Dell 9.11(2.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2017 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this Guide
This guide describes the protocols and features supported on Dell Networking switches and routers by the Dell Networking operating system (OS) and provides configuration instructions and examples for implementing them. The S5000 switch is available with Dell Networking OS version 9.1(1.0) and later versions. It also supports stacking. Though this guide contains information on protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell Networking OS command line interface (CLI) is a text-based interface that you use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In Dell Networking OS, after you enable a command, it is entered into the running configuration file.
You can set user access rights to commands and command modes using privilege levels; for more information about privilege levels and security options, refer to Privilege Levels Overview. The Dell Networking OS CLI is divided into three major mode levels: • EXEC mode — is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
Navigating CLI Modes The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
CLI Command Mode          Prompt                          Access Command
IP COMMUNITY-LIST         Dell(config-community-list)#    ip community-list
CONSOLE                   Dell(config-line-console)#      line (LINE Modes)
VIRTUAL TERMINAL          Dell(config-line-vty)#          line (LINE Modes)
STANDARD ACCESS-LIST      Dell(config-std-macl)#          mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST      Dell(config-ext-macl)#          mac access-list extended (MAC ACCESS-LIST Modes)
MULTIPLE SPANNING TREE    Dell(config-mstp)#              protocol spanning-tree mstp
Per-VLAN SPANNING TR
Figure 1. Port Numbering Convention The S5000 supports the following possible modules: • Twelve-Port Ethernet module (1G/10G speeds) • Twelve-Port Universal Port module (2G/4G/8G/10G speeds) You can install an Ethernet module in any slot (from 0 to 3) and a Universal Port module in slot 0 on the I/O panel. On the S5000, the valid stack-unit numbers are from 0 to 11.
The no Command When you enter a command, the command line is added to the running configuration file. Disable a command and remove it from the running-config by entering the original command preceded by the no command. For example, to delete an ip address configured on an interface, use the no ip address ip-address command, as shown in bold in the following example. NOTE: To help you construct the “no” form of a command, use the help or ? command as described in Obtaining Help.
Keyword ? Command Example
A keyword followed by [space]? lists all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
Dell(conf)#clock
Entering and Editing Commands
Notes for entering commands.
• The CLI is not case-sensitive.
• You can enter partial CLI keywords.
• Enter the minimum number of letters to uniquely identify a command.
Command History
Dell Networking OS maintains a history of previously entered commands for each mode. For example:
• When you are in EXEC mode, the UP and DOWN arrow keys display the previously entered EXEC mode commands.
• When you are in CONFIGURATION mode, the UP and DOWN arrow keys recall the previously entered CONFIGURATION mode commands.
Filtering Command Outputs with the find Command
Dell(conf)#do show stack-unit all stack-ports all pfc details | find 0
stack unit 0 stack-port all
Admin mode is On
Admin is enabled
Local is enabled
Link Delay 45556 pause quantum
0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all
The display command displays additional configuration information. The no-more command displays the output all at once rather than one screen at a time.
3 Getting Started This chapter helps you get started using the S5000. Accessing Ports The S5000 has two management ports available for system access — a console port and a universal serial bus (USB)-B port. The USB-B port acts the same as the console port. The terminal settings are the same for both access ports. Accessing the RJ-45/RS-232 Console Port The RS-232/RJ-45 console port is labeled on the lower left-hand side of the S5000 system as you face the Utility side of the chassis.
Pin Assignments You can connect to the console using a RJ-45 to RJ-45 rollover cable and a RJ-45 to DB-9 female DTE adapter to a terminal server (for example, a PC). The pin assignments between the console and a DTE terminal server are as follows: Table 2.
cat <CLIscript.file> | ssh admin@hostname
The script is run and the actions contained in the script are performed. Keep the following points in mind when you establish an SSH session to the device to run commands or script files:
• There is an upper limit of 10 concurrent SSH sessions, so SSH-related scripts can fail to execute once that limit is reached.
• To avoid denial of service (DoS) attacks, SSH is rate-limited to 10 concurrent sessions per minute.
Completed Boot Process
U-Boot 2012.04(Dell Networking)
Built by build at tools-sjc-01 on Tue Jan 15 0:50:03 2013
S5000 Boot Selector Label 1.3.0.0m
CPU0: P2020, Version: 2.1, (0x80e20021)
Core: E500, Version: 5.1, (0x80211051)
.
.
Board: S5000
Dell CPU CPLD: S5000 CPLD Rev 41
Board Revision 1
.
.
Boot Selector set to Bootflash Partition A image...
Verifying Copyright Information..success for Image - 0
Boot Selector: Booting Bootflash Partition A image...
.
RELEASE IMAGE HEADER DATA :
-------------------------
Release Image Created 2013/4/15 - 18:11:28
SOFTWARE IMAGE HEADER DATA :
---------------------------
Software Image[1] Img file Name : CPRPLP-RPM-AP-9-0-1-0.bin
Software Image[2] Img file Name : NBSDPCPRPLP-RPM-AP-9-0-1-0.bin
.
Starting Dell Networking application
00:00:38: %STKUNIT0-M:CP %RAM-6-ELECTION_ROLE: Stack unit 0 is transitioning to Management unit.
Configuring the Enable Password
Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure. There are three types of enable passwords:
• enable password is stored in the running/startup configuration using the DES encryption method.
• enable secret is stored in the running/startup configuration as an MD5 hash.
Default Configuration A version of Dell Networking OS is pre-loaded onto the chassis; however, the system is not configured when you power up for the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.
no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.
• Configure a management route to the network from which you are accessing the system.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID.
1 Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
  CONFIGURATION mode: interface vlan vlan-id
2 Enable an interface to include the IEEE 802.1Q tag header.
  INTERFACE mode: tagged interface
3 To move untagged interfaces from the default VLAN to another VLAN, use the untagged command.
• To copy a remote file to Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location. Table 3.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system. The /f10/mnt/nfs directory is the root of all mount-points. To mount an NFS file system, perform the following steps: Table 4.
15 bytes successfully copied
Dell#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
Dell#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap
!
24 bytes successfully copied
Dell#
Dell#copy tftp://10.16.127.35/username/dv-maa-test ?
flash:            Copy to local file system ([flash://]filepath)
nfsmount:         Copy to nfs mount file system (nfsmount:///filepath)
running-config    remote host:
Destination file name [test.
• View a list of files on the internal flash. EXEC Privilege mode: dir flash:
• View a list of files on the usbflash. EXEC Privilege mode: dir usbflash:
• View the contents of a file in the internal flash. EXEC Privilege mode: show file flash://filename
• View the contents of a file in the usb flash. EXEC Privilege mode: show file usbflash://filename
• View the running-configuration. EXEC Privilege mode: show running-config
• View the startup-configuration.
redundancy auto-synchronize full
!
service timestamps log datetime
!
hostname Dell
!
enable password 7 b125455cf679b208e79b910e85789edf
!
username admin password 7 1d28e9f33f99cf5c
!
stack-unit 0 provision S5000
!
interface fibrechannel 0/0
 shutdown
!
interface fibrechannel 0/1
 shutdown
!
...
-- More --
Compressing Configuration Files
You can optimize and reduce the sizes of the configuration files.
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 shutdown
!
Interface group TenGigabitEthernet 1/2 – 4 , TenGigabitEthernet 1/10
interface TenGigabitEthernet 1/2
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/3
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/4
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/10
 no ip address
 shutdown
!
interface TenGigabitEthernet 1/34
 ip address 2.
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 4
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 5
 tagged te 1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.1/16
 no shutdown
Uncompressed config size – 52 lines
write memory compressed
The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode.
Managing the File System The S5000 switch can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information, use the following command. • View information about each file system.
NOTE: The no feature vrf command is not supported on any of the platforms.
To enable the VRF feature and make all VRF-related commands available and viewable in the CLI, use the following command. You must enable the VRF feature before you can configure its related attributes.
Dell(conf)# feature vrf
If the Feature Configuration file identifies the VRF feature as supported, the feature vrf configuration command becomes available for use.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on iSupport. Optionally, you can include the published hash in the verify {md5 | sha256} command, which displays whether it matches the calculated hash of the indicated file. To validate a software image:
1 Download the Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server.
• To copy a file on the USB device, enter usbflash:// followed by the filename. In the Dell Networking OS release 9.8(0.0), HTTP services support the VRF-aware functionality. If you want the HTTP server to use a VRF table that is attached to an interface, configure that HTTP server to use a specific routing table. You can use the ip http vrf command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address.
4 Switch Management
This chapter explains the different protocols or services used to manage the S5000 switch.
Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level      Description
Level 1    Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
Example of EXEC Privilege Commands
Dell(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
CONFIGURATION mode: username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
• Configure a privilege level for a terminal line. Line mode: privilege level level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
• Sending System Messages to a Syslog Server
Disabling System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
• Disable all logging except on the console. CONFIGURATION mode: no logging on
• Disable logging to the logging buffer. CONFIGURATION mode: no logging buffer
• Disable logging to terminal lines.
change the default value to any number of days from 1 to 30. By default, login activity tracking is disabled. You can enable it using the login statistics enable command from the configuration mode.
Restrictions for Tracking Login Activity
These restrictions apply for tracking login activity:
• Only the system and security administrators can configure login activity tracking and view the login activity details of other users.
Example of the show login statistics all command

The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.

Dell#show login statistics all
-----------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts user login-id command.

Dell# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).

The following is sample output of the show login statistics successful-attempts command.

Dell#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).
Example of Clearing Existing Sessions

When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:

$ telnet 10.11.178.14
Trying 10.11.178.14...
Connected to 10.11.178.14.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line      Location
2 vty 0   10.14.1.97
3 vty 1   10.14.1.
• Specify the minimum severity level for logging to the console.
CONFIGURATION mode
logging console level
• Specify the minimum severity level for logging to terminal lines.
CONFIGURATION mode
logging monitor level
• Specify the minimum severity level for logging to a syslog server.
CONFIGURATION mode
logging trap level
• Specify the minimum severity level for logging to the syslog history table.
CONFIGURATION mode
logging history level
• Specify the size of the logging buffer.
Apr 26 11:51:01: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/48
Apr 26 11:48:57: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/56
Apr 26 11:48:47: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/48
Apr 26 11:43:52: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/48
Apr 26 11:43:43: %S5000:1 %I
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#

Synchronizing Log Messages

You can configure Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear.
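The following Python is an added example, not Dell Networking OS code, that parses log lines in the format shown above and applies the severity threshold semantics shared by the logging console, logging monitor and logging trap commands: a destination receives a message only when its numeric severity is at or below the configured level. It also counts link-down events per stack port, the kind of check an operator runs when the buffer above shows a port going down twice in ten minutes. The sample input reuses the four IFAGT messages from this page; the two lines with facility EXAMPLE, and their mnemonics, are constructed for illustration and are not real Dell Networking OS messages.

```python
import re
from dataclasses import dataclass

# Severity keywords accepted by "logging {console|monitor|trap|history} level";
# a configured level keeps every message whose numeric severity is <= that level.
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Message layout as shown on this page:
#   Mon dd hh:mm:ss: %PLATFORM:unit %FACILITY-SEVERITY-MNEMONIC: free text
MSG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d): "
    r"%(?P<platform>[A-Z0-9]+):(?P<unit>\d+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass(frozen=True)
class Message:
    timestamp: str
    unit: int
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_message(line):
    """Split one Dell Networking OS log line into its fields; reject anything else."""
    m = MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Dell Networking OS log line: {line!r}")
    return Message(f"{m['month']} {m['day']} {m['time']}", int(m["unit"]), m["facility"],
                   int(m["severity"]), m["mnemonic"], m["text"])


def filter_by_level(lines, level):
    """Keep messages at or below the configured level (keyword or 0-7), as a logging destination would."""
    threshold = SEVERITIES[level] if isinstance(level, str) else int(level)
    return [msg for msg in map(parse_message, lines) if msg.severity <= threshold]


def port_flaps(messages):
    """Count link-down events per stack port from IFAGT messages; repeated downs mark a flapping link."""
    counts = {}
    for msg in messages:
        if msg.facility == "IFAGT" and msg.mnemonic.endswith("_LINK_DOWN"):
            port = msg.text.rsplit(" ", 1)[-1]
            counts[port] = counts.get(port, 0) + 1
    return counts


# Constructed sample: four lines taken from this page plus two made-up lines
# (facility EXAMPLE and its mnemonics are not real Dell Networking OS messages).
SAMPLE_LINES = [
    "Apr 26 11:51:01: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/48",
    "Apr 26 11:48:57: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/56",
    "Apr 26 11:48:47: %S5000:1 %IFAGT-5-STACK_PORT_LINK_UP: Changed stack port state to up: 1/48",
    "Apr 26 11:43:52: %S5000:1 %IFAGT-5-STACK_PORT_LINK_DOWN: Changed stack port state to down: 1/48",
    "Apr 26 11:40:00: %S5000:1 %EXAMPLE-3-SAMPLE_ERROR: constructed error-level line",
    "Apr 26 11:39:00: %S5000:1 %EXAMPLE-7-SAMPLE_DEBUG: constructed debug-level line",
]

if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_LINES, "warnings"):
        print("reaches a server configured with logging trap warnings:", msg.mnemonic)
    print("link-down counts by port:", port_flaps(list(map(parse_message, SAMPLE_LINES))))
```

With logging trap warnings only the severity-3 line would reach the syslog server; the IFAGT link events are severity 5 and need logging trap notifications or higher to be exported, which is worth checking before relying on the server for stack-port history.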
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.

File Transfer Services

With Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces. For more information about FTP, refer to RFC 959, File Transfer Protocol. FTP carries credentials and file contents in cleartext, so restrict the FTP server to a management network and keep the server disabled when it is not in use.
Configure the following optional and required parameters:
• username: enter a text string.
• encryption-type: enter 0 for plain text or 7 for encrypted text. Type 7 hides the password in the displayed configuration; it is not a one-way hash, so protect configuration files that contain it.
• password: enter a text string.

NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.

To view the FTP configuration, use the show running-config ftp command in EXEC Privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
• Apply an ACL to a VTY line.
LINE mode
ip access-class access-list

Example of an ACL that Permits Terminal Access

To view the configuration, use the show config command in LINE mode. Because a standard ACL ends with an implicit deny, this configuration allows terminal access on vty 0 only from 10.11.0.1.

Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
  seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
  access-class myvtyacl

Dell Networking OS Behavior: Prior to Dell Networking OS version 7.4.2.
Example of Terminal Line Authentication

In the following example, VTY lines 0 through 2 use a single authentication method, line.
Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.

Example of the telnet Command for Device Access

Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
Dell>exit
Dell#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
NOTE: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, you are denied access when you attempt to re-enter CONFIGURATION mode, even though you are the one who configured the lock.

NOTE: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.
3 Hit any key to abort the boot process. You enter uBoot immediately, as indicated by the => prompt.
(during bootup) hit any key
4 Set the system parameters to ignore the enable password when the system reloads.
BOOT USER mode
ignore enable-password
5 Reload the system.
BOOT USER mode
reload
6 Configure a new enable password.
CONFIGURATION mode
enable {password | secret | sha256-password}
7 Save the running-config to the startup-config.

This procedure requires console access and a reload, which means anyone with physical access to the console port can reset the enable password; control physical access to the console accordingly.
5 802.1X

802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 4. EAP Frames Encapsulated in Ethernet and RADIUS

The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network.
• Guest and Authentication-Fail VLANs
• Configuring dot1x Profile
• Configuring the Static MAB and MAB Profile
• Configuring Critical VLAN

The Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Request Identity frame.
2 The supplicant responds with its identity in an EAP Response Identity frame.
Figure 6. EAP Over RADIUS

RADIUS Attributes for 802.1X Support

Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages (attribute numbers as assigned in RFC 2865):
Attribute 31 Calling-Station-Id: relays the supplicant MAC address to the authentication server.
Attribute 61 NAS-Port-Type: the physical type of the NAS port. 15 indicates Ethernet.
Attribute 5 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X

Figure 7. 802.1X Enabled

1 Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3 Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication

Example of Verifying that 802.1X is Enabled Globally
Example of Verifying 802.1X is Enabled on an Interface

Verify that 802.
The following lines show that 802.1X is enabled.

Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
  no ip address
  dot1x authentication
  no shutdown
!
Dell#

View 802.1X configuration information for an interface using the show dot1x interface command. The following output shows that 802.1X is enabled on the interface; ports are unauthorized by default.

Dell#show dot1x interface TenGigabitEthernet 2/1
802.
  mac 00:50:56:aa:01:11
Dell(conf-dot1x-profile)#
Dell(conf-dot1x-profile)#exit
Dell(conf)#

Configuring Request Identity Re-Transmissions

If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator retransmits are configurable.
• re-transmits an EAP Request Identity frame after 90 seconds, and a maximum of 10 times, for an unresponsive supplicant

The following lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.

Dell(conf-if-range-te-0/0)#dot1x tx-period 90
Dell(conf-if-range-te-0/0)#dot1x max-eap-req 10
Dell(conf-if-range-te-0/0)#dot1x quiet-period 120
Dell#show dot1x interface TenGigabitEthernet 2/1
802.
Untagged VLAN id:      None
Tx Period:             90 seconds
Quiet Period:          120 seconds
ReAuth Max:            2
Supplicant Timeout:    30 seconds
Server Timeout:        30 seconds
Re-Auth Interval:      3600 seconds
Max-EAP-Req:           10
Auth Type:             SINGLE_HOST
Auth PAE State:        Initialize
Backend State:         Initialize
Auth PAE State:        Initialize
Backend State:         Initialize

Re-Authenticating a Port

You can configure the authenticator for periodic re-authentication.
Auth PAE State:        Initialize
Backend State:         Initialize

Configuring Timeouts

If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response. To set these timeouts, use the following commands.
• Terminate the authentication process due to an unresponsive supplicant.
Configuring Dynamic VLAN Assignment with Port Authentication

Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID (RFC 2868); the attribute's string value may be preceded by a one-byte tag, which is not part of the VLAN identifier.
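The following Python is an added example, not Dell Networking OS or RADIUS-server code, that encodes the attributes listed under RADIUS Attributes for 802.1X Support as RADIUS type-length-value fields and decodes the Tunnel-Private-Group-ID (attribute 81) that drives dynamic VLAN assignment, including stripping the RFC 2868 tag byte that precedes the VLAN string. The attribute numbers are the IANA values from RFC 2865 and RFC 2868; the EAP Response/Identity payload, the port index, and the text form of the MAC in Calling-Station-Id are assumptions made for the example.

```python
import struct

# Attribute type codes from RFC 2865 and RFC 2868 (IANA-registered values).
CALLING_STATION_ID = 31
NAS_PORT = 5
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

NAS_PORT_TYPE_ETHERNET = 15   # value this page says the authenticator sends
TUNNEL_TYPE_VLAN = 13         # RFC 3580: VLAN assignment via the tunnel attributes
TUNNEL_MEDIUM_IEEE802 = 6


def encode_attr(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes the header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_int(attr_type, n):
    return encode_attr(attr_type, struct.pack("!I", n))


def encode_tagged_int(attr_type, tag, n):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return encode_attr(attr_type, bytes([tag]) + struct.pack("!I", n)[1:])


def encode_tagged_string(attr_type, tag, text):
    return encode_attr(attr_type, bytes([tag]) + text.encode("ascii"))


def decode_attrs(blob):
    """Walk a TLV sequence into [(type, value)], refusing truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_attrs(attrs):
    """VLAN assigned through Tunnel-Private-Group-ID (attribute 81).
    Per RFC 2868 a first byte of 0x00..0x1F is a tag, not part of the VLAN name."""
    for attr_type, value in attrs:
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            payload = value[1:] if value[0] <= 0x1F else value
            return int(payload.decode("ascii"))
    return None


def build_dot1x_request_attrs(supplicant_mac, port_index, eap_payload):
    """Attributes the authenticator puts in an 802.1X-triggered Access-Request
    (the text form of the MAC in Calling-Station-Id is an assumption here)."""
    return b"".join([
        encode_attr(CALLING_STATION_ID, supplicant_mac.lower().encode("ascii")),
        encode_int(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET),
        encode_int(NAS_PORT, port_index),
        encode_attr(EAP_MESSAGE, eap_payload),
    ])


def build_vlan_accept_attrs(vlan_id, tag=1):
    """Attributes an authentication server returns in Access-Accept to assign a VLAN."""
    return b"".join([
        encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802),
        encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)),
    ])


# Constructed EAP Response/Identity: code 2, identifier 1, length 10, type 1, identity "alice"
EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"

if __name__ == "__main__":
    request = build_dot1x_request_attrs("00:50:56:aa:01:11", 1, EAP_IDENTITY)
    print(decode_attrs(request))
    print("assigned VLAN:", vlan_from_attrs(decode_attrs(build_vlan_accept_attrs(200))))
```

A decoder that forgets the tag byte reads "\x01200" instead of "200" and fails the VLAN assignment; a decoder that trusts the Length field without bounding it against the packet is the classic RADIUS parsing bug, which is why decode_attrs rejects lengths below 3 or past the end of the buffer.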
Guest and Authentication-Fail VLANs

Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data.

NOTE: Ports cannot be dynamically assigned to the default VLAN.
Example of Configuring an Authentication-Fail VLAN

Dell(conf-if-te-2/1)#dot1x guest-vlan 200
Dell(conf-if-te-2/1)#show config
!
interface TenGigabitEthernet 2/1
  switchport
  dot1x authentication
  dot1x guest-vlan 200
  no shutdown
Dell(conf-if-te-2/1)#
Dell(conf-if-te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
Dell(conf-if-te-2/1)#show config
!
interface TenGigabitEthernet 2/1
  switchport
  dot1x authentication
  dot1x guest-vlan 200
  dot1x auth-fail-vlan 100 max-attempts 5
  no shutdown
Dell(conf-if-Te-2/1)#

View you
profile-name: enter the dot1x profile name. The profile name length is limited to 32 characters.

Example of Configuring and Displaying a dot1x Profile

Dell(conf)#dot1x profile test
Dell(conf-dot1x-profile)#

Dell#show dot1x profile
802.1x profile information
----------------------------
Dot1x Profile test
Profile MACs
  00:00:00:00:01:11

Configuring the Static MAB and MAB Profile

Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static MAB. Because a MAC address is easily spoofed, treat MAB as a weaker control than 802.1X and limit it to devices that cannot run a supplicant.
Auth PAE State:        Authenticated
Backend State:         Idle

Configuring Critical VLAN

By default, a critical VLAN is not configured. If authentication fails because the authentication server is not reachable, the user session is placed in the critical VLAN. To configure a critical VLAN for users or devices when the authenticating server is not reachable, use the following command. Sessions in the critical VLAN have not been authenticated, so give that VLAN only the access an unauthenticated device should have.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

This section describes the access control list (ACL) virtual local area network (VLAN) group and content addressable memory (CAM) enhancements.

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
• The ACL VLAN group is deleted and it does not contain VLAN members.
• The ACL is applied to or removed from a group and the ACL group does not contain a VLAN member.
• The description of the ACL group is added or removed.

Guidelines for Configuring ACL VLAN Groups

Keep the following points in mind when you configure ACL VLAN groups:
• The interfaces where you apply the ACL VLAN group function as restricted interfaces.
description description
3 Apply an egress IP ACL to the ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
ip access-group {group name} out implicit-permit
The implicit-permit keyword replaces the ACL's usual implicit deny with an implicit permit for traffic that matches no rule; omit it when the group must deny by default.
4 Add VLAN member(s) to an ACL VLAN group.
CONFIGURATION (conf-acl-vl-grp) mode
member vlan {VLAN-range}
5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
EXEC Privilege mode

Dell#show cam-usage switch
Stackunit|Portpipe| CAM Partition   | Total CAM  | Used CAM   |Available CAM
========|========|=================|============|============|=============
   1    |   0    | IN-L2 ACL       |    1536    |     0      |    1536
        |        | OUT-L2 ACL      |     206    |     9      |     197
Codes: * - cam usage is above 90%.

Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode.
   2    |   0    | IN-L2 ACL       |            |            |
        |        | IN-L3 ACL       |            |            |
        |        | IN-V6 ACL       |            |            |
        |        | OUT-L2 ACL      |            |            |
        |        | OUT-L3 ACL      |            |            |
        |        | OUT-V6 ACL      |            |            |
   3    |   0    | IN-L2 ACL       |            |            |
        |        | IN-L3 ACL       |            |            |
        |        | IN-V6 ACL       |            |            |
        |        | OUT-L2 ACL      |            |            |
        |        | OUT-L3 ACL      |            |            |
        |        | OUT-V6 ACL      |            |            |
Codes: * - cam usage is above 90%.
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. Neither ACL VLAN groups nor CAM optimization is enabled by default. You must also allocate the slices for CAM optimization. To display the number of FP blocks allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage.
7 Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps. The S5000 switch supports:
• Access control lists (ACLs)
  • Ingress IP and MAC ACLs
  • Egress IP and MAC ACLs

At their simplest, ACLs permit or deny traffic based on MAC and/or IP addresses, and prefix lists and route-maps permit or deny routes. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• IP protocol number
• Source IP address
• Destination IP address
• Source TCP port number
• Destination TCP port number
• Source UDP port number
• Destination UDP port number

For more information about ACL options, refer to the Dell Networking OS Command Line Reference Guide. For extended ACL TCP and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions.
• iSCSI Opt ACL (iscsioptacl): 0

Enter the ipv6acl allocation as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even-numbered or odd-numbered ranges. Save the new CAM settings to the startup-config (use write-mem or copy run start), then reload the system for the new settings to take effect. For more information, refer to Re-allocating CAM for Ingress ACLs and QoS.
  VmanDualQos : 0    0
  EcfmAcl     : 0    0
  FcoeAcl     : 0    0
  iscsiOptAcl : 0    0
  ipv4pbr     : 0    2
  vrfv4Acl    : 0    2
  Openflow    : 0    0
  fedgovacl   : 0    0

-- Stack unit 0 --
              Current Settings(in block sizes)  Next Boot(in block sizes)
1 block = 128 entries
  L2Acl       : 6    4
  Ipv4Acl     : 4    2
  Ipv6Acl     : 0    0
  Ipv4Qos     : 2    2
  L2Qos       : 1    1
  L2PT        : 0    0
  IpMacAcl    : 0    0
  VmanQos     : 0    0
  VmanDualQos : 0    0
  EcfmAcl     : 0    0
  FcoeAcl     : 0    0
  iscsiOptAcl : 0    0
  ipv4pbr     : 0    2
  vrfv4Acl    : 0    2
  Openflow    : 0    0
  fedgovacl   : 0    0
Dell(conf)#

Example of Viewing CAM-ACL Settings

NOTE: If
  IpMacAcl    : 0
  VmanQos     : 0
  VmanDualQos : 0
  EcfmAcl     : 0
  FcoeAcl     : 0
  iscsiOptAcl : 0
  ipv4pbr     : 0
  vrfv4Acl    : 0
  Openflow    : 0
  fedgovacl   : 0

-- Stack unit 7 --
              Current Settings(in block sizes)
1 block = 128 entries
  L2Acl       : 6
  Ipv4Acl     : 4
  Ipv6Acl     : 0
  Ipv4Qos     : 2
  L2Qos       : 1
  L2PT        : 0
  IpMacAcl    : 0
  VmanQos     : 0
  VmanDualQos : 0
  EcfmAcl     : 0
  FcoeAcl     : 0
  iscsiOptAcl : 0
  ipv4pbr     : 0
  vrfv4Acl    : 0
  Openflow    : 0
  fedgovacl   : 0
Dell#

View CAM Usage

View the amount of CAM space available, used, and remaining in each partition (inclu
%EX2YD:12 %DIFFSERV-2-DSA_QOS_CAM_INSTALL_FAILED: Not enough space in L3 Cam(PolicyQos) for class 5 (Te 1/22) entries on portpipe 1 for linecard 1

If you exceed the QoS CAM space, follow these steps.
1 Verify that you have configured a CAM profile that allocates 24 K entries to the IPv4 system flow region.
2 Allocate more entries in the IPv4Flow region to QoS.

Dell Networking OS supports the ability to view the actual CAM usage before applying a service-policy.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. Dell Networking OS writes ACL rules with lower order numbers (closer to 0) to the CAM before rules with higher order numbers, so that packets are matched as you intended. By default, all ACL rules have an order of 254.
Example of Denying Second and Subsequent Fragments

To deny the second and subsequent fragments, use the same rules in a different order. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.
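The following Python is an added example, not Dell Networking OS code, that models how an ACL like ABC is evaluated: first match wins in programming order, a rule carrying the fragments keyword matches only second and subsequent fragments, a rule without it matches every fragment, and an unmatched packet hits the implicit deny. It holds both orderings of the two rules discussed here, so the case where the permit shadows the deny is visible in the output. The ordering key (order keyword first, then sequence number), the packets, and the source address 192.0.2.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"; "ip" matches any protocol
    src: str                 # "any" or a CIDR such as 10.1.1.1/32
    dst: str
    fragments: bool = False  # "fragments" keyword: match second and later fragments only
    order: int = 254         # "order" keyword: lower values are written to CAM first


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int = 0     # 0 for unfragmented packets and for the first fragment


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    # A rule carrying "fragments" never matches the initial fragment or an unfragmented packet;
    # a rule without it matches every fragment, which is how a permit can shadow the deny.
    return not (rule.fragments and pkt.frag_offset == 0)


def cam_order(acl):
    """Programming order used for matching (assumed here: order keyword first, then sequence)."""
    return sorted(acl, key=lambda r: (r.order, r.seq))


def evaluate(acl, pkt):
    """First matching rule wins; the ACL ends with an implicit deny (returned with seq None)."""
    for rule in cam_order(acl):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# The ACL "ABC" from this page: deny non-initial fragments to 10.1.1.1, permit everything else to it.
ACL_ABC = [
    Rule(5, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
    Rule(10, "permit", "ip", "any", "10.1.1.1/32"),
]
# The same two rules in the opposite order: the permit shadows the deny, so fragments get through.
ACL_SHADOWED = [
    Rule(5, "permit", "ip", "any", "10.1.1.1/32"),
    Rule(10, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
]

# Constructed packets: the first fragment (offset 0) and a later fragment of the same datagram.
FIRST_FRAGMENT = Packet("tcp", "192.0.2.10", "10.1.1.1", frag_offset=0)
LATER_FRAGMENT = Packet("tcp", "192.0.2.10", "10.1.1.1", frag_offset=185)

if __name__ == "__main__":
    for name, acl in (("ABC", ACL_ABC), ("shadowed", ACL_SHADOWED)):
        print(name, "first:", evaluate(acl, FIRST_FRAGMENT), "later:", evaluate(acl, LATER_FRAGMENT))
```

Running it shows ABC permitting the first fragment at seq 10 and denying the later one at seq 5, while the shadowed ordering permits both, which is the behaviour the text warns about.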
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)#

Configure a Standard IP ACL

To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL. A standard IP ACL uses the source IP address as its match criterion.
1 Enter IP ACCESS LIST mode by naming a standard IP access list.
Configuring a Standard IP ACL Filter

If you are creating a standard ACL with only one or two filters, you can let Dell Networking OS assign a sequence number based on the order in which the filters are configured. The software assigns sequence numbers in multiples of five.
1 Configure a standard IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list standard access-list-name
2 Configure a drop or forward IP ACL filter.
Configuring Filters with a Sequence Number

To configure filters with a sequence number, use the following commands.
1 Enter IP ACCESS LIST mode by creating an extended IP ACL.
CONFIGURATION mode
ip access-list extended access-list-name
2 Configure a drop or forward filter.
{deny | permit} udp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]

When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details. Traffic crafted to match a logged rule can therefore load the control plane, so use log only on narrowly scoped rules. The following example shows an extended IP ACL in which the software assigned the sequence numbers.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. An L3 ACL applied to such a port does not affect traffic; existing rules for other features (such as trace-list, policy-based routing [PBR], and QoS) are still applied to the permitted traffic. For information about MAC ACLs, refer to Layer 2.

Assign an IP ACL to an Interface

To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel interface, or a VLAN.
  ip access-group nimule in
  no shutdown
Dell(conf-if)#

To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.

Counting ACL Hits

You can view the number of packets matching the ACL by using the count option when creating ACL entries.
1 Create an ACL that uses rules with the count option. Refer to Configuring a Standard IP ACL Filter.
2 Apply the ACL as an inbound or outbound ACL on an interface. Refer to Assign an IP ACL to an Interface.
To restrict egress traffic, use an egress ACL. For example, when denial of service (DoS) attack traffic is isolated to a specific interface, you can apply an egress ACL to block the flow from exiting the box, thus protecting downstream devices. To create an egress ACL, apply the ip access-group command with the out keyword in INTERFACE mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
Configure ACLs to Loopback

You can apply ACLs on a Loopback interface. Configuring ACLs onto the CPU through a Loopback interface protects the system infrastructure from attack, malicious and incidental, by explicitly allowing only authorized traffic. The ACLs on Loopback interfaces are applied only to the CPU on the stack unit; this eliminates the need to apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it is a simpler implementation.
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on Loopback 0
  seq 5 permit tcp any any
  seq 10 deny icmp any any

For more information, refer to the VTY Line Local Authentication and Authorization section in the Security chapter.

IP Prefix Lists

IP prefix lists control routing policy.
• Applying a Prefix List for Route Redistribution

For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command Line Interface Reference Guide.

Creating a Prefix List

To create a prefix list, use the following commands.
1 Create a prefix list and assign it a unique name. You are now in PREFIX LIST mode.
CONFIGURATION mode
ip prefix-list prefix-name
2 Create a prefix list with a sequence number and a deny or permit action.
ip prefix-list prefix-name
2 Create a prefix list filter with a deny or permit action.
CONFIG-NPREFIXL mode
{deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: the minimum prefix length to be matched (from 0 to 32).
• le max-prefix-length: the maximum prefix length to be matched (from 0 to 32).
Without ge or le, the filter matches only a route whose prefix length equals that of ip-prefix.
  count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
  count: 4, range entries: 1, sequences: 5 - 10
Dell>

Applying a Prefix List for Route Redistribution

To use a configured prefix list, reference it in a route redistribution command. The prefix list is applied to all routes redistributed into the routing process; each route is either redistributed or filtered, depending on the criteria and actions specified in the prefix list.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name out [connected | rip | static]

Example of Viewing Configured Prefix Lists (ROUTER OSPF mode)

To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode.

Dell(conf-router_ospf)#show config
!
router ospf 34
  network 10.2.1.1 255.255.255.255 area 0.0.0.
• IPv4 or IPv6 prefix-list
EXEC mode
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}

Example of Resequencing ACLs When Remarks and Rules Have the Same Number
Example of Resequencing ACLs When Remarks and Rules Have Different Numbers

The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2.
Route Maps

Similar to ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action; however, route maps can also modify the routes that meet the criterion, whereas ACLs and prefix lists can only drop or forward a packet or route. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric. Route maps also have an "implicit deny".
route-map map-name [permit | deny] [sequence-number]
The default is permit. The optional sequence-number allows you to assign a sequence number to the route map instance.

Example of Viewing a Configured Route Map
Example of Matching Instances of a Route-Map
Example of Deleting Instances of a Route Map
Example of Viewing All Instances of a Specified Route Map

The default action is permit and the default sequence number starts at 10.
  tag 3444
Dell#

To delete a route map, use the no route-map map-name command in CONFIGURATION mode.

Configure Route Map Filters

Within ROUTE-MAP mode, there are match and set commands.
• match commands search for a certain criterion in the routes.
• set commands change the characteristics of routes, either adding something or specifying a level.
• Match routes with COMMUNITY list attributes in their path.
CONFIG-ROUTE-MAP mode
match community community-list-name [exact]
• Match routes whose next hop is a specific interface.
CONFIG-ROUTE-MAP mode
match interface interface
The parameters are:
• For a Loopback interface, enter the keyword loopback then a number between zero (0) and 16383.
• For a port channel interface, enter the keywords port-channel then a number.
match tag tag-value

To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low. Set commands do not require a corresponding match command.

Configuring Set Conditions

To configure a set condition, use the following commands.
• Add an AS-PATH number to the beginning of the AS-PATH.
CONFIG-ROUTE-MAP mode
set as-path prepend as-number [...
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.

Configure a Route Map for Route Redistribution

Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Continue Clause

Normally, when a match is found, the set clauses are executed and the route is accepted; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map "test" module 10, module 30 is processed.
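The following Python is an added example, not Dell Networking OS code, that implements the two evaluation models described in this chapter: the prefix-list ge/le matching and implicit deny from Creating a Prefix List, and the route-map module walk with match, set, continue and implicit deny described here. The prefix list's entries, the route map's modules, and the routes fed through it are constructed; the route map follows the shape of the "test" example above (module 10 continues to module 30, skipping module 20). Two assumptions about continue are made explicit in the code: continue never jumps backwards, and a matched permit whose continue target does not exist still accepts the route.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # minimum prefix length to match
    le: Optional[int] = None    # maximum prefix length to match


def prefix_entry_matches(entry, route_prefix):
    """Route matches when it lies inside entry.prefix and its length is in the ge/le window.
    With neither ge nor le the match is exact; ge alone opens the window up to the maximum length."""
    net = ipaddress.ip_network(entry.prefix)
    route = ipaddress.ip_network(route_prefix)
    if route.version != net.version or not route.subnet_of(net):
        return False
    low = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        high = entry.le
    else:
        high = net.max_prefixlen if entry.ge is not None else net.prefixlen
    return low <= route.prefixlen <= high


def prefix_list_action(entries, route_prefix):
    """Lowest sequence that matches decides; an unmatched route hits the implicit deny."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if prefix_entry_matches(entry, route_prefix):
            return entry.action
    return "deny"


NEXT = 0   # sentinel: "continue" with no sequence number goes to the next module


@dataclass(frozen=True)
class RouteMapEntry:
    seq: int
    action: str = "permit"
    match_prefix_list: Optional[List[PrefixEntry]] = None
    match_tag: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None
    continue_to: Optional[int] = None   # None: stop here; NEXT or a later sequence number


@dataclass
class Route:
    prefix: str
    metric: int = 0
    tag: int = 0


def entry_matches(entry, route):
    """A module with no match clauses matches every route."""
    if entry.match_prefix_list is not None and \
            prefix_list_action(entry.match_prefix_list, route.prefix) != "permit":
        return False
    return entry.match_tag is None or route.tag == entry.match_tag


def apply_route_map(entries, route):
    """Return (accepted, route) after walking the modules in sequence order: a matched permit
    runs its set clauses and stops unless it carries continue, a matched deny drops the route,
    and no match at all is the implicit deny."""
    route = replace(route)
    modules = sorted(entries, key=lambda e: e.seq)
    i, matched = 0, False
    while i < len(modules):
        module = modules[i]
        if not entry_matches(module, route):
            i += 1
            continue
        if module.action == "deny":
            return False, route
        matched = True
        if module.set_metric is not None:
            route.metric = module.set_metric
        if module.set_tag is not None:
            route.tag = module.set_tag
        if module.continue_to is None:
            break
        if module.continue_to == NEXT:
            i += 1
        else:  # forward jumps only; a missing target ends processing with the route accepted
            later = [k for k in range(i + 1, len(modules)) if modules[k].seq == module.continue_to]
            if not later:
                break
            i = later[0]
    return matched, route


# Constructed prefix list: permit 10/8 subnets between /16 and /24, deny any other 10/8 route.
FILTER_OSPF = [
    PrefixEntry(5, "permit", "10.0.0.0/8", ge=16, le=24),
    PrefixEntry(10, "deny", "10.0.0.0/8", le=32),
]
# Route map in the shape of "test": module 10 matches and continues to 30, 20 is skipped, 30 sets a tag.
ROUTE_MAP_TEST = [
    RouteMapEntry(10, match_prefix_list=FILTER_OSPF, set_metric=20, continue_to=30),
    RouteMapEntry(20, match_tag=999, set_tag=1),
    RouteMapEntry(30, set_tag=3444),
]

if __name__ == "__main__":
    print(apply_route_map(ROUTE_MAP_TEST, Route("10.2.0.0/16")))
    print(apply_route_map(ROUTE_MAP_TEST, Route("10.1.1.1/32")))
```

Note what module 30 does: because it has no match clause it matches every route, so a host route the prefix list rejects in module 10 is still accepted and tagged by module 30. A catch-all module at the end of a route map silently turns an intended filter into a permit-all, which is the review point when auditing redistribution policy.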
8 Bidirectional Forwarding Detection (BFD)

BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
NOTE: A session state change from Up to Down is the only state change that triggers a link state change in the routing protocol client.

BFD Packet Format

Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.

Figure 9. BFD in IPv4 Packet Format

Field                  Description
Diagnostic Code        The reason that the last session failed.
State                  The current local session state.
Detection Multiplier   The number of packets that must be missed to declare a session down.
Length                 The entire length of the BFD packet.
My Discriminator       A random number the local system generates to identify the session.
Your Discriminator     A random number the remote system generates to identify the session.

Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
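The following Python is an added example, not Dell Networking OS code, that builds and parses the 24-byte mandatory section of a BFD control packet as laid out in RFC 5880 and computes the asynchronous-mode detection time from the fields listed above. The parser applies the RFC 5880 receive-side checks (nonzero Detect Mult and My Discriminator, Your Discriminator zero only in Down or AdminDown, Multipoint bit clear, Length consistent with the packet), which is where the discriminators earn their keep: a packet that fails them is discarded before it can touch any session. The sample packet is constructed to match the 100 ms intervals and multiplier 3 shown in the show bfd neighbors output later in this chapter.

```python
import struct
from dataclasses import dataclass

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: int
    poll: bool
    final: bool
    control_plane_independent: bool
    auth_present: bool
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx: int        # microseconds
    required_min_rx: int       # microseconds
    required_min_echo_rx: int  # microseconds


def build_bfd(state, detect_mult, my_disc, your_disc, tx_us, rx_us, diag=0, poll=False, final=False):
    """Serialize a 24-byte RFC 5880 control packet (version 1, no authentication section)."""
    byte0 = (1 << 5) | (diag & 0x1F)
    byte1 = (state << 6) | (int(poll) << 5) | (int(final) << 4)
    return struct.pack("!BBBBIIIII", byte0, byte1, detect_mult, 24, my_disc, your_disc, tx_us, rx_us, 0)


def parse_bfd(data):
    """Decode a control packet and apply the receive checks of RFC 5880 section 6.8.6."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = struct.unpack("!BBBBIIIII", data[:24])
    version = b0 >> 5
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length < 24 or length > len(data):
        raise ValueError("Length field inconsistent with packet size")
    auth_present = bool(b1 & 0x04)
    if auth_present and length < 26:
        raise ValueError("A bit set but no room for an authentication section")
    if mult == 0:
        raise ValueError("Detect Mult must be nonzero")
    if b1 & 0x01:
        raise ValueError("Multipoint bit must be zero")
    if my_disc == 0:
        raise ValueError("My Discriminator must be nonzero")
    state = b1 >> 6
    if your_disc == 0 and state not in (0, 1):
        raise ValueError("Your Discriminator may be zero only in AdminDown or Down")
    return BfdControl(version, b0 & 0x1F, state, bool(b1 & 0x20), bool(b1 & 0x10), bool(b1 & 0x08),
                      auth_present, bool(b1 & 0x02), False, mult, length, my_disc, your_disc, tx, rx, echo)


def detection_time_us(local_required_min_rx, remote):
    """Asynchronous-mode detection time: the remote Detect Mult times the remote's effective
    transmit interval, which is the larger of our Required Min RX and its Desired Min TX."""
    return remote.detect_mult * max(local_required_min_rx, remote.desired_min_tx)


# Constructed packet matching the session shown in this chapter: Rx/Tx 100 ms, multiplier 3, Up.
SAMPLE_UP = build_bfd(state=3, detect_mult=3, my_disc=1, your_disc=2, tx_us=100_000, rx_us=100_000)

if __name__ == "__main__":
    pkt = parse_bfd(SAMPLE_UP)
    print(STATE_NAMES[pkt.state], "detection time ms:", detection_time_us(100_000, pkt) / 1000)
```

With both sides at 100 ms and a multiplier of 3 the session is declared down after 300 ms of silence; raising the local Required Min RX to 250 ms stretches that to 750 ms, because the remote side slows its transmissions to the larger of the two values.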
NOTE: Dell Networking OS supports Asynchronous mode only.

A session can have four states: Administratively Down, Down, Init, and Up.
Administratively Down   The local system does not participate in a particular session.
Down                    The remote system is not sending control packets, or at least not within the detection time for a particular session.
Init                    The local system is communicating.
Up                      Both systems are exchanging control packets.
Figure 10.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
• Configure BFD for BGP
• Configuring Protocol Liveness
• Troubleshooting BFD

Configure BFD for Physical Ports

Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
3 Configure an IP route to connect BFD on the static routes using the ip route bfd command.

Related Configuration Tasks
• Changing Static Route Session Parameters
• Disabling BFD for Static Routes

Establishing Sessions for Static Routes

Sessions are established for all neighbors that are the next hop of a static route.

Figure 12. Establishing Sessions for Static Routes

To establish a BFD session, use the following command.
Establishing Static Route Sessions on Specific Neighbors

You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list. When you establish a BFD session using the ip route bfd command, all the next-hop neighbors in the static route become part of the BFD session. Starting with Dell Networking OS release 9.11.0.0, you can enable BFD sessions on specific next-hop neighbors. You can specify the next-hop neighbors to be part of a BFD session by including them in a prefix-list.
• Change parameters for all static route sessions.
CONFIGURATION mode
ip route bfd [prefix-list prefix-list-name] interval milliseconds min_rx milliseconds multiplier value role [active | passive]

To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.

Disabling BFD for Static Routes

If you disable BFD, all static route BFD sessions are torn down.
protocol-liveness

Enable BFD protocol-liveness

Dell(conf)#bfd enable
Dell(conf)#do show running-config bfd
!
bfd enable
Dell(conf)#

Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once, or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 13.
INTERFACE mode
ip ospf bfd all-neighbors

Example of Verifying Sessions with OSPF Neighbors

To view the established sessions, use the show bfd neighbors command. The last line shows the OSPF BFD session.

Dell(conf-router_ospf)#bfd all-neighbors
Dell(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr   RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2   2.2.2.
INTERFACE mode ip ospf bfd all-neighbors disable Configure BFD for IS-IS When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the stack unit notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1 Enable BFD globally.
Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or for all neighbors out of a specific interface. Figure 14. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode bfd all-neighbors • Establish sessions with IS-IS neighbors on a single interface.
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1 Up 100 100 3 I
Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or for all IS-IS sessions out of an interface.
Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature.
• By establishing BFD sessions with BGP discovering all neighbors (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
configured for the peer group to which the neighbor belongs. Also, the neighbor only inherits the global timer values configured with the bfd all-neighbors command (interval, min_rx, and multiplier). 6 Repeat Steps 1 to 5 on each BGP peer participating in a BFD session. Disabling BFD for BGP You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command.
EXEC Privilege mode show bfd neighbors [interface] [detail] • Check whether BFD is enabled for BGP connections. EXEC Privilege mode show ip bgp summary Displays routing information exchanged with BGP neighbors, including BFD for BGP sessions.
Actual parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Role: Active Delete session on Down: True Client Registered: BGP Uptime: 00:07:55 Statistics: Number of packets received from neighbor: 4762 Number of packets sent to neighbor: 4490 Number of state changes: 2 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
Up : 1
Down : 0
Admin Down : 2
The bold line shows the message displayed when you enable BFD for BGP connections.
Dell# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
1.1.1.2 2.2.2.2 3.3.3.
BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ... R2# show ip bgp neighbors 2.2.2.4 BGP neighbor is 2.2.2.4, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ...
2.2.2.2 on interface Gi 4/24 (diag: 0) The following example displays hexadecimal output from the debug bfd packet command. RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24 TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Received packet for session with neighbor 2.2.2.
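The two packet dumps above can be decoded by hand against the BFD control packet layout, and the Actual parameters that show bfd neighbors detail reports follow from the decoded fields. The following is an added example and not Dell Networking OS code: it parses the RX and TX dumps from the debug bfd packet output (copied into the script as constructed input), checks that the discriminators pair up, and computes the transmit interval and detection time from the Desired Min TX, Required Min RX and Detect Mult values using the RFC 5880 rules.

```python
"""BFD control packet decoder and detection-time calculator.

Added example, not Dell Networking OS code. It decodes the RX and TX packet
dumps printed by the debug bfd packet command above (copied here as constructed
input), using the mandatory-section layout of RFC 5880 section 4.1, and then
derives the transmit interval and detection time that follow from the
negotiated Desired Min TX, Required Min RX and Detect Mult values.
"""
import struct

# RFC 5880 session states, carried in bits 7-6 of the second byte.
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

# The two dumps from the debug bfd packet example on this page.
RX_DUMP = "20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00"
TX_DUMP = "20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00"


def parse_bfd_control(hexdump):
    """Decode the 24-byte mandatory section of a BFD control packet."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 24:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    (vers_diag, state_flags, detect_mult, length,
     my_disc, your_disc, tx_us, rx_us, echo_us) = struct.unpack("!BBBBIIIII", raw[:24])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes on the wire")
    if vers_diag >> 5 != 1:
        raise ValueError(f"unsupported BFD version {vers_diag >> 5}")
    return {
        "version": vers_diag >> 5,
        "diag": vers_diag & 0x1F,
        "state": STATES[state_flags >> 6],
        "poll": bool(state_flags & 0x20),
        "final": bool(state_flags & 0x10),
        "detect_mult": detect_mult,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        # Intervals are carried in microseconds; the CLI shows milliseconds.
        "desired_min_tx_ms": tx_us / 1000,
        "required_min_rx_ms": rx_us / 1000,
        "required_min_echo_rx_ms": echo_us / 1000,
    }


def negotiated_timers(local, remote):
    """RFC 5880 sections 6.8.2 and 6.8.4: a system transmits no faster than the
    larger of its own Desired Min TX and the peer's Required Min RX, and the
    local detection time is the peer's Detect Mult multiplied by the interval
    the peer will actually transmit at."""
    local_tx = max(local["desired_min_tx_ms"], remote["required_min_rx_ms"])
    remote_tx = max(remote["desired_min_tx_ms"], local["required_min_rx_ms"])
    return {
        "local_tx_ms": local_tx,
        "remote_tx_ms": remote_tx,
        "detection_time_ms": remote["detect_mult"] * remote_tx,
    }


def session_from_dumps(rx_dump=RX_DUMP, tx_dump=TX_DUMP):
    """Pair the sent and received packets of one session and sanity-check the
    discriminators before computing the timers."""
    rx = parse_bfd_control(rx_dump)
    tx = parse_bfd_control(tx_dump)
    if rx["your_discriminator"] != tx["my_discriminator"]:
        raise ValueError("received packet is not addressed to our discriminator")
    return rx, tx, negotiated_timers(local=tx, remote=rx)


if __name__ == "__main__":
    rx, tx, timers = session_from_dumps()
    print(f"peer state {rx['state']}, discriminators {tx['my_discriminator']}/{rx['my_discriminator']}")
    print(f"TX {timers['local_tx_ms']} ms, detection time {timers['detection_time_ms']} ms")
```

For the dumps on this page both sides advertise 100 ms and a multiplier of 3, so the session detects a failure after 300 ms; if the peer advertised a larger Required Min RX, the local side would have to slow its transmit rate to match, which is why a timer change on one end shows up as a different Actual parameters value on the other.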
9 Border Gateway Protocol IPv4 (BGPv4) Border Gateway Protocol version 4 (BGPv4) is supported on Dell Networking OS. This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system (OS). BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
• Manipulating the COMMUNITY Attribute • Changing MED Attributes • Changing the LOCAL_PREFERENCE Attribute • Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes • Changing the WEIGHT Attribute • Enabling Multipath • Filtering BGP Routes Using Route Maps • Filtering BGP Routes Using AS-PATH Information • Filtering BGP Routes • Configuring BGP Route Reflectors • Aggregating Routes • Configuring BGP Confederations • Enabling Route Flap Dampening
Figure 16. Internal BGP BGP version 4 (BGPv4) supports classless interdomain routing, aggregate routes, and AS paths. BGP is a path vector protocol: each update carries the list of autonomous systems (the AS path) it has traversed as it propagates through the network. An update that travels through the network and comes back to an AS already listed in its path is easily detected and discarded.
Figure 17. BGP Routers in Full Mesh In a full mesh, every BGP speaker must maintain a session with every other speaker, so the total number of sessions grows with the square of the number of speakers (n(n-1)/2 sessions for n speakers). Network management quickly becomes impractical. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two endpoints of that session are Peers. A Peer is also called a Neighbor. Establish a Session Events and timers drive information exchange between peers. The focus in BGP is on the traffic routing policies.
State Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: The router waits for the TCP connection to complete. If the connection succeeds, the router sends an OPEN message and transitions to the OpenSent state. If the connection fails, BGP restarts the ConnectRetry timer and transitions to the Active state.
Active: When the ConnectRetry timer expires, the router restarts the timer, initiates a new TCP connection to the peer, and returns to the Connect state.
Figure 18. BGP Router Rules 1 Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2 Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
were received from the neighbors, because MED may or may not get compared between adjacent paths. In deterministic mode, Dell Networking OS compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS. The following illustration shows the decisions BGP goes through to select the best path. The list following the illustration details the path selection criteria. Figure 19.
c 10 the paths were received from an iBGP or eBGP neighbor, respectively. If the bgp bestpath router-id ignore command is enabled and: a if the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step. b if the Router-ID is NOT the same for multiple paths, prefer the path that was received first as the Best Path. The path selection algorithm returns without performing any of the checks detailed here.
Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may affect selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Origin Type: Description
IGP: Indicates the prefix originated from information learned through an interior gateway protocol.
EGP: Indicates the prefix originated from information learned from the Exterior Gateway Protocol (EGP), which BGP replaced.
INCOMPLETE: Indicates that the prefix originated from an unknown source.
Example of Viewing AS Paths Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount Metric 0x4014154 0 3 18508 0x4013914 0 3 18508 0x5166d6c 0 3 18508 0x5e62df4 0 2 18508 0x3a1814c 0 26 18508 0x567ea9c 0 75 18508 0x6cc1294 0 2 18508 0x6cc18d4 0 1 18508 0x5982e44 0 162 18508 0x67d4a14 0 2 18508 0x559972c 0 31 18508 0x59cd3b4 0 2 18508 0x7128114 0 10 18508 0x536a914 0 3 18508 0x2ffe884 0 1 18508 Path 701 3549 19421 i 701 7018 14990 i 209 4637 1221 9249 9249 i 701 17302 i 209 22291 i 209 3356 2529 i 20
calculate the best path on its own. BGP add-path lets the router switch over to the next best path within IGP convergence time when the current best path becomes unavailable. Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as the MED value.
appears in the show commands as 48581.51768; an ASN of 65123 is shown as 65123. To convert an ASN from traditional (plain) format to dot format, use ASN/65536 (integer division) as the high part and ASN%65536 as the low part, written as high.low. The table shows the fully dotted form, in which every ASN is written high.low; with asdot notation, ASNs below 65536 are shown without a dot, as in the 65123 example above.
Traditional Format: DOT Format
65001: 0.65001
65536: 1.0
100000: 1.34464
4294967295: 65535.65535
When creating Confederations, all the routers in a Confederation must be either 4 Byte or 2 Byte identified routers. You cannot mix them. Configure 4-byte AS number support with the bgp four-octet-as-support command.
neighbor 172.30.1.250 local-as 65057
The following illustration shows a scenario where Router A, Router B, and Router C belong to AS 100, 200, and 300, respectively. Router A acquired Router B; Router B has Router C as its customer. When Router B is migrating to Router A, it must maintain the connection with Router C without immediately updating Router C’s configuration.
Important Points to Remember • The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASN in each segment starting from 0. For example, an AS path list of {200 300 400} 500 consists of two segments: {200 300 400} with segment index 0 and 500 with segment index 1. ASN 200, 300, and 400 are assigned 0, 1, and 2 element indices in that order.
• deterministic multi-exit discriminator (MED) (default) • a path with a missing MED is treated as worst path and assigned an MED value of (0xffffffff) • the community format follows RFC 1998 • delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions) The following are not yet supported: • auto-summarization (the default is no auto-summary) • synchronization (the default is no synchronization) BGP Configuration To
Enabling BGP By default, BGP is not enabled on the system. Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers. After a connection is established, the neighbors exchange full BGP routing tables with incremental updates afterward.
• peer-group name: 16 characters • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format) Formats: IP Address A.B.C.D You must configure a peer group (see Configuring Peer Groups) before assigning it a remote AS. 3 Enable the BGP neighbor.
For the router’s identifier, Dell Networking OS uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID. To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example.
network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.
router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.250 no shutdown 5332332 9911991 65057 18508 12182 7018 46164 i Dell(conf-router_bgp)#bgp asnotation asdot Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp asnotation asdot bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.
4 Enable the neighbor. CONFIG-ROUTERBGP mode neighbor ip-address no shutdown 5 Add an enabled neighbor to the peer group. CONFIG-ROUTERBGP mode neighbor ip-address peer-group peer-group-name 6 Add a neighbor as a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number Formats: IP Address A.B.C.D • Peer-Group Name: 16 characters. • as-number: the range is from 0 to 65535 (2 Byte), from 1 to 4294967295 (4 Byte), or from 0.1 to 65535.65535 (dotted format).
neighbor zanzibar peer-group neighbor zanzibar shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdown Dell(conf-router_bgp)# To enable a peer group, use the neighbor peer-group-name no shutdown command in CONFIGURATION ROUTER BGP mode (shown in bold).
10.68.185.1 Dell> Configuring BGP Fast Fall-Over By default, the hold time governs a BGP session. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address.
Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dropped 5 Last reset 00:19:37, due to Reset by peer Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 200.200.200.200, Local port: 65519 Foreign host: 100.100.100.100, Foreign port: 179 Dell# To verify that fast fall-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown 4 Create and specify a remote peer for BGP neighbor. CONFIG-ROUTER-BGP mode neighbor peer-group-name remote-as as-number Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group. For more information about peer groups, refer to Configuring Peer Groups.
Allowing an AS Number to Appear in its Own AS Path This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of times in the update received from the peer, even if that ASN matches its own. The AS-PATH loop is detected if the local ASN is present more than the specified number of times in the command.
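The loop check that allowas-in relaxes, the segment and element indexing described under Important Points to Remember above, and the asplain/asdot conversion from the 4-byte ASN section can all be exercised on the AS paths printed by show ip bgp paths. The following is an added example and not Dell Networking OS code: it parses AS_PATH strings in the form the show commands print (AS_SET members in braces, an optional trailing origin code, ASNs in plain or dotted form), numbers segments and elements from 0 as the f10BgpM2AsPath MIB indices do, and applies the allowas-in rule that an update is a loop only when the local ASN appears more than the allowed number of times.

```python
"""AS_PATH parsing, 4-byte ASN notations and the allowas-in loop check.

Added example, not Dell Networking OS code. It covers three things described
on this page: the asplain, asdot and asdot+ notations for 4-byte AS numbers,
the segment/element indexing used by the f10BgpM2AsPath MIB tables, and the
AS-path loop check relaxed by allowas-in. Paths are taken from the show ip bgp
paths output on this page or constructed here.
"""
import re

ASDOT_RE = re.compile(r"^(\d+)\.(\d+)$")
ORIGIN_CODES = {"i", "e", "?"}  # trailing origin marker in show ip bgp output


def parse_asn(token):
    """Accept an ASN in asplain (65123, 3183856184) or dotted (48581.51768) form."""
    m = ASDOT_RE.match(token)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted ASN out of range: {token}")
        return high * 65536 + low
    asn = int(token)
    if not 0 <= asn <= 4294967295:
        raise ValueError(f"ASN out of range: {token}")
    return asn


def format_asn(asn, notation="asplain"):
    """asplain prints the integer; asdot prints high.low only above 65535
    (so 65123 stays 65123); asdot+ prints high.low for every ASN (65536 -> 1.0)."""
    high, low = divmod(asn, 65536)
    if notation == "asplain" or (notation == "asdot" and high == 0):
        return str(asn)
    if notation in ("asdot", "asdot+"):
        return f"{high}.{low}"
    raise ValueError(f"unknown notation {notation}")


def parse_as_path(path):
    """Split an AS_PATH into segments: braces delimit an AS_SET, runs of bare
    ASNs form an AS_SEQUENCE. Returns [(segment_index, type, [(element_index, asn), ...])]
    numbered from 0 like the MIB indices, so '{200 300 400} 500' gives segment 0 =
    AS_SET with elements 0..2 and segment 1 = AS_SEQUENCE with element 0."""
    segments = []
    sequence = []

    def flush():
        if sequence:
            segments.append(("AS_SEQUENCE", list(sequence)))
            sequence.clear()

    for token in re.findall(r"\{[^}]*\}|[^\s{}]+", path):
        if token in ORIGIN_CODES:
            continue
        if token.startswith("{"):
            flush()
            segments.append(("AS_SET", [parse_asn(t) for t in token[1:-1].split()]))
        else:
            sequence.append(parse_asn(token))
    flush()
    return [(i, kind, list(enumerate(members))) for i, (kind, members) in enumerate(segments)]


def as_path_loop(path, local_as, allowed=0):
    """allowas-in semantics: a loop is declared only when the local ASN occurs
    more than `allowed` times anywhere in the path (AS_SET members included).
    allowed=0 is the default strict check that drops any update carrying our ASN."""
    occurrences = sum(1 for _, _, members in parse_as_path(path)
                      for _, asn in members if asn == local_as)
    return occurrences > allowed


if __name__ == "__main__":
    for seg_idx, kind, members in parse_as_path("{200 300 400} 500"):
        print(seg_idx, kind, members)
    print(format_asn(parse_asn("48581.51768")), format_asn(100000, "asdot"))
```

Note that the count covers AS_SET members as well as AS_SEQUENCE entries, so a hub-and-spoke design that relies on allowas-in should set the allowed count to exactly the number of times the provider legitimately re-inserts your ASN and no higher; each extra occurrence you permit is a loop the path attribute can no longer catch.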
• Deletes all routes from the peer if forwarding state information is not saved. • Speeds convergence by advertising a special update packet known as an end-of-RIB marker. This marker indicates that the peer has been updated with all routes in the local RIB.
• Local router supports graceful restart for this neighbor or peer-group as a receiver only. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only] • Set the maximum time to retain the restarting neighbor's or peer-group's stale paths. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds] The default is 360 seconds.
Address 0x4014154 0x4013914 0x5166d6c 0x5e62df4 0x3a1814c 0x567ea9c 0x6cc1294 0x6cc18d4 0x5982e44 0x67d4a14 0x559972c 0x59cd3b4 0x7128114 0x536a914 0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 --More-- Hash 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Refcount 3 3 3 2 26 75 2 1 162 2 31 2 10 3 1 99 4 3 1 10 Metric Path 18508 701 3549 19421 i 18508 701 7018 14990 i 18508 209 4637 1221 9249 9249 i 18508 701 17302 i 18508 209 22291 i 18508 209 3356 2529 i 18508 209 1239 19265 i 18508 701 2914 4713
For more information about this command and route filtering, refer to Filtering BGP Routes. The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2. Access list Eagle uses a regular expression to deny routes originating in AS 32. The first lines shown in bold create the access list and filter. The second lines shown in bold are the regular expression shown as part of the access list filter.
5 Filter routes based on the criteria in the configured route map. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out} Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • as-path-name: enter the name of a configured AS-PATH ACL. • in: apply the AS-PATH ACL map to inbound routes. • out: apply the AS-PATH ACL to outbound routes.
Enabling Additional Paths The add-path feature is disabled by default. NOTE: In some cases, when receiving 1K identical routes from more than 64 iBGP neighbors, BGP sessions with a hold time of 10 seconds may flap. BGP add-path does not pack multiple routes into a single update packet for advertisement, so it does not scale to large route counts. Either reduce the number of routes you add or increase the hold timer. To allow multiple paths to be sent to peers, use the following commands.
{deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression} • community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system. • local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED. • no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE. • no-export: routes with the COMMUNITY attribute of NO_EXPORT.
5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
router bgp as-number 5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} Example of the show ip bgp community Command To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
bgp default local-preference value • value: the range is from 0 to 4294967295. The default is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show runningconfig bgp command in EXEC Privilege mode. A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map. 1 Enter the ROUTE-MAP mode and assign a name to a route map.
If the set next-hop command is applied on the out-bound interface using a route map, it takes precedence over the neighbor next-hop-self command. Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Assign a weight to the neighbor connection.
3 Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Filter routes based on the criteria in the configured route map. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • map-name: enter the name of a configured route map.
To view which commands are configured, use the show config command in CONFIGURATION ROUTER BGP mode and the show ip as-path-access-list command in EXEC Privilege mode. To forward all routes not meeting the AS-PATH ACL criteria, include the permit .* filter in your AS-PATH ACL. Filtering BGP Routes Filtering routes allows you to implement BGP policies.
Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • prefix-list-name: enter the name of a configured prefix list. • in: apply the prefix list to inbound routes. • out: apply the prefix list to outbound routes. As a reminder, the following are rules concerning prefix lists: • If the prefix list contains no filters, all routes are permitted.
Filtering BGP Routes Using AS-PATH Information To filter routes based on AS-PATH information, use these commands. 1 Create an AS-PATH ACL and assign it a name. CONFIGURATION mode ip as-path access-list as-path-name 2 Create an AS-PATH ACL filter with a deny or permit action. AS-PATH ACL mode {deny | permit} as-regular-expression 3 Return to CONFIGURATION mode. AS-PATH ACL exit 4 Enter ROUTER BGP mode.
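The Eagle example above says only that the access list denies routes originating in AS 32; it does not print the entries, and the note about adding permit .* hints at the implicit deny that ends every AS-path ACL. The following is an added example and not Dell Networking OS code: the Eagle entries are an assumption (_32$ is the conventional pattern for "originated in AS 32"), and the routes are constructed. It shows how the _ metacharacter of AS-path regular expressions expands, how entries are evaluated first-match, and what the implicit deny does to routes that match nothing.

```python
"""AS-path access list evaluation with Dell/Cisco-style regular expressions.

Added example, not Dell Networking OS code. The page says access list Eagle
denies routes originating in AS 32 but does not print its entries, so the
entries below are an assumption ('_32$' is the conventional pattern for
"originated in AS 32"). It shows the '_' metacharacter expansion, first-match
evaluation, and the implicit deny that makes 'permit .*' necessary.
"""
import re

# '_' in an AS-path regex matches the start or end of the path, a space, or a
# set/confederation delimiter, so '_32$' matches '100 32' but not '132'.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def compile_as_regex(pattern):
    return re.compile(pattern.replace("_", UNDERSCORE))


def evaluate_as_path_acl(acl, as_path):
    """Entries are (action, pattern) pairs tried in order; the first match
    decides, and a path matching no entry is denied."""
    for action, pattern in acl:
        if compile_as_regex(pattern).search(as_path):
            return action
    return "deny"


def apply_filter_list(acl, routes):
    """Return the routes a neighbor filter-list with this ACL would accept.
    routes: iterable of (prefix, as_path)."""
    return [(prefix, path) for prefix, path in routes
            if evaluate_as_path_acl(acl, path) == "permit"]


# Assumed contents of access list Eagle (not shown on the page).
EAGLE = [("deny", "_32$"), ("permit", ".*")]

# Constructed sample of what peer 10.5.5.2 might advertise.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "100 32"),         # originated in AS 32 -> denied
    ("198.51.100.0/24", "100 32 200"),  # transited AS 32, originated elsewhere -> permitted
    ("203.0.113.0/24", "100 132"),      # 132 is not 32; '_' prevents a substring match
    ("10.0.0.0/8", ""),                 # empty path -> permitted by .*
]

if __name__ == "__main__":
    for prefix, path in apply_filter_list(EAGLE, SAMPLE_ROUTES):
        print(prefix, repr(path))
```

Dropping the permit .* entry turns the filter into an allow-nothing policy, which is the failure mode to check for when a neighbor shows zero accepted prefixes after a filter-list is applied.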
• Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-reflector-client When you enable a route reflector, Dell Networking OS automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode.
CONFIG-ROUTER-BGP mode bgp confederation peers as-number [... as-number] • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode. Enabling Route Flap Dampening When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices.
• route-map map-name: name of a configured route map. Only match commands in the configured route map are supported. Use this parameter to apply route dampening to selected routes. Enter the following optional parameters to configure route dampening. CONFIG-ROUTE-MAP mode set dampening half-life reuse suppress max-suppress-time • half-life: the range is from 1 to 45. Number of minutes after which the penalty is halved.
Dell(conf-router_bgp)#bgp dampening 2 2000 ? <1-20000> Value to start suppressing a route (default = 2000) Dell(conf-router_bgp)#bgp dampening 2 2000 3000 ? <1-255> Maximum duration to suppress a stable route (default = 60) Dell(conf-router_bgp)#bgp dampening 2 2000 3000 10 ? route-map Route-map to specify criteria for dampening To view a count of dampened routes, history routes, and penalized routes when you enable route dampening, look at the seventh line of the show ip bgp summary command output, as
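The four dampening parameters interact through an exponential decay, and the CLI help above gives only their ranges and defaults. The following is an added example and not Dell Networking OS code: it models the RFC 2439 penalty for the values typed in the example above (half-life 2, reuse 2000, suppress 3000, max-suppress-time 10) so you can see how many flaps it takes to suppress a route, how long it then stays suppressed, and why the penalty has a ceiling. The per-flap penalty increment of 1000 is an assumption; the page does not state the value.

```python
"""Route flap dampening arithmetic for the bgp dampening parameters.

Added example, not Dell Networking OS code. It models the RFC 2439 penalty
that the half-life, reuse, suppress and max-suppress-time values on this page
control. The per-flap penalty increment (1000) is an assumption; the page does
not state it. Times are in minutes, matching the CLI units.
"""
import math

PENALTY_PER_FLAP = 1000  # assumed, not stated on this page


class DampenedRoute:
    def __init__(self, half_life, reuse, suppress, max_suppress_time):
        # Ranges as shown in the CLI help on this page.
        if not 1 <= half_life <= 45:
            raise ValueError("half-life must be 1-45 minutes")
        if not 1 <= reuse <= 20000 or not 1 <= suppress <= 20000:
            raise ValueError("reuse and suppress must be 1-20000")
        if not 1 <= max_suppress_time <= 255:
            raise ValueError("max-suppress-time must be 1-255 minutes")
        if reuse >= suppress:
            raise ValueError("reuse limit must be below the suppress limit")
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress_time = max_suppress_time
        # A route may never stay suppressed longer than max-suppress-time, so the
        # penalty is capped at the value that decays to the reuse limit in that time.
        self.max_penalty = reuse * 2 ** (max_suppress_time / half_life)
        self.penalty = 0.0
        self.suppressed = False
        self._last = 0.0

    def _decay_to(self, now):
        self.penalty *= 2 ** (-(now - self._last) / self.half_life)
        self._last = now

    def flap(self, now):
        """Record a withdrawal at time `now` (minutes); returns True if suppressed."""
        self._decay_to(now)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, self.max_penalty)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now):
        """A suppressed route is reused once its penalty decays below the reuse limit."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return self.suppressed

    def minutes_until_reuse(self, now):
        self._decay_to(now)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def worst_case_suppression(half_life, reuse, max_suppress_time):
    """Longest time a route can be suppressed: the decay from the penalty ceiling
    to the reuse limit, which is max-suppress-time by construction."""
    ceiling = reuse * 2 ** (max_suppress_time / half_life)
    return half_life * math.log2(ceiling / reuse)


if __name__ == "__main__":
    # The values typed in the CLI example on this page: bgp dampening 2 2000 3000 10
    r = DampenedRoute(half_life=2, reuse=2000, suppress=3000, max_suppress_time=10)
    for t in (0, 0.5, 1.0, 1.5):
        suppressed = r.flap(t)
        print(f"flap at {t} min -> penalty {r.penalty:.0f}, suppressed {suppressed}")
```

With these values a route needs four rapid withdrawals before it is suppressed, is released about two minutes after the last one, and can never be held for more than ten minutes however often it flaps; a suppress limit below the reuse limit would be rejected by the constructor because such a route could never be reused.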
Enabling BGP Neighbor Soft-Reconfiguration BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to hard reset of the BGP cache and the time it takes to re-establish the session. BGP soft reconfiguration allows for policies to be applied to a session without clearing the BGP Session.
Enabling or disabling BGP neighbors You can enable or disable all the configured BGP neighbors using the shutdown all command in ROUTER BGP mode. To disable all the configured BGP neighbors: 1 Enter ROUTER BGP mode using the following command: CONFIGURATION Mode router bgp as-number 2 In ROUTER BGP mode, enter the following command: ROUTER BGP Mode shutdown all Use the no shutdown all command in ROUTER BGP mode to re-enable all the BGP neighbors.
ipv6-unicast commands. Regardless of whether individual BGP neighbors were disabled earlier, the shutdown all command brings down all the configured BGP neighbors. When you issue the no shutdown all command, the global shutdown is lifted; however, only the neighbors that were not individually shut down before the global shutdown come up, and neighbors that were individually shut down remain down.
The default is IPv4 Unicast routes. When you configure a peer to support IPv4 multicast, Dell Networking OS takes the following actions: • Send a capability advertisement to the peer in the BGP Open message specifying IPv4 multicast as a supported AFI/SAFI (Subsequent Address Family Identifier). • If the corresponding capability is received in the peer's Open message, BGP marks the peer as supporting the AFI/SAFI.
Debugging BGP To enable BGP debugging, use any of the following commands.
• View all information about BGP, including BGP events, keepalives, notifications, and updates.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
• View information about BGP routes being dampened.
EXEC Privilege mode
debug ip bgp dampening [in | out]
• View information about local BGP state changes and other BGP events.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2 BGP neighbor is 1.1.1.2, remote AS 2, external link BGP version 4, remote router ID 2.4.0.
Example of the show capture bgp-pdu neighbor Command Example of Viewing Space Requirements for Storing all PDUs To change the maximum buffer size, use the capture bgp-pdu max-buffer-size command. To view the captured PDUs, use the show capture bgp-pdu neighbor command. Dell#show capture bgp-pdu neighbor 20.20.20.2 Incoming packet capture enabled for BGP neighbor 20.20.20.
Figure 23. Sample Configurations Example of Enabling BGP (Router 1) Example of Enabling BGP (Router 2) Dell# conf Dell(conf)#int loop 0 Dell(conf-if-lo-0)#ip address 192.168.128.1/24 Dell(conf-if-lo-0)#no shutdown Dell(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown Dell(conf-if-lo-0)#int te 1/21 Dell(conf-if-te-1/21)#ip address 10.0.1.21/24 Dell(conf-if-te-1/21)#no shutdown Dell(conf-if-te-1/21)#show config ! interface TengigabitEthernet 1/21 ip address 10.0.1.
Dell(conf-router_bgp)#neighbor 192.168.128.2 remote 99 Dell(conf-router_bgp)#neighbor 192.168.128.2 no shut Dell(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 Dell(conf-router_bgp)#neighbor 192.168.128.3 remote 100 Dell(conf-router_bgp)#neighbor 192.168.128.3 no shut Dell(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 Dell(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.
! router bgp 99 bgp router-id 192.168.128.2 network 192.168.128.0/24 bgp graceful-restart neighbor 192.168.128.1 remote-as 99 neighbor 192.168.128.1 update-source Loopback 0 neighbor 192.168.128.1 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 update-source Loopback 0 neighbor 192.168.128.3 no shutdown Dell(conf-router_bgp)#end Dell#show ip bgp summary BGP router identifier 192.168.128.
router bgp 100 network 192.168.128.0/24 neighbor 192.168.128.1 remote-as 99 neighbor 192.168.128.1 update-source Loopback 0 neighbor 192.168.128.1 no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown Dell(conf)#end Dell#show ip bgp summary BGP router identifier 192.168.128.
Member of peer-group AAA for session parameters BGP version 4, remote router ID 192.168.128.
Last reset 00:00:54, due to user reset
Dell#
Example of Enabling Peer Groups (Router 2)
Dell#conf
Dell(conf)#router bgp 99
Dell(conf-router_bgp)# neighbor CCC peer-group
Dell(conf-router_bgp)# neighbor CCC no shutdown
Dell(conf-router_bgp)# neighbor BBB peer-group
Dell(conf-router_bgp)# neighbor BBB no shutdown
Dell(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
Dell(conf-router_bgp)# neighbor 192.168.128.1 no shut
Dell(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
Dell(conf-router_bgp)# neighbor 192.
Dell(conf-router_bgp)# neighbor CCC peer-group
Dell(conf-router_bgp)# neighbor CCC no shutdown
Dell(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
Dell(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
Dell(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
Dell(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
Dell(conf-router_bgp)#end
Dell#show ip bgp summary
BGP router identifier 192.168.128.
For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 6; dropped 5 Last reset 00:12:01, due to Closed by neighbor Notification History 'HOLD error/Timer expired' Sent : 1 Recv: 0 'Connection Reset' Sent : 2 Recv: 2 Last notification (len 21) received 00:12:01 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.
10 Bare Metal Provisioning (BMP)

Bare Metal Provisioning 2.0 is included as part of the Dell Networking OS image. BMP improves accessibility to the S5000 switch by automatically loading pre-defined configurations and boot images that are stored in file servers. You can use BMP on a single switch or on multiple switches. For more information about BMP in Auto-Configuration mode, refer to the Open Automation Guide.

Reconfiguring Jumpstart and Normal Modes

On a new factory-loaded switch, the switch boots up in Jumpstart mode. You can reconfigure a switch to reload between Normal and Jumpstart mode.

Jumpstart (BMP) mode
The switch automatically configures all ports (management and user ports) as Layer 3 physical ports and acts as a DHCP client on the ports for a user-configured time (DHCP timeout). This is the default startup mode. It is set with the reload-type jump-start command.

Jumpstart Mode
Jumpstart (BMP) mode is the default boot mode configured for a new switch arriving from Dell Networking. This mode obtains the Dell Networking OS image and configuration file from a network source (DHCP server and file server).

DHCP Server/Configuration
You must first configure an external DHCP server before you can use Jumpstart mode on a switch. Configure the DHCP server with the following parameters for each client switch.
Description                                    URL Example
Flash path relative to /f10/flash directory    option bootfile-name "flash://FTOSSE-8.3.10.1.bin";

##### Configuration file could be given in the following way
FTP URL with IP address                        option config-file "ftp://user:passwd@10.20.4.1//home/user/S4810-1.conf";
HTTP URL with hostname (requires DNS)          option config-file "http://myserver/S4810-1.conf";
TFTP URL with IP address                       option config-file "tftp://10.10.4.1/S4810-1.

Description                 Parameter Example
Dell Networking OS image    option boot-filename "tftp://10.20.4.1/FTOS-SE-8.3.10.1.bin";
Config file                 option config-file "http://10.20.4.1/S4810-1.conf";
                            }
                            host S4810-2 {
BMP1.0 syntax
MAC to IP mapping           hardware ethernet 00:01:e8:8c:4c:04;
                            fixed-address 10.20.30.42;
Dell Networking OS image    option tftp-server-address 10.20.4.1;
                            filename "FTOS-SE-8.3.10.1.bin";
Config file                 option config-file "S4810-2.
• filename (Assumes TFTP) When loading the Dell Networking OS image, if the Dell Networking OS image on the server is different from the image on the local flash, the switch downloads the image from the server onto the local flash and reloads using that image. Next, the switch tries to load the configuration file. If the configuration file is not specified or if you disable the config-download parameter, the switch loads the startup-config from the local flash.
DOWNLOADED RELEASE HEADER :
Release Image Major Version : 8
Release Image Minor Version : 3
Release Image Main Version  : 8
Release Image Patch Version : 33
FLASH RELEASE HEADER B :
Release Image Major Version : 8
Release Image Minor Version : 3
Release Image Main Version  : 10
Release Image Patch Version : 1
00:04:05: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DOWNLOAD: The Dell Networking OS image download is successful.
Erasing Sseries Primary Image, please wait ..............................................
11 Content Addressable Memory (CAM)

Content addressable memory (CAM) is supported on Dell Networking OS. CAM is a type of memory that stores information in the form of a lookup table. On the S5000 systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.

L2PT          0
IpMacAcl      0
VmanQos       0
VmanDualQos   0
EcfmAcl       0
nlbclusteracl 0
FcoeAcl       0
iscsiOptAcl   0
ipv4pbr       0
vrfv4Acl      0
Openflow      0
fedgovacl     0

Re-Allocating CAM for Ingress ACLs and QoS
The default CAM allocation settings for ingress ACL and QoS regions are shown in the following list.

cam-acl [default | l2acl]
NOTE: Selecting default resets the CAM entries to the default settings. To re-allocate memory space for ingress ACL and QoS regions, select l2acl.
2 Enter the number of FP blocks for each region. Separate each keyword and number with a blank space. The total CAM space allocated must equal 13.
Testing CAM Usage for QoS Policies The test cam-usage command applies to the IPv4 ingress CAM partition. To determine whether there is sufficient space in this CAM region for the ACLs created in QoS service-policies, use this command. You can create a class map with all required ACL rules and then enter the test cam-usage command in Privilege mode to verify the actual CAM space required. The following example shows the command output. The status column indicates whether you can enable the policy.
Displaying CAM-ACL-Egress Settings To display the current CAM ACL settings for each egress region, use the show cam-acl-egress command on the S5000. The default egress CAM ACL allocation settings on an S5000 (stack unit 0) are in the following example.
12 Control Plane Policing (CoPP)

Control plane policing (CoPP) is supported on Dell Networking OS. Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 25. CoPP Implemented Versus CoPP Not Implemented

Topics:
• Configure Control Plane Policing
• Configuring CoPP for Protocols
• Configuring CoPP for CPU Queues
• Show Commands

Configure Control Plane Policing
The S5000 can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though Per Protocol CoPP is applied.
traffic rate, you cannot set the required queue rate limit value. You must complete queue bandwidth tuning carefully because the system cannot open up to handle any rate, including traffic coming at the line rate. CoPP policies are assigned on a per-protocol or a per-queue basis, and are assigned in CONTROL-PLANE mode to each port-pipe. CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies.
Example of Creating the IP/IPv6/MAC Extended ACL
Example of Creating the QoS Input Policy
Example of Creating the QoS Class Map
Example of Matching the QoS Class Map to the QoS Policy
Example of Creating the Control Plane Service Policy

Dell(conf)#ip access-list extended ospf cpu-qos
Dell(conf-ip-acl-cpuqos)#permit ospf
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#ip access-list extended bgp cpu-qos
Dell(conf-ip-acl-cpuqos)#permit bgp
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#mac access-list extended lacp cpu-qo
Configuring CoPP for CPU Queues Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies. CoPP for CPU queues converts the input rate from kbps to pps, assuming 64 bytes is the average packet size, and applies that rate to the corresponding queue. Consequently, 1 kbps is roughly equivalent to 2 pps. The basics for creating a CoPP service policy are to create QoS policies for the desired CPU bound queue and associate it with a particular rate-limit.
Q2    300
Q3    300
Q4    2000
Q5    400
Q6    400
Q7    1100
Dell#

Example of Viewing Queue Mapping
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
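The kbps-to-pps conversion described above, worked through as an added example (not Dell Networking OS code): the two figures it applies, a 64-byte average frame and the S5000's 4200 pps control-plane ceiling, are the page's; the per-queue limits fed into it are constructed. The point a practitioner wants from it is that individual queue limits are not enough on their own: the sum of all queue limits is what the CPU must absorb when every queue is busy at once, so that sum is what has to fit under the ceiling.

```python
"""CoPP CPU-queue rate planning.

Added illustration, not Dell Networking OS code. CoPP converts a kbps limit
to packets per second assuming a 64-byte average packet (so 1 kbps is roughly
2 pps), and the S5000 control plane handles at most 4200 pps. The queue-to-rate
assignments below are constructed for the example.
"""

AVG_PACKET_BYTES = 64         # average frame size CoPP assumes (from the page)
CONTROL_PLANE_MAX_PPS = 4200  # S5000 control-plane capacity (from the page)


def kbps_to_pps(kbps: int, avg_packet_bytes: int = AVG_PACKET_BYTES) -> int:
    """Convert a kbps rate limit into packets per second for a given frame size.

    1 kbps with 64-byte frames is 1000 / 512 = 1.95 pps, which is where the
    page's "roughly 2 pps" comes from.
    """
    if kbps < 0 or avg_packet_bytes <= 0:
        raise ValueError("rate must be non-negative and frame size positive")
    bits_per_packet = avg_packet_bytes * 8
    return round(kbps * 1000 / bits_per_packet)


def plan_queue_limits(queue_kbps: dict) -> dict:
    """Turn per-queue kbps limits into pps and check them against the CPU budget.

    The sum of the per-queue limits is what the CPU can be asked to absorb if
    every queue is saturated at once, so that sum is compared with the
    4200 pps ceiling: a total above it means the worst case overloads the CPU
    even though every individual queue is policed.
    """
    per_queue = {q: kbps_to_pps(k) for q, k in queue_kbps.items()}
    total = sum(per_queue.values())
    return {
        "per_queue_pps": per_queue,
        "total_pps": total,
        "within_budget": total <= CONTROL_PLANE_MAX_PPS,
        "headroom_pps": CONTROL_PLANE_MAX_PPS - total,
    }


def scale_to_budget(queue_kbps: dict) -> dict:
    """Proportionally reduce kbps limits until their pps total fits the budget.

    Returns a new kbps map; a plan already within budget is returned unchanged.
    """
    plan = plan_queue_limits(queue_kbps)
    if plan["within_budget"]:
        return dict(queue_kbps)
    factor = CONTROL_PLANE_MAX_PPS / plan["total_pps"]
    scaled = {q: int(k * factor) for q, k in queue_kbps.items()}
    # rounding inside kbps_to_pps can leave the total a few pps over; trim until it fits
    while not plan_queue_limits(scaled)["within_budget"]:
        biggest = max(scaled, key=scaled.get)
        scaled[biggest] -= 1
    return scaled


# Constructed per-queue limits (kbps); an illustration, not a recommended configuration.
SAMPLE_QUEUE_KBPS = {"Q2": 300, "Q3": 300, "Q4": 1000, "Q5": 400}

if __name__ == "__main__":
    plan = plan_queue_limits(SAMPLE_QUEUE_KBPS)
    for name, pps in plan["per_queue_pps"].items():
        print(f"{name}: {pps} pps")
    print(f"total {plan['total_pps']} pps, headroom {plan['headroom_pps']} pps")
```

Running the block with the constructed limits gives 586, 586, 1953 and 781 pps, 3906 pps in total, which leaves 294 pps of headroom under the ceiling; scale_to_budget shows what happens when the sum does not fit.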
13 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
DCB-enabled network is required in a data center. The Dell Networking switches that support a unified fabric and consolidate multiple network infrastructures use a single input/output (I/O) device called a converged network adapter (CNA). A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
Figure 26. Illustration of Traffic Congestion

The system supports loading two DCB_Config files:
• FCoE converged traffic with priority 3.
• iSCSI storage traffic with priority 4.

In the Dell Networking OS, PFC is implemented as follows:
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.

Figure 27. Enhanced Transmission Selection

The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.

Table 13. ETS Traffic Groupings
Traffic Groupings   Description
Group ID            A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.
Group bandwidth     Percentage of available bandwidth allocated to a priority group.
ETS parameters      ETS Configuration TLV and ETS Recommendation TLV.

Data Center Bridging in a Traffic Flow
The following figure shows how DCB handles a traffic flow on an interface.

Figure 28. DCB PFC and ETS Traffic Handling

Enabling Data Center Bridging
DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
dcb enable
2 Set PFC buffering on the DCB stack unit.
CONFIGURATION mode
Dell(conf)#dcb enable pfc-queues
NOTE: To save the pfc buffering configuration changes, save the configuration and reboot the system.
NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.

If you delete the dot1p priority-priority group mapping (no priority pgid command) before you apply the new DCB map, the default PFC and ETS parameters are applied on the interfaces. This change may create a DCB mismatch with peer DCB devices and interrupt network operation.

Data Center Bridging: Default Configuration
Before you configure PFC and ETS on a switch, take the following default settings into account:
DCB is enabled.
PFC and ETS are globally enabled by default.

The pfc on command enables priority-based flow control.
3 Specify the dot1p priority-to-priority group mapping for each priority.
priority-pgid dot1p0_group_num dot1p1_group_num ...dot1p7_group_num
Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number.
interface type slot/port 2 Configure the port queues that will still function as no-drop queues for lossless traffic. INTERFACE mode pfc no-drop queues queue-range For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table. The maximum number of lossless queues globally supported on the switch is two. The range is from 0 to 3. Separate the queue values with a comma; specify a priority range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3.
• To disable PFC operation on an interface, use the no pfc mode on command in DCB-Map configuration mode. • Traffic may be interrupted when you reconfigure PFC no-drop priorities in a DCB map or re-apply the DCB map to an interface. • For PFC to be applied, the configured priority traffic must be supported by a PFC peer (as detected by DCBx). • If you apply a DCB map with PFC disabled (pfc off), you can enable link-level flow control on the interface using the flowcontrol rx on tx on command.
Step   Task   Command   Command Mode
Dell# interface tengigabitEthernet 1/1
Dell(config-if-te-1/1)# dcb-map SAN_A_dcb_map1
Repeat Steps 1 and 2 to apply a DCB map to more than one port. You cannot apply a DCB map on an interface that has already been configured for PFC using the pfc priority command or which is already configured for lossless queues (pfc no-drop queues command).

Port B acting as Egress
During the congestion (traffic pump on priorities 3 and 4 from PORT A and PORT C is at full line rate), PORT A and C send out PFC pause frames to rate-limit the traffic. Egress drops are not observed on Port B because traffic on those priorities is mapped to lossless queues.

Port B acting as Ingress
If the traffic congestion is on PORT B, egress drops occur on PORT A or C, because PFC is not enabled on PORT B.

Step   Task   Command   Command Mode
1,3 or pfc no-drop queues 2-3
Default: No lossless queues are configured.

Priority-Based Flow Control Using Dynamic Buffer Method
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.
By default the total available buffer for PFC is 6.6 MB, and when you configure dynamic ingress buffering, a minimum of 52 KB per queue is used when all ports are congested. This default behavior changes if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues.

Behavior of Tagged Packets
The following example enables PFC for priority 2 for tagged packets. Priority (packet dot1p) 2 is mapped to PG6 in the PRIO2PG setting.

3 Dot1p->Queue Mapping Configuration is retained at the default value. Default dot1p-queue mapping is:
Dell#show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue          : 0 0 0 1 2 3 3 3

Default dot1p-queue mapping is:
Dell#show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue          : 2 0 1 3 4 5 6 7

4 Interface Configurations on server connected ports.
a Enable DCB globally.
Dell(conf)#dcb enable
b Apply PFC Priority configuration. Configure priorities on which PFC is enabled.
dcb-map dcb-map-name
The dcb-map-name variable can have a maximum of 32 characters.
2 Create an ETS priority group.
CONFIGURATION mode
priority-group group-num {bandwidth bandwidth | strict-priority} pfc off
The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50.
ETS Operation with DCBx The following section describes DCBx negotiation with peer ETS devices. In DCBx negotiation with peer ETS devices, ETS configuration is handled as follows: • ETS TLVs are supported in DCBx versions CIN, CEE, and IEEE2.5. • The DCBx port-role configurations determine the ETS operational parameters (refer to Configure a DCBx Operation). • ETS configurations received from TLVs from a peer are validated.
Dell(conf-if-te-0/1)#exit
5 Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
6 Apply the QoS output policy with the bandwidth percentage for specified priority queues to an egress interface.
INTERFACE mode
Dell(conf-if-te-0/1)#service-policy output test12

Configuring ETS in a DCB Map
A switch supports the use of a DCB map in which you configure enhanced transmission selection (ETS) settings. To configure ETS parameters, you must apply a DCB map on an interface.
ETS Prerequisites and Restrictions On a switch, ETS is enabled by default on Ethernet ports with equal bandwidth assigned to each 802.1p priority. You can change the default ETS configuration only by using a DCB map.
Strict-priority groups: If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first. However, when three priority groups are used and two groups have strict-priority scheduling (such as groups 1 and 3 in the example), the strict priority group whose traffic is mapped to one queue takes precedence over the strict priority group whose traffic is mapped to two queues.
DCBx Port Roles
To enable the auto-configuration of DCBx-enabled ports and propagate DCB configurations learned from peer DCBx devices internally to other switch ports, use the following DCBx port roles.

Auto-upstream
The port advertises its own configuration to DCBx peers and is willing to receive peer configuration. The port also propagates its configuration to other ports on the switch. The first auto-upstream that is capable of receiving a peer configuration is elected as the configuration source.
or propagate internal or external configurations. Unlike other user-configured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration. On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled.
• The port is enabled with link up and DCBx enabled. • The port has performed a DCBx exchange with a DCBx peer. • The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange. A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
DCBx Example
The following figure shows how to use DCBx. The external 40GbE ports on the base module (ports 33 and 37) of two switches are used for uplinks configured as DCBx auto-upstream ports. The device is connected to third-party, top-of-rack (ToR) switches through 40GbE uplinks. The ToR switches are part of a Fibre Channel storage network. The internal ports (ports 1-32) connected to the 10GbE backplane are configured as auto-downstream ports.

Figure 29.
4 Configure ports to operate in a manual role.

1 Enter INTERFACE Configuration mode.
CONFIGURATION mode
interface type slot/port
2 Enter LLDP Configuration mode to enable DCBx operation.
INTERFACE mode
[no] protocol lldp
3 Configure the DCBx version used on the interface, where:
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
• auto: configures the port to operate using the DCBx version received from a peer.
• cee: configures the port to use CEE (Intel 1.01).

• fcoe: enables the advertisement of FCoE in Application Priority TLVs.
• iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
The default is that Application Priority TLVs are enabled to advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi.
For information about how to use iSCSI, refer to iSCSI Optimization.
To verify the DCBx configuration on a port, use the show interface DCBx detail command.

[no] advertise DCBx-appln-tlv {fcoe | iscsi}
• fcoe: enables the advertisement of FCoE in Application Priority TLVs.
• iscsi: enables the advertisement of iSCSI in Application Priority TLVs.
The default is that Application Priority TLVs are enabled and advertise FCoE and iSCSI.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi.
6 Configure the FCoE priority advertised for the FCoE protocol in Application Priority TLVs.

• config-exchng: enables traces for DCBx configuration exchanges.
• fail: enables traces for DCBx failures.
• mgmt: enables traces for DCBx management frames.
• resource: enables traces for DCBx system resource frames.
• sem: enables traces for the DCBx state machine.
• tlv: enables traces for DCBx TLVs.

Verifying the DCB Configuration
To display DCB configurations, use the following show commands.

Table 18.
DCB Status      : Enabled
PFC Port Count  : 56 (current), 56 (configured)
PFC Queue Count : 2 (current), 2 (configured)

The following example shows the show qos priority-groups command.
Dell#show qos priority-groups
priority-group ipc
 priority-list 4
 set-pgid 2

The following example shows the output of the show qos dcb-map test command.

0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts

The following table describes the show interface pfc summary command fields.

Table 19. show interface pfc summary Command Description
Fields                                                Description
Interface                                             Interface type with stack-unit and port number.
Admin mode is on; Admin is enabled                    PFC Admin mode is on or off with a list of the configured PFC priorities.
Application Priority TLV: Remote FCOE Priority Map    Status of FCoE advertisements in application priority TLVs from remote peer port: enabled or disabled.
Application Priority TLV: Remote ISCSI Priority Map   Status of iSCSI advertisements in application priority TLVs from remote peer port: enabled or disabled.
PFC TLV Statistics: Input TLV pkts                    Number of PFC TLVs received.
PFC TLV Statistics: Output TLV pkts                   Number of PFC TLVs transmitted.

0 1 2 3 4 5 6 7 3 4 0,1,2,5,6,7 25 25 50 - - - -
Oper status is init
ETS DCBX Oper status is Down
Reason: Port Shutdown
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled

The following example shows the show interface ets detail command.

6 12%
7 12%
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

The following table describes the show interface ets detail command fields.

Table 20. show interface ets detail Command Description
Field       Description
Interface   Interface type with stack-unit and port number.
The following example shows the show stack-unit all stack-ports all pfc details command.
------------------------------------------------------------------------------------------
Interface TenGigabitEthernet 2/12
Remote Mac Address 00:01:e8:8a:df:a0
Port Role is Manual
DCBx Operational Status is Enabled
Is Configuration Source? FALSE
Local DCBx Compatibility mode is IEEEv2.5
Local DCBx Configured mode is IEEEv2.5
Peer Operating version is IEEEv2.

Field                           Description
DCBx Operational Status         Operational status (enabled or disabled) used to elect a configuration source and internally propagate a DCB configuration. The DCBx operational status is the combination of PFC and ETS operational status.
Configuration Source            Specifies whether the port serves as the DCBx configuration source on the switch: true (yes) or false (no).
Local DCBx Compatibility mode   DCBx version accepted in a DCB configuration as compatible.
Figure 30. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame   Priority Group Assignment
5                                   LAN
6                                   LAN
7                                   LAN

The following describes the priority group-bandwidth assignment.
Priority Group   Bandwidth Assignment
IPC              5%
SAN              50%
LAN              45%

PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
NOTE: Dell Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS. However, Dell Networking does recommend using Ingress traffic classification using the service-class dynamic dot1p command (honor dot1p) on all DCB-enabled interfaces.
CONFIGURATION mode
dcb pfc-shared-buffer-size value
dcb pfc-total-buffer-size value
The buffer size range is from 0 to 3399. Default is 3088.
3 Configure the number of PFC queues.
CONFIGURATION mode
dcb enable pfc-queues pfc-queues
The number of ports supported based on lossless queues configured depends on the buffer.
14 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies that network administrators determine.
Figure 31. DHCP packet Format

The following table lists common DHCP options.
Option               Number and Description
Subnet Mask          Option 1. Specifies the client's subnet mask.
Router               Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server   Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name          Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
Rebinding Time       Option 59. Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with any server, if the original server does not respond.
End                  Option 255. Signals the last option in the DHCP packet.

Assign an IP Address using DHCP
The following section describes DHCP and the client in a network.
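A parser for the packet format and option list above, as an added example (not Dell Networking OS code): it walks the fixed RFC 2131 header and then the TLV option area, decoding the option numbers the table lists (1, 3, 6, 15, 59, 255) plus 53, the DHCP Message Type option. The sample DHCPOFFER is constructed inline; its addresses, domain name and transaction id are example values, and the client MAC reuses the first entry from the binding-table output later in this chapter. Every option length is checked against the remaining buffer before the value is read, which is the check a snooping or relay implementation needs, since the option area is attacker-controlled input on an untrusted port.

```python
"""Parsing a DHCP message down to its options.

Added illustration, not Dell Networking OS code. Walks the fixed BOOTP header
(RFC 2131) and the TLV option area. The sample OFFER below is constructed;
its addresses and identifiers are example values.
"""
import socket
import struct

# Fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128)  -> 236 bytes
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"

OPTION_NAMES = {1: "Subnet Mask", 3: "Router", 6: "Domain Name Server",
                15: "Domain Name", 53: "DHCP Message Type",
                59: "Rebinding Time", 255: "End"}


def decode_option(code: int, value: bytes):
    """Decode the option value types used here; unknown codes stay raw bytes."""
    if code in (1, 3, 6):
        if not value or len(value) % 4:
            raise ValueError(f"option {code}: address list length {len(value)} is not a multiple of 4")
        addrs = [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]
        return addrs[0] if code == 1 else addrs
    if code == 15:
        return value.decode("ascii")
    if code in (53, 59):
        return int.from_bytes(value, "big")
    return value


def parse_options(area: bytes) -> dict:
    """Walk the TLV option area; every declared length is checked against the buffer."""
    options = {}
    i = 0
    while i < len(area):
        code = area[i]
        if code == 0:            # pad option: single byte, no length field
            i += 1
            continue
        if code == 255:          # End option: nothing after it is parsed
            return options
        if i + 1 >= len(area):
            raise ValueError(f"option {code}: length byte missing")
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared length {length} overruns the message")
        options[OPTION_NAMES.get(code, code)] = decode_option(code, value)
        i += 2 + length
    raise ValueError("option area has no End option")


def parse_dhcp(msg: bytes) -> dict:
    """Return the fields a snooping or relay function cares about."""
    if len(msg) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
     siaddr, giaddr, chaddr, _sname, _file) = HEADER.unpack_from(msg)
    if msg[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not a DHCP message")
    if hlen > 16:
        raise ValueError(f"hlen {hlen} exceeds the 16-byte chaddr field")
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": socket.inet_ntoa(ciaddr),
        "yiaddr": socket.inet_ntoa(yiaddr),
        "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": parse_options(msg[HEADER.size + 4:]),
    }


def build_message(op: int, mac: bytes, xid: int, yiaddr: str, options) -> bytes:
    """Assemble a DHCP message from a list of (code, value) options, appending End."""
    zero4 = b"\x00" * 4
    header = HEADER.pack(op, 1, len(mac), 0, xid, 0, 0x8000, zero4,
                         socket.inet_aton(yiaddr), zero4, zero4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([255])


# Constructed DHCPOFFER for client 00:00:4d:57:e6:f6, offering 10.1.1.252 (example values).
SAMPLE_OFFER = build_message(
    2, bytes.fromhex("00004d57e6f6"), 0x3903F326, "10.1.1.252",
    [(53, b"\x02"),                                   # DHCPOFFER
     (1, socket.inet_aton("255.255.255.0")),
     (3, socket.inet_aton("10.1.1.1")),
     (6, socket.inet_aton("10.1.1.53") + socket.inet_aton("10.1.1.54")),
     (15, b"example.test"),
     (59, (151200).to_bytes(4, "big"))])

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_OFFER))
```

Note that the parser stops at the End option and refuses a message without one, and that an option whose declared length runs past the end of the buffer is rejected rather than silently truncated.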
Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
DHCP Server Responsibility        Description
Responding To Client Requests     DHCP servers respond to different types of requests from clients, primarily granting, renewing, and terminating leases.
Providing Administration Services DHCP servers include functionality that allows an administrator to implement policies that govern how DHCP performs its other tasks.

DHCP mode
show config
After an IP address is leased to a client, only that client may release the address. Dell Networking OS performs an IP + MAC source address validation to ensure that no client can release another client's address. This validation is a default behavior and is separate from IP+MAC source address validation.

Excluding Addresses from the Address Pool
The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients.

The default is Disabled.
3 Display the current DHCP configuration.
DHCP mode
show config
In the following illustration, an IP phone is powered by Power over Ethernet (PoE) and has acquired an IP address from the Dell Networking system, which is advertising link layer discovery protocol (LLDP)-media endpoint discovery (MED). The leased IP address is displayed using the show ip dhcp binding command and confirmed using the show lldp neighbors command.

Figure 33.
DHCP mode netbios-node-type type Creating Manual Binding Entries An address binding is a mapping between the IP address and the media access control (MAC) address of a client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in the binding table. However, the administrator can manually create an entry for a client; manual bindings are useful when you want to guarantee that a particular network device receives a particular IP address.
• Clear a DHCP address conflict.
EXEC Privilege mode
clear ip dhcp conflict
• Clear DHCP server counters.
EXEC Privilege mode
clear ip dhcp server statistics

Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.

Figure 34. Configuring a Relay Agent

To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.

Example of the show ip interface Command
Dell#show ip int tengig 1/3
TenGigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
Configure the System for User Port Stacking When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when you connect the units. Configure Secure DHCP DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
DHCP Snooping DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.
• Delete all of the entries in the binding table.
EXEC Privilege mode
clear ip dhcp snooping binding

Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
• Display the contents of the binding table.
EXEC Privilege mode
show ip dhcp snooping

Example of the show ip dhcp snooping Command
View the DHCP snooping statistics with the show ip dhcp snooping command.

10.1.1.252   00:00:4d:57:e6:f6   172800   D   Vl 10   Te 0/1
10.1.1.253   00:00:4d:57:f8:e8   172740   D   Vl 10   Te 0/3
10.1.1.254   00:00:4d:69:e8:f2   172740   D   Vl 10   Te 0/50
Total number of Entries in the table : 4

Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism.

Configuring Dynamic ARP Inspection
To enable dynamic ARP inspection, use the following commands.
1 Enable DHCP snooping.
2 Validate ARP frames against the DHCP snooping binding table.
INTERFACE VLAN mode
arp inspection

Examples of Viewing the ARP Database and Packets
To view entries in the ARP database, use the show arp inspection database command.

Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).

Table 23. Three Types of Source Address Validation
Source Address Validation      Description
IP Source Address Validation   Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
Total cam count 1
deny count (0 packets)
deny access-list on TenGigabitEthernet 1/2
Total cam count 2
deny vlan 10 count (0 packets)
deny vlan 20 count (0 packets)

The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
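The checks that DHCP snooping, dynamic ARP inspection and the three SAV types perform against the binding table, brought together in one added example (not Dell Networking OS code). The three bindings are the rows from the show ip dhcp snooping output above; the trusted-port set, the snooped VLAN set and the frames checked against the table are constructed. One behaviour here goes slightly beyond the text: a server-side DHCP message (OFFER, ACK, NAK) arriving on an untrusted port is dropped, which is the standard snooping rule the trusted/untrusted distinction exists for and is stated as an assumption in the code.

```python
"""DHCP snooping binding table with DAI, IP SAV and DHCP MAC SAV.

Added illustration, not Dell Networking OS code. Bindings are the three rows
from the page's show ip dhcp snooping output; trusted ports, snooped VLANs
and the sample frames are constructed. Dropping server messages on untrusted
ports is assumed standard snooping behaviour, not something the page states.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    lease: int   # seconds remaining
    vlan: int
    port: str


BINDINGS = [
    Binding("10.1.1.252", "00:00:4d:57:e6:f6", 172800, 10, "Te 0/1"),
    Binding("10.1.1.253", "00:00:4d:57:f8:e8", 172740, 10, "Te 0/3"),
    Binding("10.1.1.254", "00:00:4d:69:e8:f2", 172740, 10, "Te 0/50"),
]
TRUSTED_PORTS = {"Te 0/48"}        # constructed: uplink towards the DHCP server / relay
SNOOPED_VLANS = {10}               # constructed: VLANs with snooping enabled
SERVER_MESSAGE_TYPES = {2, 5, 6}   # DHCPOFFER, DHCPACK, DHCPNAK (option 53 values)


def find_binding(ip: str, vlan: int) -> Optional[Binding]:
    return next((b for b in BINDINGS if b.ip == ip and b.vlan == vlan), None)


def snoop_dhcp(frame: dict) -> Tuple[bool, str]:
    """DHCP snooping plus DHCP MAC SAV on untrusted ports of snooped VLANs:
    server replies are dropped, and a client request must carry a source MAC
    equal to the CHADDR field in its DHCP payload."""
    if frame["port"] in TRUSTED_PORTS:
        return True, "trusted port"
    if frame["vlan"] not in SNOOPED_VLANS:
        return True, "VLAN not snooped"
    if frame["msg_type"] in SERVER_MESSAGE_TYPES:
        return False, "server message on untrusted port"
    if frame["src_mac"] != frame["chaddr"]:
        return False, "source MAC does not match CHADDR"
    return True, "client request accepted"


def arp_inspection(frame: dict) -> Tuple[bool, str]:
    """DAI: the sender IP/MAC of an ARP frame must match a binding learned on
    that VLAN and on the port the frame arrived on."""
    if frame["port"] in TRUSTED_PORTS:
        return True, "trusted port"
    b = find_binding(frame["sender_ip"], frame["vlan"])
    if b is None:
        return False, "no binding for sender IP"
    if b.mac != frame["sender_mac"]:
        return False, "sender MAC does not match binding"
    if b.port != frame["port"]:
        return False, "binding learned on a different port"
    return True, "binding matches"


def ip_source_validation(packet: dict) -> Tuple[bool, str]:
    """IP SAV (and IP+MAC SAV): source IP must be bound to the ingress port,
    and the source MAC must be the one the lease was issued to."""
    if packet["port"] in TRUSTED_PORTS:
        return True, "trusted port"
    b = find_binding(packet["src_ip"], packet["vlan"])
    if b is None or b.port != packet["port"]:
        return False, "source IP not bound to this port"
    if b.mac != packet["src_mac"]:
        return False, "source MAC does not match binding"
    return True, "source address valid"


# Constructed traffic samples.
LEGIT_ARP = {"port": "Te 0/1", "vlan": 10, "sender_ip": "10.1.1.252",
             "sender_mac": "00:00:4d:57:e6:f6"}
SPOOFED_ARP = {"port": "Te 0/3", "vlan": 10, "sender_ip": "10.1.1.252",
               "sender_mac": "00:00:4d:57:f8:e8"}   # claims a neighbour's IP
UNTRUSTED_OFFER = {"port": "Te 0/50", "vlan": 10, "msg_type": 2,
                   "src_mac": "00:00:4d:69:e8:f2", "chaddr": "00:00:4d:57:e6:f6"}

if __name__ == "__main__":
    print("legit ARP    ", arp_inspection(LEGIT_ARP))
    print("spoofed ARP  ", arp_inspection(SPOOFED_ARP))
    print("offer, port 50", snoop_dhcp(UNTRUSTED_OFFER))
```

The trusted-port shortcut at the top of each function is the reason the page tells you to mark only the ports facing legitimate servers and relay agents as trusted: everything else is checked against the table.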
15 Equal Cost Multi-Path (ECMP)

Equal cost multi-path (ECMP) is supported on Dell Networking OS.

ECMP for Flow-Based Affinity
IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a host entry and finds its place in the host table.
NOTE: Using XOR algorithms results in imbalanced loads across an ECMP/LAG when the number of members in that ECMP/LAG is a multiple of 4.
ipv6 ecmp-deterministic Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
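The two ideas in the paragraph above, sorted next hops and a chassis-derived hash seed, modelled as an added example (not Dell Networking OS code). The next-hop lists and flows are constructed, and CRC-32 stands in for the platform's hash function, which is an assumption; what the block shows is that deterministic ordering removes the RTM's random order as a variable, so that with the same seed two chassis make the same choice for a flow, while the default seed, the lower 12 bits of each chassis MAC, is what makes their choices diverge.

```python
"""Deterministic ECMP ordering and the hash seed.

Added illustration, not Dell Networking OS code. Deterministic ECMP sorts the
next hops, so the RTM's random order does not matter; the hash is seeded with
the lower 12 bits of the chassis MAC, so two chassis with the same sorted path
set can still pick different hops for the same flow unless they share a seed.
CRC-32 stands in for the platform's real hash function (an assumption).
"""
import zlib
from collections import Counter

SEED_MASK = 0xFFF   # lower 12 bits, as the text describes


def chassis_seed(chassis_mac: str) -> int:
    """Derive the default seed from the chassis MAC (lower 12 bits)."""
    return int(chassis_mac.replace(":", ""), 16) & SEED_MASK


def sorted_paths(paths):
    """Deterministic ECMP: order the next hops, whatever order the RTM supplied."""
    return sorted(paths)


def flow_hash(flow: tuple, seed: int) -> int:
    """Hash a 5-tuple (src, dst, proto, sport, dport) with the given seed."""
    key = "|".join(str(x) for x in flow).encode()
    return zlib.crc32(key, seed & SEED_MASK)


def select_next_hop(paths, flow: tuple, seed: int) -> str:
    """Pick a next hop for the flow from the sorted path set."""
    ordered = sorted_paths(paths)
    return ordered[flow_hash(flow, seed) % len(ordered)]


def distribution(paths, flows, seed: int) -> Counter:
    """How many of the given flows land on each next hop for this seed."""
    return Counter(select_next_hop(paths, f, seed) for f in flows)


# Constructed: the same four next hops, handed over by the RTM in two different orders.
PATHS_A = ["10.0.0.2", "10.0.0.1", "10.0.0.4", "10.0.0.3"]
PATHS_B = ["10.0.0.4", "10.0.0.3", "10.0.0.2", "10.0.0.1"]
# Constructed flows: one client to one server, varying source port.
FLOWS = [("192.0.2.10", "198.51.100.5", 6, 40000 + i, 443) for i in range(200)]

if __name__ == "__main__":
    seed_a = chassis_seed("00:01:e8:8a:df:a0")   # MAC value reused from the DCBx output earlier on the page
    seed_b = chassis_seed("00:01:e8:8c:4c:04")   # MAC value reused from the BMP DHCP example on the page
    print("seed", hex(seed_a), distribution(PATHS_A, FLOWS, seed_a))
    print("seed", hex(seed_b), distribution(PATHS_B, FLOWS, seed_b))
    same = sum(select_next_hop(PATHS_A, f, seed_a) == select_next_hop(PATHS_B, f, seed_b) for f in FLOWS)
    print(f"{same} of {len(FLOWS)} flows take the same hop on both chassis with different seeds")
```

The final line of the main block is the observable consequence of the text: a given flow can leave the two chassis on different hops purely because their default seeds differ.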
Managing ECMP Group Paths
Configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM holds the maximum number of ECMP paths per route. To configure the maximum number of paths, use the following command.
NOTE: Save the new ECMP settings to the startup-config (write-mem), then reload the system for the new settings to take effect.
• Configure the maximum number of paths per ECMP group.
CONFIGURATION mode

• The default is 60%.
• Display details for an ECMP group bundle.
EXEC mode
show link-bundle-distribution ecmp-group ecmp-group-id
The range is from 1 to 64.

Viewing an ECMP Group
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only.
16 Fabric Services The following example shows how fabric services operate. Figure 35.
Topics: • Configuring Switch Mode to Fabric Services • Name Server • Link State Database • Zoning Configuring Switch Mode to Fabric Services To configure switch mode to Fabric services, use the following commands. 1 Configure Switch mode to Fabric Services. CONFIGURATION mode fc switch-mode fabric-services 2 Configure the SAN fabric to which the FC port connects by entering the name of the FCoE map applied to the interface.
• N_Port sends a Port Login (PLOGI) to inform the Fabric Name Server of its personality and capabilities; this includes the WWNN and WWPN.
• N_Port sends PLOGI to address 0xFFFFFC to register this address with the name server.
Command Description
show fc ns switch Displays all the devices in the name server database of the switch.
show fc ns switch brief Displays the local name server entries — brief version.
show fc ns fabric Displays all the devices in the name server database of the fabric.
Principal Switch Selection and Domain ID Assignment
To view the information on all switches in the fabric, use the show fc fabric command.
Route Table
To view the established routes between server and target ports, use the show fc route command.
Zoning
The zoning configurations are supported for Fabric Services operation on the S5000. In Fabric Services, the fcoe-map default_full_fabric has the default Zone mode set to deny.
Creating Zone Alias and Adding Members
To create a zone alias and add devices to the alias, follow these steps.
1 Create a zone alias name.
CONFIGURATION mode
fc alias ZoneAliasName
2 Add devices to an alias.
ALIAS CONFIGURATION mode
member word
The member can be a WWPN (00:00:00:00:00:00:00:00), a port ID (000000), or an alias name (word).
no active-zoneset zoneset_name
2 View the active zoneset.
show fc zoneset active
Zone Merge (within ISL)
When two switches are connected through an E-port, the active zonesets are merged. The merge operation involves checking for any zones with the same name but a different member set, and segmenting the switches if such a zone is found. If no conflicts are found, the zones are merged together. All unique zones become part of both switches. All non-unique zones (that is, zones with the same name and the same members) stay intact.
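The merge check described above, as an added example that is not Dell's code: two switches compare their active zonesets when an E-port ISL comes up, and a same-name zone with a different member set segments the link instead of silently widening access. The zone and member names are sample values; the extra WWPN in the failing case is constructed.

```python
# Added example (not Dell's code): the active-zoneset merge check applied on
# an E-port ISL. Zone members may be WWPNs, port IDs or alias names.
from typing import Dict, List, Set, Tuple

Zoneset = Dict[str, Set[str]]   # zone name -> members


def merge_zonesets(local: Zoneset, remote: Zoneset) -> Tuple[str, Zoneset, List[str]]:
    """Return (status, resulting_zoneset, conflicting_zone_names).

    A zone present on both sides with the same name but a different member
    set is a conflict: the ISL is segmented and the local zoneset is left
    unchanged. Without conflicts, zones unique to either side are added to
    the result and zones identical on both sides stay as they were.
    """
    conflicts = sorted(
        name for name in local.keys() & remote.keys()
        if set(local[name]) != set(remote[name])
    )
    if conflicts:
        # Segmentation is the fail-safe: neither switch adopts the other's zoning.
        return "segmented", {n: set(m) for n, m in local.items()}, conflicts
    merged = {n: set(m) for n, m in local.items()}
    for name, members in remote.items():
        merged.setdefault(name, set(members))   # unique zones added, identical ones untouched
    return "merged", merged, []


def constructed_merge_cases():
    """Two constructed ISL bring-ups: one clean merge and one that segments."""
    local = {
        "brcd_sanb": {"brcd_cna1_wwpn1", "sanb_p2tgt1_wwpn"},
        "zone_a": {"10:00:8c:7c:ff:17:f8:01", "31:11:0e:fc:00:00:00:77"},
    }
    # Peer with the same brcd_sanb zone (member order differs) and one zone the local switch lacks.
    peer_ok = {
        "brcd_sanb": {"sanb_p2tgt1_wwpn", "brcd_cna1_wwpn1"},
        "zone_b": {"20:02:00:11:0d:03:00:00"},
    }
    # Peer whose zone_a has been widened by one constructed WWPN: must not merge.
    peer_bad = {
        "zone_a": {"10:00:8c:7c:ff:17:f8:01", "31:11:0e:fc:00:00:00:77", "10:00:8c:7c:ff:17:f8:02"},
    }
    return merge_zonesets(local, peer_ok), merge_zonesets(local, peer_bad)
```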
This is the amount of time given to devices to allocate the resources that process received frames. The default is 10000 milliseconds.
7 Configure the receiver transmitter timeout value.
R-T-TOV
For example:
Dell(conf-fmap-default_full_fabric-fcfabric)# r-t-TOV 100
This is the amount of time that the receiver logic uses to determine loss of sync on the wire. The default is 100 milliseconds.
Example of the show config Command
Dell(conf)#
Dell(conf-fmap-default_full_fabric-fcfabric)#show config
domain-id 3
principal-priority 253
E-D-TOV 101
R-A-TOV 10001
R-T-TOV 101
default-zone-allow all
active-zoneset zs1
Dell(conf-fmap-default_full_fabric-fcfabric)#
Example of the show fcoe-map Command
Dell#show fcoe-map
Fabric Name default_full_fabric
Fabric Type full-fabric
Fabric Id 1002
Vlan Id 1002
Vlan priority 3
FC-MAP 0efc00
FKA-ADV-Period 8
Fcf Priority 128
Config-State ACTIVE
Oper-State UP
==========
Switch Name DomainId Switch Port Hops Cost Age LinkCount
NeighborID LocalPort RemotePort LinkCost
Dell#
Example of the show fc ns switch Command
Switch Name 10:00:5c:f9:dd:ef:0a:80
Domain Id 2
Switch Port 11
Port Id 02:0b:00
Port Name 31:11:0e:fc:00:00:00:77
Node Name 21:11:0e:fc:00:00:00:77
Class of Service 8
Symbolic Port Name (NULL)
Symbolic Node Name (NULL)
Port Type N_Port

Switch Name 10:00:5c:f9:dd:ef:0a:00
Domain Id 1
Switch Port 53
Port Id 01:35:00
Port Name 10:00:8c:7c:ff:17:f8:01
Node Name 20:00:8c:7c
Dell# 20:02:00:11:0d:03:00:00
Example of the show fc zoneset merged Command
Dell#show fc zoneset merged
Active Zoneset: zs1
Merged Zones
Dell#
Example of the show fc zone Command
Dell#show fc zone
ZoneName ZoneMember
==============================
brcd_sanb brcd_cna1_wwpn1
sanb_p2tgt1_wwpn
Dell#
Example of the show fc alias Command
Dell#show fc alias
No Zone Aliases configured
Dell#
Example of the show fc switch Command
Dell#show fc switch
Switch Mode : Fabric-Services
Switch WWN : 10:00:5c:f9:dd:ef:0a:00
17 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the S5000 switch on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces, in an S5000 switch stack, or on links between VLT peer switches.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF). The following table lists the FIP functions.
Table 24.
Figure 36. FIP Discovery and Login Between an ENode and an FCF
FIP Snooping on Ethernet Bridges
In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to transmit between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
ToR switch and an S5000 switch. The switch operates as a lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the FCF switch.
Figure 37. FIP Snooping on an S5000 Switch
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Allocate CAM resources for FCoE.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
FIP Snooping in a Switch Stack
FIP snooping supports switch stacking as follows:
• A switch stack configuration is synchronized with the standby stack unit.
• Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit.
FIP Snooping Prerequisites
Before you enable FCoE transit and configure FIP snooping on a switch, ensure that certain conditions are met. A FIP snooping bridge requires data center bridging exchange protocol (DCBx) and priority-based flow control (PFC) to be enabled on the switch for lossless Ethernet connections (refer to the Data Center Bridging (DCB) chapter). Dell Networking also recommends enabling enhanced transmission selection (ETS), but ETS is not required.
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
nlbclusteracl: 0
st-sjc-s5000-29#
Enabling the FCoE Transit Feature
The following sections describe how to enable FCoE transit.
NOTE: FCoE transit is disabled by default. To enable this feature, follow the steps in Configuring FIP Snooping. As soon as you enable the FCoE transit feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied.
Configure a Port for a Bridge-to-Bridge Link
If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it allows FIP frames destined to or received from the FCF MAC address.
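The filtering behaviour described above, as an added example that is not Dell's code: a simplified model of what a FIP snooping bridge enforces on an FCF-facing port, blocking all FCoE data until an FCF is learned from its advertisement and a login is accepted. The EtherTypes and group MACs are the FC-BB-5 well-known values; the FIP operation labels, the ENode/FCF MACs and the session key (ENode MAC, FCF MAC, VLAN) are constructed simplifications of the real VN_Port bookkeeping.

```python
# Added example (not Dell's code): simplified FIP snooping decision logic for
# a port in bridge-to-FCF mode. Well-known values are from FC-BB-5; the
# operation labels and session model are constructed simplifications.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FIP_ETHERTYPE = 0x8914    # FIP control frames
FCOE_ETHERTYPE = 0x8906   # FCoE data frames
ALL_ENODE_MAC = "01:10:18:01:00:01"   # ALL_ENODE_MAC group address
ALL_FCF_MAC = "01:10:18:01:00:02"     # ALL_FCF_MAC group address


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int
    vlan: int
    fip_op: str = ""   # constructed labels: DISC_SOL, DISC_ADV, FLOGI, FLOGI_ACC, FLOGO, ...


@dataclass
class FcfFacingPort:
    """State the bridge keeps for one fip-snooping port-mode fcf port."""
    learned_fcfs: Set[str] = field(default_factory=set)
    sessions: Set[Tuple[str, str, int]] = field(default_factory=set)

    def decide(self, f: Frame) -> str:
        """Return "permit" or "deny" for one frame and update snooped state."""
        if f.ethertype == FIP_ETHERTYPE:
            return self._decide_fip(f)
        if f.ethertype == FCOE_ETHERTYPE:
            # FCoE data passes only between the endpoints of an FCF-accepted
            # login, on the VLAN that login was snooped on; all else is blocked.
            if (f.src, f.dst, f.vlan) in self.sessions or (f.dst, f.src, f.vlan) in self.sessions:
                return "permit"
            return "deny"
        return "permit"   # other Ethernet traffic is not subject to the FIP snooping ACLs

    def _decide_fip(self, f: Frame) -> str:
        # Frames to the well-known group MACs (solicitations, multicast
        # advertisements) pass even before any FCF has been learned.
        if f.dst in (ALL_ENODE_MAC, ALL_FCF_MAC):
            if f.dst == ALL_ENODE_MAC and f.fip_op == "DISC_ADV":
                self.learned_fcfs.add(f.src)   # the advertisement reveals the FCF MAC
            return "permit"
        # Unicast FIP is accepted only to or from an FCF already learned here.
        if f.dst in self.learned_fcfs:
            enode, fcf = f.src, f.dst
        elif f.src in self.learned_fcfs:
            enode, fcf = f.dst, f.src
        else:
            return "deny"
        key = (enode, fcf, f.vlan)
        if f.fip_op in ("FLOGI_ACC", "FDISC_ACC") and f.src == fcf:
            self.sessions.add(key)          # FCF accepted the login: open the session
        elif f.fip_op in ("FLOGO", "CLEAR_VLINK"):
            self.sessions.discard(key)      # logout or clear-virtual-link closes it
        return "permit"


def run_constructed_exchange() -> List[str]:
    """Replay a constructed login sequence; returns the per-frame decisions."""
    port = FcfFacingPort()
    enode, fcf, vlan = "00:1b:21:aa:bb:cc", "54:7f:ee:11:22:33", 1002   # constructed
    frames = [
        Frame(enode, fcf, FCOE_ETHERTYPE, vlan),                    # data before login: deny
        Frame(enode, ALL_FCF_MAC, FIP_ETHERTYPE, vlan, "DISC_SOL"), # solicitation: permit
        Frame(enode, fcf, FIP_ETHERTYPE, vlan, "FLOGI"),            # FCF not yet learned: deny
        Frame(fcf, ALL_ENODE_MAC, FIP_ETHERTYPE, vlan, "DISC_ADV"), # advertisement: permit, learn
        Frame(enode, fcf, FIP_ETHERTYPE, vlan, "FLOGI"),            # now permitted
        Frame(fcf, enode, FIP_ETHERTYPE, vlan, "FLOGI_ACC"),        # session opened
        Frame(enode, fcf, FCOE_ETHERTYPE, vlan),                    # data after accept: permit
        Frame(enode, fcf, FCOE_ETHERTYPE, 1003),                    # wrong VLAN: deny
        Frame(enode, fcf, FIP_ETHERTYPE, vlan, "FLOGO"),            # session closed
        Frame(enode, fcf, FCOE_ETHERTYPE, vlan),                    # data after logout: deny
    ]
    return [port.decide(f) for f in frames]
```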
FIP Snooping on an NPIV Proxy Gateway When you configure an S5000 as an NPIV proxy gateway and enable Fibre Channel capability, FIP snooping is automatically enabled on all VLANs using the default FIP snooping settings. To identify the SAN fabric to which FCoE storage traffic is sent, use an FCoE map.
• on an S5000 switch not configured as an NPIV proxy gateway is eight.
The maximum number of FCFs supported on a FIP snooping-enabled VLAN:
• on an S5000 NPIV proxy gateway is 12.
• on an S5000 switch not configured as an NPIV proxy gateway is 12.
The maximum number of FIP snooping sessions (including NPIV sessions) supported per ENode server is 64 and is user-configurable. In a full FCoE NPIV configuration, 64 sessions (one FLOGI + 63 NPIV sessions) are supported per ENode server.
interface port-type slot/port
NOTE: By default, a port is enabled for bridge-to-ENode links.
6 Configure the port for bridge-to-FCF links.
INTERFACE mode or CONFIGURATION mode
fip-snooping port-mode fcf
To disable the FCoE transit feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fipsnooping or no fip-snooping enable.
Displaying FIP Snooping Information
To display information on FIP snooping, use the following show commands.
Table 27.
Examples of the show fip-snooping Commands The following example shows the show fip-snooping sessions command.
Table 29. show fip-snooping enode Command Description
Field Description
ENode MAC MAC address of the ENode.
ENode Interface Slot/port number of the interface connected to the ENode.
FCF MAC MAC address of the FCF.
VLAN VLAN ID number the session uses.
FC-ID Fibre Channel session ID the FCF assigns.
The following example shows the show fip-snooping fcf command.
Dell# show fip-snooping fcf
FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
Dell# show fip-snooping statistics int tengigabitethernet 0/11
Number of Vlan Requests :1
Number of Vlan Notifications :0
Number of Multicast Discovery Solicits :1
Number of Unicast Discovery Solicits :0
Number of FLOGI :1
Number of FDISC :16
Number of FLOGO :0
Number of Enode Keep Alive :4416
Number of VN Port Keep Alive :3136
Number of Multicast Discovery Advertisement :0
Number of Unicast Discovery Advertisement :0
Number of FLOGI Accepts :0
Number of FLOGI Rejects :0
Number of FDISC Accepts :0
Number of
Field Description
Number of FLOGI Number of FIP-snooped FLOGI request frames received on the interface.
Number of FDISC Number of FIP-snooped FDISC request frames received on the interface.
Number of FLOGO Number of FIP-snooped FLOGO frames received on the interface.
Number of ENode Keep Alives Number of FIP-snooped ENode keep-alive frames received on the interface.
Number of VN Port Keep Alives Number of FIP-snooped VN port keep-alive frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows an S5000 switch enabled for FCoE transit and used as a FIP snooping bridge for FCoE traffic between an ENode (server CNA) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 38. Configuration Example of FCoE Transit on an S5000 Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port
Dell(conf)# interface tengigabitethernet 0/1
Dell(conf-if-te-0/1)# portmode hybrid
Dell(conf-if-te-0/1)# switchport
Dell(conf-if-te-0/1)# protocol lldp
Dell(conf-if-te-0/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
18 FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Examples of the show fips status and show system Commands
The following example shows the show fips status command.
Dell#show fips status
FIPS Mode : Enabled
for the system using the show system command. The following example shows the show system command.
Disabling FIPS Mode
When you disable FIPS mode, the following changes occur:
• The SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
19 Fibre Channel Interface
The S5000 functions as a converged enhanced Ethernet (CEE) switch that supports both LAN and storage area network (SAN) traffic using the Fibre Channel protocol. To access a SAN fabric, use a Fibre Channel (FC) module installed in the S5000. S5000 FC ports operate at 2G, 4G, and 8G speed. By default, FC ports have autosensing speed enabled to use or negotiate port speed with a peer SAN switch.
feature fc
Configuring Fibre Channel Interfaces
To configure a Fibre Channel interface, follow these steps.
1 Configure an FC interface.
CONFIGURATION mode
interface fibrechannel slot/port
The range of the slot (stack-unit) numbers is from 0 to 11. The range of the port numbers is from 0 to 47.
NOTE: You can install an FC module only in expansion slot 0.
2 Configure the speed of an FC port.
INTERFACE FIBRE_CHANNEL mode
speed {auto | 2G | 4G | 8G}
The valid values are 2 Gbps, 4 Gbps, 8 Gbps, or autosensing.
WWN is 20:00:5c:f9:dd:ef:24:40, FC-ID is 020000
Last clearing of "show interface" counters 2d11h27m
Statistics:
BBCR_FrameFailures 0    TotalRxBytes 0
BBCR_RRDYFailures 0     TotalTxBytes 0
Class2FramesIn 0        LongFramesIn 0
Class2FramesOut 0       LossOfSync 0
Class3FramesIn 0        ShortFramesIn 0
Class3FramesOut 0       RxLinkResets 6
Class3Discard 0         TxLinkResets 19698
DecodeErrors 0          TotalLinkResets 19704
FReject 0               TotalRxFrames 0
FBusy 0                 TotalTxFrames 0
AddressErrors 0         RxOfflineSeq 19698
LinkFailures 0          TxOfflineSeq 39409
--More--
Field Description
DecodeErrors Number of decode errors.
FBusy Number of Fabric port Busy (F_BSY) frames received.
FReject Number of Fabric port Reject (F_RJT) frames received.
AddressErrors Number of frame-address ID errors.
LinkFailures Number of link failures.
InvalidCRC Number of cyclic redundancy check (CRC) errors.
TotalRxBytes Number of bytes received.
TotalTxBytes Number of bytes transmitted.
LongFramesIn Number of long frames received.
Example of the show running-config | grep switch-mode Command
Dell#Show running-config | grep switch-mode
fc switch-mode fabric-services
Dell#
Troubleshooting Fibre Channel Operation
To investigate problems in the FC interface operation, use the following commands. Examples of the show command follow this table.
Command Description
create fcdump-support Gathers information about the Fibre Channel operation and stores the FC dump file in flash/CORE_DUMP_DIR.
The following example shows the no stack-unit port-group portmode ethernet command.
Dell(conf)#no stack-unit 0 port-group 0 portmode ethernet
Changing port mode on slot 0 port-group 0 will make interface configs of 0 and 1 obsolete after a save and reload. [confirm yes/no]:yes
Please save and reload for the changes to take effect.
Dell(conf)#
Displaying Fibre Channel Port Group Mode Information
To display the Fibre Channel Port-Group mode information, use the following show command.
20 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or a large campus. FRRP is similar to what can be achieved with the spanning tree protocol (STP), but STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and, even with optimizations, may require four to five seconds to reconverge.
Figure 39. Normal Operating FRRP Topology
A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN.
The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure that the ring remains up and active in the event of a switch or port failure.
Member VLAN Spanning Two Rings Connected by One Switch
A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
• You can run multiple physical rings on the same switch.
• One Master node per ring — all other nodes are Transit.
• Each node has two member interfaces — primary and secondary.
• There is no limit to the number of nodes on a ring.
• Master node ring port states — blocking, preforwarding, forwarding, and disabled.
• Transit node ring port states — blocking, preforwarding, forwarding, and disabled.
• STP disabled on ring interfaces.
Concept Explanation
Ring Health-Check Frame (RHF) The Master node generates two types of RHFs. RHFs never loop the ring because they terminate at the Master node’s secondary port.
• Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval.
• Topology Change RHF (TCRHF) — These frames contain ring status, keepalive, and the control and member VLAN hash.
Configuring the Control VLAN
Control and member VLANs are configured normally for Layer 2. Their status as control or member is determined by the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to Layer 2. Follow these guidelines:
• All VLANs must be in Layer 2 mode.
• You can only add ring nodes to the VLAN.
• A control VLAN can belong to one FRRP group only.
• Tag control VLAN ports.
• All ports on the ring must use the same VLAN ID for the control VLAN.
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring’s member VLANs.
6 Enable FRRP.
CONFIG-FRRP mode.
no disable
Configuring and Adding the Member VLANs
Control and member VLANs are configured normally for Layer 2. Their status as Control or Member is determined by the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• Tag control VLAN ports.
CONFIG-FRRP mode.
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs.
6 Enable this FRRP group on this switch.
CONFIG-FRRP mode.
no disable
Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time to three times the Hello-Interval time.
• Enter the desired intervals for Hello-Interval or Dead-Interval times.
CONFIG-FRRP mode.
• Show the information for the identified FRRP group.
EXEC or EXEC PRIVILEGED mode.
show frrp ring-id
The ring ID range is from 1 to 255.
• Show the state of all FRRP groups.
EXEC or EXEC PRIVILEGED mode.
show frrp summary
The ring ID range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
no shutdown
!
interface GigabitEthernet 1/34
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged GigabitEthernet 1/24,34
no shutdown
!
interface Vlan 201
no ip address
tagged GigabitEthernet 1/24,34
no shutdown
!
protocol frrp 101
interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34
control-vlan 101
member-vlan 201
mode master
no disable
Example of R2 TRANSIT
interface GigabitEthernet 2/14
no ip address
switchport
no shutdown
!
interface GigabitEthernet 2/31
no ip
no ip address
tagged GigabitEthernet 3/14,21
no shutdown
!
protocol frrp 101
interface primary GigabitEthernet 3/21 secondary GigabitEthernet 3/14
control-vlan 101
member-vlan 201
mode transit
no disable
FRRP Support on VLT
Using FRRP rings, you can interconnect VLT domains across data centers. These FRRP rings use Layer 2 VLANs that span across data centers and provide resiliency by detecting node-level or link-level failures.
Example Scenario
The following example scenario describes an Active-Active FRRP ring topology where the ring is blocked on a per-VLAN or per-VLAN-group basis, allowing an active-active FRRP ring for different sets of VLANs. In this scenario, an FRRP ring named R1 is configured with VLT Node1 acting as the Master node and VLT Node2 as the Transit node. Similarly, an FRRP ring named R2 is configured with VLT Node2 as the Master node and VLT Node1 as the Transit node.
Figure 43. FRRP Ring using VLTi links
Important Points to Remember
• VLTi can be configured only as the primary interface of any FRRP ring.
• Only RSTP and PVST are supported in the VLT environment. Enabling either RSTP or PVST affects FRRP functionality even though these features are disabled on FRRP-enabled interfaces.
• Dell Networking OS does not support coexistence of xSTP and FRRP configurations.
21 GARP VLAN Registration Protocol (GVRP)
Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. The GARP VLAN registration protocol (GVRP)-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
type of port is referred to as a VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking OS that the port is a trunk port.
Figure 44. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1 Enabling GVRP Globally
2 Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
• Configure GVRP Registration
• Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
Example of Configuring GVRP
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
gvrp registration fixed 34-35
gvrp registration forbidden 45-46
no shutdown
Dell(conf-if-te-1/21)#
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell Networking OS default is 200 ms.
22 High Availability (HA)
High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
Topics:
• High Availability on Stacks
• Hitless Behavior
• Graceful Restart
• Software Resiliency
• Hot-Lock Behavior
• Component Redundancy
High Availability on Stacks
A stack has a master and standby management unit that provide redundancy in a similar way to redundant route processor modules (RPMs).
Graceful Restart
Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change.
• Application core dump is the contents of the memory allocated to a failed application at the time of an exception.
System Log
Event messages provide system administrators diagnostics and auditing information. Dell Networking OS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server. For more information about event messages and configurable options, refer to Switch Management.
Last failover type: None
-- Last Data Block Sync Record: ------------------------------------------------
Stack Unit Config: no block sync done
Start-up Config: no block sync done
Runtime Event Log: no block sync done
Running Config: no block sync done
ACL Mgr: no block sync done
LACP: no block sync done
STP: no block sync done
SPAN: no block sync done
Dell#
Synchronization between Management and Standby Units
Data between the Management and Standby units is synchronized immediately after bootup.
Manually Synchronizing Management and Standby Units
To manually synchronize Management and Standby units at any time, use the following command.
• Manually synchronize Management and Standby units.
23 Internet Group Management Protocol (IGMP)
Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. The internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
leaves a multicast group by sending an IGMP message to its IGMP Querier. The querier is the router that surveys a subnet for multicast receivers and processes survey responses to populate the multicast routing table. IGMP messages are encapsulated in IP packets, as shown in the following illustration.
Figure 45.
2 The querier sends a Group-Specific Query to determine whether there are any remaining hosts in the group. There must be at least one receiver in a group on a subnet for a router to forward multicast traffic for that group to the subnet.
3 Any remaining hosts respond to the query according to the delay timer mechanism (refer to Adjusting Query and Response Timers). If no hosts respond (because there are none remaining in the group), the querier waits a specified period and sends another query.
Figure 47. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 48. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries.
1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 49. Membership Queries: Leaving and Staying
Configure IGMP
Configuring IGMP is a two-step process.
1 Enable multicast routing using the ip multicast-routing command.
2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
• View IGMP-enabled interfaces.
EXEC Privilege mode
show ip igmp interface
Example of the show ip igmp interface Command
Dell#show ip igmp interface tengig 7/16
TenGigabitEthernet 7/16 is up, line protocol is up
Internet address is 10.87.3.
EXEC Privilege mode
show ip igmp groups
Example of the show ip igmp groups Command
Dell(conf-if-te-1/0)#do sho ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
224.1.1.1 TenGigabitEthernet 1/0 00:00:03 Never CLI
224.1.2.1 TenGigabitEthernet 1/0 00:56:55 00:01:22 1.1.1.2
Adjusting Timers
The following sections describe viewing and adjusting timers. To view the current value of all IGMP timers, use the following command.
Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
no ip igmp snooping
Related Configuration Tasks
• Enabling IGMP Immediate-Leave
• Disabling Multicast Flooding
• Specifying a Port as Connected to a Multicast Router
• Configuring the Switch as Querier
Example of ip igmp snooping enable Command
Dell(conf)#ip igmp snooping enable
Dell(conf)#do show running-config igmp
ip igmp snooping enable
Dell(conf)#
Removing a Group-Port Association
To configure or view the group-port association removal feature, use the following commands.
Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present. Disable Layer 3 multicast (no ip multicast-routing) in order to disable multicast flooding.
sending a second one is the last member query interval (LMQI). The switch waits one LMQI after the second query before removing the group-port entry from the forwarding table.
• Adjust the last member query interval.
INTERFACE VLAN mode
ip igmp snooping last-member-query-interval
Fast Convergence after MSTP Topology Changes
The following describes the fast convergence feature.
Protocol Separation
When you use the application application-type command to assign a set of management applications to TCP/UDP port numbers in the OS, the following table describes the association between applications and their port numbers.
Table 32.
Enabling and Disabling Management Egress Interface Selection
You can enable or disable egress-interface-selection using the management egress-interface-selection command.
NOTE: Egress Interface Selection (EIS) works only with IPv4 routing.
When the feature is enabled using the management egress-interface-selection command, the following events are performed:
• The CLI prompt changes to the EIS mode.
• As per existing behavior, for routes in the default routing table, conflicting front-end port routes, if configured, have higher precedence over management routes. So there can be scenarios where the same management route is present in the EIS routing table but not in the default routing table.
• Routes in the EIS routing table are displayed using the show ip management-eis-route command.
Handling of Switch-Destined Traffic
• The switch processes all traffic received on the management port destined to the management port IP address or on the front-end port destined to the front-end IP address.
• If the source TCP/UDP port number matches a configured EIS or non-EIS management application and the source IP address is a management port IP address, then the EIS route lookup is done for the response traffic, which is therefore sent out of the management port.
Table 33. Mapping of Management Applications and Traffic Type
Columns: Traffic type / Application type; Switch-initiated traffic; Switch-destined traffic; Transit traffic
Row EIS Management Application: Management is the preferred egress port, selected based on a route lookup in the EIS table. If the management port is down or the route lookup fails, packets are dropped.
EIS Behavior: If the destination TCP/UDP port matches a configured management application, a route lookup is done in the EIS table and the management port is selected as the egress port. If the management port is down or the route lookup fails, packets are dropped. EIS Behavior for ICMP: ICMP packets do not have TCP/UDP ports. To do an EIS route lookup for ICMP-based applications (ping and traceroute) using the source ip option, specify the management port IP address as the source IP address.
If the source IP address does not match the management port IP address, the route lookup is done in the default routing table. Default Behavior: The route lookup is done in the default routing table and the appropriate egress port is selected. Table 35.
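The egress decision spread across Tables 33 through 35 reduces to a short routine: decide whether the flow belongs to a management application, then do a longest-prefix lookup in the EIS table (drop on failure, with no fallback) or in the default table. The following Python is an added example written against the text above; it is not Dell code and does not reproduce Dell OS internals. The application port numbers, interface names and route tables are constructed for illustration (the authoritative application-to-port mapping is Table 32).

```python
import ipaddress

# Constructed application-to-port table; the guide's Table 32 is the real mapping.
MGMT_APP_PORTS = {"ssh": 22, "telnet": 23, "tftp": 69, "ntp": 123, "snmp": 161,
                  "syslog": 514, "radius": 1812, "tacacs": 49}


def lookup(table, dst_ip):
    """Longest-prefix match over [(prefix, egress interface), ...]; None when no route."""
    dst = ipaddress.ip_address(dst_ip)
    best_len, best_egress = -1, None
    for prefix, egress in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_egress = net.prefixlen, egress
    return best_egress


def is_management_flow(packet, mgmt_ip):
    """Apply the classification rules of Tables 33 and 34 to one packet."""
    proto = packet["proto"]
    if proto in ("tcp", "udp"):
        ports = set(MGMT_APP_PORTS.values())
        if packet.get("dst_port") in ports:
            return True  # switch-initiated request towards a management server
        # response to switch-destined traffic: source port is a management
        # application and the source address is the management port address
        return packet.get("src_port") in ports and packet["src_ip"] == mgmt_ip
    if proto == "icmp":
        # ping/traceroute only take the EIS path when "source ip" is the management address
        return packet["src_ip"] == mgmt_ip
    return False


def select_egress(packet, *, eis_enabled, mgmt_ip, mgmt_port_up, eis_table, default_table):
    """Return (egress interface or "drop", reason) for one switch-originated packet."""
    if eis_enabled and is_management_flow(packet, mgmt_ip):
        if not mgmt_port_up:
            return ("drop", "management port down")   # no fallback to the default table
        egress = lookup(eis_table, packet["dst_ip"])
        return (egress, "EIS table") if egress else ("drop", "no EIS route")
    egress = lookup(default_table, packet["dst_ip"])
    return (egress, "default table") if egress else ("drop", "no route")


# Constructed topology: a management subnet reachable both ways, plus a default route.
MGMT_IP = "10.1.0.5"
EIS_TABLE = [("10.1.0.0/16", "ManagementEthernet 0/0")]
DEFAULT_TABLE = [("0.0.0.0/0", "TenGigabitEthernet 0/1"),
                 ("10.1.0.0/16", "TenGigabitEthernet 0/2")]


def decide(packet, eis_enabled=True, mgmt_port_up=True):
    return select_egress(packet, eis_enabled=eis_enabled, mgmt_ip=MGMT_IP,
                         mgmt_port_up=mgmt_port_up, eis_table=EIS_TABLE,
                         default_table=DEFAULT_TABLE)


if __name__ == "__main__":
    ssh = {"src_ip": MGMT_IP, "dst_ip": "10.1.1.9", "proto": "tcp", "src_port": 40000, "dst_port": 22}
    print(decide(ssh))                       # management port via the EIS table
    print(decide(ssh, mgmt_port_up=False))   # dropped, not re-routed out a front-end port
```

The point worth noticing is the second call: once a flow is classified as management traffic, a down management port or a missing EIS route drops it rather than letting it leak out of a front-end port, which is the isolation property EIS exists to provide.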
Designating a Multicast Router Interface To designate an interface as a multicast router interface, use the following command. Dell Networking OS also has the capability of listening in on the incoming IGMP general queries and designates those interfaces as the multicast router interface when the frames have a nonzero IP source address. All IGMP control packets and IP multicast data traffic originating from receivers are forwarded to multicast router interfaces.
24 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces. NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to error-disabled state.
• Physical Interfaces • Egress Interface Selection (EIS) • Management Interfaces • VLAN Interfaces • Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Splitting QSFP Ports to SFP+ Ports • Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port • Configuring wavelength for 10–Gigabit SFP+ optics • Link Dampening • Link Bundle Monitoring • Using Ethernet Pause Frames for
This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel. NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C and Dell Networking OS returns to the command prompt.
To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the system. Dell#show running Current Configuration ...
Enabling Energy Efficient Ethernet Energy Efficient Ethernet (EEE) is an IEEE 802.3az standard that reduces power consumption on Ethernet ports. EEE stops the transmission when there is no data to be transmitted and resumes the transmission at the arrival of new packets. You can enable EEE only on ten Gigabit native or optional module copper ports. 1 To enable EEE, use the eee command.
show hardware counters interface-type slot/port show hardware stack-unit stack-unit-number unit unit-number counters Examples of the show Commands The following example shows the status information for all the interfaces.
Example output of show hardware counters (the RX/TX column and the counter-name column were collapsed by extraction; only the counter names are listed here, with the RX and TX prefixes as they survive):
RX/TX counters: IPV6 L3 Routed Multicast Packets, Unicast Packet Counter, 64 Byte Frame Counter, 65 to 127 Byte Frame Counter, 128 to 255 Byte Frame Counter, 256 to 511 Byte Frame Counter, 512 to 1023 Byte Frame Counter, 1024 to 1518 Byte Frame Counter, 1519 to 1522 Byte Good VLAN Frame Counter, 1519 to 2047 Byte Frame
TX counters: Double VLAN Tag Frame Counter, RUNT Frame Counter, Fragment Counter, PFC Frame Priority 0, PFC Frame Priority 1, PFC Frame Priority 2, PFC Frame Priority 3, PFC Frame Priority 4, PFC Frame Priority 5, PFC Frame Priority 6, PFC Frame Priority 7, Debug Counter 0, Debug Counter 1, Debug Counter 2, Debug Counter 3, Debug Counter 4, Debug Counter 5, Debug Counter 6, Debug Counter 7, Debug Counter 8, Debug Counter 9, Debug Co
RX/TX counters: PFC Frame Priority 4, PFC Frame Priority 5, PFC Frame Priority 6, PFC Frame Priority 7, Debug Counter 0, Debug Counter 1, Debug Counter 2, Debug Counter 3, Debug Counter 4, Debug Counter 5, Debug Counter 6, Debug Counter 7, Debug Counter 8, EEE LPI Event Counter, EEE LPI Duration Counter, 64 Byte Frame Counter, 65 to 127 Byte Frame Counter
• Clear the EEE counters on all the copper ports. EXEC Privilege mode clear counters eee • Clear the EEE counters on the specified port. EXEC Privilege mode clear counters interface-type slot/port eee • Clear the EEE counters on the specified range of ports. EXEC Privilege mode clear counters interface-type slot/port-range eee Examples of the clear counters eee Command When you use this command, confirm that you want Dell Networking OS to clear the EEE counters.
Dell Networking OS Behavior: The system uses a single MAC address for all physical interfaces. Configuration Task List for Physical Interfaces By default, all interfaces are operationally disabled and traffic does not pass through them.
Example of a Basic Layer 2 Interface Configuration
Dell(conf-if)#show config
!
interface Port-channel 1
no ip address
switchport
no shutdown
Dell(conf-if)#
Configuring Layer 2 (Interface) Mode To configure an interface in Layer 2 mode, use the following commands. • Enable the interface. INTERFACE mode no shutdown • Place the interface in Layer 2 (switching) mode. INTERFACE mode switchport To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
To determine the configuration of an interface, use the show config command in INTERFACE mode or the various show interface commands in EXEC mode. Configuring Layer 3 (Interface) Mode To assign an IP address, use the following commands. • Enable the interface. INTERFACE mode no shutdown • Configure a primary IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx).
• If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence. • Due to the protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table). Configuring EIS EIS is compatible with the following protocols: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. To enable and configure EIS, use the following commands: 1 Enter EIS mode.
displays. If you enable auto-configuration, all IPv6 addresses on that management interface are auto-configured. The first IPv6 address that you configure on the management interface is the primary address. If deleted, you must re-add it; the secondary address is not promoted. The following rules apply to having two IPv6 addresses on a management interface: • IPv6 addresses on a single management interface cannot be in the same subnet.
Configuring a Management Interface on an Ethernet Port You can manage the system through any port using remote access such as Telnet. To configure an IP address for the port, use the following commands. There is no separate management routing table, so configure all routes in the IP routing table (the ip route command). • Configure an IP address. INTERFACE mode ip address ip-address mask • Enable the interface. INTERFACE mode no shutdown • The interface is the management interface.
Dell Networking OS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used. For more information about configuring different routing protocols, refer to the chapters on the specific protocol. A consideration for including VLANs in routing protocols is that you must configure the no shutdown command. (For routing traffic to flow, you must enable the VLAN.)
Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command. • Enter INTERFACE mode of the Null interface. CONFIGURATION mode interface null 0 The only configurable command in INTERFACE mode of the Null interface is the ip unreachable command.
There are 128 port-channels with 16 members per channel. As soon as you configure a port channel, Dell Networking OS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads.
Creating a Port Channel You can create up to 128 port channels with up to 16 port members per group on the platform. To configure a port channel, use the following commands. 1 Create a port channel. CONFIGURATION mode interface port-channel id-number 2 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown After you enable the port channel, you can place it in Layer 2 or Layer 3 mode.
show config Examples of the show interfaces port-channel Commands To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
% Error: Port is part of a LAG Te 1/6. Dell(conf-if)# Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell Networking OS recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands.
Example of Configuring the Minimum Oper Up Links in a Port Channel
Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#
Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
EXEC mode
Dell(conf)# interface tengigabitethernet 1/1
Dell(conf-if-te-1/1)#switchport
Dell(conf-if-te-1/1)# vlan tagged 2-5,100,4010
Dell#show interfaces switchport te 1/1
Codes: U - Untagged, T - Tagged, x - Dot1x untagged, X - Dot1x tagged, G - GVRP tagged, M - Trunk, H - VSN tagged, i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
Name: TenGigabitEthernet 1/1 802.
Dell Networking OS allows you to modify the hashing algorithms used for flows and for fragments. The load-balance and hash-algorithm commands are available for modifying the distribution algorithms. Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP.
Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Single-Range The following is an example of a single range. Example of the interface range Command (Single Range)
Dell(config)# interface range tengigabitethernet 1/1 - 23
Dell(config-if-range-te-1/1-23)# no shutdown
Dell(config-if-range-te-1/1-23)#
Create a Multiple-Range The following is an example of a multiple range.
Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range. Example of Adding VLAN and Port-Channel Interface Ranges
Dell(config-if-range-te-1/1-2)# interface range Vlan 2 - 100 , Port 1 - 25
Dell(config-if-range-te-1/1-2-vl-2-100-po-1-25)# no shutdown
Defining Interface Range Macros You can define an interface-range macro to automatically select a range of interfaces for configuration.
Example of the monitor interface Command The information displays in a continuous run, refreshing every 2 seconds by default. To manage the output, use the following keys. • m — Change mode • l — Page up • T — Increase refresh interval (by 1 second) • t — Decrease refresh interval (by 1 second) • c — Clear screen • a — Page down • q — Quit Dell#monitor interface Te 3/1 Dell uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
To test and display TDR results, use the following commands. 1 Test for cable faults on the TenGigabitEthernet cable. EXEC Privilege mode tdr-cable-test tengigabitethernet slot/port Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test, or the test prints an error message. 2 Display the TDR test results.
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA). QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling. Using this adapter, you can effectively use a QSFP or QSFP+ module to connect to a lower-end switch or server that uses an SFP or SFP+ based module.
For these configurations, the following examples show the command output that the show interfaces tengigabitethernet transceiver, show interfaces tengigabitethernet, and show inventory media commands display:
Dell#show interfaces tengigabitethernet 0/0 transceiver
SFP+ 0 Serial ID Base Fields
SFP+ 0 Id = 0x0d
SFP+ 0 Ext Id = 0x00
SFP+ 0 Connector = 0x23
SFP+ 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP+ 0 Encoding = 0x00
………………
………………
SFP+ 0 Diagnostic Information
========================
NOTE: In the following show interfaces tengigabitethernet transceiver commands, ports 5, 6, and 7 are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell Networking OS still perceives these ports as valid and the output shows that pluggable media (optical cables) is inserted into these ports. This is a software limitation for this release.
Dell#show interfaces tengigabitethernet 0/0
tengigabitethernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP+ type is 10GBASE-SX
Interface index is 35012865
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :90b11cf49afa
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Dell#show interfaces tengigabitethernet
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/8
TenGigabitEthernet 0/0 is up, line protocol is up
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, QSFP type is 4x10GBASE-CR1-3M
……..
LineSpeed 10000 Mbit
The show inventory command shows the following output: NOTE: In the following show inventory media command output, ports 1, 2, 3, 5, 6, and 7 are actually inactive.
Link dampening: • reduces processing on the CPUs by reducing excessive interface flapping. • improves network stability by penalizing misbehaving interfaces and redirecting traffic. • improves convergence times and stability throughout the network by isolating failures so that disturbances are not propagated. Important Points to Remember • Link dampening is not supported on VLAN interfaces. • Link dampening is disabled when the interface is configured for port monitoring.
Clearing Dampening Counters To clear dampening counters and accumulated penalties, use the following command. • Clear dampening counters.
• Enable link bundle monitoring. ecmp-group • View all LAG link bundles being monitored. show running-config ecmp-group • Enable link bundle monitoring on port channel interfaces. link-bundle-monitor enable • Configure the threshold level for link bundle monitoring. link-bundle-distribution trigger-threshold Dell(conf-if-po-10)#link-bundle-monitor enable Dell(conf)#link-bundle-distribution trigger-threshold • View the link bundle monitoring status.
Enabling Pause Frames Enable Ethernet pause frames flow control on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior. NOTE: Changes in the flow-control values may not be reflected automatically in the show interface output. As a workaround, apply the new settings, execute shut then no shut on the interface, and then check the running-config of the port. NOTE: If you disable rx flow control, Dell Networking recommends rebooting the system.
• All members of a VLAN must have the same IP MTU value. • Members can have different Link MTU values. Tagged members must have a link MTU 4 bytes higher than untagged members to account for the packet tag. • The VLAN link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the VLAN members. For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500.
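The three MTU rules above can be checked mechanically before a VLAN MTU change is pushed, which avoids the silent drops that follow an inconsistent setting. The following Python is an added example, not Dell code: the member table is constructed, and the check reads the third rule as bounding the VLAN values by the smallest link MTU and IP MTU among the members (so the page's 1522/1518 example yields a maximum VLAN link MTU of 1518 and IP MTU of 1500).

```python
from dataclasses import dataclass

TAG_OVERHEAD = 4  # bytes added by the 802.1Q tag on tagged members


@dataclass
class Member:
    name: str
    tagged: bool
    link_mtu: int
    ip_mtu: int


def max_vlan_mtu(members):
    """Largest VLAN (link MTU, IP MTU) allowed: bounded by the smallest member values."""
    return (min(m.link_mtu for m in members), min(m.ip_mtu for m in members))


def check_vlan_mtu(vlan_link_mtu, vlan_ip_mtu, members):
    """Return the rule violations as strings; an empty list means the configuration is consistent."""
    if not members:
        return ["VLAN has no members"]
    problems = []

    # Rule 1: every member carries the same IP MTU.
    ip_mtus = sorted({m.ip_mtu for m in members})
    if len(ip_mtus) > 1:
        problems.append(f"members disagree on IP MTU: {ip_mtus}")

    # Rule 2: tagged members sit exactly one tag (4 bytes) above untagged members.
    for t in (m for m in members if m.tagged):
        for u in (m for m in members if not m.tagged):
            if t.link_mtu != u.link_mtu + TAG_OVERHEAD:
                problems.append(f"{t.name} link MTU {t.link_mtu} must be "
                                f"{u.name} link MTU {u.link_mtu} + {TAG_OVERHEAD}")

    # Rule 3: the VLAN itself may not exceed what its members can carry.
    max_link, max_ip = max_vlan_mtu(members)
    if vlan_link_mtu > max_link:
        problems.append(f"VLAN link MTU {vlan_link_mtu} exceeds smallest member link MTU {max_link}")
    if vlan_ip_mtu > max_ip:
        problems.append(f"VLAN IP MTU {vlan_ip_mtu} exceeds smallest member IP MTU {max_ip}")
    return problems


# Constructed member table matching the page's worked example (names are illustrative).
MEMBERS = [
    Member("Te 1/1", tagged=True, link_mtu=1522, ip_mtu=1500),
    Member("Te 1/2", tagged=True, link_mtu=1522, ip_mtu=1500),
    Member("Te 1/3", tagged=False, link_mtu=1518, ip_mtu=1500),
]

if __name__ == "__main__":
    print(max_vlan_mtu(MEMBERS))                  # (1518, 1500)
    print(check_vlan_mtu(1518, 1500, MEMBERS))    # []
    print(check_vlan_mtu(1522, 1500, MEMBERS))    # one violation: VLAN link MTU too large
```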
speed {10 | 100 | 1000 | 10000 | auto} NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed. 6 Optionally, set full- or half-duplex. INTERFACE mode duplex {half | full} 7 Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8 Verify configuration changes.
Set Auto-Negotiation Options The negotiation auto command provides a mode option for configuring an individual port to forced master or forced slave once autonegotiation is enabled. CAUTION: Ensure that only one end of the link is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between the auto-neg-error and forced-master/slave states.
Dell#show ip interface configured
Dell#show ip interface stack-unit 1 configured
Dell#show ip interface tengigabitEthernet 1 configured
Dell#show ip interface br configured
Dell#show ip interface br stack-unit 1 configured
Dell#show ip interface br tengigabitEthernet 1 configured
Dell#show running-config interfaces configured
Dell#show running-config interface tengigabitEthernet 1 configured
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant co
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
0 packets input, 0 bytes
Input 0 IP Packets, 0 Vlans 0 MPLS
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate
3106 packets, 226755 bytes, 0 underruns
133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
406 Multicasts, 0 Broadcasts, 2700 Unicasts
0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 150 seconds):
Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate
Output 100.00 Mbits/sec, 4636111 packets/sec, 10.
• L2 ACL • L2 FIB Clearing Interface Counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command. • Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
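Because clear counters wipes the show interfaces counters, anyone watching for link problems needs to capture and compare them between clears. The following Python is an added example (not Dell code) that parses the counter lines in the format shown above and reports the error counters that should stay at zero on a healthy link. The sample block is constructed to resemble the page's excerpts; the field names come from those excerpts, and the set of counters treated as errors is an assumption of this example.

```python
import re

# Counters that stay at zero on a healthy link; any increase is worth an alert (assumed set).
ERROR_COUNTERS = {"CRC", "IP Checksum", "overrun", "discarded", "runts", "giants",
                  "input symbol errors", "underruns", "collisions", "wreddrops"}

# "<count> <name>" pairs; a pair ends at a comma, at the next "<count> <name>", or at end of line.
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z0-9][^,]*?)(?=\s*,|\s+\d+\s+[A-Za-z]|$)")


def parse_show_interfaces(text):
    """Return {"<in|out>:<counter name>": value} from one interface's show interfaces block."""
    counters = {}
    direction = "in"
    for raw in text.splitlines():
        line = raw.strip()
        if "/sec" in line or "line-rate" in line:
            continue  # rate lines carry floats, not counters
        if not re.match(r"(Received|Input|Output|\d)", line):
            continue  # status, queueing and "last clearing" lines
        if "packets input" in line:
            direction = "in"
        elif "packets output" in line:
            direction = "out"
        for count, name in COUNTER_RE.findall(line):
            counters[f"{direction}:{name.strip()}"] = int(count)
    return counters


def nonzero_errors(counters):
    """Subset of the parsed counters that are error counters with a non-zero value."""
    return {key: value for key, value in counters.items()
            if key.split(":", 1)[1] in ERROR_COUNTERS and value > 0}


# Constructed sample in the layout of the excerpt above (values are illustrative).
SAMPLE = """\
TenGigabitEthernet 1/1 is up, line protocol is up
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
     3106 packets input, 226755 bytes
     Input 3106 IP Packets, 0 Vlans 0 MPLS
     133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
     17 CRC, 0 IP Checksum, 0 overrun, 3 discarded
     2500 packets output, 180000 bytes, 0 underruns
     Output 406 Multicasts, 0 Broadcasts, 2094 Unicasts
     2500 IP Packets, 0 Vlans, 0 MPLS
     0 throttles, 0 discarded
Rate info (interval 150 seconds):
     Input 300.00 Mbits/sec, 1534517 packets/sec, 30.00% of line-rate
     Output 100.00 Mbits/sec, 4636111 packets/sec, 10.00% of line-rate
"""

if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE)
    print(nonzero_errors(parsed))   # {'in:CRC': 17, 'in:discarded': 3}
```

Run the parser on two captures taken before and after the interval of interest and diff the dictionaries; a rising CRC or input-symbol-error count points at cabling or optics, while discards and throttles point at congestion or policing.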
25 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
transform-set myXform-set
session-key inbound esp 256 auth encrypt
session-key outbound esp 257 auth encrypt
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.
26 IPv4 Routing The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Configuring a Broadcast Address • Configurations Using UDP Helper • UDP Helper with Broadcast-All Addresses • UDP Helper with Subnet Broadcast Addresses • UDP Helper with Configured Broadcast Addresses • UDP Helper with No Configured Broadcast Addresses • Troubleshooting UDP Helper IP Addresses Dell Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks.
2 • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Enable the interface. INTERFACE mode no shutdown 3 Configure a primary IP address and mask on the interface.
Example of the show ip route static Command To view the configured routes, use the show ip route static command.
Dell#show ip route static
Destination Gateway
----------------
S 2.1.2.0/24 Direct, Nu 0
S 6.1.2.0/24 via 6.1.20.2,
S 6.1.2.2/32 via 6.1.20.2,
S 6.1.2.3/32 via 6.1.20.2,
S 6.1.2.4/32 via 6.1.20.2,
S 6.1.2.5/32 via 6.1.20.2,
S 6.1.2.6/32 via 6.1.20.2,
S 6.1.2.7/32 via 6.1.20.2,
S 6.1.2.8/32 via 6.1.20.2,
S 6.1.2.9/32 via 6.1.20.2,
S 6.1.2.10/32 via 6.1.20.2,
S 6.1.2.11/32 via 6.1.20.2,
S 6.1.2.
IPv4 Path MTU Discovery Overview The size of the packet that can be sent across each hop in the network path without being fragmented is called the path maximum transmission unit (PMTU). This value might vary for the same route between two devices, mainly over a public network, depending on the network load and speed, and it is not a consistent value. The MTU size can also be different for various types of traffic sent from one host to the same endpoint.
Configuring the Duration to Establish a TCP Connection You can configure the duration for which the device must wait before it attempts to establish a TCP connection. Using this capability, you can limit the wait times for TCP connection requests.
The following sections describe DNS and the resolution of host names. • Enabling Dynamic Resolution of Host Names • Specifying the Local System Domain and a List of Domains • Configuring DNS with Traceroute Name server, Domain name, and Domain list are VRF specific. The maximum number of Name servers and Domain lists per VRF is six. Enabling Dynamic Resolution of Host Names By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands.
ip domain-list name Configure this command up to six times to specify a list of possible domain names. Dell Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted. Configuring DNS with Traceroute To configure your switch to perform DNS with traceroute, use the following commands. • Enable dynamic resolution of host names. CONFIGURATION mode ip domain-lookup • Specify up to six name servers.
For more information about Proxy ARP, refer to RFC 925, Multi-LAN Address Resolution, and RFC 1027, Using ARP to Implement Transparent Subnet Gateways. Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. • Clear the ARP caches for all interfaces or for a specific interface by entering the following information. EXEC privilege clear arp-cache [interface | ip ip-address] [no-refresh] • ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. • no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM.
Figure 50. ARP Learning via ARP Request Beginning with Dell Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 51. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic.
Important Points to Remember • The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface. • The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper. • You may specify a maximum of 16 UDP ports.
Internet address is 1.1.0.1/24 IP UDP-Broadcast address is 1.1.255.
Figure 52. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
Figure 54. UDP Helper with Configured Broadcast Addresses UDP Helper with No Configured Broadcast Addresses The following describes UDP helper with no broadcast addresses configured. • If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces. • If the Incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
27 IPv6 Routing Internet Protocol Version 6 (IPv6) is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration. NOTE: Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. Enable the RA response messages with the ipv6 nd prefix default command in INTERFACE mode.
Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Value / Description:
59 No Next Header
60 Destination Options header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) website. Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field and uses seconds rather than hops.
• Next Header (1 byte) This field identifies the type of header following the Hop-by-Hop Options header and uses the same values. • Header Extension Length (1 byte) This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero). • Options (size varies) This field can contain one or more options.
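The fixed-header fields described above (Version, Traffic Class, Hop Limit, Next Header values such as 59 and 60) and the Hop-by-Hop/Destination Options length rule (Header Extension Length in 8-byte units, not counting the first 8 bytes) are easiest to see by decoding a packet. The following Python parser is an added example, not Dell code: it walks the extension-header chain, applies the (len + 1) * 8 rule, treats 59 as end-of-chain, and refuses headers that claim more bytes than the packet carries, which is the check a forwarding device needs before trusting the length field. The sample packet is constructed inline.

```python
import ipaddress
import struct

HOP_BY_HOP = 0
ROUTING = 43
FRAGMENT = 44          # fixed 8 bytes, no length field
NO_NEXT_HEADER = 59
DEST_OPTIONS = 60
EXT_WITH_LEN_FIELD = {HOP_BY_HOP, ROUTING, DEST_OPTIONS}


def parse_ipv6(packet: bytes) -> dict:
    """Decode the IPv6 fixed header and walk the extension-header chain."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28                  # 4 bits, always 6
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    traffic_class = (first_word >> 20) & 0xFF   # 8 bits
    flow_label = first_word & 0xFFFFF           # 20 bits
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    end = 40 + payload_len
    if len(packet) < end:
        raise ValueError("payload length exceeds captured bytes")

    ext_headers = []
    offset = 40
    while next_hdr in EXT_WITH_LEN_FIELD or next_hdr == FRAGMENT:
        if offset + 2 > end:
            raise ValueError("extension header truncated")
        following = packet[offset]              # Next Header field of this extension header
        if next_hdr == FRAGMENT:
            length = 8
        else:
            # Header Extension Length counts 8-byte units beyond the first 8 bytes.
            length = (packet[offset + 1] + 1) * 8
        if offset + length > end:
            raise ValueError(f"extension header {next_hdr} claims {length} bytes past the payload")
        ext_headers.append((next_hdr, length))
        next_hdr, offset = following, offset + length

    return {
        "version": version, "traffic_class": traffic_class, "flow_label": flow_label,
        "hop_limit": hop_limit, "src": str(src), "dst": str(dst),
        "ext_headers": ext_headers,           # [(type, length in bytes), ...] in chain order
        "upper_next_header": next_hdr,        # 59 means nothing follows
        "payload_offset": offset,
    }


def build_sample_packet() -> bytes:
    """Constructed packet: fixed header -> Hop-by-Hop (8 bytes) -> Dest Options (16 bytes) -> 59."""
    hop_by_hop = bytes([DEST_OPTIONS, 0]) + b"\x01\x04" + b"\x00" * 4      # PadN option fills 6 bytes
    dest_opts = bytes([NO_NEXT_HEADER, 1]) + b"\x01\x0c" + b"\x00" * 12     # PadN option fills 14 bytes
    payload = hop_by_hop + dest_opts
    first_word = (6 << 28) | (0x10 << 20) | 0xABCDE                          # version, TC, flow label
    header = struct.pack("!IHBB", first_word, len(payload), HOP_BY_HOP, 64)
    header += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    return header + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample_packet()))
```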
Link-local Addresses Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are generated automatically by the operating system's IP layer for each network interface. This provides instant automatic network connectivity for any IPv6 host and means that if several hosts connect to a common hub or switch, they have an instant communication path via their link-local IPv6 address. Link-local addresses cannot be routed to the public Internet.
The recommended MTU for IPv6 is 1280. Greater MTU settings increase processing efficiency because each packet carries more data while protocol overheads (for example, headers) or underlying per-packet delays remain fixed. Figure 56. Path MTU Discovery Process IPv6 Neighbor Discovery NDP is a top-level protocol for neighbor discovery on an IPv6 network.
Figure 57. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
You can set the MTU advertised through RA packets to incoming routers without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets only the value advertised to routers; it does not change the interface's actual MTU. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets if that is what is set with the mtu command.
Adjusting Your CAM-Profile
Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as an even number (2, 4, 6, 8, 10). All other profile allocations can use either even or odd-numbered ranges.
CONFIG-INTERFACE mode
ipv6 address ipv6-address/mask
• ipv6-address: x:x:x:x::x
• mask: the prefix length, from 0 to 128.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing.
Assigning a Static IPv6 Route
To configure IPv6 static routes, use the ipv6 route command.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
SNMP over IPv6
You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running Dell Networking OS IPv6. The Dell Networking OS SNMP-server commands have been extended to support IPv6.
• For a brief summary of IPv6 status and configuration, enter the keyword brief.
• For all IPv6 configured interfaces, enter the keyword configured.
• For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• To display information about an IPv6 prefix list, enter list and the prefix-list name.
Examples of the show ipv6 route Commands
The following example shows the show ipv6 route summary command.
Dell#show ipv6 route summary
  Route Source    Active Routes    Non-active Routes
  connected       5                0
  static          0                0
  Total           5                0
The following example shows the show ipv6 route command.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Example of the show running-config interface Command
Dell#show run int te 2/2
!
interface TenGigabitEthernet 2/2
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
Dell#
Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
configure terminal
2 Enable the IPv6 RA guard.
CONFIGURATION mode
ipv6 nd ra-guard enable
3 Create the policy.
POLICY LIST CONFIGURATION mode
ipv6 nd ra-guard policy policy-name
4 Define the role of the device attached to the port.
POLICY LIST CONFIGURATION mode
device-role {host | router}
Use the keyword host to set the device role as host. Use the keyword router to set the device role as router.
5 Set the hop count limit.
mtu value
13 Set the advertised reachability time.
POLICY LIST CONFIGURATION mode
reachable-time value
The reachability time range is from 0 to 3,600,000 milliseconds.
14 Set the advertised retransmission time.
POLICY LIST CONFIGURATION mode
retrans-timer value
The retransmission time range is from 100 to 4,294,967,295 milliseconds.
15 Display the configurations applied on the RA guard policy mode.
Example of the show ipv6 nd ra-guard policy Command
Dell#show ipv6 nd ra-guard policy test
ipv6 nd ra-guard policy test
 device-role router
 hop-limit maximum 1
 match ra ipv6-access-list access
 other-config-flag on
 router-preference maximum medium
 trusted-port
Interfaces : Te 1/1
Dell#
Monitoring IPv6 RA Guard
To debug IPv6 RA guard, use the following command.
EXEC Privilege mode
debug ipv6 nd ra-guard [interface slot/port | count value]
The count range is from 1 to 65534. The default is infinity.
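To make the policy knobs above concrete (device-role, trusted-port, hop-limit maximum, the ipv6 access-list match, other-config-flag, router-preference maximum), here is an added example that evaluates received Router Advertisements against such a policy. It is not Dell Networking OS code: the evaluation order, the representation of the access-list as a list of permitted source prefixes, the helper names and the sample RAs are all assumptions or constructed data.

```python
"""Evaluate received Router Advertisements (RAs) against an RA-guard style
policy built from the knobs the guide shows.

Added example, not the switch's implementation. The evaluation order, the
access-list as permitted source prefixes, and the sample RAs are assumptions
or constructed data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Ordering used for "router-preference maximum".
PREFERENCE_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:
    device_role: str = "host"                  # host: never expect RAs; router: inspect them
    trusted_port: bool = False                 # trusted: forward without inspection
    hop_limit_maximum: Optional[int] = None    # drop if the RA's Cur Hop Limit exceeds this
    router_preference_maximum: Optional[str] = None
    other_config_flag: Optional[bool] = None   # None: don't care; True/False: must match
    permitted_sources: List[str] = field(default_factory=list)  # stands in for "match ra ipv6-access-list"


@dataclass
class RouterAdvertisement:
    src: str                   # link-local source of the RA
    cur_hop_limit: int
    router_preference: str     # low | medium | high
    other_config_flag: bool


def evaluate_ra(ra: RouterAdvertisement, policy: RaGuardPolicy) -> Tuple[bool, str]:
    """Return (permit, reason) for one RA received on a port bound to `policy`."""
    if policy.trusted_port:
        return True, "trusted-port: forwarded without inspection"
    if policy.device_role != "router":
        return False, "device-role host: RAs are not expected on this port"
    if policy.permitted_sources:
        src = ip_address(ra.src)
        if not any(src in ip_network(prefix) for prefix in policy.permitted_sources):
            return False, "source %s not permitted by access-list" % ra.src
    if policy.hop_limit_maximum is not None and ra.cur_hop_limit > policy.hop_limit_maximum:
        return False, "hop limit %d exceeds maximum %d" % (ra.cur_hop_limit, policy.hop_limit_maximum)
    if policy.router_preference_maximum is not None:
        if PREFERENCE_RANK[ra.router_preference] > PREFERENCE_RANK[policy.router_preference_maximum]:
            return False, "router preference %s exceeds maximum %s" % (
                ra.router_preference, policy.router_preference_maximum)
    if policy.other_config_flag is not None and ra.other_config_flag != policy.other_config_flag:
        return False, "other-config-flag does not match policy"
    return True, "permitted"


def filter_ras(ras, policy: RaGuardPolicy):
    """Run a batch of RAs through the policy; returns [(src, permitted, reason)]."""
    return [(ra.src,) + evaluate_ra(ra, policy) for ra in ras]


# Constructed policies and RAs (documentation prefixes only).
HOST_POLICY = RaGuardPolicy()                      # access port: no router expected
ROUTER_POLICY = RaGuardPolicy(
    device_role="router",
    hop_limit_maximum=64,
    router_preference_maximum="medium",
    other_config_flag=True,
    permitted_sources=["fe80::/10"],
)
GOOD_RA = RouterAdvertisement("fe80::1", 64, "medium", True)

if __name__ == "__main__":
    for row in filter_ras([GOOD_RA, RouterAdvertisement("fe80::2", 64, "high", True)], ROUTER_POLICY):
        print(row)
```

The host-role branch is the one that matters most on access ports: an RA arriving where no router is expected is dropped before any field is inspected, which is the behaviour the guide's device-role host keyword selects.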
28 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
Figure 58. Example of iSCSI Optimization
Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
You can configure whether the iSCSI optimization feature uses the VLAN priority or IP DSCP mapping to determine the traffic class queue. By default, iSCSI flows are assigned to dot1p priority 4. To map incoming iSCSI traffic on an interface to a dot1p priority-queue other than 4, use the CoS dot1p-priority command (refer to QoS dot1p Traffic Classification and Queue Assignment). Dell Networking recommends setting the CoS dot1p priority-queue to 0 (zero).
• At the first detection of an EqualLogic array, an MTU of 12000 is enabled on all ports and port-channels (if it has not already been enabled).
• Spanning-tree portfast is enabled on the interface LLDP identifies.
• Unicast storm control is disabled on the interface LLDP identifies.
Configuring Detection and Ports for Dell Compellent Arrays
To configure a port connected to a Dell Compellent storage array, use the following command.
• Configure a port connected to a Dell Compellent storage array.
When you disable the iSCSI feature, iSCSI resources are released and the detection of EqualLogic arrays using LLDP is disabled. Disabling iSCSI does not remove the MTU, flow control, portfast, or storm control configuration applied as a result of enabling iSCSI.
NOTE: By default, CAM allocation for iSCSI is set to 0. This disables session monitoring.
Default iSCSI Optimization Values
The following table lists the default values for the iSCSI optimization feature.
Table 39.
[no] iscsi target port tcp-port-1 [tcp-port-2...tcp-port-16] [address ip-address]
• tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens for requests. You can configure up to 16 target TCP ports on the switch in one command or multiple commands. The default is 860, 3260. Separate port numbers with a comma.
• ip-address specifies the IP address of the iSCSI target.
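The monitoring section above says the switch identifies iSCSI traffic by packets to or from the configured target ports (860 and 3260 by default), optionally narrowed to a target address, and tracks the result as sessions keyed by initiator and target. The following added example reproduces that classification in code. It is not Dell Networking OS code; the 5-tuple representation, the helper names and the sample flows are constructed (the addresses are borrowed from the guide's session output).

```python
"""Identify iSCSI flows as the guide describes the switch's snooping: TCP
traffic to or from the configured target ports (default 860 and 3260),
optionally restricted to a configured target address, keyed per session.

Added example, not Dell Networking OS code. Flows are constructed sample data.
"""
from typing import List, NamedTuple, Optional, Tuple

DEFAULT_ISCSI_PORTS = (860, 3260)   # defaults named in the guide
MAX_TARGET_PORTS = 16               # guide: up to 16 target TCP ports


class Target(NamedTuple):
    port: int
    address: Optional[str] = None   # None: any target address


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def build_targets(ports, address: Optional[str] = None) -> List[Target]:
    """Validate an `iscsi target port ...` style configuration."""
    ports = list(dict.fromkeys(ports))  # drop duplicates, keep order
    if not 1 <= len(ports) <= MAX_TARGET_PORTS:
        raise ValueError("between 1 and %d target ports allowed" % MAX_TARGET_PORTS)
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError("invalid TCP port %r" % (p,))
    return [Target(p, address) for p in ports]


def config_is_valid(ports, address: Optional[str] = None) -> bool:
    try:
        build_targets(ports, address)
        return True
    except ValueError:
        return False


def _to_target(flow: Flow, t: Target) -> bool:
    return flow.dst_port == t.port and (t.address is None or flow.dst_ip == t.address)


def _from_target(flow: Flow, t: Target) -> bool:
    return flow.src_port == t.port and (t.address is None or flow.src_ip == t.address)


def matched_target(flow: Flow, targets: List[Target]) -> Optional[Target]:
    """Return the target entry this flow belongs to, or None if it is not iSCSI."""
    if flow.proto != "tcp":
        return None
    for t in targets:
        if _to_target(flow, t) or _from_target(flow, t):
            return t
    return None


def is_iscsi_flow(flow: Flow, targets: List[Target]) -> bool:
    return matched_target(flow, targets) is not None


def session_key(flow: Flow, targets: List[Target]) -> Optional[Tuple[str, int, str, int]]:
    """Normalise both directions to (initiator ip, initiator port, target ip, target port),
    the columns `show iscsi sessions` displays."""
    t = matched_target(flow, targets)
    if t is None:
        return None
    if _to_target(flow, t):
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
    return (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)


def classify(flows, targets: List[Target]):
    """Group packets into sessions; returns {session_key: packet count}."""
    sessions = {}
    for f in flows:
        key = session_key(f, targets)
        if key is not None:
            sessions[key] = sessions.get(key, 0) + 1
    return sessions


# Constructed sample flows; addresses borrowed from the guide's session output.
SAMPLE_FLOWS = [
    Flow("10.10.0.44", 33345, "10.10.0.101", 3260),
    Flow("10.10.0.101", 3260, "10.10.0.44", 33345),
    Flow("10.10.0.44", 40001, "10.10.0.101", 80),
    Flow("10.10.0.53", 33432, "10.10.0.200", 860),
]

if __name__ == "__main__":
    for key, count in classify(SAMPLE_FLOWS, build_targets(DEFAULT_ISCSI_PORTS)).items():
        print(key, count)
```

Note that a port-only match is deliberately broad: any TCP flow touching port 860 or 3260 is treated as iSCSI and given the QoS treatment, which is why the guide's address keyword exists to pin classification to the real storage targets.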
The default is: Dell Compellent disk arrays are not detected.
Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
• Display the currently configured iSCSI settings.
show iscsi
• Display information on active iSCSI sessions on the switch.
show iscsi sessions
• Display detailed information on active iSCSI sessions on the switch. To display detailed information on a specified iSCSI session, enter the session's iSCSI ID.
10.10.0.44     33345      10.10.0.101    3260     0
VLT PEER2
Session 0:
------------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c
Up Time:00:00:01:28(DD:HH:MM:SS)
Time for aging out:00:00:09:34(DD:HH:MM:SS)
ISID:806978696102
Initiator      Initiator  Target         Target   Connection
IP Address     TCP Port   IP Address     TCPPort  ID
10.10.0.53     33432      10.10.0.
29 Intermediate System to Intermediate System
Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following:
• area address — within your routing domain, each area must have a unique area value. The first byte is called the authority and format indicator (AFI).
• system address — the router's MAC address.
• N-selector — this is always 0.
The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.
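The NET layout just described (variable-length area address whose first byte is the AFI, a 6-byte system ID, a 1-byte N-selector that must be 0, 8 to 20 bytes overall) is easy to get wrong when typing a net statement. The following added example, not code from the guide, parses and validates a NET and re-emits it in dotted form; it uses the NET 34.0000.0000.AAAA.00 from the guide's sample configuration, while the 20-byte NET and the helper names are constructed.

```python
"""Parse, validate and re-format an IS-IS Network Entity Title (NET):
area address (AFI first), 6-byte system ID, 1-byte N-selector, 8 to 20
bytes in total.

Added example. Uses the NET 34.0000.0000.AAAA.00 from the guide's sample
configuration; the 20-byte NET and helper names are constructed.
"""
from typing import NamedTuple


class Net(NamedTuple):
    afi: int          # authority and format indicator: first byte of the area address
    area: bytes       # full area address, AFI included (1 to 13 bytes)
    system_id: bytes  # 6 bytes, conventionally the router's MAC address
    nsel: int         # N-selector, always 0 for a NET


def parse_net(text: str) -> Net:
    digits = text.replace(".", "")
    if len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError("NET must be dotted hexadecimal: %r" % text)
    raw = bytes.fromhex(digits)
    if not 8 <= len(raw) <= 20:
        raise ValueError("NET is %d bytes; must be 8 to 20" % len(raw))
    nsel = raw[-1]
    if nsel != 0:
        raise ValueError("N-selector must be 00, got %02X" % nsel)
    # last byte is the N-selector, the 6 before it the system ID, the rest the area
    return Net(afi=raw[0], area=raw[:-7], system_id=raw[-7:-1], nsel=nsel)


def format_net(net: Net) -> str:
    """Canonical dotted form: AFI byte alone, then 2-byte groups, then the N-selector."""
    area_hex = net.area.hex().upper()
    groups = [area_hex[:2]] + [area_hex[i:i + 4] for i in range(2, len(area_hex), 4)]
    sysid_hex = net.system_id.hex().upper()
    groups += [sysid_hex[i:i + 4] for i in range(0, 12, 4)]
    groups.append("%02X" % net.nsel)
    return ".".join(groups)


def same_area(a: Net, b: Net) -> bool:
    """Level-1 adjacencies require matching area addresses."""
    return a.area == b.area


def is_valid_net(text: str) -> bool:
    try:
        parse_net(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    n = parse_net("34.0000.0000.AAAA.00")
    print(n, format_net(n))
```

Because the fields are located from the end of the address (N-selector, then system ID), the area address is whatever remains at the front; that is why the total length, not a fixed area size, is what the standard bounds.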
Interface Support
MT IS-IS is supported on physical Ethernet interfaces, port-channel interfaces (static and dynamic using LACP), and VLAN interfaces.
Adjacencies
Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions. If a local router does not participate in certain MTs, it does not advertise those MT IDs in its IS-IS hellos (IIHs) and so does not include that neighbor within its LSPs.
Implementation Information
The IS-IS implementation supports one instance of IS-IS and six areas. You can configure the system as a Level 1 router, a Level 2 router, or a Level 1-2 router.
For IPv6, the IPv4 implementation has been expanded to include two type, length, value (TLV) entries in the PDU that carry the information required for IPv6 routing. The new TLVs are IPv6 Reachability and IPv6 Interface Address. A new IPv6 protocol identifier has also been included in the supported TLVs.
NOTE: When using the IS-IS routing protocol to exchange IPv6 routing information and to determine destination reachability, you can route IPv6 along with IPv4 while using a single intra-domain routing protocol. The configuration commands allow you to enable and disable IPv6 routing and to configure or remove IPv6 prefixes on links. Except where identified, the commands described in this chapter apply to both IPv4 and IPv6 versions of IS-IS.
Enter the keyword interface then the type of interface and slot/port information:
• For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
• For a port channel, enter the keywords port-channel then a number from 1 to 255.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a VLAN, enter the keyword vlan then a number from 1 to 4094.
4 Enter an IPv4 address.
Generate wide metrics: none
Accept wide metrics: none
Dell#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Use this command for IPv6 route computation only when you enable multi-topology. In single-topology mode, to apply the interval to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode.
4 Implement a wide metric-style globally.
ROUTER ISIS AF IPV6 mode
isis ipv6 metric metric-value [level-1 | level-2 | level-1-2]
For wide or wide transition metric style, the cost can be between 0 and 16,777,215.
ROUTER-ISIS mode
graceful-restart t3 {adjacency | manual seconds}
• adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly.
• manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
Next IS-IS LAN Level-2 Hello in 6 seconds
LSP Interval: 33
Next IS-IS LAN Level-1 Hello in 4 seconds
Next IS-IS LAN Level-2 Hello in 6 seconds
LSP Interval: 33
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0
Dell#
Changing LSP Attributes
IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#
Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
• Assign an IS-IS metric.
distance
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for a router.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2-only}
The default is level-1-2.
• Change the IS-type for the IS-IS process.
• For a VLAN, enter the keyword vlan then a number from 1 to 4094.
Distribute Routes
Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes, and routes must meet the conditions of the prefix lists or Dell Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
Redistributing IPv6 Routes
To add routes from other routing instances or protocols, use the following commands.
NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use the ROUTER ISIS mode previously shown.
• Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS.
domain-password [encryption-type | hmac-md5] password
The Dell Networking OS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs. To view the passwords, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode. To remove a password, use either the no area-password or no domain-password command in ROUTER ISIS mode.
• View information on all adjacency-related activity (for example, hello packets that are sent and received).
EXEC Privilege mode
debug isis adj-packets [interface]
To view specific information, enter the following optional parameter:
• interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View information about IS-IS local update packets.
• narrow transition (accepts both narrow and wide and sends only narrow or old-style TLVs)
• wide transition (accepts both narrow and wide and sends only wide or new-style TLVs)
Configure Metric Values
For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. The following describes the correct value range for the isis metric command.
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
wide wide transition original value narrow wide original value narrow transition original value narrow narrow transition original value narrow wide transition original value transition wide original value transition narrow original value transition narrow original value transition wide transition original value narrow transition wide original value narrow transition narrow original value narrow transit
Leaks from One Level to Another
In the following scenarios, each IS-IS level is configured with a different metric style.
Table 44.
NOTE: Whenever you make IS-IS configuration changes, restart the IS-IS process by clearing it with the clear isis command. The clear isis command must include the tag for the IS-IS process. The following example shows the response from the router:
Dell#clear isis *
% ISIS not enabled.
Dell#clear isis 9999 *
You can configure IPv6 IS-IS routes in one of the following three methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
 net 34.0000.0000.AAAA.00
Dell (conf-router_isis)#
IS-IS Sample Configuration — Multi-topology
Dell (conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell (conf-if-te-3/17)#
Dell (conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
30 Link Aggregation Control Protocol (LACP)
A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, provides both load-sharing and port redundancy across stack units. You can enable LAGs as static or dynamic.
Introduction to Dynamic LAGs and LACP
The unique benefit of a dynamic LAG is that its ports can toggle between participating in the LAG or acting as dedicated ports, whereas ports in a static LAG must be removed from the LAG in order to act alone.
LACP Modes
Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive.
• Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
• Active — In this state, the interface is said to be in the "active negotiating state." LACP runs on any link that is configured to be in this state.
The default is 32768.
LACP Configuration Tasks
The following are LACP configuration tasks.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
• Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
Dell(conf-if-te-4/15)#port-channel-protocol lacp
Dell(conf-if-te-4/15-lacp)#port-channel 32 mode active
...
Dell(conf)#interface TenGigabitethernet 4/16
Dell(conf-if-te-4/16)#no shutdown
Dell(conf-if-te-4/16)#port-channel-protocol lacp
Dell(conf-if-te-4/16-lacp)#port-channel 32 mode active
The port-channel 32 mode active command shown here can be issued successfully as long as there is no existing static channel-member configuration in LAG 32.
[no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]]
Shared LAG State Tracking
Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2.
To view the failover group configuration, use the show running-config po-failover-group command.
Dell#show running-config po-failover-group
!
port-channel failover-group
 group 1 port-channel 1 port-channel 2
As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. Message 1 logs this effect: a single console message declares both LAGs down at the same time.
Figure 62.
• You can configure shared LAG state tracking on one side of a link or on both sides.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
LACP Basic Configuration Example
The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names.
Figure 63.
Queueing strategy: fifo
Input statistics:
     132 packets, 163668 bytes
     0 Vlans
     0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     132 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics
     136 packets, 16718 bytes, 0 underruns
     0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     136 Multicasts, 0 Broadcasts, 0 Unic
Figure 65.
Figure 66.
Summary of the LAG Configuration on Bravo
Bravo(conf-if-te-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(
Figure 67.
Figure 68.
Figure 69. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
31 Layer 2
Layer 2 features are supported on Dell Networking OS.
Manage the MAC Address Table
Dell Networking OS provides the following management activities for the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in Dell Networking OS version 8.3.1.0 is different from versions 8.2.1.
INTERFACE mode
learn-limit-violation shutdown
Setting Station Move Violation Actions
no-station-move is the default behavior. You can configure the system to take an action if a station move occurs, using one of the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands.
• Generate a system log message indicating a station move.
mac learning-limit reset station-move-violation [interface | all]
Disabling MAC Address Learning on the System
You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs. To disable source MAC address learning from LACP and LLDP BPDUs, follow this procedure:
• Disable source MAC address learning from LACP BPDUs.
CONFIGURATION mode
mac-address-table disable-learning lacp
• Disable source MAC address learning from LLDP BPDUs.
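The MAC table behaviours described across this section (static entries that do not age, a per-interface learning limit with a log or shutdown violation action, station-move handling, and not learning source addresses from LACP and LLDP BPDUs) interact in ways that are easier to see in a small simulation. The following is an added example, not Dell Networking OS code: the interface names, the documentation MAC addresses, the syslog message formats and the choice that the default no-station-move behaviour silently keeps the existing entry are all constructed or assumed.

```python
"""Simulate the MAC address table behaviours this section describes: static
entries that never age, a per-interface MAC learning limit with a log or
shutdown violation action, station-move handling, and optionally not
learning source MACs from LACP and LLDP BPDUs.

Added example, not Dell Networking OS code. Interface names, MAC addresses
and syslog formats are constructed; treating 'no-station-move' as "keep the
existing entry silently" is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LACP_DST = "01:80:c2:00:00:02"   # Slow Protocols group MAC carried by LACP PDUs
LLDP_DST = "01:80:c2:00:00:0e"   # nearest-bridge group MAC carried by LLDPDUs


@dataclass
class PortConfig:
    learn_limit: Optional[int] = None                 # mac learning-limit N
    learn_limit_violation: str = "log"                # log | shutdown
    station_move_violation: str = "no-station-move"   # no-station-move | log | shutdown


@dataclass
class MacTable:
    ports: Dict[str, PortConfig]
    learn_from_bpdus: bool = True                     # False models disable-learning lacp/lldp
    entries: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # mac -> (port, static)
    shutdown_ports: Set[str] = field(default_factory=set)
    syslog: List[str] = field(default_factory=list)   # constructed message formats

    def add_static(self, mac: str, port: str) -> None:
        self.entries[mac] = (port, True)

    def learned_on(self, port: str) -> int:
        """Dynamic entries currently charged against the port's learning limit."""
        return sum(1 for p, static in self.entries.values() if p == port and not static)

    def clear_dynamic(self) -> None:
        """Equivalent of clearing the table: static entries survive."""
        self.entries = {m: e for m, e in self.entries.items() if e[1]}

    def receive(self, src_mac: str, dst_mac: str, port: str) -> str:
        """Process one frame's source MAC seen on `port`; return what happened."""
        if port in self.shutdown_ports:
            return "dropped: port is shut down"
        if not self.learn_from_bpdus and dst_mac in (LACP_DST, LLDP_DST):
            return "not learned: protocol BPDU"
        cfg = self.ports[port]
        known = self.entries.get(src_mac)
        if known is not None:
            old_port, static = known
            if old_port == port:
                return "refreshed"
            if static:
                return "static entry: not moved"
            if cfg.station_move_violation == "no-station-move":
                return "station move ignored"    # assumption: existing entry kept
            self.syslog.append("STATION_MOVE: %s moved from %s to %s" % (src_mac, old_port, port))
            if cfg.station_move_violation == "shutdown":
                self.shutdown_ports.add(port)
                return "station move: port shut down"
            self.entries[src_mac] = (port, False)
            return "station move: logged and moved"
        if cfg.learn_limit is not None and self.learned_on(port) >= cfg.learn_limit:
            self.syslog.append("LEARN_LIMIT: limit %d reached on %s" % (cfg.learn_limit, port))
            if cfg.learn_limit_violation == "shutdown":
                self.shutdown_ports.add(port)
                return "learn limit: port shut down"
            return "not learned: learn limit reached"
        self.entries[src_mac] = (port, False)
        return "learned"


BCAST = "ff:ff:ff:ff:ff:ff"

if __name__ == "__main__":
    table = MacTable({"Te 1/1": PortConfig(learn_limit=2)})
    for mac in ("00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"):
        print(mac, table.receive(mac, BCAST, "Te 1/1"))
    print(table.syslog)
```

The ordering inside receive is the design point: a known address is handled as a refresh or a station move before the learning limit is consulted, so a limit of 1 still lets the one legitimate station re-appear after a link flap, while a second, different source address on the same port is what triggers the violation action.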
port and re-associated with another port in the ARP table, the no mac-address-table station-move refresh-arp command should not be configured on the Dell Networking switch at the time that NIC teaming is being configured on the server.
NOTE: If you have configured the no mac-address-table station-move refresh-arp command, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out.
Figure 71.
Figure 72.
Configuring Redundant Layer 2 Pairs without Spanning Tree
You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Important Points about Configuring Redundant Pairs
• You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface.
• The active or backup interface may not be a member of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or on ports connected to them.
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2
Dell(conf-if-po-1)#
Dell#
Dell#show interfaces switchport backup
Interface          Status    Paired Interface    Status
Port-channel 1     Active    Port-channel 2      Standby
Port-channel 2     Standby   Port-channel 1      Active
Dell#
Dell(conf-if-po-1)#switchport backup interface tengigabitethernet 0/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 0/2
Dell(conf-if-po-1)#
Far-End Failu
FEFD State Changes FEFD has two operational modes, Normal and Aggressive. When you enable Normal mode on an interface and a far-end failure is detected, no intervention is required to reset the interface to bring it back to an FEFD operational state. When you enable Aggressive mode on an interface in the same state, manual intervention is required to reset the interface.
Configuring FEFD
You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command.
• Enable FEFD globally on all interfaces.
CONFIGURATION mode
fefd-global
To adjust the report interval frequency and the mode, use the following commands.
1 Set up two or more connected interfaces for Layer 2 or Layer 3.
fefd [mode {aggressive | normal}]
• Disable the FEFD protocol on one interface.
INTERFACE mode
fefd disable
Disabling an interface shuts down all protocols working on that interface's connected line. It does not delete your previous FEFD configuration, which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands.
1 Set up two or more connected interfaces for Layer 2 or Layer 3.
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1
2w1d22h : FEFD state on Te 4/1 changed from Bi-directional to Unknown
Dell#debug fefd packets
Dell#2w1d22h : FEFD packet sent via interface Te 1/1
  Sender state -- Bi-directional
  Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Te 1/1)
  Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Te 4/1)
  Sender hold time -- 3 (second)
2w1d22h : FEFD packet received on interface Te 4/1
  Sender state -- Bi-directional
  Sender info
32 Link Layer Discovery Protocol (LLDP)
Link Layer Discovery Protocol (LLDP) — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
802.1AB (LLDP) Overview
The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Table 46. Type, Length, Value (TLV) Types
Type  TLV            Description
0     End of LLDPDU  Marks the end of an LLDPDU.
1     Chassis ID     An administratively assigned name that identifies the LLDP agent.
2     Port ID        An administratively assigned name that identifies a port through which TLVs are sent and received.
3     Time to Live   An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 76. Organizationally Specific TLV
IEEE Organizationally Specific TLVs
The IEEE 802.1 and 802.3 working groups define eight TLV types as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.
Table 47. Optional TLV Types
Type  TLV               Description
4     Port description  A user-defined alphanumeric string that describes the port. Dell Networking OS does not currently support this TLV.
Type  TLV               Description
                        LLDP, but is available and mandatory (nonconfigurable) in the LLDP-MED implementation.
127   Power via MDI     Dell Networking supports the LLDP-MED protocol, which recommends that the Power via MDI TLV not be implemented; therefore Dell Networking implements the Extended Power via MDI TLV only.
127   Link Aggregation  Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG.
Table 48. TIA-1057 (LLDP-MED) Organizationally Specific TLVs
Type  SubType  TLV                    Description
127   1        LLDP-MED Capabilities  Indicates:
                                      • whether the transmitting device supports LLDP-MED
                                      • what LLDP-MED TLVs it supports
                                      • LLDP device class
127   2        Network Policy         Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• The value of the LLDP-MED capabilities field in the TLV is a 2-octet bitmap; each bit represents an LLDP-MED capability (as shown in the following table).
• The possible values of the LLDP-MED device type are shown in the following table.
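The TLV tables above (basic types 0 to 3, organizationally specific type 127 with the IEEE OUI 00-80-C2, and the TIA-1057 LLDP-MED subtypes including the 2-octet capabilities bitmap) describe a wire format that a small codec makes concrete. The following added example, not code from the guide or from Dell Networking OS, encodes and decodes an LLDPDU and enforces the mandatory leading TLVs and the End of LLDPDU terminator. The LLDPDU itself is constructed; the IEEE OUI is from the guide, the TIA OUI 00-12-BB and the chassis/port ID subtype numbers come from IEEE 802.1AB and TIA-1057, and the sample MAC is the one shown in the guide's FEFD output.

```python
"""Encode and decode LLDPDU TLVs: a 16-bit header (7-bit type, 9-bit length)
followed by the value, with type 127 carrying a 3-byte OUI and a subtype.

Added example. The LLDPDU is constructed; the IEEE 802.1 OUI 00-80-C2 is
from the guide, the TIA OUI 00-12-BB used for LLDP-MED TLVs is from TIA-1057.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TIME_TO_LIVE = 0, 1, 2, 3
ORG_SPECIFIC = 127
IEEE_8021_OUI = bytes.fromhex("0080c2")
TIA_OUI = bytes.fromhex("0012bb")
MED_CAPABILITIES_SUBTYPE = 1
MED_NETWORK_POLICY_SUBTYPE = 2


class Tlv(NamedTuple):
    type: int
    value: bytes                    # for type 127: the bytes after OUI and subtype
    oui: Optional[bytes] = None
    subtype: Optional[int] = None


def encode_tlv(tlv_type: int, value: bytes, oui: Optional[bytes] = None,
               subtype: Optional[int] = None) -> bytes:
    if oui is not None:
        value = oui + bytes([subtype]) + value
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> List[Tlv]:
    """Decode TLVs up to and including End of LLDPDU; enforce the mandatory leading TLVs."""
    tlvs: List[Tlv] = []
    off = 0
    while off + 2 <= len(data):
        header = struct.unpack("!H", data[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length %d runs past end of LLDPDU" % length)
        value = data[off:off + length]
        off += length
        if tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV needs OUI and subtype")
            tlvs.append(Tlv(tlv_type, value[4:], value[:3], value[3]))
        else:
            tlvs.append(Tlv(tlv_type, value))
        if tlv_type == END_OF_LLDPDU:
            break                # anything after End of LLDPDU is ignored
    else:
        raise ValueError("LLDPDU has no End of LLDPDU TLV")
    if [t.type for t in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TIME_TO_LIVE]:
        raise ValueError("Chassis ID, Port ID and Time to Live must come first, in that order")
    return tlvs


def is_well_formed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


def ttl_seconds(tlvs: List[Tlv]) -> int:
    return struct.unpack("!H", tlvs[2].value)[0]


def med_capabilities(tlvs: List[Tlv]) -> Optional[Tuple[int, int]]:
    """Return (2-octet capabilities bitmap, device class) from the LLDP-MED Capabilities TLV."""
    for t in tlvs:
        if t.type == ORG_SPECIFIC and t.oui == TIA_OUI and t.subtype == MED_CAPABILITIES_SUBTYPE:
            return struct.unpack("!H", t.value[:2])[0], t.value[2]
    return None


def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU: Chassis ID (MAC), Port ID (interface name), TTL 120,
    IEEE 802.1 Port VLAN ID, LLDP-MED Capabilities, End of LLDPDU."""
    chassis = bytes([4]) + bytes.fromhex("0001e8148925")       # chassis ID subtype 4: MAC address
    port = bytes([5]) + b"TenGigabitEthernet 2/11"             # port ID subtype 5: interface name
    return b"".join([
        encode_tlv(CHASSIS_ID, chassis),
        encode_tlv(PORT_ID, port),
        encode_tlv(TIME_TO_LIVE, struct.pack("!H", 120)),
        encode_tlv(ORG_SPECIFIC, struct.pack("!H", 100), IEEE_8021_OUI, 1),   # Port VLAN ID 100
        # capabilities bitmap 0x0003 (LLDP-MED capabilities + network policy), device class 4
        encode_tlv(ORG_SPECIFIC, struct.pack("!HB", 0x0003, 4), TIA_OUI, MED_CAPABILITIES_SUBTYPE),
        encode_tlv(END_OF_LLDPDU, b""),
    ])


if __name__ == "__main__":
    for tlv in parse_lldpdu(build_sample_lldpdu()):
        print(tlv)
```

The two bounds checks in parse_lldpdu (the 9-bit length against the remaining buffer, and the 4-byte minimum for type 127) are what a receiver needs before trusting a neighbour's advertisement; the debug lldp detail dissection shown later in this chapter is the switch-side view of the same decoding.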
• VLAN ID
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell Networking OS CLI (Advertising TLVs).
Extended Power via MDI TLV
The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device.
• Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
LLDP Compatibility
• Spanning tree and Dell Force10 ring protocol "blocked" ports allow LLDPDUs.
• 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated.
CONFIGURATION versus INTERFACE Configurations
All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a submode of both CONFIGURATION mode and INTERFACE mode.
• Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
Disabling and Undoing LLDP
To disable or undo LLDP, use the following command.
• Disable LLDP globally or for an interface.
disable
To undo an LLDP configuration, precede the relevant command with the keyword no.
Enabling LLDP on Management Ports
LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following commands.
1 Enter PROTOCOL LLDP mode.
CONFIGURATION mode
protocol lldp
2 Enter LLDP management-interface mode.
To advertise TLVs, use the following commands.
1 Enter LLDP mode.
CONFIGURATION mode or INTERFACE mode
protocol lldp
2 Advertise one or more TLVs.
PROTOCOL LLDP mode
advertise {management-tlv | dot1-tlv | dot3-tlv | med}
Include the keyword for each TLV you want to advertise.
• For management TLVs: system-capabilities, system-description.
• For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id, vlan-name.
• For 802.3 TLVs: max-frame-size.
show config

Examples of Viewing LLDP Configurations

Dell(conf)#protocol lldp
Dell(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 hello 10
 no disable
Dell(conf-lldp)#
Dell(conf-lldp)#exit
Dell(conf)#interface Tengigabitethernet 1/31
Dell(conf-if-Te-1/31)#show config
!
interface TenGigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
Dell(conf-if-Te-1/31)#protoco
Remote Port ID: TenGigabitEthernet 2/11
Local Port ID: TenGigabitEthernet 1/21
Locally assigned remote Neighbor Index: 4
Remote TTL: 120
Information valid for next 120 seconds
Time since last information change of this neighbor: 01:50:16
Remote MTU: 1554
Remote System Desc: Dell Networking Real Time Operating System Software
Dell Operating System Version: 1.0.
Dell Application Software Version: 9.0.1.0.
  CONFIGURATION mode or INTERFACE mode
  mode tx
• Receive only.
  CONFIGURATION mode or INTERFACE mode
  mode rx
• Return to the default setting.
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#multiplier ?
<2-10>    Multiplier (default=4)
R1(conf-lldp)#multiplier 5
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 multiplier 5
 no disable
R1(conf-lldp)#no multiplier
R1(conf-lldp)#show
Figure 81. The debug lldp detail Command — LLDPDU Packet Dissection

Relevant Management Objects

Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
• received and transmitted TLVs
• the LLDP configuration on the local agent
• IEEE 802.1AB Organizationally Specific TLVs
• received and transmitted LLDP-MED TLVs

Table 52.
MIB Object Category    LLDP Variable                  LLDP MIB Object               Description
Basic TLV Selection    mibBasicTLVsTxEnable           lldpPortConfigTLVsTxEnable    Indicates which management TLVs are enabled for system ports.
                       mibMgmtAddrInstanceTxEnable    lldpManAddrPortsTxEnable      The management addresses defined for the system and the ports through which they are enabled for transmission.
TLV Type    TLV Name               TLV Variable           System    LLDP MIB Object
7           System Capabilities    system capabilities    Local     lldpLocSysCapSupported
                                                          Remote    lldpRemSysCapSupported
                                                          Local     lldpLocSysCapEnabled
                                                          Remote    lldpRemSysCapEnabled
                                                          Local     lldpLocManAddrLen
                                                          Remote    lldpRemManAddrLen
                                                          Local     lldpLocManAddrSubtype
                                                          Remote    lldpRemManAddrSubtype
                                                          Local     lldpLocManAddr
                                                          Remote    lldpRemManAddr
                                                          Local     lldpLocManAddrIfSubtype
                                                          Remote    lldpRemManAddrIfSubtype
                                                          Local     lldpLocManAddrIfId
                                                          Remote    lldpRemManAddrIfId
                                                          Local
TLV Type    TLV Name    TLV Variable    System    LLDP MIB Object
                        VLAN name       Local     lldpXdot1LocVlanName
                                        Remote    lldpXdot1RemVlanName

Table 55.
TLV Sub-Type    TLV Name                  TLV Variable         System    LLDP-MED MIB Object
                                          Location ID Data     Remote    lldpXMedRemLocationSubtype
                                                               Local     lldpXMedLocLocationInfo
                                                               Remote    lldpXMedRemLocationInfo
4               Extended Power via MDI    Power Device Type    Local     lldpXMedLocXPoEDeviceType
                                                               Remote    lldpXMedRemXPoEDeviceType
                                          Power Source         Local     lldpXMedLocXPoEPSEPowerSource
                                                                         lldpXMedLocXPoEPDPowerSource
                                                               Remote    lldpXMedRemXPoEPSEPowerSource
                                                                         lldpXMedRemXPoEPDPowerSource
                                          Power Priority       Local     lldpXMedLocXPoEPDPowerPriority
33 Microsoft Network Load Balancing

Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With Multicast NLB mode, the data forwards to all the servers based on the port specified using the following Layer 2 multicast command in CONFIGURATION mode:
mac-address-table static multicast vlan output-range ,

Limitations of the NLB Feature

The following limitations apply to switches on which you configure NLB:
• The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
• Enter the ip vlan-flooding command to specify that all Layer 3 unicast routed data traffic going through a VLAN member port floods across all the member ports of that VLAN.
  CONFIGURATION mode
  ip vlan-flooding
  There might be some ARP table entries that were resolved through ARP packets whose Ethernet source MAC address (SA) differs from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
34 Multicast Source Discovery Protocol (MSDP)

Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).

Protocol Overview

Each rendezvous point (RP) peers with every other RP via the transmission control protocol (TCP).
Figure 83.
active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP. Receivers join toward the new RP and connectivity is maintained.

Implementation Information

The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol

Configuring MSDP is a four-step process.
Figure 84.
Figure 85.
Figure 86.
Figure 87. Configuring MSDP

Enable MSDP

Enable MSDP by peering RPs in different administrative domains.

1 Enable MSDP.
  CONFIGURATION mode
  ip multicast-msdp
2 Peer PIM systems in different administrative domains.
  CONFIGURATION mode
  ip msdp peer connect-source

Examples of Configuring and Viewing MSDP

Dell(conf)#ip multicast-msdp
Dell(conf)#ip msdp peer 192.168.0.
Dell(conf)#do show ip msdp summary
Peer Addr        Local Addr       State    Source    SA    Up/Down    Description

To view details about a peer, use the show ip msdp peer command in EXEC privilege mode.

Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.

R3_E600#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in Dell Networking OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries.

Clearing the Source-Active Cache

To clear the source-active cache, use the following command.

• Clear the source-active cache of all, local, or rejected entries, or entries for a specific group.
Figure 88.
Figure 89.
Figure 90.
Figure 91. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages

To specify messages, use the following command.

• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
  If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr      SourceAddr    RPAddr        LearnedFrom    Expire    UpTime
229.0.50.2     24.0.50.2     200.0.0.50    10.0.50.2      73        00:13:49
229.0.50.3     24.0.50.3     200.0.0.50    10.0.50.2      73        00:13:49
229.0.50.4     24.0.50.4     200.0.0.50    10.0.50.2      73        00:13:49

Dell#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime      GroupAddr      SourceAddr    RPAddr        LearnedFrom
00:33:18    229.0.50.64    24.0.50.64    200.0.1.50    10.0.50.2
00:33:18    229.0.50.65    24.0.50.65    200.0.1.50    10.
00:33:18    229.0.50.66    24.0.50.66    200.0.1.50
R1_E600(conf)#do show ip msdp sa-cache
R1_E600(conf)#do show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
1 rejected SAs received, cache-size 1000
UpTime      GroupAddr    SourceAddr    RPAddr         LearnedFrom    Reason
00:02:20    239.0.0.1    10.11.4.2     192.168.0.1    local          Redistribute

Preventing MSDP from Caching a Remote Source

To prevent MSDP from caching a remote source, use the following commands.

1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
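The SA-cache limit behaviour described earlier (a limit applied after the cache has already grown past it evicts nothing until the cache is cleared) and the optional rejected-SA cache from the step above are modelled in the following added example, which is not Dell Networking OS code. It assumes a callable standing in for the SA-filter ACL, and it only counts SAs dropped by the limit rather than placing them in the rejected cache, since the text only says that filter denials are cached there.

```python
# Added example (not Dell Networking OS code): a model of the MSDP SA cache
# limit and rejected-SA cache behaviour described in the text. The limit is
# checked only when a new source is learned, so lowering the limit below the
# current cache size never evicts anything; clear_sa_cache() is the only way
# back under the limit. Limit drops are merely counted here (an assumption).

class MsdpSaCache:
    def __init__(self, limit=None):
        self.limit = limit                 # None = no SA limit configured
        self.entries = {}                  # (group, source) -> {"rp", "learned_from"}
        self.rejected = []                 # rejected SA cache (SA-filter denials)
        self.cache_rejected_sa = False     # the optional "cache rejected SAs" step
        self.limit_drops = 0               # SAs dropped because the cache was full

    def set_sa_limit(self, limit):
        """Apply a limit; entries already present above it are kept (per the text)."""
        self.limit = limit

    def learn(self, group, source, rp, learned_from, sa_filter=None):
        """Process one received SA; returns True if it is (still) in the cache."""
        if sa_filter is not None and not sa_filter(group, source, rp):
            if self.cache_rejected_sa:
                self.rejected.append((group, source, rp, learned_from, "SA-filter"))
            return False
        key = (group, source)
        if key in self.entries:            # refresh of a known source: no limit check
            self.entries[key]["learned_from"] = learned_from
            return True
        if self.limit is not None and len(self.entries) >= self.limit:
            self.limit_drops += 1
            return False
        self.entries[key] = {"rp": rp, "learned_from": learned_from}
        return True

    def clear_sa_cache(self):
        """Equivalent of 'clear ip msdp sa-cache': drop every entry."""
        self.entries.clear()


def deny_groups(denied):
    """Constructed stand-in for an extended ACL used as an SA filter."""
    return lambda group, source, rp: group not in denied


if __name__ == "__main__":
    cache = MsdpSaCache()
    for i in range(2, 7):                  # five sources learned before any limit
        cache.learn(f"229.0.50.{i}", f"24.0.50.{i}", "200.0.0.50", "10.0.50.2")
    cache.set_sa_limit(3)
    print(len(cache.entries))              # 5: limit does not evict existing sources
    cache.clear_sa_cache()
    print(len(cache.entries))              # 0: now the limit of 3 can take effect
```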
Example of Verifying that the System is not Advertising Local Sources

In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.

[Router 1]
R1_E600(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.3 list mylocalfilter
R1_E600(conf)#do show run acl
!
ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none
[Router 1]
R1_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.3
Local Addr: 0.0.0.0(0)
Connect Source: Lo 0
State: Inactive
Up/Down Time: 00:00:03
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 0/0
SAs learned from this peer: 0
SA Filtering:

Clearing Peer Statistics

To clear the peer statistics, use the following command.

• Reset the TCP connection to the peer and clear all peer statistics.
03:17:10 : MSDP-0: Peer 192.168.0.3, rcvd Keepalive msg
03:17:27 : MSDP-0: Peer 192.168.0.3, sent Source Active msg
Input (S,G) filter: none
Output (S,G) filter: none

Configuring Anycast RP

To configure anycast RP, use the following commands.

1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
  CONFIGURATION mode
  interface loopback
2 Make this address the RP for the group.
  CONFIGURATION mode
  ip msdp originator-id

Examples of R1, R2, and R3 Configuration for MSDP with Anycast RP

The following example shows an R1 configuration for MSDP with Anycast RP.

ip multicast-routing
!
interface TenGigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface TenGigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.
!
interface Loopback 1
 ip address 192.168.0.22/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.22/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4

MSDP Sample Configurations

The following examples show the running-configurations described in this chapter. For more information, refer to the illustrations in the Related Configuration Tasks section.
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 update-source Loopback 0
 neighbor 192.168.0.3 no shutdown
!
ip route 192.168.0.3/32 10.11.0.32
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
interface TenGigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.4/32 area 0
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.
35 Multiple Spanning Tree Protocol (MSTP)

MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview

In contrast, PVST+ allows a spanning tree instance for each VLAN.
• Interoperate with Non-Dell Networking OS Bridges
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Configuring Fast Hellos for Link State Detection
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Configure Multiple Spanning Tree Protocol

Configuring multiple spanning tree is a four-step process.

1 Configure interfaces for Layer 2.
2 Place the interfaces in VLANs.
Example of Verifying that MSTP is Enabled

To verify that MSTP is enabled, use the show config command in PROTOCOL MSTP mode.

Dell(conf)#protocol spanning-tree mstp
Dell(config-mstp)#show config
!
protocol spanning-tree mstp
 no disable
Dell#

Adding and Removing Interfaces

To add and remove interfaces, use the following commands. To add an interface to the MSTP topology, configure it for Layer 2 and add it to a VLAN.
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.

Dell#show spanning-tree msti 1
MSTI 1 VLANs mapped 100
Root Identifier has priority 32768, Address 0001.e806.953e
Root Bridge hello time 2, max age 20, forward delay 15, max hops 19
Bridge Identifier has priority 32768, Address 0001.e80d.b6d6
Configured hello time 2, max age 20, forward delay 15, max hops 20
Current root has priority 32768, Address 0001.e806.
Interoperate with Non-Dell Networking OS Bridges

Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name on Dell Networking OS is null.
• Revision is a 2-byte number. The default revision number on Dell Networking OS is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
  The range is from 6 to 40. The default is 20 seconds.
4 Change the max-hops parameter.
  PROTOCOL MSTP mode
  max-hops number
  The range is from 1 to 40. The default is 20.

Example of the forward-delay Parameter

To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
  For the default, refer to the default values shown in the table.
2 Change the port priority of an interface.
  INTERFACE mode
  spanning-tree msti number priority priority
  The range is from 0 to 240, in increments of 16. The default is 128.

To view the current values for these interface parameters, use the show config command from INTERFACE mode.

Configuring an EdgePort

The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
Configuring Fast Hellos for Link State Detection

To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
Figure 93. MSTP with Three VLANs Mapped to Two Spanning Tree Instances

Router 1 Running-Configuration

This example uses the following steps:
1 Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances; tag interfaces to the VLANs.
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown

Router 2 Running-Configuration

This example uses the following steps:
1 Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances; tag interfaces to the VLANs.
 MSTI 2 VLAN 200,300
!
(Step 2)
interface TenGigabitEthernet 3/11
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown

SFTOS Example Running-Configuration

This example uses the following steps:
1 Enable
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
 exit

Debugging and Verifying MSTP Configurations

To debug and verify MSTP configuration, use the following commands.

• Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
Dell#
4w0d4h : MSTP: Sending BPDU on Gi 2/21 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: Tahiti, Rev: 123, Int Root Path Cost: 0
Rem Hops: 20, Bridge Id: 32768:0001.e806.953e
4w0d4h : INST 1: Flags: 0x6e, Reg Root: 32768:0001.e806.
36 Multicast Features

The Dell Networking operating system (OS) supports the following multicast protocols.
Protocol    Ethernet Address
RIP         01:00:5e:00:00:09
NTP         01:00:5e:00:01:01
VRRP        01:00:5e:00:00:12
PIM-SM      01:00:5e:00:00:0d

• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.
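The Ethernet addresses in the table follow from the groups those protocols use (RIP 224.0.0.9, NTP 224.0.1.1, VRRP 224.0.0.18, PIM 224.0.0.13) by the RFC 1112 rule: 01:00:5e plus the low 23 bits of the group. The following added example (not Dell Networking OS code) reproduces the table from the group addresses and goes one step beyond it, listing the 32 IPv4 groups that share one Ethernet address because the top five group bits are discarded, which is why a filter keyed on the MAC alone cannot separate them.

```python
# Added example (not Dell Networking OS code): derive the Ethernet address used
# for an IPv4 multicast group (RFC 1112 section 6.4: 01:00:5e + the low 23 bits
# of the group) and enumerate the 32 groups that collide on that address.
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # 01:00:5e:00:00:00
LOW23 = 0x7FFFFF                    # bits of the group that survive the mapping

# Constructed lookup matching the protocol table in the text.
PROTOCOL_GROUPS = {
    "RIP": "224.0.0.9",
    "NTP": "224.0.1.1",
    "VRRP": "224.0.0.18",
    "PIM-SM": "224.0.0.13",
}


def multicast_mac(group: str) -> str:
    """Return the Ethernet address a switch or NIC uses for `group`."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_aliases(group: str) -> list:
    """All 32 IPv4 groups that map to the same Ethernet address as `group`.

    The 1110 class-D prefix is fixed and 23 bits are kept, leaving five
    bits (bits 23..27 of the address) that the MAC cannot distinguish.
    """
    base = int(ipaddress.IPv4Address(group)) & LOW23
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base))
            for i in range(32)]


def protocol_mac_table() -> dict:
    """Rebuild the protocol -> Ethernet address table from the group addresses."""
    return {name: multicast_mac(group) for name, group in PROTOCOL_GROUPS.items()}


if __name__ == "__main__":
    for name, mac in protocol_mac_table().items():
        print(f"{name:8} {mac}")
    print(mac_aliases("224.0.0.9"))     # 224.0.0.9, 224.128.0.9, 225.0.0.9, ...
```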
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.

To limit the number of multicast routes, use the following command.

• Limit the total number of multicast routes on the system.
  CONFIGURATION mode
  ip multicast-limit
  The range is from 1 to 50000. The default is 15000.

NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per portpipe.
Figure 94. Preventing a Host from Joining a Group

Table 57. Preventing a Host from Joining a Group — Description

Location    Description
1/21        • Interface TenGigabitEthernet 1/21
            • ip pim sparse-mode
            • ip address 10.11.12.1/24
            • no shutdown
1/31        • Interface TenGigabitEthernet 1/31
            • ip pim sparse-mode
            • ip address 10.11.13.
Location    Description
            • ip pim sparse-mode
            • ip address 10.11.1.1/24
            • no shutdown
2/11        • Interface TenGigabitEthernet 2/11
            • ip pim sparse-mode
            • ip address 10.11.12.2/24
            • no shutdown
2/31        • Interface TenGigabitEthernet 2/31
            • ip pim sparse-mode
            • ip address 10.11.23.1/24
            • no shutdown
3/1         • Interface TenGigabitEthernet 3/1
            • ip pim sparse-mode
            • ip address 10.11.5.1/24
            • no shutdown
3/11        • Interface TenGigabitEthernet 3/11
            • ip pim sparse-mode
            • ip address 10.11.13.
  INTERFACE mode
  ip pim neighbor-filter

Preventing a Source from Registering with the RP

To prevent the PIM source DR from sending register packets to the RP for the specified multicast source and group, use the following command. If the source DR never sends register packets to the RP, no hosts can ever discover the source and create a shortest path tree (SPT) to it.

• Prevent a source from transmitting to a particular group.
Figure 95. Preventing a Source from Transmitting to a Group

Table 58. Preventing a Source from Transmitting to a Group — Description

Location    Description
1/21        • Interface GigabitEthernet 1/21
            • ip pim sparse-mode
            • ip address 10.11.12.1/24
            • no shutdown
1/31        • Interface GigabitEthernet 1/31
            • ip pim sparse-mode
            • ip address 10.11.13.
Location    Description
            • ip pim sparse-mode
            • ip address 10.11.1.1/24
            • no shutdown
2/11        • Interface GigabitEthernet 2/11
            • ip pim sparse-mode
            • ip address 10.11.12.2/24
            • no shutdown
2/31        • Interface GigabitEthernet 2/31
            • ip pim sparse-mode
            • ip address 10.11.23.1/24
            • no shutdown
3/1         • Interface GigabitEthernet 3/1
            • ip pim sparse-mode
            • ip address 10.11.5.1/24
            • no shutdown
3/11        • Interface GigabitEthernet 3/11
            • ip pim sparse-mode
            • ip address 10.11.13.
Preventing a PIM Router from Processing a Join

To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.

NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process, resulting in excessive traffic being sent to the CPU of both the RP and the PIM DR of the source.
Important Points to Remember

• The destination address of the mtrace query message can be either a unicast or a multicast address.
  NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver.
• When you issue an mtrace without specifying a group address (weak mtrace), the destination address is taken to be the unicast address of the receiver.
• Source Network/Mask — source mask

Example of the mtrace Command to View the Network Path

The following is an example of tracing a multicast route.

R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. A forwarding code can be added at any node and is not restricted to the last-hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported:

Table 60.
Scenario    Output

Output (continued):
  -4  103.103.103.3  --> Source
  -----------------------------------------------------------------

Scenario: You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM-enabled interface on the node.
Output:
  R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3
  Type Ctrl-C to abort.
Scenario    Output

Output (continued):
      103.103.103.0/24
  -3  2.2.2.1        PIM    103.103.103.0/24
  -4  103.103.103.3  --> Source
  -----------------------------------------------------------------

Scenario: You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
Scenario    Output

Output (continued):
  -3  10.10.10.1  PIM  No route  default
  -----------------------------------------------------------------

Scenario: If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated.
Output:
  R1>mtrace 6.6.6.6 4.4.4.5
  Type Ctrl-C to abort.
Scenario    Output

Output (continued):
  -3  2.2.2.1  PIM  99.99.0.0/16
  -4  * * * *
  -----------------------------------------------------------------

Scenario: If there is no response for mtrace even after switching to expanded hop search, the command displays an error message.
Output:
  R1>mtrace 99.99.99.99 1.1.1.1
  Type Ctrl-C to abort.

Scenario: While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then a NO SPACE error is displayed in the output.
Scenario    Output

Scenario (continued): scenario, a corresponding error message is displayed.
Output:
  ---------------------------------------------------------------
  |Hop|  OIF IP     |Proto| Forwarding Code  |Source Network/Mask|
  ---------------------------------------------------------------
   0   4.4.4.5       --> Destination
  -1   4.4.4.4       PIM                       6.6.6.0/24
  -2   20.20.20.2    PIM                       6.6.6.0/24
  -3   10.10.10.1    PIM   Wrong interface     6.6.6.0/24
  ---------------------------------------------------------------
  R1>mtrace 6.6.6.6 4.4.4.5
  Type Ctrl-C to abort.
37 NPIV Proxy Gateway

The N-port identifier virtualization (NPIV) proxy gateway (NPG) provides FCoE-FC bridging capability on the S5000 switch. This chapter describes how to configure and use an NPIV proxy gateway on an S5000 switch in a storage area network (SAN).
Figure 96. NPIV Proxy Gateway Example

An S5000 FC port is configured as an N (node) port that logs in to an F (fabric) port on the upstream FC core switch and creates a channel for N-port identifier virtualization. NPIV allows multiple N-port fabric logins at the same time on a single, physical Fibre Channel link. Converged Network Adapter (CNA) ports on servers connect to S5000 Ten-Gigabit Ethernet ports and log in to an upstream FC core switch through the S5000 N port.
• When you apply the FCoE map to a server-facing Ethernet port in ENode mode, ACLs are automatically configured to allow only FCoE traffic from servers that perform a successful FLOGI on the FC switch. All other traffic on the VLAN is denied.

You can specify one or more upstream N ports in an FCoE map. The FCoE map also contains the VLAN ID of the dedicated VLAN used to transmit FCoE traffic between the SAN fabric and servers.
Term                    Description
DCB map                 Template used to configure DCB parameters, including priority-based flow control (PFC) and enhanced transmission selection (ETS), on CEE ports.
Fibre Channel fabric    Network of Fibre Channel devices and storage arrays that interoperate and communicate.
FCF                     Fibre Channel forwarder: FCoE-enabled switch that can forward FC traffic to both downstream FCoE and upstream FC devices.
An FCoE map applies the following parameters on server-facing Ethernet and fabric-facing FC ports:
• The dedicated FCoE VLAN used to transport FCoE storage traffic.
• The FC-MAP value used to generate a fabric-provided MAC address.
• The association between the FCoE VLAN ID and FC fabric ID where the desired storage arrays are installed. Each Fibre Channel fabric serves as an isolated SAN topology within the same physical network.
Creating a DCB Map

Configure the priority-based flow control (PFC) and enhanced transmission selection (ETS) settings in a DCB map before you apply them on downstream server-facing ports on an NPG.

1 Create a DCB map to specify PFC and ETS settings for groups of dot1p priorities.
  CONFIGURATION mode
  dcb-map name
2 Configure the PFC setting (on or off) and the ETS bandwidth percentage allocated to traffic in each priority group, or whether priority group traffic should be handled with strict-priority scheduling.
If you delete the dot1p priority-to-priority-group mapping (the no priority pgid command) before you apply the new DCB map, the default PFC and ETS parameters are applied on the interfaces. This change may create a DCB mismatch with peer DCB devices and interrupt network operation.

Applying a DCB Map on Server-Facing Ethernet Ports

You can apply a DCB map only on a physical Ethernet interface, and you can apply only one DCB map per interface.
Applying an FCoE Map on Fabric-Facing FC Ports

By default, FC ports are configured to operate in N Port mode to connect to an F port on an FC switch in a fabric. You can apply only one FCoE map on an FC port. When you apply an FCoE map on a fabric-facing FC port, the FC port becomes part of the FCoE fabric, whose settings in the FCoE map are configured on the port and exported to downstream server CNA ports. Each FC port is associated with an Ethernet MAC address (FCF MAC address).
Apply the DCB Map on a Downstream (Server-Facing) Ethernet Port

Dell(config)# interface tengigabitethernet 1/0
Dell(config-if-te-0/0)#dcb-map SAN_DCB_MAP

Create the Dedicated VLAN Used for FCoE Traffic

Dell(conf)#interface vlan 1002

Configure an FCoE Map Applied on the Downstream (Server-Facing) Ethernet and Upstream (Core-Facing) FC Ports

Dell(config)# fcoe-map SAN_FABRIC_A
Dell(config-fcoe-name)# fabric-id 1002 vlan 1002
Dell(config-fcoe-name)# description "SAN_FABRIC_A"
Dell(config-fcoe-name)# fc-map 0ef
Command                      Description
show npiv devices [brief]    Displays information on FCoE and FC devices currently logged in to the NPG.
show fc switch               Displays the FC mode of operation and worldwide node (WWN) name.
show vlan                    Displays the VLANs currently configured on the switch, including the VLANs dedicated to carrying only FC/FCoE traffic from a server to a SAN fabric.
Example of the show fcoe-map Command

Dell# show fcoe-map brief
Fabric-Name    Fabric-Id    Vlan-Id    FC-MAP    FCF-Priority    Config-State    Oper-State
fid_1003       1003         1003       0efc03    128             ACTIVE          UP
fid_1004       1004         1004       0efc04    128             ACTIVE          DOWN

Dell# show fcoe-map fid_1003
Fabric Name        fid_1003
Fabric Id          1003
Vlan Id            1003
Vlan priority      3
FC-MAP             0efc03
FKA-ADV-Period     8
Fcf Priority       128
Config-State       ACTIVE
Oper-State         UP
Members
Fc 0/0
Te 0/14
Te 0/16

The following lists the show fcoe-map command example field descriptions.
PG:1  TSA:ETS  BW:50  PFC:ON  Priorities:3

The following lists the show qos dcb-map command example field descriptions.

Term        Description
State       • Complete: All mandatory DCB parameters are correctly configured.
            • In progress: The DCB map configuration is not complete. Some mandatory parameters are not configured.
PFC Mode    PFC configuration in the DCB map: On (enabled) or Off.
PG          Priority group configured in the DCB map.
FC-ID          : 01:02:01
LoginMethod    : FLOGI
Secs           : 5593
Status         : LOGGED_IN

ENode[1]       :
ENode MAC      : 00:10:18:f1:94:22
ENode Intf     : Te 0/13
FCF MAC        : 5c:f9:dd:ef:10:c9
Fabric Intf    : Fc 0/0
FCoE Vlan      : 1003
Fabric Map     : fid_1003
ENode WWPN     : 10:00:00:00:c9:d9:9c:cb
ENode WWNN     : 10:00:00:00:c9:d9:9c:cd
FCoE MAC       : 0e:fc:03:01:02:02
FC-ID          : 01:02:01
LoginMethod    : FDISC
Secs           : 5593
Status         : LOGGED_IN

The following lists the show npiv devices command example field descriptions.
Example of the show vlan Command

Dell# show vlan
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated,
       Q: U - Untagged, T - Tagged
          x - Dot1x untagged, X - Dot1x tagged
          G - GVRP tagged, M - Vlan-stack, H - VSN tagged
          i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

Columns as extracted (row alignment not recoverable):
  NUM:          * 1, 10, 11, 20
  Status:       Active, Inactive, Inactive, Inactive
  Description:
  Fabric:       FABRIC_NAME1, FABRIC_NAME10
  Q Ports:      U Po10(Te 1/2-33), -

The following lists the
38 Object Tracking

IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.

NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 97. Object Tracking Example

When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces

You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes

You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays
You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
To configure object tracking on the status of a Layer 2 interface, use the following commands.
1 Configure object tracking on the line-protocol state of a Layer 2 interface.
CONFIGURATION mode
track object-id interface interface line-protocol
Valid object IDs are from 1 to 65535.
2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
OBJECT TRACKING mode
delay {[up seconds] [down seconds]}
Valid delay times are from 0 to 180 seconds.
For an IPv6 interface, a routing object only tracks the UP/DOWN status of the specified IPv6 interface (the track interface ipv6 routing command).
• The status of an IPv6 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IPv6 address.
• The Layer 3 status of an IPv6 interface goes DOWN when its Layer 2 status goes down (for a Layer 3 VLAN, all VLAN ports must be down) or the IPv6 address is removed from the routing table.
  Interface TenGigabitEthernet 7/11 ipv6 routing
  Description: Austin access point
Track an IPv4/IPv6 Route
You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/IPv6 route.
Tracking Route Reachability
Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command.
1 Configure object tracking on the reachability of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
Valid object IDs are from 1 to 65535.
The following example configures object tracking on the reachability of an IPv6 route:
Dell(conf)#track 105 ipv6 route 1234::/64 reachability
Dell(conf-track-105)#delay down 5
Dell(conf-track-105)#description Headquarters
Dell(conf-track-105)#end
Dell#show track 105
Track 105
  IPv6 route 1234::/64 reachability
  Description: Headquarters
  Reachability is Down (route not in route table)
  2 changes, last change 00:03:03
Tracking a Metric Threshold
Use the following commands to configure object tracking on the met
threshold metric {[up number] [down number]}
The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold. The default DOWN threshold is 255. The routing state is DOWN if the scaled route metric is greater than or equal to the DOWN threshold.
6 (Optional) Display the tracking configuration.
  First-hop interface is TenGigabitEthernet 1/2
  Tracked by:
    VRRP TenGigabitEthernet 2/30 IPv6 VRID 1
Track 3
  IPv6 route 2050::/64 reachability
  Reachability is Up (STATIC)
  5 changes, last change 00:02:16
  First-hop interface is TenGigabitEthernet 1/2
  Tracked by:
    VRRP TenGigabitEthernet 2/30 IPv6 VRID 1
Track 4
  Interface TenGigabitEthernet 1/4 ip routing
  IP routing is Up
  3 changes, last change 00:03:30
  Tracked by:
Example of the show track brief Command
Router# show track brief
ResId  Resource  State  LastChange
1
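The delay-timer and metric-threshold behaviour described in this chapter (a change is reported only once the UP or DOWN delay expires, a flap that reverts earlier is never reported, and the routing state follows the UP/DOWN thresholds with defaults 254/255) can be modelled in a few lines. The following is an added example, not Dell Networking OS code; the timeline of observations, the integer-second clock and the object numbers are constructed for illustration.

```python
# Added example (not Dell Networking OS code): a model of how a tracked
# object's UP/DOWN state is reported to a client such as VRRP, with the
# optional up/down delay timers and the route-metric thresholds described
# above. Times are plain integers (seconds) on a constructed timeline.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UP, DOWN = "UP", "DOWN"


@dataclass
class TrackedObject:
    object_id: int
    up_delay: int = 0            # delay up seconds (0-180); 0 = report at once
    down_delay: int = 0          # delay down seconds (0-180)
    up_threshold: int = 254      # threshold metric up (default 254)
    down_threshold: int = 255    # threshold metric down (default 255)
    reported: str = DOWN         # state last communicated to the client
    pending: Optional[Tuple[str, int]] = None   # (target state, timer expiry)
    changes: int = 0
    notifications: List[Tuple[int, str]] = field(default_factory=list)

    def metric_state(self, scaled_metric: int) -> str:
        """Routing state derived from a scaled route metric."""
        if scaled_metric >= self.down_threshold:
            return DOWN
        if scaled_metric <= self.up_threshold:
            return UP
        return self.reported     # between the thresholds: no change

    def observe(self, now: int, state: str) -> None:
        """Feed the raw state of the object as seen at time `now`."""
        if state == self.reported:
            # Back to the former state before the timer expired: the timer is
            # cancelled and the client never hears about the flap.
            self.pending = None
            return
        if self.pending is None or self.pending[0] != state:
            delay = self.up_delay if state == UP else self.down_delay
            self.pending = (state, now + delay)
        self.tick(now)

    def tick(self, now: int) -> None:
        """Advance the clock; report the change once the delay timer expires."""
        if self.pending is not None and now >= self.pending[1]:
            state, fired_at = self.pending
            self.pending = None
            self.reported = state
            self.changes += 1
            self.notifications.append((fired_at, state))


def run_timeline(obj: TrackedObject, events, end_time: int):
    """Replay (time, state) observations and return what the client was told."""
    for t, state in sorted(events):
        obj.observe(t, state)
    obj.tick(end_time)
    return obj.notifications


if __name__ == "__main__":
    # Constructed scenario: object 105 with a 5 second up and down delay.
    # The route comes up at t=0, drops again at t=3 (inside the delay, so the
    # client is never told) and comes up for good at t=10, reported at t=15.
    obj = TrackedObject(object_id=105, up_delay=5, down_delay=5)
    print(run_timeline(obj, [(0, UP), (3, DOWN), (10, UP)], end_time=20))
```

The `changes` counter corresponds to the "N changes" line of show track; with a delay configured it counts reported transitions only, which is why a short flap leaves it untouched.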
39 Open Shortest Path First (OSPFv2)
Open Shortest Path First (OSPFv2) is supported on Dell Networking OS. OSPF protocol standards are listed in the Standards Compliance chapter.
Figure 98. Autonomous System Areas
Area Types
The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. The backbone is the only area with a default area number. All other areas can have their Area ID assigned in the configuration.
Networks and Neighbors
As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Figure 99. OSPF Routing Examples
Backbone Router (BR)
A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.
Area Border Router (ABR)
Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
Autonomous System Border Router (ASBR)
The autonomous system border router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a protocol that is not an interior gateway protocol (IGP), such as BGP, or uses static routes.
• Type 9: Link Local LSA (OSPFv2) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370.
For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the link-state ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object this link connects to. Depending on the type, the link ID has different meanings.
Figure 100. Priority and Cost Examples
Implementing OSPF with Dell Networking OS
Dell Networking OS supports up to 10,000 OSPF routes. Within that 10,000, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. The S5000 supports up to 16 processes simultaneously.
NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Multi-Process OSPFv2 (IPv4 only)
Multi-Process OSPF is supported on the S5000 switch for OSPFv2 with IPv4 only. Multi-process OSPF allows multiple OSPFv2 processes on a single router.
Example of the show ip ospf Command
To confirm that RFC-2328 compliant OSPF flooding is enabled, use the show ip ospf command.
Dell#show ip ospf
Routing Process ospf 1 with ID 2.2.2.
Configuration Information
The interfaces must be in Layer-3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface.
NOTE: By default, OSPF is disabled.
If you are using a Loopback interface, refer to Loopback Interfaces.
2 Enable the interface.
CONFIG-INTERFACE mode
no shutdown
3 Return to CONFIGURATION mode to enable the OSPFv2 process globally.
CONFIGURATION mode
router ospf process-id [vrf {vrf name}]
• vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance. The range is from 0 to 65535.
NOTE: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
In the example below, an IP address is assigned to an interface and an OSPFv2 area is defined that includes the IP address of a Layer 3 interface. The first bold lines assign an IP address to a Layer 3 interface, and the no shutdown command ensures that the interface is UP. The second bold line assigns the IP address of an interface to an area.
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.168.253.5, Interface address 10.168.0.4
  Backup Designated Router (ID) 192.168.253.3, Interface address 10.168.0.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Hello due in 00:00:08
  Neighbor Count is 3, Adjacent neighbor count is 2
  Adjacent with neighbor 10.168.253.5 (Designated Router)
  Adjacent with neighbor 10.168.253.3 (Backup Designated Router)
Loopback 0 is up, line protocol is up
  Internet Address 10.
show ip ospf process-id [vrf vrf name] database database-summary
2 Enter CONFIGURATION mode.
EXEC Privilege mode
configure
3 Enter ROUTER OSPF mode.
CONFIGURATION mode
router ospf process-id [vrf {vrf name}]
Process ID is the ID assigned when configuring OSPFv2 globally.
4 Configure the area as a stub area.
CONFIG-ROUTER-OSPF-id mode
area area-id stub [no-summary]
Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs.
timers throttle lsa arrival arrival-time
• arrival-time: set the interval between receiving the same LSA repeatedly, to allow sufficient time for the system to accept the LSA. The range is from 0 to 600,000 milliseconds.
Enabling Passive Interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface.
Loopback 45 is up, line protocol is up
  Internet Address 10.1.1.23/24, Area 2.2.2.2
  Process ID 34, Router ID 10.1.2.100, Network Type LOOPBACK, Cost: 1
Enabling Fast-Convergence
The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively.
Changing OSPFv2 Parameters on Interfaces
In Dell Networking OS, you can modify the OSPF settings on the interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. To change OSPFv2 parameters on the interfaces, use any or all of the following commands.
• Change the cost associated with OSPF traffic on the interface.
• seconds: the range is from 1 to 65535 (the default is 5 seconds). The retransmit interval must be the same on all routers in the OSPF network.
• Change the wait period between link state update packets sent out the interface.
CONFIG-INTERFACE mode
ip ospf transmit-delay seconds
• seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network.
not take effect immediately after the authentication change wait timer expires; OSPF accepts both the old and the new authentication schemes for a period equal to two times the configured authentication change wait timer. After this period, OSPF accepts only the new authentication scheme. This transmission stops when the period ends. The default is 0 seconds.
Configuring Virtual Links
Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0).
  Hello due in 00:00:02
Dell#
Creating Filter Routes
To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.
• Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
• You are in PREFIX LIST mode.
 distribute-list dilling in
Dell(conf-router_ospf)#
Troubleshooting OSPFv2
Dell Networking OS has several tools to make troubleshooting easier. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process.
NOTE: The following is not a comprehensive list, just some examples of typical troubleshooting checks.
If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
• event: view OSPF event messages.
• packet: view OSPF packet information.
• spf: view SPF information.
• database-timers rate-limit: view the LSAs currently in the queue.
Example of Viewing OSPF Configuration
Dell#show run ospf
!
router ospf 3
!
router ospf 4
 router-id 4.4.4.4
 network 4.4.4.
Figure 101. Basic Topology and CLI Commands for OSPFv2
OSPF Area 0 — Gl 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface TenGigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Gl 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.
OSPF Area 0 — Gl 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TenGigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface TenGigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown
Configuration Task List for OSPFv3 (OSPF for IPv6)
This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
 timers spf 2 5 msec
Dell(conf-ipv6-router_ospf)#
Dell(conf-ipv6-router_ospf)#end
Dell#
Enabling IPv6 Unicast Routing
To enable IPv6 unicast routing, use the following command.
• Enable IPv6 unicast routing globally.
CONFIGURATION mode
ipv6 unicast routing
Assigning IPv6 Addresses on an Interface
To assign IPv6 addresses to an interface, use the following commands.
1 Assign an IPv6 address to the interface.
CONFIGURATION mode
ipv6 router ospf {process ID}
• The range is from 0 to 65535.
Assign the router ID for this OSPFv3 process.
CONF-IPV6-ROUTER-OSPF mode
router-id {number}
• number: the IPv4 address. The format is A.B.C.D.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
• Disable OSPF.
CONFIGURATION mode
no ipv6 router ospf process-id
• Reset the OSPFv3 process.
Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
• Configure the area as a stub area.
CONF-IPV6-ROUTER-OSPF mode
area area-id stub [no-summary]
• no-summary: use these keywords to prevent transmission into the area of summary ASBR LSAs.
• Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address.
• route-map map-name: enter the name of a configured route map.
• tag tag-value: The range is from 0 to 4294967295.
Configuring a Default Route
To generate a default external route into the OSPFv3 routing domain, configure the following parameters. To specify the information for the default route, use the following command.
• Specify the information for the default route.
By default, OSPFv2 supports both planned and unplanned restarts. Selecting one or the other mode restricts OSPFv2 to the single selected mode.
3 Configure the graceful restart role or roles that this OSPFv2 router performs.
CONFIG-ROUTER-OSPF-id mode
graceful-restart role [helper-only | restart-only]
Dell Networking OS supports the following options:
• Helper-only: the OSPFv2 router supports graceful-restart only as a helper router.
router ospf 1
 router-id 200.1.1.1
 log-adjacency-changes
 graceful-restart grace-period 180
 network 20.1.1.0/24 area 0
 network 30.1.1.0/24 area 0
!
ipv6 router ospf 1
 log-adjacency-changes
 graceful-restart grace-period 180
The following example shows the show ipv6 ospf database database-summary command.
Dell#show ipv6 ospf database database-summary
!
OSPFv3 Router with ID (200.1.1.
IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel.
• Transport mode — encrypts only the data portion (payload) of each packet, but leaves the header untouched.
• Tunnel mode — is more secure and encrypts both the header and payload. On the receiving side, an IPsec-compliant device decrypts each packet.
• IPsec security associations (SAs) are supported only in Transport mode (Tunnel mode is not supported).
• ESP with null encryption is supported for authenticating only OSPFv3 protocol headers.
• ESP with non-null encryption is supported for full confidentiality.
• 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported.
NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode.
NOTE: When you configure encryption using the ipv6 ospf encryption ipsec command, you enable both IPsec encryption and authentication. However, when you enable authentication on an interface using the ipv6 ospf authentication ipsec command, you do not enable encryption at the same time.
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
• area area-id: specifies the area for which OSPFv3 traffic is to be authenticated. For area-id, enter a number or an IPv6 prefix.
• spi number: is the SPI value. The range is from 256 to 4294967295.
• MD5 | SHA1: specifies the authentication type: message digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
• key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
• Display the configuration of IPsec encryption policies on the router.
show crypto ipsec policy
Displaying OSPFv3 IPsec Security Policies
To display the configuration of IPsec authentication and encryption policies, use the following commands.
• Display the AH and ESP parameters configured in IPsec security policies, including the SPI number, key, and algorithms used.
EXEC Privilege mode
show crypto ipsec policy [name name]
• name: displays configuration details about a specified policy.
Outbound ESP Auth Key   : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Inbound ESP Cipher Key  : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
Outbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
Transform set           : esp-128-aes esp-sha1-hmac
The following example shows the show crypto ipsec sa ipv6 command.
• Did you configure the interfaces for Layer 3 correctly?
• Is the router in the correct area type?
• Did you include the routes in the OSPF database?
• Did you include the OSPF routes in the routing table (not just the OSPF database)?
Some useful troubleshooting commands are:
• show ipv6 interfaces
• show ipv6 protocols
• debug ipv6 ospf events and/or packets
• show ipv6 neighbors
• show ipv6 routes
Viewing Summary Information
To get general route, configuration, links status, and debug i
NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. All IPv6 addresses on an interface are included in the OSPFv3 process that is created on the interface.
Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically.
To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [reference-bandwidth ref-bw] command.
• ref-bw: The range is from 1 to 4294967. The default is 100 megabits per second.
Assigning IPv6 Addresses on an Interface
To assign IPv6 addresses to an interface, use the following commands.
1 Assign an IPv6 address to the interface.
router-id {number}
• number: the IPv4 address. The format is A.B.C.D.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
• Disable OSPF.
CONFIGURATION mode
no ipv6 router ospf process-id
• Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf process
Assigning OSPFv3 Process ID and Router ID to a VRF
To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
• Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
• no-summary: use these keywords to prevent transmission into the area of summary ASBR LSAs.
• Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address.
Configuring Passive-Interface
To suppress an interface's participation in OSPFv3, use the following command. This command stops the router from sending updates on that interface.
• Specify the information for the default route.
CONF-IPV6-ROUTER-OSPF mode
default-information originate [always [metric metric-value] [metric-type type-value]] [route-map map-name]
Configure the following required and optional parameters:
• always: indicate that default route information is always advertised.
• metric metric-value: The range is from 0 to 4294967295.
• metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
• Disable OSPFv3 graceful-restart.
CONF-IPV6-ROUTER-OSPF mode
no graceful-restart grace-period
Displaying Graceful Restart
To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands.
• Display the graceful-restart configuration for OSPFv2 and OSPFv3 (shown in the following example).
EXEC Privilege mode
show run ospf
• Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example).
LSA count Summary LSAs Rtr LSA Count Net LSA Count Inter Area Pfx LSA Count Inter Area Rtr LSA Count Group Mem LSA Count 12010 1 4 3 12000 0 0
The following example shows the show ipv6 ospf database grace-lsa command.
Dell#show ipv6 ospf database grace-lsa
!
Type-11 Grace LSA (Area 0)
LS Age               : 10
Link State ID        : 6.16.192.66
Advertising Router   : 100.1.1.
LS Seq Number        :
Checksum             :
Length               :
Associated Interface :
Restart Interval     :
Restart Reason       :
You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent.
OSPFv3 Authentication Using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
• Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface.
INTERFACE mode
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key}
• null: causes an authentication policy configured for the area to not be inherited on the interface.
• ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295.
• MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
• key-authentication-type: (optional) specifies if the authentication key is encrypted. The valid values are 0 or 7.
• Remove an IPsec encryption policy from an interface.
no ipv6 ospf encryption ipsec spi number
• Remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area.
no ipv6 ospf encryption null
• Display the configuration of IPsec encryption policies on the router.
NOTE: When you configure encryption using the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area using the area authentication command, you do not enable encryption at the same time.
If you have enabled IPsec authentication in an OSPFv3 area using the area authentication command, you cannot use the area encryption command in the area at the same time.
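The interface-level and area-level rules stated in this chapter (an SPI identifies exactly one policy on the router, SPI values lie in 256 to 4294967295, both ends of a link carry the same SPI and key, area authentication and area encryption are mutually exclusive, and a key-encryption-type of 0 leaves the key in clear text in the configuration) can be checked offline before a change is pushed. The following is an added example, not Dell Networking OS code: it parses a constructed running-configuration snippet written in the style of the authentication commands shown above. The token layout after spi in the encryption command, the plaintext-key default when key-encryption-type is omitted, and the interface names, SPIs and keys are all assumptions made for the example.

```python
# Added example (not Dell Networking OS code): offline checks of an OSPFv3
# IPsec configuration against the rules stated in this chapter. The config
# text is constructed; the argument layout after "spi N" in the encryption
# command is assumed, not taken from the page.
import re
from collections import defaultdict
from typing import List, Tuple

SPI_MIN, SPI_MAX = 256, 4294967295

IFACE_RE = re.compile(r"ipv6 ospf (authentication|encryption) ipsec spi (\d+)\s+(.+)")
AREA_RE = re.compile(r"area (\S+) (authentication|encryption) ipsec spi (\d+)\s+(.+)")

# A policy is (scope, type, spi, tokens after the SPI); scope is the interface
# name or "area <id>".
Policy = Tuple[str, str, int, Tuple[str, ...]]


def parse_policies(config_text: str) -> List[Policy]:
    policies: List[Policy] = []
    scope = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            scope = line.split(" ", 1)[1]
            continue
        m = IFACE_RE.match(line)
        if m:
            ptype, spi, rest = m.groups()
            policies.append((scope, ptype, int(spi), tuple(rest.split())))
            continue
        m = AREA_RE.match(line)
        if m:
            area, ptype, spi, rest = m.groups()
            policies.append(("area " + area, ptype, int(spi), tuple(rest.split())))
    return policies


def key_is_plaintext(tokens: Tuple[str, ...]) -> bool:
    """The token before the key is the key-encryption-type: 0 = stored in clear,
    7 = encrypted. When it is omitted this example assumes the key was typed in
    clear text (assumption)."""
    if len(tokens) >= 2 and tokens[-2] in ("0", "7"):
        return tokens[-2] == "0"
    return True


def check_policies(policies: List[Policy]) -> List[str]:
    findings: List[str] = []
    by_spi = defaultdict(set)     # SPI -> distinct (type, tokens) definitions
    by_area = defaultdict(set)    # area -> policy types configured on it
    for scope, ptype, spi, tokens in policies:
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append(f"{scope}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if key_is_plaintext(tokens):
            findings.append(f"{scope}: SPI {spi} key stored unencrypted; "
                            "use key-encryption-type 7 or service password-encryption")
        by_spi[spi].add((ptype, tokens))
        if scope.startswith("area "):
            by_area[scope].add(ptype)
    for spi, defs in by_spi.items():
        if len(defs) > 1:
            findings.append(f"SPI {spi} is shared by {len(defs)} different policies; "
                            "an SPI must identify exactly one policy on the router")
    for area, types in by_area.items():
        if types == {"authentication", "encryption"}:
            findings.append(f"{area}: area authentication and area encryption "
                            "cannot both be configured")
    return findings


def link_policies_match(pol_a: List[Policy], iface_a: str,
                        pol_b: List[Policy], iface_b: str) -> bool:
    """Both ends of a link must carry the same policy (type, SPI, algorithm, key)."""
    a = {p[1:] for p in pol_a if p[0] == iface_a}
    b = {p[1:] for p in pol_b if p[0] == iface_b}
    return bool(a) and a == b


# Constructed router configurations (not from the page); keys are placeholders.
ROUTER_A = """\
interface TenGigabitEthernet 1/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 600 SHA1 7 ENCRYPTED_KEY_PLACEHOLDER
interface TenGigabitEthernet 1/2
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 601 MD5 0 0123456789abcdef0123456789abcdef
interface TenGigabitEthernet 1/3
 ipv6 ospf 1 area 1
 ipv6 ospf authentication ipsec spi 601 SHA1 0 fedcba9876543210fedcba9876543210fedcba98
ipv6 router ospf 1
 area 2 authentication ipsec spi 700 SHA1 7 ENCRYPTED_KEY_PLACEHOLDER
 area 2 encryption ipsec spi 701 esp-des esp-sha1-hmac 7 ENCRYPTED_KEY_PLACEHOLDER
 area 3 authentication ipsec spi 100 MD5 7 ENCRYPTED_KEY_PLACEHOLDER
"""
ROUTER_B = """\
interface TenGigabitEthernet 2/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 600 SHA1 7 ENCRYPTED_KEY_PLACEHOLDER
"""

if __name__ == "__main__":
    pols = parse_policies(ROUTER_A)
    for finding in check_policies(pols):
        print(finding)
    print(link_policies_match(pols, "TenGigabitEthernet 1/1",
                              parse_policies(ROUTER_B), "TenGigabitEthernet 2/1"))
```

On the constructed ROUTER_A the checker reports the two clear-text keys, the SPI 100 below the allowed range, SPI 601 reused by two different policies, and area 2 carrying both authentication and encryption; ROUTER_B is clean and its interface matches ROUTER_A's TenGigabitEthernet 1/1 end of the link.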
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Examples of the show crypto ipsec Commands
In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold).
The following example shows the show crypto ipsec policy command.
    STATUS : ACTIVE
  inbound esp sas
  outbound esp sas
Interface: TenGigabitEthernet 1/2
  Link Local address: fe80::201:e8ff:fe40:4d11
  IPSecv6 policy name: OSPFv3-1-600
  inbound ah sas
  outbound ah sas
  inbound esp sas
    spi : 600 (0x258)
    transform : esp-des esp-sha1-hmac
    in use settings : {Transport, }
    replay detection support : N
    STATUS : ACTIVE
  outbound esp sas
    spi : 600 (0x258)
    transform : esp-des esp-sha1-hmac
    in use settings : {Transport, }
    replay detection support : N
    STATUS : ACTIVE
Troubleshooting OSPFv3
The
show ipv6 route [vrf vrf-name] summary
• View the summary information for the OSPFv3 database.
EXEC Privilege mode
show ipv6 ospf [vrf vrf-name] database
• View the configuration of OSPFv3 neighbors.
EXEC Privilege mode
show ipv6 ospf [vrf vrf-name] neighbor
• View debug messages for all OSPFv3 interfaces.
EXEC Privilege mode
debug ipv6 ospf [vrf vrf-name] [event | packet] {type slot/port}
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
40 Policy-based Routing (PBR)
Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
Overview
When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Destination port
• TCP Flags
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
• Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next-hop.
• If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
• Apply a Redirect-list to an Interface using a Redirect-group
PBR Exceptions (Permit)
To create an exception to a redirect list, use the permit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries.
• number is the number in sequence to initiate this rule
• ip-address is the Forwarding router's address
• tunnel is used to configure the tunnel settings
• tunnel-id is used to redirect the traffic
• track is used to track the object-id
• track is to enable the tracking
• FORMAT: A.B.C.
You can apply multiple rules to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in the redirect-list. The following displays the correct method for applying multiple rules to one list.
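The evaluation order, the permit exception and the next-hop reachability fallback described above can be reproduced in a small model, which is useful for predicting what a redirect-list will do to a given flow before it is applied to a production interface. The following is an added example, not Dell Networking OS code: the automatic sequence numbering in steps of 5, the packet descriptions, the reachability and track-object states, and the GOLD list contents are constructed for illustration (the GOLD list mirrors the one shown later in this chapter).

```python
# Added example (not Dell Networking OS code): a model of how a redirect-list
# is evaluated, following the behaviour described in this chapter. Sequence
# auto-assignment in steps of 5, the packets and the reachability inputs are
# constructed assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ROUTING_TABLE = "routing-table"   # marker: forward by the normal routing table


@dataclass
class Rule:
    seq: Optional[int]
    action: str                    # "redirect" or "permit" (the exception)
    proto: str                     # ip | tcp | udp | icmp
    src: str                       # any | host A.B.C.D | A.B.C.D/len
    dst: str
    next_hop: Optional[str] = None
    track: Optional[int] = None    # explicit track object-id, if any


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class RedirectList:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> "RedirectList":
        if rule.seq is None:
            # "first available sequence number" (assumed: lowest unused multiple of 5)
            used = {r.seq for r in self.rules}
            seq = 5
            while seq in used:
                seq += 5
            rule.seq = seq
        elif any(r.seq == rule.seq for r in self.rules):
            raise ValueError(f"seq {rule.seq} already used in {self.name}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)   # evaluated in ascending order
        return self

    def definition(self) -> List[str]:
        """Rules in the form printed under 'Defined as:' by show ip redirect-list."""
        out = []
        for r in self.rules:
            parts = [f"seq {r.seq}", r.action]
            if r.action == "redirect":
                parts.append(r.next_hop)
                if r.track is not None:
                    parts.append(f"track {r.track}")
            parts += [r.proto, r.src, r.dst]
            out.append(" ".join(parts))
        return out

    def forward(self, pkt: Dict[str, str], reachable: Dict[str, bool],
                tracks: Dict[int, bool]) -> str:
        """Return the next hop a packet is redirected to, or ROUTING_TABLE."""
        for r in self.rules:
            if r.proto not in ("ip", pkt["proto"]):
                continue
            if not (_addr_match(r.src, pkt["src"]) and _addr_match(r.dst, pkt["dst"])):
                continue
            if r.action == "permit":
                return ROUTING_TABLE          # exception: normal routing decision
            track_up = tracks.get(r.track, True) if r.track is not None else True
            if track_up and reachable.get(r.next_hop, False):
                return r.next_hop
            return ROUTING_TABLE              # next hop unreachable: fall back
        return ROUTING_TABLE                  # no rule matched


def gold_list() -> RedirectList:
    """The GOLD list shown later in this chapter, rebuilt here (constructed)."""
    return (RedirectList("GOLD")
            .add(Rule(None, "redirect", "ip", "192.168.1.0/24", "any", "10.99.99.254"))
            .add(Rule(None, "redirect", "ip", "192.168.2.0/24", "any", "10.99.99.254"))
            .add(Rule(15, "permit", "ip", "any", "any")))


if __name__ == "__main__":
    gl = gold_list()
    print("\n".join(gl.definition()))
    pkt = {"proto": "tcp", "src": "192.168.1.10", "dst": "203.0.113.5"}
    print(gl.forward(pkt, {"10.99.99.254": True}, {}))    # 10.99.99.254
    print(gl.forward(pkt, {"10.99.99.254": False}, {}))   # routing-table
```

The two unnumbered redirect rules receive seq 5 and seq 10 and the explicit seq 15 permit follows them, matching the order shown by show ip redirect-list; a packet from 192.168.1.0/24 is sent to 10.99.99.254 while that next hop is reachable and falls back to the routing table when it is not, and any other packet hits the permit exception.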
Example: Applying a Redirect-list to an Interface
Dell(conf-if-te-1/1)#ip redirect-group xyz
Dell(conf-if-te-1/1)#
Example: Applying a Redirect-list to an Interface
Dell(conf-if-te-1/1)#ip redirect-group test
Dell(conf-if-te-1/1)#ip redirect-group xyz
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 ip redirect-group test
 ip redirect-group xyz
 shutdown
Dell(conf-if-te-1/1)#
Dell(conf-if-gi-1/1)#ip redirect-group test
Dell(conf-if-gi-1/1)#ip redirect-group xyz
Dell(conf-if-gi
  seq 35 redirect 42.1.1.2
  seq 40 redirect 43.1.1.2
  seq 45 redirect 31.1.1.2
[up], Next-hop reachable
[up], Next-hop reachable
[up], Next-hop reachable
[up], Next-hop reachable
[up], Next-hop reachable
[up], Next-hop reachable
icmp host 8.8.8.8 any, Next-hop reachable (via Vl 20)
tcp 155.55.2.0/24 222.22.2.0/24, Next-hop reachable (via Vl 30)
track 200 ip 12.0.0.0 255.0.0.197 13.0.0.0 255.0.0.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
 Defined as:
  seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23)
  seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23)
  seq 15 permit ip any any
 Applied interfaces:
  Te 2/11
EDGE_ROUTER#
Creating a PBR list using Explicit Track Objects for Redirect IPs
Create Track Objects to track the Redirect IPs:
Dell#configure terminal
Dell(conf)#track 3 ip host 42.1.1.
  seq 20 redirect 42.1.1.2 track 3 udp any host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20)
  seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144, Track 4 [up], Next-hop reachable (via Vl 20)
 Applied interfaces:
  Te 2/28
Dell#
Creating a PBR list using Explicit Track Objects for Tunnel Interfaces
Creating steps for Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#tunnel destination 40.1.1.2
Dell(conf-if-tu-1)#tunnel source 40.1.1.
Dell(conf-if-te-2/28)#exit
Dell(conf)#end
Verify the Applied Redirect Rules:
Dell#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
 Defined as:
  seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32)
  seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32)
  seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.
41 PIM Sparse-Mode (PIM-SM)
PIM-sparse mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
3 If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
If a router between the host and the RP receives a PIM Join message for which it already has a (*,G) entry, the interface on which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP.
CONFIGURATION mode
ip multicast-routing
2 Enable PIM-Sparse Mode.
INTERFACE mode
ip pim sparse-mode
Examples of the show ip pim Commands
To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode.
Dell#show ip pim interface
Address      Interface  VIFindex  Ver/Mode  Nbr Count  Query Intvl  DR Prio  DR
189.87.5.6   Te 4/11    0x2       v2/S      1          30           1        127.87.5.
189.87.3.2   Te 4/12    0x3       v2/S      1          30
189.87.31.6  Te 7/11    0x0       v2/S      0          30
189.87.50.6  Te 7/13    0x4       v2/S      1          30
Dell#
To configure a global expiry time or to configure the expiry time for a particular (S,G) entry, use the following commands. 1 Enable global expiry timer for S, G entries. CONFIGURATION mode ip pim sparse-mode sg-expiry-timer seconds The range is from 211 to 86,400 seconds. The default is 210. 2 Create an extended ACL. CONFIGURATION mode ip access-list extended access-list-name 3 Specify the source and group to which the timer is applied using extended ACLs with permit rules only.
Example of Viewing an RP on a Loopback Interface
Dell#sh run int loop0
!
interface Loopback 0
 ip address 1.1.1.1/32
 ip pim sparse-mode
 no shutdown
Dell#sh run pim
!
ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4

Overriding Bootstrap Router Updates
PIM-SM routers must know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or from a static RP configuration.
show ip pim interface Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates.
42 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SSM
Configuring PIM-SSM is a two-step process.
1 Configure PIM-SSM.
2 Enable PIM-SSM for a range of addresses.
Related Configuration Tasks
• Use PIM-SSM with IGMP Version 2 Hosts

Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1 Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2 Enter the ip pim ssm-range command and specify the ACL you created.
To display the source to which a group is mapped, use the show ip igmp ssm-map [group] command. If you use the group option, the command displays the group-to-source mapping even if the group is not currently in the IGMP group table. If you do not specify the group option, the display is a list of groups currently in the IGMP group table that has a group-to-source mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command.
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface  Mode           Uptime
239.0.0.2      Vlan 300   IGMPv2-Compat  00:00:07
  Member Ports: Te 1/1
239.0.0.1      Vlan 400   INCLUDE        00:00:10  Never  10.11.4.2
R1(conf)#do show ip igmp ssm-map
IGMP Connected Group Membership
Group Address  Interface  Mode  Uptime
239.0.0.
4 The BSR floods the RP-Set throughout the domain periodically in case new C-RPs are announced or an RP failure occurs.
To enable RP election, perform the following steps:
1 Enter the following command to make a PIM router a BSR candidate:
CONFIGURATION mode
ip pim bsr-candidate
2 Enter the following command to make a PIM router an RP candidate:
CONFIGURATION mode
ip pim rp-candidate
3 Display Bootstrap Router information.
43 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress traffic, egress traffic, or both on specified ports. The mirrored traffic is sent to a port to which a network analyzer or sniffer is connected, so that the traffic can be inspected or troubleshot.
• A single MD can be monitored on a maximum of 4 MG ports.

Port Monitoring
Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session.
Example of Configuring Another Monitoring Session with a Previously Used Destination Port
Dell(conf)#monitor session 300
Dell(conf-mon-sess-300)#source TenGig 1/17 destination TenGig 1/4 direction tx
% Error: Exceeding max MG ports for this MD port pipe.
Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095. If the MD port is in a Layer 3 VLAN, the frames are tagged with the respective Layer 3 VLAN ID.
Dell(conf)#monitor session 1
Dell(conf-mon-sess-1)#source vl 40 dest ten 1/3 dir rx
Dell(conf-mon-sess-1)#flow-based enable
Dell(conf-mon-sess-1)#exit
Dell(conf)#do show monitor session
SessID  Source  Destination  Dir  Mode  Source IP  Gre-Protocol  FcMonitor
------  ------  -----------  ---  ----  ---------  ------------  ---------
0       Te 1/1  Te 1/2       rx   Port  0.0.0.0    N/A           No
0       Po 10   Te 1/2       rx   Port  0.0.0.0    N/A           No
1       Vl 40   Te 1/3       rx   Flow  0.0.0.0    N/A           No
Dest IP  DSCP  TTL  Drop  Rate
-------  ----  ---  ----  ----
0.0.0.
MONITOR SESSION mode flow-based enable 2 Define IP access-list rules that include the keyword monitor. For port monitoring, Dell Networking OS only considers traffic matching rules with the keyword monitor. CONFIGURATION mode ip access-list Refer to Access Control Lists (ACLs). 3 Apply the ACL to the monitored port.
In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN. Each intermediate switch that participates in the transport of mirrored traffic must be configured with the reserved L2 VLAN.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• Maximum number of destination sessions supported on a switch: 64
• Maximum number of ports supported in a destination session: 64
• You can configure any port as a destination port.
• You can configure additional destination ports in an active session.
• You can tunnel the mirrored traffic from multiple remote-port source sessions to the same destination port.
• By default, the destination port sends the mirrored traffic to the probe port after stripping off the RPM header.
   NUM  Status    Description  Q Ports
*  1    Inactive
R  100  Active                 T Fo 1/20/1
R  300  Active                 T Fo 1/24/1

Configuring the Sample Remote Port Mirroring
Table 63.
Dell(conf)#interface vlan 100
Dell(conf-if-vl-100)#mac access-group mac_acl1 in
Dell(conf-if-vl-100)#exit
Dell(conf)#inte te 1/30
Dell(conf-if-te-1/30)#no shutdown
Dell(conf-if-te-1/30)#switchport
Dell(conf-if-te-1/30)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged te 1/30
Dell(conf-if-vl-30)#exit
Dell(conf)#interface port-channel 10
Dell(conf-if-po-10)#channel-member te 1/28-29
Dell(conf-if-po-10)#no shutdown
Dell(conf-if-po-10)#exit
Dell(conf)#m
Dell(conf-mon-sess-1)#exit
Dell(conf)#monitor session 2 type rpm
Dell(conf-mon-sess-2)#source remote-vlan 20 destination te 1/5
Dell(conf-mon-sess-2)#tagged destination te 0/4
Dell(conf-mon-sess-2)#exit
Dell(conf)#monitor session 3 type rpm
Dell(conf-mon-sess-3)#source remote-vlan 30 destination te 1/6
Dell(conf-mon-sess-3)#tagged destination te 1/6
Dell(conf-mon-sess-3)#end
Dell#
Dell#show monitor session
SessID  Source          Destination  Dir  Mode  Source IP
------  --------------  -----------  ---  ----  ---------
1       remote-vlan 10  T
Encapsulated Remote Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. NOTE: When configuring ERPM, follow these guidelines • The Dell Networking OS supports ERPM source session only. Encapsulated packets terminate at the destination IP address or at the analyzer.
6 Enter the no disable command to enable the ERPM session.
no disable
The following example shows an ERPM configuration:
Dell(conf)#monitor session 0 type erpm
Dell(conf-mon-sess-0)#source tengigabitethernet 1/9 direction rx
Dell(conf-mon-sess-0)#source port-channel 1 direction tx
Dell(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.
ERPM Behavior on a typical Dell Networking OS
The Dell Networking OS supports only the encapsulation of the data received or transmitted at the specified source port (Port A). An ERPM destination session, that is, decapsulation of the ERPM packets at the destination switch, is not supported.
Figure 105.
• Some tools support options to edit the capture file. You can use such a feature (for example, editcap) to chop off the ERPM header and save the result to a new trace file. This new file (that is, the original mirrored packets) can be converted back into a stream and fed to any egress interface.
Using a Python script
• Either use the IP address of a Linux server's Ethernet port as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort.
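The decapsulation step that the bullet above leaves to a Python script, written out as an added example (it is not Dell Networking OS code and not a script shipped with the product). It strips the outer Ethernet II, IPv4 and GRE headers that the ERPM source session adds and returns the GRE protocol type together with the inner mirrored frame, which can then be written to a new capture or replayed. Assumptions: the outer packet is Ethernet II + IPv4 + GRE, the mirrored frame begins immediately after the GRE header (no additional vendor header in between), and the IPv4 header checksum is not verified. The packet produced by build_sample() is constructed for the example; the addresses in it are documentation ranges, not values from this chapter. Note that ERPM traffic is plain GRE over routable IP, so every mirrored frame travels in clear text along the path to the analyzer.

```python
"""Recover the mirrored frame from an ERPM (GRE-encapsulated) packet."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558  # Transparent Ethernet Bridging: payload is an Ethernet frame

GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000


def gre_decap(outer):
    """Return (gre_protocol_type, inner_frame) or raise ValueError."""
    if len(outer) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", outer[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = outer[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_GRE:
        raise ValueError("IPv4 protocol %d is not GRE" % ip[9])
    if total_len > len(ip) or total_len < ihl + 4:
        raise ValueError("IPv4 total length does not fit the packet")
    gre = ip[ihl:total_len]  # slicing by total length drops any Ethernet padding
    flags, proto = struct.unpack("!HH", gre[:4])
    hdr_len = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ):
        if flags & flag:
            hdr_len += 4  # each optional field (RFC 2784/2890) is 32 bits wide
    if len(gre) < hdr_len:
        raise ValueError("truncated GRE header")
    return proto, gre[hdr_len:]


def build_sample(inner, key=None):
    """Constructed ERPM-style packet: Ethernet + IPv4 + GRE wrapped around `inner`."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_TEB)
    if key is not None:
        gre += struct.pack("!I", key)
    gre += inner
    # IPv4 header; the checksum field is left 0 because gre_decap does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64,
                     IPPROTO_GRE, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + gre


if __name__ == "__main__":
    mirrored = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x03" + b"\x08\x00" + b"mirrored payload"
    proto, inner = gre_decap(build_sample(mirrored, key=0x10))
    print("GRE protocol 0x%04x, inner frame of %d bytes" % (proto, len(inner)))
```

To apply this to a real capture, read each outer packet with a pcap library, call gre_decap on it, and write the returned inner frame to the new trace; packets that raise ValueError are not ERPM traffic and should be counted rather than silently dropped.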
The VLTi link is added as an implicit member of the RPM VLAN. As a result, the mirrored traffic also reaches the peer VLT device, consuming VLTi link bandwidth. To mitigate this, the L2 VLT egress mask drops the duplicate packets that would otherwise egress the VLT port. If the LAG status of the peer VLT device is OPER-UP, the other VLT peer blocks the transmission of packets received through the VLTi to its port or LAG.
Scenario / RPM Restriction / Recommended Solution
Mirroring Orphan Ports across VLT Devices — In this scenario, an orphan port on the primary VLT device is mirrored to another orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device. No restrictions apply to the RPM session. The following example shows the configuration on the primary VLT device:
source orphan-port destination remote-vlan direction rx/tx/both
44 Private VLANs (PVLAN) Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
• A primary VLAN has one or more secondary VLANs.
• A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch.
• A primary VLAN has one or more promiscuous ports.
• A primary VLAN might have one or more trunk ports, or none.
Secondary VLAN — a subdomain of the primary VLAN.
• There are two types of secondary VLAN — community VLAN and isolated VLAN.
• Display PVLANs and/or interfaces that are part of a PVLAN.
EXEC mode or EXEC Privilege mode
show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface]
• Display primary-secondary VLAN mapping.
EXEC mode or EXEC Privilege mode
show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
• trunk (inter-switch PVLAN hub port) Example of the switchport mode private-vlan Command For interface details, refer to Enabling a Physical Interface in the Interfaces chapter. NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. You also cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The following example shows the switchport mode private-vlan command on a port and on a port channel.
Add PVLAN trunk ports to the VLAN only as tagged interfaces. You can enter interfaces in numeric or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add promiscuous ports or PVLAN trunk ports to the primary VLAN (no host or regular ports).
6 (OPTIONAL) Assign an IP address to the VLAN.
INTERFACE VLAN mode
ip address ip-address
7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs.
interface vlan vlan-id
2 Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3 Set the PVLAN mode of the selected VLAN to isolated.
INTERFACE VLAN mode
private-vlan mode isolated
4 Add one or more host ports to the VLAN.
INTERFACE VLAN mode
tagged interface or untagged interface
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add ports defined as host ports to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 106. Sample Private VLAN Topology The following configuration is based on the example diagram for the S5000–1: • TenGig 0/0 and TenGig 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • TenGig 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • TenGig 0/24 and TenGig 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (0/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs. To inspect your PVLAN configurations, use the following commands. • Display the specific interface configuration.
4001  Community  Yes  Te 0/4-5
4003  Isolated   Yes  Te 0/6
The following example shows the show vlan private-vlan mapping command output from S5000–2.
S5000-2#show vlan private-vlan mapping
Private Vlan:
 Primary   : 4000
 Isolated  : 4003
 Community : 4001
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column.
The following example shows the show vlan command output from S5000–2.
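The isolation rules this chapter describes, worked out as an added example (not Dell Networking OS code). The functions track a frame by the VLAN it carries inside the private VLAN: frames from host ports carry their secondary VLAN, frames from promiscuous ports carry the primary VLAN, and frames arriving on a PVLAN trunk keep the tag applied by the peer switch. Delivery then follows the chapter's rules: promiscuous and trunk ports receive everything, isolated hosts receive only primary-VLAN (promiscuous) traffic, and community hosts additionally receive traffic from their own community. The VLAN IDs follow the chapter example (primary 4000, community 4001, isolated 4003); the port-to-role assignments are taken from the example topology and the S5000-2 output above, and the reachability matrix is what you would compare against the intended design before connecting anything to those ports.

```python
"""Layer 2 reachability inside a private VLAN."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PVLAN:
    primary: int
    isolated: frozenset   # isolated secondary VLAN IDs
    community: frozenset  # community secondary VLAN IDs

    def is_member_vlan(self, vlan):
        return vlan == self.primary or vlan in self.isolated or vlan in self.community


@dataclass(frozen=True)
class Port:
    name: str
    mode: str  # "promiscuous", "host" or "trunk"
    vlan: int  # primary VLAN for promiscuous/trunk ports, secondary VLAN for hosts


def ingress_tag(pvlan, port, trunk_tag=None):
    """VLAN a frame is associated with after entering the PVLAN on `port`."""
    if port.mode == "promiscuous":
        return pvlan.primary        # downstream traffic rides the primary VLAN
    if port.mode == "host":
        return port.vlan            # upstream traffic keeps its secondary VLAN
    if port.mode == "trunk":
        if trunk_tag is None:
            raise ValueError("PVLAN trunk ports carry tagged frames only")
        return trunk_tag            # tag applied by the peer switch
    raise ValueError("unknown port mode %r" % port.mode)


def can_deliver(pvlan, tag, dst):
    """True if a frame associated with VLAN `tag` may leave through `dst`."""
    if not pvlan.is_member_vlan(tag):
        return False                # not a VLAN of this private VLAN at all
    if dst.mode in ("promiscuous", "trunk"):
        return True                 # primary-side ports see every secondary VLAN
    if tag == pvlan.primary:
        return True                 # promiscuous -> any host
    if tag in pvlan.isolated:
        return False                # isolated hosts never reach another host
    return dst.vlan == tag          # community -> same community only


def can_forward(pvlan, src, dst, trunk_tag=None):
    if src.name == dst.name:
        return False
    return can_deliver(pvlan, ingress_tag(pvlan, src, trunk_tag), dst)


def reachability(pvlan, ports):
    """{(src_name, dst_name): bool} for every ordered pair of non-trunk ports."""
    local = [p for p in ports if p.mode != "trunk"]
    return {(s.name, d.name): can_forward(pvlan, s, d)
            for s in local for d in local if s.name != d.name}


# Chapter example: primary 4000, community 4001, isolated 4003.
EXAMPLE_PVLAN = PVLAN(4000, frozenset({4003}), frozenset({4001}))
PORTS = {p.name: p for p in (
    Port("Te 0/0", "promiscuous", 4000),
    Port("Te 0/25", "trunk", 4000),
    Port("Te 0/24", "host", 4003),   # isolated host
    Port("Te 0/47", "host", 4003),   # isolated host
    Port("Te 0/4", "host", 4001),    # community host
    Port("Te 0/5", "host", 4001),    # community host
)}

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(EXAMPLE_PVLAN, PORTS.values()).items()):
        print("%-8s -> %-8s %s" % (src, dst, "allowed" if ok else "blocked"))
```

The trunk case is the one worth checking on a multi-switch design: a frame that leaves S5000-1 through Te 0/25 tagged with isolated VLAN 4003 must still be blocked from every host port on S5000-2, which is why the check keys on the tag rather than on the port it came from.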
45 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of Spanning Tree — developed by a third party — that allows you to configure a separate Spanning Tree instance for each VLAN. For more information about Spanning Tree, refer to Spanning Tree Protocol (STP).
Protocol Overview
Figure 107. Per-VLAN Spanning Tree
The Dell Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 66. Spanning Tree Variations Dell Networking OS Supports
Dell Networking Term                     IEEE Specification
Spanning Tree Protocol (STP)             802.1d
Rapid Spanning Tree Protocol (RSTP)      802.1w
Multiple Spanning Tree Protocol (MSTP)   802.
Configure Per-VLAN Spanning Tree Plus Configuring PVST+ is a four-step process. 1 Configure interfaces for Layer 2. 2 Place the interfaces in VLANs. 3 Enable PVST+. 4 Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096

Influencing PVST+ Root Selection
As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root and all Ten-GigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN.
The range is from 0 to 61440. The default is 32768.

Example of the show spanning-tree pvst vlan Command
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.b6d6
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 4096, Address 0001.e80d.
The VLAN range is from 1 to 4094. The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
PROTOCOL PVST mode
vlan vlan-range max-age value
The VLAN range is from 1 to 4094. The range is from 6 to 40. The default is 20 seconds.
The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command.
• Change the port priority of an interface. INTERFACE mode spanning-tree pvst vlan vlan-range priority value. The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
Enabling PVST+ Extend System ID In the following example, ports P1 and P2 are untagged members of different VLANs. These ports are untagged because the hub is VLAN unaware. There is no data loop in this scenario; however, you can employ PVST+ to avoid potential misconfigurations. If you enable PVST+ on the Dell Networking switch in this network, P1 and P2 receive BPDUs from each other.
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/22,32
 no shutdown

Example of PVST+ Configuration (R2)
protocol spanning-tree pvst
 no disable
 vlan 200 bridge-priority 4096
interface TenGigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
 tagged TenGigabitEthernet 3/12,22
 no shutdown
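How the bridge-priority and port-priority ranges given in this chapter translate into the identifiers that PVST+ actually compares, as an added example (not Dell Networking OS code). With the extended system ID, the 16-bit priority field of a bridge ID holds the configured priority (a multiple of 4096 between 0 and 61440) in its top 4 bits and the VLAN ID in its low 12 bits, followed by the 48-bit bridge MAC; per VLAN, the bridge with the numerically lowest bridge ID becomes root. Port IDs are built the same way from a 4-bit priority (multiples of 16, 0 to 240) over a 12-bit port number. The MAC 0001.e80d.b6d6 and the priority 4096 on VLAN 100 come from the show output above; the MACs of R2 and R3 are constructed, and the per-VLAN priorities follow the R1/R2/R3 configurations in this section.

```python
"""PVST+ bridge and port identifiers with the extended system ID."""

DEFAULT_PRIORITY = 32768  # default bridge priority from this chapter


def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def bridge_id(priority, vlan, mac):
    """64-bit bridge ID: 4-bit priority | 12-bit VLAN (extended system ID) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return ((priority | vlan) << 48) | mac_to_int(mac)


def decode_bridge_id(bid):
    """Inverse of bridge_id: (priority, vlan, mac as 12 hex digits)."""
    high = bid >> 48
    return high & 0xF000, high & 0x0FFF, "%012x" % (bid & ((1 << 48) - 1))


def port_id(priority, port_number):
    """16-bit port ID: 4-bit priority (multiples of 16) over a 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must fit in 12 bits")
    return (priority << 8) | port_number  # same as (priority // 16) << 12


def elect_root(vlan, bridges):
    """Name of the bridge with the lowest bridge ID for `vlan`.

    bridges: {name: (mac, {vlan: configured priority})}; VLANs not listed for a
    bridge use DEFAULT_PRIORITY, so the MAC address decides among equal priorities.
    """
    ranked = sorted((bridge_id(prio.get(vlan, DEFAULT_PRIORITY), vlan, mac), name)
                    for name, (mac, prio) in bridges.items())
    return ranked[0][1]


BRIDGES = {
    "R1": ("0001.e80d.b6d6", {100: 4096}),  # MAC from the show output in this section
    "R2": ("0001.e80d.b6e0", {200: 4096}),  # constructed MAC
    "R3": ("0001.e80d.b700", {300: 4096}),  # constructed MAC
}

if __name__ == "__main__":
    for vlan in (100, 200, 300, 400):
        print("VLAN %d root: %s" % (vlan, elect_root(vlan, BRIDGES)))
```

Because the VLAN ID lives inside the priority field, two bridges configured with the same priority on different VLANs do not tie; and a priority that is not a multiple of 4096 has no representation at all, which is why the CLI rejects it.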
46 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 68.
Feature: Direction
Create Policy Maps: Ingress + Egress
Create Input Policy Maps: Ingress
Honor DSCP Values on Ingress Packets: Ingress
Honoring dot1p Values on Ingress Packets: Ingress
Create Output Policy Maps: Egress
Specify an Aggregate QoS Policy: Egress
Create Output Policy Maps: Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection: Egress
Create WRED Profiles: Egress
Figure 110.
• Implementation Information
• Port-Based QoS Configurations
• Policy-Based QoS Configurations
• DSCP Color Maps
• Enabling QoS Rate Adjustment
• Enabling Strict-Priority Queueing
• Weighted Random Early Detection
• Pre-Calculating Available QoS CAM Space
• Configuring Weights and ECN for WRED
• Configuring WRED and ECN Attributes
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Applying Layer 2 Match Criteria on a Layer 3 Interface
• Applying DSCP and VL
Example of Configuring a dot1p Priority on an Interface
Dell#configure terminal
Dell(conf)#interface tengigabitethernet 1/1
Dell(conf-if-te-1/1)#switchport
Dell(conf-if-te-1/1)#dot1p-priority 1
Dell(conf-if-te-1/1)#end

Honoring dot1p Priorities on Ingress Traffic
By default, Dell Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel.
Example of the rate police Command The following example shows configuring rate policing.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 111. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell Networking OS matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map. 1 Create a match-any class map. CONFIGURATION mode class-map match-any 2 Create a match-all class map. CONFIGURATION mode class-map match-all 3 Specify your match criteria. CLASS MAP mode match {ip | ipv6 | ip-any} After you create a class-map, Dell Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4 Link the class-map to a queue.
Use Step 1 or Step 2 to start creating a Layer 2 class map. 1 Create a match-any class map. CONFIGURATION mode class-map match-any 2 Create a match-all class map. CONFIGURATION mode class-map match-all 3 Specify your match criteria. CLASS MAP mode match mac After you create a class-map, Dell Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4 Link the class-map to a queue.
Examples of Traffic Classifications The following example shows incorrect traffic classifications.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. • Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1 Create an output QoS policy.
CONFIGURATION mode
qos-policy-output
2 After you configure an output QoS policy, do one or more of the following:
Scheduler Strict — Policy-based strict-priority queueing is configured with the scheduler strict command, which is applied in the qos-policy-output. When scheduler strict is applied to multiple queues, the higher-numbered queue takes precedence.
• Assign each queue a bandwidth percentage ranging from 1 to 100%, in increments of 1%. bandwidth-percentage Specifying WRED Drop Precedence You can configure the WRED drop precedence in an output QoS policy. • Specify a WRED profile to yellow and/or green traffic. QOS-POLICY-OUT mode wred For more information, refer to Applying a WRED Profile to Traffic. Create Policy Maps There are two types of policy maps: input and output.
Honoring DSCP Values on Ingress Packets Dell Networking OS provides the ability to honor DSCP values on ingress packets using Trust DSCP feature. The following table lists the standard DSCP definitions and indicates to which queues Dell Networking OS maps DSCP values. When you configure trust DSCP, the matched packets and matched bytes counters are not incremented in the show qos statistics. Table 70.
trust dot1p

Mapping dot1p Values to Service Queues
By default, all traffic is mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
• All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.

Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
INTERFACE mode
service-queue

Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
• Specify an aggregate QoS policy.
• All DSCP values that are not specified as yellow or red are colored green (low drop precedence). • A DSCP value cannot be in both the yellow and red lists. Setting the red or yellow list with any DSCP value that is already in the other list results in an error and no update to that DSCP list is made. • Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green.
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
• Specify the number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations. CONFIGURATION mode qos-rate-adjust overhead-bytes For example, to include the Preamble and SFD, type qos-rate-adjust 8. For variable length overhead fields, know the number of bytes you want to include. The default is disabled. Enabling Strict-Priority Queueing In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues.
Figure 112. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Creating WRED Profiles To create WRED profiles, use the following commands. 1 Create a WRED profile. CONFIGURATION mode wred-profile 2 Specify the minimum and maximum threshold values. WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic Dell Networking OS should apply the profile.
Displaying Default and Configured WRED Profiles To display the default and configured WRED profiles, use the following command. • Display default and configured WRED profiles and their threshold values. EXEC mode show qos wred-profile Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. • Display the number of packets Dell Networking OS the WRED profile drops.
Pre-Calculating Available QoS CAM Space
Before Dell Networking OS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
and traffic manager (BTM) (ingress or egress) can be consumed by only one or few types of traffic, leaving no space for other types. You can apply a WRED profile to a policy-map so that the specified traffic can be prevented from consuming too much of the BTM resources. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion.
Table 72. Scenarios of WRED and ECN Configuration
(Q-T = queue threshold, SP-T = service-pool threshold, X = don't care)

Queue WRED | Queue ECN | Service-Pool WRED | Service-Pool ECN | Threshold Relationship | Expected Functionality
0 | 0 | X | X | X | WRED/ECN not applicable
1 | 0 | 0 | X | X | Queue-based WRED, no ECN marking
1 | 0 | 1 | X | Q-T < SP-T | Queue-based WRED, no ECN marking
1 | 0 | 1 | X | SP-T < Q-T | Service-pool-based WRED, no ECN marking
1 | 1 | 0 | X | X | Queue-based ECN marking above queue threshold.
mode
Dell(conf)#service-pool wred green pool0 thresh-1 pool1 thresh-2
Dell(conf)#service-pool wred yellow pool0 thresh-3 pool1 thresh-4
Dell(conf)#service-pool wred weight pool0 11 pool1 4
5 Create a service class and associate the threshold weight of the shared buffer with each of the queues per port in the egress direction.
class-map match-any ecn_0_cmap
 match ip access-group ecn_0 set-color yellow
!
policy-map-input ecn_0_pmap
 service-queue 0 class-map ecn_0_cmap
Applying this policy-map (ecn_0_pmap) marks all packets with ECN == 0 as yellow on queue 0 (the default queue).

Classifying Incoming Packets Using ECN and Color-Marking
Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
You can use the ecn keyword with the ip access-list standard, ip access-list extended, seq, and permit commands for standard and extended IPv4 ACLs to match incoming packets with the specified ECN values. Similar to ‘dscp’ qualifier in the existing L3 ACL command, the ‘ecn’ qualifier can be used along with all other supported ACL match qualifiers such as SIP/DIP/TCP/UDP/SRC PORT/DST PORT/ ICMP. Until Release 9.3(0.
Sample configuration to mark non-ECN packets as yellow with a single traffic class
Consider the use case where packets with DSCP value 40 need to be enqueued in queue 2 and packets with DSCP value 50 need to be enqueued in queue 3, and all packets with ECN value 0 must be marked yellow. This requirement can be achieved using either of the two approaches.
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50_ecn
!
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50

Applying Layer 2 Match Criteria on a Layer 3 Interface
To process Layer 3 packets that contain a dot1p (IEEE 802.1p) VLAN Layer 2 header, configure VLAN tags on a Layer 3 port interface that is configured with an IP address but has no VLAN associated with it.
Dell(conf-class-map)#match ip dscp 5
3 Configure an IP VLAN ID as a match criterion.
CLASS-MAP mode
Dell(conf-class-map)#match ip vlan 5
4 Create a QoS input policy.
CONFIGURATION mode
Dell(conf)#qos-policy-input pp_qospolicy
5 Configure the DSCP value to be set on matched packets.
QOS-POLICY-IN mode
Dell(conf-qos-policy-in)#set ip-dscp 5
6 Create an input policy map.
CONFIGURATION mode
Dell(conf)#policy-map-input pp_policmap
7 Create a service queue to associate the class map and QoS policy map.
As part of this feature, the 2-bit ECN field of the IPv4 header can also be configured as a match qualifier, so the entire 8-bit ToS field of the IPv4 header can be used to classify traffic. Dell Networking OS Release 9.3(0.0) supports the following QoS actions in ingress policy-based QoS:
1 Rate policing
2 Queuing
3 Marking
For Layer 3 routed packets, DSCP marking is the only marking action supported in the software.
• set the packet color as ‘yellow’
• set the packet color as ‘yellow’ and set a new DSCP for the packet
This marking action to set the color of the packet is allowed only on the match-any logical operator of the class-map.
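The ToS-byte classification, color marking and WRED/ECN behaviour described in the preceding sections, carried out in software as an added example (not Dell Networking OS code, which performs this in hardware). It splits the 8-bit ToS byte into DSCP (6 bits) and ECN (2 bits), sends DSCP 40 to queue 2 and DSCP 50 to queue 3 as in the sample policy-map, colors packets with ECN == 0 yellow so that a tighter WRED profile applies to them, and then decides from the average queue length whether to forward, drop, or, for ECN-capable packets between the thresholds, set the CE codepoint instead of dropping. The two WRED profiles, the EWMA weight and the random-number hook are constructed for the example; the thresholds are not values from this chapter.

```python
"""DSCP/ECN classification, color marking and WRED with ECN marking."""
import random

ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0, 1, 2, 3
DSCP_TO_QUEUE = {40: 2, 50: 3}  # from the sample policy-map pmap_dscp_40_50


def split_tos(tos):
    """ToS byte -> (dscp, ecn)."""
    return (tos >> 2) & 0x3F, tos & 0x3


def join_tos(dscp, ecn):
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def classify(tos):
    """Return (queue, color) for a packet's ToS byte."""
    dscp, ecn = split_tos(tos)
    queue = DSCP_TO_QUEUE.get(dscp, 0)          # everything else: default queue 0
    color = "yellow" if ecn == ECN_NOT_ECT else "green"
    return queue, color


def ewma_queue_length(avg, sample, weight):
    """Average queue length WRED uses instead of the instantaneous length."""
    return avg + weight * (sample - avg)


class WredProfile:
    def __init__(self, min_th, max_th, max_p):
        if not 0 <= min_th < max_th or not 0 < max_p <= 1:
            raise ValueError("bad WRED profile")
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p

    def drop_probability(self, avg_len):
        """0 below min threshold, linear up to max_p at max threshold, 1 above."""
        if avg_len < self.min_th:
            return 0.0
        if avg_len >= self.max_th:
            return 1.0
        return self.max_p * (avg_len - self.min_th) / (self.max_th - self.min_th)


# Constructed profiles: yellow (non-ECN) traffic starts dropping earlier.
PROFILES = {"green": WredProfile(64, 128, 0.1), "yellow": WredProfile(32, 96, 0.2)}


def wred_ecn_action(tos, avg_len, profiles=PROFILES, rng=random.random):
    """Return (queue, action, tos_out); action is 'forward', 'mark' or 'drop'."""
    queue, color = classify(tos)
    prof = profiles[color]
    p = prof.drop_probability(avg_len)
    if p == 0.0 or rng() >= p:
        return queue, "forward", tos
    dscp, ecn = split_tos(tos)
    # ECN-capable transport between the thresholds: mark CE instead of dropping.
    # At or above the max threshold WRED drops regardless of ECN.
    if ecn in (ECN_ECT0, ECN_ECT1) and avg_len < prof.max_th:
        return queue, "mark", join_tos(dscp, ECN_CE)
    return queue, "drop", tos


if __name__ == "__main__":
    avg = 0.0
    for depth in (20, 60, 100, 140):            # constructed queue-depth samples
        avg = ewma_queue_length(avg, depth, 0.5)
        for tos in (join_tos(40, ECN_ECT0), join_tos(40, ECN_NOT_ECT), join_tos(50, ECN_ECT0)):
            print("avg=%5.1f dscp=%d ecn=%d -> %s" % ((avg,) + split_tos(tos) + (wred_ecn_action(tos, avg)[1],)))
```

The practical point of the yellow marking shows up in wred_ecn_action: a non-ECN packet and an ECN-capable packet with the same DSCP go to the same queue, but under congestion the first is dropped at a lower average depth while the second is marked and delivered.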
  seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
  match ip access-group dscp_40_non_ecn set-color yellow
  match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
  match ip access-group dscp_50_non_ecn set-color yellow
  match ip access-group dscp_50_ecn
!
policy-map-input pmap_dscp_40_50
  service-queue 2 class-map class_dscp_40
  service-queue 3 class-map class_dscp_50

Enabling Buffer Statistics Tracking

You can enable the tracking of statistical values of buffer spaces at a global
Unit 1 unit: 3 port: 13 (interface Fo 1/156)
---------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
---------------------------------------
MCAST     3    0

Unit 1 unit: 3 port: 17 (interface Fo 1/160)
---------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
---------------------------------------
MCAST     3    0

Unit 1 unit: 3 port: 21 (interface Fo 1/164)
---------------------------------------
Q# TYPE   Q#   TOTAL BUFFERED CELLS
---------------------------------------
MCAST     3    0

Unit 1 unit: 3 port: 25
MCAST     3    0
MCAST     4    0
MCAST     5    0
MCAST     6    0
MCAST     7    0
MCAST     8    0

766 Quality of Service (QoS)
47 Routing Information Protocol (RIP)

RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.

Topics:
• Protocol Overview
• Implementation Information
• Configuration Information
• RIP Configuration Example

Protocol Overview

RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Implementation Information

Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces, or both versions on the interfaces. The following table lists the defaults for RIP in Dell Networking OS.
Table 73.
Enabling RIP Globally

By default, RIP is not enabled in Dell Networking OS. To enable RIP globally, use the following commands.
1 Enter ROUTER RIP mode and enable the RIP process on Dell Networking OS.
CONFIGURATION mode
router rip
2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary
192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
192.162.3.0/24 auto-summary

To disable RIP globally, use the no router rip command in CONFIGURATION mode.

Configure RIP on Interfaces

When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Examples of the RIP Process To see whether the version command is configured, use the show config command in ROUTER RIP mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface (GigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2 (shown in bold). To view the routing protocols configuration, use the show ip protocols command in EXEC mode.
Generating a Default Route

Traffic is forwarded to the default route when the traffic’s destination network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. To generate a default route into RIP, use the default-information originate command in ROUTER RIP mode. In Dell Networking OS, default routes received in RIP updates from other routers are advertised if you configure the default-information originate command.
• Specify the generation of a default route in RIP.
• weight: the range is from 1 to 255. The default is 120.
• ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x).
• access-list-name: the name of a configured IP ACL.
Apply an additional number to the incoming or outgoing route metrics.
Figure 113. Example of a RIP Topology

RIP Configuration on Core2

The following example shows how to configure RIPv2 on a host named Core2.

Example of Configuring RIPv2 on Core 2
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
10.0.0.0/8 auto-summary
192.168.1.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31
192.168.1.0/24 auto-summary
192.168.2.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31
192.168.2.0/24 auto-summary
Core2#

The following example shows the show ip route command output for the RIP setup on Core 2.
RIP Configuration on Core3

The following example shows how to configure RIPv2 on a host named Core3.

Example of Configuring RIPv2 on Core3
Core3(conf-if-te-3/21)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.0
Core3(conf-router_rip)#network 10.11.30.0
Core3(conf-router_rip)#network 10.11.20.0
Core3(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.2.
Destination         Gateway                   Dist/Metric   Last Change
-----------         -------                   -----------   -----------
R   10.11.10.0/24   via 10.11.20.2, Te 3/21   120/1         00:01:14
C   10.11.20.0/24   Direct, Te 3/21           0/0           00:01:53
C   10.11.30.0/24   Direct, Te 3/11           0/0           00:06:00
R   10.200.10.0/24  via 10.11.20.2, Te 3/21   120/1         00:01:14
R   10.300.10.0/24  via 10.11.20.2, Te 3/21   120/1         00:01:14
C   192.168.1.0/24  Direct, Te 3/43           0/0           00:06:53
C   192.168.2.
 network 10.200.10.0
 network 10.300.10.0
 network 10.11.10.0
 network 10.11.20.0

The following example shows viewing the RIP configuration on Core 3.
!
interface TenGigabitEthernet 3/11
 ip address 10.11.30.1/24
 no shutdown
!
interface TenGigabitEthernet 3/21
 ip address 10.11.20.1/24
 no shutdown
!
interface TenGigabitEthernet 3/43
 ip address 192.168.1.1/24
 no shutdown
!
interface TenGigabitEthernet 3/44
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
48 Remote Monitoring (RMON)

RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the rmon Alarm

To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode.
• Set an alarm on any MIB object.
CONFIGURATION mode
[no] rmon event number [log] [trap community] [description string] [owner string]
• number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
• log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or log-and-trap. Default is no log.
[no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds]
• controlEntry: specifies the RMON group of statistics using a value.
• integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table.
• owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
49 Rapid Spanning Tree Protocol (RSTP)

Rapid spanning tree protocol (RSTP) is supported on Dell Networking OS.

Protocol Overview

RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 74.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, so avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs.

RSTP and VLT

Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures.
Figure 114. Example of Configuring Interfaces for Layer 2 Mode
1 If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2 Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3 Enable the interface.
INTERFACE mode
no shutdown

Example of Verifying that an Interface is in Layer 2 Mode and Enabled

To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
 switchport
 no shutdown
Dell(conf-if-gi-1/1)#

Enabling Rapid Spanning Tree Protocol Globally

Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
• Only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
Figure 115. Rapid Spanning Tree Enabled Globally

To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.379, designated path cost 0
Number of transitions to forwarding state 1
BPDU : sent 121, received 5
The port is not in the Edge port mode
Port 380 (TenGigabitEthernet 2/4) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.380
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
NOTE: Dell Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively affect network performance. The following table displays the default values for RSTP. Table 75.
Modifying Interface Parameters

On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
• Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
• Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
To enable EdgePort on an interface, use the following command.
• Enable EdgePort on an interface.
snmp-server enable traps xstp

792 Rapid Spanning Tree Protocol (RSTP)
50 Software-Defined Networking (SDN)

The Dell Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
51 Security

This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Line Reference Guide.
Enabling AAA Accounting

The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command.
• Enable AAA accounting and create a record for monitoring the accounting function.
CONFIGURATION mode
aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+}
The variables are:
• system: sends accounting information of any other AAA configuration.
Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
NOTE: If a console user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server if the privilege level is configured for that user in RADIUS, whether or not you configure RADIUS authorization.

Configuration Task List for AAA Authentication

The following sections provide the configuration tasks.
3 Assign a method-list-name or the default list to the terminal line.
LINE mode
login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config command in EXEC Privilege mode.
NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
You can create multiple method lists and assign them to different terminal lines.
To use local authentication for enable secret or enable sha256-password on the console, while using remote authentication on VTY lines, issue the following commands. The following example shows enabling local authentication for console and remote authentication for the VTY lines.
Example:
Dell(config)#radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?
Dell(config)#no radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?

Obscuring Passwords and Keys

By default, the service password-encryption command stores encrypted passwords.
Privilege levels 2 through 14 are not configured and you can customize them for different users and access. After you configure other privilege levels, enter those levels by adding the level parameter after the enable command or by configuring a user name or password that corresponds to the privilege level. For more information about configuring user names, refer to Configuring a Username and Password. By default, commands in Dell Networking OS are assigned to different privilege levels.
Configuring the Enable Password Command

To configure Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell Networking OS requests that you enter a password. Privilege levels are not assigned to passwords; rather, passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
CONFIGURATION mode
enable password [level level] [encryption-type] password
Configure the optional and required parameters:
• level level: specify a level from 0 to 15. Level 15 includes all levels.
• encryption-type: enter 0 for plain text or 7 for encrypted text.
• password: enter a string up to 25 characters long.
To change only the password for the enable command, configure only the password parameter.
3 Configure level and commands for a mode or reset a command’s level.
Connected to 172.31.1.53. Escape character is '^]'.
EXEC Privilege mode
disable level-number
• level-number: the level number you wish to set. If you enter disable without a level-number, your security level is 1.

RADIUS

Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system).
• The administrator changes the idle-time of the line on which the user has logged in. • The idle-time is lower than the RADIUS-returned idle-time. ACL Configuration Information The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this.
To view the configuration, use the show config in LINE mode or the show running-config command in EXEC Privilege mode. Defining a AAA Method List to be Used for RADIUS To configure RADIUS to authenticate or authorize users on the system, create a AAA method list. Default method lists do not need to be explicitly applied to the line, so they are not mandatory. To create a method list, use the following commands.
• auth-port port-number: the range is from 0 to 65535. Enter a UDP port number. The default is 1812.
• retransmit retries: the range is from 0 to 100. The default is 3.
• timeout seconds: the range is from 0 to 1000. The default is 5 seconds.
• key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
Monitoring RADIUS

To view information on RADIUS transactions, use the following command.
• View RADIUS transactions to troubleshoot problems.
EXEC Privilege mode
debug radius

Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication

Dell Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication. RADIUS is used to authenticate Telnet, SSH, console, REST, and OMI access to the switch based on the AAA configuration.
TACACS+

Dell Networking OS supports a terminal access controller access control system (TACACS+) client, including support for login authentication.

Configuration Task List for TACACS+

The following list includes the configuration tasks for TACACS+ functions.
• Choosing TACACS+ as the Authentication Method
• Monitoring TACACS+
• TACACS+ Remote Authentication
For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell Networking OS Command Line Reference Guide.
First bold line: Server key purposely changed to incorrect value. Second bold line: User authenticated using the secondary method.
Dell(conf-std-nacl)#deny any
Dell(conf)#
Dell(conf)#aaa authentication login tacacsmethod tacacs+
Dell(conf)#aaa authentication exec tacacsauthorization tacacs+
Dell(conf)#tacacs-server host 25.1.1.
• Configure the Dell Networking system as an SSH server that uses only version 1 or 2.
CONFIGURATION mode
ip ssh server version {1|2}
• Display SSH connection information.
EXEC Privilege mode
show ip ssh

Specifying an SSH Version

The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
Dell(conf)#ip ssh server version 2
Dell(conf)#do show ip ssh
SSH server : disabled.
SSH server version : v2.
• ip ssh pub-key-file: specify the file the host-based authentication uses.
• ip ssh rhostsfile: specify the rhost file the host-based authorization uses.
• ip ssh rsa-authentication enable: enable RSA authentication for the SSHv2 server.
• ip ssh rsa-authentication: add keys for the RSA authentication.
• show crypto: display the public part of the SSH host-keys.
• show ip ssh client-pub-keys: display the client public keys used in host-based authentication.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.

Using RSA Authentication of SSH

The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2.
1 On the SSH client (Unix machine), generate an RSA key, as shown in the following example.
2 Copy the public key id_rsa.pub to the Dell Networking system.
3 Disable password authentication if enabled.
ip ssh hostbased-authentication enable
7 Bind shosts and rhosts to host-based authentication.
CONFIGURATION mode
ip ssh pub-key-file flash://filename
or
ip ssh rhostsfile flash://filename

Examples of Creating shosts and rhosts

The following example shows creating shosts.
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli        sshd_config        ssh_host_dsa_key.pub   ssh_host_key.pub   ssh_host_rsa_key.pub
ssh_config    ssh_host_dsa_key   ssh_host_key           ssh_host_rsa_key
admin@Unix_client# cat ssh_host_rsa_key.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server. The following HMAC algorithms are available:
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
The default HMAC algorithms are the following:
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256,hmac-sha1,hmac-sha1-96.
Example of Configuring an HMAC Algorithm

The following example shows you how to configure an HMAC algorithm list.
Dell(conf)# ip ssh mac hmac-sha1-96

Configuring the SSH Server Cipher List

To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode.
cipher-list: Enter a space-delimited list of ciphers the SSH server will support. The following ciphers are available.
The following example shows you how to configure a cipher list.
Dell(conf)#ip ssh cipher aes128-ctr aes128-cbc 3des-cbc

Troubleshooting SSH

To troubleshoot SSH, use the following information.
You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays: %Error: No username set for this term.
Enable host-based authentication on the server (Dell Networking system) and the client (Unix machine).
1 Create a username.
2 Enter a password.
3 Assign an access class.
4 Enter a privilege level.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization. Configure local authentication globally and configure access classes on a per-user basis. Dell Networking OS can assign different access classes to different users by username.
VTY MAC-SA Filter Support Dell Networking OS supports MAC access lists which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address. To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
Configuring Challenge Response Authentication for SSHv2

To configure challenge response authentication for SSHv2, perform the following steps:
1 Enable challenge response authentication for SSHv2.
CONFIGURATION mode
ip ssh challenge-response-authentication enable
2 View the configuration.
EXEC mode
show ip ssh
Dell# show ip ssh
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
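The cipher and HMAC lists described above (ip ssh server cipher, ip ssh mac, and the show ip ssh output) are the settings a hardening review looks at first. The following Python script is an added example, not code from the Dell guide: it parses show ip ssh style text, flags the algorithms a conservative baseline would remove (CBC-mode and 3DES ciphers, MD5-based and 96-bit truncated HMACs) and reports whether SSHv1 is still enabled. The sample output, the "SSH server macs" line and the weak/acceptable classification are assumptions made for illustration; the algorithm names and commands come from the guide's own lists.

```python
"""Audit the SSH cipher and HMAC lists a switch reports (added example)."""
import re

# Constructed sample modelled on the 'show ip ssh' output in this guide.
# The 'SSH server macs' line is an assumed format, not copied from the guide.
SAMPLE_SHOW_IP_SSH = """\
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
"""

# Assumed hardening baseline: CBC modes and 3DES are flagged among ciphers,
# MD5-based and 96-bit truncated MACs among HMACs. Full-length hmac-sha1 is
# kept because the guide retains it even in FIPS mode.
WEAK_CIPHER_RE = re.compile(r"^3des-|-cbc$")
WEAK_MAC_RE = re.compile(r"md5|-96$")

# 'Name : value.' lines as the switch prints them (trailing period optional).
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\.?\s*$")


def parse_show_ip_ssh(text):
    """Turn 'Name : value.' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def split_algos(value):
    """Split the comma-separated algorithm list the switch prints."""
    return [a.strip() for a in value.split(",") if a.strip()]


def audit(text):
    """Return weak and acceptable algorithms plus an SSHv1 flag."""
    fields = parse_show_ip_ssh(text)
    ciphers = split_algos(fields.get("ssh server ciphers", ""))
    macs = split_algos(fields.get("ssh server macs", ""))
    version = fields.get("ssh server version", "")
    weak_ciphers = [c for c in ciphers if WEAK_CIPHER_RE.search(c)]
    weak_macs = [m for m in macs if WEAK_MAC_RE.search(m)]
    return {
        "sshv1_enabled": "v1" in re.split(r"\W+", version),
        "weak_ciphers": weak_ciphers,
        "weak_macs": weak_macs,
        "hardened_ciphers": [c for c in ciphers if c not in weak_ciphers],
        "hardened_macs": [m for m in macs if m not in weak_macs],
    }


def hardening_commands(report):
    """Render the kept lists in the space-delimited form the guide's commands take."""
    cmds = []
    if report["sshv1_enabled"]:
        cmds.append("ip ssh server version 2")
    cmds.append("ip ssh server cipher " + " ".join(report["hardened_ciphers"]))
    cmds.append("ip ssh mac " + " ".join(report["hardened_macs"]))
    return cmds


if __name__ == "__main__":
    report = audit(SAMPLE_SHOW_IP_SSH)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("\n".join(hardening_commands(report)))
```

Feed it the captured output of show ip ssh from a device; the rendered commands are a starting point to review against the FIPS defaults the guide lists, not a list to apply unread.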
You can configure the Dell Networking OS to suppress the following ICMPv4 and ICMPv6 message types:
Table 77.
NOTE: The Dell Networking OS does not suppress the following ICMPv6 message types:
• Packet too big (2)
• Echo request (128)
• Multicast listener query (130)
• Multicast listener report (131)
• Multicast listener done (132)
• Router solicitation (133)
• Router advertisement (134)
• Neighbor solicitation (135)
• Neighbor advertisement (136)
• Redirect (137)
• Router renumbering (138)
• MLD v2 listener report (143)
• Duplicate Address Request (157)
• Duplicate Address Confirmation (
52 Service Provider Bridging

Service provider bridging is supported on Dell Networking OS.

VLAN Stacking

VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which are an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 116. VLAN Stacking in a Service Provider Network

Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
3 Enable VLAN-Stacking for a VLAN.
Related Configuration Tasks
• Configuring the Protocol Type Value for the Outer VLAN Tag
• Dell Networking OS Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks

Creating Access and Trunk Ports

To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
Enable VLAN-Stacking for a VLAN

To enable VLAN-Stacking for a VLAN, use the following command.
• Enable VLAN-Stacking for the VLAN.
INTERFACE VLAN mode
vlan-stack compatible

Example of Viewing VLAN Stack Member Status

To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
[tagged | untagged]
In the following example, TenGigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, to VLAN 101 as tagged, and to VLAN 103, which is a stacking VLAN.
VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
Figure 117.
Figure 118.
Figure 119. Single and Double-Tag TPID Mismatch

The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network.
Table 79. Behaviors for Mismatched TPID
Network Position   Incoming Packet TPID   System TPID   Match Type
9.1(1.
Network Position   Incoming Packet TPID   System TPID   Match Type
Egress Access Point
9.1(1.
Precedence   Description
Yellow       Lower-priority packets that are treated as best-effort.
Red          Lowest-priority packets that are always dropped (regardless of congestion status).
• Honor the incoming DEI value by mapping it to a Dell Networking OS drop precedence.
INTERFACE mode
dei honor {0 | 1} {green | red | yellow}
You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
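The TPID match described under VLAN Stacking in Multi-Vendor Networks and the DEI mapping just described both act on the outer (S-Tag) header of a double-tagged frame. As an added example that is not code from the Dell guide, the following Python script builds a constructed double-tagged frame and reads it the way a receiving system would: the outer tag is recognised only when its TPID equals the system TPID, the inner tag is read only at 0x8100 as 802.1Q requires, and the S-Tag DEI bit is mapped to a drop precedence with the semantics of dei honor {0 | 1} {green | red | yellow}, unmapped values coloured green. The 0x88A8 default used for the system TPID, the set of alternative TPIDs and the frame contents are assumptions chosen for illustration; the guide does not state the system's default TPID on this page.

```python
"""Inspect the S-Tag of a double-tagged (Q-in-Q) frame (added example)."""
import struct

TPID_8021Q = 0x8100   # inner C-Tag TPID that 802.1Q requires
TPID_8021AD = 0x88A8  # standard 802.1ad S-Tag TPID; assumed system TPID below
# Other outer-tag TPIDs seen in vendor networks; used only to name a mismatch.
OTHER_OUTER_TPIDS = {0x88A8, 0x9100, 0x9200}


def build_double_tagged_frame(outer_tpid, s_vid, dei, s_pcp, c_vid, c_pcp):
    """Construct a double-tagged Ethernet frame (sample data, not a capture)."""
    dst = bytes.fromhex("020000000002")  # constructed, locally administered
    src = bytes.fromhex("020000000001")
    outer_tci = (s_pcp << 13) | (dei << 12) | (s_vid & 0x0FFF)
    inner_tci = (c_pcp << 13) | (c_vid & 0x0FFF)
    return (dst + src
            + struct.pack("!HH", outer_tpid, outer_tci)
            + struct.pack("!HH", TPID_8021Q, inner_tci)
            + struct.pack("!H", 0x0800)   # IPv4 EtherType
            + b"\x00" * 46)               # dummy payload


def parse_tci(tci):
    """Split a 16-bit tag control field into PCP, DEI and VID."""
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def classify_frame(frame, system_tpid=TPID_8021AD, dei_honor=None):
    """Read the frame as a system whose outer TPID is system_tpid would.

    dei_honor maps a DEI bit (0 or 1) to a drop precedence, mirroring
    'dei honor {0 | 1} {green | red | yellow}'; an unmapped DEI value is
    coloured green, as the guide states.
    """
    dei_honor = dei_honor or {}
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    result = {"outer_tpid": ethertype, "tpid_match": False,
              "s_tag": None, "c_tag": None, "drop_precedence": None}
    if ethertype == system_tpid:
        # Outer tag recognised: this is the match the next hop requires.
        result["tpid_match"] = True
        result["s_tag"] = parse_tci(struct.unpack_from("!H", frame, 14)[0])
        if struct.unpack_from("!H", frame, 16)[0] == TPID_8021Q:
            result["c_tag"] = parse_tci(struct.unpack_from("!H", frame, 18)[0])
        result["drop_precedence"] = dei_honor.get(result["s_tag"]["dei"], "green")
        result["verdict"] = "double-tagged, outer TPID matches the system TPID"
    elif ethertype == TPID_8021Q:
        # Only the 802.1Q tag is recognised; the frame looks single-tagged.
        result["c_tag"] = parse_tci(struct.unpack_from("!H", frame, 14)[0])
        result["verdict"] = "single-tagged from this system's point of view"
    elif ethertype in OTHER_OUTER_TPIDS:
        result["verdict"] = ("outer TPID mismatch: 0x%04x is not the system "
                             "TPID 0x%04x, so the tag is not recognised"
                             % (ethertype, system_tpid))
    else:
        result["verdict"] = "untagged"
    return result


if __name__ == "__main__":
    frame = build_double_tagged_frame(TPID_8021AD, 100, 1, 3, 200, 5)
    print(classify_frame(frame, TPID_8021AD, {1: "yellow"}))
    print(classify_frame(frame, 0x9100)["verdict"])
```

Running the script against the same frame with two different system TPIDs shows the asymmetry the page warns about: the frame that is a valid Q-in-Q frame for a 0x88A8 system is an unrecognised tag for a 0x9100 system, and the DEI mapping only ever applies once the outer tag has been recognised.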
Figure 120. Statically and Dynamically Assigned dot1p for VLAN Stacking

When configuring Dynamic Mode CoS, you have two options:
• Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking.
• Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
!
qos-policy-input 3 layer2
 rate-police 30
!
interface TenGigabitEthernet 1/21
 no ip address
 switchport
 vlan-stack access
 vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7
 service-policy input in layer2
 no shutdown

Mapping C-Tag to S-Tag dot1p Values

To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands.
1 Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 121. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 122. VLAN Stacking with L2PT

Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.

Enabling Layer 2 Protocol Tunneling

To enable Layer 2 protocol tunneling, use the following command.
1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp

Specifying a Destination MAC Address for BPDUs

By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling

To debug Layer 2 protocol tunneling, use the following command.
• Display debugging information for L2PT.
EXEC Privilege mode
debug protocol-tunnel

Provider Backbone Bridging

IEEE 802.1ad — Provider Bridges amends 802.1Q — Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
53 sFlow

The Dell Networking Operating System (OS) supports sFlow version 5.
Figure 123. sFlow Traffic Monitoring System

Implementation Information

Dell Networking sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based on all the ports in that port-pipe. If you do not enable sFlow on any port specifically, the global sampling rate is downloaded to that port and is used to calculate the port-pipe’s lowest sampling rate. This design supports the possibility that sFlow might be configured on that port in the future.
• Only Destination and Destination Peer AS number are packed in the dst-as-path field in the extended gateway element.
• If the packet being sampled is redirected using policy-based routing (PBR), the sFlow datagram may contain incorrect extended gateway/router information.
• The source virtual local area network (VLAN) field in the extended switch element is not packed in the case of a routed packet.
• The destination VLAN field in the extended switch element is not packed in a multicast packet.
Global default counter polling interval: 86400
Global default extended maximum header size: 256 bytes
Global extended information enabled: none
1 collectors configured
Collector IP addr: 100.1.1.12, Agent IP addr: 100.1.1.
Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.116, UDP port: 6343
77 UDP packets exported
0 UDP packets dropped
165 sFlow samples collected
69 sFlow samples dropped due to sub-sampling

Displaying Show sFlow on an Interface

To view sFlow information on a specific interface, use the following command.
• Display sFlow configuration information and statistics on a specific interface.
Configuring Specify Collectors

The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.

Changing the Polling Intervals

The sflow polling-interval command configures the polling interval for an interface as the maximum number of seconds between successive samples of counters sent to the collector.
54 Simple Network Management Protocol (SNMP)

NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.

Implementation Information

The following describes SNMP implementation information.
• Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571.
• Dell Networking OS supports up to 16 trap receivers.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, password and privacy privileges. You can configure a maximum of 16 users even if they are in different groups.
snmp-server view view-name oid-tree {included | excluded}
NOTE: To give a user read and write view privileges, repeat this step for each privilege type.
• Configure the user with an authorization password (password privileges only).
CONFIGURATION mode
snmp-server user name group-name 3 noauth auth md5 auth-password
• Configure an SNMP group (password privileges only).
CONFIGURATION mode
snmp-server group groupname {oid-tree} auth read name write name
• Configure an SNMPv3 view.
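The auth-password given in the snmp-server user ... auth md5 step above is not stored or compared as typed. RFC 3414 (the SNMPv3 User-based Security Model) first hashes 1 MiB of the repeated password into Ku and then localizes it with the agent's snmpEngineID, so the same password yields a different key on every device and a manager must learn each agent's engine ID before it can authenticate. The following is an added example of that derivation, not Dell code; it is checked against the RFC 3414 Appendix A.3.1 test vector (password "maplesyrup", 12-octet engine ID ending in 02).

```python
"""Added example: SNMPv3 USM key derivation and localization (RFC 3414 A.2).

Not Dell code. Shows how the auth password configured on the device becomes
the key the agent actually checks, and why that key is per-engine-ID.
"""
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku: hash exactly 1,048,576 bytes of the password repeated end to end."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key stored on, and valid only for, that engine."""
    if not engine_id:
        raise ValueError("engine ID required for localization")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Convenience wrapper: password string -> localized key for one agent."""
    return localize_key(password_to_key(password.encode(), algorithm), engine_id, algorithm)


# RFC 3414 Appendix A.3.1 test vector inputs (public test data, not device values).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes(11) + b"\x02"

if __name__ == "__main__":
    print(password_to_key(RFC_PASSWORD.encode()).hex())            # 9faf3283884e92834ebc9847d8edd963
    print(localized_auth_key(RFC_PASSWORD, RFC_ENGINE_ID).hex())   # 526f5eed9fcce26f8964c2930787d82b
```

The algorithm name is passed straight to hashlib, so the same code derives keys for the SHA-based variants; md5 is the default here only because it is the option shown in the page's command.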
Examples of Reading the Value of Managed Objects

In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays.
> snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16
> snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0
The following example shows reading the value of the next managed object.
> snmpgetnext -v 2c -c mycommunity 10.11.131.
snmp-server location text
You may use up to 55 characters.
• The default is None.
(From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
CONFIGURATION mode
snmpset -v version -c community agent-ip sysContact.0 s “contact-info”
You may use up to 55 characters.
• The default is None.
Enable all of the RFC-defined traps using the snmp-server enable traps snmp command from CONFIGURATION mode.
3 Specify the interfaces out of which Dell Networking OS sends SNMP traps.
CONFIGURATION mode
snmp-server trap-source

Example of RFC-Defined SNMP Traps and Related Enable Commands

The following example lists the RFC-defined SNMP traps and the command used to enable each. The coldStart and warmStart traps are enabled using a single command.
snmp authentication string.
envmon temperature
MINOR_TEMP: Minor alarm: chassis temperature
MINOR_TEMP_CLR: Minor alarm cleared: chassis temperature normal (%s %d temperature is within threshold of %dC)
MAJOR_TEMP: Major alarm: chassis temperature high (%s temperature reaches or exceeds threshold of %dC)
MAJOR_TEMP_CLR: Major alarm cleared: chassis temperature lower (%s %d temperature is within threshold of %dC)
envmon fan
FAN_TRAY_BAD: Major alarm: fantray %d is missing or down
FAN_TRAY_OK: Major alarm cleared: fan tray %d present
FA
Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to send an SNMP trap if an audit processing failure occurs due to loss of connectivity with the syslog server. If a connectivity failure occurs on a syslog server that is configured for reliable transmission, an SNMP trap is sent and a message is displayed on the console.
Copy Configuration Files Using SNMP

To do the following, use SNMP from a remote client.
• copy the running-config file to the startup-config file
• copy configuration files from the Dell Networking system to a server
• copy configuration files from a server to the Dell Networking system
You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object  OID  Object Values  Description
copyDestFileLocation  .1.3.6.1.4.1.6027.3.5.1.1.1.1.6  1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp  Specifies the location of destination file. If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copyDestFileName  .1.3.6.1.4.1.6027.3.5.1.1.1.1.7  Path (if the file is not in the default directory) and filename.  Specifies the name of destination file.
copyServerAddress  .1.3.6.1.4.1.6027.3.5.1.1.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index i object-value.
To view more information, use the following options in the snmpset command.
• -c: View the community, either public or private.
• -m: View the MIB files for the SNMP command.
• -r: Number of retries.
• -t: View the timeout.
• -v: View the SNMP version (either 1, 2, 2d, or 3).
The following examples show the snmpset command to copy a configuration.
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2)
The following example shows how to copy configuration files from a UNIX machine using OID.
>snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.
Copy a Binary File to the Startup-Configuration

To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command.
• Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3 copyServerAddress.
MIB Object  OID  Values  Description
copy. The state is set to active when the copy is completed.

Obtaining a Value for MIB Objects

To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mibobject.index]
index: the index value used in the snmpset command used to complete the copy operation.
NOTE: You can use the entire OID rather than the object name.
Viewing the Available Flash Memory Size

• To view the available flash memory using SNMP, use the following command.
snmpget -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.9.1.6.1
enterprises.6027.3.10.1.2.9.1.5.1 = Gauge32: 24
The output above displays that 24% of the flash memory is used.

MIB Support to Display the Software Core Files Generated by the System

Dell Networking provides MIB objects to display the software core files generated by the system.
enterprises.6027.3.10.1.2.10.1.2.1.3 = "/CORE_DUMP_DIR/FTP_STK_MEMBER/f10cp_vrrp_140522124357_Stk1.acore.gz"
enterprises.6027.3.10.1.2.10.1.2.2.1 = "/CORE_DUMP_DIR/FTP_STK_MEMBER/f10cp_sysd_140617134445_Stk0.acore.gz"
enterprises.6027.3.10.1.2.10.1.3.1.1 = "Fri Mar 14 11:51:46 2014"
enterprises.6027.3.10.1.2.10.1.3.1.2 = "Fri Nov 8 08:11:16 2013"
enterprises.6027.3.10.1.2.10.1.3.1.3 = "Fri May 23 05:05:16 2014"
enterprises.6027.3.10.1.2.10.1.3.2.1 = "Tue Jun 17 14:19:26 2014"
enterprises.6027.3.10.1.2.10.
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4 = INTEGER: 76200
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 = INTEGER: 40932
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.2 = INTEGER: 3922316
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.3 = INTEGER: 138868
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.4 = INTEGER: 4109908
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.1 = STRING: "/tmp"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.2 = STRING: "/usr/pkg"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.3 = STRING: "/f10/ConfD/db"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.
MIB Support to Display Egress Queue Statistics

Dell Networking OS provides MIB objects to display ECMP group count information. The following table lists the related MIB objects:
Table 88. MIB Objects to display ECMP Group Count
MIB Object  OID  Description
dellNetInetCidrECMPGrpMax  1.3.6.1.4.1.6027.3.9.1.6  Total CAM for ECMP group.
dellNetInetCidrECMPGrpUsed  1.3.6.1.4.1.6027.3.9.1.7  Used CAM for ECMP group.
dellNetInetCidrECMPGrpAvl  1.3.6.1.4.1.6027.3.9.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.0.24.0.0.0.0 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.20.1.1.0.24.0.0.0.0 = ""
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.100.100.100.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.0.24.0.0.0.0 = Gauge32: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.
MIB Object  OID  Description
entAliasMappingIdentifier  1.3.6.1.2.1.47.1.3.2.1.2  Identifies a particular conceptual row associated with the indicated entPhysicalIndex and entLogicalIndex pair.

Viewing the entAliasMappingTable MIB

• To view the entAliasMappingTable generated by the system, use the following command.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.2.1.47.1.3.2.1
.1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157
.1.3.6.1.2.1.47.1.3.2.1.2.9.0 = OID: .1.3.6.1.2.1.2.2.1.1.
MIB Object  OID  Description
dot3adAggAggregateOrIndividual  1.2.840.10006.300.43.1.1.1.1.4  Contains a read-only boolean value (True or False) indicating whether the Aggregator represents an Aggregate or an Individual link.
dot3adAggActorAdminKey  1.2.840.10006.300.43.1.1.1.1.5  Contains a 16-bit read-write value which is the current administrative key.
dot3adAggActorOperKey  1.2.840.10006.300.43.1.1.1.1.6  Contains a 16-bit read-write value which is the operational key.
dot3adAggPartnerSystemID  1.2.
Manage VLANs using SNMP

The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.

Creating a VLAN

To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object.
Example of Creating a VLAN using SNMP
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown. The following example shows viewing VLAN ports using SNMP with no ports assigned.
> snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
NOTE: Whether adding a tagged or untagged port, specify values for both dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts.
Example of Adding an Untagged Port to a VLAN using SNMP
In the following example, Port 0/2 is added as an untagged member of VLAN 10.
>snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.
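The values written to dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts are PortList octet strings as defined in RFC 2674: octet i covers bridge ports 8i+1 through 8i+8 and the most significant bit of each octet is the lowest-numbered port, so a set command that gets the bit position wrong silently adds a different port to the VLAN. The helper below is an added example, not Dell code; it encodes and decodes PortList values and builds the pair of varbinds the NOTE above requires. The OID for dot1qVlanStaticUntaggedPorts (.1.3.6.1.2.1.17.7.1.4.3.1.4) and the bridge port numbers used in the test are assumptions taken from the standard MIB, not from the page.

```python
"""Added example: build and read Q-BRIDGE-MIB PortList values (RFC 2674).

Not Dell code. The VLAN instance and bridge port numbers are constructed for
illustration; dot1qVlanStaticUntaggedPorts' OID comes from the standard MIB.
"""

EGRESS_PORTS_OID = ".1.3.6.1.2.1.17.7.1.4.3.1.2"     # dot1qVlanStaticEgressPorts (as on the page)
UNTAGGED_PORTS_OID = ".1.3.6.1.2.1.17.7.1.4.3.1.4"   # dot1qVlanStaticUntaggedPorts (standard MIB)


def encode_portlist(ports, num_octets=None):
    """Set the bit for each bridge port number; MSB of octet i is port 8i+1."""
    ports = sorted(set(ports))
    if ports and ports[0] < 1:
        raise ValueError("bridge port numbers start at 1")
    if num_octets is None:
        num_octets = (ports[-1] + 7) // 8 if ports else 0
    buf = bytearray(num_octets)
    for p in ports:
        if p > 8 * num_octets:
            raise ValueError(f"port {p} does not fit in {num_octets} octets")
        buf[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(buf)


def decode_portlist(octets):
    """Return the bridge port numbers whose bits are set, in ascending order."""
    return [8 * i + bit + 1
            for i, octet in enumerate(octets)
            for bit in range(8) if octet & (0x80 >> bit)]


def add_port(current, port):
    """Return a PortList with one more port set, widening the string if needed."""
    return encode_portlist(decode_portlist(current) + [port],
                           max(len(current), (port + 7) // 8))


def portlist_hex(octets):
    """Format for snmpset's 'x' (hex string) value type, e.g. '40 00'."""
    return " ".join(f"{b:02x}" for b in octets)


def vlan_membership_varbinds(instance, egress, untagged):
    """Return (OID, type, value) triples for both objects; an untagged port must also be an egress port."""
    if not set(untagged) <= set(egress):
        raise ValueError("every untagged port must also be in the egress PortList")
    width = max((max(egress, default=0) + 7) // 8, 1)   # same width for both objects
    return [
        (f"{EGRESS_PORTS_OID}.{instance}", "x", portlist_hex(encode_portlist(egress, width))),
        (f"{UNTAGGED_PORTS_OID}.{instance}", "x", portlist_hex(encode_portlist(untagged, width))),
    ]


if __name__ == "__main__":
    for oid, typ, val in vlan_membership_varbinds(10, [2, 10], [2]):
        print(oid, typ, val)
```

Read the current value with snmpget first and extend it with add_port; writing a freshly encoded PortList that omits existing members removes them from the VLAN.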
To set the time to wait until the BGP sessions are up, set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6.

Enabling and Disabling a Port using SNMP

To enable and disable a port using SNMP, use the following commands.
1 Create an SNMP community on the Dell system.
CONFIGURATION mode
snmp-server community
2 From the Dell Networking system, identify the interface index of the port for which you want to change the admin status.
The value of dot1dTpFdbPort is the port number of the port on which the system learned the MAC address. In this case, for TenGigabitEthernet 1/21, the manager returns the integer 118.
To display the interface number, use the following command.
• Display the interface index number.
EXEC Privilege mode
show interface
Example of Deriving the Interface Index Number
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 92. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object  OID  Description  MIB
chSysSwInPartitionAImgVers  1.3.6.1.4.1.
dot3aCurAggMacAddr
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
dot3aCurAggIndex
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggStatus
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1 << Status active, 2 – status inactive
Example of Viewing Changed Interface State for Monitored Ports
Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5.2106373 = STRING: "AFBR-79E4Z-D-FT1"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6.2106373 = STRING: "750382760048"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7.2106373 = STRING: "0.0"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8.2106373 = STRING: "-2.273117"
Table 93. SNMP OIDs for Transceiver Monitoring
Field (OID)  Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.1  Device Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.2  Port
SNMPv2-SMI::enterprises.
55 Stacking

Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput. Stacking is supported on the 10 GbE data ports of the Ethernet module. Stacking is not supported on Fibre Channel/Ethernet Universal Port Modules. You can connect up to six S5000 switches in a single stack using port cables; no special cabling is required.
Figure 124. Four Stacked S5000 Switches

Stack Management Roles

The stack elects the management units for the stack management.
• Stack master — primary management unit, also called the master unit.
• Standby — secondary management unit.
The master holds the control plane and the other units maintain a local copy of the forwarding databases. From the stack master you can configure:
• System-level features that apply to all stack members.
• Interface-level features for each stack member.
Stack Master Election

By default, the stack determines a master and standby unit at bootup time by electing the units with the highest MAC addresses. You can preconfigure the units which are elected master and standby by assigning higher priorities to these units. (By default, all stack units have priority 0. Valid priority values are from 0 to 14. A higher value means a higher priority.
Use the following command to configure a virtual IP:
Dell(conf)#virtual-ip {ip-address | ipv6–address | dhcp}

Failover Roles

If the stack master fails (for example, is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The distributed forwarding tables are retained during the failover, as is the stack MAC address.
Stack-unit State: Active
Stack-unit SW Version: 9.1(1.0)
Link to Peer: Up
-- PEER Stack-unit Status ---------------------------------------
Stack-unit State: Standby
Peer stack-unit ID: 2
Stack-unit SW Version: 9.1(1.
terminal  Set terminal line parameters
upload  Upload file
Dell(standby)#
-----------------CONSOLE ACCESS ON A MEMBER---------------------------
Dell(stack-member-1)#?
reset-self  Reset this unit alone
show  Show running system information
You can connect two units with two or more stacking cables in case of a stacking port or cable failure. Removal of only one of the cables does not trigger a reset.

Stacking Installation Tasks

The following are the stacking installation tasks.
When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the Dell Networking OS version. If the stack is running Dell Networking OS version 8.3.12.0 and the new unit is running an earlier software version, the new unit is put into a card problem state. • If the unit is running Dell Networking OS version 8.3.10.
Creating a New Stack

Prior to creating a stack, know which unit will be the management unit and which will be the standby unit. Enable the front ports of the units for stacking. For more information, refer to Enabling Front End Port Stacking. To create a new stack, use the following commands.
1 Power up all units in the stack.
2 Verify that each unit has the same Dell Networking OS version prior to stacking them together.
stacking ports. Please save and reload for config to take effect
Dell(conf)#
Dell#02:39:18: %STKUNIT4-M:CP %SYS-5-CONFIG_I: Configured from console
Reload each unit in the stack. After the reload is complete, the four units come up as a stack with unit 1 as the management unit, unit 2 as the standby unit, and the remaining units as stack-members. All units in the stack can be accessed from the management unit.
Adding a Configured Unit to an Existing Stack

To add a configured unit to an existing stack, use the following commands. If a stack unit goes down and is removed from the stack, the logical provisioning configured for that stack-unit number is saved on the master and standby units. When a new unit is added to the stack, if a stack group configuration conflict occurs between the new unit and the provisioned stack unit, the configuration of the new unit takes precedence.
• If there is no unit numbering conflict, the stack members retain their previous unit numbers. Otherwise, the stack manager assigns new unit numbers, based on the order that they come online.
• The stack manager overwrites the startup and running config on the losing stack members with its own to synchronize the configuration on the new stack members.

Split a Stack

To split a stack, unplug the desired stacking cables.
Stack Group  Ports
7  28 to 31
8  32 to 35
9  36 to 39
10  40 to 43
11  44 to 47
12  48
13  52
14  56
15  60
For example, to configure 10-Gigabit Ethernet ports 16 to 19 on stack unit 0 for stacking, enter the stack-unit 0 stack-group 4 command in Global Configuration mode.
Figure 126. S5000 Stack-Group Assignments

Supported Stacking Topologies

The S5000 supports stacking up to six units in a ring or a daisy chain topology.
Figure 127. S5000 Supported Stacking Topologies

Configuring an S5000 Switch Stack

To configure and bring up a switch stack, follow these steps.
1 Power down the switch stack and attach port cables to connect the ports between pairs of switches. Connect ports with the same speed on each pair of stacked switches.
2 Power up each stack unit.
3 Configure the stacking ports on each switch, including unit number and priority.
• Stacking is not supported on 40 GbE ports operating in 4x10G (quad) mode. To convert a fixed 40 GbE port on the front panel from 4x10GbE mode of operation to 40 GbE mode, refer to Converting Four 10 GbE Ports to 40 GbE Ports for Stacking.
• If you use three or more units in an S5000 stack, you can connect up to eight 10 GbE or two 40 GbE links between peer switches. If you use only two units in an S5000 stack, you can connect up to four 40 GbE links between peer switches.
Assigning a Priority to Stacked Switches

By default, each stack unit is assigned priority 0. The switch with the highest priority number is elected master. The switch with the next highest priority number is elected standby and takes over stack management if the master switch fails. The range of valid priority values is from 1 to 14. To configure or revert assigning stacked switch priority, use the following commands.
Dell> enable
Dell# configure
3 Configure the priority used to determine the stack master and standby roles in the stack, where stack-unit 0 is the default stack-unit number.
CONFIGURATION mode
stack-unit 0 priority value
• stack-unit 0 is the default stack-unit number.
• priority value specifies the management priority. The range is from 1 to 14. The default is 0. The unit with the highest priority is elected stack master.
To verify the stack-unit number assigned to each switch in the stack, use the show system brief command. To display complete information on a stack, use the show system command. The following examples show how to configure two new S5000 switches for stacking using 10 GbE ports. The second example shows how to verify the stack configuration.
-- Module Info --
Unit  Module No  Status  Module Type  Ports
------------------------------------------------------
1  0  online  S5000-MOD-12xETH10-F  12
1  1  online  S5000-MOD-12xETH10-F  12
1  2  not present  No Module  0
1  3  not present  No Module  0
2  0  online  S5000-MOD-12xETH10-F  12
2  1  online  S5000-MOD-12xETH10-F  12
2  2  online  S5000-MOD-12xETH10-F  12
2  3  online  S5000-MOD-12xETH10-F  12
The following example displays a stack configuration.
0 absent or down 0 1 up 0 2 up up up 12000 up 12000 up 12000 up 12000 up 12000 up 12000 up 12000 12000 Speed in RPM
-- Unit 1 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 2 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 3 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 4 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 5 --
Unit Type : Member Unit
Status : not present
Required Type :
-- Unit 6 --
Unit Type : Member U
CONFIGURATION mode
stack-unit unit-number provision S5000
2 Save the provisioning configuration.
EXEC Privilege mode
write memory
3 Reload the stack for the provisioning reconfiguration to take effect.
EXEC Privilege mode
reload
Dell Networking OS Behavior: A stacking configuration is handled as follows:
• If a stack unit goes down and is removed from the stack, the logical provisioning configured for the stack-unit number is saved on the master and standby switches.
no stack-unit unit-number stack-group group
2 Save the port configuration.
EXEC Privilege mode
write memory
3 Reload the stack for the port reconfiguration to take effect.
EXEC Privilege mode
reload

Remove a Switch from a Stack

After you remove all ports from an S5000 stack, the switch functions in standalone mode but retains the running and startup configuration that was last synchronized by the master switch while it operated as a stack unit.
Adding a Standalone Switch to a Stack

The following steps describe adding a standalone switch to a stack with no configured stack groups (steps 1 to 6) and with configured stack groups (steps 7 and 8). To add a standalone switch with no stack groups configured to a stack, follow these steps.
1 Attach port cables to connect ports on the switch to one or more switches in the stack.
2 Power on the switch.
3 Log on to the CLI and enter Global Configuration mode.
• Dell Networking OS selects a master switch for the merged stack from the existing masters in the two stacks. To ensure that one of the two master switches wins the master election in the merged stack, use the stack-unit priority command to configure the highest priority for the unit (refer to Assigning a Priority to Stacked Switches).
• All the units in the losing stack reboot and then merge with the winning stack that has the stack master.
EXEC Privilege mode
• reset stack-unit unit-number
Reload a member unit from the unit itself.
EXEC Privilege mode
• reset-self
Reset a stack-unit when the unit is in a problem state.
EXEC Privilege mode
reset stack-unit unit-number hard

Verify a Stack Configuration

The following lists the status of a stacked switch (master, standby master, or member unit) according to the color of the System Status LED on its front panel.
-----------------------------------------
1 2
The following example shows the show system stack-unit stack-group command.
Dell#show system stack-unit 0 stack-group
Stack group  Ports
------------------------
0  0/0,1,2,3
1  0/4,5,6,7
2  0/8,9,10,11
3  0/12,13,14,15
4  0/16,17,18,19
5  0/20,21,22,23
6  0/24,25,26,27
7  0/28,29,30,31
8  0/32,33,34,35
9  0/36,37,38,39
10  0/40,41,42,43
11  0/44,45,46,47
12  0/48
13  0/52
14  0/56
15  0/60
The following example shows the show system stack-ports (ring) command.
The following example shows the show system stack-ports (daisy chain) command.
1/15 2/4 2/5 2/6 2/7 2/8 2/11 1/8 1/9 1/10 1/11 1/12

Troubleshooting a Switch Stack

To perform troubleshooting operations on a switch stack, use the following commands on the master switch.
Command  Output
show system stack-ports status  Displays the status of stacked ports on stack units.
show redundancy  Displays the standby unit status, failover configuration, and result of the last master-standby synchronization; allows you to verify the readiness for a stack failover.
Stack-unit State: Active
Stack-unit SW Version: S5000-9-1-0-1
Link to Peer: Up
-- PEER Stack-unit Status ------------------------------------------------
Stack-unit State: Standby
Peer stack-unit ID: 3
Stack-unit SW Version: S5000-9-1-0-10
-- Stack-unit Redundancy Configuration ------------------------------------------------
Primary Stack-unit: mgmt-id 0
Auto Data Sync: Full
Failover Type: Hot Failover
Auto reboot Stack-unit: Disabled
Auto failover limit: 3 times in 60 minutes
-- Stack-unit Failover Record
Failure Scenarios

The following sections describe some of the common fault conditions that can happen in a switch stack and how they are resolved.

Stack Member Fails

Problem: A unit that is not the stack master fails in an operational stack.
Resolution: If a stack member fails in a daisy chain topology, a split stack occurs. If a member unit fails in a ring topology, traffic is re-routed over existing stack links.
To re-enable a downed stacking port, power cycle the stacked switch where the port is installed.
--------------------------------------MANAGMENT UNIT----------------------------------------
Error: Stack Port 48 has flapped 5 times within 10 seconds.Shutting down this stack port now.
Error: Please check the stack cable/module and power-cycle the stack.
10:55:20: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 52 has flapped 5 times within 10 seconds.Shutting down this stack port now.
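A stacking port that the OS shuts down for flapping is an availability event worth alerting on, because in a daisy chain topology the next failure splits the stack and the port only returns after a power cycle. The detection logic below is an added example, not Dell code: it runs a regular expression built from the message format shown above over log lines and summarizes which stack ports were shut down on which unit. The sample lines are constructed from the messages on this page (the CONFIG_I line is a constructed non-matching line); the regex treats the STKUNIT prefix as optional because the first error line above has none.

```python
"""Added example: detect stack-port shutdowns in Dell Networking OS log output.

Not Dell code. SAMPLE_LOG is constructed from the message format shown on the
page; the parser treats the %STKUNITn-M:CP %KERN-2-INT prefix as optional.
"""
import re

FLAP_RE = re.compile(
    r"(?:%STKUNIT(?P<unit>\d+)-M:CP\s+%KERN-2-INT:\s+)?"
    r"Error: Stack Port (?P<port>\d+) has flapped (?P<count>\d+) times "
    r"within (?P<secs>\d+) seconds\.\s*Shutting down this stack port now"
)


def parse_flap_events(lines):
    """Return one event dict per 'stack port shut down' message, in log order."""
    events = []
    for line in lines:
        m = FLAP_RE.search(line)
        if not m:
            continue
        events.append({
            "unit": int(m["unit"]) if m["unit"] else None,   # None: message carried no unit prefix
            "port": int(m["port"]),
            "flaps": int(m["count"]),
            "window_s": int(m["secs"]),
            "raw": line.strip(),
        })
    return events


def shutdown_summary(lines):
    """Map stack unit -> sorted stack ports the OS shut down (key None when the unit is not in the message)."""
    summary = {}
    for ev in parse_flap_events(lines):
        summary.setdefault(ev["unit"], set()).add(ev["port"])
    return {unit: sorted(ports) for unit, ports in summary.items()}


# Constructed sample, modelled on the console output shown on the page.
SAMPLE_LOG = [
    "Error: Stack Port 48 has flapped 5 times within 10 seconds.Shutting down this stack port now.",
    "Error: Please check the stack cable/module and power-cycle the stack.",
    "10:55:20: %STKUNIT1-M:CP %KERN-2-INT: Error: Stack Port 52 has flapped 5 times within 10 seconds.Shutting down this stack port now.",
    "10:55:21: %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console",
]

if __name__ == "__main__":
    for ev in parse_flap_events(SAMPLE_LOG):
        print(ev["unit"], ev["port"], ev["flaps"], ev["window_s"])
    print(shutdown_summary(SAMPLE_LOG))
```

Feed the function lines from a syslog receiver that the switch exports to; with the syslog-failure trap described earlier in this section, loss of that export path is itself reported, so the absence of these messages is not silently mistaken for a healthy stack.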
Dell#show system stack-unit 2
-- Unit 2 --
Unit Type : Member Unit
Status : card problem - ipc timeout
Next Boot : online
Required Type : S5000 - 4-module, 4-port GE/TE/FG (SH)
Current Type : S5000 - 4-module, 4-port GE/TE/FG (SH)
Master priority : NA
Hardware Rev : 1.
reload
The following example shows how to upgrade all switches in a stack, including the master switch.
Dell# upgrade system ftp: A:
Address or name of remote host []: 10.11.200.241
Source file name []: Dell-SH-9.0.(1.0).bin
User name to login remote host: ftp
Password to login remote host:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Erasing IOM Primary Image, please wait
.!..........................................
.......Writing..............................
..........................................
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!
Image upgraded to Stack unit 2
Dell# configure
Dell(conf)# boot system stack-unit 2 primary system: A:
Dell(conf)# end
Dell#Jan 3 14:27:00: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console
Dell# write memory
Jan 3 14:27:10: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
Synchronizing data to peer Stack-unit
!!!
56 Storm Control

The storm control feature allows you to control unknown-unicast, multicast, and broadcast control traffic on Layer 2 and Layer 3 physical interfaces. The minimum number of packets per second (PPS) that storm control can limit is two.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
• Configure storm control.
• Configure the percentage of broadcast traffic allowed on an interface (ingress only).
INTERFACE mode
storm-control broadcast packets_per_second in
• Configure the percentage of multicast traffic allowed on a C-Series or S-Series interface (ingress only, network only).
INTERFACE mode
storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
57 Spanning Tree Protocol (STP)

Spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
Configure Spanning Tree Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode

All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 128. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following commands.
1 If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2 Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3 Enable the interface.
Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#

Enabling Spanning Tree Protocol Globally

Enable the spanning tree protocol globally; it is not enabled by default.
no disable
Examples of Verifying Spanning Tree Information
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group

To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
INTERFACE mode
spanning-tree 0

Removing an Interface from the Spanning Tree Group

To remove a Layer 2 interface from the spanning tree topology, use the following command.
• Disable spanning tree on a Layer 2 interface.
INTERFACE mode
no spanning-tree 0

Modifying Global Parameters

You can modify the spanning tree parameters.
hello-time seconds
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology).
PROTOCOL SPANNING TREE mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
it receives a BPDU. When you only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation.
CAUTION: Enable PortFast only on links connecting to an end station. PortFast can cause loops if it is enabled on an interface connected to a network.
• Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
• Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
• Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
Figure 130. Enabling BPDU Guard
Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
Interface
Name  Role  PortID  Prio  Cost  Sts  Cost  Link-type  Edge
---------- ------ -------- ---- ------- --- ---------------
Te 0/6  Root  128.263  128  20000  FWD  20000  P2P  No
Te 0/7  ErrDis  128.264  128  20000  EDS  20000  P2P  No
Dell(conf-if-gi-0/7)#do show ip int br gi 0/7
Interface  IP-Address  OK  Method  Status  Protocol
TenGigabitEthernet 0/7  unassigned  YES  Manual  up  up

Global BPDU Filtering

By default, when you enable BPDU filtering globally, it stops transmitting BPDUs on the operational portfast-enabled ports.
Figure 132. BPDU Filtering Enabled on an Interface
Selecting STP Root
STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
• Assign a number as the bridge priority or designate it as the root or secondary root.
Because any switch in an STP network with a lower priority can become the root bridge, the forwarding topology may not be stable. The location of the root bridge can change, resulting in unpredictable network behavior. The STP root guard feature ensures that the position of the root bridge does not change.
Root Guard Scenario
For example, as shown in the following illustration (STP topology 1, upper left), Switch A is the root bridge in the network core.
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
• Configure LACP to be hitless.
CONFIGURATION mode
redundancy protocol lacp
• Configure all spanning tree types to be hitless.
Figure 134. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
• Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it. For example, when Portfast BPDU guard and loop guard are both configured:
• If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port.
58 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see the Dell Networking Open Automation Guide.
Figure 135.
Configuring SupportAssist Using a Configuration Wizard
You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry.
Enable the SupportAssist service.
making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer | core-transfer} start now
Dell#support-assist activity full-transfer start now
Dell#support-assist activity core-transfer start now
Configuring SupportAssist Activity
SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands.
1 Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
action-manifest remove
Dell(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.json
Dell(conf-supportassist-act-full-transfer)#
Dell(conf-supportassist-act-event-transfer)#action-manifest remove custom_event_file1.json
Dell(conf-supportassist-act-event-transfer)#
6 Enable a specific SupportAssist activity. By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
Configuring SupportAssist Person
SupportAssist Person mode allows you to configure the name, email addresses, phone numbers, preferred contact method, and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands.
1 Configure the contact name for an individual.
SUPPORTASSIST SERVER mode
[no] proxy-ip-address {ipv4-address | ipv6-address} port port-number [username userid password [encryption-type] password]
Dell(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.1 port 1024 username test password 0 test1
Dell(conf-supportassist-serv-default)#
3 Enable communication with the SupportAssist server.
activity event-transfer enable
 action-manifest install default
!
activity core-transfer enable
!
contact-company name Dell
 street-address F lane , Sector 30
 address city Brussels state HeadState country Belgium postalcode S328J3
!
contact-person first Fred last Nash
 email-address primary des@sed.com alternate sed@dol.com
 phone primary 123422 alternate 8395729
 preferred-method email
 time-zone zone +05:30 start-time 12:23 end-time 15:23
!
server Dell enable
 url http://1.1.1.
59 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. System times and dates can be set and maintained through NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell Networking OS to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks
• Configuring NTP Broadcasts
• Disabling NTP on an Interface
• Configuring a Source IP Address for NTP Packets (optional)
Enabling NTP
NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources.
• Specify the NTP server to which the Dell Networking system synchronizes.
Disabling NTP on an Interface
By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command.
• Disable NTP on the interface.
INTERFACE mode
ntp disable
To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
CONFIGURATION mode
ntp authenticate
2 Set an authentication key.
CONFIGURATION mode
ntp authentication-key number md5 key
Configure the following parameters:
• number: the range is from 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
• key: enter a text string. This text string is encrypted.
3 Define a trusted key.
CONFIGURATION mode
ntp trusted-key number
Configure a number from 1 to 4294967295.
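The three commands above (ntp authenticate, ntp authentication-key, ntp trusted-key) map onto the symmetric-key authentication scheme of NTP itself, in which a 20-byte MAC (4-byte key number plus a 16-byte MD5 digest computed over the key followed by the 48-byte header, as in RFC 5905 appendix A) is appended to each packet. The following Python model is an added illustration, not Dell code: the key table and trusted-key set are constructed sample values, and extension fields are not modelled.

```python
import hashlib
import hmac
import struct

# Constructed key table, modelling "ntp authentication-key <number> md5 <key>".
# Sample secrets only; not from any real configuration.
AUTH_KEYS = {10: b"s3cretkey-sample", 20: b"otherkey-sample"}
# Modelling "ntp trusted-key <number>": key 20 is configured but NOT trusted.
TRUSTED_KEYS = {10}

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16          # key number + MD5 digest


def build_ntp_header(stratum: int = 2, xmt: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv4 server reply (LI=0, VN=4, mode=4).

    Poll=6, precision=-20, root delay/dispersion 0, reference id "LOCL",
    reference/origin/receive timestamps 0, transmit timestamp as given.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
            + struct.pack("!II", 0, 0)
            + b"LOCL"
            + struct.pack("!QQQQ", 0, 0, 0, xmt))


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """RFC 5905 appendix A keyed digest: MD5 over the key prepended to the packet.

    MD5 is what the protocol specifies for this key type; this is not an HMAC.
    """
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int) -> bytes:
    """Append the MAC field (key number || digest) using the configured key."""
    return header + struct.pack("!I", key_id) + ntp_mac(AUTH_KEYS[key_id], header)


def verify_packet(packet: bytes) -> tuple:
    """Validate a received packet the way a switch with 'ntp authenticate' would.

    Returns (accepted, reason). Packets are rejected when unauthenticated,
    when the key number is not a trusted key, or when the digest does not match.
    """
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected (ntp authenticate is on)"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected MAC length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    # A key that is configured but not listed as trusted is still refused.
    if key_id not in TRUSTED_KEYS or key_id not in AUTH_KEYS:
        return False, f"key {key_id} is not a trusted key"
    expected = ntp_mac(AUTH_KEYS[key_id], header)
    # Constant-time comparison of the digests.
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    hdr = build_ntp_header(stratum=2, xmt=0xCD7F5368D0000000)
    print(verify_packet(sign_packet(hdr, 10)))   # accepted
    print(verify_packet(sign_packet(hdr, 20)))   # key 20 not trusted
    print(verify_packet(hdr))                    # no MAC at all
```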
ref  CD7E14FD.43F7CED9  (16:29:49.265 UTC Wed Apr 1 2009)
org  CD7F5368.D0535000  (15:8:24.813 UTC Thu Apr 2 2009)
rec  CD7F5368.D0000000  (15:8:24.812 UTC Thu Apr 2 2009)
xmt  CD7F5368.D0000000  (15:8:24.812 UTC Thu Apr 2 2009)
inp  CD7F5368.D1974000  (15:8:24.
Configuring a Custom-defined Period for NTP Time Synchronization
You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure.
• Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
Setting the Timezone
Coordinated universal time (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean Time. When determining system time, include the differentiator between UTC and your local timezone. For example, San Jose, CA is in the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command.
• Set the clock to the appropriate timezone.
• end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
• end-year: enter a four-digit number as the year. The range is from 1993 to 2035.
• end-time: enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
• offset: (OPTIONAL) enter the number of minutes to add during the summer-time period. The range is from 1 to 1440. The default is 60 minutes.
Examples of the clock summer-time recurring Command
The following example shows the clock summer-time recurring command.
60 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
 no ip address
 ipv6 address 2::1/64
 tunnel destination 90.1.1.1
 tunnel source 60.1.1.1
 tunnel mode ipv6ip
 no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.
The following sample configuration shows how to use the interface tunnel configuration commands.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 ip address 20.1.1.1/24
 ipv6 address 20:1::1/64
 no shutdown
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1
Dell(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1
Dell(conf-if-tu-1)#tunnel source 40.1.1.
!
interface Tunnel 1
 ip address 1.1.1.1/24
 ipv6 address 1abd::1/64
 tunnel source anylocal
 tunnel allow-remote 40.1.1.
61 Uplink Failure Detection (UFD)
Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with NIC teaming, automatic recovery from a failed link.
Feature Description
A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 137. Uplink Failure Detection
How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 138. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number by using the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group. This calculation ensures that there are no traffic drops due to insufficient bandwidth on the upstream links to the routers/switches.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
To revert to the default setting, use the no downstream disable links command.
4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
UPLINK-STATE-GROUP mode
downstream auto-recover
By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command.
5 (Optional) Enter a text description of the uplink-state group.
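The uplink-state group behaviour described above (a configured number of downstream ports, lowest-numbered first, disabled per failed upstream link; all downstream ports disabled when no number is configured or when every upstream link is down; auto-recovery when an upstream link returns) can be modelled to check a planned ratio before deploying it. The following Python model is an added illustration, not Dell code; the port names are the constructed ones from the UFD sample configuration, the "N ports per failed upstream link" rule is an assumption derived from the bandwidth-ratio guidance, and the recovery log message is the model's own wording.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


def port_key(name: str):
    """Sort key so 'Te 0/2' orders before 'Te 0/11' (numeric slot/port, lowest first)."""
    slot, _, port = name.rsplit(" ", 1)[1].partition("/")
    return int(slot), int(port)


@dataclass
class UplinkStateGroup:
    """Model of one UFD uplink-state group (illustration only, not the OS implementation)."""
    upstream: List[str]
    downstream: List[str]
    disable_links: Optional[int] = None   # "downstream disable links N"; None = all ports
    auto_recover: bool = True             # "downstream auto-recover" (default enabled)
    failed_upstream: Set[str] = field(default_factory=set)
    ufd_disabled: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Ports are always disabled from the lowest numbered to the highest.
        self.downstream = sorted(self.downstream, key=port_key)

    def _target_count(self) -> int:
        failed = len(self.failed_upstream)
        if failed == 0:
            return 0
        if self.disable_links is None or failed == len(self.upstream):
            return len(self.downstream)        # no number configured, or all uplinks lost
        # Assumption: N downstream ports per failed upstream link, which is what the
        # upstream/downstream bandwidth-ratio guidance implies.
        return min(len(self.downstream), self.disable_links * failed)

    def _apply(self) -> None:
        wanted = self.downstream[:self._target_count()]
        for port in wanted:
            if port not in self.ufd_disabled:
                self.ufd_disabled.append(port)
                # Same wording as the %IFMGR-5-OSTATE_DN message the switch logs.
                self.log.append(
                    f"%IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: {port}")
        if self.auto_recover:
            for port in list(self.ufd_disabled):
                if port not in wanted:
                    self.ufd_disabled.remove(port)
                    # Constructed message for the model; not an OS log format.
                    self.log.append(f"UFD auto-recover: downstream interface re-enabled: {port}")
        # Without auto-recover, ports stay UFD-disabled until cleared by the operator
        # (manual clearing is not modelled here).

    def upstream_down(self, port: str) -> None:
        self.failed_upstream.add(port)
        self._apply()

    def upstream_up(self, port: str) -> None:
        self.failed_upstream.discard(port)
        self._apply()

    def disabled_ports(self) -> List[str]:
        return sorted(self.ufd_disabled, key=port_key)


if __name__ == "__main__":
    # Ports from the page's sample: upstream Te 0/3-4, downstream Te 0/1-2,5,9,11-12,
    # "downstream disable links 2".
    group = UplinkStateGroup(["Te 0/3", "Te 0/4"],
                             ["Te 0/11", "Te 0/12", "Te 0/1", "Te 0/2", "Te 0/5", "Te 0/9"],
                             disable_links=2)
    group.upstream_down("Te 0/3")
    print(group.disabled_ports())      # ['Te 0/1', 'Te 0/2']
    group.upstream_down("Te 0/4")
    print(group.disabled_ports())      # all six downstream ports
    group.upstream_up("Te 0/4")
    print(group.disabled_ports())      # back to ['Te 0/1', 'Te 0/2']
    print("\n".join(group.log))
```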
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Fo 13/1
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Fo 13/3
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Fo 13/5
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface i
• Display the current configuration of all uplink-state groups or a specified group.
EXEC mode or UPLINK-STATE-GROUP mode
(For EXEC mode) show running-config uplink-state-group [group-id]
(For UPLINK-STATE-GROUP mode) show configuration
• group-id: The values are from 1 to 16.
Examples of Viewing UFD Information (S50)
The following example shows viewing the uplink state group status for the S50.
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     0 packets, 0 bytes, 0 underruns
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
     Input 00.
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TenGigabitEthernet 0/1-2,5,9,11-12
 upstream TenGigabitEthernet 0/3-4
Dell(conf-uplink-state-group-3)#
Dell(conf-uplink-state-group-3)#exit
Dell(conf)#exit
Dell#
00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console
Dell# show running-config uplink-state-group
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TenGigabitEthernet 0/1-2,5,9,11-12
 upstream T
62 Upgrade Procedures
To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes.
Get Help with Upgrades
Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support:
• On the web: http://dell.
63 Virtual LANs (VLANs)
VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN
When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
VLANs and Port Tagging
To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. Dell Networking OS supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode.
CONFIGURATION mode
interface vlan vlan-id
After you create a VLAN, assign interfaces in Layer 2 mode to it to activate the VLAN.
Example of Verifying a Port-Based VLAN
To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
Except for hybrid ports, only a tagged interface can be a member of multiple VLANs. You can assign hybrid ports to two VLANs if the port is untagged in one VLAN and tagged in all others.
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by entering the no switchport command in INTERFACE mode.
Enabling Null VLAN as the Default VLAN
In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
64 VLT Proxy Gateway
The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Dell Networking OS Command Line Reference Guide.
Figure 140. Sample Configuration for a VLT Proxy Gateway
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; that is, across a VLT domain.
• You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• You cannot change the VLT LAG to a legacy LAG when it is part of a proxy gateway.
• You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway.
• Dell Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links.
• The virtual router redundancy protocol (VRRP) and IPv6 routing are not supported.
• Private VLANs (PVLANs) are not supported.
• You must configure the interface proxy gateway LLDP to enable or disable a proxy-gateway LLDP TLV on specific interfaces.
• The interface is typically a VLT port-channel that connects to a remote VLT domain.
• The new proxy gateway TLV is carried on the physical links under the port channel only.
• You must have at least one link connection to each unit of the VLT domain.
Following are the prerequisites for Proxy Gateway LLDP configuration:
• You must globally enable LLDP.
LLDP VLT Proxy Gateway in a Square VLT Topology
Figure 141. Sample Configuration for a VLT Proxy Gateway
• The preceding figure shows a sample square VLT proxy gateway topology. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This causes sub-optimal routing.
• Any L3 packet that gets an L3 hit and is routed has its time to live (TTL) decremented as expected.
• You can disable the VLT proxy gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
65 Virtual Link Trunking (VLT)
Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access or ToR. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
• Assures high availability.
CAUTION: Dell Networking does not recommend enabling Stacking and VLT simultaneously. If you enable both features at the same time, unexpected behavior occurs.
As shown in the following example, VLT presents a single logical Layer 2 domain from the perspective of attached devices that have a virtual link trunk terminating on separate chassis in the VLT domain. However, the two VLT chassis are independent Layer2/Layer3 (L2/L3) switches for devices in the upstream network.
The following illustration shows stacking at the access, VLT in aggregation, and Layer 3 at the core. The aggregation layer is mostly in the L2/L3 switching/routing layer. For better resiliency in the aggregation, Dell Networking recommends running the internal gateway protocol (IGP) on the VLTi VLAN to synchronize the L3 routing table across the two nodes on a VLT system.
Figure 143.
Figure 144. Example of a Multiple VLT Configuration
VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
• VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
• VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• VLT is not supported on an S5000 configured for FCoE transit or NPIV proxy gateway.
• VLT port channel interfaces must be switch ports.
• If you include RSTP on the system, configure it before VLT. Refer to Configuring Rapid Spanning Tree.
• Dell Networking strongly recommends that the VLTi (VLT interconnect) be a static LAG and that you disable LACP on the VLTi.
• Ensure that the spanning tree root bridge is at the Aggregation layer.
• Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported. Dell Networking strongly recommends configuring a static LAG for VLTi.
• The VLT interconnect synchronizes L2 and L3 control-plane information across the two chassis.
• The VLT interconnect is used for data traffic only when there is a link failure that requires using VLTi in order for data packets to reach their final destination.
VLT domain, configure the port interfaces on each VLT peer as hybrid ports before adding them to the port channel (refer to Connecting a VLT Domain to an Attached Access Device (Switch or Server)). To configure a port in Hybrid mode so that it can carry untagged, single-tagged, and double-tagged traffic, use the portmode hybrid command in Interface Configuration mode as described in Configuring Native VLANs.
• If the primary chassis fails, the secondary chassis takes on the operational role of the primary.
• The SNMP MIB reports VLT statistics.
RSTP and VLT
VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures.
VLT Port Delayed Restoration
When a VLT node boots up, if the VLT ports have been previously saved in the start-up configuration, they are not immediately enabled. To ensure MAC and ARP entries from the VLT peer node are downloaded to the newly enabled VLT node, the system allows time for the VLT ports on the new node to be enabled and begin receiving traffic. The delay-restore feature waits for all saved configurations to apply, then starts a configurable timer.
Figure 145. Example of PIM-Sparse Mode on VLT
On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This allows multicast traffic that originates from the source that is connected to the VLT ports to reach the PIM router which has downstream neighbors.
RSTP Configuration
RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, see Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 1)
Dell_VLTpeer1(conf)#protocol spanning-tree rstp
Dell_VLTpeer1(conf-rstp)#no disable
Dell_VLTpeer1(conf-rstp)#bridge-priority 4096
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2)
Dell_VLTpeer2(conf)#protocol spanning-tree rstp
Dell_VLTpeer2(conf-rstp)#no disable
Dell_VLTpeer2(conf-rstp)#bridge-priority 0
Configuring VLT
To configure VLT, use the following procedure.
channel-member interface
interface: specify one of the following interface types:
• 10 Gigabit Ethernet: Enter tengigabitethernet slot/port.
• 40 Gigabit Ethernet: Enter fortygigabitethernet slot/port.
4 Ensure that the port channel is active.
INTERFACE PORT-CHANNEL mode
no shutdown
5 Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect.
Enabling VLT and Creating a VLT Domain
To enable VLT and create a VLT domain, use the following steps.
Configuring a VLT Backup Link
To configure a VLT backup link, use the following command.
1 Specify the management interface to use for the backup link through an out-of-band management network.
CONFIGURATION mode
interface managementethernet slot/port
Enter the slot (0-1) and the port (0).
2 Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
2 (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, Dell Networking OS elects a primary and secondary VLT peer device.
VLT DOMAIN CONFIGURATION mode
primary-priority value
To reconfigure the primary role of VLT peer switches, use the primary-priority command. To configure the primary role on a VLT peer, enter a lower value than the priority value of the remote peer.
INTERFACE PORT-CHANNEL mode
no ip address
3 Place the interface in Layer 2 mode.
INTERFACE PORT-CHANNEL mode
switchport
4 Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• 10 Gigabit Ethernet: enter tengigabitethernet slot/port.
• 40 Gigabit Ethernet: enter fortygigabitethernet slot/port.
5 Ensure that the port channel is active.
The range is from 1 to 4094.
Configuring Enhanced VLT (Optional)
To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands.
1 Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
VLT DOMAIN CONFIGURATION mode
unit-id {0 | 1}
The unit IDs are used for internal system operations. Configure a different unit ID (0 or 1) on each peer switch. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots.
8 Configure enhanced VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
19 Repeat steps 1 through 16 for the VLT peer node in Domain 2.
To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration.
PVST+ Configuration
PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel.
Te 1/13  Desg  128.233  128  2000  FWD  0  P2P  No
Dell#
VLT Sample Configuration
To review a sample VLT configuration setup, study these steps.
1 Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
VLT DOMAIN mode
vlt domain domain-id
2 Configure the VLTi between VLT peer 1 and VLT peer 2.
3 You can configure LACP/static LAG between the peer units (not shown).
In the following sample VLT configuration steps, VLT peer 1 is S5000-2, VLT peer 2 is S5000-4, and the ToR is S60-1.
NOTE: To avoid potential problems if the VLT peers are rebooted, if you use a third-party ToR unit, Dell Networking recommends using static LAGs with VLT peers.
Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
S5000-2(conf)#vlt domain 5
S5000-2(conf-vlt-domain)#
S5000-4(conf)#vlt domain 5
S5000-4(conf-vlt-domain)#
Configure the VLTi between VLT peer 1 and VLT peer 2.
S5000-2#show running-config interface port-channel 2
!
interface Port-channel 2
 no ip address
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
S5000-2#
S5000-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:14  Te 0/40 (Up)
S5000-2#
In the ToR unit, configure LACP on the physical ports.
Verify that the VLT LAG is up in both VLT peer units.
S5000-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:43:24  Te 0/40 (Up)
S5000-2#
S5000-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG  Mode  Status  Uptime    Ports
L 2    L2L3  up      03:33:31  Te 0/18 (Up)
S5000-4#
eVLT Configuration Example
The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network.
Configure eVLT on Peer 1.
Domain_1_Peer1(conf)#interface port-channel 100
Domain_1_Peer1(conf-if-po-100)# switchport
Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer1(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 1.
Next, configure the VLT domain and VLTi on Peer 4.
Domain_2_Peer4#configure
Domain_2_Peer4(conf)#interface port-channel 1
Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-9
Domain_1_Peer4#no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
VLT_Peer2(conf-if-vl-4001)#ip igmp snooping mrouter interface port-channel 128
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation.
EXEC mode
show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
Destination:                 10.11.200.18
Peer HeartBeat status:       Up
HeartBeat Timer Interval:    1
HeartBeat Timeout:           3
UDP Port:                    34998
HeartBeat Messages Sent:     1026
HeartBeat Messages Received: 1025
Dell_VLTpeer2# show vlt backup-link
VLT Backup Link
----------------
Destination:                 10.11.200.20
Peer HeartBeat status:       Up
HeartBeat Timer Interval:    1
HeartBeat Timeout:           3
UDP Port:                    34998
HeartBeat Messages Sent:     1030
HeartBeat Messages Received: 1014
The following example shows the show vlt brief command.
2 100 127 100 UP UP UP UP 20, 30 10, 20, 30

The following example shows the show vlt role command.
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 4096, Address 0001.e88a.d656
Configured hello time 2, max age 20, forward delay 15

Interface                                         Designated
Name    PortID   Prio  Cost    Sts        Cost  Bridge ID            PortID
------- -------- ----- ------- ---------- ----- -------------------- -------
Po 1    128.2    128   200000  DIS        800   4096 0001.e88a.d656  128.2
Po 3    128.4    128   200000  DIS        800   4096 0001.e88a.d656  128.4
Po 4    128.5    128   200000  DIS        800   4096 0001.e88a.d656  128.5
Po 100  128.101  128   800     FWD(VLTi)  800   0    0001.e88a.
Configure the port channel to an attached device.

Dell_VLTpeer1(conf)#interface port-channel 110
Dell_VLTpeer1(conf-if-po-110)#no ip address
Dell_VLTpeer1(conf-if-po-110)#switchport
Dell_VLTpeer1(conf-if-po-110)#channel-member fortyGigE 0/52
Dell_VLTpeer1(conf-if-po-110)#no shutdown
Dell_VLTpeer1(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer1(conf-if-po-110)#end

Verify that the port channels used in the VLT domain are assigned to the same VLAN.
   10   Active            U  Po110(Fo 0/48)
                          T  Po100(Fo 0/46,50)

Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)

On an access device, verify the port-channel connection to a VLT domain.

Dell_TORswitch(conf)# show running-config interface port-channel 11
!
interface Port-channel 11
 no ip address
 switchport
 channel-member fortyGigE 1/18,22
 no shutdown

Troubleshooting VLT

To help troubleshoot different VLT issues that may occur, use the following information.
Description: System MAC mismatch
  Behavior at Peer Up: A syslog error message and an SNMP trap are generated.
  Behavior During Run Time: A syslog error message and an SNMP trap are generated.
  Action to Take: Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.

Description: Unit ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up. The VLTi is forced to a down state.
  Behavior During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state.
The association of PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured to be a member of either the primary or secondary PVLAN (which is associated with the primary), ICL becomes an automatic member of that PVLAN on both switches. This association helps the PVLAN data flow received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the peer. You can associate either a VLT VLAN or a VLT LAG to a PVLAN.
The PVLAN mode of VLT LAGs on one peer is validated against the PVLAN mode of VLT LAGs on the other peer. MAC addresses that are learned on that VLT LAG are synchronized between the peers only if the PVLAN mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN

The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN, for the various modes of operation of the VLT peers.

Table 97.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 Access Access Access Access ICL VLAN Membership Mac Synchronization Yes Yes Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Peer1 Peer2 - Primary VLAN X - Primary VLAN X Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No

Configuring a VLT VLAN or LAG in a PV
5 To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch.
6 Enter VLT-domain configuration mode for a specified VLT domain.
  CONFIGURATION mode
  vlt domain domain-id
  The range of domain IDs is from 1 to 1000.
7 Enter the port-channel number that acts as the interconnect trunk.
8 Map secondary VLANs to the selected primary VLAN.
  INTERFACE VLAN mode
  private-vlan mapping secondary-vlan vlan-list
  The list of secondary VLANs can be:
  • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
  • Specified with this command even before they have been created.
  • Amended by specifying the new secondary VLAN to be added to the list.

Proxy ARP Capability on VLT Peer Nodes

The proxy ARP functionality is supported on VLT peer nodes.
The IP address of the VLT node VLAN interface is synchronized with the VLT peer over ICL when the VLT peers are up. Whenever you add or delete an IP address, this updated information is synchronized with the VLT peer. IP address synchronization occurs regardless of the VLAN administrative state. IP address addition and deletion serve as the trigger events for synchronization. When a VLAN state is down, the VLT peer might perform a proxy ARP operation for the IP addresses of that VLAN interface.
multicast outgoing interface (OIF), after a VLT peer node failure, using the multicast peer-routing-timeout command in VLT DOMAIN mode.

Using the bootstrap router (BSR) mechanism, you can configure both VLT nodes in a VLT domain as candidate RPs for the same group range. When an RP fails, the VLT peer automatically takes over the RP role; the PIM BSR protocol is what provides this resiliency.

Configuring VLAN-Stack over VLT

To configure VLAN-stack over VLT, follow these steps.
 no ip address
 switchport
 vlan-stack access
 vlt-peer-lag port-channel 10
 no shutdown
Dell#

Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)#vlt-peer-lag port-channel 20
Dell(conf-if-po-20)#vlan-stack trunk
Dell(conf-if-po-20)#no shutdown

Dell#show running-config interface port-channel 20
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
Dell#

Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as Membe
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
NUM  Status  Description  Q  Ports
50   Active               M  Po10(Te 1/8)
                          M  Po20(Te 1/20)
                          V  Po1(Te 1/30-32)
Dell#

IPv6 Peer Routing in VLT Domains

Overview

VLT enables the physical links between two devices, called VLT nodes or peers, within a VLT domain to be treated as a single logical link by external devices that are connected to both VLT peers using LAG bundles.
• During failure cases, when a VLT node goes down and comes back up, all the ND entries learned via the VLT interface must be synchronized to the peer VLT node.

Synchronization of IPv6 ND Entries in a Non-VLT Domain

Layer 3 VLT provides higher resiliency at the Layer 3 forwarding level. Routed VLT allows you to replace VRRP with routed VLT to route the traffic from Layer 2 access nodes. With ND synchronization, both VLT nodes perform Layer 3 forwarding on behalf of each other.
Figure 147. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Sample Configuration of IPv6 Peer Routing in a VLT Domain

Consider a sample scenario, shown in the following figure, in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Figure 148. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Neighbor Solicitation from VLT Hosts

Consider a case in which the NS for the VLT node1 IP reaches VLT node1 on the VLT interface, and the NS for the VLT node1 IP reaches VLT node2 because of LAG-level hashing in the ToR. When VLT node1 receives the NS from the VLT VLAN interface, it unicasts the NA packet on the VLT interface. When the NS reaches VLT node2, it is flooded on all interfaces, including the ICL.
Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
Non-VLT host to Non-VLT host traffic flow

When a VLT node receives traffic from a non-VLT host destined to a non-VLT host, it performs a neighbor entry lookup and routes the traffic over the ICL interface. If the traffic reaches the wrong VLT peer, that peer routes the traffic over the ICL.

Router Solicitation

When a VLT node receives a Router Solicitation on a VLT interface or a non-VLT interface, it consumes the packet and sends an RA back on the receiving interface. The VLT node drops the RS message if it is received over the ICL interface.
66 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.

VRF Overview

VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 149. VRF Network Example

VRF Configuration Notes

Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
If the next-hop IP in a static route VRF statement is the VRRP IP of another VRF, this static route does not get installed on the VRRP master. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF.

NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the non-default VRF.

Table 98.
Feature/Capability  Support Status for Default VRF  Support Status for Non-default VRF
OSPFv3              Yes                             Yes
IS-IS               Yes                             Yes
BGP                 Yes                             Yes
ACL                 Yes                             No
Multicast           No                              No
NDP                 Yes                             Yes
RAD                 Yes                             Yes
DHCP                DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
Assigning an Interface to a VRF

You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.

NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
show ip vrf [vrf-name]

Assigning an OSPF Process to a VRF Instance

OSPF routes are supported on all VRF instances. See the Open Shortest Path First (OSPFv2) chapter for complete OSPF configuration information.

Assign an OSPF process to a VRF instance. Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
Task  Command Syntax  Command Mode

10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 43, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 10.1.1.100
Authentication: (none)

Configuring Management VRF

You can assign a management interface to a management VRF.
1 Create a management VRF.
  CONFIGURATION
  ip vrf management
2 Assign a management port to a management VRF.
  management route ip-address mask managementethernet
  or
  management route ipv6-address prefix-length managementethernet
  You can also have the management route point to a front-end port in the case of the management VRF. For example: management route 2::/64 tengigabitethernet 1/1.
• Configure a static entry in the IPv6 neighbor discovery.
  CONFIGURATION
  ipv6 neighbor vrf management 1::1 tengigabitethernet 1/1 xx:xx:xx:xx:xx:xx

Sample VRF Configuration

The following configuration illustrates a typical VRF set-up.
Figure 151. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.
 ip vrf forwarding green
 ip address 30.0.0.1/24
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.
 ip address 2.0.0.2/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.2/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.
Dell#show ip route vrf orange
Codes: C - connected, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route

Gateway of last resort is not set

C C O   Destination ----------- 2.0.0.0/24 20.0.
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route

Gateway of last resort is not set

     Destination     Gateway
     -----------     -------
C    1.0.0.0/24      Direct, Vl 128
O    10.0.0.0/24     via 1.0.0.1, Vl 128
C    11.0.0.
interface TenGigabitEthernet 1/10
 ip vrf forwarding VRF2
 ip address 140.0.0.1/24

ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2
ip route vrf VRF2 40.0.0.0/16 120.0.0.2 vrf VRF1

Dynamic Route Leaking

Route leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services, such as VoIP and video, that are available on one routing domain with other virtual domains.
  ip address ip-address mask
  A non-default VRF named VRF-Shared is created and the interface 1/4 is assigned to this VRF.
2 Configure the export target in the source VRF.
  ip route-export 1:1
3 Configure VRF-red.
  ip vrf vrf-red
  interface-type slot/port
  ip vrf forwarding VRF-red
  ip address ip-address mask
  A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
4 Configure the import target in VRF-red.
  ip route-import 1:1
5 Configure the export target in VRF-red.
ip vrf VRF-Blue
 ip route-export 3:3
 ip route-import 1:1
!
ip vrf VRF-Green
!
ip vrf VRF-shared
 ip route-export 1:1
 ip route-import 2:2
 ip route-import 3:3

Show routing tables of all the VRFs (without any route-export and route-import tags being configured):

Dell# show ip route vrf VRF-Red
O    11.1.1.1/32     via 111.1.1.1       110/0   00:00:10
C    111.1.1.0/24    Direct, Te 1/11     0/0     22:39:59

Dell# show ip route vrf VRF-Blue
O    22.2.2.2/32     via 122.2.2.2       110/0   00:00:11
C    122.2.2.
C    122.2.2.0/24    Direct, VRF-Blue:Te 1/22   0/0     22:39:61
O    44.4.4.4/32     via 144.4.4.4              110/0   00:00:11
C    144.4.4.0/24    Direct, Te 1/4             0/0     00:32:36

Important Points to Remember

• If the target VRF contains the same prefix as either a sourced or a leaked route from some other VRF, route leaking for that particular prefix fails and the following error log is generated:
  SYSLOG ("Duplicate prefix found %s in the target VRF %d", address, import_vrf_id), with type/level EVT_LOGWARNING.
  ip address ip-address mask
  A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
2 Define a route-map export_ospfbgp_protocol.
  Dell(conf)#route-map export_ospfbgp_protocol permit 10
3 Define the matching criteria for the exported routes.
  Dell(conf-route-map)#match source-protocol ospf
  Dell(conf-route-map)#match source-protocol bgp
  This action specifies that the route-map uses OSPF and BGP as the matching criteria for exporting routes from vrf-red.
O    44.4.4.4/32     via vrf-red:144.4.4.4    0/0    00:32:36    << only OSPF and BGP leaked from VRF-red

Important Points to Remember

• Only active routes are eligible for leaking. For example, suppose VRF-A has two routes to the same prefix, one from BGP and one from OSPF, and the BGP route is not active because the OSPF route takes precedence over BGP. Even though the target VRF-B has specified filtering options to match BGP, the BGP route is not leaked, because that route is not active in the source VRF.
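The leaking rules stated in this section (routes cross VRFs only where an import target matches an export target, the export route-map filters by source protocol, only active routes are eligible, and a prefix already present in the target makes the leak fail with the duplicate-prefix warning) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Dell Networking OS code. The VRF IDs (1, 2, 3), the VRF-Red export target 2:2 (the guide's step 5 does not show its value), the inactive BGP path in VRF-Red and the static route in VRF-Blue are constructed assumptions chosen to exercise each rule:

```python
# Added illustration of VRF route-leaking semantics, not Dell code.
# VRF IDs, the VRF-Red export target (2:2), the inactive BGP path and the
# VRF-Blue static route are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str               # next-hop address, or the interface for a connected route
    protocol: str          # 'show ip route' code: C, S, O, B, ...
    active: bool = True    # only the active route for a prefix can be leaked


@dataclass
class Vrf:
    name: str
    vrf_id: int
    routes: List[Route] = field(default_factory=list)
    route_export: Optional[str] = None                   # ip route-export <target>
    route_import: Set[str] = field(default_factory=set)  # ip route-import <target>
    export_protocols: Optional[Set[str]] = None          # route-map 'match source-protocol'


def leak_routes(vrfs: List[Vrf]) -> Tuple[Dict[str, List[Tuple[Route, str]]], List[str]]:
    """Return ({target VRF name: [(route, source VRF name)]}, [warnings])."""
    leaked: Dict[str, List[Tuple[Route, str]]] = {v.name: [] for v in vrfs}
    warnings: List[str] = []
    for src in vrfs:
        if src.route_export is None:
            continue
        for dst in vrfs:
            if dst is src or src.route_export not in dst.route_import:
                continue
            # prefixes the target already holds: its own routes plus earlier leaks
            present = {r.prefix for r in dst.routes} | {r.prefix for r, _ in leaked[dst.name]}
            for r in src.routes:
                if not r.active:
                    continue                      # inactive routes are never leaked
                if src.export_protocols is not None and r.protocol not in src.export_protocols:
                    continue                      # filtered by the export route-map
                if r.prefix in present:
                    warnings.append(f"Duplicate prefix found {r.prefix} in the target VRF {dst.vrf_id}")
                    continue                      # leak fails for this prefix only
                leaked[dst.name].append((r, src.name))
                present.add(r.prefix)
    return leaked, warnings


def _gateway(r: Route, src: Optional[str] = None) -> str:
    via = f"{src}:{r.via}" if src else r.via
    return f"Direct, {via}" if r.protocol == "C" else f"via {via}"


def show_ip_route(vrf: Vrf, leaked: Dict[str, List[Tuple[Route, str]]]) -> List[str]:
    """Render rows in the spirit of 'show ip route vrf <name>': own active routes, then leaked ones."""
    rows = [f"{r.protocol:<2} {r.prefix:<16} {_gateway(r)}" for r in vrf.routes if r.active]
    rows += [f"{r.protocol:<2} {r.prefix:<16} {_gateway(r, src)}" for r, src in leaked[vrf.name]]
    return rows


def build_example() -> List[Vrf]:
    """VRF-Red, VRF-Blue and VRF-shared with the targets used in this section's example."""
    red = Vrf("VRF-Red", 1, [
        Route("11.1.1.1/32", "111.1.1.1", "O"),
        Route("11.1.1.1/32", "111.1.1.9", "B", active=False),   # constructed: losing BGP path
        Route("111.1.1.0/24", "Te 1/11", "C"),
    ], route_export="2:2", route_import={"1:1"}, export_protocols={"O", "B"})
    blue = Vrf("VRF-Blue", 2, [
        Route("22.2.2.2/32", "122.2.2.2", "O"),
        Route("122.2.2.0/24", "Te 1/22", "C"),
        Route("144.4.4.0/24", "122.2.2.254", "S"),              # constructed: collides with VRF-shared
    ], route_export="3:3", route_import={"1:1"})
    shared = Vrf("VRF-shared", 3, [
        Route("44.4.4.4/32", "144.4.4.4", "O"),
        Route("144.4.4.0/24", "Te 1/4", "C"),
    ], route_export="1:1", route_import={"2:2", "3:3"})
    return [red, blue, shared]


if __name__ == "__main__":
    vrfs = build_example()
    leaked, warnings = leak_routes(vrfs)
    for v in vrfs:
        print(f"Dell# show ip route vrf {v.name}")
        print("\n".join(show_ip_route(v, leaked)), end="\n\n")
    for w in warnings:
        print("%SYSLOG EVT_LOGWARNING:", w)
```

Running it shows VRF-shared receiving the OSPF route from VRF-Red but not its connected route (filtered by the route-map), VRF-Red and VRF-Blue receiving VRF-shared's routes, and two duplicate-prefix warnings for 144.4.4.0/24, one because VRF-Blue's own static route collides when VRF-shared leaks into it, and one because VRF-shared already holds the prefix when VRF-Blue leaks into it.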
67 Virtual Router Redundancy Protocol (VRRP)

Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.

VRRP Overview

VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 152. Basic VRRP Configuration

VRRP Benefits

With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocol (IGP) protocols to converge or update routing tables.

VRRP Implementation

The S5000 supports a total of 255 VRRP groups on a switch. Within a single VRRP group, up to 12 virtual IP addresses are supported.
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to drop during that switch-over time.

Table 100.
  NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example.
• Delete a VRRP group.
  INTERFACE mode
  no vrrp-group vrid

Examples of Configuring and Verifying VRRP

The following example shows how to configure VRRP.

Dell(conf)#int Te 1/1
Dell(conf-if-Te-1/1)#vrrp-group 111
Dell(conf-if-Te-1/1-vrid-111)#

The following example shows how to verify the VRRP configuration.

Dell(conf-if-Te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
 !
 vrrp-group 222
 no shutdown
Dell(conf-if-te-1/1)#

The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.

Dell#show vrrp
-----------------
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
State: Master, Priority: 125, Master: 10.10.2.
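The show vrrp output above is the natural input for a periodic health check. The following is an added example written for this page, not Dell code: it parses the IPv4 show vrrp format shown in this chapter into one record per group and then audits each record for received bad packets, a missing authentication setting, and a virtual MAC that does not correspond to the VRID (the guide's own examples show VRID 111 rendered as 00:00:5e:00:01:6f and VRID 99 as 00:00:5e:00:01:63). The sample output is constructed in that format; the second group's mismatched MAC and non-zero bad-packet counter are deliberate so that the audit has something to report:

```python
# Added illustration, not Dell code: parse 'show vrrp' (IPv4 form, as shown in
# this chapter) and audit each group. SAMPLE_SHOW_VRRP is constructed text.
import re
from typing import Dict, List, Tuple

SAMPLE_SHOW_VRRP = """\
-----------------
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1
State: Backup, Priority: 125, Master: 10.10.2.1
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 418, Bad pkts rcvd: 3, Adv sent: 0, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:70
Virtual IP address: 10.10.2.100
Authentication: (none)
"""

# group header: "<interface type> <slot/port>, VRID: <n>, Net: <address>"
HEADER = re.compile(r"^(?P<iface>\S+ \S+), VRID: (?P<vrid>\d+), Net: (?P<net>\S+)$")
# "Key: value" pairs; a line may carry several, separated by commas
KV = re.compile(r"([A-Za-z ]+?): ([^,]+)")


def parse_show_vrrp(text: str) -> List[Dict[str, str]]:
    """Split the output on the dashed separators and collect each group's fields."""
    groups: List[Dict[str, str]] = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        m = HEADER.match(lines[0])
        if not m:
            raise ValueError(f"unrecognised group header: {lines[0]!r}")
        g = m.groupdict()
        for line in lines[1:]:
            for key, val in KV.findall(line):
                g[key.strip().lower()] = val.strip()
        groups.append(g)
    return groups


def expected_virtual_mac(vrid: int) -> str:
    """IPv4 VRRP virtual MAC: 00:00:5e:00:01:<VRID as two hex digits>."""
    return f"00:00:5e:00:01:{vrid:02x}"


def audit(groups: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs worth a look by whoever runs the switch."""
    findings: List[Tuple[str, str]] = []
    for g in groups:
        where = f"{g['iface']} VRID {g['vrid']}"
        if int(g["bad pkts rcvd"]) > 0:
            findings.append((where, f"{g['bad pkts rcvd']} bad VRRP packets received"))
        if g["authentication"] == "(none)":
            findings.append((where, "no VRRP authentication configured"))
        if g["virtual mac address"].lower() != expected_virtual_mac(int(g["vrid"])):
            findings.append((where, "virtual MAC does not match VRID"))
    return findings


if __name__ == "__main__":
    for where, msg in audit(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print(f"{where}: {msg}")
```

The parser is deliberately keyed on the field labels rather than column positions, so extra fields such as the Accept Mode line in the IPv6 (VRRPv3) output would be collected without changes; the IPv6 header line, which carries "IPv6 VRID" and a Version field, would need a second header pattern.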
Disabling Preempt

The preempt command is enabled by default. The command forces the system to change the MASTER router if another router with a higher priority comes online. Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt.

NOTE: You must configure all virtual routers in the VRRP group the same: either all with preempt enabled or all with preempt disabled.
  The range is from 1 to 255 seconds. The default is 1 second.

Examples of the advertise-interval Command

The following example shows how to change the advertise interval using the advertise-interval command.

Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#advertise-interval 10
Dell(conf-if-te-1/1-vrid-111)#

The following example shows how to verify the advertise interval change using the show conf command.
Tracking an Interface

To track an interface, use the following commands.

NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group.

• Monitor an interface and, optionally, set a value to be subtracted from the interface's VRRP group priority.
  INTERFACE-VRID mode
  track interface [priority-cost cost]
  The cost range is from 1 to 254. The default is 10.
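The limits given in the preceding sections (priority up to 255, advertise-interval 1 to 255 seconds with a default of 1, priority-cost 1 to 254 with a default of 10, the sum of all tracked costs strictly below the group priority, and preempt set the same way on every router in a group) are easy to get wrong when several tracked interfaces are added over time. The following is an added example written for this page, not Dell code: it validates a group's settings against those limits, computes the priority the router would advertise after tracked interfaces go down, and models the election rules this chapter describes (highest priority wins, an existing Master is not displaced when preempt is off, and a tie does not displace an existing Master). The interface names and priorities used in the usage section are constructed:

```python
# Added illustration, not Dell code: VRRP group configuration checks and an
# election model built from the rules stated in this chapter.
from typing import Dict, List, Optional, Tuple

DEFAULT_TRACK_COST = 10          # 'track interface' without priority-cost
DEFAULT_ADVERTISE_INTERVAL = 1   # seconds


def validate_group(priority: int, tracks: Dict[str, Optional[int]],
                   advertise_interval: int = DEFAULT_ADVERTISE_INTERVAL) -> List[str]:
    """Return configuration errors for one VRRP group; an empty list means it is acceptable.

    tracks maps a tracked interface name to its priority-cost (None = default of 10).
    """
    errors: List[str] = []
    if not 1 <= priority <= 255:
        errors.append(f"priority {priority} outside 1-255")
    if not 1 <= advertise_interval <= 255:
        errors.append(f"advertise-interval {advertise_interval} outside 1-255 seconds")
    total = 0
    for iface, cost in tracks.items():
        cost = DEFAULT_TRACK_COST if cost is None else cost
        if not 1 <= cost <= 254:
            errors.append(f"track {iface}: priority-cost {cost} outside 1-254")
        total += cost
    if tracks and total >= priority:
        errors.append(f"sum of track costs ({total}) must be less than priority ({priority})")
    return errors


def effective_priority(priority: int, tracks: Dict[str, Optional[int]], down: List[str]) -> int:
    """Priority the router advertises after the listed tracked interfaces have gone down."""
    for iface in down:
        cost = tracks[iface]
        priority -= DEFAULT_TRACK_COST if cost is None else cost
    return priority


def preempt_consistent(routers: Dict[str, bool]) -> bool:
    """All virtual routers in a group must agree on preempt: all enabled or all disabled."""
    return len(set(routers.values())) <= 1


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(candidates: Dict[str, int], current_master: Optional[str], preempt: bool) -> str:
    """candidates maps router IP -> effective priority. Returns the IP that holds MASTER."""
    if current_master in candidates and not preempt:
        return current_master                  # preempt disabled: Master keeps the role while up
    best = max(candidates.values())
    if current_master in candidates and candidates[current_master] == best:
        return current_master                  # a tie does not displace an existing Master
    # otherwise highest priority wins; equal priorities fall back to the higher IP address
    return max((prio, _ip_key(ip), ip) for ip, prio in candidates.items())[2]


if __name__ == "__main__":
    # constructed usage: R2 tracks its two uplinks (names and costs are assumptions)
    tracks = {"TenGigabitEthernet 2/1": 50, "TenGigabitEthernet 2/2": None}
    print("errors:", validate_group(200, tracks))
    print("errors:", validate_group(200, {**tracks, "Vlan 100": 150}))
    after_outage = effective_priority(200, tracks, ["TenGigabitEthernet 2/1"])
    print("R2 priority after uplink loss:", after_outage)
    print("master:", elect_master({"10.1.1.1": after_outage, "10.1.1.2": 100}, "10.1.1.1", preempt=True))
```

A point worth noting in the election model: with preempt enabled, a router whose tracked interface fails still keeps MASTER as long as its reduced priority remains the highest, so track costs should be sized so that losing the interface actually drops the router below its peer's priority.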
  5 changes, last change 00:02:16
  Metric threshold down 255 up 254
  First-hop interface is TenGigabitEthernet 13/2
  Tracked by:
    VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 3
  IPv6 route 2050::/64 reachability
  Reachability is Up (STATIC)
  5 changes, last change 00:02:16
  First-hop interface is TenGigabitEthernet 13/2
  Tracked by:
    VRRP TenGigabitEthernet 7/30 IPv6 VRID 1

The following example shows how to verify the VRRP status.
• Set the delay time for VRRP initialization on an individual interface.
  INTERFACE mode
  vrrp delay minimum seconds
  This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
• Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
  INTERFACE mode
  vrrp delay reload seconds
  This time is the gap between system boot-up completion and VRRP enabling.
Figure 153. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6

The following example shows configuring VRRP for IPv4.

Router 2
R2(conf)#int te 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
R2#show vrrp
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#

Router 3
R3(conf)#int te 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.2/24
R3(conf-if-te-3/21)#vrrp-group 99
R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
Figure 154. Example of VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-0/0)#end
R2#show vrrp
-----------------
TenGigabitEthernet 0/0, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
Rout
VRRP in a VRF: Non-VLAN Scenario

The following example shows how to enable VRRP in a non-VLAN scenario. It shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two E-Series switches. The default gateway to reach the internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface TenGigabitEthernet 12/1
S1(conf-if-te-12/1)#ip vrf forwarding VRF-1
S1(conf-if-te-12/1)#ip address 10.10.1.5/24
S1(conf-if-te-12/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-te-12/1-vrid-101)#priority 100
S1(conf-if-te-12/1-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-12/1)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 12/2
S1(conf-if-te-12/2)#ip vrf forwarding VRF-2
S1(conf-if-te-12/2)#ip address 10.10.
VLAN Scenario In another scenario, to connect to the LAN, VRF-1, VRF-2, and VRF-3 use a single physical interface with multiple tagged VLANs (instead of separate physical interfaces). In this case, you configure three VLANs: VLAN-100, VLAN-200, and VLAN-300. Each VLAN is a member of one VRF. A physical interface (gigabitethernet 0/1) attaches to the LAN and is configured as a tagged interface in VLAN-100, VLAN-200, and VLAN-300. The rest of this example is similar to the non-VLAN scenario.
S2(conf)#interface TenGigabitEthernet 12/4
S2(conf-if-te-12/4)#no ip address
S2(conf-if-te-12/4)#switchport
S2(conf-if-te-12/4)#no shutdown
!
S2(conf-if-te-12/4)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.2/24
S2(conf-if-vl-100)#tagged tengigabitethernet 12/4
S2(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-vl-100-vrid-101)#priority 255
S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.
Figure 156. VRRP for IPv6 Topology

NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255

Dell#show vrrp tengigabitethernet 2/8
TenGigabitEthernet 2/8, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed
VRF: 0 default
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe
Displaying VRRP in a VRF Configuration

To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, use the following commands.
• Display information on a VRRP group that is configured on an interface that belongs to a VRF instance.
  show running-config track [interface interface]
• Display information on VRRP groups configured on interfaces that belong to a VRF instance.
68 S5000 Debugging and Diagnostics

Topics:
• Offline Diagnostics
• Trace Logs
• Hardware Watchdog Timer
• Using the Show Hardware Commands
• Enabling Environmental Monitoring
• Buffer Tuning
• Troubleshooting Packet Loss
• Enabling Application Core Dumps
• Mini Core Dumps
• Enabling TCP Dumps

Offline Diagnostics

The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications.
Running Offline Diagnostics

To run offline diagnostics, use the following commands. For more information, refer to the examples following the steps.
1 Place the unit in the offline state.
  EXEC Privilege mode
  offline stack-unit
  You cannot enter this command on a MASTER or Standby stack unit.
  NOTE: The system reboots when the offline diagnostics complete. This is an automatic process.
Unit  UnitType    Status       ReqTyp  CurTyp  Version  Ports
-------------------------------------------------------------
 0    Management  online       S5000   S5000   9-0-1-0  64
 1    Member      not present
 2    Member      not present
 3    Member      not present
 4    Member      not present
 5    Member      not present
 6    Member      not present
 7    Member      not present
 8    Member      not present
 9    Member      not present
10    Member      not present
11    Member      not present

-- Module Info --
Unit  Module No  Status  Module Type    Ports
---------------------------------------------
 0    0          online  S5000-MOD-12X
The following shows the output of the S5000 master and member units when you run offline diagnostics on a member unit.
Trace Logs

In addition to the syslog buffer, Dell Networking OS buffers trace messages that are continuously written by various Dell Networking OS software tasks to report hardware and software events and status information. Each trace message provides the date, time, and name of the Dell Networking OS process. All messages are stored in a ring buffer. You can save the messages to a file either manually or automatically after failover.
  EXEC Privilege mode
  show hardware stack-unit {0-11} buffer unit {0-0} port {1-64 | all} buffer-info
• View the forwarding plane statistics containing the packet buffer statistics per COS per port.
  EXEC Privilege mode
  show hardware stack-unit {0-11} buffer unit {0-0} port {1-64} queue {0-14 | all} buffer-info
• View input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
Enabling Environmental Monitoring

The S5000 components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, you must enable the following command.
• Enable environmental monitoring.
When the system detects a genuine over-temperature condition, it powers off the card. To recognize this condition, look for the following system messages:

CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature high (temperature reaches or exceeds threshold of [value]C)
CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is [value]C; approaching shutdown threshold of [value]C

To view the programmed alarm threshold levels, including the shutdown value, use the show alarms threshold command.
OID String                        OID Name              Description
.1.3.6.1.4.1.6027.3.10.1.2.5.1.8  chSysPortXfpTxPower   OID displays the transmitting power of the connected optics.
.1.3.6.1.4.1.6027.3.10.1.2.5.1.7  chSysPortXfpRecvTemp  Temperature: OID displays the temperature of the connected optics.

NOTE: These OIDs are generated only if the enable optic-info-update-interval command is enabled.

Hardware MIB Buffer Statistics
.1.3.6.1.4.1.6027.3.27.1.
  CONFIGURATION mode
  buffer-profile global [1Q|4Q]
  If the default buffer profile (dynamic) is active, Dell Networking OS displays an error message instructing you to remove the default configuration using the no buffer-profile global command.

Troubleshooting Packet Loss

The show hardware stack-unit command is intended primarily to troubleshoot packet loss. To troubleshoot packet loss, use the following commands.
1 2 0 0
2 3 0 0
3 4 0 0
0 0 0 0 0 0 0 0 0
!--------------- output truncated --------------!

Example of show hardware drops interface interface

Dell#show hardware drops interface tengigabitethernet 2/1
Drops in Interface Te 2/1:
--- Ingress Drops ---
Ingress Drops
IBP CBP Full Drops
PortSTPnotFwd Drops
IPv4 L3 Discards
Policy Discards
Packets dropped by FP (L2+L3) Drops
Port bitmap zero Drops
Rx VLAN Drops
--- Ingress MAC counters ---
Ingress FCSDrops
Ingress MTUExceeds
--- MMU Drops ---
Ingress MMU Drops
HOL DRO
Dataplane Statistics
The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs. The command output in the following example has been augmented to provide detailed RX/TX packet statistics on a per-queue basis.
Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
• Enable RPM core dumps and specify the Shutdown mode.
CONFIGURATION mode
logging coredump server
To undo this command, use the no logging coredump server command.
Mini Core Dumps
Dell Networking OS supports mini core dumps on application and kernel crashes. The mini core dump applies to Master, Standby, and Member units. Application and kernel mini core dumps are always enabled. The mini core dumps contain the stack space and some other minimal information that you can use to debug a crash.
Enabling TCP Dumps
A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in the flash://TCP_DUMP_DIR/Tcpdump_/ directory and labeled tcpdump_*.pcap. There can be up to 20 Tcpdump_ directories.
69 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), Dell Networking OS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu)
MTU 9,252 bytes
RFC and I-D Compliance
Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard.
General Internet Protocols
The following table lists the Dell Networking OS support per platform for general internet protocols.
Table 102. General Internet Protocols
RFC# Full Name Dell networking OS 9.
General IPv4 Protocols
The following table lists the Dell Networking OS support per platform for general IPv4 protocols.
Table 103. General IPv4 Protocols
RFC# Full Name Dell networking OS 9.1(1.
RFC# Full Name S-Series/Z-Series
draft-ietf-idr-restart-06 Graceful Restart Mechanism for BGP √
Open Shortest Path First (OSPF)
The following table lists the Dell Networking OS support per platform for OSPF protocol.
Table 106.
RFC# Full Name Dell networking OS 9.1(1.0)
5306 Restart Signaling for IS-IS Not supported
5308 Routing IPv6 with IS-IS √
draft-ietf-isis-igp-p2p-over-lan-06 Point-to-point operation over LAN in link-state routing protocols Not supported
draft-kaplan-isis-ext-eth-02 Extended Ethernet Frame Size Support Not supported
Routing Information Protocol (RIP)
The following table lists the Dell Networking OS support per platform for RIP protocol.
Table 108.
Network Management
The following table lists the Dell Networking OS support per platform for network management protocol.
Table 110. Dell Networking OS support per platform for network management protocol
RFC# Full Name Dell networking OS 9.1(1.
RFC# Full Name Dell networking OS 9.1(1.0)
3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) √
3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) √
3434 Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) √
3580 IEEE 802.
RFC# Full Name Dell networking OS 9.1(1.0)
information. (LLDP DOT1 MIB and LLDP DOT3 MIB)
ruzin-mstp-mib-02 (Traps) Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol √
sFlow.org sFlow Version 5 √
sFlow.
https://www.force10networks.com/CSPortal20/Main/Login.aspx
Some pages of iSupport require a login. To request an iSupport account, go to:
https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.aspx
If you have forgotten or lost your account information, contact Dell TAC for assistance.
70 X.509v3
Dell Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certification
• X.509v3 support in Dell Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging
Introduction to X.509v3 certification
X.
1 An entity or organization that wants a digital certificate requests one through a CSR.
2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN).
3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the root CA signs the intermediate CA’s CSR, generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
During the initial TLS protocol negotiation, both participating parties also check whether the other’s certificate has been revoked by the CA. To do this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is either included in the presented certificate (the Intermediate CA inserts it when signing the certificate) or statically configured on the host.
Information about installing CA certificates
Dell Networking OS enables you to download and install X.
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields. Information about installing trusted certificates Dell Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to the TLS server implementations that require client authentication such as Syslog.
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic. The maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable, with a default of 1 hour.
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http://[1100::203]:6514.
Configuring OCSP behavior
You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step:
In CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Both the nonce and sign-request parameters are optional.
Verifying Server certificates
Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the server certificates against installed CA certificates.
NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IP address specified in the application.
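The following Go program is an added example, not code from this guide or from Dell Networking OS, that walks through the pieces described in this chapter end to end using only the Go standard library: the CSR workflow (key pair, CSR signed with the private key, signature checked with the embedded public key), the root/intermediate/host hierarchy, the intermediate inserting the OCSP responder URL when it signs the host certificate, and the client-side check a TLS application performs on a server certificate (chain to an installed CA certificate plus hostname match). The CA names, the host name syslog.example.net, the OCSP URL and the validity periods are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is the hypothetical three-tier hierarchy built below. All names and the
// OCSP URL are constructed placeholders, not values from any real deployment.
type PKI struct {
	Root, Inter, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// makeCSR plays the applicant: the CSR carries the DN and the public key and is
// signed with the private key. The recipient verifies that signature with the
// embedded public key (proof of possession) before issuing anything.
func makeCSR(cn string, key *ecdsa.PrivateKey) *x509.CertificateRequest {
	der := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
	csr := must(x509.ParseCertificateRequest(der))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	return csr
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// BuildPKI walks the hierarchy: the root self-signs, the root signs the
// intermediate's CSR, and the intermediate signs the host's CSR, inserting the
// OCSP responder URL that TLS peers consult during the handshake.
func BuildPKI() PKI {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interCSR := makeCSR("Example Intermediate CA", interKey)
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: interCSR.Subject,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := issue(interTmpl, root, interCSR.PublicKey, rootKey)
	leafCSR := makeCSR("syslog.example.net", leafKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: leafCSR.Subject, DNSNames: []string{"syslog.example.net"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer: []string{"http://ocsp.example.net"}, // AIA extension: where peers check revocation
	}
	return PKI{Root: root, Inter: inter, Leaf: issue(leafTmpl, inter, leafCSR.PublicKey, interKey)}
}

// VerifyServer is the client side of "Verifying Server certificates": chain the
// presented certificate to an installed CA certificate and match the hostname
// configured in the application. Passing no installedCAs shows the failure
// when the CA certificate has not been installed on the device.
func VerifyServer(leaf *x509.Certificate, installedCAs, presented []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range installedCAs {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	p := BuildPKI()
	cas, chain := []*x509.Certificate{p.Root}, []*x509.Certificate{p.Inter}
	fmt.Println("leaf issued by:", p.Leaf.Issuer.CommonName, "OCSP responder:", p.Leaf.OCSPServer)
	fmt.Println("configured host:", VerifyServer(p.Leaf, cas, chain, "syslog.example.net"))
	fmt.Println("wrong host:     ", VerifyServer(p.Leaf, cas, chain, "other.example.net"))
	fmt.Println("no CA installed:", VerifyServer(p.Leaf, nil, chain, "syslog.example.net"))
}
```

Only the root certificate is treated as an installed CA certificate; the intermediate travels with the server's presented chain, which is why a syslog server that omits its intermediate from the chain fails verification just as a server whose certificate carries the wrong hostname does. The OCSP revocation query itself is not performed here; the block only shows where the responder URL comes from.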