain Configuration mode.
2 Configure remote-mac-address in VLT Domain Proxy Gateway LLDP mode.
66 Virtual Link Trunking (VLT)

Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access or ToR. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
• Provides a loop-free topology.
• Uses all available uplink bandwidth.
• Provides fast convergence if either the link or a device fails.
• Optimized forwarding with virtual router redundancy protocol (VRRP).
• Provides link-level resiliency.
• Assures high availability.
CAUTION: Dell Networking does not recommend enabling Stacking and VLT simultaneously. If you enable both features at the same time, unexpected behavior occurs.
VLT on Core Switches

You can also deploy VLT on core switches. Uplinks from servers to the access layer and from the access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This setup requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and from access to aggregation are in Active-Active Load Sharing mode.
Multiple VLT

A multiple VLT (mVLT) configuration allows two different VLT domains connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) units, increasing the number of available ports and allowing for dual redundancy of the VLT. The following illustration shows how the core/aggregation port density in the Layer 2 topology is increased using mVLT.
• VLT peer device — One of a pair of devices that are connected with the special port channel known as the VLT interconnect (VLTi). VLT peer switches have independent management planes. A VLT interconnect between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peer switches. The VLT interconnect uses either 10G or 40G user ports on the chassis. A separate backup link maintains heartbeat messages across an out-of-band (OOB) management network.
Configuration Notes

When you configure VLT, the following conditions apply.
• VLT domain
  • A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel.
  • A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices.
  • Each VLT domain has a unique MAC address that you create or VLT creates automatically.
• When you change the default VLAN ID on a VLT peer switch, the VLT interconnect may flap.
• In a VLT domain, the following software features are supported on VLTi: link layer discovery protocol (LLDP), flow control, port monitoring, jumbo frames, and data center bridging (DCB).
• When you enable the VLTi link, the link between the VLT peer switches is established if the following configured information is true on both peer switches:
  • the VLT system MAC address matches.
the VLT domain. In the port-channel used by the switch to connect to the VLT domain, configure the port interfaces on each VLT peer as hybrid ports before adding them to the port channel (refer to Connecting a VLT Domain to an Attached Access Device (Switch or Server)). To configure a port in Hybrid mode so that it can carry untagged, single-tagged, and double-tagged traffic, use the portmode hybrid command in Interface Configuration mode as described in Configuring Native VLANs.
• Failure scenarios
  • On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding.
  • When a VLT switch determines that a VLT port channel has failed (and that no other local port channels are available), the peer with the failed port channel notifies the remote peer that it no longer has an active port channel for a link.
VLT Bandwidth Monitoring

When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated.
%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) crosses threshold. Bandwidth usage (80 )
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
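A collector that receives these messages needs to split the Dell prefix (unit, role, process, facility, severity, mnemonic) from the message text before it can alert on the VLTi threshold event or record the earlier time-change message as an audit event. The following Python is an added example, not Dell code: it parses lines in the format of the two messages quoted in this guide and produces one finding for the threshold crossing and one for a clock configuration change. The sample lines are constructed from the quoted message texts plus one unrelated line; the text of the below-threshold message is not shown on this page, so the rule keys on the word "crosses" only; the field and function names are mine.

```python
"""Parse Dell Networking OS syslog messages of the form quoted in this guide and flag the VLTi
bandwidth threshold event. Added example, not Dell code; the message texts are those printed on
this page, the sample lines are constructed, and the field names are mine.
"""
import re
from typing import Dict, List, Optional

SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error", 4: "warning",
            5: "notice", 6: "informational", 7: "debug"}   # standard syslog severities

# %<unit>-<role>:<process> %<FACILITY>-<severity>-<MNEMONIC>: <text>
MSG_RE = re.compile(
    r"%(?P<unit>[A-Z0-9]+)-(?P<role>[A-Z]):(?P<process>[A-Z]+) "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9][A-Z0-9 -]*?): (?P<text>.*)$")
# Text of the VLT-LAG-ICL message: which port-channel, which direction, what usage figure
ICL_RE = re.compile(r"VLT-ICL-LAG \((?P<lag>port-channel \d+)\) (?P<direction>[a-z ]+?) "
                    r"threshold\. Bandwidth usage \((?P<usage>\d+)")

# Constructed sample lines: the two message texts quoted on this page plus one unrelated line
SAMPLE_LOG = [
    "%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG "
    "(port-channel 25) crosses threshold. Bandwidth usage (80 )",
    '02:10:57: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from '
    '"Summer time starts 00:00:00 Pacific Sat Mar 14 2009 ; Summer time ends 00:00:00 pacific Sat Nov 7 2009" '
    'to "Summer time starts 02:00:00 Pacific Sun Mar 8 2009;Summer time ends 02:00:00 pacific Sun Nov 1 2009"',
    "Mar  8 02:11:03 host kernel: unrelated line",
]


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Return the structured fields of a Dell syslog line, or None when the line is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    fields["severity"] = int(m["severity"])
    fields["severity_name"] = SEVERITY[int(m["severity"])]
    return fields


def icl_utilization_event(fields: Dict[str, object]) -> Optional[Dict[str, object]]:
    """For a VLTMGR VLT-LAG-ICL message, pull out the VLTi port-channel and the usage figure."""
    if fields["facility"] != "VLTMGR" or fields["mnemonic"] != "VLT-LAG-ICL":
        return None
    m = ICL_RE.search(str(fields["text"]))
    if not m:
        return None
    return {"lag": m["lag"], "usage_percent": int(m["usage"]), "crossed": m["direction"] == "crosses"}


def scan(lines: List[str]) -> List[str]:
    """One finding per operationally relevant message: VLTi saturation and clock changes."""
    findings: List[str] = []
    for line in lines:
        fields = parse_message(line)
        if fields is None:
            continue
        icl = icl_utilization_event(fields)
        if icl and icl["crossed"]:
            findings.append(f"VLTi {icl['lag']} above {icl['usage_percent']}% utilization")
        elif fields["facility"] == "CLOCK" and fields["mnemonic"] == "TIME CHANGE":
            findings.append(f"time configuration changed on {fields['unit']}: {str(fields['text'])[:40]}...")
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Both quoted messages carry severity 6 (informational), so a collector that only forwards severity 4 and above would drop them; matching on facility and mnemonic, as above, keeps them regardless of severity.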
If you enable IGMP snooping, IGMP queries are also sent out on the VLT ports at this time allowing any receivers to respond to the queries and update the multicast table on the new node. This delay in bringing up the VLT ports also applies when the VLTi link recovers from a failure that caused the VLT ports on the secondary VLT peer node to be disabled.
that originates from the source that is connected to the VLT ports to reach the PIM router which has downstream neighbors. The VLT peer nodes can also act as normal PIM routers on Layer 3 ports and on VLANs that do not have any VLT port members. In addition to being first-hop or last-hop routers, the peer node can also act as an intermediate router.
Preventing Forwarding Loops in a VLT Domain

During the bootup of VLT peer switches, a forwarding loop may occur until the VLT configurations are applied on each switch and the primary/secondary roles are determined. To prevent the interfaces in the VLT interconnect trunk and RSTP-enabled VLT ports from entering a Forwarding state and creating a traffic loop in a VLT domain, follow these steps.
1 Configure RSTP in the core network and on each peer switch as described in Rapid Spanning Tree Protocol (RSTP).
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2)
Dell_VLTpeer2(conf)#protocol spanning-tree rstp
Dell_VLTpeer2(conf-rstp)#no disable
Dell_VLTpeer2(conf-rstp)#bridge-priority 0

Configuring VLT

To configure VLT, use the following procedure.
Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
no ip address
3 Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• 10 Gigabit Ethernet: Enter tengigabitethernet slot/port.
• 40 Gigabit Ethernet: Enter fortygigabitethernet slot/port.
4 Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
5 Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect.
lacp ungroup member-independent {vlt | port-channel port-channel-id}
LACP on VLT ports (on a VLT switch or access device), which are members of the virtual link trunk, is not brought up until the VLT domain is recognized on the access device.
5 Repeat Steps 1 to 4 on the VLT peer switch to configure the IP address of this switch as the endpoint of the VLT backup link and to configure the same port channel for the VLT interconnect.
delay-restore delay-restore-time
The range is from 1 to 1200. The default is 90 seconds.

Reconfiguring the Default VLT Settings (Optional)

To reconfigure the default VLT settings, use the following commands.
1 Enter VLT-Domain Configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
Unit IDs are used for internal system operations. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots.

Connecting a VLT Domain to an Attached Access Device (Switch or Server)

To connect a VLT domain to an attached access device, use the following commands.
On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain.
8 On an attached switch or server: To connect to the VLT domain and add port channels to it, configure a port channel. For an example of how to verify the port-channel configuration, refer to VLT Sample Configuration. To configure the VLAN where a VLT peer forwards received packets over the VLTi from an adjacent VLT peer that is down, use the peer-down-vlan parameter. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
3 Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots.
8 Configure enhanced VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command in Enabling VLT and Creating a VLT Domain.
PVST+ Configuration

PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. For information on PVST+, refer to Per-VLAN Spanning Tree Plus (PVST+). Run PVST+ on both VLT peer switches. A PVST+ instance is created for every VLAN configured in the system.
Po 2       128.3    128  2000  FWD(vlt)  0  0  90b1.1cf4.9b79  128.3
Te 1/10    128.230  128  2000  FWD       0  0  90b1.1cf4.9b79  128.230
Te 1/13    128.233  128  2000  FWD       0  0  90b1.1cf4.9b79  128.

Interface
Name       Role   PortID   Prio  Cost  Sts
---------  -----  -------  ----  ----  ---
Po 1       Desg   128.2    128   188   FWD
Po 2       Desg   128.3    128   2000  FWD
Te 1/10    Desg   128.230  128   2000  FWD
Te 1/13    Desg   128.233  128   2000  FWD
Dell#
EXEC mode or EXEC Privilege mode
show interfaces interface
11 In the top of rack unit, configure LACP in the physical ports.
EXEC Privilege mode
show running-config entity
12 Verify that VLT is running.
EXEC mode
show vlt brief or show vlt detail
13 Verify that the VLT LAG is running in both VLT peer units.
EXEC mode or EXEC Privilege mode
show interfaces interface
In the following sample VLT configuration steps, VLT peer 1 is S5000-2, VLT peer 2 is S5000-4, and the ToR is S60-1.
 peer-link port-channel 1
 back-up destination 10.11.206.43
S5000-4#
S5000-4#show running-config interface managementethernet 0/0
 ip address 10.11.206.58/16
 no shutdown
Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit. In the following example, port Te 0/40 in VLT peer 1 is connected to Te 0/48 of the TOR and port Te 0/18 in VLT peer 2 is connected to Te 0/50 of the TOR.
1 Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit.
s60-1#
s60-1#show running-config interface port-channel 100
!
interface Port-channel 100
 no ip address
 switchport
 no shutdown
s60-1#
s60-1#show port-channel interface 100 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 100  L2    up      03:33:48  Te 0/48 (Up)
                               Te 0/50 (Up)
s60-1#
Verify that VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status) and VLT peer link (peer chassis) are all up.
In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Figure 149. eVLT Configuration Example

eVLT Configuration Step Examples

In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Domain_1_Peer2(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer2(conf-vlt-domain)# back-up destination 10.16.130.12
Domain_1_Peer2(conf-vlt-domain)# system-mac mac-address 00:0a:00:0a:00:0a
Domain_1_Peer2(conf-vlt-domain)# unit-id 1
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
Domain_2_Peer4(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_2_Peer4(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 4.
Verifying a VLT Configuration

To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation.
EXEC mode
show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
Examples of the show vlt and show spanning-tree rstp Commands

The following example shows the show vlt backup-link command.
Dell_VLTpeer1# show vlt backup-link
VLT Backup Link
-----------------
Destination:                  10.11.200.
Peer HeartBeat status:
HeartBeat Timer Interval:
HeartBeat Timeout:
UDP Port:
HeartBeat Messages Sent:
HeartBeat Messages Received:
The following example shows the show vlt detail command.
Dell_VLTpeer1# show vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  -------------
100           100          UP            UP           10, 20, 30
127           2            UP            UP           20, 30

Dell_VLTpeer2# show vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  -------------
2             127          UP            UP           20, 30
100           100          UP            UP           10, 20, 30
The following example shows the show vlt role command.
Dell_VLTpeer2# show vlt statistics
VLT Statistics
---------------
HeartBeat Messages Sent:      994
HeartBeat Messages Received:  978
ICL Hello's Sent:             89
ICL Hello's Received:         89
The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer 2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Additional VLT Sample Configurations

To configure VLT, configure a backup link and interconnect trunk, create a VLT domain, and connect the peer switches in a VLT domain to an attached access device (switch or server). Review the following examples of VLT configurations.

Configuring Virtual Link Trunking (VLT Peer 1)

Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi).
Configuring Virtual Link Trunking (VLT Peer 2)

Enable VLT and create a VLT domain with a backup-link and VLT interconnect (VLTi).
Dell_VLTpeer2(conf)#vlt domain 999
Dell_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
Dell_VLTpeer2(conf-vlt-domain)#exit
Configure the backup link.
Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0
Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.
 switchport
 channel-member fortyGigE 1/18,22
 no shutdown

Troubleshooting VLT

To help troubleshoot different VLT issues that may occur, use the following information.
NOTE: For information on VLT Failure mode timing and its impact, contact your Dell Networking representative.
Table 86.
Description                          | Behavior at Peer Up                                    | Behavior During Run Time                               | Action to Take
-------------------------------------|--------------------------------------------------------|--------------------------------------------------------|----------------------------------------------------------------
Spanning tree mismatch at port level | A syslog error message is generated.                   | A one-time informational syslog message is generated.  | Correct the spanning tree configuration on the ports.
System MAC mismatch                  | A syslog error message and an SNMP trap are generated. | A syslog error message and an SNMP trap are generated. | Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.
7 Confirm the reload query.
8 After reloading, confirm that VLT is enabled.
9 Confirm that the management ports are interconnected or connected to a switch that can transfer Heartbeat information.

Specifying VLT Nodes in a PVLAN

You can configure VLT peer nodes in a private VLAN (PVLAN). VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization.
symmetrical across peers. If the VLT LAG is tagged to any one of the primary or secondary VLANs of a PVLAN, then both the primary and secondary VLANs are considered as VLT VLANs. If you add an ICL or VLTi link as a member of a primary VLAN, the ICL becomes a part of the primary VLAN and its associated secondary VLANs, similar to the behavior for normal trunk ports. VLAN parity is not validated if you associate an ICL to a PVLAN.
PVLAN Operations When One VLT Peer is Down

When a VLT port moves to the Admin or Operationally Down state on only one of the VLT nodes, the VLT LAG is still considered to be up. All the PVLAN MAC entries that correspond to the operationally down VLT LAG are maintained as synchronized entries in the device. These MAC entries are removed when the peer VLT LAG also becomes inactive or a change in PVLAN configuration occurs.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN

The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operations of the VLT peers):

Table 87. VLT LAG Mode, PVLAN Mode of VLT VLAN, ICL VLAN Membership and MAC Synchronization
VLT LAG Mode (Peer1 / Peer2): Access / Access for every row below.

PVLAN Mode of VLT VLAN, Peer1: Secondary (Community), Primary VLAN X
PVLAN Mode of VLT VLAN, Peer2: Secondary (Community), Primary VLAN X
  ICL VLAN Membership: Yes, Yes    MAC Synchronization: Yes, Yes

PVLAN Mode of VLT VLAN, Peer1: Secondary (Isolated), Primary VLAN X
PVLAN Mode of VLT VLAN, Peer2: Secondary (Isolated), Primary VLAN X
  ICL VLAN Membership: Yes, Yes    MAC Synchronization: Yes, Yes

PVLAN Mode of VLT VLAN, Peer1: Secondary (Isolated), Primary VLAN X
PVLAN Mode of VLT VLAN, Peer2: Secondary (Isolated), Primary VLAN Y
  ICL VLAN Membership: No, No      MAC Synchronization: No, No

PVLAN Mode of VLT VLAN, Peer1: Secondary (Community), Primary VLAN Y
PVLAN Mode of VLT VLAN, Peer2: Secondary (Community), Primary VLAN X
  ICL VLAN Membership: No, No      MAC Synchronization: No, No
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2 Remove an IP address from the interface.
INTERFACE PORT-CHANNEL mode
no ip address
3 Add one or more port interfaces to the port channel.
CONFIGURATION mode
interface interface
2 Enable the port.
INTERFACE mode
no shutdown
3 Set the port in Layer 2 mode.
INTERFACE mode
switchport
4 Select the PVLAN mode.
INTERFACE mode
switchport mode private-vlan {host | promiscuous | trunk}
• host (isolated or community VLAN port)
• promiscuous (intra-VLAN communication port)
• trunk (inter-switch PVLAN hub port)
5 Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
Proxy ARP Capability on VLT Peer Nodes

The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for another host or router. The local host forwards the traffic to the proxy ARP-enabled device, which in turn transmits the packets to the destination. By default, proxy ARP is enabled. To disable proxy ARP, use the no proxy-arp command in Interface mode. To re-enable proxy ARP, use the ip proxy-arp command in Interface mode.
broadcast ARP requests. Control packets, other than ARP requests destined for the VLT peers that reach the undesired and incorrect VLT node, are dropped if the ICL link is down. Further processing is not done on these control packets. The VLT node does not perform any action if it receives gratuitous ARP requests for the VLT peer IP address. Proxy ARP is also supported on secondary VLANs.
the VLT peer, after the RP starts receiving multicast traffic via these routes, these (S, G) routes are considered valid and are downloaded to the device. Only (S, G) routes are used to forward the multicast traffic from the source to the receiver. You can configure VLT nodes, which function as RP, as Multicast source discovery protocol (MSDP) peers in different domains. However, you cannot configure the VLT peers as MSDP peers in the same VLT domain.
Configure the VLT domain
Dell(conf)#vlt domain 1
Dell(conf-vlt-domain)#peer-link port-channel 1
Dell(conf-vlt-domain)#back-up destination 10.16.151.116
Dell(conf-vlt-domain)#primary-priority 100
Dell(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
Dell(conf-vlt-domain)#unit-id 0
Dell(conf-vlt-domain)#
Dell#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
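The mismatch table earlier in this chapter says a VLT pair is only healthy when the system MAC is identical on both peers and the unit ID differs. The following is an added example (not Dell OS code) that applies exactly those rules to the show running-config vlt output of two peers. Both configurations are constructed in the format shown above; the addresses, MAC and priorities are made up, and the second peer deliberately carries a copied unit-id.

```python
"""Compare the 'show running-config vlt' output of two VLT peers.

Added example (not Dell OS code) that applies the rule from the VLT mismatch
table: the system MAC must be identical on both peers and the unit-id must
differ. Both outputs are constructed; addresses, MACs and priorities are
made up for illustration."""
import re

PEER1_VLT_CONFIG = """\
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.116
 primary-priority 100
 system-mac mac-address 00:00:00:11:11:11
 unit-id 0
"""

# Constructed: same domain and system MAC, but the unit-id was copied from peer 1.
PEER2_VLT_CONFIG = """\
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.115
 primary-priority 200
 system-mac mac-address 00:00:00:11:11:11
 unit-id 0
"""

# One regex per vlt-domain setting; numeric captures become ints.
_FIELDS = {
    "domain": r"vlt domain (\d+)",
    "peer_link": r"peer-link port-channel (\d+)",
    "backup": r"back-up destination (\S+)",
    "primary_priority": r"primary-priority (\d+)",
    "system_mac": r"system-mac mac-address (\S+)",
    "unit_id": r"unit-id (\d+)",
}


def parse_vlt_config(text):
    """Return a dict of the vlt-domain settings present in the output."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        for key, pattern in _FIELDS.items():
            m = re.fullmatch(pattern, line)
            if m:
                value = m.group(1)
                cfg[key] = int(value) if value.isdigit() else value.lower()
    return cfg


def check_vlt_peers(cfg1, cfg2):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if cfg1.get("domain") != cfg2.get("domain"):
        findings.append("VLT domain id differs between the peers")
    if cfg1.get("system_mac") != cfg2.get("system_mac"):
        findings.append("system MAC mismatch: system-mac must be identical on both peers")
    if cfg1.get("unit_id") == cfg2.get("unit_id"):
        findings.append("unit-id is the same on both peers; each peer needs a distinct unit-id")
    return findings


if __name__ == "__main__":
    p1 = parse_vlt_config(PEER1_VLT_CONFIG)
    p2 = parse_vlt_config(PEER2_VLT_CONFIG)
    for finding in check_vlt_peers(p1, p2) or ["VLT peer configuration is consistent"]:
        print(finding)
```

Run against the two constructed outputs, the script reports only the duplicated unit-id; correcting unit-id on the second peer to 1 makes the check pass. The same parser can be pointed at captured output from both peers before a reload, which is cheaper than waiting for the syslog error and SNMP trap described in the table.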
Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
Dell#

Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
Dell#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated, O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack, i - Intern
Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)#vlt-peer-lag port-channel 20
Dell(conf-if-po-20)#vlan-stack trunk
Dell(conf-if-po-20)#no shutdown
Dell#show running-config interface port-channel 20
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
Dell#

Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack compatible
Dell
IPv6 Peer Routing in VLT Domains

Overview

VLT enables the physical links between two devices that are called VLT nodes or peers, and within a VLT domain, to be considered as a single logical link to external devices that are connected using LAG bundles to both the VLT peers. This capability enables redundancy without the implementation of Spanning tree protocol (STP), thereby providing a loop-free network with optimal bandwidth utilization.
Synchronization of IPv6 ND Entries in a VLT Domain

Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT V6 VLAN and neighbor discovery protocol monitor (NDPM) entries are synchronized between the VLT nodes. The VLT V6 VLAN information must be synchronized with the peer VLT node, so that both VLT nodes are aware of the VLT VLAN information associated with the peers.
The overall tunneling process involves the VLT nodes that are connected from the ToR through a LAG. The following illustration is a basic VLT setup, which describes the communication between VLT nodes to tunnel the NA from one VLT node to its peer. NA messages can be sent in two scenarios:
• NA messages are almost always sent in response to an NS message from a node. In this case, the solicited NA has the destination address field set to the unicast MAC address of the initial NS sender.
Sample Configuration of IPv6 Peer Routing in a VLT Domain

Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C. The network between the ToR and the VLT nodes is Layer 2.
Consider an example in which an NA destined for VLT node1 reaches VLT node1 on the VLT interface, or reaches VLT node2 instead because of LAG-level hashing in the ToR. When VLT node1 receives the NA on the VLT interface, it learns the host MAC address on the VLT interface. This learned neighbor entry is synchronized to VLT node2 as though it had been learned on the VLT interface of Node2.
One of the VLT peers is configured as the default gateway router for the VLT hosts. If a VLT node receives Layer 3 traffic intended for the other VLT peer, it routes the traffic to the next hop instead of forwarding the traffic to the VLT peer. If the neighbor entry is not present, the VLT node resolves the next hop. There may be traffic loss during the neighbor resolution period.
Upgrading from Releases That Do Not Support IPv6 Peer Routing

During an upgrade to Release 9.4(0.0) from earlier releases, VLT peers might contain different versions of FTOS. You must upgrade both the VLT peers to Release 9.4(0.0) to leverage the benefits of IPv6 peer routing.

Station Movement

When a host moves from a VLT interface to a non-VLT interface or vice versa, the neighbor entry is updated and synchronized to the VLT peer.
67 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.

VRF Overview

VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 152. VRF Network Example

VRF Configuration Notes

Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
VRF supports route redistribution between routing protocols (including static routes) only when the routes are within the same VRF. Dell Networking OS uses both the VRF name and VRF ID to manage VRF instances. The VRF name and VRF ID number are assigned using the ip vrf command. The VRF ID is displayed in show ip vrf command output. The VRF ID is not exchanged between routers. VRF IDs are local to a router. VRF supports some routing protocols only on the default VRF (default-vrf) instance.
Feature/Capability    Support Status for Default VRF    Support Status for Non-default VRF

NOTE: ACLs are supported on all VRF VLAN ports. IPv4 ACLs are supported on non-default VRFs also. IPv6 ACLs are supported on the default VRF only. PBR is supported on the default VRF only. QoS is not supported on VLANs.
DHCP
DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.

VRF Configuration

The VRF configuration tasks are:
1 Enabling VRF in Configuration Mode
2 Creating a Non-Default VRF
3 Assign an Interface to a VRF
You can also:
• View VRF Instance Information
• Connect an OSPF Process to a VRF Instance
• Configure VRRP on a VRF

Loading VRF CAM
• Load CAM memory for the VRF feature.
Assigning an Interface to a VRF

You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
View VRF Instance Information

To display information about VRF configuration, enter the show ip vrf command. To display information on all VRF instances (including the default VRF 0), do not enter a value for vrf-name.
• Display the interfaces assigned to a VRF instance.
EXEC
show ip vrf [vrf-name]

Assigning an OSPF Process to a VRF Instance

OSPF routes are supported on all VRF instances. See Open Shortest Path First (OSPFv2) for complete OSPF configuration information.
Table 89. Configuring VRRP on a VRF

Task: Create VRF
  Command Syntax: ip vrf vrf1
  Command Mode: CONFIGURATION
Task: Assign the VRF to an interface
  Command Syntax: ip vrf forwarding vrf1
  Command Mode: VRF CONFIGURATION
Task: Assign an IP address to the interface
  Command Syntax: ip address 10.1.1.1 /24
                  no shutdown
Task: Configure the VRRP group and virtual IP address
  Command Syntax: vrrp-group 10
                  virtual-address 10.1.1.100

show config
----------------------------
!
interface TenGigabitEthernet 1/13
 ip vrf forwarding vrf1
 ip address 10.1.1.1/24
 !
 vrrp-group 10
  virtual-address 10.1.
When Management VRF is configured, the following interface range or interface group commands are disabled:
• ipv6 nd dad — Duplicated Address Detection
• ipv6 nd dns-server — Configure DNS distribution option in RA packets originated by the router
• ipv6 nd hop-limit — Set hop limit advertised in RA and used in IPv6 data packets originated by the router
• ipv6 nd managed-config-flag — Hosts should use DHCP for address config
• ipv6 nd max-ra-interval — Set IPv6 Max Router Advertisement Interval
•
Sample VRF Configuration

The following configuration illustrates a typical VRF set-up.
Figure 153.
Figure 154. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet 3/1
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.
!
interface TenGigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet 1/3
 ip vrf forwarding green
 ip address 30.0.0.1/24
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.
!
interface TenGigabitEthernet 2/3
 ip vrf forwarding green
 ip address 31.0.0.1/24
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 1.0.0.2/24
 tagged TenGigabitEthernet 3/1
 no shutdown
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.2/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.2/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.
Neighbor ID  Pri  State    Dead Time  Address  Interface  Area
2.0.0.2      1    FULL/DR  00:00:37   2.0.0.
Dell#show ip route vrf blue
00:09:06
===================================================================================
The following shows the output of the show commands on Router 2.

Router 2
Dell#show ip vrf
VRF-Name     VRF-ID  Interfaces
default-vrf  0       Ma 0/0, Ma 1/0, Nu 0, Vl 1, 2/0-17,21-47
blue         1       Te 2/1, Vl 128
orange       2       Te 2/2, Vl 192
green        3       Te 2/3, Vl 256
Dell#show ip ospf 1 neighbor
Neighbor ID  Pri  State     Interface  Area
1.0.0.1      1    FULL/BDR  128        0
!
Dell#sh ip ospf 2 neighbor
Neighbor ID  Pri  State  Interface  Area
2.0.0.
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
  Destination        Gateway          Dist/Metric  Last Change
  -----------        -------          -----------  -----------
C 2.0.0.0/24         Direct, Vl 192                00:26:44
O 20.0.0.0/24        via 2.0.0.
C 21.0.0.0/24                                      00:20:38
interface TenGigabitEthernet 1/10
 ip vrf forwarding VRF2
 ip address 140.0.0.1/24
ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2
ip route vrf VRF2 40.0.0.0/16 120.0.0.2 vrf VRF1

Dynamic Route Leaking

Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains.
For leaking the routes from VRF-Shared to VRF-Red and VRF-Blue, you configure a route-export tag on VRF-Shared (the source VRF, which exports the routes); the same route-export tag value must be configured on VRF-Red and VRF-Blue as the route-import tag (the target VRFs, which import the routes). For the reply communication, VRF-Red and VRF-Blue are configured with two different route-export tags, one for each, and those two values are configured as route-import tags on VRF-Shared.
ip vrf vrf-green
interface-type slot/port
ip vrf forwarding VRF-green
ip address ip-address mask
A non-default VRF named VRF-green is created and the interface is assigned to it.
10 Configure the import target in the source VRF VRF-Shared for reverse communication with VRF-red and VRF-blue.
Show the routing tables of the VRFs (after the route-export and route-import tags are configured).
Dell# show ip route vrf VRF-Red
O  11.1.1.1/32     via 111.1.1.1                  110/0  00:00:10
C  111.1.1.0/24    Direct, Te 1/11                0/0    22:39:59
O  44.4.4.4/32     via VRF-shared:144.4.4.4       0/0    00:32:36
C  144.4.4.0/24    Direct, VRF-shared:Te 1/4      0/0    00:32:36
Dell# show ip route vrf VRF-Blue
O  22.2.2.2/32     via 122.2.2.2                  110/0  00:00:11
C  122.2.2.0/24    Direct, Te 1/12                0/0    22:39:61
O  44.4.4.4/32     via vrf-shared:144.4.4.
C  144.4.4.0/24
are exported and imported into the route targets based on certain matching criteria. These match criteria include prefix matches and protocol matches. You can use the match source-protocol or match ip-address commands to specify matching criteria for importing or exporting routes between VRFs.
NOTE: You must use the match source-protocol or match ip-address commands in conjunction with the route-map command to be able to define the match criteria for route leaking.
interface-type slot/port
ip vrf forwarding VRF-blue
ip address ip-address mask
A non-default VRF named VRF-blue is created and the interface 1/22 is assigned to it.
6 Define the route-map import_ospf_protocol.
Dell(config)route-map import_ospf_protocol permit 10
7 Define the matching criteria for importing routes into VRF-blue.
Dell(config-route-map)match source-protocol ospf
This action specifies that the route-map contains OSPF as the matching criteria for importing routes into vrf-blue.
set of routes (for example, BGP routes) to some other VRF. Similarly, when two VRFs leak or export routes, there is no option to discretely filter leaked routes from each source VRF. That is, you cannot import one set of routes from VRF-red and another set of routes from VRF-blue.
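Two of the rules in this chapter are easy to get wrong when a VRF design is written by hand: overlapping subnets are legal only across different VRFs (the NOTE under Assigning an Interface to a VRF), and routes leak only where a target VRF's route-import tag equals a source VRF's route-export tag (the hub-and-spoke description of VRF-Shared, VRF-Red and VRF-Blue). The following is an added example, not Dell OS code, that checks a planned design against both rules before anything is pushed to a switch. The interface plan and the tag values are constructed; Dell OS expresses the tags in its own syntax, which this model does not reproduce.

```python
"""Two pre-change checks for a VRF design, modelled on the rules in the text.

Added example, not Dell OS code. The interface plan and the route-export /
route-import tag values are constructed for illustration."""
import ipaddress
from itertools import combinations

# Constructed plan: (interface, VRF, address). Te 1/1 and Te 1/2 reuse the
# same address in different VRFs (permitted); Te 1/3 lands in the same subnet
# as Te 1/1 inside VRF blue (not permitted).
INTERFACES = [
    ("TenGigabitEthernet 1/1", "blue", "10.0.0.1/24"),
    ("TenGigabitEthernet 1/2", "orange", "10.0.0.1/24"),
    ("TenGigabitEthernet 1/3", "blue", "10.0.0.5/24"),
    ("Vlan 128", "blue", "1.0.0.1/24"),
]

# Constructed hub-and-spoke tag plan from the route-leaking description:
# VRF-Shared exports one tag that both spokes import, and imports each
# spoke's own export tag for the return path.
VRF_TAGS = {
    "VRF-Shared": {"export": {100}, "import": {200, 300}},
    "VRF-Red": {"export": {200}, "import": {100}},
    "VRF-Blue": {"export": {300}, "import": {100}},
}


def find_subnet_conflicts(interfaces):
    """Return pairs of interfaces that share a VRF and have overlapping subnets.

    Overlap between interfaces in different VRFs is allowed, so those pairs
    are skipped; only same-VRF overlap is a configuration error."""
    conflicts = []
    for (if_a, vrf_a, addr_a), (if_b, vrf_b, addr_b) in combinations(interfaces, 2):
        if vrf_a != vrf_b:
            continue
        net_a = ipaddress.ip_interface(addr_a).network
        net_b = ipaddress.ip_interface(addr_b).network
        if net_a.version != net_b.version:   # IPv4 and IPv6 never overlap
            continue
        if net_a.overlaps(net_b):
            conflicts.append((if_a, if_b))
    return conflicts


def leak_matrix(tags):
    """Return {target VRF: sorted source VRFs whose routes it will import}.

    A target imports from a source when one of the target's route-import tags
    equals one of the source's route-export tags."""
    matrix = {}
    for target, t in tags.items():
        sources = [src for src, s in tags.items()
                   if src != target and s["export"] & t["import"]]
        matrix[target] = sorted(sources)
    return matrix


if __name__ == "__main__":
    for a, b in find_subnet_conflicts(INTERFACES):
        print(f"overlapping subnets in the same VRF: {a} and {b}")
    for target, sources in leak_matrix(VRF_TAGS).items():
        print(f"{target} imports routes from: {', '.join(sources) or 'nobody'}")
```

The leak matrix also makes the limitation stated above visible: with these tags VRF-Red and VRF-Blue each import only from VRF-Shared and never from each other, and because a target cannot filter per source VRF, anything VRF-Shared exports reaches both spokes alike.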
68 Virtual Router Redundancy Protocol (VRRP)

Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.

VRRP Overview

VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
For more detailed information about VRRP, refer to RFC 2338, Virtual Router Redundancy Protocol.
Figure 155. Basic VRRP Configuration

VRRP Benefits

With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocol (IGP) protocols to converge or update routing tables.

VRRP Implementation

The S5000 supports a total of 255 VRRP groups on a switch.
The recommendations in the following table are guidelines; before changing the advertisement interval, take into account factors such as ARP broadcasts, IP broadcasts and STP. As the number of packets processed by the RP2/CP/FP processor increases or decreases with the dynamics of the network, the advertisement intervals may increase or decrease accordingly.
• Setting VRRP Initialization Delay
For a complete listing of all commands related to VRRP, refer to the Dell Networking OS Command Line Reference Guide.

Creating a Virtual Router

To enable VRRP, create a virtual router. In Dell Networking Operating System (OS), the virtual router identifier (VRID) identifies a VRRP group. To enable or delete a virtual router, use the following commands.
• Create a virtual router for that interface with a VRID.
INTERFACE mode
vrrp-group vrid
The VRID range is from 1 to 255.
The VRID range is from 1 to 255.
2 Configure virtual IP addresses for this VRID.
INTERFACE-VRID mode
virtual-address ip-address1 [...ip-address12]
The range is up to 12 addresses.
Examples of Configuring and Verifying a Virtual IP Address
The following example shows how to configure a virtual IP address.
Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.1
Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.2
Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.
When the VRRP process completes its initialization, the State field contains either Master or Backup.

Setting VRRP Group (Virtual Router) Priority

Setting a virtual router priority to 255 ensures that router is the “owner” virtual router for the VRRP group. VRRP elects the MASTER router by choosing the router with the highest priority. The default priority for a virtual router is 100. The higher the number, the higher the priority.
Configuring VRRP Authentication

Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, Dell Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.
NOTE: You must configure all virtual routers in the VRRP group the same and enable authentication with the same password, or authentication is disabled.
INTERFACE-VRID mode
no preempt
Examples of Disabling Preempt
Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting.
The following example shows how to disable preempt using the no preempt command.
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#no preempt
Dell(conf-if-te-1/1-vrid-111)#
The following example shows how to verify preempt is disabled using the show conf command.
Examples of the advertise-interval Command
The following example shows how to change the advertise interval using the advertise-interval command.
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#advertise-interval 10
Dell(conf-if-te-1/1-vrid-111)#
The following example shows how to verify the advertise interval change using the show conf command.
In addition, if you configure a VRRP group on an interface that belongs to a VRF instance and later configure object tracking on an interface for the VRRP group, the tracked interface must belong to the VRF instance.

Tracking an Interface

To track an interface, use the following commands.
NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group.
The following example shows verifying the tracking status.
VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally. Set the delay timer on individual interfaces. The delay timer is supported on all physical interfaces, VLANs, and LAGs. When you configure both CLIs, the later timer rules VRRP enabling.
you make the necessary changes. The VRRP topology was created using the CLI configuration shown in the following example.
Figure 156. VRRP for IPv4 Topology
Examples of Configuring VRRP for IPv4 and IPv6
The following example shows configuring VRRP for IPv4 on Router 2.
R2(conf)#int te 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.
interface TenGigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.3
 no shutdown
R2(conf-if-te-2/31)#end
R2#show vrrp
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.
10.1.1.3
Authentication: (none)

Figure 157. Example of VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address.
The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
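The election rules spread over this chapter (highest priority wins, 255 marks the address owner, default priority 100, preempt on by default, and the NOTE just above about an existing master keeping its role when priorities tie) are easiest to reason about as a small model. The following is an added example, not Dell OS code, that implements those rules so a planned group can be checked before it is deployed; the router names and addresses are constructed, and the startup tie-break on the higher IP address is taken from RFC 2338 rather than from this page.

```python
"""Model of the VRRP master election described in the text.

Added example, not Dell OS code. Router names and addresses are constructed.
Rules modelled: priority 1..255, 255 marks the address owner, the highest
priority wins, a startup tie is broken by the higher IP address (RFC 2338),
and at run time a router displaces the current master only when its
priority is strictly higher and preempt is enabled, so an equal-priority
router with a higher address does not take over."""
from dataclasses import dataclass
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    address: str          # the router's own interface address on the segment
    priority: int = 100   # Dell OS default priority per the text
    preempt: bool = True  # Dell OS default; 'no preempt' sets this False


def _rank(router):
    """Election key: priority first, then the numerically higher address."""
    return (router.priority, int(ipaddress.ip_address(router.address)))


def validate_group(routers):
    """Reject priorities outside 1..255 and more than one owner (255)."""
    for r in routers:
        if not 1 <= r.priority <= 255:
            raise ValueError(f"{r.name}: priority {r.priority} is outside 1..255")
    owners = [r.name for r in routers if r.priority == 255]
    if len(owners) > 1:
        raise ValueError(f"only one router may own the virtual address: {owners}")


def elect_master(routers, current_master=None):
    """Return the router that becomes (or remains) master of the group."""
    validate_group(routers)
    best = max(routers, key=_rank)
    if current_master is None:
        return best                      # startup election
    if best.priority > current_master.priority and best.preempt:
        return best                      # strictly higher priority preempts
    return current_master                # equal priority never displaces a master


if __name__ == "__main__":
    r1 = VrrpRouter("R1", "10.1.1.2")
    r2 = VrrpRouter("R2", "10.1.1.1", priority=200)
    print("startup winner:", elect_master([r1, r2]).name)
    r3 = VrrpRouter("R3", "10.1.1.9")  # same priority as R1, higher address
    print("R1 already master, R3 joins:", elect_master([r1, r3], current_master=r1).name)
```

The model also shows why the chapter warns that a backup with no preempt never takes over from a lower-priority master until that master fails, and why two routers configured with priority 255 is a design error rather than a tie.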
R2(conf-if-te-0/0)#ipv6 address 1::1/64
R2(conf-if-te-0/0)#vrrp-group 10
R2(conf-if-te-0/0-vrid-10)#virtual-address fe80::10
R2(conf-if-te-0/0-vrid-10)#virtual-address 1::10
R2(conf-if-te-0/0-vrid-10)#no shutdown
R2(conf-if-te-0/0)#show config
interface TenGigabitEthernet 0/0
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-0/0)#end
R2#show vrrp
-----------------
TenGigabitEthernet 0/0, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:
VRRP in a VRF Configuration

The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios.
• Multiple VRFs on physical interfaces running VRRP.
• Multiple VRFs on VLAN interfaces running VRRP.
To view a VRRP in a VRF configuration, use the show commands.

VRRP in a VRF: Non-VLAN Scenario

The following example shows how to enable VRRP in a non-VLAN.
the same in VRF-1 and VRF-2; similarly, there is no requirement for the IP addresses to be different. In VRF-3, the node IP addresses and subnet are unique.
Figure 158. VRRP in a VRF: Non-VLAN Example
Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN)
Switch-1
S1(conf)#ip vrf default-vrf 0
!
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface TenGigabitEthernet 12/1
S1(conf-if-te-12/1)#ip vrf forwarding VRF-1
S1(conf-if-te-12/1)#ip address 10.10.1.
S1(conf-if-te-12/2-vrid-101)#priority 100
S1(conf-if-te-12/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-12/2)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 12/3
S1(conf-if-te-12/3)#ip vrf forwarding VRF-3
S1(conf-if-te-12/3)#ip address 20.1.1.5/24
S1(conf-if-te-12/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-12/3-vrid-105)#priority 255
S1(conf-if-te-12/3-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
S2(conf-if-vl-100)#ip address 10.10.1.2/24
S2(conf-if-vl-100)#tagged tengigabitethernet 12/4
S2(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-vl-100-vrid-101)#priority 255
S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.2
S2(conf-if-vl-100)#no shutdown
!
S2(conf-if-te-12/4)#interface vlan 200
S2(conf-if-vl-200)#ip vrf forwarding VRF-2
S2(conf-if-vl-200)#ip address 10.10.1.
Consider an example VRRP for IPv6 configuration in which the IPv6 VRRP group consists of two routers.
Figure 159. VRRP for IPv6 Topology
NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
R2(conf-if-te-1/1)#ipv6 address 1::1/64
R2(conf-if-te-1/1)#vrrp-group 10
NOTE: You must configure a virtual link local (fe80) address for each VRRPv3 group created for an interface. The VRRPv3 group becomes active as soon as you configure the link local address. Afterwards, you can configure the group’s virtual IPv6 address.
R2(conf-if-te-1/1-vrid-10)#virtual-address fe80::10
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10
fe80::10
Dell#show vrrp tengigabitethernet 0/0
TenGigabitEthernet 0/0, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvI
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 443
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255
fe80::255
Dell#show vrrp vrf vrf2 port-channel 1
Port-channel 1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 2 vrf2
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
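The show vrrp outputs in this chapter carry three fields worth checking routinely: the virtual MAC address (which must be 00:00:5e:00:01:VRID for VRRP and 00:00:5e:00:02:VRID for VRRPv3, as the examples above show for VRIDs 99, 10 and 255), the Bad pkts rcvd counter, and the Authentication field that the Configuring VRRP Authentication section explains. The following is an added example, not Dell OS code, that parses output in the format shown here and reports those findings. The sample output is constructed: the second group deliberately carries a wrong virtual MAC and a non-zero bad-packet count, and its fe80 addresses are made up.

```python
"""Parse 'show vrrp' output and flag what a defender would look at first.

Added example, not Dell OS code. The sample output is constructed in the
format the page shows. Checks: the virtual MAC must be 00:00:5e:00:01:<VRID>
for IPv4 and 00:00:5e:00:02:<VRID> for IPv6 (the VRRP and VRRPv3 standard
values), 'Bad pkts rcvd' must be zero, and IPv4 groups should not run with
Authentication: (none)."""

SHOW_VRRP = """\
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
-----------------
TenGigabitEthernet 0/0, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:1
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 3, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0b
Virtual IP address: 1::10
"""


def parse_show_vrrp(text):
    """Split the output into one dict per group, keyed by the field names."""
    groups, group = [], None
    for line in text.splitlines():
        if line.startswith("-----"):
            group = {}
            groups.append(group)
            continue
        if group is None or not line.strip():
            continue
        for part in line.split(", "):
            key, sep, value = part.partition(": ")
            if not sep:
                group.setdefault("Interface", part.strip())  # header's first field
            elif key.endswith("VRID"):
                group["VRID"] = int(value)
                group["IPv6"] = key.startswith("IPv6")
            else:
                group[key.strip()] = value.strip()
    return groups


def expected_virtual_mac(vrid, ipv6):
    """Standard VRRP virtual MAC for the group: the last octet is the VRID."""
    return f"00:00:5e:00:0{2 if ipv6 else 1}:{vrid:02x}"


def audit_vrrp(groups):
    """Return a list of findings for the parsed groups (empty means clean)."""
    findings = []
    for g in groups:
        tag = f"{g['Interface']} VRID {g['VRID']}"
        want = expected_virtual_mac(g["VRID"], g.get("IPv6", False))
        have = g.get("Virtual MAC address", "").lower()
        if have != want:
            findings.append(f"{tag}: virtual MAC {have} does not match the expected {want}")
        if int(g.get("Bad pkts rcvd", "0")) > 0:
            findings.append(f"{tag}: {g['Bad pkts rcvd']} bad VRRP packets received; "
                            "look for a misconfigured or unexpected VRRP speaker on the segment")
        if not g.get("IPv6") and g.get("Authentication", "(none)") == "(none)":
            findings.append(f"{tag}: VRRP authentication is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit_vrrp(parse_show_vrrp(SHOW_VRRP)):
        print(finding)
```

A rising Bad pkts rcvd counter is the first sign that another VRRP speaker on the segment disagrees with the group's configuration or password, so the counter is a better thing to trend than the State field alone; VRRPv3 has no authentication field, which is why the check is applied only to the IPv4 groups.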
69 S5000 Debugging and Diagnostics

Topics:
• Offline Diagnostics
• Trace Logs
• Hardware Watchdog Timer
• Using the Show Hardware Commands
• Enabling Environmental Monitoring
• Buffer Tuning
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps

Offline Diagnostics

The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications.
• Perform offline diagnostics on one stack member at a time.
• Diagnostics only test connectivity, not the entire data path.
• Diagnostic results are stored on the flash of the unit on which you performed the diagnostics.
• When offline diagnostics are complete, the unit or stack member reboots automatically.

Running Offline Diagnostics

To run offline diagnostics, use the following commands. For more information, refer to the examples following the steps.
1 Place the unit in the offline state.
Please make sure that stacking/fanout not configured for Diagnostics execution. Also reboot/online command is necessary for normal operation after the offline command is issued.
The following is an example of running offline diagnostics on a standalone unit.
Dell#diag stack-unit 1 alllevels
Warning - diagnostic execution will cause multiple link flaps on the peer side advisable to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
00:03:35: %S5000:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1
00:03:35 : Approximate time to complete these Diags ... 6 Min
Dell#00:09:32 : Diagnostic test results are stored on file: flash:/TestReportSU-0.
PLD Version : 5
Diag image based on build : E_MAIN4.7.7.206
Stack Unit Board Voltage levels - 3.300000 V, 2.500000 V, 1.800000 V, 1.250000 V, 1.200000 V, 2.000000 V
Stack Unit Board temperature : 26 Degree C
Stack Unit Number : 0
****************************Stack Unit EEPROM INFO*******************************
********MFG INFO*******************
Data in Chassis Eeprom Mfg Info is listed as...
• On a Standby unit, you can reach the TRACE_LOG_DIR files only by using the show file command from the flash://TRACE_LOG_DIR directory.
NOTE: Non-management member units do not support this functionality.

Hardware Watchdog Timer

The hardware watchdog command automatically reboots a Dell Networking OS switch/router with a single RPM that is unresponsive. This is a last-resort mechanism intended to prevent a manual power cycle.
• show hardware stack-unit {0-11} buffer unit {0-0} port {1-64} queue {0-14 | all} buffer-info
View input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
EXEC Privilege mode
• show hardware stack-unit {0-11} cpu party-bus statistics
View the ingress and egress internal packet-drop counters, MAC counter drops, and FP packet drops for the stack unit on a per-port basis.
Enabling Environmental Monitoring

The S5000 components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, you must enable the following command.
• Enable environmental monitoring.
Recognize an Overtemperature Condition

An overtemperature condition occurs for one of two reasons: the card genuinely is too hot or a sensor has malfunctioned. Inspect cards adjacent to the one reporting the condition to discover the cause.
• If directly adjacent cards are not at normal temperature, suspect a genuine overheating condition.
• If directly adjacent cards are at normal temperature, suspect a faulty sensor.
When the system detects a genuine over-temperature condition, it powers off the card.
This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE). If the under-voltage condition persists, member units are shut down, then the master unit.

Troubleshoot an Under-Voltage Condition

To troubleshoot an under-voltage condition, check that the correct number of power supplies are installed and their Status light emitting diodes (LEDs) are lit.
Buffer Tuning

Buffer tuning allows you to modify the way your switch allocates buffers from its available memory and helps prevent packet drops during a temporary burst of traffic. The application-specific integrated circuits (ASICs) implement the key functions of queuing, feature lookups, and forwarding lookups in hardware.
• Dynamic Cell Limit Per port = 59040/29 = 2036 cells
Figure 160. Buffer Tuning Points

Deciding to Tune Buffers

Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is bursty (and coming from several interfaces). In this case:
• Reduce the dedicated buffer on all queues/interfaces.
• buffer-profile csf csqueue
Change the dedicated buffers on a physical 1G interface. BUFFER PROFILE mode
• buffer dedicated
Change the maximum number of dynamic buffers an interface can request. BUFFER PROFILE mode
• buffer dynamic
Change the number of packet-pointers per queue. BUFFER PROFILE mode
• buffer packet-pointers
Apply the buffer profile to a line card. CONFIGURATION mode
• buffer fp-uplink linecard
Apply the buffer profile to a CSF to FP link.
The following example shows viewing the default buffer profile.
Dell#show buffer-profile stack-unit
Stack-Unit Current Buffer-Profile Next-Boot Buffer-Profile
---------- ---------------------- ------------------------
0          Default (Dynamic)      Default (Dynamic)
Dell#
The following example shows viewing the buffer profile allocations.
buffer-profile fp fsqueue-hig
buffer dedicated queue0 3 queue1 3 queue2 3 queue3 3 queue4 3 queue5 3 queue6 3 queue7 3
buffer dynamic 1256
!
buffer fp-uplink stack-unit 0 port-set 0 buffer-policy fsqueue-hig
buffer fp-uplink stack-unit 0 port-set 1 buffer-policy fsqueue-hig
!
Interface range te 0/1 - 48
buffer-policy fsqueue-fp
Dell#sho run int te 0/10
!
interface TenGigabitEthernet 0/10
no ip address
Troubleshooting Packet Loss
The show hardware stack-unit command is intended primarily to troubleshoot pac
• Display drop counters.
--- Egress MAC counters ---
Egress FCS Drops                 : 0
--- Egress FORWARD PROCESSOR Drops ---
IPv4 L3UC Aged & Drops           : 0
TTL Threshold Drops              : 0
INVALID VLAN CNTR Drops          : 0
L2MC Drops                       : 0
PKT Drops of ANY Conditions      : 0
Hg MacUnderflow                  : 0
TX Err PKT Counter               : 0
--- Error counters ---
Internal Mac Transmit Errors     : 0
Unknown Opcodes                  : 0
Internal Mac Receive Errors      : 0
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU.
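The drop and error counters above are only useful if someone reads them, so a small parser that turns the "Name : value" sections into data and flags any non-zero drop or error counter is a common first monitoring step. This is an added example, not code from the guide or from Dell; the sample output is constructed here in the format shown above (the non-zero values are invented), and the parser also accepts the optional "+delta" column that the stack-port counter output uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the drop-counter output in this guide.
# The non-zero values are invented so the detection logic has something to find.
SAMPLE_DROPS = """\
--- Egress MAC counters ---
Egress FCS Drops                 : 0
--- Egress FORWARD PROCESSOR Drops ---
IPv4 L3UC Aged & Drops           : 0
TTL Threshold Drops              : 12
INVALID VLAN CNTR Drops          : 0
L2MC Drops                       : 0
PKT Drops of ANY Conditions      : 12
Hg MacUnderflow                  : 0
TX Err PKT Counter               : 0
--- Error counters ---
Internal Mac Transmit Errors     : 0
Unknown Opcodes                  : 0
Internal Mac Receive Errors      : 3
"""

SECTION_RE = re.compile(r"^---\s*(.*?)\s*---$")
# "Name : 1,602 +1,461": counter name, absolute value, optional increment
COUNTER_RE = re.compile(r"^(.*?)\s*:\s*([\d,]+)(?:\s+\+([\d,]+))?\s*$")


def parse_counters(text: str) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Return {section: {counter: (value, delta)}}; delta is 0 when absent."""
    sections: Dict[str, Dict[str, Tuple[int, int]]] = {}
    current = "(none)"  # counters that appear before any section header
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m:
            value = int(m.group(2).replace(",", ""))
            delta = int(m.group(3).replace(",", "")) if m.group(3) else 0
            sections.setdefault(current, {})[m.group(1)] = (value, delta)
    return sections


def nonzero_counters(text: str) -> List[Tuple[str, str, int]]:
    """List (section, counter, value) for every counter that is not zero."""
    return [(sec, name, val) for sec, ctrs in parse_counters(text).items()
            for name, (val, _delta) in ctrs.items() if val]


if __name__ == "__main__":
    for section, name, value in nonzero_counters(SAMPLE_DROPS):
        print(f"{section}: {name} = {value}")
```

Feeding the real command output (for example collected over SSH on a schedule) to nonzero_counters and comparing successive runs gives a simple alert on new drops.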
txPkt(COS2)   :0
txPkt(COS3)   :0
txPkt(COS4)   :0
txPkt(COS5)   :0
txPkt(COS6)   :0
txPkt(COS7)   :0
txPkt(UNIT0)  :0
Example of Viewing Party Bus Statistics
Dell#sh hardware stack-unit 2 cpu party-bus statistics
Input Statistics:
27550 packets, 2559298 bytes
0 dropped, 0 errors
Output Statistics:
1649566 packets, 1935316203 bytes
0 errors
Display Stack Port Statistics
The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
GR127.ge0   :     1,566   +1,433
GR255.ge0   :         4       +4
GRPKT.ge0   :     1,602   +1,461
GRBYT.ge0   :   117,600 +106,202
GRMCA.ge0   :       366     +235
GRBCA.ge0   :        12       +9
GT64.ge0    :         4       +3
GT127.ge0   :       964     +964
GT255.ge0   :         4       +4
GT511.ge0   :         1       +1
GTPKT.ge0   :       973     +972
GTBCA.ge0   :         1       +1
GTBYT.ge0   :    71,531  +71,467
RUC.cpu0    :       972     +971
TDBGC6.cpu0 :     1,584   +1,449
Enabling Application Core Dumps
Application core dumps are disabled by default. A core dump file can be very large.
1 drwx      4096 Feb 09 2013 16:07:14 +00:00 .
2 drwx      4096 Feb 09 2013 16:07:12 +00:00 ..
3 -rwx       512 Jan 28 2013 10:42:14 +00:00 f10StkUnit9.kcore.mini.txt
4 -rwx 299829760 Jan 22 2013 23:27:46 +00:00 f10StkUnit9.kcore.gz
5 -rwx    471494 Jan 22 2013 23:40:40 +00:00 f10cp_dsm_130122233423_Stk8.acore.gz
6 -rwx   1626169 Jan 22 2013 23:40:46 +00:00 sysdlp_Stk8.acore.
7 -rwx    466916 Jan 22 2013 23:49:34 +00:00
8 -rwx       512 Jan 30 2013 00:41:10 +00:00
9 -rwx       512 Jan 30 2013 00:49:38 +00:00
To enable a TCP dump, use the following command. • Enable a TCP dump for CPU bound traffic.
70 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), Dell Networking OS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
802.3x Flow Control
802.3z Gigabit Ethernet (1000BASE-X)
ANSI/TIA-1057 LLDP-MED
Dell Networking FRRP (Redundant Ring Protocol)
Dell Networking PVST+
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu)
MTU 9,252 bytes
RFC and I-D Compliance
Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard.
RFC# Full Name Dell networking OS 9.1(1.0)
2615 PPP over SONET/SDH √
2698 A Two Rate Three Color Marker √
3164 The BSD syslog Protocol √
draft-ietf-bfd-base-03 Bidirectional Forwarding Detection √
General IPv4 Protocols
The following table lists the Dell Networking OS support per platform for general IPv4 protocols.
Table 93. General IPv4 Protocols
RFC# Full Name Dell networking OS 9.1(1.
RFC# Full Name Dell networking OS 9.1(1.0)
3069 VLAN Aggregation for Efficient IP Address Allocation √
3128 Protection Against a Variant of the Tiny Fragment Attack √
General IPv6 Protocols
The following table lists the Dell Networking OS support per platform for general IPv6 protocols.
Table 94. General IPv6 Protocols
RFC# Full Name Dell networking OS 9.1(1.
Border Gateway Protocol (BGP)
The following table lists the Dell Networking OS support per platform for BGP protocols.
Table 95.
RFC# Full Name S-Series/Z-Series
2328 OSPF Version 2 √
2370 The OSPF Opaque LSA Option √
2740 OSPF for IPv6 √
3623 Graceful OSPF Restart √
4222 Prioritized Treatment of Specific OSPF Version 2 Packets and Congestion Avoidance √
Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell Networking OS support per platform for the IS-IS protocol.
Table 97. Intermediate System to Intermediate System (IS-IS)
RFC# Full Name Dell networking OS 9.1(1.
RFC# Full Name Dell networking OS 9.1(1.0)
draft-ietf-isis-igp-p2p-over-lan-06 Point-to-point operation over LAN in link-state routing protocols Not supported
draft-kaplan-isis-ext-eth-02 Extended Ethernet Frame Size Support Not supported
Routing Information Protocol (RIP)
The following table lists the Dell Networking OS support per platform for the RIP protocol.
Table 98. Routing Information Protocol (RIP)
RFC# Full Name Dell networking OS 9.1(1.
RFC# Full Name Dell networking OS 9.1(1.0)
4541 Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches √
draft-ietf-pim-sm-v2-new-05 Protocol Independent Multicast Sparse Mode (PIM-SM): Protocol Specification (Revised) √
Network Management
The following table lists the Dell Networking OS support per platform for network management protocols.
Table 100.
RFC# Full Name Dell networking OS 9.1(1.0)
3580 IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines √
3815 Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP) √
4001 Textual Conventions for Internet Network Addresses √
5060 Protocol Independent Multicast MIB √
ANSI/TIA-1057 The LLDP Management Information Base extension module for TIA-TR41.
RFC# Full Name Dell networking OS 9.1(1.0)
IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) √
ruzin-mstp-mib-02 (Traps) Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol √
sFlow.org sFlow Version 5 √
sFlow.
RFC# Full Name Dell networking OS 9.1(1.0)
FORCE10-SYSTEMCOMPONENT-MIB Dell Networking System Component MIB (enables the user to view CAM usage information) √
FORCE10-TC-MIB Dell Networking Textual Convention √
FORCE10-TRAP-ALARM-MIB Dell Networking Trap Alarm MIB √
MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.