Dell EMC SmartFabric OS10 User Guide Release 10.5.1 09 2020 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: About this guide
Conventions
Related Documents
boot
commit
configure
Batch mode
batch
Linux shell commands
Configuration notes
Configure Precision Time Protocol
View PTP information
S4148U-ON port profiles
Configure negotiation modes on interfaces
Configure breakout mode
show system
show unit-provision
show vlan
Configure multi-hop FSB
Verify multi-hop FSB configuration
Sample Multi-hop FSB configuration
Configuration guidelines
fip-snooping fc-map
fip-snooping port-mode
FCoE commands
Configure LLDP
Example: Advertise TLVs configuration
View LLDP configuration
BFD commands
Border Gateway Protocol
Sessions and peers
Load balancing
Maximum ECMP groups and paths
ECMP commands
IPv4 routing
Configuration
Create virtual router
Group version
Multicast routing table synchronization
IGMP message synchronization
Egress mask
Spanned VLAN
show mac address-table count extended
show mac address-table count nve
show mac address-table count virtual-network
show mac address-table extended
802.1X port access control
Port security
Chapter 18: OpenFlow
OpenFlow logical switch instance
Egress ACL filters
VTY ACLs
SNMP ACLs
mac access-group
mac access-list
permit
match ip address
match ip next-hop
match ipv6 address
bandwidth
buffer-statistics-tracking
class
show control-plane statistics
show hardware deep-buffer-mode
show interface priority-flow-control
show qos interface
peer-routing-timeout
primary-priority
show running-configuration vlt
iSCSI commands
Converged network DCB example
Chapter 24: sFlow
Enable sFlow
CLI commands for RESTCONF API
rest api restconf
rest https cipher-suite
Alarm commands
Logging commands
Log into OS10 device
1 About this guide
This guide is intended for system administrators who are responsible for configuring and maintaining networks. It covers the following details:
● Installation and setup of Dell EMC SmartFabric OS10.
● Description, configuration information, and examples of features that SmartFabric OS10 supports.
● Reference information and examples on configuring protocols.
2 Change history
The following table provides an overview of the changes to this guide from a previous OS10 release to the 10.5.1 release. For more information about the new features, see the respective sections.

Table 1. New in 10.5.1.6
Revision  Date        Feature                           Description
A01       2020-09-03  TACACS as Primary Authentication  Support for TACACS as the primary authentication method.
                      MX-IOM Hardware Replacement       Procedure to replace an IOM module.

Table 2. New in 10.5.1.
Table 2. New in 10.5.1.0 (continued)
Revision  Date  Feature            Description
                AAA authorization  Support for AAA authorization
                Port security      Port security features:
                                   ● MAC learning limit
                                   ● Sticky MAC addresses
                                   ● MAC move
                PBR in VLT setup   PBR support for VLT
                Configure BFD      Support for 50 ms BFD timer
                OSPF ignore MTU    Ignore the MTU size of the OSPF peer interface
                Secure boot        Verify the authenticity and integrity of OS10 image
                Downgrade to Release 10.5.0.
3 Getting Started with Dell EMC SmartFabric OS10
Dell EMC SmartFabric OS10 is a network operating system (NOS) supporting multiple architectures and environments. The SmartFabric OS10 solution allows multi-layered disaggregation of network functionality. SmartFabric OS10 bundles industry-standard management, monitoring, and Layer 2 and Layer 3 networking stacks over CLI, SNMP, and REST interfaces. Users can choose their own third-party networking, monitoring, management, and orchestration applications.
Starting from Release 10.5.1.0, SmartFabric OS10 comes with a single partition. Both the active and standby software images are stored in this partition. OS10 installation and upgrade procedures continue to work as usual. However, after you install the 10.5.1.0 (or later) image, if you want to downgrade to the 10.5.0.0 (or earlier) image, you must back up the configuration and license files. See Downgrade to Release 10.5.0.0 or earlier releases for more information.
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-* *-* Copyright (c) 1999-2018 by Dell Inc. All Rights Reserved.
To upgrade an existing OS10 image, first download a new OS10 Enterprise Edition image from DDL.
1. Sign in to DDL using your account credentials.
2. Locate the entry for your entitlement ID and order number, and then select the product name.
3. Select the Available Downloads tab on the Product page.
4. Select the OS10 Enterprise Edition image to download, and then click Download.
5. Read the Dell End User License Agreement, and then scroll to the end of the agreement and click Yes, I agree.
6. Install the OS10 standby image using the image install file-url command in EXEC mode, where filename is the name of the image file downloaded in Step 3 with the image download command; for example:
OS10# image install image://OS10EE.bin
NOTE: OS10 has two images: A and B. One image is active, which is the current running version and used as the running software at the next system reload. The other image remains standby, used for software upgrades.
Architecture: x86_64
Up Time: 04:40:37

Restrictions on Upgrade to Release 10.5.1.0 or later version
After you install the 10.5.1.x image and before you perform a reload, the following images are available in the switch:
● Image A: 10.5.0.0 (active)
● Image B: 10.5.1.0 (standby)
During this state, you must not install 10.5.0.x or an earlier release again in the switch. Release 10.5.1.x ONIE preparation and setup is not reversible and the switch only boots using the 10.5.1.x image.
image cancel
Cancels an image or firmware file download that is in progress.
Syntax: image cancel
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: The image cancel command cancels a file download from a server, such as an OS10 binary image or firmware upgrade, that is in progress. After an image download completes, the command has no effect. The command also removes any pending firmware upgrades on the switch.
Example:
OS10# image cancel
Supported Releases: 10.2.
significant amount of disk space. Dell EMC Networking recommends that you remove unnecessary image files from the image directory by using the delete command; for example:
delete image://OS10EE-10.2.0.bin
Use the show image status command to view the download progress. When using the scp and sftp options, always enter an absolute file path instead of a path relative to the home directory of the user account; for example:
image download sftp://dellos10:password@10.1.1.1/home/dellos10/images/PKGS_OS10EE-10.
Usage Information Example Use the boot system command to set the boot image for the next reboot. OS10# show boot Current system image information: =================================== Type Boot Type Active Standby Next-Boo -----------------------------------------------------------------------------------Node-id 1 Flash Boot Example (Detail) Supported Releases [A] 10.5.0.4 [B] 10.5.1.
3.35.5.1 Success onie-updater-x86_64-dellemc_mxseries-r0 3.35.1.1 Success OS10# show image firmware Pending Firmware Upgrade(s) ==================================== # Name Date --- ------------------------------------------------------------------ --------------------- Version Past Firmware Upgrade(s) ==================================== Name Version Result --------------------------------------------------------- ---------------------------onie-firmware-x86_64-dellemc_s5200_c3538-r0.3.40.5.1-6. 3.40.5.
show version
Displays software version information.
Syntax: show version
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: None
Example:
OS10# show version
Network Operating System
OS Version: 10.5.1.0
Build Version: 10.5.1.0.123
Build Time: 2020-02-12T02:34:02+0000
System Type: Z9100-ON
Architecture: x86_64
Up Time: 04:40:37
Supported Releases: 10.2.0E or later

Check OS10 license
To check the status of the pre-installed OS10 license, use the show license status command.
Re-install license
OS10 Enterprise Edition runs with a perpetual license on a device with OS10 factory-loaded. The license file is pre-installed on the switch. If the license becomes corrupted or is deleted, you must download the license from DDL under the purchaser's account and re-install the license.
1. Sign in to DDL using your account credentials.
2. Locate the hardware product name with the entitlement ID and order number.
3.
To uninstall OS9 or a third-party OS on a Dell EMC ONIE switch, boot up the switch and watch for the ONIE boot menu to display. Immediately use the Arrow keys to scroll the asterisk and select the ONIE: Uninstall OS option to avoid the switch booting to ONIE: Install OS by default.
Installation using ONIE
CAUTION: Installing OS10 or another OS using ONIE erases all software configurations on the switch. The configuration settings are not recoverable. Back up all software configurations and installed licenses on the switch before performing OS updates or changes. Store a regular backup of the switch configuration off the switch.
If you purchase an ONIE-only switch or if you want to replace an existing OS, download an OS10 image as described in Download OS10 image.
6. Start a TFTP waterfall.
The ONIE automatic discovery process locates the stored software image, downloads and installs it, and reboots the device with the new image. Auto-discovery repeats until a successful software image installation occurs and reboots the switch.

ONIE discovery — Usage information
● All ONIE auto-discovery methods download and run only supported default file names, such as onie-installer.
1. Save the OS10 software image on an SCP/TFTP/FTP server.
2. Power up the switch and select ONIE Rescue for manual installation.
3. Stop DHCP discovery.
$ onie-discovery-stop
4. Configure the IP addresses on the Management port, where x.x.x.x represents your internal IP address. After you configure the Management port, the response is up.
$ ifconfig eth0 x.x.x.x netmask 255.255.0.0 up
5. Install the software on the device.
Change the default admin password after the first OS10 login. The system saves the new password for future logins. After you change the password through the CLI, use the write memory command to save the configuration. For example:
OS10 login: admin
Password: admin
Last login: Sat Oct 6 00:25:33 UTC 2018 on ttyS0
Linux OS10 4.9.110 #1 SMP Debian 4.9.
● tftp://hostip/filepath — Copy from a remote TFTP server.
● usb://filepath — Install from a file directory on a storage device connected to the USB storage port on the switch.
● filepath/filename — Enter the directory path where the license file is stored.
NOTE: When installing a license through a VRF instance, OS10 supports only some file transfer methods. Refer to the following table for the file transfer methods supported in the default, management, and non-default VRF instances.
Table 3.
Install license using management VRF
OS10(config)# ip vrf management
OS10(conf-vrf)# interface management
OS10(conf-vrf)# exit
OS10(config)# ip sftp vrf management
OS10(config)# exit
OS10# license install sftp://user:userpwd@10.1.1.10/0ANNX42-NOSEnterprise-License.xml
License installation success.
NOTE: While downgrading to an earlier release, OS10 removes the existing 10.5.1.0 image. This process takes about 10 minutes to 20 minutes of downtime, depending on your device.
Prerequisites
Obtain a backup of the configuration data. Ensure that you have a copy of the license files. Reapply the configuration data and license files after you reload the 10.5.0.0 or earlier image.
1. Back up the current running configuration to the startup configuration in EXEC mode.
OS Version: 10.5.0.0
Build Version: 10.5.0.270
Build Time: 2019-07-29T23:35:01+0000
System Type: S4148F-ON
Architecture: x86_64
Up Time: 1 day 00:54:13
9. Apply the saved configuration and license files, and reload the switch.
OS10# copy ftp://userid:passwd@hostip/filepath/10.5.0.0-startup.xml config://startup.xml
OS10# license install scp://user:passwd@hostip/0A900Q2-NOSEnterprise-License.xml
OS10# reload
NOTE: While reloading, if the CLI prompts to save, select no for the save option.
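Step 9 and the other copy, image download and license install examples in this guide carry the file-server password in the command line as scheme://userid:passwd@hostip/filepath. The following Python filter is an added example, not part of the Dell guide: it masks the password in ftp, scp and sftp URLs before a CLI transcript is stored in a ticket or runbook, and reports which command, user and host each credential belonged to. The sample transcript is constructed from the syntax shown on this page; the 192.0.2.x addresses and the S3cr@t:x password are made up.

```python
import re

# ftp, scp and sftp are the schemes this page shows with userid:passwd in the URL.
CRED_URL = re.compile(
    r"\b(?P<scheme>sftp|scp|ftp)://"
    r"(?P<user>[^\s/@:]+):"
    r"(?P<password>[^\s/]+)"   # greedy, so a password may itself contain '@' or ':'
    r"@(?P<host>[^\s/@]+)"     # a host has no '@': the last '@' before the path wins
)
# Limitation: a password containing a literal '/' is not recognised.
PROMPT = re.compile(r"^\s*\S+#\s*")   # "OS10#", "OS10(config)#", ...
MASK = "********"


def command_verb(command):
    """Words of an OS10 command that precede its first URL argument."""
    words = []
    for token in command.split():
        if "://" in token:
            break
        words.append(token)
    return " ".join(words)


def redact_line(line):
    """Mask URL passwords in one line; return (clean_line, findings)."""
    findings = []

    def _mask(match):
        findings.append({k: match.group(k) for k in ("scheme", "user", "host")})
        return "{scheme}://{user}:{mask}@{host}".format(
            mask=MASK, **match.groupdict())

    return CRED_URL.sub(_mask, line), findings


def redact_transcript(text):
    """Mask every URL password in a transcript and list where each one was."""
    clean_lines, report = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        clean, findings = redact_line(line)
        clean_lines.append(clean)
        verb = command_verb(PROMPT.sub("", line))
        for finding in findings:
            report.append({"line": lineno, "command": verb, **finding})
    return "\n".join(clean_lines), report


# Constructed sample transcript (not captured from a real switch).
SAMPLE = """\
OS10# image download sftp://dellos10:password@10.1.1.1/home/dellos10/images/OS10EE.bin
OS10# copy running-configuration scp://backup:S3cr@t:x@192.0.2.10/tmp/run.xml
OS10# license install scp://user:passwd@hostip/0A900Q2-NOSEnterprise-License.xml
OS10# copy tftp://192.0.2.20/startup.xml config://startup.xml
OS10# show version
"""

if __name__ == "__main__":
    redacted, report = redact_transcript(SAMPLE)
    print(redacted)
    for entry in report:
        print(entry)
```

The report deliberately omits the password itself, so it can be logged alongside the redacted transcript.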
See Zero-touch deployment.

Ansible-automated switch provisioning
Automate OS10 switch configuration using Ansible, a third-party DevOps tool. Create and execute Ansible playbooks to configure multiple devices. For more information, see Using Ansible.

Feature limitation on the Z9100-ON and S5200-ON series switches
On the Z9100-ON and S5200-ON series switches, system flow is enabled by default.
2. By default, DHCP client is enabled on the Management interface. Disable the DHCP client operations in INTERFACE mode.
no ip address dhcp
3. Configure an IPv4 or IPv6 address on the Management interface in INTERFACE mode.
ip address A.B.C.D/mask
ipv6 address A:B/prefix-length
4. Enable the Management interface in INTERFACE mode.
Enter the password in clear text. It is converted to SHA-512 format in the running configuration. A password must have at least nine characters, including alphanumeric and special characters, and at least five different characters from the password that is previously used for the same username. For example:
OS10(config)# username admin password alpha404! role sysadmin
For backward compatibility with OS10 release 10.3.1E and earlier, passwords entered in MD-5, SHA-256, and SHA-512 format are supported.
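An added example, not Dell's code: a Python pre-check that applies the password rules stated above before an automation job sends a username ... password command to a switch. The guide does not say how OS10 counts "five different characters", so the check assumes it means at least five distinct characters that do not occur in the previous password; the function name and the treatment of ASCII punctuation as "special characters" are also assumptions.

```python
import string

MIN_LENGTH = 9       # "at least nine characters"
MIN_NEW_CHARS = 5    # "at least five different characters" from the previous password


def check_os10_password(new, previous=None):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []

    if len(new) < MIN_LENGTH:
        problems.append(f"length {len(new)} is below {MIN_LENGTH}")
    if not any(ch.isalnum() for ch in new):
        problems.append("no alphanumeric character")
    # Assumption: "special characters" means ASCII punctuation.
    if not any(ch in string.punctuation for ch in new):
        problems.append("no special character")

    if previous is not None:
        # Assumption: count distinct characters of the new password that do
        # not appear anywhere in the previous one.
        fresh = set(new) - set(previous)
        if len(fresh) < MIN_NEW_CHARS:
            problems.append(
                f"only {len(fresh)} character(s) not used in the previous "
                f"password, need {MIN_NEW_CHARS}"
            )
    return problems


if __name__ == "__main__":
    # Constructed candidates; alpha404! is the example password from the guide.
    for candidate, old in [
        ("alpha404!", None),
        ("alpha404", None),
        ("alpha405!", "alpha404!"),
        ("Br1dge#Tow3r", "alpha404!"),
    ]:
        print(candidate, "->", check_os10_password(candidate, old) or "ok")
```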
4 CLI Basics
The OS10 CLI is the software interface you use to access a device running the software — from the console or through a network connection. The CLI is an OS10-specific command shell that runs on top of a Linux-based OS kernel. By leveraging industry-standard tools and utilities, the CLI provides a powerful set of commands that you can use to monitor and configure devices running OS10.
Changing the configuration mode of the current session to the Transaction-Based Configuration mode does not affect the configuration mode of other CLI sessions.
● After you explicitly enter the commit command to save changes to the candidate configuration, the session switches back to the default behavior of automatically saving the configuration changes to the running configuration.
Check device status
Use show commands to check the status of a device and monitor activities. Refer to the Related Videos section for more information.
● Enter show ? from EXEC mode to view a list of commands to monitor a device; for example:
OS10# show ?
acl-table-usage
alarms
alias
bfd
boot
candidate-configuration
class-map
clock
...
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up

Related Videos
Check Device Status

Command help
To view a list of valid commands in any CLI mode, enter ?; for example:
OS10# ?
alarm
alias
batch
boot
clear
clock
commit
configure
copy
crypto
...
Candidate configuration
When you use OS10 configuration commands in Transaction-based configuration mode, changes do not take effect immediately and are stored in the candidate configuration. The configuration changes become active only after you commit the changes using the commit command. Changes in the candidate configuration are validated and applied to the running configuration. The candidate configuration allows you to avoid introducing errors during an OS10 configuration session.
To display only interface-related configurations in the candidate configuration, use the show candidate-configuration compressed and show running-configuration compressed commands. These views display only the configuration commands for VLAN and physical interfaces.
OS10# show candidate-configuration compressed
interface breakout 1/1/1 map 40g-1x
interface breakout 1/1/2 map 40g-1x
interface breakout 1/1/3 map 40g-1x
interface breakout 1/1/4 map 40g-1x
...
Prevent configuration changes
You can prevent configuration changes that are made on the switch in sessions other than the current CLI session using the lock command. To prevent and allow configuration changes in other sessions, use the lock and unlock commands in EXEC mode. When you enter the lock command, users in other active CLI sessions cannot make configuration changes.
OS10(conf-range-po-3)# switchport trunk allowed vlan 2-5
OS10(conf-range-po-3)# exit
OS10(config)# no interface range vlan 2-4
OS10(conf-range-po-3)# % Error: Range configuration conflict - the last command was not applied. Please commit (or discard) the rest of the configuration changes and retry.
If you see the error message in bold, commit the entire configuration and then delete a subset of VLANs.
Copy running configuration to local directory or remote server
OS10# copy running-configuration {config://filepath | home://filepath | ftp://userid:passwd@hostip/filepath | scp://userid:passwd@hostip/filepath | sftp://userid:passwd@hostip/filepath | tftp://hostip/filepath}
OS10# copy running-configuration scp://root:calvin@10.11.63.120/tmp/qaz.
Restore startup file from server
OS10# copy scp://admin:admin@hostip/backup-9-28.xml config://startup.xml
OS10# reload
System configuration has been modified. Save? [yes/no]:no

Reload system image
Reboot the system manually using the reload command in EXEC mode. You are prompted to confirm the operation.
OS10# reload
System configuration has been modified.
Common OS10 commands

boot
Configures the OS10 image to use the next time the system boots up.
Syntax: boot system [active | standby]
Parameters:
● active — Reset the running image as the next boot image.
● standby — Set the standby image as the next boot image.
Default: Not configured
Command Mode: EXEC
Usage Information: Use this command to configure the OS10 image that is reloaded at boot time. Use the show boot command to verify the next boot image. The boot system command applies immediately.
Example:
OS10# configure terminal
OS10(config)#
Supported Releases: 10.2.0E or later

copy
Copies the current running configuration to the startup configuration and transfers files between an OS10 switch and a remote device.
Directory contents for folder: coredump
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------
2017-02-15T19:05:41Z   12402278      core.netconfd-pro.2017-02-15_19-05-09.gz
OS10# copy coredump://core.netconfd-pro.2017-02-15_19-05-09.gz scp://os10user:os10passwd@10.11.222.1/home/os10/core.netconfd-pro.2017-02-15_19-05-09.
● usb://filepath — (Optional) Delete from the USB file system.
Default: Not configured
Command Mode: EXEC
Usage Information: Use this command to remove a regular file, software image, or startup configuration. Removing the startup configuration restores the system to the factory default. You must reboot the switch using the reload command for the operation to take effect.
NOTE:
● Use caution when removing the startup configuration.
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml

OS10# dir severity-profile
Date (modified)        Size (bytes)  Name
---------------------  ------------  -------------
2019-03-27T15:24:06Z   46741         default.xml
2019-04-01T11:22:33Z   456           mySevProf.xml
Supported Releases: 10.2.0E or later

discard
Discards changes made to the candidate configuration file.
end
Returns to EXEC mode from any other command mode.
Syntax: end
Parameters: None
Default: Not configured
Command Mode: All
Usage Information: Use the end command to return to EXEC mode to verify currently configured settings with show commands.
Example:
OS10(config)# end
OS10#
Supported Releases: 10.2.0E or later

exit
Returns to the next higher command mode.
Supported on the MX9116n and MX5108n switches in Full-Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric Services mode starting in 10.5.0. The no version of this command resets the host name to OS10.
Example:
OS10(config)# hostname R1
R1(config)#
Supported Releases: 10.3.0E or later

license
Installs a license file from a local or remote location.
Example:
OS10# lock
Supported Releases: 10.2.0E or later

management route
Configures an IPv4/IPv6 static route the Management port uses. To configure multiple management routes, repeat the command.
Syntax: management route {ipv4-address/mask | ipv6-address/prefix-length} {forwarding-router-address | managementethernet}
Parameters:
● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in prefix-length format (/xx).
Date (modified)        Size (bytes)  Name
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml
Supported Releases: 10.2.0E or later

no
Disables or deletes commands in EXEC mode.
Syntax: no [alias | debug | support-assist-activity | terminal]
Parameters ● ● ● ●
Default: Not configured
Command Mode: EXEC
Usage Information: Use this command in EXEC mode to disable or remove a configuration. Use the no ? in CONFIGURATION mode to view available commands.
● -i interval — (Optional) Enter the interval in seconds to wait between sending each packet, the default is 1 second. ● -I interface-name or interface-ip-address — (Optional) Enter the source interface name without spaces or the interface IP address: ○ For a physical Ethernet interface, enter ethernetnode/slot/port; for example, ethernet1/1/1. ○ For a VLAN interface, enter vlanvlan-id; for example, vlan10. ○ For a Loopback interface, enter loopbackid; for example, loopback1.
64 bytes from 20.1.1.1: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 20.1.1.1: icmp_seq=2 ttl=64 time=0.081 ms
64 bytes from 20.1.1.1: icmp_seq=3 ttl=64 time=0.133 ms
64 bytes from 20.1.1.1: icmp_seq=4 ttl=64 time=0.124 ms
^C
--- 20.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.079/0.104/0.133/0.025 ms
Supported Releases 10.2.0E or later
ping6 Tests network connectivity to an IPv6 device.
● -Q tos — (Optional) Enter a maximum of 1500 bytes in decimal or hex datagrams to set the quality of service (QoS)-related bits. ● -s packetsize — (Optional) Enter the number of data bytes to send, from 1 to 65468, default 56. ● -S sndbuf — (Optional) Set the sndbuf socket. By default, the sndbuf socket buffers one packet maximum. ● -t ttl — (Optional) Enter the IPv6 time-to-live (TTL) value in seconds. ● -T timestamp option — (Optional) Set special IP timestamp options.
Example OS10# reload Proceed to reboot the system? [confirm yes/no]:y Supported Releases 10.2.0E or later show boot Displays detailed information about the boot image. Syntax show boot [detail] Parameters None Default Not configured Command Mode EXEC Usage Information The Next-Boot field displays the image that the next reload uses.
Parameters ● aaa — (Optional) Current operating AAA configuration. ● access-list — (Optional) Current operating access-list configuration. ● as-path — (Optional) Current operating as-path configuration. ● bfd — (Optional) Current operating BFD configuration. ● bgp — (Optional) Current operating BGP configuration. ● class-map — (Optional) Current operating class-map configuration.
Default Not configured Command Mode EXEC Usage Information None Example Example (compressed) OS10# show candidate-configuration ! Version 10.2.9999E ! Last configuration change at Apr 11 10:36:43 2017 ! username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/ VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH. aaa authentication local snmp-server contact http://www.dell.com/support snmp-server location "United States" logging monitor disable ip route 0.0.0.0/0 10.11.58.
! class-map type application class-iscsi Supported Releases 10.2.0E or later show environment Displays information about environmental system components, such as temperature, fan, and voltage.
---------------------------------------------------------------------------------
* 1  S4148F-ON            09H9MN  X01  TW-09H9MN-28298-713-0026  9531XC2
  1  S4148F-ON-PWR-1-AC   06FKHH  A00  CN-06FKHH-28298-6B5-03NY
  1  S4148F-ON-FANTRAY-1  0N7MH8  X01  TW-0N7MH8-28298-713-0101
  1  S4148F-ON-FANTRAY-2  0N7MH8  X01  TW-0N7MH8-28298-713-0102
  1  S4148F-ON-FANTRAY-3  0N7MH8  X01  TW-0N7MH8-28298-713-0103
  1  S4148F-ON-FANTRAY-4  0N7MH8  X01  TW-0N7MH8-28298-713-0104
Supported Releases 10.2.
2001:34::0/64 2001:68::0/64 Supported Releases ManagementEthernet 1/1 2001:34::16 Connected Active 10.2.2E or later show license status Displays license status information. Syntax show license status Parameters None Default Not configured Command Mode EXEC Usage Information Use the show license status command to verify the current license for running OS10, its duration, and the service tag assigned to the switch.
● as-path — (Optional) Current operating as-path configuration. ● bfd — (Optional) Current operating BFD configuration. ● bgp — (Optional) Current operating BGP configuration. ○ [vrf vrf-name] — Enter the VRF name. ○ [neighbor [ip-address | interface interface-type Enter the interface IP address or interface name. ● class-map — (Optional) Current operating class-map configuration. ● community-list — (Optional) Current operating community-list configuration.
● vrf — (Optional) Current operating VRF configuration. ● wred-profile — (Optional) Current operating WRED profile configuration. Default Not configured Command Mode EXEC Usage Information None Example Example (compressed) OS10# show running-configuration ! Version 10.2.9999E ! Last configuration change at Apr 11 01:25:02 2017 ! username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/ VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
! support-assist ! policy-map type application policy-iscsi ! class-map type application class-iscsi Supported Releases 10.2.0E or later show startup-configuration Displays the contents of the startup configuration file. Syntax show startup-configuration [compressed] Parameters compressed — (Optional) View a compressed version of the startup configuration file.
switchport access vlan 1 no shutdown ! interface vlan 1 no shutdown ! interface mgmt1/1/1 ip address 10.11.58.145/8 no shutdown ipv6 enable ipv6 address autoconfig ! support-assist ! policy-map type application policy-iscsi ! class-map type application class-iscsi Supported Releases 10.2.0E or later show system Displays system information. Syntax show system [brief | node-id] Parameters ● brief — View an abbreviated list of the system information. ● node-id — View the node ID number.
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up
Example (nodeid)
OS10# show system node-id 1 fanout-configured
Interface  Breakout capable  Breakout state
-----------------------------------------------------
Eth 1/1/5  No                BREAKOUT_1x1
Eth 1/1/6  No                BREAKOUT_1x1
Eth 1/1/7  No                BREAKOUT_1x1
Eth 1/1/8  No                BREAKOUT_1x1
Eth 1/1/9  No                BRE
show version Displays software version information. Syntax show version Parameters None Default Not configured Command Mode EXEC Usage Information None
Example
OS10# show version
Network Operating System
OS Version: 10.5.1.0
Build Version: 10.5.1.0.123
Build Time: 2020-02-12T02:34:02+0000
System Type: Z9100-ON
Architecture: x86_64
Up Time: 04:40:37
Supported Releases 10.2.0E or later
start Activates Transaction-Based Configuration mode for the active session.
Example
OS10# system bash
admin@OS10:~$ pwd
/config/home/admin
admin@OS10:~$ exit
OS10#
Supported Releases 10.2.0E or later
system-cli disable Disables the system command. Syntax system-cli disable Parameters None Default Enabled Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.3.0. Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command enables OS10 system command.
Default Not configured Command Mode CONFIGURATION Usage Information The system ID displays in the stack LED on the switch front panel. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
Example
OS10(config)# system identifier 1
Supported Releases 10.3.0E or later
terminal Sets the number of lines to display on the terminal and enables logging.
○ -N squeries — (Optional) Enter the number of probe packets sent out simultaneously to accelerate traceroute. The default is 16. ○ -t tos — (Optional) For IPv4, enter the type of service (ToS) and precedence values to use. 16 sets a low delay; 8 sets a high throughput. ○ -UL — (Optional) Use UDPLITE for tracerouting. The default port is 53. ○ -w waittime — (Optional) Enter the time in seconds to wait for a response to a probe. The default is 5 seconds.
Supported Releases 10.2.0E or later username password role Creates an authentication entry based on a user name and password, and assigns a role to the user. Syntax username username password password role role [priv-lvl privilege-level] Parameters ● username username—Enter a text string. A maximum of 32 alphanumeric characters; one character minimum. ● password password—Enter a text string. A maximum of 32 alphanumeric characters; nine characters minimum.
write Copies the current running configuration to the startup configuration file. Syntax write {memory} Parameters memory — Copy the current running configuration to the startup configuration. Default Not configured Command Mode EXEC Usage Information This command has the same effect as the copy running-configuration startup-configuration command. The running configuration is not saved to a local configuration file other than the startup configuration.
5 Advanced CLI tasks Command alias Provides information to create shortcuts for commonly used commands, see Command alias. Batch mode Provides information to run a batch file to execute multiple commands, see Batch mode. Linux shell commands Provides information to run commands from the Linux shell, see Linux shell commands. OS9 commands Provides information to enter configuration commands using an OS9 command syntax, see Using OS9 commands.
View alias output for goint
OS10(config)# goint 1/1/1
OS10(conf-if-eth1/1/1)#
View alias information
OS10# show alias
Name      Type
----      ----
govlt     Config
goint     Config
shconfig  Local
showint   Local
shver     Local
Number of config aliases : 2
Number of local aliases : 3
View alias information brief. Displays the first 10 characters of the alias value.
OS10# show alias brief Name Type ------govlt Config goint Config shconfig Local showint Local shver Local Value ----"vlt-domain..." "interface ..." "show runni...
● (Optional) You can enter the default values to use for the parameters defined as $n in ALIAS mode. default n input-value ● (Optional) Enter a description for the multi-line alias in ALIAS mode. description string ● Use the no form of the command to delete an alias in CONFIGURATION mode. no alias alias-name You can modify an existing multi-line alias by entering the corresponding ALIAS mode.
Number of config aliases : 1
Number of local aliases : 0
View alias information brief. Displays the first 10 characters of each line of each alias.
OS10# show alias brief
Name   Type    Value
----   ----    -----
mTest  Config  line 1 "interface ..."
               line 2 "no shutdow..."
               line 3 "show confi..."
               default 1 "ethernet"
               default 2 "1/1/1"
Number of config aliases : 1
Number of local aliases : 0
View alias detail. Displays the entire alias value.
Eth 1/1/3 up 40G A 1
Eth 1/1/4 up 40G A 1
Eth 1/1/5 up 40G A 1
Eth 1/1/6 up 40G A 1
Eth 1/1/7 up 40G A 1
Eth 1/1/8 up 40G A 1
Eth 1/1/9 up 40G A 1
Eth 1/1/10 up 40G A 1
Eth 1/1/11 up 40G A 1
Eth 1/1/12 up 40G A 1
Eth 1/1/13 up 40G A 1
Eth 1/1/14 up 40G A 1
Eth 1/1/15 up 40G A 1
Eth 1/1/16 up 40G A 1
Eth 1/1/17 up 40G A 1
Eth 1/1/18 up 40G A 1
Eth 1/1/19 up 40G A 1
Eth 1/1/20 up 40G A 1
Eth 1/1/21 up 40G A 1
Eth 1/1/22 up 40G A 1
Eth 1/1/23 up 40G A 1
Eth 1/1/24 up 40G A 1
Eth 1/1/25 up 40G A 1
Eth 1/1/26 up
default (alias) Configures default values for input parameters in a multi-line alias. Syntax default n value Parameters ● n — Enter the number of the argument, from 1 to 9. ● value — Enter the value for the input parameter. Default Not configured Command Mode ALIAS Usage Information To use special characters in the input parameter value, enclose the string in double quotation marks ("). The no version of this command removes the default value.
Usage Information The no version of this command removes the line number and the corresponding command from the multi-line alias.
Example
OS10(config)# alias mTest
OS10(config-alias-mTest)# line 1 "interface $1 $2"
OS10(config-alias-mTest)# line 2 "no shutdown"
OS10(config-alias-mTest)# line 3 "show configuration"
Supported Releases 10.4.0E(R1) or later
show alias Displays configured alias commands available in both Persistent and Non-Persistent modes.
shconfig showint shver Local Local Local default 2 "1/1/1" "show running-configuration" "show interface $*" "show version" Number of config aliases : 3 Number of local aliases : 3 Supported Releases 10.3.0E or later Batch mode To execute a sequence of multiple commands, create and run a batch file. A batch file is an unformatted text file that contains two or more commands. Store the batch file in the home directory.
● /home/filepath — Enter the username and the filepath as follows: batch /home/username/filename. ● config://filepath — Enter the filepath. Default Not configured Command Mode EXEC Usage Information Use this command to create a batch command file on a remote machine. Copy the command file to the home directory on your switch. This command executes commands in batch mode. OS10 automatically commits all commands in a batch file; you do not have to enter the commit command.
! router bgp 100 ! neighbor 100.1.1.1 remote-as 104 no shutdown admin@OS10:/opt/dell/os10/bin$ User admin logged out at session 16 ● Use the ifconfig -a command to display the interface configuration. The Linux kernel port numbers that correspond to front-panel port, port-channel, and VLAN interfaces are displayed. Port-channel interfaces are in boportchannelnumber format. VLAN interfaces are in brvlan-id format. In this example, e101-001-0 identifies port 1/1/1.
Architecture: x86_64 Up Time: 05:40:23 Using OS9 commands To enter configuration commands using an OS9 command syntax, use the feature config-os9-style command in CONFIGURATION mode and log out of the session. If you do not log out of the OS10 session, configuration changes made with OS9 command syntaxes do not take effect. After you log in again, you can enter OS9 commands, but only in the new session.
6 Dell EMC SmartFabric OS10 zero-touch deployment Zero-touch deployment (ZTD) allows OS10 users to automate switch deployment: ● Upgrade an existing OS10 image. ● Execute a CLI batch file to configure the switch. ● Execute a post-ZTD script to perform additional functions. ZTD is enabled by default when you boot up a switch with a factory-installed OS10 for the first time or when you perform an ONIE: OS Install from the ONIE boot menu.
ZTD guidelines ● You can store the ZTD provisioning script, OS10 image, CLI batch file, and post-ZTD script on the same server, including the DHCP server. ● Write the ZTD provisioning script in bash. ● Write the post-ZTD script in bash or Python. Enter #!/bin/bash or #!/usr/bin/python as the first line in the script. The default python interpreter in OS10 is 2.7. Use only common Linux commands, such as curl, and common Python language constructs.
ZTD DHCP server configuration
For ZTD operation, configure a DHCP server in the network by adding the required ZTD options; for example:
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
option ztd-provision-url code 240 = text;
default-lease-time 600;
max-lease-time 7200;
subnet 50.0.0.0 netmask 255.255.0.0 {
range 50.0.0.10 50.0.0.254;
option routers rtr-239-0-1.example.org, rtr-239-0-2.example.
POST_SCRIPT_FILE="http://50.0.0.1/no_post_script.py"
################### DO NOT MODIFY THE LINES BELOW #######################
sudo os10_ztd_start.sh "$IMG_FILE" "$CLI_CONFIG_FILE" "$POST_SCRIPT_FILE"
######################## **END** ###############################
ZTD CLI batch file
Create a CLI batch file that ZTD downloads and executes to configure a switch. The ZTD CLI batch file consists of two sections: PRE-CONFIG and POST-CONFIG.
Post-ZTD script As a general guideline, use a post-ZTD script to perform any additional functions required to configure and operate the switch. In the ZTD provisioning script, specify the post-ZTD script path for the POST_SCRIPT_FILE variable. You can use a script to notify an orchestration server that the ZTD configuration is complete. The server can then configure additional settings on the switch.
19:31:57 2018
-----------------------------------
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : failed
Protocol State : idle
Reason : ZTD process failed to download post script file
-----------------------------------
● ZTD Status — Current operational status: enabled or disabled.
● ZTD State — Current ZTD state: initialized, in-progress, successfully completed, failed, or canceled while in progress.
7 Dell EMC SmartFabric OS10 provisioning OS10 supports automated switch provisioning — configuration and monitoring — using: ● RESTCONF API — REST-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches with JavaScript Object Notation (JSON)-structured messages. You can use any programming language to create and send JSON messages; see RESTCONF API.
Ansible playbooks use /etc/ansible/hosts as the default inventory file. To specify a different inventory file, use the -i filepath command as an option when you run an Ansible playbook. Ansible playbook file Using playbooks, Ansible can configure multiple devices. Playbooks are human-readable scripts that are expressed in YAML format. An Ansible playbook takes inventory and playbook files as arguments and maps the group of hosts in the inventory files to the tasks listed in the playbook file.
2. Download and install Dell EMC Networking Ansible roles from the Ansible Galaxy web page; for example:
$ ansible-galaxy install dell-networking.dellos-users
$ ansible-galaxy install dell-networking.dellos-logging
$ ansible-galaxy install dell-networking.dellos-ntp
3. Create a directory to store inventory and playbook files; for example:
$ mkdir AnsibleOS10
4. Navigate to the directory and create an inventory file.
$ cd AnsibleOS10/
$ vim inventory.yaml
5.
role: sysadmin privilege: 0 state: present dellos_ntp: server: - ip: 3.3.3.3 The dellos_cfg_generate parameter creates a local copy of the configuration commands applied to the remote switch on the Ansible controller node, and saves the commands in the directory defined in the build_dir path. 8. Create a playbook file. $ vim playbook.yaml - hosts: OS10switch-1 OS10switch-2 connection: network_cli roles: - dell-networking.dellos-logging - dell-networking.dellos-users - dell-networking.
8 System management
System banners Provides information to configure a system login and message of the day (MOTD) text banners, see System banners. User session management Provides information to manage the active user sessions, see User session management. Telnet server Provides information to set up Telnet TCP/IP connections on the switch, see Telnet server. To set up secure, encrypted Secure Shell (SSH) connections to the switch, see SSH server.
DellEMC S4148U-ON login Enter your username and password % To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command. Message of the day banner Configure a message of the day (MOTD) banner that displays after you log in. Enter any single delimiter character to start and end the MOTD banner.
Usage Information Example Supported Releases ● To enter a multiline banner text, use the interactive mode. Enter the command with the delimiter character and press Enter. Then enter each line and press Enter. Complete the banner configuration by entering a line that contains only the delimiter character. ● To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command.
Clear user session
OS10# kill-session 3
View active user sessions
OS10# show sessions
Current session's operation mode: Non-transaction
Session-ID  User       In-rpcs  In-bad-rpcs  Out-rpc-err  Out-notify  Login-time            Lock
------------------------------------------------------------------------------------------
3           snmp_user  114      0            0            0           2017-07-10T23:58:39Z
4           snmp_user  57       0            0            0           2017-07-10T23:58:40Z
6           admin      17       0            0            4           2017-07-12T03:55:18Z
*7          admin      10       0            0            0           2017-07-12T04:42:55Z
OS10#
The asterisk (*) in the Session-ID column in
show sessions Displays the active management sessions. Syntax show sessions Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to view information about the active user management sessions.
Telnet commands ip telnet server enable Enables Telnet TCP/IP connections to an OS10 switch. Syntax ip telnet server enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information By default, the Telnet server is disabled. When you enable the Telnet server, use the IP address configured on the management or any front-panel port to connect to an OS10 switch. After you reload the switch, the Telnet server configuration is maintained.
OS10 supports standard and private SNMP MIBs, including all get requests. MIBs are hierarchically structured and use object identifiers to access managed objects. For a list of MIBs supported in the OS10 version running on a switch, see the OS10 Release Notes for the release. OS10 supports different security models and levels in SNMP communication between SNMP managers and agents. Each security model refers to an SNMP version used in SNMP messages.
Table 4. Standards MIBs (continued)
Module             Standard
IP-MIB             RFC 4293
LLDP-EXT-DOT1-MIB  IEEE 802.1AB
LLDP-EXT-DOT3-MIB  IEEE 802.1AB
LLDP-MIB           IEEE 802.1AB
OSPF-MIB           RFC 4750
OSPFV3-MIB         RFC 5643
Q-BRIDGE-MIB       IEEE 802.
SNMP engine ID An engine ID identifies the SNMP entity that serves as the local agent on the switch. The engine ID is a number written as colon-separated octets; for example, 00:00:17:8B:02:00:00:01. When you configure an SNMPv3 user, you can specify that a localized authentication and/or privacy key be generated. The localized password keys are generated using the engine ID of the switch. A localized key is more complex and provides greater privacy protection.
NOTE: Create a remote engine ID with the snmp-server engineID command before you configure a remote user with the snmp-server user command. If you change the configured engine ID for a remote device, you must reconfigure the authentication and privacy passwords for all remote users associated with the remote engine ID.
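The dependency between localized keys and the engine ID can be reproduced with the standard SNMPv3 USM password-to-key algorithm from RFC 3414. The Python code below is an added example, not Dell EMC code; it assumes OS10 follows RFC 3414 for MD5 and SHA-1 keys, and the sample password and the second engine ID are constructed values.

```python
import hashlib

EXPANDED_LEN = 1048576  # RFC 3414 A.2 hashes 1 MiB of the repeated password


def parse_engine_id(text):
    """Convert the colon-separated form (00:00:17:8B:...) into raw octets."""
    octets = bytes(int(part, 16) for part in text.split(":"))
    if not 5 <= len(octets) <= 32:  # SnmpEngineID size limits (RFC 3411)
        raise ValueError("engine ID must be 5 to 32 octets")
    return octets


def password_to_key(password, hash_name):
    """Derive the user key Ku; it does not depend on any engine ID."""
    secret = password.encode()
    if not secret:
        raise ValueError("password must not be empty")
    # Hash the first 1 MiB of the password repeated end to end.
    reps, rest = divmod(EXPANDED_LEN, len(secret))
    return hashlib.new(hash_name, secret * reps + secret[:rest]).digest()


def localize_key(user_key, engine_id, hash_name):
    """Bind Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, user_key + engine_id + user_key).digest()


def localized_key_hex(password, engine_id_text, hash_name="md5"):
    """Return the localized key for a password and engine ID as hex."""
    engine_id = parse_engine_id(engine_id_text)
    user_key = password_to_key(password, hash_name)
    return localize_key(user_key, engine_id, hash_name).hex()


if __name__ == "__main__":
    password = "authpassword"              # constructed sample password
    original = "00:00:17:8B:02:00:00:01"   # engine ID example from this guide
    changed = "00:00:17:8B:02:00:00:02"    # constructed: engine ID after a change
    for engine in (original, changed):
        # Same password, different engine ID: the stored key no longer matches.
        print(engine, localized_key_hex(password, engine, "sha1"))
```

Because the engine ID is hashed into the key, a localized key stored for one engine ID cannot authenticate against another, which is why changing a remote engine ID requires re-entering the passwords for its users.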
To configure a view of the MIB tree on the SNMP agent, use the snmp-server view command. To configure an SNMPv3 user's authentication and privacy settings, use the snmp-server user command. To display the configured SNMP groups, use the show snmp group command.
OS10(config)# snmp-server user n3user ngroup remote 172.31.1.
snmp-server host {ipv4-address | ipv6-address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp]
Configure SNMP v1 or v2C traps
OS10(config)# snmp-server host 10.11.73.
show snmp engineID Displays the SNMP engine ID on the switch or on remote devices that access the SNMP agent on the switch. Syntax show snmp engineID {local | remote} Parameters ● local — Display the local engine ID. ● remote — Display the SNMP engine ID of remote devices configured on the switch. Defaults None Command Mode EXEC Usage Information To configure the local engine ID or the engine ID for a remote device, use the snmp-server engineID command.
Command Mode EXEC Usage Information To configure an SNMP user, use the snmp-server user command.
Example
OS10# show snmp user
User name               : privuser
Group                   : v3group
Version                 : 3
Authentication Protocol : MD5
Privacy Protocol        : AES
Supported Releases 10.4.2.0 or later
show snmp view Displays the SNMP views configured on the switch, including the SNMP object ID at which the view starts.
● You can only apply permit ACL rules to an SNMP community. deny ACL rules do not take effect if you apply them. ● To permit SNMP requests for multiple hosts, apply individual permit ACL rules for hosts or prefixes. The no version of the command removes the configured community text string.
Example
OS10(config)# snmp-server community admin rw
OS10(config)# snmp-server community public ro acl snmp-read-only-acl
Supported Releases 10.2.
Defaults Not configured Command Mode CONFIGURATION Usage Information If you do not enter a notification-type or notification-option parameter with the command, all traps are enabled. If you enter only a notification-type, all notification-option traps associated with the type are enabled. To enable specific SNMP trap types, re-enter the command multiple times with different notification types and options. To configure a host to receive SNMP notifications, use the snmp-server host command.
OS10(config)# snmp-server engineID remote 1.1.1.2 udp-port 432 0xabeecc
Supported Releases 10.4.2.0 or later
snmp-server group Configures the views allowed for the users in an SNMP group. Syntax snmp-server group group-name {v1 | v2c | v3 security-level} [access acl-name] [read view-name] [write view-name] [notify view-name] Parameters ● group-name — Enter the name of the group. A maximum of 32 alphanumeric characters. ● v1 — SNMPv1 provides no user authentication or privacy protection.
snmp-server host Configures a host to receive SNMP notifications. Syntax snmp-server host {ipv4-address | ipv6-address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp] Parameters ● ipv4-address | ipv6-address — Enter the IPv4 or IPv6 address of the SNMP host. ● informs — Send inform messages to the SNMP host. ● traps — Send trap messages to the SNMP host.
Example — Send SNMP notifications to host
OS10(config)# snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp
Supported Releases 10.2.0E or later
snmp-server location Configures the location of the SNMP server. Syntax snmp-server location text Parameters text — Enter an alphanumeric string. A maximum of 55 characters. Default None Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
● localized — (SNMPv3 only) Generate an SNMPv3 authentication and/or privacy key in localized key format. ● access acl-name — (Optional) Enter the name of an IPv4 or IPv6 access list to filter SNMP requests on the switch. A maximum of 16 characters. ● remote ip-address/prefix-length udp-port port-number — (Optional) Enter the IPv4 or IPv6 address of the user's remote device and the UDP port number used to connect to the SNMP agent on the switch, from 0 to 65535. The default is 162.
Usage Information The oid-tree value specifies the OID in the MIB tree hierarchy at which a view starts. Enter included or excluded to include or exclude the remaining part of the MIB sub-tree contents in the view. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.2.0. Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of the command removes an SNMPv3 view. Example Supported Releases OS10(config)# snmp-server view readview 1.3.6.
OS10(config)# do show snmp view
view name : readview
OID       : 1.3.6.1.2.1.2.2
included  : True
view name : snview
OID       : .1
excluded  : True
System clock
OS10 uses the Network Time Protocol (NTP) to synchronize the system clock with a time-serving host. When you enable NTP, it overwrites the system time. If you do not use NTP, set the system time and time zone after you disable NTP. Use the clock set command to set the current system time and date.
Set time and date OS10# clock set 13:00:00 2018-08-30 View system time and date OS10# show clock 2018-08-30T13:01:01.45+00:00 Set time zone OS10(config)# clock timezone standard-timezone Brazil/West View time zone configured OS10# show clock timezone Brazil/West (-04, -0400) In this example, -04:00 is the negative offset from UTC for Brazil/West. Time zones and UTC offset reference This section lists the different time zones and corresponding UTC offset. Table 7.
Table 7. Time zones and UTC offset (continued)
Continent/Country  City  UTC offset
Eastern         −05:00
East-Indiana    −05:00
Hawaii          −10:00
Indiana-Starke  −06:00
Michigan        −05:00
Mountain        −07:00
Pacific         −08:00
Pacific-New     −08:00
Samoa           −11:00
UTC             +00:00
WET             +00:00
W-SU            +03:00
Zulu            +00:00
System Clock commands
clock set Sets the system time.
Parameters ● standard-timezone-name — Enter the standard time zone name that is supported in Linux. To view a list of supported standard time zone names, see the Time zones and UTC offset reference section. ● timezone-string — Enter the name of the time zone. ● hours — Enter the hour offset from UTC, ranging from -23 to 23. ● minutes — Enter the minute offset from UTC, ranging from 0 to 59.
Example
OS10# show clock timezone
Brazil/West (-04, -0400)
Supported Releases 10.5.0 or later
Network Time Protocol
Network Time Protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol coordinates time distribution in a large, diverse network. NTP clients synchronize with NTP servers that provide accurate time measurement.
● Enter the IP address of the NTP server where the system synchronizes in CONFIGURATION mode. ntp server ip-address
View system clock state
OS10(config)# do show ntp status
system peer: 0.0.0.0
system peer mode: unspec
leap indicator: 11
stratum: 16
precision: -22
root distance: 0.00000 s
root dispersion: 1.28647 s
reference ID: [73.78.73.84]
reference time: 00000000.00000000 Mon, Jan
system flags: monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.
● Configure a source IP address for NTP packets in CONFIGURATION mode. ntp source interface ○ ethernet node/slot/port[:subport]—Enter the Ethernet interface information. ○ port-channel channel-id—Enter the port-channel ID, from 1 to 128. ○ vlan vlan-id—Enter the VLAN ID number, from 1 to 4093. ○ loopback id—Enter the Loopback interface ID number, from 0 to 16383. ○ mgmt node/slot/port—Enter the physical port interface for the Management interface. The default is 1/1/1.
Configure NTP
OS10(config)# ntp authenticate
OS10(config)# ntp trusted-key 345
OS10(config)# ntp authentication-key 345 md5 0 5A60910FED211F02
OS10(config)# ntp server 1.1.1.1 key 345
OS10(config)# ntp master 7
View NTP configuration
OS10(config)# do show running-configuration
!
ntp authenticate
ntp authentication-key 345 md5 0 5A60910FED211F02
ntp server 1.1.1.1 key 345
ntp trusted-key 345
ntp master 7
...
Sample NTP configuration
The following example shows an NTP master (11.0.0.2), server (10.0.0.
b. Configure the NTP master IP address on the NTP server. (In the example, NTP master 11.0.0.2, is reachable only through VRF Red.) OS10(config)# ntp server 11.0.0.2 OS10(config)# do show running-configuration ntp ntp server 11.0.0.2 OS10(config)# c. Configure NTP in the VRF Red instance.
ntp master 8 OS10(config)# c. Configure NTP in the VRF Red instance. OS10(config)# ntp enable vrf red “% Warning: NTP server/client will be disabled in default VRF and enabled on a red VRF” Do you wish to continue? (y/n): y OS10(config)# do show running-configuration ntp ntp master 8 ntp enable vrf red OS10(config)# 4. Verify that the NTP client (10.0.0.2) is connected to the NTP server (10.0.0.1) running in VRF Red.
symm. auth. delay: OS10(config)# 0.000 NTP commands ntp authenticate Enables authentication of NTP traffic between the device and the NTP time serving hosts. Syntax ntp authenticate Parameters None Default Not configured Command Mode CONFIGURATION Usage Information Configure an authentication key for NTP traffic using the ntp authentication-key command. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
ntp broadcast client Configures all active interfaces to receive NTP broadcasts from an NTP server. Syntax ntp broadcast client Parameters None Default Not configured Command Mode GLOBAL CONFIGURATION Usage Information The no version of this command disables NTP broadcasts.
Example
OS10(config)# ntp broadcast client
Supported Releases 10.2.0E or later
ntp disable By default, NTP is enabled on all interfaces. Disable NTP to prevent an interface from receiving NTP packets.
ntp master
Configures an NTP Master Server.
Syntax ntp master stratum
Parameters stratum—Enter the stratum number to identify the NTP server hierarchy, from 2 to 10.
Default 8
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command resets the value to the default.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the configuration.
Example OS10(config)# ntp source ethernet 1/1/24
Supported Releases 10.2.0E or later
ntp trusted-key
Sets a key to authenticate the system with which NTP synchronizes.
Syntax ntp trusted-key number
Parameters number—Enter the trusted key ID, from 1 to 4294967295.
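The ntp authenticate, ntp authentication-key, ntp trusted-key, and ntp server ... key commands only protect time synchronization when they reference the same key ID. The following script is an added example, not part of the Dell EMC guide or OS10 itself; it cross-checks those lines in a saved running-configuration. The function name audit_ntp, the finding texts, and the second sample configuration are constructed for illustration; the first sample is the configuration shown earlier in this chapter.

```python
import re

KEY_ID_RANGE = range(1, 4294967296)   # trusted key ID range stated in this guide

# Configuration shown in "View NTP configuration" in this chapter.
PAGE_CONFIG = """\
ntp authenticate
ntp authentication-key 345 md5 0 5A60910FED211F02
ntp server 1.1.1.1 key 345
ntp trusted-key 345
ntp master 7
"""

# Constructed sample with inconsistent key references (placeholder key string).
WEAK_CONFIG = """\
ntp authentication-key 345 md5 0 CONSTRUCTED-PLACEHOLDER-KEY
ntp server 1.1.1.1 key 345
ntp server 11.0.0.2
ntp trusted-key 346
"""


def audit_ntp(running_config):
    """Cross-check the ntp lines of an OS10 running-configuration.

    Returns a list of findings; an empty list means every configured server
    is bound to a key that is both defined and trusted, and that
    authentication is switched on.
    """
    authenticate = False
    defined, trusted, servers = set(), set(), []
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
        elif m := re.match(r"ntp authentication-key (\d+)\s+\S+", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(int(m.group(1)))
        elif m := re.match(r"ntp server (\S+)(.*)$", line):
            key = re.search(r"\bkey (\d+)\b", m.group(2))
            servers.append((m.group(1), int(key.group(1)) if key else None))

    findings = []
    if servers and not authenticate:
        findings.append("'ntp authenticate' is missing: NTP traffic is not authenticated")
    for address, key in servers:
        if key is None:
            findings.append(f"server {address} has no key")
            continue
        if key not in defined:
            findings.append(f"server {address} uses key {key}, which has no 'ntp authentication-key' line")
        if key not in trusted:
            findings.append(f"server {address} uses key {key}, which is not an 'ntp trusted-key'")
    for key in sorted(trusted - defined):
        findings.append(f"trusted-key {key} has no 'ntp authentication-key' line")
    for key in sorted(defined | trusted):
        if key not in KEY_ID_RANGE:
            findings.append(f"key ID {key} is outside 1-4294967295")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("constructed weak config", WEAK_CONFIG)):
        print(name)
        for finding in audit_ntp(cfg) or ["no findings"]:
            print("  -", finding)
```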
● poll—Polling interval in seconds. ● reach—Reachability to the peer in octal bitstream. ● delay—Time interval or delay for a packet to complete a round-trip to the NTP time source in milliseconds. ● offset—Relative time of the NTP peer clock to the network device clock in milliseconds. ● disp—Dispersion. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
leap indicator: 00
stratum: 4
precision: -23
root distance: 0.00027 s
root dispersion: 0.94948 s
reference ID: [1.1.1.2]
reference time: ddc78084.f17ea38b Tue, Nov 28 2017 6:28:20.943
system flags: ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
OS10#
OS10# show ntp status vrf red
associd=0 status=0618 leap_none, sync_ntp, 1 event, no_sys_peer, system peer: 11.0.0.
Best master clock algorithm PTP uses the best master clock algorithm (BMCA) to compare clocks in a network. BMCA determines the status of ports in the network: ● Master—A clock that provides time to other clocks in the network. ● Slave—A clock that receives time from other clocks in the network. ● Passive—A port that is not a master or slave. This algorithm determines if the newly discovered foreign clock is better than the local clock.
○ Pdelay_Resp—Link node B sends a Pdelay_Resp message to measure peer-to-peer delay. ● General messages: Do not require accurate timestamps. ○ Follow_Up—In a two-step clock, the master sends a Follow_Up message after sending the Sync message. ○ Delay_Resp—Master sends a Delay_Resp message to measure the end-to-end delay. ○ Pdelay_Resp_FollowUp—Link node B sends a Pdelay_Resp_FollowUp message to measure peer-to-peer delay. ○ Announce—Master sends an Announce message to establish a synchronization hierarchy.
● G.8275.1 profile Supported transport methods OS10 supports the following PTP transport methods: ● Layer2 (Ethernet) ● IPv4 (Unicast and multicast) ● IPv6 (Unicast and multicast) For the multicast transport method, as defined in the IEEE 1588 standard, PTP uses 224.0.1.129 as the multicast destination IPv4 address. PTP uses FF0X:0:0:0:0:0:0:181 as the multicast destination IPv6 address. NOTE: OS10 supports IPv6 multicast only between two directly-connected IPv6 PTP nodes.
● System time settings: When you enable PTP as the system time source, PTP sets the system time. When you enable PTP on a system, the system cannot act as an NTP client, but can act as an NTP server. The following table describes the system clock behavior depending on whether you choose PTP or NTP as the system time source: Table 9. System clock behavior System time settings/time source System clock behavior When PTP is the system time source: ○ You cannot configure the system as an NTP client.
Configure the PTP clock type on the switch and optionally specify a profile for the clock. OS10 supports the following clock types: boundary and end-to-end transparent. OS10 supports the system default profile and ITU G.8275.1 profile. The profile defines the set of parameters, allowed values of parameters, and default value of parameters.
While measuring the time delay between the master and slave nodes, PTP takes into account the communication delay. This delay is measured using a delay request message from the slave and a delay response message from the master. To configure PTP delay mechanism: OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp delay-mechanism end-to-end Configure the PTP transport Supported PTP transport methods include Layer2 (ethernet), IPv4 (unicast and multicast), and IPv6 (unicast and multicast).
You can configure the time interval in units of log2 seconds between two successive announce messages.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ptp announce interval 1
Configure the PTP synchronization message interval
You can configure the time interval in units of log2 seconds between two successive synchronization messages.
Offset From Master(ns) : 6
Number of Ports : 2
View the PTP local parent and grandmaster clock
OS10# show ptp parent
Parent Clock Idenitity : 00:16:00:ff:fe:00:02:00
Parent Port Number : 1
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
View time scale information
OS10# show ptp time-properties
Current UTC Offset Valid : False
Current UTC Offset : 0
Delay request messages received Delay response messages transmitted Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Signaling messages received Interface : Ethernet1/1/23 Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow up messages transmitted Follow up m
Example: Configure boundary clock with IPv4 multicast transport method You must connect the grandmaster clock to one of the interfaces. In this example, interface 1 is connected to the grandmaster clock. Configure a boundary clock with two PTP interfaces using IPv4 multicast transport. The interface that is connected to the grandmaster clock or the best master clock becomes the slave device. The other interface becomes the master device.
OS10(conf-ethernet1/1/1-ptp-ipv4-slave)# master 10.10.10.2
OS10(conf-ethernet1/1/1-ptp-ipv4-slave)# exit
OS10(conf-if-eth1/1/1)# ptp enable
3. Enable PTP on interface 2 with IPv4 unicast transport mode. For both L2 and L3 interfaces, the configured source IP address is used as the source IP address for unicast transport from the master device to the slave device.
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# ip address 30.30.30.
Example: Configure boundary clock with IPv4 unicast transport method and L3 VLAN
Ensure that the interface connected to the grandmaster clock is configured as a slave device with a list of master clock IP addresses. Configure the other interface as a master clock with a list of slave device IP addresses. Both the interfaces are only reachable through the L3 VLAN. In this example:
● Interface 1 that is part of VLAN 100 is connected to the grandmaster clock.
● The unicast IP traffic flows through PTP-enabled interface, interface 2. The system applies hardware time stamps on PTP packets. OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# ip address 20.20.20.1/24 OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# switchport access vlan 200 OS10(conf-if-eth1/1/2)# ptp transport ipv4 unicast master OS10(conf-ethernet1/1/2-ptp-ipv4-master)# source 20.20.20.1 OS10(conf-ethernet1/1/2-ptp-ipv4-master)# slave 20.20.20.
CR1 switch
1. Configure PTP globally.
CR1(config)# ptp clock boundary
CR1(config)# ptp local-priority 127
CR1(config)# ptp source ipv4 10.0.0.5
CR1(config)# ptp source ipv6 10:0:0::6
CR1(config)# ptp system-time enable
2. Configure PTP on the interfaces.
CR1(conf-if-eth1/1/3:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/9:1 CR1(conf-if-eth1/1/9:1)# ptp enable CR1(conf-if-eth1/1/9:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/16:1 CR1(conf-if-eth1/1/16:1)# ptp enable CR1(conf-if-eth1/1/16:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/17:1 CR1(conf-if-eth1/1/17:1)# ptp enable CR1(conf-if-eth1/1/17:1)# ptp transport ipv4 multicast CR1(config)# interface ethernet 1/1/25:1 CR1(conf-if-eth1/1/25
CR2(conf-ethernet1/1/28:2-ptp-ipv4-slave)# master 2001:200:1:1::99
CR2(conf-ethernet1/1/28:2-ptp-ipv4-slave)# source 2001:200:1:1::5
AG1 switch
1. Configure PTP globally.
AG1(config)# ptp clock boundary
AG1(config)# ptp source ipv4 10.0.0.1
AG1(config)# ptp source ipv6 10:0:0::1
AG1(config)# ptp system-time enable
2. Configure PTP on the interfaces.
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2024
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2025
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2026
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::2027
AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# source 2001:101:2::1
AG1(config)# interface ethernet 1/1/17:1
AG1(conf-if-eth1/1/17:1)# ptp enable
AG1(conf-if-eth1/1/17:1)# ptp transport ipv4 multicast
AG1(config)# interface ethernet 1/1/19:4
AG1(conf
AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# AG2(conf-ethernet1/1/9:1-ptp-ipv4-maste
TR1(conf-if-eth1/1/39)# ptp transport ipv4 multicast
TR1(config)# interface ethernet 1/1/46
TR1(conf-if-eth1/1/46)# ptp enable
TR1(conf-if-eth1/1/46)# ptp transport ipv4 multicast
AG3 switch
1. Configure PTP globally.
AG3(config)# ptp clock boundary
AG3(config)# ptp source ipv4 10.0.0.3
AG3(config)# ptp source ipv6 10:0:0::3
AG3(config)# ptp system-time enable
2. Configure PTP on the interfaces.
TR2(conf-if-eth1/1/1:1)# ptp transport ipv4 multicast TR2(config)# interface ethernet 1/1/25:1 TR2(conf-if-eth1/1/25:1)# ptp enable TR2(conf-if-eth1/1/25:1)# ptp transport ipv4 multicast PTP commands clear ptp counters Resets the statistics of the PTP packets that are received at or transmitted from an interface. Syntax clear ptp counters [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
Supported Releases 10.5.1.0 or later master Configures master clocks for the PTP slave devices. Syntax master ip-address Parameters ip-address—Specifies the IP addresses of the master clock devices. Defaults None for IP address; unicast negotiation disabled Command Mode INTERFACE CONFIGURATION - SLAVE submode Security and Access Netadmin and sysadmin Usage Information You can configure a maximum of eight master clock devices.
ptp clock Configures the PTP clock type on the switch and specifies the profile for the clock. Syntax ptp clock {boundary | end-to-end-transparent} [profile {g8275.1 | systemdefault}] Parameters ● ● ● ● Defaults System default profile, when PTP clock is configured. Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information Enables the PTP clock and configures the clock type and profile on the switch. The clock identity is an array of 8 bytes.
Parameters log2-seconds—Configures the logarithmic time interval in seconds between successive delay request messages. For the system default profile, enter a value from -7 to 5 (1/128 s to 32 s). For the ITU G.8275.1 profile, enter a value from -7 to 4 (1/128 s to 16 s). Defaults -4 Command Mode INTERFACE CONFIGURATION Security and Access Netadmin and sysadmin Usage Information This configuration is applicable only with end-to-end delay mechanism.
on either the port channel interface or the port channel member interfaces, but not both. The no form of this command removes the configuration.
Example OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ptp enable
Supported Releases 10.5.1.0 or later
ptp local-priority
Configures the local priority for the PTP clock.
Syntax ptp local-priority priority-number
Parameters priority-number—Enter a value from 1 to 255.
ptp priority2 Configures the priority2 attribute for advertising PTP clock. Syntax ptp priority2 priority-number Parameters priority-number—Priority2 has the fifth precedence among the six attributes that are used in the selection of the master clock. Enter a value from 0 to 255. Defaults 128 Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The lower the value of this attribute, the higher is the priority.
Security and Access Netadmin and sysadmin Usage Information Supports both IPv4 and IPv6 addresses. The version of the source IP address (IPv4 or IPv6) depends on the transport mode that you configured using the ptp transport command. The IPv4 or IPv6 address that you specify must correspond to a configured L3 interface (physical, Loopback, VLAN, or port channel) and the interface must be operationally up. The no form of this command removes the configuration. Example OS10(config)# ptp source ipv4 10.
Supported Releases 10.5.1.0 or later
ptp transport
Configures the PTP transport method for an interface.
Syntax ptp transport {ipv4 {multicast | unicast {master [negotiation-enable] | slave [negotiation-enable]}} | ipv6 {multicast | unicast {master [negotiation-enable] | slave [negotiation-enable]}} | layer2 [address {forwardable | non-forwardable}]}
Parameters
● ipv4 multicast—Enables IPv4 multicast as the transport method.
● ipv4 unicast master—Enables IPv4 unicast master mode.
Example OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ptp transport ipv4 unicast master
Supported Releases 10.5.1.0 or later
ptp vlan
Configures a VLAN for the PTP-enabled interface.
Syntax ptp vlan vlan-id
Parameters vlan-id—Specifies VLAN for the PTP interface.
Defaults None
Command Mode INTERFACE CONFIGURATION
Security and Access Netadmin and sysadmin
Usage Information You can configure only one PTP VLAN per interface.
Number of Ports : 2
----------------------------------------------------------------------------
Interface        State    Port Identity
----------------------------------------------------------------------------
Ethernet1/1/22   Slave    68:4f:64:ff:ff:01:db:ec:1
Ethernet1/1/23   Master   68:4f:64:ff:ff:01:db:ec:2
----------------------------------------------------------------------------
Number of slave ports :1
Number of master ports :1
Example End-to-end transparent clock Supported Releases OS10# show ptp PTP Clock : Delay M
show ptp counters Displays the count of the PTP packets received at or transmitted from an interface. Syntax show ptp counters [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port—Enter the Ethernet interface information. ● port-channel port-channel-id—Enter the port channel interface number.
show ptp foreign-masters
Displays PTP information about foreign masters.
Syntax show ptp foreign-masters [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}]
Parameters
● ethernet node/slot/port—Enter the Ethernet interface information.
● port-channel port-channel-id—Enter the port channel interface number.
Defaults None
Command Mode EXEC
Security and Access Netadmin and sysadmin
Usage Information The maximum number of foreign master data set entries is 10.
Port State : Master
Vlan :
Transport : Ipv4-multicast
Log Delay Request Minimum interval : -4
Log Announce Interval : 1
Announce Receipt Timeout Multiplier : 3
Log Sync Interval : -4
Delay Mechanism : End-to-end
Supported Releases 10.5.1.0 or later
show ptp parent
Displays information about the local PTP parent and grandmaster clock.
Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow up messages transmitted Follow up messages received Delay request messages transmitted Delay request messages received Delay response messages transmitted Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Sig
show ptp time-properties Displays information about the time scale. Syntax show ptp time-properties Parameters None Defaults None Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information This command is not applicable for transparent clocks.
Defaults None Command Mode ● INTERFACE CONFIGURATION - MASTER submode ● INTERFACE CONFIGURATION - SLAVE submode Security and Access Netadmin and sysadmin Usage Information This command is applicable for unicast transport mode. This configuration is required for an L2 interface. For an L3 interface, if you do not configure the source IP address, the system uses the interface IP address as the source IP address for the PTP packets. The no form of this command removes the configuration.
● DHCP client on management interface—DHCP client is enabled by default on the management interface. The management interface automatically tries to obtain an IP address from a DHCP server. To manually configure an IP address on the management port, disable the DHCP client using the no ip address dhcp command in Interface mode.
● The DHCP server does not start unless at least one interface matches one of the configured network pools.
In the DHCP packet format, configuration parameters are options in the DHCP packet in type, length, value (TLV) format. To limit the number of parameters that servers provide, hosts enter the parameters that they require and the server sends only those parameters. DHCP uses the User Datagram Protocol (UDP) as its transport protocol. The following options are commonly used in DHCP packets.
DHCP server The Dynamic Host Configuration Protocol (DHCP) server provides network configuration parameters to DHCP clients on request. A DHCP server dynamically allocates four required IP parameters to each system on the virtual local area network (VLAN)—the IP address, network mask, default gateway, and name server address. DHCP IP address allocation works on a client/server model where the server assigns the client reusable IP information from an address pool.
Show running configuration
OS10(conf-dhcp-Dell)# do show running-configuration
...
!
ip dhcp server
!
pool Dell
network 20.1.1.0/24
default-router 20.1.1.1
range 20.1.1.2 20.1.1.8
Address lease time
Use the lease {days [hours] [minutes] | infinite} command to configure an address lease time. The default is 24 hours.
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)# lease 36
Default gateway
Ensure the IP address of the default router is on the same subnet as the client.
1.
2. Create an IP address pool and enter the name in DHCP mode.
pool name
3. Create a domain and enter the domain name in DHCP mode.
domain-name name
4. Enter the DNS servers that are available to a DHCP client, in order of preference, in DHCP mode.
dns-server address
DNS address resolution
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)# domain-name dell.com
OS10(conf-dhcp-Dell)# dns-server 192.168.1.
3. Enter the client hardware address in DHCP mode. hardware-address hardware-address Configure manual binding OS10(config)# ip dhcp server OS10(conf-dhcp)# pool static OS10(conf-dhcp-static)# host 20.1.1.2 OS10(conf-dhcp-static)# hardware-address 00:01:e8:8c:4d:0a View the DHCP binding table OS10# show ip dhcp binding IP Address Hardware address Lease expiration Hostname +-------------------------------------------------------------------------11.1.1.
DHCP relay agent A DHCP relay agent relays DHCP messages to and from a remote DHCP server, even if the client and server are on different IP networks. You can configure the IP address of the remote DHCP server. You can configure a device either as a DHCP server or a DHCP relay agent — but not both. If routes are not leaked between VRFs, the DHCP relay agent supports multi-virtual routing and forwarding (VRF) instances. The client-facing and server-facing interfaces must be in the same VRF.
By default, DHCP snooping is disabled globally and enabled on VLANs. For the DHCP snooping feature to work, enable it globally. NOTE: If you move a DHCP client from an untrusted interface to another untrusted interface within the VLAN, the DHCP snooping binding database is not updated. The switch drops subsequent packets from the client. However, if you move a DHCP client from an untrusted interface to a trusted interface, there is no impact to the traffic from the client.
DHCP snooping in a VLT environment OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize DHCP snooping binding information between them. The system interprets the VLTi link between VLT peers as trusted interfaces. To configure DHCP snooping in a VLT environment: ● Enable DHCP snooping on both VLT peers. ● Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.
Enable and configure DHCP snooping globally 1. Enable DHCP snooping globally in CONFIGURATION mode. ip dhcp snooping 2. Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode. ip dhcp snooping trust Add static DHCP snooping entry in the binding table ● Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.
● Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode. no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/ port/sub-port | port-channel port-channel-id] Example for removing static DHCP snooping entry in the binding table OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.
DHCP server
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.
DHCP snooping switch as a relay agent This example uses a simple topology with a DHCP snooping switch configured as a DHCP relay agent. A DHCP server and a DHCP client are connected to the snooping switch through different VLANs. A rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.
DHCP server OS10# configure terminal OS10(config)# ip dhcp server OS10(config-dhcp)# no disable OS10(config-dhcp)# pool dell_1 OS10(config-dhcp-dell_1)# network 10.1.1.0/24 OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.250 OS10(config-dhcp-dell_1)# exit OS10(config-dhcp)# pool dell_2 OS10(config-dhcp-dell_2)# network 10.2.1.
● Enable DHCP snooping globally. OS10(config)# ip dhcp snooping VLAN configuration ● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address.
● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address. OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54 3.
The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages. The interface column displays the local VLT port channel number. OS10# show ip dhcp snooping binding Number of entries : 1 Codes : S - Static D - Dynamic IPv4 Address MAC Address Expires(Sec) Type Interface VLAN ======================================================================================= 10.1.1.
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10# configure terminal
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# no shutdown
OS10(conf-if-vl-200)# ip address 10.2.1.1/24
OS10(conf-if-vl-200)# exit
● Configure SW 1 as the DHCP relay agent for the clients in the VM. The IP address that you specify here is the IP address of the DHCP server.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip helper-address 10.2.1.
● Enable DHCP snooping globally.
OS10(config)# ip dhcp snooping
VLAN configuration
● Create a VLAN and assign an IP address to it which acts as the gateway for the VMs.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.2/24
OS10(conf-if-vl-100)# exit
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet 1/1/1,1/1/6
OS10(conf-if-eth1/1/1,1/1/6)# no shutdown
OS10(conf-if-eth1/1/1,1/1/6)# channel-group 20
(Optional) Peer routing configuration
● Configure peer routing.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# peer-routing
DHCP server
VLAN configuration
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# ip address 10.2.1.
DAI violation logging
You can configure the system to log DAI validation failures corresponding to ARP packets. When DAI violation logging is enabled, violations are logged at the console. DAI violation logging is disabled by default. If you configure an interface as trusted, the switch interprets ARP packets that ingress the interface from hosts as legitimate packets. By default, all interfaces are in DAI untrusted state. For DAI to work, enable the DHCP snooping feature on the switch. DAI is disabled by default.
Address      Hardware Address     Interface         VLAN
--------------------------------------------------------------------
10.2.1.1     00:40:50:00:00:00    port-channel100   vlan3001
10.1.1.13    00:2a:10:01:00:00    port-channel100   vlan3001
10.1.1.62    00:2a:10:01:00:01    port-channel100   vlan3001
View DAI statistics
You can view valid and invalid ARP requests that the switch has received and replies that the switch has sent.
Source IP and MAC address validation
This feature filters IP traffic based on both source IP and source MAC addresses, and permits traffic only from clients found in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:
● Source MAC address
● Source IP address
● The VLAN to which the client is connected
● The interface (physical or port channel) to which the client is connected
If there is a match, the switch forwards the packet.
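The rogue-server drop, the DAI check, and the source IP and MAC address validation described in this chapter all depend on the same trust settings and binding table. The following Python model is an added example, not Dell EMC code and not how OS10 is implemented; it shows how one binding drives all three decisions. The class and method names, the interface names, and the addresses are constructed; dropping on a failed match is an assumption based on the note that the switch drops packets from a client moved between untrusted interfaces.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}      # DHCP messages only a server sends


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str                                  # "D" dynamic (snooped) or "S" static


class SnoopingSwitch:
    """Toy model of a DHCP snooping switch (hypothetical, for illustration)."""

    def __init__(self, trusted_interfaces, dai_trusted=()):
        self.trusted = set(trusted_interfaces)  # ports with 'ip dhcp snooping trust'
        self.dai_trusted = set(dai_trusted)     # ports with 'arp inspection-trust'
        self.pending = {}                       # client MAC -> (vlan, interface)
        self.bindings = {}                      # client MAC -> Binding

    def add_static(self, mac, ip, vlan, interface):
        """Equivalent of a static 'ip dhcp snooping binding' entry."""
        self.bindings[mac] = Binding(mac, ip, vlan, interface, "S")

    def dhcp(self, msg, ingress, vlan, client_mac, assigned_ip=None):
        """Return 'forward' or 'drop' for one DHCP message seen on ingress."""
        if msg in SERVER_MESSAGES:
            if ingress not in self.trusted:
                return "drop"                   # server message on an untrusted port
            where = self.pending.get(client_mac)
            if msg == "ACK" and where is not None:
                self.bindings[client_mac] = Binding(
                    client_mac, assigned_ip, where[0], where[1], "D")
            return "forward"
        # Client message: remember the VLAN and port the client is attached to.
        self.pending[client_mac] = (vlan, ingress)
        return "forward"

    def _matches(self, mac, ip, vlan, interface):
        b = self.bindings.get(mac)
        return b is not None and (b.ip, b.vlan, b.interface) == (ip, vlan, interface)

    def ip_packet(self, src_mac, src_ip, vlan, ingress):
        """Source IP and MAC address validation on a client-facing port."""
        if ingress in self.trusted:
            return "forward"                    # trusted ports are not validated
        return "forward" if self._matches(src_mac, src_ip, vlan, ingress) else "drop"

    def arp_packet(self, sender_mac, sender_ip, vlan, ingress):
        """Dynamic ARP Inspection against the same binding table."""
        if ingress in self.dai_trusted:
            return "forward"
        return "forward" if self._matches(sender_mac, sender_ip, vlan, ingress) else "drop"


def demo():
    """Walk one client through lease, spoofing and move scenarios (constructed data)."""
    sw = SnoopingSwitch(trusted_interfaces={"ethernet1/1/1"})
    mac, ip, vlan = "00:00:5e:00:53:01", "10.1.1.5", 100
    r = {}
    r["request"] = sw.dhcp("REQUEST", "ethernet1/1/2", vlan, mac)
    r["rogue_ack"] = sw.dhcp("ACK", "ethernet1/1/3", vlan, mac, "10.9.9.9")
    r["bound_after_rogue"] = mac in sw.bindings
    r["server_ack"] = sw.dhcp("ACK", "ethernet1/1/1", vlan, mac, ip)
    r["client_ip"] = sw.ip_packet(mac, ip, vlan, "ethernet1/1/2")
    r["spoofed_ip"] = sw.ip_packet(mac, "10.1.1.1", vlan, "ethernet1/1/2")
    r["moved_client"] = sw.ip_packet(mac, ip, vlan, "ethernet1/1/4")
    r["client_arp"] = sw.arp_packet(mac, ip, vlan, "ethernet1/1/2")
    r["spoofed_arp"] = sw.arp_packet("00:00:5e:00:53:02", "10.1.1.1", vlan, "ethernet1/1/3")
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```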
2. Add names to complete unqualified hostnames in CONFIGURATION mode. ip domain-list name You can configure a domain name and list corresponding to a non-default VRF instance. 1. Enter a domain name corresponding to a non-default VRF instance in the CONFIGURATION mode. ip domain-name vrf vrf-name server-name 2. Add names to complete unqualified hostnames corresponding to a non-default VRF instance.
Command Mode INTERFACE Usage Information The DHCP server is supported only on L3 interfaces. After you configure an IP helper address, the address forwards UDP broadcasts to the DHCP server. You can configure multiple helper addresses on an interface by repeating the same command for each DHCP server address. The no version of this command returns the value to the default. The client-facing and server-facing interfaces must be in the same VRF.
Table 10. Option 82 status (continued)
Enable Disable Does not add option 82 information to the packet.
Disable Enable Does not add option 82 information to the packet.
Disable Disable Does not add option 82 information to the packet.
Example OS10(config)# ip dhcp relay information-option trust-downstream
Supported Releases 10.2.0E or later
show vlt mismatch
Displays mismatches in a VLT domain configuration.
VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 VLT ID : 2 VLT Unit ID Mismatch VLAN List ----------------------------------* 1 1 2 2 Example (mismatch peer routing) Example (mismatch VLAN) Example (mismatch VLT VLAN) Example (mismatch — Virtual Network (VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) OS10# show vlt 1 mismatch peer-routing Peer-routing mismatch: VLT Unit ID Pee
* 2 (vlt-port-channel10,vlan99) Virtual Network: 103 VLT Unit ID Mismatch (VLT Port,Vlan) List --------------------------------------------1 (vlt-port-channel10,vlan103) * 2 (vlt-port-channel10,vlan104) Example (mismatch of untagged interfaces) Example (Anycast MAC address) Example (Anycast MAC address not available on one of the peers) Example (Virtual network interface anycast IP address) OS10# show vlt all mismatch virtual-network Virtual Network: 104 VLT Unit ID Mismatch Untagged VLT Port-channel
  1            ABSENT
* 2            10.16.128.30
Example (Virtual network mismatch and Anycast IP addresses mismatch)
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 10
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.25
* 2            10.16.128.20
Virtual-network: 20
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.26
* 2            ABSENT
Virtual-network: 30
VLT Unit ID    Anycast-IP
-------------------------------------
  1            ABSENT
* 2            10.16.128.
DHCP server commands default-router address Assigns a default gateway to clients based on the IP address pool. Syntax default-router address [address2...address8] Parameters ● address — Enter an IPv4 or IPv6 address to use as the default gateway for clients on the subnet in A.B.C.D or A:B format. ● address2...address8 — (Optional) Enter up to eight IP addresses, in order of preference.
dns-server address
Assigns a DNS server to clients based on the address pool.
Syntax dns-server address [address2...address8]
Parameters
● address — Enter the DNS server IP address that services clients on the subnet in A.B.C.D or A::B format.
● address2...address8 — (Optional) Enter up to eight DNS server addresses, in order of preference.
Default Not configured
Command Mode DHCP-POOL
Usage Information None
Example OS10(conf-dhcp-Dell)# dns-server 192.168.1.1
Supported Releases 10.2.
ip dhcp server
Enters DHCP configuration mode.
Syntax ip dhcp server
Parameters None
Default Not configured
Command Mode CONFIGURATION
Usage Information Use the ip dhcp server command to enter the DHCP mode required to enable DHCP server-assigned dynamic addresses on an interface.
Example OS10(config)# ip dhcp server
OS10(conf-dhcp)#
Supported Releases 10.2.0E or later
lease
Configures a lease time for the IP addresses in a pool.
Supported Releases 10.2.0E or later
netbios-node-type
Configures the NetBIOS node type for the DHCP client.
Syntax netbios-node-type type
Parameters type — Enter the NetBIOS node type:
● Broadcast — Enter b-node.
● Hybrid — Enter h-node.
● Mixed — Enter m-node.
● Peer-to-peer — Enter p-node.
Default Hybrid
Command Mode DHCP-POOL
Usage Information The no version of this command resets the value to the default.
Example OS10(conf-dhcp-Dell)# netbios-node-type h-node
Supported Releases 10.2.
Example
    OS10(conf-dhcp)# pool Dell
    OS10(conf-dhcp-Dell)#
Supported Releases
    10.2.0E or later

range
Configures a range of IP addresses.
Syntax
    range {ip-address1 [ip-address2]}
Parameters
● ip-address1 — First IP address of the IP address range.
● ip-address2 — Last IP address of the IP address range.
DHCP snooping commands

arp inspection
Enables Dynamic ARP Inspection (DAI) on a VLAN.
Syntax
    arp inspection
Parameters
    None
Defaults
    Disabled
Command Mode
    INTERFACE VLAN
Usage Information
    Dell EMC Networking recommends enabling DAI before enabling DHCP snooping.
Example
    OS10(conf-if-vl-230)# arp inspection
Supported Releases
    10.5.0 or later

arp inspection-trust
Configures a port as trusted so that ARP frames are not validated against the DAI database.
clear ip arp inspection statistics
Clears the Dynamic ARP Inspection statistics.
Syntax
    clear ip arp inspection statistics [vlan vlan-id]
Parameters
● vlan vlan-id — Enter the VLAN ID. The range is from 1 to 4093.
Defaults
    None
Command Mode
    EXEC
Usage Information
    This command is accessible to users with sysadmin and secadmin roles.
Example (Global)
    OS10# clear ip dhcp snooping binding
Supported Release
    10.5.
Command Mode
    CONFIGURATION
Usage Information
    When you enable this feature, the switch begins to monitor all transactions between DHCP servers and DHCP clients and uses the information to build the DHCP snooping binding table. If you disable DHCP snooping, the system removes the DHCP snooping binding table. Source Address Validation and Dynamic ARP Inspection entries are also removed. This command is accessible to users with sysadmin and secadmin roles.
Before creating a static entry for a VLAN, create the VLAN. If you do not create a VLAN before creating a static entry, the system displays an error message. Before deleting a port-channel or VLAN, remove any associated DHCP snooping entries. This command is accessible to users with sysadmin and secadmin roles. The no version of this command deletes the static entry from the DHCP snooping binding table.
show ip arp inspection database
Displays the contents of the DAI database.
Syntax
    show ip arp inspection database
Parameters
    None
Defaults
    None
Command Mode
    EXEC
Usage Information
    This command displays the list of snooped hosts from which ARP packets were processed.
Example
    OS10# show ip arp inspection database
    Number of entries : 3
    Address    Hardware Address    Interface    VLAN
    ------------------------------------------------------------------------
    55.2.1.
Address     Hw-Address          Port            VLAN   First-detected-time   Packet-count
------------------------------------------------------------------------------
10.1.1.1    12:d3:43:a1:2e:23   ethernet1/1/1   10     00:23:14              2
Supported Releases
    10.5.0 or later

show ip dhcp snooping binding
Displays the contents of the DHCP snooping binding table.
Syntax
    show ip dhcp snooping binding [vlan vlan-id]
Parameters
● vlan vlan-id — Enter the VLAN ID. The range is from 1 to 4093.
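The following Python audit is an added example, not part of the Dell guide. It reads a saved running-configuration and reports VLANs that carry ports but lack arp inspection, access ports marked arp inspection-trust, and DAI enabled while DHCP snooping is off. The sample configuration is constructed; the function names and the global ip dhcp snooping line are assumptions.

```python
import re

# Constructed sample in running-configuration layout ("!" between stanzas).
# Assumption: an enabled global DHCP snooping shows up as "ip dhcp snooping".
SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface vlan10
 no shutdown
 arp inspection
!
interface vlan20
 no shutdown
!
interface ethernet1/1/1
 no shutdown
 switchport access vlan 10
!
interface ethernet1/1/2
 no shutdown
 switchport access vlan 20
!
interface ethernet1/1/3
 no shutdown
 switchport mode trunk
 switchport trunk allowed vlan 10,20-30
 arp inspection-trust
!
interface ethernet1/1/4
 no shutdown
 switchport access vlan 10
 arp inspection-trust
"""


def parse_stanzas(config):
    """Return (global command set, {interface name: [commands]})."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # "!" closes the current stanza
            continue
        match = re.fullmatch(r"interface\s+(.+)", line)
        if match:
            name = re.sub(r"\s+", "", match.group(1)).lower()
            current = interfaces.setdefault(name, [])
        elif current is not None:
            current.append(line)
        else:
            global_cmds.add(line)
    return global_cmds, interfaces


def expand_vlans(spec):
    """Expand a VLAN list such as '10,20-30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit(config):
    """Report gaps in DAI coverage for a running-configuration."""
    global_cmds, interfaces = parse_stanzas(config)
    defined_vlans, dai_vlans, members, trusted_access = set(), set(), {}, []
    for name, cmds in interfaces.items():
        vlan_if = re.fullmatch(r"vlan(\d+)", name)
        if vlan_if:
            vlan_id = int(vlan_if.group(1))
            defined_vlans.add(vlan_id)
            if "arp inspection" in cmds:
                dai_vlans.add(vlan_id)
            continue
        port_vlans = set()
        for cmd in cmds:
            access = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            trunk = re.fullmatch(r"switchport trunk allowed vlan (\S+)", cmd)
            if access:
                port_vlans.add(int(access.group(1)))
            elif trunk:
                port_vlans |= expand_vlans(trunk.group(1))
        for vlan_id in port_vlans:
            members.setdefault(vlan_id, []).append(name)
        # Heuristic: a trusted access port skips ARP validation, so list it for review.
        if "arp inspection-trust" in cmds and "switchport mode trunk" not in cmds:
            trusted_access.append(name)
    unprotected = sorted(v for v in defined_vlans - dai_vlans if members.get(v))
    return {
        "unprotected_vlans": unprotected,   # carry ports, no "arp inspection"
        "trusted_access_ports": sorted(trusted_access),
        # DAI validates against snooped bindings; without snooping there are none
        "dai_without_snooping": bool(dai_vlans) and "ip dhcp snooping" not in global_cmds,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Trunk ports are treated as uplinks here, so only trusted access ports are listed; adjust that rule if hosts attach to trunks in your fabric.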
Supported Releases 10.2.0E or later ip domain-name Configures the default domain and appends to incomplete DNS requests. Syntax ip domain-name [vrf vrf-name] server-name Parameters ● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure the domain corresponding to that VRF. ● server-name — (Optional) Enter the server name the default domain uses. Default Not configured Command Mode CONFIGURATION Usage Information This domain appends to incomplete DNS requests.
Usage Information Example Supported Releases OS10 does not support sending DNS queries over a VLAN. DNS queries are sent out on all other interfaces, including the Management port. You can separately configure both IPv4 and IPv6 domain name servers. In a dual stack setup, the system sends both A (request for IPv4) and AAAA (request for IPv6) record requests to a DNS server even if you only configure this command. The no version of this command removes the IP name-server configuration.
● Use the following commands in the OS10 Linux Shell:
    sudo systemctl enable docker
    sudo systemctl start docker
NOTE: When you run the docker run command to create a container, you must use the --net=host parameter.

Install a Docker image
● To pull the latest Docker image from a Docker hub:
    docker pull nginx
  Or
    docker pull nginx:latest
NOTE: Docker downloads the latest image if you do not specify the image file name.
● Open an interactive terminal inside a container:
    docker exec -it container-name command

Manage volumes
● Create a Docker volume:
    docker volume create volume-name
● Run a Docker container with a volume mapped to "/work" inside the container:
    docker run -d -it -v workvol1:/work puppet-agent /bin/bash
● Display details of a volume:
    docker volume inspect volume-name
● List all the volumes in the system:
    docker volume ls
● Remove a volume:
    docker volume rm volume-name

Docker Management
● List all running Docker c
9 Interfaces You can configure and monitor physical interfaces (Ethernet), port-channels, and virtual local area networks (VLANs) in Layer 2 (L2) or Layer 3 (L3) modes. Table 11.
Unified port groups In an OS10 unified port group, all ports operate in either Ethernet or Fibre Channel (FC) mode. You cannot mix modes for ports in the same unified port group. To activate Ethernet interfaces, configure a port group to operate in Ethernet mode and specify the port speed. To activate Fibre Channel interfaces, see Fibre Channel interfaces. S4148U-ON On the S4148U-ON switch, the available Ethernet and Fibre Channel interfaces in a port group depend on the currently configured port profile.
3. Return to CONFIGURATION mode. exit 4. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
On the Z9264F-ON switch, the available Ethernet interfaces in a port group depend on the currently configured port-group profile. For details about the supported breakout modes in port-group profiles, see the profile CLI command. To enable Ethernet interfaces:
1. Configure a Z9264F-ON port group in CONFIGURATION mode. Enter 1/1 for node/slot. The port-group range is from 1 to 32.
    port-group node/slot/port-group
2. Configure the restricted profile in PORT-GROUP mode.
port-group1/1/1 port-group1/1/2 port-group1/1/3 port-group1/1/4 port-group1/1/5 port-group1/1/6 Eth Eth Eth Eth Eth Eth 10g-4x 10g-4x 10g-4x 100g-1x 100g-1x 100g-1x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 - Table 12.
Table 13.
Table 14.
Table 15.
3. Return to CONFIGURATION mode.
    exit
4. Enter Interface breakout mode to configure other settings, such as speed.
L3 mode configuration
Ethernet and port-channel interfaces are in L2 access mode by default. When you disable the L2 mode and then assign an IP address to an Ethernet port interface, you place the port in L3 mode. Configure one primary IP address in L3 mode. You can configure up to 255 secondary IP addresses on an interface. At least one interface in the system must be in L3 mode before you configure or enter an L3 protocol mode, such as OSPF.
1. Remove a port from L2 switching in INTERFACE mode.
Figure 4. MX9116n Fabric Switching Engine — Unified port groups 1. Configure a unified port group in CONFIGURATION mode. Enter 1/1 for node/slot. The port-group range depends on the switch. port-group node/slot/port-group 2. Activate the unified port group for FC operation in PORT-GROUP mode. The available FC modes depend on the switch.
Wavelength is 850 Receive power reading is 0.
2. By default, DHCP client is enabled on the Management interface. Disable the DHCP client operations in INTERFACE mode.
    no ip address dhcp
3. Configure an IP address and mask on the Management interface in INTERFACE mode.
    ip address A.B.C.D/prefix-length
4. Enable the Management interface in INTERFACE mode.
    no shutdown

Configure management interface
    OS10(config)# interface mgmt 1/1/1
    OS10(conf-if-ma-1/1/1)# no ip address dhcp
    OS10(conf-if-ma-1/1/1)# ip address 10.1.1.
Reconfigure default VLAN OS10# show vlan Q: A - Access (Untagged), T - Tagged NUM Status Description * 1 up Eth1/1/1-1/1/25,1/1/29,1/1/31-1/1/54 Q Ports A OS10(config)# interface vlan 10 Sep 19 17:28:10 OS10 dn_ifm[932]: Node.1-Unit.1:PRI:notice [os10:notify], %Dell EMC (OS10) %IFM_ASTATE_UP: Interface admin state up :vlan10 OS10(conf-if-vl-10)# exit OS10(config)# default vlan-id 10 Sep 19 17:28:15 OS10 dn_ifm[932]: Node.1-Unit.
Loopback interfaces
A Loopback interface is a virtual interface that the software emulates. Because a Loopback interface is not associated with physical hardware entities, its status is not affected by hardware status changes. Packets routed to a Loopback interface are processed locally on the OS10 device. Because this interface is not a physical interface, you can configure routing protocols on it to provide protocol stability.
Create port-channel
You can create a maximum of 128 port-channels, with up to 32 port members per group. Configure a port-channel as you would a physical interface; you can enable or configure protocols and apply ACLs on a port-channel. After you enable the port-channel, place it in L2 or L3 mode. To place the port-channel in L2 mode, use the switchport command; to place it in L3 mode, configure an IP address.
● Create a port-channel in CONFIGURATION mode.
Minimum links Configure minimum links in a port-channel LAG that must be in oper up status to consider the port-channel to be in oper up status. NOTE: If the minimum links criteria that you have configured is not met, the port channel operationally goes down only in the device in which you have configured the minimum links and not on the device at the other side of the port channel.
Load balance traffic
Use hashing to load balance traffic across member interfaces of a port-channel. Load balancing uses source and destination packet information to distribute traffic over multiple interfaces when transferring data to a destination. For packets without an L3 header, OS10 automatically uses the load-balancing mac-selection destination-mac command for hash algorithms by default.
You can configure a default VLAN only if the interface range being configured consists of only VLAN ports. When a configuration in one of the VLAN ports fails, all the VLAN ports in the interface range are affected. Create an interface range allowing other commands to be applied to that interface range using the interface range command.
● Management interface 1/1/1 configuration ● Management IPv4/IPv6 static routes ● System hostname ● Unified Forwarding Table (UFT) mode ● ECMP maximum paths You must manually reconfigure other settings on a switch after you apply a new port profile and reload the switch. NOTE: After you change the switch-port profile, do not immediately back up and restore the startup file without using the write memory command and reloading the switch using the reload command.
1GE mode: 1GE is supported only on SFP+ ports; 1GE is not supported on QSFP+ and QSFP28 ports 25-26. Breakout interfaces: Use the interface breakout command in Configuration mode to configure 4x10G, 4x25G, and 2x50G breakout interfaces. To view the ports that belong to each port group, use the show port-group command. S4148U-ON port profiles S4148U-ON port profiles determine the available front-panel unified and Ethernet ports and supported breakout interfaces.
*profile-1 and profile-2 activate the same port mode capability on unified and Ethernet ports. The difference is that in profile-1, by default SFP+ unified ports 1-24 come up in Fibre Channel mode with 2x16GFC breakouts per port group. In profile-2, by default SFP+ unified ports 1-24 come up in Ethernet 10GE mode. profile-1 allows you to connect FC devices for plug-and-play; profile-2 is designed for a standard Ethernet-based data network.
The following examples show that the nondefault configuration is added to the running configuration: OS10(conf-if-eth1/1/50)# negotiation off OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 negotiation off flowcontrol receive on OS10(conf-if-eth1/1/50)# negotiation on OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 negotiation on flowcontrol receive on The following examples show that the
● node/slot/port — Enter the physical port information.
● 10g-4x — Split a QSFP28 or QSFP+ port into four 10G interfaces.
● 25g-4x — Split a QSFP28 port into four 25G interfaces.
● 40g-1x — Set a QSFP28 port to use with a QSFP+ 40G transceiver.
● 50g-2x — Split a QSFP28 port into two 50G interfaces.
● 100g-1x — Reset a QSFP28 port to 100G speed.
To configure an Ethernet breakout interface, use the interface ethernet node/slot/port:subport command in CONFIGURATION mode.
Eth 1/1/2 Eth 1/1/25 Eth 1/1/29 down down down 0 0 0 auto auto auto A A A 1 1 1 - After you enter feature auto-breakout and plug a breakout cable in Ethernet port 1/1/25: OS10# show interface status -----------------------------------------------------------------Port Description Status Speed Duplex Mode Vlan Tagged-Vlans -----------------------------------------------------------------Eth 1/1/1 down 0 auto Eth 1/1/2 down 0 auto A 1 Eth 1/1/25:1 down 0 auto A 1 Eth 1/1/25:2 down 0 auto A 1 Eth 1/1/25
no shutdown
no switchport
negotiation on
ip address 1.2.3.4/24
ip address 2.2.2.2/24 secondary
ip address 3.3.3.3/24 secondary
ipv6 address 10::1/64
ip access-group test in
lldp med network-policy add 10
ip ospf priority 10
flowcontrol transmit on
OS10(conf-if-eth1/1/2)# exit
OS10(config)# default interface ethernet 1/1/2
Proceed to cleanup the interface config? [confirm yes/no]:y
Sep 9 01:06:28 OS10 dn_l3_core_services[968]: Node.1-Unit.
View FEC configuration OS10# show interface ethernet 1/1/41 Ethernet 1/1/41 is up, line protocol is up Hardware is Dell EMC Eth, address is e4:f0:04:3e:1a:06 Current address is e4:f0:04:3e:1a:06 Pluggable media present, QSFP28 type is QSFP28_100GBASE_CR4_2M Wavelength is 64 Receive power reading is Interface index is 17306108 Internet address is not set Mode of IPv4 Address Assignment: not set Interface IPv6 oper status: Disabled MTU 1532 bytes, IP MTU 1500 bytes LineSpeed 100G, Auto-Negotiation on FEC is c
Enable energy-efficient Ethernet EEE is disabled by default. To reduce power consumption, enable EEE. 1. Enter the physical Ethernet interface information in CONFIGURATION mode. interface ethernet node/slot/port[:subport] 2. Enable EEE in INTERFACE mode.
View EEE statistics for a specified interface OS10# show interface ethernet 1/1/48 eee statistics Eth 1/1/48 EEE : on TxIdleTime(us) : 2560 TxWakeTime(us) : 5 Last Clearing : 18:45:53 TxEventCount : 0 TxDuration(us) : 0 RxEventCount : 0 RxDuration(us) : 0 View EEE statistics on all interfaces OS10# show interface eee statistics Port EEE TxEventCount TxDuration(us) RxEventCount RxDuration(us) -----------------------------------------------------------------------------Eth 1/1/1 off 0 0 0 0 ...
Example
    OS10# clear counters interface 1/1/48 eee
    Clear eee counters on ethernet1/1/48 [confirm yes/no]:yes
Supported Releases
    10.3.0E or later

eee
Enables or disables energy-efficient Ethernet (EEE) on physical ports.
Syntax
    eee
Parameters
    None
Default
    Enabled on Base-T devices and disabled on S3048-ON and S4048T-ON switches.
Command Mode
    Interface
Usage Information
    To disable EEE, use the no version of this command.
show interface eee statistics Displays EEE statistics for all interfaces. Syntax show interface eee statistics Parameters None Default Not configured Command Mode EXEC Example OS10# show interface eee statistics Port EEE TxEventCount TxDuration(us) RxEventCount RxDuration(us) -----------------------------------------------------------------------------Eth 1/1/1 off 0 0 0 0 ... Eth 1/1/47 on 0 0 0 0 Eth 1/1/48 on 0 0 0 0 Eth 1/1/49 n/a ... Eth 1/1/52 n/a Supported Releases 10.3.
TxEventCount   : 0
TxDuration(us) : 0
RxEventCount   : 0
RxDuration(us) : 0
Supported Releases
    10.3.0E or later

View interface configuration
To view basic interface information, use the show interface, show running-configuration, and show interface status commands. Stop scrolling output from a show command by entering CTRL+C. Display information about a physical or virtual interface in EXEC mode, including up/down status, MAC and IP addresses, and input/output traffic counters.
Pluggable media present, QSFP+ type is QSFP+ 40GBASE CR4 Wavelength is 64 Receive power reading is 0.
shutdown ... View L3 interfaces OS10# show ip interface brief Interface Name IP-Address OK Method Status Protocol ========================================================================================= Ethernet 1/1/1 unassigned NO unset up down Ethernet 1/1/2 unassigned YES unset up up Ethernet 1/1/3 3.1.1.1/24 YES manual up up Ethernet 1/1/4 4.1.1.
OS 10.5.1.0 allows you to configure Interface names with upper case characters, but the Interface is not programmed correctly. To ensure proper configuration, always use lower case to configure Interface names.
Examples:
    OS10(Config)# interface vlan20
    OS10(Config)# interface port-channel20

Digital optical monitoring
The digital optical monitoring (DOM) feature monitors the digital optical media for temperature, voltage, bias, transmission power (Tx), and reception power (Rx).
You can enable or disable the DOM feature, configure traps, and view the DOM status.

Enable DOM and DOM traps
To generate DOM alarms, do the following.
1. Enable DOM.
    OS10(config)# dom enable
2. Enable DOM traps.
    OS10(config)# snmp-server enable traps dom
You can run the show alarms command in EXEC mode to view any alarms that are generated.
Default MTU Configuration
Maximum transmission unit (MTU) defines the largest packet size that an interface can transmit without fragmentation. The MTU of an interface determines whether the switch accepts a packet at ingress and egress. The interface drops any packet whose size exceeds the MTU. If you have not configured the MTU value for an interface, a default value of 1532 bytes is set automatically. Any packet exceeding this value is dropped.
Interface commands channel-group Assigns an interface to a port-channel group. Syntax channel-group channel-number mode {active | on | passive} Parameters ● ● ● ● ● Default Not configured Command Mode INTERFACE Usage Information The no version of this command resets the value to the default, and unassigns the interface from the port-channel group. Example Supported Releases channel-number — Enter a port-channel number, from 1 to 128. mode — Sets LACP Actor mode.
no switchport ip address 101.1.2.2/30 ipv6 address 2101:100:2:1::2/64 ipv6 ospf 65535 area 0.0.0.0 ipv6 ospf cost 10 ip ospf 65535 area 0.0.0.0 ip ospf cost 10 OS10# configure terminal OS10(config)# default interface ethernet 1/1/15 Proceed to cleanup the interface config? [confirm yes/no]:yes Mar 5 22:00:48 OS10 dn_l3_core_services[590]: Node.1-Unit.1:PRI:notice [os10:trap], %Dell EMC (OS10) %log-notice:IP_ADDRESS_DEL: IP Address delete is successful. IP 101.1.2.
Proceed to cleanup interface range config? [confirm yes/no]:yes Mar 5 22:21:12 OS10 dn_l3_core_services[590]: Node.1-Unit.1:PRI:notice [os10:trap], %Dell EMC (OS10) %log-notice:IP_ADDRESS_DEL: IP Address delete is successful. IP 192.21.43.1/31 deleted successfully Mar 5 22:21:12 OS10 dn_l3_core_services[590]: Node.1-Unit.1:PRI:notice [os10:trap], %Dell EMC (OS10) %log-notice:IP_ADDRESS_DEL: IP Address delete is successful.
interface vlan1 no shutdown ! interface vlan10 no shutdown ! interface ethernet1/1/1 no shutdown switchport access vlan 10 ! interface ethernet1/1/2 no shutdown switchport access vlan 10 ! interface ethernet1/1/3 no shutdown switchport access vlan 10 ! interface ethernet1/1/4 no shutdown switchport access vlan 10 Supported Releases 10.4.0E(R1) or later description (Interface) Configures a textual description of an interface.
Command Mode
    CONFIGURATION
Usage Information
    You can only use this command on the Management port. The no version of this command removes the duplex mode configuration from the management port.
Example
    OS10(conf-if-ma-1/1/1)# duplex auto
Supported Releases
    10.3.0E or later

enable dom
Enables or disables the DOM feature.
Syntax
    dom enable
Parameters
    None
Default
    Disabled
Command Mode
    CONFIGURATION
Usage Information
    The no version of this command disables digital optical monitoring.
feature auto-breakout Enables front-panel Ethernet ports to automatically detect SFP media and autoconfigure breakout interfaces. Syntax feature auto-breakout Parameters None Default Not configured Command mode CONFIGURATION Usage information After you enter the feature auto-breakout command and plug a supported breakout cable in a QSFP+ or QSFP28 port, the port autoconfigures breakout interfaces for media type and speed. Use the interface breakout command to manually configure breakout interfaces.
● 25g-4x — Split a QSFP28 port into four 25GE interfaces. ● 10g-4x — Split a QSFP28 or QSFP+ port into four 10GE interfaces Default Not configured Command Mode CONFIGURATION Usage Information ● Each breakout interface operates at the configured speed; for example, 10G, 25G, or 50G. ● The no interface breakout node/slot/port command resets a port to its default speed: 40G or 100G. ● To configure breakout interfaces on a unified port, use the mode {Eth | FC} command in PortGroup Configuration mode.
Supported Releases
    10.2.0E or later

interface mgmt
Configures the Management port.
Syntax
    interface mgmt node/slot/port
Parameters
    node/slot/port — Enter the physical port interface information for the Management interface.
Default
    Enabled
Command Mode
    CONFIGURATION
Usage Information
    You cannot delete a Management port. To assign an IP address to the Management port, use the ip address command.
Example
    OS10(config)# interface mgmt 1/1/1
    OS10(conf-if-ma-1/1/1)#
Supported Releases
    10.2.
Supported Releases 10.2.0E or later interface range Configures a range of Ethernet, port-channel, or VLAN interfaces for bulk configuration. Syntax interface range {ethernet node/slot/port[:subport]-node/slot/ port[:subport],[...]} | {port-channel IDnumber-IDnumber,[ ...]} | vlan vlanID-vlanID,[...]} Parameters ● node/slot/port[:subport]-node/slot/port[:subport] — Enter a range of Ethernet interfaces. ● IDnumber-IDnumber — Enter a range of port-channel numbers, from 1 to 128.
link-bundle-utilization
Configures link-bundle utilization.
Syntax
    link-bundle-utilization trigger-threshold value
Parameters
    value — Enter the percentage of port-channel bandwidth that triggers traffic monitoring on port-channel members, from 0 to 100.
Default
    Disabled
Command Mode
    CONFIGURATION
Usage Information
    None
Example
    OS10(config)# link-bundle-utilization trigger-threshold 10
Supported Releases
    10.2.
● To view the currently active ports and subports, use the show interfaces status command. ● The no version of the command resets port-group interfaces to the default Ethernet port mode/ speed. Use the no mode command before you reset the mode on an interface. Example OS10(conf-pg-1/1/2)# mode FC 16g-4x OS10(conf-pg-1/1/8)# mode Eth 10g-4x Example: Reset mode Supported Releases OS10(conf-pg-1/1/2)# mode FC 16g-4x OS10(conf-pg-1/1/2)# no mode OS10(conf-pg-1/1/2)# mode Eth 10g-4x 10.3.
○ Tagged members must have a link MTU 4 bytes higher than untagged members to account for the packet tag. ○ Ensure that the MTU of VLAN members is greater than or equal to the VLAN MTU. OS10 selects the lowest MTU value configured on the VLAN or VLAN members to be the VLAN MTU. For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500.
switchport access vlan 1 negotiation on flowcontrol receive on OS10(conf-if-eth1/1/50)# no negotiation OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 flowcontrol receive on OS10(conf-if-eth1/1/50)# do show interface ethernet 1/1/50 Ethernet 1/1/50 is up, line protocol is up Hardware is Eth, address is e4:f0:04:3e:2d:86 Current address is e4:f0:04:3e:2d:86 Pluggable media present, QSFP28 type is QSFP28 100GBASE-CR4-2.
port-group Configures a group of front-panel unified ports, or a double-density QSFP28 (QSFP28-DD) or single-density QSFP28 port group. Syntax port-group node/slot/port-group Parameters ● node/slot — Enter 1/1 for node/slot when you configure a port group. ● port-group — Enter the port-group number, from 1 to 16. The available port-group range depends on the switch.
scale-profile vlan Configures the L2 VLAN scale profile on a switch. Syntax scale-profile vlan Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Use the VLAN scale profile when you scale the number of VLANs so that the switch consumes less memory. Enable the scale profile before you configure VLANs on the switch. The scale profile globally applies L2 mode on all VLANs you create and disables L3 transmission. The no version of the command disables L2 VLAN scaling.
show interface Displays interface information. Syntax show interface [type] Parameters interface type — Enter the interface type: ● phy-eth node/slot/port[:subport] — Display information about physical ports connected to the interface. ● status — Display interface status. ● ethernet node/slot/port[:subport] — Display Ethernet interface information. ● loopback id — Display Loopback IDs, from 0 to 16383. ● mgmt node/slot/port — Display Management interface information.
Interface index is 85886081 Internet address is not set Mode of IPv4 Address Assignment: not set MTU 1532 bytes LineSpeed 0 Minimum number of links to bring Port-channel up is 1 Maximum active members that are allowed in the portchannel is 5 Members in this channel: ARP type: ARPA, ARP Timeout: 60 OS10# show interface port-channel summary LAG Mode Status Uptime Ports 22 L2 up 20:38:08 Eth 1/1/10 (Up) Eth 1/1/11 (Down) Eth 1/1/12 (Inact) 23 L2 up 20:34:32 Eth 1/1/20 (Up) Eth 1/1/21 (Up) Eth 1/1/22 (Up) Examp
show inventory media Displays installed media in switch ports. Syntax show inventory media Parameters None Command Mode EXEC Usage Information Use the show inventory media command to verify the media type inserted in a port. Example Example: MX9116n Fabric Engine On the MX9116n Fabric Switching Engine and MX5108n Ethernet Switch, server-facing interfaces are on the backplane and are enabled by default.
Example: MX5108n Ethernet switch Supported Releases OS10# show inventory media ---------------------------------------------------------System Inventory Media ---------------------------------------------------------Node/Slot/Port Category Media Serial Dell EMC Number Qualified ---------------------------------------------------------1/1/1 FIXED INTERNAL true 1/1/2 FIXED INTERNAL true 1/1/3 FIXED INTERNAL true 1/1/4 FIXED INTERNAL true 1/1/5 FIXED INTERNAL true 1/1/6 FIXED INTERNAL true 1/1/7 FIXED INTERN
Example (Interface) OS10(conf-range-eth1/1/10-1/1/11,1/1/13,1/1/14)# do show port-channel summary Flags: D - Down U - member up but inactive P - member up and active U - Up (port-channel) Group Port-Channel Type Protocol Member Ports 22 port-channel22 (U) Eth STATIC 1/1/10(P) 1/1/11(P) 1/1/12(P) 1/1/13(P) 1/1/14(P) 1/1/15(P) 1/1/16(P) 1/1/17(P) 1/1/18(P) 1/1/19(P) 23 port-channel23 (D) Eth STATIC OS10(config)# interface range e1/1/12-1/1/13,1/1/15,1/1/17-1/1/18 OS10(conf-range-eth1/1/12-1/1/13,1/1/15,1/1/1
port-group1/1/12 port-group1/1/13 port-group1/1/14 port-group1/1/15 port-group1/1/16 Example: Z9264F-ON Supported Releases Eth Eth Eth Eth Eth 100g-2x 100g-1x 100g-1x 100g-1x 100g-1x 39 41 42 43 44 OS10(config)# show port-group hybrid-group profile port-group1/1/1 restricted port-group1/1/2 restricted port-group1/1/3 restricted port-group1/1/4 restricted port-group1/1/5 restricted port-group1/1/6 restricted port-group1/1/7 restricted port-group1/1/8 restricted 40 Ports 1/1/1 1/1/2 1/1/3
show system Displays the status of the DOM feature, whether it is enabled or disabled.
1 1 1 1 Supported Releases | | | | 79 80 81 82 | | | | | | | | | | | | | | | | 10.4.0E(R3S) or later show vlan Displays the current VLAN configuration. Syntax show vlan [vlan-id] Parameters vlan-id — (Optional) Enter a VLAN ID, from 1 to 4093.
speed (Fibre Channel) Configures the transmission speed of a Fibre Channel interface. Syntax speed {8 | 16 | 32 | auto} Parameters Set the speed of a Fibre Channel interface to: ● 8 — 8GFC ● 16 — 16GFC ● 32 — 32GFC ● auto — Set the port speed to the speed of the installed media. Defaults Auto Command Mode INTERFACE Usage Information ● To configure oversubscription for bursty storage traffic on a FC interface, use the speed command.
Command Mode CONFIGURATION Usage Information ● S4148-ON Series port profiles: ○ profile-1 — SFP+ 10G ports (1-24 and 31-54) and QSFP28 100G ports (25-26 and 29-30) are enabled. QSFP28 ports support 100GE and 4x10G, 4x25G, and 2x50G breakouts. ○ profile-2 — SFP+ 10G ports (1-24 and 31-50), QSFP+ 40G ports (27-28), and QSFP28 ports in 40G mode (25-26 and 29-30) are enabled. QSFP+ and QSFP28 ports support 40GE and 4x10G breakouts.
SFP+ unified ports operate in Ethernet 10GE mode by default. SFP+ unified port groups support 4x8GFC and 2x16GFC breakouts (ports 1 and 3) in FC mode. ■ QSFP28 unified ports operate in Ethernet 100GE mode by default and support 4x25G and 4x10G breakouts. QSFP28 ports support 2x16GFC and 4x16GFC breakouts in FC mode. ■ SFP+ Ethernet ports operate at 10GE. ○ profile-4 — SFP+ unified ports (1-24), QSFP28 unified ports (25-26 and 29-30), and SFP+ Ethernet ports (31-54) are enabled.
switchport mode Places an interface in L2 Access or Trunk mode. Syntax switchport mode {access | trunk} Parameters ● access — Enables L2 switching of untagged frames on a single VLAN. ● trunk — Enables L2 switching of untagged frames on the access VLAN, and of tagged frames on the VLANs specified with the switchport trunk allowed vlan command.
Parameters ● node/unit-id — Enter 1 for node with an unassigned unit ID displayed in the show unitprovision output. ● provision_name — Enter the service tag of the Fabric Expander displayed in the show discovered-expanders output. Default None Command Mode CONFIGURATION Usage Information ● To verify the currently configured mode on a Fabric Engine, use the show switch-operatingmode command.
Example
    OS10# default mtu 9216
    OS10# no default mtu
Supported Releases
    10.3.1E or later

show default mtu
Displays the default MTU at system level.
Syntax
    show default mtu
Parameters
    None
Defaults
    None
Command Mode
    EXEC
Usage Information
    The interface-level MTU may be different from the system-level MTU.
Example
    OS10# show default mtu
    Default MTU 9216 bytes
Supported Releases
    10.3.
10 PowerEdge MX Ethernet I/O modules
The Dell EMC PowerEdge MX7000 supports the following Ethernet modules: MX9116n Fabric Switching Engine, MX7116n Fabric Expander Module, and MX5108n Ethernet Switch. For detailed information, see the Dell EMC PowerEdge MX7000 documentation.
● The MX9116n Fabric Switching Engine is a scalable L2/L3 switch that provides high-bandwidth, low-latency 25GE networking; for example, in private cloud and software-defined storage (SDS) networks.
● View the physical topology.
● Use power control.

SmartFabric mode
In SmartFabric mode, the PowerEdge MX switches operate as Layer 2 I/O aggregation devices. The OpenManage Enterprise Modular interface supports most switch configuration settings. Use SmartFabric mode to configure your switch. SmartFabric mode supports all OS10 show commands and the following subset of CLI configuration commands. Other CLI configuration commands are not available.
● clock — Configure clock parameters.
Changing operating modes To switch an MX9116n Fabric Switching Engine or MX5108n Ethernet Switch between Full Switch and SmartFabric modes, use the OpenManage Enterprise - Modular interface to create a new fabric. Full Switch to SmartFabric mode All Full Switch CLI configuration changes are deleted except for the subset of supported configuration commands that you can also enter and save in SmartFabric mode (see Operating modes).
QSFP28-DD Ethernet interfaces support Fabric Expander mode (FEM) and native Ethernet mode. ● In FEM mode, an 8x25GE interface connects only to an attached Fabric Expander using supported cables. ● In native Ethernet mode, an interface connects to an upstream switch, rack server, or other Ethernet device. By default, QSFP28-DD port groups 1 to 9 are configured in FEM mode with 8x25GE breakout interfaces enabled.
Configure QSFP28-DD interface
OS10(config)# port-group 1/1/7
OS10(conf-pg-1/1/7)# mode Eth 25g-8x
OS10(conf-pg-1/1/7)# exit
OS10(config)# interface ethernet 1/1/29:4
OS10(conf-if-eth-1/1/29:4)#

View QSFP28-DD interface
OS10(config)# interface ethernet 1/1/29:4
OS10(conf-if-eth1/1/29:4)# show configuration
!
interface ethernet1/1/29:4
 no shutdown

View QSFP28-DD port groups and default modes
OS10# show port-group
Port-group        Mode
port-group1/1/1   Eth 25g-8x
port-group1/1/2   Eth 25g-8x
port-group1/1/3   Eth 25g-8x
Virtual ports A virtual port is a logical OS10 port that connects to a downstream server and has no physical hardware location on the switch. Virtual ports are created when an MX9116n Fabric Switching Engine onboards an MX7116n Fabric Expander Module. The onboarding process consists of discovery and configuration. Fabric Expander discovery A Fabric Expander functions as an unmanaged Ethernet repeater with sixteen 25GE server-facing ports and two QSFP28-DD uplink ports.
3. Configure the unit ID for the service tag (provision name) of the Fabric Expander in CONFIGURATION mode. OS10(config)# unit-provision node/unit-id provision_name ● node/unit-id — Enter 1 for node with an unassigned unit ID from the show unit-provision output. ● provision_name — Enter the service tag of the Fabric Expander from the Service-tag field in the show discovered-expanders output. 4. Verify the discovered Fabric Expander and its virtual slot ID in EXEC mode.
5. Verify the virtual ports on the Fabric Expander that are up and connected to servers in CONFIGURATION mode. Unit IDs 71 to 82 are used as virtual slot numbers 1/71 to 1/82 on the Fabric Expander. OS10# show interface status 6. Configure a Fabric Expander virtual port to transmit server traffic in CONFIGURATION mode. OS10# interface ethernet node/virtual-slot/port ● node is 1 for a Fabric Expander. ● virtual-slot is the unit ID number assigned to the Fabric Expander, from 71 to 82.
For information about how to configure QSFP28-DD port groups 1 to 12 to operate in Ethernet mode, see Double-density QSFP28 interfaces. For information about how to configure unified port groups 15 and 16 to operate in Ethernet or Fibre Channel mode, see Unified port groups. Figure 6. MX9116n Fabric Switching Engine — QSFP28 port groups 1. To configure a QSFP28 port-group interface, enter PORT-GROUP mode from CONFIGURATION mode. Enter 1/1 for node/ slot. The QSFP28 port-group range is 13 to 14.
View QSFP28 breakout interfaces
OS10# show interface status
--------------------------------------------------------------------------
Port          Description  Status  Speed  Duplex  Mode  Vlan  Tagged-Vlans
--------------------------------------------------------------------------
...
Eth 1/1/41:1               down    0      auto    A     1
Eth 1/1/41:2               down    0      auto    A     1
Eth 1/1/41:3               down    0      auto    A     1
Eth 1/1/41:4               down    0      auto    A     1
Eth 1/1/42:1               down    0      auto    A     1
Eth 1/1/42:2               down    0      auto    A     1
Eth 1/1/42:3               down    0      auto    A     1
Eth 1/1/42:4               down    0      auto    A     1
...
1/1/4 1/1/5 1/1/6 1/1/7 1/1/8 ...
2. Verify the firmware version and configure the IOM settings, see Verify and configure IOM settings.
3. Connect the cables to the new IOM, see Connect the cables to the new IOM.

Replace an IOM in SmartFabric
To replace an IOM that is part of a SmartFabric:
1. Physically remove the faulty IOM and insert the new IOM, see Remove and replace the IOM.
2. Verify the firmware version and configure the IOM settings, see Verify and configure IOM settings.
If the command is run on a member, the system displays only the details of the master IOM. The system displays information such as service tag and IPv6 address of the master. If the command is run in a master, the system displays the details of all the IOMs in the chassis deployment. Log in to the master IOM using the displayed IPv6 address before using the module replacement command. Also you can view the IPv4 address of the master IOM using the show smartfabric cluster command.
2. Log in to the master IOM using the IPv6 address displayed in the IOM. admin@MX9116N-A1:~$ ssh admin@ Output example when you log in to the master IOM from the member IOM: admin@OS10:~$ ssh admin@fde1:53ba:e9a0:cccc:3417:ebff:fe2c:ca84 Debian GNU/Linux 9 Dell EMC Networking Operating System (OS10) admin@fde1:53ba:e9a0:cccc:3417:ebff:fe2c:ca84's password: Linux OS10 4.9.110 #1 SMP Debian 4.9.
Password:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   142  100    89  100    53    646    384 --:--:-- --:--:-- --:--:--   649
Node replacement work-flow is initiated, the node JDB1XC2 will reboot into Fabric mode.

After successful authentication, the system initiates the module replacement workflow and the new IOM reboots and is placed in the SmartFabric Services mode.
11 Fibre Channel OS10 switches with Fibre Channel (FC) ports operate in one of the following modes: Direct attach (F_Port), NPIV Proxy Gateway (NPG). In the FSB mode, you cannot use the FC ports. E_Port An expansion port (E_Port) in a switch is used to connect two Fibre Channel switches to form a multiswitch SAN fabric. The default port mode in a multiswitch setup is F.
NOTE: OS10 supports multiple E-Nodes in F_Port mode. NOTE: Remove all the NPIV Proxy Gateways (NPG), F-Port and vfabric related configurations from startup configuration before changing the IOM operating modes. Using the discovered information, the switch installs ACL entries that provide security and point-to-point link emulation.
Configure FIP snooping 1. Enable FIP snooping globally using the feature fip-snooping command in CONFIGURATION mode. 2. Before applying FIP snooping to a VLAN, ensure that the VLAN already contains Ethernet or LAG members that are enabled with FCF Port mode. Enable FCF mode on an Ethernet or port-channel using the fip-snooping port-mode fcf command in INTERFACE mode. 3. Enable FIP snooping on the VLAN using the fip-snooping enable command in VLAN INTERFACE mode.
Enodes   : 2
Sessions : 17

OS10# show fcoe sessions
Enode MAC          Enode Interface  FCF MAC            FCF interface  VLAN  FCoE MAC           FC-ID     PORT WWPN                PORT WWNN
aa:bb:cc:00:00:00  ethernet1/1/54   aa:bb:cd:00:00:00  port-channel5  100   0e:fc:00:01:00:01  01:00:01  31:00:0e:fc:00:00:00:00  21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00  ethernet1/1/54   aa:bb:cd:00:00:00  port-channel5  100   0e:fc:00:01:00:02  01:00:02  31:00:0e:fc:00:00:00:00  21:00:0e:fc:00:00:00:00

OS10# show fcoe fcf
FCF MAC FCF Interface VLAN FC-MAP --------------------------
1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode 2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command. 3. Add an FC map with the fcoe fcmap fc-map command. 4. Activate a zoneset using the zoneset activate zoneset-name command. 5. Allow access to all logged-in members in the absence of an active zoneset configuration using the zone default-zone permit command.
fibrechannel1/1/20 fibrechannel1/1/21 fibrechannel1/1/22 fibrechannel1/1/23 fibrechannel1/1/24 fibrechannel1/1/25:1 fibrechannel1/1/29:1 fibrechannel1/1/30:1 fibrechannel1/1/30:3 ========================================== To configure a vfabric in NPG mode: 1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode. 2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command. 3.
fcoe fka-adv-period 8
fcoe vlan-priority 3

Fibre Channel zoning
Fibre Channel (FC) zoning partitions an FC fabric into subsets to restrict unnecessary interactions, improve security, and manage the fabric more effectively. Create zones and add members to the zone. Identify a member by an FC alias, world wide name (WWN), or FC ID. A zone can have a maximum of 255 unique members. Create zonesets and add the zones to a zoneset.
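Added example (not from the Dell guide): a Python audit of the zoning settings described above. It flags a vfabric left with zone default-zone permit, zonesets that reference undefined zones, zones over the 255-member limit, malformed WWNs, and zoning that differs between two switches of one fabric. The sample configurations, the running-configuration layout and the function names are assumptions constructed for illustration.

```python
import re

MAX_ZONE_MEMBERS = 255  # per-zone limit stated in the guide
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")

# Constructed sample. Assumed layout: top-level command, indented
# sub-commands, "!" between blocks, as in the guide's show configuration.
SWITCH_1 = """\
fc zone zoneA
 member wwn 10:00:00:00:00:00:00:01
 member wwn 10:00:00:00:00:00:00:02
!
fc zone zoneB
 member wwn 10:00:00:00:00:00:00:03
 member wwn 10:00:00:00:00:00:4
!
fc zoneset zonesetA
 member zoneA
 member zoneB
 member zoneC
!
vfabric 1
 vlan 1001
 fcoe fcmap 0xEFC00
 zoneset activate zonesetA
!
vfabric 2
 vlan 1002
 zone default-zone permit
!
"""
# Constructed peer switch of the same fabric; its zoneB has drifted.
SWITCH_2 = SWITCH_1.replace("10:00:00:00:00:00:00:03", "10:00:00:00:00:00:00:09")

def parse_fc_config(text):
    """Collect zones, zonesets and per-vfabric zoning settings."""
    cfg = {"zones": {}, "zonesets": {}, "vfabrics": {}}
    current = None  # the list or dict that indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        words = line.split()
        if not raw[0].isspace():  # a top-level command opens a new block
            current = None
            if words[:2] == ["fc", "zone"] and len(words) == 3:
                current = cfg["zones"].setdefault(words[2], [])
            elif words[:2] == ["fc", "zoneset"] and len(words) == 3:
                current = cfg["zonesets"].setdefault(words[2], [])
            elif words[0] == "vfabric" and len(words) == 2:
                current = cfg["vfabrics"].setdefault(
                    words[1], {"default_permit": False, "active": None})
        elif isinstance(current, list) and words[0] == "member":
            member = " ".join(words[1:])
            current.append(member.lower() if words[1:2] == ["wwn"] else member)
        elif isinstance(current, dict):
            if words == ["zone", "default-zone", "permit"]:
                current["default_permit"] = True
            elif words[:2] == ["zoneset", "activate"] and len(words) == 3:
                current["active"] = words[2]
    return cfg

def audit_zoning(cfg):
    """Return (code, object, detail) findings for one switch."""
    findings = []
    for name, members in cfg["zones"].items():
        if len(set(members)) > MAX_ZONE_MEMBERS:
            findings.append(("ZONE_TOO_LARGE", name, str(len(set(members)))))
        for m in members:
            kind, _, value = m.partition(" ")
            if kind == "wwn" and not WWN_RE.match(value):
                findings.append(("BAD_WWN", name, value))
    for name, zones in cfg["zonesets"].items():
        for z in zones:
            if z not in cfg["zones"]:
                findings.append(("UNDEFINED_ZONE", name, z))
    for vid, vf in cfg["vfabrics"].items():
        if vf["active"] and vf["active"] not in cfg["zonesets"]:
            findings.append(("UNDEFINED_ZONESET", vid, vf["active"]))
        if vf["default_permit"]:
            # With no active zoneset, default-zone permit gives every
            # logged-in member access to every other member of the vfabric.
            code = "PERMIT_DORMANT" if vf["active"] else "PERMIT_OPEN"
            findings.append((code, vid, "zone default-zone permit"))
    return findings

def zoning_drift(cfg_a, cfg_b):
    """(kind, name) of zones and zonesets defined differently on two switches."""
    return [(kind, name)
            for kind in ("zones", "zonesets")
            for name in sorted(set(cfg_a[kind]) | set(cfg_b[kind]))
            if sorted(cfg_a[kind].get(name, [])) != sorted(cfg_b[kind].get(name, []))]

if __name__ == "__main__":
    for finding in audit_zoning(parse_fc_config(SWITCH_1)):
        print(*finding)
```

PERMIT_OPEN is the finding to act on first: that vfabric has no active zoneset, so the default-zone setting alone decides access.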
50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1f 20:35:78:2b:cb:6f:65:57 View FC zoneset configuration OS10(conf-fc-zoneset-set)# show configuration ! fc zoneset set member hba1 member hba2 OS10# show fc zoneset active vFabric id: 100 Active Zoneset: set ZoneName ZoneMember ================================================ hba2 *20:01:00:0e:1e:e8:e4:99 20:35:78:2b:cb:6f:65:57 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:1f hba1 *10:00:00:90:fa:b8:22:19 *21:00:0
Pinning FCoE traffic to a specific port of a port-channel You can isolate FIP and FCoE traffic by configuring a pinned port at the FCoE LAG. FCoE LAG is the port-channel used for FIP and FCoE traffic in the intermediate switches between server and storage devices. VLT provides Active/Active LAN connectivity on converged links by forwarding traffic in multiple paths to multiple upstream devices without STP blocking any of the uplinks.
Sample FSB configuration on VLT network
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping
2. Create the FCoE VLAN.
OS10(config)# interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Configure the VLTi interface.
OS10(config)# interface ethernet 1/1/27
OS10(conf-if-eth1/1/27)# no shutdown
OS10(conf-if-eth1/1/27)# no switchport
4. Configure the VLT.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
OS10(conf-if-eth1/1/1)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/1)# priority-flow-control mode on

OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# description uplink_port_channel_member2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# channel-group 10 mode active
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/2)# priority-flow-control mode on

OS10(config)# interface OS10(conf-if-eth
Discovered FCFs: OS10# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
8. Enable DCBX. OS10(config)# dcbx enable 9. Apply the vfabric on the interfaces.
Sample FSB configuration on non-VLT network
The following examples illustrate configurations on intermediate switches in a non-VLT network to communicate with the server.
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping
2. Create the FCoE VLAN.
OS10(config)# interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Enable DCBX.
OS10(config)# dcbx enable
4. Enable the PFC parameters on the interfaces.
OS10(conf-if-eth1/1/3)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/3)# priority-flow-control mode on

OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# channel-group 20 mode active
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/4)# priority-flow-control mode on

View the configuration
Discovered ENodes:
OS10# show fcoe enode
Enode MAC Enode Interface VLAN FCFs Sess
5. Create vfabric and activate the FC zoneset.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# vlan 1001
OS10(conf-vfabric-1)# fcoe fcmap 0xEFC00
OS10(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
OS10(config)# dcbx enable
7. Apply the vfabric on the interfaces.
----------------- ---------------- ----------------
Po 10 Eth 1/1/9 Up

Multiswitch fabric (E Port)
E Ports are interfaces that connect the FC switches to form a multiswitch SAN fabric. These ports carry control frames between the switches to configure and maintain the fabric. An Inter-Switch Link (ISL) is created when you connect two E Ports to one another. FC ISL maintains the information in FC frames as the traffic flows between multiple switches. The multiswitch configuration sets the port mode as E.
compute the shortest path to reach a switch in the fabric. The name server service uses these routes to synchronize the name server database across the fabric. Hence, FSPF helps in building the fabric connectivity. Configure the same hold-time value on all the switches to ensure consistent route convergence and to avoid intermittent forwarding loops. When you configure a shorter hold-time, the route update is faster.
● ACL entries that are installed for control and data traffic use statically reserved CAM entries. Dynamic ACL space allocation is not supported. ● The switch supports zoning configurations like the F port mode. Configure the same zoning configurations on all switches in the fabric to avoid losing Logical Unit Numbers (LUNs) during topology changes. Configure multiswitch fabric (E Port) This section describes the procedure to configure multiswitch fabric (E Port).
5. Configure FC interface. OS10(config)# interface fibrechannel 1/1/1 OS10(conf-if-fc1/1/1)# no shutdown OS10(conf-if-fc1/1/1)# vfabric 1 OS10(conf-if-fc1/1/1)# exit OS10(config)# interface fibrechannel 1/1/2 OS10(conf-if-fc1/1/2)# no shutdown OS10(conf-if-fc1/1/2)# vfabric 1 6. Configure the FC switch port mode. OS10(conf-if-fc1/1/2)# fc port-mode E 7. Add VLAN 1001 and fcmap to switch-1 to activate vFabric.
6. Configure the FC switch port mode.
OS10(conf-if-fc1/1/2)# fc port-mode E
7. Add VLAN 1001 and fcmap to switch-2 to activate vFabric.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# vlan 1001
OS10(conf-vfabric-1)# fcoe fcmap 0xefc00
OS10(conf-vfabric-1)# exit
8. Create zones.
OS10(config)# fc zone zoneA
OS10(config-fc-zone-zoneA)# member wwn 20:01:f4:e9:d4:f9:fc:44
OS10(config-fc-zone-zoneA)# member wwn 20:02:00:11:0d:a5:56:01
9. Create and activate a zone set.
port-group port-group port-group port-group 1/1/7 Eth 100g-1x 1/1/8 Eth 40g-1x 1/1/9 Eth 100g-1x 1/1/10 Eth 40g-1x 25 26 29 30 - ● To verify the fabric details in switch-1, run the show fc fabric command.
● To verify the fabric name server registration on switch-1, run the show fc ns fabric command.
zoneA 20:01:f4:e9:d4:f9:fc:44 20:02:00:11:0d:a5:56:01 ● To verify the vFabric in switch-1, run the show vfabric command.
Id type State code -----------------------------------------------------------------------------------10 fc1/1/3 UPSTREAM EPORT NONE 10:00:14:18:77:20:7f:cf 20:00:14:18:77:20:7f:d0 10 fc1/1/1 NONPRINPLISL EPORT NONE 10:00:14:18:77:20:7f:cf 20:00:14:18:77:20:7f:d2 OS10# ● To display the summary of principal switch election states, in switch-2, run the show fc fabric interface command.
LSR Type = 1 Advertising domain ID = 0x65(101) LSR Age = 1686 LSR Incarnation number = 0x80000024 LSR Checksum = 0x3caf Number of links = 1 NbrDomainId IfIndex NbrIfIndex Link Type Cost -------------------------------------------------------------0x77(119) 0x00001085 0x00001095 1 125 FSPF Link State Database for Vfabric-Id 1 Domain 0x77(119) LSR Type = 1 Advertising domain ID = 0x77(119) LSR Age = 1686 LSR Incarnation number = 0x80000024 LSR Checksum = 0x3caf Number of links = 1 NbrDomainId IfIndex NbrIfInd
Number of packets received: LSU 8 LSA 8 Hello 118 Error packets 0 Number of packets transmitted : LSU 8 LSA 8 Hello 119 Retransmitted LSU 0 Supported Releases 10.5.1.0 or later clear fc fabric statistics Clears the fabric statistics for all the interfaces. Syntax clear fc fabric statistics [interface type node/slot/port[:subport] | vfabric vfabric-id] Parameters ● node/slot/port[:subport]—Enter interface information. ● vfabric-id—Enter the vfabric ID.
34 32 31 33 35 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Supported Releases 10.5.1.0 or later

clear fc fspf statistics
Clears FSPF statistics for all the interfaces.
Syntax clear fc fspf statistics [interface type node/slot/port[:subport] | vfabric vfabric-id]
Parameters
● node/slot/port[:subport]—Enter interface information.
● vfabric-id—Enter the vfabric ID.
Defaults Dynamic Configuration Command Mode Vfabric CONFIGURATION Usage Information ● The configurations are supported only in the multiswitch mode. The configured domain ID can be preferred or dynamic. ● If the domain ID is preferred, the switch requests the preferred domain ID from the principal switch. ● You can change the domain ID only when the vfabric is in an inactive state. To activate vfabric, add vlan and fcmap configuration under the vfabric configuration view.
Usage Information ● The configurations are supported only in the multiswitch mode. In F_port mode, all the ports operate as F Port. On enabling the multiswitch mode, a port works as either a F_port or an E_port. ● To change modes, disable current mode and enable the new mode. This operation leads to traffic disruption on the corresponding port. ● You can disable the multiswitch mode only if you delete the related configurations. ● For NPG switch mode, the default port mode is N.
Example
OS10(config-if-fc-1/1/1)#fspf cost 90
Supported Releases 10.5.1.0 or later

fspf dead-interval
Configures the FSPF dead Interval value for every interface.
Syntax fspf dead-interval timeout-val
Parameters timeout-val—Valid values are from 1 to 65535.
Defaults 80 s
Command Mode Fiber channel INTERFACE
Usage Information
● The configurations are supported only in the multiswitch mode.
● This command specifies the maximum interval.
Usage Information Example Supported Releases ● The configurations are supported only in multiswitch mode. ● This command configures the hold-time between two consecutive route computations in milliseconds, for the entire vfabric. If the specified time is shorter, the routing update is faster. However, the processor consumption increases accordingly. NOTE: Configure the same hold timer value on all the switches for consistent route convergence, and to avoid intermittent traffic loop.
r_a_tov Configures the R_A_TOV FC timer value for vfabric. Syntax r_a_tov timeout-val Parameters timeout-val—Valid values are from 5000 to 10000. Defaults 10000ms Command Mode VFabric CONFIGURATION Usage Information ● The configurations are supported only in multiswitch mode. ● This timer is used to mark the error conditions during domain ID allocation, SW-RSCN, and NS QUERY. Match this value with the other end, during port initialization.
Parameters None Defaults Not applicable Command Mode EXEC Usage Information ● Use this command to display the summary of principal switch election states, ILS link type, port state, remote switch, and port name. ● The Fabric states are Build Fabric, Reconfigure Fabric, EFP-Idle, EFP-Send, Principal-Switch, NonPrincipal-Switch, No Domain, and Stable states. ● The Link types are Unknown, Non-Principal ISL, Upstream Principal ISL, and Downstream Principal ISL.
Example Supported Releases OS10#show fc fabric statistics interface fibrechannel 1/1/1 Number of Request packets received : ELP 8 EFP 12 BF 3 RCF 2 DIA 5 RDI 5 Number of Accept packets received : ELP ACC 8 EFP ACC 12 BF ACC 3 RCF ACC 2 DIA ACC 5 RDI ACC 5 Number of Reject packets received : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Number of Request packets transmitted : ELP 8 EFP 12 BF 3 RCF 2 DIA 5 RDI 5 Number of Accept packets transmitted : ELP ACC 8 EFP ACC 12 BF ACC 3 RCF ACC 2 DIA
show fc fspf database Displays the FSPF link state database information of a switch. Syntax show fc fspf database Parameters None Defaults Not applicable Command Mode GLOBAL CONFIGURATION Usage Information Use this command to display the FSPF link state database information of a switch. The database information includes the entire LSR information of the fabric that is constructed based on the LSRs received from other switches.
show fc fspf route
Displays the server and target ports.
Syntax show fc fspf route
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the FSPF route information, and the route to reach every other switch in the fabric.
Example
OS10#show fc fspf route
vfabric-Id Dest-Domain Route-Cost Next-hop
---------------------------------------------------------------
100 0x66(102) 125 fc1/1/2
Supported Releases 10.5.1.
Usage Information Use this command to briefly display all the remote name server entries in the FC fabric.
Example
OS10#show fc ns fabric brief
Total number of devices = 2
Domain FC-ID WWPN WWNN
-------------------------------------------------------------------
2 02:09:00 32:11:0e:fc:00:00:00:88 22:11:0e:fc:00:00:00:88
1 01:04:00 10:00:8c:7c:ff:17:f8:01 20:00:8c:7c:ff:17:f8:01
Supported Releases 10.5.1.0 or later

show fc ns switch statistics
Shows the Name Server statistics for an interface.
Supported Releases RSCN 0 SW_RSCN GE_PT GE_ID ReqRx 0 0 0 ReqTx 0 0 0 AccRx 0 0 0 AccTx 0 0 0 RejRx 0 0 0 RejTx 0 0 0 ReqReTx 0 0 0 10.5.1.0 or later show fc switch Shows the multiswitch mode. Syntax show fc switch Parameters None Defaults Not applicable Command Mode GLOBAL CONFIGURATION Usage Information Use this command to display the current configured switch mode. Example Supported Releases OS10# show fc switch 10.5.1.
Output statistics: 0 frames, 0 bytes 0 class 2 frames, 0 class 3 frames 0 BB credit 0, 0 oversize frames 0 total errors Rate Info: Input 0 bytes/sec, 0 frames/sec, 0% of line rate Output 0 bytes/sec, 0 frames/sec, 0% of line rate Time since last interface status change: 1 day 16:33:57 Supported Releases 10.5.1.0 or later show vfabric Shows the fc timer, E_D_TOV, R_A_TOV, principal switch priority, and domain ID values in the show vfabric command.
show vfabric fspf Displays FSPF information at the vfabric level. Syntax show vfabric fspf Parameters None Defaults Not applicable Command Mode GLOBAL CONFIGURATION Usage Information Use this command to display the FSPF information of an interface.
session. The ENode takes a long time to identify the issue and to recover from it. At times, interface flapping occurs and might require manual intervention to recover. To recover automatically, FSB sends a Clear Virtual Link (CVL) frame from the FCF to the ENode. Configuration notes ● If you configure FSB with port pinning on the uplink or downlink side, you must configure the FCF-facing interface as FCF port mode.
d. Create class-maps. L2switch(config)# class-map type network-qos c3 L2switch(config-cmap-nqos)# match qos-group 3 L2switch(config)# class-map type queuing q0 L2switch(config-cmap-queuing)# match queue 0 L2switch(config-cmap-queuing)# exit L2switch(config)# class-map type queuing q3 L2switch(config-cmap-queuing)# match queue 3 L2switch(config-cmap-queuing)# exit e. Create policy-maps.
FSB1(config)# interface ethernet 1/1/2 FSB1(conf-if-eth1/1/2)# no flowcontrol receive FSB1(conf-if-eth1/1/2)# no flowcontrol transmit b. Enable FIP snooping with cvl option. FSB1(config)# feature fip-snooping with-cvl c. Enable DCBX. FSB1(config)# dcbx enable d. Create an FCoE VLAN and configure FIP snooping on the FCoE VLAN. FSB1(config)# interface vlan 777 FSB1(conf-if-vl-777)# fip-snooping enable e. Create class-maps.
FSB1(conf-if-eth1/1/2)# qos-map traffic-class tc-q-map1 FSB1(conf-if-eth1/1/2)# service-policy input type network-qos nqpolicy FSB1(conf-if-eth1/1/2)# service-policy output type queuing ets_policy i. Configure VLAN on CNA1, L2 switch, and FSB2 connected interfaces.
FSB2(config-pmap-c-nqos)# pause FSB2(config-pmap-c-nqos)# pfc-cos 3 FSB2(config)# policy-map type queuing ets_policy FSB2(config-pmap-queuing)# class q0 FSB2(config-pmap-c-que)# bandwidth percent 30 FSB2(config-pmap-c-que)# class q3 FSB2(config-pmap-c-que)# bandwidth percent 70 g. Create a qos-map. FSB2(config)# qos-map traffic-class tc-q-map1 FSB2(config-qos-map)# queue 3 qos-group 3 FSB2(config-qos-map)# queue 0 qos-group 0-2,4-7 h. Apply the QoS configurations on FSB1 and FCF connected interfaces.
c. Create zones.
FCF(config)# fc zone zoneA
FCF(config-fc-zone-zoneA)# member wwn 20:01:f4:e9:d4:a4:7d:c3
FCF(config-fc-zone-zoneA)# member wwn 21:00:00:24:ff:7c:ae:0e
d. Create zoneset.
FCF(config)# fc zoneset zonesetA
FCF(conf-fc-zoneset-set)# member zoneA
e. Create a vfabric VLAN.
FCF(config)# interface vlan 777
f. Create vfabric and activate the zoneset.
FCF(config)# vfabric 2
FCF(conf-vfabric-2)# vlan 777
FCF(conf-vfabric-2)# fcoe fcmap 0xEFC00
FCF(conf-vfabric-2)# zoneset activate zonesetA
g.
k. Apply QoS configurations on the interface connected to FSB2.
Intf# fibrechannel1/1/3 20:04:00:11:0d:64:67:00 ethernet1/1/13 23:00:55:2c:cf:55:00:00 Domain FC-ID Enode-WWPN 2 02:00:00 21:00:00:24:ff:7c:ae:0e 2 02:01:00 20:01:f4:e9:d4:a4:7d:c3 Enode-WWNN ● To verify the active zoneset on the FCF, use the show fc zoneset active command.
Table 19. High-level configurations on FSB1, FSB3, and FCF1 FSB1/FSB2 FSB3/FSB4 FCF1/FCF2 1. Enable FIP snooping. 2. Enable DCBX. 3. Create FCoE VLAN and configure FIP snooping. 4. Create class-maps. 5. Create policy-maps. 6. Create a qos-map. 7. Configure port channel. 8. Configure VLTi interface member links. 9. Configure VLT domain. 10. Configure VLAN. 11. Apply QoS configurations on uplink (FSB3/FSB4) and downlink interfaces (CNA-1/CNA-2). Configure the uplink interface as pinned-port. 12.
FSB1(config-pmap-c-nqos)# pause FSB1(config-pmap-c-nqos)# pfc-cos 3 FSB1(config)# policy-map type queuing ets_policy FSB1(config-pmap-queuing)# class q0 FSB1(config-pmap-c-que)# bandwidth percent 30 FSB1(config-pmap-c-que)# class q3 FSB1(config-pmap-c-que)# bandwidth percent 70 6. Create a qos-map. FSB1(config)# qos-map traffic-class tc-q-map1 FSB1(config-qos-map)# queue 3 qos-group 3 FSB1(config-qos-map)# queue 0 qos-group 0-2,4-7 7. Configure port channel.
FSB1(conf-if-eth1/1/36)# qos-map traffic-class tc-q-map1
FSB1(conf-if-eth1/1/36)# service-policy input type network-qos nqpolicy
FSB1(conf-if-eth1/1/36)# service-policy output type queuing ets_policy
FSB1(conf-if-eth1/1/36)# fcoe-pinned-port

FSB1(config)# interface ethernet 1/1/31
FSB1(conf-if-eth1/1/31)# flowcontrol receive off
FSB1(conf-if-eth1/1/31)# priority-flow-control mode on
FSB1(conf-if-eth1/1/31)# ets mode on
FSB1(conf-if-eth1/1/31)# trust-map dot1p default
FSB1(conf-if-eth1/1/31)# qos-map traff
6. Create a qos-map. FSB2(config)# qos-map traffic-class tc-q-map1 FSB2(config-qos-map)# queue 3 qos-group 3 FSB2(config-qos-map)# queue 0 qos-group 0-2,4-7 7. Configure port channel. FSB2(config)# interface port-channel 10 FSB2(conf-if-po-10)# no shutdown FSB2(conf-if-po-10)# vlt-port-channel 1 8. Configure VLTi interface member links.
FSB2(conf-if-eth1/1/2)# trust-map dot1p default
FSB2(conf-if-eth1/1/2)# qos-map traffic-class tc-q-map1
FSB2(conf-if-eth1/1/2)# service-policy input type network-qos nqpolicy
FSB2(conf-if-eth1/1/2)# service-policy output type queuing ets_policy
12. Configure FIP snooping port mode on the port channel interface. The default port mode is ENode. Hence, the interface connected to CNA-2 does not require additional configuration.
7. Configure port channel. FSB3(config)# interface port-channel 10 FSB3(conf-if-po-10)# no shutdown FSB3(conf-if-po-10)# vlt-port-channel 1 8. Configure VLTi interface member links.
12. Configure FIP snooping port mode on the port channel and the interface connected to FCF1. FSB3(config)# interface port-channel 10 FSB3(conf-if-po-10)# fip-snooping port-mode enode-transit FSB3(config)# interface ethernet 1/1/45 FSB3(conf-if-eth1/1/45)# fip-snooping port-mode fcf FSB4 configuration 1. Enable FIP snooping. FSB4(config)# feature fip-snooping with-cvl 2. Enable DCBX. FSB4(config)# dcbx enable 3. Create FCoE VLAN and configure FIP snooping.
8. Configure VLTi interface member links. FSB4(config)# interface ethernet1/1/34 FSB4(conf-if-eth1/1/34)# no shutdown FSB4(conf-if-eth1/1/34)# no switchport FSB4(conf-if-eth1/1/34)# channel-group 10 FSB4(config)# interface ethernet1/1/37 FSB4(conf-if-eth1/1/37)# no shutdown FSB4(conf-if-eth1/1/37)# no switchport FSB4(conf-if-eth1/1/37)# channel-group 10 9. Configure VLT domain. FSB4(config)# vlt-domain 3 FSB4(conf-vlt-2)# discovery-interface ethernet1/1/40 FSB4(conf-vlt-2)# vlt-mac 1a:2b:3c:2a:1b:1c 10.
3. Create zoneset.
FCF1(config)# fc zoneset zonesetA
FCF1(conf-fc-zoneset-setA)# member zoneA
4. Create a vfabric VLAN.
FCF1(config)# interface vlan 1001
5. Create vfabric and activate the zoneset.
FCF1(config)# vfabric 1
FCF1(conf-vfabric-1)# vlan 1001
FCF1(conf-vfabric-1)# fcoe fcmap 0xEFC00
FCF1(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
FCF1(config)# dcbx enable
7. Create class-maps.
11. Apply vfabric on the interfaces connected to FSB3 and the target. FCF1(config)# interface ethernet 1/1/45 FCF1(conf-if-eth1/1/45)# switchport access vlan 1 FCF1(conf-if-eth1/1/45)# vfabric 1 FCF1(config)# interface fibrechannel 1/1/3 FCF1(conf-if-fc1/1/3)# description target_connected_port FCF1(conf-if-fc1/1/3)# no shutdown FCF1(conf-if-fc1/1/3)# vfabric 1 FCF2 configuration 1. Enable Fiber Channel F-Port mode globally. FCF2(config)# feature fc domain-id 3 2. Create zones.
FCF2(config-pmap-c-que)# class q3 FCF2(config-pmap-c-que)# bandwidth percent 70 9. Create a qos-map. FCF2(config)# qos-map traffic-class tc-q-map1 FCF2(config-qos-map)# queue 3 qos-group 3 FCF2(config-qos-map)# queue 0 qos-group 0-2,4-7 10. Apply QoS configurations on the interface connected to FSB4.
MAC FC-ID PORT WWPN PORT WWNN -----------------------------------------------------------------------------------------------------------------------------------------------00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 FSB2# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
14:18:77:20:80:ce 1 Eth 1/1/42 F FSB4# show fcoe system Mode CVL Status FCOE VLAN List (Operational) FCFs Enodes Sessions : : : : : : 1002 0e:fc:00 8000 FSB Enabled 1001,1002 1 1 1 FCF1 FCF1# show fcoe sessions Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN PORT WWNN ----------------------------------------------------------------------------------------------------------------------------------------------f4:e9:d4:f9:fc:42 Eth 1/1/45 14:18:77:20:86:ce ~ 1001 0e:fc:00:
● While configuring or unconfiguring the FC-Gateway uplink, the uplink interface flaps. Because UFD is enabled by default for NPG (FCGateway Uplink) in SmartFabric mode, UFD brings down the server-facing ports that are deployed with the same FCoE VLAN as the FCGateway uplink. ● Fibrechannel port flaps are observed on the IOM side if the IOM is operationally up and is connected to a storage device without configuring the FCDirectAttach uplink (vfabric) on this port.
5. Enable DCBX globally.
OS10(config)# dcbx enable
6. Create a class map and policy map.
OS10(config)# class-map type network-qos cmap1
OS10(config-cmap-nqos)# match qos-group 3
OS10(config)# policy-map type network-qos pmap1
OS10(config-pmap-network-qos)# class cmap1
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 1.
OS10(config)# interface ethernet 1/1/50
OS10(conf-if-eth1/1/50)# no flowcontrol receive
8.
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no flowcontrol receive
8. Enable PFC mode on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# priority-flow-control mode on
9. Apply the service policy on the interface that connects to CNA 2.
Load balancing after system reboot After reboot, upstream FC connections to the end-devices become operational first and carry more sessions than the other upstream FC connections to SAN. This requires load balancing. You can address load balancing in the following ways: ● After reboot, check the system state and trigger rebalance using the CLI. ● Configure the delay fcf-adv timer. The delay timer starts when a new FC upstream interface is available.
Create VLAN OS10(config)# interface vlan 100 Create vFabric OS10(config)# vfabric 100 OS10(conf-vfabric-100)# vlan 100 OS10(conf-vfabric-100)# name NPG_Fabric OS10(conf-vfabric-100)# fcoe fcmap 0efc01 OS10(conf-vfabric-100)# exit Apply vFabric and FC port-mode configuration on the interface that connects to FC end point (HBA) OS10(config)# interface range fibrechannel 1/1/9,1/1/10 OS10(conf-range-fc1/1/9,1/1/10)# vfabric 100 OS10(conf-range-fc1/1/9,1/1/10)# fc port-mode F OS10(conf-range-fc1/1/9,1/1/10)# no
Apply vFabric configuration on the interface that connects to FCoE end points (CNA)
OS10(config)# interface range ethernet 1/1/54,1/1/55
OS10(conf-range-eth1/1/54,1/1/55)# vfabric 100
OS10(conf-range-eth1/1/54,1/1/55)# no shut
OS10(conf-range-eth1/1/54,1/1/55)# exit
Apply vFabric configuration on the FC upstream interfaces
OS10(config)# interface range fibrechannel 1/1/1,1/1/2
OS10(conf-range-fc1/1/1,1/1/2)# vfabric 100
OS10(conf-range-fc1/1/1,1/1/2)# no shut
OS10(conf-range-fc1/1/1,1/1/2)# exit
Apply FCoE
You can use manual rebalancing when you:
Add new FC uplink to a balanced system
Consider a topology with the following structure:
● NPG switch with two FC uplinks (fc 1/1/1 and fc 1/1/2) of the same speed (16G)
● Ports connecting to both FCoE and FC end points (eth 1/1/54, eth 1/1/55, fc 1/1/9 and fc 1/1/10)
All the end points (servers) are logged in to the storage through the NPG switch. One FLOGI session is associated with each server.
Receive Fabric Discovery Request (FDISC) from an end point
Consider the NPG switch with:
● two FC uplinks (fc 1/1/1 and fc 1/1/2) of different speed (8 G and 16 G)
● two ports (eth 1/1/54, eth 1/1/55) connecting the FCoE end points
Each end point has one session that is associated with it. The NPG switch maps one session to each FC uplink to balance the system. Consider that the end point connected to eth 1/1/55 establishes four more Fabric Discovery Sessions (FDISC).
fc alias
Creates an FC alias. After creating the alias, add members to the FC alias. An FC alias can have a maximum of 255 unique members.
Syntax fc alias alias-name
Parameters alias-name — Enter a name for the FC alias.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the FC alias. To delete an FC alias, first remove it from the FC zone. Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0.
Usage Information The no version of this command removes the FC zoneset. Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
Example
OS10(config)# fc zoneset set
OS10(conf-fc-zoneset-set)# member hba1
Supported Releases 10.3.1E or later

feature fc
Enables the F_Port globally.
Syntax feature fc domain-id domain-id
Parameters domain-id — Enter the domain ID of the F_Port, from 1 to 239.
member (zone)
Adds members to existing zones. Identify a member by an FC alias, a world wide name (WWN), or an FC ID.
Syntax member {alias-name alias-name | wwn wwn-ID | fc-id fc-id}
Parameters
● alias-name — Enter the FC alias name.
● wwn-ID — Enter the WWN name.
● fc-id — Enter the FC ID name.
Defaults Not configured
Command Mode Zone CONFIGURATION
Usage Information Supported on the MX9116n switch in Full Switch mode starting in release 10.4.0E(R3S).
Example
OS10# show fc alias
Alias Name  Alias Member
==============================================
test        21:00:00:24:ff:7b:f5:c9
            20:25:78:2b:cb:6f:65:57
OS10#
Supported Releases 10.3.1E or later

show fc interface-area-id mapping
Displays the FC ID to interface mapping details.
Registered with NameServer  Yes
Registered for SCN          No
Example (brief)
OS10# show fc ns switch brief
Total number of devices = 1
Intf#                      Domain  FC-ID     Enode-WWPN               Enode-WWNN
port-channel10(Eth 1/1/9)  4       04:00:00  10:00:00:90:fa:b8:22:18  20:00:00:90:fa:b8:22:18
Supported Releases 10.3.1E or later

show fc zone
Displays the FC zones and the zone members.
Syntax show fc zone [zone-name]
Parameters zone-name — Enter the FC zone name.
Command Mode EXEC
Usage Information None
Example
OS10# show fc zoneset
ZoneSetName  ZoneName  ZoneMember
=========================================================
set          hba1      21:00:00:24:ff:7b:f5:c8
                       10:00:00:90:fa:b8:22:19
                       21:00:00:24:ff:7f:ce:ee
                       21:00:00:24:ff:7f:ce:ef
             hba2      20:01:00:0e:1e:e8:e4:99
                       50:00:d3:10:00:ec:f9:1b
                       50:00:d3:10:00:ec:f9:05
                       50:00:d3:10:00:ec:f9:1f
                       20:35:78:2b:cb:6f:65:57
vFabric id: 100
Active Zoneset: set
ZoneName  ZoneMember
==============================================
hba2      20:01:
zone default-zone permit
Enables access between all logged-in FC nodes of the vfabric in the absence of an active zoneset configuration.
Syntax zone default-zone permit
Parameters None
Defaults Not configured
Command Mode Vfabric CONFIGURATION
Usage Information A default zone advertises a maximum of 255 members in the registered state change notification (RSCN) message. The no version of this command disables access between the FC nodes in the absence of an active zoneset.
Usage Information Configure the port mode when the port is in Shut mode and when NPG mode is enabled. The no version of this command returns the port mode to default.
Example
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# fc port-mode F
Supported Releases 10.4.1.0 or later

feature fc npg
Enables the NPG mode globally.
Po 10(Eth 1/1/9) 20:01:d4:ae:52:1a:ee:54 1001 Fc 1/1/25 10 LOGGED_IN
Supported Releases 10.4.0E(R1) or later

show npg uplink-interface
Displays information about an FC upstream interface.
Syntax show npg uplink-interfaces [vfabric vfabric-id [fcf-info] | [fcf-info]]
Parameters
● fcf-info - FCF Availability Status, fabric name of the FC upstream switch connected, error reason, FCF advertisement delay timeout left and duplicate FC id assignment counter.
--------------------------------------------------------------------------------
Fc 1/1/1   01:00:01  2          8       3      3      6      6
Fc 1/1/2   01:00:02  4          16      1      9      10     15
VFabric Id : 200
Uplink                          Speed
Intf       FC Id     BB Credit  (Gbps)  FLOGI  FDISC  Total  Redistributed
--------------------------------------------------------------------------------
Fc 1/1/11  01:00:0B  2          8       3      3      6      10
Fc 1/1/12  01:00:0C  4          16      1      0      1      1
VFabric Id : 300
Uplink                          Speed
Intf       FC Id     BB Credit  (Gbps)  FLOGI  FDISC  Total  Redistributed
--------------------------------------------------------------------------------
Fc 1/1/13  01:00:03  2          8       3      3      6      0
Fc 1/
clear fc statistics
Clears FC statistics for specified vfabric or fibre channel interface.
Syntax clear fc statistics [vfabric vfabric-ID | interface fibrechannel]
Parameters
● vfabric-ID — Enter the vfabric ID.
● fibrechannel — Enter the fibre channel interface name.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# clear fc statistics vfabric 100
OS10# clear fc statistics interface fibrechannel1/1/25
Supported Releases 10.4.1.
Default Not configured
Command Mode Global config
Usage Information Time to wait after the last FCF connects to the NPG switch to send the Multicast discovery Advertisement. This command is supported in NPG mode.
Example
OS10(config)# fcoe delay fcf-adv 16
Supported Releases 10.4.0E(R1) or later
In previous releases, the command is not available in full switch mode. From this release, the command is available both in full switch mode and fabric mode.

name
Configures a vfabric name.
Table 21. Fields and Descriptions (continued)
Example
Fields       Description
FDISC        Number of Fabric Discovery Sessions in the FC uplink interface
Load         Total number of sessions (FLOGI and FDISC) in the FC uplink interface
Speed        Link speed of the FC uplink interface
Excess Load  Excess load is the absolute (Current load on the link - ((Minimum load per 8G speed in c state) * port-speed/8G)).
22:01:d4:ae:52:1a:ee:54  Fc 1/1/2  Fc 1/1/1  2
23:01:d4:ae:52:1a:ee:54  Fc 1/1/2  Fc 1/1/1  2
OS10#re-balance npg sessions vfabric 100
Fabric Id 100
State before Re-balancing
Uplink     FLOGI  FDISC  Load  Speed   Excess
Intf                           (Gbps)  Load
-----------------------------------------------------------------
Fc 1/1/1   1      9      10    8       7
Fc 1/1/2   3      3      6     16      0
-----------------------------------------------------------------
           4      12     16    24      7
-----------------------------------------------------------------
Session Displacements:
Total No.
1. FC Port Down
2. No Response For FLOGI
3. Duplicate FC ID
4. FLOGI Rejected
5. Vfabric Inactive
Duplicate FC IDs—Number of duplicate address (FC ID) assignments that happened on the interface.
FC ID—FC-ID allocated to the initial FLOGI request from NPG switch on the interface.
BB Credit—Transmit Buffer to Buffer Credit.
Speed—Link speed of the FC uplink interface.
FLOGI—Number of Fabric Login Sessions in the FC uplink interface.
FDISC—Number of Fabric Discovery Sessions in the FC uplink interface.
Uplink                                            Duplicate
Intf       Upstream Fabric-Name     Error Reason  FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/13  20:01:d4:ae:52:1a:ee:53  NONE          1
Fc 1/1/14  20:01:d4:ae:52:7d:aa:54  NONE          0
OS10#show npg uplink-interfaces vfabric 200 fcf-info
VFabric Id : 200
FAD Timeout Left : 10 second(s)
FCF Availability Status : No
Uplink                                            Duplicate
Intf       Upstream Fabric-Name     Error Reason  FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/11  10:01:d4:ae:52:1a:ee:50  FLOGI_R
--------------------------------------------------
Fc 1/1/9    1      1      2
Fc 1/1/10   1      1      2
Eth 1/1/54  1      1      2
Eth 1/1/55  1      9      10
VFabric Id : 200
Node Intf   FLOGI  FDISC  Re-distributed
--------------------------------------------------
Fc 1/1/7    1      1      2
VFabric Id : 300
Node Intf   FLOGI  FDISC  Re-distributed
--------------------------------------------------
Eth 1/1/51  1      9      10
Supported Releases 10.4.0E(R1) or later

show fc statistics
Displays the FC statistics.
show fc switch
Displays FC switch parameters.
Syntax show fc switch
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show fc switch
Switch Mode : FPORT
Switch WWN : 10:00:14:18:77:20:8d:cf
Supported Releases 10.3.1E or later

show running-config vfabric
Displays the running configuration for the vfabric.
Fabric Type   FPORT
Fabric Id     10
VlanId        1001
FC-MAP        0EFC00
Config-State  ACTIVE
Oper-State    UP
==========================================
Switch Config Parameters
==========================================
Domain ID     4
==========================================
Switch Zoning Parameters
==========================================
Default Zone Mode: Deny
Active ZoneSet: zoneset5
=========================================
Members
fibrechannel1/1/25
port-channel10(Eth 1/1/9)
Supported Releases 10.3.
Example
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# vfabric 100
OS10(config)# interface ethernet 1/1/10
OS10(conf-if-eth1/1/10)# vfabric 200
Supported Releases 10.3.1E or later

vlan
Associates an existing VLAN ID to the vfabric to carry traffic.
Syntax vlan vlan-ID
Parameters vlan-ID — Enter an existing VLAN ID.
Defaults Not configured
Command Mode Vfabric CONFIGURATION
Usage Information Create the VLAN ID before associating it to the vfabric.
Example
OS10(config)# feature fip-snooping
OS10(config)# feature fip-snooping with-cvl
Supported Releases 10.4.0E(R1) or later

fip-snooping enable
Enables FIP snooping on a specified VLAN.
Syntax fip-snooping enable
Parameters None
Defaults Disabled
Command Mode VLAN INTERFACE
Usage Information Enable FIP snooping on a VLAN only after enabling the FIP snooping feature globally using the feature fip-snooping command. OS10 supports FIP snooping on a maximum of 12 VLANs.
Command Mode INTERFACE
Usage Information OS10 supports this configuration only on a switch running FSB mode, and on Ethernet and port-channel interfaces. You cannot configure FIP snooping port mode on a port channel member. Use this command to change the port mode. By default, the port mode of an interface is set to ENode. Configure the port mode only after you enable FIP snooping. Before you disable FIP snooping, reset the port mode to its default value, ENode.
Usage Information If you do not specify the interface interface-type information, the command clears the statistics for all the interfaces and VLANs.
Example
OS10# clear fcoe statistics interface ethernet 1/1/1
OS10# clear fcoe statistics interface port-channel 5
Supported Releases 10.4.0E(R1) or later

fcoe delay fcf-adv
Delays the Multicast Discovery Advertisement from FCFs to be sent to Enodes.
Syntax fcoe delay fcf-adv timeout
Parameters timeout - Timeout range specified in seconds.
Defaults 32
Command Mode CONFIGURATION
Usage Information The no version of this command resets the number of sessions to the default value.
NOTE: This command is not available in the fabric mode of MX9116N-ON. So in MX9116N-ON, the number of FCoE sessions is always 32. If the device is in Full-switch mode, you can configure the maximum number of FCoE sessions per ENode to be 64 using the fcoe max-sessions-per-enodemac 64 command.
Example
Supported Releases
re-balance fc npg sessions vfabric
Re-balances the FC sessions across FC uplinks.
Syntax re-balance fc npg sessions vfabric vfabric-id [dry-run][brief]
Parameters None
Defaults Not configured
Command Mode EXEC
Usage Information Triggers the load-balancing mechanism to redistribute the sessions across the FC uplinks. The dry-run option displays the current state of the system, the sessions that would be cleared, and the system state after load balancing, without actually performing the rebalance.
-------------------------------------------------------------------
           4      12     16    24      1
-------------------------------------------------------------------
OS10#re-balance npg sessions vfabric 100 dry-run brief
Fabric Id 100
Session Displacements:
Total No. of Node(s) : 4
No. of Node(s) displaced : 4
-----------------------------------------------------------------------
Node WWPN  From Uplink Intf  To Uplink Intf  No.
Usage Information None
Example
OS10# show fcoe enode
Enode MAC          Enode Interface   VLAN  FCFs  Sessions
-----------------  ----------------  ----  ----  --------
d4:ae:52:1b:e3:cd  Po 20(Eth 1/1/3)  1001  1     1
Supported Releases 10.4.0E(R1) or later

show fcoe fcf
Displays details of the FCFs connected to the switch.
Syntax show fcoe fcf [fcf-mac-address]
Parameters fcf-mac-address — (Optional) Enter the MAC address of the FCF. This option displays details of the specified FCF.
show fcoe pinned-port
Displays the port-channel, the corresponding pinned-port configuration, and the port status if the FCoE sessions are formed.
Syntax show fcoe pinned-port [port-channel port-channel-id]
Parameters port-channel-id—Enter the port-channel ID to display the corresponding configuration.
Parameters interface-type — (Optional) Enter the type of interface. This option displays statistics of the specified interface.
show fcoe vlan
Displays details of FIP-snooping VLANs.
Syntax show fcoe vlan
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show fcoe vlan
* = Default VLAN
VLAN  FC-MAP    FCFs  Enodes  Sessions
----  ------    ----  ------  --------
*1
100   0X0EFC00  1     2       17
Supported Releases 10.4.
12 Layer 2
802.1X
Verifies device credentials before sending or receiving packets using the Extensible Authentication Protocol (EAP), see 802.1X Commands.
Link Aggregation Control Protocol (LACP)
Exchanges information between two systems and automatically establishes a link aggregation group (LAG) between the systems, see LACP Commands.
NOTE: OS10 supports only RADIUS as the back-end authentication server.
The authentication process involves three devices:
● Supplicant — The device attempting to access the network performs the role of supplicant. Regular traffic from this device does not reach the network until the port associated with the device is authorized. Before that, the supplicant can only exchange 802.1x messages (EAPOL frames) with the authenticator.
6. If the identity information the supplicant provides is valid, the authentication server sends an Access Accept frame that specifies the network privileges. The authenticator changes the port state to authorized and forwards an EAP Success frame. If the identity information is invalid, the server sends an Access Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
EAP over RADIUS
802.
Enable 802.1X
1. Enable 802.1X globally in CONFIGURATION mode.
dot1x system-auth-control
2. Enter an interface or a range of interfaces in CONFIGURATION mode.
interface range
3. Enable 802.1X on the supplicant interface only in INTERFACE mode.
dot1x port-control auto
Configure and verify 802.
Identity retransmissions
If the authenticator sends a Request Identity frame but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. There are several reasons why the supplicant might fail to respond: the supplicant may be booting when the request arrived, there may be a physical layer problem, and so on.
1.
The Request Identity Retransmit interval is for an unresponsive supplicant. You can configure the interval for a maximum of 10 times for an unresponsive supplicant.
1. Configure the amount of time that the authenticator waits to retransmit a Request Identity frame after a failed authentication in INTERFACE mode from 1 to 65535, default 60 seconds.
● Place a port in the auto, force-authorized (default), or force-unauthorized state in INTERFACE mode.
dot1x port-control {auto | force-authorized | force-unauthorized}
Configure and verify force-authorized state
OS10(conf-range-eth1/1/7-1/1/8)# dot1x port-control force-authorized
OS10(conf-range-eth1/1/7-1/1/8)# do show dot1x interface ethernet 1/1/7
802.
Tx Period:           120 seconds
Quiet Period:        120 seconds
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         5
Host Mode:           MULTI_HOST
Auth PAE State:      Initialize
Backend State:       Initialize
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
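The guide states that force-authorized is the default port-control state, so a port with no dot1x line does not authenticate its supplicant. The following audit is an added example, not Dell code: it applies that default to saved running-configuration text and lists the administratively up Ethernet ports that pass traffic without 802.1X. The configuration layout, interface names, and RADIUS host in the sample are constructed assumptions.

```python
import re

# Default state per the guide: "auto, force-authorized (default), or force-unauthorized".
DEFAULT_PORT_CONTROL = "force-authorized"
PORT_CONTROL = re.compile(
    r"dot1x port-control (auto|force-authorized|force-unauthorized)")

# Constructed sample; the running-configuration layout (one-space indented
# interface blocks separated by "!") is an assumption, not copied from the guide.
SAMPLE_CONFIG = """\
dot1x system-auth-control
radius-server host 192.0.2.10 key 9 CONSTRUCTED-PLACEHOLDER
!
interface ethernet1/1/7
 no shutdown
 dot1x port-control auto
 dot1x re-authentication
!
interface ethernet1/1/8
 no shutdown
 dot1x port-control force-authorized
!
interface ethernet1/1/9
 no shutdown
!
interface ethernet1/1/10
 shutdown
!
"""


def interface_blocks(config):
    """Return {interface name: [indented lines]} from running-config text."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def audit_dot1x(config):
    """Report global 802.1X/RADIUS status and ports that skip authentication."""
    top_level = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    report = {
        "system_auth_control": "dot1x system-auth-control" in top_level,
        "radius_server": any(l.startswith("radius-server host ") for l in top_level),
        "open_ports": [],
    }
    for name, body in interface_blocks(config).items():
        if not name.startswith("ethernet") or "shutdown" in body:
            continue  # only administratively up Ethernet ports matter here
        state, source = DEFAULT_PORT_CONTROL, "default"
        for line in body:
            match = PORT_CONTROL.fullmatch(line)
            if match:
                state, source = match.group(1), "configured"
        # With 802.1X disabled globally, every up port is listed for review.
        if state == "force-authorized" or not report["system_auth_control"]:
            report["open_ports"].append((name, state, source))
    return report


if __name__ == "__main__":
    result = audit_dot1x(SAMPLE_CONFIG)
    print("802.1X enabled globally:", result["system_auth_control"])
    print("RADIUS server configured:", result["radius_server"])
    for port, state, source in result["open_ports"]:
        print(f"{port}: {state} ({source})")
```

Uplinks and switch-to-switch links are often force-authorized on purpose, so treat the list as ports to review rather than as violations.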
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x host-mode multi-host
Supported Releases 10.2.0E or later

dot1x max-req
Changes the maximum number of requests that the device sends to a supplicant before restarting 802.1X authentication.
Syntax dot1x max-req retry-count
Parameters max-req retry-count — Enter the retry count for the request sent to the supplicant before restarting 802.
Default Disabled
Command Mode INTERFACE
Usage Information The no version of this command disables the periodic reauthentication of 802.1X supplicants.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x re-authentication
Supported Releases 10.2.0E or later

dot1x timeout quiet-period
Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
Default 30 seconds
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x server-timeout 60
Supported Releases 10.2.0E or later

dot1x timeout supp-timeout
Sets the number of seconds that the device waits for the supplicant to respond to an EAP request frame before the device retransmits the frame.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show dot1x
PAE Capability:       Authenticator only
Protocol Version:     2
System Auth Control:  Enable
Auth Server:          Radius
Supported Releases 10.2.0E or later

show dot1x interface
Displays 802.1X configuration information.
Syntax show dot1x interface ethernet node/slot/port[:subport]
Parameters ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
RADIUS server commands

radius-server host
Configures a RADIUS server and the key used to authenticate the switch on the server.
Syntax radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the RADIUS server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● key 0 authentication-key — Enter an authentication key in plain text.
Default TCP port 2083 on a RADIUS server for RADIUS over TLS communication
Command Mode CONFIGURATION
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands.
The no version of this command resets the value to the default.
Example
OS10(config)# radius-server retransmit 5
Supported Releases 10.2.0E or later

radius-server timeout
Configures the timeout used to resend RADIUS authentication requests.
Syntax radius-server timeout seconds
Parameters seconds — Enter the time in seconds for retransmission, from 1 to 100.
Default An OS10 switch stops sending RADIUS authentication requests after five seconds.
peer for the time interval of three times the configured FEFD message interval, the local switch assumes that the peer link is down. The default FEFD message interval is 15 seconds. For example, with the default configuration, if the local switch does not receive an echo message for 45 seconds from its peer, it brings the peer link down.
If the interface state changes to err-disabled, use the fefd reset [interface] global command to reset these interfaces. The unknown or err-disabled state brings the line protocol down so that the protocols above it can detect that the peer link is down.
Table 23.
● Configure FEFD Normal mode globally using the fefd-global mode normal command in CONFIGURATION mode.
OS10(Config)# fefd-global mode normal
● Configure FEFD Aggressive mode globally using the fefd-global mode aggressive command in CONFIGURATION mode.
OS10(Config)# fefd-global mode aggressive
2. (Optional) Configure the FEFD interval using the fefd-global interval command in CONFIGURATION mode and enter the interval in seconds. The range is from 3 to 255 seconds.
OS10(Config)# fefd-global interval 20
3.
The following is a sample output of FEFD global information:
OS10# show fefd
FEFD is globally 'ON', interval is 15 seconds, mode is Normal.
Usage Information The fefd command without any arguments enables the normal mode with the default FEFD interval of 15 seconds. If you use the no fefd command, the system does not disable FEFD if the fefd mode command is already present in the configuration. Similarly, if you use the no fefd mode command, the system does not disable FEFD if the fefd command is already present in the configuration. To disable FEFD on an interface when FEFD is globally enabled, use the fefd disable command on the interface.
fefd reset
Resets interfaces that are in error-disabled state because FEFD is set to Aggressive mode.
Syntax fefd reset [interface]
Parameters
● (Optional) interface—Enter the interface name to reset the error-disabled state of the interface because FEFD is set to Aggressive mode.
Default Not configured
Command Mode EXEC
Usage Information If you do not enter the interface name, this command resets the error-disabled state of all interfaces because FEFD is set to Aggressive mode.
eth1/1/1   Normal      22  Unknown
eth1/1/2   Normal      22  Unknown
eth1/1/3   Normal      22  Unknown
eth1/1/4   Normal      22  Unknown
eth1/1/5   Normal      22  Unknown
eth1/1/6   Normal      22  Unknown
eth1/1/7   Normal      22  Unknown
eth1/1/8   Normal      22  Unknown
eth1/1/9   Aggressive  22  Err-disabled
eth1/1/10  Normal      22  Unknown
Supported Releases 10.4.3.0 or later

Link Aggregation Control Protocol
Group Ethernet interfaces to form a single link layer interface called a LAG or port channel.
1. Configure the system priority in CONFIGURATION mode (1 to 65535; the higher the number, the lower the priority; default 32768).
lacp system-priority priority-value
2. Configure the LACP port priority in INTERFACE mode (1 to 65535; the higher the number, the lower the priority; default 32768).
lacp port-priority priority-value
3. Configure the LACP rate in INTERFACE mode (default normal).
Rates
Protocol data units (PDUs) are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending on the LACP timeout value. The configured rate interval is used to check whether the partner link is alive or not. The links are ungrouped if three consecutive LACP PDUs are missed. The timeout value depends on the configured rate interval. If the rate interval is fast, then LACP PDUs are sent once every second.
Alpha LAG configuration summary
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# exit
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# no switchport
OS10(conf-if-eth1/1/29)# channel-group 1 mode active
OS10(conf-if-eth1/1/29)# interface ethernet 1/1/30
OS10(conf-if-eth1/1/30)# no switchport
OS10(conf-if-eth1/1/30)# channel-group 1 mode active
OS10(conf-if-eth1/1/30)# interface ethernet 1/1/31
OS10(conf-if-eth1/1/31)# no switchport
OS10(conf-if-eth1/1/31)# channel-group 1 mode activ
Interface index is 13
Internet address is not set
Mode of IPv4 Address Assignment: not set
Interface IPv6 oper status: Disabled
MTU 1532 bytes, IP MTU 1500 bytes
LineSpeed 10G, Auto-Negotiation off
Flowcontrol rx on tx off
ARP type: ARPA, ARP Timeout: 60
Last clearing of "show interface" counters: 1 weeks 2 days 17:28:08
Queuing strategy: fifo
Input statistics:
15106397000 packets, 11528982238100 octets
3060849 64-byte pkts, 14861427 over 64-byte pkts, 1517469049 over 127-byte pkts
3034145980 over 255-byte
Verify LAG status
OS10# show lacp port-channel
Port-channel 51 is up, line protocol is up
Address is 14:18:77:16:87:9c, Current address is 14:18:77:16:87:9c
Interface index is 49
Internet address is not set
Mode of IPv4 Address Assignment: not set
Interface IPv6 oper status: Disabled
MTU 1532 bytes, IP MTU 1500 bytes
LineSpeed 160G
Minimum number of links to bring Port-channel up is 1
Maximum active members that are allowed in the portchannel is 32
Members in this channel: Eth 1/1/1-1/1/8,1/1/25:1-1/1/25:4,
LACP_Timeout=Long Timeout(30s)
Synchronization=IN_SYNC
Collecting=true
Distributing=true
Partner Admin State=BDEGIKMP
Partner Oper State=ADEGIKNP

LACP fallback
LACP fallback allows downstream devices, like servers which are connected to ports of a switch configured as LACP, to establish a link when the system is not able to finalize the LACP handshake. For example, when servers boot in PXE mode, the server cannot exchange LACP PDUs and the switch does not enable the ports.
OS10(conf-if-po-1)# lacp fallback enable
OS10(conf-if-po-1)# lacp fallback timeout 20
OS10(conf-if-po-1)# lacp fallback preemption enable
View LACP fallback configuration
OS10# show port-channel summary
Flags: D - Down  I - member up but inactive  P - member up and active
       U - Up (port-channel)  F - Fallback enabled
--------------------------------------------------------------------------------
Group  Port-Channel  Type  Protocol  Member Ports
--------------------------------------------------------------------------------
LACP fallback in VLT domain
In a VLT domain, LACP fallback enables rebooting of ToR or server that is connected to VLT nodes through VLT port channel. The other end of the VLT nodes is connected to a DHCP/PXE server, as shown in the following figure:
In the above scenario, LACP fallback works as follows:
1. The ToR/server boots
2. One of the VLT peers takes care of controlling the LACP fallback mode.
● passive — Enter to only enable LACP if it detects a device. The interface is in the Passive Negotiation state when the port responds to the LACP packets that it receives but does not initiate negotiation until it detects a device.
Default Not configured
Command Mode INTERFACE
Usage Information When you delete the last physical interface from a port channel, the port channel remains. Configure these attributes on an individual member port.
Example
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# lacp fallback enable
Supported Releases 10.3.2E(R3) or later

lacp fallback preemption
Enables or disables LACP fallback port preemption.
Syntax lacp fallback preemption {enable | disable}
Parameters
● enable—Enables preemption on the port channel.
● disable—Disables preemption on the port channel.
Supported Releases 10.3.2E(R3) or later

lacp max-bundle
Configures the maximum number of active members that are allowed in a port channel.
Syntax lacp max-bundle max-bundle-number
Parameters max-bundle-number — Enter the maximum bundle size (1 to 32).
Default 32
Command Mode INTERFACE
Usage Information The no version of this command resets the maximum bundle size to the default value.
Example
OS10(conf-if-po-10)# lacp max-bundle 10
Supported Releases 10.2.
Supported Releases 10.2.0E or later

lacp system-priority
Sets the system priority of the device for LACP.
Parameters priority — Enter the priority value for physical interfaces (0 to 65535).
Default 32768
Command Mode CONFIGURATION
Usage Information Each device that runs LACP has an LACP system priority value. LACP uses the system priority with the MAC address to form the system ID and also during negotiation with other systems. The system ID is unique for each device.
Default Not configured
Command Mode EXEC
Usage Information The LACP_activity field displays if you configure the link in Active or Passive port channel mode. The Port Identifier field displays the port priority as part of the information including the port number. For example, Port Identifier=0x8000,0x101, where the port priority value is 0x8000 and the port number value is 0x101.
Example
OS10# show lacp interface ethernet 1/1/129
Invalid Port id, Max.
Example
OS10# show lacp neighbor interface port-channel 1
Flags: S-Device is sending Slow LACPDUs  F-Device is sending Fast LACPdus
       A-Device is in Active mode  P-Device is in Passive mode
Port-channel port-channel1 neighbors
Port: ethernet1/1/29
Partner System Priority: 32768
Partner System ID: 00:01:e8:8a:fd:9e
Partner Port: 178
Partner Port Priority: 32768
Partner Oper Key: 1
Partner Oper State:aggregation synchronization collecting distributing defaulted expired
Supported Releases 10.2.
Usage Information The LACP system ID is a combination of the configurable LACP system priority value and the MAC address. Each system that runs LACP has an LACP system priority value. Configure a value between 1 and 65535. The default value is 32768. LACP uses the system priority with the MAC address to form the system ID and uses the system priority during negotiation with other devices. A higher system priority value means a lower priority. The system ID is different for each device.
Example
Mandatory TLVs
OS10 supports the three mandatory TLVs. These mandatory TLVs are at the beginning of the LLDPDU in the following order:
● Chassis ID TLV
● Port ID TLV
● Time-to-live TLV
Table 24. Mandatory TLVs
Mandatory TLVs  Type  Description
Chassis ID      1     Identifies the chassis.
Port ID         2     Identifies a port through which the LAN device transmits LLDPDUs.
Time-to-live    3     Number of seconds that the received information in this LLDPDU is valid.
End of LLDPDU   0     Marks the end of an LLDPDU.
Table 25. Basic TLVs (continued)
TLV                  Type  Description
System name          5     User-defined alphanumeric string that identifies the system.
System description   6     Includes the following information:
                           ● Host description
                           ● Dell OS version
                           ● Dell application software version
                           ● Build timestamp
System capabilities  7     Determines the capabilities of the system.
Management address   8     Network address of the management interface.
Organizationally specific TLVs
Table 26. 802.
Table 28. Service tag TLV (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV          Subtype  Description
Service tag  21       Indicates the service tag that is associated with the device.
Table 29. Solution ID TLVs (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV                    Subtype  Description
Product base           22       Indicates the product base.
Product serial number  23       Indicates the product serial number.
Product part number    24       Indicates the product part number.
Custom TLVs
iDRAC organizationally specific TLVs
Table 30.
Isilon organizationally-specific TLVs
Table 31. Isilon-related TLVs (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV         Subtype  Description
Subtypes used in LLDP custom TLVs that are transacted by the Isilon nodes
Originator  1        Indicates the Isilon string that is used as the originator. This string enables the OS10 switches to identify the Isilon originated LLDPDUs.
RA prefix   2        Indicates the IPV6 address prefix for SLAAC.
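The TLV tables above define what an OS10 LLDPDU can reveal to any directly attached device. The following parser is an added example, not Dell code: it splits an LLDPDU into TLVs using the IEEE 802.1AB header (7-bit type, 9-bit length), checks the mandatory-TLV order the guide describes, and lists the inventory fields a frame discloses, including the Type 127 TLVs under OUI 0xF8-0xB1-0x56. The sample frame is constructed, and decoding the OUI-specific values as text is an assumption.

```python
import struct

# OUI from the guide's Tables 28, 29 and 31 (Type 127, OUI 0xF8-0xB1-0x56).
DELL_OUI = bytes.fromhex("f8b156")
MANDATORY_ORDER = [1, 2, 3]  # Chassis ID, Port ID, Time-to-live
BASIC_TLVS = {5: "System name", 6: "System description", 8: "Management address"}
# Subtypes listed under that OUI in the guide's tables.
DELL_SUBTYPES = {1: "Isilon originator", 2: "Isilon RA prefix", 21: "Service tag",
                 22: "Product base", 23: "Product serial number",
                 24: "Product part number"}


def make_tlv(tlv_type, value):
    """Build one TLV: 7-bit type and 9-bit length header, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(pdu):
    """Split an LLDPDU into (type, value) pairs, rejecting truncated input."""
    tlvs, pos = [], 0
    while pos < len(pdu):
        if pos + 2 > len(pdu):
            raise ValueError("truncated TLV header at offset %d" % pos)
        (header,) = struct.unpack_from("!H", pdu, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(pdu):
            raise ValueError("TLV type %d overruns the LLDPDU" % tlv_type)
        tlvs.append((tlv_type, pdu[pos:pos + length]))
        pos += length
        if tlv_type == 0:  # End of LLDPDU: ignore any padding after it
            break
    return tlvs


def audit_lldpdu(pdu):
    """Check mandatory-TLV order and list the inventory data the frame exposes."""
    tlvs = parse_tlvs(pdu)
    types = [t for t, _ in tlvs]
    report = {"mandatory_order_ok": types[:3] == MANDATORY_ORDER,
              "terminated": bool(types) and types[-1] == 0,
              "disclosed": []}
    for tlv_type, value in tlvs:
        if tlv_type in (5, 6):
            text = value.decode("utf-8", "replace")
            report["disclosed"].append((BASIC_TLVS[tlv_type], text))
        elif tlv_type == 8:
            report["disclosed"].append((BASIC_TLVS[8], value.hex()))
        elif tlv_type == 127 and len(value) >= 4 and value[:3] == DELL_OUI:
            # Organizationally specific TLV: 3-byte OUI, 1-byte subtype, data.
            name = DELL_SUBTYPES.get(value[3], "OUI subtype %d" % value[3])
            # Assumption: the data is printable text; the guide does not say.
            report["disclosed"].append((name, value[4:].decode("utf-8", "replace")))
    return report


# Constructed sample LLDPDU (all values invented for this example).
SAMPLE_LLDPDU = b"".join([
    make_tlv(1, b"\x04" + bytes.fromhex("020000000001")),  # chassis ID, subtype 4 = MAC
    make_tlv(2, b"\x05" + b"ethernet1/1/1"),               # port ID, subtype 5 = ifname
    make_tlv(3, struct.pack("!H", 240)),                   # time-to-live in seconds
    make_tlv(5, b"OS10"),                                  # system name
    make_tlv(127, DELL_OUI + bytes([21]) + b"ABC1234"),    # service tag TLV
    make_tlv(0, b""),                                      # End of LLDPDU
])

if __name__ == "__main__":
    result = audit_lldpdu(SAMPLE_LLDPDU)
    print("mandatory order ok:", result["mandatory_order_ok"])
    for name, text in result["disclosed"]:
        print(f"{name}: {text}")
```

Fields that appear in the disclosed list on a host-facing port are candidates for the per-interface no lldp transmit setting shown later in this chapter.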
● To disable LLDP on an interface, use the no form of the lldp transmit and lldp receive commands in INTERFACE mode.
OS10(conf-if-eth1/1/2)# no lldp transmit
OS10(conf-if-eth1/1/2)# no lldp receive
Management interface:
OS10(conf-if-ma-1/1/1)# no lldp transmit
OS10(conf-if-ma-1/1/1)# no lldp receive

Enable LLDP
When LLDP is disabled on a switch, you can reenable LLDP globally or on an interface.
● To enable LLDP globally: Enable LLDP globally in CONFIGURATION mode.
Enter the multiplier value for the hold time in CONFIGURATION mode.
lldp holdtime-multiplier
OS10(config)# lldp timer 60
OS10(config)# lldp reinit 5

View LLDP timers
OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 240
Reinit-time in seconds: 5
Transmit interval in seconds: 60

Time to live TTL or hold time is the amount of time, in seconds, that a receiving system waits to hold the information before discarding it.
Advertise VLAN Name TLVs
You can configure the system to advertise the names of VLANs in LLDPDUs. Configure the VLAN names before you configure the system to advertise VLAN names. By default, this feature is disabled. After you enable this feature, the system starts sending LLDPDUs with the configured name of the default VLAN. If the default VLAN does not have a configured name, the system does not send an LLDPDU with a VLAN name TLV.

Transmit VLAN name of the default VLAN
1.
OS10(conf-if-vl-3)#vlan-name vlan4
OS10(config)# interface vlan 4
OS10(conf-if-vl-4)#vlan-name vlan4
OS10(config)# interface vlan 5
OS10(conf-if-vl-5)#vlan-name vlan5
OS10(config)# interface vlan 6
OS10(conf-if-vl-6)#vlan-name vlan6
OS10(config)# interface vlan 7
OS10(conf-if-vl-7)#vlan-name vlan7
OS10(config)# interface vlan 8
OS10(conf-if-vl-8)#vlan-name vlan8
OS10(config)# interface vlan 9
OS10(conf-if-vl-9)#vlan-name vlan9
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)#vlan-name vlan10
OS10(config)
The following output shows that the interface deletes VLAN 3 and starts sending the name of VLAN 9:
OS10# show lldp interface ethernet 1/1/1 local-device
Device ID: 34:17:eb:f2:05:c4
Port ID: ethernet1/1/1
System Name: OS10
Capabilities: Router, Bridge, Repeater
System description: Dell EMC Networking OS10 Enterprise.
Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved.
System Description: OS10 Enterprise.
OS Version: 10.4.9999EX.
Disable and enable LLDP TLVs on management ports
By default, management ports advertise all LLDP TLVs except VLAN name TLV. You can disable the LLDP TLV advertisement on management ports using the following commands:
● Disable LLDP TLVs in INTERFACE mode.
Example: Advertise TLVs configuration
The following configuration example describes how to configure the system to advertise LLDP TLVs.
Sample configuration on R1: Enable the list of LLDP TLVs that need to be advertised from R1.
Total Frames In : 0
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0

View LLDP interface traffic
OS10# show lldp traffic interface ethernet 1/1/1
LLDP Traffic Statistics:
Total Frames Out : 0
Total Entries Aged : 0
Total Frames In : 0
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0
LLDP MED Traffic Statistics:
Total Med Frames Out :
Total Med Frames In :
Total Med Frames Dis
Information valid for next 105 seconds
Time since last information change of this neighbor: 00:00:15
Remote System Name: LLDP-pkt-gen
Remote Management Address (IPv4): 10.1.1.
Table 32.
Table 34. LLDP-MED device types (continued)
Bit position  Device type
3             Endpoint Class 3
4             Network connectivity
5-255         Reserved

LLDP-MED network policies TLVs
A network policy in the context of LLDP-MED is a VLAN configuration of a device and associated L2 and L3 configurations. LLDP-MED network policies TLVs include:
● VLAN ID
● VLAN tagged or untagged status
● L2 priority
● DSCP value
You can configure an LLDP-MED network policy to generate an individual network policy TLV for each application type.
Table 35. LLDP-MED Network policies TLVs (continued)
Type   Application      Description
                        supporting streaming video services that require specific network policy treatment.
8      Video signaling  Used only if video control packets use a separate network policy than the video data.
9-255  Reserved         —

Disable and reenable LLDP-MED
By default, LLDP-MED is enabled on all interfaces except on the management interface.
○ add — Attach the network policy to an interface.
○ remove — Remove the network policy from an interface.
○ number — Enter a network policy index number, from 1 to 32.

Configure advertise LLDP-MED network policies
OS10(conf-if-eth1/1/5)# lldp med network-policy add 1

Change the fast start repeat count
Fast start repeat enables a network-connectivity device to advertise itself at a faster rate for a limited amount of time.
Usage Information   Neighbor information clears on all interfaces.
Example             OS10# clear lldp table
Supported Releases  10.2.0E or later

lldp enable
Enables or disables LLDP globally.
Syntax              lldp enable
Parameters          None
Default             Enabled
Command Mode        CONFIGURATION
Usage Information   This command enables LLDP globally for all Ethernet PHY interfaces, except on those interfaces where you manually disable LLDP.
Usage Information   None
Example             OS10(config)# lldp med fast-start-repeat-count 5
Supported Releases  10.2.0E or later

lldp med
Enables or disables LLDP-MED on an interface.
Syntax              lldp med {enable | disable}
Parameters
● enable — Enable LLDP-MED on the interface.
● disable — Disable LLDP-MED on the interface.
Default             Enabled with network-policy TLV
Command Mode        INTERFACE
Usage Information   LLDP-MED communicates the types of TLVs that the endpoint device and network-connectivity device support.
Usage Information   You can create a maximum of 32 network policies and associate the LLDP-MED network policies to a port.
Example             OS10(config)# lldp med network-policy 10 app voice vlan 10 vlan-type tag priority 2 dscp 1
Supported Releases  10.2.0E or later

lldp med network-policy (Interface)
Attaches or deletes an LLDP-MED network policy to or from an interface.
Syntax              lldp med network-policy {add | remove} number
Parameters
● add — Attach the network policy to an interface.
Command Mode        INTERFACE
Usage Information   Determines whether to advertise the interface description or the port ID in the port description TLV. According to RFC 2863, the LLDPLocPortDesc and ifDescr object values must be identical. To be compliant with RFC 2863, use the port-id option with the lldp port-description-tlv advertise command. The port-id option in this command returns the same value (port ID) for both LLDPLocPortDesc and ifDescr objects.
Parameters          seconds — Enter the LLDP timer rate in seconds, from 5 to 254.
Default             30 seconds
Command Mode        CONFIGURATION
Usage Information   The no version of this command sets the LLDP timer back to its default value.
Example             OS10(config)# lldp timer 25
Supported Releases  10.2.0E or later

lldp tlv-select basic-tlv
Enables or disables TLV attributes to transmit and receive LLDP packets.
Example
OS10(config)# lldp management-addr-tlv ipv4 virtual-ip
OS10(conf-if-eth1/1/3)# lldp management-addr-tlv ipv6 virtual-ip
Supported Releases  10.5.0 or later

lldp tlv-select dot1tlv
Enables or disables the dot.1 TLVs to transmit in LLDP packets.
Syntax              lldp tlv-select dot1tlv { port-vlan-id | link-aggregation | vlan-name}
Parameters
● port-vlan-id — Enter the port VLAN ID.
● link-aggregation — Enable the link aggregation TLV.
lldp transmit
Enables the transmission of LLDP packets on a specific interface.
Syntax              lldp transmit
Parameters          None
Default             Not configured
Command Mode        INTERFACE
Usage Information   The no version of this command disables the transmission of LLDP packets on a specific interface.
Example             OS10(conf-if-eth1/1/9)# lldp transmit
Supported Releases  10.2.0E or later

lldp vlan-name-tlv allowed vlan
Specifies a single or multiple VLANs' names to transmit in LLDPDUs.
Command Mode        EXEC
Usage Information   Use the med parameter to view MED information for a specific interface. Use the local-device parameter to view inventory details.
Command Mode        EXEC
Usage Information   None
Example
OS10# show lldp errors
Total Memory Allocation Failures: 0
Total Input Queue Overflows: 0
Total Table Overflows: 0
Supported Release   10.2.0E or later

show lldp med
Displays the LLDP MED information for all the interfaces.
Syntax              show lldp med
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   Use the show lldp interface command to view MED information for a specific interface.
show lldp neighbors
Displays the system information of the LLDP neighbors.
Syntax              show lldp neighbors [detail | interface ethernet node/slot/port[:subport]]
Parameters
● detail — View LLDP neighbor detailed information.
● interface ethernet node/slot/port[:subport] — Enter the Ethernet interface information.
Command Mode        EXEC
Usage Information   The status information from this command includes local port ID, remote hostname, remote port ID, remote VLAN names, and remote node ID.
show lldp timers
Displays the LLDP hold time, delay time, and update frequency interval configuration information.
Syntax              show lldp timers
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   None
Example
OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 120
Reinit-time in seconds: 6
Transmit interval in seconds: 30
Supported Releases  10.2.0E or later

show lldp tlv-select interface
Displays the TLVs enabled for an interface.
Usage Information   None
Example
OS10# show lldp traffic
LLDP Traffic Statistics:
Total Frames Out :
Total Entries Aged :
Total Frames In :
Total Frames Received In Error :
Total Frames Discarded :
Total TLVS Unrecognized :
Total TLVs Discarded :
Example (Interface)
OS10# show lldp traffic interface ethernet 1/1/2
LLDP Traffic Statistics:
Total Frames Out : 45
Total Entries Aged : 1
Total Frames In : 33
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs D
Media Access Control
All Ethernet switching ports maintain media access control (MAC) address tables. Each physical device in your network contains a MAC address. OS10 devices automatically enter learned MAC addresses as dynamic entries in the MAC address table. Learned MAC address entries are subject to aging. Set the aging timer to zero (0) to disable MAC aging.
View MAC Address Table Entries
OS10# show mac address-table
VlanId  Mac Address        Type     Interface
1       00:00:15:c6:ca:49  dynamic  ethernet1/1/21
1       00:00:20:2a:25:55  dynamic  ethernet1/1/21
1       90:b1:1c:f4:aa:ce  dynamic  ethernet1/1/21
1       90:b1:1c:f4:aa:c6  dynamic  ethernet1/1/21
10      34:17:eb:02:8c:33  static   ethernet1/1/1

View MAC Address Table Count
OS10# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count : 4
Static Address (User-defined) Count : 1
Total MAC Addresses in Use: 5

Clear MAC A
Usage Information   Use the all parameter to remove all dynamic entries from the address table.
Example             OS10# clear mac address-table dynamic all
Example (VLAN)      OS10# clear mac address-table dynamic vlan 20
Supported Releases  10.2.0E or later

mac address-table aging-time
Configures the aging time for entries in the L2 address table.
Syntax              mac address-table aging-time seconds
Parameters          seconds — Enter the aging time for MAC table entries in seconds, from 0 to 1000000.
show mac address-table
Displays information about the MAC address table.
Syntax              show mac address-table [address mac-address | aging-time | [count [vlan vlan-id] | dynamic | interface {ethernet node/slot/port[:subport] | port-channel number}]| static [address mac-address] | vlan vlan-id
Parameters
● address mac-address — (Optional) Displays MAC address table information.
● aging-time — (Optional) Displays MAC address table aging-time information.
For RPVST with force-version STP convergence to work, ensure that the default VLAN is set to VLAN1. You must not configure it to any VLAN number other than VLAN1.

Introduction to STP
The spanning-tree protocol is a Layer 2 network protocol that prevents loops in a network topology. Spanning-tree is useful when more than one network path exists and devices in the network are either competing for or sharing these paths.
The system discards regular data traffic after a BPDU violation.
BPDU filtering   Stops sending or receiving BPDUs from a faulty device, thereby protecting the network from unexpected flooding of BPDUs. Enabling BPDU filtering on an interface causes the system to stop sending or receiving BPDUs.
BPDU guard       Blocks the L2 bridged ports and LAG ports connected to end hosts and servers from receiving any BPDUs.
● Enabling BPDU guard and loop guard at the same time on a port results in a port that remains in blocking state and prevents traffic from flowing through it. For example, when you configure both Portfast BPDU guard and loop guard:
  ○ If a BPDU is received from a remote device, BPDU guard places the port in the Err-Disabled Blocking state and no traffic forwards on the port.
Boundary: No, Bpdu-filter: Enable, Bpdu-Guard: Enable, Shutdown-on-Bpdu-Guard-violation: Yes
Root-Guard: Enable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 6, Received: 6410
Interface                                      Designated
Name           PortID  Prio  Cost  Sts  Cost   Bridge ID             PortID
-------------------------------------------------------------------------------------------
ethernet1/1/7  128.56  128   500   FWD  500    32769 90b1.1cf4.a625  128.56

Recover from BPDU guard violations
1.
MAC flush optimization
OS10 offers a MAC address clearing technique that optimizes the number of MAC flush calls sent by the Spanning Tree Protocol (STP) module. If the number of calls sent to the hardware is too high, traffic is dropped or flooded, impacting system performance. To prevent traffic drops and flooding, you can use the MAC flush optimization feature.
OS10 assumes a port that runs in half-duplex mode is a shared link, to which the fast transition feature is not applicable. Also, if you explicitly designate a port as a shared link, you cannot use the fast transition feature, regardless of the duplex setting. To hasten the spanning-tree state transitions, you can set the link type to point-to-point.
To set the link type to point-to-point:
● Use the following command in INTERFACE mode.
2 3 11-20 21-30

EdgePort
EdgePort allows the interface to forward traffic approximately 30 seconds sooner as it skips the Blocking and Learning states.
CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
Edge ports do not receive BPDUs.
○ ethernet node/slot/port[:subport] — Deletes the spanning-tree counters from a physical port.
○ port-channel number — Deletes the spanning-tree counters for a port-channel interface, from 1 to 128.
Default             Not configured
Command Mode        EXEC
Usage Information   Clear all STP counters on the device per the Ethernet interface or port-channel.
Example             OS10# clear spanning-tree counters interface port-channel 10
Supported Releases  10.2.
Supported Releases  10.4.2.0 or later

errdisable recovery cause bpduguard
Enables recovery of ports that were shut down due to a BPDU guard violation.
Syntax              errdisable recovery cause bpduguard
Parameters          None
Default             Disabled
Command Mode        CONFIGURATION
Usage Information   This command applies only to STP-enabled ports. The command takes effect only when BPDU guard is configured on a port and errdisable detect cause bpduguard is enabled.
○ ethernet node/slot/port[:subport] — Enter the Ethernet interface information, from 1 to 48.
○ port-channel number — Enter the port-channel number, from 1 to 128.
Default             Not configured
Command Mode        EXEC
Usage Information   Use this command to force the port to re-negotiate with neighbors. If you use this command without parameters, the command applies to each device port.
Example             OS10# clear spanning-tree detected-protocol interface ethernet 1/1/1
Supported Release   10.2.
spanning-tree disable
Disables Spanning-Tree mode configured with the spanning-tree mode command globally on the switch or specified interfaces.
Syntax              spanning-tree disable
Parameters          None
Default             Not configured.
Usage Information   The no version of this command re-enables STP and applies the currently configured spanning-tree settings.
Command Mode        CONFIGURATION
                    INTERFACE
Example
OS10(config)# interface ethernet 1/1/4
OS10(config-if-eth1/1/4)# spanning-tree disable
Supported Releases  10.3.
As half-duplex mode is considered as a shared link, the fast transition feature is not applicable for shared links. If you designate a port as a shared link, you cannot use the fast transition feature, regardless of the duplex setting.
Example             OS10(config-inf)# spanning-tree link-type point-to-point
Supported Releases  OS10 legacy command.

spanning-tree mac-flush-timer
Enables or disables MAC flush optimization.
Default             Not configured
Command Mode        INTERFACE
Usage Information   When you configure an EdgePort on a device running STP, the port immediately transitions to the Forwarding state. Only configured ports connected to end hosts act as EdgePorts.
Example             OS10(config-inf)# spanning-tree port type edge
Supported Releases  10.2.0E or later

show errdisable
Displays information on errdisable configurations and port recovery status.
show spanning-tree interface
Displays spanning-tree interface information for Ethernet and port-channels.
Syntax              show spanning-tree interface {ethernet node/slot/port [:subport] | port-channel port-id} [detail]
Parameters
● ethernet node/slot/port[:subport] — Displays spanning-tree information for a physical interface.
● port-channel port-id — Displays spanning-tree information for a port-channel number, from 1 to 128.
● detail — (Optional) Displays detailed information on the interface.
Each VLAN is assigned an incremental default bridge priority. For example, if VLAN 1 is assigned a bridge priority value of 32769, then VLAN 2 (if created) is assigned a bridge priority value of 32770; similarly, VLAN 10 (if created) is assigned a bridge priority value of 32778, and so on. All three instances have the same forwarding topology. NOTE: Z9332F-ON supports a total of 64 instances, of which 3 VLANs are used for internal purposes.
To achieve Rapid-PVST load balancing, assign a different priority on each bridge.

Enable Rapid-PVST
By default, Rapid-PVST is enabled and creates an instance during VLAN creation. To participate in Rapid-PVST, port-channel or physical interfaces must be a member of a VLAN.
● Enable Rapid-PVST mode in CONFIGURATION mode.
---ethernet1/1/5 No ethernet1/1/6 No ethernet1/1/7 No ethernet1/1/8 No ethernet1/1/9 No ethernet1/1/10 No ethernet1/1/25 No ethernet1/1/26 No ethernet1/1/27 No ethernet1/1/28 No Altr 128.40 128 500 BLK 500 AUTO Altr 128.48 128 500 BLK 500 AUTO Desg 128.56 128 500 FWD 500 AUTO Altr 128.64 128 500 BLK 500 AUTO Altr 128.72 128 500 BLK 500 AUTO Altr 128.80 128 500 BLK 500 AUTO Desg 128.200 128 500 FWD 500 AUTO Root 128.208 128 500 FWD 0 AUTO Altr 128.
VLAN 1
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 4097, Address 90b1.1cf4.a523
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 4097, Address 90b1.1cf4.a523
We are the root of VLAN 1
Configured hello time 2, max age 20, forward delay 15
Interface                                            Designated
Name           PortID   Prio  Cost       Sts  Cost   Bridge ID             PortID
---------------------------------------------------------------------------------
ethernet1/1/1  128.260  128   200000000  FWD  0      32769 0000.0000.0000  128.
● Configure the device as the root or secondary root in CONFIGURATION mode.
spanning-tree vlan vlan-id root {primary | secondary}
  ○ vlan-id — Enter the VLAN ID number, from 1 to 4093.
  ○ primary — Enter the bridge as primary or root bridge. The primary bridge value is 24576.
  ○ secondary — Enter the bridge as the secondary root bridge. The secondary bridge value is 28672.
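Root placement is worth verifying per VLAN, because a VLAN left at default priority elects whichever bridge has the lowest MAC address. The following added example (not part of the Dell guide) predicts the Rapid-PVST root for each VLAN from configured priorities and flags VLANs where the intended root does not win. It assumes the bridge ID priority is the configured value plus the VLAN ID, which matches the 32769 and 4097 values shown in this guide, and that ties break on the lowest MAC address as in standard STP; the topology and function names are constructed for the example.

```python
"""Predict the Rapid-PVST root bridge per VLAN from configured priorities."""

DEFAULT_PRIORITY = 32768                       # default bridge priority
ROOT_PRIMARY, ROOT_SECONDARY = 24576, 28672    # values set by root primary / secondary
VALID_PRIORITIES = set(range(0, 61441, 4096))  # all other values are rejected


def effective_priority(vlan_id: int, configured: int = DEFAULT_PRIORITY) -> int:
    """Priority as shown in the bridge ID: configured value plus the VLAN ID."""
    if not 1 <= vlan_id <= 4093:
        raise ValueError(f"VLAN ID {vlan_id} is outside 1-4093")
    if configured not in VALID_PRIORITIES:
        raise ValueError(f"priority {configured} is not a multiple of 4096 in 0-61440")
    return configured + vlan_id


def bridge_id(vlan_id: int, bridge: dict):
    """(priority, MAC) tuple; the numerically lowest tuple wins the election."""
    configured = bridge["vlan_priority"].get(vlan_id, DEFAULT_PRIORITY)
    mac = int(bridge["mac"].replace(".", ""), 16)
    return effective_priority(vlan_id, configured), mac


def elect_root(vlan_id: int, bridges: dict) -> str:
    """Name of the bridge that becomes root for this VLAN."""
    return min(bridges, key=lambda name: bridge_id(vlan_id, bridges[name]))


def audit(vlans, bridges: dict, intended_root: str):
    """Return (vlan, elected root, priority, reason) for each VLAN needing attention."""
    findings = []
    for vlan_id in vlans:
        root = elect_root(vlan_id, bridges)
        priority, _ = bridge_id(vlan_id, bridges[root])
        if root != intended_root:
            findings.append((vlan_id, root, priority, "unintended root"))
        elif priority - vlan_id == DEFAULT_PRIORITY:
            # Intended bridge wins only because its MAC happens to be lowest.
            findings.append((vlan_id, root, priority, "root held only by lowest MAC"))
    return findings


# Constructed three-switch topology (names and priority assignments are made up;
# the MAC address format follows the show spanning-tree output in this guide).
TOPOLOGY = {
    "core1":   {"mac": "90b1.1cf4.a523", "vlan_priority": {1: ROOT_PRIMARY, 10: ROOT_PRIMARY}},
    "core2":   {"mac": "90b1.1cf4.a625", "vlan_priority": {1: ROOT_SECONDARY, 10: ROOT_SECONDARY}},
    "access1": {"mac": "3417.4455.667f", "vlan_priority": {}},
}

if __name__ == "__main__":
    for vlan in (1, 10, 20):
        print(f"VLAN {vlan}: root is {elect_root(vlan, TOPOLOGY)}")
    for finding in audit([1, 10, 20], TOPOLOGY, "core1"):
        print("FINDING:", finding)
```

In the constructed topology VLAN 20 has no root configured on either core switch, so the access switch with the lowest MAC address becomes root; applying spanning-tree vlan 20 root primary on core1 clears the finding.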
Bridge ID Priority 32769, Address 90b1.1cf4.a523
We are the root of VLAN 1
Configured hello time 2, max age 20, forward delay 15

Rapid-PVST commands

show spanning-tree vlan
Displays Rapid-PVST status and configuration information by VLAN ID.
Syntax              show spanning-tree vlan vlan-id
Parameters          vlan vlan-id — Enter the VLAN ID number, from 1 to 4093.
spanning-tree vlan disable
Disables spanning tree on a specified VLAN.
Syntax              spanning-tree vlan vlan-id disable
Parameters          vlan-id — Enter the VLAN ID number, from 1 to 4093.
Default             Enabled
Command Mode        CONFIGURATION
Usage Information   The no version of this command enables spanning tree on the specified VLAN.
Example             OS10(config)# spanning-tree vlan 100 disable
Supported Releases  10.4.
spanning-tree vlan hello-time
Sets the time interval between generation and transmission of Rapid-PVST BPDUs.
Syntax              spanning-tree vlan vlan-id hello-time seconds
Parameters
● vlan-id — Enter the VLAN ID number, from 1 to 4093.
● seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Default             2 seconds
Command Mode        CONFIGURATION
Usage Information   Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports.
Supported Releases  10.2.0E or later

spanning-tree vlan priority
Sets the priority value for Rapid-PVST.
Syntax              spanning-tree vlan vlan-id priority priority value
Parameters          priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440. Valid priority values are: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.
Example             OS10(config)# spanning-tree vlan 1 root primary
Supported Releases  10.2.0E or later

spanning-tree rapid-pvst force-version
Configures a forced version of spanning-tree to transmit BPDUs.
Syntax              spanning-tree rapid-pvst force-version stp
Parameters
● stp — Forces the version for the BPDUs transmitted by Rapid-PVST to STP.
Default             Not configured
Command Mode        CONFIGURATION
Usage Information   Forces a bridge that supports Rapid-PVST to operate in an STP-compatible mode.
● Re-enable an interface in INTERFACE mode.
no spanning-tree disable

View all ports participating in RSTP
OS10# show spanning-tree
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 90b1.1cf4.
ethernet1/1/28  128.368  128  200000000  BLK  0  0 0000.0000.0000
ethernet1/1/29  128.372  128  200000000  BLK  0  0 0000.0000.0000
ethernet1/1/30  128.376  128  200000000  BLK  0  0 0000.0000.0000
ethernet1/1/31  128.380  128  200000000  BLK  0  0 0000.0000.0000
ethernet1/1/32  128.384  128  200000000  BLK  0  0 0000.0000.0000
Interface
Name            Role  PortID   Prio  Cost       Sts  Cost  Link-type  Edge
-------------------------------------------------------------------------
ethernet1/1/1   Disb  128.260  128   200000000  BLK  0     AUTO       No
ethernet1/1/2   Disb  128.
Configured hello time 2, max age 20, forward delay 15
Interface                                     Designated
Name           PortID   Prio  Cost  Sts  Cost  Bridge ID             PortID
------------------------------------------------------------------
ethernet1/1/1  244.128  128   500   BLK  0     32768 90b1.1cf4.9b8a  128.244
ethernet1/1/2  248.128  128   500   BLK  0     32768 90b1.1cf4.9b8a  128.248
ethernet1/1/3  252.128  128   500   FWD  0     32768 90b1.1cf4.9b8a  128.252
ethernet1/1/4  256.128  128   500   BLK  0     32768 90b1.1cf4.9b8a  128.
● Assign a number as the bridge priority or designate it as the primary or secondary root bridge in CONFIGURATION mode. Configure the priority value range, from 0 to 65535 in multiples of 4096, default 32768. The lower the number assigned, the more likely the bridge becomes the root bridge.
We are the root
Configured hello time 2, max age 20, forward delay 15
Interface                                     Designated
Name           PortID   Prio  Cost  Sts  Cost  Bridge ID             PortID
----------------------------------------------------------------------
ethernet1/1/1  244.128  128   500   BLK  0     32768 90b1.1cf4.9b8a  128.244
ethernet1/1/2  248.128  128   500   BLK  0     32768 90b1.1cf4.9b8a  128.248
ethernet1/1/3  252.128  128   500   FWD  0     32768 90b1.1cf4.9b8a  128.252
ethernet1/1/4  256.128  128   500   BLK  0     32768 90b1.1cf4.9b8a  128.
spanning-tree rstp forward-time
Configures a time interval for the interface to wait in the Blocking state or Learning state before moving to the Forwarding state.
Syntax              spanning-tree rstp forward-time seconds
Parameters          seconds — Enter the number of seconds an interface waits in the Blocking or Learning states before moving to the Forwarding state, from 4 to 30.
Supported Releases  10.4.0E(R1) or later

spanning-tree rstp max-age
Configures the time period the bridge maintains configuration information before refreshing the information by recomputing the RSTP topology.
Syntax              spanning-tree rstp max-age seconds
Parameters          seconds — Enter a maximum age value in seconds, from 6 to 40.
Default             20 seconds
Command Mode        CONFIGURATION
Usage Information   None
Example             OS10(config)# spanning-tree rstp max-age 10
Supported Releases  10.2.
Configuring MST is a four-step process:
1. Enable MST, if the current running spanning-tree protocol (STP) version is not MST.
2. (Optional) Map the VLAN to different instances in such a way that the traffic is load balanced well and the link utilization is efficient.
3. Ensure the same region name is configured in all the bridges running MST.
4. (Optional) Configure the revision number. The revision number is the same on all the bridges.
1. Enter an instance number in CONFIGURATION mode.
spanning-tree mst configuration
2. Enter the MST instance number in MULTIPLE-SPANNING-TREE mode, from 0 to 63. For Z9332F-ON platform, the MULTIPLE-SPANNING-TREE mode is from 0 to 61.
instance instance-number
3. Enter the VLAN and IDs to participate in the MST instance in MULTIPLE-SPANNING-TREE mode, from 1 to 4096.
ethernet1/1/4:4  128.35  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.35
ethernet1/1/5    128.40  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.40
ethernet1/1/6    128.48  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.48
ethernet1/1/7    128.56  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.56
ethernet1/1/8    128.64  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.64
ethernet1/1/9    128.72  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.72
ethernet1/1/10   128.80  128  200000000  BLK  0  32768 90b1.1cf4.a625  128.80
ethernet1/1/11   128.
ethernet1/1/3    AUTO  No
ethernet1/1/4:1  AUTO  No
ethernet1/1/4:2  AUTO  No
ethernet1/1/4:3  AUTO  No
ethernet1/1/4:4  AUTO  No
ethernet1/1/5    AUTO  No
ethernet1/1/6    AUTO  No
ethernet1/1/7    AUTO  No
ethernet1/1/8    AUTO  No
ethernet1/1/9    AUTO  No
ethernet1/1/10   AUTO  No
ethernet1/1/11   AUTO  No
ethernet1/1/12   AUTO  No
ethernet1/1/13   AUTO  No
ethernet1/1/14   AUTO  No
ethernet1/1/15   AUTO  No
ethernet1/1/16   AUTO  No
ethernet1/1/17   AUTO  No
ethernet1/1/18   AUTO  No
ethernet1/1/19   AUTO  No
ethernet1/1/20   AUTO  No
ethernet1/1/21   AUTO  No
ethernet
You can set the priority value to 0 to force a switch to become the root switch. Value 0 is the highest priority.
● Assign a bridge priority number to a specific instance in CONFIGURATION mode, from 0 to 61440 in increments of 4096, default 32768.
1 2 100 200-300

Modify parameters
The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MST bridges.
Forward-time   Time an interface waits in the Discarding state and Learning state before it transitions to the Forwarding state.
Hello-time     Interval in which the bridge sends MST BPDUs.
Max-age        Length of time the bridge maintains configuration information before it refreshes that information by recomputing the MST topology.
Interface parameters
Adjust two interface parameters to increase or decrease the likelihood that a port becomes a forwarding port.
Port cost       Interface type value. The greater the port cost, the less likely the port is a forwarding port.
Port priority   Influences the likelihood that a port is selected as a forwarding port if several ports have the same port cost.
Default values for the port cost by interface: ● ● ● ● ● ● 1.
Supported Releases  10.2.0E or later

name
Assigns a name to the MST region.
Syntax              name region-name
Parameters          region-name — Enter a name for an MST region. A maximum of 32 characters.
Default             System MAC address
Command Mode        MULTIPLE-SPANNING-TREE
Usage Information   By default, the MST protocol assigns the system MAC address as the region name. Two MST devices within the same region must share the same region name, including matching case.
Usage Information   The MSTP determines the root bridge but you can assign one bridge a lower priority to increase the probability of it being the root bridge. A lower priority-value increases the probability of the bridge becoming a root bridge. The no version of this command resets the value to the default.
Example
OS10(config)# spanning-tree mst 0 priority 0
OS10(config)# spanning-tree mst 2 root primary
Supported Releases  10.2.
Supported Releases  10.2.0E or later

spanning-tree mst disable
Disables spanning tree on the specified MST instance.
Syntax              spanning-tree mst instance-number disable
Parameters          instance-number — Enter the instance number, from 0 to 63. For Z9332F-ON platform, enter an MST instance value from 0 to 61.
Default             Enabled
Command Mode        CONFIGURATION
Usage Information   The no version of this command enables spanning tree on the specified MST instance.
Supported Releases  10.2.0E or later

spanning-tree mst hello-time
Sets the time interval between generation and transmission of MSTP BPDUs.
Syntax              spanning-tree mst hello-time seconds
Parameters          seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Default             2 seconds
Command Mode        CONFIGURATION
Usage Information   Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports.
Example             OS10(config)# spanning-tree mst max-age 10
Supported Releases  10.2.0E or later

spanning-tree mst max-hops
Configures the maximum hop count for a BPDU to travel before it is discarded.
Syntax              spanning-tree mst max-hops number
Parameters          number — Enter a maximum hop value, from 6 to 40.
Default             20
Command Mode        CONFIGURATION
Usage Information   A device receiving BPDUs waits until the max-hops value expires before discarding it.
Parameters
● instance-number — (Optional) Displays MST instance information, from 0 to 63. For Z9332F-ON platform, enter an MST instance value from 0 to 61.
● brief — (Optional) Displays MST instance summary information.
● guard — (Optional) Displays which guard is enabled and the current port state.
● virtual-interface — (Optional) Displays MST information specific to VLT.
ethernet1/1/3 ethernet1/1/4 ethernet1/1/5 ethernet1/1/6 ethernet1/1/7 ethernet1/1/8 ...
NOTE: The IOM cluster running 10.5.x and 10.4.x does not work as expected when the untagged VLAN is not VLAN1 on the server ports. Use the show vlan command to verify that the interface is part of the default VLAN (VLAN 1).
Create VLAN
OS10(config)# interface vlan 108

Delete VLAN
OS10(config)# no interface vlan 108

View configured VLANs
OS10# show interface vlan
Vlan 1 is up, line protocol is up
Address is , Current address is
Interface index is 69208865
Internet address is not set
MTU 1532 bytes
LineSpeed auto
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout: 240
Last clearing of "show interface" counters
Queueing strategy: fifo
Time since last interface status change:
Vlan 200 is up, line protocol is up
Address is , Cur
Configure port in Access mode
OS10(config)# interface ethernet 1/1/9
OS10(config-if-eth1/1/9)# switchport mode access
OS10(config-if-eth1/1/9)# switchport access vlan 604

Show running configuration
OS10# show running-configuration
...
!
interface ethernet1/1/5
...
switchport access vlan 604
no shutdown
!
interface vlan1
no shutdown
...

Trunk mode
A trunk port can be a member of multiple VLANs set up on an interface. A trunk port transmits traffic for all VLANs.
Do not assign an IP address to the default VLAN (VLAN 1).
NOTE: However, the zero-touch deployment (ZTD) application requires this functionality. While ZTD is in progress, the system assigns an IP address to the default VLAN to establish connectivity. After ZTD is complete, the system removes the IP address that is assigned to the default VLAN.
You can place VLANs and other logical interfaces in L3 mode to receive and send routed traffic.
1. Create a VLAN in CONFIGURATION mode, from 1 to 4093.
● View the VLAN status and configuration information in EXEC mode.
show vlan
● View the VLAN interface configuration in EXEC mode.
show interface vlan
● View the VLAN interface configuration for a specific VLAN ID in EXEC mode.
View interface configuration for specific VLAN OS10# show interface vlan 320 Vlan 320 is up, line protocol is up Address is , Current address is Interface index is 69209184 Internet address is not set MTU 1532 bytes LineSpeed auto Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 240 Last clearing of "show interface" counters Queueing strategy: fifo Time since last interface status change: VLAN Scaling When VLANs are created, traffic class is specified for each VLAN that maps the VLAN traffic to a spe
Usage Information
● To use special characters as a part of the description string, enclose the string in double quotes.
● To use a comma as a part of the description string, add a double backslash before the comma.
Example
OS10(config)# interface vlan 3
OS10(conf-if-vl-3)# description vlan3
Supported Releases 10.2.0E or later

interface vlan
Creates a VLAN interface.
Syntax interface vlan vlan-id
Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
Port monitoring Port monitoring monitors ingress or egress traffic of one port to another for analysis. A monitoring port (MG) or destination port is the port where the monitored traffic is sent for analysis. A monitored port (MD) or source port is the source interface that is monitored for traffic analysis. NOTE: This feature is not supported on the Z9332F-ON platform. The different types of port monitoring are: ● Local port monitoring—Port monitoring is done in the same switch.
Configure source and destination port, and traffic direction
OS10(conf-mon-local-1)# source interface ethernet 1/1/7-1/1/8 rx
OS10(conf-mon-local-1)# destination interface ethernet1/1/1
OS10(conf-mon-local-1)# no shut

View configured monitoring sessions
In the State field, true indicates that the port is enabled. In the Reason field, Is UP indicates that hardware resources are allocated.
OS10# show monitor session all
S.
● The member port of the reserved VLAN must have the MTU and IPMTU value as MAX+4 to hold the VLAN tag parameter.
● To associate with the source session, the reserved VLAN can have up to four member ports.
● To associate with the destination session, the reserved VLAN can have multiple member ports.
● The reserved VLAN cannot have untagged ports.

Reserved L2 VLAN
● MAC address learning in the reserved VLAN is automatically disabled.
Create remote monitoring session
OS10(config)# monitor session 10 type rpm-source
OS10(conf-mon-rpm-source-10)#

Configure source and destination port, and traffic direction
OS10(conf-mon-rpm-source-10)# source interface vlan 10 rx
OS10(conf-mon-rpm-source-10)# destination remote-vlan 100
OS10(conf-mon-rpm-source-10)# no shut

View monitoring session
OS10(conf-mon-rpm-source-10)# do show monitor session all
S.
3. Configure source and destination IP addresses, and protocol type in MONITOR-SESSION mode.
source-ip source ip-address destination-ip destination ip-address [gre-protocol protocol-value]
4. Configure TTL and DSCP values in MONITOR-SESSION mode.
ip {ttl ttl-number | dscp dscp-number}
5. Enable the monitoring interface in MONITOR-SESSION mode.
4. Define access-list rules using seq, permit, and deny statements in CONFIG-ACL mode. ACL rules describe the traffic to monitor.
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [fragments] [threshold-in-msgs count] [capture session session-id]
5. Return to CONFIGURATION mode.
exit
6. Apply the flow-based monitoring ACL to the monitored source port in CONFIGURATION mode. The access list name can have a maximum of 140 characters.
Table 36. RPM on VLT scenarios (continued) Scenario Recommendation no shutdown remote-span ! 2. Create an L2 ACL for the RPM VLAN - RPM session and attach it to VLTi LAG interface. ! mac access-list rpm seq 10 permit any any capture session 10 vlan 100 ! interface ethernet 1/1/1 no shutdown switchport access vlan 1 mac access-group rpm in ! 3. Create a flow-based RPM session on the peer VLT device to monitor the VLTi LAG interface as the source.
Table 36. RPM on VLT scenarios (continued) Scenario Recommendation intermediate devices. The packet analyzer connects to the ToR switch. Mirror a VLT LAG to any orphan port on the same VLT device. If the packet analyzer directly connects to the VLT peer The packet analyzer connects to the local VLT device through where the source session is configured, use local port the orphan port. monitoring instead of RPM.
destination Sets the destination where monitored traffic is sent to. The monitoring session can be local or RPM. Syntax destination {interface interface-type | remote-vlan vlan-id} Parameters interface-type—Enter the interface type for a local monitoring session. ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information as the destination. ● port-channel id-number—Enter a port-channel number as the destination, from 1 to 128.
ip
Configures the IP time-to-live (TTL) value and the differentiated services code point (DSCP) value for the ERPM traffic.
Syntax ip {ttl ttl-number | dscp dscp-number}
Parameters
● ttl-number—Enter the TTL value, from 1 to 255.
● dscp-number—Enter the DSCP value, from 0 to 63.
Default
● TTL: 255
● DSCP: 0
Command Mode MONITOR-SESSION (ERPM)
Usage Information The no version of this command removes the configured TTL and DSCP values.
show monitor session Displays information about a monitoring session. Syntax show monitor session {session-id | all} Parameters ● session-id—Enter the session ID number, from 1 to 18. ● all—View all monitoring sessions. Default All Command Mode EXEC Usage Information In the State field, true indicates that the port is enabled.
Supported Releases 10.2.0E or later source Configures a source for port monitoring. The monitoring session can be: local, RPM, or ERPM. Syntax source interface interface-type {both | rx | tx} Parameters ● interface-type—Enter the interface type: ○ ethernet node/slot/port[:subport]—Enter the Ethernet interface information as the monitored source. ○ port-channel id-number—Enter the port-channel interface number as the monitored source, from 1 to 128.
Example
OS10(config)# monitor session 10
OS10(conf-mon-erpm-source-10)# source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006
Supported Releases 10.4.
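The following Python audit is an added example, not part of the Dell guide: it parses monitor-session stanzas from a saved running configuration, inventories where each session sends mirrored traffic, and flags ERPM collectors outside an approved list. The sample configuration and the approved network are constructed, the stanza layout is assumed to follow the commands documented in this chapter, and the `type erpm-source` keyword is inferred from the `conf-mon-erpm-source` prompt shown above.

```python
import ipaddress
import re

# Constructed sample laid out like saved running-configuration output, using
# only the monitor-session commands documented in this chapter.
SAMPLE_CONFIG = """\
monitor session 1
 source interface ethernet1/1/7 rx
 destination interface ethernet1/1/1
 no shut
!
monitor session 10 type rpm-source
 source interface vlan10 rx
 destination remote-vlan 100
 no shut
!
monitor session 11 type erpm-source
 source interface ethernet1/1/2 both
 source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006
 ip ttl 16
 no shut
!
monitor session 12 type erpm-source
 source interface ethernet1/1/3 both
 source-ip 10.16.132.181 destination-ip 198.51.100.7
!
interface ethernet1/1/1
 no shutdown
"""

SESSION_RE = re.compile(r"^monitor session (\d+)(?: type (\S+))?\s*$")
SOURCE_RE = re.compile(r"^source interface (.+?) (both|rx|tx)$")
DEST_RE = re.compile(r"^destination (interface|remote-vlan) (.+)$")
ERPM_RE = re.compile(r"^source-ip (\S+) destination-ip (\S+)")


def parse_sessions(config_text):
    """Return one dict per monitor-session stanza found in the configuration."""
    sessions, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = SESSION_RE.match(line)
        if header:
            current = {
                "id": int(header.group(1)),
                "type": header.group(2) or "local",  # no type keyword: local session
                "sources": [],
                "destination": None,
                "enabled": False,
            }
            sessions.append(current)
            continue
        if current is None:
            continue
        if not raw.startswith(" "):  # "!" or the next top-level stanza ends the session
            current = None
            continue
        if (m := SOURCE_RE.match(line)):
            current["sources"].append((m.group(1), m.group(2)))
        elif (m := DEST_RE.match(line)):
            current["destination"] = (m.group(1), m.group(2))
        elif (m := ERPM_RE.match(line)):
            current["destination"] = ("ip", m.group(2))
        elif line.startswith("no shut"):
            current["enabled"] = True
    return sessions


def audit(sessions, approved_collectors):
    """Return (session id, finding) pairs for sessions that need review."""
    approved = [ipaddress.ip_network(net) for net in approved_collectors]
    findings = []
    for session in sessions:
        dest = session["destination"]
        if dest is None:
            findings.append((session["id"], "session has no destination configured"))
        elif dest[0] == "ip":
            addr = ipaddress.ip_address(dest[1])
            if not any(addr in net for net in approved):
                state = "enabled" if session["enabled"] else "disabled"
                findings.append(
                    (session["id"], f"ERPM collector {addr} is not approved ({state})")
                )
    return findings


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_CONFIG)
    for s in parsed:
        print(s["id"], s["type"], s["sources"], "->", s["destination"], s["enabled"])
    for session_id, finding in audit(parsed, ["172.16.10.0/24"]):
        print(f"session {session_id}: {finding}")
```

Run it against configuration backups on a schedule and compare the inventory with the previous run; a new session or a changed destination is the event worth reviewing.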
13 Layer 3 Bidirectional forwarding detection (BFD) Provides rapid failure detection in links with adjacent routers (see BFD commands). Border Gateway Protocol (BGP) Provides an external gateway protocol that transmits inter-domain routing information within and between autonomous systems (see BGP Commands). Equal Cost Multi- Provides next-hop packet forwarding to a single destination over multiple best paths (see ECMP Path (ECMP) Commands).
2. Add the management interface using the interface management command in VRF CONFIGURATION mode.

Configure management VRF
OS10(config)# ip vrf management
OS10(conf-vrf)# interface management

You can enable various services in either the management or default VRF instances. The services that are supported in the management and default VRF instances are: Table 37.
Configuration notes All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON: Before you assign the management port to the management VRF instance, you must remove all configured settings on the management port, including the IP address. Perform this action from the console. Removing the IP address disconnects all existing SSH and Telnet sessions on the switch.
Configure non-default VRF instances In addition to a management VRF instance and default VRF, OS10 also supports non-default VRF instances. You can create a maximum of 512 non-default VRF instances. While you can assign management interfaces only to the management VRF instance, you can assign any physical or logical interface – VLAN, port channel, or loopback, to a non-default VRF instance. When you create a new non-default VRF instance, OS10 does not assign any interface to it.
INTERFACE CONFIGURATION
ip vrf forwarding vrf-test
Before assigning an interface to a VRF instance, ensure that no IP address is configured on the interface.
3. Assign an IPv4 address to the interface.
INTERFACE CONFIGURATION
ip address 10.1.1.1/24
4. Assign an IPv6 address to the interface.
INTERFACE CONFIGURATION
ipv6 address 1::1/64
You can also auto configure an IPv6 address using the ipv6 address autoconfig command.

Assign an interface back to the default VRF instance
Table 38.
no ipv6 address
4. Assign the management interface back to the default VRF instance.
CONFIGURATION VRF
no interface management

Deleting a non-default VRF instance
Before deleting a non-default VRF instance, ensure all the dependencies and associations corresponding to that VRF instance are first deleted or disabled. The following procedure describes how to delete a non-default VRF instance: After deleting all dependencies, you can delete the non-default VRF instances that you have created.
Figure 7. Setup VRF Interfaces

Router 1
ip vrf blue
!
ip vrf orange
!
ip vrf green
!
interface ethernet 1/1/1
 no shutdown
 switchport mode trunk
 switchport access vlan 1
 switchport trunk allowed vlan 128,192,256
 flowcontrol receive off
!
interface ethernet1/1/2
 no shutdown
 no switchport
 ip vrf forwarding blue
 ip address 20.0.0.
 no switchport
 ip vrf forwarding orange
 ip address 30.0.0.1/24
!
interface ethernet1/1/4
 no shutdown
 no switchport
 ip vrf forwarding green
 ip address 40.0.0.1/24
!
interface vlan128
 mode L3
 no shutdown
 ip vrf forwarding blue
 ip address 1.0.0.1/24
!
interface vlan192
 mode L3
 no shutdown
 ip vrf forwarding orange
 ip address 2.0.0.1/24
!
!
interface vlan256
 mode L3
 no shutdown
 ip vrf forwarding green
 ip address 3.0.0.1/24
!
ip route vrf green 31.0.0.0/24 3.0.0.
 ip vrf forwarding orange
 ip address 2.0.0.2/24
!
interface vlan256
 mode L3
 no shutdown
 ip vrf forwarding green
 ip address 3.0.0.2/24
!
ip route vrf green 30.0.0.0/24 3.0.0.
Router 2 show command output
OS10# show ip vrf
VRF-Name    Interfaces
blue        Eth1/1/5 Vlan128
default     Mgmt1/1/1 Vlan1,24-25,200
green       Eth1/1/7 Vlan256
orange      Eth1/1/6 Vlan192

OS10# show ip route vrf blue
Codes: C - connected
       S - static
       B - BGP, IN - internal BGP, EX - external BGP
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, * - candidate default,
       + - summary route, > - non-active route
Gateway of las
Static route leaking Route leaking enables routes that are configured in a default or non-default VRF instance to be made available to another VRF instance. You can leak routes from a source VRF instance to a destination VRF instance. The routes need to be leaked in both source and destination VRFs to achieve end-to-end traffic flow. If there are any connected routes in the same subnet as statically leaked routes, then the connected routes take precedence.
OS10(config)# do show ip route vrf VRF1 Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change --------------------------------------------------------------------------------------------------C 120
CONFIGURATION
ip vrf destination-vrf-name
ip route-import 1:1
The routes that you exported from the source VRF instance are now available in the destination VRF instance.

Route leaking using route maps
You can leak routes in one VRF instance to another VRF instance using route maps. To leak routes in one VRF instance using route maps:
1. Enter the VRF from which you want to leak routes using route targets.
CONFIGURATION
ip vrf source-vrf-name
ip vrf VRF-A
2. Configure the IP prefix.
ip route-import route-target
ip route-import 1:1

OS10(config)#interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip vrf forwarding VRF1
OS10(conf-if-eth1/1/1)# ip address 120.0.0.1/24
OS10(config)#interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# ip vrf forwarding VRF2
OS10(conf-if-eth1/1/2)# ip address 140.0.0.1/24
OS10(config)#ip route vrf VRF1 160.0.0.0/24 120.0.0.
2. Configure loopback interfaces. Assign the loopback interfaces as source interfaces for the VRF.
VTEP1(config)# interface loopback 2
VTEP1(conf-if-lo-2)# ip vrf forwarding GREEN
VTEP1(conf-if-lo-2)# ip address 51.1.1.1/32
VTEP1(conf-if-lo-2)# exit
VTEP1(config)# interface loopback 3
VTEP1(conf-if-lo-3)# ip vrf forwarding RED
VTEP1(conf-if-lo-3)# ip address 52.1.1.
Example: Route leaking between VRFs with symmetric IRB routing
With symmetric IRB routing, the virtual networks to which the hosts are connected might be disjoint or stretched virtual networks. A disjoint virtual network does not span across VTEPs whereas a stretched virtual network spans across VTEPs. In this example, the virtual networks are disjoint.
● VTEP1 has virtual network 10 configured in tenant VRF GREEN.
● VTEP2 has virtual network 20 configured in tenant VRF RED.
VTEP1(config)# ip vrf RED
VTEP1(conf-vrf)# update-source-ip loopback 3
VTEP1(conf-vrf)# exit
3. Leak the client-connected networks to the tenant VRF to which the client is connected.
VTEP1(config)# ip route vrf RED 10.1.1.0/24 interface virtual-network 10
VTEP1(config)# ip route vrf RED 51.1.1.2/32 interface loopback 2
4. Advertise the client network-leaked routes through EVPN type-5 routes to the server-connected VRF.
VRF commands

interface management
Adds a management interface to the management VRF instance.
Syntax interface management
Parameters None
Default Not configured
Command Mode VRF CONFIGURATION
Usage Information The no version of this command removes the management interface from the management VRF instance.
Example
OS10(config)# ip vrf management
OS10(conf-vrf)# interface management
Supported Releases 10.4.
Command Mode CONFIGURATION
Usage Information The no version of this command removes the domain name from the management or non-default VRF instance.
Example
OS10(config)# ip domain-name vrf management dell.com
or
OS10(config)# ip domain-name vrf blue dell.com
Supported Releases 10.4.0E(R1) or later

ip vrf
Create a non-default VRF instance.
Syntax ip vrf vrf-name
Parameters
● vrf-name—Enter the name of the non-default VRF that you want to create.
ip host vrf Configures a hostname for the management VRF instance or a non-default VRF instance and maps the hostname to an IPv4 or IPv6 address. Syntax ip host vrf {management | vrf-name} hostname {IP-address | Ipv6–address} Parameters ● management—Enter the keyword management to configure a hostname for the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to configure a hostname for that VRF instance. ● hostname—Enter the hostname.
Command Mode CONFIGURATION
Usage Information The no version of this command removes the name server from the management or non-default VRF instance.
Example
OS10(config)# ip name-server vrf management
or
OS10(config)# ip name-server vrf blue
Supported Releases 10.4.0E(R1) or later

ip route-import
Imports an IPv4 route into a VRF instance from another VRF instance.
ipv6 route-import Imports an IPv6 route into a VRF instance from another VRF instance. Syntax [no] ipv6 route-import route-target Parameters ● route-target—Enter the route-target of the VRF instance. Default Not configured Command Mode VRF CONFIG Usage Information You can import IPv6 routes corresponding only to a nondefault or a default VRF instance. You cannot import IPv6 routes that belong to a management VRF instance into another VRF instance.
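The route-target leaking described earlier and the `ip route-import` and `ipv6 route-import` commands above determine which VRF instances can reach each other, so the following Python audit (an added example, not part of the Dell guide) rebuilds that leak graph from a saved configuration and reports leaks that are one-way or not on an approved list. The sample configuration, VRF names and approved pairs are constructed; the `ip route-export` and `ipv6 route-export` lines are assumed to mirror the import syntax, because the export command itself does not appear in this excerpt.

```python
import re

# Constructed sample laid out like saved running-configuration output.
# The route-export lines are an assumption that mirrors the route-import syntax.
SAMPLE_CONFIG = """\
ip vrf VRF1
 ip route-export 1:1
 ip route-import 2:2
!
ip vrf VRF2
 ip route-export 2:2
 ip route-import 1:1
!
ip vrf PCI
 ip route-export 3:3
!
ip vrf GUEST
 ip route-import 3:3
 ipv6 route-import 3:3
!
interface ethernet1/1/1
 ip vrf forwarding VRF1
"""

VRF_RE = re.compile(r"^ip vrf (\S+)$")
TARGET_RE = re.compile(r"^(ip|ipv6) route-(export|import) (\S+)")


def parse_vrf_targets(config_text):
    """Map each VRF name to the (family, route-target) pairs it exports and imports."""
    vrfs, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line: a VRF stanza or something else
            header = VRF_RE.match(line)
            current = header.group(1) if header else None
            if current:
                vrfs.setdefault(current, {"export": set(), "import": set()})
            continue
        if current is None:
            continue
        target = TARGET_RE.match(line)
        if target:
            family = "ipv4" if target.group(1) == "ip" else "ipv6"
            vrfs[current][target.group(2)].add((family, target.group(3)))
    return vrfs


def leak_edges(vrfs):
    """Return sorted (source VRF, destination VRF, family, route-target) tuples."""
    edges = set()
    for src, src_targets in vrfs.items():
        for dst, dst_targets in vrfs.items():
            if src == dst:
                continue
            # A leak exists only where an export and an import agree on
            # both the address family and the route target.
            for family, rt in src_targets["export"] & dst_targets["import"]:
                edges.add((src, dst, family, rt))
    return sorted(edges)


def one_way(edges):
    """Leaks with no reverse leak in the same family (no end-to-end traffic flow)."""
    directed = {(src, dst, family) for src, dst, family, _ in edges}
    return [e for e in edges if (e[1], e[0], e[2]) not in directed]


def unapproved(edges, allowed_pairs):
    """Leaks whose (source, destination) pair is not on the approved list."""
    return [e for e in edges if (e[0], e[1]) not in allowed_pairs]


if __name__ == "__main__":
    found = leak_edges(parse_vrf_targets(SAMPLE_CONFIG))
    for src, dst, family, rt in found:
        print(f"{src} -> {dst} ({family}, route-target {rt})")
    print("one-way:", one_way(found))
    print("unapproved:", unapproved(found, {("VRF1", "VRF2"), ("VRF2", "VRF1")}))
```

In the sample, GUEST's IPv6 import of 3:3 produces no edge because PCI exports that target for IPv4 only.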
Example
OS10(config)# ip scp vrf management
OS10(config)# ip scp vrf vrf-blue
Supported Releases 10.4.0E(R1) or later

ip sftp vrf
Configures an SFTP client for the management or non-default VRF instance.
Syntax ip sftp vrf {management | vrf vrf-name}
Parameters
● management — Enter the keyword to configure an SFTP client for a management VRF instance.
● vrf vrf-name — Enter the keyword then the name of the VRF to configure an SFTP client for that non-default VRF instance.
Usage Information Enter the ip vrf management command only in non-transaction-based configuration mode. Do not use transaction-based mode. The no version of this command removes the management VRF instance configuration.
Example
OS10(config)# ip vrf management
OS10(conf-vrf)#
Supported Releases 10.4.0E(R1) or later

show hosts vrf
Displays the host table in the management or non-default VRF instance.
Eth1/1/1-1/1/2 Vlan1 management OS10# show ip vrf management VRF-Name Interfaces management Supported Releases 10.4.0E(R1) or later update-source-ip Configures a source IP interface for any leaked route in a VRF instance. Syntax update-source-ip interface interface-id To undo this configuration, use the no update-source-ip command. Parameters ● interface interface-id — Enter the loopback interface identifier. The range is from 0 to 16383.
BFD session states To establish a BFD session between two routers, enable BFD on both sides of the link. BFD routers can operate in both active and passive roles. ● The active router starts the BFD session. Both routers can be active in the same session. ● The passive router does not start a session. It only responds to a request for session initialization from the active router. A BFD session can occur in Asynchronous and Demand modes. However, OS10 BFD supports only Asynchronous mode.
● The default session state on both ports is Down.
1. The active system sends a steady stream of control packets to indicate that its session state is Down until the passive system responds. These packets are sent at the desired transmit interval of the Active system. The Your Discriminator field is set to zero.
2. When the passive system receives a control packet, it changes its session state to Init and sends a response to indicate its state change.
Configure BFD globally
Before you configure BFD for static routing or a routing protocol, configure BFD globally on each router, including the global BFD session settings. BFD is disabled by default.
1. Configure the global BFD session parameters in CONFIGURATION mode.
bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive}
● interval milliseconds — Enter the time interval for sending control packets to BFD peers, from 50 to 1000. The default is 200.
BFD for BGP example In this BFD for BGP configuration example, Router 1 and Router 2 use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other and with iBGP routers to maintain connectivity and accessibility within each autonomous system. When you configure a BFD session with a BGP neighbor, you can: ● Establish a BFD session with a specified BGP neighbor using the neighbor ip-address and bfd commands.
the detection interval, the router informs any clients of the BFD session, and other routing protocols, about the failure. It then depends on the routing protocol that uses the BGP link to determine the appropriate response to the failure condition. The normal response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message generates whenever BFD detects a failure condition.
BFD for BGP all-neighbors configuration
OS10(conf)# bfd interval 200 min_rx 200 multiplier 6 role active
OS10(conf)# bfd enable
OS10(conf)# router bgp 4
OS10(config-router-bgp-4)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active

BFD for BGP single-neighbor configuration
OS10(conf)# bfd interval 200 min_rx 200 multiplier 6 role active
OS10(conf)# bfd enable
OS10(conf)# router bgp 1
OS10(config-router-bgp-1)# neighbor 150.150.1.
30.1.1.1 101 787 779 11:15:35 0 OS10(config-router-bgp-101)# show ip bgp neighbors BGP neighbor is 20.1.1.1, remote AS 101, local AS 101 internal link BGP version 4, remote router ID 30.1.1.
Establishing BFD sessions with OSPFv2 neighbors
You can establish BFD sessions with all OSPF neighbors at once. Alternatively, you can establish BFD sessions with the OSPF neighbors corresponding to a single OSPF interface. To establish BFD sessions with OSPFv2 neighbors:
1. Enable BFD globally
bfd enable
CONFIGURATION Mode
2. Enter ROUTER-OSPF mode
router ospf ospf-instance
CONFIGURATION Mode
3. Establish sessions with all OSPFv2 neighbors.
bfd all-neighbors
ROUTER-OSPF Mode
4.
bfd all-neighbors

OS10# show running-configuration ospf
!
interface vlan200
 no shutdown
 ip vrf forwarding red
 ip address 20.1.1.1/24
 ip ospf 200 area 0.0.0.0
 ip ospf bfd all-neighbors disable
!
interface vlan300
 no shutdown
 ip vrf forwarding red
 ip address 30.1.1.1/24
 ip ospf 200 area 0.0.0.0
!
router ospf 200 vrf red
 bfd all-neighbors
 log-adjacency-changes
 router-id 2.3.3.1
!

In this example OSPF is enabled in non-default VRF red.
ip ospf bfd all-neighbors disable
INTERFACE CONFIGURATION Mode
To re-enable BFD that was disabled on the interface alone, use the following commands:
● no ip ospf bfd all-neighbors command
● ip ospf bfd all-neighbors

Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6:
1. Enable BFD Globally.
2. Establish sessions with OSPFv3 neighbors.

Establishing BFD sessions with OSPFv3 neighbors
To establish BFD sessions with OSPFv3 neighbors:
1. Enable BFD globally
bfd enable
CONFIGURATION Mode
2.
VRF CONFIGURATION Mode
6. Establish BFD session with OSPFv3 neighbors in a single OSPF interface in a non-default VRF instance.
ipv6 ospf bfd all-neighbors
VRF CONFIGURATION Mode
7. Enter ROUTER-OSPF mode in a non-default VRF instance.
router ospf ospf-instance vrf vrf-name
CONFIGURATION Mode
8. Establish BFD sessions with all OSPFv2 instances in a non-default VRF.
bfd all-neighbors

Changing OSPFv3 session parameters
Configure BFD sessions with default intervals and a default role.
When you configure BFD, next-hop reachability depends on the BFD state of the BFD session corresponding to the specified next hop. If the BFD session of the configured next hop is down, the static route is not installed in the RIB. The BFD session must be up for the static route. You must configure BFD on both the peers pointing to its neighbor as the next hop. There is no dependency on the configuration order of the static route and BFD configuration.
Disabling BFD for IPv4 Static Routes
If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for IPv4 static routes, use the following command.
Disable BFD for static routes.
no ip route bfd
CONFIGURATION Mode

Establishing BFD Sessions for IPv6 Static Routes
To establish a BFD session for IPv6 static routes, use the following command.
● Configure BFD for a specific IPv4 static route using the following command in CONFIGURATION mode:
ip route [vrf vrf-name] dest-ip-prefix mask {next-hop [interface interface-type] [route-preference]} bfd
● Configure BFD for a specific IPv6 static route using the following command in CONFIGURATION mode:
ipv6 route [vrf vrf-name] dest-ipv6–prefix mask {next-hop [interface interface-type] [route-preference]} bfd
The following is an example configuration for enabling BFD for specific static routes on the defau
Usage Information Example ● Use the bfd command to configure BFD sessions with a specified neighbor or neighbors which inherit a BGP template. Use the neighbor {ip-address | ipv6-address} command in ROUTER-BGP mode to specify the neighbor. Use the template template-name command in ROUTER-BGP mode to specify a BGP template. Use the no bfd command in ROUTER-NEIGHBOR mode to disable BFD sessions with a neighbor.
Example
OS10(conf-router-bgp)# bfd all-neighbors interval 250 min_rx 300 multiplier 4 role passive
Supported releases 10.4.1.0 or later

bfd disable
Ignores the configured bfd all-neighbors settings and disables BFD for a specified neighbor.
Syntax bfd disable
Parameters None
Default Not configured
Command Mode ROUTER-NEIGHBOR
Usage Information Use the neighbor ip-address command in ROUTER-BGP mode to specify a neighbor. Use the bfd disable command to disable BFD sessions with the neighbor.
● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time. Enter passive if the router does not initiate BFD sessions, and only responds to a request from an active BFD to initialize a session. Default The time interval for sending control packets to BFD peers is 200 milliseconds. The maximum waiting time for receiving control packets from BFD peers is 200 milliseconds.
ipv6 ospf bfd all-neighbors
Enables and configures the default BFD parameters for all OSPFv3 neighbors in this interface.
Syntax ipv6 ospf bfd all-neighbors [disable|[interval millisec min_rx min_rx multiplier role {active | passive}]]
To disable the default BFD parameters for all OSPFv3 neighbors, use the no ipv6 ospf bfd all-neighbors command.
Parameters
● disable — Disables the BFD session on an interface alone.
The BFD role is active
Command Mode CONFIG
Usage Information Use this command to enable or disable BFD for all the configured IPv4 static routes for the specified VRF. If you do not specify a VRF name, the command is applicable for the default VRF. The no version of this command disables BFD on a static route.
Example
OS10(config)# ip route bfd interval 250 min_rx 250 multiplier 4 role active
Supported releases 10.4.2E or later

ipv6 route bfd
Enables or disables BFD on IPv6 static routes.
● interface interface-type — (Optional) Enter one of the following interface types: ○ ethernet node/slot/port[:subport] — Displays Ethernet interface information. ○ port-channel id-number — Display port channel interface IDs, from 1 to 128. ○ vlan vlan-id — Displays the VLAN interface number, from 1 to 4093. Default Not configured Command Mode EXEC Usage Information Use this command to verify that a BFD session between neighbors is up using the default VRF instance.
Supported releases 10.4.1.0 or later Border Gateway Protocol Border Gateway Protocol (BGP) is an interautonomous system routing protocol that transmits interdomain routing information within and between autonomous systems (AS). BGP exchanges network reachability information with other BGP systems. BGP adds reliability to network connections by using multiple paths from one router to another. Unlike most routing protocols, BGP uses TCP as its transport protocol.
● If you use eBGP to exchange routes with switches in an SFS environment, the router must directly connect to the switch or switches present. You must use the interface IP to set up BGP peering. NOTE: This behavior is applicable only to the S4100-ON series of switches. ● By default, routes that are learned on multiple paths to eBGP peers are advertised to IBGP peers with the next-hop local IP address. This behavior allows for local repair of atomic failure of any external peers.
Martian addresses
Martian addresses are invalid networks on the Internet. Martian addresses are special IPv4 and IPv6 addresses which are not routed by routing devices on the Internet. OS10 considers the following as Martian prefixes:
● 0.0.0.0/8
● 127.0.0.0/8
● 224.0.0.0/4
● ::/128
● FF00::/8
● FE80::/16
● ::0002-::FFFF - all prefixes

Route reflectors
Route reflectors (RRs) reorganize the IBGP core into a hierarchy and allow route advertisement rules.
BGP session supports multiple address family interface (AFI) and sub address family interface (SAFI) combinations, BGP uses OPEN message to convey this information to the peers. As a result, the IPv6 routing information is exchanged over the IPv4 peers and vice versa. BGP routers that support IPv6 can set up BGP sessions using IPv6 peers. If the existing BGP-v4 session is capable of exchanging ipv6 prefixes, the same is used to carry ipv4 as well as ipv6 prefixes.
● This comparison is only done if the first neighboring AS is the same in the two paths. The MEDs compare only if the first AS in the AS_SEQUENCE is the same for both paths.
● Configure the bgp always-compare-med command to compare MEDs for all paths.
● Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths, and prefer the path with the lowest IGP metric to the BGP next-hop.
Multiexit discriminators If two autonomous systems connect in more than one place, use a multiexit discriminator (MED) to assign a preference to a preferred path. MED is one of the criteria used to determine best path—other criteria may also impact selection. One AS assigns the MED a value. Other AS uses that value to decide the preferred path. Assume that the MED is the only attribute applied and there are two connections between AS 100 and AS 200. Each connection is a BGP session.
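The MED rules stated above (compare only when the first AS matches unless always-compare-med is set, and treat a missing MED as 4294967295) can be checked with a short model. This Python sketch is an added example, not OS10 code: it models only the MED step of best-path selection, relies on the standard BGP rule that the lower MED is preferred, and uses constructed paths and next-hop addresses.

```python
MISSING_MED = 4294967295  # value the guide assigns to a path that carries no MED

# Constructed paths to one prefix as seen from AS 100: two sessions to AS 200
# with different MEDs, and one path through AS 300 that carries no MED.
PATHS = [
    {"next_hop": "10.0.0.1", "as_path": [200], "med": 100},
    {"next_hop": "10.0.0.2", "as_path": [200], "med": 50},
    {"next_hop": "10.0.1.1", "as_path": [300, 200], "med": None},
]


def effective_med(path):
    """A path with no MED is treated as worst."""
    med = path.get("med")
    return MISSING_MED if med is None else med


def first_as(path):
    """First (neighboring) AS in the AS path, or None for an empty path."""
    return path["as_path"][0] if path["as_path"] else None


def comparable(a, b, always_compare_med):
    """MEDs are compared only between paths from the same neighboring AS,
    unless the always-compare-med behavior is enabled."""
    return always_compare_med or first_as(a) == first_as(b)


def med_survivors(paths, always_compare_med=False):
    """Drop every path that loses a MED comparison to a comparable path.

    A path survives when no comparable path has a strictly lower MED, so the
    result does not depend on the order in which the paths were received.
    """
    survivors = []
    for candidate in paths:
        beaten = any(
            other is not candidate
            and comparable(candidate, other, always_compare_med)
            and effective_med(other) < effective_med(candidate)
            for other in paths
        )
        if not beaten:
            survivors.append(candidate)
    return survivors


if __name__ == "__main__":
    for flag in (False, True):
        kept = [p["next_hop"] for p in med_survivors(PATHS, always_compare_med=flag)]
        print(f"always-compare-med={flag}: {kept}")
```

With the default behavior the AS 300 path survives the MED step because it is never compared against the AS 200 paths; with always-compare-med its missing MED makes it the worst candidate.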
For EBGP neighbors, the next-hop address corresponding to a BGP route does not resolve if the next-hop address is not the same as the neighbor IP address. The next-hop attribute also serves as a way to direct traffic to another BGP speaker, instead of waiting for a speaker to advertise. When a next-hop BGP neighbor is unreachable, the connection to that BGP neighbor goes down after the hold-down timer expires.
Avoid unnecessary BGP best path transitions between external paths under certain conditions. The bestpath router-id ignore command reduces network disruption that is caused by routing and forwarding plane changes and allows for faster convergence. Advertise cost As the default process for redistributed routes, OS10 supports IGP cost as MED. Both autosummarization and synchronization are disabled by default.
Router A, Router B, and Router C belong to AS 100, 200, and 300, respectively. Router A acquired Router B — Router B has Router C as its client. When Router B is migrating to Router A, it must maintain the connection with Router C without immediately updating Router C’s configuration. Local-AS allows Router B to appear as if it still belongs to Router B’s old network, AS 200, to communicate with Router C.
Enable BGP
Before enabling BGP, assign a BGP router ID to the switch using the following command:
● In ROUTER BGP mode, enter the router-id ip-address command, where ip-address is the IP address corresponding to a configured L3 interface (physical, loopback, or LAG).
BGP is disabled by default. The system supports one AS number — you must assign an AS number to your device. To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer.
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 5.1.1.2 4294967295 0 0 0 0 0 00:00:00 Active For the router ID, the system selects the first configured IP address or a random number. To view the status of BGP neighbors, use the show ip bgp neighbors command. For BGP neighbor configuration information, use the show running-config bgp command. The example shows two neighbors — one is an external BGP neighbor; and the other is an internal BGP neighbor.
4. Add a remote AS in ROUTER-NEIGHBOR mode, from 1 to 65535 for 2-byte or 1 to 4294967295 for 4-byte.
remote-as as-number
5. Enable the BGP neighbor in ROUTER-NEIGHBOR mode.
no shutdown
6. (Optional) Add a description text for the neighbor in ROUTER-NEIGHBOR mode.
description text
To reset the configuration when you change the configuration of a BGP neighbor, use the clear ip bgp * command. To view the BGP status, use the show ip bgp summary command.
4. Enable BGP on the device.
router bgp as-number
5. Enter an unnumbered neighbor in ROUTER-BGP mode.
neighbor interface interface-type
interface interface-type — (Optional) Enter one of the following interface types:
● ethernet node/slot/port[:subport] — Display Ethernet interface information.
● port-channel id-number — Display port channel interface IDs, from 1 to 128.
● vlan vlan-id — Display the VLAN interface number, from 1 to 4093.
6. Enable the BGP neighbor in ROUTER-NEIGHBOR mode.
4_OCTET_AS(65) Extended Next Hop Encoding (5)
Capabilities advertised to neighbor for IPv4 Unicast:
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) Extended Next Hop Encoding (5)
Prefixes accepted 0, Prefixes advertised 0
Connections established 1; dropped 0
Last reset never
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
Local host: fe80::76e6:e2ff:fef5:b281, Local port: 45
IPv4: address-family ipv4 unicast
IPv6: address-family ipv6 unicast
3. Change the administrative distance for BGP from the respective ADDRESS-FAMILY mode.
7. (Optional) Add a remote neighbor, and enter the AS number in ROUTER-TEMPLATE mode.
remote-as as-number
● To add an EBGP neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command.
● To add an IBGP neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command.
NOTE: When you configure an unnumbered interface, do not configure the remote AS number.
8.
100.5.1.1
100.6.1.1
OS10# show ip bgp peer-group bg1
Peer-group bg1, remote AS 0
BGP version 4
Minimum time between advertisement runs is 30 seconds
For address family: Unicast
BGP neighbor is bg1, peer-group external
Update packing has 4_OCTET_AS support enabled
Number of peers in this group 2
Peer-group members:
40.1.1.2
ethernet 1/1/1
OS10# show ip bgp peer-group leaf_v4 summary
BGP router identifier 100.0.0.8 local AS number 64601
Neighbor AS MsgRcvd MsgSent Up/Down
100.5.1.1 64802 376 325 04:28:25
100.
1. Enable BGP, and assign the AS number to the local BGP speaker in CONFIGURATION mode, from 1 to 65535 for 2 bytes, 1 to 4294967295 | 0.1 to 65535.65535 for 4 bytes, or 0.1 to 65535.65535, in dotted format.
router bgp as-number
2. Enter CONFIG-ROUTER-VRF mode to create a peer template for the nondefault VRF instance that you create.
vrf vrf-name
3. Create a peer template by assigning a neighborhood name to it in CONFIG-ROUTER-VRF mode.
template template-name
4.
Neighbor fall-over
The BGP neighbor fall-over feature reduces the convergence time while maintaining stability. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. When remote or peer local addresses become unreachable, BGP brings the session down with the peer. For example, if no active route exists in the routing table for peer IPv6 destinations/local address, BGP brings the session down. By default, the hold time governs a BGP session.
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
For address family: IPv6 Unicast
Allow local AS number 0 times in AS-PATH attribute
Local host: 3.1.1.3, Local port: 58633
Foreign host: 3.1.1.1, Foreign port: 179
Verify neighbor fall-over on peer-group
OS10# show running-configuration
!
router bgp 102
!
address-family ipv4 unicast
aggregate-address 6.1.0.0/16
!
neighbor 40.1.1.
Peer 1 in ROUTER-TEMPLATE mode
OS10# configure terminal
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# ip address 11.1.1.1/24
OS10(conf-if-eth1/1/5)# router bgp 10
OS10(config-router-bgp-10)# template pass
OS10(config-router-template)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# neighbor 11.1.1.
remote-as 20
no shutdown
OS10(config-router-neighbor)# do show running-configuration bgp
!
router bgp 20
neighbor 11.1.1.2
password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d
remote-as 20
no shutdown
Fast external fallover
Fast external fallover terminates EBGP sessions of any directly adjacent peer if the link used to reach the peer goes down. BGP does not wait for the hold-down timer to expire. Fast external fallover is enabled by default.
!
address-family ipv6 unicast
activate
OS10(config-router-bgp-300)#
OS10(conf-if-eth1/1/1)# do clear ip bgp *
OS10# show ip bgp summary
BGP router identifier 11.11.11.11 local AS number 300
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
-----------------------------------------------------------------
3.1.1.1 100 7 4 00:00:08 3
3::1 100 9 5 00:00:08 4
OS10#
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# shutdown
OS10(conf-if-eth1/1/1)# do show ip bgp summary
BGP router identifier 11.11.11.
OS10(conf-router-template)# remote-as 100
OS10(conf-router-template)# listen 32.1.0.0/8 limit 10
Local AS
During BGP network migration, you can maintain existing AS numbers. Reconfigure your routers with the new information to disable this feature after the migration. Network migration is not supported on passive peer templates. You must configure peer templates before assigning them to an AS.
AS number limit
Sets the number of times an AS number occurs in an AS path. The allow-as parameter permits a BGP speaker to allow the AS number for a configured number of times in the updates received from the peer. An AS-PATH loop is detected if the local AS number is present more times than the number configured in the command.
1. Enter the neighbor IP address to use the AS path in ROUTER-BGP mode.
neighbor ip address
2. Enter Address Family mode in ROUTER-NEIGHBOR mode.
r - redistributed/network, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>I 55::/64 172:16:1::2 0 0 0 100 200 300 400 i
*>I 55:0:0:1::/64 172:16:1::2 0 0 0 100 200 300 400 i
*>I 55:0:0:2::/64 172:16:1::2 0 0 0 100 200 300 400 i
Redistribute routes
Add routes from other routing instances or protocols to the BGP process. You can include OSPF, static, or directly connected routes in the BGP process with the redistribute command.
MED attributes
OS10 uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. MED comparison is not performed in paths from neighbors with different AS numbers.
1. Enable MED comparison in the paths from neighbors with different AS in ROUTER-BGP mode.
always-compare-med
2. Change the best path MED selection in ROUTER-BGP mode.
bestpath med {confed | missing-as-best}
● confed—Selects the best path MED comparison of paths learned from BGP confederations.
OS10(conf-route-map)# exit
OS10(config)# router bgp 10
OS10(conf-router-bgp-10)# neighbor 10.1.1.
● Configure the number of ECMP groups in CONFIGURATION.
ip ecmp-group maximum-paths number
● Enable multiple parallel paths in ROUTER-BGP mode.
maximum-paths {ebgp | ibgp} number
Enable multipath
OS10(config)# ip ecmp-group maximum-paths 12
OS10(config)# router bgp 10
OS10(conf-router-bgp-10)# maximum-paths ebgp 10
Route-map filters
Filtering routes allows you to implement BGP policies. Use route-maps to control which routes the BGP neighbor or peer group accepts and advertises.
1.
Configure clusters of routers where one router is a concentration router and the others are clients who receive their updates from the concentration router.
1. Assign an ID to a route reflector cluster in ROUTER-BGP mode. You can have multiple clusters in an AS.
cluster-id cluster-id
2. Assign a neighbor to the route reflector cluster in ROUTER-BGP mode.
neighbor {ip-address}
3. Configure the neighbor as a route-reflector client in ROUTER-NEIGHBOR mode, then return to ROUTER-BGP mode.
!
router bgp 105
!
address-family ipv4 unicast
aggregate-address 3.3.0.0/16
!
neighbor 32.1.1.2
remote-as 104
no shutdown
!
address-family ipv4 unicast
Confederations
Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, Dell EMC recommends BGP confederations only for IBGP peering involving many IBGP peering sessions per router. When you configure BGP confederations, you break the AS into smaller sub-ASs.
Route dampening
When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices. A flap occurs when a route is withdrawn, readvertised after being withdrawn, or has an attribute change. The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, configure penalties (a numeric value) for routes that flap.
Network From Reuse Path
d* 3.1.2.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.3.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.4.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.5.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.6.0/24 80.1.1.2 00:00:12 800 9 8 i
Total number of prefixes: 5
Timers
To adjust the routing timers for all neighbors, configure the timer values using the timers command. If both the peers negotiate with different keepalive and hold time values, the final hold time value is the lowest value received.
2. Enter Address Family mode in ROUTER-NEIGHBOR mode.
address-family {[ipv4 | ipv6] [unicast]}
3. Configure soft-reconfiguration for the neighbors belonging to the template.
soft-reconfiguration inbound
4. Clear all information or only specific details in EXEC mode.
clear ip bgp {neighbor-address | * | interface interface-type} [soft in]
● * — Clears all peers.
● neighbor-address — Clears the neighbor with this IP address.
● interface interface-type — Clears an unnumbered neighbor.
ip address 10.10.9.1 ! router bgp 20 network 192.168.100.0 neighbor 10.10.9.2 remote-as 20 address-family ipv4 unicast
Configuration on Core 1
Core 1 has both OSPF and BGP configured. Core 1 has OSPF neighbor adjacency with Core 2 and BGP neighbor adjacency with BR. The iBGPtoOSPF prefix-list is configured and applied to a route-map. The match ip address prefix-list iBGPtoOSPF command processes the iBGP-learned routes.
ip prefix-list iBGPtoOSPF seq 15 permit 192.168.100.
router bgp 20 neighbor 2030::2 remote-as 20
Configuration on Core 1
Core 1 has both OSPF and BGP configured. Core 1 has OSPF neighbor adjacency with Core 2 and BGP neighbor adjacency with BR. The iBGPtoOSPF prefix-list is configured and applied to a route-map. The match ip address prefix-list iBGPtoOSPF command processes the iBGP-learned routes.
Example - BGP in a VLT topology
The following spine-leaf VLT topology runs BGP for Layer 3 communication.
Spine 1 configuration
1. Configure a VLAN interface on which the BGP session has to be formed with VLT peers.
Spine1(config)# interface vlan101
Spine1(conf-if-vl-101)# ip address 10.0.1.1/29
Spine1(conf-if-vl-101)# mtu 9216
Spine1(conf-if-vl-101)# exit
2. Configure port channel interfaces between Spine and VLT peers. Add it as part of the created VLAN.
3. Configure eBGP neighbor with VLT peer1 and VLT peer2.
Spine1(config)# router bgp 65101
Spine1(config-router-bgp-65101)# router-id 10.1.1.1
Spine1(config-router-bgp-65101)# neighbor 10.0.1.2
Spine1(config-router-neighbor)# remote-as 65201
Spine1(config-router-neighbor)# no shutdown
Spine1(config-router-neighbor)# exit
Spine1(config-router-bgp-65101)# neighbor 10.0.1.
Leaf1(config)# interface ethernet1/1/6
Leaf1(conf-if-eth1/1/6)# channel-group 3 mode active
Leaf1(conf-if-eth1/1/6)# exit
5. Configure the eBGP neighbor with Spine 1 and iBGP neighbor with ToR 1 and ToR 2.
Leaf1(config)# router bgp 65201
Leaf1(config-router-bgp-65201)# router-id 10.2.1.1
Leaf1(config-router-bgp-65201)# neighbor 10.0.1.1
Leaf1(config-router-neighbor)# remote-as 65101
Leaf1(config-router-neighbor)# no shutdown
Leaf1(config-router-neighbor)# exit
Leaf1(config-router-bgp-65201)# neighbor 10.0.
4. Configure VLT port-channels with ToR 1 and ToR 2.
3. Configure the host facing VLAN and add host connected interfaces to it.
ToR1(config)# interface vlan2001
ToR1(conf-if-vl-2001)# ip address 172.16.1.1/24
ToR1(conf-if-vl-2001)# mtu 9216
ToR1(conf-if-vl-2001)# exit
ToR1(config)# interface ethernet1/1/3
ToR1(conf-if-eth1/1/3)# mtu 9216
ToR1(conf-if-eth1/1/3)# switchport mode trunk
ToR1(conf-if-eth1/1/3)# switchport trunk allowed vlan 2001
ToR1(conf-if-eth1/1/3)# exit
4. Configure the iBGP neighbor with VLT peers and advertise the host subnet.
ToR2(config-router-neighbor)# no shutdown
ToR2(config-router-neighbor)# exit
ToR2(config-router-bgp-65201)# neighbor 10.0.2.2
ToR2(config-router-neighbor)# remote-as 65201
ToR2(config-router-neighbor)# no shutdown
ToR2(config-router-neighbor)# exit
Example - Three-tier CLOS topology with eBGP
This section provides a sample three-tier topology with external BGP.
Spine 1 configuration
1. Configure an IP address on leaf-facing interfaces.
Spine1(config)# interface ethernet1/1/4
Spine1(conf-if-eth1/1/4)# description Spine1-Leaf4
Spine1(conf-if-eth1/1/4)# no switchport
Spine1(conf-if-eth1/1/4)# mtu 9216
Spine1(conf-if-eth1/1/4)# ip address 10.1.2.2/31
Spine1(conf-if-eth1/1/4)# exit
2. Configure BGP neighbors. This example uses passive peering which simplifies neighbor configuration.
Spine1(config)# router bgp 65101
Spine1(config-router-bgp-65101)# router-id 10.0.0.
Leaf1(conf-if-eth1/1/2)# description Leaf1-Spine2
Leaf1(conf-if-eth1/1/2)# no switchport
Leaf1(conf-if-eth1/1/2)# mtu 9216
Leaf1(conf-if-eth1/1/2)# ip address 10.2.1.1/31
Leaf1(conf-if-eth1/1/2)# exit
2. Configure an IP address on ToR facing interfaces.
Leaf1(config)# interface ethernet1/1/3
Leaf1(conf-if-eth1/1/1)# description Leaf1-ToR1
Leaf1(conf-if-eth1/1/1)# no switchport
Leaf1(conf-if-eth1/1/1)# mtu 9216
Leaf1(conf-if-eth1/1/1)# ip address 10.3.1.0/31
Leaf1(conf-if-eth1/1/1)# exit
3.
Leaf2(config-router-neighbor)# no shutdown
Leaf2(config-router-neighbor)# exit
Leaf 3 configuration
1. Configure an IP address on spine-facing interfaces.
3. Configure BGP neighbors.
Leaf4(config)# router bgp 65202
Leaf4(config-router-bgp-65202)# router-id 10.0.1.4
Leaf4(config-router-bgp-65202)# neighbor 10.1.2.2
Leaf4(config-router-neighbor)# remote-as 65101
Leaf4(config-router-neighbor)# no shutdown
Leaf4(config-router-neighbor)# exit
Leaf4(config-router-bgp-65202)# neighbor 10.2.2.2
Leaf4(config-router-neighbor)# remote-as 65101
Leaf4(config-router-neighbor)# no shutdown
Leaf4(config-router-neighbor)# exit
Leaf4(config-router-bgp-65202)# neighbor 10.6.1.
ToR2(conf-if-eth1/1/1)# exit
ToR2(config)# interface ethernet1/1/2
ToR2(conf-if-eth1/1/2)# description ToR2-Leaf4
ToR2(conf-if-eth1/1/2)# no switchport
ToR2(conf-if-eth1/1/2)# mtu 9216
ToR2(conf-if-eth1/1/2)# ip address 10.6.1.1/31
ToR2(conf-if-eth1/1/2)# exit
2. Configure a VLAN interface and a VLAN member for end devices.
ToR2(config)# interface vlan 2001
ToR2(conf-if-vl-2001)# ip address 172.16.2.
Example
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# activate
Supported Releases 10.2.0E or later
add-path
Allows the system to advertise multiple paths for the same destination without replacing previous paths with new ones.
Syntax add-path {both path count | receive | send path count}
Parameters
● both path count — Enter the number of paths to advertise to the peer, from 2 to 64.
● receive — Receive multiple paths from the peer.
advertisement-interval
Sets the minimum time interval for advertisement between the BGP neighbors or within a BGP peer group.
Syntax advertisement-interval seconds
Parameters seconds—Enter the time interval value in seconds between BGP advertisements, from 1 to 600.
Default EBGP 30 seconds, IBGP 5 seconds
Command Mode ROUTER-NEIGHBOR
Usage Information The time interval applies to all peer group members of the template in ROUTER-TEMPLATE mode.
not add the as-set parameter to the aggregate because the aggregate flaps to track changes in the AS_PATH. The no version of this command disables the aggregate-address configuration.
Example
OS10(conf-router-bgpv4-af)# aggregate-address 6.1.0.0/16 summary-only
Supported Releases 10.3.0E or later
allowas-in
Configures the number of times the local AS number can appear in the BGP AS_PATH path attribute before the switch rejects the route.
Supported Releases 10.2.0E or later
as-notation
Changes the AS number notation format and requires four-octet-assupport.
Syntax as-format {asdot | asdot+ | asplain}
Parameters
● asdot — Specify the AS number notation in asdot format.
● asdot+ — Specify the AS number notation in asdot+ format.
● asplain — Specify the AS number notation in asplain format.
bestpath med
Changes the best path MED attributes during MED comparison for path selection.
Syntax bestpath med {confed | missing-as-worst}
Parameters
● confed — Compare MED among BGP confederation paths.
● missing-as-worst — Treat missing MED as the least preferred path.
Default Disabled
Command Mode ROUTER-BGP
Usage Information Before you apply this command, use the always-compare-med command. The no version of this command resets the MED comparison influence.
Parameters
● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to clear IPv4 or IPv6 BGP neighbor sessions corresponding to that VRF.
● IPv4-address — Enter an IPv4 address to clear a BGP neighbor configuration.
● IPv6-address — Enter an IPv6 address to clear a BGP neighbor configuration.
● * — Clears all BGP sessions.
● interface interface-type — Clears BGP information that is learned through an unnumbered neighbor.
● ipv4-prefix — (Optional) Enter an IPv4 prefix of the dampened path.
● ipv6-prefix — (Optional) Enter an IPv6 prefix of the dampened path.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# clear ip bgp dampening 1.1.15.5
Supported Releases 10.3.0E or later
clear ip bgp flap-statistics
Clears all or specific IPv4 or IPv6 flap counts of prefixes.
Example
OS10(config-router-neighbor)# connection-retry-timer 1000
OS10(config-router-template)# connection-retry-timer 100
Supported Releases 10.3.0E or later
confederation
Configures an identifier for a BGP confederation.
Syntax confederation {identifier as-num | peers as-number}
Parameters
● identifier as-num — Enter an AS number, from 0 to 65535 for 2 bytes, 1 to 4294967295 for 4 bytes, or 0.1 to 65535.65535 for dotted format.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-2)# client-to-client reflection
Supported Releases 10.2.0E or later
cluster-id
Assigns a cluster ID to a BGP cluster with multiple route reflectors.
Syntax cluster-id {number | ip-address}
Parameters
● number—Enter a route reflector cluster ID as a 32-bit number, from 1 to 4294967295.
● ip-address—Enter an IP address as the route-reflector cluster ID.
Usage Information To reduce the instability of the BGP process, set up route flap dampening parameters. After setting up the dampening parameters, clear information about route dampening and return the suppressed routes to the Active state. You can also view statistics on route flapping or change the path selection from Default Deterministic mode to Non-Deterministic mode. The no version of this command resets the value to the default.
Example
Supported Releases
default-metric
Assigns a default-metric of redistributed routes to locally originated routes.
Syntax default-metric number
Parameters number — Enter a number as the metric to assign to routes from other protocols, from 1 to 4294967295.
Default Disabled
Command Mode ROUTER-BGP
Usage Information Assigns a metric for locally-originated routes such as redistributed routes. After you redistribute routes in BGP, use this command to reset the metric value — the new metric does not immediately take effect.
● local-distance—Enter a number to assign to routes learned from networks listed in the network command, from 1 to 255.
Defaults
● external-distance—20
● internal-distance—200
● local-distance—200
Command Modes
● CONFIG-ROUTER-BGP-ADDRESS-FAMILY
● CONFIG-ROUTER-BGP-VRF-ADDRESS-FAMILY
Usage Information This command is used to configure administrative distance for eBGP route, iBGP route, and local BGP route.
Example
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# distribute-list inbgg in
OS10(conf-router-template)# address-family ipv4 unicast
OS10(conf-router-bgp-template-af)# distribute-list outbgg out
Supported Releases 10.4.1.0 or later
bgp default local-preference
Changes the default local preference value for routes exchanged between internal BGP peers.
Usage Information To verify statistics of routes rejected, use the show ip bgp neighbors command. If routes are rejected, the session is reset. In the event of a failure, the existing BGP sessions flap. For updates received from EBGP peers, BGP ensures that the first AS of the first AS segment is always the AS of the peer, otherwise the update drops and the counter increments. The no version of this command turns off the default.
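The two inbound AS_PATH checks described on this page, the allowas-in limit on the local AS number and the first-AS check on updates from EBGP peers, can be modelled as follows. This is an added example, not OS10 code: the function names and the sample updates are hypothetical, and AS numbers are accepted in plain or dotted notation using the ranges given in this guide.

```python
from collections import Counter


def parse_asn(token):
    """Convert a plain ("65546") or dotted ("1.10") AS number to an integer."""
    if "." in token:
        high, low = (int(part) for part in token.split("."))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"dotted AS number out of range: {token}")
        value = high * 65536 + low
    else:
        value = int(token)
    if not 1 <= value <= 4294967295:
        raise ValueError(f"AS number out of range: {token}")
    return value


def check_as_path(path, local_as, peer_as, allowas_in=0):
    """Return "accepted" or the reason an inbound update is dropped."""
    asns = [parse_asn(tok) for tok in path.split()]
    # First-AS check: only for EBGP peers, the leftmost AS must be the peer's AS.
    if peer_as != local_as and (not asns or asns[0] != peer_as):
        return "first AS is not the peer AS"
    # Loop check: the local AS may appear at most allowas_in times.
    if asns.count(local_as) > allowas_in:
        return "own AS in AS-PATH"
    return "accepted"


def tally(updates, local_as, peer_as, allowas_in=0):
    """Count outcomes for a batch of AS paths received from one peer."""
    return Counter(check_as_path(p, local_as, peer_as, allowas_in) for p in updates)


# Constructed AS paths, as received by local AS 300 from EBGP peer AS 100.
UPDATES = [
    "100 200 400",       # clean path
    "100 200 300 400",   # local AS appears once
    "100 300 200 300",   # local AS appears twice
    "200 100 400",       # leftmost AS is not the peer
    "100 1.10",          # dotted 4-byte AS number (65546)
]

if __name__ == "__main__":
    for limit in (0, 1):
        print(f"allowas-in {limit}:", dict(tally(UPDATES, 300, 100, limit)))
```

With the limit at 0, any occurrence of the local AS is treated as a loop; raising it to 1 admits the path that carries AS 300 once while still rejecting the one that carries it twice.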
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# fast-external-fallover
Supported Releases 10.3.0E or later
graceful-restart
Enables graceful or hitless restart and configures the required parameters for the restart process.
OS10(config-router-bgp-100)# neighbor interface ethernet 1/1/1
OS10(config-router-neighbor)# inherit template Group inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
Supported Releases 10.2.0E or later
listen
Enables peer listening and sets the prefix range for dynamic peers.
Syntax listen ip-address [limit count]
Parameters
● ip-address—Enter the BGP neighbor IP address.
● limit count—(Optional) Enter a maximum dynamic peer count, from 1 to 4294967295.
Supported Releases 10.3.0E or later
log-neighbor-changes
Enables logging for changes in neighbor status.
Syntax log-neighbor-changes
Parameters None
Default Enabled
Command Mode ROUTER-BGP
Usage Information OS10 saves logs, which include the neighbor operational status and reset reasons. To view the logs, use the show bgp config command. The no version of this command disables the feature.
maximum-prefix
Configures the maximum number of prefixes allowed from a peer.
Syntax maximum-prefix {number [threshold] [warning]}
Parameters
● number—Enter a maximum prefix number, from 1 to 4294967295.
● threshold—(Optional) Enter a threshold percentage, from 1 to 100.
● warning-only — (Optional) Enter to set the router to send a warning log message when the maximum limit is exceeded. If you do not set this parameter, the router stops peering when the maximum prefixes limit is exceeded.
OS10(conf-if-vl-100)# ipv6 nd send-ra
OS10(conf-if-vl-100)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# switchport mode trunk
OS10(conf-if-eth1/1/1)# switchport trunk allowed vlan 100
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor interface vlan 100
OS10(config-router-neighbor)# no shutdown
Supported Releases 10.3.0E or later
network
Configures a network as local to this AS and adds it to the BGP routing table.
Default Disabled
Command Mode ROUTER-BGP
Usage Information Paths compare in the order they arrive. OS10 uses this method to choose different best paths from a set of paths, depending on the order they are received from the neighbors. MED may or may not be compared between adjacent paths. When you change the path selection from deterministic to nondeterministic, the path selection for the existing paths remains deterministic until you use the clear ip bgp command to clear the existing paths.
ROUTER-TEMPLATE
Usage Information You can enter the password either as plain text or in encrypted format. The password that is provided in ROUTER-NEIGHBOR mode takes preference over the password in ROUTER-TEMPLATE mode. The no version of this command disables authentication.
Example
OS10(conf-router-neighbor)# password abcdell
OS10(conf-router-neighbor)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d
Supported Releases 10.3.
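The precedence rule above (a password set in ROUTER-NEIGHBOR mode overrides the one inherited from a template) makes it easy to miss a neighbor that ends up with no authentication, or with a password typed in plain text. The following added example, which is not part of the original guide, audits a BGP configuration for both cases. The sample configuration is constructed, the encrypted string in it is a placeholder, and the script assumes one command per line and treats any password not written as `password 9 <string>` as plain text.

```python
import re

# Constructed configuration; the type-9 string is a made-up placeholder.
SAMPLE_CONFIG = """\
router bgp 65101
 template leaf_peers
  password 9 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
  remote-as 65201
 !
 template open_peers
  remote-as 65202
 !
 neighbor 10.0.1.2
  inherit template leaf_peers inherit-type ebgp
  no shutdown
 !
 neighbor 10.0.1.3
  inherit template leaf_peers inherit-type ebgp
  password labsecret
  no shutdown
 !
 neighbor 10.0.2.2
  remote-as 65202
  no shutdown
 !
 neighbor interface ethernet1/1/1
  inherit template open_peers inherit-type ebgp
  no shutdown
"""

HEADER = re.compile(r"^(template|neighbor)\s+(.+)$")
PASSWORD = re.compile(r"^password\s+(?:(9)\s+)?(\S+)$")
INHERIT = re.compile(r"^inherit\s+template\s+(\S+)")


def parse_bgp(config):
    """Collect the password and inherited template of each template/neighbor block."""
    templates, neighbors = {}, {}
    block = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("router bgp"):
            block = None
            continue
        m = HEADER.match(line)
        if m:
            kind, name = m.groups()
            block = {"password": None, "template": None}
            (templates if kind == "template" else neighbors)[name] = block
            continue
        if block is None:
            continue
        if m := PASSWORD.match(line):
            block["password"] = ("encrypted" if m.group(1) else "plaintext", m.group(2))
        elif m := INHERIT.match(line):
            block["template"] = m.group(1)
    return templates, neighbors


def audit(config):
    """Return (neighbor, finding) pairs for weak or missing BGP authentication."""
    templates, neighbors = parse_bgp(config)
    findings = []
    for name, nbr in neighbors.items():
        tmpl = templates.get(nbr["template"]) if nbr["template"] else None
        if nbr["template"] and tmpl is None:
            findings.append((name, "unknown-template"))
        # The neighbor-level password takes preference over the template's.
        effective = nbr["password"] or (tmpl["password"] if tmpl else None)
        source = "neighbor" if nbr["password"] else "template"
        if effective is None:
            findings.append((name, "no-password"))
        elif effective[0] == "plaintext":
            findings.append((name, f"plaintext-password ({source})"))
    return findings


if __name__ == "__main__":
    for neighbor, finding in audit(SAMPLE_CONFIG):
        print(f"{neighbor}: {finding}")
```

Neighbor 10.0.1.3 is flagged even though its template carries an encrypted password, because its own plain-text entry is the one that takes effect.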
remote-as
Adds a remote AS to the specified BGP neighbor or peer group.
Syntax remote-as as-number
Parameters as-number — Specify AS number ranging from 1 to 65535 for 2 byte or 1 to 4294967295 for 4 byte.
Defaults None
Command Modes CONFIG-ROUTER-NEIGHBOR CONFIG-ROUTER-TEMPLATE
Usage Information The no version of this command deletes the remote AS.
Example
OS10(config)# router bgp 300
OS10(config-router-bgp-300)# template ebgppg
OS10(config-router-template)# remote-as 100
Supported Releases 10.4.
Example
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# route-map bgproutemap in
OS10(conf-router-template)# address-family ipv4 unicast
OS10(conf-router-bgp-template-af)# route-map bgproutemap in
Supported Releases 10.4.1.0 or later
route-reflector-client
Configures a neighbor as a member of a route-reflector cluster.
Command Mode ROUTER-BGP
Usage Information Change the router ID of a BGP router to reset peer-sessions. The no version of this command resets the value to the default. By default, OS10 sets a loopback IP address as the router ID. If there is no loopback address, the software chooses the highest IP address that is configured to a physical interface.
NOTE: To configure these settings for a nondefault VRF instance, you must first enter the ROUTERCONFIG-VRF sub mode using the following commands:
1.
Example (IPv6)
OS10(conf-router-bgp-102)# neighbor 32::1
OS10(conf-router-neighbor)# address-family ipv6 unicast
OS10(conf-router-bgp-neighbor-af)# no sender-side-loop-detection
Supported Releases 10.3.0E or later
show ip bgp
Displays information that BGP neighbors exchange.
Syntax show ip bgp [vrf vrf-name] ip-address/mask
Parameters
● vrf vrf-name — (OPTIONAL) Enter vrf and then the name of the VRF to view route information corresponding to that VRF.
*>r 31.1.1.0/24 0.0.0.0 0 100 32768 ?
*> 41.1.1.0/24 ethernet 1/1/1 0 100 32768 ?
When you filter routes by IP addresses, if the system does not find a match, it displays the following error message:
OS10# show ip bgp 40.40.40.0/24
%Error: Prefix does not exist.
Supported Releases 10.3.0E or later
show ip bgp dampened-paths
Displays BGP routes that are dampened or nonactive.
● Network — Displays the network ID where the route is flapping.
● From — Displays the IP address of the neighbor advertising the flapping route.
● Duration — Displays the HH:MM:SS after the route first flapped.
● Flaps — Displays the number of times the route flapped.
● Reuse — Displays the HH:MM:SS until the flapped route is available.
● Path — Lists all AS the flapping route passed through to reach the destination network.
Example
Supported Releases
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 41.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 0 0 10
OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 routes
BGP local router ID is 40.1.1.2
Status codes: s suppressed, S stale, d dampened, h history, * valid, > best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 31.1.1.
show ip bgp ipv6 unicast
Displays route information for BGP IPv6 routes.
Syntax show ip bgp [vrf vrf-name] ipv6 unicast [summary | neighbors [ip-address | interface interface-type] [advertised-routes | dampened-paths | flap-statistics | denied-routes | routes]]]
Parameters
● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to view IPv6 unicast information corresponding to that VRF.
● neighbors — Displays IPv6 neighbor information.
● ip-address — Displays information about a specific neighbor.
*> 1001::/64 fe80::3617:ebff:fef1:dc5e 0 0 0 10
OS10# show ip bgp ipv6 unicast neighbors interface ethernet 1/1/1 denied-routes
BGP local router ID is 40.1.1.2
Status codes: D denied
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
D 1002::/64 fe80::3617:ebff:fef1:dc5e 0 0 0 10
Summary information for unnumbered neighbors:
OS10# show ip bgp ipv6 unicast summary
BGP router identifier 89.101.17.
Usage Information
● BGP neighbor — Displays the BGP neighbor address and its AS number. The last phrase in the line indicates whether the link between the BGP router and its neighbor is an external or internal one. If they are located in the same AS, the link is internal; otherwise the link is external.
● BGP version — Displays the BGP version, always version 4, and the remote router ID.
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
Local host: 2.2.2.1, Local port: 179
Foreign host: 2.2.2.2, Foreign port: 36656
OS10# show ip bgp neighbors interface ethernet 1/1/1
BGP neighbor is fe80::250:56ff:fe80:7f39 via ethernet1/1/1, remote AS 100, local AS 200 external link
BGP version 4, remote router ID 2.2.2.
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
Local host: fe80::250:56ff:fe80:8d56, Local port: 39054
Foreign host: fe80::250:56ff:fe80:7f39, Foreign port: 179
Example advertised-routes
OS10# show ip bgp ipv6 unicast neighbors 192:168:1::2 advertised-routes
BGP local router ID is 100.1.1.
Total number of prefixes: 3
OS10#
Example routes
OS10# show ip bgp ipv6 unicast neighbors 172:16:1::2 routes
BGP local router ID is 100.1.1.
Example unnumbered neighbors
unnumbered neighbors
Status codes: s suppressed, S stale, d dampened, h history, * valid, > best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 41.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 0 0 10
Example received-routes from unnumbered neighbors
OS10# show ip bgp neighbors interface ethernet 1/1/1 received-routes
BGP local router ID is 40.1.1.
Example routes from unnumbered neighbors
Example denied-routes from unnumbered neighbors
Example Global AS
● Administratively shut — Displays the status of the peer group if you do not enable the peer group. If you enable the peer group, this line does not display.
● BGP version — Displays the BGP version supported.
● Description — Displays the descriptive name that is configured for the BGP peer template. This field is displayed only when the description is configured.
● For address family — Displays IPv4 unicast as the address family.
● BGP neighbor — Displays the name of the BGP neighbor.
Command Mode EXEC
Usage Information
● Neighbor—Displays the BGP neighbor address.
● AS—Displays the AS number of the neighbor.
● MsgRcvd—Displays the number of BGP messages that the neighbor received.
● MsgSent—Displays the number of BGP messages that the neighbor sent.
● Up/Down—Displays the amount of time that the neighbor is in the Established stage. If the neighbor has never moved into the Established stage, the word never displays.
----------------------------------------------------------------------------------
C 10.1.1.0/24 via 10.1.1.1 ethernet1/1/17 0/0 01:18:34
B IN 100.1.1.0/24 via 10.1.1.2 200/0 00:03:46
B IN 101.1.1.0/24 via 10.1.1.2 200/0 00:03:46
B IN 102.1.1.0/24 via 10.1.1.2 200/0 00:03:46
B IN 103.1.1.0/24 via 10.1.1.2 200/0 00:03:46
B IN 104.1.1.0/24 via 10.1.1.
Default Not configured
Command Modes ROUTER-BGP-NEIGHBOR-AF
Usage Information This command is not supported on a peer-group level. To enable soft-reconfiguration for peers in a peer-group, you must enable this command at a per-peer level. With soft-reconfiguration inbound, all updates that are received from this neighbor are stored unmodified, regardless of the inbound policy.
Example (IPv4)
Example (IPv6)
Supported Releases
Example
OS10(conf-router-bgp)# timers 30 90
Supported Releases 10.3.0E or later
update-source
Enables using Loopback interfaces for TCP connections to stabilize BGP sessions.
Syntax update-source loopback interface-id
Parameters loopback interface-id — Specify a Loopback interface ID, from 0 to 16383.
Usage Information The path with the highest weight value is preferred in the best-path selection process. The no version of this command resets the value to the default.
Example
OS10(conf-router-bgp-neighbor)# weight 4096
Supported Releases 10.3.0E or later
Equal cost multi-path
ECMP is a routing technique where next-hop packet forwarding to a single destination occurs over multiple best paths. When you enable ECMP, OS10 uses a hash algorithm to determine the next-hop.
IPV4 Load Balancing : Enabled
IPV6 Load Balancing : Enabled
MAC Load Balancing : Enabled
TCP-UDP Load Balancing : Enabled
Ingress Port Load Balancing : Enabled
IPV4 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port
IPV6 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port
MAC FIELDS : source-mac destination-mac ethertype vlan-id
TCP-UDP FIELDS: l4-destination-port l4-source-port
Configuration notes
Dell EMC PowerSwitch S4200–ON Series: Thelo
Examples
Normal traffic flow without resilient hashing
Traffic flow with resilient hashing enabled
When you enable resilient hashing for ECMP groups, the flow-map table is created with 64 paths (the OS10 default maximum number of ECMP paths) and traffic is equally distributed. In the following example, traffic 1 maps to next hop 'A'; traffic 2 maps to next hop 'C'; and traffic 3 maps to next hop 'B.
Member link is added
However, when a new member link is added, resilient hashing completes minimal remapping for better load balancing, as shown:
Important notes
● Resilient hashing on port channels applies only for unicast traffic.
● For resilient hashing on ECMP groups, the ECMP path must be in multiples of 64. Before you enable resilient hashing, ensure that the maximum ECMP path is set to a multiple of 64. You can configure this value using the ip ecmp-group maximum-paths command.
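The following Python model is an added illustration, not Dell code, of why a fixed 64-entry flow-map limits remapping when an ECMP member fails or is added. The CRC32 hash, the slot reassignment policy, the flow tuples and all names are assumptions made for the example; the switch's actual algorithm is not described in this guide.

```python
import zlib

TABLE_SIZE = 64  # flow-map size: the OS10 default maximum ECMP paths

# Constructed sample flows: (src-ip, dst-ip, protocol, l4-src-port, l4-dst-port).
FLOWS = [("10.0.%d.%d" % (i // 250, i % 250 + 1), "192.0.2.10", 6, 1024 + i, 443)
         for i in range(1000)]


def flow_hash(flow):
    """Deterministic hash over the flow fields (CRC32 is an assumption)."""
    return zlib.crc32("|".join(map(str, flow)).encode())


def modulo_pick(flow, hops):
    """Hashing without resilience: index the live member list directly."""
    return hops[flow_hash(flow) % len(hops)]


class FlowMap:
    """Fixed-size flow-map: a flow hashes to a slot, a slot names a next hop."""

    def __init__(self, hops):
        self.slots = [hops[i % len(hops)] for i in range(TABLE_SIZE)]

    def pick(self, flow):
        return self.slots[flow_hash(flow) % TABLE_SIZE]

    def remove(self, dead):
        """Repoint only the failed member's slots, spread over the survivors."""
        live = sorted(set(self.slots) - {dead})
        if not live:
            raise ValueError("no surviving member")
        turn = 0
        for i, hop in enumerate(self.slots):
            if hop == dead:
                self.slots[i] = live[turn % len(live)]
                turn += 1

    def add(self, new):
        """Hand the new member an equal share, one slot at a time from the
        currently fullest member, so every other slot keeps its next hop."""
        share = TABLE_SIZE // (len(set(self.slots)) + 1)
        for _ in range(share):
            counts = {h: self.slots.count(h) for h in set(self.slots) - {new}}
            donor = max(sorted(counts), key=counts.get)
            self.slots[self.slots.index(donor)] = new


def moved(before, after):
    """Count flows whose next hop changed between two mappings."""
    return sum(1 for f in before if before[f] != after[f])


def compare_member_down(hops, dead, flows=FLOWS):
    """Remove one member and count remapped flows under both schemes."""
    survivors = [h for h in hops if h != dead]
    fmap = FlowMap(hops)
    mod_before = {f: modulo_pick(f, hops) for f in flows}
    res_before = {f: fmap.pick(f) for f in flows}
    fmap.remove(dead)
    mod_after = {f: modulo_pick(f, survivors) for f in flows}
    res_after = {f: fmap.pick(f) for f in flows}
    return {
        "flows_on_failed_member": sum(1 for h in res_before.values() if h == dead),
        "moved_plain": moved(mod_before, mod_after),
        "moved_resilient": moved(res_before, res_after),
    }


if __name__ == "__main__":
    print(compare_member_down(["A", "B", "C", "D"], "D"))
```

In this model only the flows that were on the failed member change next hop, which matters for stateful devices behind the ECMP group because surviving sessions stay on the path that holds their state.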
Maximum ECMP groups and paths
The maximum number of ECMP groups supported on the switch depends on the maximum ECMP paths configured on the switch. To view the maximum number of ECMP groups and paths, use the show ip ecmp-group details command.
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
The default value for the maximum number of ECMP paths per group is 64.
● lag—Enables the LAG hash configuration for Layer 2 (L2) only.
● seed—Changes the hash algorithm seed value to get a better hash value.
● seed-value—Enter a hash algorithm seed value, from 0 to 4294967295.
● crc—Enables the cyclic redundancy check (CRC) polynomial for hash computation.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command disables the configuration.
Example OS10(config)# link-bundle-utilization trigger-threshold 80
Supported Releases 10.2.0E or later
load-balancing
Distributes or load balances incoming traffic using the default parameters in the hash algorithm.
Example (IP Selection) OS10(config)# load-balancing ip-selection destination-ip source-ip
Supported Releases 10.2.0E or later
show enhanced-hashing resilient-hashing
Displays the status of the enhanced-hashing command.
Syntax show enhanced-hashing resilient-hashing {lag | ecmp}
Parameters lag | ecmp—Enter the keyword to view enhanced-hashing for a port channel or ECMP group.
Command Mode EXEC
Usage Information None
Example
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
Supported Releases 10.4.3.0 or later
show load-balance
Displays the global traffic load-balance configuration.
1. Enter the interface type information to assign an IP address in CONFIGURATION mode.
interface interface
● ethernet—Physical interface
● port-channel—Port-channel ID number
● vlan—VLAN ID number
● loopback—Loopback interface ID
● mgmt—Management interface
2. Enable the interface in INTERFACE mode.
no shutdown
3. Remove the interface from the default VLAN in INTERFACE mode.
no switchport
4. Configure a primary IP address and mask on the interface in INTERFACE mode.
Configure static routing
You can configure a manual or static route for open shortest path first (OSPF).
● Configure a static route in CONFIGURATION mode.
ip route ip-prefix/mask {next-hop | interface interface [route-preference]}
○ ip-prefix—IPv4 address in dotted decimal in A.B.C.D format.
○ mask—Mask in slash prefix-length format (/X).
○ next-hop—Next-hop IP address in dotted decimal in A.B.C.D format.
These entries do not age, and you can only remove them manually. To remove a static ARP entry, use the no arp ipaddress command.
Configure static ARP entries
OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32
View ARP entries
OS10# show ip arp interface ethernet 1/1/6
Address Hardware address Interface Egress Interface
--------------------------------------------------------------
10.1.1.
● A.B.C.D/mask —Specify the IP route to remove from the IP routing table. This option refreshes all the routes in the routing table. Traffic flow is affected only for the specified route in the switch.
Default Not configured
Command Mode EXEC
Usage Information This command does not remove the static routes from the routing table.
Example OS10# clear ipv6 route 10.1.1.0/24
Supported Releases 10.3.0E or later
ip address
Configure the IP address to an interface.
Default Not configured
Command Mode INTERFACE
Usage Information Do not use Class D (multicast) or Class E (reserved) IP addresses. Zero MAC addresses (00:00:00:00:00:00) are invalid. The no version of this command disables the IP ARP configuration.
Example OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32
Supported Releases 10.2.0E or later
ip arp gratuitous
Enables an interface to receive or send gratuitous ARP requests and updates.
Parameters
● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure a static route corresponding to that VRF. Use this VRF option after the ip route keyword to configure a static route on that specific VRF.
● dest-ip-prefix — Enter the destination IP prefix in dotted decimal A.B.C.D format.
● mask — Enter the mask in slash prefix-length /x format.
● next-hop — Enter the next-hop IP address in dotted decimal A.B.C.D format.
Example (Static) OS10# show ip arp summary Total Entries Static Entries Dynamic Entries ------------------------------------------------------3994 0 3994 OS10# show ip arp 192.168.2.2 Address Hardware address Interface Egress Interface -------------------------------------------------------------------192.168.2.
-----------------------------------------------------------------C 10.1.1.0/24 via 10.1.1.1 vlan100 0/0 01:16:56 B EX 10.1.2.0/24 via 10.1.2.1 vlan101 20/0 01:16:56 O 10.1.3.0/24 via 10.1.3.1 vlan102 110/2 01:16:56 B IN 10.1.4.0/24 via 10.1.4.
● IPv6 forwarding is enabled on physical Ethernet interfaces, VLANs, and port groups. IPv6 forwarding is disabled only when you enable IPv6 address autoconfiguration on an interface and set it in host mode using the ipv6 address autoconfig command.
● IPv6 forwarding is permanently disabled on the management Ethernet interface so that it remains in Host mode and does not operate as a router regardless of the ipv6 address autoconfig setting.
● 2001:0db8:0:0::1428:57ab
● 2001:0db8::1428:57ab
● 2001:db8::1428:57ab
Write IPv6 networks using CIDR notation. An IPv6 network or subnet is a contiguous group of IPv6 addresses whose size must be a power of two. The initial bits of addresses, which are identical for all hosts in the network, are the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix in decimal, separated with a slash.
Configure link-local address
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address FE80::1/64 link-local
Stateless autoconfiguration
When an interface comes up, OS10 uses stateless autoconfiguration to generate a unique link-local IPv6 address with a FE80::/64 prefix and an interface ID generated from the MAC address. To use stateless autoconfiguration to assign a globally unique address using a prefix received in router advertisements, use the ipv6 address autoconfig command.
● ipv6 nd hop-limit hops — (Optional) Sets the hop limit advertised in RA messages and included in IPv6 data packets sent by the router, from 0 to 255; default 64. 0 indicates that no hop limit is specified by the router.
● ipv6 nd managed-config-flag — (Optional) Sent in RA messages to tell hosts to use stateful address autoconfiguration, such as DHCPv6, to obtain IPv6 addresses.
Duplicate address discovery
To determine if an IPv6 unicast address is unique before assigning it to an interface, an OS10 switch sends a neighbor solicitation message. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the address does not configure on the interface. DAD is enabled by default. By default, IPv6 is not disabled when a duplicate address is detected. Only the duplicate address is not applied. Other IPv6 addresses are still active on the interface.
IPv6 destination unreachable
By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, a packet drops and no error message is sent. You can enable the capability to send an IPv6 destination unreachable error message to the source without dropping the packet.
IPv6 commands
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache or neighbors of a specific interface. Static entries are not removed.
Syntax clear ipv6 neighbors [vrf vrf-name] [ipv6-address | interface | virtual-network vn-id | all]
Parameters
● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to clear the neighbor corresponding to that VRF. If you do not specify this option, the neighbors in the default VRF clear.
ipv6 address
Configures a global unicast IPv6 address on an interface.
Syntax ipv6 address ipv6-address/prefix-length
Parameters ipv6-address/prefix-length — Enter a full 128-bit IPv6 address with the network prefix length, including the 64-bit interface identifier.
Defaults None
Command Mode INTERFACE
Usage Information An interface can have multiple IPv6 addresses.
Command Mode INTERFACE
Usage Information The no version of this command disables DHCP operations on the interface.
NOTE: Dell EMC Networking does not recommend configuring both a static IPv6 address and DHCPv6 on the same interface.
Example
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# ipv6 address dhcp
Supported Releases 10.3.0E or later
ipv6 enable
Enables and disables IPv6 forwarding on an interface configured with an IPv6 address.
ipv6 address link-local
Configures a link-local IPv6 address on the interface to use instead of the link-local address that is automatically configured with stateless autoconfiguration.
Syntax ipv6 address ipv6-prefix link-local
Parameters ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format.
Defaults None
Command Mode INTERFACE
Usage Information
● An interface can have only one link-local address.
Usage Information Example: Disable DAD Example: Enable DAD on link-local address Supported Releases ● An OS10 switch sends a neighbor solicitation message to determine if an autoconfigured IPv6 unicast link-local address is unique before assigning it to an interface. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the link-local address does not configure. Other IPv6 addresses are still active on the interface.
ipv6 nd max-ra-interval
Sets the maximum time interval between sending RA messages.
Syntax ipv6 nd max-ra-interval seconds
Parameters
● max-ra-interval seconds—Enter a time interval in seconds, from 4 to 1800.
Defaults 600 seconds
Command Mode INTERFACE
Usage Information The no version of this command restores the default time interval that is used to send RA messages.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd max-ra-interval 300
Supported Releases 10.4.
ipv6 nd prefix
Configures the IPv6 prefixes that are included in messages to neighboring IPv6 routers.
Syntax ipv6 nd prefix {ipv6-prefix | default} [no-advertise] [no autoconfig] [no-rtr-address] [off-link] [lifetime {valid-lifetime seconds | infinite} {preferred-lifetime seconds | infinite}]
Parameters
● ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format to include the prefix in RA messages. Include prefixes that are not already in the subnets on the interface.
ipv6 nd ra-lifetime
Sets the lifetime of the default router in RA messages.
Syntax ipv6 nd ra-lifetime seconds
Parameters
● ra-lifetime seconds — Enter a lifetime value in milliseconds, from 0 to 9000 milliseconds.
Defaults Three times the max-ra-interval value
Command Mode INTERFACE
Usage Information The no version of this command restores the default lifetime value. 0 indicates that this router is not used as the default router.
ipv6 nd send-ra
Enables sending ICMPv6 RA messages.
Syntax ipv6 nd send-ra
Parameters None
Defaults RA messages are disabled.
Command Mode INTERFACE
Usage Information
● Using ICMPv6 RA messages, the Neighbor Discovery Protocol (NDP) advertises the IPv6 addresses of IPv6-enabled interfaces and learns of any address changes in IPv6 neighbors.
ipv6 unreachables
Enables generating error messages on an interface for IPv6 packets with unreachable destinations.
Syntax ipv6 unreachables
Parameters None
Defaults ICMPv6 unreachable messages are not sent.
Command Mode INTERFACE
Usage Information
● By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, the packet drops and no error message is sent.
show ipv6 route
Displays IPv6 routes.
Syntax show ipv6 route [vrf vrf-name] [all | bgp | connected | static | A::B/mask | summary]
Parameters
● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to display IPv6 routes corresponding to that VRF. If you do not specify this option, routes corresponding to the default VRF display.
● all—(Optional) Displays all routes including nonactive routes.
● bgp—(Optional) Displays BGP route information.
Supported Releases 10.2.0E or later
show ipv6 interface brief
Displays IPv6 interface information.
Syntax show ipv6 interface brief
Parameters brief — Displays a brief summary of IPv6 interface information.
Defaults None
Command Mode EXEC
Usage Information Use the do show ipv6 interface brief command to view IPv6 interface information in other modes.
Areas, networks, and neighbors
The backbone of the network is Area 0, also called Area 0.0.0.0, the core of any AS. All other areas must connect to Area 0. An OSPF backbone distributes routing information between areas. It consists of all area border routers and networks not wholly contained in any area and their attached routers. The backbone is the only area with a default area number. You configure the area ID for all other areas. If you configure two nonbackbone areas, you must enable the B bit in OSPF.
Backbone router
A backbone router (BR) is part of the OSPF Backbone, Area 0, and includes all ABRs. BRs also include routers that connect only to the backbone and another ABR but are part of Area 0 only, shown as Router I in the example.
Area border router
Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to. It may keep multiple copies of the link state database.
DRs and BDRs are configurable. If you do not define the DR or BDR, OS10 assigns them per the protocol. To determine which routers are the DR and BDR, OSPF looks at the priority of the routers on the segment. The default router priority is 1. The router with the highest priority is elected DR. If there is a tie, the router with the higher router ID takes precedence. After the DR is elected, the BDR is elected the same way. A router with a router priority set to zero cannot become a DR or BDR.
OSPF route limit
OS10 supports up to 16,000 OSPF routes. Within this range, the only restriction is on intra-area routes that scale only up to 1000 routes. Other OSPF routes can scale up to 16 K.
Shortest path first throttling
Use shortest path first (SPF) throttling to delay SPF calculations during periods of network instability. In an OSPF network, a topology change event triggers an SPF calculation that is performed after a start time.
View OSPFv2 SPF throttling
OS10(config-router-ospf-100)# do show ip ospf
Routing Process ospf 100 with ID 12.1.1.1
Supports only single TOS (TOS0) routes
It is Flooding according to RFC 2328
SPF schedule delay 1200 msecs, Hold time between two SPFs 2300 msecs
Convergence Level 0
Min LSA origination 0 msec, Min LSA arrival 1000 msec
Min LSA hold time 5000 msec, Max LSA wait time 5000 msec
Number of area in this router is 1, normal 1 stub 0 nssa 0
Area (0.0.0.
6. Enable OSPFv2 on an interface in INTERFACE mode.
ip ospf process-id area area-id
● process-id—Enter the OSPFv2 process ID for a specific OSPF process, from 1 to 65535.
● area-id—Enter the OSPFv2 area ID as an IP address (A.B.C.D) or number, from 1 to 65535.
Enable OSPFv2 configuration
OS10(config)# router ospf 100
OS10(conf-router-ospf-100)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 11.1.1.
Enable OSPFv2 configuration
OS10(config)# ip vrf vrf-blue
OS10(config-vrf-blue)# router ospf 100 vrf-blue
OS10(conf-router-ospf-100)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# ip vrf forwarding vrf-blue
OS10(conf-if-eth1/1/1)# ip address 11.1.1.1/24
OS10(conf-if-eth1/1/1)# ip ospf 100 area 0.0.0.
2. Configure an area as a stub area in ROUTER-OSPF mode.
area area-id stub [no-summary]
● area-id—Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-summary—(Optional) Enter to prevent an ABR from sending summary LSA to the stub area.
Configure stub area
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# area 10.10.5.1 stub
View stub area configuration
OS10# show ip ospf
Routing Process ospf 10 with ID 130.6.196.
You can disable a passive interface using the no ip ospf passive command.
Fast convergence
Fast convergence sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. A higher convergence level can result in occasional loss of OSPF adjacency. Convergence level 1 meets most convergence requirements. The higher the number, the faster the convergence, and the more frequent the route calculations and updates.
2. Change the cost associated with OSPF traffic on the interface in INTERFACE mode, from 1 to 65535. The default depends on the interface speed.
ip ospf cost
3. Change the time interval, from 1 to 65535, that the router waits before declaring a neighbor dead in INTERFACE mode. The default time interval is 40. The dead interval must be four times the hello interval and must be the same on all routers in the OSPF network.
ip ospf dead-interval seconds
4.
○ route-map map-name—Enter the name of a configured route map.
When you enable graceful restart, the restarting device retains the routes learned by OSPF in the forwarding table. To re-establish OSPF adjacencies with neighbors, the restart OSPF process sends a grace LSA to all neighbors. In response, the helper router enters Helper mode and sends an acknowledgement back to the restarting device. OS10 supports graceful restart Helper mode. Use the graceful-restart role helper-only command to enable Helper mode in ROUTER OSPF mode.
● Are the OSPF routes included in the routing table in addition to the OSPF database?
● Are you able to ping the IPv4 address of adjacent router interface?
Troubleshooting OSPF with show commands
● View a summary of all OSPF process IDs enabled in EXEC mode.
show running-configuration ospf
● View summary information of IP routes in EXEC mode.
show ip route summary
● View summary information for the OSPF database in EXEC mode.
Example OS10(conf-router-ospf-10)# area 10.10.1.5 default-cost 10
Supported Releases 10.2.0E or later
area nssa
Defines an area as an NSSA.
Syntax area area-id nssa [default-information-originate | no-redistribution | no-summary]
Parameters
● area-id — Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-redistribution — (Optional) Prevents the redistribute command from distributing routes into the NSSA. Use the no-redistribution command only in an NSSA ABR.
Command Mode ROUTER-OSPF
Usage Information The no version of this command deletes a stub area.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# area 10.10.1.5 stub
Supported Releases 10.2.0E or later
auto-cost reference-bandwidth
Calculates default metrics for the interface based on the configured auto-cost reference bandwidth value.
● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to clear OSPF traffic statistics in that configured VRF.
Default Not configured
Command Mode EXEC
Usage Information This command clears the OSPF traffic statistics in a specified instance or in all the configured OSPF instances, and resets them to zero.
Example OS10# clear ip ospf 10 vrf vrf-test statistics
Supported Releases 10.4.
Command Mode ROUTER-OSPF
Usage Information The no version of this command disables the default-metric configuration.
Example OS10(conf-router-ospf-10)# default-metric 2000
Supported Releases 10.2.0E or later
fast-converge
Sets the minimum LSA origination and arrival times to zero (0) allowing more rapid route computation so convergence takes less time.
Syntax fast-converge convergence-level
Parameters convergence-level — Enter a desired convergence level value, from 1 to 4.
Default Not configured
Command Mode INTERFACE
Usage Information The no version of this command removes an interface from an OSPF area.
Example OS10(conf-if-vl-10)# ip ospf 10 area 5
Supported Releases 10.2.0E or later
ip ospf authentication-key
Configures a text authentication key to enable OSPF traffic on an interface.
Syntax ip ospf authentication-key key
Parameters key — Enter an eight-character string for the authentication key.
Default 40 seconds
Command Mode INTERFACE
Usage Information The dead interval is four times the default hello-interval by default. The no version of this command resets the value to the default.
Example OS10(conf-if-vl-10)# ip ospf dead-interval 10
Supported Releases 10.2.0E or later
ip ospf hello-interval
Sets the time interval between the hello packets sent on the interface.
Syntax ip ospf hello-interval seconds
Parameters seconds — Enter the hello-interval value in seconds, from 1 to 65535.
Default Not configured Command Mode INTERFACE Usage Information If the MTU size of the peer interface is greater than the local interface, switches that run OSPF do not form adjacencies with neighbors. Use this command to override this behavior and form adjacency. If you try to disable a neighborship using the no ip ospf mtu-ignore command after a neighborship is formed using the ip ospf mtu-ignore command, the neighborship still continues.
ip ospf priority
Sets the priority of the interface to determine the DR for the OSPF network.
Syntax ip ospf priority number
Parameters number — Enter a router priority number, from 0 to 255.
Default 1
Command Mode INTERFACE
Usage Information When two routers attached to a network attempt to become the DR, the one with the higher router priority takes precedence. The no version of this command resets the value to the default.
log-adjacency-changes
Enables logging of syslog messages regarding changes in the OSPF adjacency state.
Syntax log-adjacency-changes
Parameters None
Default Disabled
Command Mode ROUTER-OSPF
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# log-adjacency-changes
Supported Releases 10.2.
redistribute
Redistributes information from another routing protocol or routing instance to the OSPFv2 process.
Syntax redistribute {bgp as-number| imported-ospf-routes | connected | static} [route-map map-name]
Parameters
● as-number — Enter an autonomous number to redistribute BGP routing information throughout the OSPF instance, from 1 to 4294967295.
● connected — Enter the information from the connected active routes on interfaces to redistribute.
Command Mode CONFIGURATION
Usage Information Assign an IP address to an interface before using this command. The no version of this command deletes an OSPF instance.
Example OS10(config)# router ospf 10 vrf vrf-test
Supported Releases 10.2.0E or later
show ip ospf
Displays OSPF instance configuration information.
Syntax show ip ospf [instance-number] [vrf vrf-name]
Parameters
● instance-number — View OSPF information for a specified instance number, from 1 to 65535.
Example
OS10# show ip ospf 10 asbr
RouterID    Flags    Cost  Nexthop     Interface  Area
112.2.1.1   E/-/-/   1     110.1.1.2   vlan3050   0.0.0.0
111.2.1.1   E/-/-/   0     0.0.0.0     -          -
Supported Releases 10.2.0E or later
show ip ospf database
Displays all LSA information. You must enable OSPF to generate output.
Syntax show ip ospf [process-id] [vrf vrf-name] database
Parameters
● process-id — (Optional) View LSA information for a specific OSPF process ID.
Parameters
● process-id—(Optional) Displays the AS boundary LSA information for a specified OSPF process ID. If you do not enter a process ID, this applies only to the first OSPF process.
● vrf vrf-name — (Optional) Displays the AS boundary LSA information for a OSPF process ID corresponding to the specified VRF.
Default Not configured
Command Mode EXEC
Usage Information
● LS Age—Displays the LS age.
● Options—Displays optional capabilities.
● LS Type—Displays the LS type.
● Length — Displays the LSA length in bytes.
● Network Mask — Identifies the network mask implemented on the area.
● TOS — Displays the ToS options. The only option available is zero.
● Metric — Displays the LSA metric.
Example
OS10# show ip ospf 10 database external
OSPF Router with ID (111.2.1.1) (Process ID 10)
Type-5 AS External
LS age: 1424
Options: (No TOS-capability, No DC, E)
LS type: Type-5 AS External
Link State ID: 110.1.1.0
Advertising Router: 111.2.1.
Link State ID: 110.1.1.2
Advertising Router: 112.2.1.1
LS Seq Number: 0x80000008
Checksum: 0xd2b1
Length: 32
Network Mask: /24
Attached Router: 111.2.1.1
Attached Router: 112.2.1.1
Supported Releases 10.2.0E or later
show ip ospf database nssa external
Displays information about the NSSA-External Type 7 LSA.
Syntax show ip ospf [process-id] [vrf vrf-name] database nssa external
Parameters
● process-id — (Optional) Displays NSSA-External Type7 LSA information for a specified OSPF process ID.
Advertising Router: 2.2.2.2
LS Seq Number: 0x80000001
Checksum: 0x2526
Length: 36
Network Mask: /0
Metric Type: 1
TOS: 0
Metric: 0
Forward Address: 0.0.0.0
External Route Tag: 0
LS age: 65
Options: (No TOS-Capability, No DC, No Type 7/5 translation)
LS type: NSSA External
Link State ID: 12.1.1.0
Advertising Router: 2.2.2.2
LS Seq Number: 0x80000001
Checksum: 0xBDEA
Length: 36
Network Mask: /24
Metric Type: 2
TOS: 0
Metric: 20
Forward Address: 0.0.0.
Default Not configured
Command Mode EXEC
Usage Information
● LS Age — Displays the LS age.
● Options — Displays the optional capabilities available on the router.
● LS Type — Displays the LS type.
● Link State ID — Identifies the router ID.
● Advertising Router — Identifies the advertising router’s ID.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
Type-11 AS Opaque
LS age: 3600
Options: (No TOS-Capability, No DC)
LS type: Type-11 AS Opaque
Link State ID: 8.1.1.3
Advertising Router: 2.2.2.2
LS Seq Number: 0x8000000D
Checksum: 0x61D3
Length: 36
Opaque Type: 8
Opaque ID: 65795
Supported Releases 10.2.0E or later
show ip ospf database opaque-link
Displays information about the opaque-link Type 9 LSA.
show ip ospf database router
Displays information about the router Type 1 LSA.
Syntax show ip ospf process-id [vrf vrf-name] database router
Parameters
● process-id — (Optional) Displays the router Type 1 LSA for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
● vrf vrf-name — (Optional) Displays the router Type 1 LSA for an OSPF process ID corresponding to a VRF.
show ip ospf database summary
Displays the network summary Type 3 LSA routing information.
Syntax show ip ospf [process-id] [vrf vrf-name] database summary
Parameters
● process-id—(Optional) Displays LSA information for a specific OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
● vrf vrf-name — (Optional) Displays LSA information for a specified OSPF process ID corresponding to a VRF.
Command Mode Example Supported Releases EXEC OS10# show ip ospf 10 interface ethernet1/1/1 is up, line protocol is up Internet Address 110.1.1.1/24, Area 0.0.0.0 Process ID 10, Router ID 1.1.1.1, Network Type broadcast, Cost: 10 Transmit Delay is 1 sec, State WAIT, Priority 1 BFD enabled(Interface level) Interval 300 Min_rx 300 Multiplier 3 Role Active Designated Router (ID) , Interface address 0.0.0.0 Backup Designated router (ID) , Interface address 0.0.0.
Usage Information Example Supported Releases This command displays OSPFv2 traffic statistics for a specified instance or interface, or for all OSPFv2 instances and interfaces.
Supported Releases 10.2.0E or later
summary-address
Configures a summary address for an ASBR to advertise one external route as an aggregate for all redistributed routes covered by a specified address range.
Syntax summary-address ip-address/mask [not-advertise | tag tag-value]
Parameters
● ip-address/mask—Enter the IP address to summarize along with the mask.
● not-advertise—(Optional) Suppresses IP addresses that do not match the network prefix/mask.
● max-wait — 10000 milliseconds
Command Mode ROUTER-OSPF
Usage Information By default, SPF timers are disabled in an OSPF instance. Use SPF throttling to delay SPF calculations during periods of network instability. In an OSPF network, a topology change event triggers an SPF calculation after a start time. When the start timer finishes, a hold time may delay the next SPF calculation for an additional time.
OSPFv3
OSPFv3 is an IPv6 link-state routing protocol that supports IPv6 unicast address families (AFs). OSPFv3 is disabled by default. You must configure at least one interface, either physical or Loopback. The OSPF process automatically starts when OSPFv3 is enabled for one or more interfaces. Any area besides area 0 can have any number ID assigned to it.
Enable OSPFv3
1. Enable OSPFv3 globally and configure an OSPFv3 instance in CONFIGURATION mode.
router ospfv3 instance-number
2.
6. Associate the interface with the non-default VRF instance that you created earlier.
ip vrf forwarding vrf-name
7. Enable the OSPFv3 on an interface.
ipv6 ospfv3 process-id area area-id
● process-id — Enter the OSPFv3 process ID for a specific OSPFv3 process, from 1 to 65535.
● area-id — Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
Configure Stub Areas
Type 5 LSAs are not flooded into stub areas. The ABR advertises a default route into the stub area where it is attached. Stub area routers use the default route to reach external destinations.
1. Enable OSPFv3 routing and enter ROUTER-OSPFv3 mode, from 1 to 65535.
router ospfv3 instance number
2. Configure an area as a stub area in ROUTER-OSPFv3 mode.
area area-id stub [no-summary]
● area-id — Enter the OSPFv3 area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
Enable Passive Interfaces
A passive interface is one that does not send or receive routing information. Configuring an interface as a passive interface suppresses both the receiving and the sending of routing updates. Although the passive interface does not send or receive routing updates, the network on that interface is included in OSPF updates sent through other interfaces. You can remove an interface from passive interfaces using the no ipv6 ospf passive command.
1. Enter an interface type in INTERFACE mode.
6. Change the default setting to ignore the MTU mismatch with the peer, when the MTU size of the peer interface is higher than the local MTU size.
Apply IPsec authentication or encryption on a physical, port-channel, or VLAN interface or in an OSPFv3 area. Each configuration consists of a security policy index (SPI) and the OSPFv3 packets validation key. After you configure an IPsec protocol for OSPFv3, IPsec operation is invisible to the user. You can enable only one authentication or encryption security protocol at a time on an interface or for an area.
● Enable IPsec encryption for OSPFv3 packets in Interface mode.
ipv6 ospf encryption ipsec spi number esp encryption-type key authentication-type key
○ ipsec spi number — Enter a unique security policy index (SPI) value, from 256 to 4294967295.
○ esp encryption-type key — Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
○ key — Enter the text string used in the encryption algorithm.
When you configure encryption at the area level, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an IPsec area authentication using the area ospf authentication ipsec command. To configure encryption, you must first delete the authentication policy. ● Enable IPsec encryption for OSPFv3 packets in an area in Router-OSPFv3 mode.
View OSPF Configuration
OS10# show running-configuration ospfv3
!
interface ethernet1/1/1
ip ospf 100 area 0.0.0.0
!
router ospf 100
log-adjacency-changes

OSPFv3 Commands
area authentication
Configures authentication for an OSPFv3 area.
Syntax area area-id authentication ipsec spi number {MD5 | SHA1} key
Parameters ● ● ● ● ●
Default OSPFv3 area authentication is not configured.
● When you configure encryption at the area level, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an IPsec area authentication using the area ospf authentication ipsec command. To configure encryption, you must first delete the authentication policy.
● All OSPFv3 routers in the area must share the same encryption key to decrypt information. Only a non-encrypted key is supported.
clear ipv6 ospf process
Clears all OSPFv3 routing tables.
Syntax clear ipv6 ospf {instance-number} [vrf vrf-name] process
Parameters
● instance-number — Enter an OSPFv3 instance number, from 1 to 65535.
● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to clear OSPFv3 processes in that VRF.
Default Not configured
Command Mode EXEC
Usage Information None
Example OS10# clear ipv6 ospf 3 process
Supported Releases 10.3.
default-information originate Generates and distributes a default external route information to the OSPFv3 routing domain. Syntax default-information originate [always] Parameters always — (Optional) Always advertise the default route. Defaults Disabled Command Mode ROUTER-OSPFv3 Usage Information The no version of this command disables the distribution of default route.
● The SPI value must be unique to one IPsec authentication or encryption security policy on the router. You cannot configure the same SPI value on another interface even if it uses the same authentication or encryption algorithm.
● You cannot use an IPsec MD5 or SHA1 authentication type and the null setting at the same time on an interface. These settings are mutually exclusive.
● All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported.
ipv6 ospf encryption
Configures OSPFv3 encryption on an IPv6 interface.
Syntax ipv6 ospf encryption {ipsec spi number esp encryption-type key authentication-type key | null}
Parameters
● ipsec spi number — Enter a unique security policy index number, from 256 to 4294967295.
● esp encryption-type — Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
● key — Enter the text string used in the encryption algorithm.
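The constraints stated in this section (an SPI from 256 to 4294967295, an SPI unique to one policy on the router, and only one of authentication or encryption per interface or area) can be checked offline against a saved configuration. The Python audit below is an added example, not Dell tooling or code from this guide. Its assumptions: the sample configuration is constructed, the one-space indentation, lowercase algorithm keywords, the interface-level ipv6 ospf authentication line and the area-level encryption line are modelled on the syntax shown here, and the DES/NULL warning is an added hardening check rather than a rule from this guide.

```python
import re
from collections import defaultdict

SPI_MIN, SPI_MAX = 256, 4294967295              # SPI range stated in the guide
ESP_TYPES = {"3des", "des", "aes-cbc", "null"}  # ESP algorithms listed in the guide
AUTH_TYPES = {"md5", "sha1"}                    # authentication types listed in the guide
WEAK_ESP = {"des", "null"}                      # added hardening check, not a guide rule

# Interface-level and area-level IPsec policy lines (keyword spelling is assumed).
POLICY_RE = re.compile(
    r"^(?:ipv6 ospf|area (?P<area>\S+)) (?P<kind>authentication|encryption) "
    r"ipsec spi (?P<spi>\d+) (?P<rest>.+)$",
    re.IGNORECASE,
)

# Constructed sample configuration; every key is a placeholder.
OSPF_SAMPLE = """\
interface ethernet1/1/1
 ipv6 ospf encryption ipsec spi 500 esp aes-cbc EXAMPLEKEY1 sha1 EXAMPLEKEY2
!
interface ethernet1/1/2
 ipv6 ospf authentication ipsec spi 500 md5 EXAMPLEKEY3
!
interface ethernet1/1/3
 ipv6 ospf encryption ipsec spi 100 esp des EXAMPLEKEY4 md5 EXAMPLEKEY5
 ipv6 ospf authentication ipsec spi 600 sha1 EXAMPLEKEY6
!
router ospfv3 100
 area 0.0.0.1 authentication ipsec spi 700 sha1 EXAMPLEKEY7
"""


def parse_policies(config_text):
    """Return one dict per IPsec policy line; key material is never stored."""
    policies, stanza = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # unindented line starts a new stanza
            stanza = line.lower()
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        kind = m.group("kind").lower()
        tokens = [t.lower() for t in m.group("rest").split()]
        esp = None
        if kind == "encryption":
            if len(tokens) > 1 and tokens[0] == "esp":
                esp = tokens[1]
            # The authentication type follows the ESP type and its key.
            auth = next((t for t in tokens[2:] if t in AUTH_TYPES), None)
        else:
            auth = tokens[0]
        area = m.group("area")
        target = f"{stanza} area {area}" if area else stanza
        policies.append({"target": target, "kind": kind,
                         "spi": int(m.group("spi")), "esp": esp, "auth": auth})
    return policies


def audit(config_text):
    """Return (code, target, detail) findings for the rules in this section."""
    findings = []
    by_spi, kinds = defaultdict(list), defaultdict(set)
    for p in parse_policies(config_text):
        by_spi[p["spi"]].append(p["target"])
        kinds[p["target"]].add(p["kind"])
        if not SPI_MIN <= p["spi"] <= SPI_MAX:
            findings.append(("spi-range", p["target"], str(p["spi"])))
        if p["kind"] == "encryption" and p["esp"] not in ESP_TYPES:
            findings.append(("esp-unsupported", p["target"], str(p["esp"])))
        if p["auth"] not in AUTH_TYPES:
            findings.append(("auth-unsupported", p["target"], str(p["auth"])))
        if p["esp"] in WEAK_ESP:
            findings.append(("esp-weak", p["target"], p["esp"]))
    for spi, targets in by_spi.items():
        if len(targets) > 1:              # the SPI must be unique on the router
            findings.append(("spi-reused", ", ".join(targets), str(spi)))
    for target, seen in kinds.items():
        if len(seen) > 1:                 # only one protocol per interface or area
            findings.append(("auth-and-encryption", target, ""))
    return findings


if __name__ == "__main__":
    for finding in audit(OSPF_SAMPLE):
        print(finding)
```
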
ipv6 ospf mtu-ignore Disables MTU size detection on received Database Descriptor (DBD) packets when forming OSPFv3 adjacency. Syntax ipv6 ospf mtu-ignore Parameters None Default Not configured Command Mode INTERFACE Usage Information If the MTU size of the peer interface is greater than the local interface, switches that run OSPFv3 do not form adjacencies with neighbors. Use this command to override this behavior and form adjacency.
network information corresponding to these loopback interfaces is still announced in OSPF LSAs that are sent through other interfaces configured for OSPF. Example Supported Releases OS10(config)# interface ethernet 1/1/6 OS10(conf-if-eth1/1/6)# ipv6 ospf passive 10.3.0E or later ipv6 ospf priority Sets the priority of the interface to determine the DR for the OSPFv3 network. Syntax ipv6 ospf priority number Parameters number — Enter a router priority number, from 0 to 255.
Usage Information Example Supported Releases The no version of this command resets the value to the default. OS10(config)# router ospfv3 OS10(config-router-ospfv3-100)# maximum-paths 1 10.3.0E or later redistribute Redistributes information from another routing protocol or routing instance to the OSPFv3 process.
router ospfv3 Enters Router OSPFv3 mode and configures an OSPFv3 instance. Syntax router ospfv3 instance-number [vrf vrf-name] Parameters ● instance-number—Enter a router OSPFv3 instance number, from 1 to 65535. ● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to configure an OSPFv3 instance in that VRF. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes an OSPFv3 instance.
show ipv6 ospf database Displays all LSA information. You must enable OSPFv3 to generate output. Syntax show ipv6 ospf process-id [vrf vrf-name] database Parameters ● process-id — Enter the OSPFv3 process ID to view a specific process. If you do not enter a process ID, the command applies to all the configured OSPFv3 processes. ● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to display LSA information for that VRF.
○ port-channel — Port-channel interface, from 1 to 128. ○ vlan — VLAN interface, from 1 to 4093. ● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to display the configured OSPFv3 enabled interfaces in that VRF. Default Not configured Command Mode EXEC Example Supported Releases OS10# show ipv6 ospf interface ethernet1/1/1 is up, line protocol is up Link Local Address fe80::20c:29ff:fe0a:d59/64, Interface ID 5 Area 0.0.0.0, Process ID 200, Instance ID 0, Router ID 10.0.
○ port-channel number — Enter the port-channel interface number, from 1 to 128. ○ vlan vlan-id — Enter the VLAN ID number, from 1 to 4093. Default Not configured Command Mode EXEC Usage Information This command displays OSPFv3 traffic statistics for a specified instance or interface, or for all OSPFv3 instances and interfaces.
If you do not specify a start-time, hold-time, or max-wait value, the default values are used. The no version of this command removes the configured SPF timers and disables SPF throttling in an OSPF instance. Example OS10(config)# router ospfv3 100 OS10(config-router-ospfv3-100)# timers spf 1345 2324 9234 OS10(config-router-ospfv3-100)# do show ipv6 ospf Routing Process ospfv3 100 with ID 129.240.244.
Figure 10. Object tracking Interface tracking You can create an object that tracks the line-protocol state of an L2 interface, and monitors its operational up or down status. You can configure up to 500 objects. Each object is assigned a unique ID. When the link-level status goes down, the tracked resource status is also considered Down. If the link-level status goes up, the tracked resource status is also considered Up.
2. (Optional) Enter interface object tracking on the line-protocol state of an L2 interface in OBJECT TRACKING mode. interface interface line-protocol 3. (Optional) Configure the time delay used before communicating a change to the status of a tracked interface in OBJECT TRACKING mode, from 0 to 80 seconds; default 0. delay [up seconds] [down seconds] 4. (Optional) View the tracked object information in EXEC mode. show track object-id 5. (Optional) View all interface object information in EXEC mode.
OS10 (conf-track-2)# do show track 2 IP Host 1.1.1.
View interface object tracking information
OS10# show track interface
TrackID Resource Parameter Status LastChange
---------------------------------------------------------------------------------
1 line-protocol ethernet1/1/1 DOWN 2017-02-03T08:41:25Z1
OS10# show track ip
TrackID Resource Parameter Status LastChange
---------------------------------------------------------------------------------
2 ipv4-reachablity 1.1.1.
● loopback — Enter the Loopback interface identifier. ● mgmt — Enter the Management interface. Defaults Not configured Command Mode CONFIGURATION Usage Information None Example Supported Releases OS10(conf-track-100)# interface ethernet line-protocol 10.3.0E or later ip reachability Configures an object to track a specific next-hop host's reachability. Syntax ip host-ip-address reachability Parameters host-ip-address — Enter the IPv4 host address.
Defaults 0 seconds Command Mode CONFIGURATION Usage Information Set the interval to 0 to disable the refresh. Example Supported Releases OS10(conf-track-100)# reachability-refresh 600 10.3.0E or later show track Displays tracked object information. Syntax show track [brief] [object-id] [interface] [ip | ipv6] Parameters ● ● ● ● ● Defaults None Command Mode CONFIGURATION Usage Information None Example (Brief) Supported Releases brief — (Optional) Displays brief tracked object information.
Policy-based routing
PBR provides a mechanism to redirect IPv4 and IPv6 data packets according to the policies that you define, overriding the switch’s forwarding decisions based on the routing table.
Policy-based route-maps
A route-map is an ordered set of rules that controls the redistribution of IP routes into a protocol domain. When you enable PBR on an interface, all IPv4 or IPv6 data packets are processed based on the policies that you define in the route-maps.
Apply match and set parameters to IPv6 route-map
OS10(conf-route-map)# route-map map1
OS10(conf-route-map)# match ipv6 address acl8
OS10(conf-route-map)# set ipv6 next-hop 20::20
Assign route-map to interface
You can assign a route-map to an interface for IPv4 or IPv6 policy-based routing.
● Assign the IPv4 or IPv6 policy-based route-map to an interface in INTERFACE mode.
Policy-based routing per VRF Configure PBR per VRF instance for both IPv4 and IPv6 traffic flows. Policy-based routing (PBR) enables packets with certain match criteria, such as packets from specific source and destination addresses, to be re-directed to a different next-hop. You can also use PBR to re-direct packets arriving on a VRF instance to a next-hop that is reachable through a different VRF instance.
SW1 VLAN configuration ● Create a VLAN and assign an IP address to it which acts as the gateway for the hosts in the VM. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown OS10(conf-if-vl-100)# ip address 10.1.1.1/24 OS10(conf-if-vl-100)# exit ● Create another VLAN, and assign an IP address to it. OS10# configure terminal OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# no shutdown OS10(conf-if-vl-200)# ip address 10.2.1.
3. Specify the management IP address of the VLT peer as a backup link. OS10(conf-vlt-1)# backup destination 10.10.10.2 4. Configure VLT port channels.
OS10(conf-if-vl-200)# ip address 10.2.1.3/24 OS10(conf-if-vl-200)# exit VLT configuration 1. Create a VLT domain, and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address. OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54 3. Specify the management IP address of the VLT peer as a backup link.
Using the following PBR configuration, you can re-direct traffic ingressing to VRF RED to a destination that is reachable through the next-hop IP address 2.2.2.2 in VRF BLUE:
1. Create a route-map.
OS10(config)# route-map test
2. Enter the IP address to match the specified access list.
OS10(config-route-map)# match ip 4.4.4.4 acl1
3. Set the next-hop address to 2.2.2.2, which is reachable through VRF BLUE.
OS10(config-route-map)#
OS10(config-route-map)# set ip vrf BLUE next-hop 2.2.2.
ip ip-address reachability vrf vrf-name
OS10(conf-track-200)#
OS10(conf-track-200)# ip 1.1.1.1 reachability vrf red
OS10(conf-track-200)# exit
3. Configure the route-map.
route-map route-map-name
OS10(config-route-map)#
OS10(config-route-map)# match ip address acl1
4. Set the track ID configured in step 1 to the route-map.
set ip vrf vrf-name next-hop next-hop-address track-id track-id-number
OS10(config-route-map)# set ip vrf red next-hop 1.1.1.1 track-id 200
5.
seq 30 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 21
seq 40 permit icmp 10.99.0.0/16 10.0.0.0/8
● Create a route-map to block specific traffic from PBR processing.
route-map TEST-RM deny 5
match ip address TEST-ACL-DENY
● Create a route-map to permit traffic for PBR processing.
route-map TEST-RM permit 10
match ip address TEST-ACL
set ip next-hop 10.0.40.235
● Apply the policy to the previously created interface.
PBR commands
clear route-map pbr-statistics
Clears all PBR counters.
Syntax clear route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example OS10# clear route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
match address
Matches the access-list to the route-map.
Syntax match {ip | ipv6} address [name]
Parameters name—Enter the name of an access-list.
route-map pbr-statistics
Enables counters for PBR statistics.
Syntax route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
set next-hop
Sets an IPv4 or IPv6 next-hop address for policy-based routing.
Command Mode ROUTE-MAP Usage Information You must configure next-hop IP address tracking and PBR next-hop with the same VRF instance. For next-hop reachability in the same VRF instance, you must configure both PBR per VRF and object tracking. Missing either the next-hop IP address tracking or PBR next-hop configuration in a VRF instance results in an erroneous configuration. However, the system does not display an error message indicating problems in the configuration.
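Because the system accepts a mismatched tracking and PBR next-hop configuration without an error message, the pairing is worth checking offline. The Python check below is an added example, not part of OS10 or of this guide; the sample configuration is constructed from the track, ip reachability vrf and set ip vrf next-hop track-id syntax shown in this chapter, and the layout of the saved configuration, the finding names and the address comparison are this example's own assumptions.

```python
import re

TRACK_RE = re.compile(r"^track (\d+)(?: (.+))?$")
REACH_RE = re.compile(r"^ip (\S+) reachability(?: vrf (\S+))?$")
ROUTE_MAP_RE = re.compile(r"^route-map (\S+)")
SET_RE = re.compile(
    r"^set ip(?: vrf (?P<vrf>\S+))? next-hop (?P<hop>\S+)"
    r"(?: track-id (?P<track>\d+))?$"
)

# Constructed sample configuration (addresses and names are illustrative).
PBR_SAMPLE = """\
track 200
 ip 1.1.1.1 reachability vrf red
!
track 201
 ip 2.2.2.2 reachability vrf blue
!
track 10 interface ethernet1/1/7 line-protocol
!
route-map test permit 10
 match ip address acl1
 set ip vrf red next-hop 1.1.1.1 track-id 200
!
route-map test2 permit 10
 set ip vrf red next-hop 2.2.2.2 track-id 201
!
route-map test3 permit 10
 set ip vrf blue next-hop 4.4.4.4 track-id 203
!
route-map test4 permit 10
 set ip vrf red next-hop 5.5.5.5 track-id 10
"""


def check_pbr_tracking(config_text):
    """Return (route-map, finding, track-id) for each inconsistent PBR next-hop."""
    defined, tracks, sets, stanza = set(), {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                  # top-level line: new stanza
            stanza = None
            m = TRACK_RE.match(line)
            if m:
                stanza = ("track", int(m.group(1)))
                defined.add(stanza[1])
                line = m.group(2) or ""           # one-line form: "track 10 interface ..."
            else:
                m = ROUTE_MAP_RE.match(line)
                if m:
                    stanza = ("route-map", m.group(1))
                continue
        if stanza is None:
            continue
        if stanza[0] == "track":
            m = REACH_RE.match(line)
            if m:                                 # no vrf keyword means the default VRF
                tracks[stanza[1]] = (m.group(1), m.group(2) or "default")
        else:
            m = SET_RE.match(line)
            if m and m.group("track") is not None:
                sets.append((stanza[1], m.group("vrf") or "default",
                             m.group("hop"), int(m.group("track"))))

    findings = []
    for rmap, vrf, hop, track_id in sets:
        if track_id not in defined:
            findings.append((rmap, "track-missing", track_id))
        elif track_id not in tracks:
            findings.append((rmap, "track-not-reachability", track_id))
        else:
            tracked_ip, tracked_vrf = tracks[track_id]
            if tracked_vrf != vrf:                # tracking and PBR must share the VRF
                findings.append((rmap, "vrf-mismatch", track_id))
            if tracked_ip != hop:                 # added check: tracked host is the next-hop
                findings.append((rmap, "address-differs", track_id))
    return findings


if __name__ == "__main__":
    for finding in check_pbr_tracking(PBR_SAMPLE):
        print(finding)
```
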
VRRP:
● Provides a virtual default routing platform
● Provides load balancing
● Supports multiple logical IP subnets on a single LAN segment
● Enables simple traffic routing without the single point of failure of a static default route
● Avoids issues with dynamic routing and discovery protocols
● Takes over a failed default router:
○ Within a few seconds
○ With a minimum of VRRP traffic
○ Without any interaction from hosts
NOTE: The default behavior of VRRP is active-active.
The example shows a typical network configuration using VRRP. Instead of configuring the hosts on network 10.10.10.0 with the IP address of either Router A or Router B as the default router, the default router of all hosts is set to the IP address of the virtual router. When any host on the LAN segment requests Internet access, it sends packets to the IP address of the virtual router.
Migrate IPv4 group from VRRPv2 to VRRPv3
OS10_backup_switch1(config)# vrrp version 2
OS10_backup_switch2(config)# vrrp version 2
Set master switch to VRRPv3
OS10_master_switch(config)# vrrp version 3
Set backup switches to VRRPv3
OS10_backup_switch1(config)# vrrp version 3
OS10_backup_switch2(config)# vrrp version 3
Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID).
no switchport
no shutdown
!
vrrp-group 10
virtual-address 10.1.1.8
!
interface ethernet1/1/2
switchport access vlan 1
no shutdown
!
interface ethernet1/1/3
switchport access vlan 1
no shutdown
!
interface ethernet1/1/4
switchport access vlan 1
--more--
View VRRP information
When the VRRP process completes initialization, the State field contains either master or backup.
INTERFACE CONFIGURATION Mode 6. Configure a VRRP group. vrrp-group group-id INTERFACE CONFIGURATION Mode 7. Configure virtual IP address for the VRRP ID. virtual-address ip-address INTERFACE VRRP Mode OS10(config)# ip vrf vrf-test OS10(config-vrf)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ip vrf forwarding vrf-test OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24 OS10(conf-if-eth1/1/1)# vrrp-group 10 OS10(conf-eth1/1/1-vrid-10)# virtual-address 10.1.1.
Authentication Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, OS10 includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission. You must configure all virtual routers in the VRRP group with the same password. You must enable authentication with the same password or authentication is disabled. Authentication for VRRPv3 is not supported. 1.
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/ VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH. aaa authentication system:local ! interface ethernet1/1/5 ip address 1.1.1.1/16 no switchport no shutdown ! vrrp-group 254 priority 125 virtual-address 1.1.1.3 no preempt ! Advertisement interval By default, the master router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the master router.
switchport access vlan 1 no shutdown Interface/object tracking You can monitor the state of any interface according to the virtual group. OS10 supports a maximum of 10 track groups and each track group can track only one interface. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 — also known as cost. If the tracked interface’s state goes up, the VRRP group’s priority increases by the priority cost.
switchport access vlan 1 no shutdown ! interface ethernet1/1/4 switchport access vlan 1 no shutdown ! interface ethernet1/1/5 switchport access vlan 1 no shutdown ! interface ethernet1/1/6 switchport access vlan 1 no shutdown ! ..... ..... interface vlan1 no shutdown ! interface mgmt1/1/1 no shutdown ! support-assist ! track 10 interface ethernet1/1/7 line-protocol To associate a track object with a VRRP group, use the track command inside VRRP GROUP CONFIGURATION mode.
Usage Information Example Supported Releases With authentication enabled, OS10 ensures that only trusted routers participate in routing in an autonomous network. The no version of this command disables authentication of VRRP data exchanges. OS10(conf-ethernet1/1/6-vrid-250)# authentication simple-text eureka 10.2.0E or later preempt Permits or preempts a backup router with a higher priority value to become the master router.
● ipv6 group-id — (Optional) Enter a VRRP group ID number to view the specific IPv6 group operational status information, from 1 to 255. Default All IPv4 VRRP group configuration Command Mode EXEC Usage Information Displays all active VRRP groups. If no VRRP groups are active, the system displays No Active VRRP group.
track interface Monitors an interface and lowers the priority value of the VRRP group on that interface, if disabled. Syntax interface {ethernet node/slot/port[:subport]} [line-protocol] Parameters ● ethernet node/slot/port[:subport] — (Optional) Enter the keyword and the interface information to track. ● line-protocol — (Optional) Tracks the interface line-protocol operational status.
Example Supported Releases OS10(config)# vrrp delay reload 5 10.4.0E(R1) or later vrrp-group Assigns a VRRP group identification number to an IPv4 interface or VLAN Syntax vrrp-group vrrp-id Parameters vrrp-id — Enter a VRRP group identification number, from 1 to 255. Default Not configured Command Mode INTERFACE-VRRP Usage Information The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address.
Usage Information Example Supported Releases The no version of this command disables the VRRP version for the IPv4 group. OS10(config)# vrrp version 2 10.2.
14 Multicast Multicast is a technique that allows networking devices to send data to a group of interested receivers in a single transmission. For instance, this technique is widely used for streaming videos. Multicast allows you to more efficiently use network resources, specifically for bandwidth-consuming services such as audio and video transmission.
NOTE: Layer 3 (L3) PIM and IGMP multicast is not supported on the S3048-ON switch. IGMP and Multicast Listener Discovery (MLD) snooping is supported on all switches. Configure multicast routing Configuring multicast routing is a two-step process that involves configuring multicast routing and enabling PIM sparse mode (PIM-SM) on a Layer 3 (L3) interface. The following procedure describes how to configure multicast routing.
With multicast flood control, multicast frames, whose destination is not known, are forwarded only to the designated mrouter port. OS10 learns of the mrouter interface dynamically based on the interface where an IGMP membership query is received. You can also statically configure the mrouter interface using the ip igmp snooping mrouter and ipv6 mld snooping mrouter commands.
Enable multicast flood control
Multicast flood control is enabled on OS10 by default. If it is disabled, use the following procedure to enable multicast flood control:
1. Configure IGMP snooping. For details, see the IGMP snooping section.
2. Configure MLD snooping. For details, see the MLD Snooping section.
3. Enable the multicast flood control feature.
● Multicast address-and-source-specific query—To learn if any of the sources from the specified list for a multicast source has any listeners.
When the IGMP querier receives a leave message, it sends a group-specific query message to check whether any other host in the network is interested in the multicast flow. By default, the group-specific query messages are sent every 1000 milliseconds. You can configure this value using the ip igmp last-member-query-interval command.
To view IGMP-enabled interfaces: OS10# show ip igmp interface Vlan103 is up, line protocol is up Internet address is 2.1.1.2 IGMP is enabled on interface IGMP version is 3 IGMP query interval is 60 seconds IGMP querier timeout is 130 seconds IGMP last member query response interval is 1000 ms IGMP max response time is 10 seconds IGMP immediate-leave is disabled on this interface IGMP joins count: 0 IGMP querying router is 2.1.1.1 Vlan105 is up, line protocol is up Internet address is 3.1.1.
NOTE: OS10 supports IGMP snooping only with proxy reporting. OS10 does not relay the IGMP join packets received from hosts as is. Instead, OS10 generates, bundles, and sends IGMP join packets to mrouter port based on the version of IGMP queries received from IGMP routers. Proxy reporting reduces the number of IGMP control packets sent to the multicast router.
View IGMP snooping information OS10# show ip igmp snooping groups Total Number of Groups: 480 IGMP Connected Group Membership Group Address Interface Mode 225.1.0.0 vlan3531 IGMPv2-Compat Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 225.1.0.1 vlan3531 IGMPv2-Compat Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 225.1.0.2 vlan3531 IGMPv2-Compat Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 225.1.0.
Supported Releases 10.4.3.0 or later ip igmp immediate-leave Enables IGMP immediate leave. Syntax ip igmp immediate-leave Parameters None Default None Command Mode INTERFACE Usage Information The querier sends some group-specific queries when it receives a leave message before deleting the group from the membership database. If you need to immediately delete a group from the membership database, use the ip igmp immediate-leave command. The no version of this command disables IGMP immediate leave.
Usage Information Example Supported Releases None OS10# configure terminal OS10# interface vlan12 OS10(conf-if-vl-12)# ip igmp query-interval 60 10.4.3.0 or later ip igmp query-max-resp-time Configures the maximum query response time advertised in general queries. Syntax ip igmp query-max-resp-time seconds Parameters seconds—Enter the amount of time in seconds, from 1 to 25.
Usage Information Example Supported Releases When you enable IGMP snooping globally, the configuration applies to all VLAN interfaces. You can disable IGMP snooping on specified VLAN interfaces. The no version of this command disables IGMP snooping on the specified VLAN interface. OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no ip igmp snooping 10.4.0E(R1) or later ip igmp snooping fast-leave Enables fast leave in IGMP snooping for specified VLAN.
Usage Information Example Supported Releases The no version of this command removes the multicast router configuration from the VLAN member port. OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip igmp snooping mrouter interface ethernet 1/1/1 10.4.0E(R1) or later ip igmp snooping querier Enables IGMP querier processing for the specified VLAN interface.
Usage Information The no version of this command resets the query response time to default value. Example Supported Releases OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip igmp snooping query-max-resp-time 15 10.4.1.0 or later ip igmp version Configures IGMP version. Syntax ip igmp version version-number Parameters version-number—Enter the version number as 2 or 3.
show ip igmp snooping groups Displays IGMP snooping group membership details. Syntax show ip igmp snooping groups [detail | [vlan vlan-id [detail | ipaddress]]] Parameters ● vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093. ● detail—(Optional) Enter detail to display the IGMPv3 source information. ● ip-address—(Optional) Enter the IP address of the multicast group.
225.1.0.2 00:01:30 Member-ports 225.1.0.3 00:01:30 Member-ports 225.1.0.4 00:01:30 Member-ports 225.1.0.5 00:01:30 Member-ports 225.1.0.6 00:01:30 Member-ports 225.1.0.7 00:01:30 Member-ports 225.1.0.8 00:01:30 Member-ports 225.1.0.9 00:01:30 Member-ports 225.1.0.
ethernet1/1/52:1 Include Interface vlan3041 Group 232.11.0.2 Source List 101.41.0.21 Member Port Mode port-channel51 Include --more-Example (with VLAN and multicast IP address) Supported Releases 1d:20:26:08 00:01:46 Uptime 1d:20:26:07 Expires 00:01:41 OS10# show ip igmp snooping groups vlan 3041 232.11.0.0 detail Interface vlan3041 Group 232.11.0.0 Source List 101.41.0.
IGMP snooping is enabled on interface IGMP snooping query interval is 60 seconds IGMP snooping querier timeout is 130 seconds IGMP snooping last member query response interval is 1000 ms IGMP Snooping max response time is 10 seconds IGMP snooping fast-leave is disabled on this interface IGMP snooping querier is disabled on this interface Multicast snooping flood-restrict is enabled on this interface Vlan3 is up, line protocol is up IGMP version is 3 IGMP snooping is enabled on interface IGMP snooping query
vlan3035 port-channel31
vlan3036 port-channel31
vlan3037 port-channel31
vlan3038 port-channel31
vlan3039 port-channel31
vlan3040 port-channel31
vlan3041 port-channel31
vlan3042 port-channel31
vlan3043 port-channel31
vlan3044 port-channel31
vlan3045 port-channel31
vlan3046 port-channel31
vlan3047 port-channel31
vlan3048 port-channel31
vlan3049 port-channel31
vlan3050 port-channel31
vlan3051 port-channel31
vlan3052 port-channel31
--more--
● (Optional) Configure the time interval for sending MLD general queries with the ipv6 mld snooping query-interval query-interval-time command in VLAN INTERFACE mode.
● (Optional) Configure the maximum time for responding to a query advertised in MLD queries using the ipv6 mld snooping query-max-resp-time query-response-time command in VLAN INTERFACE mode.
MLD snooping fast-leave is disabled on this interface MLD snooping querier is disabled on this interface OS10# show ipv6 mld snooping interface vlan 2 Vlan2 is up, line protocol is up MLD version is 2 MLD snooping is enabled on interface MLD snooping query interval is 60 seconds MLD snooping querier timeout is 130 seconds MLD snooping last member query response interval is 1000 ms MLD snooping max response time is 10 seconds MLD snooping fast-leave is disabled on this interface MLD snooping querier is disab
ipv6 mld snooping fast-leave Enables fast leave in MLD snooping for specified VLAN. Syntax ipv6 mld snooping fast-leave Parameters None Default Disabled Command Mode VLAN INTERFACE Usage Information The fast leave option allows the MLD snooping switch to remove an interface from the multicast group immediately on receiving the leave message. The no version of this command disables the fast leave functionality.
ipv6 mld snooping querier
Enables MLD querier on the specified VLAN interface.
Syntax ipv6 mld snooping querier
Parameters None
Default Not configured
Command Mode VLAN INTERFACE
Usage Information The no version of this command disables the MLD querier on the VLAN interface.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ipv6 mld snooping querier
Supported Releases 10.4.1.0 or later
ipv6 mld snooping query-interval
Configures the time interval for sending MLD general queries.
ipv6 mld version
Configures the MLD version.
Syntax ipv6 mld version version-number
Parameters version-number—Enter the version number as 1 or 2.
Default 2
Command Mode VLAN INTERFACE
Usage Information The no version of this command resets the version number to the default value.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ipv6 mld version 1
Supported Releases 10.4.1.0 or later
show ipv6 mld snooping groups
Displays MLD snooping group membership details.
00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:2::2 vlan3532 MLDv1-Compat 00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
Interface vlan3041 Group ff3e:232:b::1 Source List 2001:101:29::1b Member Port Mode port-channel31 Include ethernet1/1/51:1 Include ethernet1/1/52:1 Include
Example OS10# show ipv6 mld snooping interface vlan 3031 Vlan3031 is up, line protocol is up MLD version is 2 MLD snooping is enabled on interface MLD snooping query interval is 60 seconds MLD snooping querier timeout is 130 seconds MLD snooping last member query response interval is 1000 ms MLD snooping max response time is 10 seconds MLD snooping fast-leave is disabled on this interface MLD snooping querier is disabled on this interface OS10# show ipv6 mld snooping interface vlan 2 Vlan2 is up, line prot
PIM terminology Table 40. PIM terminology Terminology Definition Rendezvous point (RP) The RP is a single root node that the shared tree uses, called the rendezvous point. (*, G) (*, G) refers to an entry in the PIM table for a group. (S, G) (S, G) refers to an entry in the PIM table for a source and group on the RP tree (RPT). (S, G, RPT) (S, G, RPT) refers to an entry in the RP tree. First hop router (FHR) The FHR is the router that is directly connected to the multicast source.
You must enable PIM-SM on each of the participating interfaces. Be sure to have multicast routing enabled on the system. To do this, use the ip multicast-routing command from CONFIGURATION mode.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip pim sparse-mode

PIM-SSM
PIM-SSM uses source-based trees. A separate multicast distribution tree is built for each multicast source that sends data to a multicast group.
You can use the show ip pim ssm-range command to view the groups added in PIM-SSM configuration.
OS10# show ip pim ssm-range
Group Address / MaskLen
236.0.0.0 / 8

Configure expiry timers for S, G entries
You can configure expiry timers for S, G entries globally. The S, G entries expire in 210 seconds by default.
To view the RP for a multicast group range, use the show ip pim rp mapping command.
OS10# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 230.1.1.1/32
RP:14.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 255
expires: 00:01:53
Group(s): 231.1.1.1/32
RP: 9.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 254
expires: 00:01:54

Configure dynamic RP using the BSR mechanism
You can configure a subset of PIM routers within the domain as candidate BSRs (C-BSRs).
To configure dynamic RP using the BSR mechanism:
1. Configure a candidate BSR using the ip pim bsr-candidate command.
OS10# configure terminal
OS10(config)# interface ethernet 1/1/9
OS10(conf-if-eth1/1/9)# ip address 10.1.1.8/24
OS10(conf-if-eth1/1/9)# no shutdown
OS10(conf-if-eth1/1/9)# exit
OS10(config)# ip pim bsr-candidate ethernet 1/1/9 hash-mask-len 31 priority 255
To view the PIM candidate and elected BSR:
OS10# show ip pim bsr-router
This system is the Bootstrap Router (v2)
BSR address: 10.1.1.
To view RP-mapping details:
OS10# show ip pim rp mapping
Group(s) : 225.1.1.0/24
RP : 10.1.2.8, v2
Info source: 10.1.1.8, via bootstrap, priority 0
expires: 00:00:00
4. (Optional) Configure the RP timers.
OS10(config)# ip pim rp-candidate-timers loopback 10 advt-interval 10 hold-time 25
To view candidate RP details:
OS10# show ip pim bsr-router
This system is the Bootstrap Router (v2)
BSR address: 10.1.1.
Usage Information
When you run this command on a node, it deletes:
● All the multicast routes from the PIM tree information base (TIB)
● The entire multicast route table and all the entries in the data plane
With VLT multicast routing, when you run this command on a local VLT node, it deletes:
● All the multicast routes from the local PIM TIB
● All the local mroute entries in the data plane
● The synchronized mroute entries from the VLT peer node
Example
OS10# clear ip pim vrf vrf1 tib
Supported Releases
Example
OS10# configure terminal
OS10(config)# ip pim vrf red bsr-candidate loopback 10 hash-mask-len 31 priority 11
Supported Releases 10.5.0 or later

ip pim bsr-candidate-timers
Configures the time interval between candidate BSR advertisements.
ip pim dr-priority
Changes the designated router (DR) priority for the interface.
Syntax ip pim dr-priority priority-value
Parameters priority-value—Enter a number from 0 to 4294967295.
Default 1
Command Mode INTERFACE CONFIGURATION
Usage Information The router with the highest value assigned to an interface becomes the DR. If two interfaces have the same DR priority value, the interface with the highest IP address becomes the DR.
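Added example (not from the Dell guide): the DR election rule stated above, applied to a neighbor table so that the elected DR can be compared with the router you intended to hold that role. The sample table is constructed in the column layout this guide shows for show ip pim neighbor; the local and intended maps and all function names are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, laid out like the guide's `show ip pim neighbor` output.
NEIGHBOR_SAMPLE = """\
Neighbor Address  Interface  Uptime/Expires     Ver  DR Priority / Mode
-----------------------------------------------------------------------
192.0.2.4         vlan2001   00:22:47/00:01:22  v2   4294967295 / DR S
192.0.2.3         vlan2001   00:20:22/00:01:22  v2   4294967290 / S
192.0.2.1         vlan2001   00:21:07/00:01:23  v2   1 / S
198.51.100.2      vlan1301   00:20:24/00:01:20  v2   1 / S
198.51.100.4      vlan1301   00:21:09/00:01:20  v2   1 / DR S
"""

ROW = re.compile(
    r"^(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+\S+\s+v\d\s+"
    r"(?P<prio>\d+)\s*/\s*(?P<dr>DR\s+)?\S+\s*$"
)


def parse_neighbors(text):
    """Return {interface: [(address, priority, flagged_as_dr), ...]}."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[m["intf"]].append((m["addr"], int(m["prio"]), bool(m["dr"])))
    return dict(table)


def elect_dr(candidates):
    """candidates: (address, priority) pairs on one interface.

    Highest priority wins; equal priorities fall back to the highest
    IP address, compared numerically rather than as strings.
    """
    return max(candidates, key=lambda c: (c[1], ipaddress.IPv4Address(c[0])))[0]


def audit(text, local, intended):
    """Compare the DR the rule predicts with the table and with intent.

    local:    {interface: (this router's address, its DR priority)}
    intended: {interface: address that is supposed to be the DR}
    Returns a list of (interface, kind, elected, other) findings.
    """
    findings = []
    for intf, rows in sorted(parse_neighbors(text).items()):
        candidates = [(addr, prio) for addr, prio, _ in rows]
        if intf in local:
            candidates.append(local[intf])
        elected = elect_dr(candidates)
        flagged = [addr for addr, _, is_dr in rows if is_dr]
        # When no neighbor carries the DR flag, this router is the DR.
        shown = flagged[0] if flagged else local.get(intf, (None,))[0]
        if elected != shown:
            findings.append((intf, "rule-mismatch", elected, shown))
        if intf in intended and elected != intended[intf]:
            findings.append((intf, "unintended-dr", elected, intended[intf]))
    return findings


if __name__ == "__main__":
    local = {"vlan2001": ("192.0.2.2", 1), "vlan1301": ("198.51.100.1", 1)}
    intended = {"vlan2001": "192.0.2.4", "vlan1301": "198.51.100.1"}
    for finding in audit(NEIGHBOR_SAMPLE, local, intended):
        print(finding)
```

On vlan1301 all three routers keep the default priority of 1, so the highest address wins the election even though the operator intended a different router.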
Usage Information First hop routers use this address to send register packets on behalf of the source multicast hosts. The RP addresses are stored in the order in which they are entered. The RP is chosen based on a longer prefix match for a group. You can specify the range of group addresses for which a given node is configured as an RP. The RP selection does not depend on static or dynamic RP assignments.
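Added example (not from the Dell guide): longest-prefix selection of the RP for a group, computed from static rp-address lines in the syntax this guide uses. The configuration lines are constructed, the function names are assumptions, and when several RPs match with the same prefix length the example returns all of them rather than choosing one.

```python
import ipaddress
import re

# Matches "ip pim [vrf NAME] rp-address A.B.C.D group-address G/len".
RP_LINE = re.compile(
    r"ip pim (?:vrf (?P<vrf>\S+) )?rp-address (?P<rp>\S+) "
    r"group-address (?P<range>\S+)"
)

# Constructed configuration lines (documentation address ranges for the RPs).
RP_CONFIG_SAMPLE = """\
ip pim rp-address 198.51.100.1 group-address 224.0.0.0/4
ip pim rp-address 198.51.100.2 group-address 225.1.0.0/16
ip pim rp-address 198.51.100.3 group-address 225.1.1.0/24
ip pim vrf red rp-address 203.0.113.9 group-address 224.0.0.0/4
"""


def parse_rp_config(text):
    """Return [(vrf, rp_address, group_network), ...] in configuration order."""
    entries = []
    for line in text.splitlines():
        m = RP_LINE.search(line)
        if m:
            entries.append((
                m["vrf"] or "default",
                ipaddress.ip_address(m["rp"]),
                ipaddress.ip_network(m["range"]),
            ))
    return entries


def rps_for_group(entries, group, vrf="default"):
    """Return the RP address(es) whose group range is the longest match."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    matches = [
        (net.prefixlen, rp)
        for entry_vrf, rp, net in entries
        if entry_vrf == vrf and addr in net
    ]
    if not matches:
        return []
    longest = max(prefixlen for prefixlen, _ in matches)
    return [str(rp) for prefixlen, rp in matches if prefixlen == longest]


if __name__ == "__main__":
    entries = parse_rp_config(RP_CONFIG_SAMPLE)
    for group in ("225.1.1.7", "225.1.2.7", "239.1.1.1"):
        print(group, rps_for_group(entries, group))
    print("vrf red 225.1.1.7", rps_for_group(entries, "225.1.1.7", vrf="red"))
```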
ip pim rp-candidate-timers Configures the time interval between periodic candidate RP advertisements.
ip pim sparse-mode sg-expiry-timer
Enables expiry timers globally for all sources.
Syntax ip pim [vrf vrf-name] sparse-mode sg-expiry-timer seconds
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● seconds—Enter the number of seconds the S, G entries are retained. The range is from 211 to 65535 seconds.
Default 210 seconds
Command Mode CONFIGURATION
Usage Information This command configures the expiry timers for all S, G entries.
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:24
This system is a candidate BSR
Candidate BSR address: 104.0.0.1, priority: 99, hash mask length: 31
Next Cand_RP_advertisement in 00:00:15
RP: 104.0.0.1(loopback101)
Supported Releases 10.5.0 or later

show ip pim interface
Displays information about IP PIM-enabled interfaces.
Syntax show ip pim [vrf vrf-name] interface
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
(*, 225.1.1.1), flags: S
Incoming interface: Vlan 502
outgoing interface list:
Vlan 2002 (S)
(2.2.2.2, 225.1.1.1), flags: S
Incoming interface: Vlan 501
outgoing interface list:
Vlan 1000, Vlan 2003 (S)
OS10# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan105
Outgoing interface list : vlan121
(101.1.1.10,225.1.1.1)
Incoming interface : vlan103
Outgoing interface list : vlan121
Supported Releases 10.4.3.0 or later

show ip pim neighbor
Displays PIM neighbors.
● group-address—Enter the multicast group address mask in dotted-decimal format to view the RP for a specific group (A.B.C.D).
Default None
Command Mode EXEC
Usage Information None
Examples
OS10# show ip pim rp
Group RP
--------------------------------
225.1.1.1 171.1.1.1
225.1.1.2 171.1.1.1
225.1.1.3 171.1.1.1
225.1.1.4 171.1.1.1
225.1.1.5 171.1.1.1
225.1.1.6 171.1.1.1
225.1.1.7 171.1.1.1
225.1.1.8 171.1.1.1
225.1.1.9 171.1.1.1
225.1.1.10 171.1.1.1
225.1.1.11 171.1.1.1
225.1.1.12 171.1.1.1
225.1.1.

show ip pim summary
Displays PIM summary.
Syntax show ip pim [vrf vrf-name] summary
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Usage Information Example This command displays the following:
● S, G—Displays the entry in the multicast PIM database
● uptime—Displays the amount of time the entry has been in the PIM route table
● expires—Displays the amount of time until the entry expires and is removed from the database
● RP—Displays the IP address of the RP or source for the entry
● Incoming interface—Displays the reverse path forwarding (RPF) interface towards the RP/source
● RPF neighbor—Displays the next hop IP address from this
Supported Releases 10.4.3.0 or later

PIM-SM sample configuration
This section describes how to enable PIM-SM in the FHR, RP, and LHR nodes using the topology shown in the following illustration. To enable PIM-SM, perform the following configurations on each of the nodes (FHR, RP, and LHR):
● Enable multicast routing on all the nodes using the ip multicast-routing command.
● Enable PIM-SM on all the required Layer 3 interfaces of the nodes using the ip pim sparse-mode command.
FHR(config)#
FHR# configure terminal
FHR(config)# interface ethernet 1/1/48
FHR(conf-if-eth1/1/48)# no switchport
FHR(conf-if-eth1/1/48)# ip address 22.1.1.2/24
FHR(conf-if-eth1/1/48)# ip pim sparse-mode
FHR(conf-if-eth1/1/48)# ip ospf 1 area 0
FHR(conf-if-eth1/1/48)#
The show ip pim interface command displays the PIM-enabled interfaces in FHR.
--------------------------------------------------------------------------------------------------
3.3.3.1 ethernet1/1/31 v2/S 1 30 1 3.3.3.2
1.1.1.2 ethernet1/1/43 v2/S 1 30 1 1.1.1.2
RP#
The show ip pim neighbor command displays the PIM neighbor of RP and the interface to reach the neighbor.
RP# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority/Mode
----------------------------------------------------------------------------------------------
3.3.3.
2.2.2.2 ethernet1/1/17 00:02:58/00:01:24 v2 1 / DR S
1.1.1.2 ethernet1/1/29 00:07:49/00:01:31 v2 1 / DR S
LHR# show ip pim rp mapping
Group(s) : 224.0.0.0/4, Static
RP : 192.168.1.25, v2
The following show command output examples display the PIM states across all nodes after IGMP join and multicast traffic is received.

PIM states in FHR node
The show ip pim tib command output displays the PIM tree information base (TIB).
00:01:59 LHR# 15.1.1.10
LHR# show ip pim tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 224.1.1.1), uptime 00:00:05, expires 00:00:54, RP 192.168.1.25, flags: SCJ
Incoming interface: ethernet1/1/29, RPF neighbor 1.1.1.2
Outgoing interface list:
vlan2001 Forward/Sparse 00:00:05/Never
(22.1.1.10, 224.1.1.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-if-eth1/1/40:1)# end
R2# configure terminal
R2(config)# interface port-channel 11
R2(conf-if-po-11)# no switchport
R2(conf-if-po-11)# ip vrf forwarding red
R2(conf-if-po-11)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/26:1
R2(conf-if-eth1/1/26:1)# no ip vrf forwarding
R2(conf-if-eth1/1/26:1)# no switchport
R2(conf-if-eth1/1/26:1)# channel-group 11
R2(conf-if-eth1/1/26:1)# end
R2# configure terminal
R2(config)# interface vlan 2001
R2(conf-if-vl-2001)# ip vrf forwarding red
R2(conf-
--------------------------------------------------------------------------
193.1.1.2 port-channel11 02:34:33/00:01:17 v2 1 / DR S
The show ip pim vrf red ssm-range command displays the specified multicast address range.
R1# show ip pim vrf red ssm-range
Group Address / MaskLen
224.1.1.0 / 24
The show ip pim vrf red tib command output displays the PIM tree information base (TIB).
The show ip pim vrf red ssm-range command displays the specified multicast address range.
R2# show ip pim vrf red ssm-range
Group Address / MaskLen
224.1.1.0 / 24
The show ip pim vrf red mcache command output displays multicast route entries.
R2# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.
Multicast VRF sample configuration This section describes how to configure IPv4 multicast in a non-default VRF instance using the topology shown in the following illustration. Perform the following configuration on each of the nodes, R1, R2, R3, and R4.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-vrf)# end
R2# configure terminal
R2(config)# interface vlan 1001
R2(conf-if-vl-1001)# ip vrf forwarding red
R2(conf-if-vl-1001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/21:4
R2(conf-if-eth1/1/21:4)# switchport mode trunk
R2(conf-if-eth1/1/21:4)# switchport trunk allowed vlan 1001
R2(conf-if-eth1/1/21:4)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/12:1
R2(conf-if-eth1/1/12:1)# no switchport
R2(conf-if-eth1/1/12:1)# ip vrf forwarding red
R2(conf-if-eth1/1/12:1)
R3(conf-if-eth1/1/12)# switchport trunk allowed vlan 1001
R3(conf-if-eth1/1/12)# end
R3# configure terminal
R3(config)# interface port-channel 12
R3(conf-if-po-12)# no switchport
R3(conf-if-po-12)# ip vrf forwarding red
R3(conf-if-po-12)# end
R3# configure terminal
R3(config)# interface ethernet 1/1/5
R3(conf-if-eth1/1/5)# no ip vrf forwarding
R3(conf-if-eth1/1/5)# no switchport
R3(conf-if-eth1/1/5)# channel-group 12
R3(conf-if-eth1/1/5)# end
R3# configure terminal
R3(config)# interface vlan 1001
R3(conf-if
R3(config)# ip pim vrf red rp-address 182.190.168.224 group-address 224.0.0.
R4(conf-if-po-12)# end
R4# configure terminal
R4(config)# interface Lo0
R4(conf-if-lo-0)# ip vrf forwarding red
R4(conf-if-lo-0)# ip address 4.4.4.
--------------------------------
224.1.1.1 182.190.168.224
R1# show ip pim vrf red rp mapping
Group(s) : 224.0.0.0/4, Static
RP : 182.190.168.224, v2
R1# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
Incoming interface : ethernet1/1/7
Outgoing interface list : port-channel11

Rendezvous point (R3)
R3# show ip pim vrf red neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
---------------------------------------------------------------------------
192.
--------------------------------
224.1.1.1 182.190.168.224
R3# show ip pim vrf red tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 224.1.1.1), uptime 00:04:41, expires 00:00:00, RP 182.190.168.224, flags: S
Incoming interface: Null, RPF neighbor 0.0.0.
(*, 224.1.1.1), uptime 00:05:44, expires 00:00:15, RP 182.190.168.224, flags: SCJ
Incoming interface: port-channel12, RPF neighbor 194.1.1.1
Outgoing interface list:
vlan2001 Forward/Sparse 00:05:44/Never
(201.1.1.1, 224.1.1.1), uptime 00:02:58, expires 00:00:31, flags: CT
Incoming interface: port-channel11, RPF neighbor 193.1.1.1
Outgoing interface list:
vlan2001 Forward/Sparse 00:02:58/Never
R4# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(*, 224.1.1.
● Provides traffic resiliency in the event of a VLT node failure. The traffic is forwarded until the PIM protocol reconverges and builds a new tree.

IGMP message synchronization
VLT nodes use the VLTi link to synchronize IGMP messages across their peers. Any IGMP join message that is received on one of the VLT nodes synchronizes with the peer node. Therefore, the IGMP tables are identical in a VLT domain.
Sample configuration on core:
core# configure terminal
core(config)# ip multicast-routing
core(config)# ip pim rp-address 103.0.0.3 group-address 224.0.0.0/4
core(config)# router ospf 100
core(config-router-ospf-100)# exit
core(config)# interface ethernet 1/1/32:1
core(conf-if-eth1/1/32:1)# no shutdown
core(conf-if-eth1/1/32:1)# no switchport
core(conf-if-eth1/1/32:1)# ip address 16.0.0.
12.0.0.1 vlan12 00:01:06/00:01:43 v2 10 / S
12.0.0.2 vlan12 00:01:03/00:01:42 v2 10 / S

PIM states in core
The output of the show ip pim tib command.
core# show ip pim tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.1.1), uptime 00:04:16, expires 00:00:00, RP 103.0.0.
AG1(config)# interface ethernet 1/1/32:1
AG1(conf-if-eth1/1/32:1)# no shutdown
AG1(conf-if-eth1/1/32:1)# no switchport
AG1(conf-if-eth1/1/32:1)# ip address 16.0.0.1/24
AG1(conf-if-eth1/1/32:1)# flowcontrol receive off
AG1(conf-if-eth1/1/32:1)# ip pim sparse-mode
AG1(conf-if-eth1/1/32:1)# ip ospf 100 area 0.0.0.0
AG1(conf-if-eth1/1/32:1)# exit
AG1(config)# interface vlan 11
AG1(conf-if-vlan-11)# no shutdown
AG1(conf-if-vlan-11)# ip address 11.0.0.
The show ip igmp groups command output displays the IGMP database.
AG1# show ip igmp groups
Total Number of Groups: 1
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires Last Reporter
225.1.1.1 vlan11 Exclude 00:01:55 00:01:53 0.0.0.0
The show ip pim tib command output displays the PIM tree information base (TIB).
The show ip pim mcache command displays the multicast route entries.
AG1# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list : vlan11
(16.0.0.10, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list : vlan11
The show ip pim mcache vlt command displays multicast route entries.
AG1# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.
AG2(conf-if-vlan-12)# ip ospf 100 area 0.0.0.0
AG2(conf-if-vlan-12)# exit
AG2(config)# interface vlan 13
AG2(conf-if-vlan-13)# no shutdown
AG2(conf-if-vlan-13)# ip address 13.0.0.2/24
AG2(conf-if-vlan-13)# ip pim sparse-mode
AG2(conf-if-vlan-13)# ip pim dr-priority 1000
AG2(conf-if-vlan-13)# ip ospf 100 area 0.0.0.0
AG2(conf-if-vlan-13)# ip ospf cost 4000
AG2(conf-if-vlan-13)# exit
AG2(config)# interface loopback 102
AG2(conf-if-lo-102)# no shutdown
AG2(conf-if-lo-102)# ip address 102.0.0.
Outgoing interface list:
vlan11 Forward/Sparse 00:02:15/Never
The show ip pim mcache command output displays multicast route entries.
AG2# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list : vlan11
AG2# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.
Sample configuration on TOR:
TOR# configure terminal
TOR(config)# ip igmp snooping enable
TOR(config)# interface vlan 11
TOR(conf-if-vlan-11)# no shutdown
TOR(conf-if-vlan-11)# exit
TOR(config)# interface port-channel 11
TOR(conf-if-po-11)# no shutdown
TOR(conf-if-po-11)# switchport mode trunk
TOR(conf-if-po-11)# switchport access vlan 1
TOR(conf-if-po-11)# switchport trunk allowed vlan 11
TOR(conf-if-po-11)# exit
TOR(config)# interface ethernet 1/1/32:1
TOR(conf-if-eth1/1/32:1)# no shutdown
TOR(conf-if-eth
● CR1, CR2, AG1, AG2, AG3, and AG4 are multicast routers.
● CR1 and CR2 are the BSR and RP nodes.
● TR1 and TR2 are IGMP-enabled L2 nodes.
● OSPFv2 is the unicast routing protocol.

CR1 switch
1. Configure RSTP.
CR1(config)# spanning-tree disable
2. Configure the VLT domain.
CR1(conf-vlt-128)# backup destination 10.222.208.160
CR1(conf-vlt-128)# discovery-interface ethernet1/1/27:2
CR1(conf-vlt-128)# peer-routing
CR1(conf-vlt-128)# primary-priority 1
CR1(conf-vlt-128)# vlt-mac 9a:00:00:aa:aa:aa
3. Configure a port channel interface towards AG1 and AG2.
● VLAN 1001 towards AG1 and AG2
CR1(config)# interface vlan 1001
CR1(conf-if-vl-1001)# ip address 10.1.2.5/24
CR1(conf-if-vl-1001)# ip ospf 1 area 0.0.0.0
CR1(conf-if-vl-1001)# ip pim sparse-mode
CR1(conf-if-vl-1001)# ip igmp snooping mrouter interface port-channel11
● VLAN 1101 towards AG3
CR1(config)# interface vlan 1101
CR1(conf-if-vl-1101)# ip address 10.1.3.5/24
CR1(conf-if-vl-1101)# ip ospf 1 area 0.0.0.
3. Configure a port channel interface towards AG1 and AG2.
CR2(config)# interface port-channel 11
CR2(config)# interface ethernet 1/1/1:1
CR2(conf-if-eth1/1/1:1)# channel-group 11 mode active
CR2(config)# interface ethernet 1/1/9:1
CR2(conf-if-eth1/1/9:1)# channel-group 11 mode active
CR2(config)# interface port-channel 11
CR2(conf-if-po-11)# vlt-port-channel 11
4. Configure a port channel interface towards AG3.
CR2(conf-if-vl-1001)# ip pim sparse-mode
CR2(conf-if-vl-1001)# ip igmp snooping mrouter interface port-channel11
● VLAN 1151 towards AG3
CR2(config)# interface vlan 1151
CR2(conf-if-vl-1151)# ip address 10.110.1.5/24
CR2(conf-if-vl-1151)# ip ospf 1 area 0.0.0.0
CR2(conf-if-vl-1151)# ip pim sparse-mode
CR2(conf-if-vl-1151)# ip ospf cost 65535
CR2(conf-if-vl-1151)# ip igmp snooping mrouter interface port-channel22
● VLAN 1251 towards AG4
CR2(config)# interface vlan 1251
CR2(conf-if-vl-1251)# ip address 10.192.
AG1(conf-if-eth1/1/1:1)# channel-group 11 mode active
AG1(config)# interface ethernet 1/1/3:1
AG1(conf-if-eth1/1/3:1)# channel-group 11 mode active
AG1(config)# interface port-channel 11
AG1(conf-if-po-11)# vlt-port-channel 11
AG1(conf-if-po-11)# spanning-tree disable
4. Configure a port channel interface towards AG3 and AG4.
10. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
AG2(config)# interface ethernet 1/1/17:1
AG2(conf-if-eth1/1/17:1)# channel-group 41 mode active
6. Configure Loopback interface and enable PIM-SM.
AG2(config)# interface loopback 1
AG2(conf-if-lo-1)# ip address 10.1.100.2/32
AG2(conf-if-lo-1)# ip pim sparse-mode
7. Enable multicast routing on the default VRF.
AG2(config)# ip multicast-routing
8. Configure OSPF for unicast routing.

AG3 switch
1. Configure RSTP.
AG3(config)# spanning-tree mode rstp
AG3(config)# spanning-tree rstp priority 8192
2. Configure the VLT domain.
AG3(config)# interface ethernet 1/1/25:1
AG3(conf-if-eth1/1/25:1)# no switchport
AG3(config)# vlt-domain 1
AG3(conf-vlt-255)# backup destination 10.222.208.39
AG3(conf-vlt-255)# discovery-interface ethernet1/1/25:1
AG3(conf-vlt-255)# peer-routing
AG3(conf-vlt-255)# primary-priority 1
AG3(conf-vlt-255)# vlt-mac f0:ce:10:f0:ce:10
3.
AG3(conf-if-vl-1101)# ip pim sparse-mode
AG3(conf-if-vl-1101)# ip igmp snooping mrouter interface port-channel21
● VLAN 1151 towards CR2
AG3(config)# interface vlan 1151
AG3(conf-if-vl-1151)# ip address 10.110.1.3/24
AG3(conf-if-vl-1151)# ip ospf 1 area 0.0.0.0
AG3(conf-if-vl-1151)# ip pim sparse-mode
AG3(conf-if-vl-1151)# ip igmp snooping mrouter interface port-channel22
● VLAN 1301 towards AG1 and AG2
AG3(config)# interface vlan 1301
AG3(conf-if-vl-1301)# ip address 10.112.1.
AG4(conf-vlt-255)# peer-routing
AG4(conf-vlt-255)# primary-priority 65535
AG4(conf-vlt-255)# vlt-mac f0:ce:10:f0:ce:10
3. Configure a port channel interface towards CR1.
AG4(config)# interface port-channel 31
AG4(config)# interface ethernet 1/1/1:1
AG4(conf-if-eth1/1/1:1)# channel-group 31 mode active
4. Configure a port channel interface towards CR2.
AG4(config)# interface port-channel 32
AG4(config)# interface ethernet 1/1/4:1
AG4(conf-if-eth1/1/4:1)# channel-group 32 mode active
5.
AG4(conf-if-vl-1301)# ip pim sparse-mode
AG4(conf-if-vl-1301)# ip igmp snooping mrouter interface port-channel1
● VLAN 2001 towards TR2
AG4(config)# interface vlan 2001
AG4(conf-if-vl-2001)# ip address 192.168.1.4/24
AG4(conf-if-vl-2001)# ip pim sparse-mode
AG4(conf-if-vl-2001)# ip igmp snooping mrouter interface port-channel1
10. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
TR1(conf-if-eth1/1/31)# switchport trunk allowed vlan 2001
TR1(conf-if-eth1/1/31)# spanning-tree port type edge
TR1(config)# interface ethernet 1/1/32
TR1(conf-if-eth1/1/32)# switchport mode trunk
TR1(conf-if-eth1/1/32)# switchport trunk allowed vlan 2001
TR1(conf-if-eth1/1/32)# spanning-tree port type edge

TR2 switch
1. Configure RSTP.
TR2(config)# spanning-tree mode rstp
2. Configure a port channel interface towards AG3.
The show ip pim neighbor command displays the PIM neighbor of the node and the interface to reach the neighbor.
CR1# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
-------------------------------------------------------------------------------------
10.1.1.6 vlan100 00:24:19/00:01:25 v2 4294967295 / DR S
10.1.3.3 vlan1101 00:20:28/00:01:18 v2 1 / S
10.1.4.4 vlan1201 00:18:21/00:01:24 v2 1 / S
10.1.2.1 vlan1001 00:22:12/00:01:36 v2 1 / S
10.1.2.
(172.16.1.201, 225.1.0.0), uptime 01:24:45, expires 00:02:46, flags: CTP
Incoming interface: vlan100, RPF neighbor 0.0.0.0
Outgoing interface list:
The show ip pim mcache command displays the multicast route entries.
CR1# show ip pim mcache
PIM Multicast Routing Cache Table
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list : vlan1
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list : vlan1
(172.16.1.201, 225.1.0.
--------------------------------
225.1.0.0 10.1.100.6
CR1# show ip pim rp mapping
Group(s) : 225.0.0.0/8
RP : 10.1.100.5, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:00:56
Group(s) : 225.0.0.0/8
RP : 10.1.100.6, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:01:07
The show ip igmp snooping groups command displays the IGMP database.
CR1# show ip igmp snooping groups
Total Number of Groups: 320
CR1# show ip igmp snooping groups vlan 1 225.1.0.
TIB Summary:
20/20 (*,G) entries in PIM-TIB/MFC
39/39 (S,G) entries in PIM-TIB/MFC
39/0 (S,G,Rpt) entries in PIM-TIB/MFC
2 RP
3 sources
16 Register states
Message Summary:
208/885 Joins/Prunes sent/received
60/0 Candidate-RP advertisements sent/received
310/405 BSR messages sent/received
205 Null Register messages received
268/181 Register-stop messages sent/received
Data path event summary:
11 last-hop switchover messages received
28/28 pim-assert messages sent/received
186/79 register messages sent/receiv
Outgoing interface list : vlan1
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list : vlan1
(172.16.1.201, 225.1.0.0)
Incoming interface : vlan1
Outgoing interface list : vlan1001 vlan1251
The show ip pim mcache vlt command displays the multicast route entries synchronized between the VLT peers.
CR2# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list : vlan1
(192.168.1.
The show ip igmp snooping groups command displays the IGMP database.
CR2# show ip igmp snooping groups
Total Number of Groups: 320
CR2# show ip igmp snooping groups vlan 1 225.1.0.0 detail
Interface vlan1
Group 225.1.0.0
Source List
-
Member Port Mode Uptime Expires
port-channel1000 IGMPv2-Compat 01:57:20 00:01:39
ethernet1/1/28:4 IGMPv2-Compat 01:57:31 00:01:39

AG1
The show ip pim interface command displays the PIM-enabled interfaces on the node.
0/459 Register-stop messages sent/received
Data path event summary:
20 last-hop switchover messages received
23/159 pim-assert messages sent/received
499/0 register messages sent/received
VLT Multicast summary:
0(*,G) synced entries in MFC
0(S,G) synced entries in MFC
0(S,G,Rpt) synced entries in MFC
The show ip pim tib command displays the PIM tree information base (TIB).
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list : vlan1001 vlan2002 vlan2003 vlan2004 vlan2005
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list : vlan1001 vlan2002 vlan2003 vlan2004 vlan2005
(172.16.1.201, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list : vlan2002 vlan2003 vlan2004 vlan2005
The show ip pim mcache vlt command displays the multicast route entries synchronized between the VLT peers.
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:23
The show ip pim rp mapping command displays information about all multicast group-to-RP mappings.
AG1# show ip pim rp
Group RP
--------------------------------
225.1.0.0 10.1.100.6
AG1# show ip pim rp mapping
Group(s) : 225.0.0.0/8
RP : 10.1.100.5, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:00:45
Group(s) : 225.0.0.0/8
RP : 10.1.100.6, v2
Info source: 10.1.100.
The show ip pim summary command displays the PIM summary.
The show ip pim mcache command displays the multicast route entries.
AG2# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.0.0)
Incoming interface : vlan1001
Outgoing interface list : vlan2002 vlan2003 vlan2004 vlan2005
(192.168.1.201, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list : vlan1001 vlan2002 vlan2003 vlan2004 vlan2005
(192.168.1.202, 225.1.0.0)
Incoming interface : vlan2001
Outgoing interface list : vlan1001 vlan2002 vlan2003 vlan2004 vlan2005
(172.16.1.201, 225.1.
Incoming interface : vlan1001
Outgoing interface list : vlan2002 (S) vlan2003 (S) vlan2004 (S) vlan2005 (S)
The show ip pim bsr-router command displays information about the BSR.
AG2# show ip pim bsr-router
PIMv2 Bootstrap information
BSR address: 10.1.100.5
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:26
The show ip pim rp mapping command displays information about all multicast group-to-RP mappings.
AG2# show ip pim rp
Group RP
--------------------------------
225.1.0.0 10.1.100.
-----------------------------------------------------------------------10.112.1.1 vlan1301 00:22:45/00:01:24 v2 1 / S 10.112.1.2 vlan1301 00:20:24/00:01:20 v2 1 / S 10.112.1.4 vlan1301 00:21:09/00:01:20 v2 1 / DR S 192.168.1.4 vlan2001 00:22:47/00:01:22 v2 4294967295 / DR S 192.168.1.3 vlan2001 00:20:22/00:01:22 v2 4294967290 / S 192.168.1.1 vlan2001 00:21:07/00:01:23 v2 1 / S 10.110.1.5 vlan1151 00:22:58/00:01:16 v2 1 / DR S 10.1.3.
(192.168.1.201, 225.1.0.0), uptime 01:26:40, expires 00:00:52, flags: CTP Incoming interface: vlan2001, RPF neighbor 0.0.0.0 Outgoing interface list: (192.168.1.202, 225.1.0.0), uptime 01:26:40, expires 00:00:52, flags: CTP Incoming interface: vlan2001, RPF neighbor 0.0.0.0 Outgoing interface list: The show ip pim mcache command displays the multicast route entries. AG3# show ip pim mcache PIM Multicast Routing Cache Table (192.168.1.201, 225.1.0.
AG4 The show ip pim interface command displays the PIM-enabled interfaces on the node. AG4# show ip pim interface Address Interface Ver/Mode Nbr Count Query Intvl DR Prio DR -----------------------------------------------------------------------------10.1.4.4 vlan1201 v2/S 1 30 1 10.1.4.5 10.112.1.4 vlan1301 v2/S 3 30 1 10.112.1.4 192.168.1.1 vlan2001 v2/S 3 30 1 192.168.1.4 10.192.168.4 vlan1251 v2/S 1 30 1 10.192.168.
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.0.0), uptime 01:40:17, expires 00:00:58, RP 10.1.100.6, flags: SCJ
Incoming interface: vlan1251, RPF neighbor 10.192.168.
--------------------------------
225.1.0.0 10.1.100.6
AG4# show ip pim rp mapping
Group(s) : 225.0.0.0/8
RP : 10.1.100.5, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:01:02
Group(s) : 225.0.0.0/8
RP : 10.1.100.6, v2
Info source: 10.1.100.5, via bootstrap, priority 100
expires: 00:00:43
The show ip igmp snooping groups command displays the IGMP database.
AG4# show ip igmp snooping groups
Total Number of Groups: 1600
AG4# show ip igmp snooping groups vlan 2001 225.1.0.
225.1.0.2 vlan2001 IGMPv2-Compat 00:01:36
Member-ports :ethernet1/1/21,ethernet1/1/22
<>

VLT multicast routing commands

show vlt inconsistency ip mcache
Displays information about mismatched IIF routes between the local and peer VLT nodes.
Syntax show vlt inconsistency ip mcache [vrf vrf-name]
Parameters vrf vrf-name—(Optional) Enter the keyword then the name of the VRF to display information about mismatched IIF routes corresponding to that non-default VRF.
Supported Releases 10.5.
15 VXLAN
A virtual extensible LAN (VXLAN) extends Layer 2 (L2) server connectivity over an underlying Layer 3 (L3) transport network in a virtualized data center. A virtualized data center consists of virtual machines (VMs) in a multi-tenant environment. OS10 supports VXLAN as described in RFC 7348. VXLAN provides an L2 overlay mechanism on an existing L3 network by encapsulating the L2 frames in L3 packets.

Configuration notes
All Dell EMC PowerSwitches except MX-Series, S4200-Series, S5200 Series, and Z9332F-ON: In a static VXLAN, overlay routing is supported on:
● S4100-ON Series
● S4200-ON Series
● S5200-ON Series
● S4048T-ON
● S6010-ON

VXLAN concepts
Network virtualization overlay (NVO)
    An overlay network extends L2 connectivity between server virtual machines (VMs) in a tenant segment over an underlay L3 IP network.
Port-scoped VLAN
    A Port,VLAN pair that maps to a virtual network ID (VNID) in OS10. Assign an individual member interface to a virtual network either with an associated tagged VLAN or as an untagged member. Using a port-scoped VLAN, you can configure:
    ● The same VLAN ID on different access interfaces to different virtual networks.
    ● Different VLAN IDs on different access interfaces to the same virtual network.
3. Return to CONFIGURATION mode. exit 4. Enter NVE mode from CONFIGURATION mode. NVE mode allows you to configure the VXLAN tunnel endpoint on the switch. nve 5. Configure the Loopback interface as the source tunnel endpoint for all virtual networks on the switch in NVE mode. source-interface loopback number 6. Return to CONFIGURATION mode. exit Configure a VXLAN virtual network To create a VXLAN, assign a VXLAN segment ID (VNI) to a virtual network ID (VNID) and configure a remote VTEP.
2. Configure port interfaces as trunk members of the VLAN in Interface mode. interface ethernet node/slot/port[:subport] switchport mode trunk switchport trunk allowed-vlan vlan-id exit The local physical ports assigned to the VLAN transmit packets over the virtual network. NOTE: A switch-scoped VLAN assigned to a virtual network cannot have a configured IP address and cannot participate in L3 routing; for example: OS10(config)# interface vlan 102 OS10(conf-if-vlan-102)# ip address 1.1.1.
2. Configure port interfaces as trunk members and remove the access VLAN in Interface mode.
interface ethernet node/slot/port[:subport]
switchport mode trunk
no switchport access vlan
exit
3. Assign the trunk interfaces as untagged members of the virtual network in VIRTUAL-NETWORK mode. You cannot use the reserved VLAN ID for a legacy VLAN or for tagged traffic on member interfaces of virtual networks.
no shutdown exit 4. Configure an anycast gateway IPv4 or IPv6 address for each virtual network in INTERFACE-VIRTUAL-NETWORK mode. This anycast IP address must be in the same subnet as the IP address of the virtual-network interface in Step 3. Configure the same IPv4 or IPv6 address as the anycast IP address on all VTEPs in a virtual network. All hosts use the anycast gateway IP address as the default gateway IP address in the subnet that connects to the virtual-network interface configured in Step 3.
Table 41. MAC address for all VTEPs (continued) Virtual network VTEP Anycast gateway MAC address VTEP 3 00.11.22.33.44.55 ● Configure a unique IP address on the virtual-network interface on each VTEP across all virtual networks. Configure the same anycast gateway IP address on all VTEPs in a virtual-network subnet. For example: Table 42. IP address on the virtual-network interface on each VTEP Virtual network VTEP Virtual-network IP address Anycast gateway IP address VNID 11 VTEP 1 10.10.1.
● If you use a port-scoped VLAN to assign tagged access interfaces to a virtual network, to identify traffic belonging to each virtual network, you must configure a unique VLAN ID for the VLT Interconnect (VLTi) link. ● Configure a VLAN to transmit VXLAN traffic over the VLTi link in VIRTUAL-NETWORK mode. All traffic sent and received from a virtual network on the VLTi carries the VLTi VLAN ID tag. Configure the same VLTi VLAN ID on both VLT peers.
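The consistency rules above (same anycast gateway MAC and IP address on every VTEP, anycast IP inside the virtual-network interface subnet, a unique virtual-network interface IP per VTEP, and the same VLTi VLAN ID on both VLT peers) can be checked offline before a change is applied. The following Python script is an added example, not part of the Dell EMC guide; the parser, the function names, the rule labels, and the sample addresses are assumptions constructed for illustration.

```python
"""Cross-VTEP consistency checks for anycast-gateway and VLTi settings."""
import ipaddress
from collections import defaultdict


def parse_vtep(commands):
    """Pull the settings this check needs out of one VTEP's command lines.

    Assumes bare commands (no OS10 prompt), one per line, and that a
    sub-mode lasts until the next `interface` or `virtual-network <id>` line.
    """
    cfg = {"mac": None, "vn_if": defaultdict(dict), "vlti": {}}
    ctx = None  # ("if", vn_id) or ("vn", vn_id)
    for line in commands.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["interface", "virtual-network"] and len(w) == 3:
            ctx = ("if", int(w[2]))
        elif w[0] == "interface":
            ctx = None
        elif w[0] == "virtual-network" and len(w) == 2 and w[1].isdigit():
            ctx = ("vn", int(w[1]))
        elif w[:3] == ["ip", "virtual-router", "mac-address"] and len(w) == 4:
            cfg["mac"] = w[3].lower()
        elif ctx and ctx[0] == "if" and w[:2] == ["ip", "address"] and len(w) == 3:
            cfg["vn_if"][ctx[1]]["ip"] = ipaddress.ip_interface(w[2])
        elif (ctx and ctx[0] == "if" and len(w) == 4
              and w[:3] == ["ip", "virtual-router", "address"]):
            cfg["vn_if"][ctx[1]]["anycast"] = ipaddress.ip_address(w[3])
        elif ctx and ctx[0] == "vn" and w[0] == "vlti-vlan" and len(w) == 2:
            cfg["vlti"][ctx[1]] = int(w[1])
    return cfg


def lint(vteps, vlt_pairs=()):
    """Return a sorted list of (rule, virtual_network, detail) findings."""
    findings = []
    # Rule: one anycast gateway MAC address for all VTEPs.
    if len({c["mac"] for c in vteps.values()}) > 1:
        detail = ", ".join(f"{n}={c['mac']}" for n, c in sorted(vteps.items()))
        findings.append(("anycast-mac-differs", None, detail))
    by_vn = defaultdict(dict)
    for name, cfg in vteps.items():
        for vn, entry in cfg["vn_if"].items():
            by_vn[vn][name] = entry
    for vn, members in by_vn.items():
        seen_ip, anycasts = {}, set()
        for name, entry in sorted(members.items()):
            ip, gw = entry.get("ip"), entry.get("anycast")
            if gw is not None:
                anycasts.add(gw)
            # Rule: anycast IP must be in the interface's own subnet.
            if ip is not None and gw is not None and gw not in ip.network:
                findings.append(("anycast-outside-subnet", vn,
                                 f"{name}: {gw} not in {ip.network}"))
            # Rule: the virtual-network interface IP is unique per VTEP.
            if ip is not None:
                if ip.ip in seen_ip:
                    findings.append(("interface-ip-reused", vn,
                                     f"{seen_ip[ip.ip]} and {name} use {ip.ip}"))
                seen_ip.setdefault(ip.ip, name)
        # Rule: same anycast gateway IP on all VTEPs of the virtual network.
        if len(anycasts) > 1:
            findings.append(("anycast-ip-differs", vn,
                             ", ".join(sorted(str(a) for a in anycasts))))
    # Rule: same VLTi VLAN ID on both VLT peers.
    for a, b in vlt_pairs:
        va, vb = vteps[a]["vlti"], vteps[b]["vlti"]
        for vn in sorted(set(va) | set(vb)):
            if va.get(vn) != vb.get(vn):
                findings.append(("vlti-vlan-differs", vn,
                                 f"{a}={va.get(vn)} {b}={vb.get(vn)}"))
    return sorted(findings, key=lambda f: (f[0], f[1] or 0))


# Constructed sample input: three VTEPs, vtep1 and vtep2 form a VLT pair.
VTEP1 = """\
ip virtual-router mac-address 00:01:01:01:01:01
interface virtual-network 10000
 ip vrf forwarding tenant1
 ip address 10.1.0.231/16
 ip virtual-router address 10.1.0.100
virtual-network 10000
 vlti-vlan 100
"""
# vtep2 reuses vtep1's interface IP and has a different VLTi VLAN ID.
VTEP2 = VTEP1.replace("vlti-vlan 100", "vlti-vlan 200")
# vtep3 has a different anycast MAC and an anycast IP outside its subnet.
VTEP3 = (VTEP1.replace("10.1.0.231", "10.1.0.233")
              .replace("10.1.0.100", "10.2.0.100")
              .replace("00:01:01:01:01:01", "00:01:01:01:01:02"))
SAMPLE = {"vtep1": parse_vtep(VTEP1), "vtep2": parse_vtep(VTEP2),
          "vtep3": parse_vtep(VTEP3)}

if __name__ == "__main__":
    for rule, vn, detail in lint(SAMPLE, vlt_pairs=[("vtep1", "vtep2")]):
        print(f"{rule:24} vn={vn} {detail}")
```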
L3 VXLAN route scaling The S4100-ON series, S5200-ON series, S4048T-ON, S4248-ON series, and S6010-ON switches support native VxLAN routing — routing in and out of tunnels (RIOT). RIOT requires dedicated hardware resources reserved for overlay routing. You cannot use these dedicated resources for underlay routing. Each overlay ARP entry requires a routing next-hop in the hardware to bind a destination tenant VM IP address to the corresponding tenant VM MAC address and VNI.
default-overlay-routing 8192 57344 2048 14336
disable-overlay-routing 0 65536 0 16384
balanced-overlay-routing 32768 32768 8192 8192
scaled-overlay-routing 53248 12288 12288 4096
● View the currently configured overlay routing profile; for example, in the S5200-ON series:
show hardware overlay-routing-profile mode
Setting Mode Overlay Next-hop Entries Underlay Next-hop Entries Overlay L3 RIF Entries
Current default-overlay-routing 8192 57344
Next-boot default-overlay-routing 8192 57344
VLTi-VLAN: 2500
Members:
VLAN 1000: port-channel1, ethernet1/1/9, ethernet1/1/10
VLAN 2500: port-channel1000
VxLAN Virtual Network Identifier: 16775000
Source Interface: loopback100(222.222.222.222)
Remote-VTEPs (flood-list): 55.55.55.55(DP),77.1.1.
---------------------------------------------------------------------
10.10.10.10 857/8570 257/23709
20.20.20.20 457/3570 277/13709
View the VXLAN virtual network by VNID
OS10# show nve vxlan-vni
VNI Virtual-Network Source-IP Remote-VTEPs
------------------------------------------------------
101 101 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33
102 102 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33
103 103 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33
104 104 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.
VXLAN MAC addresses Use the show mac address-table virtual-network or show mac address-table extended commands to display the MAC addresses learned on a VXLAN virtual network or learned on both VXLAN virtual networks and legacy VLANs. Use the clear mac address-table dynamic virtual-network and clear mac address-table dynamic nve remote-vtep commands to delete address entries from the MAC address virtual-network table.
Table 44. Display VXLAN MAC addresses (continued) Command Description local: Displays the number of locally-learned MAC addresses. remote: Displays the number of remote MAC addresses learned on all or a specified virtual network. static: Displays the number of static MAC addresses learned on all or a specified virtual network. interface ethernet node/slot/port:subport: Displays the number of MAC addresses learned on the specified interface.
VXLAN commands hardware overlay-routing-profile Configures the number of reserved ARP table entries for VXLAN overlay routing.
Example
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.1/16
OS10(config-if-vn-10000)# no shutdown
Supported releases 10.4.3.0 or later
ip virtual-router address
Configures an anycast gateway IP address for a VXLAN virtual network.
Syntax ip virtual-router address ip-address
Parameters address ipaddress Enter the IP address of the anycast L3 gateway.
Parameters ethernet node/slot/ port[:subport ] Assign the specified interface to a virtual network. port-channel number Assign the specified port channel to a virtual network. untagged Assign untagged traffic on an interface or port channel to a virtual network. vlan-tag vlan-id Assign tagged traffic on the specified VLAN to a virtual network.
Example
OS10(config-vn-vxlan-vni)# remote-vtep 20.20.20.1
OS10(config-vn-vxlan-vni-remote-vtep)# exit
OS10(config-vn-vxlan-vni)# remote-vtep 30.20.20.1
Supported releases 10.4.2.0 or later
show hardware overlay-routing-profile mode
Displays the number of hardware resources available for overlay routing in different profiles.
Syntax show hardware overlay-routing-profile mode [all]
Parameters all View the number of tenant entries available in each hardware partition for overlay routing profiles.
Interface index is 66 Internet address is 12.12.12.2/24 Mode of IPv4 Address Assignment: MANUAL Interface IPv6 oper status: Enabled Link local IPv6 address: fe80::1618:77ff:fe25:6eb9/64 MTU 1532 bytes, IP MTU 1500 bytes ARP type: ARPA, ARP Timeout: 60 Last clearing of "show interface" counters: 10:24:21 Queuing strategy: fifo Input statistics: 89 packets, 10056 octets Output statistics: 207 packets, 7376 octets Time since last interface status change: 10:23:21 Supported releases 10.4.3.
Usage information Use this command to display input and output statistics for VXLAN traffic on a remote VTEP. A VTEP is identified by its IP address. Use the clear nve remote-vtep [ip-address] counters command to clear VXLAN packet statistics.
Example
OS10# show nve remote-vtep counters
Peer Input (Packets/Bytes) Output (Packets/Bytes)
10.10.10.10 857/8570 257/23709
20.20.20.20 457/3570 277/13709
Supported releases 10.4.2.
Source Interface: loopback100(222.222.222.222)
Remote-VTEPs (flood-list): 55.55.55.55(DP),77.1.1.1(DP)
Supported releases 10.4.2.0 or later
show virtual-network counters
Displays packet statistics for virtual networks.
Syntax show virtual-network [vn-id] counters
Parameters vn-id Enter a virtual-network ID, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to monitor the packet throughput on virtual networks, including VXLANs.
Supported releases 10.4.2.0 or later
show virtual-network interface
Displays the VXLAN virtual networks and server VLANs where a port is assigned.
Syntax show virtual-network interface {ethernet node/slot/port:subport | port-channel number}
Parameters
interface ethernet node/slot/port[:subport] Enter the port information for an Ethernet interface.
interface port-channel number Enter a port-channel number, from 1 to 128.
show vlan (virtual network) Displays the VLANs assigned to virtual networks. Syntax show vlan Parameters None Default Not configured Command mode EXEC Usage information Use this command to display the VLAN port interfaces that transmit VXLAN packets over a virtual network.
virtual-network
Creates a virtual network for VXLAN tunneling.
Syntax virtual-network vn-id
Parameters vn-id Enter the virtual-network ID, from 1 to 65535.
Default Not configured
Command mode CONFIGURATION
Usage information The virtual network operates as a L2 bridging domain. To add a VXLAN to the virtual network, use the vxlan-vni command. The no version of this command removes the configured virtual network.
Example
OS10(config)# virtual-network 1000
OS10(config-vn)#
Supported releases 10.4.
VXLAN MAC commands
clear mac address-table dynamic nve remote-vtep
Clears all MAC addresses learned from a remote VTEP.
Syntax clear mac address-table dynamic nve remote-vtep ip-address
Parameters remote-vtep ip-address Clear MAC addresses learned from the specified remote VTEP.
Default Not configured
Command mode EXEC
Usage information To display the MAC addresses learned from a remote VTEP, use the show mac address-table nve remote-vtep command.
Example
OS10# clear mac address-table dynamic virtual-network
Supported releases 10.4.2.0 or later
show mac address-table count extended
Displays the number of MAC addresses learned on all VLANs and VXLAN virtual networks.
Syntax show mac address-table count extended [interface {ethernet node/slot/port:subport | port-channel number}]
Parameters interface ethernet node/slot/port[:subport] Display the number of MAC addresses learned on all VLANs and VXLANs on the specified interface.
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 1
OS10# show mac address-table count nve remote-vtep 32.1.1.1
MAC Entries for all vlans :
Dynamic Address Count : 2
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 2
Supported releases 10.4.2.0 or later
show mac address-table count virtual-network
Displays the number of MAC addresses learned on virtual networks.
Parameters address macaddress Display only information about the specified MAC address. interface ethernet node/slot/ port[:subport ] Display only MAC addresses learned on the specified interface. interface port-channel number Display only MAC addresses learned on the specified port channel. static Display only static MAC addresses. dynamic Display only dynamic MAC addresses. Default Not configured Command mode EXEC Usage information By default, MAC learning from a remote VTEP is enabled.
Example
OS10# show mac address-table nve remote-vtep 32.1.1.1
Virtual-Network VNI MAC Address Type Remote-VTEP
---------------------------------------------------------------
10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.1)
20000 19999 00:00:00:00:00:88 dynamic VxLAN(32.1.1.1)
OS10# show mac address-table nve vxlan-vni 9999
Virtual-Network VNI MAC Address Type Remote-VTEP
---------------------------------------------------------------
10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.
Supported releases 10.4.2.0 or later Example: VXLAN with static VTEP This example uses a typical Clos leaf-spine topology with static VXLAN tunnel endpoints (VTEPs) in VLT dual-homing domains. The individual switch configuration shows how to set up an end-to-end VXLAN. The underlay IP network routes advertise using OSPF. ● On VTEPs 1 and 2, access ports are assigned to the virtual network using a switch-scoped VLAN configuration.
Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.16.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0
OS10(conf-if-lo-0)# exit
3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
7. Configure upstream network-facing ports.
OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.16.1.0/31
OS10(conf-if-eth1/1/1)# ip ospf 1 area 0.0.0.
OS10(conf-if-eth1/1/1)#
9. Configure overlay IP routing
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure the anycast L3 gateway MAC address for all VTEPs.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.231/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.
5. Assign a switch-scoped VLAN to a virtual network.
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
OS10(config)# interface vlan200
OS10(config-if-vl-200)# virtual-network 20000
OS10(config-if-vl-200)# no shutdown
OS10(config-if-vl-200)# exit
6. Configure access ports as VLAN members.
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# vlt port-channel 20
OS10(conf-if-po-20)# exit
Configure VLTi member links.
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure a VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.
Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.18.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0
OS10(conf-if-lo-0)# exit
3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# virtual-network 20000 OS10(config-vn-20000)# member-interface port-channel 20 untagged OS10(config-vn-20000)# exit NOTE: This step shows how to add access ports using port-scoped VLAN-to-VNI mapping. You can also add access ports using a switch-scoped VLAN-to-VNI mapping. However, you cannot use both methods at the same time; you must use either a port-scoped or switch-scoped VLAN-to-VNI mapping. 8. Configure upstream network-facing ports.
Configure a VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:dd:cc:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
4. Configure VXLAN virtual networks with a static VTEP. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# remote-vtep OS10(config-vn-vxlan-vni-remote-vtep)# OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# remote-vtep OS10(config-vn-vxlan-vni-remote-vtep)# OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 192.168.1.1 exit 192.168.1.
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
9. Configure VLT
Configure VLTi VLAN for the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vlti-vlan 200
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vlti-vlan 100
OS10(config-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of network failure.
Configure an anycast L3 gateway for all VTEPs in all virtual networks.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.234/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# ip address 172.17.2.1/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# ip address 172.18.2.1/31
OS10(conf-if-eth1/1/3)# ip ospf 1 area 0.0.0.
OS10(conf-if-eth1/1/3)#
Table 46. Differences between Static VXLAN and VXLAN BGP EVPN
Static VXLAN: To start sending and receiving virtual-network traffic to and from a remote VTEP, manually configure the VTEP as a member of the virtual network.
VXLAN BGP EVPN: No manual configuration is required. Each remote VTEP is automatically learned as a member of a virtual network from the EVPN routes received from the remote VTEP. After a remote VTEP address is learned, VXLAN traffic is sent to, and received from, the VTEP.
Leaf nodes are typically top-of-rack (ToR) switches in a data center network. They act as the VXLAN tunnel endpoints and perform VXLAN encapsulation and decapsulation. Leaf nodes also participate in the MP-BGP EVPN to support control plane and data plane functions. Control plane functions include: ● Initiate and maintain route adjacencies using any routing protocol in the underlay network. ● Advertise locally learned routes to all MP-BGP EVPN peers.
the export RT associated with the EVI. A receiving VTEP downloads information in the BGP EVPN route to EVIs that have a matching import RT value. You can autogenerate or manually configure the RT import and export for each EVI. In auto-EVI mode, RT autogenerates. In manual EVI configuration mode, you can autogenerate or manually configure the RT. The RT consists of a 2-octet type and a 6-octet value.
g. Assign the BGP neighbor to an autonomous system in ROUTER-BGP-NEIGHBOR mode. remote-as as-number h. Enable the peer session with the BGP neighbor in ROUTER-BGP-NEIGHBOR mode. no shutdown i. Return to ROUTER-BGP mode. exit For each BGP peer session in the overlay network: a. Configure the BGP peer using its Loopback IP address on the VTEP in ROUTER-BGP mode. neighbor loopback-ip-address b. Assign the BGP neighbor Loopback address to the autonomous system in ROUTER-BGP-NEIGHBOR mode.
OS10(config-router-neighbor-af)# exit
OS10(config-router-bgp-neighbor)# exit
● On each spine switch, disable sender-side loop detection to leaf switch neighbors in ROUTER-BGP-NEIGHBOR-AF mode.
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
m.
Display the EVPN instance configuration
OS10# show evpn evi 1
EVI : 65447, State : up
Bridge-Domain : (Virtual-Network)100, (VNI)100
Route-Distinguisher : 1:110.111.170.102:65447(auto)
Route-Targets : 0:101:268435556(auto) both
Inclusive Multicast : 110.111.170.107
Display the VXLAN overlay for the EVPN instance
OS10# show evpn vxlan-vni
VXLAN-VNI EVI Virtual-Network-Instance
100001 1 1
100010 2 2
Display the BGP neighbors in the EVPN instances
OS10# show ip bgp neighbors 110.111.170.
*> Route distinguisher: 110.111.170.107:64536
[3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 0 100 101 ?
Display the EVPN routes for host MAC addresses
OS10# show evpn mac
Type -(lcl): Local (rmt): remote
EVI Mac-Address Type Seq-No Interface/Next-Hop
50 00:00:00:aa:aa:aa rmt 0 55.1.1.3
50 00:00:00:cc:cc:cc lcl 0 ethernet1/1/8:1
Seq-No 0 0 Interface/Next-Hop 55.1.1.
The ingress VTEP is configured with all destination virtual networks, and has the ARP entries and MAC addresses for all destination hosts in its hardware tables. Each VTEP learns the host MAC and MAC-to-IP bindings using ARP snooping for local addresses and type-2 route advertisements from remote VTEPs. For VXLAN BGP EVPN examples that use asymmetric IRB, see Example: VXLAN with BGP EVPN and Example: VXLAN BGP EVPN — Multiple AS topology.
OS10(config-evpn-vrf-vrf-tenant)# route-target {auto | value {import | export | both} [asn4]} OS10(config-evpn-vrf-vrf-tenant)# exit 3. (Optional) Advertise the IP prefixes learned from external networks and directly connected networks into EVPN type-5 route advertisements in EVPN-VRF mode; for example: OS10(config)# evpn OS10(config-evpn)# vrf vrf-tenant1 OS10(config-evpn-vrf-vrf-tenant1)# advertise {ipv4 | ipv6} {connected | static| ospf | bgp} [route-map map-name] 4.
Route-Distinguisher : 1:80.80.1.1:5050(auto)
Route-Targets : 0:200:268430506(auto) both
Remote VTEP : 4.4.4.4
Display the router MAC address used in overlay network for symmetric IRB
show evpn router-mac
Local Router MAC : 14:18:77:25:4e:4d
Remote-VTEP Router's-MAC
4.4.4.4 14:18:77:25:6f:4d
5.5.5.5 00:00:01:00:a3:b4
Display the learned EVPN Type 5 routes
OS10# show ip bgp l2vpn evpn
BGP local RIB : Routes to be Added , Replaced , Withdrawn
BGP local router ID is 95.0.0.
BGP EVPN with VLT OS10 supports BGP EVPN operation between VLT peers that you configure as VTEPs. For more information about configurations and best practices to set up VLT for VXLAN, see Configure VXLAN — Configure VLT. This information also applies to BGP EVPN for VXLAN. Dell EMC recommends configuring iBGP peering for the IPv4 address family between the VTEPs in a VLT pair on a dedicated L3 VLAN that is used when connectivity to the underlay L3 network is lost.
Figure 14. BGP EVPN in VLT domain VXLAN BGP commands activate (l2vpn evpn) Enables the exchange of L2 VPN EVPN address family information with a BGP neighbor or peer group. Syntax activate Parameters None Default Not configured Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information Use this command to exchange L2 VPN EVPN address information for VXLAN host-based routing with a BGP neighbor. The IPv4 unicast address family is enabled by default.
Example
OS10(conf-router-neighbor)# address-family l2vpn evpn unicast
OS10(conf-router-bgp-neighbor-af)# activate
Supported Releases 10.2.0E or later
address-family l2vpn evpn
Configures the L2 VPN EVPN address family for VXLAN host-based routing to a BGP neighbor.
sender-side-loop-detection Enables the sender-side loop detection process for a BGP neighbor. Syntax sender-side-loop-detection Parameters None Default Enabled Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information This command helps detect routing loops, based on the AS path before it starts advertising routes. To configure a neighbor to accept routes use the neighbor allowas-in command. The no version of this command disables sender-side loop detection for that neighbor.
*> Route distinguisher: 110.111.170.107:64536
[3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 0 100 101 ?
OS10# show ip bgp l2vpn evpn summary
BGP router identifier 2.2.2.2 local AS number 4294967295
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
3.3.3.3 4294967295 2831 9130 05:57:27 504
4.4.4.4 4294967295 2364 9586 05:56:43 504
5.5.5.5 4294967295 4947 8399 01:10:39 11514
6.6.6.6 4294967295 2413 7310 05:51:56 504
OS10# show ip bgp l2vpn evpn neighbors
BGP neighbor is 3.3.3.
Received 20 messages
1 opens, 0 notifications, 0 updates
19 keepalives, 0 route refresh requests
Sent 20 messages
1 opens, 1 notifications, 0 updates
18 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast:
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) Extended Next Hop Encoding (5)
Capabilities advertised to neighbor
Supported releases 10.4.2.0 or later VXLAN EVPN commands advertise Advertises the IP prefixes learned from external networks and directly connected neighbors into EVPN. Syntax advertise {ipv4 | ipv6} {connected | static | ospf | bgp} [route-map mapname] Parameters ● ● ● ● ● ● ● Default None Command Mode EVPN-VRF Usage Information EVPN uses Type 5 route advertisements. To specify the types of learned routes to use in EVPN Type 5 advertisements in a tenant VRF, use the advertise command.
Example
OS10(config)# evpn
OS10(config-evpn)# auto-evi
Supported releases 10.4.2.0 or later
disable-rt-asn
Sets the ASN value to 0 in auto-derived route targets.
Syntax disable-rt-asn
Parameters None
Default Not configured
Command mode EVPN
Usage information In a Clos leaf-spine topology, if you configure the leaf nodes (VTEPs) in separate ASNs, the system cannot use the route targets that are automatically generated using the auto-evi or route-target auto commands.
Usage information If an MP-BGP network uses 4-byte autonomous systems, or to specify the RD and RT values, manually configure EVPN instances and associate each EVI with the overlay VXLAN virtual network. The EVI activates only when you configure the VXLAN network ID (VNI), RD, RT, and virtual network.
Example
OS10(config)# evpn
OS10(config-evpn)# evi 10
OS10(config-evpn-evi)#
Supported releases 10.4.2.0 or later
evpn
Enables the EVPN control plane for VXLAN.
Supported releases 10.4.2.0 or later redistribute l2vpn evpn Redistributes L2VPN EVPN routes into BGP and OSPF IPv4/IPv6 routes. Syntax redistribute l2vpn evpn [route-map map name] Parameters ● route-map map-name — (Optional) Filter the L2VPN EVPN routes that are redistributed in BGP and OSPF.
Example
OS10(config)# evpn
OS10(config-evpn)# evi 10
OS10(config-evpn-evi)# vni 10000
OS10(config-evpn-evi)# rd 111.111.111.111:65535
OS10(config-evpn-evi)# route-target 1:3 both
OS10(config)# evpn
OS10(config-evpn)# vrf vrf-blue
OS10(config-evpn-vrf-vrf-blue)# route-target auto
Supported releases 10.4.2.0 or later
router-mac
Configure the local router MAC address that is used by remote VTEPs as the destination address in VXLAN encapsulated packets sent to the switch.
show evpn mac Displays BGP EVPN routes for host MAC addresses. Syntax show evpn mac {count | mac-address nn.nn.nn.nn | evi id [mac-address nn.nn.nn.nn | count | next-hop ip-address count]} Parameters ● count — Displays the total number of local and remote host MAC addresses in EVPN instances. ● mac-address nn.nn.nn.nn — Displays the BGP EVPN routes for a specific 48-bit host MAC address. ● evi id — Displays the host MAC addresses and next hops in a specified EVPN instance, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to view the MAC-IP address binding for host communication in VXLAN tenant segments. The type 2 routes received from the remote VTEP are displayed only if there is a corresponding EVI configured locally.
Supported releases 10.4.3.0 or later
show evpn router-mac remote-vtep
Displays both the local and remote router MAC addresses used in symmetric IRB.
Syntax show evpn router-mac {remote-vtep [vtep-ip-address]}
Parameters vtep-ip-address — (Optional) Enter the IP address of a remote VTEP.
Default Not configured
Command mode EXEC
Usage information Use the show evpn router-mac remote-vtep command to display the router MAC address used on the switch and on specified remote VTEPs.
show evpn vrf l3-vni Displays the configuration of the tenant VRF instances used for symmetric IRB. Syntax show evpn vrf l3-vni [tenant-vrf-name] Parameters tenant- vrf-name — (Optional) Enter the name of a non-default tenant VRF instance. Default Not configured Command mode EXEC Usage information Use the show evpn vrf l3-vni command to display the configuration settings of each tenant VRF with its unique VXLAN VNI.
VXLAN-VNI EVI Bridge-Domain
100 65447 65447
Supported releases 10.4.2.0 or later
vni
Associates an EVPN instance with a VXLAN VNI or configures a VXLAN VNI to use for L3 EVPN symmetric IRB traffic.
Syntax vni vni
Parameters vni Enter a VXLAN virtual-network ID, from 1 to 16,777,215.
Default Not configured
Command mode EVPN-EVI and EVPN-VRF
Usage information Use this command:
● In EVPN-EVI mode to configure an EVPN instance with RD and RT values for an overlay VXLAN virtual network.
underlay network, and EVPN routes in the VXLAN overlay network. All spine nodes are in one autonomous system—AS 101. All leaf nodes are in another autonomous system—AS 100. ● On VTEPs 1 and 2: Access ports are assigned to the virtual network using a switch-scoped VLAN. EVPN is configured using auto-EVI mode. ● On VTEPs 3 and 4: Access ports are assigned to the virtual network using a port-scoped VLAN. The EVPN instance is configured using manual configuration mode.
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure VXLAN virtual networks.
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.16.1.0/31
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.16.2.0/31
OS10(conf-if-eth1/1/2)# exit
7. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.16.0.
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
11. Configure EVPN.
Configure the EVPN instance, RD, and RT using auto-EVI mode:
OS10(config)# evpn
OS10(config-evpn)# auto-evi
OS10(config-evpn)# exit
12.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
13. Configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config-if-vl-200)# no shutdown OS10(config-if-vl-200)# exit 5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
9. Configure a Loopback interface for BGP EVPN peering that is different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.17.0.1/32
OS10(conf-if-lo-1)# exit
10. Configure BGP EVPN peering.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.201.0.
Configure VLTi member links.
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.
VTEP 3 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure VXLAN virtual networks.
7. Configure upstream network-facing ports.
OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.18.1.0/31
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31
OS10(conf-if-eth1/1/2)# exit
8. Configure eBGP.
OS10(config-router-neighbor)# send-community extended
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
3. Configure the VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Configure the unused VLAN ID for untagged membership.
OS10(config)# virtual-network untagged-vlan 1000
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
8. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.19.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.19.1.
Configure the EVPN instance in manual configuration mode, with RD and RT configured in auto mode:
OS10(config)# evpn
OS10(config-evpn)# evi 10000
OS10(config-evpn-evi-10000)# vni 10000
OS10(config-evpn-evi-10000)# rd auto
OS10(config-evpn-evi-10000)# route-target auto
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
Configure iBGP IPv4 peering between the VLT peers.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.16.250.10
OS10(config-router-neighbor)# remote-as 100
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
14. Configure IP routing in the overlay network.
Create a tenant VRF.
2. Configure eBGP.
OS10(config)# router bgp 101
OS10(config-router-bgp-101)# router-id 172.201.0.1
OS10(config-router-bgp-101)# address-family ipv4 unicast
OS10(configure-router-bgpv4-af)# redistribute connected
OS10(configure-router-bgpv4-af)# exit
3. Configure eBGP IPv4 peer sessions on the P2P links.
OS10(conf-router-bgp-101)# neighbor 172.16.1.
OS10(conf-router-neighbor)# update-source loopback1
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.0.
OS10(configure-router-bgpv4-af)# redistribute connected
OS10(configure-router-bgpv4-af)# exit
3. Configure eBGP IPv4 peer sessions on the P2P links.
OS10(conf-router-bgp-101)# neighbor 172.16.2.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.2.
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.0.
IRB : Enabled(tenant1)
LEAF1#
3. Verify BGP EVPN neighborship between leaf and spine nodes.
LEAF1# show ip bgp l2vpn evpn summary
BGP router identifier 172.16.0.1 local AS number 100
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
172.201.0.1 101 1132 1116 13:29:00 27
172.202.0.1 101 1131 1118 13:29:02 28
LEAF1#
4. Check connectivity between host A and host B.
root@HOST-A:~# ping 10.2.0.10 -c 5
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63
64 bytes from 10.2.0.
In this example, each node in the spine network and each VTEP in the leaf network belongs to a different autonomous system. Spine switch 1 is in AS 101. Spine switch 2 is in AS 102. For leaf nodes, VLT domain 1 is in AS 99; VLT domain 2 is in AS 100.
● On VTEPs 1 and 2: Access ports are assigned to the virtual network using a switch-scoped VLAN. EVPN instance along with RD and RT values are configured in manual mode.
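With a different AS per VLT domain, the manual route targets in this example (route-target 99:10000 both with route-target 100:10000 import on the AS 99 side; route-target 99:20000 import with route-target 100:20000 both on the AS 100 side) only work if every VTEP imports what its peers export, and an import typed under the wrong EVI pulls another segment's routes into that EVI. The following check is an added example, not Dell code: parse_evpn and audit are hypothetical helper names, and the stanzas are constructed sample input modelled on the guide's commands.

```python
import re
from collections import defaultdict

RT_RE = re.compile(r"^route-target\s+(\d+:\d+)\s+(both|import|export)$")

def parse_evpn(text):
    """Return {vni: {"export": set, "import": set}} from an OS10 evpn stanza.

    Accepts bare config lines or pasted session lines ("OS10(...)# cmd").
    Lines that are not evi/vni/route-target/exit (for example rd) are ignored.
    """
    evis, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()      # drop a CLI prompt if present
        if line.startswith("evi "):
            current = {"vni": None, "export": set(), "import": set()}
            evis.append(current)
        elif current is not None and line.startswith("vni "):
            current["vni"] = int(line.split()[1])
        elif current is not None and (m := RT_RE.match(line)):
            rt, mode = m.groups()
            if mode in ("both", "export"):
                current["export"].add(rt)
            if mode in ("both", "import"):
                current["import"].add(rt)
        elif line == "exit":
            current = None
    return {e["vni"]: e for e in evis if e["vni"] is not None}

def audit(configs):
    """Return sorted findings (vtep, vni, kind, detail) for a set of VTEP configs."""
    fabric = {name: parse_evpn(text) for name, text in configs.items()}
    exporters = defaultdict(set)                  # RT -> {(vtep, vni)} exporting it
    for name, evis in fabric.items():
        for vni, evi in evis.items():
            for rt in evi["export"]:
                exporters[rt].add((name, vni))
    findings = []
    for name, evis in fabric.items():
        for vni, evi in evis.items():
            # Reachability: each peer carrying this VNI must export an RT we import.
            for peer, peer_evis in fabric.items():
                if peer == name or vni not in peer_evis:
                    continue
                if not (peer_evis[vni]["export"] & evi["import"]):
                    findings.append((name, vni, "no-import-from", peer))
            # Isolation: an imported RT that a peer exports under another VNI
            # brings that other segment's routes into this EVI.
            for rt in evi["import"]:
                for peer, peer_vni in exporters.get(rt, ()):
                    if peer != name and peer_vni != vni:
                        findings.append((name, vni, "cross-vni-import",
                                         f"{rt} from VNI {peer_vni}"))
    return sorted(findings)

# Constructed sample input. The EVI 10000 stanza of VTEP1 and the EVI 20000
# stanza of VTEP3 follow the manual-mode commands shown in this guide; the
# remaining stanzas are constructed on the same pattern.
VTEP1 = """
OS10(config)# evpn
OS10(config-evpn)# evi 10000
OS10(config-evpn-evi-10000)# vni 10000
OS10(config-evpn-evi-10000)# rd 192.168.1.1:10000
OS10(config-evpn-evi-10000)# route-target 99:10000 both
OS10(config-evpn-evi-10000)# route-target 100:10000 import
OS10(config-evpn-evi-10000)#exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# route-target 99:20000 both
OS10(config-evpn-evi-20000)# route-target 100:20000 import
OS10(config-evpn-evi-20000)#exit
"""
VTEP3 = """
evpn
 evi 10000
  vni 10000
  route-target 99:10000 import
  route-target 100:10000 both
  exit
 evi 20000
  vni 20000
  rd 192.168.2.1:20000
  route-target 99:20000 import
  route-target 100:20000 both
  exit
"""
# Constructed mistakes: the 99:10000 import is missing from EVI 10000 and
# has been typed under EVI 20000 in place of 99:20000.
VTEP3_BAD = (VTEP3
             .replace("  route-target 99:10000 import\n", "")
             .replace("route-target 99:20000 import", "route-target 99:10000 import"))

if __name__ == "__main__":
    for finding in audit({"VTEP1": VTEP1, "VTEP3": VTEP3_BAD}):
        print(finding)
```

Run it against the saved evpn section of each VTEP before a change window; an empty result means every pair of VTEPs sharing a VNI imports each other's routes and no import crosses VNIs.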
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure VXLAN virtual networks.
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.16.1.0/31
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.16.2.0/31
OS10(conf-if-eth1/1/2)# exit
7. Configure eBGP.
11. Configure EVPN.
Configure the EVPN instance with RD and RT values in manual mode:
OS10(config)# evpn
OS10(config-evpn)# evi 10000
OS10(config-evpn-evi-10000)# vni 10000
OS10(config-evpn-evi-10000)# rd 192.168.1.1:10000
OS10(config-evpn-evi-10000)# route-target 99:10000 both
OS10(config-evpn-evi-10000)# route-target 100:10000 import
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd 192.168.1.
Configure iBGP IPv4 peering between VLT peers.
OS10(config)# router bgp 99
OS10(config-router-bgp-99)# neighbor 172.16.250.1
OS10(config-router-neighbor)# remote-as 99
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-99)# exit
13. Configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
OS10(config)# interface vlan200
OS10(config-if-vl-200)# virtual-network 20000
OS10(config-if-vl-200)# no shutdown
OS10(config-if-vl-200)# exit
5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
9. Configure a Loopback interface for BGP EVPN peering different from VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.17.0.1/32
OS10(conf-if-lo-1)# exit
10. Configure BGP EVPN peering.
OS10(config)# router bgp 99
OS10(config-router-bgp-99)# neighbor 172.201.0.
Configure the VLT port channel.
OS10(config)# interface port-channel10
OS10(conf-if-po-10)# vlt-port-channel 10
OS10(conf-if-po-10)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# vlt-port-channel 20
OS10(conf-if-po-20)# exit
Configure VLTi member links.
OS10(conf-if-vn-20000)# ip address 10.2.0.232/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
VTEP 3 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7. Configure upstream network-facing ports.
OS10(config)# interface ethernet1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/1)# ip address 172.18.1.
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
12. Configure EVPN.
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
3. Configure the VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Configure the unused VLAN ID for untagged membership.
OS10(config)# virtual-network untagged-vlan 1000
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
8. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.19.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.19.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 172.
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd 192.168.2.1:20000
OS10(config-evpn-evi-20000)# route-target 99:20000 import
OS10(config-evpn-evi-20000)# route-target 100:20000 both
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)#
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
Configure iBGP IPv4 peering between the VLT peers.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.16.250.10
OS10(config-router-neighbor)# remote-as 100
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
14. Configure IP routing in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
3. Configure eBGP IPv4 peer sessions on the P2P links.
OS10(conf-router-bgp-101)# neighbor 172.16.1.0
OS10(conf-router-neighbor)# remote-as 99
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.1.0
OS10(conf-router-neighbor)# remote-as 99
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.1.
OS10(conf-router-bgp-101)# neighbor 172.19.0.
4. Configure a Loopback interface for BGP EVPN peering.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.202.0.1/32
OS10(conf-if-lo-1)# exit
5. Configure BGP EVPN peer sessions.
OS10(config)# router bgp 102
OS10(conf-router-bgp-102)# neighbor 172.16.0.
VLAN 100: port-channel10, port-channel1000
VxLAN Virtual Network Identifier: 10000
Source Interface: loopback0(192.168.1.1)
Remote-VTEPs (flood-list): 192.168.2.1(CP)
Virtual Network: 20000
Members:
Untagged: port-channel20
VLAN 200: port-channel1000
VxLAN Virtual Network Identifier: 20000
Source Interface: loopback0(192.168.1.1)
Remote-VTEPs (flood-list): 192.168.2.1(CP)
LEAF1#
2. Verify EVPN configurations and EVPN parameters.
rtt min/avg/max/mdev = 0.737/0.783/0.866/0.047 ms
root@HOST-A:~#
6. Check connectivity between host A and host D.
root@HOST-A:~# ping 10.2.0.20 -c 5
PING 10.2.0.20 (10.2.0.20) 56(84) bytes of data.
64 bytes from 10.2.0.20: icmp_seq=1 ttl=63 time=0.707 ms
64 bytes from 10.2.0.20: icmp_seq=2 ttl=63 time=0.671 ms
64 bytes from 10.2.0.20: icmp_seq=3 ttl=63 time=0.687 ms
64 bytes from 10.2.0.20: icmp_seq=4 ttl=63 time=0.640 ms
64 bytes from 10.2.0.20: icmp_seq=5 ttl=63 time=0.644 ms
--- 10.2.0.
Figure 17. VXLAN BGP EVPN with centralized L3 gateway
NOTE: This centralized L3 gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology. Configure each spine and leaf switch as in the Multiple AS topology example, except:
● Because VTEPs 1 and 2 operate only in Layer 2 VXLAN mode, do not configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.233/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
S4048T-ON, S6010-ON, and the S4100-ON series, routing after decapsulation is performed only between virtual networks. You can connect an egress virtual network to a VLAN in an external router, which connects to the external network. In the following example, VLT domain 1 is a VLT VTEP. VLT domain 2 is the border leaf VLT VTEP pair. All virtual networks in the data center network are configured in all VTEPs with virtual-network IP and anycast IP gateway addresses.
Figure 18. VXLAN BGP EVPN with border leaf gateway
NOTE: This border leaf gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology. Configure each spine and leaf switch as in the Multiple AS topology example and add the following additional configuration steps on each VTEP.
VTEP 1 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
2. Configure routing on the virtual network.
OS10(config)# interface virtual-network 500
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.5.0.231/16
3. Configure a static route for outbound traffic sent to the anycast MAC address of the dedicated virtual network.
OS10(config)# ip route 0.0.0.0/0 10.5.0.100
VTEP 2 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
5. Configure a static route for outbound traffic sent to VLAN 200.
OS10(config)# ip route 0.0.0.0/0 10.10.0.3
VTEP 4 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
OS10(config)# virtual-network 500
OS10(config-vn-500)# vxlan-vni 500
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
2. Configure an anycast gateway MAC address on the border leaf VTEP. This MAC address must be different from the anycast gateway MAC address configured on non-border-leaf VTEPs.
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
4. Assign VLAN member interfaces to the virtual network.
Use a switch-scoped VLAN-to-VNI mapping:
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
9. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.16.0.1/32
OS10(conf-if-lo-1)# exit
10. Configure BGP EVPN peering.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
15. Configure advertisement of connected networks through EVPN type-5 routes.
OS10(config)# evpn
OS10(config-evpn)# vrf tenant1
OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected
OS10(config-evpn-vrf-tenant1)# exit
VTEP 2 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2.
OS10(conf-if-eth1/1/2)# ip address 172.17.2.0/31
OS10(conf-if-eth1/1/2)# exit
7. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.17.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.17.1.
11. Configure EVPN for the VXLAN virtual network.
Configure the EVPN instance, RD, and RT using auto-EVI mode.
OS10(config)# evpn
OS10(config-evpn)# auto-evi
OS10(config-evpn)# exit
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.1/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.232/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(conf-if-vn-10000)# no shutdown
OS10(conf-if-vn-10000)# exit
14. Configure symmetric IRB.
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(conf-if-eth1/1/7)# switchport mode trunk
OS10(conf-if-eth1/1/7)# switchport trunk allowed vlan 200
17. Configure advertisement of the connected networks via EVPN Type-5 routes.
OS10(config)# evpn
OS10(config-evpn)# vrf tenant1
OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected
OS10(config-evpn-vrf-tenant1)# exit
18. Configure BGP session with external router on the border-leaf VTEPs.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# vrf tenant1
OS10(config-router-bgp-100-vrf)# neighbor 10.
VTEP 4 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.19.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 172.19.2.
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
OS10(config)# virtual-network 20000
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.234/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
15. Configure symmetric IRB.
With connected routes of virtual networks present in an individual VTEP advertised as type-5 routes, the border-leaf router has information about all the virtual networks present in the pod.
3. Configure eBGP IPv4 peer sessions on the P2P links.
OS10(conf-router-bgp-101)# neighbor 172.16.1.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.1.
OS10(conf-router-bgp-101)# neighbor 172.18.0.
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.2.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.2.
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.0.
4. Check connectivity between host A and host B.
root@HOST-A:~# ping 10.2.0.20 -c 5
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=0.824 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=63 time=0.847 ms
64 bytes from 10.2.0.10: icmp_seq=3 ttl=63 time=0.835 ms
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.
Example - VXLAN BGP EVPN symmetric IRB with unnumbered BGP peering
The following BGP EVPN example uses a Clos leaf-spine topology with BGP over unnumbered interfaces. The following explains how the network is configured:
● External BGP (eBGP) over unnumbered interfaces is used to exchange both IPv4 routes and EVPN routes.
● You need not configure IP addresses on links that connect Spine and Leaf switches. BGP Unnumbered peering works without an IP address configuration on Spine-Leaf links.
● On leaf switches 1 and 2, access ports are assigned to a virtual network using a switch-scoped VLAN. EVPN for the overlay VXLAN is configured using auto-EVI mode.
● On leaf switches 3 and 4, access ports are assigned to a virtual network using a port-scoped VLAN. EVPN for the overlay VXLAN is configured using manual EVI mode with RT and RD values configured in auto mode.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-101)# neighbor interface ethernet1/1/4
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
Spine Switch 2 configuration
1. Configure downstream ports as unnumbered interfaces.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
VTEP Leaf Switch 1 configuration
1. Configure a loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure a BGP unnumbered neighbor over network facing ports. Use a template to simplify the configuration on multiple interfaces. These neighbors are configured to carry IPv4 address family (default) and L2VPN EVPN address family.
● Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# exit
● Configure iBGP unnumbered peering between VLT peers with both IPv4 and L2VPN EVPN address families.
2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn)# exit
4. Assign VLAN member interfaces to the virtual network.
Use a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-bgp-201)# neighbor interface ethernet1/1/2
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
9. Configure EVPN for the VXLAN virtual network.
Configure the EVPN instances using Auto EVI mode and Disable ASN in the generated RT.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
11. Configure IP routing in overlay network.
● Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# no switchport access vlan
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7.
NOTE: Use the disable-rt-asn command to autoderive an RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has a separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
● Configure a VLTi VLAN for the virtual network.
● Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.233/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
13.
4. Configure an unused VLAN ID for untagged membership.
OS10(config)# virtual-network untagged-vlan 1000
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
NOTE: Use the disable-rt-asn command to autoderive an RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has a separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
12. Configure IP routing in the overlay network.
● Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
Asymmetric to Symmetric IRB migration steps
1. Make the spines send overlay traffic only to Leaf-2 by making Leaf-1 advertise the VTEP IP with a higher metric in the underlay network.
Leaf-1 configuration
a. Configure a route-map with a prefix-list to set the metric higher for the VTEP IP.
Leaf-1(config)# ip prefix-list vtep_ip seq 10 permit 10.10.10.
2. Spines would now send the overlay traffic destined to VLT domain 1 (Rack1) only to Leaf-2.
3. Configure Symmetric IRB mode in Leaf-2.
Leaf-2 configuration
a. Configure router-mac.
Leaf-2(config)# evpn
Leaf-2(config-evpn)# router-mac 02:10:10:10:10:10
b. Configure IP VRF with L3 VNI.
Leaf-2(config-evpn)# vrf BLUE
Leaf-2(config-evpn-vrf-VRF001)# vni 65001
c. Configure RT (auto or manual) and RD (optional, default is auto).
Leaf-2(config-evpn-vrf-BLUE)# route-target auto
d.
b. Default route configured in VTEPs pointing to border leaf using an intermediate VNI could be removed. Default route or external routes could now be advertised to the VTEPs from border leaf using advertise commands under EVPN-IPVRF mode.
Controller-provisioned VXLAN
OS10 supports VXLAN provisioning using an Open vSwitch Database (OVSDB) controller. Currently, the only supported OVSDB controller is the VMware NSX controller.
Configure controller-provisioned VXLAN
To configure the NSX controller, follow these steps on each OS10 VTEP:
1. Configure the source interface used for controller-based VXLAN provisioning. Assign an IPv4 address to a loopback interface. Assign the loopback interface to an NVE instance. The loopback interface must belong to the default VRF. For detailed information, see the Configure source IP address on VTEP.
2. Configure NSX controller reachability.
3.
● remove the interface from Switchport Trunk mode ● add the interface as a member of any VLAN ● remove the interface from the controller configuration if the interface has active port-scoped VLAN (Port,VLAN) pairs configured by the controller To assign an interface to be managed by the OVSDB controller: 1. Configure an interface from CONFIGURATION mode. OS10(config)# interface ethernet 1/1/1 2. Configure L2 trunking in INTERFACE mode. OS10(config-if-eth1/1/1)# switchport mode trunk 3.
Because the VTEP relies on service nodes to replicate BUM traffic, a mechanism is needed to monitor the connectivity between the VTEP and the service nodes. BFD can be used to monitor the connectivity between the VTEP and service nodes, and to detect failures. The NSX controller provides parameters, such as the minimum TX and RX interval, and the multiplier, to initiate the BFD session between the VTEP and the service nodes. To establish a BFD session, enable BFD on the controller and the VTEP.
● Show output with details about the replicators available for the VNID.
OS10# show nve replicators vnid 10009
Codes: * - Active Replicator
BFD Status:Enabled
Replicators State
----------------------
2.2.2.3 Up
2.2.2.2* Up
*— indicates the replicator to which the VTEP sends the BUM traffic for the specific VNID.
Configure and control VXLAN from VMware vCenter
You can configure and control VXLAN from the VMware vCenter GUI. Complete the following steps:
1.
If connectivity between the VTEP and the NSX controller is established successfully, the console displays the current connection status between the controller and the management IP address of the VTEP. 3. Create a logical switch. You can create a logical network that acts as the forwarding domain for virtualized and nonvirtualized server workloads on the physical and virtual infrastructure. The following steps configure the logical switch for NSX controller management. a.
4. Create a logical switch port that provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. 5. (Optional) Enable or disable BFD globally. The following steps enable or disable BFD configuration in the controller. a. Click Service Definitions from the left navigation pane. b. Click the Hardware Devices tab. c. Click the Edit button in the BFD Configuration. d.
After you configure a VMware NSX controller on a server VM, connect to the controller from the VXLAN gateway switch. For more information about the NSX controller configuration in the VTEP, see Configure a connection to an OVSDB controller. For more information about NSX controller configuration, see the NSX User Guide from VMware. Example: VXLAN with a controller configuration This example shows a simple NSX controller and a hardware OS10 VTEP deployed in a VXLAN environment.
● Configure the NSX controller in VMware vCenter. For more information about configuring the NSX controller using the GUI, see the Configure and control VXLAN from the VMware vCenter. You must configure an OS10 VTEP with the controller configuration so that the VTEP can communicate with the NSX controller. The NSX controller handles configurations and control plane operations in the VXLAN environment. VTEP 1 1. Configure the OSPF protocol in the underlay.
3. Create an NVE instance and configure a Loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback 1 4. Specify the NSX controller reachability information. OS10(config-nve)# controller ovsdb OS10(config-nve-ovsdb)# ip 10.16.140.182 port 6640 ssl OS10(config-nve-ovsdb)# max-backoff 10000 OS10(config-nve-ovsdb)# exit 5. Assign interfaces to be managed by the controller.
----------------------13.0.0.5 Up 13.0.0.3 Up 13.0.0.2 Up To view the remote VTEP status, use the show nve remote-vtep command. OS10# show nve remote-vtep IP Address: 13.0.0.2, State: up, Encap: VxLAN VNI list: ,6000 IP Address: 13.0.0.3, State: up, Encap: VxLAN VNI list: ,6000 IP Address: 13.0.0.5, State: up, Encap: VxLAN VNI list: ,6000 IP Address: 202.0.0.
VNI list: ,6000 IP Address: 13.0.0.5, VNI list: ,6000 IP Adress: 200.0.0.1, VNI list: 6000 State: up, Encap: VxLAN State: up, Encap: Vxlan VXLAN Controller commands controller ovsdb Changes the mode to CONFIGURATION-NVE-OVSDB from where you can configure the controller parameters. Syntax controller ovsdb Parameters None Default None Command mode CONFIGURATION-NVE Usage information The controller configuration initiates the OVSDB service on the OS10 switch.
max-backoff Configures a time interval, in milliseconds (ms). This is the duration the switch waits between the connection attempts to the controller. Syntax max-backoff interval Parameters interval—Enter the amount of time, in ms. This is the duration the switch waits between the connection attempts to the controller, from 1000 to 180000 ms.
Usage information This command is available only for the sysadmin and secadmin roles. This command generates the SSL certificate and restarts the OVSDB server to start using the newly generated certificate.
Example OS10# nve controller ssl-key-generate
Supported releases 10.4.3.0 or later
show nve controller
Displays information about the controller and the controller-managed interfaces.
Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles.
------------ ------------------------------478ec8ca-9c5a-4d29-9069-633af6c48002 [] false 1000 {} {state=BACKOFF} "ssl:10.16.140.171:6640" 52f2b491-6372-43e0-98ed-5c4ab0ca8542 [] true 1000 {} {sec_since_connect="37831", sec_since_disconnect="37832", state=ACTIVE} "ssl:10.16.140.173:6640" 7b8a7e36-6221-4297-b85e-51f910abcb5c [] true 1000 {} {sec_since_connect="87", sec_since_disconnect="99", state=ACTIVE} "ssl:10.16.140.172:6640" OS10# Supported releases 10.4.3.
16 UFT modes A switch in a Layer 2 (L2) network may require a larger MAC address table size, while a switch in a Layer 3 (L3) network may require a larger routing table size. Unified forwarding table (UFT) offers the flexibility to configure internal L2/L3 forwarding table sizes. OS10 supports several UFT modes for the forwarding tables. By default, OS10 selects a UFT mode that provides a reasonable size for all tables.
Table 51. UFT Modes — Table Size for Z9264F-ON
UFT Mode          L2 MAC Table Size  L3 Host Table Size  L3 Routes Table Size
Scaled-l2-switch  270336             8192                32768
Scaled-l3-hosts   8192               270336              32768
Scaled-l3-routes  8192               8192                262144
Default           139264             139264              32768
Table 52.
L3 Host Entries  : 147456  212992
L3 Route Entries : 32768   98304
View UFT information for all modes
OS10# show hardware forwarding-table mode all
Mode              default  scaled-l2  scaled-l3-routes  scaled-l3-hosts
L2 MAC Entries    163840   294912     32768             98304
L3 Host Entries   147456   16384      16384             212992
L3 Route Entries  32768    32768      131072            98304
IPv6 extended prefix routes
IPv6 addresses that contain prefix routes with a mask between /64 and /128 are called IPv6 extended prefix routes.
Syntax hardware forwarding-table mode {scaled-l2 | scaled-l3-routes | scaled-l3-hosts}
Parameters
● scaled-l2 — Enter the L2 MAC address table size.
● scaled-l3-routes — Enter the L3 routes table size.
● scaled-l3-hosts — Enter the L3 hosts table size.
Defaults The default parameters vary according to the platform. See UFT modes on page 1101.
Command Mode CONFIGURATION
Usage Information Configure the sizes of the internal L2 and L3 forwarding tables to meet the requirements of your network environment.
L2 MAC Entries   : 163840  98304
L3 Host Entries  : 147456  212992
L3 Route Entries : 32768   98304
Supported Releases 10.3.0E or later
show hardware forwarding-table mode all
Displays table sizes for the hardware forwarding table modes.
17 Security
Dell EMC SmartFabric OS10 has several security features to protect the usability and integrity of the data available in the switch. OS10 also has security features to protect the user network from attacks and to restrict network traffic.
Switch security
Dell EMC SmartFabric OS10 has various built-in security features to secure administrative access to the switch.
User management
OS10 controls user access to the switch and what users can do after login, based on their assigned roles and privileges.
Assign user role To limit OS10 system access, assign a role when you configure each user. ● Enter a user name, password, and role in CONFIGURATION mode. username username password password role role ○ username username — Enter a text string. A maximum of 32 alphanumeric characters; 1 character minimum. ○ password password — Enter a text string. A maximum of 32 alphanumeric characters; 9 characters minimum.
The linuxadmin password configured from the CLI takes precedence across reboots over the password configured from the Linux shell. Verify the linuxadmin password using the show running-configuration command. OS10# show running-configuration system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ ZLv9Sfv3ALtB61 Disable linuxadmin user To disable or lock the linuxadmin user, use the system-user linuxadmin disable command in CONFIGURATION mode.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. ○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. ○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
When a user is locked out due to exceeding the maximum number of failed login attempts, other users can still access the switch. By default, lockout-period minutes is 0; no lockout period is configured. Failed login attempts do not lock out a user.
Display password rules OS10# show running-configuration password-attributes password-attributes min-length 7 character-restriction upper 4 numeric 2 Disable strong password check OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2 OS10(config)# username admin2 password 4newhire4 role sysadmin %Error: Password fail: it does not contain enough DIFFERENT characters OS10(config)# enable password 0 4newhire4 priv-lvl 5 %Error: Password it does not contain enough DIFFERENT chara
User management commands disable Lowers the privilege level. Syntax disable privilege-level Parameters ● privilege-level—Enter the privilege level, from 0 to 15. Defaults 1 Command Mode Privileged EXEC Usage Information If you do not specify a privilege level, the system assigns level 1. Example OS10# disable OS10# disable 6 Supported Releases 10.4.3.0 or later enable Enables a specific privilege level.
○ sha-256 — Use a SHA-256 encrypted password. ○ sha-512 — Use a SHA-512 encrypted password. ● priv-lvl privilege-level — Enter a privilege number from 1 to 15. Defaults Not configured Command Mode CONFIGURATION Usage Information To increase the required password strength, create stronger password rules using the password-attributes command. The no version of this command removes a privilege-level password.
Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Example OS10(config)# password-attributes min-length 6 character-restriction upper 2 lower 2 numeric 2
Supported Releases 10.4.0E(R1) or later
password-attributes max-retry lockout-period
Configures a maximum number of consecutive failed login attempts and the lockout period for the user ID.
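The username and password-attributes rules in this section can be checked before a user is pushed to a switch. The following Python sketch is an added example, not Dell code: it reads a password-attributes rule line and validates each username command against it and against the limits stated in this guide. The function names, the sample configuration, the optional trailing priv-lvl keyword, and the reading of upper, lower and numeric as minimum character counts are assumptions.

```python
import re

# Roles and special characters as listed in this guide.
ROLES = {"sysadmin", "secadmin", "netadmin", "netoperator"}
SPECIALS = set("!#%&'();<=>[]*+-./:^_")
MAX_LEN = 32  # maximum length for user names and passwords

USER_CMD = re.compile(
    r"username (\S+) password (\S+) role (\S+)(?: priv-lvl (\d+))?")


def parse_policy(lines):
    """Return the password rules; the default minimum length is 9 characters."""
    policy = {"min-length": 9, "upper": 0, "lower": 0, "numeric": 0}
    for line in lines:
        tokens = line.split()
        # Skip the separate max-retry / lockout-period form of the command.
        if tokens[:1] != ["password-attributes"] or "max-retry" in tokens:
            continue
        for key in policy:
            if key in tokens[:-1]:
                policy[key] = int(tokens[tokens.index(key) + 1])
    return policy


def check_user(line, policy):
    """Return a list of rule violations for one username command."""
    m = USER_CMD.fullmatch(line.strip())
    if not m:
        return ["not a 'username ... password ... role ...' command"]
    name, password, role, level = m.groups()
    issues = []
    if not 1 <= len(name) <= MAX_LEN:
        issues.append("user name must be 1 to 32 characters")
    if not policy["min-length"] <= len(password) <= MAX_LEN:
        issues.append("password length must be %d to %d characters"
                      % (policy["min-length"], MAX_LEN))
    bad = sorted({c for c in password
                  if not (c.isascii() and c.isalnum()) and c not in SPECIALS})
    if bad:
        issues.append("unsupported characters: " + "".join(bad))
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
    }
    for key, have in counts.items():
        if have < policy[key]:
            issues.append("needs at least %d %s characters, has %d"
                          % (policy[key], key, have))
    if role not in ROLES:
        issues.append("unknown role: " + role)
    # Admin roles cannot be given a privilege level below 2.
    if level is not None and role != "netoperator" and int(level) < 2:
        issues.append("privilege level below 2 is not allowed for " + role)
    return issues


def lint(config_text):
    """Map each user name in the text to its list of violations."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    policy = parse_policy(lines)
    return {l.split()[1]: check_user(l, policy)
            for l in lines if l.startswith("username ")}


# Constructed sample input; the first line is the rule from the example above.
SAMPLE_CONFIG = """
password-attributes min-length 6 character-restriction upper 2 lower 2 numeric 2
password-attributes max-retry 3 lockout-period 5
username ops1 password NetOps42ab role netoperator
username audit1 password abc12 role auditor
username adm2 password Str0ng{Pass}7 role sysadmin priv-lvl 1
"""

if __name__ == "__main__":
    for user, problems in lint(SAMPLE_CONFIG).items():
        print(user, "OK" if not problems else problems)
```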
Usage Information For users assigned to sysadmin, netadmin, and secadmin roles, you cannot configure a privilege level less than 2. If a command that you associate with a privilege level has a space, enter the command in double quotes ("). If a command does not have a space or if it has keywords separated by a hyphen, double quotes are not required. The no version of this command removes a command from a privilege level.
show users Displays information for all users logged into OS10. Syntax show users Parameters None Default Not configured Command Mode EXEC Usage Information Updated the command to display the privilege levels of all users on OS10 version .
system-user linuxadmin password Configures a password for the linuxadmin user. Syntax system-user linuxadmin password {clear-text-password | hashed-password} Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Use this command to set a clear-text or hashed-password for the linuxadmin user. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.3.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
○ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. ○ secadmin — Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information.
● The default privilege levels are level 1 for netoperator, and level 15 for sysadmin, secadmin, and netadmin. Command Mode CONFIGURATION Usage Information By default, the password must be at least nine alphanumeric characters. Only the following special characters are supported: ! # % & ' ( ) ; < = > [ ] * + - . / : ^ _ Enter the password in clear text. It is converted to SHA-512 format in the running configuration. For backward compatibility with OS10 releases 10.3.
● Configure the AAA authentication method in CONFIGURATION mode.
aaa authentication login {console | default} {local | group radius | group tacacs+}
○ console—Configure authentication methods for console logins.
○ default—Configure authentication methods for non-console logins, such as SSH and Telnet.
○ local—Use the local username, password, and role entries configured with the username password role command.
○ group radius—Configure RADIUS servers using the radius-server host command.
Type = string. Valid values for Dell-group-name are sysadmin, secadmin, netadmin, and netoperator. Use the VSA Dell-group-name values when you create users on a RADIUS or TACACS+ server. For detailed information about how to configure vendor-specific attributes on a RADIUS or TACACS+ server, see the respective RADIUS or TACACS+ server documentation.
● Configure the number of times OS10 retransmits a RADIUS authentication request in CONFIGURATION mode, from 0 to 100 retries; the default is 3. radius-server retransmit retries ● Configure the timeout period used to wait for an authentication response from a RADIUS server in CONFIGURATION mode, from 0 to 1000 seconds; the default is 5.
ip radius source-interface mgmt 1/1/1 ... Delete RADIUS server OS10# no radius-server host 1.2.4.5 RADIUS over TLS authentication Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol.
● Configure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for authentication. tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you configure multiple TACACS+ servers, OS10 attempts to connect in the order you configured them.
% Error: local authentication not configured After upgrading to 10.5.1 from an earlier release, there is no change in the AAA authentication configuration when this configuration has the local authentication method configured. After upgrading to 10.5.1 in MX-series platforms, the local authentication method is appended to the authentication list when local authentication is not configured.
Enable AAA accounting To record information about all user-entered commands, use the AAA accounting feature — not supported for RADIUS accounting. AAA accounting records login and command information in OS10 sessions on console connections using the console option and remote connections using the default option, such as Telnet and SSH.
Example OS10(config)# aaa accounting commands all console start-stop logging group tacacs+
Supported Releases 10.4.1.0 or later
aaa authentication login
Configures the AAA authentication method for console, SSH, and Telnet logins.
Syntax aaa authentication login {console | default} {local | group radius | group tacacs+}
Parameters
● console — Configure authentication methods for console logins.
● default — Configure authentication methods for SSH and Telnet logins.
● console — Configure authorization for console-entered commands. ● default — Configure authorization for non-console-entered commands and commands entered in non-console sessions, such as in SSH and VTY. ● local — Use the local username, password, and role entries configured with the username password role command for command authorization. ● group tacacs+ — Use the TACACS+ servers configured with the tacacs-server host command for command authorization.
tacacs-server host Configures a TACACS+ server and the key used to authenticate the switch on the server. Syntax tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Parameters ● hostname — Enter the host name of the TACACS+ server. ● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the TACACS+ server. ● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
radius-server host Configures a RADIUS server and the key used to authenticate the switch on the server. Syntax radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Parameters ● hostname — Enter the host name of the RADIUS server. ● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server. ● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands. RADIUS over TLS authentication requires that X.
Supported Releases 10.2.0E or later radius-server vrf Configures the RADIUS server for the management or non-default VRF instance. Syntax radius-server vrf {management | vrf-name} Parameters ● management — Enter the keyword to configure the RADIUS server for the management VRF instance. ● vrf-name — Enter the keyword then the name of the VRF to configure the RADIUS server for that non-default VRF instance.
● ethernet node/slot/port[:subport] — Enter a physical Ethernet interface.
● loopback number — Enter a Loopback interface, from 0 to 16383.
● mgmt 1/1/1 — Enter the management interface.
● port-channel channel-id — Enter a port-channel ID, from 1 to 28.
● vlan vlan-id — Enter a VLAN ID, from 1 to 4093.
Default Not configured.
Command Mode CONFIGURATION
Usage Information By default, no source interface is configured.
● Enable bootloader protection in EXEC mode. Use the boot protect enable command to configure a username and password. You can configure up to three users per switch. OS10# boot protect enable username root password calvin Disable bootloader protection for a specified user by using the boot protect disable command.
● If the validation of the kernel and OS10 system binary files succeeds, OS10 loads successfully. NOTE: If you are installing OS10 image using zero touch deployment (ZTD): ● Secure boot is disabled after ZTD reloads the switch. ● ZTD cannot validate the image with Dell public key (PKI/sha256/GPG keys) and hence cannot perform secure installation of the OS10 image.
Validate OS10 image file on demand
You can validate an OS10 image file at any time using the image verify command in EXEC mode. OS10 verifies the signature of the image files using hash-based authentication, GNU Privacy Guard (GnuPG or GPG)-based signatures, or digital signatures (PKI-signed).
image verify image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.
Or
$ onie-nos-install image_url sha256 signature_filepath
The OS10 image installer verifies the signature of the image files using hash-based authentication or digital signatures (PKI-signed). The image files are installed after they are successfully validated.
View certificate information
Use the show secure-boot pki-certificates command in EXEC mode to view the certificate information.
1. Boot into ONIE. 2. Install a valid OS10 image using the onie-nos-install command. For more information, see Installation using ONIE. OS10 system binary validation fails for one installed OS10 image If the system binary validation fails for one of the installed images, you can log into OS10 CLI EXEC mode. You cannot access CONFIGURATION mode. The following log message appears when you use the show logging log-file command: Dell EMC (OS10) %SECURE_BOOT: OS10 sytem file integrity failed.
Parameters
● username — Enter the username to provide access to bootloader protection.
● password — Enter a password for the specified username.
Default Disabled
Command Mode EXEC
Usage Information You can enable bootloader protection by executing this command. You can configure a maximum of three username / password pairs for bootloader protection.
Example OS10# boot protect enable username root password calvin
Supported Releases 10.4.3.
Widgits Pty Ltd Validity GMT Certificate Key Id Version Number Serial Number Signature Algorithm Issuer Widgits Pty Ltd Validity GMT Supported Releases : Aug : : : : : 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 124 3 (0x2) 17154672033164819608 (0xee11a353271dfc98) sha256WithRSAEncryption C=IN, ST=Some-State, L=some-city, O=Internet : Aug 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 10.5.1.0 or later show secure-boot Displays the secure boot or file integrity status.
● startup-config—Validate the startup configuration file.
Command Mode EXEC
Usage Information This CLI is available only when you enable secure boot. If the startup configuration file is deleted or compromised, use the protected version of the startup configuration file to restore the configuration during a reboot.
Example OS10# secure-boot protect startup-config
Supported Releases 10.5.1.0 or later
secure-boot enable
Enables secure boot.
Example-sha256 Example-GPG key Example-PKI Supported Releases OS10# image verify image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretchinstaller-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.pem Image verified successfully. OS10# image verify image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretchinstaller-x86_64.bin gpg signature tftp://10.16.127.
Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.pem Supported Releases 10.5.1.0 or later image gpg-key key-server Installs the GPG key into the switch GPG key ring.
● Configure the SSH server to be reachable on the management VRF using the ip ssh server vrf command. ● Configure the SSH login timeout using the ip ssh server login-grace-time seconds command, from 0 to 300; default 60. To reset the default SSH prompt timer, use the no ip ssh server login-grace-time command. ● Configure the maximum number of authentication attempts using the ip ssh server max-auth-tries number command, from 0 to 10; default 6.
View SNMP ACL configuration OS10# show snmp community Community : public Access : read-only ACL : snmp-read-only-acl Limit concurrent login sessions To avoid an unlimited number of active sessions on a switch for the same user ID, limit the number of console and remote connections. Log in from a console connection by cabling a terminal emulator to the console serial port on the switch. Log in to the switch remotely through a virtual terminal line, such as Telnet and SSH.
3. Apply the access lists to the VTY line with the {ip | ipv6} access-class access-list-name command in LINE-VTY mode. OS10(config-line-vty)# ip access-class permit10 View VTY ACL configuration OS10(config-line-vty)# show configuration ! line vty ip access-class permit10 ipv6 access-class deny10 OS10(config-line-vty)# Switch management access OS10 provides security to all management access through console, Telnet, SSH connections, and SNMP requests. ip ssh server enable Enables the SSH server.
ip ssh server cipher Configures the list of cipher algorithms in the SSH server. Syntax ip ssh server cipher cipher-list Parameters cipher-list — Enter a list of cipher algorithms. Separate entries with a blank space. The cipher algorithms supported by the SSH server are: ● 3des-cbc ● aes128-cbc ● aes192-cbc ● aes256-cbc ● aes128-ctr ● aes192-ctr ● aes256-ctr ● aes128-gcm@openssh.com ● aes256-gcm@openssh.
ip ssh server kex Configures the key exchange algorithms used in the SSH server. Syntax ip ssh server kex key-exchange-algorithm Parameters key-exchange-algorithm — Enter the supported key exchange algorithms separated by a blank space. The SSH server supports these key exchange algorithms: ● curve25519-sha256 ● curve25519-sha256@libssh.
● hmac-sha2-256-etm@openssh.com
● hmac-sha2-512-etm@openssh.com
● umac-64-etm@openssh.com
● umac-128-etm@openssh.com
Default
● hmac-sha1
● hmac-sha2-256
● hmac-sha2-512
● umac-64@openssh.com
● umac-128@openssh.com
● hmac-sha1-etm@openssh.com
● hmac-sha2-256-etm@openssh.com
● hmac-sha2-512-etm@openssh.com
● umac-64-etm@openssh.com
● umac-128-etm@openssh.com
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
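The cipher and MAC lists set with ip ssh server cipher and ip ssh server mac can be audited before a configuration is applied. The following Python sketch is an added example, not Dell code: it reads those two commands from configuration text, falls back to the default MAC list shown above when no MAC list is configured, and flags entries under an assumed site policy (no 3DES or CBC-mode ciphers, no SHA-1 MACs, no UMAC with 64-bit tags). The policy, the function names, and the sample configuration are assumptions.

```python
import re

# Default MAC list, copied from the Default entry of "ip ssh server mac" above.
DEFAULT_MACS = [
    "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
    "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com", "umac-64-etm@openssh.com",
    "umac-128-etm@openssh.com",
]

# Assumed site policy (not Dell guidance): which algorithm names to reject.
WEAK = {
    "cipher": re.compile(r"^3des-|-cbc$"),
    "mac": re.compile(r"^(hmac-sha1|umac-64)(-|@|$)"),
}

# Entries are separated by blank spaces, as the command syntax requires.
# Lines starting with "no" do not match and are ignored.
CMD = re.compile(r"^\s*ip ssh server (cipher|mac)\s+(\S.*?)\s*$")


def parse_ssh_algorithms(config_text):
    """Return {'cipher': [...], 'mac': [...]} for the lists that are configured."""
    found = {}
    for line in config_text.splitlines():
        m = CMD.match(line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found


def audit_ssh_algorithms(config_text):
    """Report weak entries per list and a replacement command without them."""
    configured = parse_ssh_algorithms(config_text)
    report = {}
    for kind, weak in WEAK.items():
        if kind in configured:
            source, active = "configured", configured[kind]
        elif kind == "mac":
            # Nothing configured: the switch uses its default MAC list.
            source, active = "default", DEFAULT_MACS
        else:
            # The default cipher list is not reproduced here, so it is not judged.
            report[kind] = {"source": "default (not evaluated)",
                            "weak": [], "suggest": None}
            continue
        bad = [a for a in active if weak.search(a)]
        keep = [a for a in active if not weak.search(a)]
        # No suggestion when nothing is weak or when nothing would remain.
        suggest = None
        if bad and keep:
            suggest = "ip ssh server %s %s" % (kind, " ".join(keep))
        report[kind] = {"source": source, "weak": bad, "suggest": suggest}
    return report


# Constructed sample input: a cipher list is set, the MAC list is left at default.
SAMPLE_CONFIG = """
ip ssh server enable
ip ssh server cipher 3des-cbc aes128-cbc aes256-ctr aes256-gcm@openssh.com
ip ssh server max-auth-tries 3
"""

if __name__ == "__main__":
    for kind, result in audit_ssh_algorithms(SAMPLE_CONFIG).items():
        print(kind, result["source"], "weak:", result["weak"])
        if result["suggest"]:
            print("  suggested:", result["suggest"])
```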
The no version of this command removes the configuration.
Example OS10(config)# ip ssh server port 255
Supported Releases 10.3.0E or later
ip ssh server pubkey-authentication
Enables public key authentication for the SSH server.
Syntax ip ssh server pubkey-authentication
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
Usage Information Use this command to view information about the established SSH sessions.
Example
OS10# show ip ssh
SSH Server: Enabled
--------------------------------------------------
SSH Server Ciphers: chacha20-poly1305@openssh.com,aes128-ctr,
aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com
SSH Server MACs: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,
hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,umac-64@openssh.com,
umac-128@openssh.
username sshkey
Enables SSH password-less login using the public key of a remote client. The remote client is not prompted to enter a password.
Syntax username username sshkey sshkey-string
Parameters
● username — Enter the user name. This value is the user name configured with the username password role command.
● sshkey-string — Enter the public key of the remote client device as a text string. If sshkey-string contains a blank space, enclose the string in double quotes (").
Usage Information Before you use the command, locate the public keys on a remote client in the ~/.ssh/id_rsa.pub file. Create a text file and copy the SSH public keys on the remote client into the file. Enter each public key on a separate line. Download the file to your home OS10 directory. NOTE: Entering the command when an SSH key file is not present has no effect and results in a silent failure. SSH password-less login is not enabled.
login concurrent-session limit Configures the maximum number of concurrent login sessions allowed for a user ID. Syntax login concurrent-session limit number Parameters limit number — Enter the limit of concurrent login sessions, from 1 to 12. Default 10 concurrent login sessions Command Mode CONFIGURATION Usage Information The total number of concurrent login sessions for the same user ID includes all console and remote connections, where: ● Each remote VTY connection counts as one login session.
ip access-class Filters connections in a virtual terminal line using an IPv4 access list. Syntax ip access-class access-list-name Parameters access-list-name — Enter the access list name. Default Not configured Command Mode LINE VTY CONFIGURATION Usage Information The no version of this command removes the filter. Example Supported Releases OS10(config)# line vty OS10(config-line-vty)# ip access-class deny10 10.4.
● User-based configuration changes recorded with the user ID, date, and time of the change. The specific parameter changes are not logged. ● Establishment of secure traffic flows, such as SSH, and violations on secure flows ● Certificate issues, including user access and changes made to certificate installation using crypto commands ● Adding and deleting users Audit log entries are saved locally and sent to configured Syslog servers. To set up a Syslog server, see System logging.
Default Disabled
Command Mode CONFIGURATION
Usage Information Only the sysadmin and secadmin roles have access to this command. When enabled, user login information, including the number of successful and failed logins, role changes, and the last time a user logged in, displays after a successful login. The no login-statistics enable command disables login statistics.
Example OS10(config)# login-statistics enable
Supported Releases 10.4.
Defaults Not configured
Command Mode EXEC
Usage Information To display the contents of the audit log, use the show logging audit command.
Example
OS10# clear logging audit
Proceed to clear all audit log messages [confirm yes/no(default)]:yes
Supported Releases 10.4.3.0 or later
show logging audit
Displays audit log entries.
Syntax show logging audit [reverse] [number]
Parameters
● reverse — Display entries starting with the most recent events.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information Audit log entries are saved locally and sent to configured Syslog servers. Only the sysadmin and secadmin roles can enable the audit log. The no version of the command disables audit log recording.
Example OS10(conf)# logging audit enable
Supported Releases 10.4.3.0 or later
X.509v3 certificates
OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server.
Public key infrastructure (PKI) Application that manages the generation of private and public encryption keys, and the download, installation, and exchange of CA-signed certificates with network devices. X.509v3 Standard for the public key infrastructure that manages digital certificates and public key encryption. Public key infrastructure To use X.
○ ca-cert-filepath specifies the local path to the downloaded certificate; for example, home://CAcert.pem or usb://CA-cert.pem. ○ filename specifies an optional filename that the certificate is stored under in the OS10 trust-store directory. Enter the filename in the filename.crt format. Example: Download and install CA certificate OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_rootCA1.pem home:// Dell_rootCA1.pem password: OS10# crypto ca-cert install home://Dell_rootCA1.
71:18:01:64:bb:72:2c:26:6f:6e:e8:06:9a:77:4b: 07:3b:b3:8c:71:ff:61:1b:84:d4:02:46:47:e5:4d: 79:be:22:e9:7a:8c:eb:06:38:38:a6:f7:b7:83:bf: f2:64:c9:b8:d9:7f:d1:cc:87:ac:80:b0:d0:d3:17: 35:d1:49:44:2e:6e:9f:60:9c:ca:9a:6d:cd:63:79: 7c:6d:33:72:13:74:f1:16:20:50:46:20:e7:c1:ff: b0:42:95 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 75:22:3F:BE:99:B7:FA:A1:5B:1D:68:0B:E9:5E:21:7D:83:62:AC:DB X509v3 Authority Key Identifier: keyid:75:22:3F:BE:99:B7:FA:A1:5B:1D:68:0B:E9:5E:21:7D:83:6
When a CA issues a certificate, it usually includes the CRL distribution point in the certificate. OS10 uses the CDP URL to access the server with the current CRL. OS10 supports using multiple CDPs and CRLs during a CRL revocation check. If a CRL check validates a certificate from an external device, OS10 sets up a secure connection to perform the tasks initiated by the application. Like CA certificates, CRLs are maintained in the trust store on the switch and applied to all PKI-enabled applications.
Request and install host certificates OS10 also supports the switch obtaining its own X.509v3 host certificate. In this procedure, you generate a certificate signing request (CSR) and a private key. Store the private key locally in a secure location. Copy the CSR file to a certificate authority. The CA generates a host certificate for an OS10 switch by digitally signing the switch certificate contained in the CSR.
You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP. OS10# copy home://DellHost.pem DellHost.pem password: scp:///tftpuser@10.11.178.103:/tftpboot/certs/ The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install. Install host certificate 1. Use the copy command to download an X.
password: OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home:// Dell_host1_CA1.key Processing certificate ... Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a security profile. CN = Dell_host1_CA1 Display trusted certificates OS10# show crypto cert -------------------------------------| Installed non-FIPS certificates | -------------------------------------Dell_host1_CA1.
Delete trusted certificate OS10# OS10# crypto cert delete Dell_host1_CA1.pem Certificate and keys were successfully deleted. CN = Dell_host1_CA1 Self-signed certificates Administrators may prefer to not set up a Certificate Authority and implement a certificate trust model in the network, but still want to use the privacy features provided by the Transport Layer Security (TLS) protocol. In this case, self-signed certificates can be used. A self-signed certificate is not signed by a CA.
○ key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter private to install the key from a local hidden location and rename the key file with the certificate name. ○ password passphrase specifies the password used to decrypt the private key if it was generated using a password. ○ fips installs the certificate-key pair as FIPS-compliant.
b8:83:ae:34:bb:84:e6:b4:a3:fd:77:20:67:15:3f:02:76:ca: f6:74:d4:d2:36:0e:58:8c:96:13:c2:85:8a:df:ba:c0:d9:c8: Security profiles To use independent sets of security credentials for different OS10 applications, you can configure multiple security profiles and assign them to OS10 applications. A security profile consists of a certificate and private key pair. For example, you can maintain different security profiles for RADIUS over TLS authentication and SmartFabric services.
OS10# show running-configuration crypto security-profile ! crypto security-profile radius-prof certificate dv-fedgov-s6010-1 OS10# show running-configuration radius-server radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9 Cluster security When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other.
Successfully created CSR file /home/admin/tor6.csr and key OS10# copy home://tor6.csr scp://CAadmin:secret@172.11.222.1/s4048-001-csr.pem OS10# copy scp://CAadmin:secret@172.11.222.1/s4048-001.crt usb://s4048-001.crt OS10# crypto cert install crt-file usb://s4048-001.crt key-file usb://s4048-001.key This will replace the already installed host certificate. Do you want to proceed ? [yes/no(default)]:yes Processing certificate ... Host certificate installed successfully. 3. Configure an X.
3. Configure an X.509v3 security profile. OS10# show crypto cert -------------------------------------| Installed non-FIPS certificates -------------------------------------s4048-001-csr.pem -------------------------------------| Installed FIPS certificates | -------------------------------------- | OS10# config terminal OS10(config)# crypto security-profile radius-admin OS10(config-sec-profile)# certificate s4048-001-csr OS10(config-sec-profile)# exit 4. Configure the RADIUS over TLS server.
Usage information Example Supported releases When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other. OS10 installs a default X.509v3 certificate-key pair to establish secure channels between the peer devices in a cluster. If untrusted devices access the management or data ports on the switch, replace the default certificate-key pair with a custom X.
Installed Root CA certificate CommonName = GeoTrust Universal CA IssuerName = GeoTrust Universal CA Supported releases 10.4.3.0 or later crypto cdp add Installs a certificate distribution point (CDP) on the switch. Syntax crypto cdp add cdp-name cdp-url Parameters ● cdp-name — Enter a CDP name. ● cdp-url — Enter the HTTP URL used to reach the CDP.
Usage information Example Supported releases When you delete the system's certificate, you also delete the private key. Do not delete a host certificate that is used in a security profile. To display the currently installed host certificate and associated key, use the show crypto cert command. NOTE: A FIPS-compliant and non-FIPS certificate may have the same file name. To delete a FIPS-compliant certificate, you must enter the fips parameter in the command. OS10# crypto cert delete Dell_host1_CA1.
Command mode EXEC Usage information Generate a CSR when you want a CA to sign a host certificate. Generate a self-signed certificate if you do not set up a CA and implement a certificate trust model in your network. If you enter the cert-file option, you must enter all the required parameters, including the local path where the certificate and private key are stored.
● fips — (Optional) Install the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that a FIPS-aware application, such as RADIUS over TLS, uses. If you do not enter fips, the certificate-key pair is stored as a non-FIPS compliant pair.
Usage Information Example Before you use the crypto crl install command, copy a CRL to the home:// or usb:// directory. If you do not enter a CRL filename in the command, you can copy and paste it when prompted. Use the show crypto crl command to view the CRLs that are already installed on the switch. In the show output, the CRLs displayed under Manually installed CRLs are installed using the crypto crl install command. OS10# copy scp:///tftpuser@10.11.178.103:/crl_example_file.
Usage information Example Supported releases Create a security profile for a specific application on the switch, such as RADIUS over TLS. A security profile associates a certificate and private key pair using the certificate command. The no form of the command deletes the security profile. OS10# crypto security-profile secure-radius-profile OS10(config-sec-profile)# 10.4.3.0 or later peer-name-check Enables peer name checking in a security profile for certificates presented by external devices.
show crypto ca-certs Displays all CA certificates installed on the switch. Syntax show crypto ca-certs [filename] Parameters filename — (Optional) Enter the text filename of a CA certificate as shown in the show crypto ca-certs output. Enter the filename in the format filename.crt. Default Display all installed CA certificates. Command mode EXEC Usage information To delete a CA certificate, use the crypto ca-cert delete command. Enter the filename as shown in the show crypto ca-certs output.
show crypto cdp Displays a list of configured certificate distribution points (CDPs). Syntax show crypto cdp [cdp-name] Parameters ● cdp-name — (Optional) Display more detailed information by entering the CDP name displayed in show crypto cdp output. Default Not configured Command Mode EXEC Usage Information Use the show crypto cdp command to verify the CDPs installed on the switch and display the URL to reach a CDP. OS10 uses the URL to access the CDP and download new CRLs.
Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1 Validity Not Before: Jul 25 19:11:19 2018 GMT Not After : Jul 22 19:11:19 2028 GMT Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e7:81:4b:4a:12:8d:ce:88:e6:73:3f:da:19:03: c6:56:01:19:b2:02:61:3f:5b:1e:3
Example OS10# show crypto crl -------------------------------------| Manually installed CRLs | -------------------------------------COMODO_Certification_Authority.0.crl.pem -------------------------------------| Downloaded CRLs | -------------------------------------- OS10# show crypto crl COMODO_Certification_Authority.0.crl.
802.1X port access control 802.1X defines access control that prevents unauthorized devices or users from connecting to a network. For more information about 802.1X, see 802.1X. Port security Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following subfeatures that provide added security to the system: 1. MAC address learning limit (MLL) 2. Sticky MAC 3.
To enable sticky MAC address learning on an interface, ensure that the mac learn no-limit command is not configured. Port security violations There are two types of port security violations.
After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses. To configure the MAC address learning limit: 1. Enter the following command in INTERFACE mode: switchport port-security 2. Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode: mac-learn {limit | no-limit} For the limit keyword, the range is from 0 to 3072.
OS10(config-if-port-sec)#no disable OS10(config-if-port-sec)#mac-learn limit 100 OS10(config-if-port-sec)#sticky Permit MAC address movement Use the following command in INTERFACE PORT SECURITY mode: OS10(config-if-port-sec)#mac-move allow MAC address movement configuration example OS10# configure terminal OS10(config)#interface ethernet 1/1/1 OS10(config-if-eth1/1/1)#switchport port-security OS10(config-if-port-sec)#no disable OS10(config-if-port-sec)#mac-learn limit 100 OS10(config-if-port-sec)#mac-move a
● To clear the error-disabled state of all interfaces, regardless of which violation caused it, use the following command in CONFIGURATION mode: errdisable reset cause all
Recover an error-disabled state of interfaces automatically
● To automatically recover interfaces that were error-disabled by a MAC address learning limit violation, use the following command in CONFIGURATION mode: errdisable recovery cause mac-learn-limit-violation
● To automatically recover error-disabled interfaces that was cau
os10# show mac address-table secure dynamic
VlanId  MAC Address        Type     Interface
10      4c:76:25:e5:4f:51  dynamic  port-channel120
11      4c:76:25:e5:4f:55  dynamic  ethernet1/1/6
12      4c:76:25:e5:4f:59  dynamic  ethernet1/1/7
os10# show mac address-table secure static
VlanId  MAC Address        Type     Interface
10      4c:76:25:e5:4f:51  static   port-channel120
11      4c:76:25:e5:4f:55  static   ethernet1/1/6
12      4c:76:25:e5:4f:59  static   ethernet1/1/7
View the number of secure MAC addresses on the system ● To view the number of secure MAC a
Secure static MAC Addresses Sticky MAC Addresses Secure Dynamic MAC addresses :0 :0 :11 OS10# show switchport port-security interface ethernet 1/1/1 Global Port-security status :Enable Interface name : ethernet1/1/1 Port Security Port Status Mac-learn limit MaC-learn-limit-Violation Action Sticky Mac-move-allow Mac-move-violation Aging Total MAC Addresses Secure static MAC Addresses Sticky MAC Addresses Secure Dynamic MAC addresses :Enabled :Error-Disable :1024 :Shutdown :Enabled :Not Allowed :shutdo
Port security commands clear mac address-table secure Clears sticky and dynamic secure MAC address entries from the MAC address table. Syntax clear mac address-table secure {{dynamic | sticky} {address mac_addr | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel channel-number}} | all} Parameters ● dynamic — Displays secure dynamic MAC address table entries. ● sticky — Displays secure sticky MAC address table entries.
Example OS10(config-if-port-sec)# errdisable recovery cause mac-learn-limit-violation Supported Releases 10.5.1.0 or later errdisable reset cause Resets the error disabled state of interfaces. Syntax errdisable reset cause {all | mac-learn-limit-violation | mac-move-violation} Parameters ● all — Resets the error disabled state of all interfaces. ● mac-learn-limit-violation — Resets the error disabled state of interfaces that exceeded the maximum number of MAC addresses that they can learn.
mac-learn limit violation Configures MAC address learning limit violation actions. Syntax mac-learn limit violation {drop | forward | log | shutdown} Parameters ● drop — Drops the packet when an interface receives it from a new device after the learning limit is reached. ● forward — Forwards the packet when an interface receives it from a new device after the learning limit is reached.
Parameters ● drop — Drops the received packet when an interface detects the same MAC address that the system has already learned on a different interface. ● log — Displays a log message when an interface detects the same MAC address that the system has already learned on a different interface. ● shutdown-both — Shuts down both interfaces that learned the same MAC address.
show switchport port-security Displays port security information of interfaces. Syntax show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}] Parameters ● interface — Displays the interface type: ○ ethernet node/slot/port[:subport] — Displays the port security information of an Ethernet interface. ○ port-channel channel-number — Displays the port security information of a port-channel interface, from 1 to 128.
Secure static MAC Addresses Sticky MAC Addresses Secure Dynamic MAC addresses :0 :10 :0 OS10# show switchport port-security interface port-channel 120 Supported Releases Interface name : port-channel 120 Port Security Port Status mac-learning-limit Mac-learn-limit-Violation Action Sticky Mac-move-allow Mac-move-violation Aging Total MAC Addresses Secure static MAC Addresses Sticky MAC Addresses Secure Dynamic MAC addresses :Disabled : Up :1024 :Flood :Enabled :Allowed :shutdown-offending :Disabled :1
The no version of this command disables the port security feature on the system. Example Supported Releases OS10(config)# no switchport port-security 10.5.1.0 or later sticky Enables sticky MAC address learning or converts existing dynamic MAC addresses to sticky. Syntax sticky Parameters None Default Disabled Command Mode CONFIGURATION-PORT-SECURITY Usage Information This command enables sticky MAC address learning or converts existing dynamic MAC addresses to sticky.
● sticky — Displays secure sticky MAC address table entries. ● address — Displays a specific MAC address table entry. ● vlan vlan-id — Displays all entries based on the VLAN number from the address table, from 1 to 4093. ● interface — Displays the interface type: ○ ethernet node/slot/port[:subport] — Displays the Ethernet interface configuration from the address table. ○ port-channel channel-number — Displays the port-channel interface configuration from the address table, from 1 to 128.
MAC-move-violation Enabled
Interface          Errdisable Cause                        Recovery Time Left (seconds)
--------------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                               30
ethernet1/1/1:2    bpduguard                               1
ethernet1/1/10     bpduguard/mac-learning-limit/mac-move   10
port-channel100    Mac-learning-limit                      50
port-channel128    mac-move                                49
Supported Releases 10.4.2.0 or later
show mac address-table count Displays the number of entries in the MAC address table.
18 OpenFlow

Switches implement the control plane and data plane in the same hardware. Software-defined network (SDN) decouples the software (control plane) from the hardware (data plane). A centralized SDN controller handles the control plane traffic and hardware configuration for data plane flows. The SDN controller is the "brain" of an SDN.
The ONOS controller does not encode the matched DSCP flow entry values according to the OpenFlow 1.0 specification. Hence, when you install an OpenFlow 1.0 flow entry that matches the IP DSCP, the ONOS controller sets an incorrect flow-entry encoding value for IP DSCP. OpenFlow logical switch instance In OpenFlow-only mode, you can configure only one logical switch instance. After you enable OpenFlow mode, create a logical switch instance. The logical switch instance is disabled by default.
Flow table
An OpenFlow flow table consists of flow entries. Each flow table entry contains the following fields:

Table 56. Supported fields
Fields          Support
match_fields    Supported
priority        Supported
counters        Supported
instructions    Supported
timeouts        Supported
cookie          Not supported

Group table Not supported

Meter table Not supported

Instructions
Each flow entry contains a set of instructions that execute when a packet matches the entry. Table 57.
Table 58. Supported action sets (continued)
Action set       Support
decrement TTL    Not supported
set              Supported (selective fields)
qos              Not supported
group            Not supported
output           Supported

Action types
An action type associates with each packet. Table 59.
Table 60.
Table 60. Supported counters (continued)
Required/Optional  Counter               Bits  Support
Optional           In-band packet count  64    Not supported
Optional           In-band byte count    64    Not supported

Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● In the show interface vlan command output, the VLAN octet counters are not displayed accurately.
● If a packet hits two ACL tables, the counter with higher priority statistics gets incremented and the other actions are merged and applied.
Connection setup TCP

Table 64. Supported modes
Modes                       Supported/Not supported
Connection interruption     ● fail-secure-mode—Supported
                            ● fail-standalone-mode—Not supported
TLS encryption              Supported
Multiple controller         Not supported
Auxiliary connections       Not supported
Number of logical switches  One
Supported controllers       REST APIs on
                            ● RYU
                            ● ONOS

Flow table modification messages
Table 65.
Table 66.
Table 67.
Table 67. Supported fields (continued)
Flow match fields              Supported/Not supported
OFPXMT_OFB_TUNNEL_ID = 38      Not supported
OFPXMT_OFB_IPV6_EXTHDR = 39    Not supported

Action structures
Table 68.
Table 69. Supported capabilities (continued)
Capabilities                   Supported/Not supported
OFPC_IP_REASM = 1 << 5         Not supported
OFPC_QUEUE_STATS = 1 << 6      Not supported
OFPC_PORT_BLOCKED = 1 << 8     Not supported

Multipart message types
Table 70.
Table 72. Supported properties (continued)
Property type                        Supported/Not supported
OFPTFPT_WRITE_ACTIONS_MISS = 5       Not supported
OFPTFPT_APPLY_ACTIONS = 6            Supported
OFPTFPT_APPLY_ACTIONS_MISS = 7       Not supported
OFPTFPT_MATCH = 8                    Supported
OFPTFPT_WILDCARDS = 10               Supported
OFPTFPT_WRITE_SETFIELD = 12          Supported
OFPTFPT_WRITE_SETFIELD_MISS = 13     Not supported
OFPTFPT_APPLY_SETFIELD = 14          Supported
OFPTFPT_APPLY_SETFIELD_MISS = 15     Not supported

Group configuration
Table 73.
Flow-removed reasons

Table 76. Supported reasons
Flow-removed reasons       Supported/Not supported
OFPRR_IDLE_TIMEOUT = 0     Supported
OFPRR_HARD_TIMEOUT = 1     Supported
OFPRR_DELETE = 2           Supported
OFPRR_GROUP_DELETE = 3     Not supported

Error types from switch to controller
Table 77.
Consider the case of dynamic learning of flows for bidirectional traffic. Flows are learnt as and when a packet arrives. With dynamic learning in an OpenFlow network, the OpenFlow switch receives a packet that does not match the flow table entries and sends the packet to the SDN controller to process it. The controller identifies the path the packet has to traverse and updates the flow table with a new entry. The controller also decides the caching time of the flow table entries.
iii. Configure the logical switch instance, of-switch-1. OS10# configure terminal OS10 (config)# openflow OS10 (config-openflow)# switch of-switch-1 4. Configure one or more OpenFlow controllers with either IPv4 or IPv6 addresses to establish a connection with the logical switch instance. You can configure up to eight OpenFlow controllers.
OpenFlow commands controller Configures an OpenFlow controller that the logical switch instance connects to. Syntax controller {ipv4 ipv4-address | ipv6 ipv6-address} [port port-number] [security {none | tls}] Parameters ● ipv4 ipv4-address—Enter ipv4, then the IP address of the controller. ● ipv6 ipv6-address—Enter ipv6, then the IPv6 address of the controller. ● port port-number—Enter the keyword, then the port number, from 1 to 65,535. The default port is 6653.
OS10 (config-openflow-switch)# controller ipv4 10.1.23.12 port 6633
OS10 (config-openflow-switch)# controller ipv4 10.1.99.121 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::1 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::12 port 6633
Supported Releases 10.4.1.0 or later
dpid-mac-address Specifies the MAC address bits of the datapath ID (DPID) of the logical switch instance.
OS10 (config-openflow)# in-band-mgmt interface ethernet 1/1/1 OS10 (config-openflow)# no shutdown Supported Releases 10.4.1.0 or later max-backoff Configures the time interval, in seconds, that the logical switch instance waits after requesting a connection with the OpenFlow controller. Syntax max-backoff interval Parameters interval—Enter the amount of time, in seconds, that the logical switch instance waits after it attempts to establish a connection with the OpenFlow controller, from 1 to 65,535.
openflow Enters OPENFLOW configuration mode. Syntax openflow Parameters None Default None Command Mode CONFIGURATION Usage Information All OpenFlow configurations are performed in this mode. The no form of this command prompts a switch reload. If you enter yes, the system deletes all OpenFlow configurations and the switch returns to the normal mode after the reload. Example OS10# configure terminal OS10(config)# openflow OS10 (config-openflow)# Supported Releases 10.4.1.
Usage Information NOTE: Run this command only when the logical switch instance is disabled. Use the shutdown command to disable the logical switch instance. After you run this command, enter the no shutdown command to enable the logical switch instance again. ● When you specify negotiate, the switch negotiates versions 1.0 and 1.3 and selects the highest of the versions supported by the controller. The negotiation is based on the hello handshake described in the OpenFlow Specification 1.3.
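The hello-based negotiation described above, as an added Python example (not OS10 or controller code). It parses an OFPT_HELLO message with the version-bitmap element defined by the OpenFlow 1.3 wire format and picks the version the way a switch offering 1.0 and 1.3 would; the function names and the sample controller messages are constructed for illustration.

```python
"""OFPT_HELLO parsing and version negotiation for a switch offering 1.0 and 1.3."""
import struct

OFPT_HELLO = 0
OFPHET_VERSIONBITMAP = 1
OFP10, OFP13 = 0x01, 0x04                    # wire version numbers
SWITCH_VERSIONS = frozenset({OFP10, OFP13})  # versions offered in negotiate mode


def build_hello(versions, xid=1, with_bitmap=True):
    """Build a hello: header version is the highest supported version,
    optionally followed by one version-bitmap element (bit N = version N)."""
    body = b""
    if with_bitmap:
        bitmap = 0
        for v in versions:
            bitmap |= 1 << v
        body = struct.pack("!HHI", OFPHET_VERSIONBITMAP, 8, bitmap)
    return struct.pack("!BBHI", max(versions), OFPT_HELLO, 8 + len(body), xid) + body


def parse_hello(data):
    """Return (header_version, offered_versions or None). Reject malformed input."""
    if len(data) < 8:
        raise ValueError("short OpenFlow header")
    version, msg_type, length, _xid = struct.unpack_from("!BBHI", data)
    if msg_type != OFPT_HELLO:
        raise ValueError("not an OFPT_HELLO message")
    if length < 8 or length > len(data):
        raise ValueError("length field does not fit the received bytes")
    offered = None
    offset = 8
    while offset + 4 <= length:
        etype, elen = struct.unpack_from("!HH", data, offset)
        if elen < 4 or offset + elen > length:
            raise ValueError("bad hello element length")
        if etype == OFPHET_VERSIONBITMAP:
            payload = data[offset + 4:offset + elen]
            if len(payload) % 4:
                raise ValueError("bitmap is not a multiple of 32 bits")
            offered = set()
            for i in range(len(payload) // 4):
                (word,) = struct.unpack_from("!I", payload, i * 4)
                offered |= {i * 32 + bit for bit in range(32) if (word >> bit) & 1}
        offset += (elen + 7) // 8 * 8        # elements are padded to 8 bytes
    return version, offered


def negotiate(peer_hello, local=SWITCH_VERSIONS):
    """Return the negotiated wire version, or None (hello failed).

    If the peer sent a bitmap with versions in common, use the highest common
    version; otherwise fall back to the smaller of the two header versions.
    """
    peer_version, peer_offered = parse_hello(peer_hello)
    if peer_offered is not None:
        common = local & peer_offered
        if common:
            return max(common)
    candidate = min(max(local), peer_version)
    return candidate if candidate in local else None


if __name__ == "__main__":
    # Constructed controller hellos, not captured traffic.
    samples = {
        "controller 1.0-1.4, bitmap": build_hello({1, 2, 3, 4, 5}),
        "controller 1.0 only, no bitmap": build_hello({1}, with_bitmap=False),
        "controller 1.1 only, no bitmap": build_hello({2}, with_bitmap=False),
    }
    for name, msg in samples.items():
        print(name, "->", negotiate(msg))
```

A result of None corresponds to the case where the switch cannot agree on a version and the connection attempt to that controller fails at the hello stage.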
Supported Releases 10.4.1.0 or later show openflow Displays general OpenFlow switch and the logical switch instance information. Syntax show openflow Parameters None Default None Command Mode EXEC Usage Information None Example OS10# show openflow Manufacturer : DELL Hardware Description : Software Description : Dell Networking OS10-Premium, Dell Networking Application Software Version: 10.4.
Total flows: 1 Flow: 0 Table ID: 0, Table: Ingress ACL TCAM table Flow ID: 0 Priority: 32768, Cookie: 0 Hard Timeout: 0, Idle Timeout: 0 Packets: 0, Bytes: 0 Match Parameters: In Port: ethernet1/1/1 EType: 0x800 SMAC: 00:0b:c4:a8:22:b0/ff:ff:ff:ff:ff:ff DMAC: 00:0b:c4:a8:22:b1/ff:ff:ff:ff:ff:ff VLAN id: 2/4095 VLAN PCP: 1 IP DSCP: 4 IP ECN: 1 IP Proto: 1 Src Ip: 10.0.0.1/255.255.255.255 Dst Ip: 20.0.0.1/255.255.255.
ethernet1/1/5:4 FIBER ethernet1/1/6 NONE ethernet1/1/7 NONE ethernet1/1/8 COPPER ethernet1/1/9 NONE ethernet1/1/10 NONE ethernet1/1/11 COPPER ethernet1/1/12 COPPER ethernet1/1/13 NONE ethernet1/1/14 NONE ethernet1/1/15 NONE ethernet1/1/16 NONE ethernet1/1/17 NONE ethernet1/1/18 NONE ethernet1/1/19 NONE ethernet1/1/20 NONE ethernet1/1/21 NONE ethernet1/1/22 NONE ethernet1/1/23 NONE ethernet1/1/24 NONE ethernet1/1/25 COPPER ethernet1/1/26 COPPER ethernet1/1/27 NONE ethernet1/1/28 NONE ethernet1/1/29 NONE ethe
Command Mode EXEC Usage Information None Example OS10# show openflow switch Logical switch name: of-switch-1 Internal switch instance ID: 0 Config state: true Signal Version: negotiate Data plane: secure Max backoff (sec): 8 Probe Interval (sec): 5 DPID: 90:b1:1c:f4:a5:23 Switch Name : of-switch-1 Number of buffers: 0 Number of tables: 1 Table ID: 0 Table name: Ingress ACL TCAM table Max entries: 1000 Active entries: 0 Lookup count: 0 Matched count: 0 Controllers: 10.16.208.
Supported Releases 10.4.1.0 or later switch Creates a logical switch instance or modifies an existing logical switch instance. Syntax switch logical-switch-name Parameters logical-switch-name—Enter the name of the logical switch instance that you want to create or modify, a maximum of 15 characters. OS10 supports only one instance of the logical switch. Default None Command Mode OPENFLOW CONFIGURATION Usage Information You must configure a controller for the logical switch instance.
Table 78.
Table 78. Modes and CLI commands (continued) Mode Available CLI commands ● debug tacacs+ LAG INTERFACE CONFIGURATION LAG is not supported. LOOPBACK INTERFACE CONFIGURATION Loopback interface is not supported. INTERFACE CONFIGURATION description end exit ip mtu negotiation ntp show shutdown VLAN INTERFACE CONFIGURATION VLAN is not supported.
19 Access Control Lists

OS10 uses two types of access policies: hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map.

ACLs

An ACL is a filter containing criteria to match (for example, to examine internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) packets) and an action to take, such as forwarding or dropping packets at the NPU.
Destination MAC packet address MAC address range—address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches all destination addresses. Packet protocol Set by its EtherType field contents and assigned protocol number for all protocols. VLAN ID Set in the packet header Class of service Present in the packet header IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets.
○ DST_IPv6—Destination address ○ SRC_IPv6—Source address ○ IP_TYPE—IP Type; for example, IPv4 or IPv6 ○ IP_PROTOCOL—TCP, UDP, and so on ○ L4_DST_PORT—Destination port ● MAC qualifiers: ○ OUT_PORT—Egress CPU port ○ SRC_MAC—Source MAC address ○ DST_MAC—Destination MAC address ○ ETHER_TYPE—Ethertype ○ OUTER_VLAN_ID—VLAN ID ○ IP_TYPE—IP type ○ OUTER_VLAN_PRI—DOT1P value IP fragment handling OS10 supports a configurable option to explicitly deny IP-fragmented packets, particularly for the second and subsequent
TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
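The fragment-matching outcome described above, as an added Python model (not OS10 code or output). The three rules are constructed to reproduce that outcome, and the matching semantics are assumptions: a rule with a Layer 4 port qualifier can match only a packet that carries the TCP header (fragment offset 0), and a rule with the fragments keyword matches only non-first fragments.

```python
"""Model of ordered ACL evaluation for fragmented IPv4 packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                       # "tcp", "udp", "icmp", ...
    frag_offset: int = 0             # 0 = unfragmented packet or first fragment
    dst_port: Optional[int] = None   # present only when the L4 header is in this packet

    @property
    def non_first_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: str                         # source in CIDR form
    dst_port: Optional[int] = None
    fragments: bool = False          # the fragments keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.fragments:
            return pkt.non_first_fragment
        if self.dst_port is not None:
            # The port is in the L4 header, which only the offset-0 packet carries.
            return not pkt.non_first_fragment and pkt.dst_port == self.dst_port
        return True


# Constructed rules (assumed, not taken from the guide):
#   seq 10 permit tcp host 10.1.1.1 any eq 24
#   seq 20 permit tcp host 10.1.1.1 any fragments
#   seq 30 deny ip any any fragments
ACL = [
    Rule(10, "permit", "tcp", "10.1.1.1/32", dst_port=24),
    Rule(20, "permit", "tcp", "10.1.1.1/32", fragments=True),
    Rule(30, "deny", "ip", "0.0.0.0/0", fragments=True),
]


def evaluate(rules, pkt):
    """Return (action, seq) of the first matching rule, or ("no-match", None)."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq
    return "no-match", None


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        Packet("10.1.1.1", "tcp", 0, 24),    # first fragment or unfragmented, port 24
        Packet("10.1.1.1", "tcp", 185),      # non-first TCP fragment, same host
        Packet("10.1.1.1", "udp", 185),      # non-first fragment, other protocol
        Packet("10.2.2.2", "tcp", 185),      # non-first fragment, other host
        Packet("10.1.1.1", "tcp", 0, 80),    # offset 0 but different port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL, pkt))
```

The last sample matches none of the three rules, so its fate depends on whatever follows them in the list; the model reports that as no-match rather than assuming a default.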
Auto-generated sequence number If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order you configure the filters. The system assigns sequence numbers to filters using multiples of ten values. ● Configure a deny or permit filter to examine IP packets in IPV4-ACL mode. {deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments] ● Configure a deny or permit filter to examine TCP packets in IPV4-ACL mode.
Rules apply in order: ● Ingress L3 ACL ● Ingress L2 ACL ● Egress L3 ACL ● Egress L2 ACL NOTE: In ingress ACLs, L2 has a higher priority than L3 and in egress ACLs, L3 has a higher priority than L2. Table 79.
seq 120 deny icmp 20.1.6.0/24 any fragment count (0 packets) seq 130 permit 150 any any dscp 63 count (0 packets) To view the number of packets matching the ACL, use the count option when creating ACL entries. ● Create an ACL that uses rules with the count option, see Assign sequence number to filter. ● Apply the ACL as an inbound or outbound ACL on an interface in CONFIGURATION mode, and view the number of packets matching the ACL.
You can use an egress ACL filter to restrict egress traffic. For example, when you isolate denial of service (DoS) attack traffic to a specific interface, and apply an egress ACL filter to block the DoS flow from exiting the network, you protect downstream devices. 1. Apply an egress access-list on the interface in INTERFACE mode. ip access-group access-group-name out 2. Return to CONFIGURATION mode. exit 3. Create the access-list in CONFIGURATION mode. ip access-list access-list-name 4.
Clear access-list counters Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets that match each permit or deny statement in an access-list. To get a more recent count of packets matching an access-list, clear the counters to start at zero. If you do not configure an access-list name, all IP access-list counters clear. To view access-list information, use the show access-lists command. ● Clear IPv4 access-list counters in EXEC mode.
● Route-maps use commands to decide what to do with traffic. To remove the match criteria in a route-map, use the no match command. ● In a BGP route-map, if you repeat the same match statement (for example, match metric) with different values in the same sequence number, only the last match and set values are taken into account.
Match clauses: ip address prefix-list p1 Set clauses: route-map test3, deny, sequence 10 Match clauses: ip address prefix-list p2 Set clauses: route-map test4, permit, sequence 10 Match clauses: ip address prefix-list p2 Set clauses: Match routes Configure match criterion for a route-map. There is no limit to the number of match commands per route map, but keep the number of match filters in a route-map low. The set commands do not require a corresponding match command.
● Enter an ORIGIN attribute in ROUTE-MAP mode.
set origin {egp | igp | incomplete}
● Enter a tag value for the redistributed routes in ROUTE-MAP mode, from 0 to 4294967295.
set tag tag-value
● Enter a value as the route’s weight in ROUTE-MAP mode, from 0 to 65535.
set weight value

Check set conditions
OS10(config)# route-map ip permit 1
OS10(conf-route-map)# match metric 2567

Continue clause
Only BGP route-maps support the continue clause.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, neither flow-based monitoring nor port mirroring functions. Flow-based monitoring is supported only for ingress traffic. The show monitor session session-id command displays output that indicates whether a particular session is enabled for flow-monitoring.
View flow-based monitoring
OS10# show monitor session 1
S.
seq 15 deny udp any any capture session 2 count bytes (0 bytes)
seq 20 deny tcp any any capture session 3 count bytes (0 bytes)

View monitor sessions
OS10(conf-if-eth1/1/1)# show monitor session all
S.
1022 1024
USER_IPV4_ACL Shared:1 G2 2 3 1021 1024
USER_IPV6_ACL Shared:2 G4 1 2 510 512
PBR_V6 Shared:2 G10 1 1 511 512
SYSTEM_FLOW Shared:2 G0 49 49 975 1024
ISCSI_SNOOPING Shared:1 G8 12 12 500 512
FCOE Shared:2 G6 55 55 457 512
----------------------------------------------------------------------
Egress ACL utilization
Hardware Pools
----------------------------------------------------------------------
Pool ID App(s) Used rows Free rows Max ro
ACL logging
You can configure ACLs to filter traffic and to drop or forward packets that match certain conditions. The ACL logging feature allows you to get additional information about packets that match an access control list entry (ACE) applied on an interface in the inbound direction. OS10 creates a log message that includes additional information about the packet when a matching packet hits a log-enabled ACL entry.
Example
OS10# clear ip access-list counters
Supported Releases 10.2.0E or later

clear ipv6 access-list counters
Clears IPv6 access-list counters for a specific access-list.
Syntax clear ipv6 access-list counters [access-list-name]
Parameters access-list-name — (Optional) Enter the name of the IPv6 access-list to clear counters. A maximum of 140 characters.
Default Not configured
Command Mode EXEC
Usage Information If you do not enter an access-list name, all IPv6 access-list counters clear.
● icmp — (Optional) Enter the ICMP address to deny.
● ip — (Optional) Enter the IP address to deny.
● tcp — (Optional) Enter the TCP address to deny.
● udp — (Optional) Enter the UDP address to deny.
● A.B.C.D — Enter the IP address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits to match to the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# deny ipv6 any any capture session 1
Supported Releases 10.2.0E or later

deny (MAC)
Configures a filter to drop packets with a specific MAC address.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# deny icmp any any capture session 1
Supported Releases 10.2.
○ fragment — (Optional) Use ACLs to control packet fragments.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny ip any any capture session 1 count
Supported Releases 10.2.
● ack — (Optional) Set the bit as acknowledgement.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
○ range — Range of ports, including the specified port numbers.
Default Not configured
Command Mode IPV6-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# deny tcp any any capture session 1
Supported Releases 10.2.
deny udp (IPv6)
Configures a filter to drop UDP IPv6 packets that match filter criteria.
Syntax deny udp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits to match to the IPv6 address.
Example
OS10(conf-ipv4-acl)# description ipacltest
Supported Releases 10.2.0E or later

ip access-group
Configures an IPv4 access group.
Syntax ip access-group access-list-name {in | out}
Parameters
● access-list-name — Enter the name of an IPv4 access list. A maximum of 140 characters.
● in — Apply the ACL to incoming traffic.
● out — Apply the ACL to outgoing traffic.
Parameters
● name — Enter an access list name.
● deny | permit — Reject or accept a matching route.
● regexp-string — Enter a regular expression string to match an AS-path route attribute.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information You can specify an access-list filter on inbound and outbound BGP routes. The ACL filter consists of regular expressions. If a regular expression matches an AS path attribute in a BGP route, the route is rejected or accepted.
● aa:nn — Enter the community number in the format aa:nn, where aa is the number that identifies the autonomous system and nn is a number that identifies the community within the autonomous system.
● no-advertise — BGP does not advertise this route to any internal or external peer.
● local-as — BGP does not advertise this route to external peers.
● no-export — BGP does not advertise this route outside a BGP confederation boundary.
● internet — BGP does not advertise this route to an Internet community.
Example
OS10(config)# ip extcommunity-list standard STD_LIST permit 4byteasgeneric transitive 1.65412:60
Supported Release 10.3.0E or later

ip prefix-list description
Configures a description of an IP prefix list.
Syntax ip prefix-list name description
Parameters
● name — Enter the name of the prefix list.
● description — Enter the description for the named prefix list.
● le — Enter to indicate the network address is less than or equal to the range specified.
● prefix-len — Enter the prefix length.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
OS10(config)# ip prefix-list allowprefix permit 10.10.10.1/16 ge 10
Supported Release 10.3.0E or later

ip prefix-list seq deny
Configures a filter to deny route filtering from a specified prefix list.
Supported Release 10.3.0E or later

ipv6 access-group
Configures an IPv6 access group.
Syntax ipv6 access-group access-list-name {in | out}
Parameters
● access-list-name — Enter the name of an IPv6 ACL. A maximum of 140 characters.
● in — Apply the ACL to incoming traffic.
● out — Apply the ACL to outgoing traffic.
● le — Enter to indicate the network address is less than or equal to the range specified.
● prefix-len — Enter the prefix length.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix list.
Example
OS10(config)# ipv6 prefix-list TEST deny AB10::1/128 ge 10 le 30
Supported Release 10.3.0E or later

ipv6 prefix-list description
Configures a description of an IPv6 prefix-list.
ipv6 prefix-list seq deny
Configures a filter to deny route filtering from a specified prefix-list.
Syntax ipv6 prefix-list [name] seq num deny {A::B/x [ge | le] prefix-len}
Parameters
● name — (Optional) Enter the name of the IPv6 prefix-list.
● num — Enter the sequence number of the specified IPv6 prefix-list.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
Supported Release
Command Mode CONFIGURATION CONTROL-PLANE
Usage Information Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports. The no version of this command resets the value to the default.
Example
Example (Control-plane ACL)
Supported Releases
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
permit (MAC)
Configures a filter to allow packets with a specific MAC address.
Syntax permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | count [byte] | cos | vlan]
Parameters
● nn:nn:nn:nn:nn:nn — Enter the MAC address.
● 00:00:00:00:00:00 — (Optional) Enter which bits in the MAC address must match. If you do not enter a mask, a mask of 00:00:00:00:00:00 applies.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# permit icmp any any capture session 1
Supported Releases 10.2.0E or later

permit icmp (IPv6)
Configures a filter to permit all or specific ICMP messages.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(conf-ipv4-acl)# permit ip any any capture session 1
Supported Releases 10.2.0E or later

permit ipv6
Configures a filter to permit all or specific packets from an IPv6 address.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Supported Releases 10.2.0E or later

permit udp
Configures a filter that allows UDP packets meeting the filter criteria.
Syntax permit udp [A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.
Parameters
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits that must match the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
NOTE: The control-plane ACL supports only the eq operator.
● host ipv6-address — (Optional) Enter the keyword and the IPv6 address to use a host address only.
● ack — (Optional) Set the bit as acknowledgement.
seq deny
Assigns a sequence number to deny IPv4 addresses while creating the filter.
Syntax seq sequence-number deny [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the ACL for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● host ipv6-address — (Optional) Enter to use an IPv6 host address only.
● capture — (Optional) Enter to capture packets the filter processes.
● count — (Optional) Enter to count packets the filter processes.
● byte — (Optional) Enter to count bytes the filter processes.
● dscp value — (Optional) Enter to deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Enter to use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging.
seq deny icmp
Assigns a filter to deny ICMP messages while creating the filter.
Syntax seq sequence-number deny icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# seq 10 deny icmp any any capture session 1 log
Supported Releases 10.2.0E or later

seq deny ip
Assigns a sequence number to deny IPv4 addresses while creating the filter.
● host ip-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny tcp any any capture session 1 log
Supported Releases 10.2.
Supported Releases 10.2.0E or later

seq deny udp
Assigns a filter to deny UDP packets while creating the filter.
Syntax seq sequence-number deny udp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.
seq deny udp (IPv6)
Assigns a filter to deny UDP packets while creating the filter.
Syntax seq sequence-number deny udp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
Supported Releases 10.2.0E or later

seq permit (MAC)
Assigns a sequence number to permit MAC addresses while creating a filter.
Syntax seq sequence-number permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | cos | count [byte] | vlan]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing, from 1 to 16777214.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
Supported Releases 10.2.0E or later

seq permit tcp
Assigns a sequence number to allow TCP packets while creating the filter.
Syntax seq sequence-number permit tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.
seq permit tcp (IPv6)
Assigns a sequence number to allow TCP IPv6 packets while creating the filter.
Syntax seq sequence-number permit tcp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
● ack — (Optional) Set the bit as acknowledgment.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
Ingress IPV6 access list aaa on ethernet1/1/2
Egress IPV6 access list aaa on ethernet1/1/2
Example (Control-plane ACL - IP)
OS10# show ip access-group aaa-cp-acl
Ingress IP access-list aaa-cp-acl on control-plane data mgmt
Example (Control-plane ACL - MAC)
OS10# show mac access-group aaa-cp-acl
Ingress MAC access-list aaa-cp-acl on control-plane data
Example (Control-plane ACL - IPv6)
OS10# show ipv6 access-group aaa-cp-acl
Ingress IPV6 access-list aaa-cp-acl on control-plane data mgmt
Supported Relea
Example (IP Out)
OS10# show ip access-lists out
Egress IP access list aaaa
Active on interfaces :
ethernet1/1/1
ethernet1/1/2
seq 10 permit ip any any
seq 20 permit tcp any any count (0 packets)
seq 30 permit udp any any count bytes (0 bytes)
Example (IPv6 In)
OS10# show ipv6 access-lists in
Ingress IPV6 access list bbb
Active on interfaces :
ethernet1/1
Example (IPv6 Out)
Example (IP In - Control-plane ACL)
Example (IPv6 In - Control-plane ACL)
Example (MAC In - Control-plane ACL)
Supported Releases
Parameters None
Default None
Command Mode EXEC
Usage Information The hardware pool displays the ingress application groups (pools), the features mapped to each of these groups, and space available in each of the pools. The amount of space required to store a single ACL rule in a pool depends on th The service pool displays the amount of used and free space for each of the features. The number of ACL rules conf displayed in the configured rules column.
Ingress ACL utilization - Pipe 2
Hardware Pools
----------------------------------------------------------------------
Pool ID   App(s)          Used rows   Free rows   Max rows
----------------------------------------------------------------------
0         SYSTEM_FLOW     98          414         512
1         SYSTEM_FLOW     98          414         512
2         SYSTEM_FLOW     98          414         512
3         USER_IPV4_ACL   0           512         512
4         USER_IPV4_ACL   0           512         512
5         FREE            0           512         512
6         USER_IPV6_ACL   0           512         512
7         USER_IPV6_ACL   0           512         512
8         USER_IPV6_ACL   0           512         512
9         USER_L2_ACL     0           512         512
10        USER_L2_ACL     0           512         512
11        FREE            0           5
S6010-ON platform
OS10# show acl-table-usage detail
Ingress ACL utilization
Hardware Pools
------------------------------------------------------------------
Pool ID   App(s)           Used rows   Free rows   Max rows
------------------------------------------------------------------
0         SYSTEM_FLOW      49          975         1024
1         SYSTEM_FLOW      49          975         1024
2         USER_IPV4_ACL    3           1021        1024
3         USER_L2_ACL      2           1022        1024
4         USER_IPV6_ACL    2           510         512
5         USER_IPV6_ACL    2           510         512
6         FCOE             55          457         512
7         FCOE             55          457         512
8         ISCSI_SNOOPING   12          500         512
9         FREE             0           512         512
10        PB
Parameters name — (Optional) Specify the name of the AS path access list.
Defaults None
Command Mode EXEC
Usage Information None
Example
OS10# show ip as-path-access-list
ip as-path access-list hello
permit 123
deny 35
Supported Releases 10.3.0E or later

show ip community-list
Displays the configured IP community lists in alphabetic order.
Syntax show ip community-list [name]
Parameters name — (Optional) Enter the name of the standard IP community list. A maximum of 140 characters.
show ip prefix-list
Displays configured IPv4 or IPv6 prefix list information.
Syntax show {ip | ipv6} prefix-list [prefix-name]
Parameters
● ip | ipv6 — (Optional) Displays information related to IPv4 or IPv6.
● prefix-name — Enter a text string for the prefix list name. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example
OS10# show ip prefix-list
ip prefix-list hello:
seq 10 deny 1.2.3.4/24
seq 20 permit 3.4.4.
Example (IPv6)
Supported Releases
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes a match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# continue 65535
Supported Releases 10.3.0E or later

match as-path
Configures a filter to match routes that have a certain AS path in their BGP paths.
Syntax match as-path as-path-name
Parameters as-path-name — Enter the name of an established AS-PATH ACL. A maximum of 140 characters.
● exact-match — (Optional) Select only those routes with the specified extcommunity list name.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the extcommunity match filter.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match extcommunity extcommlist1 exact-match
Supported Releases 10.3.0E or later

match interface
Configures a filter to match routes whose next-hop is the configured interface.
match ip next-hop
Configures a filter to match based on the next-hop IP addresses specified in IP prefix lists.
Syntax match ip next-hop prefix-list prefix-list
Parameters prefix-list — Enter the name of the configured prefix list. A maximum of 140 characters.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match ip next-hop prefix-list test100
Supported Releases 10.3.
match metric
Configures a filter to match on a specific value.
Syntax match metric metric-value
Parameters metric-value — Enter a value to match the route metric against, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(conf-route-map)# match metric 429132
Supported Releases 10.2.0E or later

match origin
Configures a filter to match routes based on the origin attribute of BGP.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match route-type external type-1
Supported Releases 10.3.0E or later

match tag
Configures a filter to redistribute only routes that match a specific tag value.
Syntax match tag tag-value
Parameters tag-value — Enter the tag value to match with the tag number, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Defaults None
Command Mode ROUTE-MAP
Usage Information In a route map, use this set command to add a list of communities that pass a permit statement to the COMMUNITY attribute of a BGP route sent or received from a BGP peer. Use the set comm-list delete command to delete a community list from a matching route.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set comm-list comlist1 add
Supported Releases 10.4.
set extcomm-list add
Add communities in the specified list to the EXTCOMMUNITY attribute in a matching inbound or outbound BGP route.
Syntax set extcomm-list extcommunity-list-name add
Parameter extcommunity-list-name — Enter the name of an established extcommunity list. A maximum of 140 characters.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set extcommunity rt 10.10.10.2:325
Supported Releases 10.3.0E or later

set local-preference
Sets the preference value for the AS path.
Syntax set local-preference value
Parameters value — Enter a number as the LOCAL_PREF attribute value, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information This command changes the LOCAL_PREF attribute for routes meeting the route map criteria.
Parameters
● type-1 — Adds a route to an existing community.
● type-2 — Sends a route in the local AS.
● external — Disables advertisement to peers.
Default Not configured
Command Mode ROUTE-MAP
Usage Information
● BGP
Affects BGP behavior only in outbound route maps and has no effect on other types of route maps. If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence.
set origin
Set the origin of the advertised route.
Syntax set origin {egp | igp | incomplete}
Parameters
● egp — Enter to add to existing community.
● igp — Enter to send inside the local-AS.
● incomplete — Enter to not advertise to peers.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the set clause from a route map.
Example
OS10(conf-route-map)# set origin egp
Supported Releases 10.2.
show route-map
Displays the current route map configurations.
Syntax show route-map [map-name]
Parameters map-name — (Optional) Specify the name of a configured route map. A maximum of 140 characters.
20 Quality of service
Quality of service (QoS) reserves network resources for highly critical application traffic with precedence over less critical application traffic. QoS prioritizes different types of traffic and ensures quality of service. You can control the following traffic flow parameters: Delay, Bandwidth, Jitter, and Drop. Different QoS features control the traffic flow parameters, as the traffic traverses a network device from ingress to egress interfaces.
Configuring QoS is a three-step process:
1. Create class-maps to classify the traffic flows. The following are the different types of class-maps:
● qos (default)—Classifies ingress data traffic.
● queuing—Classifies egress queues.
● control-plane—Classifies control-plane traffic.
● network-qos—Classifies traffic-class IDs for ingress buffer configurations.
● application—Classifies application-type traffic. The reserved policy-map policy-iscsi defines the actions for class-iscsi traffic.
2.
Ingress traffic classification
Ingress traffic can either be data or control traffic. OS10 groups network traffic into different traffic classes, from class 0 to 7, based on various parameters. Grouping traffic into different classes helps to identify and prioritize traffic as it goes through the switch.
NOTE: Traffic class is also called QoS group.
By default, OS10 does not classify data traffic. OS10 assigns the default traffic class ID 0 to all data traffic.
2. Define the set of dot1p values mapped to traffic-class, the qos-group ID.
OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 0-4
OS10(config-tmap-dot1p-map)# qos-group 5 dot1p 5-7
3. Verify the map entries.
OS10# show qos maps type trust-map-dot1p example-dot1p-trustmap-name
DOT1P Priority to Traffic-Class Map : example-dot1p-trustmap-name
Traffic-Class   DOT1P Priority
-------------------------------
3               0-4
5               5-7
4. Apply the map on a specific interface or on system-qos, global level.
Table 82. Default DSCP trust map (continued)
DSCP values   Traffic class ID   Color
32-35         4                  G
36-39         4                  Y
40-43         5                  G
44-47         5                  Y
48-51         6                  G
52-55         6                  Y
56-59         7                  G
60-62         7                  Y
63            7                  R
NOTE: You cannot modify the default DSCP trust map.

User–defined DSCP trust map
You can override the default mapping by creating a user-defined DSCP trust map. All the unspecified DSCP entries map to the default traffic class ID 0 and color G.
Configure user–defined DSCP trust map
1. Create a DSCP trust map.
● Interface level
OS10(conf-if-eth1/1/1)# trust-map dscp example-dscp-trustmap-name
● System-qos level
OS10(config-sys-qos)# trust-map dscp example-dscp-trustmap-name

ACL-based classification
Classify the ingress traffic by matching the packet fields using ACL entries. Classify the traffic flows based on QoS-specific fields or generic fields, using IP or MAC ACLs. Create a class-map template to match the fields.
1. Create a user defined dscp or dot1p trust-map.
OS10(config)# trust dscp-map userdef-dscp
OS10(config-tmap-dscp-map)# qos-group 3 dscp 15
OS10(config-tmap-dscp-map)# qos-group 5 dscp 30
2. Apply user-defined trust map to an interface or in system QoS.
OS10(conf-if-eth1/1/1)# trust-map dscp userdef-dscp
or
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dscp userdef-dscp
3. Create a class-map and attach it to a policy where trust is configured. This example uses 802.
○ ICMPv6-RS-NS is mapped to queue 5
○ iSCSI is mapped to queue 0
The rate limit configuration in CoPP policy before upgrade is automatically remapped to queues 6, 5, and 0 respectively after upgrade. For example, in release 10.4.1, the following policy configuration is applied on queue 5, which in 10.4.1 is mapped to ARP_REQ, ICMPV6_RS, ICMPV6_NS, and ISCSI protocols:
policy-map type control-plane test
!
class test
set qos-group 5
police cir 300 pir 300
After upgrade to release 10.4.
The following table lists the CoPP protocol mappings to queues, and default rate limits and buffer sizes on the S4148FE-ON platform. The number of control-plane queues is dependent on the hardware platform.
Table 84. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
For information about the current protocol to queue mapping and the rate-limit configured per queue, see show control-plane info.

Configure control-plane policing

Rate-limiting the protocol CPU queues requires configuring control-plane type QoS policies.

● Create QoS policies, class maps and policy maps, for the desired CPU-bound queue.
● Associate the QoS policy with a particular rate-limit.
● Assign the QoS service policy to control plane queues.
● Port shaping, storm control rate shaping, and CoPP rates are converted to kbps internally, even when configured in pps.

Assign service-policy

Rate controlling the traffic towards CPU requires configuring the control-plane type policy. To enable CoPP, apply the defined policy-map to CONTROL-PLANE mode.

1. Enter CONTROL-PLANE mode from CONFIGURATION mode.

control-plane

2. Define an input type service-policy and configure a name for the service policy in CONTROL-PLANE mode.
Configure protocol to queue remapping

You can re-map protocols or applications to queues that are mapped to unused protocols or applications. The show control-plane info default command output displays default protocol-to-queue mapping. VRRP is mapped to queue 17 by default.

1. Create a control-plane type class-map.

OS10(config)# class-map type control-plane example-cmap-protocol-queue-remap

2. Apply the match criteria by specifying the names of the protocols or applications.
View configuration

Use show commands to display the protocol traffic assigned to each control-plane queue and the current rate-limit applied to each queue. Use the show command output to verify the CoPP configuration.
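Because the control-plane counters are cumulative, verifying CoPP in practice means comparing two polls of show control-plane statistics. The following is an added example, not code from Dell or from this guide: it parses two captures and reports the queues whose drop counters grew between them. The sample captures are constructed, and the optional fifth column is assumed to be dropped bytes.

```python
import re
from typing import Dict, List, NamedTuple


class QueueCounters(NamedTuple):
    packets: int
    bytes: int
    dropped_packets: int


class Finding(NamedTuple):
    queue: int
    new_packets: int
    new_drops: int
    counters_reset: bool


# One data row: queue, packets, bytes, dropped packets, plus an optional fifth
# column (assumed here to be dropped bytes) that is read past and ignored.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+\d+)?\s*$")


def parse_statistics(text: str) -> Dict[int, QueueCounters]:
    """Return {queue: counters} from 'show control-plane statistics' output.

    The prompt line, the column header and blank lines do not match _ROW
    and are skipped.
    """
    counters: Dict[int, QueueCounters] = {}
    for line in text.splitlines():
        match = _ROW.match(line)
        if match:
            queue, packets, byte_count, dropped = map(int, match.groups())
            counters[queue] = QueueCounters(packets, byte_count, dropped)
    return counters


def new_drops(before: Dict[int, QueueCounters],
              after: Dict[int, QueueCounters],
              min_new_drops: int = 1) -> List[Finding]:
    """Report queues whose dropped-packet counter grew between two polls."""
    findings: List[Finding] = []
    for queue in sorted(after):
        cur = after[queue]
        prev = before.get(queue, QueueCounters(0, 0, 0))
        # Counters that went backwards were cleared (for example with
        # 'clear qos statistics') or the switch reloaded: count from zero.
        reset = (cur.packets < prev.packets
                 or cur.dropped_packets < prev.dropped_packets)
        if reset:
            prev = QueueCounters(0, 0, 0)
        drops = cur.dropped_packets - prev.dropped_packets
        if drops >= min_new_drops:
            findings.append(
                Finding(queue, cur.packets - prev.packets, drops, reset))
    return findings


# Constructed sample captures (not taken from a real switch).
POLL_1 = """\
OS10# show control-plane statistics
Queue Packets Bytes Dropped Packets
5 100 6400 0
6 3 204 0
7 6 408 0
17 50 3200 10
"""

# Second poll in the five-column layout; queue 17 was cleared in between.
POLL_2 = """\
OS10# show control-plane statistics
Queue Packets Bytes Dropped Packets
5 900 57600 450 28800
6 5 340 0 0
7 6 408 0 0
17 4 256 2 128
"""

if __name__ == "__main__":
    for f in new_drops(parse_statistics(POLL_1), parse_statistics(POLL_2)):
        note = " (counters were reset)" if f.counters_reset else ""
        print(f"queue {f.queue}: {f.new_drops} new drops, "
              f"{f.new_packets} new packets{note}")
```

Map the reported queue numbers back to protocols with show control-plane info, since the protocol-to-queue mapping differs between releases and platforms.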
12    2779    462189    0    0
13    0       0         0    0
14    1265    108790    0    0
15    422     36075     0    0
16    0       0         0    0
17    0       0         0    0
18    0       0         0    0
19    0       0         0    0

Egress traffic classification

Egress traffic is classified into different queues based on the traffic-class ID marked on the traffic flow. Set the traffic class ID for a flow by enabling trust, or by classifying ingress traffic and marking it with a traffic class ID using a policy map. By default, the value of traffic class ID for all the traffic is 0. The order of precedence for a qos-map is: 1.
● Interface level

OS10(conf-if-eth1/1/1)# qos-map traffic-class tc-q-map

● System-qos level

OS10(config-sys-qos)# qos-map traffic-class tc-q-map

Choose all traffic classified for a queue

1. Create a queuing type class-map to match queue 5.

OS10(config)# class-map type queuing q5

2. Define the queue to match.

OS10(config-cmap-queuing)# match queue 5

Policing traffic

Use policing to limit the rate of ingress traffic flow.
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# police cir 4000 pir 6000

3. Apply the QoS type policy-map to an interface.

OS10(config)# interface ethernet 1/1/15
OS10(conf-if-eth1/1/15)# service-policy input type qos example-flow-policer

Mark Traffic

You can select a flow and mark it with a traffic class ID. Traffic class IDs identify the traffic flow when the traffic reaches egress for queue scheduling.

Mark traffic

1. Create a QoS type class-map to match the traffic flow.
2. Modify the policy-map to update the DSCP field.

OS10(config)# policy-map modify-dscp
OS10(config-pmap-qos)# class cmap-dscp-3
OS10(config-pmap-c-qos)# set qos-group 3
OS10(config-pmap-c-qos)# set dscp 10

Shaping traffic

You can shape the rate of egress traffic. When you enable rate shaping, the system buffers all traffic exceeding the specified rate until the buffer memory is exhausted.
5. Configure a queuing class in POLICY-MAP mode.

class example-que-cmap-name

6. Assign a bandwidth percent, from 1 to 100 to nonpriority queues in POLICY-MAP-CLASS-MAP mode.
1. Apply the policy-map to the interface in INTERFACE mode or all interfaces in SYSTEM-QOS mode.

system qos

OR

interface ethernet node/slot/port[:subport]

2. Enter the output service-policy in SYSTEM-QOS mode or INTERFACE mode.
● Inter-frame gap—variable

The rate adjustment feature is disabled by default. To enable rate adjustment, use the qos-rate-adjust value_of_rate_adjust command. For example:

qos-rate-adjust 8

If you have configured WDRR and shaping on a particular queue, the queue can become congested. You should configure the QoS rate adjust value considering the overhead field size to avoid traffic drops on uncongested queues.
You must use the network QoS policy type to configure PFC on the ports. OS10 dedicates a separate buffer pool for CPU traffic. All default reserved buffers for the CPU port queues are from the CPU pool. The remaining buffers are shared across all CPU queues. You can modify the buffer settings of CPU queues. You can configure the size of the CPU pool using the control-plane-buffer-size command. OS10 allows configuration of buffers per priority-group and queue for each port.
NOTE: The supported speed varies for different platforms. After the reserved buffers are used, each LLFC starts consuming shared buffers from the lossless pool with the alpha value determining the threshold except for the S4200-ON series platform. The following table lists the priority flow control (PFC) buffer settings per PFC priority group: Table 89.
Deep Buffer mode

NOTE: This feature is supported only on the S4200-ON series.

OS10 provides the flexibility to configure the buffer mode based on your system requirements. The S4200-ON series switch comes with a default deep buffer size of 4.63 GB. You can use the hardware deep-buffer-mode command to enhance the deep buffer size to 6.24 GB. For information about how to configure deep buffer mode, see Configure Deep Buffer mode.
The configuration shows how to enable Deep Buffer mode in a switch.

OS10# configure terminal
OS10(config)# hardware deep-buffer-mode
% Warning: Deep buffer mode configuration will be applied only after a save and reload.
OS10(config)# exit
OS10# write memory
OS10# reload
Proceed to reboot the system? [confirm yes/no]: Y

To view Deep Buffer mode status, use the show hardware deep-buffer-mode command. The show command output displays the status of Deep Buffer mode in the current boot and the next boot.
2. Configure WRED threshold parameters for different colors in WRED CONFIGURATION mode.

OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 300 drop-probability 40

3. Configure the exponential weight value for the WRED profile in WRED CONFIGURATION mode.

OS10(config-wred)# random-detect weight 4

4. Enable ECN.

OS10(config-wred)# random-detect ecn

5. Enable WRED/ECN on a queue.
8. Assign a WRED profile to the specified queue.

OS10(config-pmap-c-que)# random-detect example-wred-prof-1

9. Exit CLASS MAP and POLICY MAP modes.

OS10(config-pmap-c-que)# exit
OS10(config-pmap-queuing)# exit

10. Enter SYSTEM QOS mode.

OS10(config)# configure system-qos

11. Enable ECN globally.

OS10(config-sys-qos)# random-detect ecn

After you enable ECN globally, ECN marks the CE bit of the ECN field in a packet as ECT.
● Use the trust-map or policy-map CLI commands to configure dot1p and DSCP traffic-class markings. For RoCEv2, classification is based only on DSCP.
● Use the qos-map CLI command to apply the traffic class to queues.
● Use the network-type policy-map to classify any of the priority values as lossless and fine-tune the respective buffer value depending on traffic congestion.
● Adjust the ECN threshold based on the traffic pattern.
OS10 (config-pmap-c-que)# bandwidth percent 30
OS10 (config-pmap-c-que)# exit
OS10 (config-pmap-queuing)# class Q3
OS10 (config-pmap-c-que)# bandwidth percent 70

Bandwidth and ECN configuration for RoCEv2 with ECN queue association:

OS10 (config)# class-map type queuing Q0
OS10 (config-cmap-queuing)# match queue 0
OS10 (config)# class-map type queuing Q3
OS10 (config-cmap-queuing)# match queue 3
OS10(config)# wred wred_ecn
OS10(config-wred)# random-detect
OS10(config-wred)# random-detect 2000 drop-proba
h. Enable PFC on the interface.

OS10 (conf-if-eth1/1/1)# priority-flow-control mode on

● For RoCEv2:

a. Enter INTERFACE mode and enter the no shutdown command.

OS10# configure terminal
OS10 (config)# interface ethernet 1/1/1
OS10 (conf-if-eth1/1/1)# no shutdown

b. Apply the network-qos type policy-map to the interface.

OS10 (conf-if-eth1/1/1)# service-policy input type network-qos policy_pfcdot1p3

c. Apply the queuing policy to egress traffic on the interface.
● To view qos map details such as dot1p or DSCP to traffic class mapping and traffic class to queue mapping, use the show qos maps command:

OS10# show qos maps

RoCE for VXLAN over VLT

OS10 supports RoCE for VXLAN in a VLT setup. Configuring RoCE with VXLAN is similar to configuring RoCE without VXLAN. When you configure VXLAN and span that across a VLT topology, apply the configuration on all interfaces across the VLT topology where you want to support RoCE.
OS10(conf-if-vl-3000)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# exit
OS10(config)# interface loopback 1
OS10(conf-if-lo-1)# ip address 1.1.1.1/32
OS10(conf-if-lo-1)# exit
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 8.8.8.
LLFC configuration — SW1

Instead of PFC, you can configure LLFC as follows:

OS10(config)# configure terminal
OS10(config)# class-map type network-qos llfc
OS10(config-cmap-nqos)# match qos-group 0-7
OS10(config-cmap-nqos)# exit
OS10(config)# policy-map type network-qos llfc
OS10(config-pmap-network-qos)# class llfc
OS10(config-pmap-c-nqos)# pause buffer-size 100 pause-threshold 50 resume-threshold 10
OS10(config-pmap-c-nqos)# end
OS10#
OS10# configure terminal
OS10(config)# interface range ethernet 1/1/1,1/
OS10(conf-if-po-2)# vlt-port-channel 20
OS10(conf-if-po-2)# no shutdown
OS10(conf-if-po-2)# exit
OS10(config)# interface range ethernet 1/1/20
OS10(conf-range-eth1/1/20)# channel-group 2 mode active
OS10(conf-range-eth1/1/20)# exit

VXLAN configuration — VLT peer 1

OS10(config)# configure terminal
OS10(config)# interface vlan 3000
OS10(conf-if-vl-3000)# ip address 5.5.5.
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 5
OS10(config-pmap-c-nqos)# end
OS10# configure terminal
OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/11,1/1/12
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# flowcontrol receive off
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# priority-flow-control mode on
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# ets mode on
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# service-policy input type network-qos p5
OS10(conf-range-eth1/1/1
OS10(conf-range-eth1/1/11,1/1/12)# no switchport mode
OS10(conf-range-eth1/1/11,1/1/12)# no switchport
OS10(conf-range-eth1/1/11,1/1/12)# no negotiation
OS10(conf-range-eth1/1/11,1/1/12)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/11
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/12
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# end
OS10#
OS10# configure terminal
OS10(config)# interface port-channel 2
OS10(conf-if-po-2)# vlt-port-channel 20
OS10(con
OS10(config-tmap-dot1p-map)# qos-group 7 dot1p 7
OS10(config-tmap-dot1p-map)# end
OS10# configure terminal
OS10(config)# class-map type network-qos c5
OS10(config-cmap-nqos)# match qos-group 5
OS10(config-cmap-nqos)# exit
OS10(config)# policy-map type network-qos p5
OS10(config-pmap-network-qos)# class c5
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 5
OS10(config-pmap-c-nqos)# end
OS10# configure terminal
OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/11,1/1/12
OS10(conf-range-
Enable DCBx — VLT peer 2

OS10# configure terminal
OS10(config)# dcbx enable

Configuration on ToR device

System configuration — ToR device

NOS# configure terminal
NOS(config)# interface vlan 200
NOS(conf-if-vl-200)# no shutdown
NOS(conf-if-vl-200)# exit
NOS(config)# interface port-channel 2
NOS(conf-if-po-2)# no shutdown
NOS(conf-if-po-2)# exit
NOS(config)# interface range ethernet 1/1/1,1/1/2
NOS(conf-range-eth1/1/1,1/1/2)# channel-group 2 mode active
NOS(conf-range-eth1/1/1,1/1/2)# end
NOS#
NOS# configure
NOS(config-pmap-network-qos)# class llfc
NOS(config-pmap-c-nqos)# pause buffer-size 100 pause-threshold 50 resume-threshold 10
NOS(config-pmap-c-nqos)# end
NOS# configure terminal
NOS(config)# interface range ethernet 1/1/1,1/1/2,1/1/3
NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontrol transmit on
NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontrol receive on
NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# service-policy input type network-qos llfc
NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# end

WRED/ECN configuration — ToR d
You can choose to reset the peak buffer utilization value and determine a new peak buffer utilization value. Use the clear qos statistics type buffer-statistics-tracking command to clear the tracked value and to refresh this counter. BST tracks peak buffer utilization over a period of time. At any given point in time, the peak buffer usage from the past is displayed.
Eth 1/1/12    1    2, 3    0, 2    up
Eth 1/1/13    2    2, 3    1, 3    down
Eth 1/1/14    2    2, 3    1, 3    down
Eth 1/1/15    2    2, 3    1, 3    down
Eth 1/1/16    2    2, 3    1, 3    down
Eth 1/1/17    3    0, 1    1, 3    down
Eth 1/1/18    3    0, 1    1, 3    down
Eth 1/1/19    3    0, 1    1, 3    down
Eth 1/1/20    3    0, 1    1, 3    down
Eth 1/1/21    0    0, 1    0, 2    down
Eth 1/1/22    0    0, 1    0, 2    down
Eth 1/1/23    0    0, 1    0, 2    down
Eth 1/1/24    0    0, 1    0, 2    down
Eth 1/1/25    3    0, 1    1, 3    up
Eth 1/1/26    3    0, 1    1, 3    down
Eth 1/1/27    3    0, 1
View information for a single interface:

OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface    Port Pipe    Ingress MMU    Egress MMU    Oper Status
--------------------------------------------------------------------------
Eth 1/1/1    3            0, 1           1, 3          down

QoS commands

bandwidth

Assigns a percentage of weight to the queue.
Default              Not configured
Command Mode         POLICY-MAP-QUEUEING
                     POLICY-MAP-QOS
                     POLICY-MAP-NQOS
                     POLICY-MAP-CP
                     POLICY-MAP-APPLICATION
Usage Information    If you define a class-map under a policy-map, the qos, queuing, or control-plane type is the same as the policy-map. You must create this map in advance. The only exception to this rule is when the policy-map type is trust, where the class type must be qos.
Example              OS10(conf-pmap-qos)# class c1
Supported Releases   10.2.
Usage Information    None
Example              OS10# clear qos statistics
Supported Releases   10.2.0E or later

clear qos statistics type

Clears all queue counters, including PFC, for control-plane, qos, and queueing.

Syntax               clear qos statistics type {{qos | queuing | control-plane | buffer-statistics-tracking} [interface ethernet node/slot/port[:subport]]}
Parameters           ● qos—Clears qos type statistics.
                     ● queuing—Clears queueing type statistics.
                     ● control-plane—Clears control-plane type statistics.
Example (classmap)   OS10(config)# class-map type control-plane c1
                     OS10(config-cmap-control-plane)#
Example (policymap)  OS10(config)# policy-map type control-plane p1
                     OS10(config-pmap-control-plane)#
Supported Releases   10.2.0E or later

control-plane-buffer-size

Configures the buffer size for the CPU pool.

Syntax               control-plane-buffer-size size-of-buffer-pool
Parameters           size-of-buffer-pool—Enter the buffer size in KB, from 620 KB to 900 KB.
hardware deep-buffer-mode

Configures Deep Buffer mode.

Syntax               hardware deep-buffer-mode
Parameters           None
Defaults             Disabled
Command Modes        CONFIGURATION
Usage Information    Applicable only for the S4200-ON series switches. Deep Buffer mode configuration takes effect only after you save it in the startup configuration and reboot the switch. The no version of this command disables Deep Buffer mode.
Example              OS10(config)# hardware deep-buffer-mode
Supported Releases   10.4.3.
Usage Information    In a match-any class, you can enter multiple match criteria. In a match-all class, if the match case is access-group, no other match criteria are allowed. If you attach the access-list to class-map type control-plane or qos, the access-list (IPv4, IPv6) ignores the permit and deny keywords.
match precedence

Configures IP precedence values as a match criteria.

Syntax               match [not] {ip | ipv6 | ip-any} precedence precedence-list
Parameters           ● not — Enter to cancel a previously applied match precedence rule.
Default              Not configured
Command Mode         CLASS-MAP
Usage Information    You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
Example
Supported Releases
Supported Releases   10.2.0E or later

mtu

Calculates the buffer size allocation for matched flows.

Syntax               mtu size
Parameters           size — Enter the size of the buffer (1500 to 9216).
Default              9216
Command Mode         POLICY-MAP-CLASS-MAP
Usage Information    The no version of this command returns the value to the default.
Example              OS10(conf-pmap-nqos-c)# mtu 2500
Supported Releases   10.3.0E or later

pause

Enables a pause based on buffer limits for the port to start or stop communication to the peer.
Supported Releases   10.3.0E or later

pfc-cos

Configures priority flow-control for class of service (CoS).

Syntax               pfc-cos cos-value
Parameters           cos-value — Enter a single, comma-delimited, or hyphenated range of CoS values for priority flow-control to enable, from 0 to 7.
                     NOTE: The range 0-7 is invalid. All other ranges, including 0-6 and 1-7 are valid.
pfc-shared-buffer-size

Changes the shared buffers size limit for priority flow-control enabled flows.

Syntax               pfc-shared-buffer-size buffer-size
Parameters           buffer-size — Enter the size of the priority flow-control buffer in KB, from 0 to 8911.
Default              832 KB
Command Mode         SYSTEM-QOS
Usage Information    The no version of this command returns the value to the default.
Example              OS10(conf-sys-qos)# pfc-shared-buffer-size 2000
Supported Releases   10.3.
Defaults             ● bc committed-burst-size value is 200 KB for control plane and 100 KB for all other class-map types
                     ● be peak-burst-size value is 200 KB for control plane and 100 KB for all other class-map types
Command Mode         POLICY-MAP-CLASS-MAP
Usage Information    If you do not provide the peak-rate pir values, the committed-rate cir values are taken as the pir values. Only the ingress QoS policy type supports this command. For control-plane policing, the rate values are in pps.
Supported Releases   10.2.0E or later

priority-flow-control mode

Enables or disables Priority Flow-Control mode on an interface.

Syntax               priority-flow-control mode [on]
Parameters           ● on — (Optional) Enables Priority Flow-Control mode.
Default              Disabled
Command Mode         INTERFACE
Usage Information    Before enabling priority flow-control on an interface, verify a matching network-qos type policy is configured with the pfc-cos value for an interface.
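The pre-check described under priority-flow-control mode, combined with the pfc-cos range rule, can be automated against a saved configuration. The following is an added example, not Dell code: it assumes a running-configuration text in which sub-commands are indented under their policy-map or interface line, and the sample configuration is constructed.

```python
import re
from typing import Dict, List, Set, Tuple


def expand_cos(spec: str) -> Set[int]:
    """Expand a pfc-cos value such as '5', '3,5' or '1-3,5' into CoS values."""
    values: Set[int] = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        start, end = int(low), int(high or low)
        if not 0 <= start <= end <= 7:
            raise ValueError(f"CoS value outside 0 to 7: {part!r}")
        values.update(range(start, end + 1))
    return values


def audit_pfc(config: str) -> List[Tuple[str, str]]:
    """Return (interface, problem) pairs for PFC-enabled interfaces."""
    policy_cos: Dict[str, Set[int]] = {}   # network-qos policy -> pfc-cos values
    pfc_on: List[str] = []                 # interfaces with PFC mode on
    applied: Dict[str, str] = {}           # interface -> network-qos policy
    kind = name = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():           # unindented line starts a new section
            kind = name = ""
            policy = re.fullmatch(r"policy-map type network-qos (\S+)", line)
            iface = re.fullmatch(r"interface (.+)", line)
            if policy:
                kind, name = "policy", policy.group(1)
                policy_cos[name] = set()
            elif iface:
                kind, name = "interface", iface.group(1)
        elif kind == "policy":
            cos = re.fullmatch(r"pfc-cos (\S+)", line)
            if cos:
                policy_cos[name] |= expand_cos(cos.group(1))
        elif kind == "interface":
            svc = re.fullmatch(
                r"service-policy input type network-qos (\S+)", line)
            if svc:
                applied[name] = svc.group(1)
            elif line == "priority-flow-control mode on":
                pfc_on.append(name)

    findings: List[Tuple[str, str]] = []
    for iface_name in pfc_on:
        policy_name = applied.get(iface_name)
        if policy_name is None:
            problem = "PFC is on but no network-qos service-policy is applied"
        elif policy_name not in policy_cos:
            problem = f"applied policy {policy_name} is not defined"
        elif not policy_cos[policy_name]:
            problem = f"policy {policy_name} sets no pfc-cos value"
        elif policy_cos[policy_name] == set(range(8)):
            problem = (f"policy {policy_name} enables pfc-cos 0-7, "
                       "which the guide lists as invalid")
        else:
            continue
        findings.append((iface_name, problem))
    return findings


# Constructed sample configuration (layout is an assumption, see lead-in).
SAMPLE_CONFIG = """\
class-map type network-qos c5
 match qos-group 5
!
policy-map type network-qos p5
 !
 class c5
  pause
  pfc-cos 5
!
policy-map type network-qos llfc
 !
 class llfc
  pause buffer-size 100 pause-threshold 50 resume-threshold 10
!
interface ethernet1/1/1
 priority-flow-control mode on
 service-policy input type network-qos p5
!
interface ethernet1/1/2
 priority-flow-control mode on
!
interface ethernet1/1/3
 priority-flow-control mode on
 service-policy input type network-qos llfc
"""

if __name__ == "__main__":
    for interface, problem in audit_pfc(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```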
Usage Information    If the trust map does not define DSCP values to any traffic class, those flows map to the default traffic class 0. If some of the DSCP values are already mapped to an existing traffic class, you will see an error. The no version of this command returns the value to the default.
Example              OS10(conf-tmap-dscp-qos)# qos-group 5 dscp 42
Supported Releases   10.3.0E or later

qos-map traffic-class

Creates a user-defined trust map for queue mapping.
○ 45 KB (10G)/111 KB (40G) if the queue is priority flow control enabled
○ 2 KB (10G)/8 KB (40G) if the queue is lossy/link-level flow control
○ If this is a priority flow-control queue, this configuration is invalid
○ Only supported for POLICY-MAP-CLASS-MAP (pmap-c-queue) mode
● thresh-mode — (Optional) Buffer threshold mode.
● dynamic thresh-alpha-value — (Optional) Enter the value indexes to calculate the shared threshold to the enabled dynamic shared buffer threshold, from 0 to 10.
queue qos-group

Configures a dot1p traffic class to a queue.

Syntax               queue number [qos-group dot1p-values]
Parameters           ● queue number — Enter the traffic single value queue ID, from 0 to 7.
                     ● qos-group dot1p-values — (Optional) Enter either single, comma-delimited, or a hyphenated range of dot1p values, from 0 to 7.
Default              0
Command Mode         TRUST-MAP
Usage Information    If the trust map does not define traffic class values to a queue, those flows map to the default queue 0.
Example              OS10(config)# interface ethernet 1/1/1
                     OS10(conf-if-eth1/1/1)# random-detect test_wred
Supported Releases   10.4.0E(R1) or later

random-detect (queue)

Assigns a WRED profile to the specified queue.

Syntax               random-detect wred-profile-name
Parameters           wred-profile-name — Enter the name of an existing WRED profile.
Default              Not configured
Command Mode         PMAP-C-QUE
Usage Information    The no version of this command removes the WRED profile from the queue.
Parameters           None
Default              Not configured
Command Mode         WRED CONFIGURATION
Usage Information    The no version of this command disables ECN.
Example              OS10(config)# wred test_wred
                     OS10(config-wred)# random-detect ecn
Supported Releases   10.4.0E(R1) or later

random-detect ecn

Enables ECN for the system globally.

Syntax               random-detect ecn
Default              Not configured
Command Mode         SYSTEM QOS
Usage Information    The no version of this command disables ECN globally.
random-detect weight

Configures the exponential weight value used to calculate the average queue depth for the WRED profile.

Syntax               random-detect weight weight-value
Parameters           weight-value — Enter a value for the weight, from 1 to 15.
Default              Not configured
Command Mode         WRED CONFIGURATION
Usage Information    The no version of this command removes the weight factor from the WRED profile.
Example              OS10(config)# wred test_wred
                     OS10(config-wred)# random-detect weight 10
Supported Releases   10.4.
Default              Not configured
Command Mode         POLICY-MAP-CLASS-MAP
Usage Information    You cannot enter two set statements with the same action-type. If you enter two set statements with the same action-type, the second statement overwrites the first. When class-map type is qos, the qos-group corresponds to data queues 0 to 7.
Example              OS10(conf-pmap-c-qos)# set cos 6
Supported Releases   10.2.0E or later

set dscp

Sets the drop precedence for incoming packets based on their DSCP value and color map profile.
shape

Shapes the outgoing traffic rate.

Syntax               shape {min {kbps | mbps | pps} min-value [burst-size]} {max {kbps | mbps | pps} max-value [max-burst-size]}
Parameters
Default              Maximum burst size is 50 kb or 200 packets
Command Mode         POLICY-MAP-CLASS-MAP
Usage Information    This command only supports the ingress QoS policy type. You must enter both the minimum and maximum values. If you enter the rate value in pps, the burst provided is in packets.
show control-plane buffers

Displays the pool type, reserved buffer size, and the maximum threshold value for each of the CPU queues.
show control-plane buffer-stats

Displays the control plane buffer statistics for each of the CPU queues.

Syntax               show control-plane buffer-stats
Parameters           None
Default              A predefined default profile exists.
show control-plane info

Displays control-plane queue mapping and rate limits.

Syntax               show control-plane info [default]
Parameters           default—Enter the keyword default to view the default protocol-to-queue mapping and default rate limits for the particular platform.
Default              Not configured
Command Mode         EXEC
Usage Information    Monitors statistics for the control-plane and to troubleshoot CoPP.
Usage Information    None
Example
OS10# show control-plane statistics
Queue    Packets    Bytes    Dropped Packets
0        0          0        0
1        0          0        0
2        0          0        0
3        0          0        0
4        0          0        0
5        0          0        0
6        3          204      0
7        6          408      0
8        0          0        0
9        0          0        0
10       0          0        0
11       0          0        0
12       0          0        0
13       0          0        0
14       0          0        0
15       0          0        0
16       0          0        0
17       0          0        0
18       0          0        0
19       0          0        0
20       0          0        0
21       0          0        0
22       0          0        0
OS10#
Supported Releases   10.2.0E or later

show hardware deep-buffer-mode

Displays the status of Deep buffer mode in the current and next boot of the switch.
Example: switch reloaded
OS10# show hardware deep-buffer-mode
Deep Buffer Mode Configuration Status
-------------------------------------------
Current-boot Settings : Enabled
Next-boot Settings    : Enabled
Supported Releases   10.4.3.0 or later

show interface priority-flow-control

Displays the priority flow-control, operational status, CoS bitmap, and statistics per port.
Example
OS10# show qos interface ethernet 1/1/10
Ethernet 1/1/10
unknown-unicast-storm-control : 100 pps
multicast-storm-control : 200 pps
broadcast-storm-control : Disabled
flow-control-rx: Enabled
flow-control-tx: Disabled
Service-policy (Input)(qos): p1
Supported Releases   10.2.0E or later

show policy-map

Displays information on all existing policy-maps.
Supported Releases   10.2.0E or later

show qos egress buffers interface

Displays egress buffer configurations.

Syntax               show qos egress buffers interface [interface node/slot/port[:subport]]
Parameters           ● interface — (Optional) Enter the interface type.
                     ● node/slot/port[:subport] — (Optional) Enter the port information.
Unicast      5    0
Unicast      6    0
Unicast      7    0
Multicast    0    0
Multicast    1    0
Multicast    2    0
Multicast    3    0
Multicast    4    0
Multicast    5    0
Multicast    6    0
Multicast    7    0
Supported Releases   10.4.3.0 or later

show qos egress buffer-stats interface

Displays the buffers statistics for the egress interface.

Syntax               show qos egress buffer-stats interface [interface node/slot/port[:subport]] [detail]
Parameters           ● interface — (Optional) Enter the interface type.
                     ● node/slot/port[:subport] — (Optional) Enter the port information.
Usage Information    Supported platforms include Z9100-ON series, Z9200-ON series, S5200-ON series, and MX9116n.
Example
OS10# show qos headroom-pool buffer-statistics-tracking
Headroom Pool    Buffers-Usage
---------------------------------
0                0
1                0
2                0
3                0
Supported Releases   10.4.3.0 or later

show qos ingress buffers interface

Displays interface buffer configurations.

Syntax               show qos ingress buffers interface [interface node/slot/port[:subport]]
Parameters           ● interface — (Optional) Enter the interface type.
show qos ingress buffer-statistics-tracking

Displays ingress priority group level peak buffer usage count in bytes for the given priority group on a given interface.

Syntax               show qos ingress buffer-statistics-tracking interface ethernet [node/slot/port] [priority-group {0-7}] [detail]
Parameters           ● node/slot/port—Enter the port information.
                     ● [priority-group {0-7}]—Enter the priority-group keyword, followed by the group number.
------------------------------------------------
0    9360    681824    35984
1    0       0         0
2    0       0         0
3    0       0         0
4    0       0         0
5    0       0         0
6    0       0         0
7    0       0         0
Supported Releases   10.3.0E or later

show qos maps

Displays the active system trust map.

Syntax               show qos maps type {tc-queue | trust-map-dot1p | trust-map dscp} trust-map-name
Parameters           ● dot1p — Enter to view the dot1p trust map.
                     ● dscp — Enter to view the DSCP trust map.
Default              Not configured
Command Mode         EXEC
Usage Information    None
Example (dot1p)
Traffic-Class    DOT1P Priority
-------------------------------
0                2
1                3
2                4
3                5
4                6
5                7
6                1

DSCP Priority to Traffic-Class Map : dscp-trustmap1
Traffic-Class    DSCP Priority
-------------------------------
0                8-15
2                16-23
1                0-7

Default Dot1p Priority to Traffic-Class Map
Traffic-Class    DOT1P Priority
-------------------------------
0                1
1                0
2                2
3                3
4                4
5                5
6                6
7                7

Default Dscp Priority to Traffic-Class Map
Traffic-Class    DSCP Priority
-------------------------------
0                0-7
1                8-15
2                16-23
3                24-31
4                32-39
5                40-47
6                48-55
7                56-
show qos maps (Z9332F-ON)

Displays the QoS maps configuration of the dot1p-to-traffic class, DSCP-to-traffic class, and traffic-class to queue mapping in the device.

Syntax               show qos maps type tc-queue
Parameters
Default              NA
Command Mode         EXEC
Usage Information    The command applies to the Z9332F-ON only. The command provides priority-to-traffic-class and traffic-class-to-queue mapping, both default and user configured.
Eth 1/1/5     2    2, 3    1, 3    up
Eth 1/1/6     2    2, 3    1, 3    up
Eth 1/1/7     2    2, 3    1, 3    up
Eth 1/1/8     2    2, 3    1, 3    up
Eth 1/1/9     1    2, 3    0, 2    up
Eth 1/1/10    1    2, 3    0, 2    up
Eth 1/1/11    1    2, 3    0, 2    up
Eth 1/1/12    1    2, 3    0, 2    up
Eth 1/1/13    2    2, 3    1, 3    down
Eth 1/1/14    2    2, 3    1, 3    down
Eth 1/1/15    2    2, 3    1, 3    down
Eth 1/1/16    2    2, 3    1, 3    down
Eth 1/1/17    3    0, 1    1, 3    down
Eth 1/1/18    3    0, 1    1, 3    down
Eth 1/1/19    3    0, 1    1, 3    down
Eth 1/1/20    3    0, 1    1, 3    down
Eth 1
Eth 1/1/1     1    2, 3    0, 2    up

Z9264F-ON switch:

OS10# show qos port-map details
--------------------------------------------------------------------------
Interface      Port Pipe    Ingress MMU    Egress MMU    Oper Status
--------------------------------------------------------------------------
Eth 1/1/1:1    0            0, 1           0, 2          up
Eth 1/1/3:1    1            2, 3           0, 2          up
Eth 1/1/3:2    1            2, 3           0, 2          up
Eth 1/1/3:3    1            2, 3           0, 2          up
Eth 1/1/3:4    1            2, 3           0, 2          up
Eth 1/1/5:1    1            2, 3           0, 2          down
Eth 1/1/5:2    1            2, 3           0, 2          down
Eth 1/1/5:3    1            2, 3           0, 2          down
Eth 1/1
Command Mode         EXEC
Usage Information    None
Example
OS10# show qos service-pool buffer-statistics-tracking
Service Pool    Ingress Buffers    Egress Buffers
---------------------------------------------------
0               0                  0
1               0                  0
2               0                  0
3               0                  0
Supported Releases   10.4.3.0 or later

show qos system

Displays the QoS configuration applied to the system.
The following command is supported on platforms such as the Z9100-ON, Z9264F-ON, and MX9116n:

OS10# show qos system ingress buffer detail
All values are in kb
Total buffers
Total lossless buffers
Maximum lossless buffers
Total shared lossless buffers
Total used shared lossless buffers
Total lossy buffers
Total shared lossy buffers
Total used shared lossy buffers
MMU 0
Total lossy buffers
Total shared lossy buffers
Total used shared lossy buffers
MMU 1
Total lossy buffers
Total shared lossy buffers
Total use
Supported Releases: 10.3.0E or later

show qos wred-profile
Displays the details of WRED profile configuration.
Syntax: show qos wred-profile [wred-profile-name]
Parameters: wred-profile-name — (Optional) Enter the Ethernet interface information.
Default: Not configured
Command Mode: EXEC
Usage Information: None
Example:
Example (S4200) — When ECN is enabled globally.
Example Example (wred) Example (queue) Supported Releases OS10# show queuing statistics interface ethernet 1/1/1 Interface ethernet1/1/1 Queue Packets Bytes Dropped-Bytes 0 0 0 0 1 0 0 0 2 0 0 0 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 7 0 0 0 Output 0 0 Dropped 0 0 Green Drop 0 0 Yellow Drop 0 0 Red Drop 0 0 ECN marked count 0 0 0 0 0 0 0 0 0 OS10# show queuing statistics interface ethernet 1/1/1 queue 3 Interface ethernet1/1/1 Queue Packets Bytes Dropped-Packets Dropped-Bytes 3 0 0 0 0 10.
Supported Releases: 10.2.0E or later

trust dot1p-map
Creates a user-defined trust map for dot1p flows.
Syntax: trust dot1p-map map-name
Parameters: map-name — Enter the name of the dot1p trust map. A maximum of 32 characters.
Default: Not configured
Command Mode: CONFIGURATION
Usage Information: If you enable trust, traffic obeys the dot1p map. default-dot1p-trust is a reserved trust-map name. The no version of this command returns the value to the default.
only during no traffic flow. Verify the correct policy maps are applied. The no version of this command returns the value to the default. The no version of this command removes the applied trust map from the interface or system QoS.
21 Virtual Link Trunking

Virtual Link Trunking (VLT) is a Layer 2 aggregation protocol used between an end device such as a server and two or more connected network devices. VLT helps to aggregate ports terminating on multiple switches. OS10 currently supports VLT port channel terminations on two different switches.
VLT:
● Provides node-level redundancy by using the same port channel terminating on multiple upstream nodes.
Optimized forwarding with VRRP
To ensure the same behavior on both sides of the VLT nodes, VRRP requires state information coordination. VRRP Active-Active mode optimizes L3 forwarding over VLT. By default, VRRP Active-Active mode is enabled on all the VLAN interfaces. VRRP Active-Active mode enables each peer to locally forward L3 packets, resulting in reduced traffic flow between peers over the VLTi link.

Spanning-Tree Protocol
VLT ports support RSTP, RPVST+, and MSTP.
● If the primary peer fails, the secondary peer takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption).
● In a VLT domain, the peer network devices must run the same OS10 software version.
NOTE: A temporary exception is allowed during the upgrade process. See the Dell EMC SmartFabric OS 10.5.0.x Release Notes for more information.
● Configure the same VLT domain ID on peer devices.
The following shows a scenario where VLT Peer A is being reloaded or going down: Until LACP convergence happens, the server continues to forward traffic to VLT Peer A resulting in traffic loss for a longer time interval.
These PDUs notify the server to direct the traffic to VLT Peer B hence minimizing traffic loss.

Configure VLT
Verify that both VLT peer devices are running the same operating system version. For VRRP operation, configure VRRP groups and L3 routing on each VLT peer.
Configure the following settings on each VLT peer device separately:
1. To prevent loops in a VLT domain, Dell EMC Networking recommends enabling STP globally using the spanning-tree mode command.
NOTE: If a VLT peer is reloaded, it automatically becomes the secondary peer regardless of the VLT primary-priority setting.
4. Configure VLTi interfaces with the no switchport command.
5. Configure the VLTi interfaces on each peer using the discovery-interface command. After you configure both sides of the VLTi, the primary and secondary roles in the VLT domain are automatically assigned if primary priority is not configured.
NOTE: Dell EMC recommends that you disable flow-control on discovery interfaces.
RPVST+ configuration
Configure RPVST+ on both the VLT peers. This creates an RPVST+ instance for every VLAN configured in the system. With RPVST+ configured on both VLT nodes, OS10 supports a maximum of 60 VLANs. The RPVST+ instances in the primary VLT peer control the VLT port channels on both the primary and secondary peers.
NOTE: RPVST+ is the default STP mode running on the switch. Use the following command only if you have another variant of the STP running on the switch.
RSTP configuration
● Enable RSTP on each peer node in CONFIGURATION mode.
instance instance-number vlan from-vlan-id — to-vlan-id
4. Configure the MST revision number, from 0 to 65535.
MULTIPLE-SPANNING-TREE revision revision-number
5. Configure the MST region name.
MULTIPLE-SPANNING-TREE name name-string
The following example shows that both VLT nodes are configured with the same MST VLAN-to-instance mapping.
Number of transitions to forwarding state: 1
Edge port: No (default)
Link Type: Point-to-Point
BPDU Sent: 2714, Received: 1234
Port 2001 (VLT-LAG -1(vlt-portid-1)) of MSTI 0 is designated Forwarding
Port path cost 200000, Port priority 128, Port Identifier 128.2001
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
Peer 2
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/1-1/1/2

Configure the VLT MAC address
You can manually configure the VLT MAC address. Configure the same VLT MAC address on both the VLT peer switches to avoid any unpredictable behavior during a VLT failover.
Configure the VLT backup link using the backup destination {ip-address | ipv6 ipv6-address} [vrf management] [interval interval-time]. The interval range is from 1 to 30 seconds. The default interval is 30 seconds. Irrespective of the interval that is configured, when the VLTi link fails, the system checks for the heartbeat connection without waiting for the timed intervals, thus allowing faster convergence.
For example, as shown, after the VLTi is down, VLT peer1 learns the MAC address of Host 2: VLT Peer 2 is not synchronized with the MAC address of Host 2 because the VLTi link is down. When traffic from Host 1 is sent to VLT Peer 2, VLT Peer 2 floods the traffic. When the VLT backup link is enabled, the secondary VLT Peer 2 identifies the node liveliness through the backup link. If the primary is up, the secondary peer brings down VLT port channels.
Role of VLT backup link in the prevention of loops during VLTi failure
When the VLTi is down, STP may fail to detect any loops in the system. This failure creates a data loop in an L2 network. As shown, STP is running in all three switches:
In the steady state, VLT Peer 1 is elected as the root bridge. When the VLTi is down, both the VLT nodes become primary. In this state, VLT Peer 2 sends STP BPDU to TOR assuming that TOR sends BPDU to VLT Peer 1.
When the VLT backup link is enabled, the secondary VLT peer identifies the node liveliness of primary through the backup link. If the primary VLT peer is up, the secondary VLT peer brings down the VLT port channels. In this scenario, the STP opens up the orphan port and there is no loop in the system, as shown:

Configure a VLT port channel
A VLT port channel, also known as a virtual link trunk, links an attached device and VLT peer switches. OS10 supports a maximum of 128 VLT port channels per node.
1.
Configure VLT port channel — peer 1
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20
Configure VLT port channel — peer 2
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20

Configure VLT peer routing
VLT peer routing enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed. VLT supports unicast routing of both IPv4 and IPv6 traffic. To enable VLT unicast routing, both VLT peers must be in L3 mode.
Migrate VMs across data centers with eVLT
OS10 switches support movement of virtual machines (VMs) across data centers using VRRP Active-Active mode. Configure symmetric VRRP with the same VRRP group ID and virtual IP in VLANs stretched or spanned across data centers. VMs use the VRRP Virtual IP address of the VLAN as Gateway IP. As the VLAN configurations are symmetric across data centers, you can move the VMs from one data center to another.
● Configure VRRP on L2 links between core routers:
C1(config)# interface vlan 100
C1(conf-if-vl-100)# ip address 10.10.100.1/24
C1(conf-if-vl-100)# vrrp-group 10
C1(conf-vlan100-vrid-10)# priority 250
C1(conf-vlan100-vrid-10)# virtual-address 10.10.100.
D1(config)# interface ethernet 1/1/4
D1(conf-if-eth1/1/4)# channel-group 10
D1(conf-if-eth1/1/4)# exit
● Configure OSPF on L3 side of core router:
D1(config)# router ospf 100
D1(config-router-ospf-100)# redistribute connected
D1(conf-router-ospf-100)# exit
D1(config)# interface vlan 200
D1(conf-if-vl-200)# ip ospf 100 area 0.0.0.
● Add members to port channel 20:
C2(config)# interface ethernet 1/1/5
C2(conf-if-eth1/1/5)# channel-group 20
C2(conf-if-eth1/1/5)# exit
C2(config)# interface ethernet 1/1/6
C2(conf-if-eth1/1/6)# channel-group 20
C2(conf-if-eth1/1/6)# exit

Sample configuration of D2:
● Configure VRRP on L2 links between core routers:
D2(config)# interface vlan 100
D2(conf-if-vl-100)# ip address 10.10.100.4/24
D2(conf-if-vl-100)# vrrp-group 10
D2(conf-vlan100-vrid-10)# virtual-address 10.10.100.
View VLT information
To monitor the operation or verify the configuration of a VLT domain, use a VLT show command on primary and secondary peers.
● View detailed information about the VLT domain configuration in EXEC mode, including VLTi status, local and peer MAC addresses, peer-routing status, and VLT peer parameters.
show vlt domain-id
● View the role of the local and remote VLT peer in EXEC mode.
show vlt domain-id role
● View any mismatches in the VLT configuration in EXEC mode.
delay-restore
Configures a time interval to delay bringing up the VLT ports after reload or peer-link restoration between the VLT peer switches.
Syntax: delay-restore seconds
Parameters: seconds — Enter a delay time, in seconds, to delay bringing up VLT ports after the VLTi link is detected, from 1 to 1200.
peer-routing
Enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed.
Syntax: peer-routing
Parameters: None
Default: Disabled
Command Mode: VLT-DOMAIN
Usage Information: The no version of this command disables peer routing.
Example:
OS10(conf-vlt-1)# peer-routing
Supported Releases: 10.2.0E or later

peer-routing-timeout
Configures the delay after which, the system disables peer routing when the peer is not available.
● If the heartbeat is up and the VLTi link goes down between the VLT peers, both the VLT peers retain their primary and secondary roles. However, the VLT port channel on the secondary VLT peer shuts down.
NOTE: When you configure a priority for VLT peers using this command, the configuration does not take effect immediately. The primary priority configuration comes into effect the next time election is triggered.
Example:
OS10(conf-vlt-1)#primary-priority 2
Supported Releases: 10.4.1.
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 11, Received: 7
Interface                                          Designated
Name                    PortID  Prio  Cost  Sts  Cost  Bridge ID             PortID
---------------------------------------------------------------------------------------------
VFP(VirtualFabricPort)  0.1     0     1     FWD  0     32768 0078.7614.6062  0.
Example (MSTP information on VLT)
OS10# show spanning-tree virtual-interface detail
Port 1 (VFP(VirtualFabricPort)) of MSTI 0 is designated Forwarding
Port path cost 0, Port priority 128, Port Identifier 128.1
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
VLT Delay-Restore timer : 90 seconds
Remaining time : 60 seconds
Delay-Restore Orphan-Port enabled interfaces : Eth1/1/10-1/1/15,1/1/17,1/1/20
                                               Po10-15,17,20
Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/12-1/1/14,1/1/20
                                                                Po10-12,Po17
WHEN DELAY-RESTORE TIMER HAS EXPIRED/NOT-RUNNING:
OS10# show vlt 1 delay-restore-orphan-port
VLT Delay-Restore timer : 90 seconds
Delay-Restore Orphan-Port enabled interfaces : Eth1/1/8 Eth1/1/10 Po1 Po4
Delay-Restore Orphan-Port Ignore VLTi F
show vlt mac-inconsistency
Displays inconsistencies in dynamic MAC addresses learned between VLT peers across spanned-VLANs.
Syntax: show vlt mac-inconsistency
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: Use this command to check for a mismatch of MAC address table entries between VLT peers. Use this command only when you observe network convergence issues. To verify VLT configuration mismatch issues on peer switches, use the show vlt domain-name mismatch command.
The show vlt mismatch dhcp-relay command displays the mismatch in the global ip dhcp-relay information-option co
The show vlt mismatch dhcp-relay command displays the presence or absence of interface level ip dhcp-relay inform
Example (no mismatch)
OS10# show vlt 1 mismatch
Peer-routing mismatch: No mismatch
VLAN mismatch: No mismatch
VLT VLAN mismatch: No mismatch
Example (mismatch)
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID    Peer-routing
-----------------------------------
* 1            Enabled
2
(VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) VLT Unit ID Mismatch Virtual Network List ---------------------------------------------------------------------------1 10,104 * 2 OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans ---------------------------------------------------------------------------1 101 * 2 100 OS10# show vlt all mismatch virtual-network Vi
------------------------------------
1               10.16.128.25
* 2             10.16.128.20
Virtual-network: 20
VLT Unit ID     Anycast-IP
------------------------------------
1               10.16.128.26
* 2             10.16.128.30
Example (Anycast IP addresses not configured on one of the virtual networks on both peers)
show vlt 1 mismatch virtual-network
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 10
VLT Unit ID     Anycast-IP
------------------------------------
1               10.16.128.
VLT Unit ID Option-82 Link-Selection Server-Override VSS ---------------------------------------------------------------------------------* 1 Enabled - 2 Disabled Interface Relay Configuration Mismatch -------------------------------------------------------------------Interface: virtual-network10000 VLT Unit ID Option-82 Server-Override VSS Source ---------------------------------------------------------------------------------* 1 Disabled 2 Enabled OS10# Supported Releases 10.2.
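The show vlt mismatch examples above lend themselves to an automated drift check between VLT peers. The following is an added example, not Dell EMC code: it parses captured command output and reports which mismatch sections contain per-unit rows. The line layout it expects is inferred from the flattened examples in this guide, and the sample text (including the Disabled value for unit 2) is constructed.

```python
"""Audit captured 'show vlt <domain-id> mismatch' output for peer drift.

Added example, not Dell EMC code. The line layout is an assumption inferred
from the flattened examples in this guide; the samples are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    context: Optional[str]  # sub-heading such as "Virtual-network: 20", or None
    unit: Optional[int]     # VLT unit ID, or None for unparsed text
    starred: bool           # row carried the '*' marker shown in the output
    value: Optional[str]    # setting reported for that unit


# "Peer-routing mismatch:" optionally followed by "No mismatch" on the same line
SECTION = re.compile(r"^(?P<name>.*\bmismatch)\s*:\s*(?P<rest>.*)$", re.IGNORECASE)
# "Virtual-network: 20" style sub-heading inside a section
CONTEXT = re.compile(r"^(?P<key>[A-Za-z][\w\- ]*?)\s*:\s*(?P<val>\S.*)$")
# "* 1   Enabled" or "2   10.16.128.30"; the value column may be empty
ROW = re.compile(r"^(?P<star>\*)?\s*(?P<unit>\d+)(?:\s+(?P<value>\S.*))?$")
RULE = re.compile(r"^-{3,}$")


def parse_vlt_mismatch(text: str) -> Dict[str, List[Finding]]:
    """Return {section: findings}; an empty list means the section is clean."""
    report: Dict[str, List[Finding]] = {}
    section = context = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or RULE.match(line) or line.startswith("OS10#"):
            continue
        m = SECTION.match(line)
        if m:
            section, context = m.group("name").strip(), None
            report.setdefault(section, [])
            rest = m.group("rest").strip()
            if rest and rest.lower() != "no mismatch":
                report[section].append(Finding(None, None, False, rest))
            continue
        if section is None or line.lower() == "no mismatch":
            continue
        if line.startswith("VLT Unit ID"):  # column header row
            continue
        m = ROW.match(line)
        if m:
            report[section].append(Finding(context, int(m.group("unit")),
                                           bool(m.group("star")), m.group("value")))
            continue
        m = CONTEXT.match(line)
        if m:
            context = f"{m.group('key')}: {m.group('val')}"
            continue
        # Unknown text inside a section is kept so that nothing is silently dropped.
        report[section].append(Finding(context, None, False, line))
    return report


def drifted_sections(text: str) -> List[str]:
    """Names of the sections that reported at least one row, in output order."""
    return [name for name, rows in parse_vlt_mismatch(text).items() if rows]


# Constructed samples modelled on the examples in this guide.
SAMPLE_CLEAN = """\
OS10# show vlt 1 mismatch
Peer-routing mismatch: No mismatch
VLAN mismatch: No mismatch
VLT VLAN mismatch: No mismatch
"""

SAMPLE_DRIFT = """\
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID     Peer-routing
-----------------------------------
* 1             Enabled
  2             Disabled
VLAN mismatch:
No mismatch
VLT VLAN mismatch:
No mismatch
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 20
VLT Unit ID     Anycast-IP
------------------------------------
  1             10.16.128.26
* 2             10.16.128.30
"""

if __name__ == "__main__":
    for name, rows in parse_vlt_mismatch(SAMPLE_DRIFT).items():
        print(name, "->", "clean" if not rows else rows)
```

Run it against output collected from both peers after each change window; a non-empty result from drifted_sections is the condition to alert on.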
VLT Unit ID   Port-Channel    Status   Configured ports   Active ports
---------------------------------------------------------------------
* 1           port-channel2   down     1                  0
2             port-channel2   down     1                  0
VLT ID : 3
VLT Unit ID   Port-Channel    Status   Configured ports   Active ports
---------------------------------------------------------------------
2             port-channel3   down     1                  0
Supported Releases: 10.2.0E or later

vlt-domain
Creates a VLT domain.
Default: Not configured
Command Mode: VLT-DOMAIN
Usage Information: Use this command to minimize the time required to synchronize the default MAC address of the VLT domain on both peer devices when one peer switch reboots. If you do not configure a VLT MAC address, the MAC address of the primary peer is used as the VLT MAC address across all peers. This configuration must be symmetrical in all the peer switches to avoid any unpredictable behavior. For example, unit down or VLTi reset.
22 Uplink Failure Detection

Uplink failure detection (UFD) indicates the loss of upstream connectivity to servers connected to the switch. A switch provides upstream connectivity for devices, such as servers. If the switch loses upstream connectivity, the downstream devices also lose connectivity. However, the downstream devices do not generally receive an indication that the upstream connectivity was lost because connectivity to the switch is still operational. To solve this issue, use UFD.
Configure uplink failure detection
Consider the following before configuring an uplink-state group:
● An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state.
● An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
● You can assign a physical port or a port channel to an uplink-state group.
● You can assign an interface to only one uplink-state group at a time.
● If you disable an uplink-state group, the downstream interfaces are not disabled, regardless of the state of the upstream interfaces.
● If you do not assign upstream interfaces to an uplink-state group, the downstream interfaces are not disabled.
Configuration:
1. Create an uplink-state group in CONFIGURATION mode.
uplink-state-group group-id
2. Configure the upstream and downstream interfaces in UPLINK-STATE-GROUP mode.
Eth 1/1/5(Dwn) Eth 1/1/9:2(Dwn) Eth 1/1/9:3(Dwn)
OS10#show uplink-state-group 1 detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled (NA): Not Available
*: VLT port-channel, V: VLT status, P: Peer Operational status ^: Tracking status
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)
OS10#show uplink-state-group 2 detail
(Up): Interface up (Dwn): Interfa
Table 92. UFD on VLT network (continued)
Event: VLTi Link is operationally up with heartbeat up
VLT action on primary node: No action
VLT action on secondary node: VLT module sends VLT port-channel enable request to Interface Manager (IFM) for both uplink and downlink.
UFD action: UFD receives operationally up of upstream VLT port-channel and sends clear errordisable of downstream VLT port-channel to IFM.

Event: Reboot of VLT secondary peer
VLT action on primary node: No action
VLT action on secondary node: After reboot, runs the delay restore timer.
Sample configurations of UFD on VLT
The following examples show some of the uplink-state groups on VLT.
In the following illustration, both the upstream and downstream members are part of VLT port-channels. The uplink-state group includes both the VLT port-channels as members.
In the following example, the upstream member is part of VLT port-channel and the downstream member is an orphan port. The uplink-state group includes the VLT port-channel, VLT node, and the downstream port.
OS10 does not support adding a VLTi link member to the uplink-state group. You can add the VLTi link as upstream member to an uplink-state group using the upstream VLTi command. If the VLTi link is not available in the system, OS10 allows adding the VLTi link as an upstream member. In this case, UFD starts tracking the operational status of the VLTi link when the link is available. Until the VLTi link is available, the show uplink-state-group details command displays the status of the link as NA.
UFD commands

clear ufd-disable
Overrides the uplink-state group configuration and brings up the downstream interfaces.
Syntax: clear ufd-disable {interface interface-type | uplink-state-group group-id}
Parameters:
● interface-type — Enter the interface type.
● group-id — Enter the uplink state group ID, from 1 to 32.
Default: None
Command Mode: EXEC
Usage Information: This command manually brings up a disabled downstream interface that is in a UFD-disabled error state.
Example:
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# downstream ethernet 1/1/1
Supported Releases: 10.4.0E(R3) or later

downstream auto-recover
Enables auto-recovery of the disabled downstream interfaces.
Syntax: downstream auto-recover
Parameters: None
Default: Enabled
Command Mode: UPLINK-STATE-GROUP
Usage Information: The no version of this command disables the auto-recovery of downstream interfaces.
Example:
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
Supported Releases: 10.4.0E(R3) or later

name
Configures a descriptive name for the uplink-state group.
Syntax: name string
Parameters: string — Enter a description for the uplink-state group. A maximum of 32 characters.
Default: Not configured
Command Mode: UPLINK-STATE-GROUP
Usage Information: The no version of this command removes the descriptive name.
Command Mode: EXEC
Usage Information: None
Example:
OS10# show uplink-state-group
Uplink State Group: 9, Status: Enabled,down
OS10# show uplink-state-group 9
Uplink State Group: 9, Status: Enabled,down
OS10#
Example (detail)
OS10# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 1 Status : Enabled,up Name : UFDGROUP1
Defer Time : 10 second(s)
Upstream Interfaces : Eth 1/1/7:1(Up)
Downstream Interfaces: Eth 1/1/4(Dwn) 1/1/9:3(Dwn)
uplink-state-group
Creates an uplink-state group and enables upstream link tracking.
Syntax: uplink-state-group group-id
Parameters: group-id — Enter a unique ID for the uplink-state group, from 1 to 32.
Default: None
Command Mode: CONFIGURATION
Usage Information: The no version of this command removes the uplink-state group.
Example:
OS10(config)# uplink-state-group 1
Supported Releases: 10.4.
23 Converged data center services

OS10 supports converged data center services, including IEEE 802.1 data center bridging (DCB) extensions to classic Ethernet. DCB provides I/O consolidation in a data center network. Each network device carries multiple traffic classes while ensuring lossless delivery of storage traffic with best-effort for local area network (LAN) traffic and latency-sensitive scheduling of service traffic.
● 802.1Qbb — Priority flow control
● 802.
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● Provisioning PFC is not supported when deep buffer mode is enabled.
● Configure the traffic class ID to queue mapping policy on egress interfaces.
● You cannot enable PFC on all the physical interfaces, when you have split the ports to multiple breakout interfaces. For more information, see the 'PFC configuration notes' section in the Dell EMC SmartFabric OS10 User Guide.
● Apply the default trust map specifying that dot1p values are trusted in SYSTEM-QOS or INTERFACE mode.
trust-map dot1p default

Configure a non-default dot1p-priority-to-traffic class mapping
1. Configure a trust map of dot1p traffic classes in CONFIGURATION mode. A trust map does not modify ingress dot1p values in output flows. Assign a qos-group to trusted dot1p values in TRUST mode using 1-to-1 mappings. Dot1p priorities are 0 to 7.
Default TC-to-queue mapping format
The following is the format for Z9332F-ON:
Default Traffic-Class to Queue Map
Traffic Class   Queue Number   Type
---------------------------------------------
0               0              Unicast
0-2             0              Multicast
1               1              Unicast
3-5             1              Multicast
2               2              Unicast
6-7             2              Multicast
3               3              Unicast
4               4              Unicast
5               5              Unicast
6               6              Unicast
7               7              Unicast
The following is the default TC-to-Queue Mapping format:
Default Traffic-Class to Queue Map
Traffic-Class   Queue number   Type
----------------------------------------
0               0              Both
1               1              B
4. (Optional) Configure the PFC shared buffer for lossless traffic.

Create PFC dot1p traffic classes
1. Create a network-qos class map to classify PFC traffic classes in CONFIGURATION mode, from 1 to 7. Specify the traffic classes using the match qos-group command. QoS-groups map 1:1 to traffic classes 1 to 7; for example, qos-group 1 corresponds to traffic class 1. Enter a single value, a hyphen-separated range, or multiple qos-group values separated by commas in CLASS-MAP mode.
PFC is enabled on traffic classes with dot1p 3 and 4 traffic. The two traffic classes require different ingress queue processing. In the network-qos pp1 policy map, class cc1 uses customized PFC buffer size and pause frame settings; class cc2 uses the default settings.
3 - - - - 4 - - - - 5 - - - - 6 - - - - 7 9360 static 12779520 - - View PFC system buffer configuration OS10# show qos system ingress buffer All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 12187 0 5512 0 11567 11192 0 OS10# show qos system egress buffer All values are in kb Total buffers - 12187 Total
Parameters:
● buffer-size kilobytes — Enter the reserved (guaranteed) ingress-buffer size in kilobytes for PFC dot1p traffic, from 0 to 7787.
● pause-threshold kilobytes — Enter the buffer threshold limit (in kilobytes) to send pause frames to a transmitting device to temporarily halt the data transmission, from 0 to 7787.
● resume-threshold kilobytes — Enter the threshold limit (in kilobytes) at which a request is sent to the transmitting device to resume sending traffic, from 0 to 7787.
Example (policymap)
OS10(config)# policy-map type network-qos pp1
OS10(conf-pmap-network-qos)# class cc1
OS10(conf-pmap-c-nqos)# pfc-cos 3
Supported Releases: 10.3.0E or later

pfc-shared-buffer-size
Configures the number of shared buffers available for PFC-enabled traffic on the switch.
Syntax: pfc-shared-buffer-size kilobytes
Parameter: kilobytes — Enter the total amount of shared buffers available to PFC-enabled dot1p traffic in kilobytes, from 0 to 7787.
Parameters:
● thresh-mode — Specifies the Buffer threshold mode.
● static kilobytes — Enter the static followed by the fixed shared-buffer limit available for PFC traffic-class queues in kilobytes, from 0 to 7787. The value of this parameter must be within the maximum amount tuned by the pfc-shared-buffer-size command.
● dynamic weight — Enter the dynamic followed by the weight value used to dynamically determine the shared-buffer limit available for PFC traffic-class queues, from 1 to 10.
Enhanced transmission selection
ETS provides customized bandwidth allocation to 802.1p classes of traffic. Assign different amounts of bandwidth to Ethernet, FCoE, or iSCSI traffic classes that require different bandwidth, latency, and best-effort treatment during network congestion. ETS divides traffic into different priority groups using their 802.1p priority value.
number is used only internally to schedule classes of ingress traffic. Enter multiple dot1p and dscp values in a hyphenated range or separated by commas.
trust dot1p-map dot1p-map-name
qos-group {0-7} dot1p {0-7}
exit
trust dscp-map dscp-map-name
qos-group {0-7} dscp {0-63}
exit
2. Configure a QoS map with trusted traffic-class (qos-group) to lossless-queue mapping in CONFIGURATION mode. Assign one or more qos-groups, from 0 to 7, to a specified queue in QOS-MAP mode.
8. Apply the queuing policy to egress traffic in SYSTEM-QOS or INTERFACE mode.
service-policy output type queuing policy-map-name
9. Enable ETS globally in SYSTEM-QOS mode or on an interface/interface range in INTERFACE mode.
NOTE: If you have not enabled PFC on all the interfaces, this configuration at the global level is not required. Enable ETS on the specific interfaces.
View QoS maps: traffic-class to queue mapping
OS10# show qos maps
Traffic-Class to Queue Map: tc-q-map1
queue 0 qos-group 0
queue 1 qos-group 1
Traffic-Class to Queue Map: dot1p_map1
qos-group 0 dot1p 0-3
qos-group 1 dot1p 4-7
DSCP Priority to Traffic-Class Map : dscp_map1
qos-group 0 dscp 0-31
qos-group 1 dscp 32-63

ETS commands

ets mode on
Enables ETS on an interface.
DCBX configuration notes
● DCBX is a prerequisite for using DCB features, such as PFC and ETS, to exchange link-level configurations in a converged network.
● DCBX, when deployed in topologies, enables lossless operation for FCoE or iSCSI traffic. In these scenarios, all network devices in the topology must have DCBX enabled.
● DCBX uses LLDP to advertise and automatically negotiate the administrative state and PFC or ETS configuration with directly connected DCB peers.
● OS10 supports DCBX versions CEE and IEEE2.5.
● If ETS and PFC are enabled, DCBX advertises ETS configuration, ETS recommendation, and PFC configuration. When you configure application-specific parameters such as FCoE or iSCSI to be advertised, DCBX advertises the respective Application Priority TLVs.
● A DCBX-enabled port operates only in a manual role. In this mode, the port operates only with user-configured settings and does not autoconfigure with DCB settings that are received from a DCBX peer.
Interface ethernet1/1/3
Port Role is Manual
DCBX Operational Status is Disabled
Reason: Port Shutdown
Is Configuration Source? FALSE
Local DCBX Compatibility mode is AUTO
Local DCBX Configured mode is AUTO
Peer Operating version is Not Detected
Local DCBX TLVs Transmitted: erpfi
0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC
0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0
0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0
0 Input Appln Priority TLV pkts, 0 Output Appln Priority Prio
Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
Local ISCSI PriorityMap is 0x10
Remote ISCSI PriorityMap is 0x10
220 Input TLV pkts, 350 Output TLV pkts, 0 Error pkts
71 Input Appln Priority TLV pkts, 80 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts

View DCBX ETS TLV status
OS10# show lldp dcbx interface ethernet 1/1/15 ets detail
Interface ethernet1/1/15
Max Supported PG is 8
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
PG-grp Priority# Bandwidth TSA
------------------------------
DCBX commands

dcbx enable
Enables DCBX globally on all interfaces.
Syntax: dcbx enable
Parameters: None
Default: Disabled
Command Mode: CONFIGURATION
Usage Information: DCBX is disabled at a global level and enabled at an interface level by default. For DCBX to be operational, DCBX must be enabled at both the global and interface levels. Enable DCBX globally using the dcbx enable command to activate the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations.
Command Mode: INTERFACE
Usage Information: In Auto mode, a DCBX-enabled port detects an incompatible DCBX version on a peer device port and automatically reconfigures a compatible version on the local port. The no version of this command disables the DCBX version.
Example:
OS10(conf-if-eth1/1/2)# dcbx version cee
Supported Releases: 10.3.0E or later

debug dcbx
Enables DCBX debugging.
Supported Releases: 10.3.0E or later

show debug dcbx
Displays the list of debug options that are enabled for DCBX.
Syntax: show debug dcbx
Parameters: None
Command Mode: EXEC
Usage Information: None
Example:
OS10# show debug dcbx
Dcbx debug settings:
debug dcbx all
no debug dcbx events interface mgmt
debug dcbx pdu in interface ethernet 1/1/1
Supported Releases: 10.5.1.0 or later

show lldp dcbx
Displays the DCBX configuration and PFC or ETS TLV status on an interface.
Peer Operating version is Not Detected
Local DCBX TLVs Transmitted: erpfi
0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC pkts
0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts
0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts
0 Input Appln Priority TLV pkts, 0 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecogn
Interface ethernet1/1/15
Port Role is Manual
DCBX Operational Status is Enabled
Is Configuration Source? FALSE
Local DCBX Compatibility mode is IEEEv2.5
Local DCBX Configured mode is IEEEv2.5
Peer Operating version is IEEEv2.
6 0% SP
7 0% SP
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
5 Input Conf TLV Pkts, 2 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
5 Input Reco TLV Pkts, 2 Output Reco TLV Pkts, 0 Error Reco TLV Pkts
Example (PFC detail)
OS10# show lldp dcbx interface ethernet 1/1/15 pfc detail
Interface ethernet1/1/15
Admin mode is on
Admin is enabled, Priority list is 4,5,6,7
Remote is enabled, Priority list is 4,5,6,7
Remote
In an iSCSI session, a switch connects CNA servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN or TCP/IP network. iSCSI optimization running on the switch uses dot1p priority-queue assignments to ensure that iSCSI traffic receives priority treatment.

iSCSI configuration notes
● Enable iSCSI optimization so the switch autodetects and autoconfigures Dell EMC EqualLogic storage arrays that are directly connected to an interface.
1. Configure an interface or interface range to detect a connected storage device.
interface ethernet node/slot/port:[subport]
interface range ethernet node/slot/port:[subport]-node/slot/port[:subport]
2. Enable the interface to support a storage device that is directly connected to the port and not automatically detected by iSCSI. Use this command for storage devices that do not support LLDP.
OS10(config)# iscsi target port 3261 ip-address 10.1.1.
● Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flowcontrol receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.1 or later, the existing iSCSI configuration is retained and the flowcontrol receive could be set to on or off, depending on the iSCSI configuration before the upgrade.
Command Mode CONFIGURATION Usage Information iSCSI optimization automatically detects storage arrays and autoconfigures switch ports with the iSCSI parameters that are received from a connected device. The no version of this command disables iSCSI autodetection. Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flow control receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.
iscsi session-monitoring enable
Enables iSCSI session monitoring.
Syntax iscsi session-monitoring enable
Parameter None
Default Disabled
Command Mode CONFIGURATION
Usage Information To configure the aging timeout in iSCSI monitoring sessions, use the iscsi aging time command. To configure the TCP ports that listen for connected storage devices in iSCSI monitoring sessions, use the iscsi target port command. The no version of this command disables iSCSI session monitoring.
Example OS10(conf-if-eth1/1/1)# lldp tlv-select dcbxp-appln iscsi
Supported Releases 10.3.0E or later

show iscsi
Displays the current configured iSCSI settings.
Syntax show iscsi
Parameters None
Command Mode EXEC
Usage Information This command output displays global iSCSI configuration settings. To view target and initiator information, use the show iscsi session command.
Initiator:iqn.1991-05.com.microsoft:win-rlkpjo4jun2
Up Time:00:00:16:02(DD:HH:MM:SS) Time for aging out:29:23:59:35(DD:HH:MM:SS)
ISID:400001370000
Initiator      Initiator  Target       Target    Connection
IP Address     TCP Port   IP Address   TCP Port  ID
----------------------------------------------------------
10.10.10.210   54835      10.10.10.40  3260      1
Supported Releases 10.3.0E or later

show iscsi storage-devices
Displays information about the storage arrays directly attached to OS10 ports.
2. PFC configuration (global)
PFC is enabled on traffic classes with dot1p 4, 5, 6, and 7 traffic. All the traffic classes use the default PFC pause settings for shared buffer size and pause frames in ingress queue processing in the network-qos policy map. The trust-map dot1p default honors (trusts) all dot1p ingress traffic.
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# exit
OS10(config)# policy-map type queuing pmap1
OS10(config-pmap-queuing)# class cmap1
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# exit
OS10(config-pmap-queuing)# class cmap2
OS10(config-pmap-c-que)# bandwidth percent 70
OS10(config-pmap-c-que)# end
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dot1p default
5.
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
8.
PG-grp  Priority#  Bandwidth  TSA
------------------------------------------------
0       0,1,2,3,   30%        ETS
1       4,5,6,7    70%        ETS
2                  0%         ETS
3                  0%         ETS
4                  0%         ETS
5                  0%         ETS
6                  0%         ETS
7                  0%         ETS
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
2 Input Conf TLV Pkts, 27 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
2 Input Reco TLV Pkts, 27 Output Reco TLV Pkts, 0 Error Reco TLV Pkts
10.
4 Input Appln Priority TLV pkts, 3 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
12. DCBX configuration (interface)
This example shows how to configure and verify different DCBX versions.
trust-map dot1p default
service-policy output type queuing pmap1
ets mode on
qos-map traffic-class tmap2
trust-map dot1p tmap1
priority-flow-control mode on
OS10(conf-if-eth1/1/53)# do show lldp dcbx interface ethernet 1/1/53
E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled f-Application Priority for FCOE disabled
I-Applic
24 sFlow

sFlow is a standards-based sampling technology embedded within switches and routers that monitors network traffic. It provides traffic monitoring for high-speed networks with many switches and routers.
● Enable sFlow in CONFIGURATION mode.
sflow enable
● Disable sFlow in CONFIGURATION mode.
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
sflow enable
!

Collector configuration
Configure the IPv4 or IPv6 address for the sFlow collector. When you configure the collector, enter a valid and reachable IPv4 or IPv6 address. You can configure a maximum of two sFlow collectors. If you specify two collectors, samples are sent to both.
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collector(s) configured
Collector IP addr:4.4.4.1 Agent IP addr:1.1.1.1 UDP port:6343 VRF:RED
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected

Polling-interval configuration
The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics.
● Set the sampling rate in CONFIGURATION mode, from 4096 to 65535. The default is 32768.
sflow sample-rate sampling-size
● Disable packet sampling in CONFIGURATION mode.
no sflow sample-rate
● View the sampling rate in EXEC mode.
OS10(config)# sflow source-interface loopback 1
OS10(config)# sflow source-interface vlan 10
View sFlow running configuration
OS10# show running-configuration sflow
sflow enable all-interfaces
sflow source-interface vlan10
sflow collector 5.1.1.1 agent-addr 4.1.1.1 6343
sflow collector 6.1.1.1 agent-addr 4.1.1.1 6343
OS10(config)#show running-configuration interface vlan
!
interface vlan1
no shutdown
!
interface vlan10
no shutdown
ip address 10.1.1.
● View the sFlow running configuration in EXEC mode.
OS10# show running-configuration sflow
sflow enable
sflow max-header-size 80
sflow polling-interval 30
sflow sample-rate 4096
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
sflow enable
!

sFlow commands

sflow collector
Configures an sFlow collector IP address where sFlow datagrams are forwarded. You can configure a maximum of two collectors.
Default Disabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables sFlow.
sflow sample-rate
Configures the sampling rate.
Syntax sflow sample-rate value
Parameter value — Enter the packet sample rate, from 4096 to 65535. The default is 32768.
Default 32768
Command Mode CONFIGURATION
Usage Information Sampling rate is the number of packets skipped before the sample is taken. For example, if the sampling rate is 4096, one sample is generated for every 4096 packets observed. The no version of the command resets the sampling rate to the default value.
Parameter interface type — (Optional) Enter either ethernet or port-channel for the interface type. Command Mode EXEC Usage Information OS10 does not support statistics for UDP packets dropped and samples received from the hardware.
25 Telemetry

Network health relies on performance monitoring and data collection for analysis and troubleshooting. Network data is often collected with SNMP and CLI commands using the pull mode. In pull mode, a management device sends a get request and pulls data from a client. As the number of objects in the network and the metrics grow, traditional methods limit network scaling and efficiency. Using multiple management systems further limits network scaling.
Table 95. BGP peers
YANG Container                      Minimum sampling interval (milliseconds)
infra-bgp/peer-state/peer-status    0

Buffer statistics
Table 96. Buffer statistics
YANG Container                      Minimum sampling interval (milliseconds)
base-qos/queue-stat                 15000
base-qos/priority-group-stat        15000
base-qos/buffer-pool-stat           15000
base-qos/buffer-pool                15000

Device information
Table 97.
System statistics
Table 101. System statistics
YANG Container                      Minimum sampling interval (milliseconds)
system-status/current-status        15000

Configure telemetry
NOTE: To set up a streaming telemetry collector, download and use the OS10 telemetry .proto files from the Dell EMC Support site.
To enable the streaming of telemetry data to destinations in a subscription profile:
1. Enable telemetry on the switch.
2. Configure a destination group.
3.
1. Enter the destination group name in TELEMETRY mode. A maximum of 32 characters.
OS10(conf-telemetry)# destination-group group-name
2. Enter the IPv4 or IPv6 address and transport-service port number in DESTINATION-GROUP mode. Only one destination is supported in the 10.4.3.0 release. You can enter a fully qualified domain name (FQDN) for ip-address. The destination domain name resolves to an IP address — see System domain name and list.
View telemetry configuration Use the following show commands to display telemetry configuration. OS10# show telemetry Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
View destination group OS10# show telemetry destination-group Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.204:40001 is in connected state Verify telemetry in running configuration OS10# show running-configuration telemetry ! telemetry enable ! destination-group dest1 destination 10.11.56.
Default Telemetry is disabled on the switch.
Command mode CONFIGURATION
Usage information Enable and disable streaming telemetry in Telemetry mode.
Example OS10(config)# telemetry
OS10(conf-telemetry)#
Supported releases 10.4.3.0 or later

enable
Enables telemetry on the switch.
Syntax enable
Parameters None
Default Telemetry is disabled.
Command mode TELEMETRY
Usage information Enter the no enable command to disable telemetry.
Example OS10(conf-telemetry)# enable
Supported releases 10.4.
● domain-name — Enter the fully qualified domain name of the destination device. A maximum of 32 characters.
● port-number — Enter the transport-service port number to which telemetry data is sent on the destination device.
Default Not configured
Command mode DESTINATION-GROUP
Usage information When you associate a destination group with a subscription, telemetry data is sent to the IP address and port specified by the destination command. In the 10.4.3.0 release, only one destination is supported.
Supported releases 10.4.3.0 or later sensor-group (subscription-profile) Assigns a sensor group with sampling interval to a subscription profile for streaming telemetry.
Usage information This command assigns the sensors from which data is collected for streaming telemetry to a subscription profile and specifies the sampling rate. To add sensor groups to the subscription profile, reenter the command. The interface sensor group supports only physical and port channel interfaces. The no version of this command deletes the sensor group from the subscription profile. NOTE: The subscription profile should contain either OS10 sensor groups or openconfig sensor groups.
transport
Configures the transport protocol used to stream telemetry data to a remote management device.
Syntax transport protocol [no-tls]
Parameters
● protocol — Enter the gRPC (Google remote procedure call) transport protocol used for telemetry sessions.
● no-tls — (Optional) Disable Transport Layer Security (TLS) certificate exchange with gRPC transport.
Default OS10 telemetry uses the gRPC protocol for transport with TLS certificates enabled.
show telemetry
Displays the configured destination-group, sensor-group, and subscription profiles for streaming telemetry.
Syntax show telemetry [destination-group [group-name] | sensor-group [group-name] | subscription-profile [profile-name]]
Parameters
● destination-group — Display only destination groups or a specified group.
● sensor-group — Display only sensor groups or a specified group.
● subscription-profile — Display only subscription profiles or a specified profile.
Sensor Path : openconfig-lacp/lacp Group : oc-lag Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-lldp Sensor Path : openconfig-lldp/lldp Group : oc-stp Sensor Path : openconfig-spanning-tree/stp Group : oc-system Sensor Path : openconfig-system/system Sensor Path : openconfig-platform/components/component Group : oc-vendor-ufd Sensor Path : ufd/uplink-state-group-stats/ufd-groups Group : oc-vendor-vxlan Sensor Path : vxlan/vxlan-state/remote-endpoint/stats Group : oc-vlan Sensor Path :
Sensor Path : openconfig-bgp/bgp/neighbors/neighbor Sensor Path : openconfig-bgp/bgp/rib/afi-safis/afi-safi Group : oc-buffer Sensor Path : openconfig-qos/qos/interfaces/interface Group : oc-device Sensor Path : openconfig-platform/components/component Sensor Path : openconfig-network-instance/network-instances/networkinstance Group : oc-environment Sensor Path : openconfig-platform/components/component Group : oc-interface Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-lacp Sensor Path
Name : subscription-2
Destination Groups(s) : dest2
Sensor-group       Sample-interval
-----------------------------------
oc-bfd             15000
oc-bgp             15000
oc-buffer          15000
oc-device          15000
oc-environment     15000
oc-interface       15000
oc-lacp            15000
oc-lag             0
oc-lldp            15000
oc-stp             15000
oc-system          15000
oc-vendor-ufd      15000
oc-vendor-vxlan    15000
oc-vlan            15000
oc-vrrp            15000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The conne
Sensor Path : infra-bgp/peer-state/peer-status Group : buffer Sensor Path : base-qos/queue-stat Sensor Path : base-qos/priority-group-stat Sensor Path : base-qos/buffer-pool-stat Sensor Path : base-qos/buffer-pool Group : device Sensor Path : base-pas/chassis Sensor Path : base-pas/card Sensor Path : base-switch/switching-entities/switch-stats Group : environment Sensor Path : base-pas/entity Sensor Path : base-pas/psu Sensor Path : base-pas/fan-tray Sensor Path : base-pas/fan Sensor Path : base-pas/led Sen
interface          180000
lag                0
system             300000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.
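Added example (not Dell code): a parser that reads show telemetry subscription-profile output in the layout shown above and reports every profile that streams without TLS, which is the state the no-tls transport option produces. The sample text is constructed, the function names are hypothetical, and the "TLS : enabled" rendering is an assumption because the page only shows "disabled".

```python
import re

# Constructed sample in the layout of the show telemetry output on this page.
# "TLS : enabled" and the second Reason line are assumed renderings.
SAMPLE_OUTPUT = """\
Telemetry Status : enabled
Name : subscription-1
Destination Groups(s) : dest1
Sensor-group Sample-interval
-----------------------------------
bgp 300000
interface 180000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.204:40001 is in connected state
Name : subscription-2
Destination Groups(s) : dest2
Sensor-group Sample-interval
-----------------------------------
oc-bgp 15000
Encoding : gpb
Transport : grpc
TLS : enabled
Source Interface : ethernet1/1/1
Active : false
Reason : Connection summary: No active connections
"""

# "Key : value" lines; the key never contains a colon, the value may.
FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z()\- ]*?)\s+:\s+(?P<value>.*)$")
# "sensor-group interval" rows of the per-profile table.
SENSOR = re.compile(r"^(?P<group>[\w-]+)\s+(?P<interval>\d+)$")
CONNECTION = re.compile(r"^The connection (?P<peer>\S+) is in (?P<state>\w+) state$")


def parse_profiles(text):
    """Return one dict per subscription profile found in the CLI output."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        field = FIELD.match(line)
        if field:
            key, value = field["key"].lower(), field["value"].strip()
            if key == "name":
                current = {"name": value, "destinations": [], "sensors": {},
                           "connections": {}, "tls": "unknown", "active": False}
                profiles.append(current)
            elif current is None:
                continue  # global lines such as "Telemetry Status"
            elif key.startswith("destination group"):
                current["destinations"] = value.split()
            elif key == "tls":
                current["tls"] = value.lower()
            elif key == "active":
                current["active"] = value.lower() == "true"
            continue
        if current is None:
            continue
        sensor = SENSOR.match(line)
        if sensor:
            current["sensors"][sensor["group"]] = int(sensor["interval"])
            continue
        conn = CONNECTION.match(line)
        if conn:
            current["connections"][conn["peer"]] = conn["state"]
    return profiles


def audit_tls(profiles):
    """List profiles whose TLS state is anything other than 'enabled'."""
    findings = []
    for p in profiles:
        if p["tls"] == "enabled":
            continue
        findings.append({
            "profile": p["name"],
            # An active session means data is crossing the network unprotected now.
            "severity": "high" if p["active"] else "low",
            "tls": p["tls"],
            "destinations": p["destinations"],
            "sensor_groups": sorted(p["sensors"]),
            "peers": sorted(p["connections"]),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_tls(parse_profiles(SAMPLE_OUTPUT)):
        print(finding)
```

A profile with no TLS line at all is reported with tls "unknown" rather than being treated as protected.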
26 RESTCONF API

RESTCONF is a representational state transfer (REST)-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches using JavaScript Object Notation (JSON)-structured messages. Use any programming language to create and send JSON messages. The examples in this chapter use curl. The OS10 RESTCONF implementation complies with RFC 8040. You can use the RESTCONF API to configure and monitor an OS10 switch.
● ecdhe-rsa-with-aes-256-gcm-SHA384
rest https cipher-suite
4. Enable RESTCONF API in CONFIGURATION mode.
rest api restconf
RESTCONF API configuration
OS10(config)# rest https server-certificate name OS10.dell.
Error
{"ietf-restconf:errors":{"error":[{"error-type":"rpc","error-tag":"invalid-value","error-app-tag":"data-invalid","error-path":"/classifier-entry","error-message":"unknown resource instance","error-info":{"bad-value":"/restconf/data/dell-diffserv-classifier:classifier-entry=test","error-number":388}}]}}
POST request
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"dell-diffserv-classifier:classifier-entry": [{"name":"test","mtype":"qos","match":"
interface ethernet 1/1/1
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"ietf-interfaces:interfaces":{"interface": [{"name":"ethernet1/1/1","type":"iana-if-type:ethernetCsmacd"}]}}' -X PATCH https://$MGMT_IP/restconf/data/ietf-interfaces:interfaces
REST-TRANSLATE-OS10(conf-if-eth1/1/1)# description "ethernet 1/1/1"
CLI command: description "ethernet 1/1/1"
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Conte
REST-TRANSLATE-OS10#
CLI commands generate multiple RESTCONF requests:
● If the command updates multiple objects (within the same module or across modules), the command translates into multiple RESTCONF requests. This is because the target resource in the URI can only be a single object.
● If the command performs multiple operations in a single request (merge and delete on leafs), the CLI first generates a DELETE request and then PATCH with the remaining objects.
no ip ospf 1 area 100
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -X DELETE https://$MGMT_IP/restconf/data/ietf-interfaces:interfaces/interface/dell-ospf-v2:ospf-info/dell-ospf-v2:proc-id
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -X DELETE https://$MGMT_IP/restconf/data/ietf-interfaces:interfaces/interface/dell-ospf-v2:ospf-info/dell-ospf-v2:area-id
curl -i -k -H "Accept: appli
The following is an example of an RS256-signed token:
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTUzNjcyMjcxfQ.nDydDFFjLju6jYuR9waxmvVZ6iVHoJZSrqey2p3S_0B_fD5U2GU8tOjTr3paJ3Wvs1a3TQpKQ_xAp-9zxBwUoJFTC2qjKH6uMgTgfWxltrfcb3_9JF1SIsyGHaT-oUzcdCmC47TlXRIRLzcZ9w4Q5vFqxKYv1sRA47T9sSnAZac"

Access token
You can use HTTP Bearer Authentication to pass the access token to subsequent REST API requests.
rest https cipher-suite
Limits the ciphers to encrypt and decrypt REST HTTPS data.
Syntax rest https cipher-suite cipher-list
Parameters cipher-list — Enter the ciphers supported in a REST API HTTPS session. Separate multiple entries with a blank space. Valid cipher suites are:
● dhe-rsa-with-aes-128-gcm-SHA256
● dhe-rsa-with-aes-256-gcm-SHA384
● ecdhe-rsa-with-aes-128-gcm-SHA256
● ecdhe-rsa-with-aes-256-gcm-SHA384
Default All cipher suites installed with OS10 are supported.
Example OS10(config)# rest https session timeout 60
Supported Releases 10.4.1.0 or later

cli mode rest-translate
Enables RESTCONF translation mode in the CLI session.
Syntax cli mode rest-translate
Parameters None
Default None
Command Mode EXEC
Usage Information This command enables translation of CLI commands into equivalent RESTCONF requests in the current session.
Example OS10# cli mode rest-translate
Supported Releases 10.5.1.
Example OS10# show cli mode
Current CLI session mode : rest-translate
Translated requests are available as supportbundle://restconf_requests_1132.txt
OS10#
Supported Releases 10.5.1.0 or later

rest authentication token validity
Configures the validity duration for the tokens.
Syntax rest authentication token validity minutes
Parameters minutes — Enter the validity duration (0 to 1200 minutes) for the REST Access Token. 0 indicates that the token has no expiry.
rest authentication token algorithm
Configures the token signing algorithm.
Syntax rest authentication token algorithm [HS256 | RS256 | ES256]
Parameters hs256, rs256, es256 — Enter the algorithm standard to be used to sign the tokens.
Default RS256
Command Mode CONFIGURATION
Usage Information This command updates the token signing algorithm. The no version of the command resets to the default value.
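Added example (not from the Dell guide): the header and claims of an access token are only base64url-encoded, so they can be read to check a token against the signing algorithm and validity settings described above. The function names are hypothetical, the signature segment is a placeholder that is never verified, and treating a token without an exp claim as the validity 0 case is an assumption.

```python
import base64
import json
import time

# Algorithms the page lists for "rest authentication token algorithm".
ALLOWED_ALGS = {"HS256", "RS256", "ES256"}
# Upper bound the page gives for "rest authentication token validity".
MAX_VALIDITY_MIN = 1200

# Header and claims segments of the RS256 example token shown on this page.
# The third segment is a placeholder, not the page's signature.
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNTUzNjcyMjcxfQ."
    "SIGNATURE_PLACEHOLDER"
)


def encode_segment(obj):
    """base64url-encode a JSON object without padding (for constructed samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(segment):
    """Decode one base64url JSON segment, restoring the stripped padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# Constructed sample: unsigned token with alg "none" and no exp claim.
CONSTRUCTED_BAD_TOKEN = ".".join(
    [encode_segment({"alg": "none", "typ": "JWT"}),
     encode_segment({"username": "admin"}),
     ""]
)


def inspect_token(token, configured_alg="RS256", now=None):
    """Read header and claims WITHOUT verifying the signature and list findings.

    This is an audit aid for tokens you already hold. It is not an
    authentication check, because nothing here proves who issued the token.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS token has exactly three segments")
    header = decode_segment(parts[0])
    claims = decode_segment(parts[1])

    findings = []
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        findings.append("alg-not-allowed")
    elif alg != configured_alg:
        # The header names a different algorithm than the switch is set to use.
        findings.append("alg-mismatch")

    exp = claims.get("exp")
    if exp is None:
        # Assumption: a token issued with validity 0 carries no exp claim.
        findings.append("no-expiry")
    elif exp <= now:
        findings.append("expired")
    elif exp - now > MAX_VALIDITY_MIN * 60:
        findings.append("validity-exceeds-max")

    return {"alg": alg, "username": claims.get("username"),
            "exp": exp, "findings": findings}


if __name__ == "__main__":
    print(inspect_token(PAGE_TOKEN))
    print(inspect_token(CONSTRUCTED_BAD_TOKEN))
```

Because the claims are readable by anyone who captures the token, a non-expiring token is a long-lived credential and belongs in the same handling class as a password.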
● It is recommended to use a POST request instead of PUT to replace the target data resources.

View XML structure of CLI commands
To use the RESTCONF API to configure and monitor an OS10 switch, create an HTTPS request with data parameters in JSON format. The JSON data parameters correspond to the same parameters in the XML structure of an OS10 command. To display the parameter values in the XML code of an OS10 command as reference, use the debug cli netconf command in EXEC mode.
OS10(config)# do no debug cli netconf

RESTCONF API Examples
Some common RESTCONF API operations include configuring the system hostname and interfaces such as a loopback interface. The examples in this section use curl commands to send the HTTPS request.
Configure a loopback interface IP address
RESTCONF endpoint /restconf/data/interfaces/interface/loopback1
JSON content { "dell-ip:ipv4":{ "address": { "primary-addr":"6.6.6.6/24" } } }
Parameters
● primary-addr ip-address/prefix-length — Enter the loopback IP address in dotted-decimal A.B.C.D/x format.
Example curl -X POST -k -u admin:admin "https://10.11.86.
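Added example (not from the Dell guide): the loopback request above built with certificate verification left on and a bearer access token, in place of curl -k and -u admin:admin. The host name, token value, and function names are placeholders, and the OpenSSL cipher names are the equivalents of the four suites listed under rest https cipher-suite.

```python
import ipaddress
import json
import re
import ssl
import urllib.request

# OpenSSL names for the four suites the page lists for "rest https cipher-suite".
OS10_REST_CIPHERS = ":".join([
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
])

# Endpoint taken from the page's loopback example.
LOOPBACK_PATH = "/restconf/data/interfaces/interface/loopback1"

HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def make_tls_context(ca_file=None):
    """TLS context that verifies the switch certificate (the opposite of curl -k).

    ca_file is the CA bundle that signed the certificate installed with
    "rest https server-certificate"; None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers governs TLS 1.2 suites only; TLS 1.3 suites are unaffected.
    ctx.set_ciphers(OS10_REST_CIPHERS)
    return ctx


def build_loopback_request(mgmt_host, token, primary_addr):
    """Build the POST that sets the loopback primary address."""
    if not HOST_RE.match(mgmt_host):
        raise ValueError("management host must be a plain host or host:port")
    if not token or any(ch.isspace() for ch in token):
        # Whitespace or CR/LF in the token would corrupt the header line.
        raise ValueError("token must be a single non-empty string")
    # Raises ValueError for anything that is not address/prefix-length.
    iface = ipaddress.ip_interface(primary_addr)

    body = json.dumps(
        {"dell-ip:ipv4": {"address": {"primary-addr": str(iface)}}}
    ).encode()
    req = urllib.request.Request(
        "https://" + mgmt_host + LOOPBACK_PATH, data=body, method="POST"
    )
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + token)
    return req


def send(req, ctx, timeout=10):
    """Send the request; certificate or host name mismatches raise an error."""
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholders: switch.example.net and ACCESS_TOKEN_PLACEHOLDER.
    request = build_loopback_request(
        "switch.example.net", "ACCESS_TOKEN_PLACEHOLDER", "6.6.6.6/24"
    )
    context = make_tls_context()
    print(request.get_method(), request.full_url)
    print("verify:", context.verify_mode == ssl.CERT_REQUIRED,
          "hostname check:", context.check_hostname)
```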
27 Troubleshoot Dell EMC SmartFabric OS10

Critical workloads and applications require constant availability. Dell EMC Networking offers tools to help you monitor and troubleshoot problems before they happen.
* 1 S4148F-ON 985 006 10 1 S4148F-ON-PWR-1-AC 1 S4148F-ON-FANTRAY-1 1 S4148F-ON-FANTRAY-2 1 S4148F-ON-FANTRAY-3 1 S4148F-ON-FANTRAY-4 09H9MN X01 TW-09H9MN-28298-713-0026 06FKHH 0N7MH8 0N7MH8 0N7MH8 0N7MH8 A00 X01 X01 X01 X01 CN-06FKHH-28298-6B5-03NY TW-0N7MH8-28298-713-0101 TW-0N7MH8-28298-713-0102 TW-0N7MH8-28298-713-0103 TW-0N7MH8-28298-713-0104 9531XC2 198 Boot information Display system boot and image information. ● View all boot information in EXEC mode.
30452 admin 1 root 2 root 3 root 5 root 7 root 8 root 10 root 11 root 12 root 13 root 14 root 15 root 16 root 17 root 19 root 20 root 21 root 22 root 23 root 24 root 25 root --more-- 20 20 20 20 0 20 20 20 20 20 rt rt rt rt 20 0 0 20 0 20 0 25 0 0 0 0 -20 0 0 0 0 0 0 0 0 0 0 -20 -20 0 -20 0 -20 5 22076 112100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2524 5840 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2100 3032 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 R S S S S R S S S S S S S S S S S S S S S S 6.1 0.0 0.
Capture packets from Ethernet interface
$ tcpdump -i e101-003-0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on e101-003-0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:39:22.457185 IP 3.3.3.1 > 3.3.3.4: ICMP echo request, id 5320, seq 26, length 64
01:39:22.457281 IP 3.3.3.1 > 3.3.3.
When you execute a traceroute, the output shows the path a packet takes from your device to the destination IP address. It also lists all intermediate hops (routers) that the packet traverses to reach its destination, including the total number of hops traversed.

Check IPv4 connectivity
OS10# ping 172.31.1.255
Type Ctrl-C to abort.
Sending 5, 100-byte ICMP Echos to 172.31.1.255, timeout is 2 seconds:
Reply to request 1 from 172.31.1.208 0 ms
Reply to request 1 from 172.31.1.
1 3ffe:501:ffff:100:201:e8ff:fe00:4c8b 000.000 ms 000.000 ms 000.000 ms View solution ID Dell EMC networking switches that are part of a larger solution require a solution identifier (ID). To view the solution ID including the product base, product serial number, and product part number, use the following show commands: View inventory OS10# show inventory Product : S6000-ON Description : S6000-ON 32x40GbE QSFP+ Interface Module Software version : 10.4.
Software version : 10.4.9999EX Product Base : ECS Gen3 Product Serial Number : APM001123456789 Product Part Number : 900-590-001 ----------------------------------------------------------------<
Node Id MAC Number of MACs Up Time : : : : 1 14:18:77:15:c3:e8 256 1 day 00:48:58 -- Unit 1 -Status System Identifier Down Reason Digital Optical Monitoring System Location LED Required Type Current Type Hardware Revision Software Version Physical Ports BIOS System CPLD Master CPLD Slave CPLD : : : : : : : : : : up 1 unknown disable off S4148F S4148F X01 10.5.1.0 48x10GbE, 2x40GbE, 4x100GbE : 3.33.0.0-3 : 0.4 : 0.10 : 0.
location-led system
Changes the location LED of the system.
Syntax location-led system {node-id | node-id/unit-id} {on | off}
Parameters
● node-id | node-id/unit-id — Enter the system ID.
● on | off — Set the system LED to be on or off.
Default Not configured
Command Mode EXEC
Usage Information Use this command to change the location LED for the specified system ID.
Example OS10# location-led system 1 on
OS10# location-led system 1 off
Supported Releases 10.3.
show diag
Displays diagnostic information for port adapters and modules.
Syntax show diag
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example OS10# show diag
00:00.0 Host bridge: Intel Corporation Atom processor C2000 SoC Transaction Router (rev 02)
00:01.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 1 (rev 02)
00:02.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 2 (rev 02)
00:03.
Thermal sensors
Unit  Sensor-Id  Sensor-name                          Temperature
------------------------------------------------------------------------------
1     1          CPU On-Board temp sensor             32
1     2          Switch board temp sensor             28
1     3          System Inlet Ambient-1 temp sensor   27
1     4          System Inlet Ambient-2 temp sensor   25
1     5          System Inlet Ambient-3 temp sensor   26
1     6          Switch board 2 temp sensor           31
1     7          Switch board 3 temp sensor           41
1     8          NPU temp sensor                      43
Supported Releases 10.2.0E or later

show hash-algorithm
Displays hash algorithm information.
1 1 Supported Releases S4148F-ON-FANTRAY-3 S4148F-ON-FANTRAY-4 0N7MH8 0N7MH8 X01 X01 TW-0N7MH8-28298-713-0103 TW-0N7MH8-28298-713-0104 10.2.0E or later show processes View process CPU utilization information. Syntax show processes node-id node-id-number [pid process-id] Parameters ● node-id-number — Enter the Node ID number as 1. ● process-id — (Optional) Enter the process ID number, from 1 to 2147483647.
21 root kdevtmpfs 22 root 23 root khungtaskd 24 root writeback 25 root --more-- 20 0 0 0 0 S 0.0 0.0 0:00.00 0 -20 20 0 0 0 0 0 0 S 0 S 0.0 0.0 0.0 0.0 0:00.00 netns 0:00.41 0 -20 0 0 0 S 0.0 0.0 0:00.00 0 0 0 S 0.0 0.0 0:00.00 ksmd 25 5 OS10# show processes node-id 1 pid 1019 top - 09:21:58 up 5 days, 8 min, 2 users, load average: 0.18, 0.30, 0.31 Tasks: 1 total, 0 running, 1 sleeping, 0 stopped, 0 zombie %Cpu(s): 9.7 us, 3.9 sy, 0.3 ni, 85.8 id, 0.0 wa, 0.0 hi, 0.3 si, 0.
PSU-ID Status Type AirFlow Fan Speed(rpm) Status ---------------------------------------------------------------1 up AC NORMAL 1 13312 up 2 fail -- Fan Status -FanTray Status AirFlow Fan Speed(rpm) Status ---------------------------------------------------------------1 up NORMAL 1 13195 up Example (nodeid) 2 up NORMAL 1 13151 up 3 up NORMAL 1 13239 up 4 up NORMAL 1 13239 up OS10# show system node-id 1 fanout-configured Interface Breakout capable Breakout state -------------------------
4 Supported Releases up NORMAL 1 13239 up 10.2.0E or later traceroute Displays the routes that packets take to travel to an IP address. Syntax traceroute [vrf {management | vrf-name}] host [-46dFITnreAUDV] [-f first_ttl] [-g gate,...
3 10.11.27.254 (10.11.27.254) 2.233 ms 2.207 ms 2.391 ms 4 Host65.hbms.com (63.80.56.65) 3.583 ms 3.776 ms 3.757 ms 5 host33.30.198.65 (65.198.30.33) 3.758 ms 4.286 ms 4.221 ms 6 3.GigabitEthernet3-3.GW3.SCL2.ALTER.NET (152.179.99.173) 4.428 ms 2.593 ms 3.243 ms 7 0.xe-7-0-1.XL3.SJC7.ALTER.NET (152.63.48.254) 3.915 ms 3.603 ms 3.790 ms 8 TenGigE0-4-0-5.GW6.SJC7.ALTER.NET (152.63.49.254) 11.781 ms 10.600 ms 9.402 ms 9 23.73.112.54 (23.73.112.54) 3.606 ms 3.542 ms 3.
6. At the root prompt, enter usermod -s /bin/bash linuxadmin to enable the linuxadmin user.
root@OS10: /# usermod -s /bin/bash linuxadmin
7. Verify the linuxadmin password status by entering the passwd -S linuxadmin command. If the password is locked, L is displayed following linuxadmin in the command output. Unlock the password by entering the passwd -u linuxadmin command.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-* *-* Copyright (c) 1999-2018 by Dell Inc. All Rights Reserved. *-* *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*This product is protected by U.S. and international copyright and intellectual property laws. Dell EMC and the Dell EMC logo are trademarks of Dell Inc.
s4048t-1# configure terminal
s4048t-1(config)#
9. Configure the recovered password for the user name using the username password role command in CONFIGURATION mode; for example:
s4048t-1(config)# username admin password admin12345 role sysadmin

Restore factory defaults
To restore your system factory defaults, reboot the system to ONIE: Uninstall OS mode.
CAUTION: Restoring factory defaults erases any installed operating system and requires a long time to erase storage.
SupportAssist

The SupportAssist feature monitors the devices in your network that run the Dell EMC Networking Operating System. This feature offers an extra layer of service to your IT support capabilities by:
● Identifying issues and helping you resolve them quickly.
● Proactively monitoring the network and minimizing the risk of downtime.
SupportAssist periodically collects information about configuration, inventory, logs, and so on, from the network devices.
2. Accept the EULA.
OS10(config)# eula-consent support-assist accept
3. Enter SupportAssist mode from CONFIGURATION mode.
OS10(config)# support-assist
OS10(conf-support-assist)#
4. (Required) Specify the SupportAssist server URL or IP address in SUPPORT-ASSIST mode, and specify your Dell Digital Locker (DDL) credentials to access the SupportAssist server. This account must have entitlements to the OS10 switch in DDL. You can enter default to specify the SupportAssist server URL (https://esrs3.emc.com).
Configure SupportAssist company
OS10(conf-support-assist)# contact-company name ExampleCompanyName
OS10(conf-support-assist-ExampleCompanyName)# address city San Jose state California country USA zipcode 95125
OS10(conf-support-assist-ExampleCompanyName)# street-address "123 Example Street" "Bldg 999"
OS10(conf-support-assist-ExampleCompanyName)# territory Sales

Set contact information
Configure contact details in SUPPORT-ASSIST mode.
○ hourly min number—Enter the time to schedule an hourly task, from 0 to 59.
○ daily hour number min number—Enter the time to schedule a daily task, from 0 to 23 hours and 0 to 59 minutes.
○ weekly day-of-week number hour number min number—Enter the time to schedule a weekly task, from 0 to 6 days, 0 to 23 hours, and 0 to 59 minutes.
○ monthly day number hour number min number—Enter the time to schedule a monthly task, from 1 to 31 days, 0 to 23 hours, and 0 to 59 minutes.
16:15:19 event-notification 16:04:39 keep-alive 17:30:03 Success 2019-06-13 16:04:35 2019-06-13 Success 2019-06-13 18:00:00 2019-06-13 Server Status : Last KeepAlive Status Last KeepAlive Successful Last KeepAlive Failed at Last MFT Status : Last MFT Successful at : Last MFT Failed at : : Failed at : 2019-06-13 17:30:03 : 2019-06-13 18:00:03 Success 2019-06-13 16:15:19 Never

View EULA license
OS10# show support-assist eula
SUPPORTASSIST ENTERPRISE - SOFTWARE TERMS
*** IMPORTANT INFORMATION - PLEASE
View SupportAssist logs
To view a list of SupportAssist activities with the ESRS and TechDirect servers, use the following show command:
OS10# show support-assist logs
1 Thu Jun 27 15:32:46 UTC 2019
2 Fri Jun 28 03:11:46 UTC 2019
3 Fri Jun 28 03:11:55 UTC 2019
4 Fri Jun 28 03:11:58 UTC 2019
5 Fri Jun 28 05:08:49 UTC 2019
6 Fri Jun 28 03:00:00 UTC 2019
7 Fri Jun 29 03:00:00 UTC 2019
8 Fri Jun 29 03:11:46 UTC 2019
9 Fri Jun 30 05:13:37 UTC 2019 error
10 Fri Jun 30 05:14:00 UTC 2019
11 Fri Jun 30 05:14:03 UTC
Table 104.
Table 104. Country names and codes (continued)
Country name     Country code
Western Sahara   ESH
Yemen            YEM
Zambia           ZMB
Zimbabwe         ZWE

SupportAssist commands

eula-consent
Accepts or rejects the SupportAssist end-user license agreement (EULA).
Syntax eula-consent {support-assist} {accept | reject}
Parameters
● support-assist — Enter to accept or reject the EULA for the service.
● accept — Enter to accept the EULA-consent.
● reject — Enter to reject EULA-consent.
Supported Releases 10.2.0E or later

show support-assist warranty
Displays warranty information for the OS10 switch and the relevant service contracts.
Syntax show support-assist warranty
Parameters None
Default None
Command Mode EXEC
Usage Information This command displays the warranty information for the OS10 switch and the relevant service contracts.
Supported Releases 10.5.1.0 or later

support-assist
Enters SupportAssist subconfiguration mode.
Syntax support-assist
Parameters None
Default Not applicable
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Example
OS10(config)# support-assist
OS10(conf-support-assist)#
Supported Releases 10.2.
The no version of this command removes the configuration.
The no version of this command disables the activity.
Examples
OS10(conf-support-assist)# activity event-notification enable
OS10(conf-support-assist)# activity full-transfer enable
Supported Releases 10.2.0E or later

contact-company
Configures the company contact information.
Syntax contact-company name company-name
Parameters company-name—Enter the contact company name.
Default Not configured
Command Mode SUPPORT-ASSIST
Usage Information You can enter only one contact company.
show configuration
Displays the SupportAssist configuration currently running on the device.
Syntax show configuration
Parameters None
Default Not configured
Command Mode SUPPORT-ASSIST
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
Example
OS10(conf-support-assist)# show configuration
!
support-assist
server url https://esrs3stg.emc.
Supported Releases
phone primary 0001234567 alternate 1234567890
preferred-method email
Supported Releases 10.2.0E or later

show support-assist eula
Displays the EULA for SupportAssist.
Syntax show support-assist eula
Parameters None
Default None
Command Mode EXEC
Usage Information Use this command to view the EULA for SupportAssist.
Example Supported Releases Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S).
City               : SanJose
State              : California
Country            : USA
Zipcode            : 95123
Territory          : West
Contact-person     : Firstname Lastname
Primary email      : youremail@example.com
Alternate email    : emailid@example.
Primary phone      :
Alternate phone    :
Contact method     :
Server(configured) :
Examples
OS10(conf-support-assist)# source-interface ethernet 1/1/4
OS10(conf-support-assist)# source-interface loopback 1
OS10(conf-support-assist)# source-interface mgmt 1/1/1
OS10(conf-support-assist)# source-interface port-channel 10
OS10(conf-support-assist)# source-interface vlan 100
Supported Releases 10.4.0E(R1) or later

SupportAssist company commands

address
Configures the company address.
The no version of this command removes the configuration.
Example
OS10(conf-support-assist-ExampleCompanyName)# contact-person first Firstname last Lastname
Supported Releases 10.2.0E or later

street-address
Configures the street address of the company.
Syntax street-address {line-1} [line-2] [line-3]
Parameters line-1 line-2 line-3 — Enter the address of the company, from 1 to 3 lines. Enclose the text within double quotes. Insert a space after each line of text.
Parameters email-id—Enter the email address of the contact person.
Default Not configured
Command Mode SUPPORT-ASSIST
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command removes the configuration.
Example
OS10(conf-support-assist-ExampleCompanyName-FirstnameLastname)# emailaddress primary youremail@example.
Supported Releases
Examples
OS10(conf-support-assist-ExampleCompanyName-FirstnameLastname)# preferred-method email
OS10(conf-support-assist-ExampleCompanyName-FirstnameLastname)# preferred-method phone
OS10(conf-support-assist-ExampleCompanyName-FirstnameLastname)# preferred-method no-contact
Supported Releases 10.2.0E or later

Support bundle
The Support Bundle is based on the sosreport tool.
Support bundle generation failure
Apr 19 17:0:14: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_FAILURE: Failure in generate support-bundle execution:All Plugin options disabled
Apr 19 17:0:14: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_FAILURE: Failure in generate support-bundle execution:All Plugin options enabled

generate support-bundle
Generates an sosreport tar file that collects configuration and diagnostic information on Linux systems.
● MINOR—A minor error or noncritical condition occurred that, if left unchecked, might cause system service interruption or performance degradation. A minor alarm requires monitoring or maintenance.
● WARNING—A warning condition was observed, but it may or may not result in an error condition.
● INFORMATIONAL—An informational event has occurred, but it does not impact performance.
Out of memory, temperature crossing a critical point, and so on, are examples of conditions when the system triggers an alarm.
Configure custom severity profile
To modify the severity of events or disable event notification:
Your user account must have any one of the following privileges: System admin (sysadmin), security admin (secadmin), or network admin (netadmin).
1. Use the dir command to view the list of available severity profiles in the severity-profile:// partition.
Delete custom severity profile
You can delete custom severity profiles that you no longer need. However, you cannot delete the default or active severity profile. To delete a custom severity profile, use the delete severity-profile://profile-name command. For example:
OS10# delete severity-profile://mySevProf_1.xml

System logging
You can change the system logging default settings using the severity level to control the type of system messages that log.
● Reenable any logging command in CONFIGURATION mode.
no logging enable

Enable server logging for log notice
OS10(config)# logging server 10.11.86.139 severity log-notice

System logging over TLS
To provide enhanced security and privacy in the logged system messages sent to a syslog server, you can use the Transport Layer Security (TLS) protocol.
You determine if the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode. When FIPS mode is enabled, you can still generate CSRs for non-FIPS certificates for use with non-FIPS applications. Be sure to install these certificates as non-FIPS with the crypto cert install command.
3. Configure a security profile for system logging over TLS using an X.509v3 certificate.
a. Create a Syslog security profile in CONFIGURATION mode.
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
clientcert.crt
-------------------------------------
| Installed FIPS certificates |
-------------------------------------
OS10(config)# crypto security-profile dellprofile
OS10(config-sec-profile)# certificate clientcert
OS10(config-sec-profile)# exit
OS10(config)# logging security-profile dellprofile
OS10(config)# logging server 10.11.86.
dn_infra_afs
dn_issu
dn_l2_services
dn_l2_services_
dn_l2_services_
dn_l2_services_
dn_l2_services_
dn_l3_core_serv
dn_l3_service
dn_lacp
dn_lldp
dn_mgmt_entity_
--More--

Environmental monitoring
Monitors the hardware environment to detect temperature, CPU, and memory utilization.
Alarm commands

alarm acknowledge
Acknowledges an active alarm.
Syntax alarm acknowledge sequence-number
Parameters
● sequence-number — Acknowledge the alarm corresponding to the sequence number.
Default Not configured
Command Mode EXEC
Usage Information Use the show alarm command to view all active alarms. Use active alarm sequence numbers to acknowledge specific alarms.
Example
OS10# alarm acknowledge 1
Supported Releases 10.4.
Example
OS10# show alarms
Sq No  Severity     Name                            Timestamp                 Source
------------------------------------------------------------------------------------
7563   critical     EQM_MORE_PSU_FAULT              Fri Jul 26 19:26:16 2019  /pus/1
7566   warning      EQM_TML_MINOR_CROSSED           Fri Jul 26 19:30:22 2019  /pus/1
7569   information  L2_SERV_LACP_CMS_CPS_SEND_FAIL  Fri Jul 26 19:55:40 2019  /pus/1
Supported Releases 10.2.0E or later

show alarms acknowledged
Displays all acknowledged alarms.
Active-alarm details - 732
-------------------------------------------
Sequence Number: 732
Severity: critical
Source: /psu/2
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Mon Jul 29 06:12:30 2019
Ack-time:
New: true
Acknowledged: false
-------------------------------------------
Alarm is acknowledged:
OS10# show alarms details
Active-alarm details - 732
-------------------------------------------
Sequence Number: 732
Severity: critical
Source: /psu/2
Name: EQM_MORE_PSU_FAULT
De
show alarms severity
Displays all active alarms corresponding to a specific severity level.
Syntax show alarms severity severity
Parameters severity — Set the alarm severity:
● critical — Critical alarm severity.
● major — Major alarm severity.
● minor — Minor alarm severity.
● warning — Warning alarm severity.
show alarms summary
Displays the summary of all active alarms.
Syntax show alarms summary
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show alarms summary
Active-alarm Summary
-------------------------------------------
Total-count: 2
Critical-count: 0
Major-count: 1
Minor-count: 1
Warning-count: 0
-------------------------------------------
Supported Releases 10.2.
Example (reverse) Example (sequence) Example (details) Example (summary) 3 2 Raised Raised EQM_MORE_PSU_FAULT Sun 10-07-2018 18:39:44 /psu/2 EQM_FANTRAY_FAULT Sun 10-07-2018 16:39:42 /fantray/3 OS10# Sq No ----1 2 3 4 5 6 show event history reverse State Name Timestamp -------- ------------------ ----------------------Stateless SYSTEM_REBOOT Sun 10-07-2018 15:39:41 Raised EQM_FANTRAY_FAULT Sun 10-07-2018 16:39:42 Raised EQM_MORE_PSU_FAULT Sun 10-07-2018 18:39:44 Raised EQM_MORE_PSU_FAULT Sun 10-07-2
show event severity-profile
Displays the active severity profile and the profile that becomes active after a system restart.
Syntax show event severity-profile
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show event severity-profile
Severity Profile Details
------------------------
Currently Active : default
Active after restart : mySevProf.xml
Supported Releases 10.5.0 or later

Logging commands

clear logging
Clears messages in the logging buffer.
● log-debug—Set to debug messages.
Default Log-notice
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. To set the severity to the default level, use the no logging console severity command. The default severity level is log-notice.
NOTE: The system rate-limits syslog messages to a maximum of 10 per second on the console.
Default Log-notice
Command Mode CONFIGURATION
Usage Information To reset the log-file severity to the default level, use the no logging log-file severity command. The default severity level is log-notice. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Command mode CONFIGURATION
Usage information Use this command to specify the configured crypto security profile to use to send system messages to a remote server over TLS. TLS requires an X.509v3 certificate-key pair installed on the switch.
Example
OS10(config)# logging security-profile prof1
Supported releases 10.5.0 or later

logging server
Configures a remote syslog server.
show logging
Displays system logging messages by log file, process-names, or summary.
Syntax show logging {log-file [process-name | line-numbers] | process-names}
Parameters
● process-name — (Optional) Enter the process-name to use as a filter in syslog messages.
● line-numbers — (Optional) Enter the number of lines to include in the logging messages, from 1 to 65535.
Default None
Command Mode EXEC
Usage Information The output from this command is the /var/log/eventlog file.
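The Python code below is an added example, not part of the Dell EMC guide: it parses event log lines in the layout of the SUPPORT_BUNDLE_FAILURE messages shown earlier in this guide, applies a severity threshold on a log collector, tolerates the unpadded time field (17:0:14), and returns lines it cannot parse instead of dropping them. The severity names other than log-notice and log-debug, the three constructed sample lines, and all function names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# log-notice and log-debug appear in this guide; the other names are assumed
# to be the standard syslog levels with the same "log-" prefix, most severe first.
SEVERITIES = ["log-emerg", "log-alert", "log-crit", "log-err",
              "log-warning", "log-notice", "log-info", "log-debug"]
RANK = {name: rank for rank, name in enumerate(SEVERITIES)}

# Layout: "<Mon> <d> <h>:<m>:<s>: %<origin> %<severity>:<EVENT_NAME>: <text>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{1,2}):(?P<m>\d{1,2}):(?P<s>\d{1,2}):\s+"
    r"%(?P<origin>\S+)\s+"
    r"%(?P<sev>log-[a-z]+):(?P<event>[A-Z0-9_]+):\s*(?P<text>.*)$")


class Event(NamedTuple):
    timestamp: str   # normalized to zero-padded "Mon DD HH:MM:SS"
    origin: str
    severity: str
    event: str
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None or m["sev"] not in RANK:
        return None
    stamp = "%s %02d %02d:%02d:%02d" % (
        m["mon"], int(m["day"]), int(m["h"]), int(m["m"]), int(m["s"]))
    return Event(stamp, m["origin"], m["sev"], m["event"], m["text"])


def triage(lines: List[str],
           threshold: str = "log-notice") -> Tuple[List[Event], List[str]]:
    """Split lines into events at or above the threshold and unparsable lines."""
    limit = RANK[threshold]
    kept, rejected = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            rejected.append(line)      # keep malformed input visible for review
        elif RANK[event.severity] <= limit:
            kept.append(event)
    return kept, rejected


# First line is from this guide; the other three are constructed samples.
SAMPLE_LINES = [
    "Apr 19 17:0:14: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_FAILURE: "
    "Failure in generate support-bundle execution:All Plugin options disabled",
    "Apr 19 17:2:5: %Node.1-Unit.1:PRI:OS10 %log-crit:EQM_MORE_PSU_FAULT: "
    "psu 2 is not working correctly",
    "Apr 19 17:3:41: %Node.1-Unit.1:PRI:OS10 %log-debug:EXAMPLE_DEBUG_EVENT: constructed",
    "Apr 19 17:4:00: line cut off before the severity tag",
]
```

Calling triage(SAMPLE_LINES) returns the notice and critical events and hands back the cut-off line separately, so a collector can alert on messages that no longer match the expected layout.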
Example
OS10# show trace
May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.c:nl_to_neigh_info:109, Operation:Add-NH family:IPv4(2) flags:0x0 state:Failed(32) if-idx:4
May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.c:nl_to_neigh_info:120, NextHop IP:192.168.10.
Supported Releases
the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-*
*-* Copyright (c) 1999-2017 by Dell Inc. All Rights Reserved. *-*
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
This product is protected by U.S.
Hardware

What are the default console settings for ON-Series devices?
● Set the data rate to 115200 baud
● Set the data format to 8 bits, stop bits to 1, and no parity
● Set flow control to none

How do I view the hardware inventory?
Use the show inventory command to view complete system inventory.

How do I view the process-related information?
Use the show processes node-id node-id-number [pid process-id] command to view the process CPU utilization information.
Use the show ip ospf neighbor command.

System management

How can I view the current interface configuration?
Use the show running-configuration command to view all currently configured interfaces.

How can I view a list of all system devices?
Use the show inventory command to view a complete list.

How can I view the software version?
Use the show version command to view the currently running software version.
Monitoring

How can I check if SupportAssist is enabled?
Use the show support-assist status command to view current configuration information.

How can I view a list of alarms?
Use the show alarms details command to view a list of all system alarms.

How do I enable or disable system logging?
Use the logging enable command or the logging disable command.

How do I view system logging messages?
Use the show logging command to view messages by log file or process name.
28 Support resources
The Dell EMC Support site provides a range of documents and tools to assist you with effectively using Dell EMC devices. Through the support site you can obtain technical information regarding Dell EMC products, access software upgrades and patches, download available management software, and manage your open cases. The Dell EMC support site provides integrated, secure access to these services. To access the Dell EMC Support site, go to www.dell.com/support/.