Dell EMC SmartFabric OS10 User Guide Release 10.5.2 04 2021 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020-2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this guide
This guide is intended for system administrators who are responsible for configuring and maintaining networks. It covers the following details:
● Installation and setup of Dell EMC SmartFabric OS10.
● Description, configuration information, limitations and restrictions, and examples of features that SmartFabric OS10 supports.
● Reference information and examples on configuring protocols.
Table 1. SmartFabric OS10 Documentation Related Documentation Description Link ● SFS for leaf and spine switches ● SFS for PowerEdge MX ● Data Center PowerSwitch OS Table 2.
2 Change history
The following table provides an overview of the changes to this guide from a previous OS10 release to the 10.5.2.4 release. For more information about the new features, see the respective sections.
Table 3. New in 10.5.2.4
Revision: A04
Date: 2021-04-14
Feature: OME-M Catalog Support
Description: OME-M supports catalog method to help and manage the upgrade of all components and dependencies among components.
Table 4. New in 10.5.2.3 (continued)
enhanced to display the LPM route matching the destination prefix when the mask is not provided.
Feature: Advertise ECMP route to iBGP session without changing next-hop to self
Description: Support for a new command, ibgpecmp-next-hop-self to advertise ECMP routes to iBGP neighbors with nexthop-self or with lowest nexthop IP address.
Table 4. New in 10.5.2.3
● show smartfabric upgrade-status
● show logging smartfabric
Table 5. New in 10.5.2.2
Revision: A02
Date: 2020-12-16
Feature: Dynamic discovery of nonintegrated devices
Description: SmartFabric Services (SFS) can discover end-host devices (unknown servers) dynamically based on standard LLDP PDUs without custom TLVs sent out through the connected ports.
Table 6. New in 10.5.2.1 (continued)
from the extended community list.
Feature: CLI enhancements
Description:
● The show techsupport command now displays transceiver information.
● The transceiver and interface parameters are now optional for the show interface phyeth command.
● Based on the BGP as-notation present in the configuration, the OSPFv2/v3 and BGP show configuration commands now display as-notation based output.
Table 6. New in 10.5.2.1
interface-ID (option 18) and remote-ID (option 37).
Feature: Configuring BGP templates
Description: Ability to configure the BGP templates to support the following attributes in IPv4 and IPv6 address family level: next-hop-self, soft re-configuration inbound, maximum-prefix, and addpath.
Feature: Initiate SSH session with another switch
Description: Support to enable or disable the ssh command that lets you establish a connection between two switches.
Table 7. New in 10.5.2.
Table 7. New in 10.5.2.0
● Configuration of local user authentication by smart card with password
● Configuration of local user authentication by smart card without a password
● Security profile settings used by X.
3 Getting Started with Dell EMC SmartFabric OS10
Dell EMC SmartFabric OS10 is a network operating system (NOS) supporting multiple architectures and environments. The SmartFabric OS10 solution allows multi-layered disaggregation of network functionality. SmartFabric OS10 bundles industry-standard management, monitoring, and Layer 2 and Layer 3 networking stacks over CLI, SNMP, and REST interfaces. Users can choose their own third-party networking, monitoring, management, and orchestration applications.
Starting from Release 10.5.1.0, SmartFabric OS10 comes with a single partition. Both the active and standby software images are stored in this partition. OS10 installation and upgrade procedures continue to work as usual. However, after you install the 10.5.1.0 (or later) image, if you want to downgrade to the 10.5.0.0 (or earlier) image, you must back up the configuration and license files. See Downgrade to Release 10.5.0.0 or earlier releases for more information.
Log in
Connect a terminal emulator to the console serial port on the switch using a serial cable. Serial port settings are 115200 baud rate, 8 data bits, and no parity. To log in to an OS10 switch, power up and wait for the system to perform a power-on self-test (POST). Enter admin for both the default user name and user password. Change the default admin password after the first OS10 login. The system saves the new password for future logins.
Architecture: x86_64
Up Time: 1 day 00:54:13
Install firmware upgrade
You may need to upgrade the firmware components on an OS10 switch without upgrading the OS10 image.
NOTE: Do not upgrade the ONIE firmware and OS10 image simultaneously. Perform the ONIE firmware upgrade first before you upgrade the OS10 image.
To upgrade firmware components in a separate operation:
1.
Upgrade OS10 manually from the CLI
To upgrade an OS10 image, first download and unpack the new OS10 binary image as described in Download OS10 image for upgrade. Then copy the binary image file to a local server and follow the steps in Install OS10 upgrade.
NOTE:
● To upgrade a Dell EMC ONIE switch to OS10 from OS9 or another network operating system (NOS), follow the procedure in Baremetal switch with only ONIE installed.
● If you are upgrading OS10 on a Z9100-ON switch, we recommend that you perform an ONIE fresh installation. See Installation using ONIE for more information.
● On an MX-Series I/O module, install OS10 upgrades in downloaded DUP files by following the instructions in the Dell EMC SmartFabric OS10 Release Notes—Release 10.5.0.
● While performing an upgrade from 10.4.0E.R4S to 10.5.0.
8. (Optional) Verify the standby image version.
OS10# show boot detail
Current system image information detail:
==========================================
Type: Node-id 1
Boot Type: Flash Boot
Active Partition: B
Active SW Version: 10.5.0.0
Active SW Build Version: 10.5.0.270
Active Kernel Version: Linux 4.9.168
Active Build Date/Time: 2020-03-07T23:35:01Z
Standby Partition: A
Standby SW Version: 10.5.2.0
Standby SW Build Version: 10.5.2.
Upgrade OS10 on VLT nodes with minimal traffic loss
This section describes the steps to upgrade OS10 on VLT peer nodes. When you upgrade VLT peer nodes, you might see minimal traffic loss. In this example topology:
● VLT-Peer1 and VLT-Peer2 are leaf nodes that are connected to the spine switch through port channel 10.
● Host1 is connected to both the VLT peer nodes through port channel 20.
● Host2 uses switch-independent NIC teaming.
● Switch1 is connected to the VLT peer nodes through port channel 30.
● You must not make any configuration changes when the VLT peer nodes are running different versions of the software.
Detailed Upgrade Steps
1. Download the new software image on both the VLT peer nodes from the Dell Support Site. Extract the bin files from the tar file, and save the file in EXEC mode. Download the extracted bin file to the OS10 switch using the image download command.
Install started.
4. Use the show image status command to view the installation status.
11. Reload VLT-Peer2.
VLT-Peer2# reload
12. Wait for VLT-Peer2 to come up. VLT adjacency will be established. VLT-Peer2 becomes the secondary node. Wait until VLT-Peer2 starts to forward traffic after the delay-restore timer expires.
Upgrade on VLT peer nodes is now complete. Both the nodes actively forward traffic. After upgrade, VLT-Peer1 is the primary node and VLT-Peer2 is the secondary node.
VLT upgrade with minimal loss for upgrades from 10.5.0.x or previous release to 10.5.1.
3. Remove the route-map on both VLT peers one after the other.
OS10(config)# router bgp
OS10(config-router-bgp- route-map set_origin
OS10(configure-router-bgpv4-af)# network
OS10(configure-router-bgpv4-af)#
Check OS10 license
To check the status of the pre-installed OS10 license, use the show license status command. A factory-installed OS10 image runs with a perpetual license.
Upgrade commands
boot system
Sets the boot image to use for the next reboot.
Syntax: boot system {active | standby}
Parameters:
● active — Reset the running image as the next boot image.
● standby — Set the standby image as the next boot image.
Default: Active
Command Mode: EXEC
Usage Information: Use this command to configure the location of the OS10 image used to reload the software at boot time. Use the show boot command to view the configured next boot image.
Supported Releases: 10.2.0E or later
image download
Downloads a new software image or firmware file to the local file system.
Syntax: image download file-url
Parameters: file-url—Enter the URL of the image file:
● ftp://userid:passwd@hostip/filepath—Enter the path to copy from the remote FTP server.
● http://hostip/filepath—Enter the path to copy from the remote HTTP server.
● scp://userid:passwd@hostip/filepath—Enter the path to copy from the remote SCP file system.
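The URL forms above place the account password on the command line, and FTP and HTTP send it unencrypted. The following Python audit is an added example, not part of the Dell guide: it scans recorded image download, image install and license install commands, flags cleartext schemes and embedded passwords, and returns a redacted copy that is safe to store in a change record. The sample history, hosts and file names are constructed, and the grouping of schemes into cleartext is this example's own classification.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Schemes from the guide's URL lists that send credentials and file contents
# unencrypted; the grouping is this example's classification, not Dell's.
CLEARTEXT_SCHEMES = {"ftp", "http", "tftp"}

# Matches the transfer commands, with or without a leading CLI prompt.
COMMAND_RE = re.compile(
    r"^\s*(?:\S+#\s*)?(image download|image install|license install)\s+(\S+)\s*$"
)

# Constructed sample history (documentation addresses, made-up file names).
SAMPLE_HISTORY = [
    "OS10# image download ftp://admin:S3cret@192.0.2.10/os10-installer.bin",
    "OS10# image download scp://backup:S3cret@192.0.2.10/images/os10-installer.bin",
    "OS10# image install image://os10-installer.bin",
    "OS10# license install http://192.0.2.10/license.xml",
    "OS10# show image status",
]


def redact_url(url):
    """Return (url_with_password_masked, had_password)."""
    parts = urlsplit(url)
    userinfo, at, host = parts.netloc.rpartition("@")
    user, colon, password = userinfo.partition(":")
    if not (at and colon and password):
        return url, False
    netloc = f"{user}:***@{host}"
    masked = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return masked, True


def audit_command(line):
    """Audit one CLI line; return None if it is not a transfer command."""
    match = COMMAND_RE.match(line)
    if match is None:
        return None
    command, url = match.groups()
    redacted, had_password = redact_url(url)
    findings = []
    if urlsplit(url).scheme.lower() in CLEARTEXT_SCHEMES:
        findings.append("cleartext-transport")
    if had_password:
        findings.append("password-in-url")
    return {"command": command, "redacted": f"{command} {redacted}", "findings": findings}


def audit_history(lines):
    """Audit every line and keep only the transfer commands."""
    return [result for result in map(audit_command, lines) if result is not None]


if __name__ == "__main__":
    for result in audit_history(SAMPLE_HISTORY):
        print(result["redacted"], "->", ", ".join(result["findings"]) or "ok")
```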
○ image://filename—Enter the path to use to install the image from a local file system.
○ usb://filepath—Enter the path to use to install the image from the USB file system.
Default: All
Command Mode: EXEC
Usage Information: Use the show image status command to view the installation progress.
Example: OS10# image install ftp://10.206.28.174:/PKGS_OS10-Enterprise-10.4.0E.55installer-x86_64.bin
Supported Releases: 10.2.0E or later
reload onie
Uninstalls existing operating system and reloads to ONIE.
Example:
OS10# show boot
Current system image information:
===================================
Type       Boot Type   Active        Standby       Next-Boo
------------------------------------------------------------
Node-id 1  Flash Boot  [A] 10.5.0.4  [B] 10.5.1.0  [B] stand
Example (Detail):
OS10# show boot detail
Current system image information detail:
==========================================
Type: Node-id 1
Boot Type: Flash Boot
Active Partition: A
Active SW Version: 10.5.0.
Supported Releases
onie-updater-x86_64-dellemc_mxseries-r0 3.35.1.1 Success OS10# show image firmware Pending Firmware Upgrade(s) ==================================== # Name Date --- ------------------------------------------------------------------ --------------------- Version Past Firmware Upgrade(s) ==================================== Name Version Result --------------------------------------------------------- ---------------------------onie-firmware-x86_64-dellemc_s5200_c3538-r0.3.40.5.1-6. 3.40.5.
show version
Displays software version information.
Syntax: show version
Parameters: None
Default: Not configured
Command Mode: EXEC
Usage Information: None
Example:
OS10# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2021 by Dell Inc. All Rights Reserved.
OS Version: 10.5.2.4
Build Version: 10.5.2.4.215
Build Time: 2021-04-11T21:35:41+0000
System Type: S5248F-ON
Architecture: x86_64
Up Time: 1 day 00:54:13
Supported Releases: 10.2.
To download OS10 Enterprise Edition and the license, follow the steps for an ONIE switch without an OS installed; see Download OS10 image, Installation using ONIE, and Install OS10 license.
Uninstall existing OS
CAUTION: To install OS10 on a switch running OS9 or another third-party OS, you must first uninstall the existing OS. The Uninstall option deletes the switch configuration and all disk partitions.
Restrictions on Downgrade from 10.5.1.x or later to 10.5.0.x or earlier version
After rollback to release 10.5.0.x or an earlier release, the following images are available in the switch:
● Image A: 10.5.0.0 (active)
● Image B: N/A
During this state, you must not use the boot system standby command and reload as the switch might get stuck in the GRUB shell.
Installation using ONIE
CAUTION: Installing OS10 or another OS using ONIE erases all software configurations on the switch.
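The downgrade restriction above comes down to one check before boot system standby and reload: does the switch hold a usable standby image? The following Python check is an added example, not Dell's code; it parses show boot detail text and refuses the switch-over when the standby version is absent or is not the release the change plan expects. Both sample outputs are constructed, and an empty standby slot appearing as N/A in the Standby SW Version field is an assumption based on the "Image B: N/A" wording.

```python
import re

# Constructed sample: standby slot holds 10.5.2.0 (layout follows the guide's
# "show boot detail" examples, values are made up).
SAMPLE_READY = """\
Current system image information detail:
==========================================
Type:                       Node-id 1
Boot Type:                  Flash Boot
Active Partition:           B
Active SW Version:          10.5.0.0
Active Build Date/Time:     2020-03-07T23:35:01Z
Standby Partition:          A
Standby SW Version:         10.5.2.0
Next-Boot:                  active[B]
"""

# Constructed sample: state after a rollback, with no standby image.
# Rendering the empty slot as "N/A" is an assumption of this example.
SAMPLE_EMPTY = """\
Current system image information detail:
==========================================
Type:                       Node-id 1
Boot Type:                  Flash Boot
Active Partition:           A
Active SW Version:          10.5.0.0
Standby Partition:          B
Standby SW Version:         N/A
Next-Boot:                  active[A]
"""

# Accepts release strings such as 10.5.2.0 or 10.4.0E.R4S, rejects N/A or blanks.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\S*$")


def parse_boot_detail(text):
    """Turn 'Key: value' lines into a dict; headers and rulers are skipped."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only: timestamps contain colons too.
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def standby_switch_allowed(text, expected_version=None):
    """Return (allowed, reason) for running 'boot system standby' then 'reload'."""
    fields = parse_boot_detail(text)
    standby = fields.get("Standby SW Version", "")
    if not VERSION_RE.match(standby):
        return False, f"no usable standby image (reported: {standby or 'missing'})"
    if expected_version is not None and standby != expected_version:
        return False, f"standby image is {standby}, change plan expects {expected_version}"
    return True, f"standby image {standby} present in partition {fields.get('Standby Partition', '?')}"


if __name__ == "__main__":
    print(standby_switch_allowed(SAMPLE_READY, "10.5.2.0"))
    print(standby_switch_allowed(SAMPLE_EMPTY))
```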
Automatic installation
You can automatically install an OS10 image on a Dell EMC ONIE-enabled device. This process is known as zero-touch install. After the device boots to ONIE: Install OS, ONIE auto-discovery follows these steps to locate the installer file and uses the first successful method:
1. Use a statically configured path that is passed from the boot loader.
2. Search file systems on locally attached devices, such as USB.
3. Search the exact URLs from a DHCPv4 server.
busid passed, refusing all cards
[ 5.120111] intel_rapl: driver does not support CPU family 6 model 77
[ 4.226593] systemd-fsck[493]: OS10-SYSROOT1: clean, 23571/426544 files, 312838/1704960 blocks
Debian GNU/Linux 8 OS10 ttyS0
Dell EMC Networking Operating System (OS10)
OS10 login:
Manual installation
If you do not use the ONIE-based automatic installation of an OS10 image and if a DHCP server is not available, you can manually install the image.
The ONIE auto-discovery process discovers the image file at the specified USB path, loads the software image, and reboots the switch. For more information, see the ONIE User Guide.
Log in
Connect a terminal emulator to the console serial port on the switch using a serial cable. Serial port settings are 115200 baud rate, 8 data bits, and no parity. To log in to an OS10 switch, power up and wait for the system to perform a power-on self-test (POST).
2. Open the zip file and locate the license file in the Dell folder. Copy the license file to a local or remote workstation.
3. Install the license file from the workstation in EXEC mode.
license install {ftp: | http: | localfs: | scp: | sftp: | tftp: | usb:} filepath/filename
● ftp://userid:passwd@hostip/filepath — Copy from a remote FTP server.
● http://hostip/filepath — Copy from a remote HTTP server.
● http://hostip — Send a request to a remote HTTP server.
3. Verify that the license is present in the home directory of your system.
OS10# dir home
Directory contents for folder: home
Date (modified)        Size (bytes)  Name
---------------------  ------------  -----------------------
2019-02-15T00:47:25Z   3795          0A900Q2-NOSEnterprise-License.XML
4. Enter the license install command with the path to the home directory location where the license was downloaded in step 1.
OS10# license install localfs://home/admin/0A900Q2-NOSEnterprise-License.XML
[ 5784.
Downgrade to Release 10.5.0.0 or earlier releases
NOTE:
● If the version that you are downgrading to is present in the system as the standby image, you can roll back to that release without losing any configuration or license data. Use the show boot detail command to view the standby image version. See Rollback from 10.5.1.0 or later release to 10.5.0.0 or earlier release for more information.
● During this stage, the show boot detail command displays the details of the previous image that was installed. The boot system active | standby command is not applicable during this state.
● If you install a new image using the image install command, the current staging image is replaced with the new image that you have installed and you cannot downgrade to the previous version.
9. Reload the new software image in EXEC mode. This command performs a fresh installation of Release 10.5.0.0. Release 10.5.0.
Downgrade to Release 10.5.1.0 or later releases
In this example, the OS10 switch runs the 10.5.2.0 software and the following procedure downgrades the system to Release 10.5.1.0.
NOTE:
● If the version that you are downgrading to is present in the system as the standby image, you can roll back to that release without losing any configuration or license data. Use the show boot detail command to view the standby image version. See the Rollback from 10.5.2.0 or later release to 10.5.1.
9. Use the show boot detail command to view the standby image. Change the next boot image to the standby image in EXEC mode. Reload the device. The device comes up with the 10.5.1.x software image.
OS10# show boot detail
OS10# boot system standby
OS10# reload
10. Use the show version command in EXEC mode to verify that the downloaded OS10 image is installed as the current running version.
OS10# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved.
OS Version: 10.5.1.
Active Build Date/Time: 2020-03-07T11:43:33+0000
Active Partition: B
Standby Partition: A
Standby SW Version: 10.5.1.0
Standby SW Build Version: 10.5.1.0.200
Standby Build Date/Time: 2020-03-07T23:35:01Z
Next-Boot: standby[A]
2. Change the next boot image to the standby image in EXEC mode.
OS10# boot system standby
3. Reload the new software image in EXEC mode.
OS10# reload
Switch deployment options
After you log in to OS10, configure the switch:
● Manually by using the command-line interface.
Table 9. MX7000 components (continued)
Component                                                                       Version
Qlogic 26XX series Fibre Channel adapters                                       15.05.12
Qlogic 27XX series Fibre Channel adapters                                       15.05.12
Qlogic 41xxx series adapters                                                    15.05.14
Mellanox ConnectX-4 Lx Ethernet Adapter Firmware                                14.25.80.00
Intel NIC Family Version 19.5.x Firmware for X710, XXV710, and XL710 adapters   19.5.12
Emulex Fibre Channel Adapter Firmware                                           03.02.18
OpenManage Enterprise Modular                                                   1.10.20
MX9116n Fabric Switching Engine OS10                                            10.5.0.
to download the latest device drivers associated with firmware update.
c. If the current version is 1.00.01 or 1.00.10, an update to the bridge version 1.10.00 or 1.10.10 is required before updating to 10.10.20. Follow the steps to update to 1.10.10.
NOTE: Updating to 1.1.x may log alert HWC7522 and require MX7116n or PTM IOMs to be rebooted.
i. From the global menu, click Devices and select Chassis from the dropdown. This lists all the Chassis devices.
MASTER-IPV4 : 100.69.101.170
PREFERRED-MASTER :
---------------------------------------------------------
MX9116N-A1#
Sample output from a Chassis-group Master:
MX9116N-A2# show smartfabric cluster
---------------------------------------------------------
CLUSTER DOMAIN ID : 159
VIP : fde1:53ba:e9a0:de14:0:5eff:fe00:1159
ROLE : MASTER
SERVICE-TAG : MXWV122
MASTER-IPV4 : 100.69.101.170
PREFERRED-MASTER :
---------------------------------------------------------
MX9116N-A2#
ii.
section in the existing SmartFabric Release Notes for additional instructions.
v. For upgrading the networking switches from 10.5.0.x to 10.5.0.5, it is recommended to upgrade via CLI, detailed in the "Networking Switch CLI upgrade procedure" section.
vi. Power cycle the MX7000 chassis after updating all applicable solution components.
b. Networking I/O Module CLI Upgrade Procedure
i.
NOTE: Some Windows unzip applications insert extra carriage returns (CR) or line feeds (LF) when they extract the contents of a .tar file, which may corrupt the downloaded OS10 binary image. Turn off this option if you use a Windows-based tool to untar an OS10 binary file. iv. (Optional) View the current software download status in EXEC mode. Table 13. Command description Command Description OS10# show image status View the current software download status. v. Install the 10.5.0.
Table 18. Command description Command Description OS10# reload Reload the new software. x. After the installation is complete, enter the show version command to check if the latest version of the software is running in the system. The example below shows that the 10.5.0.5 software is installed and running on the system. Table 19. Command description Command OS10# show version MX9116N-A2# show version Dell EMC Networking OS10 Enterprise Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved.
Table 20.
Feature limitation on the Z9100-ON and S5200-ON series switches On the Z9100-ON and S5200-ON series switches, system flow is enabled by default.
4. Enable the Management interface in INTERFACE mode.
no shutdown
Configure Management interface
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# no ip address dhcp
OS10(conf-if-ma-1/1/1)# ip address 10.1.1.10/24
OS10(conf-if-ma-1/1/1)# no shutdown
Configure Management route
To set up remote access to OS10, configure a management route after you assign an IPv4 or IPv6 address to the Management port. The Management port uses the default management route to communicate with a different network.
● Create a username and password in CONFIGURATION mode. username username password password role role ○ username username — Enter a text string. A maximum of 32 alphanumeric characters; one character minimum. ○ password password — Enter a text string. A maximum of 32 alphanumeric characters; nine characters minimum. ○ role role — Enter a user role: ■ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell.
4 CLI Basics The OS10 CLI is the software interface you use to access a device running the software — from the console or through a network connection. The CLI is an OS10-specific command shell that runs on top of a Linux-based OS kernel. By leveraging industry-standard tools and utilities, the CLI provides a powerful set of commands that you can use to monitor and configure devices running OS10.
until you commit them to activate the configuration. The start transaction command applies only to the current session. Changing the configuration mode of the current session to the Transaction-Based Configuration mode does not affect the configuration mode of other CLI sessions. ● After you explicitly enter the commit command to save changes to the candidate configuration, the session switches back to the default behavior of automatically saving the configuration changes to the running configuration.
Check device status
Use show commands to check the status of a device and monitor activities. Refer to the Related Videos section for more information.
● Enter show ? from EXEC mode to view a list of commands to monitor a device; for example:
OS10# show ?
acl-table-usage
alarms
alias
bfd
boot
candidate-configuration
class-map
clock
...
-- Fan Status --
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up
Related Videos
Check Device Status
Command help
To view a list of valid commands in any CLI mode, enter ?; for example:
OS10# ?
alarm
alias
batch
boot
clear
clock
commit
configure
copy
crypto
...
Candidate configuration When you use OS10 configuration commands in Transaction-based configuration mode, changes do not take effect immediately and are stored in the candidate configuration. The configuration changes become active only after you commit the changes using the commit command. Changes in the candidate configuration are validated and applied to the running configuration. The candidate configuration allows you to avoid introducing errors during an OS10 configuration session.
To display only interface-related configurations in the candidate configuration, use the show candidate-configuration compressed and show running-configuration compressed commands. These views display only the configuration commands for VLAN and physical interfaces. OS10# show candidate-configuration compressed interface breakout 1/1/1 map 40g-1x interface breakout 1/1/2 map 40g-1x interface breakout 1/1/3 map 40g-1x interface breakout 1/1/4 map 40g-1x ...
Prevent configuration changes You can prevent configuration changes that are made on the switch in sessions other than the current CLI session using the lock command. To prevent and allow configuration changes in other sessions, use the lock and unlock commands in EXEC mode. When you enter the lock command, users in other active CLI sessions cannot make configuration changes.
OS10(conf-range-po-3)# switchport trunk allowed vlan 2-5
OS10(conf-range-po-3)# exit
OS10(config)# no interface range vlan 2-4
OS10(conf-range-po-3)# % Error: Range configuration conflict - the last command was not applied. Please commit (or discard) the rest of the configuration changes and retry.
If you see the error message in bold, commit the entire configuration and then delete a subset of VLANs.
Copy running configuration to local directory or remote server OS10# copy running-configuration {config://filepath | home://filepath | ftp://userid:passwd@hostip/filepath | scp://userid:passwd@hostip/filepath | sftp://userid:passwd@hostip/filepath | tftp://hostip/filepath} OS10# copy running-configuration scp://root:calvin@10.11.63.120/tmp/qaz.
Restore startup file from server OS10# copy scp://admin:admin@hostip/backup-9-28.xml config://startup.xml OS10# reload System configuration has been modified. Save? [yes/no]:no Reload system image Reboot the system manually using the reload command in EXEC mode. You are prompted to confirm the operation. OS10# reload System configuration has been modified.
Common OS10 commands boot Configures the OS10 image to use the next time the system boots up. Syntax boot system [active | standby] Parameters ● active — Reset the running image as the next boot image. ● standby — Set the standby image as the next boot image. Default Not configured Command Mode EXEC Usage Information Use this command to configure the OS10 image that is reloaded at boot time. Use the show boot command to verify the next boot image. The boot system command applies immediately.
Example
OS10# configure terminal
OS10(config)#
Supported Releases 10.2.0E or later
copy
Copies the current running configuration to the startup configuration and transfers files between an OS10 switch and a remote device.
Directory contents for folder: coredump
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------
2017-02-15T19:05:41Z   12402278      core.netconfd-pro.2017-02-15_19-05-09.gz
OS10# copy coredump://core.netconfd-pro.2017-02-15_19-05-09.gz scp://os10user:os10passwd@10.11.222.1/home/os10/core.netconfd-pro.2017-02-15_19-05-09.
● usb://filepath — (Optional) Delete from the USB file system. Default Not configured Command Mode EXEC Usage Information Use this command to remove a regular file, software image, or startup configuration. Removing the startup configuration restores the system to the factory default. You must reboot the switch using the reload command for the operation to take effect. NOTE: ● Use caution when removing the startup configuration.
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml
OS10# dir severity-profile
Date (modified)        Size (bytes)  Name
---------------------  ------------  -------------
2019-03-27T15:24:06Z   46741         default.xml
2019-04-01T11:22:33Z   456           mySevProf.xml
Supported Releases 10.2.0E or later
discard
Discards changes made to the candidate configuration file.
end
Returns to EXEC mode from any other command mode. Syntax end Parameters None Default Not configured Command Mode All Usage Information Use the end command to return to EXEC mode to verify currently configured settings with show commands.
Example
OS10(config)# end
OS10#
Supported Releases 10.2.0E or later
exit
Returns to the next higher command mode.
Supported on the MX9116n and MX5108n switches in Full-Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric Services mode starting in 10.5.0. The no version of this command resets the host name to OS10.
Example
OS10(config)# hostname R1
R1(config)#
Supported Releases 10.3.0E or later
license
Installs a license file from a local or remote location.
Example
OS10# lock
Supported Releases 10.2.0E or later
management route
Configures an IPv4/IPv6 static route the Management port uses. To configure multiple management routes, repeat the command. Syntax management route {ipv4-address/mask | ipv6-address/prefix-length} {forwarding-router-address | managementethernet} Parameters ● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in prefix-length format (/xx).
Date (modified)        Size (bytes)  Name
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml
Supported Releases 10.2.0E or later
no
Disables or deletes commands in EXEC mode. Syntax no [alias | debug | support-assist-activity | terminal] Parameters ● ● ● ● Default Not configured Command Mode EXEC Usage Information Use this command in EXEC mode to disable or remove a configuration. Use the no ? in CONFIGURATION mode to view available commands.
● -i interval — (Optional) Enter the interval in seconds to wait between sending each packet, the default is 1 second. ● -I interface-name or interface-ip-address — (Optional) Enter the source interface name without spaces or the interface IP address: ○ For a physical Ethernet interface, enter ethernetnode/slot/port; for example, ethernet1/1/1. ○ For a VLAN interface, enter vlanvlan-id; for example, vlan10. ○ For a Loopback interface, enter loopbackid; for example, loopback1.
64 bytes from 20.1.1.1: icmp_seq=1 ttl=64 time=0.079 ms 64 bytes from 20.1.1.1: icmp_seq=2 ttl=64 time=0.081 ms 64 bytes from 20.1.1.1: icmp_seq=3 ttl=64 time=0.133 ms 64 bytes from 20.1.1.1: icmp_seq=4 ttl=64 time=0.124 ms ^C --- 20.1.1.1 ping statistics --4 packets transmitted, 4 received, 0% packet loss, time 2997ms rtt min/avg/max/mdev = 0.079/0.104/0.133/0.025 ms Supported Releases 10.2.0E or later ping6 Tests network connectivity to an IPv6 device.
● -Q tos — (Optional) Enter a maximum of 1500 bytes in decimal or hex datagrams to set the quality of service (QoS)-related bits. ● -s packetsize — (Optional) Enter the number of data bytes to send, from 1 to 65468, default 56. ● -S sndbuf — (Optional) Set the sndbuf socket. By default, the sndbuf socket buffers one packet maximum. ● -t ttl — (Optional) Enter the IPv6 time-to-live (TTL) value in seconds. ● -T timestamp option — (Optional) Set special IP timestamp options.
Example OS10# reload Proceed to reboot the system? [confirm yes/no]:y Supported Releases 10.2.0E or later show boot Displays detailed information about the boot image. Syntax show boot [detail] Parameters None Default Not configured Command Mode EXEC Usage Information The Next-Boot field displays the image that the next reload uses.
Parameters
● aaa — (Optional) Current operating AAA configuration.
● access-list — (Optional) Current operating access-list configuration.
● as-path — (Optional) Current operating as-path configuration.
● bfd — (Optional) Current operating BFD configuration.
● bgp — (Optional) Current operating BGP configuration.
● class-map — (Optional) Current operating class-map configuration.
Default Not configured Command Mode EXEC Usage Information None
Example
Example (compressed)
OS10# show candidate-configuration
! Version 10.2.9999E
! Last configuration change at Apr 11 10:36:43 2017
!
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.com/support
snmp-server location "United States"
logging monitor disable
ip route 0.0.0.0/0 10.11.58.
! class-map type application class-iscsi Supported Releases 10.2.0E or later show environment Displays information about environmental system components, such as temperature, fan, and voltage.
---------------------------------------------------------------------------------
* 1 S4148F-ON            09H9MN X01 TW-09H9MN-28298-713-0026 9531XC2
  1 S4148F-ON-PWR-1-AC   06FKHH A00 CN-06FKHH-28298-6B5-03NY
  1 S4148F-ON-FANTRAY-1  0N7MH8 X01 TW-0N7MH8-28298-713-0101
  1 S4148F-ON-FANTRAY-2  0N7MH8 X01 TW-0N7MH8-28298-713-0102
  1 S4148F-ON-FANTRAY-3  0N7MH8 X01 TW-0N7MH8-28298-713-0103
  1 S4148F-ON-FANTRAY-4  0N7MH8 X01 TW-0N7MH8-28298-713-0104
Supported Releases 10.2.
2001:34::0/64  ManagementEthernet 1/1  Connected
2001:68::0/64  2001:34::16             Active
Supported Releases 10.2.2E or later
show license status
Displays license status information. Syntax show license status Parameters None Default Not configured Command Mode EXEC Usage Information Use the show license status command to verify the current license for running OS10, its duration, and the service tag assigned to the switch.
● as-path — (Optional) Current operating as-path configuration. ● bfd — (Optional) Current operating BFD configuration. ● bgp] — (Optional) Current operating BGP configuration. ○ [vrf vrf-name] — Enter the VRF name. ○ [neighbor [ip-address | interface interface-type Enter the interface IP address or interface name. ● class-map — (Optional) Current operating class-map configuration. ● community-list — (Optional) Current operating community-list configuration.
● wred-profile — (Optional) Current operating WRED profile configuration.
Default Not configured Command Mode EXEC Usage Information None
Example
Example (compressed)
OS10# show running-configuration
! Version 10.2.9999E
! Last configuration change at Apr 11 01:25:02 2017
!
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.
! support-assist ! policy-map type application policy-iscsi ! class-map type application class-iscsi Supported Releases 10.2.0E or later show startup-configuration Displays the contents of the startup configuration file. Syntax show startup-configuration [compressed] Parameters compressed — (Optional) View a compressed version of the startup configuration file.
 no shutdown
!
interface vlan 1
 no shutdown
!
interface mgmt1/1/1
 ip address 10.11.58.145/8
 no shutdown
 ipv6 enable
 ipv6 address autoconfig
!
support-assist
!
policy-map type application policy-iscsi
!
class-map type application class-iscsi
Supported Releases 10.2.0E or later
show system
Displays system information. Syntax show system [brief | node-id] Parameters ● brief — View an abbreviated list of the system information. ● node-id — View the node ID number.
FanTray  Status  AirFlow  Fan  Speed(rpm)  Status
----------------------------------------------------------------
1        up      NORMAL   1    13195       up
2        up      NORMAL   1    13151       up
3        up      NORMAL   1    13239       up
4        up      NORMAL   1    13239       up
Example (nodeid)
OS10# show system node-id 1 fanout-configured
Interface   Breakout capable   Breakout state
-----------------------------------------------------
Eth 1/1/5   No                 BREAKOUT_1x1
Eth 1/1/6   No                 BREAKOUT_1x1
Eth 1/1/7   No                 BREAKOUT_1x1
Eth 1/1/8   No                 BREAKOUT_1x1
Eth 1/1/9   No                 BREAKOUT_1x1
Eth 1
show version
Displays software version information. Syntax show version Parameters None Default Not configured Command Mode EXEC Usage Information None
Example
OS10# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2021 by Dell Inc. All Rights Reserved.
OS Version: 10.5.2.4
Build Version: 10.5.2.4.215
Build Time: 2021-04-11T21:35:41+0000
System Type: S5248F-ON
Architecture: x86_64
Up Time: 1 day 00:54:13
Supported Releases 10.2.
Example
OS10# system bash
admin@OS10:~$ pwd
/config/home/admin
admin@OS10:~$ exit
OS10#
Supported Releases 10.2.0E or later
system-cli disable
Disables the system command. Syntax system-cli disable Parameters None Default Enabled Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.3.0. Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command enables OS10 system command.
Default Not configured Command Mode CONFIGURATION Usage Information The system ID displays in the stack LED on the switch front panel. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
Example
OS10(config)# system identifier 1
Supported Releases 10.3.0E or later
terminal
Sets the number of lines to display on the terminal and enables logging.
○ -N squeries — (Optional) Enter the number of probe packets sent out simultaneously to accelerate traceroute. The default is 16. ○ -t tos — (Optional) For IPv4, enter the type of service (ToS) and precedence values to use. 16 sets a low delay; 8 sets a high throughput. ○ -UL — (Optional) Use UDPLITE for tracerouting. The default port is 53. ○ -w waittime — (Optional) Enter the time in seconds to wait for a response to a probe. The default is 5 seconds.
Supported Releases 10.2.0E or later username password role Creates an authentication entry based on a user name and password, and assigns a role to the user. Syntax username username password password role role [priv-lvl privilege-level] Parameters ● username username—Enter a text string. A maximum of 32 alphanumeric characters; one character minimum. ● password password—Enter a text string. A maximum of 32 alphanumeric characters; nine characters minimum.
write
Copies the current running configuration to the startup configuration file. Syntax write {memory} Parameters memory — Copy the current running configuration to the startup configuration. Default Not configured Command Mode EXEC Usage Information This command has the same effect as the copy running-configuration startup-configuration command. The running configuration is not saved to a local configuration file other than the startup configuration.
5 Advanced CLI tasks Command alias Provides information to create shortcuts for commonly used commands, see Command alias. Batch mode Provides information to run a batch file to execute multiple commands, see Batch mode. Linux shell commands Provides information to run commands from the Linux shell, see Linux shell commands. OS9 commands Provides information to enter configuration commands using an OS9 command syntax, see Using OS9 commands.
View alias output for goint
OS10(config)# goint 1/1/1
OS10(conf-if-eth1/1/1)#
View alias information
OS10# show alias
Name      Type
----      ----
govlt     Config
goint     Config
shconfig  Local
showint   Local
shver     Local
Number of config aliases : 2
Number of local aliases : 3
View alias information brief. Displays the first 10 characters of the alias value.
OS10# show alias brief
Name      Type    Value
----      ----    -----
govlt     Config  "vlt-domain..."
goint     Config  "interface ..."
shconfig  Local   "show runni...
showint   Local
shver     Local
● (Optional) You can enter the default values to use for the parameters defined as $n in ALIAS mode. default n input-value ● (Optional) Enter a description for the multi-line alias in ALIAS mode. description string ● Use the no form of the command to delete an alias in CONFIGURATION mode. no alias alias-name You can modify an existing multi-line alias by entering the corresponding ALIAS mode.
Number of config aliases : 1
Number of local aliases : 0
View alias information brief. Displays the first 10 characters of each line of each alias.
OS10# show alias brief
Name   Type    Value
----   ----    -----
mTest  Config  line 1 "interface ..."
               line 2 "no shutdow..."
               line 3 "show confi..."
               default 1 "ethernet"
               default 2 "1/1/1"
Number of config aliases : 1
Number of local aliases : 0
View alias detail. Displays the entire alias value.
Eth 1/1/3 up 40G A 1 Eth 1/1/4 up 40G A 1 Eth 1/1/5 up 40G A 1 Eth 1/1/6 up 40G A 1 Eth 1/1/7 up 40G A 1 Eth 1/1/8 up 40G A 1 Eth 1/1/9 up 40G A 1 Eth 1/1/10 up 40G A 1 Eth 1/1/11 up 40G A 1 Eth 1/1/12 up 40G A 1 Eth 1/1/13 up 40G A 1 Eth 1/1/14 up 40G A 1 Eth 1/1/15 up 40G A 1 Eth 1/1/16 up 40G A 1 Eth 1/1/17 up 40G A 1 Eth 1/1/18 up 40G A 1 Eth 1/1/19 up 40G A 1 Eth 1/1/20 up 40G A 1 Eth 1/1/21 up 40G A 1 Eth 1/1/22 up 40G A 1 Eth 1/1/23 up 40G A 1 Eth 1/1/24 up 40G A 1 Eth 1/1/25 up 40G A 1 Eth 1/1/26 up
default (alias) Configures default values for input parameters in a multi-line alias. Syntax default n value Parameters ● n — Enter the number of the argument, from 1 to 9. ● value — Enter the value for the input parameter. Default Not configured Command Mode ALIAS Usage Information To use special characters in the input parameter value, enclose the string in double quotation marks ("). The no version of this command removes the default value.
Usage Information The no version of this command removes the line number and the corresponding command from the multi-line alias.
Example
OS10(config)# alias mTest
OS10(config-alias-mTest)# line 1 "interface $1 $2"
OS10(config-alias-mTest)# line 2 "no shutdown"
OS10(config-alias-mTest)# line 3 "show configuration"
Supported Releases 10.4.0E(R1) or later
show alias
Displays configured alias commands available in both Persistent and Non-Persistent modes.
                  default 2 "1/1/1"
shconfig  Local   "show running-configuration"
showint   Local   "show interface $*"
shver     Local   "show version"
Number of config aliases : 3
Number of local aliases : 3
Supported Releases 10.3.0E or later
Batch mode
To execute a sequence of multiple commands, create and run a batch file. A batch file is an unformatted text file that contains two or more commands. Store the batch file in the home directory.
● /home/filepath — Enter the username and the filepath as follows: batch /home/username/filename. ● config://filepath — Enter the filepath. Default Not configured Command Mode EXEC Usage Information Use this command to create a batch command file on a remote machine. Copy the command file to the home directory on your switch. This command executes commands in batch mode. OS10 automatically commits all commands in a batch file; you do not have to enter the commit command.
! router bgp 100 ! neighbor 100.1.1.1 remote-as 104 no shutdown admin@OS10:/opt/dell/os10/bin$ User admin logged out at session 16 ● Use the ifconfig -a command to display the interface configuration. The Linux kernel port numbers that correspond to front-panel port, port-channel, and VLAN interfaces are displayed. Port-channel interfaces are in boportchannelnumber format. VLAN interfaces are in brvlan-id format. In this example, e101-001-0 identifies port 1/1/1.
Architecture: x86_64 Up Time: 1 day 00:54:13 Using OS9 commands To enter configuration commands using an OS9 command syntax, use the feature config-os9-style command in CONFIGURATION mode and log out of the session. If you do not log out of the OS10 session, configuration changes made with OS9 command syntaxes do not take effect. After you log in again, you can enter OS9 commands, but only in the new session.
6 Dell EMC SmartFabric OS10 zero-touch deployment Zero-touch deployment (ZTD) allows OS10 users to automate switch deployment: ● Upgrade an existing OS10 image. ● Execute a CLI batch file to configure the switch. ● Execute a post-ZTD script to perform additional functions. ZTD is enabled by default when you boot up a switch with a factory-installed OS10 for the first time or when you perform an ONIE: OS Install from the ONIE boot menu.
3. If you specify an OS10 CLI batch file with configuration commands for CLI_CONFIG_FILE, ZTD executes the commands in the PRE-CONFIG and POST-CONFIG sections. After executing the PRE-CONFIG commands, the switch reloads with the new OS10 image and then executes the POST-CONFIG commands. For more information, see ZTD CLI batch file. 4. If you specify a post-ZTD script file for POST_SCRIPT_FILE, ZTD executes the script. For more information, see Post-ZTD script.
ZTD generates log messages about its current status. [os10:notify], %Dell EMC (OS10) %ZTD-IN-PROGRESS: Zero Touch Deployment applying post configurations. ZTD also generates failure messages. [os10:notify], %Dell EMC (OS10) %ZTD-FAILED: Zero Touch Deployment failed to download the image. Troubleshoot configuration locked When ZTD is enabled, the CLI configuration is locked. If you enter a CLI command, the error message configuration is locked displays.
For the IMG_FILE, CLI_CONFIG_FILE, and POST_SCRIPT_FILE files, you can specify HTTP, SCP, SFTP, or TFTP URLs.
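The transport chosen for these URLs decides whether the image, configuration, and post-script a switch fetches during ZTD can be read or altered in transit, and whether a password sits inside the script. The following check is an added example, not part of the Dell guide: it audits the three ZTD variables and any file-transfer URL in a copy command, and returns each URL with its password masked. It assumes shell-style NAME=value assignments and the userid:passwd@host form the guide shows for copy; the sample script, hosts, credentials, and finding names are constructed.

```python
import re
from urllib.parse import urlsplit

# URL variables the guide names for the ZTD provisioning script.
ZTD_VARS = ("IMG_FILE", "CLI_CONFIG_FILE", "POST_SCRIPT_FILE")
# Schemes the guide lists for those variables.
ZTD_SCHEMES = {"http", "scp", "sftp", "tftp"}
# Transports with no encryption and no server authentication.
CLEARTEXT = {"http", "ftp", "tftp"}

# Assumption: the script sets variables with shell-style NAME=value lines.
ASSIGN_RE = re.compile(r"""^\s*(?:export\s+)?([A-Z_]+)=(['"]?)(.*?)\2\s*(?:#.*)?$""")
URL_RE = re.compile(r"""\b(?:https?|ftp|scp|sftp|tftp)://[^\s'"]+""")

# Constructed samples: documentation addresses, made-up credentials.
SAMPLE_ZTD = '''\
#!/bin/bash
IMG_FILE="http://192.0.2.10/images/os10.bin"
CLI_CONFIG_FILE='sftp://ztd:S3cretPw99@192.0.2.10/cfg/leaf1.conf'
POST_SCRIPT_FILE="tftp://192.0.2.10/post.sh"  # runs last
'''
SAMPLE_CMDS = '''\
OS10# copy running-configuration scp://backup:Pa55word1@192.0.2.20/tmp/leaf1.xml
OS10# copy tftp://192.0.2.20/startup.xml config://startup.xml
'''


def redact(url):
    """Mask the password of a userid:passwd@host URL so it can be logged."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    userinfo, _, host = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return parts._replace(netloc=f"{user}:***@{host}").geturl()


def audit_url(source, url, lineno):
    """Classify one URL; source is a ZTD variable name or 'command'."""
    try:
        parts = urlsplit(url)
        has_password = parts.password is not None
    except ValueError:  # for example a malformed IPv6 literal
        return {"line": lineno, "source": source,
                "url": "<unparseable>", "findings": ["unparseable-url"]}
    scheme = parts.scheme.lower()
    findings = []
    if source in ZTD_VARS and scheme not in ZTD_SCHEMES:
        findings.append("scheme-not-listed-for-ztd")
    if scheme in CLEARTEXT:
        findings.append("cleartext-transport")
    if has_password:
        findings.append("embedded-password")
    return {"line": lineno, "source": source,
            "url": redact(url), "findings": findings}


def audit_text(text):
    """Audit a ZTD provisioning script or a list of CLI commands."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # shell comment or shebang
        m = ASSIGN_RE.match(line)
        if m and m.group(1) in ZTD_VARS:
            if m.group(3):  # an empty value means the step is not used
                results.append(audit_url(m.group(1), m.group(3), lineno))
            continue
        for url in URL_RE.findall(line):
            results.append(audit_url("command", url, lineno))
    return results


if __name__ == "__main__":
    for r in audit_text(SAMPLE_ZTD) + audit_text(SAMPLE_CMDS):
        print(r["line"], r["source"], r["url"], ",".join(r["findings"]) or "ok")
```

Only the masked form of a URL is returned, so the audit output can be stored or shared without copying the password further.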
snmp-server community public ro
snmp-server contact NOC@dell.com
snmp-server location delltechworld
!
clock timezone GMT 0 0
!
hostname LEAF-1
!
ip domain-list networks.dell.com
ip name-server 8.8.8.8 1.1.1.1
!
ntp server 132.163.96.5 key 1 prefer
ntp server 129.6.15.32
!
!
logging server 10.22.0.99
Post-ZTD script
As a general guideline, use a post-ZTD script to perform any additional functions required to configure and operate the switch.
Default None Command Mode EXEC Usage Information None
Examples
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : completed
Protocol State : idle
Reason : ZTD process completed successfully at Mon Jul 16 19:31:57 2018
-----------------------------------
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : failed
Protocol State : idle
Reason : ZTD process failed to download post script file
-----------------------------------
● ZT
ztd start Starts the ZTD process. Syntax ztd start Parameters None Default Not configured Command Mode EXEC Security and Access Sysadmin and secadmin Usage Information When you enter this command, if there are any configuration changes, the system prompts you for a confirmation to delete the startup configuration. If you have made configuration changes after the ZTD process stops, the system reloads. This command is similar to the reload ztd command.
7 Dell EMC SmartFabric OS10 provisioning OS10 supports automated switch provisioning — configuration and monitoring — using: ● RESTCONF API — REST-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches with JavaScript Object Notation (JSON)-structured messages. You can use any programming language to create and send JSON messages; see RESTCONF API.
Ansible inventory file The inventory file contains the list of hosts on which you want to run commands. Ansible can run tasks on multiple hosts at the same time. Ansible playbooks use /etc/ansible/hosts as the default inventory file. To specify a different inventory file, use the -i filepath command as an option when you run an Ansible playbook. Ansible playbook file Using playbooks, Ansible can configure multiple devices. Playbooks are human-readable scripts that are expressed in YAML format.
After you install Ansible, verify the version by entering: $ ansible --version 2. Download and install Dell EMC Networking Ansible roles from the Ansible Galaxy web page; for example: $ ansible-galaxy install dell-networking.dellos-users $ ansible-galaxy install dell-networking.dellos-logging $ ansible-galaxy install dell-networking.dellos-ntp 3. Create a directory to store inventory and playbook files; for example: $ mkdir AnsibleOS10 4. Navigate to the directory and create an inventory file.
    state: present
dellos_users:
  - username: u1
    password: Test@1347
    role: sysadmin
    privilege: 0
    state: present
dellos_ntp:
  server:
    - ip: 3.3.3.3
The dellos_cfg_generate parameter creates a local copy of the configuration commands applied to the remote switch on the Ansible controller node, and saves the commands in the directory defined in the build_dir path.
8. Create a playbook file.
$ vim playbook.yaml
- hosts: OS10switch-1 OS10switch-2
  connection: network_cli
  roles:
    - dell-networking.
8 SmartFabric Director
SmartFabric Director manages the switches in a data center with or without any virtual infrastructure. SmartFabric Director provides a single view for operating, managing, and troubleshooting physical and virtual networks.
SmartFabric Director features
● Define, build, and maintain a Layer 2 or Layer 3 leaf-spine data center fabric (underlay).
Set security profile to gNMI agent
Before establishing a connection to the gNMI client in SmartFabric Director, set a valid application-specific security profile for the gNMI agent. Also, configure an FQDN or an IP address for entry to the SmartFabric Director server, and assign client and CA certificates. A user role in SmartFabric Director with Super Admin privileges can be used to access the agent. The security profile that is assigned to the gNMI agent must be pre-configured on the switch.
Table 21. Openconfig device Sensor group name YANG container oc-device ● openconfig-platform/components/component ● openconfig-network-instance/network-instances/network-instance Table 22. Openconfig system Sensor group name YANG container oc-system ● openconfig-system/system ● openconfig-platform/components/component Table 23. Openconfig environment Sensor group name YANG container oc-environment openconfig-platform/components/component Table 24.
Table 31. Openconfig STP Sensor group name YANG container oc-stp openconfig-spanning-tree/stp Table 32. Vendor UFD Sensor group name YANG container oc-vendor-ufd ufd/uplink-state-group-stats/ufd-groups Table 33. Vendor VXLAN Sensor group name YANG container oc-vendorvxlan vxlan/vxlan-state/remote-endpoint/stats Table 34. Openconfig VLAN Sensor group name YANG container oc-vlan openconfig-interfaces/interfaces/interface Table 35.
Table 37. activate API API Name Description activate Activates the newly installed OS10 image. Activation is a two stage process. In the first stage, the boot partition is set to standby for subsequent boot cycles. In the second stage, a system reload is issued to boot the newly installed OS10 image from the standby partition. The activate-image operation requires a system reload. As a result, the current services are affected. Table 38.
Example
OS10(config)# switch-operating-mode Full-Switch
Supported releases 10.4.3.0 or later
gnmi-security-profile
Set the security profile for the gNMI agent. Syntax gnmi-security-profile profile-name Parameters profile-name — Enter the name of the security profile to be associated with the gNMI agent. Default Not configured Command mode CONFIGURATION Usage information Before establishing a connection to the gNMI agent, set a valid application-specific security profile for the gNMI agent.
Examples
OS10# show sfd status
Controller IP   Port   Status
-----------------------------------------------------------------------------
10.14.8.102     8443   active
OS10#
Supported releases 10.5.0.
9 System management
System banners
Provides information to configure a system login and message of the day (MOTD) text banners, see System banners.
User session management
Provides information to manage the active user sessions, see User session management.
Telnet server
Provides information to set up Telnet TCP/IP connections on the switch, see Telnet server. To set up secure, encrypted Secure Shell (SSH) connections to the switch, see SSH server.
DellEMC S4148U-ON login Enter your username and password % To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command. Message of the day banner Configure a message of the day (MOTD) banner that displays after you log in. Enter any single delimiter character to start and end the MOTD banner.
Usage Information Example Supported Releases ● To enter a multiline banner text, use the interactive mode. Enter the command with the delimiter character and press Enter. Then enter each line and press Enter. Complete the banner configuration by entering a line that contains only the delimiter character. ● To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command.
Clear user session
OS10# kill-session 3
View active user sessions
OS10# show sessions
Current session's operation mode: Non-transaction
Session-ID  User       In-rpcs  In-bad-rpcs  Out-rpc-err  Out-notify  Login-time            Lock
------------------------------------------------------------------------------------------
3           snmp_user  114      0            0            0           2017-07-10T23:58:39Z
4           snmp_user  57       0            0            0           2017-07-10T23:58:40Z
6           admin      17       0            0            4           2017-07-12T03:55:18Z
*7          admin      10       0            0            0           2017-07-12T04:42:55Z
OS10#
The asterisk (*) in the Session-ID column in
show sessions Displays the active management sessions. Syntax show sessions Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to view information about the active user management sessions.
Telnet commands ip telnet server enable Enables Telnet TCP/IP connections to an OS10 switch. Syntax ip telnet server enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information By default, the Telnet server is disabled. When you enable the Telnet server, use the IP address configured on the management or any front-panel port to connect to an OS10 switch. After you reload the switch, the Telnet server configuration is maintained.
OS10 supports standard and private SNMP MIBs, including all get requests. MIBs are hierarchically structured and use object identifiers to access managed objects. For a list of MIBs supported in the OS10 version running on a switch, see the OS10 Release Notes for the release. OS10 supports different security models and levels in SNMP communication between SNMP managers and agents. Each security model refers to an SNMP version used in SNMP messages.
Table 40. Standards MIBs Module Standard IP-FORWARD-MIB RFC 4292 IP-MIB RFC 4293 LLDP-EXT-DOT1-MIB IEEE 802.1AB LLDP-EXT-DOT3-MIB IEEE 802.1AB LLDP-MIB IEEE 802.1AB OSPF-MIB RFC 4750 OSPFV3-MIB RFC 5643 Q-BRIDGE-MIB IEEE 802.
To configure SNMPv3-specific security settings — user authentication and message encryption — use the snmp-server user command. You can generate localized keys with enhanced security for authentication and privacy (encryption) passwords.
SNMP engine ID
An engine ID identifies the SNMP entity that serves as the local agent on the switch. The engine ID is a colon-separated string of hexadecimal octets; for example, 00:00:17:8B:02:00:00:01.
NOTE: Create a remote engine ID with the snmp-server engineID command before you configure a remote user with the snmp-server user command. If you change the configured engine ID for a remote device, you must reconfigure the authentication and privacy passwords for all remote users associated with the remote engine ID.
To configure a view of the MIB tree on the SNMP agent, use the snmp-server view command. To configure an SNMPv3 user's authentication and privacy settings, use the snmp-server user command. To display the configured SNMP groups, use the show snmp group command.
OS10(config)# snmp-server user n3user ngroup remote 172.31.1.
snmp-server host {ipv4-address | ipv6-address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp]
Configure SNMP v1 or v2C traps
OS10(config)# snmp-server host 10.11.73.
Parameters None
Defaults None
Command Mode EXEC
Usage Information To configure an SNMP community, use the snmp-server community command.
Example
OS10# show snmp community
Community : public
Access    : read-only

Community : dellOS10
Access    : read-write
ACL       : dellacl
Supported Releases 10.4.2.0 or later

show snmp engineID
Displays the SNMP engine ID on the switch or on remote devices that access the SNMP agent on the switch.
groupname      : v3group
version        : 3
security level : priv
notifyview     : alltraps
readview       : readview
writeview      : writeview
Supported Releases 10.4.2.0 or later

show snmp user
Displays the users configured to access the SNMP agent on the switch, including the SNMP group and security model.
Syntax show snmp user
Parameters None
Defaults None
Command Mode EXEC
Usage Information To configure an SNMP user, use the snmp-server user command.
Parameters ● community name — Set the community name string to act as a password for SNMPv1 and SNMPv2c access. A maximum of 20 alphanumeric characters. ● ro — Set read-only access for the SNMP community. ● rw — Set read-write access for the SNMP community. ● acl acl-name — Enter an existing IPv4 ACL name to limit SNMP access in the SNMP community. Defaults An SNMP community has read-only access.
Table 42. Notification types and options
Notification type: entity — Enable entity change traps.
Notification option: None
Notification type: envmon — Enable SNMP environmental monitor traps.
Notification options:
○ fan — Enable fan traps.
○ power-supply — Enable power-supply traps.
○ temperature — Enable temperature traps.
Notification type: lldp — Enable LLDP state change traps.
Notification options:
○ rem-tables-change — Enable the lldpRemTablesChange trap.
Notification type: snmp — Enable SNMP traps.
Notification options:
○ authentication — Enable authentication traps.
Command Mode CONFIGURATION
Usage Information The local engine ID generates the localized keys for the authentication and privacy passwords. These passwords authenticate SNMP users and encrypt SNMP messages. If you reconfigure the local engine ID, the localized keys also change. The existing values are no longer valid, and a warning message displays. As a result, you must reconfigure SNMP users with new localized password keys.
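The dependency between the engine ID and the localized keys, worked through with the standard RFC 3414 password-to-key algorithm. This is an added example, not Dell code: it assumes OS10 localizes keys as RFC 3414 specifies, and the password and the second engine ID are constructed values.

```python
import hashlib

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: hash exactly this many password bytes


def parse_engine_id(text):
    """Parse the colon-separated octet form used in this guide."""
    octets = text.strip().split(":")
    if any(len(o) != 2 for o in octets):
        raise ValueError("engine ID must be colon-separated two-digit hex octets")
    engine_id = bytes(int(o, 16) for o in octets)
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID size limit (RFC 3411)
        raise ValueError("engine ID must be 5 to 32 octets long")
    return engine_id


def password_to_key(password, algo):
    """Derive the non-localized user key Ku from a password."""
    pw = password.encode("utf-8")
    if len(pw) < 8:
        raise ValueError("RFC 3414 requires passwords of at least 8 octets")
    # The RFC feeds the password, repeated end to end, into the hash
    # until exactly 1,048,576 bytes have been consumed.
    repeats = ONE_MEGABYTE // len(pw) + 1
    return hashlib.new(algo, (pw * repeats)[:ONE_MEGABYTE]).digest()


def localize(user_key, engine_id, algo):
    """Bind Ku to one engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def localized_key_hex(password, engine_id_text, algo="sha1"):
    """Return the localized key for a password and engine ID as hex."""
    engine_id = parse_engine_id(engine_id_text)
    return localize(password_to_key(password, algo), engine_id, algo).hex()


def keys_survive_engine_id_change(password, old_id, new_id, algo="sha1"):
    """True only if the stored localized key would still verify."""
    return (localized_key_hex(password, old_id, algo)
            == localized_key_hex(password, new_id, algo))


if __name__ == "__main__":
    password = "constructed-auth-passphrase"   # constructed sample value
    old_id = "00:00:17:8B:02:00:00:01"         # example engine ID from this guide
    new_id = "00:00:17:8B:02:00:00:02"         # constructed: engine ID after a change
    for algo in ("md5", "sha1"):
        print(algo, "old:", localized_key_hex(password, old_id, algo))
        print(algo, "new:", localized_key_hex(password, new_id, algo))
    print("stored keys still valid:",
          keys_survive_engine_id_change(password, old_id, new_id))
```

Because the engine ID is an input to the hash, the same password yields a different key per engine, which is why users must be reconfigured after an engine ID change and why a key captured from one device does not authenticate to another.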
Enter an access acl-name value to limit access to the SNMP agent to only ACL-allowed users. A read-view provides read-only access to the SNMP agent. A read-write view allows read-write access. A notify-view allows SNMP notifications to be sent to group members. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.2.0. Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of the command deletes an SNMP group.
An SNMP host does not acknowledge the trap messages and notifications received from the SNMP agent. SNMP hosts send an acknowledgement when receiving informs. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of the command disables the local agent from sending SNMP traps, informs, or notifications to a host receiver.
○ 3 — SNMPv3 provides optional user authentication and encryption for SNMP messages. ● noauth — (SNMPv3 only) Configure SNMPv3 messages to send without user authentication and privacy encryption. ● auth — (SNMPv3 only) Include a user authentication key for SNMPv3 messages sent to the user: ○ md5 — Generate an authentication key using the MD5 algorithm. ○ sha — Generate an authentication key using the SHA algorithm.
snmp-server view Configures an SNMPv3 view. Syntax snmp-server view view-name oid-tree [included | excluded] Parameters ● view-name — Enter the name of a read-only, read-write, or notify view. A maximum of 32 characters. ● oid-tree — Enter the SNMP object ID at which the view starts in 12-octet dotted-decimal format. ● included — (Optional) Include the MIB family in the view. ● excluded — (Optional) Exclude the MIB family from the view.
● The no version of this command removes the configured source interface.
Example
OS10(config)# snmp-server source-interface loopback 1
Supported Releases
10.5.2.0 or later

Example: Configure SNMP
This example shows how to configure SNMP on the switch, including SNMP engine ID, views, groups, and users.
NOTE: Dell Technologies recommends configuring a standard time zone supported in Linux. Use the ? character for command completion to view a list of supported standard time zones.
Table 43.
System Clock commands
clock set
Sets the system time.
Syntax
clock set time year-month-day
Parameters
time
Enter time in the format hour:minute:second, where hour is 1 to 24; minute is 1 to 60; second is 1 to 60. For example, enter 5:15 PM as 17:15:00.
year-month-day
Enter year-month-day in the format YYYY-MM-DD, where YYYY is a four-digit year, such as 2016; MM is a month from 1 to 12; DD is a day from 1 to 31.
show clock Displays the current system clock settings. Syntax show clock Parameters None Default Not configured Command Mode EXEC Usage Information The universal time coordinated (UTC) value is the number of hours that your time zone is later or earlier than UTC/Greenwich mean time. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
NOTE: OS10 supports both NTP server and client roles.
Enable NTP
NTP is disabled by default. To enable NTP, configure an NTP server with which the system synchronizes. To configure multiple servers, enter the command multiple times. Multiple servers may impact CPU resources.
● Enter the IP address of the NTP server with which the system synchronizes in CONFIGURATION mode.
10.16.150.185 10.16.151.123 16 1024 0 0.00000 0.000000 3.99217
OS10# show ntp associations
remote         local          st  poll  reach  delay    offset    disp
=======================================================================
10.16.150.185  10.16.151.123  16  1024  0      0.00000  0.000000  3.99217

Broadcasts
Receive broadcasts of time information and set all the interfaces within the system to receive NTP information through broadcast. NTP is enabled on all active interfaces by default.
Authentication
NTP authentication and the corresponding trusted key provide a reliable exchange of NTP packets with trusted time sources. NTP authentication begins with creating the first NTP packet after the key configuration. NTP authentication uses the message digest 5 (MD5), SHA-1, and SHA2-256 algorithms. The key is embedded in the synchronization packet that is sent to an NTP time source.
1. Enable NTP authentication in CONFIGURATION mode.
ntp authenticate
2.
Sample NTP configuration The following example shows an NTP master (11.0.0.2), server (10.0.0.1), and client (10.0.0.2) connected through a nondefault VRF instance (VRF Red). OS10 acts as an NTP server to synchronize its clock with the NTP master available in the nondefault VRF instance red and provides time to NTP clients in the VRF. To create this sample NTP configuration: 1. Configure the NTP server: a. Create a nondefault VRF instance and assign an interface to the VRF.
a. Create a nondefault VRF instance and assign an interface to the VRF.
OS10(config)# ip vrf red
OS10(conf-vrf)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip vrf forwarding red
OS10(conf-if-eth1/1/1)# ip address 10.0.0.2/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)#
b. Configure the NTP server IP address on the NTP client.
OS10(config)# ntp server 10.0.0.1
OS10(config)# do show running-configuration ntp
ntp server 10.0.0.1
OS10(config)#
c.
OS10# show ntp status vrf red
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
system peer: 10.0.0.1:123
system peer mode: client
leap indicator: 00
stratum: 11
log2 precision: -24
root delay: 0.991
root dispersion: 1015.099
reference ID: 10.0.0.1
reference time: dbc7b087.5d47aaa6 Sat, Nov 5 2016 1:12:39.364
system jitter: 0.000000
clock jitter: 0.462
clock wander: 0.003
broadcast delay: -50.000
symm. auth. delay: 0.000
OS10#
5. Verify that the NTP server (10.0.0.
Example
OS10(config)# ntp authenticate
Supported Releases
10.2.0E or later

ntp authentication-key
Configures the authentication key for trusted time sources.
Syntax
ntp authentication-key number {md5 | sha1 | sha2-256} {0 | 9} key
Parameters
● ● ● ● ● ● ●
Default
0
Command Mode
CONFIGURATION
Usage Information
The authentication number must be the same as the number parameter configured in the ntp trusted-key command. Use the ntp authenticate command to enable NTP authentication.
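A consistency check for the relationships stated above (ntp authenticate enabled, every authentication key number matched by a trusted key, every server bound to a usable key), written as an added example that is not part of OS10. The finding codes, function name and sample configuration are constructed for illustration; only the command forms come from this guide.

```python
import re

KEY_RE = re.compile(r"^ntp authentication-key (\d+) (md5|sha1|sha2-256) ([09]) (\S+)$")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)$")
SERVER_RE = re.compile(r"^ntp server (\S+)(.*)$")
PROMPT_RE = re.compile(r"^\S*#\s*")   # strips a leading "OS10(config)# " prompt


def audit_ntp(config_text):
    """Return a list of (code, detail) findings for NTP authentication."""
    authenticate = False
    keys = {}        # key number -> digest algorithm
    trusted = set()  # key numbers named by ntp trusted-key
    servers = []     # (host, key number or None)

    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", " ".join(raw.split()))
        if line == "ntp authenticate":
            authenticate = True
            continue
        m = KEY_RE.match(line)
        if m:
            keys[int(m.group(1))] = m.group(2)
            continue
        m = TRUSTED_RE.match(line)
        if m:
            trusted.add(int(m.group(1)))
            continue
        m = SERVER_RE.match(line)
        if m:
            km = re.search(r"\bkey (\d+)\b", m.group(2))
            servers.append((m.group(1), int(km.group(1)) if km else None))

    findings = []
    if (keys or trusted) and not authenticate:
        findings.append(("AUTH_DISABLED", "keys exist but 'ntp authenticate' is missing"))
    for num in sorted(keys):
        if num not in trusted:
            findings.append(("KEY_NOT_TRUSTED", f"key {num} has no matching ntp trusted-key"))
        if keys[num] == "md5":
            findings.append(("WEAK_DIGEST", f"key {num} uses md5; sha2-256 is available"))
    for num in sorted(trusted - set(keys)):
        findings.append(("TRUSTED_KEY_UNDEFINED", f"trusted-key {num} has no authentication-key"))
    for host, keyid in servers:
        if keyid is None:
            findings.append(("SERVER_NO_KEY", f"server {host} is not bound to a key"))
        elif keyid not in keys or keyid not in trusted:
            findings.append(("SERVER_KEY_UNUSABLE", f"server {host} references key {keyid}"))
    return findings


# Constructed sample input in the style of 'show running-configuration ntp'.
SAMPLE_BAD = """
ntp authentication-key 10 md5 0 CONSTRUCTED-KEY-A
ntp authentication-key 20 sha2-256 0 CONSTRUCTED-KEY-B
ntp trusted-key 20
ntp trusted-key 30
ntp server 10.0.0.1 key 20 prefer
ntp server 10.0.0.3 key 40
ntp server 10.0.0.4
"""

SAMPLE_GOOD = """
OS10(config)# ntp authenticate
OS10(config)# ntp authentication-key 20 sha2-256 0 CONSTRUCTED-KEY-B
OS10(config)# ntp trusted-key 20
OS10(config)# ntp server 10.0.0.1 key 20
"""

if __name__ == "__main__":
    for code, detail in audit_ntp(SAMPLE_BAD):
        print(f"{code:24} {detail}")
    print("clean config findings:", audit_ntp(SAMPLE_GOOD))
```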
Parameters None Default Enabled Command Mode INTERFACE Usage Information Use this command to configure OS10 to not listen to a particular server and prevent the interface from receiving NTP packets. The no version of this command reenables NTP on an interface. Example Supported Releases OS10(conf-if-eth1/1/7)# ntp disable 10.2.0E or later ntp enable vrf Enables NTP for the management or nondefault VRF instance.
Parameters
● hostname—Enter the hostname of the server.
● ipv4-address | ipv6-address—Enter the IPv4 address in A.B.C.D format or IPv6 address in A::B format of the NTP server.
● key keyid—(Optional) Enter the NTP peer key ID, from 1 to 4294967295.
● prefer—(Optional) Configures this peer to have priority over other servers.
Default Not configured
Command Mode CONFIGURATION
Usage Information You can configure multiple time-serving hosts.
Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command removes the key.
Example
OS10(config)# ntp trusted-key 234567
Supported Releases
10.2.0E or later

show ntp associations
Displays the NTP master and peers.
show ntp status
Displays NTP configuration information.
Syntax show ntp status [vrf {management | vrf-name}]
Parameters
● status—(Optional) View the NTP status.
● management—(Optional) Enter the keywords to display NTP information corresponding to the management VRF.
● vrf-name—(Optional) Enter the keyword then the name of the VRF to display NTP information corresponding to that nondefault VRF.
Supported Releases 10.2.0E or later

Precision Time Protocol
Precision Time Protocol (PTP), defined in the IEEE 1588-2008 standard, is a protocol that uses a master-slave hierarchy to synchronize clocks on network devices. PTP uses hardware time stamping to achieve submicrosecond synchronization. PTP defines how real-time clocks in a network synchronize with each other. A network where PTP operates is called a PTP domain.
Message types
● Event messages: Timed messages with an accurate timestamp that is generated at both the transmit time and receive time.
○ Sync—Master sends a Sync message to distribute the time of the day.
○ Delay_Req—Slave sends a Delay_Req message to the master for end-to-end delay measurement, the request-response delay mechanism.
○ Pdelay_Req—Link node A sends a Pdelay_Req message to measure peer-to-peer delay.
○ Pdelay_Resp—Link node B sends a Pdelay_Resp message to measure peer-to-peer delay.
The following is the sequence of PTP messages during time synchronization:
1. Master sends a Sync message and makes note of the time t1 when the message was sent.
2. Slave receives the Sync message and makes note of the time t2 when the message was sent.
3. Master embeds the timestamp t1 in the Sync message.
4. Slave sends a Delay_request message to the master and makes note of the time t3 when the message was sent.
● Priority1—Has the highest preference in the list of attributes used for master clock device selection. ● Priority2—Has the fifth preference in the list of attributes used for master clock device selection. ● LocalPriority—(Applicable only for the G.8275.1 profile) Determines the master clock device when two clocks are similar to each other.
● You can configure PTP on the port-channel interface and the port-channel member interfaces. ○ Port-channel interface: If the link aggregation is between two peer nodes, configure PTP on the port-channel interface. The forward and reverse paths must be symmetrical for PTP. In this case, the links of the port channel need not be the same for both forward and reverse paths. NOTE: Dell EMC recommends that you configure PTP on port-channel member interfaces.
Configure the PTP clock type on the switch and optionally specify a profile for the clock. OS10 supports the following clock types: boundary and end-to-end transparent. OS10 supports the system default profile and ITU G.8275.1 profile. The profile defines the set of parameters, allowed values of parameters, and default value of parameters.
While measuring the time delay between the master and slave nodes, PTP takes into account the communication delay. This delay is measured using a delay request message from the slave and a delay response message from the master. To configure PTP delay mechanism: OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp delay-mechanism end-to-end Configure the PTP transport Supported PTP transport methods include Layer2 (ethernet), IPv4 (unicast and multicast), and IPv6 (unicast and multicast).
You can configure the time interval in units of log 2 seconds between two successive announce messages. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp announce interval 1 Configure the PTP synchronization message interval You can configure the time interval in units of log 2 seconds between two successive synchronization messages.
Offset From Master(ns) : 6
Number of Ports : 2
View the PTP local parent and grandmaster clock
OS10# show ptp parent
Parent Clock Idenitity : 00:16:00:ff:fe:00:02:00
Parent Port Number : 1
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
View time scale information
OS10# show ptp time-properties
Current UTC Offset Valid : False
Current UTC Offset : 0
Delay request messages received Delay response messages transmitted Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Signaling messages received Interface : Ethernet1/1/23 Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow up messages transmitted Follow up m
2. Enable PTP on interface 1 with L2 multicast transport mode. PTP role is dynamic by default. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp transport layer2 OS10(conf-if-eth1/1/1)# ptp enable 3. Enable PTP on interface 2 with L2 multicast transport mode. PTP role is dynamic by default.
PTP role is dynamic by default. For multicast transport mode, when you enable PTP, the system sends a join message. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp transport ipv4 multicast OS10(conf-if-eth1/1/1)# ptp enable 4. Enable PTP on interface 2 with IPv4 multicast transport mode. PTP role is dynamic by default. For IPv4, multicast is the default transport mode.
For both L2 and L3 interfaces, the configured source IP address is used as the source IP address for unicast transport from the master device to the slave device. OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/1)# ip address 30.30.30.1/24 OS10(conf-if-eth1/1/2)# ptp transport ipv4 unicast master OS10(conf-ethernet1/1/2-ptp-ipv4-master)# source 20.20.20.1 OS10(conf-ethernet1/1/2-ptp-ipv4-master)# slave 20.20.20.
Example: Configure boundary clock with IPv4 unicast transport method and L3 VLAN Ensure that the interface connected to the grandmaster clock is configured as a slave device with a list of master clock IP addresses. Configure the other interface as a master clock with a list of slave device IP addresses. Both the interfaces are only reachable through the L3 VLAN. In this example: ● ● ● ● Interface 1 that is part of VLAN 100 is connected to the grandmaster clock.
● The unicast IP traffic flows through PTP-enabled interface, interface 2. The system applies hardware time stamps on PTP packets. OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# ip address 20.20.20.1/24 OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# switchport access vlan 200 OS10(conf-if-eth1/1/2)# ptp transport ipv4 unicast master OS10(conf-ethernet1/1/2-ptp-ipv4-master)# source 20.20.20.1 OS10(conf-ethernet1/1/2-ptp-ipv4-master)# slave 20.20.20.
Table 46. Example PTP topology—Switch connections, port numbers, and IP addresses From To Port number IP address CR1 GM Eth1/1/28:1 Nondefault VLAN 1 IP as source AG1 Eth1/1/1:1 (VLT PO11) AG1 Eth1/1/3:1 (VLT PO11) Global IPv4/IPv6 addresses: ● 10.0.0.
Table 46. Example PTP topology—Switch connections, port numbers, and IP addresses From AG1 AG2 TR1 AG3 AG4 TR2 To Port number IP address AG1 Eth1/1/3:1 (VLT PO11) AG1 Eth1/1/8:1 (VLT PO11) Global IPv4/IPv6 addresses: ● 10.0.0.
CR1 switch
1. Configure IP address for the VLAN and loopback interfaces.
CR1(config)# interface vlan1
CR1(conf-if-vl-1)# ip address 200.1.1.5/24
CR1(conf-if-vl-1)# exit
CR1(config)# interface loopback1
CR1(conf-if-lo-1)# ip address 10.0.0.5/32
CR1(conf-if-lo-1)# ipv6 address 10:0:0::5/128
2. Configure PTP globally.
CR1(config)# ptp clock boundary
CR1(config)# ptp local-priority 127
CR1(config)# ptp source ipv4 10.0.0.5
CR1(config)# ptp source ipv6 10:0:0::6
CR1(config)# ptp system-time enable
3.
CR2(config)# ptp source ipv6 10:0:0::6 CR2(config)# ptp system-time enable 3. Configure PTP on the interfaces.
AG1(conf-if-eth1/1/5:3)# ptp transport ipv4 multicast AG1(config)# interface ethernet 1/1/7:4 AG1(conf-if-eth1/1/7:4)# ptp enable AG1(conf-if-eth1/1/7:4)# ptp transport ipv4 multicast AG1(config)# interface ethernet 1/1/9:1 AG1(conf-if-eth1/1/9:1)# ptp enable AG1(conf-if-eth1/1/9:1)# ptp vlan 3002 AG1(conf-if-eth1/1/9:1)# ptp transport ipv6 unicast master AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::200a AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::200b AG1(conf-ethernet1/1/9
AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# slave 172.16.0.2 . . . AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# slave 172.16.0.39 AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# source 172.16.0.2 AG2(config)# interface ethernet 1/1/17:4 AG2(conf-if-eth1/1/17:4)# ptp enable AG2(conf-if-eth1/1/17:4)# ptp transport ipv6 multicast AG2(config)# interface ethernet 1/1/19:3 AG2(conf-if-eth1/1/19:3)# ptp enable AG2(conf-if-eth1/1/19:3)# ptp transport ipv4 multicast TR1 switch 1.
AG3 switch
1. Configure IP address for the loopback interface.
AG3(config)# interface loopback1
AG3(conf-if-lo-1)# ip address 10.0.0.3/32
AG3(conf-if-lo-1)# ipv6 address 10:0:0::3/128
2. Configure PTP globally.
AG3(config)# ptp clock boundary
AG3(config)# ptp source ipv4 10.0.0.3
AG3(config)# ptp source ipv6 10:0:0::3
AG3(config)# ptp system-time enable
3. Configure PTP on the interfaces.
2. Configure PTP globally.
TR2(config)# ptp clock boundary
TR2(config)# ptp source ipv4 10.0.0.11
TR2(config)# ptp source ipv6 10:0:0::b
TR2(config)# ptp system-time enable
3. Configure PTP on the interfaces.
Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information Debug log messages are stored in the following file: /var/log/ptp.log. The debug ptp system command logs all information about internal data structures and is useful for debugging issues. Example Supported Releases OS10# debug ptp servo level 2 10.5.1.0 or later master Configures master clocks for the PTP slave devices.
Example Supported Releases OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp announce interval 1 OS10(conf-if-eth1/1/1)# ptp announce timeout 5 10.5.1.0 or later ptp clock Configures the PTP clock type on the switch and specifies the profile for the clock. Syntax ptp clock {boundary [hybrid] | end-to-end-transparent} [profile {g8275.1 | system-default}] Parameters ● ● ● ● ● Defaults System default profile, when PTP clock is configured.
Usage Information Example Supported Releases This configuration is only applicable for the boundary clock. The no form of this command removes the configuration. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp delay-mechanism end-to-end 10.5.1.0 or later ptp delay-req-min-interval Configures the minimum interval between delay request messages.
ptp enable Enables PTP on a physical or port channel interface. Syntax ptp enable Parameters None Defaults Disabled Command Mode INTERFACE CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The PTP protocol operates only on interfaces with a network address. Ensure that you have configured the PTP transport method for the interface using the ptp transport command. You can enable PTP on either the port channel interface or the port channel member interfaces, but not both.
Security and Access Netadmin and sysadmin Usage Information The clock with the lowest priority1 value becomes the master clock. The lower the value of this attribute, the higher is the priority. The no form of this command removes the configuration. Example Supported Releases OS10(config)# ptp priority1 125 10.5.1.0 or later ptp priority2 Configures the priority2 attribute for advertising PTP clock.
ptp source Configures the source IP address for the PTP multicast packets. Syntax ptp source {ipv4 ipv4-address | ipv6 ipv6-address} Parameters ● ipv4-address—Source IPv4 address for the PTP multicast packets ● ipv6-address—Source IPv6 address for the PTP multicast packets Defaults None Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information Supports both IPv4 and IPv6 addresses.
Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information When you enable this configuration, PTP sets the system time on the switch only if the servo clock is phase locked. You cannot enable the PTP system time if the system is configured as an NTP client. However, you can enable the PTP system time if the system is configured as an NTP server. The no form of this command removes the configuration. Example Supported Releases OS10(config)# ptp system-time enable 10.5.1.
○ If you enable the unicast slave mode, it leads to a sub mode where you can configure the master IP addresses. ○ If the unicast transport mode configuration conflicts with role configuration, the system returns an error. ● For multicast transport, you must configure an IP address in INTERFACE mode or a source IP address (in GLOBAL CONFIGURATION mode) to represent the interface. ● You can configure Layer2 transport method when the interface is in L2 or L3 mode.
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00 Clock Mode : One-step Clock Quality Class : 248 Accuracy : <=100ns Offset Log Scaled Variance : 0 Domain : 0 Priority1 : 128 Priority2 : 128 Profile : System-default Steps Removed : 1 Mean Path Delay(ns) : 72 Offset From Master(ns) : -14 Number of Ports : 2 ---------------------------------------------------------------------------Interface State Port Identity ---------------------------------------------------------------------------Ethernet1/1/22 Slave
Security and Access Netadmin and sysadmin Usage Information None Example Boundary clock Example End-to-end transparent clock Supported Releases OS10# show ptp clock PTP Clock Clock Identity Grandmaster Clock Identity Clock Mode Clock Quality Class Accuracy Offset Log Scaled Variance Domain Priority1 Priority2 Profile Steps Removed Mean Path Delay(ns) Offset From Master(ns) Number of Ports : : : : Boundary 68:4f:64:ff:ff:01:db:ec 00:16:00:ff:fe:00:02:00 One-step : : : : : : : : : : : 248 <=100ns 0
Total Management messages Received Total Signaling messages Sent Total Signaling messages Received Summary: Tx messages Rx messages Lost messages Interface : ethernet1/1/23 Port No : 2 Total Announce messages Sent Total Announce messages Received Total Sync messages Sent Total Sync messages Received Total Follow Up messages Sent Total Follow Up messages Received Total Delay Request messages Sent Total Delay Request messages Received Total Delay Response messages Sent Total Delay Response messages Received T
show ptp interface Displays PTP information about the interface. Syntax show ptp interface [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information. ● port-channel port-channel-id—Enter the port channel interface number. Defaults None Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information For boundary clocks, this command indicates if the port is enabled or disabled.
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
Supported Releases 10.5.1.0 or later

show ptp peer
Displays the count of PTP messages received from a peer at an interface or transmitted to a peer from an interface.
Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Signaling messages received Supported Releases 10.5.1.0 or later show ptp servo Displays PTP servo information such as servo state and lock status.
slave Configures the IP address of PTP slave devices for the master clock. Syntax slave ip-address Parameters ip-address—IP address of the slave clock device Defaults No default IP address; unicast negotiation disabled Command Mode INTERFACE CONFIGURATION - MASTER submode Security and Access Netadmin and sysadmin Usage Information You can configure the IP addresses of multiple slaves. The format of the slave IP address depends on the configured unicast mode.
Synchronous Ethernet (SyncE) Frequency and time synchronization over a network is a key requirement for network service providers. Frequency synchronization over Ethernet interfaces can be achieved in two ways: ● Synchronous Ethernet (SyncE)—SyncE achieves frequency synchronization by recovering clock frequency from the physical layer of Ethernet. SyncE supports the frequency transfer from hop-to-hop. ● Precision Time Protocol (PTP)—PTP achieves frequency synchronization based on the timing event messages.
QL-enabled mode
In the QL-enabled mode, the switch considers the following factors when selecting a clock source on the SyncE-enabled interfaces:
● Clock quality level (QL)
● Clock availability or signal fail through QL-FAILED
● Priority
● External commands (SyncE force switch or manual switch)
In this mode, the switch always selects the clock source with the best QL value.
Standby clock source states Under normal circumstances, all network elements are synced to the active clock source. If the active clock source becomes faulty, a reference source from the available standby clock sources is selected based on the selection algorithm. The standby clock sources work in any of the following states: ● Available—The clock source is operationally up. ● Failed—The clock source is in signal fail state or the SyncE-enabled interfaces do not receive any clock signal.
Example - SyncE QL-enabled mode with ESMC and SSM SyncE is configured in the QL-enabled mode and ESMC is enabled on Switch A and Switch B. In this example, Switch A is synchronized to the best input clock source, SRC2 because it has higher QL. This QL value is transmitted from Ethernet interface 1/1/3 to Switch B, which also gets synchronized to the trail of clock source, SRC2. Switch A configuration 1. Enable SyncE on the switch. SwitchA: configure terminal SwitchA(config)# sync-e enable 2.
Switch B configuration 1. Enable SyncE on the switch. SwitchB: configure terminal SwitchB(config)# sync-e enable 2. Set the SyncE mode to QL-enabled. SwitchB(config)# sync-e mode ql-enabled 3. Configure the synchronization network. The default value is 1, and it is a synchronization network that is designed for Europe. SwitchB(config)# sync-e ssm-network-option 1 4. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
2. Set the SyncE mode to QL-disabled. SwitchA(config)# sync-e mode ql-disabled 3. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
Local Clock Identity : 8c:04:ba:ff:fe:b0:a5:40 SSM Network Option : Option 1 Hold-off Time : 300 ms Wait-To-Restore Time : 300 s SyncE Interfaces -----------------------------------------------------------Interface Priority QL Signal State Status State -----------------------------------------------------------Ethl/1/1 128 Up Available Primary ------------------------------------------------------------ Example - PTP and SyncE enabled on different Ethernet ports In this example, SyncE and PTP are enabled o
7. Verify the SyncE configuration.
4. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
SwitchB(config)# interface ethernet 1/1/1
SwitchB(conf-if-eth1/1/1)# sync-e enable
5. Enable ESMC mode on the interfaces that are connected to the clock sources and interfaces transmitting ESMC to the neighboring SyncE nodes.
SwitchB(config)# interface ethernet 1/1/1
SwitchB(conf-if-eth1/1/1)# sync-e esmc rx-only
6. Configure PTP boundary clock on the switch.
9. Verify the PTP state and lock status.
switchA# show ptp servo
Servo State : Locked
Lock Status : Phase-locked

Example - PTP and SyncE enabled on same Ethernet ports

In this example, SyncE and PTP are enabled on Switch A and Switch B. PTP boundary clock is enabled on the switches. On Switch A, Ethernet interface 1/1/1 is a PTP-enabled port that is connected to the clock source, SRC-2 (PTP grandmaster). Ethernet interface 1/1/3 is a PTP master port to the neighboring boundary clock, Switch B.

SwitchA(conf-if-eth1/1/2)# ptp transport layer2
SwitchA(conf-if-eth1/1/2)# ptp role slave
7. Verify the SyncE configuration.
3. Configure the SSM network option (default is option-1 for Europe).
SwitchB(config)# sync-e ssm-network-option 1
4. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node.
SwitchB(config)# interface ethernet 1/1/1
SwitchB(conf-if-eth1/1/1)# sync-e enable
5. Enable ESMC mode on the interfaces that are connected to the clock sources and interfaces transmitting ESMC to the neighboring SyncE nodes.
Number of slave ports :1
Number of master ports :0
9. Verify the PTP state and lock status.
switchA# show ptp servo
Servo State : Locked
Lock Status : Phase-locked

SyncE commands

clear sync-e counters
Resets the statistics of the ESMC packets received at or transmitted from an interface.
Syntax clear sync-e counters [ethernet node/slot/port]
Parameters ethernet node/slot/port—(Optional) Enter a physical Ethernet interface.

Parameters None
Default None
Command Mode EXEC
Security and Access Netadmin and sysadmin
Usage Information This command clears the active manual or force switched clock reference. Clearing the force-switch reinitiates the clock selection process.
Example OS10# clear sync-e switch
Supported Releases 10.5.2.1 or later

clear sync-e wait-restore-time
Clears the wait-to-restore state of a specific interface or all interfaces.

show debug sync-e
Shows the debug options enabled for Sync-E.
Syntax show debug sync-e
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show debug sync-e
sync-e debug settings:
debug sync-e all
Supported Releases 10.5.2.1 or later

show sync-e
Displays the SyncE information and synchronization status.
Eth1/1/3 128 QL-EEC1 Up Available
Eth1/1/4 128 QL-EEC1 Up Available
----------------------------------------------------------------------
Example - QL-disabled mode
Supported Releases
OS10# show sync-e
QL Mode : QL-Disabled
Lock Status : Locked
QL Out :
Selection Process State : State 2A (QL-disabled and no active switch request)
Primary Reference Interface : Ethernet1/1/2
Secondary Reference Interface : Ethernet1/1/1
Selected Reference Clock Identity :
Local Clock Identity : d8:9e:f3:ff:fe:ab:47:20
SSM N
show sync-e esmc
Displays the ESMC information of all interfaces.
Syntax show sync-e esmc
Parameters None
Default None
Command Mode EXEC
Usage Information This command prints the output of the interfaces only if ESMC and SyncE are enabled on the interfaces and SyncE is enabled globally.
ESMC Capability :
QL :
QL Received :
QL Transmitted :
Hold-off Time : 300 ms
Wait-To-Restore Time : 300 secs

Interface : Ethernet1/1/2
SyncE : Enabled
State : Available
Status : Primary
Signal State : Up
Priority : 128
ESMC Capability :
QL :
QL Received :
QL Transmitted :
Hold-off Time : 300 ms
Wait-To-Restore Time : 300 secs

Supported Releases 10.5.2.1 or later

sync-e enable
Enables Synchronous Ethernet (SyncE) globally on a switch or on a physical interface.
Default Disabled
Command Mode INTERFACE CONFIGURATION
Security and Access Netadmin and sysadmin
Usage Information Enable SyncE on the interfaces for ESMC to work on them. When ESMC capability is disabled, the interface does not receive or transmit QL. In that case, QL of the interface can be configured using the sync-e quality-level command. The no form of this command removes the configuration.
Security and Access Netadmin and sysadmin
Usage Information Ensure that SyncE is enabled on the interface before running this command. If you disable SyncE on a locked out interface, the lock out status of the interface is reset. If you disable SyncE globally on the switch, the lock out status of the locked out interfaces is reset.
Example OS10# sync-e lockout ethernet 1/1/1
Supported Releases 10.5.2.

sync-e quality-level
Configures quality level on an interface.
Syntax [no] sync-e quality-level value
Parameters value—Enter quality level value. The supported values vary depending on the synchronization network that is selected using the sync-e ssm-network-option command.
● Supported quality-levels in option 1 SSM network: QL-ePRTC, QL-PRTC, QL-ePRC, QL-PRC, QL-SSU-A, QL-SSU-B, QL-eEEC, QL-EEC1 and QL-DNU.

Parameters ethernet node/slot/port—Enter a physical Ethernet interface.
Default None
Command Mode EXEC
Security and Access Netadmin and sysadmin
Usage Information This command configures a switch to use the clock source that is enabled and not locked out.
Example OS10# sync-e switch force ethernet 1/1/1
Supported Releases 10.5.2.1 or later

sync-e switch manual
Configure the switch to select the clock source on the interface manually.

Supported Releases 10.5.2.3 or later

sync-e wait-to-restore-time
Configures the wait-to-restore time period for the failed clock sources.
Syntax [no] sync-e wait-to-restore-time seconds
Parameters seconds—Enter the wait-to-restore time interval in seconds, from 0 to 720.
pool netdhcp1
lease infinite
network 35.1.1.0/24
!
pool netdhcp2
network 40.1.1.0/24

OS10# show ip interface brief
Interface Name IP-Address OK Method Status Protocol
=========================================================================================
Ethernet 1/1/1 unassigned YES unset up up
Ethernet 1/1/2 unassigned YES unset up up
…
Ethernet 1/1/32 unassigned NO unset up down
…

To resolve this issue, you must:
1. Configure a matching interface for pool netdhcp2 (40.1.1.1/24 matches 40.1.1.0/24).
In the DHCP packet format, configuration parameters are options in the DHCP packet in type, length, value (TLV) format. To limit the number of parameters that servers provide, hosts enter the parameters that they require and the server sends only those parameters. DHCP uses the User Datagram Protocol (UDP) as its transport protocol. The following options are commonly used in DHCP packets.
DHCP server

The Dynamic Host Configuration Protocol (DHCP) server provides network configuration parameters to DHCP clients on request. A DHCP server dynamically allocates four required IP parameters to each system on the virtual local area network (VLAN)—the IP address, network mask, default gateway, and name server address. DHCP IP address allocation works on a client/server model where the server assigns the client reusable IP information from an address pool.

Show running configuration
OS10(conf-dhcp-Dell)# do show running-configuration
...
!
ip dhcp server
!
pool Dell
network 20.1.1.0/24
default-router 20.1.1.1
range 20.1.1.2 20.1.1.8

Address lease time
Use the lease {days [hours] [minutes] | infinite} command to configure an address lease time. The default is 24 hours.
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)# lease 36

Default gateway
Ensure the IP address of the default router is on the same subnet as the client.
1.

2. Create an IP address pool and enter the name in DHCP mode.
pool name
3. Create a domain and enter the domain name in DHCP mode.
domain-name name
4. Enter the DNS servers in order of preference that is available to a DHCP client in DHCP mode.
dns-server address

DNS address resolution
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)# domain-name dell.com
OS10(conf-dhcp-Dell)# dns-server 192.168.1.

3. Enter the client hardware address in DHCP mode.
hardware-address hardware-address

Configure manual binding
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool static
OS10(conf-dhcp-static)# host 20.1.1.2
OS10(conf-dhcp-static)# hardware-address 00:01:e8:8c:4d:0a

View the DHCP binding table
OS10# show ip dhcp binding
IP Address Hardware address Lease expiration Hostname
+--------------------------------------------------------------------------
11.1.1.

DHCP relay agent

A DHCP relay agent relays DHCP messages to and from a remote DHCP server, even if the client and server are on different IP networks. You can configure the IP address of the remote DHCP server. You can configure a device either as a DHCP server or a DHCP relay agent — but not both. If routes are not leaked between VRFs, the DHCP relay agent supports multi-virtual routing and forwarding (VRF) instances. The client-facing and server-facing interfaces must be in the same VRF.

L2switch(conf-if-vl-10)# ipv6 mld snooping query-interval 130
L2switch(conf-if-vl-10)# ipv6 mld snooping query-max-resp-time 10
L2switch(conf-if-vl-10)# ipv6 mld snooping last-member-query-interval 1000
L2switch(conf-if-vl-10)# exit
RA(config)# interface vlan 10
RA(conf-if-vl-10)# ipv6 address 3::1/64
RA(conf-if-vl-10)# ipv6 mld snooping querier
RA(conf-if-vl-10)# ipv6 helper-address 3::3
RA(conf-if-vl-10)# ipv6 mld version 2
RA(conf-if-vl-10)# ipv6 mld snooping query-interval 60
RA(conf-if-vl-10)# ipv6 m
If you configured Option-82, the DHCP server allocates the IP address based on the options present in Option-82. Otherwise, the DHCP server allocates the IP address from the on-link subnet. If you disable Option-82 in the DHCP relay switch, the DHCP packet from the client is forwarded without Option-82 and the DHCP server allocates the IP address from the on-link subnet value.
The server ID override suboption carries the virtual anycast gateway IP (which is the IP address on the relay agent) that is accessible from the client. The DHCP client uses this information to send all renew and release request packets to the relay agent. The relay agent adds all of the appropriate suboptions and then forwards the renew and release request packets to the original DHCP server. If configured, the server identifier (ID) override suboption carries virtual anycast gateway IP.
In VxLAN symmetric and asymmetric IRB scenarios, Dell Technologies recommends having the same relay configurations at the Global and Interface level on the VTEP OS10 devices. Dell Technologies recommends enabling the DHCPv4 virtual subnet selection and link selection options along with the server ID override option. Enabling DHCPv4 options without the server ID override option might not work when the DHCPv4 server renews or releases the client IP address that is based on these options.
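How these relay suboptions sit inside the DHCP options field, as an added example that is not Dell code: a Python parser that walks the type-length-value options and decodes the Option-82 suboptions. Suboption numbers 11 (server identifier override) and 151 (VSS) are the ones this guide names; numbers 1, 2 and 5 and the VSS type layout are assumptions taken from RFC 3046, RFC 3527 and RFC 6607, and the sample bytes are constructed.

```python
import ipaddress

PAD, END, RELAY_AGENT_INFO = 0, 255, 82

# 11 (server identifier override) and 151 (VSS) are the numbers this guide
# gives; 1, 2 and 5 are assumptions taken from RFC 3046 and RFC 3527.
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id", 5: "link-selection",
                   11: "server-id-override", 151: "vss"}


class MalformedOptions(ValueError):
    """Raised when a length byte points past the end of the buffer."""


def tlv(code, value):
    """Encode one type-length-value element (used to build the sample)."""
    return bytes([code, len(value)]) + value


def walk_tlv(buf, top_level):
    """Yield (code, value) pairs; PAD and END exist only at the top level."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == PAD:
            i += 1
            continue
        if top_level and code == END:
            return
        if i + 1 >= len(buf):
            raise MalformedOptions(f"option {code}: length byte missing")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedOptions(f"option {code}: truncated value")
        yield code, value
        i += 2 + length


def decode_vss(value):
    """Decode a VSS value: one type byte followed by the VPN identifier."""
    if not value:
        raise MalformedOptions("vss: empty value")
    vss_type, ident = value[0], value[1:]
    if vss_type == 0:                       # ASCII VRF name
        return f"type-0 {ident.decode('ascii', 'replace')}"
    if vss_type == 1:                       # 3-byte OUI + 4-byte index
        if len(ident) != 7:
            raise MalformedOptions("vss type 1: VPN-ID must be 7 bytes")
        return f"type-1 {ident[:3].hex()}:{ident[3:].hex()}"
    return f"type-{vss_type} {ident.hex()}"


def decode_suboption(code, value):
    if code in (5, 11):                     # both carry one IPv4 address
        if len(value) != 4:
            raise MalformedOptions(f"suboption {code}: expected 4 bytes")
        return str(ipaddress.IPv4Address(value))
    if code == 151:
        return decode_vss(value)
    printable = all(32 <= b < 127 for b in value)
    return value.decode("ascii") if printable else value.hex()


def parse_relay_info(options):
    """Return the decoded Option-82 suboptions, or None if the relay added none."""
    for code, value in walk_tlv(options, top_level=True):
        if code == RELAY_AGENT_INFO:
            return {SUBOPTION_NAMES.get(sub, f"suboption-{sub}"):
                    decode_suboption(sub, sub_value)
                    for sub, sub_value in walk_tlv(value, top_level=False)}
    return None


# Constructed sample: a relayed DISCOVER carrying all three suboptions.
SAMPLE_OPTIONS = (
    tlv(53, b"\x01")
    + tlv(RELAY_AGENT_INFO,
          tlv(1, b"vlan10")
          + tlv(5, bytes([10, 1, 0, 1]))
          + tlv(11, bytes([10, 1, 0, 254]))
          + tlv(151, b"\x01" + bytes.fromhex("46313056524632")))
    + bytes([END])
)

if __name__ == "__main__":
    print(parse_relay_info(SAMPLE_OPTIONS))
```

A capture taken on the server-facing link can be checked the same way: a missing `server-id-override` entry means client renew and release packets will bypass the relay.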
ip virtual-router address 1.1.1.254
!
interface Ethernet 1/1/2
no shutdown
ip address 20.1.1.1/24

DHCP Server
OS10(config)# ip dhcp server
OS10(config-dhcp)# pool dell_1
OS10(config-dhcp-dell_1)# network 1.1.1.0/24
OS10(config-dhcp-dell_1)# range 1.1.1.2 1.1.1.10
OS10(config-dhcp-dell_1)# default-router 1.1.1.254
OS10(config-dhcp-dell_1)# end
OS10#show running-config ip dhcp
!
ip dhcp server
!
ip dhcp pool default
network 1.1.1.0/24
default-router 1.1.1.254
address range 1.1.1.2 1.1.1.

● If the DHCP server is reachable on a different VRF, configure route leaking on VRF hello to reach the DHCP server.
● In the above case, as there is no virtual anycast IP, the server-override option value is not added. As a result, further DHCP packets from the client directly go to the server.

class test
address range 1.1.1.100 1.1.1.200
!
ip dhcp pool default
network 1.1.1.0 255.255.255.0
default-router 1.1.1.1
class test
address range 1.1.1.100 1.1.1.200
!
ip route 1.1.1.0 255.255.255.0 20.1.1.1
ip route 3.1.1.0 255.255.255.0 20.1.1.1
ip route 1.1.1.0 255.255.255.0 30.1.1.1
ip route 3.1.1.0 255.255.255.0 30.1.1.1

NOTE:
● The VRF serverVRF in the DHCP server is associated with a VPN identifier 463130:56524632.

Leaf1 configuration:
1. Enable DHCP Option-82 suboptions - link-selection, server-override, vss:
OS10(config)# ip dhcp-relay link-selection
OS10(config)# ip dhcp-relay server-override
OS10(config)# ip dhcp-relay vss
2. Configure source interface (giaddr) to be used for DHCP relayed packets in each VRF. IP belonging to the loopback interface in underlay is given here as the server is reachable in the underlay network in default VRF. The response from the DHCP server comes to this IP in underlay default VRF.

3. Configure L3 virtual-network interface with VRF and IP address
OS10(config)# interface virtual-network 10001
OS10(conf-if-vn-10001)# ip vrf forwarding Yellow
OS10(conf-if-vn-10001)# ip address 10.1.0.1/24
OS10(conf-if-vn-10001)# ip virtual-router address 10.1.0.254
OS10(conf-if-vn-10001)#
OS10(config)# interface virtual-network 20001
OS10(conf-if-vn-20001)# ip vrf forwarding Green
OS10(conf-if-vn-20001)# ip address 10.2.0.1/24
OS10(conf-if-vn-20001)# ip virtual-router address 10.

OS10(conf-if-vn-20001)# ip dhcp-relay vss-info type 1 222:2222
OS10(conf-if-vn-20001)# ip helper-address 10.20.0.3 vrf Green
OS10(conf-if-vn-10001)# exit

Leaf3 configuration:
1. Enable DHCP Option-82 suboptions - link-selection, server-override, vss:
OS10(config)# ip dhcp-relay link-selection
OS10(config)# ip dhcp-relay server-override
OS10(config)# ip dhcp-relay vss
2. Configure source interface (giaddr) to be used for DHCP relayed packets in each VRF.

OS10(config)# ip vrf Green
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)# ip vrf Red
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)#

NOTE: If Border Leaf switch is already advertising a default route in each VRF to other VTEPs, there is no need to advertise this DHCP server route to other VTEPs. Otherwise, this leaked route could be advertised to other VTEPs using "advertise ipv4 connected" command under EVPN for each VRF.

Leaf4 configuration:
1.

OS10(config)#
OS10(config)# ip vrf default
OS10(conf-vrf)# ip route-export 0:0 route-map RouteMap_DHCPServer
OS10(conf-vrf)# exit
OS10(config)# ip vrf Yellow
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)# ip vrf Green
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)# ip vrf Red
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)#

NOTE: If Border Leaf switch is already advertising a default route in each VRF to other VTEPs, there is no need to
If there is a mismatch in the interface-ID option between the VLT peers, the DHCPv6 client originated packet is dropped and a log is created to indicate the interface-ID option mismatch. If there is a mismatch in the remote-ID option between the VLT peers, the DHCPv6 client originated packet is dropped and a log is created to indicate the remote-ID option mismatch. If DHCPv6 hostname is configured for prefix, then Dell EMC Networking recommends configuring the same hostname for both the VLT peers.
interface Ethernet 1/1/1
no shutdown
switchport mode trunk
switchport trunk allowed vlan 10
ipv6 dhcp-relay interface-id description PORT
!
interface vlan 10
no shutdown
ip address 1.1.1.1/24
ip helper-address 20.1.1.2
ipv6 dhcp-relay interface-id description VLAN
!
interface Ethernet 1/1/2
no shutdown
ip address 20.1.1.1
!

DHCP Server
OS10(config)# ip dhcp server
OS10(config-dhcp)# pool dell_1
OS10(config-dhcp-dell_1)# network 10.1.1.0/24
OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.
The remote identification is configured globally. By default, the DHCPv6 relay agent type 3 DUID (system MAC) is used as the remote-ID value. You can optionally configure a customized string. In VLT cases, the VLT MAC address is used to generate the DUID. The prefix is an optional parameter that is configured globally. You can configure the hostname, the VRF name, both the hostname and VRF name, or a customized string as the prefix. Optionally, you can configure DHCPv6 hostname.
! DHCPv6 Relay Agent 2: Global config: ipv6 dhcp-relay remote-id ipv6 dhcp-relay prefix remote-id hostname vrfname ipv6 dhcp-relay hostname DELL Interface configuration: OS10#show running-configuration interface Ethernet 1/1/1 no shutdown channel-group 10 mode active ! interface port channel 10 no shutdown vlt portchannel 10 ip address 10.1.1.0/24 ip helper-address 20.1.1.2 ip vrf forwarding red ! interface Ethernet 1/1/2 no shutdown ip address 20.1.1.
DHCP snooping

DHCP snooping is a layer 2 security feature that helps networking devices to monitor DHCP messages and block untrusted or rogue DHCP servers. When you enable DHCP snooping on a switch, it begins monitoring transactions between trusted DHCP servers and DHCP clients and uses the information to build the DHCP snooping binding table. You configure interfaces that connect to DHCP servers as trusted interfaces. All other interfaces are untrusted by default.

DHCP snooping with DHCP relay

In the following topology, the DHCP snooping switch is the DHCP relay agent for DHCP clients on VLAN 100. The DHCP server is reachable on VLAN 200 through eth 1/1/2. The switch forwards the client DHCP messages to the trusted DHCP server. The switch processes DHCP packets from the DHCP server before forwarding them to DHCP clients. As the rogue server is connected to the switch to the eth 1/1/3 interface which is untrusted, the switch drops DHCP packets from that interface.

DHCP snooping in a VLT environment

OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize DHCP snooping binding information between them. The system interprets the VLTi link between VLT peers as trusted interfaces. To configure DHCP snooping in a VLT environment:
● Enable DHCP snooping on both VLT peers.
● Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.
Enable and configure DHCP snooping globally
1. Enable DHCP snooping globally in CONFIGURATION mode.
ip dhcp snooping
2. Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode.
ip dhcp snooping trust

Add static DHCP snooping entry in the binding table
● Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.

● Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode.
no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/port/sub-port | port-channel port-channel-id]

Example for removing static DHCP snooping entry in the binding table
OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.
DHCP server
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.
DHCP snooping switch as a relay agent

This example uses a simple topology with a DHCP snooping switch configured as a DHCP relay agent. A DHCP server and a DHCP client are connected to the snooping switch through different VLANs. A rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.

DHCP server
OS10# configure terminal
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_1
OS10(config-dhcp-dell_1)# network 10.1.1.0/24
OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.250
OS10(config-dhcp-dell_1)# exit
OS10(config-dhcp)# pool dell_2
OS10(config-dhcp-dell_2)# network 10.2.1.

● Enable DHCP snooping globally.
OS10(config)# ip dhcp snooping

VLAN configuration
● Create a VLAN.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown

VLT configuration
1. Create a VLT domain and configure VLTi.
OS10(config)# interface range ethernet 1/1/4-1/1/5
OS10(conf-range-eth1/1/4-1/1/5)# no switchport
OS10(conf-range-eth1/1/4-1/1/5)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5
2. Configure a VLT MAC address.

● Create a VLAN.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown

VLT configuration
1. Create a VLT domain and configure VLTi.
OS10(config)# interface range ethernet 1/1/4-1/1/5
OS10(conf-range-eth1/1/4-1/1/5)# no switchport
OS10(conf-range-eth1/1/4-1/1/5)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5
2. Configure a VLT MAC address.
OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54
3.

The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages. The interface column displays the local VLT port channel number.
OS10# show ip dhcp snooping binding
Number of entries : 1
Codes : S - Static D - Dynamic
IPv4 Address MAC Address Expires(Sec) Type Interface VLAN
=======================================================================================
10.1.1.

● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10# configure terminal
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# no shutdown
OS10(conf-if-vl-200)# ip address 10.2.1.1/24
OS10(conf-if-vl-200)# exit
● Configure SW 1 as the DHCP relay agent for the clients in the VM. The IP address that you specify here is the IP address of the DHCP server.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip helper-address 10.2.1.
● Enable DHCP snooping globally.
OS10(config)# ip dhcp snooping

VLAN configuration
● Create a VLAN and assign an IP address to it which acts as the gateway for the VMs.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.2/24
OS10(conf-if-vl-100)# exit
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet 1/1/1,1/1/6
OS10(conf-if-eth1/1/1,1/1/6)# no shutdown
OS10(conf-if-eth1/1/1,1/1/6)# channel-group 20

(Optional) Peer routing configuration
● Configure peer routing.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# peer-routing

DHCP server VLAN configuration
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# ip address 10.2.1.
DAI violation logging

You can configure the system to log DAI validation failures corresponding to ARP packets. DAI violations are logged at the console if logging is enabled. DAI violation logging is disabled by default. If you configure an interface as trusted, the switch interprets ARP packets that ingress the interface from hosts as legitimate packets. By default, all interfaces are in DAI untrusted state. For DAI to work, enable the DHCP snooping feature on the switch. DAI is disabled by default.
Address Hardware Address Interface VLAN
--------------------------------------------------------------------
10.2.1.1 00:40:50:00:00:00 port-channel100 vlan3001
10.1.1.13 00:2a:10:01:00:00 port-channel100 vlan3001
10.1.1.62 00:2a:10:01:00:01 port-channel100 vlan3001

View DAI statistics
You can view valid and invalid ARP requests that the switch has received and replies that the switch has sent.
Source IP and MAC address validation

This feature filters IP traffic based on both source IP and source MAC addresses, and permits traffic only from clients found in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:
● Source MAC address
● Source IP address
● The VLAN to which the client is connected
● The interface (physical or port channel) to which the client is connected

If there is a match, the switch forwards the packet.
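A software model of the snooping and source-validation checks described above, as an added example that is not OS10 code: server messages are accepted only on trusted interfaces, an acknowledged lease becomes a binding on the port the client asked from, and data packets are permitted only when MAC, IP, VLAN and interface all match that binding. The class and function names, the client port ethernet1/1/1 and the sample addresses are constructed for illustration; learning the client port from its request is a simplifying assumption.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}    # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    kind: str    # "S" static or "D" dynamic, the codes in the binding table


class SnoopingSwitch:
    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)   # all other ports are untrusted
        self.pending = {}    # (mac, vlan) -> port the client request arrived on
        self.table = {}      # (mac, vlan) -> Binding

    def add_static(self, mac, vlan, ip, interface):
        key = (mac.lower(), vlan)
        self.table[key] = Binding(ip, key[0], vlan, interface, "S")

    def dhcp_message(self, ingress, msg_type, client_mac, vlan, assigned_ip=None):
        """Return 'forward' or 'drop' for one DHCP message seen on ingress."""
        key = (client_mac.lower(), vlan)
        if msg_type not in SERVER_MESSAGES:
            self.pending[key] = ingress          # remember where the client sits
            return "forward"
        if ingress not in self.trusted:
            return "drop"                        # server message on untrusted port
        if msg_type == "ACK" and key in self.pending:
            port = self.pending.pop(key)
            existing = self.table.get(key)
            if existing is None or existing.kind == "D":   # keep static entries
                self.table[key] = Binding(assigned_ip, key[0], vlan, port, "D")
        return "forward"

    def permit(self, src_mac, src_ip, vlan, interface):
        """Source IP and MAC validation: all four fields must match a binding."""
        binding = self.table.get((src_mac.lower(), vlan))
        return (binding is not None
                and binding.ip == src_ip
                and binding.interface == interface)


def run_scenario():
    """Constructed scenario: server behind eth 1/1/2, rogue server on eth 1/1/3."""
    sw = SnoopingSwitch(trusted_interfaces={"ethernet1/1/2"})
    mac = "00:2A:10:01:00:00"
    r = {}
    r["client_request"] = sw.dhcp_message("ethernet1/1/1", "REQUEST", mac, 100)
    r["rogue_ack"] = sw.dhcp_message("ethernet1/1/3", "ACK", mac, 100, "192.0.2.66")
    r["bound_after_rogue"] = (mac.lower(), 100) in sw.table
    r["server_ack"] = sw.dhcp_message("ethernet1/1/2", "ACK", mac, 100, "10.1.1.13")
    r["genuine"] = sw.permit(mac, "10.1.1.13", 100, "ethernet1/1/1")
    r["spoofed_ip"] = sw.permit(mac, "10.1.1.62", 100, "ethernet1/1/1")
    r["moved_port"] = sw.permit(mac, "10.1.1.13", 100, "ethernet1/1/3")
    r["wrong_vlan"] = sw.permit(mac, "10.1.1.13", 200, "ethernet1/1/1")
    r["unknown_mac"] = sw.permit("00:2a:10:01:00:ff", "10.1.1.13", 100, "ethernet1/1/1")
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:18} {outcome}")
```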
2. Add names to complete unqualified hostnames in CONFIGURATION mode.
ip domain-list name

You can configure a domain name and list corresponding to a non-default VRF instance.
1. Enter a domain name corresponding to a non-default VRF instance in the CONFIGURATION mode.
ip domain-name vrf vrf-name server-name
2. Add names to complete unqualified hostnames corresponding to a non-default VRF instance.

Command Mode INTERFACE
Usage Information The DHCP server is supported only on L3 interfaces. After you configure an IP helper address, the address forwards UDP broadcasts to the DHCP server. You can configure multiple helper addresses on an interface by repeating the same command for each DHCP server address. The no version of this command returns the value to the default. The client-facing and server-facing interfaces must be in the same VRF.
Table 48. Option-82 status
Global Level    Interface Level    Option-82 status
Enable          Enable             Adds Option-82 information to the packet.
Enable          Disable            Does not add Option-82 information to the packet.
Disable         Enable             Does not add Option-82 information to the packet.
Disable         Disable            Does not add Option-82 information to the packet.

Example OS10(config)# ip dhcp-relay information-option
Supported Releases 10.5.2.
Command Mode INTERFACE CONFIGURATION
Usage Information The VRF values for subnet selection are sent to the DHCP server in the option 151 field only if ip dhcp-relay vss-enable is enabled at the Global level. The value of the VRF name must match a VRF configured on the DHCP server for a DHCP pool. It is not the name of a VRF configured on the local switch; as a result, no validation is performed.

NOTE: Link-selection gets functionally enabled only if Option-82 is enabled Globally and at the interface level. This command is restricted to the netadmin and sysadmin role users.
Example OS10(conf)# ip dhcp-relay link-selection
Supported Releases 10.5.2 or later

ip dhcp-relay source-interface
Configures the source interface to be used by the DHCP relay agent to decide the Gateway IP address used for forwarding a DHCP packet received on the VRF.

ip dhcp-relay server-override
Enables server identifier override (suboption-11) globally on the relay agent.
Syntax ip dhcp-relay server-override
Parameters None.
Defaults Disabled on the relay agent.
Command Mode CONFIGURATION
Usage Information Enabling the server identifier option on the relay agent allows the DHCP relay agent to act as the proxy DHCP server such that the renew requests from the clients come to the relay agent rather than the DHCP server directly.

Example
OS10(conf-if-eth1/1/1)# ip dhcp-relay source-interface
ethernet          Ethernet interface type
loopback          Loopback interface type
port-channel      Port-channel interface type
vlan              VLAN interface type
virtual-network   Virtual network type
OS10(conf-if-eth1/1/1)# ip dhcp-relay source-interface loopback 1
Supported Releases 10.5.2 or later

ip dhcp-relay server-override
Enables server identifier override (suboption-11) globally on the relay agent.
Syntax ip dhcp-relay server-override
Parameters None.

Supported Releases 10.5.2 or later

ipv6 dhcp-relay interface-id
Enables or disables DHCPv6 interface-id option.
Syntax ipv6 dhcp-relay interface-id
Parameters None
Defaults Disabled
Command Mode CONFIGURATION
Usage Information After enabling the interface-id option, the interface name is used for interface description.
Example NOTE: This command is restricted to the sysadmin and netadmin user roles.

string Uses user-defined string for prefix(Max: 96 chars, Except ':')
OS10(config)# ipv6 dhcp-relay prefix interface-id hostname?
vrfname Use interface vrfname
OS10(config)# ipv6 dhcp-relay prefix interface-id vrfname?
hostname User-defined string for hostname
Supported Releases 10.5.2.1 or later

ipv6 dhcp-relay remote-id
Enables or disables DHCPv6 remote-id option and customized description configurations.
Defaults None.
Command Mode CONFIGURATION
Usage Information You must globally configure prefix as an optional parameter. You can configure hostname, VRF Name, or a customized string as prefix. Colon ( : ) is not allowed in the customized string prefix configuration. If you try to configure the prefix value with colon ( : ), the following error appears:
OS10(config)# % Error: Colon ( : ) is not supported
If the hostname is configured as a prefix, then the system hostname is used by default.

ipv6 dhcp-relay interface-id
Configures customized string value for the interface-id option.
Syntax ipv6 dhcp-relay interface-id description user-defined-string
Parameters None
Defaults None.
Command Mode INTERFACE CONFIGURATION
Usage Information You can optionally configure any customized value for the interface-id option. By default, interface name is sent as the interface-id value. It can be configured on all types of interfaces.

Usage Information This command displays the Global level status of Option-82 as well as the Interface level Option-82 status. The show ip dhcp-relay interface command displays the relay information corresponding to the requested interface enabled with the helper address. If you enable the Option-82 configuration, the Option-82 status appears as Enabled(Default). If you disable the Option-82 configuration, the Option-82 status appears as Disabled.
show ipv6 dhcp-relay Displays the DHCPv6 relay information on the client interfaces. Syntax show ipv6 dhcp-relay interface {{ethernet node/slot/port | port-channel idnumber} | vlan vlan-id [{ethernet node/slot/port | port-channel id-number}] | virtual-network vnid} Parameters ● ● ● ● Defaults None.
Interface : ethernet 1/1/1
Interface-id[option-18] : Enabled (OS10-red:vlan10-ethernet1/1/1)
Remote-id[option-37] : Enabled
Enterprise-number : 674
Remote-id value : OS10:force10

OS10(conf)#ipv6 dhcp-relay hostname DELL
OS10(conf)#ipv6 dhcp-relay prefix interface-id hostname vrfname
interface ethernet1/1/1
no shutdown
no switchport
switchport mode trunk
switchport trunk allowed vlan 10
ipv6 dhcp-relay interface-id description chennai
vlan 10
ip address 1::2/64
ip helper address 2::2
ip vrf forwarding red
* 1 Present
  2 Not Present
Interface Relay Configuration Mismatch
---------------------------------------------------------------------
VLAN: 10
VLT Unit ID Server-Override VSS Source-Interface
---------------------------------------------------------------------------------
* 1 enabled type-0(Red)
  2 disabled type-0(Blue)
VNI: 20
VLT Unit ID Server-Override VSS Source-Interface
---------------------------------------------------------------------------------
* 1 type-0(Red) Present
  2 type-1(ABC:1234) Not Present

---------------------------------------------------------
VLAN: 10
VLT Unit ID description
---------------------------------------------------------
* 1 default
  2 custom(santaclara)
VNI: 20
VLT Unit ID description
---------------------------------------------------------
* 1 custom(force10)
  2 default
VLT-PORTCHANNEL: 100
VLT Unit ID description
---------------------------------------------------------
* 1 custom(force10)
  2 custom(santaclara)
Supported Releases 10.5.

VLT VLAN mismatch: No mismatch

Example (mismatch)
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID Peer-routing
-----------------------------------
* 1 Enabled
  2 Disabled
VLAN mismatch: No mismatch
VLT VLAN mismatch:
VLT ID : 1
VLT Unit ID Mismatch VLAN List
----------------------------------
* 1 1
  2 2
VLT ID : 2
VLT Unit ID Mismatch VLAN List
-----------------------------------
* 1 1
  2 2

Example (mismatch peer routing)
Example (mismatch VLAN)
OS10# show vlt 1 mismatch peer-routing
Peer-routing mi
available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) 1 * 2 10,104 - OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans ---------------------------------------------------------------------------1 101 * 2 100 OS10# show vlt all mismatch virtual-network Virtual Network: 102 VLT Unit ID Configured Virtual Network Mode -----------------------------------------------------------------
* 2 10.16.128.20 Virtual-network: 20 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.26 * 2 10.16.128.30 Example (Anycast IP addresses not configured on one of the virtual networks on both peers) show vlt 1 mismatch virtual-network Interface virtual-network Anycast-IP mismatch: Virtual-network: 10 VLT Unit ID Anycast-IP ------------------------------------1 10.16.128.25 * 2 ABSENT Virtual-network: 20 VLT Unit ID Anycast-IP ------------------------------------1 ABSENT * 2 10.16.128.
---------------------------------------------------------------------------* 1 64::100, 64.6.7.88 2 100::100, 100.101.102.100 VLAN: 3000 VLT Unit ID Anycast-IPs ---------------------------------------------------------------------------* 1 100.101.102.100 2 Not configured VLAN: 4000 VLT Unit ID Anycast-IPs ---------------------------------------------------------------------------* 1 Not configured 2 Example (mismatch dhcprelay) 8.7.6.
● address2...address8 — (Optional) Enter up to eight IP addresses, in order of preference. Default Not configured Command Mode DHCP-POOL Usage Information Configure up to eight IP addresses, in order of preference. Use the no version of this command to remove the configuration. Example OS10(conf-dhcp-pool2)# default-router 20.1.1.100 Supported Releases 10.2.0E or later
disable Disables the DHCP server.
Default Not configured Command Mode DHCP-POOL Usage Information None Example OS10(conf-dhcp-Dell)# dns-server 192.168.1.1 Supported Releases 10.2.0E or later
hardware-address Configures the client's hardware address for manual configurations. Syntax hardware-address nn:nn:nn:nn:nn:nn Parameters nn:nn:nn:nn:nn:nn — Enter the 48-bit hardware address.
Usage Information Use the ip dhcp server command to enter the DHCP mode required to enable DHCP server-assigned dynamic addresses on an interface. Example OS10(config)# ip dhcp server OS10(conf-dhcp)# Supported Releases 10.2.0E or later
lease Configures a lease time for the IP addresses in a pool. Syntax lease {infinite | days [hours] [minutes]} Parameters ● ● ● ● Default 24 hours Command Mode DHCP-POOL Usage Information The no version of this command removes the lease configuration.
Parameters type — Enter the NetBIOS node type: ● Broadcast — Enter b-node. ● Hybrid — Enter h-node. ● Mixed — Enter m-node. ● Peer-to-peer — Enter p-node. Default Hybrid Command Mode DHCP-POOL Usage Information The no version of this command resets the value to the default. Example OS10(conf-dhcp-Dell)# netbios-node-type h-node Supported Releases 10.2.0E or later
network Configures a range of IPv4 or IPv6 addresses in the address pool.
range Configures a range of IP addresses. Syntax range {ip-address1 [ip-address2]} Parameters ● ip-address1 — First IP address of the IP address range. ● ip-address2 — Last IP address of the IP address range. Default Not configured Command Mode DHCP-POOL Usage Information Use the range command to configure a range of IP addresses that the OS10 switch, acting as the DHCP server, can assign to DHCP clients.
Usage Information Dell EMC Networking recommends enabling DAI before enabling DHCP snooping. Example OS10(conf-if-vl-230)# arp inspection Supported Releases 10.5.0 or later
arp inspection-trust Configures a port as trusted so that ARP frames are not validated against the DAI database.
Example (Global) OS10# clear ip dhcp snooping binding Supported Release 10.5.0 or later
clear ip dhcp snooping binding Clears the dynamic entries in the DHCP snooping binding table. Syntax clear ip dhcp snooping binding [mac mac-address] [vlan vlan-id] [interface {ethernet slot/port/sub-port | port-channel port-channel-id}] Parameters ● mac mac-address—Enter the MAC address of the host to which the server is leasing the IP address. ● vlan vlan-id—Enter the VLAN ID. The range is from 1 to 4093.
Supported Releases 10.5.0 or later
ip dhcp snooping (interface) Enables DHCP snooping on a VLAN. Syntax ip dhcp snooping Parameters None Defaults Enabled if enabled globally Command Mode INTERFACE VLAN Usage Information When you enable this feature, the switch begins to monitor all transactions between DHCP servers and DHCP clients and uses the information to build the DHCP snooping binding table.
ip dhcp snooping trust Configures an interface as trusted in a DHCP snooping enabled VLAN. Syntax ip dhcp snooping trust Parameters None Defaults Untrusted Command Mode INTERFACE Usage Information This command configures a physical or port channel interface as trusted. By default all physical and port channel interfaces in the DHCP snooping enabled VLAN are untrusted. You can configure a DHCP server-facing physical or port channel interface as trusted.
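The interaction between DHCP snooping trust, the binding table, and ARP inspection trust can be modeled in a short script. This is an added example, not OS10 code or output: the class, its method names, and the drop rules it applies to RELEASE messages and to ARP frames (match on IP, MAC, VLAN and ingress port) are assumptions of the model, and all addresses and port names are constructed.

```python
"""Simplified model of DHCP snooping and dynamic ARP inspection (DAI).

Added illustration only: this is not OS10 code, and the class and method
names are hypothetical. All addresses and port names are constructed.
"""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server originates these


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    kind: str  # "D" = learned from DHCP, "S" = statically configured


class SnoopingModel:
    def __init__(self, snooping_vlans, dhcp_trusted, dai_vlans=(), arp_trusted=()):
        self.snooping_vlans = set(snooping_vlans)  # VLANs with ip dhcp snooping
        self.dhcp_trusted = set(dhcp_trusted)      # ports with ip dhcp snooping trust
        self.dai_vlans = set(dai_vlans)            # VLANs with arp inspection
        self.arp_trusted = set(arp_trusted)        # ports with arp inspection-trust
        self.pending = {}   # (vlan, client MAC) -> port the client request came in on
        self.bindings = {}  # (vlan, IP) -> Binding

    def add_static(self, ip, mac, interface, vlan):
        self.bindings[(vlan, ip)] = Binding(ip, mac, interface, vlan, "S")

    def dhcp(self, msg, ingress, vlan, client_mac, ip=None):
        """Return 'forward' or 'drop' for one DHCP message seen on `ingress`."""
        if vlan not in self.snooping_vlans:
            return "forward"
        key = (vlan, client_mac)
        if msg in SERVER_MESSAGES:
            if ingress not in self.dhcp_trusted:
                return "drop"  # server reply arriving on a client-facing port
            if msg == "ACK" and key in self.pending and ip is not None:
                port = self.pending.pop(key)
                self.bindings[(vlan, ip)] = Binding(ip, client_mac, port, vlan, "D")
            elif msg == "NAK":
                self.pending.pop(key, None)
            return "forward"
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[key] = ingress
        elif msg == "RELEASE":
            held = self.bindings.get((vlan, ip))
            if held is None or (held.mac, held.interface) != (client_mac, ingress):
                return "drop"  # release for a lease this port/MAC does not hold
            if held.kind == "D":
                del self.bindings[(vlan, ip)]
        return "forward"

    def arp(self, ingress, vlan, sender_ip, sender_mac):
        """Return 'forward' or 'drop' for one ARP frame seen on `ingress`."""
        if vlan not in self.dai_vlans or ingress in self.arp_trusted:
            return "forward"  # not inspected: VLAN has no DAI, or port is trusted
        held = self.bindings.get((vlan, sender_ip))
        ok = held is not None and (held.mac, held.interface) == (sender_mac, ingress)
        return "forward" if ok else "drop"


def run_scenario():
    """Constructed scenario: one uplink to the DHCP server, two access ports."""
    sw = SnoopingModel(snooping_vlans={100}, dhcp_trusted={"port-channel100"},
                       dai_vlans={100}, arp_trusted={"port-channel100"})
    client, rogue = "00:00:5e:00:53:01", "00:00:5e:00:53:66"
    results = {}
    # A host on an untrusted access port answers as if it were the server.
    results["rogue_offer"] = sw.dhcp("OFFER", "ethernet1/1/5", 100, client, "192.0.2.99")
    # Normal lease: request on the access port, ACK arrives on the trusted uplink.
    sw.dhcp("REQUEST", "ethernet1/1/4", 100, client)
    results["server_ack"] = sw.dhcp("ACK", "port-channel100", 100, client, "192.0.2.22")
    results["binding"] = sw.bindings[(100, "192.0.2.22")]
    # ARP from the real lease holder, then a frame claiming the same IP.
    results["arp_owner"] = sw.arp("ethernet1/1/4", 100, "192.0.2.22", client)
    results["arp_spoof"] = sw.arp("ethernet1/1/5", 100, "192.0.2.22", rogue)
    # The same frame is not checked when it enters through an ARP-trusted port.
    results["arp_trusted"] = sw.arp("port-channel100", 100, "192.0.2.22", rogue)
    # A release from the wrong port must not clear the existing binding.
    results["spoofed_release"] = sw.dhcp("RELEASE", "ethernet1/1/5", 100, client, "192.0.2.22")
    results["binding_kept"] = (100, "192.0.2.22") in sw.bindings
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:16} {value}")
```

The `arp_trusted` result is the case to watch when auditing a configuration: a port marked trusted bypasses validation entirely, so trust belongs only on server-facing or inter-switch links.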
-----------------------------------------------------------------------
55.2.1.1       00:40:50:00:00:00   port-channel100   vlan3001
200.1.1.134    00:2a:10:01:00:00   port-channel100   vlan3001
200.1.1.62     00:2a:10:01:00:01   port-channel100   vlan3001
Supported Releases 10.5.0 or later
show ip arp inspection statistics Displays valid and invalid ARP requests and reply statistics. Syntax show ip arp inspection statistics [vlan vlan-id] Parameters ● vlan vlan-id—Enter the VLAN ID. The range is from 1 to 4093.
Command Mode EXEC Usage Information The dynamically learned entries are displayed as D and statically configured entries are displayed as S. Example
OS10# show ip dhcp snooping binding
Codes : S - Static D – Dynamic
IPv4 Address   MAC Address         Expires(Sec)   Type   Interface         VLAN
=========================================================================
10.1.1.22      11:22:11:22:11:22   120331         S      ethernet1/1/4     100
10.1.1.44      11:22:11:22:11:23   120331         S      port-channel100   200
10.1.1.
Usage Information This domain appends to incomplete DNS requests. The no version of this command returns the value to the default. Example OS10(config)# ip domain-name vrf jay dell.com Supported Releases 10.2.0E or later
ip host Configures mapping between the hostname server and the IP address. Syntax ip host [vrf vrf-name] [host-name] address Parameters ● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure the name server to IP address mapping for that VRF.
show hosts Displays the host table and DNS configuration. Syntax show hosts [vrf vrf-name] Parameters vrf vrf-name — Enter vrf then the name of the VRF to display DNS host information corresponding to that VRF. Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show hosts Default Domain Name : dell.com Domain List : abc.com Name Servers : 1.1.1.
Or docker pull nginx:latest NOTE: Docker downloads the latest image if you do not specify the image file name.
● Display details of a volume: docker volume inspect volume-name
● List all the volumes in the system: docker volume ls
● Remove a volume: docker volume rm volume-name
Docker Management
● List all running Docker containers: docker ps
● List all running and stopped Docker containers: docker ps -a
● Remove a Docker container: docker rm container-name
● Remove a Docker image: docker rmi image-name
● Remove unused Docker images: docker image prune
● Remove unused Docker volumes: docker volume prune
● Remove all
Cut-through switching mode CT switching offers low-latency performance for SCSI traffic. Use CT switching in packet-switching systems. The switch forwards a packet or frame to its destination immediately after the destination address is processed, without waiting to receive the entire packet or frame. The egress scheduler block in the NPU pipeline schedules the packet for transmission after the first cells of the packet arrive.
Restrictions and limitations When the port is operating in CT mode, you can observe the following restrictions, depending on the configuration or timing of the incoming packet, PFC message, or port speed configurations. ● Layer 2/Layer 1/Layer 0, and queue level maximum shaper configurations are not considered.
Low Latency Modes CLI commands show switching-mode Displays the current configured switching-mode.
10 Interfaces You can configure and monitor physical interfaces (Ethernet), port-channels, and virtual local area networks (VLANs) in Layer 2 (L2) or Layer 3 (L3) modes. Table 52.
Unified port groups In an OS10 unified port group, all ports operate in either Ethernet or Fibre Channel (FC) mode. You cannot mix modes for ports in the same unified port group. To activate Ethernet interfaces, configure a port group to operate in Ethernet mode and specify the port speed. To activate Fibre Channel interfaces, see Fibre Channel interfaces. S4148U-ON On the S4148U-ON switch, the available Ethernet and Fibre Channel interfaces in a port group depend on the currently configured port profile.
3. Return to CONFIGURATION mode. exit 4. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
On the Z9264F-ON switch, the available Ethernet interfaces in a port group depend on the currently configured port-group profile. For details about the supported breakout modes in port-group profiles, see the profile CLI command. To enable Ethernet interfaces: 1. Configure a Z9264F-ON port group in CONFIGURATION mode. Enter 1/1 for node/slot. The port-group range is from 1 to 32. port-group node/slot/port-group 2. Configure the restricted profile in PORT-GROUP mode.
port-group1/1/1 port-group1/1/2 port-group1/1/3 port-group1/1/4 port-group1/1/5 port-group1/1/6 Eth Eth Eth Eth Eth Eth 10g-4x 10g-4x 10g-4x 100g-1x 100g-1x 100g-1x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 - Table 53.
Table 54.
Table 55.
Table 56.
3. Return to CONFIGURATION mode. exit 4. Enter Interface breakout mode to configure other settings, such as speed.
L3 mode configuration Ethernet and port-channel interfaces are in L2 access mode by default. When you disable the L2 mode and then assign an IP address to an Ethernet port interface, you place the port in L3 mode. Configure one primary IP address in L3 mode. You can configure up to 255 secondary IP addresses on an interface. At least one interface in the system must be in L3 mode before you configure or enter an L3 protocol mode, such as OSPF. 1. Remove a port from L2 switching in INTERFACE mode.
Figure 5. MX9116n Fabric Switching Engine — Unified port groups 1. Configure a unified port group in CONFIGURATION mode. Enter 1/1 for node/slot. The port-group range depends on the switch. port-group node/slot/port-group 2. Activate the unified port group for FC operation in PORT-GROUP mode. The available FC modes depend on the switch.
Wavelength is 850 Receive power reading is 0.
2. By default, DHCP client is enabled on the Management interface. Disable the DHCP client operations in INTERFACE mode. no ip address dhcp 3. Configure an IP address and mask on the Management interface in INTERFACE mode. ip address A.B.C.D/prefix-length 4. Enable the Management interface in INTERFACE mode. no shutdown Configure management interface OS10(config)# interface OS10(conf-if-ma-1/1/1)# OS10(conf-if-ma-1/1/1)# OS10(conf-if-ma-1/1/1)# mgmt 1/1/1 no ip address dhcp ip address 10.1.1.
Reconfigure default VLAN OS10# show vlan Q: A - Access (Untagged), T - Tagged NUM Status Description * 1 up Eth1/1/1-1/1/25,1/1/29,1/1/31-1/1/54 Q Ports A OS10(config)# interface vlan 10 Sep 19 17:28:10 OS10 dn_ifm[932]: Node.1-Unit.1:PRI:notice [os10:notify], %Dell EMC (OS10) %IFM_ASTATE_UP: Interface admin state up :vlan10 OS10(conf-if-vl-10)# exit OS10(config)# default vlan-id 10 Sep 19 17:28:15 OS10 dn_ifm[932]: Node.1-Unit.
From OS10.5.2.3 onwards, PowerSwitches in Full Switch mode support the following total numbers of Port VLAN (PV) combinations:
Table 57. Support VLAN values
Platform           With VLAN scale profile configured   Without VLAN scale configuration
S4100-ON Series    40000 PV                             10000 PV
S5200-ON Series    60000 PV                             30000 PV
This number is calculated based on the total number of VLANs provisioned on the switch and the number of active ports, including VLTi and port channels. From 10.5.2.
Last clearing of "show interface" counters : 00:00:11 Queuing strategy : fifo Input 0 packets, 0 bytes, 0 multicast Received 0 errors, 0 discarded Output 0 packets, 0 bytes, 0 multicast Output 0 errors, Output 0 invalid protocol Time since last interface status change : 00:00:11 Port-channel interfaces Port-channels are not configured by default. Link aggregation (LA) is a method of grouping multiple physical interfaces into a single logical interface — a link aggregation group (LAG) or port-channel.
● You cannot enable flow control on a port-channel interface. Flow control is supported on physical interfaces that are port-channel members. ● Port-channels support 802.3ad LACP. LACP identifies similarly configured links and dynamically groups ports into a logical channel. LACP activates the maximum number of compatible ports that the switch supports in a port-channel.
○ ip-address/mask — Specify an IP address in dotted-decimal A.B.C.D format and the mask. ○ secondary-ip-address — Specify a secondary IP address in dotted-decimal A.B.C.D format, which acts as the interface’s backup IP address. Assign Port Channel IP Address OS10# configure terminal OS10(config)# interface port-channel 1 OS10(conf-if-po-1)# ip address 1.1.1.1/24 OS10(conf-if-po-1)# Remove or disable port-channel You can delete or disable a port-channel. 1. Delete a port-channel in CONFIGURATION mode.
Configure load balancing OS10(config)# load-balancing ip-selection destination-ip source-ip Change hash algorithm The load-balancing command selects the hash criteria applied to traffic load balancing on port-channels. If you do not obtain even traffic distribution, use the hash-algorithm command to select the hash scheme for LAG. Rotate or shift the L2-bit LAG hash until you achieve the desired traffic distribution.
Configure range of VLANs OS10(config)# interface range vlan 1-100 OS10(conf-range-vl-1-100)# Configure range of port channels OS10(config)# interface range port-channel 1-25 OS10(conf-range-po-1-25)# Switch-port profiles A port profile determines the enabled front-panel ports and supported breakout modes on Ethernet and unified ports. Change the port profile on a switch to customize uplink and unified port operation, and the availability of front-panel data ports.
profile-5 profile-6 S4148-ON Series port profiles On the S4148-ON Series of switches, port profiles determine the available front-panel Ethernet ports and supported breakout interfaces on uplink ports. In the port profile illustration, blue boxes indicate the supported ports and breakout interfaces. Blank spaces indicate ports and speeds that are not available. ● ● ● ● ● 10GE mode is an SFP+ 10GE port or a 4x10G breakout of a QSFP+ or QSFP28 port. 25GE is a 4x25G breakout of a QSFP28 port.
● 2x16GFC are breakout interfaces (subports 1 and 3) in an SFP+ or QSFP28 FC port group. ● 4x16GFC are breakout interfaces in a QSFP28 FC port group. ● 1x32GFC (subport 1) are breakout interfaces in a QSFP28 FC port group. S4148U-ON Ethernet modes—QSFP+ ports 27-28 and SFP+ ports 31-54: ● 10GE mode is an SFP+ 10GE port or a 4x10G breakout of a QSFP+ port. ● 40GE mode is a QSFP+ port.
○ Platforms (Z9100, Z9264F, S5200 Series, Z9332F-ON, S4100 Series, MX series and S4200 Series) with 100G(QSFP28 and QSFP28DD) ports do not support 1G auto negotiation. ○ For 10G and 1G BASE-T ports, you cannot disable auto negotiation for copper Gigabit Ethernet interfaces. ○ If you modify flow control settings on an auto negotiation-enabled port, the port flaps for the changes to take effect. ○ If a DAC (25G, 40G, 50G, 100G, 200G, or 400G) is connected to a switch, auto negotiation is enabled by default.
Current address is e4:f0:04:3e:2d:86 Pluggable media present, QSFP28 type is QSFP28 100GBASE-CR4-2.0M Wavelength is 64 Receive power reading is not available Interface index is 112 Internet address is not set Mode of IPv4 Address Assignment: not set Interface IPv6 oper status: Disabled MTU 1532 bytes, IP MTU 1500 bytes LineSpeed 100G, Auto-Negotiation on Configure breakout mode Using a supported breakout cable, you can split a 40GE QSFP+ or 100GE QSFP28 Ethernet port into separate breakout interfaces.
Table 60.
RJ-45 ports and ports that are members of a port group do not support breakout auto-configuration. Breakout autoconfiguration is disabled by default.
2. Return to CONFIGURATION mode. exit 3. Reset an interface to its default configuration in CONFIGURATION mode. Enter multiple interfaces in a comma-separated string or a port range using the default interface range command. default interface {ethernet | fibrechannel} node/slot/port[:subport] 4. Enter INTERFACE mode and verify the factory-default configuration.
Forward error correction Forward error correction (FEC) enhances data reliability.
Time since last interface status change: 00:00:13 --more-- Energy-efficient Ethernet Energy-efficient Ethernet (EEE) reduces power consumption of physical layer devices (PHYs) during idle periods. EEE allows Dell EMC Networking devices to conform to green computing standards. An Ethernet link consumes power when a link is idle. EEE allows Ethernet links to use Regular Power mode only during data transmission. EEE is enabled on devices that support LOW POWER IDLE (LPI) mode.
Clear counters for specific interface OS10# clear counters interface 1/1/48 eee Clear eee counters on ethernet1/1/48 [confirm yes/no]:yes View EEE status/statistics You can view the EEE status or statistics for a specified interface, or all interfaces, using the show commands.
EEE commands
clear counters interface eee Clears all EEE counters. Syntax clear counters interface eee Parameters None Default Not configured Command Mode EXEC Usage Information None Example
OS10# clear counters interface eee
Clear all eee counters [confirm yes/no]:yes
Supported Releases 10.3.0E or later
clear counters interface ethernet eee Clears EEE counters on a specified Ethernet interface.
Example (Disable EEE)
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no eee
Supported Releases 10.3.0E or later
show interface eee Displays the EEE status for all interfaces. Syntax show interface eee Parameters None Default Not configured Command Mode EXEC Example
OS10# show interface eee
Port EEE Status Speed Duplex
--------------------------------------------
Eth 1/1/1 off up 1000M
...
show interface ethernet eee Displays the EEE status for a specified interface. Syntax show interface ethernet node/slot/port[:subport] eee Parameters node/slot/port[:subport]—Enter the interface information. Default Not configured Command Mode EXEC Example OS10# show interface ethernet 1/1/48 eee Port EEE Status Speed Duplex --------------------------------------------Eth 1/1/48 on up 1000M Supported Releases 10.3.
View interface information OS10# show interface Ethernet 1/1/1 is up, line protocol is down Hardware is Eth, address is 00:0c:29:66:6b:90 Current address is 00:0c:29:66:6b:90 Pluggable media present, QSFP+ type is QSFP+ 40GBASE CR4 Wavelength is 64 Receive power reading is 0.
Time since last interface status change: 02:46:35
--more--
View specific interface information
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# show configuration
!
interface ethernet1/1/1
 ip address 1.1.1.1/24
 no switchport
 no shutdown
View candidate configuration
OS10(conf-if-eth1/1/1)# show configuration candidate
!
interface ethernet1/1/1
 ip address 1.1.1.1/24
 no switchport
 no shutdown
View running configuration
OS10# show running-configuration
Current Configuration ...
Ethernet 1/1/23 Ethernet 1/1/24 Ethernet 1/1/25 Ethernet 1/1/26 Ethernet 1/1/27 Ethernet 1/1/28 Ethernet 1/1/29 Ethernet 1/1/30 Ethernet 1/1/31 Ethernet 1/1/32 Management 1/1/1 Vlan 1 Vlan 10 Vlan 20 Vlan 30 unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned 10.16.153.
● Warning threshold—The platform specification defines this value. If you have configured to allow high-power optics, an optic with power rating below this threshold is enabled. ● Alarm threshold—The platform specification defines this value. A high-power optic with power rating above this threshold is disabled. OS10 checks for the following: ● If you have enabled high-power optics on a port, OS10 checks the alarm threshold value.
● INTERFACE RANGE ETHERNET CONFIGURATION submode Usage Information By default, this command is enabled on all the physical interfaces. Use the no version of this command to disable high-power optics on the interface or interfaces. If you disable high-power optics, this configuration is displayed in the show running-configuration command output. This command is applicable only for Z9332F-ON and Z9432F-ON platforms.
Digital optical monitoring The digital optical monitoring (DOM) feature monitors the digital optical media for temperature, voltage, bias, transmission power (Tx), and reception power (Rx). This feature also generates event logs, alarms, and traps for any fluctuations, when configured thresholds are reached.
1. Enable DOM. OS10(config)# dom enable 2. Enable DOM traps. OS10(config)# snmp-server enable traps dom You can run the show alarms command in EXEC mode to view any alarms that are generated. View DOM alarms OS10# show alarms Index ----0 Severity -------major Name ------------------EQM_MEDIA_TEMP_HIGH Raise-time Source ----------------------- -----Tue 06-04-2019 12:32:07 Node.1-Unit.
Default MTU Configuration Maximum transmission unit (MTU) defines the largest packet size that an interface can transmit without fragmentation. The MTU of an interface determines whether to accept the packet ingress and egress in the switch. The interface drops any packet with size exceeding the MTU. If you have not configured the MTU value for an interface, a default value of 1532 bytes is set automatically. Any packet exceeding this value is dropped.
Configure polling interval for Ethernet interface counters OS10 caches the interface counters every 15 s. The interface statistics include the number of packets that are sent or received through an interface. You can change this polling interval for Ethernet interface counters from 1 s to 15 s.
● An Ethernet interface is enabled using the no shutdown command; a Fibre Channel interface is disabled using the shutdown command. ● An Ethernet interface is assigned to the default VLAN. The default interface command removes all software settings and all L3, VLAN, and port-channel configurations on a physical interface. You must manually remove configured links to the interface from other software features; for example, if you configure an Ethernet interface as a discovery interface in a VLT domain.
! interface ethernet1/1/3 no shutdown no switchport ip address 192.28.43.1/31 ipv6 address 2000:28:43::28:43:1/127 ! interface ethernet1/1/4 no shutdown no switchport ip address 192.41.43.1/31 ipv6 address 2000:41:43::41:43:1/127 OS10(conf-range-eth1/1/1-1/1/4)# exit OS10(config)# default interface range ethernet 1/1/1,1/1/2-1/1/4 Proceed to cleanup interface range config? [confirm yes/no]:yes Mar 5 22:21:12 OS10 dn_l3_core_services[590]: Node.1-Unit.
Parameters vlan-id — Enter the default VLAN ID number, from 1 to 4093. Default VLAN1 Command Mode CONFIGURATION Usage Information By default, VLAN1 serves as the default VLAN for switching untagged L2 traffic on OS10 ports in Trunk or Access mode. If you use VLAN1 for network-specific data traffic, reconfigure the VLAN ID of the default VLAN. The command reconfigures the access VLAN ID, the default VLAN, of all ports in Switchport Access mode.
Supported Releases 10.2.0E or later duplex Configures Duplex mode on the Management port. Syntax duplex {full | half | auto} Parameters ● full — Set the physical interface to transmit in both directions. ● half — Set the physical interface to transmit in only one direction. ● auto — Set the port to auto-negotiate speed with a connected device. Defaults Not configured Command Mode CONFIGURATION Usage Information You can only use this command on the Management port.
Usage Information The no version of this command disables the DOM traps. Example OS10# configure terminal OS10(config)# snmp-server enable traps dom temperature OS10# configure terminal OS10(config)# no snmp-server enable traps dom temperature Supported Releases 10.4.3.0 or later feature auto-breakout Enables front-panel Ethernet ports to automatically detect SFP media and autoconfigure breakout interfaces.
interface breakout Splits a front-panel Ethernet port into multiple breakout interfaces. Syntax interface breakout node/slot/port map {100g-1x | 50g-2x | 40g-1x | 25g-4x | 10g-4x | 25g-4x} Parameters ● ● ● ● ● ● Default Not configured Command Mode CONFIGURATION Usage Information ● Each breakout interface operates at the configured speed; for example, 10G, 25G, or 50G. ● The no interface breakout node/slot/port command resets a port to its default speed: 40G or 100G.
Parameters id — Enter the Loopback interface ID number, from 0 to 16383. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes the Loopback interface. Example OS10(config)# interface loopback 100 OS10(conf-if-lo-100)# Supported Releases 10.2.0E or later
interface mgmt Configures the Management port. Syntax interface mgmt node/slot/port Parameters node/slot/port — Enter the physical port interface information for the Management interface.
Parameters channel-id — Enter the port-channel ID number, from 1 to 128. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes the interface. Example OS10(config)# interface port-channel 10 OS10(conf-if-po-10)# Supported Releases 10.2.0E or later
interface range Configures a range of Ethernet, port-channel, or VLAN interfaces for bulk configuration. Syntax interface range {ethernet node/slot/port[:subport]-node/slot/port[:subport],[...
Usage Information FTP, TFTP, MAC ACLs, and SNMP operations are not supported. IP ACLs are supported on VLANs only. The no version of this command deletes the interface. NOTE: In SmartFabric Services mode, creation of VLAN is disabled. Example OS10(config)# interface vlan 10 OS10(conf-if-vl-10)# Supported Releases 10.2.0E or later
link-bundle-utilization Configures link-bundle utilization.
MX9116n Fabric Switching Engine:
● QSFP28-DD port groups 1 to 9 operate in 8x25GE fabric-expander mode (FEM).
● QSFP28-DD port groups 10 to 12 operate in 2x100GE mode.
● QSFP28 port groups 13 and 14 operate in 1x100GE mode.
● Unified port groups 15 and 16 operate in ethernet 1x100GE mode.
Command Mode PORT-GROUP Usage Information ● The mode {FC | Eth} command configures a port group to operate at line rate and guarantees no traffic loss.
Usage Information To return to the default MTU value, use the no mtu command. If an IP packet includes an L2 header, the IP MTU must be at least 32 bytes smaller than the L2 MTU. ● Port channels: Member interfaces inherit the MTU value configured on the port-channel interface. ● VLANs: ○ All members of a VLAN must have the same MTU value. ○ Tagged members must have a link MTU 4 bytes higher than untagged members to account for the packet tag.
flowcontrol receive on OS10(conf-if-eth1/1/50)# OS10(conf-if-eth1/1/50)# negotiation on OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 negotiation on flowcontrol receive on OS10(conf-if-eth1/1/50)# no negotiation OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 flowcontrol receive on OS10(conf-if-eth1/1/50)# do show interface ethernet 1/1/50 Ethernet 1/1/50 is up, line protocol is up Hardw
OS10(config)# interface ethernet 1/1/3:2 OS10(conf-if-eth1/1/3:2)# Supported releases 10.4.3.0 or later port-group Configures a group of front-panel unified ports, or a double-density QSFP28 (QSFP28-DD) or single-density QSFP28 port group. Syntax port-group node/slot/port-group Parameters ● node/slot — Enter 1/1 for node/slot when you configure a port group. ● port-group — Enter the port-group number, from 1 to 16. The available port-group range depends on the switch.
Example OS10(config)# port-group 1/1/2 OS10(conf-pg-1/1/2)# profile restricted Supported releases 10.4.3.0 or later
scale-profile vlan Configures the L2 VLAN scale profile on a switch. Syntax scale-profile vlan Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Use the VLAN scale profile when you scale the number of VLANs so that the switch consumes less memory. Enable the scale profile before you configure VLANs on the switch.
Supported Releases 10.4.0E(R3S) or later show interface Displays interface information. Syntax show interface [type] Parameters interface type—Enter the interface type: ● phy-eth node/slot/port[:subport]—Display information about physical ports that are connected to the interface. ● status—Display interface status. ● ethernet node/slot/port[:subport]—Display Ethernet interface information. ● loopback id—Display Loopback IDs, from 0 to 16383.
Example (port channel) OS10# show interface port-channel 1 Port-channel 1 is up, line protocol is down Address is 90:b1:1c:f4:a5:8c, Current address is 90:b1:1c:f4:a5:8c Interface index is 85886081 Internet address is not set Mode of IPv4 Address Assignment: not set MTU 1532 bytes LineSpeed 0 Minimum number of links to bring Port-channel up is 1 Maximum active members that are allowed in the portchannel is 5 Members in this channel: ARP type: ARPA, ARP Timeout: 60 OS10# show interface port-channel summary
Usage Information Example Supported Releases Use the do show interface description command to view interface description from other command modes.
Name: Eth1/1/1 Description: connected-to-host 802.1QTagged: Hybrid Vlan membership: Q Vlans A 1 T 2 Name: Eth1/1/2 802.1QTagged: False Vlan membership: Q Vlans A 1 Name: Po1000 802.1QTagged: Hybrid Vlan membership: Q Vlans v 1 V 2 Supported Releases 10.5.2.3 or later show inventory media Displays installed media in switch ports. Syntax show inventory media Parameters None Command Mode EXEC Usage Information Use the show inventory media command to verify the media type inserted in a port.
Example: MX9116n Fabric Engine Example: MX5108n Ethernet switch Supported Releases OS10# show inventory media --------------------------------------------------------System Inventory Media --------------------------------------------------------Node/Slot/Port Category Media Serial Dell EMC Number Qualified --------------------------------------------------------1/1/1 FIXED INTERNAL true 1/1/2 FIXED INTERNAL true 1/1/3 FIXED INTERNAL true 1/1/4 FIXED INTERNAL true 1/1/5 FIXED INTERNAL true 1/1/6 FIXED INT
show port-channel summary Displays port-channel summary information.
1/1/1 1/1/2 1/1/3 1/1/4 1/1/5 1/1/6 1/1/7 1/1/8 1/1/9 1/1/10 Example: MX9116n Fabric Engine Example: Z9264F-ON Supported Releases Eth FC FC FC FC FC Eth Eth Eth Eth 10g-4x 16g-2x 16g-2x 16g-2x 16g-2x 16g-2x 100g-1x 40g-1x 100g-1x 40g-1x OS10(config)# show Port-group port-group1/1/1 port-group1/1/2 port-group1/1/3 port-group1/1/4 port-group1/1/5 port-group1/1/6 port-group1/1/7 port-group1/1/8 port-group1/1/9 port-group1/1/10 port-group1/1/11 port-group1/1/12 port-group1/1/13 port-group1/1/14 port-group1
Usage Information A switch-port profile determines the available front-panel ports and breakout modes on Ethernet and unified ports. To display the current port profile, use the show switch-port-profile command. To reset the switch to the default port profile, use the no switch-port-profile node/slot command.
Example
show unit-provision
Displays the unit ID and service tag of the Fabric Expanders attached to a Fabric Switching Engine.
Syntax show unit-provision
Parameters None
Command Mode EXEC
Usage Information If the Fabric Switching Engine is in Full Switch mode, you must manually configure the unit ID of an attached Fabric Expander. Use the show unit-provision command to display the assigned and unassigned unit IDs, and service tag provision name values.
Parameters None
Default Disabled
Command Mode INTERFACE
Usage Information This command marks a physical interface as unavailable for traffic. Disabling a VLAN or a port-channel causes different behavior. When you disable a VLAN, the L3 functions within that VLAN are disabled, and L2 traffic continues to flow. Use the shutdown command on a port-channel to disable all traffic on the port-channel, and the individual interfaces. Use the no shutdown command to enable a port-channel on the interface.
Usage Information
● When you manually configure the Management port speed, match the speed of the remote device. Dell EMC highly recommends using auto-negotiation for the Management port.
● The no version of this command resets the port speed to the default value auto.
Example OS10(conf-if-ma-1/1/1)# speed auto
Supported Releases 10.3.0E or later

stats-monitor
Configures the polling interval for Ethernet interface counters.
QSFP+ ports support 40GE and 4x10G breakouts. QSFP28 ports support 100GE and 2x50G breakouts with QSFP28 transceivers, and 40GE and 4x10G breakouts with QSFP+ transceivers. ○ profile-5 — SFP+ 10G ports (1-24 and 31-54), QSFP+ 40G ports (27-28), QSFP28 ports with 40G capability (26 and 30), and QSFP28 ports with 40G and 100G capability (25 and 29) are enabled. QSFP+ ports support 40GE and 4x10G breakouts. QSFP28 ports 26 and 30 support 40GE and 4x10G breakouts with QSFP+ transceivers.
● To display the current port profile on a switch, use the show switch-port-profile command.
● To change the port profile on a switch, use the switch-port-profile command with the desired profile, save it to the startup configuration, and use the reload command to apply the change. The switch reboots with the new port configuration. The no version of the command resets to the default profile.
Usage Information
● If you assign an IP address to an interface, you cannot use this command to enable L2 switching — you must first remove the IP address.
● The access parameter automatically adds an interface to default VLAN1 to transmit untagged traffic. Use the switchport access vlan command to change the access VLAN assignment.
● The trunk parameter configures an interface to transmit tagged VLAN traffic.
Example
Supported Releases
Expander by entering the unit ID as the virtual-slot number using the interface ethernet node/virtual-slot/port command.
● The no version of the command removes the Fabric Expander provisioning.
Example OS10(config)# unit-provision 1/78 403RPK2
Supported Releases 10.4.0E(R3S) or later

wavelength
Configures wavelength for tunable 10-GB SFP+ optical transceiver.
Syntax wavelength wavelength-value
Parameters wavelength-value — Enter a value to set a wavelength for the SFP+ optics. The range is from 1528.
show default mtu
Displays the default MTU at system level.
Syntax show default mtu
Parameters None
Defaults None
Command Mode EXEC
Usage Information The interface-level MTU may be different from the system-level MTU.
Example OS10# show default mtu
Default MTU 9216 bytes
Supported Releases 10.5.1.
11 PowerEdge MX Ethernet I/O modules
The Dell EMC PowerEdge MX7000 supports the following Ethernet modules: MX9116n Fabric Switching Engine, MX7116n Fabric Expander Module, and MX5108n Ethernet Switch. For detailed information, see the Dell EMC PowerEdge MX7000 documentation.
● The MX9116n Fabric Switching Engine is a scalable L2/L3 switch that provides high-bandwidth, low-latency 25GE networking; for example, in private cloud and software-defined storage (SDS) networks.
MX-IOM Hardware Replacement
NOTE: The process to replace MX-IOM hardware may vary depending on the version of OS10 installed. Contact Dell technical support before IOM replacement activity.
For detailed instructions on how to replace a PowerEdge MX IOM, see Dell EMC PowerEdge MX Networking Deployment Guide.

Unified port groups
In an OS10 unified port group, all ports operate in either Ethernet or Fibre Channel (FC) mode. You cannot mix modes for ports in the same unified port group.
● 100g-1x — Reset a port group to 100GE mode.
● 50g-2x — Split a port group into two 50GE interfaces.
● 40g-1x — Set a port group to 40GE mode for use with a QSFP+ 40GE transceiver.
● 25g-4x — Split a port group into four 25GE interfaces.
● 10g-4x — Split a port group into four 10GE interfaces.
3. Return to CONFIGURATION mode.
exit
4. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
12 Fibre Channel
OS10 switches with Fibre Channel (FC) ports operate in one of the following modes: Direct attach (F_Port), NPIV Proxy Gateway (NPG). In the FSB mode, you cannot use the FC ports.

E_Port
An Expansion port (E_Port) in a switch is used to connect two Fibre Channel switches to form a multiswitch SAN fabric. The default port mode in a multiswitch setup is F.
NOTE: OS10 supports multiple E-Nodes in F_Port mode. NOTE: Remove all the NPIV Proxy Gateways (NPG), F-Port and vfabric related configurations from startup configuration before changing the IOM operating modes. Using the discovered information, the switch installs ACL entries that provide security and point-to-point link emulation.
Configure FIP snooping
1. Enable FIP snooping globally using the feature fip-snooping with-cvl command in CONFIGURATION mode.
2. Before applying FIP snooping to a VLAN, ensure that the VLAN already contains Ethernet or LAG members that are enabled with FCF Port mode. Enable FCF mode on an Ethernet or port-channel using the fip-snooping port-mode fcf command in INTERFACE mode.
3. Enable FIP snooping on the VLAN using the fip-snooping enable command in VLAN INTERFACE mode.
Enodes : 2
Sessions : 17
OS10# show fcoe sessions
Enode MAC          Enode Interface  FCF MAC            FCF interface  VLAN  FCoE MAC           FC-ID     PORT WWPN                PORT WWNN
aa:bb:cc:00:00:00  ethernet1/1/54   aa:bb:cd:00:00:00  port-channel5  100   0e:fc:00:01:00:01  01:00:01  31:00:0e:fc:00:00:00:00  21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00  ethernet1/1/54   aa:bb:cd:00:00:00  port-channel5  100   0e:fc:00:01:00:02  01:00:02  31:00:0e:fc:00:00:00:00  21:00:0e:fc:00:00:00:00
OS10# show fcoe fcf
FCF MAC FCF Interface VLAN FC-MAP
--------------------------
1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode.
2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command.
3. Add an FC map with the fcoe fcmap fc-map command.
4. Activate a zoneset using the zoneset activate zoneset-name command.
5. Allow access to all logged-in members in the absence of an active zoneset configuration using the zone default-zone permit command.
fibrechannel1/1/20 fibrechannel1/1/21 fibrechannel1/1/22 fibrechannel1/1/23 fibrechannel1/1/24 fibrechannel1/1/25:1 fibrechannel1/1/29:1 fibrechannel1/1/30:1 fibrechannel1/1/30:3
==========================================
To configure a vfabric in NPG mode:
1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode.
2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command.
3.
fcoe fka-adv-period 8
fcoe vlan-priority 3

Fibre Channel zoning
Fibre Channel (FC) zoning partitions an FC fabric into subsets to restrict unnecessary interactions, improve security, and manage the fabric more effectively. Create zones and add members to the zone. Identify a member by an FC alias, world wide name (WWN), or FC ID. A zone can have a maximum of 255 unique members. Create zonesets and add the zones to a zoneset.
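An offline audit of the zoning and vfabric commands described above, as an added example that is not part of the Dell EMC guide. It assumes running-config style text with indented sub-commands and "!" separators; the sample configuration, the finding codes, and the function names are constructed for illustration.

```python
import re

MAX_ZONE_MEMBERS = 255  # per-zone limit stated in this guide

# Constructed sample, not captured from a switch. Assumed layout: top-level
# stanzas start at column 0, sub-commands are indented, "!" lines separate.
SAMPLE_CONFIG = """\
!
fc zone zoneA
 member wwn 20:01:f4:e9:d4:f9:fc:44
 member wwn 20:02:00:11:0d:a5:56:01
!
fc zone zoneB
 member wwn 10:00:00:90:fa:b8:22:19
!
fc zoneset zonesetA
 member zoneA
 member zoneC
!
vfabric 1
 vlan 1001
 fcoe fcmap 0xEFC00
 zoneset activate zonesetA
!
vfabric 2
 vlan 1002
 fcoe fcmap 0xEFC01
 zone default-zone permit
!
vfabric 3
 vlan 1003
 fcoe fcmap 0xEFC02
 zoneset activate zonesetX
"""


def parse_stanzas(text):
    """Group the config into (header, [sub-commands]) using indentation."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if stanzas:  # ignore indented lines that precede any header
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def load_model(text):
    """Extract zones, zonesets and per-vfabric zoning state."""
    zones, zonesets, vfabrics = {}, {}, {}
    for header, body in parse_stanzas(text):
        words = header.split()
        members = [l.split(None, 1)[1] for l in body if l.startswith("member ")]
        if words[:2] == ["fc", "zone"] and len(words) == 3:
            zones[words[2]] = members
        elif words[:2] == ["fc", "zoneset"] and len(words) == 3:
            zonesets[words[2]] = members
        elif words[0] == "vfabric" and len(words) == 2:
            vf = {"active": None, "default_permit": False}
            for line in body:
                m = re.fullmatch(r"zoneset activate (\S+)", line)
                if m:
                    vf["active"] = m.group(1)
                if line == "zone default-zone permit":
                    vf["default_permit"] = True
            vfabrics[words[1]] = vf
    return zones, zonesets, vfabrics


def audit(text):
    """Return a list of (finding_code, subject) tuples."""
    zones, zonesets, vfabrics = load_model(text)
    findings = []
    for vid, vf in sorted(vfabrics.items()):
        if vf["default_permit"]:
            # With no active zoneset, default-zone permit lets all logged-in
            # members reach each other; with one, it is a latent fallback.
            code = "DEFAULT_PERMIT" if vf["active"] else "DEFAULT_PERMIT_NO_ZONESET"
            findings.append((code, f"vfabric {vid}"))
        if vf["active"] and vf["active"] not in zonesets:
            findings.append(("ZONESET_UNDEFINED", f"vfabric {vid} -> {vf['active']}"))
    referenced = set()
    for name, members in sorted(zonesets.items()):
        for zone in members:
            referenced.add(zone)
            if zone not in zones:
                findings.append(("ZONE_UNDEFINED", f"{name} -> {zone}"))
    for name, members in sorted(zones.items()):
        unique = set(members)
        if len(unique) > MAX_ZONE_MEMBERS:
            findings.append(("ZONE_TOO_LARGE", f"{name} ({len(unique)} members)"))
        if name not in referenced:
            findings.append(("ZONE_UNUSED", name))
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code:28} {subject}")
```

Run it against a saved copy of the configuration before a change window; a vfabric that reports DEFAULT_PERMIT_NO_ZONESET has no zoning restriction in effect.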
50:00:d3:10:00:ec:f9:1b
50:00:d3:10:00:ec:f9:05
50:00:d3:10:00:ec:f9:1f
20:35:78:2b:cb:6f:65:57

View FC zoneset configuration
OS10(conf-fc-zoneset-set)# show configuration
!
fc zoneset set
 member hba1
 member hba2

OS10# show fc zoneset active
vFabric id: 100
Active Zoneset: set
ZoneName  ZoneMember
================================================
hba2      *20:01:00:0e:1e:e8:e4:99
          20:35:78:2b:cb:6f:65:57
          50:00:d3:10:00:ec:f9:05
          50:00:d3:10:00:ec:f9:1b
          50:00:d3:10:00:ec:f9:1f
hba1      *10:00:00:90:fa:b8:22:19
          *21:00:0
Pinning FCoE traffic to a specific port of a portchannel
You can isolate FIP and FCoE traffic by configuring a pinned port at the FCoE LAG. FCoE LAG is the port-channel used for FIP and FCoE traffic in the intermediate switches between server and storage devices. VLT provides Active/Active LAN connectivity on converged links by forwarding traffic in multiple paths to multiple upstream devices without STP blocking any of the uplinks.
Sample FSB configuration on VLT network
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping with-cvl
2. Create the FCoE VLAN.
OS10(config)# interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Configure the VLTi interface.
OS10(config)# interface ethernet 1/1/27
OS10(conf-if-eth1/1/27)# no shutdown
OS10(conf-if-eth1/1/27)# no switchport
4. Configure the VLT.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
OS10(conf-if-eth1/1/1)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/1)# priority-flow-control mode on
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# description uplink_port_channel_member2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# channel-group 10 mode active
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/2)# priority-flow-control mode on
OS10(config)# interface OS10(conf-if-eth
Discovered FCFs: OS10# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
8. Enable DCBX.
OS10(config)# dcbx enable
9. Apply the vfabric on the interfaces.
Sample FSB configuration on non-VLT network
The following examples illustrate configurations on intermediate switches in a non-VLT network, to communicate with the server.
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping with-cvl
2. Create the FCoE VLAN.
OS10(config)# interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Enable DCBX.
OS10(config)# dcbx enable
4. Enable the PFC parameters on the interfaces.
OS10(conf-if-eth1/1/3)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/3)# priority-flow-control mode on
OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# channel-group 20 mode active
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/4)# priority-flow-control mode on

View the configuration
Discovered ENodes:
OS10# show fcoe enode
Enode MAC Enode Interface VLAN FCFs Sess
5. Create vfabric and activate the FC zoneset.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# vlan 1001
OS10(conf-vfabric-1)# fcoe fcmap 0xEFC00
OS10(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
OS10(config)# dcbx enable
7. Apply the vfabric on the interfaces.
----------------- ---------------- ----------------
Po 10 Eth 1/1/9 Up

Multiswitch fabric (E Port)
E Ports are interfaces that connect the FC switches to form a multiswitch SAN fabric. These ports carry control frames between the switches to configure and maintain the fabric. An Inter-Switch Link (ISL) is created when you connect two E Ports to one another. FC ISL maintains the information in FC frames as the traffic flows between multiple switches. The multiswitch configuration sets the port mode as E.
compute the shortest path to reach a switch in the fabric. The name server service uses these routes to synchronize the name server database across the fabric. Hence, FSPF helps in building the fabric connectivity. Configure the same hold-time value on all the switches to ensure consistent route convergence and to avoid intermittent forwarding loops. When you configure a shorter hold-time, the route update is faster.
● ACL entries that are installed for control and data traffic use statically reserved CAM entries. Dynamic ACL space allocation is not supported.
● The switch supports zoning configurations like the F port mode. Configure the same zoning configurations on all switches in the fabric to avoid losing the Logical Unit Numbers (LUNs) during topology changes.

Configure multiswitch fabric (E Port)
This section describes the procedure to configure multiswitch fabric (E Port).
5. Configure FC interface.
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# no shutdown
OS10(conf-if-fc1/1/1)# vfabric 1
OS10(conf-if-fc1/1/1)# exit
OS10(config)# interface fibrechannel 1/1/2
OS10(conf-if-fc1/1/2)# no shutdown
OS10(conf-if-fc1/1/2)# vfabric 1
6. Configure the FC switch port mode.
OS10(conf-if-fc1/1/2)# fc port-mode E
7. Add VLAN 1001 and fcmap to switch-1 to activate vFabric.
6. Configure the FC switch port mode.
OS10(conf-if-fc1/1/2)# fc port-mode E
7. Add VLAN 1001 and fcmap to switch-2 to activate vFabric.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# vlan 1001
OS10(conf-vfabric-1)# fcoe fcmap 0xefc00
OS10(conf-vfabric-1)# exit
8. Create zones.
OS10(config)# fc zone zoneA
OS10(config-fc-zone-zoneA)# member wwn 20:01:f4:e9:d4:f9:fc:44
OS10(config-fc-zone-zoneA)# member wwn 20:02:00:11:0d:a5:56:01
9. Create and activate a zone set.
port-group port-group port-group port-group 1/1/7 Eth 100g-1x 1/1/8 Eth 40g-1x 1/1/9 Eth 100g-1x 1/1/10 Eth 40g-1x 25 26 29 30 - ● To verify the fabric details in switch-1, run the show fc fabric command.
● To verify the fabric name server registration on switch-1, run the show fc ns fabric command.
zoneA 20:01:f4:e9:d4:f9:fc:44
      20:02:00:11:0d:a5:56:01
● To verify the vFabric in switch-1, run the show vfabric command.
Id type State code
------------------------------------------------------------------------------------
10 fc1/1/3 UPSTREAM EPORT NONE 10:00:14:18:77:20:7f:cf 20:00:14:18:77:20:7f:d0
10 fc1/1/1 NONPRINPLISL EPORT NONE 10:00:14:18:77:20:7f:cf 20:00:14:18:77:20:7f:d2
OS10#
● To display the summary of principal switch election states, in switch-2, run the show fc fabric interface command.
LSR Type = 1
Advertising domain ID = 0x65(101)
LSR Age = 1686
LSR Incarnation number = 0x80000024
LSR Checksum = 0x3caf
Number of links = 1
NbrDomainId IfIndex NbrIfIndex Link Type Cost
--------------------------------------------------------------
0x77(119) 0x00001085 0x00001095 1 125

FSPF Link State Database for Vfabric-Id 1 Domain 0x77(119)
LSR Type = 1
Advertising domain ID = 0x77(119)
LSR Age = 1686
LSR Incarnation number = 0x80000024
LSR Checksum = 0x3caf
Number of links = 1
NbrDomainId IfIndex NbrIfInd
Number of packets received: LSU 8 LSA 8 Hello 118 Error packets 0
Number of packets transmitted : LSU 8 LSA 8 Hello 119 Retransmitted LSU 0
Supported Releases 10.5.1.0 or later

clear fc fabric statistics
Clears the fabric statistics for all the interfaces.
Syntax clear fc fabric statistics [interface type node/slot/port[:subport] | vfabric vfabric-id]
Parameters
● node/slot/port[:subport]—Enter interface information.
● vfabric-id—Enter the vfabric ID.
34 32 31 33 35
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Supported Releases 10.5.1.0 or later

clear fc fspf statistics
Clears FSPF statistics for all the interfaces.
Syntax clear fc fspf statistics [interface type node/slot/port[:subport] | vfabric vfabric-id]
Parameters
● node/slot/port[:subport]—Enter interface information.
● vfabric-id—Enter the vfabric ID.
Defaults Dynamic Configuration
Command Mode Vfabric CONFIGURATION
Usage Information
● The configurations are supported only in the multiswitch mode. The configured domain ID can be preferred or dynamic.
● If the domain ID is preferred, the switch requests the preferred domain ID from the principal switch.
● You can change the domain ID only when the vfabric is in an inactive state. To activate vfabric, add vlan and fcmap configuration under the vfabric configuration view.
Usage Information
● The configurations are supported only in the multiswitch mode. In F_port mode, all the ports operate as F Port. On enabling the multiswitch mode, a port works as either an F_port or an E_port.
● To change modes, disable the current mode and enable the new mode. This operation leads to traffic disruption on the corresponding port.
● You can disable the multiswitch mode only if you delete the related configurations.
● For NPG switch mode, the default port mode is N.
Example OS10(config-if-fc-1/1/1)#fspf cost 90
Supported Releases 10.5.1.0 or later

fspf dead-interval
Configures the FSPF dead Interval value for every interface.
Syntax fspf dead-interval timeout-val
Parameters timeout-val—Valid values are from 1 to 65535.
Defaults 80 s
Command Mode Fiber channel INTERFACE
Usage Information
● The configurations are supported only in the multiswitch mode.
● This command specifies the maximum interval.
Usage Information
● The configurations are supported only in multiswitch mode.
● This command configures the hold-time between two consecutive route computations in milliseconds, for the entire vfabric. If the specified time is shorter, the routing update is faster. However, the processor consumption increases accordingly.
NOTE: Configure the same hold timer value on all the switches for consistent route convergence, and to avoid intermittent traffic loop.
Example
Supported Releases
r_a_tov
Configures the R_A_TOV FC timer value for vfabric.
Syntax r_a_tov timeout-val
Parameters timeout-val—Valid values are from 5000 to 10000.
Defaults 10000ms
Command Mode VFabric CONFIGURATION
Usage Information
● The configurations are supported only in multiswitch mode.
● This timer is used to mark the error conditions during domain ID allocation, SW-RSCN, and NS QUERY. Match this value with the other end, during port initialization.
Parameters None
Defaults Not applicable
Command Mode EXEC
Usage Information
● Use this command to display the summary of principal switch election states, ILS link type, port state, remote switch, and port name.
● The Fabric states are Build Fabric, Reconfigure Fabric, EFP-Idle, EFP-Send, Principal-Switch, NonPrincipal-Switch, No Domain, and Stable states.
● The Link types are Unknown, Non-Principal ISL, Upstream Principal ISL, and Downstream Principal ISL.
Example Supported Releases OS10#show fc fabric statistics interface fibrechannel 1/1/1 Number of Request packets received : ELP 8 EFP 12 BF 3 RCF 2 DIA 5 RDI 5 Number of Accept packets received : ELP ACC 8 EFP ACC 12 BF ACC 3 RCF ACC 2 DIA ACC 5 RDI ACC 5 Number of Reject packets received : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Number of Request packets transmitted : ELP 8 EFP 12 BF 3 RCF 2 DIA 5 RDI 5 Number of Accept packets transmitted : ELP ACC 8 EFP ACC 12 BF ACC 3 RCF ACC 2 DIA
show fc fspf database
Displays the FSPF link state database information of a switch.
Syntax show fc fspf database
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the FSPF link state database information of a switch. The database information includes the entire LSR information of the fabric that is constructed based on the LSRs received from other switches.
show fc fspf route
Displays the server and target ports.
Syntax show fc fspf route
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the FSPF route information, and the route to reach every other switch in the fabric.
Example
OS10#show fc fspf route
vfabric-Id Dest-Domain Route-Cost Next-hop
---------------------------------------------------------------
100 0x66(102) 125 fc1/1/2
Supported Releases 10.5.1.
Usage Information Use this command to briefly display all the remote name server entries in the FC fabric.
Example
OS10#show fc ns fabric brief
Total number of devices = 2
Domain FC-ID WWPN WWNN
-------------------------------------------------------------------
2 02:09:00 32:11:0e:fc:00:00:00:88 22:11:0e:fc:00:00:00:88
1 01:04:00 10:00:8c:7c:ff:17:f8:01 20:00:8c:7c:ff:17:f8:01
Supported Releases 10.5.1.0 or later

show fc ns switch statistics
Shows the Name Server statistics for an interface.
RSCN 0
         SW_RSCN  GE_PT  GE_ID
ReqRx    0        0      0
ReqTx    0        0      0
AccRx    0        0      0
AccTx    0        0      0
RejRx    0        0      0
RejTx    0        0      0
ReqReTx  0        0      0
Supported Releases 10.5.1.0 or later

show fc switch
Shows the multiswitch mode.
Syntax show fc switch
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the current configured switch mode.
Example OS10# show fc switch
Supported Releases 10.5.1.
Output statistics:
0 frames, 0 bytes
0 class 2 frames, 0 class 3 frames
0 BB credit 0, 0 oversize frames
0 total errors
Rate Info:
Input 0 bytes/sec, 0 frames/sec, 0% of line rate
Output 0 bytes/sec, 0 frames/sec, 0% of line rate
Time since last interface status change: 1 day 16:33:57
Supported Releases 10.5.1.0 or later

show vfabric
Shows the fc timer, E_D_TOV, R_A_TOV, principal switch priority, and domain ID values in the show vfabric command.
show vfabric fspf
Displays FSPF information at the vfabric level.
Syntax show vfabric fspf
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the FSPF information of an interface.
session. The ENode takes a long time to identify the issue and to recover from it. At times, interface flapping occurs and might require manual intervention to recover. To recover automatically, FSB sends a Clear Virtual Link (CVL) frame from the FCF to the ENode.

Configuration notes
● If you configure FSB with port pinning on the uplink or downlink side, you must configure the FCF-facing interface as FCF port mode.
d. Create class-maps.
L2switch(config)# class-map type network-qos c3
L2switch(config-cmap-nqos)# match qos-group 3
L2switch(config)# class-map type queuing q0
L2switch(config-cmap-queuing)# match queue 0
L2switch(config-cmap-queuing)# exit
L2switch(config)# class-map type queuing q3
L2switch(config-cmap-queuing)# match queue 3
L2switch(config-cmap-queuing)# exit
e. Create policy-maps.
FSB1(config)# interface ethernet 1/1/2
FSB1(conf-if-eth1/1/2)# no flowcontrol receive
FSB1(conf-if-eth1/1/2)# no flowcontrol transmit
b. Enable FIP snooping with cvl option.
FSB1(config)# feature fip-snooping with-cvl
c. Enable DCBX.
FSB1(config)# dcbx enable
d. Create an FCoE VLAN and configure FIP snooping on the FCoE VLAN.
FSB1(config)# interface vlan 777
FSB1(conf-if-vl-777)# fip-snooping enable
e. Create class-maps.
FSB1(conf-if-eth1/1/2)# qos-map traffic-class tc-q-map1
FSB1(conf-if-eth1/1/2)# service-policy input type network-qos nqpolicy
FSB1(conf-if-eth1/1/2)# service-policy output type queuing ets_policy
i. Configure VLAN on CNA1, L2 switch, and FSB2 connected interfaces.
FSB2(config-pmap-c-nqos)# pause
FSB2(config-pmap-c-nqos)# pfc-cos 3
FSB2(config)# policy-map type queuing ets_policy
FSB2(config-pmap-queuing)# class q0
FSB2(config-pmap-c-que)# bandwidth percent 30
FSB2(config-pmap-c-que)# class q3
FSB2(config-pmap-c-que)# bandwidth percent 70
g. Create a qos-map.
FSB2(config)# qos-map traffic-class tc-q-map1
FSB2(config-qos-map)# queue 3 qos-group 3
FSB2(config-qos-map)# queue 0 qos-group 0-2,4-7
h. Apply the QoS configurations on FSB1 and FCF connected interfaces.
c. Create zones.
FCF(config)# fc zone zoneA
FCF(config-fc-zone-zoneA)# member wwn 20:01:f4:e9:d4:a4:7d:c3
FCF(config-fc-zone-zoneA)# member wwn 21:00:00:24:ff:7c:ae:0e
d. Create zoneset.
FCF(config)# fc zoneset zonesetA
FCF(conf-fc-zoneset-set)# member zoneA
e. Create a vfabric VLAN.
FCF(config)# interface vlan 777
f. Create vfabric and activate the zoneset.
FCF(config)# vfabric 2
FCF(conf-vfabric-2)# vlan 777
FCF(conf-vfabric-2)# fcoe fcmap 0xEFC00
FCF(conf-vfabric-2)# zoneset activate zonesetA
g.
k. Apply QoS configurations on the interface connected to FSB2.
Intf# fibrechannel1/1/3 20:04:00:11:0d:64:67:00 ethernet1/1/13 23:00:55:2c:cf:55:00:00 Domain FC-ID Enode-WWPN 2 02:00:00 21:00:00:24:ff:7c:ae:0e 2 02:01:00 20:01:f4:e9:d4:a4:7d:c3 Enode-WWNN ● To verify the active zoneset on the FCF, use the show fc zoneset active command.
Table 64. High-level configurations on FSB1, FSB3, and FCF1
FSB1/FSB2 FSB3/FSB4 FCF1/FCF2
1. Enable FIP snooping.
2. Enable DCBX.
3. Create FCoE VLAN and configure FIP snooping.
4. Create class-maps.
5. Create policy-maps.
6. Create a qos-map.
7. Configure port channel.
8. Configure VLTi interface member links.
9. Configure VLT domain.
10. Configure VLAN.
11. Apply QoS configurations on uplink (FSB3/FSB4) and downlink interfaces (CNA-1/CNA-2). Configure the uplink interface as pinned-port.
12.
FSB1(config-pmap-c-nqos)# pause
FSB1(config-pmap-c-nqos)# pfc-cos 3
FSB1(config)# policy-map type queuing ets_policy
FSB1(config-pmap-queuing)# class q0
FSB1(config-pmap-c-que)# bandwidth percent 30
FSB1(config-pmap-c-que)# class q3
FSB1(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
FSB1(config)# qos-map traffic-class tc-q-map1
FSB1(config-qos-map)# queue 3 qos-group 3
FSB1(config-qos-map)# queue 0 qos-group 0-2,4-7
7. Configure port channel.
FSB1(conf-if-eth1/1/36)# qos-map traffic-class tc-q-map1
FSB1(conf-if-eth1/1/36)# service-policy input type network-qos nqpolicy
FSB1(conf-if-eth1/1/36)# service-policy output type queuing ets_policy
FSB1(conf-if-eth1/1/36)# fcoe-pinned-port
FSB1(config)# interface ethernet 1/1/31
FSB1(conf-if-eth1/1/31)# flowcontrol receive off
FSB1(conf-if-eth1/1/31)# priority-flow-control mode on
FSB1(conf-if-eth1/1/31)# ets mode on
FSB1(conf-if-eth1/1/31)# trust-map dot1p default
FSB1(conf-if-eth1/1/31)# qos-map traff
6. Create a qos-map.
FSB2(config)# qos-map traffic-class tc-q-map1
FSB2(config-qos-map)# queue 3 qos-group 3
FSB2(config-qos-map)# queue 0 qos-group 0-2,4-7
7. Configure port channel.
FSB2(config)# interface port-channel 10
FSB2(conf-if-po-10)# no shutdown
FSB2(conf-if-po-10)# vlt-port-channel 1
8. Configure VLTi interface member links.
FSB2(conf-if-eth1/1/2)# trust-map dot1p default
FSB2(conf-if-eth1/1/2)# qos-map traffic-class tc-q-map1
FSB2(conf-if-eth1/1/2)# service-policy input type network-qos nqpolicy
FSB2(conf-if-eth1/1/2)# service-policy output type queuing ets_policy
12. Configure FIP snooping port mode on the port channel interface. The default port mode is ENode. Hence, the interface connected to CNA-2 does not require additional configuration.
7. Configure port channel.
FSB3(config)# interface port-channel 10
FSB3(conf-if-po-10)# no shutdown
FSB3(conf-if-po-10)# vlt-port-channel 1
8. Configure VLTi interface member links.
12. Configure FIP snooping port mode on the port channel and the interface connected to FCF1.
FSB3(config)# interface port-channel 10
FSB3(conf-if-po-10)# fip-snooping port-mode enode-transit
FSB3(config)# interface ethernet 1/1/45
FSB3(conf-if-eth1/1/45)# fip-snooping port-mode fcf

FSB4 configuration
1. Enable FIP snooping.
FSB4(config)# feature fip-snooping with-cvl
2. Enable DCBX.
FSB4(config)# dcbx enable
3. Create FCoE VLAN and configure FIP snooping.
8. Configure VLTi interface member links.
FSB4(config)# interface ethernet1/1/34
FSB4(conf-if-eth1/1/34)# no shutdown
FSB4(conf-if-eth1/1/34)# no switchport
FSB4(conf-if-eth1/1/34)# channel-group 10
FSB4(config)# interface ethernet1/1/37
FSB4(conf-if-eth1/1/37)# no shutdown
FSB4(conf-if-eth1/1/37)# no switchport
FSB4(conf-if-eth1/1/37)# channel-group 10
9. Configure VLT domain.
FSB4(config)# vlt-domain 3
FSB4(conf-vlt-2)# discovery-interface ethernet1/1/40
FSB4(conf-vlt-2)# vlt-mac 1a:2b:3c:2a:1b:1c
10.
3. Create zoneset.
FCF1(config)# fc zoneset zonesetA
FCF1(conf-fc-zoneset-setA)# member zoneA
4. Create a vfabric VLAN.
FCF1(config)# interface vlan 1001
5. Create vfabric and activate the zoneset.
FCF1(config)# vfabric 1
FCF1(conf-vfabric-1)# vlan 1001
FCF1(conf-vfabric-1)# fcoe fcmap 0xEFC00
FCF1(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
FCF1(config)# dcbx enable
7. Create class-maps.
11. Apply vfabric on the interfaces connected to FSB3 and the target.
FCF1(config)# interface ethernet 1/1/45
FCF1(conf-if-eth1/1/45)# switchport access vlan 1
FCF1(conf-if-eth1/1/45)# vfabric 1
FCF1(config)# interface fibrechannel 1/1/3
FCF1(conf-if-fc1/1/3)# description target_connected_port
FCF1(conf-if-fc1/1/3)# no shutdown
FCF1(conf-if-fc1/1/3)# vfabric 1

FCF2 configuration
1. Enable Fiber Channel F-Port mode globally.
FCF2(config)# feature fc domain-id 3
2. Create zones.
FCF2(config-pmap-c-que)# class q3
FCF2(config-pmap-c-que)# bandwidth percent 70
9. Create a qos-map.
FCF2(config)# qos-map traffic-class tc-q-map1
FCF2(config-qos-map)# queue 3 qos-group 3
FCF2(config-qos-map)# queue 0 qos-group 0-2,4-7
10. Apply QoS configurations on the interface connected to FSB4.
MAC FC-ID PORT WWPN PORT WWNN -----------------------------------------------------------------------------------------------------------------------------------------------00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 FSB2# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
14:18:77:20:80:ce 1 Eth 1/1/42 F FSB4# show fcoe system Mode CVL Status FCOE VLAN List (Operational) FCFs Enodes Sessions : : : : : : 1002 0e:fc:00 8000 FSB Enabled 1001,1002 1 1 1 FCF1 FCF1# show fcoe sessions Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN PORT WWNN ----------------------------------------------------------------------------------------------------------------------------------------------f4:e9:d4:f9:fc:42 Eth 1/1/45 14:18:77:20:86:ce ~ 1001 0e:fc:00:
● While configuring or unconfiguring the FC-Gateway uplink, the uplink interface flaps. Because UFD is enabled by default for NPG (FCGateway Uplink) in SmartFabric mode, UFD brings down the server-facing ports that are deployed with the same FCoE VLAN as the FCGateway uplink.
● Fibrechannel port flaps are observed on the IOM side if the IOM is operationally up and is connected to a storage device without configuring the FCDirectAttach uplink (vfabric) on this port.
5. Enable DCBX globally.
OS10(config)# dcbx enable
6. Create a class map and policy map.
OS10(config)# class-map type network-qos cmap1
OS10(config-cmap-nqos)# match qos-group 3
OS10(config)# policy-map type network-qos pmap1
OS10(config-pmap-network-qos)# class cmap1
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 1.
OS10(config)# interface ethernet 1/1/50
OS10(conf-if-eth1/1/50)# no flowcontrol receive
8.
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no flowcontrol receive
8. Enable PFC mode on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# priority-flow-control mode on
9. Apply the service policy on the interface that connects to CNA 2.
Load balancing after system reboot
After reboot, upstream FC connections to the end-devices become operational first and carry more sessions than the other upstream FC connections to SAN. This requires load balancing. You can address load balancing in the following ways:
● After reboot, check the system state and trigger rebalance using the CLI.
● Configure the delay fcf-adv timer. The delay timer starts when a new FC upstream interface is available.
Create VLAN
OS10(config)# interface vlan 100
Create vFabric
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# vlan 100
OS10(conf-vfabric-100)# name NPG_Fabric
OS10(conf-vfabric-100)# fcoe fcmap 0efc01
OS10(conf-vfabric-100)# exit
Apply vFabric and FC port-mode configuration on the interface that connects to FC end point (HBA)
OS10(config)# interface range fibrechannel 1/1/9,1/1/10
OS10(conf-range-fc1/1/9,1/1/10)# vfabric 100
OS10(conf-range-fc1/1/9,1/1/10)# fc port-mode F
OS10(conf-range-fc1/1/9,1/1/10)# no
Apply vFabric configuration on the interface that connects to FCoE end points (CNA)
OS10(config)# interface range ethernet 1/1/54,1/1/55
OS10(conf-range-eth1/1/54,1/1/55)# vfabric 100
OS10(conf-range-eth1/1/54,1/1/55)# no shut
OS10(conf-range-eth1/1/54,1/1/55)# exit
Apply vFabric configuration on the FC upstream interfaces
OS10(config)# interface range fibrechannel 1/1/1,1/1/2
OS10(conf-range-fc1/1/1,1/1/2)# vfabric 100
OS10(conf-range-fc1/1/1,1/1/2)# no shut
OS10(conf-range-fc1/1/1,1/1/2)# exit
Apply FCoE
You can use manual rebalancing when you:
Add new FC uplink to a balanced system
Consider a topology with the following structure:
● NPG switch with two FC uplinks (fc 1/1/1 and fc 1/1/2) of the same speed (16G)
● Ports connecting to both FCoE and FC end points (eth 1/1/54, eth 1/1/55, fc 1/1/9 and fc 1/1/10)
All the end points (servers) are logged in to the storage through the NPG switch. One FLOGI session is associated with each server.
Receive Fabric Discovery Request (FDISC) from an end point
Consider the NPG switch with:
● two FC uplinks (fc 1/1/1 and fc 1/1/2) of different speeds (8 G and 16 G)
● two ports (eth 1/1/54, eth 1/1/55) connecting the FCoE end points
Each end point has one session that is associated with it. The NPG switch maps one session to each FC uplink to balance the system. Suppose the end point connected to eth 1/1/55 establishes four more Fabric Discovery Sessions (FDISC).
The logical FCF must be projected only if there is at least one operationally up FC uplink; this FC uplink must have successfully completed the initial login with the upstream switch at the time of timer expiry. This behavior achieves better load balancing during boot-up and bulk configuration. Even though all the uplinks are projected as one FCF, when a request for session establishment is received, the system finds the optimally loaded FC uplink.
Enable NPG Mode of operation
OS10# show fc switch
Switch Mode : Disabled
Switch WWN :
OS10(config)# feature fc npg
OS10# show fc switch
Switch Mode : NPG
Switch WWN : 10:00:14:18:77:20:73:cf
OS10#
VLAN creation
OS10(config)# interface vlan 100
vFabric Creation
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# vlan 100
OS10(conf-vfabric-100)# name NPG_Fabric
OS10(conf-vfabric-100)# fcoe fcmap 0efc01
OS10(conf-vfabric-100)# exit
Apply vFabric configuration on the FC upstream interfaces
OS10(config)# interface
OS10(config-pmap-c-nqos)# exit
Disable LLFC on the interface that connects to FCoE End points (CNA)
OS10(config)# interface range ethernet 1/1/54,1/1/55
OS10(conf-range-eth1/1/54,1/1/55)# no flowcontrol receive
Apply Service policy and Enable PFC mode on the interface that connects to FCoE End points (CNA)
OS10(conf-range-eth1/1/54,1/1/55)# service-policy input type network-qos pmap1
OS10(conf-range-eth1/1/54,1/1/55)# priority-flow-control mode on
Apply vFabric configuration on the interface that connects to
Apply vFabric configuration on the FC interfaces connected to NPG device
OS10(config)# interface range fibrechannel 1/1/1,1/1/2
OS10(conf-range-fc1/1/1,1/1/2)# vfabric 10
OS10(conf-range-fc1/1/1,1/1/2)# no shut
OS10(conf-range-fc1/1/1,1/1/2)# exit
Use case 2 - NPG fabric is connected to multiple upstream switches belonging to the same SAN fabric
In this topology, the NPG device is connected to multiple FCF switches and all those FCF switches are part of same SAN fabric.
fc zone
Creates an FC zone and adds members to the zone. An FC zone can have a maximum of 255 unique members.
Syntax fc zone zone-name
Parameters zone-name — Enter a name for the zone.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the FC zone. To delete an FC zone, first remove it from the FC zoneset. Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0.
Example
OS10(config)# feature fc domain-id 100
Supported Releases 10.3.1E or later
member (alias)
Add members to existing FC aliases. Identify a member by an FC alias, a world wide name (WWN), or an FC ID.
Syntax member {wwn wwn-ID | fc-id fc-id}
Parameters
● wwn-ID — Enter the WWN name.
● fc-id — Enter the FC ID name.
Defaults Not configured
Command Mode Alias CONFIGURATION
Usage Information Supported on the MX9116n switch in Full Switch mode starting in release 10.4.0E(R3S).
Parameters zone-name — Enter an existing zone name.
Defaults Not configured
Command Mode Zoneset CONFIGURATION
Usage Information Supported on the MX9116n switch in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command removes the zone from the zoneset.
Example
OS10(config)# fc zoneset set
OS10(conf-fc-zoneset-set)# member hba1
Supported Releases 10.3.
Supported Releases 10.4.1.0 or later
show fc ns switch
Displays the details of the FC NS switch parameters.
            10:00:00:90:fa:b8:22:19
            21:00:00:24:ff:7f:ce:ee
            21:00:00:24:ff:7f:ce:ef
hba2        20:01:00:0e:1e:e8:e4:99
            50:00:d3:10:00:ec:f9:1b
            50:00:d3:10:00:ec:f9:05
            50:00:d3:10:00:ec:f9:1f
            20:35:78:2b:cb:6f:65:57
Example (with zone name)
OS10# show fc zone hba1
Zone Name   Zone Member
=================================================
hba1        21:00:00:24:ff:7b:f5:c8
            10:00:00:90:fa:b8:22:19
            21:00:00:24:ff:7f:ce:ee
            21:00:00:24:ff:7f:ce:ef
Supported Releases 10.3.
Example (active zoneset)
OS10# show fc zoneset active
vFabric id: 100
Active Zoneset: set
ZoneName    ZoneMember
===========================================================
hba2        20:01:00:0e:1e:e8:e4:99
            20:35:78:2b:cb:6f:65:57
            50:00:d3:10:00:ec:f9:05
            50:00:d3:10:00:ec:f9:1b
            50:00:d3:10:00:ec:f9:1f
hba1        *10:00:00:90:fa:b8:22:19
            *21:00:00:24:ff:7b:f5:c8
            21:00:00:24:ff:7f:ce:ee
            21:00:00:24:ff:7f:ce:ef
Example (with zoneset name)
OS10# show fc zoneset set
ZoneSetName ZoneName ZoneMember
========================
Defaults Not configured
Command Mode vfabric CONFIGURATION
Usage Information After you disable an active zoneset, the zone default-zone permit command configuration takes effect. Based on this configuration, the default zone allows or denies access between all the logged-in FC nodes of the vfabric. The no version of this command deactivates the zoneset. Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
show npg devices
Displays the NPG devices connected to the switch.
Syntax show npg devices [brief]
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Use the brief option to display minimum details.
1. FC Port Down
2. No Response For FLOGI
3. Duplicate FC ID
4. FLOGI Rejected
● Duplicate FC IDs—Number of duplicate address (FC ID) assignments that happened on the interface.
● FC ID—FC-ID allocated to the initial FLOGI request from NPG switch on the interface.
● BB Credit—Transmit Buffer to Buffer Credit.
● Speed—Link speed of the FC uplink interface.
● FLOGI—Number of Fabric Login Sessions in the FC uplink interface.
● FDISC—Number of Fabric Discovery Session in the FC uplink interface.
Example
Uplink                                            Duplicate
Intf        Upstream Fabric-Name      Error Reason FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/13   20:01:d4:ae:52:1a:ee:53   NONE         1
Fc 1/1/14   20:01:d4:ae:52:7d:aa:54   NONE         0
OS10#show npg uplink-interfaces vfabric 200 fcf-info
VFabric Id : 200
FAD Timeout Left : 10 second(s)
FCF Availability Status : No
Uplink                                            Duplicate
Intf        Upstream Fabric-Name      Error Reason FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/11   10:01:d4:ae:52:1a:ee:50   FLOGI_R
● fka-adv-period—8
● vlan-priority—3
● keep-alive—True
Command Mode Vfabric CONFIGURATION
Usage Information The no version of this command disables the FCoE parameters.
Example
OS10(config)# vfabric 10
OS10(conf-vfabric-10)# name 10
OS10(conf-vfabric-10)# fcoe fcmap 0x0efc01
OS10(conf-vfabric-10)# fcoe fcf-priority 128
OS10(conf-vfabric-10)# fcoe fka-adv-period 8
OS10(conf-vfabric-10)# fcoe vlan-priority 3
Supported Releases 10.3.
Re-balance the FC sessions
Re-balances the FC sessions across FC uplinks.
Syntax re-balance fc npg sessions vfabric vfabric-id [dry-run][brief]
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Triggers the load-balancing mechanism to redistribute the sessions across the FC uplinks. The dry-run option displays the current state of the system, sessions that are cleared, and the system state after balancing is done without actually doing it.
21:01:d4:ae:52:1a:ee:54 22:01:d4:ae:52:1a:ee:54 23:01:d4:ae:52:1a:ee:54 Fc 1/1/2 Fc 1/1/2 Fc 1/1/2 Fc 1/1/1 Fc 1/1/1 Fc 1/1/1 2 2 2
Fabric Id 100 State after Re-balancing
Uplink      FLOGI   FDISC   Load   Speed    Excess
Intf                               (Gbps)   Load
-------------------------------------------------------------------
Fc 1/1/1    3       3       6      8        1
Fc 1/1/2    1       9       10     16       0
-------------------------------------------------------------------
            4       12      16     24       1
-------------------------------------------------------------------
OS10#re-balance npg sessions vfa
show npg uplink-interface
Displays information about an FC upstream interface.
Syntax show npg uplink-interfaces [vfabric vfabric-id [fcf-info] | [fcf-info]]
Parameters
● fcf-info - FCF Availability Status, fabric name of the FC upstream switch connected, error reason, FCF advertisement delay timeout left and duplicate FC id assignment counter.
Fc 1/1/11   01:00:0B   8           8        3       3       6       10
Fc 1/1/12   01:00:0C   8           16       1       0       1       1
VFabric Id : 300
Uplink                             Speed
Intf        FC Id      BB Credit   (Gbps)   FLOGI   FDISC   Total   Redistributed
---------------------------------------------------------------------------------
Fc 1/1/13   01:00:03   8           8        3       3       6       0
Fc 1/1/14   01:00:04   8           16       1       6       7       5
OS10#show npg uplink-interfaces fcf-info
VFabric Id : 200
FAD Timeout Left : 10 second(s)
FCF Availability Status : No
Uplink                                            Duplicate
Intf        Upstream Fabric-Name      Error Reason FC-Id(s)
-----------------------
Table 67.
Number of FLOGO : 0
Number of FLOGI Accepts : 43
Number of FLOGI Rejects : 0
Number of FDISC Accepts : 6
Number of FDISC Rejects : 0
Number of FLOGO Accepts : 0
Number of FLOGO Rejects : 0
Example (interface)
OS10# show fc statistics interface fibrechannel1/1/25:1
Number of FLOGI : 1
Number of FDISC : 0
Number of FLOGO : 0
Number of FLOGI Accepts : 1
Number of FLOGI Rejects : 0
Number of FDISC Accepts : 0
Number of FDISC Rejects : 0
Number of FLOGO Accepts : 0
Number of FLOGO Rejec
Supported Releases
fcoe fcf-priority 140
fcoe fka-adv-period 13
Supported Releases 10.4.0E(R1) or later
show vfabric
Displays vfabric details.
Supported on the MX9116n switch in Full Switch mode starting in release 10.4.1.0. Also supported in SmartFabric mode starting in release 10.5.0.1.
Example
OS10(config)# vfabric 100
Supported Releases 10.3.1E or later
vfabric (interface)
Applies an existing vfabric to an Ethernet or FC interface.
Syntax vfabric fabric-ID
Parameters fabric-ID — Enter the fabric ID, from 1 to 255.
feature fip-snooping with-cvl
Enables the FIP snooping feature globally.
Syntax feature fip-snooping with-cvl [with-cvl]
Parameters with-cvl—To enable CVL.
Defaults Disabled
Command Mode CONFIGURATION
Usage Information You can enable only one of the following at a time: F_Port, NPG, or FSB. You can include the with-cvl option to send a Clear Virtual Link (CVL) frame from the FCF to the ENode. This option helps the system to recover automatically if an FCoE session drops.
Usage Information The no version of this command disables the FC map configuration.
Example
OS10(config)# interface vlan 3
OS10(conf-if-vl-3)# fip-snooping fc-map 0xEFC64
Supported Releases 10.4.0E(R1) or later
fip-snooping port-mode
Sets FIP snooping port mode for interfaces.
Syntax fip-snooping port-mode {enode | enode-transit | fcf | fcf-transit}
Parameters enode | enode-transit | fcf | fcf-transit—Enter the keyword to set FIP snooping port mode.
Command Mode EXEC
Usage Information None
Example
OS10# clear fcoe database vlan 100 enode aa:bb:cc:00:00:00
Supported Releases 10.4.0E(R1) or later
clear fcoe statistics
Clears FCoE statistics for specified interface.
Syntax clear fcoe statistics [interface interface-type]
Parameters interface-type — (Optional) Enter the interface type. The interface may be ethernet, VLAN, or port-channel.
Command Mode Port-channel INTERFACE
Usage Information You can configure only a single port per port-channel. If the port is not configured properly, or if the pinned port goes down, the other ports in the port-channel are not used even if the ports have a valid path to the server. The no version of this command removes the pinned port configuration.
lldp tlv-select dcbxp-appln fcoe
Enables FCoE application TLV for an interface.
Syntax lldp tlv-select dcbxp-appln fcoe
Parameter None
Default Enabled
Command Mode INTERFACE
Usage Information The default priority value advertised in FCoE application TLV is 3. If the PFC configuration in an interface matches 3, then the FCoE application TLV is advertised as 3. Otherwise, FCoE application TLV is not advertised.
Example
OS10#re-balance npg sessions vfabric 100 dry-run
Fabric Id 100 Current State
Uplink      FLOGI   FDISC   Load   Speed    Excess
Intf                               (Gbps)   Load
----------------------------------------------------------------
Fc 1/1/1    1       9       10     8        7
Fc 1/1/2    3       3       6      16       0
----------------------------------------------------------------
            4       12      16     24       7
----------------------------------------------------------------
Session Re-distributions: 16 Session Re-distribution(s)
------------------------------------------------------------------------
No
Uplink      FLOGI   FDISC   Load   Speed    Excess
Intf                               (Gbps)   Load
---------------------------------------------------------------------
Fc 1/1/1    3       3       6      8        1
Fc 1/1/2    1       9       10     16       0
---------------------------------------------------------------------
            4       12      16     24       1
---------------------------------------------------------------------
Supported Releases 10.5.2.0 or later
show fcoe enode
Displays the details of ENodes connected to the switch.
OS10# show fcoe fcf 54:7f:ee:37:34:40
FCF MAC             FCF Interface   VLAN   FC-MAP     FKA_ADV_PERIOD   No. of Enodes
-------------------------------------------------------------------------------------
00:04:96:70:8a:12   ~               100    0e:fc:00   4000             2
00:04:96:70:8a:12   ~               200    0e:fc:01   4000             0
Supported Releases 10.4.0E(R1) or later
show fcoe pinned-port
Displays the port-channel, the corresponding pinned-port configuration, and the port status if the FCoE sessions are formed.
Example
Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN
aa:bb:cc:00:00:00 Po 20(Eth 1/1/3) aa:bb:cd:00:00:00 Po 10(Eth 1/1/1) 100 0e:fc:00:01:00:01 01:00:01 31:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00 Po 20(Eth 1/1/3) aa:bb:cd:00:00:00 Po 10(Eth 1/1/1) 100 0e:fc:00:01:00:02 01:00:02 31:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00
Supported Releases 10.4.0E(R1) or later
show fcoe statistics
Displays the statistical details of the FCoE control plane.
Usage Information None
Example
OS10# show fcoe system
Mode: FIP Snooping Bridge
CVL Status: Enabled
FCOE VLAN List (Operational) : 1, 100
FCFs : 1
Enodes : 2
Sessions : 17
Supported Releases 10.4.0E(R1) or later
show fcoe vlan
Displays details of FIP-snooping VLANs.
Table 68.
● Error reason—Reason for error in the FC uplink interface. The following are a few possible error reasons:
1. FC Port Down
2. No Response For FLOGI
3. Duplicate FC ID
4. FLOGI Rejected
● Duplicate FC IDs—Number of duplicate address (FC ID) assignments that happened on the interface.
● FC ID—FC-ID allocated to the initial FLOGI request from NPG switch on the interface.
● BB Credit—Transmit Buffer to Buffer Credit.
● Speed—Link speed of the FC uplink interface.
Uplink                                            Duplicate
Intf        Upstream Fabric-Name      Error Reason FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/13   20:01:d4:ae:52:1a:ee:53   NONE         1
Fc 1/1/14   20:01:d4:ae:52:7d:aa:54   NONE         0
OS10#show npg uplink-interfaces vfabric 200 fcf-info
VFabric Id : 200
FAD Timeout Left : 10 second(s)
FCF Availability Status : No
Uplink                                            Duplicate
Intf        Upstream Fabric-Name      Error Reason FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/11   10:01:d4:ae:52:1a:ee:50   FLOGI_R
● logging enable
● logging console enable
● terminal monitor
Enable debug logs globally or on a specific interface using the rx debug subcommands. Before you enable the rx debug logs, configure the switch mode using the following command:
● feature fc {multi-switch | npg | fsb | domain-id [domain-id]}
OS10 does not support the interface range option with this command. The no form of this command removes the configured debug level.
13 Layer 2
802.1X
Verifies device credentials before sending or receiving packets using the Extensible Authentication Protocol (EAP), see 802.1X Commands.
Link Aggregation Control Protocol (LACP)
Exchanges information between two systems and automatically establishes a link aggregation group (LAG) between the systems, see LACP Commands.
The authentication process contains three devices:
● Supplicant — The device attempting to access the network performs the role of supplicant. Regular traffic from this device does not reach the network until the port associated with the device is authorized. Before that, the supplicant can only exchange 802.1x messages (EAPOL frames) with the authenticator.
EAP over RADIUS
802.1X uses RADIUS to transfer EAP packets between the authenticator and the authentication server. EAP messages are encapsulated in RADIUS packets as an attribute of type, length, value (TLV) format—the type value for EAP messages is 79.
Configure 802.1X
You can configure and enable 802.1X on a port in a single process. OS10 supports 802.1X with EAP-MD5, EAP-TLS, and EAP-TTLS. All platforms support RADIUS as the authentication server.
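The TLV encapsulation described under EAP over RADIUS, as an added example that is not part of this guide or of OS10: the parser walks the attributes of a RADIUS Access-Request and reassembles the EAP packet from its type 79 attributes. It goes beyond the guide by also verifying the Message-Authenticator attribute (type 80) that RFC 3579 requires alongside EAP-Message; the function names, shared secret and sample packet are constructed for the illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79            # attribute type given in the guide
MESSAGE_AUTHENTICATOR = 80  # RFC 3579; not covered by the guide
MAX_ATTR_VALUE = 253        # 255-byte attribute minus type and length bytes


class RadiusError(ValueError):
    """Raised for any packet this example refuses to trust."""


def parse_attributes(packet: bytes):
    """Return (code, identifier, length, [(type, value_offset, value), ...])."""
    if len(packet) < 20:
        raise RadiusError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise RadiusError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise RadiusError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The length byte counts the two header bytes as well as the value.
        if a_len < 2 or pos + a_len > length:
            raise RadiusError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, length, attrs


def extract_eap(packet: bytes, secret: bytes) -> bytes:
    """Return the reassembled EAP packet from a verified Access-Request."""
    code, _ident, length, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise RadiusError("this example only handles Access-Request")
    # An EAP packet larger than 253 bytes is split over several type 79
    # attributes; concatenating them in order restores it.
    eap = b"".join(v for t, _off, v in attrs if t == EAP_MESSAGE)
    if not eap:
        raise RadiusError("no EAP-Message attribute")
    mauth = [(off, v) for t, off, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mauth) != 1 or len(mauth[0][1]) != 16:
        raise RadiusError("exactly one 16-byte Message-Authenticator required")
    off, received = mauth[0]
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        raise RadiusError("Message-Authenticator mismatch")
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise RadiusError("EAP Length field disagrees with reassembled data")
    return eap


def build_access_request(ident: int, eap: bytes, secret: bytes) -> bytes:
    """Build a constructed Access-Request carrying `eap` (sample input only)."""
    attrs = b""
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[i:i + MAX_ATTR_VALUE]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    mauth_off = 20 + len(attrs) + 2
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    authenticator = bytes(range(16))  # constructed value, not random
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet += authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:mauth_off] + mac + packet[mauth_off + 16:]


# Constructed sample: EAP-Response/Identity (code 2, type 1) whose identity is
# long enough to need two EAP-Message attributes.
SAMPLE_SECRET = b"constructed-shared-secret"
_identity = b"u" * 300 + b"@example.test"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 5 + len(_identity), 1) + _identity

if __name__ == "__main__":
    pkt = build_access_request(7, SAMPLE_EAP, SAMPLE_SECRET)
    print(len(pkt), "byte packet,", len(extract_eap(pkt, SAMPLE_SECRET)), "byte EAP")
```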
Enable 802.1X
1. Enable 802.1X globally in CONFIGURATION mode.
dot1x system-auth-control
2. Enter an interface or a range of interfaces in CONFIGURATION mode.
interface range
3. Enable 802.1X on the supplicant interface only in INTERFACE mode.
dot1x port-control auto
Configure and verify 802.
Identity retransmissions
If the authenticator sends a Request Identity frame but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. There are several reasons why the supplicant might fail to respond—the supplicant may be booting when the request arrived, there may be a physical layer problem, and so on.
1.
The Request Identity Retransmit interval is for an unresponsive supplicant. You can configure the interval for a maximum of 10 times for an unresponsive supplicant.
1. Configure the amount of time that the authenticator waits to retransmit a Request Identity frame after a failed authentication in INTERFACE mode from 1 to 65535, default 60 seconds.
● Place a port in the auto, force-authorized (default), or force-unauthorized state in INTERFACE mode.
dot1x port-control {auto | force-authorized | force-unauthorized}
Configure and verify force-authorized state
OS10(conf-range-eth1/1/7-1/1/8)# dot1x port-control force-authorized
OS10(conf-range-eth1/1/7-1/1/8)# do show dot1x interface ethernet 1/1/7
802.
Tx Period: 120 seconds
Quiet Period: 120 seconds
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 5
Host Mode: MULTI_HOST
Auth PAE State: Initialize
Backend State: Initialize
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x host-mode multi-host
Supported Releases 10.2.0E or later
dot1x max-req
Changes the maximum number of requests that the device sends to a supplicant before restarting 802.1X authentication.
Syntax dot1x max-req retry-count
Parameters max-req retry-count — Enter the retry count for the request sent to the supplicant before restarting 802.
Default Disabled
Command Mode INTERFACE
Usage Information The no version of this command disables the periodic reauthentication of 802.1X supplicants.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x re-authentication
Supported Releases 10.2.0E or later
dot1x timeout quiet-period
Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
Default 30 seconds
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x server-timeout 60
Supported Releases 10.2.0E or later
dot1x timeout supp-timeout
Sets the number of seconds that the device waits for the supplicant to respond to an EAP request frame before the device retransmits the frame.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show dot1x
PAE Capability: Authenticator only
Protocol Version: 2
System Auth Control: Enable
Auth Server: Radius
Supported Releases 10.2.0E or later
show dot1x interface
Displays 802.1X configuration information.
Syntax show dot1x interface ethernet node/slot/port[:subport]
Parameters ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
RADIUS server commands
radius-server host
Configures a RADIUS server and the key used to authenticate the switch on the server.
Syntax radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the RADIUS server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● key 0 authentication-key — Enter an authentication key in plain text.
Default TCP port 2083 on a RADIUS server for RADIUS over TLS communication
Command Mode CONFIGURATION
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands.
The no version of this command resets the value to the default.
Example
OS10(config)# radius-server retransmit 5
Supported Releases 10.2.0E or later
radius-server timeout
Configures the timeout used to resend RADIUS authentication requests.
Syntax radius-server timeout seconds
Parameters seconds — Enter the time in seconds for retransmission, from 1 to 100.
Default An OS10 switch stops sending RADIUS authentication requests after five seconds.
peer for the time interval of three times the configured FEFD message interval, the local switch assumes that the peer link is down. The default FEFD message interval is 15 seconds. For example, with the default configuration, if the local switch does not receive an echo message for 45 seconds from its peer, it brings the peer link down.
If the interface state changes to err-disabled, use the fefd reset [interface] global command to reset these interfaces. The unknown or err-disabled state brings the line protocol down so that the protocols above it can detect that the peer link is down. Table 69.
● Configure FEFD Normal mode globally using the fefd-global mode normal command in CONFIGURATION mode.
OS10(Config)# fefd-global mode normal
● Configure FEFD Aggressive mode globally using the fefd-global mode aggressive command in CONFIGURATION mode.
OS10(Config)# fefd-global mode aggressive
2. (Optional) Configure the FEFD interval using the fefd-global interval command in CONFIGURATION mode and enter the interval in seconds. The range is from 3 to 255 seconds.
OS10(Config)# fefd-global interval 20
3.
============================================================
eth1/1/1   NA   NA   Idle (Not running)
eth1/1/2   NA   NA   Idle (Not running)
eth1/1/3   NA   NA   Idle (Not running)
eth1/1/4   NA   NA   Idle (Not running)
eth1/1/5   NA   NA   Idle (Not running)
eth1/1/6   NA   NA   Idle (Not running)
eth1/1/7   NA   NA   Idle (Not running)
The following is a sample output of FEFD information for an interface:
rt-maa-s4248FBL-3# show fefd ethernet 1/1/1
FEFD is globally 'ON', interval is 15 seconds, mode is Normal.
If you use the no fefd command, the system does not disable FEFD if the fefd mode command is already present in the configuration. Similarly, if you use the no fefd mode command, the system does not disable FEFD if the fefd command is already present in the configuration. To disable FEFD on an interface when FEFD is globally enabled, use the fefd disable command on the interface. To unconfigure FEFD on an interface, use either the no fefd command or the no fefd mode command.
fefd reset
Resets interfaces that are in error-disabled state because FEFD is set to Aggressive mode.
Syntax fefd reset [interface]
Parameters
● (Optional) interface—Enter the interface name to reset the error-disabled state of the interface because FEFD is set to Aggressive mode.
Default Not configured
Command Mode EXEC
Usage Information If you do not enter the interface name, this command resets the error-disabled state of all interfaces because FEFD is set to Aggressive mode.
eth1/1/1    Normal       22   Unknown
eth1/1/2    Normal       22   Unknown
eth1/1/3    Normal       22   Unknown
eth1/1/4    Normal       22   Unknown
eth1/1/5    Normal       22   Unknown
eth1/1/6    Normal       22   Unknown
eth1/1/7    Normal       22   Unknown
eth1/1/8    Normal       22   Unknown
eth1/1/9    Aggressive   22   Err-disabled
eth1/1/10   Normal       22   Unknown
Supported Releases 10.4.3.0 or later
Link Aggregation Control Protocol
Group Ethernet interfaces to form a single link layer interface called a LAG or port channel.
1. Configure the system priority in CONFIGURATION mode (1 to 65535; the higher the number, the lower the priority; default 32768).
lacp system-priority priority-value
2. Configure the LACP port priority in INTERFACE mode (1 to 65535; the higher the number, the lower the priority; default 32768).
lacp port-priority priority-value
3. Configure the LACP rate in INTERFACE mode (default normal).
Rates
Protocol data units (PDUs) are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending on the LACP timeout value. The configured rate interval is used to check whether the partner link is alive or not. The links are ungrouped if three consecutive LACP PDUs are missed. The timeout value depends on the configured rate interval. If the rate interval is fast, then LACP PDUs are sent once every second.
Alpha LAG configuration summary
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# exit
OS10(config)# interface ethernet 1/1/29
OS10(conf-if-eth1/1/29)# no switchport
OS10(conf-if-eth1/1/29)# channel-group 1 mode active
OS10(conf-if-eth1/1/29)# interface ethernet 1/1/30
OS10(conf-if-eth1/1/30)# no switchport
OS10(conf-if-eth1/1/30)# channel-group 1 mode active
OS10(conf-if-eth1/1/30)# interface ethernet 1/1/31
OS10(conf-if-eth1/1/31)# no switchport
OS10(conf-if-eth1/1/31)# channel-group 1 mode activ
Interface index is 13
Internet address is not set
Mode of IPv4 Address Assignment: not set
Interface IPv6 oper status: Disabled
MTU 1532 bytes, IP MTU 1500 bytes
LineSpeed 10G, Auto-Negotiation off
Flowcontrol rx on tx off
ARP type: ARPA, ARP Timeout: 60
Last clearing of "show interface" counters: 1 weeks 2 days 17:28:08
Queuing strategy: fifo
Input statistics:
15106397000 packets, 11528982238100 octets
3060849 64-byte pkts, 14861427 over 64-byte pkts, 1517469049 over 127-byte pkts
3034145980 over 255-byte
Verify LAG status
OS10# show lacp port-channel
Port-channel 51 is up, line protocol is up
Address is 14:18:77:16:87:9c, Current address is 14:18:77:16:87:9c
Interface index is 49
Internet address is not set
Mode of IPv4 Address Assignment: not set
Interface IPv6 oper status: Disabled
MTU 1532 bytes, IP MTU 1500 bytes
LineSpeed 160G
Minimum number of links to bring Port-channel up is 1
Maximum active members that are allowed in the portchannel is 32
Members in this channel: Eth 1/1/1-1/1/8,1/1/25:1-1/1/25:4,
LACP_Timeout=Long Timeout(30s) Synchronization=IN_SYNC Collecting=true Distributing=true Partner Admin State=BDEGIKMP Partner Oper State=ADEGIKNP
LACP fallback
LACP fallback allows downstream devices, such as servers that are connected to switch ports configured for LACP, to establish a link when the system is not able to finalize the LACP handshake. For example, when servers boot in PXE mode, the server cannot exchange LACP PDUs and the switch does not enable the ports.
Example configuration
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# lacp fallback enable
OS10(conf-if-po-1)# lacp fallback timeout 20
OS10(conf-if-po-1)# lacp fallback preemption enable
View LACP fallback configuration
OS10# show port-channel summary
Flags: D - Down I - member up but inactive P - member up and active U - Up (port-channel) F - Fallback enabled
--------------------------------------------------------------------------------
Group Port-Channel Type Proto
LACP fallback in VLT domain
In a VLT domain, LACP fallback enables rebooting of ToR or server that is connected to VLT nodes through VLT port channel. The other end of the VLT nodes is connected to a DHCP/PXE server, as shown in the following figure:
In the above scenario, LACP fallback works as follows:
1. The ToR/server boots
2. One of the VLT peers takes care of controlling the LACP fallback mode.
● passive — Enter to only enable LACP if it detects a device. The interface is in the Passive Negotiation state when the port responds to the LACP packets that it receives but does not initiate negotiation until it detects a device.
Default Not configured
Command Mode INTERFACE
Usage Information When you delete the last physical interface from a port channel, the port channel remains. Configure these attributes on an individual member port.
Example
OS10# configure terminal
OS10(config)# interface port-channel 1
OS10(conf-if-po-1)# lacp fallback enable
Supported Releases 10.3.2E(R3) or later
lacp fallback preemption
Enables or disables LACP fallback port preemption.
Syntax lacp fallback preemption {enable | disable}
Parameters
● enable—Enables preemption on the port channel.
● disable—Disables preemption on the port channel.
Supported Releases 10.3.2E(R3) or later
lacp max-bundle
Configures the maximum number of active members that are allowed in a port channel.
Syntax lacp max-bundle max-bundle-number
Parameters max-bundle-number — Enter the maximum bundle size (1 to 32).
Default 32
Command Mode INTERFACE
Usage Information The no version of this command resets the maximum bundle size to the default value.
Example
OS10(conf-if-po-10)# lacp max-bundle 10
Supported Releases 10.2.
Supported Releases 10.2.0E or later
lacp system-priority
Sets the system priority of the device for LACP.
Parameters priority — Enter the priority value for physical interfaces (0 to 65535).
Default 32768
Command Mode CONFIGURATION
Usage Information Each device that runs LACP has an LACP system priority value. LACP uses the system priority with the MAC address to form the system ID and also during negotiation with other systems. The system ID is unique for each device.
Default Not configured
Command Mode EXEC
Usage Information The LACP_activity field displays if you configure the link in Active or Passive port channel mode. The Port Identifier field displays the port priority as part of the information including the port number. For example, Port Identifier=0x8000,0x101, where the port priority value is 0x8000 and the port number value is 0x101.
Example
OS10# show lacp interface ethernet 1/1/129
Invalid Port id, Max.
Example
OS10# show lacp neighbor interface port-channel 1
Flags:S-Device is sending Slow LACPDUs F-Device is sending Fast LACPdus
A-Device is in Active mode P-Device is in Passive mode
Port-channel port-channel1 neighbors
Port: ethernet1/1/29
Partner System Priority: 32768
Partner System ID: 00:01:e8:8a:fd:9e
Partner Port: 178
Partner Port Priority: 32768
Partner Oper Key: 1
Partner Oper State:aggregation synchronization collecting distributing defaulted expired
Supported Releases 10.2.
Usage Information The LACP system ID is a combination of the configurable LACP system priority value and the MAC address. Each system that runs LACP has an LACP system priority value. Configure a value between 1 and 65535. The default value is 32768. LACP uses the system priority with the MAC address to form the system ID and uses the system priority during negotiation with other devices. A higher system priority value means a lower priority. The system ID is different for each device.
NOTE: When the physical port is part of the LAG and the LAG is configured in access VLAN, the VLAN ID is sent as 0 in the LLDP TLV.

Mandatory TLVs
OS10 supports the three mandatory TLVs. These mandatory TLVs are at the beginning of the LLDPDU in the following order:
● Chassis ID TLV
● Port ID TLV
● Time-to-live TLV

Table 70. Mandatory TLVs
Mandatory TLVs | Type | Description
Chassis ID | 1 | Identifies the chassis.
Port ID | 2 | Identifies a port through which the LAN device transmits LLDPDUs.
Table 71. Basic TLVs
TLV | Type | Description
Port description | 4 | User-defined alphanumeric string that describes the port (port ID or interface description).
System name | 5 | User-defined alphanumeric string that identifies the system.
System description | 6 | Includes the following information: ● Host description ● Dell OS version ● Dell application software version ● Build timestamp
System capabilities | 7 | Determines the capabilities of the system.
Table 74. Service tag TLV (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV | Subtype | Description
Service tag | 21 | Indicates the service tag that is associated with the device.

Table 75. Solution ID TLVs (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV | Subtype | Description
Product base | 22 | Indicates the product base.
Product serial number | 23 | Indicates the product serial number.
Product part number | 24 | Indicates the product part number.

Custom TLVs
iDRAC organizationally specific TLVs
Table 76.
Isilon organizationally-specific TLVs
Table 77. Isilon-related TLVs (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV | Subtype | Description
Subtypes used in LLDP custom TLVs that are transacted by the Isilon nodes
Originator | 1 | Indicates the Isilon string that is used as the originator. This string enables the OS10 switches to identify the Isilon originated LLDPDUs.
RA prefix | 2 | Indicates the IPv6 address prefix for SLAAC.
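The TLV layout described above can be checked on a captured LLDPDU before any of its fields are trusted. The following Python parser is an added example, not Dell code: it enforces the mandatory TLV order (types 1, 2, 3), rejects length fields that overrun the frame, and decodes the Type 127 subtypes 21 to 24 listed in Tables 74 and 75. The function names, the sample frame, and the service tag value EXAMPLE are constructed for illustration.

```python
import struct

DELL_OUI = bytes.fromhex("f8b156")   # OUI given in Tables 74-77
MANDATORY_ORDER = (1, 2, 3)          # Chassis ID, Port ID, Time-to-live
# Subtypes from Tables 74 and 75; other subtypes are reported undecoded.
DELL_SUBTYPES = {21: "service_tag", 22: "product_base",
                 23: "product_serial_number", 24: "product_part_number"}


class LLDPError(ValueError):
    """Raised when an LLDPDU is malformed."""


def iter_tlvs(pdu):
    """Yield (type, value) per TLV; the header is 7 bits of type, 9 of length."""
    off = 0
    while off < len(pdu):
        if len(pdu) - off < 2:
            raise LLDPError(f"truncated TLV header at offset {off}")
        (hdr,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if length > len(pdu) - off:
            raise LLDPError(f"TLV type {tlv_type} claims {length} bytes, "
                            f"{len(pdu) - off} remain")
        if tlv_type == 0:            # End of LLDPDU: ignore padding after it
            return
        yield tlv_type, pdu[off:off + length]
        off += length


def parse_lldpdu(pdu):
    """Validate the mandatory TLVs and decode the Dell Type 127 TLVs."""
    tlvs = list(iter_tlvs(pdu))
    if tuple(t for t, _ in tlvs[:3]) != MANDATORY_ORDER:
        raise LLDPError("mandatory TLVs missing or out of order")
    if any(t in MANDATORY_ORDER for t, _ in tlvs[3:]):
        raise LLDPError("mandatory TLV repeated later in the LLDPDU")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LLDPError("mandatory TLV has an invalid length")
    out = {
        "chassis_id": (chassis[0], chassis[1:]),   # (subtype, identifier)
        "port_id": (port[0], port[1:]),
        "ttl": struct.unpack("!H", ttl)[0],
        "dell": {},
        "other_org": [],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type != 127:
            continue                 # basic TLVs are not decoded in this example
        if len(value) < 4:
            raise LLDPError("Type 127 TLV shorter than OUI plus subtype")
        oui, subtype, info = value[:3], value[3], value[4:]
        name = DELL_SUBTYPES.get(subtype) if oui == DELL_OUI else None
        if name:
            out["dell"][name] = info.decode("ascii", errors="replace")
        else:
            out["other_org"].append((oui.hex(), subtype, info))
    return out


def build_tlv(tlv_type, value):
    """Helper used only to construct the sample frame below."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def sample_lldpdu():
    """Constructed LLDPDU payload (no Ethernet header); values are illustrative."""
    return b"".join([
        build_tlv(1, b"\x04" + bytes.fromhex("3417ebf205c4")),  # subtype 4: MAC
        build_tlv(2, b"\x05" + b"ethernet1/1/1"),   # subtype 5: interface name
        build_tlv(3, struct.pack("!H", 120)),
        build_tlv(127, DELL_OUI + bytes([21]) + b"EXAMPLE"),
        build_tlv(0, b""),
    ])


if __name__ == "__main__":
    print(parse_lldpdu(sample_lldpdu()))
```

LLDP is unauthenticated, so values such as the service tag or system name identify what a neighbor claims to be, not what it is.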
● To disable LLDP on an interface, use the lldp transmit and lldp receive commands in INTERFACE mode.
OS10(conf-if-eth1/1/2)# no lldp transmit
OS10(conf-if-eth1/1/2)# no lldp receive
Management interface:
OS10(conf-if-ma-1/1/1)# no lldp transmit
OS10(conf-if-ma-1/1/1)# no lldp receive

Enable LLDP
When LLDP is disabled on a switch, you can reenable LLDP globally or on an interface.
● To enable LLDP globally: Enable LLDP globally in CONFIGURATION mode.
Enter the multiplier value for the hold time in CONFIGURATION mode.
lldp holdtime-multiplier
OS10(config)# lldp timer 60
OS10(config)# lldp reinit 5

View LLDP timers
OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 240
Reinit-time in seconds: 5
Transmit interval in seconds: 60

Time to live
TTL or hold time is the amount of time, in seconds, that a receiving system waits to hold the information before discarding it.
Advertise VLAN Name TLVs You can configure the system to advertise the names of VLANs in LLDPDUs. Configure the VLAN names before you configure the system to advertise VLAN names. By default, this feature is disabled. After you enable this feature, the system starts sending LLDPDUs with the configured name of the default VLAN. If the default VLAN does not have a configured name, the system does not send an LLDPDU with a VLAN name TLV. Transmit VLAN name of the default VLAN 1.
OS10(conf-if-vl-3)#vlan-name vlan4
OS10(config)# interface vlan 4
OS10(conf-if-vl-4)#vlan-name vlan4
OS10(config)# interface vlan 5
OS10(conf-if-vl-5)#vlan-name vlan5
OS10(config)# interface vlan 6
OS10(conf-if-vl-6)#vlan-name vlan6
OS10(config)# interface vlan 7
OS10(conf-if-vl-7)#vlan-name vlan7
OS10(config)# interface vlan 8
OS10(conf-if-vl-8)#vlan-name vlan8
OS10(config)# interface vlan 9
OS10(conf-if-vl-9)#vlan-name vlan9
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)#vlan-name vlan10
OS10(config)
The following output shows that the interface deletes VLAN 3 and starts sending the name of VLAN 9:
OS10# show lldp interface ethernet 1/1/1 local-device
Device ID: 34:17:eb:f2:05:c4
Port ID: ethernet1/1/1
System Name: OS10
Capabilities: Router, Bridge, Repeater
System description: Dell EMC Networking OS10 Enterprise. Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved. System Description: OS10 Enterprise. OS Version: 10.4.9999EX.
Disable and enable LLDP TLVs on management ports By default, management ports advertise all LLDP TLVs except VLAN name TLV. You can disable the LLDP TLV advertisement on management ports using the following commands: ● Disable LLDP TLVs in INTERFACE mode.
Example: Advertise TLVs configuration
The following configuration example describes how to configure the system to advertise LLDP TLVs.
Sample configuration on R1:
Enable the list of LLDP TLVs that need to be advertised from R1.
Total Frames In : 0
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0

View LLDP interface traffic
OS10# show lldp traffic interface ethernet 1/1/1
LLDP Traffic Statistics:
Total Frames Out : 0
Total Entries Aged : 0
Total Frames In : 0
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0
LLDP MED Traffic Statistics:
Total Med Frames Out :
Total Med Frames In :
Total Med Frames Dis
Information valid for next 105 seconds Time since last information change of this neighbor: 00:00:15 Remote System Name: LLDP-pkt-gen Remote Management Address (IPv4): 10.1.1.
Table 78.
Table 80. LLDP-MED device types
Bit position | Device type
3 | Endpoint Class 3
4 | Network connectivity
5-255 | Reserved

LLDP-MED network policies TLVs
A network policy in the context of LLDP-MED is a VLAN configuration of a device and associated L2 and L3 configurations. LLDP-MED network policies TLV include:
● VLAN ID
● VLAN tagged or untagged status
● L2 priority
● DSCP value
You can configure an LLDP-MED network policy to generate an individual network policy TLV for each application type.
Table 81. LLDP-MED Network policies TLVs
Type | Application | Description
supporting streaming video services that require specific network policy treatment.
8 | Video signaling | Used only if video control packets use a separate network policy than the video data.
9-255 | Reserved | —

Disable and reenable LLDP-MED
By default, LLDP-MED is enabled on all interfaces except on the management interface.
Disable LLDP-MED
● To disable LLDP-MED on an interface, use the lldp med disable command in INTERFACE mode.
○ add — Attach the network policy to an interface. ○ remove — Remove the network policy from an interface. ○ number — Enter a network policy index number, from 1 to 32. Configure advertise LLDP-MED network policies OS10(conf-if-eth1/1/5)# lldp med network-policy add 1 Change the fast start repeat count Fast start repeat enables a network-connectivity device to advertise itself at a faster rate for a limited amount of time.
Usage Information Neighbor information clears on all interfaces.
Example
OS10# clear lldp table
Supported Releases 10.2.0E or later

lldp enable
Enables or disables LLDP globally.
Syntax lldp enable
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information This command enables LLDP globally for all Ethernet PHY interfaces, except on those interfaces where you manually disable LLDP.
Usage Information None
Example
OS10(config)# lldp med fast-start-repeat-count 5
Supported Releases 10.2.0E or later

lldp med
Enables or disables LLDP-MED on an interface.
Syntax lldp med {enable | disable}
Parameters
● enable — Enable LLDP-MED on the interface.
● disable — Disable LLDP-MED on the interface.
Default Enabled with network-policy TLV
Command Mode INTERFACE
Usage Information LLDP-MED communicates the types of TLVs that the endpoint device and network-connectivity device support.
Usage Information You can create a maximum of 32 network policies and associate the LLDP-MED network policies to a port.
Example
OS10(config)# lldp med network-policy 10 app voice vlan 10 vlan-type tag priority 2 dscp 1
Supported Releases 10.2.0E or later

lldp med network-policy (Interface)
Attaches or deletes an LLDP-MED network policy to or from an interface.
Syntax lldp med network-policy {add | remove} number
Parameters
● add — Attach the network policy to an interface.
Command Mode INTERFACE Usage Information Determines whether to advertise the interface description or the port ID in the port description TLV. According to RFC 2863, the LLDPLocPortDesc and ifDescr object values must be identical. To be compliant with RFC 2863, use the port-id option with the lldp port-description-tlv advertise command. The port-id option in this command returns the same value (port ID) for both LLDPLocPortDesc and ifDescr objects.
Parameters seconds — Enter the LLDP timer rate in seconds, from 5 to 254.
Default 30 seconds
Command Mode CONFIGURATION
Usage Information The no version of this command sets the LLDP timer back to its default value.
Example
OS10(config)# lldp timer 25
Supported Releases 10.2.0E or later

lldp tlv-select basic-tlv
Enables or disables TLV attributes to transmit and receive LLDP packets.
Example
OS10(config)# lldp management-addr-tlv ipv4 virtual-ip
OS10(conf-if-eth1/1/3)# lldp management-addr-tlv ipv6 virtual-ip
Supported Releases 10.5.0 or later

lldp tlv-select dot1tlv
Enables or disables the dot.1 TLVs to transmit in LLDP packets.
Syntax lldp tlv-select dot1tlv { port-vlan-id | link-aggregation | vlan-name}
Parameters
● port-vlan-id — Enter the port VLAN ID.
● link-aggregation — Enable the link aggregation TLV.
lldp transmit
Enables the transmission of LLDP packets on a specific interface.
Syntax lldp transmit
Parameters None
Default Not configured
Command Mode INTERFACE
Usage Information The no version of this command disables the transmission of LLDP packets on a specific interface.
Example
OS10(conf-if-eth1/1/9)# lldp transmit
Supported Releases 10.2.0E or later

lldp vlan-name-tlv allowed vlan
Specifies a single or multiple VLANs' names to transmit in LLDPDUs.
Command Mode EXEC Usage Information Use the med parameter to view MED information for a specific interface. Use the local-device parameter to view inventory details.
Command Mode EXEC
Usage Information None
Example
OS10# show lldp errors
Total Memory Allocation Failures: 0
Total Input Queue Overflows: 0
Total Table Overflows: 0
Supported Release 10.2.0E or later

show lldp med
Displays the LLDP MED information for all the interfaces.
Syntax show lldp med
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Use the show lldp interface command to view MED information for a specific interface.
show lldp neighbors Displays the system information of the LLDP neighbors. Syntax show lldp neighbors [detail | interface ethernet node/slot/port[:subport]] Parameters ● detail — View LLDP neighbor detailed information ● interface ethernet node/slot/port[:subport] — Enter the Ethernet interface information. Command Mode EXEC Usage Information This command status information includes local port ID, remote hostname, remote port ID, remote VLAN names, and remote node ID.
show lldp timers
Displays the LLDP hold time, delay time, and update frequency interval configuration information.
Syntax show lldp timers
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 120
Reinit-time in seconds: 6
Transmit interval in seconds: 30
Supported Releases 10.2.0E or later

show lldp tlv-select interface
Displays the TLVs enabled for an interface.
Usage Information None
Example
OS10# show lldp traffic
LLDP Traffic Statistics:
Total Frames Out :
Total Entries Aged :
Total Frames In :
Total Frames Received In Error :
Total Frames Discarded :
Total TLVS Unrecognized :
Total TLVs Discarded :
Example (Interface)
OS10# show lldp traffic interface ethernet 1/1/2
LLDP Traffic Statistics:
Total Frames Out : 45
Total Entries Aged : 1
Total Frames In : 33
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs D
Media Access Control All Ethernet switching ports maintain media access control (MAC) address tables. Each physical device in your network contains a MAC address. OS10 devices automatically enter learned MAC addresses as dynamic entries in the MAC address table. Learned MAC address entries are subject to aging. Set the aging timer to zero (0) to disable MAC aging.
○ address mac-address — (Optional) Displays MAC address information. ○ interface ethernet node/slot/port[:subport] — (Optional) Displays a list of dynamic and static MAC address entries. ○ interface port-channel number — (Optional) Displays port channel information, from 1 to 128. ○ count — (Optional) Displays the number of dynamic and static MAC address entries. ○ vlan vlan-id — (Optional) Displays information for a specified VLAN only, from 1 to 4093.
○ ethernet node/slot/port[:subport] — Delete the Ethernet interface configuration from the address table.
○ port-channel channel-number — Delete the port-channel interface configuration from the address table, from 1 to 128.
Default Not configured
Command Mode EXEC
Usage Information Use the all parameter to remove all dynamic entries from the address table.
Example
OS10# clear mac address-table dynamic all
Example (VLAN)
OS10# clear mac address-table dynamic vlan 20
Supported Releases 10.2.
Example (VLAN)
OS10(config)# mac address-table static 34:17:eb:f2:ab:c6 vlan 1 interface ethernet 1/1/30
Example (PortChannel)
OS10(config)# mac address-table static 34:17:eb:02:8c:33 vlan 10 interface port-channel 1
Supported Releases 10.2.0E or later

show mac address-table
Displays information about the MAC address table.
Dynamic Address Count : 5
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 5
Example (Dynamic)
OS10# show mac address-table dynamic
VlanId Mac Address Type Interface
1 90:b1:1c:f4:a6:8f dynamic ethernet1/1/3
Example (Ethernet)
OS10# show mac address-table interface ethernet 1/1/3
VlanId Mac Address Type Interface
1 66:38:3a:62:31:3a dynamic ethernet1/1/3
Supported Releases 10.2.
Change STP modes
The default xSTP variant running in OS10 is Rapid-PVST. You can change the mode to RSTP or MSTP using the spanning-tree mode {rstp | mst | rapid-pvst} command.
Mode specific functionality
Enable and disable STP
Spanning Tree Protocol (STP) is enabled by default on the switches. You can disable STP globally on the switch or at the interface level. Disabling spanning tree at an instance level causes all the port members of that instance to disable the spanning tree.
When the blocked port stops receiving BPDUs, it transitions to a Forwarding state causing spanning-tree loops in the network. Enable loop guard using the spanning-tree guard loop command on an interface so that it transitions to the Loop-Inconsistent state until it receives BPDUs. After BPDUs are received, the port moves out of the Loop-Inconsistent or Blocking state and transitions to an appropriate state determined by STP.
Name PortID Prio Cost Sts Cost Bridge ID PortID
------------------------------------------------------------------------------------------
ethernet1/1/7 128.56 128 500 FWD 500 32769 90b1.1cf4.a625 128.
2. In CONFIGURATION mode, use the following command to recover the ports from shutting down due to the detection of a BPDU Guard violation. When the recovery option is enabled, the port is brought up after the recovery timer expires. The default recovery timer value is 300 seconds. When the recovery option is disabled, the port remains shut down indefinitely. You must manually bring up the port using the shutdown and no shutdown commands.
By default, this feature is enabled for RSTP, Rapid-PVST and MSTP. This feature is useful in a scalable topology with MSTP & rapid-PVST (multi-instance), where multiple MAC flush calls are invoked. RSTP RSTP allows per port-based flush until the number of calls sent is equal to the MAC flush threshold value that you have configured. When the number of calls that are sent reaches the configured threshold, RSTP ignores further per-port based flush and starts the MAC flush timer.
This feature allows the user to disable path cost recalculation on link flap events. If disabled, the path cost of the LAG is calculated based on the following formula:
LAG speed = speed of a single member * number of configured member ports (irrespective of their operational status).
Path cost changes only for the user event [addition/removal of channel-member]. Path cost is calculated based on the number of configured ports. Dynamic path cost disable functionality is supported for VLT port channel.
● Enable EdgePort on an interface in INTERFACE mode.
debug spanning-tree
Enables STP to debug and display protocol information.
Syntax debug spanning-tree {all | bpdu [tx | rx] | events}
Parameters
● all — Debugs all spanning-tree operations.
● bpdu — Enter transmit (tx) or receive (rx) to enable the debug direction.
● events — Debugs STP events.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# debug spanning-tree bpdu rx
Supported Releases 10.5.
When the recovery option is enabled, the port is brought up after the recovery timer expires. When the recovery option is disabled, the port is shut down indefinitely. You must manually bring up the port using the shutdown and no shutdown commands. The no version of the command disables the recovery option.
Example
OS10(config)# errdisable recovery cause bpduguard
Supported Releases 10.4.2.
spanning-tree bpdufilter
Enables or disables BPDU filtering on an interface.
Syntax spanning-tree bpdufilter {enable | disable}
Parameters
● enable — Enables the BPDU filter on an interface.
● disable — Disables the BPDU filter on an interface.
Default Disabled
Command Mode INTERFACE
Usage Information Use the enable parameter to enable BPDU filtering.
Example
OS10(conf-if-eth1/1/4)# spanning-tree bpdufilter enable
Supported Releases 10.2.
spanning-tree guard
Enables or disables loop guard or root guard on an interface.
Syntax spanning-tree guard {loop | root | none}
Parameters
● loop — Enables loop guard on an interface.
● root — Enables root guard on an interface.
● none — Sets the guard mode to none.
Default Not configured
Usage Information Root guard and loop guard configurations are mutually exclusive. Configuring one overwrites the other from the active configuration.
timer is set to a non-zero value, instance-based flushing occurs based on the MAC flush threshold value. The no version of this command resets the flush-interval timer to the default value.
Example
OS10(config)# spanning-tree mac-flush-timer 500
OS10(config)# no spanning-tree mac-flush-timer
Supported Releases 10.4.3.0 or later

spanning-tree mode rstp
Enables an STP type: RSTP.
Syntax spanning-tree mode rstp
Parameters
● rstp — Sets STP mode to RSTP.
Usage Information The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put into the error-disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all reasons.
Supported Releases 10.2.0E or later

Rapid per-VLAN spanning-tree
Rapid per-VLAN spanning-tree (Rapid-PVST) is used to create a single topology per VLAN. Rapid-PVST is enabled by default; it provides faster convergence than STP and runs on the default VLAN (VLAN 1).
Configuring Rapid-PVST is a four-step process:
1. Ensure the interfaces are in L2 mode.
2. Place the interfaces in VLANs. By default, switchport interfaces are members of the default (VLAN1).
3. Enable Rapid-PVST.
● If Force Protocol Version is STP or RSTP, the received BPDUs are considered from a different MST Region. ● Default behavior is MSTP operation mode, which allows full MSTP behavior. ● OS10 does not support enabling force version per MST instance. Force protocol version in Rapid-PVST Spanning-tree Rapid-PVST force-version (STP) ● Setting the force version to STP forces the Rapid-PVST protocol to operate in 802.1D STP mode instead of the default protocol mode RSTP on VLAN 1.
Flush Interval 200 centi-sec, Flush Invocations 8
Flush Indication threshold 5
Interface Designated
Name PortID Prio Cost Sts Cost Bridge ID PortID
------------------------------------------------------------------------------------------
ethernet1/1/5 128.40 128 500 BLK 500 32769 90b1.1cf4.9af2 128.40
ethernet1/1/6 128.48 128 500 BLK 500 32769 90b1.1cf4.9af2 128.48
ethernet1/1/7 128.56 128 500 FWD 500 32769 90b1.1cf4.a625 128.56
ethernet1/1/8 128.64 128 500 BLK 500 32769 90b1.1cf4.9af2 128.
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 4097, Address 90b1.1cf4.a523
We are the root of VLAN 1
Configured hello time 2, max age 20, forward delay 15
Interface Designated
Name PortID Prio Cost Sts Cost Bridge ID PortID
--------------------------------------------------------------------
ethernet1/1/5 128.276 128 500 FWD 0 4097 90b1.1cf4.a523 128.276
ethernet1/1/6 128.280 128 500 FWD 0 4097 90b1.1cf4.a523 128.
ethernet1/1/10 Disb 128.296 128 200000000 FWD 0 AUTO No
ethernet1/1/11 Disb 128.300 128 200000000 FWD 0 AUTO No

Root assignment
Rapid-PVST assigns the root bridge according to the lowest bridge ID. Primary configuration assigns 24576 as the bridge priority whereas secondary configuration assigns 28672 as the bridge priority. The spanning-tree vlan vlan-id root primary command ensures that the switch has the lowest bridge priority value by setting the predefined value of 24,576.
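Because the lowest bridge ID wins, any bridge that advertises a priority below 24576 displaces the intended root, so it is worth checking periodically that each VLAN's root is the switch you configured. The following Python check is an added example, not part of the guide: it parses Root ID lines in the format shown on this page and compares them with the intended primary and secondary roots. The sample output, MAC address assignments, and function names are constructed, and the check assumes the displayed priority is the configured value plus the VLAN ID, as the 4097 and 32769 values in this page's VLAN 1 output suggest.

```python
import re

PRIMARY, SECONDARY = 24576, 28672   # set by "root primary" / "root secondary"

# Constructed sample, modeled on the show spanning-tree output format on this page.
SAMPLE = """\
VLAN 1
Root ID Priority 24577, Address 90b1.1cf4.a523
Bridge ID Priority 32769, Address 90b1.1cf4.9af2
VLAN 10
Root ID Priority 4106, Address 0011.2233.4455
Bridge ID Priority 32778, Address 90b1.1cf4.9af2
VLAN 20
Root ID Priority 28692, Address 90b1.1cf4.a625
Bridge ID Priority 32788, Address 90b1.1cf4.9af2
"""

VLAN_RE = re.compile(r"^VLAN\s+(\d+)$")
ID_RE = re.compile(
    r"^(Root|Bridge) ID\s+Priority\s+(\d+),\s*Address\s+([0-9a-fA-F.]+)")


def parse_instances(text):
    """Return {vlan: {"root": (priority, mac), "bridge": (priority, mac)}}."""
    instances, vlan = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            vlan = int(m.group(1))
            instances[vlan] = {}
            continue
        m = ID_RE.match(line)
        if m and vlan is not None:
            role = m.group(1).lower()
            instances[vlan][role] = (int(m.group(2)), m.group(3).lower())
    return instances


def split_priority(displayed):
    """Split a displayed priority into (configured priority, extended system ID)."""
    return displayed - displayed % 4096, displayed % 4096


def audit_roots(text, primary_mac, secondary_mac):
    """Return (vlan, status, root_mac, configured_priority) for each deviation."""
    findings = []
    for vlan, ids in sorted(parse_instances(text).items()):
        if "root" not in ids:
            continue
        displayed, mac = ids["root"]
        configured, _ = split_priority(displayed)
        if mac == primary_mac.lower():
            if configured != PRIMARY:
                findings.append((vlan, "unexpected-priority", mac, configured))
        elif mac == secondary_mac.lower() and configured == SECONDARY:
            # The secondary has taken over: the primary is down or unreachable.
            findings.append((vlan, "secondary-is-root", mac, configured))
        else:
            # A bridge outside the plan won the election for this VLAN.
            findings.append((vlan, "unexpected-root", mac, configured))
    return findings


if __name__ == "__main__":
    for finding in audit_roots(SAMPLE, "90b1.1cf4.a523", "90b1.1cf4.a625"):
        print(finding)
```

An unexpected-root finding on an edge-facing VLAN is the condition that root guard (spanning-tree guard root) is meant to prevent on the ports where no root should ever appear.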
● Modify the hello-time in seconds in CONFIGURATION mode, from 1 to 10, default 2. For large configurations involving a large number of ports, Dell EMC recommends increasing the hello-time.
spanning-tree vlan vlan-id hello-time seconds
● Modify the max-age (in seconds) in CONFIGURATION mode, from 6 to 40, default 20.
● Port-channel interface with one 1 Gigabit Ethernet = 20000
● Port-channel interface with one 10 Gigabit Ethernet = 2000
● Port-channel with two 1 Gigabit Ethernet = 10000
● Port-channel with two 10 Gigabit Ethernet = 1000
● Port-channel with two 100 Mbps Ethernet = 100000
Command Mode INTERFACE
Usage Information The media speed of a LAN interface determines the STP port path cost default value.
Example
OS10(conf-if-eth1/1/4)# spanning-tree vlan 10 cost 1000
Supported Releases 10.2.
Parameters
● stp — Forces the version for the BPDUs transmitted by MST to STP
Default Not configured
Command Mode CONFIGURATION
Usage Information Forces a bridge that supports Rapid-PVST to operate in an STP-compatible mode.
Example
OS10(config)# spanning-tree rpvst force-version stp
Supported Releases 10.2.0E or later

spanning-tree vlan hello-time
Sets the time interval between generation and transmission of Rapid-PVST BPDUs.
spanning-tree vlan max-age
Configures the time period the bridge maintains configuration information before refreshing the information by recomputing Rapid-PVST.
Syntax spanning-tree vlan vlan-id max-age seconds
Parameters max-age seconds — Enter a maximum age value in seconds, from 6 to 40.
Default 20 seconds
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# spanning-tree vlan 10 max-age 10
Supported Releases 10.2.
spanning-tree vlan root
Designates a device as the primary or secondary root bridge.
Syntax spanning-tree vlan vlan-id root {primary | secondary}
Parameters
● vlan-id — Enter a VLAN ID number, from 1 to 4093.
● root — Designate the bridge as the primary or secondary root.
● primary — Designate the bridge as the primary or root bridge.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Default None
Command Mode EXEC
Security and Access Sysadmin, secadmin and netadmin
Usage Information None
Example (RapidPVST mode)
OS10# show spanning-tree compatibility-mode
Interface Name Instance Compatibility-mode
------------------------------------------------
ethernet1/1/1 VLAN 1 RSTP
ethernet1/1/1 VLAN 2 RSTP
ethernet1/1/1 VLAN 3 RSTP
ethernet1/1/1 VLAN 4 RSTP
ethernet1/1/1 VLAN 5 RSTP
ethernet1/1/2 VLAN 1 STP
ethernet1/1/2 VLAN 2 STP
ethernet1/1/2 VLAN 3 STP
ethernet1/1/2 VLAN 4 STP
ethernet
spanning-tree rapid-pvst force-version
Configures a forced version of spanning-tree to transmit BPDUs.
Syntax spanning-tree rapid-pvst force-version stp
Parameters
● stp — Forces the version for the BPDUs transmitted by Rapid-PVST to STP
Default Not configured
Command Mode CONFIGURATION
Usage Information Forces a bridge that supports Rapid-PVST to operate in an STP-compatible mode.
Example
OS10(config)# spanning-tree rapid-pvst force-version stp
Supported Releases 10.2.
View all ports participating in RSTP
OS10# show spanning-tree
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 90b1.1cf4.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge
------------------------------------------------------------------------
ethernet1/1/1 Disb 128.260 128 200000000 BLK 0 AUTO No
ethernet1/1/2 Disb 128.264 128 200000000 BLK 0 AUTO No
ethernet1/1/3 Disb 128.268 128 200000000 BLK 0 AUTO No
ethernet1/1/4 Disb 128.272 128 200000000 BLK 0 AUTO No
ethernet1/1/5:1 Disb 128.
ethernet1/1/2 248.128 128 500 BLK 0 32768 90b1.1cf4.9b8a 128.248
ethernet1/1/3 252.128 128 500 FWD 0 32768 90b1.1cf4.9b8a 128.252
ethernet1/1/4 256.128 128 500 BLK 0 32768 90b1.1cf4.9b8a 128.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge
---------------------------------------------------------
ethernet1/1/1 Altr 128.244 128 500 BLK 0 AUTO No
ethernet1/1/2 Altr 128.248 128 500 BLK 0 AUTO No
ethernet1/1/3 Root 128.252 128 500 FWD 0 AUTO No
ethernet1/1/4 Altr 128.256 128 500 BLK 0 AUTO No
View bridge priority and root bridge assignment
OS10# show spanning-tree active
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 36864, Address 90b1.1cf4.
ethernet1/1/3 252.128 128 500 FWD 0 32768 90b1.1cf4.9b8a 128.252
ethernet1/1/4 256.128 128 500 BLK 0 32768 90b1.1cf4.9b8a 128.256
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge
-----------------------------------------------------------
ethernet1/1/1 Altr 128.244 128 500 BLK 0 AUTO No
ethernet1/1/2 Altr 128.248 128 500 BLK 0 AUTO No
ethernet1/1/3 Root 128.252 128 500 FWD 0 AUTO No
ethernet1/1/4 Altr 128.256 128 500 BLK 0 AUTO No
Supported Releases 10.2.
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# spanning-tree rstp forward-time 16
Supported Releases 10.2.0E or later

spanning-tree rstp hello-time
Sets the time interval between generation and transmission of RSTP BPDUs.
Syntax spanning-tree rstp hello-time seconds
Parameters seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Default 20 seconds
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# spanning-tree rstp max-age 10
Supported Releases 10.2.0E or later

spanning-tree rstp priority
Sets the priority value for RSTP.
Syntax spanning-tree rstp priority priority value
Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
1. Enable MST, if the current running spanning-tree protocol (STP) version is not MST. 2. (Optional) Map the VLAN to different instances in such a way that the traffic is load balanced well and the link utilization is efficient. 3. Ensure the same region name is configured in all the bridges running MST. 4. (Optional) Configure the revision number. The revision number is the same on all the bridges.
OS10(conf-mst)# revision 100
OS10(conf-mst)# instance 1 vlan 2-10
OS10(conf-mst)# instance 2 vlan 11-20
OS10(conf-mst)# instance 3 vlan 21-30

View VLAN instance mapping
OS10# show spanning-tree mst configuration
Region Name: Dell
Revision: 100
MSTI VID
0 1,31-4093
1 2-10
2 11-20
3 21-30

View port forwarding/discarding state
os10# show spanning-tree msti 0 brief
Spanning tree enabled protocol msti with force-version mst
MSTI 0 VLANs mapped 1-3999,4091-4093
Executing IEEE compatible Spanning Tree Protocol
ethernet1/1/13 128.104 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.104
ethernet1/1/14 128.112 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.112
ethernet1/1/15 128.120 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.120
ethernet1/1/16 128.128 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.128
ethernet1/1/17 128.136 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.136
ethernet1/1/18 128.144 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.144
ethernet1/1/19 128.152 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.
ethernet1/1/9 AUTO No ethernet1/1/10 AUTO No ethernet1/1/11 AUTO No ethernet1/1/12 AUTO No ethernet1/1/13 AUTO No ethernet1/1/14 AUTO No ethernet1/1/15 AUTO No ethernet1/1/16 AUTO No ethernet1/1/17 AUTO No ethernet1/1/18 AUTO No ethernet1/1/19 AUTO No ethernet1/1/20 AUTO No ethernet1/1/21 AUTO No ethernet1/1/22 AUTO No ethernet1/1/23 AUTO No ethernet1/1/24 AUTO No ethernet1/1/25 AUTO No ethernet1/1/26 AUTO No ethernet1/1/27 AUTO No ethernet1/1/28 AUTO No ethernet1/1/29 AUTO No ethernet1/1/30 AUTO No etherne
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15, max hops 20
Bridge ID Priority 32768, Address 90b1.1cf4.a523
Configured hello time 2, max age 20, forward delay 15, max hops 20
CIST regional root ID Priority 32768, Address 90b1.1cf4.
Max-hops A maximum number of hops a BPDU travels before a receiving device discards it.
NOTE: Dell EMC recommends that only experienced network administrators change MST parameters. Poorly planned modification of MST parameters can negatively affect network performance.
1. Change the forward-time parameter in CONFIGURATION mode, from 4 to 30, default 15.
spanning-tree mst forward-time seconds
2. Change the hello-time parameter in CONFIGURATION mode, from 1 to 10, default 2.
● Port-channel with 1-Gigabit Ethernet interfaces — 18000
● Port-channel with 10-Gigabit Ethernet interfaces — 1800
1. Change the port cost of an interface in INTERFACE mode, from 1 to 200000000.
spanning-tree msti number cost 1
2. Change the port priority of an interface in INTERFACE mode, from 0 to 240 in increments of 16, default 128.
Usage Information By default, the MST protocol assigns the system MAC address as the region name. Two MST devices within the same region must share the same region name, including matching case.
Example
OS10(conf-mst)# name my-mst-region
Supported Releases 10.2.0E or later

revision
Configures a revision number for the MSTP configuration.
Syntax revision number
Parameters number — Enter a revision number for the MSTP configuration, from 0 to 65535.
spanning-tree msti Configures the MSTI, cost, and priority values for an interface. Syntax spanning-tree msti instance {cost cost | priority value} Parameters ● msti instance — Enter the MST instance number, from 0 to 63. For Z9332F-ON platform, enter a MST instance value from 0 to 61. ● cost cost — (Optional) Enter a port cost value, from 1 to 200000000.
Default Enabled Command Mode CONFIGURATION Usage Information The no version of this command enables spanning tree on the specified MST instance. Example OS10(config)# spanning-tree mst 10 disable Supported Releases 10.4.0E(R1) or later spanning-tree mst force-version Configures a forced version of STP to transmit BPDUs. Syntax spanning-tree mst force-version {stp | rstp} Parameters ● stp — Forces the version for the BPDUs transmitted by MST to STP.
Default 2 seconds Command Mode CONFIGURATION Usage Information Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports. The no version of this command resets the value to the default. Example OS10(config)# spanning-tree mst hello-time 5 Supported Releases 10.2.0E or later spanning-tree mst mac-flush-threshold Configures the mac-flush threshold value for a specific instance.
spanning-tree mst max-hops Configures the maximum hop count for a BPDU to travel before it is discarded. Syntax spanning-tree mst max-hops number Parameters number — Enter a maximum hop value, from 6 to 40. Default 20 Command Mode CONFIGURATION Usage Information A device receiving BPDUs waits until the max-hops value expires before discarding it. When a device receives the BPDUs, it decrements the received value of the remaining hops and uses the resulting value as remaining-hops in the BPDUs.
○ ethernet node/slot/port[:subport] — Enter the Ethernet port information, from 1 to 48. ○ port-channel — Enter the port-channel interface information, from 1 to 128. Default Not configured Command Mode EXEC Usage Information View the MST instance information for a specific MST instance number in detail or brief, or view physical Ethernet ports or port-channel information.
Example (virtualinterface) Command History agg-6146 # show spanning-tree msti 0 virtual-interface VFP(VirtualFabricPort) of MSTI 0 is Designated Forwarding Edge port: No (default) Link type: point-to-point (auto) Boundary: No, Bpdu-filter: Disable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-violation: No Root-Guard: Disable, Loop-Guard: Disable Bpdus (MRecords) Sent: 250, Received: 240 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------------------------------------------------
Default VLAN configuration OS10# show vlan Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs, @ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated Q: A - Access (Untagged), T - Tagged NUM Status Description Q Ports * 1 Active A Eth1/1/1-1/1/54 Default Management VLAN SFS sets the MAC of the default management VLAN 4020 to the system MAC. This is different from the MAC that is used for Data VLAN.
Create a range of VLANs OS10(config)# interface range vlan 2-10 Delete VLAN OS10(config)# no interface vlan 108 Delete a range of VLANs OS10(config)# no interface range vlan 2-10 View configured VLANs OS10# show interface vlan Vlan 1 is up, line protocol is up Address is 00:00:00:00:00:c9, Current address is 00:00:00:00:10:c9 Interface index is 69208865 Internet address is 10.1.1.
Access mode An access port is an untagged member of only one VLAN. Configure a port in Access mode and configure which VLAN carries the traffic for that interface. If you do not configure the VLAN for a port in Access mode, or an access port, the interface carries traffic for VLAN 1, the default VLAN. Change the access port membership in a VLAN by specifying the new VLAN. You must create the VLAN before you can assign the port in Access mode to that VLAN.
View running configuration OS10# show running-configuration ... ! interface ethernet1/1/8 switchport mode trunk switchport trunk allowed vlan 108 no shutdown ! interface vlan1 no shutdown ! ... Assign IP address You can assign an IP address to each VLAN to make it an L3 VLAN. All the ports in that VLAN belong to that particular IP subnet. Traffic between ports in different VLANs is routed using the IP address.
Vlan 200 is up, line protocol is down Address is 00:00:00:00:00:c9, Current address is 00:00:00:00:10:c9 Interface index is 69209064 Internet address is 10.1.15.
View interface VLAN configuration OS10# show interface vlan Vlan 1 is up, line protocol is up Address is 00:00:00:00:00:c9, Current address is 00:00:00:00:10:c9 Interface index is 69208865 Internet address is 10.1.1.
0 packets, 0 octets Output statistics: 0 packets, 0 octets Time since last interface status change: 15:47:04 VLAN Scaling When VLANs are created, traffic class is specified for each VLAN that maps the VLAN traffic to a specific queue on the egress port. Class-maps are created for each VLAN matching and the action is specified in the policymap that maps it to a specific traffic class. Using traffic class-to-queue mapping, the traffic gets mapped to the corresponding queue.
The following figure shows the anycast IP-based gateway configuration for a VLAN: The ip virtual-router address and ipv6 virtual-router address commands assign the specified address as the virtual IPv4 or IPv6 address for the VLAN interface, respectively. Before assigning the anycast IP address to a VLAN interface, configure a virtual MAC address to the switch using the ip virtual-router mac-address command. All virtual addresses on all VLAN interfaces resolve to the configured virtual MAC address.
● Ensure that the anycast IPv4 or IPv6 address is different from the primary IPv4 or IPv6 address, respectively. For IPv6, you can configure more than one primary IP address. Even when more than one primary IPv6 address or subnet is configured, you can configure only one IPv6 address as the gateway IP address. ● To ping an IPv6 host present in a remote VLAN, use the ping -I command and specify the interface IP address. The -I option is not required when you ping an IPv6 local host in a VLAN.
Example - Anycast IP Gateway for VLANs in VLT topology This section provides a sample anycast IP gateway configuration for VLANs in a VLT topology. AG1 configuration 1. Configure a global anycast MAC address. AG1# configure terminal AG1(config)# ip virtual-router mac-address 00:00:5e:00:01:01 2. Configure a VLAN Interface with the anycast virtual address. AG1(config)# interface vlan 3001 AG1(conf-if-vl-3001)# no shutdown AG1(conf-if-vl-3001)# ip address 10.1.1.
AG1(conf-if-vl-3001)# ipv6 virtual-router address 10:1:1::5 AG1(conf-if-vl-3001)# exit 3. Configure the VLT domain. AG1(config)# vlt-domain 1 AG1(conf-vlt-1)# backup destination 172.16.1.4 interval 3 AG1(conf-vlt-1)# delay-restore 300 AG1(conf-vlt-1)# discovery-interface ethernet1/1/25:1-1/1/25:4 AG1(conf-vlt-1)# peer-routing AG1(conf-vlt-1)# primary-priority 1 AG1(conf-vlt-1)# vlt-mac de:11:de:11:de:11 AG1(conf-vlt-1)# multicast peer-routing timeout 450 AG1(conf-vlt-1)# exit 4.
ethernet1/1/25:2 ethernet1/1/25:3 ethernet1/1/25:4 ethernet1/1/17:1 ethernet1/1/17:2 ethernet1/1/17:3 ethernet1/1/17:4 ethernet1/1/19:1 ethernet1/1/19:2 ethernet1/1/19:3 ethernet1/1/19:4 AG2 AG2 AG2 TR1 TR1 TR1 TR1 TR1 TR1 TR1 TR1 ethernet1/1/25:2 ethernet1/1/25:3 ethernet1/1/25:4 ethernet1/1/39 ethernet1/1/40 ethernet1/1/41 ethernet1/1/42 ethernet1/1/43 ethernet1/1/44 ethernet1/1/45 ethernet1/1/46 50:9a:4c:d4:d0:f0 50:9a:4c:d4:d0:f0 50:9a:4c:d4:d0:f0 e4:f0:04:fe:9f:e1 e4:f0:04:fe:9f:e1 e4:f0:04:fe:9f:e1
4. Configure a port channel interface towards AG3, AG4, TR1, CR1, and CR2.
7. View VLAN members. AG2# show vlan 3001 Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs, @ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated Q: A - Access (Untagged), T - Tagged NUM Status Description Q Ports 3001 Active T Eth1/1/9:1-1/1/9:2 T Po1,41-48,1000 8. View port channel members.
AG3(config)# interface port-channel 53 AG3(conf-if-po-53)# vlt-port-channel 53 AG3(config)# interface port-channel 54 AG3(conf-if-po-54)# vlt-port-channel 54 AG3(config)# interface port-channel 55 AG3(conf-if-po-55)# vlt-port-channel 55 AG3(config)# interface port-channel 56 AG3(conf-if-po-56)# vlt-port-channel 56 AG3(config)# interface port-channel 57 AG3(conf-if-po-57)# vlt-port-channel 57 AG3(config)# interface port-channel 58 AG3(conf-if-po-58)# vlt-port-channel 58 5.
51 52 53 54 55 56 57 58 L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID up up up up up up up up 01:41:40 01:41:39 01:41:39 01:41:38 01:41:37 01:41:36 01:41:36 01:41:35 Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth 1/1/24:3 1/1/24:4 1/1/26:1 1/1/26:2 1/1/26:3 1/1/26:4 1/1/17:1 1/1/17:2 1/1/17:3 1/1/17:4 1/1/19:1 1/1/19:2 1/1/19:3 1/1/19:4 (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) AG4 configuration 1.
5. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
AG1
AG1# show ip arp 10.1.1.10
Codes: pv - private vlan where the mac is originally learnt
Address      Hardware address    Interface   Egress Interface
----------------------------------------------------------------
10.1.1.10    00:41:30:01:00:00   vlan3001    port-channel41
AG1# show mac address-table address 00:41:30:01:00:00
Codes: pv - private vlan where the mac is originally learnt
VlanId   Mac Address         Type      Interface
3001     00:41:30:01:00:00   dynamic   port-channel41
AG1#
AG2
AG2# show ip arp 10.1.1.
Usage Information ● To use special characters as a part of the description string, enclose the string in double quotes. ● To use a comma as a part of the description string, add a double backslash before the comma. Example OS10(config)# interface vlan 3 OS10(conf-if-vl-3)# description vlan3 Supported Releases 10.2.0E or later interface vlan Creates a VLAN interface. Syntax interface vlan vlan-id Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
ip virtual-router mac-address Configures the MAC address of an anycast L3 gateway for VLAN routing. Syntax ip virtual-router mac-address mac-address Parameters mac-address mac-address—Enter the MAC address of the anycast L3 gateway. Default Not configured Command mode CONFIGURATION Usage information Configure the same MAC address on all VLT switches. As the configured MAC address is automatically used for all VLANs, configure it in Global Configuration mode.
Example
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
       @ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated
Q: A - Access (Untagged), T - Tagged
    NUM    Status    Description    Q Ports
*   1      Active                   A Eth1/1/15
                                    A Po100
    2101   Active                   T Eth1/1/1,1/1/3
                                    T Po100
    2102   Active                   T Eth1/1/1,1/1/3
Supported Releases 10.2.0E or later
show vlt mismatch Displays the anycast IP configuration mismatch between VLT peers.
Example PVLAN uses: ● Guest access management—The network administrator in a hotel uses an isolated VLAN for providing guest users access to the Internet. Using isolated VLANs restricts direct access between the guest users. ● Service provider networks—Using PVLAN, a service provider can provide L2 security for customers and use IP addresses more efficiently. For example, the service provider can have a separate community VLAN per customer.
○ You can associate the PVLAN trunk port to both primary and secondary VLANs. This port carries traffic from both the primary and secondary VLANs. ○ To configure a PVLAN trunk port, associate a regular tagged port that is not a promiscuous or secondary port to a VLAN within a PVLAN domain. There are no specific CLI commands to configure a port as a PVLAN trunk port. NOTE: OS10 supports MAC address movement within a PVLAN domain.
● You can configure a regular VLAN as a PVLAN only when it does not have any member ports associated with it. Remove the member ports from a VLAN before you configure it as a PVLAN. ● To convert a PVLAN to a regular VLAN, you must remove the PVLAN mode. Ensure that you remove the member ports from the PVLAN and the primary and secondary VLAN mapping before you remove the PVLAN mode. ● You can configure an L2 switch port as a PVLAN port using the private-vlan mode {promiscuous | secondaryport} command.
a. Create a VLAN.
OS10(config)# interface vlan 30
b. Configure the PVLAN mode as a community VLAN.
OS10(conf-if-vl-30)# private-vlan mode community
c. Configure a secondary port.
OS10(config)# interface ethernet 1/1/3
OS10(conf-if-eth1/1/3)# switchport mode trunk
OS10(conf-if-eth1/1/3)# private-vlan mode secondary-port
d. Associate the secondary port to the community VLAN.
OS10(conf-if-eth1/1/3)# switchport trunk allowed vlan 30
4. Associate the list of secondary VLANs to the primary VLAN.
NOTE: ● For a regular switch port in Trunk mode, you must tag all VLANs of the PVLAN domain. ● If you enable local proxy arp in the primary VLAN, both the host and the primary VLAN (as the local proxy) send an ARP reply. 1. Enter Configuration mode. OS10# configure terminal 2. Enter Interface Configuration mode. OS10(config)# interface ethernet 1/1/4 3. Configure the switchport mode as trunk so that the port can carry traffic for more than one VLAN. OS10(conf-if-eth1/1/4)# switchport mode trunk 4.
5. Associate the port to be a trunk member of a PVLAN secondary VLAN. In this example, vlan 20 is an isolated secondary VLAN. OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 20 6. Associate the port to be a trunk member of a regular VLAN (non-PVLAN). OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 100 7. Configure the PVLAN port as member of untagged VLAN. Here VLAN 101 is a regular VLAN.
6. Associate the port to be a trunk member of regular VLAN.
1. Enter Configuration mode. OS10# configure terminal 2. Enter Interface Configuration mode. OS10(config)# interface ethernet 1/1/5 3. Remove the port from the PVLANs. OS10(conf-if-eth1/1/5)# no switchport access vlan OS10(conf-if-eth1/1/5)# no switchport trunk allowed vlan 10 OS10(conf-if-eth1/1/5)# show configuration ! interface ethernet1/1/5 no shutdown private-vlan mode promiscuous switchport mode trunk 4. Reset PVLAN Port mode.
no shutdown
private-vlan mode secondary-port
OS10(conf-if-vl-20)#
View PVLAN information
View PVLAN mapping information
OS10# show vlan private-vlan mapping
Private Vlan:
 Primary : 10
 Isolated : 20
 Community : 30
OS10# show vlan private-vlan
Primary Secondary Type      Active Ports
------- --------- --------- ------ --------------------------------------------
10                Primary   Yes    Eth1/1/1,1/1/5
        20        Isolated  Yes    Eth1/1/2
        30        Community Yes    Eth1/1/3
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote P
To view PVLAN ARP entries that are resolved or configured through a secondary VLAN, use the show ip arp command.
OS10# show ip arp
Codes: pv – private vlan where the mac is originally learnt
Address     Hardware address     Interface          Egress Interface
-----------------------------------------------------------------------------
11.1.1.2    90:b1:1c:f4:a6:ee    ethernet1/1/25:1   ethernet1/1/25:1
41.1.1.2    4c:d9:8f:fa:2b:59    vlan100            port-channel100     pv 20
12.1.1.
1 Secondary-port
* 2
vlt-port-channel ID : 30
VLT Unit ID    Configured port-mode
----------------------------------------------------------------------------
1              Secondary-port
* 2
● To view VLAN mode configuration mismatch:
OS10# show vlt 1 mismatch private-vlan vlan-mode
Private VLAN mode mismatch:
VLAN: 10
VLT Unit ID    Configured PVLAN mode
----------------------------------------------------------------------------
1              Isolated
* 2            Community
Interaction with other features
Port security
OS10 supports the followin
L2 communication is not permitted between hosts connected to ports in an isolated VLAN and hosts connected to ports in any of the secondary VLANs. Also, hosts connected to ports in a community VLAN cannot communicate with hosts connected to ports in another community or isolated VLAN. However, these hosts can communicate with each other over L3 through the primary VLAN. To configure an L3 VLAN interface, enable the local proxy ARP feature. For more information, see Configure Layer 3 VLAN interface.
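The L2 isolation rules above can be turned into a checkable reachability model. The following is an added example, not Dell EMC code: it parses show vlan private-vlan mapping output (the sample is constructed from the AG1 values shown in this guide, laid out one field per line) and answers whether two VLANs of a PVLAN domain may exchange frames at L2. It assumes standard PVLAN behavior for the primary VLAN, which reaches every secondary VLAN in its own domain; the function names are hypothetical.

```python
import re

# Constructed sample: the AG1 mapping values from this guide, one field per line.
SAMPLE_MAPPING = """\
Private Vlan:
 Primary   : 100
 Isolated  : 13
 Community : 11-12
Private Vlan:
 Primary   : 200
 Isolated  : 22
 Community : 21
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '11-12,21' into {11, 12, 21}."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_mapping(text):
    """Map every VLAN ID in the output to (primary_vlan, role)."""
    roles = {}
    for block in text.split("Private Vlan:")[1:]:
        primary = re.search(r"Primary\s*:\s*(\d+)", block)
        if not primary:
            continue
        domain = int(primary.group(1))
        roles[domain] = (domain, "primary")
        for role in ("isolated", "community"):
            field = re.search(role.capitalize() + r"\s*:\s*(\d[\d,\-]*)", block)
            if field:
                for vlan in expand_vlans(field.group(1)):
                    roles[vlan] = (domain, role)
    return roles


def l2_allowed(roles, vlan_a, vlan_b):
    """Return True if hosts in vlan_a and vlan_b may talk directly at L2."""
    for vlan in (vlan_a, vlan_b):
        if vlan not in roles:
            raise ValueError(f"VLAN {vlan} is not part of a PVLAN domain")
    (dom_a, role_a), (dom_b, role_b) = roles[vlan_a], roles[vlan_b]
    if dom_a != dom_b:
        return False                      # different PVLAN domains
    if "primary" in (role_a, role_b):
        return True                       # assumption: primary reaches its secondaries
    # Isolated hosts reach no secondary VLAN, not even their own.
    # Community hosts reach only members of the same community VLAN.
    return role_a == role_b == "community" and vlan_a == vlan_b


def blocked_pairs(roles):
    """Secondary VLAN pairs in one domain that must not reach each other at L2."""
    secondaries = sorted(v for v, (_, r) in roles.items() if r != "primary")
    return [(a, b)
            for i, a in enumerate(secondaries)
            for b in secondaries[i:]
            if roles[a][0] == roles[b][0] and not l2_allowed(roles, a, b)]


if __name__ == "__main__":
    table = parse_mapping(SAMPLE_MAPPING)
    for pair in blocked_pairs(table):
        print("L2 must be blocked between VLANs", pair)
```

The list returned by blocked_pairs gives the host pairs to test after a change; any pair that answers at L2 indicates a port in the wrong secondary VLAN or a missing PVLAN mode.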
PVLAN commands ip local-proxy-arp Enables the local proxy Address Resolution Protocol (ARP) on an interface. Syntax ip local-proxy-arp Parameters None Default Not applicable Command Mode VLAN INTERFACE CONFIGURATION Usage Information ● The router responds to ARP requests for addresses that are on the same subnetwork of that interface. ● This command is applicable only for the primary VLAN. ● Ensure that you configure an IPv4 address on the primary VLAN before you enable local proxy ARP.
● isolated—Configures the VLAN as an isolated VLAN. ● primary—Configures the VLAN as a primary VLAN. Default Regular VLAN Command Mode VLAN INTERFACE CONFIGURATION Usage Information ● Configures a PVLAN as a community, isolated, or primary VLAN. You must not add VLAN members before you configure PVLAN mode.
Example—To configure an interface as PVLAN promiscuous port. OS10(config)# interface port-channel20 OS10(conf-if-po-20)# private-vlan mode promiscuous OS10(conf-if-po-20)#exit OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# private-vlan mode promiscuous Example—To configure an interface as a secondary port. OS10(conf-if-po-20)# private-vlan mode secondary-port OS10(conf-if-po-20)# no private-vlan mode Example—To configure a secondary port as a trunk port.
Parameters vlan-id—(Optional) Enter a VLAN ID, from 1 to 4093. Command Mode EXEC Usage Information This command displays information about primary and secondary VLANs.
show vlan private-vlan isolated Displays the isolated VLANs and their members (secondary-port) in the device. Syntax show vlan private-vlan isolated Parameters None Command Mode EXEC Usage Information Use this command to verify information about the isolated VLANs and the associated primary VLAN.
Parameters interface-name—Enter the interface information in node/slot/port[:subport] format. Command Mode EXEC Usage Information Use this command to verify information about the PVLAN-specific details of an interface. This command displays the VLAN ID associated with the interface.
Example: PVLAN deployment with L2-L3 boundary at the spine layer The following use case illustrates a deployment scenario in which the end devices that belong to different tenants are separated using secondary VLANs. Here, the private VLAN domain is spanned across two data centers using an ISL trunk port. In this example: ● The configured trunk port carries the traffic for both the primary and secondary VLANs.
AG1 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG1(config)# interface ethernet1/1/11 AG1(conf-if-eth1/1/11)# no shutdown AG1(conf-if-eth1/1/11)# no switchport AG1(conf-if-eth1/1/11)# exit AG1(config)# interface ethernet1/1/12 AG1(conf-if-eth1/1/12)# no shutdown AG1(conf-if-eth1/1/12)# no switchport AG1(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG1(config)# vlt-domain 255 AG1(conf-vlt-255)# backup destination 100.104.80.
AG1(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG1(conf-vlt-255)# peer-routing
AG1(conf-vlt-255)# primary-priority 1
AG1(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG1(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG1(conf-if-po-101)# vlt-port-channel 1022 AG1(conf-if-po-101)# exit 4. Configure the primary VLANs and the PVLAN mode. AG1(config)# interface vlan 100 AG1(conf-if-vl-100)# private-vlan mode primary AG1(conf-if-vl-100)# exit AG1(config)# interface vlan 200 AG1(conf-if-vl-200)# private-vlan mode primary AG1(conf-if-vl-200)# exit 5. Configure the secondary VLANs and the respective PVLAN modes.
AG1(conf-if-eth1/1/2)# no shutdown AG1(conf-if-eth1/1/2)# private-vlan mode secondary-port AG1(conf-if-eth1/1/2)# exit 8. Associate the member ports to the secondary VLANs.
AG2(conf-if-eth1/1/12)# no switchport AG2(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG2(config)# vlt-domain 255 AG2(conf-vlt-255)# backup destination 100.104.80.14 AG2(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12 AG2(conf-vlt-255)# peer-routing AG2(conf-vlt-255)# primary-priority 65535 AG2(conf-vlt-255)# vlt-mac 00:00:00:00:01:01 AG2(conf-vlt-255)# exit 3. Configure the VLT port channels.
AG2(conf-if-eth1/1/10)# no switchport AG2(conf-if-eth1/1/10)# channel-group 101 mode active AG2(conf-if-eth1/1/10)# exit AG2(config)# interface port-channel 101 AG2(conf-if-po-101)# vlt-port-channel 1022 AG2(conf-if-po-101)# exit 4. Configure the primary VLANs and the PVLAN mode. AG2(config)# interface vlan 100 AG2(conf-if-vl-100)# private-vlan mode primary AG2(conf-if-vl-100)# exit AG2(config)# interface vlan 200 AG2(conf-if-vl-200)# private-vlan mode primary AG2(conf-if-vl-200)# exit 5.
AG2(conf-if-eth1/1/1)# no shutdown
AG2(conf-if-eth1/1/1)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/1)# exit
AG2(config)# interface ethernet1/1/2
AG2(conf-if-eth1/1/2)# no shutdown
AG2(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
AG3(config)# interface ethernet1/1/12 AG3(conf-if-eth1/1/12)# no shutdown AG3(conf-if-eth1/1/12)# no switchport AG3(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG3(config)# vlt-domain 255 AG3(conf-vlt-255)# backup destination 100.104.80.15 AG3(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12 AG3(conf-vlt-255)# peer-routing AG3(conf-vlt-255)# primary-priority 1 AG3(conf-vlt-255)# vlt-mac 00:00:00:00:00:02 AG3(conf-vlt-255)# exit 3. Configure the VLT port channels.
AG3(config)# interface vlan 13 AG3(conf-if-vl-13)# private-vlan mode isolated AG3(conf-if-vl-13)# exit AG3(config)# interface vlan 21 AG3(conf-if-vl-21)# private-vlan mode community AG3(conf-if-vl-21)# exit AG3(config)# interface vlan 22 AG3(conf-if-vl-22)# private-vlan mode isolated AG3(conf-if-vl-22)# exit 6. Associate the secondary VLANs to the primary VLAN.
AG4(conf-if-eth1/1/11)# no switchport AG4(conf-if-eth1/1/11)# exit AG4(config)# interface ethernet1/1/12 AG4(conf-if-eth1/1/12)# no shutdown AG4(conf-if-eth1/1/12)# no switchport AG4(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG4(config)# vlt-domain 255 AG4(conf-vlt-255)# backup destination 100.104.80.
AG4(conf-if-vl-12)# private-vlan mode community AG4(conf-if-vl-12)# exit AG4(config)# interface vlan 13 AG4(conf-if-vl-13)# private-vlan mode isolated AG4(conf-if-vl-13)# exit AG4(config)# interface vlan 21 AG4(conf-if-vl-21)# private-vlan mode community AG4(conf-if-vl-21)# exit AG4(config)# interface vlan 22 AG4(conf-if-vl-22)# private-vlan mode isolated AG4(conf-if-vl-22)# exit 6. Associate the secondary VLANs to the primary VLAN.
AG4(conf-if-po-128)# switchport trunk allowed vlan 11-13,21-22,100,200 AG4(conf-if-po-128)# exit Spine Switch 1. Create the primary VLANs extended from AG1 and AG2. SPINE(config)# interface vlan 100 SPINE(conf-if-vl-100)# ip address 172.1.1.1/16 SPINE(conf-if-vl-100)# exit SPINE(config)# interface vlan 200 SPINE(conf-if-vl-200)# ip address 172.2.1.1/16 SPINE(conf-if-vl-200)# exit 2. Associate the VLT port channels to the primary VLANs extended from AG1 and AG2.
To verify private VLAN configurations, use the show vlan private-vlan mapping command. AG1# show vlan private-vlan mapping Private Vlan: Primary : 100 Isolated : 13 Community : 11-12 Private Vlan: Primary : 200 Isolated : 22 Community : 21 AG1# To verify the MAC address table entries for the primary VLAN, use the show mac address-table command. On primary VLAN The output of this show command displays: ● The MAC addresses that are learned on the primary VLAN.
AG1 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG1(config)# interface ethernet1/1/11 AG1(conf-if-eth1/1/11)# no shutdown AG1(conf-if-eth1/1/11)# no switchport AG1(conf-if-eth1/1/11)# exit AG1(config)# interface ethernet1/1/12 AG1(conf-if-eth1/1/12)# no shutdown AG1(conf-if-eth1/1/12)# no switchport AG1(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG1(config)# vlt-domain 255 AG1(conf-vlt-255)# backup destination 100.104.80.
AG1(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG1(conf-vlt-255)# peer-routing
AG1(conf-vlt-255)# primary-priority 1
AG1(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG1(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG1(conf-if-po-3)# vlt-port-channel 1022 AG1(conf-if-po-3)# exit 4. Configure the primary VLANs and the PVLAN mode. AG1(config)# interface vlan 100 AG1(conf-if-vl-100)# private-vlan mode primary AG1(conf-if-vl-100)# exit AG1(config)# interface vlan 200 AG1(conf-if-vl-200)# private-vlan mode primary AG1(conf-if-vl-200)# exit 5. Configure the secondary VLANs and the respective PVLAN modes.
AG1(conf-if-eth1/1/2)# no shutdown AG1(conf-if-eth1/1/2)# private-vlan mode secondary-port AG1(conf-if-eth1/1/2)# exit 8. Associate the member ports to the secondary VLANs.
AG2 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG2(config)# interface ethernet1/1/11 AG2(conf-if-eth1/1/11)# no shutdown AG2(conf-if-eth1/1/11)# no switchport AG2(conf-if-eth1/1/11)# exit AG2(config)# interface ethernet1/1/12 AG2(conf-if-eth1/1/12)# no shutdown AG2(conf-if-eth1/1/12)# no switchport AG2(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG2(config)# vlt-domain 255 AG2(conf-vlt-255)# backup destination 100.104.80.
AG2(config)# interface ethernet1/1/22 AG2(conf-if-eth1/1/22)# no shutdown AG2(conf-if-eth1/1/22)# no switchport AG2(conf-if-eth1/1/22)# channel-group 128 mode active AG2(conf-if-eth1/1/22)# exit AG2(config)# interface port-channel 128 AG2(conf-if-po-3)# vlt-port-channel 1024 AG2(conf-if-po-3)# exit AG2(config)# interface ethernet1/1/10 AG2(conf-if-eth1/1/10)# no shutdown AG2(conf-if-eth1/1/10)# no switchport AG2(conf-if-eth1/1/10)# channel-group 101 mode active AG2(conf-if-eth1/1/10)# exit AG2(config)# inte
AG2(config)# interface port-channel3
AG2(conf-if-po-3)# no shutdown
AG2(conf-if-po-3)# private-vlan mode secondary-port
AG2(conf-if-po-3)# exit
AG2(config)# interface port-channel4
AG2(conf-if-po-4)# no shutdown
AG2(conf-if-po-4)# private-vlan mode secondary-port
AG2(conf-if-po-4)# exit
AG2(config)# interface ethernet1/1/1
AG2(conf-if-eth1/1/1)# no shutdown
AG2(conf-if-eth1/1/1)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/1)# exit
AG2(config)# interface AG2(conf-if-eth1/1/2)# AG2(conf-if-eth1/1/2
AG2(conf-if-vl-200)# ip virtual-router address 172.2.0.254 AG2(conf-if-vl-200)# exit AG3 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG3(config)# interface ethernet1/1/11 AG3(conf-if-eth1/1/11)# no shutdown AG3(conf-if-eth1/1/11)# no switchport AG3(conf-if-eth1/1/11)# exit AG3(config)# interface ethernet1/1/12 AG3(conf-if-eth1/1/12)# no shutdown AG3(conf-if-eth1/1/12)# no switchport AG3(conf-if-eth1/1/12)# exit 2. Configure the VLT domain.
AG3(config)# interface vlan 200 AG3(conf-if-vl-200)# private-vlan mode primary AG3(conf-if-vl-200)# exit 5. Configure the secondary VLANs and the respective PVLAN modes.
9. Associate the ISL to the primary and the secondary VLANs as a normal trunk port. AG3(config)# interface port-channel128 AG3(conf-if-po-128)# switchport mode trunk AG3(conf-if-po-128)# switchport trunk allowed vlan 11-13,21-22,100,200 AG3(conf-if-po-128)# exit 10. Configure anycast MAC address. AG3(config)# ip virtual-router mac-address 00:00:00:44:44:44 11. Configure IP address and anycast IP address on the primary VLANs. AG3(config)# interface vlan 100 AG3(conf-if-vl-100)# ip address 172.1.1.
AG4(conf-if-eth1/1/21)# no shutdown
AG4(conf-if-eth1/1/21)# no switchport
AG4(conf-if-eth1/1/21)# channel-group 128 mode active
AG4(conf-if-eth1/1/21)# exit
AG4(config)# interface ethernet1/1/24
AG4(conf-if-eth1/1/24)# no shutdown
AG4(conf-if-eth1/1/24)# no switchport
AG4(conf-if-eth1/1/24)# channel-group 128 mode active
AG4(conf-if-eth1/1/24)# exit
AG4(config)# interface port-channel128
AG4(conf-if-po-128)# vlt-port-channel 1024
AG4(conf-if-po-128)# exit
4. Configure the primary VLANs and the PVLAN mode.
AG4(config)# interface ethernet1/1/2
AG4(conf-if-eth1/1/2)# no shutdown
AG4(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG4(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
SPINE(config)# interface ethernet1/1/11 SPINE(conf-if-eth1/1/11)# no shutdown SPINE(conf-if-eth1/1/11)# no switchport SPINE(conf-if-eth1/1/11)# channel-group 101 mode active SPINE(conf-if-eth1/1/11)# exit 3. (Optional) To enable connectivity between end devices that belong to different secondary VLANs (community or isolated or both) of a PVLAN domain, enable ip local-proxy-arp on the VLAN in the spine switch. SPINE(config)# interface vlan100 SPINE(conf-if-vl-100)# ip address 172.1.1.
Configure local monitoring session 1. Verify that the intended monitoring port has no configuration other than no shutdown and no switchport. show running-configuration 2. Create a monitoring session in CONFIGURATION mode. monitor session session-id [local] 3. Enter the source and direction of the monitored traffic in MONITOR-SESSION mode. source interface interface-type {both | rx | tx} 4. Enter the destination of traffic in MONITOR-SESSION mode.
Session and VLAN requirements RPM requires the following: ● Source session, such as monitored ports on different source devices. ● Reserved tagged VLAN for transporting monitored traffic configured on source, intermediate, and destination devices. ● Destination session, where destination ports connect to analyzers on destination devices. Configure any network device with source and destination ports.
Source session ● Configure physical ports and port channels as sources in remote port monitoring and use them in the same source session. You can use both L2, configured with the switchport command, and L3 ports as source ports. Optionally, to monitor the configured VLAN traffic on source ports, configure one or more source VLANs. ● Use the default VLAN and native VLANs as a source VLAN. ● You cannot configure the dedicated VLAN used to transport mirrored traffic as a source VLAN.
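Because a monitoring session copies traffic to another port or VLAN, it is worth reviewing which sessions exist on a switch. The following is an added example, not Dell EMC code: it parses monitor session stanzas from a saved running configuration and reports enabled sessions whose destination is not on an approved list or that run without flow-based enable. The sample configuration is constructed, the approved list is a hypothetical site policy, and the script assumes that sub-commands are indented by one space and that a session without no shut is disabled.

```python
import re

# Constructed sample in running-configuration layout (not captured from a device).
SAMPLE_CONFIG = """\
!
monitor session 1
 destination interface ethernet1/1/26:1
 flow-based enable
 source interface ethernet1/1/12 rx
 no shut
!
monitor session 5 type rpm-source
 destination remote-vlan 100
 source interface ethernet1/1/25:1 rx
 no shut
!
monitor session 7
 destination interface ethernet1/1/30
 source interface port-channel1 both
!
interface ethernet1/1/26:1
 no shutdown
 no switchport
"""

# Hypothetical allow-list: destinations approved to receive mirrored traffic.
APPROVED_DESTINATIONS = {"interface ethernet1/1/26:1"}

SESSION_RE = re.compile(r"^monitor session (\d+)(?: type (\S+))?\s*$")


def parse_monitor_sessions(config):
    """Return one dict per 'monitor session' stanza found in the configuration."""
    sessions, current = [], None
    for raw in config.splitlines():
        header = SESSION_RE.match(raw)
        if header:
            current = {
                "id": int(header.group(1)),
                "type": header.group(2) or "local",
                "destination": None,
                "sources": [],
                "flow_based": False,
                "enabled": False,
            }
            sessions.append(current)
            continue
        if not raw.startswith(" "):
            current = None          # "!" or another top-level stanza ends the session
            continue
        if current is None:
            continue                # indented line that belongs to some other stanza
        line = raw.strip()
        if line.startswith("destination "):
            current["destination"] = line[len("destination "):]
        elif line.startswith("source "):
            current["sources"].append(line[len("source "):])
        elif line == "flow-based enable":
            current["flow_based"] = True
        elif line in ("no shut", "no shutdown"):
            current["enabled"] = True
    return sessions


def audit(sessions, approved=APPROVED_DESTINATIONS):
    """Return (session_id, reason) findings for enabled sessions."""
    findings = []
    for session in sessions:
        if not session["enabled"]:
            continue                # assumption: without 'no shut' nothing is mirrored
        if session["destination"] not in approved:
            findings.append((session["id"], "destination not on the approved list"))
        if not session["flow_based"]:
            findings.append((session["id"],
                             "no flow-based filter: all traffic in the configured "
                             "direction is copied"))
    return findings


if __name__ == "__main__":
    for session_id, reason in audit(parse_monitor_sessions(SAMPLE_CONFIG)):
        print(f"monitor session {session_id}: {reason}")
```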
destination remote-vlan 20 source interface ethernet1/1/26:1 rx // The source interface can be either a physical interface or a VLAN no shut source# show monitor session all S.
destination# show running-configuration monitor ! monitor session 1 destination interface ethernet1/1/26:1 flow-based enable source interface ethernet1/1/12 rx no shut destination# destination# show monitor session all S.
Configure encapsulated remote port monitoring Encapsulated remote port monitoring requires valid source and destination IP addresses. Ensure that the source IP address is local and destination IP address is remote. You can also configure the time-to-live (TTL), which defines the life span of the data transmitted through the network and differentiated services code point (DSCP) values. 1. Create monitoring session in CONFIGURATION mode. monitor session session-id type erpm-source 2.
1. Enable flow-based monitoring for a monitoring session in MONITOR-SESSION mode. flow-based enable 2. Return to CONFIGURATION mode. exit 3. Create an access list in CONFIGURATION mode. ip access-list access-list-name 4. Define access-list rules using seq, permit, and deny statements in CONFIG-ACL mode. ACL rules describe the traffic to monitor. seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [fragments] [threshold-in-msgs count] [capture session session-id] 5.
RPM on VLT Scenarios Scenario 1 Mirror VLTi member ports traffic to a VLT port-channel. The packet analyzer connects to the ToR switch.
ToR switch configs: interface vlan100 no shutdown mac access-list rspan seq 10 permit any any capture session 1 vlan 100 ! Connect port channel to VLT: interface port-channel 1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 100 mac access-group rspan in ! monitor session 1 destination interface ethernet1/1/26:1 flow-based enable source interface port-channel1 rx no shut ! Connect port to packet analyzer: interface ethernet 1/1/26:1 no shutdown no switchport flowcont
Configs on VLTPeer1 interface vlan 100 no shutdown remote-span mac access-list rspan seq 10 permit any any capture session 1 vlan 10 ! Orphan port: interface ethernet 1/1/25:1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 10 flowcontrol receive on mac access-group rspan in ! interface port-channel 1 no shutdown switchport mode trunk
switchport access vlan 1 switchport trunk allowed vlan 100 vlt-port-channel 1 ! monitor session 1 type rpm-source destination remote-vlan 100 flow-based enable source interface ethernet1/1/25:1 rx no shut ! TOR switch configs interface vlan100 no shutdown mac access-list rspan seq 10 permit any any capture session 1 vlan 100 ! Connect port channel to VLT: interface port-channel 1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 100 mac access-group rspan in ! monito
Example OS10(conf-mon-local-1)# description remote OS10(conf-mon-rpm-source-5)# description "RPM Sesssion" OS10(conf-mon-erpm-source-10)# description "ERPM Session" Supported Releases 10.2.0E or later destination Sets the destination where monitored traffic is sent to. The monitoring session can be local, RPM, or ERPM. Syntax destination {interface interface-type | remote-vlan vlan-id} Parameters interface-type—Enter the interface type for a local monitoring session.
Example OS10(conf-mon-local-1)# flow-based enable OS10(conf-mon-rpm-source-2)# flow-based enable OS10(conf-mon-erpm-source-3)# flow-based enable Supported Releases 10.2.0E or later ip Configures the IP time-to-live (TTL) value and the differentiated services code point (DSCP) value for the ERPM traffic. Syntax ip {ttl ttl-number | dscp dscp-number} Parameters ● ttl-number—Enter the TTL value, from 1 to 255. ● dscp-number—Enter the DSCP value, from 0 to 63.
Example (ERPM)
OS10(config)# monitor session 10 type erpm-source
OS10(conf-mon-erpm-source-10)#
Supported Releases 10.2.0E or later
show monitor session
Displays information about a monitoring session.
Syntax show monitor session {session-id | all}
Parameters
● session-id—Enter the session ID number, from 1 to 18.
● all—View all monitoring sessions.
Default All
Command Mode EXEC
Usage Information In the State field, true indicates that the port is enabled.
Example OS10(config)# monitor session 1 OS10(conf-mon-local-1)# no shut OS10(config)# monitor session 5 type rpm-source OS10(conf-mon-rpm-source-5)# no shut OS10(config)# monitor session 10 type erpm-source OS10(conf-mon-erpm-source-10)# no shut Supported Releases 10.2.0E or later source Configures a source for port monitoring. The monitoring session can be: local, RPM, or ERPM.
Default Not configured Command Mode MONITOR-SESSION Usage Information This command is introduced on the MX9116n and MX5108n with support for full-switch mode from the Dell EMC SmartFabric OS release 10.4.0(R3S). Also supported in SmartFabric Services mode on the MX9116n and MX5108n from the Dell EMC SmartFabric OS release 10.5.1. Example Supported Releases OS10(config)# monitor session 10 OS10(conf-mon-erpm-source-10)# source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006 10.4.
14 Layer 3
Bidirectional forwarding detection (BFD): Provides rapid failure detection in links with adjacent routers (see BFD commands).
Border Gateway Protocol (BGP): Provides an external gateway protocol that transmits inter-domain routing information within and between autonomous systems (see BGP Commands).
Equal Cost Multi-Path (ECMP): Provides next-hop packet forwarding to a single destination over multiple best paths (see ECMP Commands).
1. Enter the ip vrf management command in CONFIGURATION mode. Use Non-Transaction-Based Configuration mode only. Do not use Transaction-Based mode. 2. Add the management interface using the interface management command in VRF CONFIGURATION mode. Configure management VRF OS10(config)# ip vrf management OS10(conf-vrf)# interface management You can enable various services in both management or default VRF instances. The services that are supported in the management and default VRF instances are: Table 82.
The following example shows removing IP address, configuring management VRF, and then adding IP address: OS10(conf-if-ma-1/1/1)# do show version Dell EMC Networking OS10 Enterprise Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved. OS Version: 10.5.2.0 Build Version: 10.5.2.0.
When you create a new non-default VRF instance, OS10 does not assign any interface to it. You can assign the new VRF instance to any of the existing physical or logical interfaces, provided they are not already assigned to another non-default VRF. NOTE: When you create a new logical interface, OS10 assigns it automatically to the default VRF instance. In addition, OS10 initially assigns all physical Layer 3 interfaces to the default VRF instance.
ip address 10.1.1.1/24 4. Assign an IPv6 address to the interface. INTERFACE CONFIGURATION ipv6 address 1::1/64 You can also auto configure an IPv6 address using the ipv6 address autoconfig command. Assign an interface back to the default VRF instance Table 83. Configurations to be deleted CONFIGURATION MODE COMMAND IP address—In interface configuration mode, undo the IP address configuration.
Deleting a non-default VRF instance Before deleting a non-default VRF instance, ensure all the dependencies and associations corresponding to that VRF instance are first deleted or disabled. The following procedure describes how to delete a non-default VRF instance: After deleting all dependencies, you can delete the non-default VRF instances that you have created.
Figure 8. Setup VRF Interfaces Router 1 ip vrf blue ! ip vrf orange ! ip vrf green ! interface ethernet 1/1/1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 128,192,256 flowcontrol receive off ! interface ethernet1/1/2 no shutdown no switchport ip vrf forwarding blue ip address 20.0.0.
no switchport ip vrf forwarding orange ip address 30.0.0.1/24 ! interface ethernet1/1/4 no shutdown no switchport ip vrf forwarding green ip address 40.0.0.1/24 ! interface vlan128 mode L3 no shutdown ip vrf forwarding blue ip address 1.0.0.1/24 ! interface vlan192 mode L3 no shutdown ip vrf forwarding orange ip address 2.0.0.1/24 ! ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.1/24 ! ip route vrf green 31.0.0.0/24 3.0.0.
ip vrf forwarding orange ip address 2.0.0.2/24 ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.2/24 ! ip route vrf green 30.0.0.0/24 3.0.0.
Router 2 show command output OS10# show ip vrf VRF-Name blue Interfaces Eth1/1/5 Vlan128 default Mgmt1/1/1 Vlan1,24-25,200 green Eth1/1/7 Vlan256 orange Eth1/1/6 Vlan192 OS10# show ip route vrf blue Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of las
Static route leaking Route leaking enables routes that are configured in a default or non-default VRF instance to be made available to another VRF instance. You can leak routes from a source VRF instance to a destination VRF instance. The routes need to be leaked in both source and destination VRFs to achieve end-to-end traffic flow. If there are any connected routes in the same subnet as statically leaked routes, then the connected routes take precedence.
--------------------------------------------------------------------------------------------------C 120.0.0.0/24 via 120.0.0.1 ethernet1/1/1 0/0 00:00:57 S 140.0.0.
Figure 9. Route leaking between VRFs with asymmetric IRB routing For VXLAN-related configurations, see Configure VXLAN. To configure route leaking between VRFs with asymmetric IRB routing: VTEP1 1. Configure IP helper address specifying the DHCP server ip address in the client-connected virtual networks with the client-connected VRF name. For IPv6 DHCP helper address, specify the server VRF in the helper-address command.
VTEP2 1. Configure IP helper address specifying the DHCP server ip address in the client-connected virtual networks with the client-connected VRF name. For IPv6 DHCP helper address, specify the server VRF in the helper-address command. VTEP2(config)# interface virtual-network 10 VTEP2(conf-if-vn-10)# ip helper-address 20.1.1.100 vrf GREEN 2. Configure loopback interfaces. Assign the loopback interfaces as source interfaces for the VRF.
Table 84. Unsupported export and import route map attributes Route map option Attribute Protocol set as-path BGP set community BGP set comm-list BGP set tag OSPF set extcommunity BGP set extcomm-list BGP set local-preference BGP set origin BGP set metric-type BGP set weight BGP set route-type local BGP Table 85.
Route selection in the leaked VRF ● If a route is present in the local VRF and the same route is leaked from another VRF, OS10 prefers the route with the lowest administrative distance. ● If a route is present in the local VRF and the same route is leaked from another VRF with the same administrative distance, OS10 prefers the local route. ● When OS10 compares routes that are received from different sources, the software prefers routes with the lowest administrative distance.
OS10(conf-vrf)# ip route-export 2:2 Leak all IPv6 routes from one VRF to another VRF Use the following procedure to export (leak) all IPv6 routes from all routing protocols from one VRF instance to another VRF instance: 1. Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name 2. Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode. ipv6 route-export route-target 3. Enter the VRF instance to which you want to leak routes in CONFIGURATION mode.
Or ipv6 route-export route-target route-map route-map-name Use any of the supported match or set attributes as required. ● Enter the VRF instance to which you want to leak routes in CONFIGURATION mode. ip vrf destination-vrf-name ● Import routes from another VRF instance in VRF-CONFIGURATION mode using the same route target. ip route-import route-target route-map route-map-name Or ipv6 route-import route-target route-map route-map-name Use any of the supported match or set attributes as required.
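A leak exists wherever one VRF exports a route target that another VRF imports, so a configuration review can rebuild the set of VRF pairs that exchange routes and check each for a route map and for the return leg that end-to-end traffic flow requires. The Python audit below is an added example, not Dell EMC code: the sample configuration, VRF names, route targets and route-map names are constructed, and the parser assumes running-config or CLI-transcript text that uses only the ip/ipv6 route-export and route-import forms shown in this guide.

```python
import re
from collections import namedtuple

# Constructed sample in OS10 running-config style. VRF names, route targets
# and route-map names are illustrative, not taken from a real device.
SAMPLE_CONFIG = """\
ip vrf vrf1
 ip route-export 1:1 route-map export_static
 ip route-import 2:2
!
ip vrf vrf2
 ip route-import 1:1
 ip route-export 2:2
!
ip vrf vrf3
 ipv6 route-import 1:1
 ip route-import 1:1 route-map import_filter
!
"""

PROMPT = re.compile(r"^\S+\(conf[^)]*\)#\s*")  # e.g. "OS10(conf-vrf)# "
VRF = re.compile(r"^ip vrf (\S+)$")
LEAK_CMD = re.compile(
    r"^(ip|ipv6) route-(export|import) (\S+)(?: route-map (\S+))?$"
)

Statement = namedtuple("Statement", "vrf family direction target route_map")
Leak = namedtuple("Leak", "family target src dst export_map import_map")


def parse_statements(text):
    """Collect route-export/route-import statements per VRF context."""
    statements, current = [], None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if not line:
            continue
        if line in ("!", "exit"):          # end of the current VRF block
            current = None
            continue
        m = VRF.match(line)
        if m:
            current = m.group(1)
            continue
        m = LEAK_CMD.match(line)
        if m and current is not None:      # statements outside a VRF are skipped
            family, direction, target, rmap = m.groups()
            statements.append(Statement(current, family, direction, target, rmap))
    return statements


def find_leaks(statements):
    """Pair every export with each import of the same family and route target."""
    exports = [s for s in statements if s.direction == "export"]
    imports = [s for s in statements if s.direction == "import"]
    leaks = []
    for e in exports:
        for i in imports:
            if (e.family, e.target) == (i.family, i.target) and e.vrf != i.vrf:
                leaks.append(Leak(e.family, e.target, e.vrf, i.vrf,
                                  e.route_map, i.route_map))
    return leaks


def audit(text):
    """Return all leaks plus the subsets a reviewer should look at first."""
    statements = parse_statements(text)
    leaks = find_leaks(statements)
    pairs = {(l.family, l.src, l.dst) for l in leaks}
    used = {(l.family, l.target) for l in leaks}
    return {
        "leaks": leaks,
        # Neither side applies a route map: every route crosses the boundary.
        "unfiltered": [l for l in leaks if not (l.export_map or l.import_map)],
        # No leak in the opposite direction between the same two VRFs.
        "one_way": [l for l in leaks if (l.family, l.dst, l.src) not in pairs],
        # Statements whose family and route target take part in no leak.
        "unmatched": [s for s in statements if (s.family, s.target) not in used],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name in ("leaks", "unfiltered", "one_way", "unmatched"):
        print(name)
        for item in report[name]:
            print("  ", item)
```

An entry under "unfiltered" is a VRF boundary with no route policy at all, and an entry under "one_way" is a leak that will not carry return traffic until the reverse export and import are added.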
OS10(conf-vrf)# ipv6 route-import 1:1 OS10(conf-vrf)# ipv6 route-export 2:2 route-map export_ospf Example - Leak only IPv4 static routes In the following example, a route map exports only the static routes from vrf1 and is received by vrf2.
OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# ip route-export 2:2 route-map export_iBGP Example - Leak only IPv6 iBGP routes In the following example, a route map exports only the iBGP routes from vrf1 and is received by vrf2.
Redistribute leaked routes from one VRF to another VRF Use the following procedure to export (leak) and redistribute specific IPv4 routes from one VRF instance to another VRF instance: ● Create a route map. route-map route-map-name Use any of the supported match or set attributes as required. ● Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name ● Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode.
○ Redistribute leaked EVPN routes in BGP-AF-CONFIGURATION mode. redistribute l2vpn evpn [route-map rmap-name] ○ Use the following command to redistribute leaked routes across routing protocols as available: redistribute {connected | bgp | ospf | static | l2vpn evpn} Use any of the supported match or set attributes as required.
OS10(config)# ip vrf vrf1 OS10(conf-vrf)# ipv6 route-export 1:1 route-map export_iBGP OS10(conf-vrf)# ipv6 route-import 2:2 OS10(conf-vrf)# exit OS10(config)# ip vrf vrf2 OS10(conf-vrf)# ipv6 route-import 1:1 OS10(conf-vrf)# ipv6 route-export 2:2 route-map export_iBGP OS10(config)# router bgp 65000 OS10(config-router-bgp-65000)# vrf vrf2 OS10(config-router-bgp-65000-vrf)# address-family ipv6 unicast OS10(configure-router-bgpv6-vrf-af)# redistribute imported-bgp-routes vrf vrf1 Example - Redistribute leaked
OS10(config)# ip vrf vrf1 OS10(conf-vrf)# ipv6 route-export 1:1 route-map export_EVPN OS10(conf-vrf)# ipv6 route-import 2:2 OS10(conf-vrf)# exit OS10(config)# ipv6 route-import 1:1 OS10(config)# ipv6 route-export 2:2 route-map export_EVPN OS10(config)# router bgp 100 OS10(config-router-bgp-100)# address-family ipv6 unicast OS10(configure-router-bgpv6-af)# redistribute l2vpn evpn Example - Route leaking across VRFs in a VXLAN BGP EVPN symmetric IRB topology The following VXLAN with BGP EVPN example uses a C
The following explains how the network is configured: ● All VTEPs perform symmetric IRB routing. In this example, all spine nodes are in one autonomous system and each VTEP in the leaf network belongs to a different autonomous system. Spine switch 1 is in AS 101. Spine switch 2 is in AS 101. For leaf nodes, VLT domain 1 is in AS 201; VLT domain 2 is in AS 202. VLT domain 2 is a border leaf VTEP.
● On VTEPs 1 and 2, two VRFs are present – VRF-Yellow and VRF-Green. VN10001 is part of VRF-Yellow and VN20001 is part of VRF-Green. ● On VTEPs 3 and 4, three VRFs are present – VRF-Yellow, VRF-Green and VRF-Red. VN10001 is part of VRF-Yellow and VN30001 is part of VRF-Red. VRF-Green does not have local VNs. ● On all VTEPs, symmetric IRB is configured in EVPN mode using a unique, dedicated VXLAN VNI, and Auto RD/RT values for each tenant VRF.
3. Configure EVPN with IP-VRFs.
OS10(config-evpn)# vrf Green OS10(config-evpn-vrf-Green)# advertise ipv4 bgp OS10(config-evpn-vrf-Green)# exit b. If the border-leaf does not get a default route from an external router: Configure a static null default route in each VRF and advertise it using advertise ipv4 static command for each VRF in the EVPN. OS10(config)# ip route vrf Yellow 0.0.0.0/0 interface null 0 OS10(config)# ip route vrf Green 0.0.0.
OS10(config-route-map)# match ip address prefix-list PrefixList_Deny_YellowVrfRoutes OS10(config-route-map)# OS10(config-route-map)# router bgp 202 OS10(config-router-bgp-202)# address-family ipv4 unicast OS10(configure-router-bgpv4-af)# redistribute l2vpn evpn OS10(configure-router-bgpv4-af)# redistribute connected OS10(configure-router-bgpv4-af)# exit OS10(config-router-bgp-202)# neighbor 192.168.2.
4. Configure a border-leaf to advertise the default route into the EVPN in each VRF. From the other VTEPs, any traffic to external network and also to networks which are not within the local VRF reaches the Border-Leaf router using this default route. a. If the border-leaf is already getting a default route from an external router for each VRF: Advertise the BGP route using the advertise ipv4 bgp command for each VRF in the EVPN.
OS10(config)# ip vrf Red OS10(conf-vrf)# ip route-export 3:3 route-map RouteMap_RedVrf_Export OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# exit 7. (Optional) For advertising leaked routes from the Yellow VRF only to an external router in the default VRF and not to an underlay network, use route-maps on spine facing eBGP neighbors and also on the iBGP neighbor between the VLT peers. OS10(config)# ip prefix-list PrefixList_Deny_YellowVrfRoutes deny 10.1.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is Direct to network 0.0.0.0 Destination Gateway Dist/ Metric Last Change --------------------------------------------------------------------------------------------------------*S 0.0.0.0/0 Direct null0 0/0 00:39:24 C 10.1.0.0/24 via 10.1.0.
B EX 172.16.1.1/32 20/0 00:22:58 B EX 172.16.1.2/32 20/0 00:22:58 B EX 172.16.1.3/32 20/0 00:22:58 B EX 172.16.1.4/32 20/0 00:22:58 B EX 172.16.1.201/32 20/0 00:22:58 B EX 172.16.1.202/32 20/0 00:22:58 B EX 192.168.0.1/32 20/0 00:22:58 B EX 192.168.0.2/32 20/0 00:22:58 B EX 192.168.2.0/31 20/0 00:14:11 B EX 192.168.2.2/31 20/0 00:14:11 B EX 192.168.2.4/31 20/0 00:13:49 B EX 192.168.2.6/31 20/0 00:13:49 B EX 192.168.2.240/31 20/0 00:14:11 via 10.10.0.1 via 10.10.0.2 via 10.10.0.1 via 10.10.0.2 via 10.10.0.
Configure administrative distance for leaked routes 1. Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name 2. Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode. IPv4: ip route-export route-target route-map route-map-name IPv6: ipv6 route-export route-target route-map route-map-name 3. Create a route-map. route-map rmap-name 4. Change the administrative distance for leaked routes in ROUTE-MAP mode.
Parameters ● management—Enter the keyword management to configure a domain list for the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to configure a domain list for that non-default VRF instance. ● domain-names—Enter the list of domain names. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the domain list configuration from the management or the non-default VRF instance.
Example
OS10(config)# ip vrf vrf-test
OS10(conf-vrf-test)#
Supported Releases 10.4.1.0 or later
ip ftp vrf
Configures an FTP client for the management or non-default VRF instance.
Syntax ip ftp vrf {management | vrf vrf-name}
Parameters
● management — Enter the keyword to configure an FTP client on the management VRF instance.
● vrf vrf-name — Enter the keyword then the name of the VRF to configure an FTP client on that non-default VRF instance.
ip http vrf Configures an HTTP client for the management or non-default VRF instance. Syntax ip http vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an HTTP client for the management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an HTTP client for that non-default VRF instance.
To filter IPv4 routes imported from across VRFs, use a route map. Use the no form of this command to remove the imported routes. Example OS10(conf-vrf)# ip route-import 1:1 ==> No route-map attached OS10(conf-vrf)# ip route-import 1:1 route-map importOSPFBGProutes Supported Releases 10.4.3.0 or later ip route-export Exports an IPv4 static route from one VRF instance to another.
To filter IPv6 routes imported from across VRFs, use a route map. Use the no form of this command to remove the imported routes. Example OS10(conf-vrf)# ipv6 route-import 1:1 ==> No route-map attached OS10(conf-vrf)# ipv6 route-import 1:1 route-map importOSPFBGProutes Supported Releases 10.4.3.0 or later ipv6 route-export Exports an IPv6 static route from a VRF instance to another VRF instance.
Example
OS10(config)# ip scp vrf management
OS10(config)# ip scp vrf vrf-blue
Supported Releases 10.4.0E(R1) or later
ip sftp vrf
Configures an SFTP client for the management or non-default VRF instance.
Syntax ip sftp vrf {management | vrf vrf-name}
Parameters
● management — Enter the keyword to configure an SFTP client for a management VRF instance.
● vrf vrf-name — Enter the keyword then the name of the VRF to configure an SFTP client for that non-default VRF instance.
Usage Information Enter the ip vrf management command only in non-transaction-based configuration mode. Do not use transaction-based mode. The no version of this command removes the management VRF instance configuration.
Example
OS10(config)# ip vrf management
OS10(conf-vrf)#
Supported Releases 10.4.0E(R1) or later
match source-protocol
Matches the source routing protocol in a route map.
redistribute imported-bgp-routes Redistributes leaked eBGP and iBGP routes from a VRF domain into the BGP session of another VRF domain. Syntax redistribute imported-bgp-routes vrf vrf-name [route-map route-map-name] Parameters ● vrf vrf-name—Enter the VRF instance from which to import routes. ● route-map route-map-name—Enter the route map name to filter the leaked BGP routes.
Usage Information Redistribute leaked routes from all imported VRFs to another VRF with additional filtering using a route map. There is no option to redistribute specific leaked OSPF routes of a VRF.
set distance
Sets the administrative distance (AD) for the routes, which are exported from one VRF to another using a route-map.
Syntax [no] set distance value
Parameters value—Enter a number to assign to routes, from 1 to 255.
Default None
Command Mode ROUTE-MAP
Security and Access netadmin, sysadmin, and secadmin
Usage Information Use this command when exporting routes from one VRF to another. The no version of this command deletes the AD configuration.
Example
show ip vrf Displays the VRF instance information. Syntax show ip vrf [management | vrf-name] Parameters ● management—Enter the keyword management to display information corresponding to the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to display information corresponding to that VRF instance.
BFD is a simple hello mechanism. Two neighboring routers running BFD establish a session using a three-way handshake. After the session is established, the routers exchange periodic control packets at sub-second intervals. If a router does not receive a hello packet within the specified time, routing protocols are notified that the forwarding path is down. In addition, BFD sends a control packet when there is a state change or change in a session parameter.
NOTE: BFD sessions flap when the node has multiple unresolved IPv6 PTP slaves and hence Dell EMC recommends running one of the protocols in the node. This issue exists only with the IPv6 slaves.
BFD three-way handshake
A BFD session requires a three-way handshake between neighboring routers. In the following example, the handshake assumes:
● One router is active, and the other router is passive.
● This is the first session established on this link.
● The default session state on both ports is Down.
1.
BFD configuration
Before you configure BFD for a routing protocol, first enable BFD globally on both routers in the link. BFD is disabled by default.
● OS10 does not support Demand mode, authentication, and Echo function.
● OS10 does not support BFD on multi-hop and virtual links.
● OS10 supports protocol liveness only for routing protocols.
● OS10 BFD supports static and dynamic routing protocols such as static route, OSPF, OSPFv3, and BGP.
● multiplier number — Enter the number of consecutive packets that must not be received from a BFD peer before the session state changes to Down, from 3 to 50. The default is 3. ● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time. Enter passive if the router does not initiate BFD sessions, and only responds to a request from an active BFD to initialize a session. The default is active. 2. Enable BFD globally in CONFIGURATION mode.
When you configure a BFD session with a BGP neighbor, you can: ● Establish a BFD session with a specified BGP neighbor using the neighbor ip-address and bfd commands. ● Establish BFD sessions with all neighbors discovered by BGP using the bfd all-neighbors command. For example: Router 1 OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 2.2.4.
Configure BFD for BGP OS10 supports BFD sessions with IPv4 or IPv6 BGP neighbors using the default VRF. When you configure BFD for BGP, you can enable BFD sessions with all BGP neighbors discovered by BGP or with a specified neighbor. 1. Configure BFD session parameters and enable BFD globally on all interfaces in CONFIGURATION mode as described in Configure BFD globally. bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive} bfd enable 2.
OS10(config-router-bgp-4)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active BFD for BGP single-neighbor configuration OS10(conf)# bfd interval 200 min_rx 200 multiplier 6 role active OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 150.150.1.
Last read 00:24:31 seconds Hold time is 180, keepalive interval is 60 seconds Configured hold time is 180, keepalive interval is 60 seconds Fall-over disabled Neighbor is using Global level BFD Configuration Received 784 messages 1 opens, 0 notifications, 0 updates 783 keepalives, 0 route refresh requests Sent 780 messages 2 opens, 0 notifications, 0 updates 778 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Ca
CONFIGURATION Mode
2. Enter ROUTER-OSPF mode
router ospf ospf-instance
CONFIGURATION Mode
3. Establish sessions with all OSPFv2 neighbors.
bfd all-neighbors
ROUTER-OSPF Mode
4. Enter INTERFACE CONFIGURATION mode.
interface interface-name
CONFIGURATION Mode
5. Establish BFD sessions with OSPFv2 neighbors corresponding to a single OSPF interface.
ip vrf forwarding red ip address 30.1.1.1/24 ip ospf 200 area 0.0.0.0 ! router ospf 200 vrf red bfd all-neighbors log-adjacency-changes router-id 2.3.3.1 ! In this example OSPF is enabled in non-default VRF red. BFD is enabled globally at the router OSPF level and all the interfaces associated with this VRF OSPF instance inherit the global BFD configuration. However, this global BFD configuration does not apply to interfaces in which the interface level BFD configuration is already present.
1. Enable BFD Globally.
2. Establish sessions with OSPFv3 neighbors.
Establishing BFD sessions with OSPFv3 neighbors
To establish BFD sessions with OSPFv3 neighbors:
1. Enable BFD globally
bfd enable
CONFIGURATION Mode
2. Enter ROUTER-OSPF mode
router ospfv3 ospfv3-instance
CONFIGURATION
3. Establish sessions with all OSPFv3 neighbors.
bfd all-neighbors
ROUTER-OSPFv3 Mode
4. Enter INTERFACE CONFIGURATION mode.
interface interface-name
CONFIGURATION Mode
5.
Changing OSPFv3 session parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbors sessions.
3. Configure BFD for static route using the ip route bfd command. Establishing BFD Sessions for IPv4 Static Routes Sessions are established for all neighbors that are the next hop of a static route. To establish a BFD session, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route.
Establishing BFD Sessions for IPv6 Static Routes To establish a BFD session for IPv6 static routes, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route. ipv6 route bfd [interval interval min_rx min_rx multiplier value role {active | passive}] CONFIGURATION Mode Enter the time interval for sending and receiving BFD control packets from 50 to 1000.
The following example enables BFD for specific static routes on a nondefault VRF: OS10(config)#ip route vrf LAN2 10.2.2.0/24 10.1.1.
OS10(config-router-neighbor)# bfd OS10(config-router-neighbor)# no shutdown OS10(config)# router bgp 300 OS10(config-router-bgp-300)# template ebgppg OS10(config-router-template)# bfd OS10(config-router-template)# exit OS10(config-router-bgp-300)# neighbor 3.1.1.1 OS10(config-router-neighbor)# inherit template ebgppg OS10(config-router-neighbor)# no shutdown Supported releases 10.4.1.
Parameters None
Default Not configured
Command Mode ROUTER-NEIGHBOR
Usage Information Use the neighbor ip-address command in ROUTER-BGP mode to specify a neighbor. Use the bfd disable command to disable BFD sessions with the neighbor.
Example
OS10(conf)# router bgp 1
OS10(config-router-bgp-1)# neighbor 10.1.1.1
OS10(config-router-neighbor)# bfd disable
Supported releases 10.4.1.0 or later
bfd enable
Enables BFD on all interfaces on the switch.
command. The no version of this command deletes the configured global settings and returns to the default values. If you enable BFD on a specific static route, use the bfd interval command to configure the BFD parameters for that specific static route.
Example
OS10(config)# bfd interval 250 min_rx 300 multiplier 4 role passive
Supported releases 10.4.1.0 or later
ip ospf bfd all-neighbors
Enables and configures the default BFD parameters for all OSPFv2 neighbors in this interface.
● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 100 to 1000. Dell EMC recommends using more than 100 milliseconds. ● multiplier number — Enter the maximum number of consecutive packets that must not be received from a BFD peer before the session state changes to Down, from 3 to 50. ● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time.
Supported releases 10.4.2E or later ipv6 route bfd Enables or disables BFD on IPv6 static routes. Syntax ipv6 route [vrf vrf-name] bfd [interval millisec min_rx min_rx multiplier role {active | passive}] Parameters ● vrf vrf-name — Enter the keyword VRF and then the name of the VRF to configure static route in that VRF. ● interval milliseconds — Enter the time interval for sending control packets to BFD peers, from 50 to 1000.
Example OS10# show bfd neighbors * - Active session role ---------------------------------------------------------------------------------LocalAddr RemoteAddr Interface State RxInt TxInt Mult VR ---------------------------------------------------------------------------------* 100.100.1.1 100.100.1.2 ethernet1/1/26:1 up 200 200 3 re * 100.100.3.1 100.100.3.2 ethernet1/1/26:3 up 200 200 3 de * 200.1.1.2 200.1.1.1 vlan102 up 200 200 3 bl * 200.1.5.2 200.1.5.1 vlan105 up 200 200 3 de * 200.1.11.2 200.1.11.
Autonomous systems BGP autonomous systems are a collection of nodes under a single administration with shared network routing policies. Each AS has a number, which an Internet authority assigns—you do not assign the BGP number. The Internet Assigned Numbers Authority (IANA) identifies each network with a unique AS number (ASN). AS numbers 64512 through 65534 are reserved for private purposes. AS numbers 0 and 65535 cannot be used in a live environment.
● When you redistribute OSPFv3 routes to BGP, including External Type-2 routes, the multi-exit discriminator (MED) attribute is set to the OSPF route metric plus one instead of the OSPF route metric value. ● When you configure the bgp bestpath router-id ignore command, for non-best paths, the show ip bgp output displays Inactive reason: Router ID. ● Do not configure the IP address of the router as a BGP neighbor. This action causes the address being accepted as an invalid neighbor address.
FE80::/16 ● ::0002-::FFFF- all prefixes Route reflectors Route reflectors (RRs) reorganize the IBGP core into a hierarchy and allow route advertisement rules. Route reflection divides IBGP peers into two groups — client peers and nonclient peers. ● If a route is received from a nonclient peer, it reflects the route to all client peers ● If a route is received from a client peer, it reflects the route to all nonclient and client peers An RR and its client peers form a route reflection cluster.
Attributes Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are called BGP attributes which influence route selection for designing robust networks. There are no hard coded limits on the number of supported BGP attributes.
8. If you enable the bgp bestpath router-id ignore command and: ● If the Router-ID is the same for multiple paths because the routes were received from the same route—skip this step. ● If the Router-ID is not the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed. 9. Prefer the external path originated from the BGP router with the lowest router ID.
One AS assigns the MED a value. Other ASs use that value to decide the preferred path. Assume that the MED is the only attribute applied and there are two connections between AS 100 and AS 200. Each connection is a BGP session. AS 200 sets the MED for its Link 1 exit point to 100 and the MED for its Link 2 exit point to 50. This sets up a path preference through Link 2. The MEDs advertise to AS 100 routers so they know which is the preferred path. MEDs are nontransitive attributes.
Best path selection Best path selection selects the best route out of all paths available for each destination, and records each selected route in the IP routing table for traffic forwarding. Only valid routes are considered for best path selection. BGP compares all paths, in the order in which they arrive, and selects the best paths. Paths for active routes are grouped in ascending order according to their neighboring external AS number.
Advertise cost
As the default process for redistributed routes, OS10 supports IGP cost as MED. Both autosummarization and synchronization are disabled by default.
BGPv4 and BGPv6 support
● Deterministic MED, default
● A path with a missing MED is treated as the worst path and assigned a 0xffffffff MED value.
● Delayed configuration at system boot—OS10 reads the entire configuration file BEFORE sending messages to start BGP peer sessions.
Router A, Router B, and Router C belong to AS 100, 200, and 300, respectively. Router A acquired Router B — Router B has Router C as its client. When Router B is migrating to Router A, it must maintain the connection with Router C without immediately updating Router C’s configuration. Local-AS allows Router B to appear as if it still belongs to Router B’s old network, AS 200, to communicate with Router C.
Enable BGP
Before enabling BGP, assign a BGP router ID to the switch using the following command:
● In the ROUTER BGP mode, enter the router-id ip-address command, where ip-address is the IP address corresponding to a configured L3 interface (physical, loopback, or LAG).
BGP is disabled by default. The system supports one AS number — you must assign an AS number to your device. To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer.
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 5.1.1.2 4294967295 0 0 0 0 0 00:00:00 Active For the router ID, the system selects the first configured IP address or a random number. To view the status of BGP neighbors, use the show ip bgp neighbors command. For BGP neighbor configuration information, use the show running-config bgp command. The example shows two neighbors — one is an external BGP neighbor; and the other is an internal BGP neighbor.
4. Add a remote AS in ROUTER-NEIGHBOR mode, from 1 to 65535 for 2-byte or 1 to 4294967295 for 4-byte. remote-as as-number 5. Enable the BGP neighbor in ROUTER-NEIGHBOR mode. no shutdown 6. (Optional) Add a description text for the neighbor in ROUTER-NEIGHBOR mode. description text To reset the configuration when you change the configuration of a BGP neighbor, use the clear ip bgp * command. To view the BGP status, use the show ip bgp summary command.
4. Enable BGP on the device. router bgp as-number 5. Enter an unnumbered neighbor in ROUTER-BGP mode. neighbor interface interface-type interface interface-type — (Optional) Enter one of the following interface types: ● ethernet node/slot/port[:subport] — Display Ethernet interface information. ● port-channel id-number — Display port channel interface IDs, from 1 to 128. ● vlan vlan-id — Display the VLAN interface number, from 1 to 4093. 6. Enable the BGP neighbor in ROUTER-NEIGHBOR mode.
4_OCTET_AS(65) Extended Next Hop Encoding (5) Capabilities advertised to neighbor for IPv4 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) Extended Next Hop Encoding (5) Prefixes accepted 0, Prefixes advertised 0 Connections established 1; dropped 0 Last reset never Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0 Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally originated 0 Local host: fe80::76e6:e2ff:fef5:b281, Local port: 45
Configure an auto-unnumbered neighbor To configure an auto-unnumbered neighbor: 1. Configure minimum and maximum RA intervals in CONFIGURATION mode. ipv6 nd min-ra-interval interval ipv6 nd max-ra-interval interval 2. Configure physical or port-channel interfaces as Layer 3 interfaces in INTERFACE mode. interface range ethernet 1/1/1-1/1/4 no shutdown no switchport 3. Enable RAs on the interfaces in INTERFACE mode. ipv6 nd send-ra 4.
Router A configuration 1. Configure recommended RA timers globally for fast convergence in CONFIGURATION mode. OS10-A(config)# ipv6 nd min-ra-interval 3 OS10-A(config)# ipv6 nd max-ra-interval 4 2. Make the required interfaces in CONFIGURATION mode and convert them to Layer 3 routing interfaces. OS10-A(config)# interface range ethernet 1/1/1-1/1/4 OS10-A(conf-range-eth1/1/1-1/1/4)# no shutdown OS10-A(conf-range-eth1/1/1-1/1/4)# no switchport 3.
3. Enable RA transmission on all the interfaces in the range in INTERFACE mode.
OS10-B(conf-range-eth1/1/1-1/1/8)# ipv6 nd send-ra
4. Configure the interfaces as BGP auto-unnumbered interfaces in INTERFACE mode.
OS10-B(conf-range-eth1/1/1-1/1/4)# ipv6 bgp unnumbered ebgp-template
OS10-B(conf-range-eth1/1/5-1/1/8)# ipv6 bgp unnumbered ibgp-template
5. Create BGP instance in CONFIGURATION mode.
OS10-B(config)# router bgp 100
6. Create a template and assign necessary parameters in ROUTER-BGP mode.
7. Configure the BGP auto-unnumbered neighbor in ROUTER-BGP mode. OS10-C(config-router-bgp-100)# neighbor unnumbered-auto OS10-C(config-router-neighbor)# no shutdown 8. Configure the peer group template that the neighbors use to inherit peer-group configuration in ROUTER-NEIGHBOR mode. This template is applied only to the auto-unnumbered interfaces configured with the ipv6 bgp unnumbered command. OS10-C(config-router-neighbor)# inherit ibgp-template int-bgp 9.
2. Use one of the following commands to enter the respective ADDRESS-FAMILY mode from ROUTER-BGP mode: IPv4: address-family ipv4 unicast IPv6: address-family ipv6 unicast 3. Change the administrative distance for BGP from the respective ADDRESS-FAMILY mode.
7. (Optional) Add a remote neighbor, and enter the AS number in ROUTER-TEMPLATE mode. remote-as as-number ● To add an EBGP neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command. ● To add an IBGP neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command. NOTE: When you configure an unnumbered interface, do not configure the remote AS number. 8.
100.5.1.1 100.6.1.1 OS10# show ip bgp peer-group bg1 Peer-group bg1, remote AS 0 BGP version 4 Minimum time between advertisement runs is 30 seconds For address family: Unicast BGP neighbor is bg1, peer-group external Update packing has 4_OCTET_AS support enabled Number of peers in this group 2 Peer-group members: 40.1.1.2 ethernet 1/1/1 OS10# show ip bgp peer-group leaf_v4 summary BGP router identifier 100.0.0.8 local AS number 64601 Neighbor AS MsgRcvd MsgSent Up/Down 100.5.1.1 64802 376 325 04:28:25 100.
1. Enable BGP, and assign the AS number to the local BGP speaker in CONFIGURATION mode, from 1 to 65535 for 2 bytes, 1 to 4294967295 | 0.1 to 65535.65535 for 4 bytes, or 0.1 to 65535.65535, in dotted format. router bgp as-number 2. Enter CONFIG-ROUTER-VRF mode to create a peer template for the nondefault VRF instance that you create. vrf vrf-name 3. Create a peer template by assigning a neighborhood name to it in CONFIG-ROUTER-VRF mode. template template-name 4.
Neighbor fall-over The BGP neighbor fall-over feature reduces the convergence time while maintaining stability. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. When remote or peer local addresses become unreachable, BGP brings the session down with the peer. For example, if no active route exists in the routing table for peer IPv6 destinations/local address, BGP brings the session down. By default, the hold time governs a BGP session.
Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
For address family: IPv6 Unicast
Allow local AS number 0 times in AS-PATH attribute
Local host: 3.1.1.3, Local port: 58633
Foreign host: 3.1.1.1, Foreign port: 179
Verify neighbor fall-over on peer-group
OS10# show running-configuration
!
router bgp 102
!
address-family ipv4 unicast
aggregate-address 6.1.0.0/16
!
neighbor 40.1.1.
Peer 1 in ROUTER-TEMPLATE mode OS10# configure terminal OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# no switchport OS10(conf-if-eth1/1/5)# ip address 11.1.1.1/24 OS10(conf-if-eth1/1/5)# router bgp 10 OS10(config-router-bgp-10)# template pass OS10(config-router-template)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d OS10(config-router-template)# exit OS10(config-router-bgp-10)# neighbor 11.1.1.
remote-as 20 no shutdown OS10(config-router-neighbor)# do show running-configuration bgp ! router bgp 20 neighbor 11.1.1.2 password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d remote-as 20 no shutdown Fast external fallover Fast external fallover terminates EBGP sessions of any directly adjacent peer if the link used to reach the peer goes down. BGP does not wait for the hold-down timer to expire. Fast external fallover is enabled by default.
! address-family ipv6 unicast activate OS10(config-router-bgp-300)# OS10(conf-if-eth1/1/1)# do clear ip bgp * OS10# show ip bgp summary BGP router identifier 11.11.11.11 local AS number 300 Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx ----------------------------------------------------------------3.1.1.1 100 7 4 00:00:08 3 3::1 100 9 5 00:00:08 4 OS10# OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# shutdown OS10(conf-if-eth1/1/1)# do show ip bgp summary BGP router identifier 11.11.11.
OS10(conf-router-template)# remote-as 100
OS10(conf-router-template)# listen 32.1.0.0/8 limit 10
Local AS
During BGP network migration, you can maintain existing AS numbers. Reconfigure your routers with the new information to disable after the migration. Network migration is not supported on passive peer templates. You must configure peer templates before assigning them to an AS.
AS number limit Sets the number of times an AS number occurs in an AS path. The allow-as parameter permits a BGP speaker to allow the AS number for a configured number of times in the updates received from the peer. The AS-PATH loop is detected if the local AS number is present more than the number of times in the command. 1. Enter the neighbor IP address to use the AS path in ROUTER-BGP mode. neighbor ip address 2. Enter Address Family mode in ROUTER-NEIGHBOR mode.
r - redistributed/network, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network            Next Hop      Metric  LocPrf  Weight  Path
*>I 55::/64            172:16:1::2   0       0       0       100 200 300 400 i
*>I 55:0:0:1::/64      172:16:1::2   0       0       0       100 200 300 400 i
*>I 55:0:0:2::/64      172:16:1::2   0       0       0       100 200 300 400 i
Redistribute routes
Add routes from other routing instances or protocols to the BGP process. You can include OSPF, static, or directly connected routes in the BGP process with the redistribute command.
Redistribute active and inactive IPv4 OSPF routes into BGP
OS10# configure terminal
OS10(config)# route-map redis-inactive-routes
OS10(config-route-map)# match inactive-path-additive
OS10(config-route-map)# exit
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgpv4-af)# redistribute ospf 10 route-map redis-inactive-routes
Redistribute active and inactive IPv6 L2 VPN EVPN routes into BGP
OS10# configure terminal
OS10(config)# route-map redis-inacti
● confed—Selects the best path MED comparison of paths learned from BGP confederations. ● missing-as-best—Treats a path missing an MED as the most preferred one. ● missing-as-worst—Treats a path missing an MED as the least preferred one. Modify MED attributes OS10(config)# router bgp 100 OS10(conf-router-bgp-100)# always-compare-med OS10(conf-router-bgp-100)# bestpath med confed Local preference attribute You can change the value of the LOCAL_PREFERENCE attributes for all routes the router receives.
View route-map OS10(conf-route-map)# do show route-map route-map bgproutemap, permit, sequence 1 Match clauses: Set clauses: local-preference 500 metric 400 origin incomplete Weight attribute You can influence the BGP routing based on the weight value. Routes with a higher weight value have preference when multiple routes to the same destination exist. 1. Assign a weight to the neighbor connection in ROUTER-BGP mode. neighbor {ip-address} 2.
Route-map filters Filtering routes allows you to implement BGP policies. Use route-maps to control which routes the BGP neighbor or peer group accepts and advertises. 1. Enter the neighbor IP address to filter routes in ROUTER-BGP mode. neighbor ipv4-address 2. Enter Address Family mode in ROUTER-NEIGHBOR mode. address-family {[ipv4 | ipv6] [unicast]} 3. Create a route-map and assign a filtering criteria in ROUTER-BGP-NEIGHBOR-AF mode, then return to CONFIG-ROUTERBGP mode.
4. Assign a peer group template as part of the route-reflector cluster in ROUTER-BGP mode. template template-name 5. Configure the template as the route-reflector client in ROUTER-TEMPLATE mode. route-reflector-client When you enable a route reflector, the system automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in ROUTER-BGP mode.
Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, Dell EMC recommends BGP confederations only for IBGP peering involving many IBGP peering sessions per router. When you configure BGP confederations, you break the AS into smaller sub-ASs. To devices outside your network, the confederations appear as one AS.
History entry Entry that stores information about a downed route. Dampened path Path that is no longer advertised. Penalized path Path that is assigned a penalty. 1. Enable route dampening in ROUTER-BGP mode. dampening [half-life | reuse | max-suppress-time] ● half-life — Number of minutes after which the penalty decreases (1 to 45, default 15). After the router assigns a penalty of 1024 to a route, the penalty decreases by half after the half-life period expires.
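The penalty decay described above, worked through as an added Python example (not code from the guide or from OS10). The 1024 penalty per flap and the 15-minute default half-life come from the text; the suppress threshold, reuse threshold and max-suppress-time values, the function name and the flap times are assumptions chosen for illustration.

```python
import math

FLAP_PENALTY = 1024  # penalty assigned per flap, as stated in the text


def dampening_timeline(flap_minutes, half_life=15.0, suppress=2000.0,
                       reuse=750.0, max_suppress=60.0):
    """Return [(minute, "suppress" | "reuse"), ...] for a series of flaps.

    The penalty halves every half_life minutes. A route is suppressed when
    its penalty exceeds `suppress` (assumed value) and is released when the
    penalty decays to `reuse` (assumed value) or after `max_suppress`
    minutes of suppression (assumed value), whichever comes first.
    """
    events = []
    penalty = 0.0           # penalty measured at the time of the last flap
    last = 0.0              # minute of the last flap
    suppressed_since = None

    def release_time():
        # Solve penalty * 0.5 ** (dt / half_life) == reuse for dt.
        by_decay = last + half_life * math.log2(penalty / reuse)
        return min(by_decay, suppressed_since + max_suppress)

    for t in sorted(flap_minutes):
        # Was the route released before this flap arrived?
        if suppressed_since is not None and release_time() <= t:
            events.append((round(release_time(), 1), "reuse"))
            suppressed_since = None
        # Decay the old penalty to time t, then add the new flap.
        penalty = penalty * 0.5 ** ((t - last) / half_life) + FLAP_PENALTY
        last = t
        if suppressed_since is None and penalty > suppress:
            suppressed_since = t
            events.append((float(t), "suppress"))

    if suppressed_since is not None:
        events.append((round(release_time(), 1), "reuse"))
    return events


if __name__ == "__main__":
    # Constructed input: three flaps five minutes apart.
    # Penalty after each flap: 1024, about 1837, about 2482.
    print(dampening_timeline([0, 5, 10]))
```

With these assumed thresholds the third flap suppresses the route, and it stays suppressed for about 26 minutes after the last flap.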
Timers
To adjust the routing timers for all neighbors, configure the timer values using the timers command. If both the peers negotiate with different keepalive and hold time values, the final hold time value is the lowest value received. The new keepalive value is one-third of the accepted hold time value.
● Configure timer values for all neighbors in ROUTER-NEIGHBOR mode.
4. Clear all information or only specific details in EXEC mode. clear ip bgp {neighbor-address | * | interface interface-type} [soft in] ● * — Clears all peers. ● neighbor-address— Clears the neighbor with this IP address. ● interface interface-type— Clears an unnumbered neighbor. Soft-reconfiguration of IPv4 neighbor OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-bgp-neighbor-af)# soft-reconfiguration inbound OS10(conf-router-bgp-neighbor-af)# end OS10# clear ip bgp 10.2.1.
OS10(config-router-bgp-100-vrf)# address-family ipv4 unicast OS10(configure-router-bgpv4-vrf-af)# bgp redistribute-internal OS10(config)# router ospf 20 vrf dell OS10(config-router-ospf-20)# redistribute bgp 100 View BGP routes information Use the following commands to view all BGP routes that match any of the community filters for a default or nondefault VRF instance. ● View BGP routes that match a standard community number.
Example - BGP in a VLT topology The following spine-leaf VLT topology runs BGP for Layer 3 communication. Spine 1 configuration 1. Configure a VLAN interface on which the BGP session has to be formed with VLT peers. Spine1(config)# interface vlan101 Spine1(conf-if-vl-101)# ip address 10.0.1.1/29 Spine1(conf-if-vl-101)# mtu 9216 Spine1(conf-if-vl-101)# exit 2. Configure port channel interfaces between Spine and VLT peers. Add it as part of the created VLAN.
3. Configure eBGP neighbor with VLT peer1 and VLT peer2. Spine1(config)# router bgp 65101 Spine1(config-router-bgp-65101)# router-id 10.1.1.1 Spine1(config-router-bgp-65101)# neighbor 10.0.1.2 Spine1(config-router-neighbor)# remote-as 65201 Spine1(config-router-neighbor)# no shutdown Spine1(config-router-neighbor)# exit Spine1(config-router-bgp-65101)# neighbor 10.0.1.
Leaf1(config)# interface ethernet1/1/6 Leaf1(conf-if-eth1/1/6)# channel-group 3 mode active Leaf1(conf-if-eth1/1/6)# exit 5. Configure the eBGP neighbor with Spine 1 and iBGP neighbor with ToR 1 and ToR 2. Leaf1(config)# router bgp 65201 Leaf1(config-router-bgp-65201)# router-id 10.2.1.1 Leaf1(config-router-bgp-65201)# neighbor 10.0.1.1 Leaf1(config-router-neighbor)# remote-as 65101 Leaf1(config-router-neighbor)# no shutdown Leaf1(config-router-neighbor)# exit Leaf1(config-router-bgp-65201)# neighbor 10.0.
4. Configure VLT port-channels with ToR 1 and ToR 2.
3. Configure the host facing VLAN and add host connected interfaces to it. ToR1(config)# interface vlan2001 ToR1(conf-if-vl-2001)# ip address 172.16.1.1/24 ToR1(conf-if-vl-2001)# mtu 9216 ToR1(conf-if-vl-2001)# exit ToR1(config)# interface ethernet1/1/3 ToR1(conf-if-eth1/1/3)# mtu 9216 ToR1(conf-if-eth1/1/3)# switchport mode trunk ToR1(conf-if-eth1/1/3)# switchport trunk allowed vlan 2001 ToR1(conf-if-eth1/1/3)# exit 4. Configure the iBGP neighbor with VLT peers and advertise the host subnet.
ToR2(config-router-neighbor)# no shutdown ToR2(config-router-neighbor)# exit ToR2(config-router-bgp-65201)# neighbor 10.0.2.2 ToR2(config-router-neighbor)# remote-as 65201 ToR2(config-router-neighbor)# no shutdown ToR2(config-router-neighbor)# exit Example - Three-tier CLOS topology with eBGP This section provides a sample three-tier topology with external BGP. Spine 1 configuration 1. Configure an IP address on leaf-facing interfaces.
Spine1(config)# interface ethernet1/1/4
Spine1(conf-if-eth1/1/4)# description Spine1-Leaf4
Spine1(conf-if-eth1/1/4)# no switchport
Spine1(conf-if-eth1/1/4)# mtu 9216
Spine1(conf-if-eth1/1/4)# ip address 10.1.2.2/31
Spine1(conf-if-eth1/1/4)# exit
2. Configure BGP neighbors. This example uses passive peering which simplifies neighbor configuration.
Spine1(config)# router bgp 65101
Spine1(config-router-bgp-65101)# router-id 10.0.0.
Leaf1(conf-if-eth1/1/2)# description Leaf1-Spine2
Leaf1(conf-if-eth1/1/2)# no switchport
Leaf1(conf-if-eth1/1/2)# mtu 9216
Leaf1(conf-if-eth1/1/2)# ip address 10.2.1.1/31
Leaf1(conf-if-eth1/1/2)# exit
2. Configure an IP address on ToR facing interfaces.
Leaf1(config)# interface ethernet1/1/3
Leaf1(conf-if-eth1/1/1)# description Leaf1-ToR1
Leaf1(conf-if-eth1/1/1)# no switchport
Leaf1(conf-if-eth1/1/1)# mtu 9216
Leaf1(conf-if-eth1/1/1)# ip address 10.3.1.0/31
Leaf1(conf-if-eth1/1/1)# exit
3.
Leaf2(config-router-neighbor)# no shutdown Leaf2(config-router-neighbor)# exit Leaf 3 configuration 1. Configure an IP address on spine-facing interfaces.
3. Configure BGP neighbors. Leaf4(config)# router bgp 65202 Leaf4(config-router-bgp-65202)# router-id 10.0.1.4 Leaf4(config-router-bgp-65202)# neighbor 10.1.2.2 Leaf4(config-router-neighbor)# remote-as 65101 Leaf4(config-router-neighbor)# no shutdown Leaf4(config-router-neighbor)# exit Leaf4(config-router-bgp-65202)# neighbor 10.2.2.2 Leaf4(config-router-neighbor)# remote-as 65101 Leaf4(config-router-neighbor)# no shutdown Leaf4(config-router-neighbor)# exit Leaf4(config-router-bgp-65202)# neighbor 10.6.1.
ToR2(conf-if-eth1/1/1)# exit
ToR2(config)# interface ethernet1/1/2
ToR2(conf-if-eth1/1/2)# description ToR2-Leaf4
ToR2(conf-if-eth1/1/2)# no switchport
ToR2(conf-if-eth1/1/2)# mtu 9216
ToR2(conf-if-eth1/1/2)# ip address 10.6.1.1/31
ToR2(conf-if-eth1/1/2)# exit
2. Configure a VLAN interface and a VLAN member for end devices.
ToR2(config)# interface vlan 2001
ToR2(conf-if-vl-2001)# ip address 172.16.2.
3. Configure add-path capability in IPv4 AFI, with add-path on both directions with count as 4. OS10(config-router-template)# address-family ipv4 unicast OS10(config-router-bgp-template-af)# add-path both 4 4. Configure soft-reconfiguration inbound for IPv6 AFI. OS10(config-router-template)# address-family ipv6 unicast OS10(config-router-bgp-template-af)# soft-reconfiguration inbound 5. Configure next-hop-self for IPv6 AFI.
NOTE: Only the system administrator (sysadmin) role is allowed to manage this configuration.
NOTE: The add-path configuration is not supported on the unnumbered peers when applied through the template.
Example (Receive)
OS10(conf-router-bgpv6-af)# add-path receive
Supported Releases 10.2.0E or later
address-family
Enters Global Address Family Configuration mode for the IP address family.
Syntax address-family {[ipv4 | ipv6] unicast}
Parameters
● ipv4 unicast — Enter an IPv4 unicast address family.
● ipv6 unicast — Enter an IPv6 unicast address family.
Command Mode ROUTER-NEIGHBOR
Usage Information The time interval applies to all the peer group members of the template in ROUTER-TEMPLATE mode. The no version of this command disables the advertisement-start time interval.
Example
OS10(conf-router-neighbor)# advertisement-start 30
Supported Releases 10.3.0E or later
aggregate-address
Summarizes a range of prefixes to minimize the number of entries in the routing table.
Example (IPv6)
OS10(conf-router-template)# address-family ipv6 unicast
OS10(conf-router-bgp-template-af)# allowas-in 5
Example (l2vpn)
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# allowas-in 3
Supported Releases 10.3.0E or later
always-compare-med
Compares MULTI_EXIT_DISC (MED) attributes in the paths that are received from different neighbors.
router bgp 100
as-notation asdot
Example - asdot+ format
OS10(conf-router-bgp-100)# as-notation asdot+
OS10(conf-router-bgp-100)# show configuration
!
router bgp 0.100
as-notation asdot+
Example - asplain format
OS10(conf-router-bgp-100)# as-notation asplain
OS10(conf-router-bgp-100)# show configuration
!
router bgp 100
Supported Releases 10.1.0E or later
bestpath as-path
Configures the AS path selection criteria for best path computation.
NOTE: To configure these settings for a nondefault VRF instance, you must first enter the ROUTERCONFIG-VRF sub mode using the following commands:
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-2)# bestpath med confed
Supported Releases 10.3.0E or later
bestpath router-id
Ignores comparing router-id information for external paths during best-path selection.
Command Mode ROUTER-BGP-AF
Usage Information To reduce the instability of the BGP process, set up route flap dampening parameters. After setting up the dampening parameters, clear information about route dampening and return the suppressed routes to the Active state. You can also view statistics on route flapping or change the path selection from Default Deterministic mode to Non-Deterministic mode. The no version of this command resets the value to the default.
● soft — (Optional) Enter to configure and activate policies without resetting the BGP TCP session — BGP soft reconfiguration. ● in — (Optional) Enter to activate only ingress (inbound) policies. Default Not configured Command Mode EXEC Usage Information None. Example OS10# clear ip bgp 1.1.15.4 The following is an example to clear BGP information learned through an unnumbered neighbor: OS10# clear ip bgp interface ethernet 1/1/1 Supported Releases 10.3.
Supported Releases 10.3.0E or later clear ip bgp flap-statistics Clears all or specific IPv4 or IPv6 flap counts of prefixes. Syntax clear ip bgp [vrf vrf-name] [ipv4–address | ipv6–address] flap-statistics [ipv4–prefix | ipv6–prefix] Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to clear flap statistics information. ● ipv4–address — (Optional) Enter an IPv4 address to clear the flap counts of the prefixes learned from the given peer.
confederation Configures an identifier for a BGP confederation. Syntax confederation {identifier as-num | peers as-number} Parameters ● identifier as-num —Enter an AS number, from 0 to 65535 for 2 bytes, 1 to 4294967295 for 4 bytes, or 0.1 to 65535.65535 for dotted format. ● peers as-number—Enter an AS number for peers in the BGP confederation, from 1 to 4294967295.
cluster-id Assigns a cluster ID to a BGP cluster with multiple route reflectors. Syntax cluster-id {number | ip-address} Parameters ● number—Enter a route reflector cluster ID as a 32-bit number, from 1 to 4294967295. ● ip-address—Enter an IP address as the route-reflector cluster ID. Default Router ID Command Mode ROUTER-BGP Usage Information If a cluster contains only one route reflector, the cluster ID is the route reflector’s router ID.
Usage Information
● To use special characters as a part of the description string, enclose the string in double quotes.
● To use a comma as a part of the description string, add a double backslash before the comma.
● The no version of this command removes the description.
Example Supported Releases
OS10# configure terminal
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 8.8.8.
Example Supported Releases OS10(conf-router-bgp-10)# template lunar OS10(conf-router-bgp-template)# address-family ipv6 unicast OS10(conf-router-template-af)# default-originate route-map rmap-bgp 10.4.1.0 or later distance bgp Sets the administrative distance for BGP routes. Syntax distance bgp external-distance internal-distance local-distance Parameters ● external-distance—Enter a number to assign to routes learned from a neighbor external to the AS, from 1 to 255.
distribute-list Distributes BGP information through an established prefix list. Syntax distribute-list prefix-list-name {in | out} Parameters ● prefix-list-name—Enter the name of established prefix list. ● in—Enter to distribute inbound traffic. ● out—Enter to distribute outbound traffic. Defaults None Command Modes ROUTER-BGP-NEIGHBOR-AF ROUTER-TEMPLATE-AF Usage Information Example The no version of this command removes the route-map.
Example Supported Releases OS10(conf-router-neighbor)# ebgp-multihop 2 10.3.0E or later enforce-first-as Enforces the first AS in the AS path of the route received from an EBGP peer to be the same as the configured remote AS. Syntax enforce-first-as Parameters None Default Enabled Command Mode ROUTER-BGP Usage Information To verify statistics of routes rejected, use the show ip bgp neighbors command. If routes are rejected, the session is reset.
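The enforce-first-as check above and the allowas-in loop check from the AS number limit section, combined in an added Python example (not code from the guide or from OS10). The function names, the result strings and the sample updates are constructed for illustration; the local AS 300 and the neighbor 3.1.1.1 in AS 100 reuse values shown in this guide's outputs.

```python
from collections import Counter

ACCEPT = "accepted"
OWN_AS = "ignored: our own AS in AS-PATH"
FIRST_AS = "session reset: first AS is not the configured remote AS"


def check_update(as_path, local_as, remote_as, allowas_in=0,
                 enforce_first_as=True):
    """Classify one received route by its AS path.

    enforce-first-as: for an EBGP peer, the first AS in the path must be
    the configured remote AS; the guide states that the session is reset
    when such routes are rejected.
    allowas-in: a loop is detected when the local AS appears more often
    than the configured count (0 when the command is not configured).
    """
    is_ebgp = remote_as != local_as
    if is_ebgp and enforce_first_as:
        if not as_path or as_path[0] != remote_as:
            return FIRST_AS
    if as_path.count(local_as) > allowas_in:
        return OWN_AS
    return ACCEPT


def audit(updates, local_as, neighbors):
    """Map each prefix to its verdict, using per-neighbor settings."""
    verdicts = {}
    for peer, prefix, as_path in updates:
        cfg = neighbors[peer]
        verdicts[prefix] = check_update(
            as_path, local_as, cfg["remote_as"],
            allowas_in=cfg.get("allowas_in", 0),
            enforce_first_as=cfg.get("enforce_first_as", True),
        )
    return verdicts


LOCAL_AS = 300
# Constructed updates: (neighbor, prefix, AS path as received).
UPDATES = [
    ("3.1.1.1", "192.0.2.0/24",    [100, 200, 400]),        # clean path
    ("3.1.1.1", "198.51.100.0/24", [100, 200, 300, 400]),   # local AS once
    ("3.1.1.1", "203.0.113.0/24",  [200, 100, 400]),        # wrong first AS
    ("3.1.1.1", "198.18.0.0/24",   [100, 300, 200, 300]),   # local AS twice
]

if __name__ == "__main__":
    for limit in (0, 1):
        neighbors = {"3.1.1.1": {"remote_as": 100, "allowas_in": limit}}
        result = audit(UPDATES, LOCAL_AS, neighbors)
        print("allowas-in", limit, dict(Counter(result.values())))
```

Raising the allowas-in count widens what the loop check lets through, so the run with a count of 1 accepts the path that carries the local AS once while still ignoring the one that carries it twice.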
fast-external-fallover Resets BGP sessions immediately when a link to a directly connected external peer fails. Syntax fast-external-fallover Parameters None Default Not configured Command Mode ROUTER-BGP Usage Information Fast external fall-over terminates the EBGP session immediately after the IP unreachability or link failure is detected. This only applies after you manually reset all existing BGP sessions. For the configuration to take effect, use the clear ip bgp command.
Parameters None Default None Command Mode ROUTER-BGP Security and Access netadmin, sysadmin, and secadmin Usage Information By default, the next-hop is set to next-hop-self while advertising an ECMP route to an iBGP peer. Use the no version of this command to advertise ECMP routes to iBGP neighbors with the lowest next-hop IP address. To verify the configuration, use the show ip bgp neighbors command. This command is applicable for IPv4 unicast and IPv6 unicast address family modes.
Parameters ● template-name — Enter a template name. A maximum of 16 characters. ● inherit-type {ibgp | ebgp} —To associate a template to an unnumbered peer, specify the inherit-type. The options are ibgp and ebgp. Default Not configured Command Mode ROUTER-NEIGHBOR Usage Information When network neighbors inherit a template, all that are enabled on the template are also supported on the neighbors. The no version of this command disables the peer group template configuration.
listen Enables peer listening and sets the prefix range for dynamic peers. Syntax listen ip-address [limit count] Parameters ● ip-address—Enter the BGP neighbor IP address. ● limit count—(Optional) Enter a maximum dynamic peer count, from 1 to 4294967295. Default Not configured Command Mode ROUTER-TEMPLATE Usage Information Enables a passive peering session for listening. The no version of this command disables a passive peering session.
log-neighbor-changes
Enables logging for changes in neighbor status.
Syntax log-neighbor-changes
Parameters None
Default Enabled
Command Mode ROUTER-BGP
Usage Information OS10 saves logs that include the neighbor operational status and reset reasons. To view the logs, use the show bgp config command. The no version of this command disables the feature.
maximum-prefix
Configures maximum-prefix support in peer-group level templates. This support applies for both IPv4 and IPv6 address families.
Syntax maximum-prefix 1-4294967295 {1-100 | warning-only}
Parameters
● 1-4294967295 - Maximum prefix limit.
● 1-100 - Percentage threshold value at which to generate a warning message. The default value is 75.
● warning-only - Specify warning-only to generate a warning message when the limit is exceeded.
Default None.
The no version of this command disables the BGP neighbor configuration.
Parameters None.
Default Not configured
Command Mode TEMPLATE ADDRESS FAMILY LEVEL
Usage Information Configures the next-hop-self for a specific template. This configuration is applied to all BGP peers when inheriting this template. The next-hop-self configuration is enabled by default on the unnumbered peers. When the next-hop-self configuration is removed, there is no impact on the unnumbered peers.
NOTE: Only the system administrator (sysadmin) role is allowed to manage this configuration.
Usage Information Enable or disable outbound optimization dynamically to reset all neighbor sessions. When you enable outbound optimization, all peers receive the same update packets. The next-hop address chosen as one of the addresses of neighbor’s reachable interfaces is also the same for the peers. The no version of this command disables outbound optimization.
Usage Information Example (Connected) Example (Static — IPv4) Example (Static — IPv6) Example (OSPF — IPv4) Example (OSPF — IPv6) Supported Releases Static routes are treated as incomplete routes. When you use the redistribute ospf process-id command without other parameters, the system redistributes all OSPF internal routes, external type 1 routes, and external type 2 routes. The no version of this command resets the value to the default.
Usage Information Example Supported Releases None OS10(config)# router bgp 300 OS10(config-router-bgp-300)# template ebgppg OS10(config-router-template)# remove-private-as 10.4.1.0 or later route-map Applies an established route-map to either incoming or outbound routes of a BGP neighbor or peer group. Syntax route-map route-map-name {in | out} Parameters ● route-map-name — Enter the name of the configured route-map.
router bgp Enables BGP and assigns an AS number to the local BGP speaker. Syntax router bgp as-number Parameters as-number—Enter the AS number range. ● 1 to 65535 in 2 byte ● 1 to 4294967295 in 4 byte Default None Command Mode CONFIGURATION Usage Information The AS number can be a 16-bit integer. The no version of this command resets the value to the default. Example Supported Releases OS10(config)# router bgp 3 OS10(conf-router-bgp-3)# 10.3.
Usage Information Example Supported Releases A community attribute indicates that all routes with the same attributes belong to the same community grouping. All neighbors belonging to the template inherit the feature when configured for a template. The no version of this command disables sending a community attribute to a BGP neighbor or peer group. OS10(conf-router-neighbor)# send-community extended 10.3.
Origin INCOMPLETE, Metric 0, LocalPref 100, Weight Route-reflector origin : 0.0.0.0 0, confed-external The following displays the next hop as an unnumbered neighbor with ethernet1/1/1 as the connected interface. OS10# show ip bgp 31.1.1.0/24 BGP routing table entry for 31.1.1.0/24 Paths: (1 available, table Default-IP-Routing-Table.) Received from : fe80::3617:ebff:fef1:dc5e via ethernet1/1/1 (1.1.1.
Default None Command Mode EXEC Security and Access Netadmin, sysadmin, secadmin, and netoperator Usage Information This command is used to display BGP routes that match the given community number. Example Supported Releases OS10# show ip bgp community 11:22 BGP local RIB : Routes to be Added , Replaced , Withdrawn BGP local router ID is 10.1.1.
show ip bgp dampened-paths Displays BGP routes that are dampened or nonactive. Syntax show ip bgp [vrf vrf-name] dampened-paths Parameters None Default Not configured Command Mode EXEC Usage Information ● vrf vrf-name — (OPTIONAL) Enter vrf and then the name of the VRF to view routes that are affected by a specific community list corresponding to that VRF. ● Network — Displays the network ID where the route is dampened.
Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *>r 100::1/128 :: 0 100 32768 ? *>r 2001:100:1:1::/64 :: 0 100 32768 ? Supported Releases 10.5.2.1 or later show ip bgp filter-list Displays the BGP routes that match any of the AS-path regular expressions from the AS-path list.
● Duration — Displays the HH:MM:SS after the route first flapped. ● Flaps — Displays the number of times the route flapped. ● Reuse — Displays the HH:MM:SS until the flapped route is available. ● Path — Lists all AS the flapping route passed through to reach the destination network. Example Supported Releases OS10# show ip bgp flap-statistics BGP local router ID is 80.1.1.
LocPrf Weight Path *> 41.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 10 0 0 OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 routes BGP local router ID is 40.1.1.2 Status codes: s suppressed, S stale, d dampened, h history, * valid, > best Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 31.1.1.0/24 fe80::3617:ebff:fefd:dc5e 0 0 10 100 OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 received-routes BGP local router ID is 40.1.1.
show ip bgp ipv6 unicast Displays route information for BGP IPv6 routes. Syntax show ip bgp [vrf vrf-name] ipv6 unicast [summary | neighbors [ip-address | interface interface-type] [advertised-routes | dampened-paths | flap-statistics | denied-routes | routes]] Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to view IPv6 unicast information corresponding to that VRF. ● neighbors — Displays IPv6 neighbor information. ● ip-address — Displays information about a specific neighbor.
*> 1001::/64 0 fe80::3617:ebff:fef1:dc5e 10 0 0 OS10# show ip bgp ipv6 unicast neighbors interface ethernet 1/1/1 denied-routes BGP local router ID is 40.1.1.2 Status codes: D denied Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path D 1002::/64 fe80::3617:ebff:fef1:dc5e 0 0 0 10 Summary information for unnumbered neighbors: OS10# show ip bgp ipv6 unicast summary BGP router identifier 89.101.17.
Usage Information ● BGP neighbor — Displays the BGP neighbor address and its AS number. The last phrase in the line indicates whether the link between the BGP router and its neighbor is an external or internal one. If they are located in the same AS, the link is internal; otherwise the link is external. ● BGP version — Displays the BGP version, always version 4, and the remote router ID.
CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) ADD_PATH(69) Prefixes accepted 1, Prefixes advertised 0 Connections established 2; dropped 16 Closed by neighbor sent 00:00:14 ago For address family: IPv4 Unicast Max prefix set to 1 with threshold 1 warning only Next hop set to self Soft-reconfiguration inbound configured Allow local AS number 0 times in AS-PATH attribute Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0 Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally ori
Prefixes accepted 0, Prefixes advertised 0 Connections established 1; dropped 0 Last reset never For address family: IPv4 Unicast Next hop set to self Allow local AS number 0 times in AS-PATH attribute Route map for incoming advertisements is filter_ipv4_intf_in Route map for outgoing advertisements is filter_ipv4_intf_out Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0 Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally originated 0 For address family: IPv6 Unicas
D 55:0:0:6::/64 172:16:1::2 55:0:0:7::/64 172:16:1::2 D 55:0:0:8::/64 172:16:1::2 D 55:0:0:9::/64 172:16:1::2 Total number of prefixes: 10 OS10# Example deniedroutes Example routes Example unnumbered neighbors 0 0 0 0 0 0 0 0 i i i i OS10# show ip bgp ipv6 unicast neighbors 172:16:1::2 denied-routes BGP local router ID is 100.1.1.
4_OCTET_AS(65) Extended Next Hop Encoding (5) Prefixes accepted 0, Prefixes advertised 0 Connections established 1; dropped 0 Last reset never Prefixes ignored due to: Martian address 0, Our own AS in AS-PATH 0 Invalid Nexthop 0, Invalid AS-PATH length 0 Wellknown community 0, Locally originated 0 Local host: fe80::76e6:e2ff:fef5:b281, Local port: 45926 Foreign host: fe80::76e6:e2ff:fef6:b81, Foreign port: 179 Example advertisedroutes from unnumbered neighbors Example received-routes from unnumbered neighb
show ip bgp peer-group Displays information about BGP peers in a peer-group. Syntax show ip bgp [vrf vrf-name] peer-group peer-group-name Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf to view information about BGP peers in a peer group corresponding to that VRF. ● peer-group-name — (Optional) Enter the peer group name to view information about that peer-group only. Default Not configured Command Mode EXEC Usage Information ● Peer-group — Displays the peer group name.
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx 17.1.1.2 7 7 6 00:01:54 5 OS10# show ip bgp peer-group bg1 Peer-group bg1, remote AS 0 BGP version 4 Minimum time between advertisement runs is 30 seconds For address family: Unicast BGP neighbor is bg1, peer-group external Update packing has 4_OCTET_AS support enabled Number of peers in this group 2 Peer-group members: 40.1.1.2 ethernet 1/1/1 OS10# show ip bgp peer-group bg1 summary BGP router identifier 14.233.209.
Example OS10# show ip bgp summary BGP router identifier 80.1.1.1 local AS number 102 Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx 80.1.1.2 800 24 23 00:09:15 5 Example for unnumbered peer: OS10# show ip bgp summary BGP router identifier 89.101.17.125 local AS number 100 Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx ethernet1/1/1 200 19 19 00:15:34 0 Supported Releases 10.2.0E or later show ip route Displays information about IPv4 BGP routing table entries.
show ipv6 route Displays information about IPv6 BGP routing table entries. Syntax show ipv6 route [vrf vrf-name] bgp Parameters ● vrf vrf-name — Enter vrf and then the name of the VRF to view information that is exchanged between BGP neighbors corresponding to that VRF. Default Not configured Command Mode EXEC Usage Information This command displays information about IPv6 BGP routing table entries.
soft-reconfiguration inbound Configures the soft-reconfiguration support for the peer-group level. This support applies for both IPv4 and IPv6 address families. Syntax soft-reconfiguration inbound Parameters None. Default Not configured Command Mode TEMPLATE ADDRESS FAMILY LEVEL Usage Information This configuration allows soft-reconfiguration for a specific template. This configuration is applied to all BGP peers when inheriting this template.
timers Adjusts BGP keepalive and holdtime timers. Syntax timers keepalive holdtime Parameters ● keepalive—Enter the time interval, in seconds, between keepalive messages sent to the neighbor routers, from 1 to 65535. ● holdtime—Enter the time interval, in seconds, between the last keepalive message and declaring a router dead, from 3 to 65535.
OS10(config-router-bgp-100-vrf)# Supported Releases 10.3.0E or later weight Assigns a default weight for routes from the neighbor interfaces. Syntax weight number Parameters number—Enter a number as the weight for routes, from 1 to 4294967295. Default 0 Command Mode ROUTER-BGP-NEIGHBOR Usage Information The path with the highest weight value is preferred in the best-path selection process. The no version of this command resets the value to the default.
IPV6 Load Balancing : Enabled MAC Load Balancing : Enabled TCP-UDP Load Balancing : Enabled Ingress Port Load Balancing : Disabled IPV4 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port IPV6 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port MAC FIELDS : source-mac destination-mac ethertype vlan-id TCP-UDP FIELDS: l4-destination-port l4-source-port ● The second part generates from the static physical configuration such as the ingress and e
Supported platforms The following table lists the platforms that support resilient hashing. Table 88.
Member link goes down In the following example, if member link D goes down, resilient hashing distributes the traffic intended for member link D to A and B. The existing 1, 2, and 3 traffic is not disturbed.
Important notes ● Resilient hashing on port channels applies only for unicast traffic. ● For resilient hashing on ECMP groups, the ECMP path must be in multiples of 64. Before you enable resilient hashing, ensure that the maximum ECMP path is set to a multiple of 64. You can configure this value using the ip ecmp-group maximum-paths command. Maximum ECMP groups and paths The maximum number of ECMP groups supported on the switch depends on the maximum ECMP paths configured on the switch.
ECMP commands enhanced-hashing Ensures that existing traffic flows are not remapped when a member link goes down. Syntax enhanced-hashing resilient-hashing {lag | ecmp} Parameters ● resilient-hashing—Enter the keyword to enable enhanced-hashing. ● {ecmp | lag}—Enter the keyword to enable resilient hashing for a port channel or ECMP group. Defaults Disabled Command Mode CONFIGURATION Usage Information The no version of this command disables resilient hashing.
Example OS10(config)# hash-algorithm lag crc Supported Releases 10.3.0E or later ip ecmp-group maximum-paths Configures the maximum number of ECMP paths per route. Syntax ip ecmp-group maximum-paths number Parameters number — Enter the maximum number of ECMP paths, from 2 to 128. Default 64 Command Mode CONFIGURATION Usage Information To save the new ECMP settings, use the write memory command, then reload the system for the new settings to take effect.
● ip-selection — Enables IPv4 key parameters to use in the hash computation. ● ipv6-selection — Enables IPV6 key parameters to use in hash computation. ● destination-ip — Enables the destination IP address in the hash calculation. ● source-ip — Enables the source IP address in the hash calculation. ● protocol — Enables protocol information in the hash calculation. ● vlan-id — Enables VLAN ID information in the hash calculation.
---------------------------------------LAG Resilient hashing : Disabled OS10# show enhanced-hashing resilient-hashing ECMP Resilient Hashing Configuration For ECMP: ---------------------------------------------ECMP Resilient hashing : Disabled Supported Releases 10.4.3.0 or later show hash-algorithm Displays hash-algorithm information.
Command Mode EXEC Usage Information None Example OS10# show load-balance Load-Balancing Configuration For LAG & ECMP: -------------------------------------------IPV4 Load Balancing Enabled IPV4 FIELDS : source-ipv4 dest-ipv4 vlan protocol L4-source-port L4-destport IPV6 Load Balancing Enabled IPV6 FIELDS : source-ipv6 dest-ipv6 vlan protocol L4-source-port L4-destport Mac Load Balancing Enabled MAC FIELDS : source-mac dest-mac vlan ethertype mac-in-mac header based hashing is disabled TcpUdp Load Balan
● ip-address mask—Enter the IP address in dotted decimal format—A.B.C.D. and mask in slash prefix-length format (/24). ● secondary—Enter a secondary backup IP address for the interface. Assign interface IP address to interface OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/4)# no shutdown OS10(conf-if-eth1/1/4)# no switchport OS10(conf-if-eth1/1/4)# ip address 10.10.1.
View configured static routes OS10# show ip route static Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF,IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change -----------------------------------------------------------------S 200.200.200.0/24 via 10.1.1.
IPv4 routing commands clear ip arp Clears the dynamic ARP entries from a specific interface or optionally deletes (no-refresh) ARP entries from the content addressable memory (CAM). Syntax clear ip arp [vrf vrf-name] [interface interface | ip ip-address] [no-refresh] Parameters ● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to clear ARP entries corresponding to that VRF. ● interface interface— (Optional) Specify an interface type: ○ ethernet — Physical interface.
ip address Configures an IP address on an interface. Syntax ip address ip–address/mask Parameters ip–address/mask — Enter the IP address. Defaults None Command Mode INTERFACE Usage Information The no version of this command removes the IP address set for the interface. Example OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ip address 10.1.1.0/24 Supported Releases 10.3.0E or later ip address dhcp Enables DHCP client operations on the interface.
ip arp gratuitous Enables an interface to receive or send gratuitous ARP requests and updates. Syntax ip arp gratuitous {update | request} Parameters ● update — Specify to enable or disable ARP cache updates for gratuitous ARP. ● request — Specify to enable or disable sending gratuitous ARP requests when a duplicate address is detected.
Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes a static route configuration. Use the bfd option to enable Bidirectional Forwarding Detection (BFD) on a specific static route. Example OS10(config)# ip route 200.200.200.0/24 10.1.1.2 OS10(config)# ip route 200.200.200.0/24 interface null 0 The following is a sample configuration for enabling BFD on a specific static route: OS10(config)# ip route 10.10.200.0/24 10.1.1.
Example (Static) OS10# show ip arp summary Total Entries Static Entries Dynamic Entries ------------------------------------------------------3994 0 3994 OS10# show ip arp 192.168.2.2 Address Hardware address Interface Egress Interface -------------------------------------------------------------------192.168.2.
E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change -----------------------------------------------------------------C 10.1.1.0/24 via 10.1.1.1 vlan100 0/0 01:16:56 B EX 10.1.2.0/24 via 10.1.2.1 vlan101 20/0 01:16:56 O 10.1.3.0/24 via 10.1.3.1 vlan102 110/2 01:16:56 B IN 10.1.4.0/24 via 10.1.4.
● IPv6 forwarding is enabled on physical Ethernet interfaces, VLANs, and port groups. IPv6 forwarding is disabled only when you enable IPv6 address autoconfiguration on an interface and set it in host mode using the ipv6 address autoconfig command. ● IPv6 forwarding is permanently disabled on the management Ethernet interface so that it remains in Host mode and does not operate as a router regardless of the ipv6 address autoconfig setting.
● 2001:0db8:0:0::1428:57ab ● 2001:0db8::1428:57ab ● 2001:db8::1428:57ab Write IPv6 networks using CIDR notation. An IPv6 network or subnet is a contiguous group of IPv6 addresses whose size must be a power of two. The initial bits of addresses, which are identical for all hosts in the network, are the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix in decimal, separated with a slash.
Configure link-local address OS10(config)# interface ethernet 1/1/8 OS10(conf-if-eth1/1/8)# ipv6 address FE80::1/64 link-local Stateless autoconfiguration When an interface comes up, OS10 uses stateless autoconfiguration to generate a unique link-local IPv6 address with a FE80::/64 prefix and an interface ID generated from the MAC address. To use stateless autoconfiguration to assign a globally unique address using a prefix received in router advertisements, use the ipv6 address autoconfig command.
● ipv6 nd hop-limit hops — (Optional) Sets the hop limit advertised in RA messages and included in IPv6 data packets sent by the router, from 0 to 255; default 64. 0 indicates that no hop limit is specified by the router. ● ipv6 nd managed-config-flag — (Optional) Sent in RA messages to tell hosts to use stateful address autoconfiguration, such as DHCPv6, to obtain IPv6 addresses.
Duplicate address discovery To determine if an IPv6 unicast address is unique before assigning it to an interface, an OS10 switch sends a neighbor solicitation message. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the address does not configure on the interface. DAD is enabled by default. By default, IPv6 is not disabled when a duplicate address is detected. Only the duplicate address is not applied. Other IPv6 addresses are still active on the interface.
IPv6 destination unreachable By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, a packet drops and no error message is sent. You can enable the capability to send an IPv6 destination unreachable error message to the source without dropping the packet.
----------------------------------------------------------------C 2001:db86::/32 via 2001:db86:fff::1 ethernet1/1/1 0/0 00:03:24 View IPv6 static information OS10# show ipv6 route static Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF,IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change
If this flag is set to off, OS10 skips the validation process. OS10(conf-ra_guard_policy_list)# managed-config-flag on 5. (Optional) Create an IPv6 prefix, access, or MAC list. This list specifies the condition that is validated against the RA guard packet that is received. You can optionally use an existing IPv6 prefix, access, or MAC list.
retransmit-timer 100 router-life-time 100 router-preference maximum high match ra ipv6-prefix-list example_prefix_list Interfaces Vlans ---------------------------------ethernet1/1/6 vlan1 IPv6 RA guard commands clear ipv6 nd ra-guard statistics Clears the RA packet statistics from all the interfaces that have RA guard policy configured.
ipv6 nd ra-guard attach-policy Applies the RA guard policy to a specific interface. Syntax ipv6 nd ra-guard attach-policy policy-name vlan {all | vlan-id-1, vlan-id-2...vlan-id-n | vlan-id1-vlan-idn} Parameters policy-name—Enter the RA guard policy name. A maximum of 140 characters. Default None Command Mode INTERFACE CONFIGURATION Usage Information NOTE: If you configure the BGP unnumbered feature on a VLAN, do not apply the RA guard policy for that VLAN.
ipv6 nd ra-guard logging enable Enables console logging for RA guard violation. Syntax ipv6 nd ra-guard logging enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information By default, the system logs the first violating packet for a port-VLAN combination. You can control further console logging for RA guard violation using this command. The no form of this command disables console logging. The logs appear on the console as shown: 2020-01-03T12:44:23.
Supported Releases 10.5.2.0 or later managed-config-flag Verifies the advertised managed configuration parameter. Syntax managed-config-flag {on | off} Parameters ● on—Specifies the managed configuration flag as on. ● off—Specifies the managed configuration flag as off.
other-config-flag Verifies the other advertised configuration parameter. Syntax other-config-flag {on | off} Parameters ● on—Enables verification of the other advertised configuration parameter. ● off—Disables verification of the other advertised configuration parameter. Default None Command Mode RA GUARD POLICY LIST CONFIGURATION Usage Information If you do not configure this command, the system bypasses the verification of the other configuration parameter.
router-lifetime Verifies the configured router lifetime value in the received RA packets. Syntax router-lifetime value Parameters value—Enter the router lifetime in seconds, from 0 to 9000. Default None Command Mode RA GUARD POLICY LIST CONFIGURATION Usage Information The no form of this command removes the configuration. Example OS10(conf-ra_guard_policy_list)# router-lifetime 100 Supported Releases 10.5.2.
device-role router hop-limit maximum 254 mtu 1280 other-config-flag on reachable-time 100 retrans-timer 100 router-preference maximum medium Supported Releases 10.5.2.0 or later show ipv6 nd ra-guard policy Displays the configurations applied on all RA guard policies or a specific RA guard policy. Syntax show ipv6 nd ra-guard policy policy-name Parameters policy-name—Name of the policy.
show ipv6 nd ra-guard violation-details Displays the violation details of RA guard in the device. Syntax show ipv6 nd ra-guard violation-details Parameters None Command Mode EXEC Usage Information The system displays up to 50,000 packet violations. If the packet violation count is more than 50000, the details are overwritten.
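The checks that the RA guard policy commands above describe, sketched in Python as an added example (not Dell's implementation and not code from this guide): it decodes a Router Advertisement per RFC 4861 and compares it with a policy whose keys reuse the keyword names shown on the page. The comparison rules (exact match for flags, mtu, lifetime and timers; upper bound for the two maximum keywords; absent keys skipped), the prefix-list contents and both sample packets are assumptions constructed for the illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX, OPT_MTU = 134, 3, 5
# Router preference bits (RFC 4191); the reserved value 0b10 is read as medium.
PREF_NAME = {0b00: "medium", 0b01: "high", 0b10: "medium", 0b11: "low"}
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_ra(icmp):
    """Decode an ICMPv6 Router Advertisement (RFC 4861, section 4.2)."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop, flags, lifetime, reachable, retrans = struct.unpack_from("!BBHII", icmp, 4)
    ra = {
        "hop-limit": hop,
        "managed-config-flag": bool(flags & 0x80),
        "other-config-flag": bool(flags & 0x40),
        "router-preference": PREF_NAME[(flags >> 3) & 0x3],
        "router-lifetime": lifetime,
        "reachable-time": reachable,
        "retrans-timer": retrans,
        "mtu": None,
        "prefixes": [],
    }
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("bad option length")
        if otype == OPT_MTU and olen == 8:
            ra["mtu"] = struct.unpack_from("!I", icmp, off + 4)[0]
        elif otype == OPT_PREFIX and olen == 32:
            packed = icmp[off + 16:off + 32]
            ra["prefixes"].append(
                ipaddress.IPv6Network((packed, icmp[off + 2]), strict=False))
        off += olen
    return ra


def ra_guard_violations(ra, policy):
    """List every mismatch; a keyword missing from the policy is not checked."""
    found = []
    # Assumed rule: exact match (an RA without an MTU option fails an mtu check).
    for key in ("managed-config-flag", "other-config-flag", "router-lifetime",
                "reachable-time", "retrans-timer", "mtu"):
        if key in policy and ra[key] != policy[key]:
            found.append(f"{key}: advertised {ra[key]}, policy {policy[key]}")
    limit = policy.get("hop-limit maximum")
    if limit is not None and ra["hop-limit"] > limit:
        found.append(f"hop-limit maximum: advertised {ra['hop-limit']} > {limit}")
    top = policy.get("router-preference maximum")
    if top is not None and PREF_RANK[ra["router-preference"]] > PREF_RANK[top]:
        found.append(f"router-preference maximum: {ra['router-preference']} > {top}")
    allowed = policy.get("match ra ipv6-prefix-list")
    if allowed is not None:
        for prefix in ra["prefixes"]:
            if not any(prefix.subnet_of(net) for net in allowed):
                found.append(f"match ra ipv6-prefix-list: {prefix} not permitted")
    return found


def build_ra(hop, managed, other, pref, lifetime, reachable, retrans, mtu, prefix):
    """Build a constructed RA body (checksum left at 0, it is not verified here)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (pref << 3)
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, hop, flags,
                       lifetime, reachable, retrans)
    body += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    body += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0)
    return body + net.network_address.packed


# Policy values taken from the page's examples; the prefix is constructed.
POLICY = {
    "hop-limit maximum": 254, "managed-config-flag": True,
    "other-config-flag": True, "mtu": 1280, "router-lifetime": 100,
    "reachable-time": 100, "retrans-timer": 100,
    "router-preference maximum": "medium",
    "match ra ipv6-prefix-list": [ipaddress.IPv6Network("2001:db8:1::/64")],
}
GOOD_RA = build_ra(64, True, True, 0b00, 100, 100, 100, 1280, "2001:db8:1::/64")
ROGUE_RA = build_ra(255, False, True, 0b01, 9000, 100, 100, 1500,
                    "2001:db8:bad::/64")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("rogue", ROGUE_RA)):
        print(name, ra_guard_violations(parse_ra(pkt), POLICY) or "accepted")
```
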
○ For a 40-Gigabit Ethernet interface, enter fortyGigE then the slot/port information. ○ For a port channel interface, enter port-channel then a number. ○ For a VLAN interface, enter vlan then a number from 1 to 4093. ○ virtual-network vn-id — For a virtual network, enter virtual-network then the ID of the network. Defaults None. Command Mode EXEC Usage Information The no version of this command resets the value to the default. Example Supported Releases 10.4.1.
Example OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ipv6 address 2111:dddd:0eee::22/64 Supported Releases 10.3.0E or later ipv6 address autoconfig Acquires global IPv6 addresses by using the network prefix obtained from RAs.
Parameters None Defaults None Command Mode INTERFACE Usage Information Use this command to disable and re-enable IPv6 forwarding on an interface for security purposes or to recover from a duplicate address discovery (DAD) failure. The no version of this command disables IPv6 forwarding. Example OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ipv6 address 2111:dddd:0eee::22/128 OS10(conf-if-eth1/1/1)# no ipv6 enable OS10(conf-if-eth1/1/1)# ipv6 enable Supported Releases 10.3.
Supported Releases 10.4.0E(R1) or later ipv6 hop-by-hop Enables and disables processing hop-by-hop options in IPv6 packet headers. Syntax ipv6 hop-by-hop Parameters None Defaults Hop-by-hop header options in an IPv6 packet do not process on an interface. Command Mode INTERFACE Usage Information ● Use this command to enable local processing of IPv6 packets with hop-by-hop options in conformance with the RFC 8200, IPv6 Specification.
ipv6 nd hop-limit Sets the hop limit advertised in RA messages and included in IPv6 data packets sent by the router. Syntax ipv6 nd hop-limit hops Parameters ● hop-limit hops — Enter the maximum number of hops allowed for RA messages, from 0 to 255. Defaults 64 hops Command Mode INTERFACE Usage Information The configured hop limit is advertised in RA messages and included in IPv6 data packets sent by the router. 0 indicates that no hop limit is specified by the router.
Example OS10(config)# interface ethernet 1/2/3 OS10(conf-if-eth1/2/3)# ipv6 nd max-ra-interval 300 OS10(config)# ipv6 nd max-ra-interval 4 Supported Releases 10.4.0E(R1) or later ipv6 nd mtu Sets the maximum transmission unit (MTU) used on a local link in RA messages. Syntax ipv6 nd mtu number Parameters ● mtu number — Enter the MTU size in bytes, from 1280 to 65535.
● no-advertise — (Optional) Do not advertise the specified prefix. By default, all prefixes in configured subnets advertise. ● no-autoconfig — (Optional) Sets AdvAutonomous to Off for the specified prefix in the radvd.conf file. This setting tells hosts to not use this prefix for address autoconfiguration. By default, AdvAutonomous is On. ● no-rtr-address — (Optional) Sets AdvRouterAddr to Off for the prefix in the radvd.conf file.
Example OS10(config)# interface ethernet 1/2/3 OS10(conf-if-eth1/2/3)# ipv6 nd max-ra-interval 300 Supported Releases 10.4.0E(R1) or later ipv6 nd reachable-time Sets the advertised time the router sees a neighbor to be up after it receives a reachability confirmation. Syntax ipv6 nd reachable-time milliseconds Parameters ● reachable-time milliseconds — Enter the reachable time in milliseconds, from 0 to 3600000.
sending RA messages, the switch must be in Router mode with IPv6 forwarding enabled and stateless autoconfiguration disabled (no ipv6 address autoconfig command). ● The no version of this command disables RA messages. Example OS10(config)# interface ethernet 1/2/3 OS10(conf-if-eth1/2/3)# ipv6 nd send-ra Supported Releases 10.4.0E(R1) or later ipv6 route Configures a static IPv6 route.
Security and Access netadmin and sysadmin Usage Information Use the no version of this command to permit IPv6 routing header Type 0 packets. When configured to permit IPv6 routing header Type 0 packets, OS10 allows normal switching and routing of packets with IPv6 routing header Type 0. However, OS10 switches are compliant with RFC 5095 and drop any IPv6 routing header Type 0 packets that are destined to them.
Command Mode EXEC Usage Information The no version of this command resets the value to the default.
Example (Summary) OS10# show ipv6 route summary Route Source Active Routes Non-Active Routes Ospf 0 0 Bgp 0 0 Connected 0 0 Static 0 0 Ospf Inter-area 0 0 NSSA External-1 0 0 NSSA External-2 0 0 Ospf External-1 0 0 Ospf External-2 0 0 Bgp Internal 0 0 Bgp External 0 0 Ospf Intra-area 0 0 Total 0 0 Supported Releases 10.2.0E or later show ipv6 interface brief Displays IPv6 interface information.
Autonomous system areas OSPF operates in a hierarchy. The largest entity within the hierarchy is the autonomous system (AS). The AS is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS, Interior Gateway Routing Protocol (IGRP) that receives routes from and sends routes to other AS. You can divide an AS into several areas, which are groups of contiguous networks and attached hosts administratively grouped.
Router types Router types are attributes of the OSPF process—multiple OSPF processes may run on the same router. A router connected to more than one area, receiving routing from a BGP process connected to another AS, acts as both an area border router and an autonomous system border router. Each router has a unique ID, written in decimal A.B.C.D format. You do not have to associate the router ID with a valid IP address.
Designated router Maintains a complete topology table of the network and sends updates to the other routers via multicast. All routers in an area form a slave/master relationship with the DR. Every time a router sends an update, the router sends it to the DR and BDR. The DR sends the update to all other routers in the area. Backup designated router Router that takes over if the DR fails. Each router exchanges information with the DR and BDR. The DR and BDR relay information to other routers.
4 Virtual link neighboring router ID Router priority Router priority determines the designated router for the network. The default router priority is 1. When two routers attach to a network, both attempt to become the DR. The router with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero cannot become the DR or BDR.
● max-wait — Configure the maximum amount of hold time that can delay an SPF calculation, from 1 to 600000 milliseconds; default 10000. Enable SPF throttling (OSPFv2) OS10(config)# router ospf 100 OS10(config-router-ospf-100)# timers spf 1200 2300 3400 Enable SPF throttling (OSPFv3) OS10(config)# router ospfv3 10 OS10(config-router-ospf-10)# timers spf 2000 3000 4000 View OSPFv2 SPF throttling OS10(config-router-ospf-100)# do show ip ospf Routing Process ospf 100 with ID 12.1.1.
Configure redistribute routes OS10(conf-router-ospf-10)# redistribute bgp 4 route-map aloha OS10(conf-router-ospf-10)# redistribute connected route-map aloha OS10(conf-router-ospf-10)# redistribute static route-map aloha Before Release 10.5.2.0, the redistribute command redistributed active and inactive route paths. By default, from Release 10.5.2.0 and beyond, this command redistributes only active route paths. If you have configured route redistribution, when you upgrade to Release 10.5.2.
In OSPFv2, neighbors on broadcast and non-broadcast multiple access (NBMA) network links are identified by their interface addresses, while neighbors on other types of links are identified by router-identifiers (RID). Enable OSPFv2 OSPFv2 is disabled by default. Configure at least one interface as either Physical or Loopback and assign an IP address to the interface. You can assign any area besides area 0 a number ID.
2. Enable OSPF and configure an OSPF instance in VRF CONFIGURATION mode. router ospf instance-number vrf vrf-name 3. Enter the interface information to configure the interface for OSPF in INTERFACE mode. interface ethernet node/slot/port[:subport] 4. Enable the interface in INTERFACE mode. no shutdown 5. Disable the default switchport configuration and remove it from an interface or a LAG port in INTERFACE mode. no switchport 6.
Assign router ID OS10(config)# router ospf 10 OS10(conf-router-ospf-10)# router-id 10.10.1.5 View OSPFv2 status OS10# show ip ospf 10 Routing Process ospf 10 with ID 10.10.1.5 Supports only single TOS (TOS0) routes It is an Autonomous System Boundary Router It is Flooding according to RFC 2328 Convergence Level 0 Min LSA origination 0 msec, Min LSA arrival 1000 msec Min LSA hold time 5000 msec, Max LSA wait time 5000 msec Number of area in this router is 1, normal 1 stub 0 nssa 0 Area (0.0.0.
Passive interfaces A passive interface does not send or receive routing information. Configuring an interface as a passive interface suppresses both receiving and sending routing updates. Although the passive interface does not send or receive routing updates, the network on that interface is included in OSPF updates sent through other interfaces. 1. Enter an interface type in INTERFACE mode. interface ethernet node/slot/port[:subport] 2. Configure the interface as a passive interface in INTERFACE mode.
It is an Autonomous System Border Router It is an Area Border Router It is Flooding according to RFC 2328 Convergence Level 1 Min LSA origination 0 msec, Min LSA arrival 0 msec Min LSA hold time 0 msec, Max LSA wait time 0 msec Number of area in this router is 3, normal 1 stub 1 nssa 1 Area BACKBONE (0) Number of interface in this area is 1 SPF algorithm executed 28 times Area ranges are Area (2) Number of interface in this area is 1 SPF algorithm executed 28 times Area ranges are Area (3) Number of inte
7. Change the wait period between link state update packets sent out the interface in INTERFACE mode, from 1 to 3600. The default wait period is 1. The transmit delay must be the same on all routers in the OSPF network.
Graceful restart
When a networking device restarts, the adjacent neighbors and peers detect the condition. During a graceful restart, the restarting device and neighbors continue to forward the packets without interrupting network performance. The neighbors that help in the restart process are called helper routers. When you enable graceful restart, the restarting device retains the routes learned by OSPF in the forwarding table.
● Is OSPF enabled on the interface?
● Are adjacencies established correctly?
● Are the interfaces configured for L3 correctly?
● Is the router in the correct area type?
● Are the OSPF routes included in the OSPF database?
● Are the OSPF routes included in the routing table in addition to the OSPF database?
● Are you able to ping the IPv4 address of the adjacent router interface?
Troubleshooting OSPF with show commands
● View a summary of all OSPF process IDs enabled in EXEC mode.
Default Cost is 1
Command Mode ROUTER-OSPF
Usage Information The cost is also referred to as reference-bandwidth or bandwidth. Use the area default-cost command on the border routers at the edge of a stub area. The no version of this command resets the value to the default.
Example OS10(conf-router-ospf-10)# area 10.10.1.5 default-cost 10
Supported Releases 10.2.0E or later
area nssa
Defines an area as an NSSA.
area stub
Defines an area as the OSPF stub area.
Syntax area area-id stub [no-summary]
Parameters
● area-id—Set the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-summary—(Optional) Prevents an ABR from sending summary LSAs into the stub area.
Default Not configured
Command Mode ROUTER-OSPF
Usage Information The no version of this command deletes a stub area.
Example Supported Releases
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# area 10.10.1.
clear ip ospf statistics Clears OSPF traffic statistics. Syntax clear ip ospf [instance-number] [vrf vrf-name] statistics Parameters ● instance-number — (Optional) Enter an OSPF instance number, from 1 to 65535. ● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to clear OSPF traffic statistics in that configured VRF.
default-metric
Assigns a metric value to redistributed routes for the OSPF process.
Syntax default-metric number
Parameters number — Enter a default-metric value, from 1 to 16777214.
Default Not configured
Command Mode ROUTER-OSPF
Usage Information The no version of this command disables the default-metric configuration.
Example OS10(conf-router-ospf-10)# default-metric 2000
Supported Releases 10.2.
ip ospf area Attaches an interface to an OSPF area. Syntax ip ospf process-id area area-id Parameters ● process-id — Set an OSPF process ID for a specific OSPF process, from 1 to 65535. ● area area-id — Enter the OSPF area ID in dotted decimal A.B.C.D format or enter an area ID number, from 1 to 65535. Default Not configured Command Mode INTERFACE Usage Information The no version of this command removes an interface from an OSPF area.
ip ospf dead-interval
Sets the time interval since the last hello-packet was received from a router. After the interval elapses, the neighboring routers declare the router dead.
Syntax ip ospf dead-interval seconds
Parameters seconds — Enter the dead interval value in seconds, from 1 to 65535.
Default 40 seconds
Command Mode INTERFACE
Usage Information The dead interval is four times the default hello-interval by default. The no version of this command resets the value to the default.
ip ospf mtu-ignore Disables MTU size detection on received Database Descriptor (DBD) packets when forming OSPFv3 adjacency. Syntax ip ospf mtu-ignore Parameters None Default Not configured Command Mode INTERFACE Usage Information If the MTU size of the peer interface is greater than the local interface, switches that run OSPF do not form adjacencies with neighbors. Use this command to override this behavior and form adjacency.
Example OS10(conf-if-eth1/1/6)# ip ospf passive
Supported Releases 10.2.0E or later
ip ospf priority
Sets the priority of the interface to determine the DR for the OSPF network.
Syntax ip ospf priority number
Parameters number — Enter a router priority number, from 0 to 255.
Default 1
Command Mode INTERFACE
Usage Information When two routers attached to a network attempt to become the DR, the one with the higher router priority takes precedence.
Supported Releases 10.2.0E or later
log-adjacency-changes
Enables logging of syslog messages regarding changes in the OSPF adjacency state.
Syntax log-adjacency-changes
Parameters None
Default Disabled
Command Mode ROUTER-OSPF
Usage Information The no version of this command resets the value to the default.
Example OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# log-adjacency-changes
Supported Releases 10.2.
redistribute
Redistributes information from another routing protocol or routing instance to the OSPFv2 process.
Syntax redistribute {bgp as-number| imported-ospf-routes | connected | static} [route-map map-name]
Parameters
● as-number — Enter an autonomous system number to redistribute BGP routing information throughout the OSPF instance, from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (dotted format).
● connected — Enter the information from the connected active routes on interfaces to redistribute.
● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to configure an OSPF instance in that VRF.
Default Not configured
Command Mode CONFIGURATION
Usage Information Assign an IP address to an interface before using this command. The no version of this command deletes an OSPF instance.
Example OS10(config)# router ospf 10 vrf vrf-test
Supported Releases 10.2.0E or later
show ip ospf
Displays OSPF instance configuration information.
connected areas display. You can determine if an ASBR is in a directly connected area by the flags. For ASBRs in a directly connected area, E flags are set.
Example
OS10# show ip ospf 10 asbr
RouterID     Flags     Cost   Nexthop      Interface   Area
112.2.1.1    E/-/-/    1      110.1.1.2    vlan3050    0.0.0.0
111.2.1.1    E/-/-/    0      0.0.0.0      -           -
Supported Releases 10.2.0E or later
show ip ospf database
Displays all LSA information. You must enable OSPF to generate output.
show ip ospf database asbr-summary Displays information about AS boundary LSAs. Syntax show ip ospf [process-id] database asbr-summary Parameters ● process-id—(Optional) Displays the AS boundary LSA information for a specified OSPF process ID. If you do not enter a process ID, this applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the AS boundary LSA information for a OSPF process ID corresponding to the specified VRF.
● Link State ID — Identifies the router ID.
● Advertising Router — Identifies the advertising router’s ID.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
● Network Mask — Identifies the network mask implemented on the area.
● TOS — Displays the ToS options. The only option available is zero.
● Metric — Displays the LSA metric.
Example
Network (Area 0.0.0.0)
LS age: 1356
Options: (No TOS-capability, No DC, E)
LS type: Network
Link State ID: 110.1.1.2
Advertising Router: 112.2.1.1
LS Seq Number: 0x80000008
Checksum: 0xd2b1
Length: 32
Network Mask: /24
Attached Router: 111.2.1.1
Attached Router: 112.2.1.1
Supported Releases 10.2.0E or later
show ip ospf database nssa external
Displays information about the NSSA-External Type 7 LSA.
External Route Tag: 0 LS age: 70 Options: (No TOS-Capability, No DC, No Type 7/5 translation) LS type: NSSA External Link State ID: 0.0.0.0 Advertising Router: 2.2.2.2 LS Seq Number: 0x80000001 Checksum: 0x2526 Length: 36 Network Mask: /0 Metric Type: 1 TOS: 0 Metric: 0 Forward Address: 0.0.0.0 External Route Tag: 0 LS age: 65 Options: (No TOS-Capability, No DC, No Type 7/5 translation) LS type: NSSA External Link State ID: 12.1.1.0 Advertising Router: 2.2.2.
Parameters ● process-id — (Optional) Displays the opaque-area Type 10 information for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the opaque-area Type 10 information for an OSPF process ID corresponding to a VRF. Default Not configured Command Mode EXEC Usage Information ● ● ● ● ● ● ● ● ● ● Example LS Age — Displays the LS age. Options — Displays the optional capabilities available on the router.
● Opaque ID — Identifies the Opaque type-specific ID, the remaining 24 bits of the LS ID. Example OS10# show ip ospf 100 database opaque-as OSPF Router with ID (1.1.1.1) (Process ID 100) Type-11 AS Opaque LS age: 3600 Options: (No TOS-Capability, No DC) LS type: Type-11 AS Opaque Link State ID: 8.1.1.3 Advertising Router: 2.2.2.2 LS Seq Number: 0x8000000D Checksum: 0x61D3 Length: 36 Opaque Type: 8 Opaque ID: 65795 Supported Releases 10.2.
Supported Releases 10.2.0E or later show ip ospf database router Displays information about the router Type 1 LSA. Syntax show ip ospf process-id [vrf vrf-name] database router Parameters ● process-id — (Optional) Displays the router Type 1 LSA for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the router Type 1 LSA for an OSPF process ID corresponding to a VRF.
Supported Releases 10.2.0E or later show ip ospf database summary Displays the network summary Type 3 LSA routing information. Syntax show ip ospf [process-id] [vrf vrf-name] database summary Parameters ● process-id—(Optional) Displays LSA information for a specific OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays LSA information for a specified OSPF process ID corresponding to a VRF.
○ port channel — Enter the port-channel interface number, from 1 to 128. ○ vlan — Enter the VLAN interface number, from 1 to 4093. Default Not configured Command Mode EXEC Example Supported Releases OS10# show ip ospf 10 interface ethernet1/1/1 is up, line protocol is up Internet Address 110.1.1.1/24, Area 0.0.0.0 Process ID 10, Router ID 1.1.1.
Default Not configured Command Mode EXEC Usage Information This command displays OSPFv2 traffic statistics for a specified instance or interface, or for all OSPFv2 instances and interfaces.
112.112.112.1 112.112.112.2 Supported Releases -/B/-/ -/B/-/ 2 2 110.1.1.2 110.1.1.2 Vl 3050 Vl 3050 0 0 10.2.0E or later summary-address Configures a summary address for an ASBR to advertise one external route as an aggregate for all redistributed routes covered by a specified address range. Syntax summary-address ip-address/mask [not-advertise | tag tag-value] Parameters ● ip-address/mask—Enter the IP address to summarize along with the mask.
Default ● start-time — 1000 milliseconds ● hold-time — 10000 milliseconds ● max-wait — 10000 milliseconds Command Mode ROUTER-OSPF Usage Information By default, SPF timers are disabled in an OSPF instance. Use SPF throttling to delay SPF calculations during periods of network instability. In an OSPF network, a topology change event triggers an SPF calculation after a start time. When the start timer finishes, a hold time may delay the next SPF calculation for an additional time.
Supported Releases 10.2.0E or later
OSPFv3
OSPFv3 is an IPv6 link-state routing protocol that supports IPv6 unicast address families (AFs). OSPFv3 is disabled by default. You must configure at least one interface, either physical or Loopback. The OSPF process automatically starts when OSPFv3 is enabled for one or more interfaces. Any area besides area 0 can have any number ID assigned to it.
Enable OSPFv3
1. Enable OSPFv3 globally and configure an OSPFv3 instance in CONFIGURATION mode.
5. Disable the default switchport configuration and remove it from an interface or a LAG port in INTERFACE mode.
no switchport
6. Associate the interface with the non-default VRF instance that you created earlier.
ip vrf forwarding vrf-name
7. Enable the OSPFv3 on an interface.
ipv6 ospfv3 process-id area area-id
● process-id — Enter the OSPFv3 process ID for a specific OSPFv3 process, from 1 to 65535.
● area-id — Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
Number of interface in this area is 1
SPF algorithm executed 42 times
Configure Stub Areas
Type 5 LSAs are not flooded into stub areas. The ABR advertises a default route into the stub area where it is attached. Stub area routers use the default route to reach external destinations.
1. Enable OSPFv3 routing and enter ROUTER-OSPFv3 mode, from 1 to 65535.
router ospfv3 instance number
2. Configure an area as a stub area in ROUTER-OSPFv3 mode.
Enable Passive Interfaces
A passive interface is one that does not send or receive routing information. Configuring an interface as a passive interface suppresses both receiving and sending of routing updates. Although the passive interface does not send or receive routing updates, the network on that interface is included in OSPF updates sent through other interfaces. You can remove an interface from passive interfaces using the no ipv6 ospf passive command.
1. Enter an interface type in INTERFACE mode.
5. Change the priority of the interface, which determines the DR for the OSPFv3 broadcast network in INTERFACE mode, from 0 to 255. The default is 1. ipv6 ospf priority number 6. Change the default setting to ignore the MTU mismatch with the peer, when the MTU size of the peer interface is higher than the local MTU size.
● AH authentication verifies that data is not altered during transmission and ensures that users are communicating with the intended individual or organization. The authentication header is inserted after the IP header with a value of 51. MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported.
● ESP encryption encapsulates data, enabling data protection that follows in the datagram.
When you configure encryption on an interface, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an interface for IPsec authentication using the ipv6 ospf authentication ipsec command. To configure encryption, you must first delete the authentication policy.
● Enable IPsec encryption for OSPFv3 packets in Interface mode.
IPsec encryption for OSPFv3 area
Prerequisite: Before you enable IPsec encryption for an OSPFv3 area, first enable OSPFv3 globally on the router.
When you configure encryption at the area level, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an IPsec area authentication using the area ospf authentication ipsec command. To configure encryption, you must first delete the authentication policy.
● View the configuration of OSPF neighbors connected to the local router in EXEC mode.
show ipv6 ospf neighbor
View OSPF Configuration
OS10# show running-configuration ospfv3
!
interface ethernet1/1/1
 ip ospf 100 area 0.0.0.0
!
router ospf 100
 log-adjacency-changes
OSPFv3 Commands
area authentication
Configures authentication for an OSPFv3 area.
Syntax area area-id authentication ipsec spi number {MD5 | SHA1} key
Parameters ● ● ● ● ●
Default OSPFv3 area authentication is not configured.
Command Mode ROUTER-OSPFv3
Usage Information
● Before you enable IPsec encryption for an OSPFv3 area, you must enable OSPFv3 globally on each router.
● When you configure encryption at the area level, both IPsec encryption and authentication are enabled. You cannot configure encryption if you have already configured an IPsec area authentication using the area ospf authentication ipsec command. To configure encryption, you must first delete the authentication policy.
Supported Releases 10.3.0E or later clear ipv6 ospf process Clears all OSPFv3 routing tables. Syntax clear ipv6 ospf {instance-number} [vrf vrf-name] process Parameters ● instance-number — Enter an OSPFv3 instance number, from 1 to 65535. ● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to clear OSPFv3 processes in that VRF. Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# clear ipv6 ospf 3 process 10.3.
Supported Releases OS10 legacy command.
default-information originate
Generates and distributes default external route information to the OSPFv3 routing domain.
Syntax default-information originate [always]
Parameters always — (Optional) Always advertise the default route.
Defaults Disabled
Command Mode ROUTER-OSPFv3
Usage Information The no version of this command disables the distribution of the default route.
Usage Information Example Supported Releases
● Before you enable IPsec authentication on an OSPFv3 interface, you must enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area.
● The SPI value must be unique to one IPsec authentication or encryption security policy on the router. You cannot configure the same SPI value on another interface even if it uses the same authentication or encryption algorithm.
ipv6 ospf encryption
Configures OSPFv3 encryption on an IPv6 interface.
Syntax ipv6 ospf encryption {ipsec spi number esp encryption-type key authentication-type key | null}
Parameters
● ipsec spi number — Enter a unique security policy index number, from 256 to 4294967295.
● esp encryption-type — Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
● key — Enter the text string used in the encryption algorithm.
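The SPI rules above (range 256 to 4294967295, one SPI per policy on the router, no encryption on an interface that already has an authentication policy) can be checked offline against a saved configuration. The following audit is an added example, not Dell EMC code; the sample configuration is constructed, the interface-level authentication form is assumed to mirror the area-level syntax, and treating DES and NULL as weak is this example's own policy.

```python
import re

SPI_MIN, SPI_MAX = 256, 4294967295   # SPI range from the parameter list on this page
WEAK_ESP = {"des", "null"}           # assumed audit policy: DES is obsolete, NULL gives no confidentiality

# Constructed sample, not captured from a switch. Command forms follow the syntax
# lines on this page; the interface-level authentication form is assumed to mirror
# the area-level one. Key strings are placeholders.
SAMPLE_CONFIG = """\
interface ethernet1/1/1
 ipv6 ospfv3 100 area 0.0.0.0
 ipv6 ospf authentication ipsec spi 400 md5 <KEY-1>
!
interface ethernet1/1/2
 ipv6 ospfv3 100 area 0.0.0.0
 ipv6 ospf encryption ipsec spi 400 esp des <KEY-2> sha1 <KEY-3>
!
interface ethernet1/1/3
 ipv6 ospfv3 100 area 0.0.0.1
 ipv6 ospf authentication ipsec spi 100 sha1 <KEY-4>
 ipv6 ospf encryption ipsec spi 501 esp aes-cbc <KEY-5> sha1 <KEY-6>
!
interface ethernet1/1/4
 ipv6 ospfv3 100 area 0.0.0.1
 ipv6 ospf encryption ipsec spi 502 esp aes-cbc <KEY-7> sha1 <KEY-8>
"""

POLICY_RE = re.compile(
    r"^ipv6 ospf (authentication|encryption) ipsec spi (\d+)(?: esp (\S+))?",
    re.IGNORECASE,
)


def parse_policies(config):
    """Return (interface, kind, spi, esp_cipher) for every interface IPsec policy."""
    policies, iface = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            # Top-level line: remember the interface name, or leave interface context.
            iface = line.split(None, 1)[1] if line.startswith("interface ") else None
            continue
        match = POLICY_RE.match(line)
        if iface and match:
            kind, spi, esp = match.groups()
            policies.append((iface, kind.lower(), int(spi), esp.lower() if esp else None))
    return policies


def audit(config):
    """Return sorted (finding, subject) tuples; key strings are never captured or reported."""
    findings, users_of_spi, kinds_on = set(), {}, {}
    for iface, kind, spi, esp in parse_policies(config):
        users_of_spi.setdefault(spi, set()).add(iface)
        kinds_on.setdefault(iface, set()).add(kind)
        if not SPI_MIN <= spi <= SPI_MAX:
            findings.add(("spi-out-of-range", f"{iface} spi {spi}"))
        if esp in WEAK_ESP:
            findings.add(("weak-esp-cipher", f"{iface} {esp}"))
    for spi, ifaces in users_of_spi.items():
        if len(ifaces) > 1:          # same SPI on more than one interface
            findings.add(("spi-reused", f"spi {spi} on {', '.join(sorted(ifaces))}"))
    for iface, kinds in kinds_on.items():
        if kinds == {"authentication", "encryption"}:   # mutually exclusive per this page
            findings.add(("auth-and-encryption", iface))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding:22} {subject}")
```

Running the audit over configuration templates before they are pushed catches SPI collisions across interfaces that the switch would otherwise reject one command at a time.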
ipv6 ospf mtu-ignore Disables MTU size detection on received Database Descriptor (DBD) packets when forming OSPFv3 adjacency. Syntax ipv6 ospf mtu-ignore Parameters None Default Not configured Command Mode INTERFACE Usage Information If the MTU size of the peer interface is greater than the local interface, switches that run OSPFv3 do not form adjacencies with neighbors. Use this command to override this behavior and form adjacency.
network information corresponding to these loopback interfaces is still announced in OSPF LSAs that are sent through other interfaces configured for OSPF.
Example OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# ipv6 ospf passive
Supported Releases 10.3.0E or later
ipv6 ospf priority
Sets the priority of the interface to determine the DR for the OSPFv3 network.
Syntax ipv6 ospf priority number
Parameters number — Enter a router priority number, from 0 to 255.
Usage Information The no version of this command resets the value to the default.
Example OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# maximum-paths 1
Supported Releases 10.3.0E or later
redistribute
Redistributes information from another routing protocol or routing instance to the OSPFv3 process.
router ospfv3 Enters Router OSPFv3 mode and configures an OSPFv3 instance. Syntax router ospfv3 instance-number [vrf vrf-name] Parameters ● instance-number—Enter a router OSPFv3 instance number, from 1 to 65535. ● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to configure an OSPFv3 instance in that VRF. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes an OSPFv3 instance.
show ipv6 ospf database Displays all LSA information. You must enable OSPFv3 to generate output. Syntax show ipv6 ospf process-id [vrf vrf-name] database Parameters ● process-id — Enter the OSPFv3 process ID to view a specific process. If you do not enter a process ID, the command applies to all the configured OSPFv3 processes. ● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to display LSA information for that VRF.
○ port-channel — Port-channel interface, from 1 to 128. ○ vlan — VLAN interface, from 1 to 4093. ● vrf vrf-name — (Optional) Enter the keyword vrf followed by the name of the VRF to display the configured OSPFv3 enabled interfaces in that VRF. Default Not configured Command Mode EXEC Example Supported Releases OS10# show ipv6 ospf interface ethernet1/1/1 is up, line protocol is up Link Local Address fe80::20c:29ff:fe0a:d59/64, Interface ID 5 Area 0.0.0.0, Process ID 200, Instance ID 0, Router ID 10.0.
○ port-channel number — Enter the port-channel interface number, from 1 to 128. ○ vlan vlan-id — Enter the VLAN ID number, from 1 to 4093. Default Not configured Command Mode EXEC Usage Information This command displays OSPFv3 traffic statistics for a specified instance or interface, or for all OSPFv3 instances and interfaces.
If you do not specify a start-time, hold-time, or max-wait value, the default values are used. The no version of this command removes the configured SPF timers and disables SPF throttling in an OSPF instance. Example OS10(config)# router ospfv3 100 OS10(config-router-ospfv3-100)# timers spf 1345 2324 9234 OS10(config-router-ospfv3-100)# do show ipv6 ospf Routing Process ospfv3 100 with ID 129.240.244.
Figure 10. Object tracking
Interface tracking
You can create an object that tracks the line-protocol state of an L2 interface, and monitors its operational up or down status. You can configure up to 500 objects. Each object is assigned a unique ID. When the link-level status goes down, the tracked resource status is also considered Down. If the link-level status goes up, the tracked resource status is also considered Up.
2. (Optional) Enter interface object tracking on the line-protocol state of an L2 interface in OBJECT TRACKING mode.
interface interface line-protocol
3. (Optional) Configure the time delay used before communicating a change to the status of a tracked interface in OBJECT TRACKING mode, from 0 to 80 seconds; default 0.
delay [up seconds] [down seconds]
4. (Optional) View the tracked object information in EXEC mode.
show track object-id
5. (Optional) View all interface object information in EXEC mode.
OS10 (conf-track-2)# do show track 2 IP Host 1.1.1.
View interface object tracking information
OS10# show track interface
TrackID Resource Parameter Status LastChange
--------------------------------------------------------------------------------
1 line-protocol ethernet1/1/1 DOWN 2017-02-03T08:41:25Z1
OS10# show track ip
TrackID Resource Parameter Status LastChange
--------------------------------------------------------------------------------
2 ipv4-reachablity 1.1.1.
● loopback — Enter the Loopback interface identifier.
● mgmt — Enter the Management interface.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(conf-track-100)# interface ethernet line-protocol
Supported Releases 10.3.0E or later
ip reachability
Configures an object to track a specific next-hop host's reachability.
Syntax ip host-ip-address reachability
Parameters host-ip-address — Enter the IPv4 host address.
Defaults 0 seconds Command Mode CONFIGURATION Usage Information Set the interval to 0 to disable the refresh. Example Supported Releases OS10(conf-track-100)# reachability-refresh 600 10.3.0E or later show track Displays tracked object information. Syntax show track [brief] [object-id] [interface] [ip | ipv6] Parameters ● ● ● ● ● Defaults None Command Mode CONFIGURATION Usage Information None Example (Brief) Supported Releases brief — (Optional) Displays brief tracked object information.
Policy-based routing
PBR provides a mechanism to redirect IPv4 and IPv6 data packets based on policies that you define, overriding the switch’s forwarding decisions based on the routing table.
Policy-based route-maps
A route-map is an ordered set of rules that controls the redistribution of IP routes into a protocol domain. When you enable PBR on an interface, all IPv4 or IPv6 data packets are processed based on the policies that you define in the route-maps.
Apply match and set parameters to IPv6 route-map
OS10(conf-route-map)# route-map map1
OS10(conf-route-map)# match ipv6 address acl8
OS10(conf-route-map)# set ipv6 next-hop 20::20
Assign route-map to interface
You can assign a route-map to an interface for IPv4 or IPv6 policy-based routing.
● Assign the IPv4 or IPv6 policy-based route-map to an interface in INTERFACE mode.
Policy-based routing per VRF Configure PBR per VRF instance for both IPv4 and IPv6 traffic flows. Policy-based routing (PBR) enables packets with certain match criteria, such as packets from specific source and destination addresses, to be re-directed to a different next-hop. You can also use PBR to re-direct packets arriving on a VRF instance to a next-hop that is reachable through a different VRF instance.
SW1 VLAN configuration
● Create a VLAN and assign an IP address to it which acts as the gateway for the hosts in the VM.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.1/24
OS10(conf-if-vl-100)# exit
● Create another VLAN, and assign an IP address to it.
OS10# configure terminal
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# no shutdown
OS10(conf-if-vl-200)# ip address 10.2.1.
3. Specify the management IP address of the VLT peer as a backup link. OS10(conf-vlt-1)# backup destination 10.10.10.2 4. Configure VLT port channels.
OS10(conf-if-vl-200)# ip address 10.2.1.3/24
OS10(conf-if-vl-200)# exit
VLT configuration
1. Create a VLT domain, and configure VLTi.
OS10(config)# interface range ethernet 1/1/4-1/1/5
OS10(conf-range-eth1/1/4-1/1/5)# no switchport
OS10(conf-range-eth1/1/4-1/1/5)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5
2. Configure a VLT MAC address.
OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54
3. Specify the management IP address of the VLT peer as a backup link.
Using the following PBR configuration, you can re-direct traffic ingressing to VRF RED to a destination that is reachable through the next-hop IP address 2.2.2.2 in VRF BLUE:
1. Create a route-map.
OS10(config)# route-map test
2. Enter the IP address to match the specified access list.
OS10(config-route-map)# match ip 4.4.4.4 acl1
3. Set the next-hop address to 2.2.2.2, which is reachable through VRF BLUE.
OS10(config-route-map)#
OS10(config-route-map)# set ip vrf BLUE next-hop 2.2.2.
ip ip-address reachability vrf vrf-name
OS10(conf-track-200)#
OS10(conf-track-200)# ip 1.1.1.1 reachability vrf red
OS10(conf-track-200)#exit
3. Configure the route-map.
route-map route-map-name
OS10(config-route-map)#
OS10(config-route-map)# match ip address acl1
4. Set the track ID configured in step 1 to the route-map.
set ip vrf vrf-name next-hop next-hop-address track-id track-id-number
OS10(config-route-map)# set ip vrf red next-hop 1.1.1.1 track-id 200
5.
seq 30 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 21
seq 40 permit icmp 10.99.0.0/16 10.0.0.0/8
● Create a route-map to block specific traffic from PBR processing.
route-map TEST-RM deny 5
 match ip address TEST-ACL-DENY
● Create a route-map to permit traffic for PBR processing.
route-map TEST-RM permit 10
 match ip address TEST-ACL
 set ip next-hop 10.0.40.235
● Apply the policy to the previously created interface.
PBR commands
clear route-map pbr-statistics
Clears all PBR counters.
Syntax clear route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example OS10# clear route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
match address
Matches the access-list to the route-map.
Syntax match {ip | ipv6} address [name]
Parameters name—Enter the name of an access-list.
route-map pbr-statistics Enables counters for PBR statistics. Syntax route-map [map-name] pbr-statistics Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters. Defaults Not configured Command Mode CONFIGURATION Usage Information None Example Supported Releases OS10(config)# route-map map1 pbr-statistics 10.3.0E or later set next-hop Sets an IPv4 or IPv6 next-hop address for policy-based routing.
Command Mode ROUTE-MAP
Usage Information You must configure next-hop IP address tracking and PBR next-hop with the same VRF instance. For next-hop reachability in the same VRF instance, you must configure both PBR per VRF and object tracking. Missing either the next-hop IP address tracking or PBR next-hop configuration in a VRF instance results in an erroneous configuration. However, the system does not display an error message indicating problems in the configuration.
VRRP:
● Provides a virtual default routing platform
● Provides load balancing
● Supports multiple logical IP subnets on a single LAN segment
● Enables simple traffic routing without the single point of failure of a static default route
● Avoids issues with dynamic routing and discovery protocols
● Takes over a failed default router:
○ Within a few seconds
○ With a minimum of VRRP traffic
○ Without any interaction from hosts
NOTE:
● The default behavior of VRRP is active-active.
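Because the switch accepts a PBR next-hop whose tracked object sits in a different VRF without reporting an error, the mismatch has to be caught by reviewing the configuration. The following check is an added example, not Dell EMC code; the sample configuration is constructed from the command forms shown in this section, and the address comparison is an extra sanity check that assumes the tracked host is meant to be the next hop.

```python
import re

# Constructed sample, not captured from a switch; command forms follow this page.
SAMPLE_CONFIG = """\
track 200
 ip 1.1.1.1 reachability vrf red
!
track 201
 ip 2.2.2.2 reachability
!
track 202
 interface ethernet 1/1/7 line-protocol
!
route-map good
 match ip address acl1
 set ip vrf red next-hop 1.1.1.1 track-id 200
!
route-map wrong-vrf
 match ip address acl1
 set ip vrf BLUE next-hop 2.2.2.2 track-id 201
!
route-map no-track
 match ip address acl1
 set ip vrf red next-hop 3.3.3.3 track-id 300
!
route-map not-ip
 match ip address acl1
 set ip vrf red next-hop 4.4.4.4 track-id 202
!
route-map wrong-ip
 match ip address acl1
 set ip vrf red next-hop 1.1.1.9 track-id 200
"""

TRACK_IP_RE = re.compile(r"^ip (\S+) reachability(?: vrf (\S+))?$")
SET_RE = re.compile(r"^set ip vrf (\S+) next-hop (\S+) track-id (\d+)$")


def parse(config):
    """Return ({track_id: (host, vrf) or None}, [(route_map, vrf, next_hop, track_id)])."""
    tracks, nexthops, ctx = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        words = line.split()
        if not raw[0].isspace():                       # top-level line opens a new context
            if words[0] == "track" and len(words) == 2 and words[1].isdigit():
                ctx = ("track", int(words[1]))
                tracks.setdefault(ctx[1], None)        # None until an IP reachability line is seen
            elif words[0] == "route-map" and len(words) >= 2:
                ctx = ("route-map", words[1])
            else:
                ctx = None
        elif ctx and ctx[0] == "track":
            match = TRACK_IP_RE.match(line)
            if match:
                tracks[ctx[1]] = (match.group(1), match.group(2))   # vrf None = default VRF
        elif ctx and ctx[0] == "route-map":
            match = SET_RE.match(line)
            if match:
                vrf, addr, tid = match.groups()
                nexthops.append((ctx[1], vrf, addr, int(tid)))
    return tracks, nexthops


def audit(config):
    """Return (finding, route_map, track_id) for every inconsistent tracked next-hop."""
    tracks, nexthops = parse(config)
    findings = []
    for rmap, vrf, addr, tid in nexthops:
        if tid not in tracks:
            findings.append(("track-missing", rmap, tid))
        elif tracks[tid] is None:
            findings.append(("track-not-ip-reachability", rmap, tid))
        else:
            t_addr, t_vrf = tracks[tid]
            if t_vrf != vrf:                           # the silent misconfiguration described above
                findings.append(("vrf-mismatch", rmap, tid))
            if t_addr != addr:                         # extra check, assumption of this example
                findings.append(("address-mismatch", rmap, tid))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```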
The example shows a typical network configuration using VRRP. Instead of configuring the hosts on network 10.10.10.0 with the IP address of either Router A or Router B as the default router, the default router of all hosts is set to the IP address of the virtual router. When any host on the LAN segment requests Internet access, it sends packets to the IP address of the virtual router.
interface ethernet 1/1/5
 ip address 10.10.10.1/24
!
 vrrp-group 254
 no shutdown
...
Group version
Configure a VRRP version for the system. Define either VRRPv2 — vrrp version 2 or VRRPv3 — vrrp version 3.
● Configure the VRRP version for IPv4 in INTERFACE mode.
vrrp version
Configure VRRP version 3
OS10(config)# vrrp version 3
1. Set the switch with the lowest priority to vrrp version 2.
2. Set the switch with the highest priority to vrrp version 3.
3. Set all switches from vrrp version 2 to vrrp version 3.
1. Configure a VRRP group in INTERFACE mode, from 1 to 255.
vrrp-group vrrp-id
2. Configure virtual IP addresses for this VRRP ID in INTERFACE-VRRP mode. A maximum of 10 IP addresses.
virtual-address ip-address1 [...ip-address10]
Configure virtual IP address
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# vrrp-group 10
OS10(conf-eth1/1/1-vrid-10)# virtual-address 10.1.1.
Configure virtual IP address in a VRF
You can configure a VRRP group in a non-default VRF instance and assign a virtual address to this group. To configure VRRP under a specific VRF:
1. Create the non-default VRF in which you want to configure VRRP.
ip vrf vrf-name
CONFIGURATION Mode
2. In the VRF Configuration mode, enter the desired interface.
interface interface-id
VRF CONFIGURATION Mode
3. Remove the interface from L2 switching mode.
no switchport
INTERFACE CONFIGURATION Mode
4.
Set VRRP group priority
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# vrrp-group 254
OS10(conf-eth1/1/5-vrid-254)# priority 200
Verify VRRP group priority
OS10(conf-eth1/1/5-vrid-254)# do show vrrp 254
Interface : ethernet1/1/5
IPv4 VRID : 254
Primary IP Address : 10.1.1.1
State : master-state
Virtual MAC Address : 00:00:5e:00:01:01
Version : version-3
Priority : 200
Preempt :
Hold-time :
Authentication : no-authentication
Virtual IP address : 10.1.1.
You must configure all virtual routers in the VRRP group with the same settings. Configure all routers with preempt enabled or configure all with preempt disabled. 1. Create a virtual router for the interface with the VRRP identifier in INTERFACE mode, from 1 to 255. vrrp-group vrrp-id 2. Prevent any backup router with a higher priority from becoming the Master router in INTERFACE-VRRP mode.
Change advertisement interval OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# vrrp-group 1 OS10(conf-eth1/1/1-vrid-1)# advertise-interval centisecs 200 View running configuration OS10(conf-eth1/1/1-vrid-1)# do show running-configuration ! Version 10.1.9999P.2281 ! Last configuration change at Jul 26 12:22:33 2016 ! aaa authentication system:local ! interface ethernet1/1/1 ip address 10.1.1.
Configure interface tracking
OS10(config)# track 10
OS10(conf-track-10)# interface ethernet 1/1/7 line-protocol

View running configuration
OS10(conf-track-10)# do show running-configuration
! Version 10.1.9999P.2281
! Last configuration change at Jul 27 03:24:01 2016
!
aaa authentication system:local
!
interface ethernet1/1/1
 ip address 10.1.1.1/16
 no switchport
 no shutdown
 !
 vrrp-group 1
  priority 200
  virtual-address 10.1.1.
Default 1 second or 100 centisecs
Command Mode INTERFACE-VRRP
Usage Information Dell EMC recommends keeping the default setting for this command. If you change the time interval between VRRP advertisements on one router, change it on all routers. The no version of this command sets the VRRP advertisements timer interval back to its default value, 1 second or 100 centisecs.
Example
OS10(conf-eth1/1/6-vrid-250)# advertise-interval 120 centisecs 100
Supported Releases 10.2.
Default 100
Command Mode INTERFACE-VRRP
Usage Information To guarantee that a VRRP group becomes master, configure the priority of the VRRP group to 254, which is the highest priority. OS10 does not support priority 255. The no version of this command resets the value to the default of 100.
Example
OS10(conf-eth1/1/5-vrid-254)# priority 200
Supported Releases 10.2.0E or later

show vrrp
Displays VRRP group information.
● priority cost value — (Optional) Enter a cost value to subtract from the priority value, from 1 to 254.
Default 10
Command Mode INTERFACE-VRRP
Usage Information If you disable the interface, the cost value is subtracted from the priority value and forces a new master election. This election process is applicable when the priority value is lower than the priority value in the backup virtual router. You can associate only one track object with a VRRP group.
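The tracking rule above has a practical consequence for how the cost is sized: with the defaults shown in this guide (cost 10, backup priority 100), a master configured at priority 200 does not fail over when its tracked interface goes down. The following Python model is an added example, not Dell EMC code; the class and function names are hypothetical, and the floor of 1 on the reduced priority is an assumption.

```python
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    """One member of a VRRP group (hypothetical model, not an OS10 API)."""
    name: str
    priority: int = 100      # default priority per the guide
    track_cost: int = 10     # default priority cost per the guide
    tracked_up: bool = True  # state of the tracked interface
    preempt: bool = True

    def effective_priority(self):
        # While the tracked interface is down, the cost is subtracted.
        if self.tracked_up:
            return self.priority
        # Assumption: the reduced value is floored at 1.
        return max(self.priority - self.track_cost, 1)


def elect_master(current_master, routers):
    """Return the name of the master after priorities are re-evaluated.

    A backup takes over only if it has preempt enabled and its effective
    priority is strictly higher than the current master's.
    """
    by_name = {r.name: r for r in routers}
    master = by_name[current_master]
    challengers = [
        r for r in routers
        if r is not master
        and r.preempt
        and r.effective_priority() > master.effective_priority()
    ]
    if not challengers:
        return master.name
    # Highest effective priority wins; ties between challengers are not modelled.
    return max(challengers, key=lambda r: r.effective_priority()).name


def minimum_failover_cost(master_priority, backup_priority):
    """Smallest cost that drops the master below the backup's priority."""
    return master_priority - backup_priority + 1


def demo():
    """Run three cases with the master's tracked interface down."""
    backup = VrrpRouter("R2")  # priority 100, preempt enabled
    results = {}
    # Priority 200 with the default cost of 10: 190 still beats 100.
    results["default_cost"] = elect_master(
        "R1", [VrrpRouter("R1", priority=200, tracked_up=False), backup])
    # Cost sized to fall below the backup: 200 - 101 = 99.
    cost = minimum_failover_cost(200, 100)
    results["sized_cost"] = elect_master(
        "R1",
        [VrrpRouter("R1", priority=200, track_cost=cost, tracked_up=False), backup])
    # Same cost, but the backup has preempt disabled and does not take over.
    results["no_preempt"] = elect_master(
        "R1",
        [VrrpRouter("R1", priority=200, track_cost=cost, tracked_up=False),
         VrrpRouter("R2", preempt=False)])
    return results


if __name__ == "__main__":
    for case, master in demo().items():
        print(case, "->", master)
```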
Example
OS10(conf-eth1/1/5-vrid-254)# virtual-address 10.1.1.15
Supported Releases 10.2.0E or later

vrrp delay reload
Sets the delay time for VRRP initialization after a system reboot.
Syntax vrrp delay reload seconds
Parameters seconds — Enter the number of seconds for the VRRP reload time, from 0 to 900.
Default 0
Command Mode CONFIGURATION
Usage Information VRRP delay reload time of zero seconds indicates no delays. This command configuration applies to all the VRRP configured interfaces.
Usage Information The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address. When you delete the virtual address, the VRRP group stops sending VRRP packets. The no version of this command removes the vrrp-ipv6-group configuration.
Example
OS10(conf-if-eth1/1/7)# vrrp-ipv6-group 250
Supported Releases 10.2.0E or later

vrrp version
Sets the VRRP version for the IPv4 group.
Syntax vrrp version {2 | 3}
Parameters
● 2 — Set to VRRP version 2.
15 Multicast
Multicast is a technique that allows networking devices to send data to a group of interested receivers in a single transmission. For instance, this technique is widely used for streaming videos. Multicast allows you to more efficiently use network resources, specifically for bandwidth-consuming services such as audio and video transmission.
● OS10 supports MLD snooping for L2 IPv6 multicast.
OS10 does not support the following:
● Fast leave support with a prefix list
● IGMPv2 SSM mapping
● Static multicast group configuration
● Simple Network Management Protocol (SNMP) MIB for Internet Group Management Protocol (IGMP) or Protocol Independent Multicast (PIM)
NOTE: Layer 3 (L3) PIM and IGMP multicast is not supported on the S3048-ON switch. IGMP and Multicast Listener Discovery (MLD) snooping is supported on all switches.
For multicast flood control to work, you must enable both IGMP and MLD snooping on the system. By default, multicast flood control, IGMP snooping, and MLD snooping are enabled. NOTE: The Multicast flood control feature is not supported on the S4248FB-ON and S4248FBL-ON switches. The following describes a scenario where a multicast frame is flooded on all ports of all switches. The switches and hosts in the network need not receive these frames because they are not the intended destinations.
Enable multicast flood control
Multicast flood control is enabled on OS10 by default. If it is disabled, use the following procedure to enable multicast flood control:
1. Configure IGMP snooping. To know how to configure IGMP snooping, see the IGMP snooping section.
2. Configure MLD snooping. To know how to configure MLD snooping, see the MLD Snooping section.
3. Enable the multicast flood control feature.
   OS10(config)# multicast snooping flood-restrict
4. Verify the configuration.
Multicast Commands

multicast snooping flood-restrict
Enables multicast snooping flood control for IGMP snooping and MLD snooping.
Syntax multicast snooping flood-restrict
The no version of this command disables multicast flood control.
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information Multicast snooping flood control, IGMP snooping, and MLD snooping are enabled by default.
○ Version 2 leave group message
Version 3 provides support for source filtering. The system reports interest in receiving packets only from specific source addresses, or from all the sources except some specific source addresses, sent to a particular multicast address.
Standards compliance
● OS10 complies with RFCs 1112, 2236, and 3376 for IGMP versions 1, 2, and 3, respectively.
● OS10 uses version 3 as the default IGMP version. Version 3 is backwards compatible with versions 1 and 2.
When a host receives a query, it does not respond immediately, but rather starts a delay timer. The delay time is set to a random value between 0 and the maximum response time. The host sends a response when the timer expires; in IGMP version 2, if another host responds before the timer expires, the timer is canceled, and no response is sent. The querier advertises the maximum response time in the query.
● Enable IGMP snooping globally using the ip igmp snooping enable command in CONFIGURATION mode. This command enables IGMP snooping on all VLAN interfaces. NOTE: You cannot enable IGMP or MLD snooping when configuring VLAN scale profile. If you enable VLAN scale profile, OS10 disables IGMP and MLD snooping globally. When you disable VLAN scale profile configuration, you must explicitly enable IGMP and MLD snooping globally.
Member-ports 225.1.0.7 Member-ports 225.1.0.8 Member-ports 225.1.0.
database, use the ip igmp immediate-leave command. The no version of this command disables IGMP immediate leave.
Example
OS10# configure terminal
OS10# interface vlan11
OS10(conf-if-vl-11)# ip igmp immediate-leave
Supported Releases 10.4.3.0 or later

ip igmp last-member-query-interval
Changes the last member query interval, which is the maximum response time included in the group-specific queries sent in response to leave group messages.
Parameters seconds—Enter the amount of time in seconds, from 1 to 25.
Default 10 seconds
Command Mode INTERFACE
Usage Information The IGMP query maximum response time value must be less than the IGMP query interval value. The no form of the command configures the default value.
Example
OS10# configure terminal
OS10# interface vlan14
OS10(conf-if-vl-14)# ip igmp query-max-resp-time 20
Supported Releases 10.4.3.0 or later

ip igmp snooping enable
Enables IGMP snooping globally.
Parameters None
Default Disabled
Command Mode VLAN INTERFACE
Usage Information The fast leave option allows the IGMP snooping switch to remove an interface from the multicast group immediately on receiving the leave message. The no version of this command disables the fast leave functionality.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp snooping fast-leave
Supported Releases 10.4.1.
Parameters None
Default Not configured
Command Mode VLAN INTERFACE
Usage Information The no version of this command disables IGMP querier on the VLAN interface.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp snooping querier
Supported Releases 10.4.0E(R1) or later

ip igmp snooping query-interval
Configures the time interval for sending IGMP general queries.
Default 3
Command Mode VLAN INTERFACE
Usage Information The no version of this command resets the version number to the default value.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp version 2
Supported Releases 10.4.1.0 or later

show ip igmp groups
Displays the IGMP groups.
Syntax show ip igmp [vrf vrf-name] groups [group-address [detail] | detail | interface-name [group-address [detail]]]
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
show ip igmp interface
Displays information about all IGMP-enabled interfaces.
Syntax show ip igmp [vrf vrf-name] interface name
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● interface name—Enter the keyword interface, then the interface name.
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show ip igmp interface
Vlan103 is up, line protocol is up
Internet address is 2.1.1.
Example
Example (with VLAN)
OS10# show ip igmp snooping groups
Total Number of Groups: 480
IGMP Connected Group Membership
Group Address Interface Mode Expires
225.1.0.0 vlan3031 IGMPv2-Compat 00:01:26
 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.1 vlan3031 IGMPv2-Compat 00:01:26
 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.2 vlan3031 IGMPv2-Compat 00:01:26
 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.
00:01:30 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1 225.1.0.9 vlan3031 IGMPv2-Compat 00:01:30 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1 225.1.0.10 vlan3031 IGMPv2-Compat 00:01:30 --more-Example (with VLAN and multicast IP address) Example (with detail) Example (with VLAN) OS10# show ip igmp snooping groups vlan 3031 225.1.0.0 IGMP Connected Group Membership Group Address Interface Mode Expires 225.1.0.
ethernet1/1/51:1 ethernet1/1/52:1 Example (with PVLAN) Supported Releases Include Include 1d:20:27:34 1d:20:27:37 00:01:07 00:01:07 OS10#show ip igmp snooping groups private-vlan 100 Flags: P-Primary vlan, I-Isolated vlan, C-Community vlan Total Number of Groups: 1 IGMP Connected Group Membership Group Address Interface Mode Expires 225.1.1.1 vlan100 Exclude 00:01:51 Member-ports : port-channel11(I-vlan200),port-channel12(C-vlan300),port-channel13(Pvlan100) 10.4.
Member Port port-channel51 ethernet1/1/51:1 ethernet1/1/52:1 Mode Include Include Include Uptime 1d:20:26:07 1d:20:26:05 1d:20:26:08 Expires 00:01:41 00:01:46 00:01:46 Interface vlan3041 Group 232.11.0.1 Source List 101.41.0.21 Member Port Mode port-channel51 Include ethernet1/1/51:1 Include ethernet1/1/52:1 Include Uptime 1d:20:26:07 1d:20:26:05 1d:20:26:08 Expires 00:01:41 00:01:46 00:01:46 Uptime 1d:20:26:07 Expires 00:01:41 Interface vlan3041 Group 232.11.0.2 Source List 101.41.0.
show ip igmp snooping interface
Displays IGMP snooping interfaces details.
Syntax show ip igmp snooping interface [vlan vlan-id]
Parameters vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093. For a PVLAN domain, enter the VLAN ID of the primary VLAN, from 1 to 4093.
Default Not configured
Command Mode EXEC
Usage Information The multicast flood control feature is not available on the S4248FB-ON and S4248FBL-ON devices.
IGMP snooping query interval is 60 seconds
IGMP snooping querier timeout is 130 seconds
IGMP snooping last member query response interval is 1000 ms
IGMP Snooping max response time is 10 seconds
IGMP snooping fast-leave is disabled on this interface
IGMP snooping querier is enabled on this interface

OS10# show ip igmp snooping interface vlan 3031
Vlan3031 is up, line protocol is up
IGMP version is 3
IGMP snooping is enabled on interface
IGMP snooping query interval is 60 seconds
IGMP snooping querier tim
vlan3044 port-channel31
vlan3045 port-channel31
vlan3046 port-channel31
vlan3047 port-channel31
vlan3048 port-channel31
vlan3049 port-channel31
vlan3050 port-channel31
vlan3051 port-channel31
vlan3052 port-channel31
--more--
● (Optional) Multicast flood control is enabled by default. To disable the multicast flood restrict feature, use the no multicast snooping flood-restrict command in CONFIGURATION mode. To reenable the feature globally, use the ip igmp snooping enable command in CONFIGURATION mode.
● In a network, the snooping switch is connected to a multicast router that sends MLD queries. On a Layer 2 network that does not have a multicast router, you can configure the snooping switch to act as querier.
ff0e:225:2::2 vlan3532 MLDv1-Compat 00:01:56
 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
--more--
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables the MLD snooping.
Example
OS10(config)# ipv6 mld snooping enable
Supported Releases 10.4.1.0 or later

ipv6 mld snooping fast-leave
Enables fast leave in MLD snooping for specified VLAN.
Parameters interface-type—Enter the interface type details. The interface must be a member of the VLAN. In a PVLAN domain, only the promiscuous port type is supported. Secondary ports are not supported.
Default Not configured
Command Mode VLAN INTERFACE
Usage Information The no version of this command removes the multicast router configuration from the VLAN member port.
Parameters query-response-time—Enter the query response time in seconds, ranging from 1 to 25.
Default 10 seconds
Command Mode VLAN INTERFACE
Usage Information The no version of this command resets the query response time to default value.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ipv6 mld snooping query-max-resp-time 15
Supported Releases 10.4.1.0 or later

ipv6 mld version
Configures the MLD version.
00:01:38 ff0e:225:1:: vlan3531 MLDv1-Compat 00:01:52 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:1::1 vlan3531 MLDv1-Compat 00:01:52 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:1::2 vlan3531 MLDv1-Compat 00:01:52 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:1::3 vlan3531 MLDv1-Compat 00:01:52 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:1::4 vlan3531 MLDv1-Compat 00:01:52 Member-ports :port-channel41,ethernet1/1/51
Supported Releases 10.4.0E(R1) or later

show ipv6 mld snooping groups detail
Displays the MLD source information along with detailed member port information.
Syntax show ipv6 mld snooping groups [vlan vlan-id] [group ipv6-address] detail
Parameters
● vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093.
● ipv6-address—(Optional) Enter the IPv6 address of the multicast group.
port-channel31 ethernet1/1/51:1 ethernet1/1/52:1
Example
OS10# show ipv6 mld snooping interface vlan 3031
Vlan3031 is up, line protocol is up
MLD version is 2
MLD snooping is enabled on interface
MLD snooping query interval is 60 seconds
MLD snooping querier timeout is 130 seconds
MLD snooping last member query response interval is 1000 ms
MLD snooping max response time is 10 seconds
MLD snooping fast-leave is disabled on this interface
MLD snooping querier is disabled on this interface

OS10# show ipv6 mld snooping interface vlan 2
Vlan2 is up, line prot
show ipv6 mld snooping summary
Displays the number of MLD-enabled snooping instances.
Syntax show ipv6 mld snooping summary
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show ipv6 mld snooping summary
Maximum number of IGMP and MLD Instances: 1024
Total Number of enabled MLD Instances: 512
Supported Releases 10.5.2.
Table 89. Full Switch Mode Scale Upgrade from 10.5.0.x or earlier to profile 10.5.2.1 or later VLAN configur ation Upgrade from 10.5.1.0 to 10.5.2.1 or later Enabled ● Global: Disabled ● Per VLAN: Enabled ● Global: Disabled ● Per VLAN: Enabled ● Global: Enabled ● Per VLAN: Disabled NOTE: Multicast snooping is disabled at the per VLAN interface level and enabled globally. Restrictions snooping is ● Global: Enabled ● Per VLAN: Disabled disabled.
Table 91. PIM terminology
Terminology    Definition
Rendezvous point (RP)    The RP is a single root node that the shared tree uses, called the rendezvous point.
(*, G)    (*, G) refers to an entry in the PIM table for a group.
(S, G)    (S, G) refers to an entry in the PIM table for a source and group on the RP tree (RPT).
(S, G, RPT)    (S, G, RPT) refers to an entry in the RP tree.
First hop router (FHR)    The FHR is the router that is directly connected to the multicast source.
Root Path Tree (RPT)
An RPT is the path between the RP and receivers (hosts) in a multicast group (see figure). The RPT is built by means of a PIM join message from a receiver DR.
● A receiver sends a request to join group (G) in an IGMP host membership report. A PIM sparse-mode router, the receiver DR, receives the report on a directly attached subnet and creates an RPT branch for the multicast group of interest.
Instead of continuing to use the SPT to the RP and the RPT toward the receiver, a direct SPT is created between the source and the receiver in the following way:
1. Once the receiver DR receives the first multicast packet from the source, the DR sends a PIM join message to its RPF neighbor.
2. The source DR receives the PIM join message, and an additional (S, G) state is created to form the SPT.
3.
PIM-SM sample configuration
This section describes how to enable PIM-SM in the FHR, RP, and LHR nodes using the topology shown in the following figure. To enable PIM-SM, perform the following configurations on each of the nodes (FHR, RP, and LHR):
1. Enable multicast routing globally in CONFIGURATION mode.
   ip multicast-routing
2. Enable PIM-SM on the required Layer 3 interfaces of the nodes in INTERFACE mode.
   ip pim sparse-mode
3. Configure an RP address on every multicast-enabled node in CONFIGURATION mode.
FHR(conf-if-eth1/1/48)# no switchport
FHR(conf-if-eth1/1/48)# ip address 22.1.1.2/24
FHR(conf-if-eth1/1/48)# ip pim sparse-mode
FHR(conf-if-eth1/1/48)# ip ospf 1 area 0
FHR(conf-if-eth1/1/48)#

The show ip pim interface command displays the PIM-enabled interfaces in FHR.
FHR# show ip pim interface
Address Interface Ver/Mode Nbr Count Query Intvl DR Prio DR
---------------------------------------------------------------------------------------------------
2.2.2.2 ethernet1/1/17 v2/S 1 30 1 2.2.2.2
3.3.3.
1.1.1.2 ethernet1/1/43 v2/S 1 30 1 1.1.1.2
RP#

The show ip pim neighbor command displays the PIM neighbor of RP and the interface to reach the neighbor.
RP# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority/Mode
----------------------------------------------------------------------------------------------
3.3.3.2 ethernet1/1/31 00:02:57/00:01:17 v2 1 / DR S
1.1.1.
2.2.2.2 ethernet1/1/17 00:02:58/00:01:24 v2 1 / DR S
1.1.1.2 ethernet1/1/29 00:07:49/00:01:31 v2 1 / DR S

LHR# show ip pim rp mapping
Group(s) : 224.0.0.0/4, Static
RP : 192.168.1.25, v2

The following show command output examples display the PIM states across all nodes after IGMP join and multicast traffic is received.
PIM states in FHR node
The show ip pim tib command output displays the PIM tree information base (TIB).
00:01:59 LHR# 15.1.1.10
LHR# show ip pim tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 224.1.1.1), uptime 00:00:05, expires 00:00:54, RP 192.168.1.25, flags: SCJ
 Incoming interface: ethernet1/1/29, RPF neighbor 1.1.1.2
 Outgoing interface list:
  vlan2001 Forward/Sparse 00:00:05/Never
(22.1.1.10, 224.1.1.
● PIM-SSM uses IGMPv3. Because receivers subscribe to a source and group, the RP and shared tree are unnecessary; only SPTs are used. On OS10 systems, it is possible to use PIM-SM with IGMPv3 to achieve the same result, but PIM-SSM eliminates the unnecessary protocol overhead.
Configure PIM-SSM
To configure a group range for PIM-SSM:
NOTE: The IP range, 232.0.0.0/8 is reserved for SSM. You do not have to explicitly configure this range.
1.
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-if-po-11)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/26:1
R2(conf-if-eth1/1/26:1)# no ip vrf forwarding
R2(conf-if-eth1/1/26:1)# no switchport
R2(conf-if-eth1/1/26:1)# channel-group 11
R2(conf-if-eth1/1/26:1)# end
R2# configure terminal
R2(config)# interface vlan 2001
R2(conf-if-vl-2001)# ip vrf forwarding red
R2(conf-if-vl-2001)# ip address 208.1.1.
The show ip pim vrf red ssm-range command displays the specified multicast address range.
R1# show ip pim vrf red ssm-range
Group Address / MaskLen
224.1.1.0 / 24

The show ip pim vrf red tib command output displays the PIM tree information base (TIB).
The show ip pim vrf red mcache command output displays multicast route entries.
R2# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
 Incoming interface : port-channel11
 Outgoing interface list :
  vlan2001

Configure expiry timers for S, G entries
You can configure expiry timers for S, G entries globally. The S, G entries expire in 210 seconds by default.
225.1.1.5 171.1.1.1
225.1.1.6 171.1.1.1

To view the RP for a multicast group range, use the show ip pim rp mapping command.
OS10# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 230.1.1.1/32
RP:14.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 255
expires: 00:01:53
Group(s): 231.1.1.1/32
RP: 9.1.1.1, v2
Info source: 42.1.1.
■ If you associate an ACL to an RP candidate that is not yet created in the system, and then configure the ACL without any rules, the router advertises itself as the RP for the entire multicast range, 224.0.0.0/4. Do not use deny rules in the ACL that is used for the RP candidate because they do not have any significance.
To configure dynamic RP using the BSR mechanism:
1. Configure a candidate BSR using the ip pim bsr-candidate command.
Candidate BSR address: 10.1.1.8, priority: 255, hash mask length: 31
Next Cand_RP_advertisement in 00:00:50
RP: 10.1.2.8(loopback10)

To view RP-mapping details:
OS10# show ip pim rp mapping
Group(s) : 225.1.1.0/24
RP : 10.1.2.8, v2
Info source: 10.1.1.8, via bootstrap, priority 0
expires: 00:00:00

4. (Optional) Configure the RP timers.
PIM join filters
The PIM join filter allows you to permit or deny PIM Join/Prune messages on an interface using an extended IP access list. A PIM router propagates (*, G) and (S, G) Join/Prune messages from its neighbors and creates multicast routes to forward the traffic. This process can lead to PIM state explosion and high memory consumption when large numbers of PIM Join/Prune messages are forwarded to each router on the rendezvous point tree (RPT).
PIM neighbor filters
The PIM neighbor filter allows you to control whether a PIM router forms an adjacency with a neighbor router. By default, PIM-enabled neighbor devices exchange Hello packets at regular intervals and through these message exchanges become PIM neighbors. You can use a neighbor filter ACL to ensure that the switch accepts only the appropriate PIM neighbors. The ACL is configured on a per-interface basis to filter PIM Hello packets from sources you want to deny or permit.
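One way to confirm that every PIM-enabled interface carries a neighbor filter is to audit a saved running configuration for interfaces that have ip pim sparse-mode but no ip pim neighbor-filter. The following Python script is an added example, not Dell EMC code; it assumes the running configuration lists interface sub-commands indented under the interface line, and the sample configuration, addresses and ACL names are constructed.

```python
# Constructed sample in the style of an OS10 running configuration.
# Interface names, addresses and ACL names are invented for this example.
SAMPLE_CONFIG = """\
ip multicast-routing
!
ip access-list pim_nbr_core
 permit ip 10.0.0.2/32 any
!
interface ethernet1/1/1
 no switchport
 ip address 10.0.0.1/30
 ip pim sparse-mode
 ip pim neighbor-filter pim_nbr_core
!
interface ethernet1/1/2
 no switchport
 ip address 10.0.1.1/30
 ip pim sparse-mode
!
interface vlan100
 ip address 10.0.100.1/24
 ip pim sparse-mode
 ip pim neighbor-filter pim_nbr_access
!
interface ethernet1/1/3
 switchport mode trunk
!
"""


def parse_stanzas(config_text):
    """Group indented sub-commands under the top-level line that owns them."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue  # blank lines, "!" separators and "! ..." comment lines
        if line[0].isspace():
            if current is not None:
                stanzas[current].append(stripped)
        else:
            current = line
            stanzas.setdefault(current, [])
    return stanzas


def audit_pim_neighbor_filters(config_text):
    """Return (interface, finding) pairs for PIM interfaces without a usable filter."""
    stanzas = parse_stanzas(config_text)
    defined_acls = {
        header.split()[2]
        for header in stanzas
        if header.startswith("ip access-list ") and len(header.split()) >= 3
    }
    findings = []
    for header, body in stanzas.items():
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if "ip pim sparse-mode" not in body:
            continue  # PIM is not enabled on this interface
        filters = [
            cmd.split()[3]
            for cmd in body
            if cmd.startswith("ip pim neighbor-filter ") and len(cmd.split()) == 4
        ]
        if not filters:
            findings.append((name, "no neighbor-filter"))
        elif filters[0] not in defined_acls:
            # The filter names an ACL that this configuration never defines.
            findings.append((name, "neighbor-filter ACL not defined: " + filters[0]))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_pim_neighbor_filters(SAMPLE_CONFIG):
        print(interface + ": " + finding)
```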
To configure an ACL that is used for a register filter:
1. Configure an ACL in CONFIGURATION mode. The ACL name can be up to 140 characters long.
   OS10# configure terminal
   OS10(config)# ip access-list pim_reg_filter
   OS10(config-ipv4-acl)# permit ip 10.10.10.2/32 any
   The PIM register filter uses both source and group information from the access-list for filtering register messages.
2. Configure a register filter that applies the previously created ACL (pim_reg_filter) in the default or nondefault VRF.
● The entire multicast route table and all the entries in the data plane
With VLT multicast routing, when you run this command on a local VLT node, it deletes:
● All the multicast routes from the local PIM TIB
● All the local mroute entries in the data plane
● The synchronized mroute entries from the VLT peer node
Example
OS10# clear ip pim vrf vrf1 tib
Clear PIM tib? [y/n]:
Supported Releases 10.4.3.0 or later

ip multicast-routing
Enables IP multicast forwarding.
Example
OS10# configure terminal
OS10(config)# ip pim vrf red bsr-candidate loopback 10 hash-mask-len 31 priority 11
Supported Releases 10.5.0 or later

ip pim bsr-candidate-timers
Configures the time interval between candidate BSR advertisements.
ip pim dr-priority
Changes the designated router (DR) priority for the interface.
Syntax ip pim dr-priority priority-value
Parameters priority-value—Enter a number from 0 to 4294967295.
Default 1
Command Mode INTERFACE CONFIGURATION
Usage Information The router with the highest value assigned to an interface becomes the DR. If two interfaces have the same DR priority value, the interface with the highest IP address becomes the DR.
ip pim neighbor-filter
Enables filtering of neighbors on an interface.
Syntax ip pim neighbor-filter access-list-name
Parameters access-list-name—Enter the name of the access list. The ACL name can be up to 140 characters long.
Default Disabled
Command Mode INTERFACE CONFIGURATION
Usage Information Before you configure PIM neighbor filter, ensure that:
● Multicast is enabled globally using the ip multicast-routing command.
● The interface is enabled.
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF. If you specify this option, this command applies the filter to the specified VRF. Otherwise, it applies the filter to the default VRF.
● access-list-name—Enter the name of the access list. The ACL name can be up to 140 characters long.
Default Disabled
Command Mode GLOBAL CONFIGURATION
Usage Information Before you configure a PIM register filter, ensure that multicast is enabled globally using the ip multicast-routing command.
ip pim rp-candidate Configures the router as an IPv4 PIM RP candidate. Syntax ip pim [vrf vrf-name] rp-candidate {ethernet node/slot/port[:subport] | loopback loopback-interface-number | vlan vlan-number | port-channel portchannel-number} [priority priority-value] [acl acl-name] Parameters ● ● ● ● ● ● Default Priority is 192. Command Mode CONFIGURATION Usage Information Specify the interface to obtain the candidate RP address.
Example
OS10# configure terminal
OS10(config)# ip pim vrf red rp-candidate-timers loopback 10 advtinterval 30 hold-time 80
Supported Releases 10.5.0 or later

ip pim sparse-mode
Enables PIM sparse mode and IGMP on the interface.
Syntax ip pim sparse-mode
Parameters None
Default Disabled
Command Mode INTERFACE CONFIGURATION
Usage Information Before you enable PIM sparse mode, ensure that:
● Multicast is enabled globally using the ip multicast-routing command.
● The interface is enabled.
ip pim ssm-range
Specifies the SSM group range using an access list.
Syntax ip pim [vrf vrf-name] ssm-range {access-list-name}
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● access-list-name—Enter the name of the access list.
Default 232.0.0.0/8
Command Mode CONFIGURATION
Usage Information When ACL rules change, the ACL and PIM modules apply the new rules automatically. When you remove the SSM ACL, PIM-SSM is supported only for the default SSM range.
● Interface—Interface type with slot/port information or VLAN/Port Channel ID
● Version/Mode—PIM version number and mode; v2 for PIM version 2 and S for PIM sparse mode
● Nbr Count—Active neighbor count on the PIM-enabled interface
● Query interval—Query interval for router query messages on that interface
● DR priority—Designated router priority value configured on that interface
● DR—IP address of the DR for that interface
Supported Releases
Example
OS10# show ip pim interface
Address Interface Ver/Mode
show ip pim neighbor
Displays PIM neighbors.
Syntax show ip pim [vrf vrf-name] neighbor
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● mapping—Enter the keyword mapping to display the multicast groups to RP mapping and information about how RP is learned.
● group-address—Enter the multicast group address mask in dotted-decimal format to view the RP for a specific group (A.B.C.D).
Default None
Command Mode EXEC
Usage Information None
Examples
OS10# show ip pim rp
Group RP
---------------------------------
225.1.1.1 171.1.1.1
225.1.1.2 171.1.1.1
225.1.1.3 171.1.1.1
225.1.1.4 171.1.1.1
225.1.1.5 171.1.1.1
225.1.1.6 171.1.1.1
225.1.1.
show ip pim summary
Displays PIM summary.
Syntax show ip pim [vrf vrf-name] summary
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Example
Usage Information This command displays the following:
● S, G—Displays the entry in the multicast PIM database
● uptime—Displays the amount of time the entry has been in the PIM route table
● expires—Displays the amount of time until the entry expires and is removed from the database
● RP—Displays the IP address of the RP or source for the entry
● Incoming interface—Displays the reverse path forwarding (RPF) interface towards the RP/source
● RPF neighbor—Displays the next hop IP address from this
Supported Releases 10.4.3.0 or later

Anycast RP using PIM
PIM Anycast RP provides load balancing and redundancy capabilities for Rendezvous Point (RP) routers in a multicast domain. This feature allows you to configure two or more RPs with the same IP address (RP address) in a multicast group. The shared RP address is advertised in the Interior Gateway Protocol (IGP). The RP routers that share the same RP address form an Anycast RP set.
The following example is a configuration of dynamic anycast RP address over a PIM bootstrap router. The RP shared address 100.1.1.1 is used in the multicast domain. IP addresses 192.10.1.1 and 192.10.2.2 are mapped to form the Anycast RP set.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# ip address 100.1.1.1/32
OS10(conf-if-lo-1)# ip ospf 10 area 0.0.0.0
OS10(config)#exit
OS10(config)# interface loopback2
OS10(conf-if-lo-1)# ip address 192.10.1.1/32
OS10(conf-if-lo-1)# ip ospf 10 area 0.0.0.
Usage Information Use the no form of the command to remove the peer.
Example
To configure a PIM Anycast-RP peer, enter the following command:
OS10# configure terminal
OS10(config)# ip pim anycast-rp 1.1.1.1 192.168.1.1
To remove a peer, enter the following command:
OS10# configure terminal
OS10(config)# no ip pim anycast-rp 1.1.1.1 192.168.1.1
Supported Releases 10.5.2.0 or later

show ip pim rp mapping
Displays the Anycast RP mapping information for a multicast group.
Sample configuration: Multicast VRF using PIM-SM This section describes how to configure IPv4 multicast in a non-default VRF instance using the topology shown in the following illustration. Perform the following configuration on each of the nodes, R1, R2, R3, and R4.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-vrf)# end
R2# configure terminal
R2(config)# interface vlan 1001
R2(conf-if-vl-1001)# ip vrf forwarding red
R2(conf-if-vl-1001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/21:4
R2(conf-if-eth1/1/21:4)# switchport mode trunk
R2(conf-if-eth1/1/21:4)# switchport trunk allowed vlan 1001
R2(conf-if-eth1/1/21:4)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/12:1
R2(conf-if-eth1/1/12:1)# no switchport
R2(conf-if-eth1/1/12:1)# ip vrf forwarding red
R2(conf-if-eth1/1/12:1)
R3(conf-if-eth1/1/12)# switchport trunk allowed vlan 1001
R3(conf-if-eth1/1/12)# end
R3# configure terminal
R3(config)# interface port-channel 12
R3(conf-if-po-12)# no switchport
R3(conf-if-po-12)# ip vrf forwarding red
R3(conf-if-po-12)# end
R3# configure terminal
R3(config)# interface ethernet 1/1/5
R3(conf-if-eth1/1/5)# no ip vrf forwarding
R3(conf-if-eth1/1/5)# no switchport
R3(conf-if-eth1/1/5)# channel-group 12
R3(conf-if-eth1/1/5)# end
R3# configure terminal
R3(config)# interface vlan 1001
R3(conf-if
R3(config)# ip pim vrf red rp-address 182.190.168.224 group-address 224.0.0.
R4(conf-if-po-12)# end
R4# configure terminal
R4(config)# interface Lo0
R4(conf-if-lo-0)# ip vrf forwarding red
R4(conf-if-lo-0)# ip address 4.4.4.

--------------------------------
224.1.1.1 182.190.168.224
R1# show ip pim vrf red rp mapping
Group(s) : 224.0.0.0/4, Static RP : 182.190.168.224, v2
R1# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
  Incoming interface : ethernet1/1/7
  Outgoing interface list : port-channel11
Rendezvous point (R3)
R3# show ip pim vrf red neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
---------------------------------------------------------------------------
192.

--------------------------------
224.1.1.1 182.190.168.224
R3# show ip pim vrf red tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT,
       K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 224.1.1.1), uptime 00:04:41, expires 00:00:00, RP 182.190.168.224, flags: S
  Incoming interface: Null, RPF neighbor 0.0.0.

(*, 224.1.1.1), uptime 00:05:44, expires 00:00:15, RP 182.190.168.224, flags: SCJ
  Incoming interface: port-channel12, RPF neighbor 194.1.1.1
  Outgoing interface list:
    vlan2001 Forward/Sparse 00:05:44/Never
(201.1.1.1, 224.1.1.1), uptime 00:02:58, expires 00:00:31, flags: CT
  Incoming interface: port-channel11, RPF neighbor 193.1.1.1
  Outgoing interface list:
    vlan2001 Forward/Sparse 00:02:58/Never
R4# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(*, 224.1.1.

● Provides traffic resiliency in the event of a VLT node failure. The traffic is forwarded until the PIM protocol reconverges and builds a new tree.
IGMP message synchronization
VLT nodes use the VLTi link to synchronize IGMP messages across their peers. Any IGMP join message that is received on one of the VLT nodes synchronizes with the peer node. Therefore, the IGMP tables are identical in a VLT domain.
● In VLT deployments, Dell Technologies recommends that you do not change the PIM designated router by configuring a non-default value using the ip pim dr-priority command.
● In large-scale multicast deployments, you might see frequent bursts of multicast control traffic. For such deployments, Dell Technologies recommends that you increase the burst size for queue 2 on all PIM routers using control-plane policing.
core(conf-if-vl-12)# exit
core(config)# interface loopback 103
core(conf-if-lo-103)# no shutdown
core(conf-if-lo-103)# ip address 103.0.0.3/32
core(conf-if-lo-103)# ip pim sparse-mode
core(conf-if-lo-103)# ip ospf 100 area 0.0.0.0
core(conf-if-lo-103)# exit
PIM neighbors of core and the interface to reach the neighbors
The show ip pim neighbor command displays the PIM neighbors of core and the interface to reach the neighbors.

Sample configuration on AG1:
AG1# configure terminal
AG1(config)# ip multicast-routing
AG1(config)# ip pim rp-address 103.0.0.3 group-address 224.0.0.0/4
AG1(config)# router ospf 100
AG1(config-router-ospf-100)# exit
AG1(config)# vlt-domain 255
AG1(conf-vlt-255)# backup destination 10.16.132.

AG1(conf-if-po-12)# vlt-port-channel 12
AG1(conf-if-po-12)# exit
PIM neighbors of AG1 and the interface to reach the neighbors
The show ip pim neighbor command displays the PIM neighbors of AG1 and the interface to reach the neighbors.
AG1# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode
----------------------------------------------------------------------
11.0.0.2 vlan11 00:00:43/00:01:33 v2 10 / S
12.0.0.2 vlan12 00:01:01/00:01:44 v2 10 / S
12.0.0.

       K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.1.1), uptime 00:10:15, expires 00:00:44, RP 103.0.0.3, flags: SCJ
  Incoming interface: vlan12, RPF neighbor 12.0.0.3
  Outgoing interface list:
    vlan11 Forward/Sparse 00:10:15/Never
(16.0.0.10, 225.1.1.1), uptime 00:00:55, expires 00:02:34, flags: CT
  Incoming interface: vlan12, RPF neighbor 12.0.0.

AG2(config)# interface vlan 11
AG2(conf-if-vlan-11)# no shutdown
AG2(conf-if-vlan-11)# ip address 11.0.0.2/24
AG2(conf-if-vlan-11)# ip pim sparse-mode
AG2(conf-if-vlan-11)# ip pim dr-priority 10
AG2(conf-if-vlan-11)# ip ospf 100 area 0.0.0.0
AG2(conf-if-vlan-11)# ip ospf cost 3000
AG2(conf-if-vlan-11)# exit
AG2(config)# interface vlan 12
AG2(conf-if-vlan-12)# no shutdown
AG2(conf-if-vlan-12)# ip address 12.0.0.

225.1.1.1 00:01:47 0.0.0.0 vlan11 Exclude 00:02:00
The output of the show ip pim tib command.
AG2# show ip pim tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT,
       K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 225.1.1.1), uptime 00:02:15, expires 00:00:00, RP 103.0.0.3, flags: SC
  Incoming interface: vlan12, RPF neighbor 12.0.0.

(*, 225.1.1.1),flags: S
  Incoming interface : vlan12
  Outgoing interface list : vlan11 (S)
(16.0.0.10, 225.1.1.

NOTE: Dell Technologies recommends that you configure the same timeout value on both the VLT peer nodes.
The no form of this command resets the multicast peer-routing timer value to its default value of 300 s.
Example:
OS10(config)# vlt-domain 255
OS10(conf-vlt-255)# multicast peer-routing-timeout 1200
Supported Releases: 10.5.2.0 or later

show vlt inconsistency ip mcache
Displays information about mismatched IIF routes between the local and peer VLT nodes.
Vlan 12
Vlan 13
Supported Releases 10.5.
16 VXLAN
A virtual extensible LAN (VXLAN) extends Layer 2 (L2) server connectivity over an underlying Layer 3 (L3) transport network in a virtualized data center. A virtualized data center consists of virtual machines (VMs) in a multi-tenant environment. OS10 supports VXLAN as described in RFC 7348. VXLAN provides an L2 overlay mechanism on an existing L3 network by encapsulating the L2 frames in L3 packets.
This feature is not supported on the following platforms:
● S3048-ON
● Z9332F-ON
● N3248TE-ON
Configuration notes
In a static VXLAN, overlay routing is supported on:
● S4100-ON Series
● S4200-ON Series
● S5200-ON Series
● S4048T-ON
● S6010-ON
VXLAN concepts
Network virtualization overlay (NVO)
An overlay network extends L2 connectivity between server virtual machines (VMs) in a tenant segment over an underlay L3 IP network.
● You can map only one VLAN ID to a virtual network.
● Ideally suited for existing tenant VLANs that stretch over an IP fabric using VXLAN.
Port-scoped VLAN
A Port,VLAN pair that maps to a virtual network ID (VNID) in OS10. Assign an individual member interface to a virtual network either with an associated tagged VLAN or as an untagged member. Using a port-scoped VLAN, you can configure:
● The same VLAN ID on different access interfaces to different virtual networks.
2. Configure an IP address on the Loopback interface in INTERFACE mode. The IP address allows the source VTEP to send VXLAN frames over the L3 transport network.
   ip address ip-address/mask
3. Return to CONFIGURATION mode.
   exit
4. Enter NVE mode from CONFIGURATION mode. NVE mode allows you to configure the VXLAN tunnel endpoint on the switch.
   nve
5. Configure the Loopback interface as the source tunnel endpoint for all virtual networks on the switch in NVE mode.
   source-interface loopback number
6.

1. Assign a VLAN to the virtual network in VLAN Interface mode.
   interface vlan vlan-id
   virtual-network vn-id
2. Configure port interfaces as trunk members of the VLAN in Interface mode.
   interface ethernet node/slot/port[:subport]
   switchport mode trunk
   switchport trunk allowed-vlan vlan-id
   exit
The local physical ports assigned to the VLAN transmit packets over the virtual network.

2. Configure port interfaces as trunk members and remove the access VLAN in Interface mode.
   interface ethernet node/slot/port[:subport]
   switchport mode trunk
   no switchport access vlan
   exit
3. Assign the trunk interfaces as untagged members of the virtual network in VIRTUAL-NETWORK mode. You cannot use the reserved VLAN ID for a legacy VLAN or for tagged traffic on member interfaces of virtual networks.

network IP addresses in different subnets. If you do not assign the virtual-network interface to a tenant VRF, it is assigned to the default VRF.
   interface virtual-network vn-id
   ip vrf forwarding tenant-vrf-name
   ip address ip-address/mask
   no shutdown
   exit
4. Configure an anycast gateway IPv4 or IPv6 address for each virtual network in INTERFACE-VIRTUAL-NETWORK mode. This anycast IP address must be in the same subnet as the IP address of the virtual-network interface in Step 3.

Table 93. IP address on the virtual-network interface on each VTEP
Virtual network   VTEP     Virtual-network IP address   Anycast gateway IP address
VNID 11           VTEP 1   10.10.1.201                  10.10.1.254
                  VTEP 2   10.10.1.202                  10.10.1.254
                  VTEP 3   10.10.1.203                  10.10.1.254

                  VTEP 1   10.20.1.201                  10.20.1.254
                  VTEP 2   10.20.1.202                  10.20.1.254
                  VTEP 3   10.20.1.203                  10.20.1.254

                  VTEP 1   10.30.1.201                  10.30.1.254
                  VTEP 2   10.30.1.202                  10.30.1.254
                  VTEP 3   10.30.1.203                  10.30.1.
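A pre-deployment check for the anycast gateway rule in Step 4 and the addressing pattern in Table 93, as an added example that is not part of the Dell guide: it parses `interface virtual-network` stanzas from several VTEPs and reports anycast addresses outside the interface subnet, interface addresses reused on two VTEPs, and anycast addresses that differ between VTEPs. The sample sessions, the function names, the finding codes and the IPv4-only parsing are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input for two VTEPs, modelled on the guide's
# "interface virtual-network" examples. VTEP2 contains deliberate mistakes.
SAMPLE = {
    "VTEP1": """
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.231/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(config-if-vn-10000)# exit
OS10(config)# interface virtual-network 20000
OS10(config-if-vn-20000)# ip address 10.2.0.231/16
OS10(config-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(config-if-vn-20000)# exit
""",
    "VTEP2": """
interface virtual-network 10000
 ip address 10.1.0.231/16
 ip virtual-router address 10.1.0.100
 exit
interface virtual-network 20000
 ip address 10.2.0.232/16
 ip virtual-router address 10.3.0.100
 exit
""",
}

# Strips a leading CLI prompt such as "OS10(config-if-vn-10000)# ".
PROMPT = re.compile(r"^\S*#\s*")


def parse_vn_interfaces(text):
    """Return {vn_id: {"ip": IPv4Interface or None, "anycast": IPv4Address or None}}."""
    vns, cur = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = re.fullmatch(r"interface virtual-network (\d+)", line)
        if m:
            cur = vns.setdefault(int(m.group(1)), {"ip": None, "anycast": None})
        elif line == "exit" or line.startswith("interface "):
            cur = None  # left the virtual-network interface context
        elif cur is not None:
            m = re.fullmatch(r"ip address (\S+)", line)
            if m:
                cur["ip"] = ipaddress.ip_interface(m.group(1))
            m = re.fullmatch(r"ip virtual-router address (\S+)", line)
            if m:
                cur["anycast"] = ipaddress.ip_address(m.group(1))
    return vns


def lint_anycast(configs):
    """configs maps a VTEP name to its config text; returns (code, vtep, vn_id) tuples."""
    findings = []
    anycast_seen = defaultdict(dict)  # vn_id -> {anycast address: first VTEP using it}
    ip_seen = defaultdict(dict)       # vn_id -> {interface address: first VTEP using it}
    for vtep in sorted(configs):
        for vn_id, cfg in sorted(parse_vn_interfaces(configs[vtep]).items()):
            ip, anycast = cfg["ip"], cfg["anycast"]
            if ip is None or anycast is None:
                continue  # no routed anycast gateway on this virtual network
            # Step 4: the anycast address must be in the interface's subnet.
            if anycast not in ip.network:
                findings.append(("not-in-subnet", vtep, vn_id))
            # Table 93 pattern: each VTEP has its own interface address.
            owner = ip_seen[vn_id].setdefault(ip.ip, vtep)
            if owner != vtep:
                findings.append(("duplicate-ip", vtep, vn_id))
            anycast_seen[vn_id].setdefault(anycast, vtep)
    # Table 93 pattern: one anycast gateway address per virtual network.
    for vn_id, seen in sorted(anycast_seen.items()):
        if len(seen) > 1:
            findings.append(("anycast-mismatch", "/".join(sorted(seen.values())), vn_id))
    return findings


if __name__ == "__main__":
    for finding in lint_anycast(SAMPLE):
        print(finding)
```
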
Configure the same VLTi VLAN ID on both VLT peers. You cannot use the ID of an existing VLAN on a VLT peer or the reserved untagged VLAN ID. You can use the VLTi VLAN ID to assign tagged or untagged access interfaces to a virtual network.
   virtual-network vn-id
   vlti-vlan vlan-id
● Although a VXLAN virtual network has no access port members that connect to downstream servers, you must configure a switch-scoped VLAN or VLTi VLAN.
Each overlay ARP entry requires a routing next-hop in the hardware to bind a destination tenant VM IP address to the corresponding tenant VM MAC address and VNI. Each virtual-network interface assigned to an IP subnet requires a routing interface in the hardware. OS10 supports preset profiles to re-allocate the number of resources reserved for overlay ARP entries. The number of entries reserved for each preset mode differs according to the OS10 switch. Table 94.
● View the currently configured overlay routing profile; for example, in the S5200-ON series:
show hardware overlay-routing-profile mode
Setting     Mode                      Overlay Next-hop Entries   Underlay Next-hop Entries   Overlay L3 RIF Entries   Underlay L3 RIF Entries
Current     default-overlay-routing   8192                       57344                       2048                     14336
Next-boot   default-overlay-routing   8192                       57344                       2048                     14336
DHCP relay on VTEPs
Dynamic Host Configuration Protocol (DHCP) clients in overlay communicate with a DHCP server using the DHCP relay on the VTEP swit

View the VXLAN virtual-network VLAN
OS10# show virtual-network vlan 100
Vlan Virtual-network Interface
100  1000            ethernet1/1/1,ethernet1/1/2
100  5000            ethernet1/1/2
View the VXLAN virtual-network VLANs
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs, @ – Attached to Virtual Network
Q: A - Access (Untagged), T - Tagged
   NUM   Status   Description   Q Ports
*  1     up                     A Eth1/1/1-1/1/48
@  100   up                     T Eth1/1/2,Eth1/1/3
                                A Eth1/1/1
@  101   up                     T port-channel5
   200   up                     T Eth1/1/11-1/1/15

The show nve remote-vtep counters command displays the packet counters and byte counter statistics for a specific remote VTEP. The counters for a remote VTEP include both the counters corresponding to the L2 VNI spanned with the VTEP as well as the EVPN-VRF L3 VNI spanned with the VTEP.
OS10# show nve remote-vtep counters
Remote-VTEP Input (Packets/Bytes) Output (Packets/Bytes)
----------------------------------------------------------------------
10.10.10.10 857/8570 257/23709
20.20.20.

Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
--------------------------------------------------------------------------------
C 1000:100:10:1::/64 via 1000:100:10:1::4 virtual-network60000 0/0 00:37:08
C 1000:100:10:21::/64 via 1000:100:10:21::4 virtual-network60032 0/0 00:37:07
C 1000:100:10:41::/64 via 1000:100:10:41::4 virtual-network60064 0/0 00:37:06
C 1000:100:10:61::/64 via 1000:100:10:61::4 virtual-network60096 0/0 00:37:05
VXLAN MAC addresses
Use the show mac addres

Table 95. Display VXLAN MAC addresses
Command / Description
remote-vtep ip-address: Displays MAC addresses learned on NVE from the specified remote VTEP.
Command: show mac address-table count virtual-network [dynamic | local | remote | static | interface {ethernet node/slot/port:subport | port-channel number} | vn-id]
Description: Displays the number of MAC addresses learned on all virtual networks (default).
dynamic: Displays the number of dynamic MAC addresses learned on all or a specified virtual network.

Table 96. Clear VXLAN MAC addresses (continued)
Command / Description
vn-id: Clears only the MAC addresses learned on the specified virtual network.
vn-id address mac-address: Clears only the MAC address learned on the specified virtual network.
Command: clear mac address-table dynamic nve remote-vtep ip-address
Description: Clears all MAC addresses learned from the specified remote VTEP.

VXLAN commands
hardware overlay-routing-profile
Configures the number of reserved ARP table entries for VXLAN overlay routing.

interface virtual-network
Configures a virtual-network router interface.
Syntax: interface virtual-network vn-id
Parameters:
  virtual-network vn-id: Enter a virtual-network ID, from 1 to 65535.
Default: Not configured
Command mode: CONFIGURATION
Usage information: Configure a virtual-network router interface to enable hosts connected to a virtual network to route traffic to hosts on another virtual network in the same VRF.

Usage information: Configure the same MAC address on all VTEPs so that the anycast gateway MAC address remains the same if a VM migrates to a different VTEP. Because the configured MAC address is automatically used for all VXLAN virtual networks, configure it in global Configuration mode.
Example:
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Supported releases: 10.4.3.0 or later

member-interface
Assigns untagged or tagged VLAN traffic on a member interface to a virtual network.

remote-vtep
Configures the IP address of a remote tunnel endpoint in a VXLAN network.
Syntax: remote-vtep ip-address
Parameters:
  ip-address — Enter the IP address of a remote virtual tunnel endpoint (VTEP).
Default: Not configured
Command mode: VIRTUAL-NETWORK VXLAN-VNI
Usage information: After you configure the remote VTEP, the VXLAN virtual network is enabled to start sending server traffic. You can configure multiple remote VTEPs.

show interface virtual-network
Displays the configuration of virtual-network router interfaces and packet statistics.
Syntax: show interface virtual-network [vn-id]
Parameters:
  vn-id: Enter a virtual-network ID, from 1 to 65535.
Default: Not configured
Command mode: EXEC
Usage information: Use this command to display the virtual-network IP address used for routing traffic in a virtual network. Traffic counters also display.

IP Address: 2.2.2.2, State: up, Encap: VxLAN
VNI list: 10000(DP), 200(DP), 300(DP)
Supported releases: 10.4.2.0 or later

show nve remote-vtep counters
Displays VXLAN packet statistics for a remote VTEP.
Syntax: show nve remote-vtep [ip-address] counters
Parameters:
  ● ip-address — Enter IP address of a remote VTEP.
Default: Not configured
Command mode: EXEC
Usage information: Use this command to display input and output statistics for VXLAN traffic on a remote VTEP.

Parameters:
  vn-id: Enter a virtual-network ID, from 1 to 65535.
Default: Not configured
Command mode: EXEC
Usage information: Use this command to display the VNID, port members, source interface, and remote tunnel endpoints of a VXLAN virtual network.

  interface port-channel number: Enter a port-channel number, from 1 to 128.
  vlan vlan-id: (Optional) Enter a VLAN ID, from 1 to 4093.
Default: Not configured
Command mode: EXEC
Usage information: Use this command to monitor the packet throughput on a port interface that is a member of a VXLAN virtual network. Assign a VLAN member interface to only one virtual network.
Parameters:
  vlan vlan-id: Enter a VLAN ID, from 1 to 4093.
Default: Not configured
Command mode: EXEC
Usage information: Use this command to verify the VXLAN virtual networks where a VLAN is assigned, including the port members connected to downstream servers.
Example:
OS10# show virtual-network vlan 100
Vlan Virtual-network Interface
100  1000            ethernet1/1/1,ethernet1/1/2
Supported releases: 10.4.2.0 or later

show vlan (virtual network)
Displays the VLANs assigned to virtual networks.
● You cannot change the source interface if at least one VXLAN virtual network ID (VNID) is configured for the NVE instance.
Use this command in NVE mode to override a previously configured value and reconfigure the source IP address. The no version of this command removes the configured value.
Examples:
OS10(config-nve)# source-interface loopback 1
Supported releases: 10.4.2.0 or later

virtual-network
Creates a virtual network for VXLAN tunneling.

Parameters:
  vni: Enter the VXLAN ID for a virtual network, from 1 to 16,777,215.
Default: Not configured
Command mode: VIRTUAL-NETWORK
Usage information: This command associates a VXLAN ID number with a virtual network. The no version of this command removes the configured ID.
Example:
OS10(conf-vn-100)# vxlan-vni 100
OS10(config-vn-vxlan-vni)#
Supported releases: 10.4.2.0 or later

VXLAN MAC commands
clear mac address-table dynamic nve remote-vtep
Clears all MAC addresses learned from a remote VTEP.

  local: Clear only locally-learned MAC addresses.
  vn-id: Clear learned MAC addresses on the specified virtual network, from 1 to 65535.
  vn-id local: Clear locally learned MAC addresses on the specified virtual network, from 1 to 65535.
  vn-id address mac-address: Clear only the MAC address entry learned in the specified virtual network. Enter the MAC address in EEEE.EEEE.EEEE format.

Parameters:
  vxlan-vni vni: Display MAC addresses learned on the specified VXLAN virtual network, from 1 to 16,777,215.
  remote-vtep ip-address: Display MAC addresses learned from the specified remote VTEP.
Default: Not configured
Command mode: EXEC
Usage information: Use the clear mac address-table dynamic nve remote-vtep command to delete all MAC address entries learned from a remote VTEP.

Example:
OS10# show mac address-table count virtual-network
MAC Entries for all vlans :
Dynamic Address Count : 8
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 8
Supported releases: 10.4.2.0 or later

show mac address-table extended
Displays MAC addresses learned on all VLANs and VXLANs.

show mac address-table nve
Displays MAC addresses learned on a VXLAN virtual network or from a remote VXLAN tunnel endpoint.
Syntax: show mac address-table nve {vxlan-vni vni | remote-vtep ip-address}
Parameters:
  vxlan-vni vni: Display MAC addresses learned on the specified VXLAN virtual network, from 1 to 16,777,215.
  remote-vtep ip-address: Display MAC addresses learned from the specified remote VTEP.

Command mode: EXEC
Usage information: Use this command to verify the MAC addresses learned on VXLAN virtual networks. By default, MAC learning from a remote VTEP is enabled.

Figure 12. Static VXLAN use case
VTEP 1 Leaf Switch
1. Configure the underlay OSPF protocol. Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.16.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.

3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
4. Configure VXLAN virtual networks with a static VTEP.

OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.16.2.0/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
8. Configure VLT
Configure a dedicated L3 underlay path to reach the VLT Peer in case of network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.1/30
OS10(config-if-vl-4000)# ip ospf 1 area 0.0.0.

OS10(config-if-vn-10000)# ip address 10.1.0.231/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(config-if-vn-10000)# no shutdown
OS10(config-if-vn-10000)# exit
OS10(config)# interface virtual-network 20000
OS10(config-if-vn-20000)# ip vrf forwarding tenant1
OS10(config-if-vn-20000)# ip address 10.2.0.231/16
OS10(config-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(config-if-vn-20000)# no shutdown
OS10(config-if-vn-20000)# exit

VTEP 2 Leaf Switch
1.

OS10(conf-if-po-10)# switchport access vlan 200
OS10(conf-if-po-10)# exit
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode access
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface OS10(conf-if-eth1/1/6)# OS10

Configure a VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.2
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
4. Configure VXLAN virtual networks with a static VTEP.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# remote-vtep 192.168.1.1
OS10(config-vn-vxlan-vni-remote-vtep)# exit
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# remote-vtep 192.168.1.
OS10(config-vn-vxlan-vni-remote-vtep)#
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
9. Configure VLT
Configure VLTi VLAN for the VXLAN virtual network.

Configure an anycast L3 gateway.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.233/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.

OS10(conf-if-po-10)# no switchport access vlan
OS10(conf-if-po-10)# exit
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# no switchport access vlan
OS10(conf-if-po-20)# exit
OS10(config)# interface OS10(conf-if-eth1/1/6)# OS10(co

OS10(conf-if-po-10)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# vlt port-channel 20
OS10(conf-if-po-20)# exit
Configure VLTi member links.
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure a VLT domain.

OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 172.16.1.1/31
OS10(conf-if-eth1/1/1)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# ip address 172.17.1.1/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.
OS10(conf-if-eth1/1/2)#

BGP EVPN for VXLAN
Ethernet Virtual Private Network (EVPN) is a control plane for VXLAN that reduces flooding in the network and resolves scalability concerns. EVPN uses MP-BGP to exchange information between VTEPs. EVPN was introduced in RFC 7432 and is based on BGP MPLS-based VPNs. RFC 8365 describes VXLAN-based EVPN. The MP-BGP EVPN control plane provides protocol-based remote VTEP discovery, and MAC and ARP learning. This configuration reduces flooding related to L2 unknown unicast traffic.

Figure 13. BGP EVPN topology
Leaf nodes
Leaf nodes are typically top-of-rack (ToR) switches in a data center network. They act as the VXLAN tunnel endpoints and perform VXLAN encapsulation and decapsulation. Leaf nodes also participate in the MP-BGP EVPN to support control plane and data plane functions. Control plane functions include:
● Initiate and maintain route adjacencies using any routing protocol in the underlay network.
● Advertise locally learned routes to all MP-BGP EVPN peers.
The BGP EVPN running on each VTEP listens to the exchange of route information in the local overlay, encodes the learned routes as BGP EVPN routes, and injects them into BGP to advertise to the peers. Tunnel endpoints advertise as Type 3 EVPN routes. MAC/IP addresses advertise as Type 2 EVPN routes.
EVPN instance
An EVPN instance (EVI) spans across the VTEPs that participate in an Ethernet VPN. Each virtual-network tenant segment that is advertised using EVPN must be associated with an EVI.
2. Configure BGP to advertise EVPN routes.
3. Configure EVPN, including the VNI, RD, and RT values associated with the EVPN instance.
4. Verify the BGP EVPN configuration.
Configuration
1. Configure BGP to advertise EVPN routes. EVPN requires that you establish MP-BGP sessions between leaf and spine nodes in the underlay network.

d. Send an extended community attribute to the BGP neighbor in ROUTER-BGP-NEIGHBOR mode.
   send-community extended
e. Enable the peer session with the BGP neighbor in ROUTER-BGP-NEIGHBOR mode.
   no shutdown
f. Configure the L2 VPN EVPN address family for VXLAN host-based routing to the BGP peer in ROUTER-BGP-NEIGHBOR mode.
   address-family l2vpn evpn
g. Enable the exchange of L2VPN EVPN addresses with the BGP peer in ROUTER-BGP-NEIGHBOR mode.
   activate
h. Return to ROUTER-BGP mode.
   exit
i.

b. Enable auto-EVI creation for overlay virtual networks in EVPN mode. Auto-EVI creation is supported only if BGP EVPN is used with 2-byte AS numbers and if at least one BGP instance is enabled with the EVPN address family. No further manual configuration is allowed in auto-EVI mode.
   auto-evi
● Manual EVI configuration mode
a. Enable the EVPN control plane in CONFIGURATION mode.
   evpn
b. Manually create an EVPN instance in EVPN mode. The range is from 1 to 65535.
   evi id
c.

Received 311 messages
  2 opens, 2 notifications, 3 updates
  304 keepalives, 0 route refresh requests
Sent 307 messages
  4 opens, 0 notifications, 2 updates
  301 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast:
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
  4_OCTET_AS(65)
  MP_L2VPN_EVPN
Capabilities advertised to neighbor for IPv4 Unicast:
  MULTIPROTO_EX
You set up overlay routing by assigning a VRF to each tenant, creating a virtual-network interface, and assigning an IP subnet in the VRF to each virtual-network interface. The VTEP acts as the L3 gateway that routes traffic from one tenant subnet to another in the overlay before encapsulating it in the VXLAN header and transporting it over the underlay fabric. On virtual networks that associate with EVIs, EVPN IRB is enabled only after you create a virtual-network interface.
For a VXLAN BGP EVPN example that uses symmetric IRB and Type-5 routes, see Example: VXLAN BGP EVPN — Symmetric IRB.
Configure Symmetric IRB for VXLAN BGP EVPN
Before you start
1. Follow the procedure in Configure VXLAN to:
● Configure the VXLAN overlay network.
● Enable routing for VXLAN virtual networks. Integrated Routing and Bridging (IRB) is automatically enabled.
● Enable an overlay routing profile with the number of reserved ARP table entries for VXLAN overlay routing.
2.
Route-Distinguisher : 1:110.111.170.195:10000(auto)
Route-Targets : 0:10000:16787216(auto) both
Inclusive Multicast : 110.111.170.107
IRB : Enabled(VRF-TENANT-1)
OS10# show evpn evi 20000
EVI : 20000, State : up
Bridge-Domain : Virtual-Network 20000, VNI 20000
Route-Distinguisher : 1:110.111.170.

*>r Route distinguisher: 3.3.3.3:65002 VNI:65002
[5]:[0]:[24]:[12.12.12.0]:[0.0.0.0]/224 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.4:101 VNI:101
[2]:[0]:[48]:[14:18:77:25:6f:4d]:[32]:[11.11.11.2]/224 4.4.4.4 0 100 32768
*>r Route distinguisher: 3.3.3.3:102 VNI:102
[2]:[0]:[48]:[14:18:77:25:8f:6d]:[32]:[12.12.12.1]/224 3.3.3.3 0 100 0 100 101 ?
*> Route distinguisher: 3.3.3.3:101
[3]:[0]:[32]:[3.3.3.3]/152 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.
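A parser for the EVPN route keys in the output above, as an added example that is not part of the Dell guide: it splits Type 2 (MAC/IP), Type 3 (tunnel endpoint) and Type 5 (IP prefix) entries into fields and lists routes whose next hop is not in an operator-supplied set of expected VTEPs. The bracketed field order is assumed to follow the RFC 7432 route layouts (the guide does not define it), and the function names and the expected-VTEP set are assumptions made for this illustration.

```python
import ipaddress
import re

# Route entries copied from the sample output on this page; the final,
# cut-off entry is kept to show that incomplete entries are skipped.
SAMPLE = """\
*>r Route distinguisher: 3.3.3.3:65002 VNI:65002
[5]:[0]:[24]:[12.12.12.0]:[0.0.0.0]/224 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.4:101 VNI:101
[2]:[0]:[48]:[14:18:77:25:6f:4d]:[32]:[11.11.11.2]/224 4.4.4.4 0 100 32768
*>r Route distinguisher: 3.3.3.3:102 VNI:102
[2]:[0]:[48]:[14:18:77:25:8f:6d]:[32]:[12.12.12.1]/224 3.3.3.3 0 100 0 100 101 ?
*> Route distinguisher: 3.3.3.3:101
[3]:[0]:[32]:[3.3.3.3]/152 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.
"""

# "Route distinguisher: A.B.C.D:N" with an optional "VNI:N" suffix.
RD_RE = re.compile(r"Route distinguisher:\s*(\d+\.\d+\.\d+\.\d+:\d+)(?:\s+VNI:(\d+))?")
# "[type]:[field]:...:[field]/length next-hop"
KEY_RE = re.compile(r"(\[\d+\](?::\[[^\]]*\])+)/(\d+)\s+(\S+)")


def parse_evpn_routes(text):
    """Return one dict per complete route entry, in output order."""
    routes = []
    headers = list(RD_RE.finditer(text))
    for i, head in enumerate(headers):
        # A route key belongs to the header it follows, up to the next header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        key = KEY_RE.search(text, head.end(), end)
        if not key:
            continue
        fields = re.findall(r"\[([^\]]*)\]", key.group(1))
        route = {
            "rd": head.group(1),
            "vni": int(head.group(2)) if head.group(2) else None,
            "type": int(fields[0]),
            "eth_tag": int(fields[1]),
            "next_hop": ipaddress.ip_address(key.group(3)),
        }
        if route["type"] == 2:    # MAC length, MAC, then optional IP length, IP
            route["mac"] = fields[3].lower()
            has_ip = len(fields) > 5 and int(fields[4]) > 0
            route["ip"] = ipaddress.ip_address(fields[5]) if has_ip else None
        elif route["type"] == 3:  # IP length, originating tunnel endpoint
            route["originator"] = ipaddress.ip_address(fields[3])
        elif route["type"] == 5:  # prefix length, prefix, gateway address
            route["prefix"] = ipaddress.ip_network(f"{fields[3]}/{fields[2]}", strict=False)
            route["gateway"] = ipaddress.ip_address(fields[4])
        else:
            continue              # other route types are outside this example
        routes.append(route)
    return routes


def unexpected_next_hops(routes, expected_vteps):
    """Routes whose next hop is not one of the VTEP addresses the operator expects."""
    allowed = {ipaddress.ip_address(v) for v in expected_vteps}
    return [r for r in routes if r["next_hop"] not in allowed]


if __name__ == "__main__":
    parsed = parse_evpn_routes(SAMPLE)
    for r in parsed:
        print(r)
    # Constructed expectation: only 3.3.3.3 is a known remote VTEP.
    print(unexpected_next_hops(parsed, {"3.3.3.3"}))
```
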
Figure 14. BGP EVPN in VLT domain
VXLAN BGP commands
activate (l2vpn evpn)
Enables the exchange of L2 VPN EVPN address family information with a BGP neighbor or peer group.
Syntax: activate
Parameters: None
Default: Not configured
Command Mode: ROUTER-BGP-NEIGHBOR-AF
Usage Information: Use this command to exchange L2 VPN EVPN address information for VXLAN host-based routing with a BGP neighbor. The IPv4 unicast address family is enabled by default.

Example:
OS10(conf-router-neighbor)# address-family l2vpn evpn unicast
OS10(conf-router-bgp-neighbor-af)# activate
Supported Releases: 10.2.0E or later

address-family l2vpn evpn
Configures the L2 VPN EVPN address family for VXLAN host-based routing to a BGP neighbor.
sender-side-loop-detection
Enables the sender-side loop detection process for a BGP neighbor.
Syntax: sender-side-loop-detection
Parameters: None
Default: Enabled
Command Mode: ROUTER-BGP-NEIGHBOR-AF
Usage Information: This command helps detect routing loops, based on the AS path, before it starts advertising routes. To configure a neighbor to accept routes, use the neighbor allowas-in command. The no version of this command disables sender-side loop detection for that neighbor.
*> Route distinguisher: 110.111.170.107:64536 [3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 101 ? OS10# show BGP router Neighbor State/Pfx 3.3.3.3 4.4.4.4 5.5.5.5 6.6.6.6 0 100 ip bgp l2vpn evpn summary identifier 2.2.2.2 local AS number 4294967295 AS MsgRcvd MsgSent Up/Down 4294967295 4294967295 4294967295 4294967295 2831 2364 4947 2413 9130 9586 8399 7310 05:57:27 05:56:43 01:10:39 05:51:56 504 504 11514 504 OS10# show ip bgp l2vpn evpn neighbors BGP neighbor is 3.3.3.
Received 20 messages 1 opens, 0 notifications, 0 updates 19 keepalives, 0 route refresh requests Sent 20 messages 1 opens, 1 notifications, 0 updates 18 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) Extended Next Hop Encoding (5) Capabilities advertised to neighbor
Supported releases 10.4.2.0 or later VXLAN EVPN commands advertise Advertises the IP prefixes learned from external networks and directly connected neighbors into EVPN. Syntax advertise {ipv4 | ipv6} {connected | static | ospf | bgp} [route-map mapname] Parameters ● ● ● ● ● ● ● Default None Command Mode EVPN-VRF Usage Information EVPN uses Type 5 route advertisements. To specify the types of learned routes to use in EVPN Type 5 advertisements in a tenant VRF, use the advertise command.
auto-evi Creates an EVPN instance automatically, including Route Distinguisher (RD) and Route Target (RT) values. Syntax auto-evi Parameters None Default Not configured Command mode EVPN Usage information In deployments running BGP with 2-byte or 4-byte autonomous systems, auto-EVI automatically creates EVPN instances when you create a virtual network on a VTEP in the overlay network.
Example 2
OS10(config)# evpn
OS10(config-evpn)# disable-rt-asn
OS10(config-evpn)# evi 1001
OS10(config-evpn-evi-1001)# route-target auto
OS10(config-evpn)# vrf BLUE
OS10(config-evpn-vrf-BLUE)# vni 64001
OS10(config-evpn-vrf-BLUE)# route-target auto
OS10(config-evpn-vrf-BLUE)#
Supported releases 10.5.1.0 or later
evi
Creates an EVPN instance (EVI) in EVPN mode.
Syntax evi id
Parameters id Enter the EVPN instance ID, from 1 to 65535.
Parameters
A.B.C.D: [1-65535] Manually configure the RD with a 4-octet IPv4 address, then a 2-octet-number from 1 to 65535.
auto Configure the RD to automatically generate.
Default Not configured
Command mode EVPN-EVI and EVPN-VRF
Usage information An RD maintains the uniqueness of an EVPN route between different EVPN instances. Configure a route distinguisher in a tenant VRF used for EVPN symmetric IRB traffic.
Parameters
value {import | export | both} Configure an RT import or export value, or both values in the format 2-octet-ASN:4-octet-number or 4-octet-ASN:2-octet-number.
● The 2-octet ASN or number is 1 to 65535.
● The 4-octet ASN or number is 1 to 4294967295.
auto Configure the RT import and export values to automatically generate.
asn4 (Optional) Advertises a 4-byte AS number in RT values.
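Because the import RTs decide which EVPN routes an EVI accepts, manually configured values such as those in the Multiple AS example in this guide are worth checking offline before they are applied. The following Python script is an added example, not part of this guide or of OS10: it parses route-target lines from saved EVPN configuration text, validates each value against the ranges stated above, and reports EVIs where one VTEP exports an RT that its peer does not import. The function names, the VTEP names, and both sample configurations (including the mistyped 100:2000) are constructed for illustration.

```python
import re

# Ranges stated in the route-target parameter description above.
MAX_2_OCTET = 65535
MAX_4_OCTET = 4294967295
PROMPT = re.compile(r"^\S+?\)#\s*")  # strips a leading "OS10(config-...)#" prompt


def validate_rt(value):
    """Return None for 'auto' or a well-formed RT value, else an error string."""
    if value == "auto":
        return None
    m = re.fullmatch(r"(\d+):(\d+)", value)
    if not m:
        return f"{value}: not in ASN:number format"
    asn, num = int(m.group(1)), int(m.group(2))
    two_four = 1 <= asn <= MAX_2_OCTET and 1 <= num <= MAX_4_OCTET
    four_two = 1 <= asn <= MAX_4_OCTET and 1 <= num <= MAX_2_OCTET
    if not (two_four or four_two):
        return f"{value}: outside the 2-octet:4-octet and 4-octet:2-octet ranges"
    return None


def parse_evpn(text):
    """Map EVI id -> {'import': set, 'export': set, 'auto': bool, 'errors': list}.

    Only EVPN-EVI mode is tracked; route targets under 'vrf' are ignored here.
    """
    evis, current = {}, None
    for raw in text.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if not tokens:
            continue
        if tokens[0] == "evi" and len(tokens) == 2 and tokens[1].isdigit():
            current = evis.setdefault(int(tokens[1]), {
                "import": set(), "export": set(), "auto": False, "errors": []})
        elif tokens[0] in ("exit", "vrf"):
            current = None
        elif tokens[0] == "route-target" and current is not None and len(tokens) > 1:
            value = tokens[1]
            error = validate_rt(value)
            direction = next(
                (t for t in tokens[2:] if t in ("import", "export", "both")), None)
            if value == "auto":
                current["auto"] = True
            elif error:
                current["errors"].append(error)
            elif direction is None:
                current["errors"].append(f"{value}: missing import, export or both")
            else:
                if direction in ("import", "both"):
                    current["import"].add(value)
                if direction in ("export", "both"):
                    current["export"].add(value)
    return evis


def cross_check(name_a, evis_a, name_b, evis_b):
    """Return (evi, message) findings for two VTEPs that should share EVIs."""
    findings = []
    for name, evis in ((name_a, evis_a), (name_b, evis_b)):
        for evi in sorted(evis):
            findings += [(evi, f"{name}: {e}") for e in evis[evi]["errors"]]
    for evi in sorted(set(evis_a) ^ set(evis_b)):
        findings.append((evi, "EVI configured on one VTEP only"))
    for evi in sorted(set(evis_a) & set(evis_b)):
        a, b = evis_a[evi], evis_b[evi]
        if a["auto"] or b["auto"]:
            findings.append((evi, "auto RT in use; compare show evpn evi output"))
            continue
        for src, s, dst, d in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
            for rt in sorted(s["export"] - d["import"]):
                findings.append((evi, f"{src} exports {rt} but {dst} does not import it"))
    return findings


# Constructed sample: VTEP in AS 99, written without prompts.
LEAF_A = """
evi 10000
 vni 10000
 route-target 99:10000 both
 route-target 100:10000 import
exit
evi 20000
 vni 20000
 route-target 99:20000 both
 route-target 100:20000 import
exit
"""

# Constructed sample: VTEP in AS 100, pasted with prompts; 100:2000 is a typo.
LEAF_B = """
OS10(config-evpn)# evi 10000
OS10(config-evpn-evi-10000)# route-target 99:10000 import
OS10(config-evpn-evi-10000)# route-target 100:10000 both
OS10(config-evpn-evi-10000)#exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# route-target 99:20000 import
OS10(config-evpn-evi-20000)# route-target 100:2000 both
OS10(config-evpn-evi-20000)#exit
"""

if __name__ == "__main__":
    for evi, message in cross_check("leaf-a", parse_evpn(LEAF_A),
                                    "leaf-b", parse_evpn(LEAF_B)):
        print(f"EVI {evi}: {message}")
```
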
show evpn evi
Displays the configuration settings of EVPN instances.
Syntax show evpn evi [id]
Parameters id — (Optional) Enter the EVPN instance ID, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to verify EVPN instance status, associated VXLAN virtual networks and the RD and RT values the BGP EVPN routes use in the EVI. The status of integrated routing and bridging (IRB) and the VRF used for EVPN traffic also display.
Local MAC Address Count : 1
Remote MAC Address Count : 2
OS10# show evpn mac evi 811 next-hop 80.80.1.8 count
EVI 811 next-hop 80.80.1.8 MAC Entries :
Remote MAC Address Count : 2
Supported releases 10.4.2.0 or later
show evpn mac-ip
Displays the BGP EVPN Type 2 routes used for host MAC-IP address binding.
106 106 14:18:77:25:6f:84 14:18:77:25:6f:84 lcl lcl 0 0 16.16.16.2 2001:16::16:2 OS10# show evpn mac-ip evi 104 Type EVI 104 104 104 104 -(lcl): Local (rmt): remote Mac-Address 14:18:77:25:4d:b9 14:18:77:25:4d:b9 14:18:77:25:6e:b9 14:18:77:25:6e:b9 Type rmt rmt lcl lcl Seq-No 0 0 0 0 Host-IP Interface/Next-Hop 14.14.14.1 95.0.0.3 2001:14::14:1 95.0.0.3 14.14.14.
show evpn vrf
Displays the VRF instances used to forward EVPN routes in VXLAN overlay networks.
Syntax show evpn vrf [vrf-name]
Parameters vrf-name — (Optional) Enter the name of a non-default tenant VRF instance.
Default Not configured
Command mode EXEC
Usage information Use this command to verify the tenant VRF instances used in EVPN instances to exchange BGP EVPN routes in VXLANs.
OS10# show evpn vrf l3-vni vrf_30
VRF : vrf_30, State : up
L3-VNI : 3030
Route-Distinguisher : 1:80.80.1.1:3030(auto)
Route-Targets : 0:200:268435557(auto) both
Remote VTEP : 4.4.4.4
Supported releases 10.5.1.0 or later
show evpn vxlan-vni
Displays the VXLAN overlay network for EVPN instances.
Syntax show evpn vxlan-vni [vni]
Parameters vni — (Optional) Enter the VXLAN virtual-network ID, from 1 to 16,777,215.
vrf
Creates a non-default VRF instance for EVPN symmetric IRB traffic.
Syntax vrf vrf-name
Parameters
● vrf-name — Enter the name of a non-default tenant VRF; 32 characters maximum.
Default Not configured
Command Mode EVPN
Usage Information Configure a non-default VRF for symmetric IRB for each tenant VRF. The tenant VRF is created using the ip vrf command when you enable overlay routing with IRB; see Enable overlay routing between virtual networks.
Figure 15. VXLAN BGP EVPN use case
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.16.1.
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.0/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
Configure iBGP IPv4 peering between VLT peers.
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Configure an unused VLAN ID for untagged membership.
OS10(config)# virtual-network untagged-vlan 1000
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.18.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 172.18.2.
OS10(config-evpn-evi-10000)# route-target auto
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
Configure iBGP IPv4 peering between VLT peers.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.16.250.11
OS10(config-router-neighbor)# remote-as 100
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
14. Configure IP routing in the overlay network.
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.19.0.
Configure a VLTi VLAN for the virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vlti-vlan 100
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-bgp-101)# neighbor 172.17.1.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.1.
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.0.
OS10(conf-router-bgp-101)# neighbor 172.18.2.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.2.
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# send-community extended
OS10(conf-router-neighbor)# update-source loopback1
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4078ms
rtt min/avg/max/mdev = 0.806/0.851/0.944/0.051 ms
root@HOST-A:~#
5. Check connectivity between host A and host C.
root@HOST-A:~# ping 10.1.0.20 -c 5
PING 10.1.0.20 (10.1.0.20) 56(84) bytes of
64 bytes from 10.1.0.20: icmp_seq=1 ttl=64
64 bytes from 10.1.0.20: icmp_seq=2 ttl=64
64 bytes from 10.1.0.
Figure 16. VXLAN BGP EVPN with multiple AS
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-99)# address-family ipv4 unicast
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-99)# neighbor 172.16.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-99)# neighbor 172.16.2.
OS10(config-evpn-evi-20000)# route-target 100:20000 import
OS10(config-evpn-evi-20000)#exit
OS10(config-evpn)#
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.0/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethern
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-99)# neighbor 172.202.0.
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.2
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4.
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31
OS10(conf-if-eth1/1/2)# exit
8. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.18.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.18.1.
OS10(config-evpn-evi-10000)# rd 192.168.2.1:10000
OS10(config-evpn-evi-10000)# route-target 99:10000 import
OS10(config-evpn-evi-10000)# route-target 100:10000 both
OS10(config-evpn-evi-10000)#exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd 192.168.2.1:20000
OS10(config-evpn-evi-20000)# route-target 99:20000 import
OS10(config-evpn-evi-20000)# route-target 100:20000 both
OS10(config-evpn-evi-20000)#exit
OS10(config-evpn)#
13. Configure VLT.
Configure iBGP IPv4 peering between VLT peers.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.16.250.11
OS10(config-router-neighbor)# remote-as 100
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
14. Configure IP routing in the overlay network.
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.19.0.1/32
OS10(conf-if-lo-1)# exit
11. Configure BGP EVPN peering.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.11/31
OS10(config-if-vl-4000)# exit
Configure VLT port channels.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# exit
4. Configure a Loopback interface for BGP EVPN peering.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.201.0.1/32
OS10(conf-if-lo-1)# exit
5. Configure BGP EVPN peer sessions.
OS10(config)# router bgp 101
OS10(conf-router-bgp-101)# neighbor 172.16.0.
Spine Switch 2
1. Configure downstream ports on the underlay links to the leaf switches.
OS10(conf-router-neighbor)# update-source loopback1
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-102)# neighbor 172.17.0.
2. Verify EVPN configurations and EVPN parameters. LEAF1# show evpn evi EVI : 10000, State : up Bridge-Domain : Route-Distinguisher : Route-Targets : Inclusive Multicast : IRB : EVI : 20000, State : up Bridge-Domain : Route-Distinguisher : Route-Targets : Inclusive Multicast : IRB : LEAF1# Virtual-Network 10000, VNI 10000 1:192.168.1.1:10000 0:99:10000 both, 0:100:10000 import 192.168.2.1 Enabled(tenant1) Virtual-Network 20000, VNI 20000 1:192.168.1.1:20000 0:99:10000 both, 0:100:10000 import 192.168.2.
rtt min/avg/max/mdev = 0.640/0.669/0.707/0.041 ms
root@HOST-A:~#
NOTE: Follow Steps 1 to 6 to check ping connectivity between combinations of other hosts, and between hosts through different virtual-network IP addresses.
Example: VXLAN BGP EVPN — Centralized L3 gateway with asymmetric IRB
The following VXLAN with BGP EVPN example uses a centralized Layer 3 gateway to perform virtual-network routing. It is based on the sample configuration in Example: VXLAN BGP EVPN — Multiple AS topology.
Figure 17. VXLAN BGP EVPN with centralized L3 gateway
NOTE: This centralized L3 gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology.
Configure each spine and leaf switch as in the Multiple AS topology example, except:
● Because VTEPs 1 and 2 operate only in Layer 2 VXLAN mode, do not configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.233/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
S4048T-ON, S6010-ON, and the S4100-ON series, routing after decapsulation is performed only between virtual networks. You can connect an egress virtual network to a VLAN in an external router, which connects to the external network. In the following example, VLT domain 1 is a VLT VTEP. VLT domain 2 is the border leaf VLT VTEP pair. All virtual networks in the data center network are configured in all VTEPs with virtual-network IP and anycast IP gateway addresses.
Figure 18. VXLAN BGP EVPN with border leaf gateway
NOTE: This border leaf gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology.
Configure each spine and leaf switch as in the Multiple AS topology example and add the following additional configuration steps on each VTEP.
VTEP 1 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
2. Configure routing on the virtual network.
OS10(config)# interface virtual-network 500
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.5.0.231/16
3. Configure a static route for outbound traffic sent to the anycast MAC address of the dedicated virtual network.
OS10(config)#ip route 0.0.0.0/0 10.5.0.100
VTEP 2 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
5. Configure a static route for outbound traffic sent to VLAN 200.
OS10(config)#ip route 0.0.0.0/0 10.10.0.3
VTEP 4 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
OS10(config)# virtual-network 500
OS10(config-vn-500)# vxlan-vni 500
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
2. Configure an anycast gateway MAC address on the border leaf VTEP. This MAC address must be different from the anycast gateway MAC address configured on non-border-leaf VTEPs.
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
4. Assign VLAN member interfaces to the virtual network.
Use a switch-scoped VLAN-to-VNI mapping:
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
9. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.16.0.1/32
OS10(conf-if-lo-1)# exit
10. Configure BGP EVPN peering.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
15. Configure advertisement of connected networks through EVPN type-5 routes.
OS10(config)# evpn
OS10(config-evpn)# vrf tenant1
OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected
OS10(config-evpn-vrf-tenant1)# exit
VTEP 2 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2.
OS10(conf-if-eth1/1/2)# ip address 172.17.2.0/31
OS10(conf-if-eth1/1/2)# exit
7. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.17.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.17.1.
11. Configure EVPN for the VXLAN virtual network.
Configure the EVPN instance, RD, and RT using auto-EVI mode.
OS10(config)# evpn
OS10(config-evpn)# auto-evi
OS10(config-evpn)# exit
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.1/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.232/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(conf-if-vn-10000)# no shutdown
OS10(conf-if-vn-10000)# exit
14. Configure symmetric IRB.
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(conf-if-eth1/1/7)# switchport mode trunk
OS10(conf-if-eth1/1/7)# switchport trunk allowed vlan 200
17. Configure advertisement of the connected networks via EVPN Type-5 routes.
OS10(config)# evpn
OS10(config-evpn)# vrf tenant1
OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected
OS10(config-evpn-vrf-tenant1)# exit
18. Configure BGP session with external router on the border-leaf VTEPs.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# vrf tenant1
OS10(config-router-bgp-100-vrf)# neighbor 10.
VTEP 4 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.19.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 172.19.2.
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
OS10(config)# virtual-network 20000
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.234/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
15. Configure symmetric IRB.
With connected routes of virtual networks present in an individual VTEP advertised as type-5 routes, the border-leaf router has information about all the virtual networks present in the pod.
3. Configure eBGP IPv4 peer sessions on the P2P links.
OS10(conf-router-bgp-101)# neighbor 172.16.1.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.1.
OS10(conf-router-bgp-101)# neighbor 172.18.0.
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.2.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.2.
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.0.
4. Check connectivity between host A and host B.
root@HOST-A:~# ping 10.2.0.20 -c 5
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=0.824 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=63 time=0.847 ms
64 bytes from 10.2.0.10: icmp_seq=3 ttl=63 time=0.835 ms
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.
Example - VXLAN BGP EVPN symmetric IRB with unnumbered BGP peering
The following BGP EVPN example uses a Clos leaf-spine topology with BGP over unnumbered interfaces. The following explains how the network is configured:
● External BGP (eBGP) over unnumbered interfaces is used to exchange both IPv4 routes and EVPN routes.
● You need not configure IP addresses on links that connect Spine and Leaf switches. BGP Unnumbered peering works without an IP address configuration on Spine-Leaf links.
● On leaf switches 1 and 2, access ports are assigned to a virtual network using a switch-scoped VLAN. EVPN for the overlay VXLAN is configured using auto-EVI mode.
● On leaf switches 3 and 4, access ports are assigned to a virtual network using a port-scoped VLAN. EVPN for the overlay VXLAN is configured using manual EVI mode with RT and RD values configured in auto mode.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-101)# neighbor interface ethernet1/1/4
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
Spine Switch 2 configuration
1. Configure downstream ports as unnumbered interfaces.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
VTEP Leaf Switch 1 configuration
1. Configure a loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure a BGP unnumbered neighbor over network facing ports. Use a template to simplify the configuration on multiple interfaces. These neighbors are configured to carry IPv4 address family (default) and L2VPN EVPN address family.
● Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# exit
● Configure iBGP unnumbered peering between VLT peers with both IPv4 and L2VPN EVPN address families.
2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn)# exit
4. Assign VLAN member interfaces to the virtual network. Use a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-bgp-201)# neighbor interface ethernet1/1/2
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
9. Configure EVPN for the VXLAN virtual network. Configure the EVPN instances using Auto EVI mode and Disable ASN in the generated RT.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
11. Configure IP routing in overlay network.
● Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# no switchport access vlan
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7.
NOTE: Use the disable-rt-asn command to autoderive RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches. 11. Configure VLT. ● Configure a VLTi VLAN for the virtual network.
● Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.233/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
13.
4. Configure an unused VLAN ID for untagged membership. OS10(config)# virtual-network untagged-vlan 1000 5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
NOTE: Use the disable-rt-asn command to autoderive RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
12. Configure IP routing in the overlay network.
● Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
Asymmetric to Symmetric IRB migration steps
1. Make the spines send overlay traffic only to Leaf-2 by making Leaf-1 advertise the VTEP IP with a higher metric in the underlay network.
Leaf-1 configuration
a. Configure a route-map with a prefix-list to set a higher metric for the VTEP IP.
Leaf-1(config)# ip prefix-list vtep_ip seq 10 permit 10.10.10.
2. Spines would now send the overlay traffic destined to VLT domain 1 (Rack1) only to Leaf-2.
3. Configure Symmetric IRB mode in Leaf-2.
Leaf-2 configuration
a. Configure router-mac.
Leaf-2(config)# evpn
Leaf-2(config-evpn)# router-mac 02:10:10:10:10:10
b. Configure IP VRF with L3 VNI.
Leaf-2(config-evpn)# vrf BLUE
Leaf-2(config-evpn-vrf-VRF001)# vni 65001
c. Configure RT (auto or manual) and RD (optional, default is auto).
Leaf-2(config-evpn-vrf-BLUE)# route-target auto
d.
b. Default route configured in VTEPs pointing to border leaf using an intermediate VNI could be removed. Default route or external routes could now be advertised to the VTEPs from border leaf using advertise commands under EVPN-IPVRF mode.
Example - Route leaking across VRFs in a VXLAN BGP EVPN symmetric IRB topology
The following VXLAN with BGP EVPN example uses a Clos leaf-spine topology to show how to set up route leaking across VRF in a symmetric IRB topology.
● The individual switch configuration shows how to configure VRFs in the VTEPs and configure route leaking between VRFs. For other VXLAN and BGP EVPN configuration, see other examples and the VXLAN section.
● Route leaking is performed on the Border Leaf VTEP.
● There are three nondefault VRFs present in the network – Yellow, Green, and Red.
● Route leaking is done between:
○ VRF-Yellow and VRF-Green.
○ VRF-Yellow and VRF-Red.
2. Configure Layer 3 virtual-network interfaces with VRFs and IP addresses.
OS10(config)# interface virtual-network 10001
OS10(conf-if-vn-10001)# ip vrf forwarding Yellow
OS10(conf-if-vn-10001)# ip address 10.1.0.2/24
OS10(conf-if-vn-10001)# ip virtual-router address 10.1.0.254
OS10(conf-if-vn-10001)#
OS10(config)# interface virtual-network 20001
OS10(conf-if-vn-20001)# ip vrf forwarding Green
OS10(conf-if-vn-20001)# ip address 10.2.0.2/24
OS10(conf-if-vn-20001)# ip virtual-router address 10.2.0.254
3.
OS10(config-evpn-vrf-Red)# advertise ipv4 connected
OS10(config-evpn-vrf-Red)# exit
4. Configure the border-leaf to advertise the default route into the EVPN in each VRF. From the other VTEPs, any traffic to an external network and also to networks which are not within the local VRF reaches the Border Leaf router using this default route.
a.
OS10(conf-vrf)# ip route-import 1:1
OS10(conf-vrf)# exit
OS10(config)# ip vrf Red
OS10(conf-vrf)# ip route-export 3:3 route-map RouteMap_RedVrf_Export
OS10(conf-vrf)# ip route-import 1:1
OS10(conf-vrf)# exit
7. (Optional) For advertising leaked routes from Yellow VRF only to an external router on the default VRF and not to an underlay network, use route-maps on spine-facing eBGP neighbors and also on the iBGP neighbor between the VLT peers.
OS10(config-evpn-vrf-Yellow)# advertise ipv4 connected
OS10(config-evpn-vrf-Yellow)# exit
OS10(config-evpn)# vrf Green
OS10(config-evpn-vrf-Green)# vni 65002
OS10(config-evpn-vrf-Green)# route-target auto
OS10(config-evpn-vrf-Green)# advertise ipv4 connected
OS10(config-evpn-vrf-Green)# exit
OS10(config-evpn)# vrf Red
OS10(config-evpn-vrf-Red)# vni 65003
OS10(config-evpn-vrf-Red)# route-target auto
OS10(config-evpn-vrf-Red)# advertise ipv4 connected
OS10(config-evpn-vrf-Red)# exit
4.
● Yellow VRF and Red VRF.
C 10.1.0.0/24 via 10.1.0.3 virtual-network10001 0/0 00:47:11
B EV 10.1.0.1/32 via 192.168.0.1 200/0 00:48:55
B EV 10.1.0.2/32 via 192.168.0.1 200/0 00:48:55
B EV 10.2.0.0/24 via 192.168.0.1,Green 200/0 00:35:48
C 10.3.0.0/24 via 10.3.0.1,Red virtual-network30001 0/0 00:35:48
C 10.10.0.0/24 via 10.10.0.
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
----------------------------------------------------------------------
B EX 10.1.0.0/24 via 10.10.0.1 20/0 00:13:49
                 via 10.10.0.2
B EX 10.1.0.1/32 via 10.10.0.1 20/0 00:14:22
                 via 10.10.0.2
B EX 10.1.0.2/32 via 10.10.0.1 20/0 00:14:24
                 via 10.10.0.2
C 10.10.0.0/24 via 10.10.0.3 vlan100 0/0 00:23:16
B EX 172.16.1.1/32 via 10.10.0.1 20/0 00:22:58
                   via 10.10.0.2
B EX 172.16.1.2/32 via 10.10.0.
The NSX controller communicates with an OS10 VTEP using the OVSDB management protocol over a Secure Sockets Layer (SSL) connection. Establishing the communication between the controller and VTEP involves generating the SSL certificate at a VTEP and copying the certificate to the NSX controller. After SSL authentication, a secure connection over SSL is established between the controller and the VTEP. The VTEP then receives and processes the configuration data from the controller.
● Only one mode of VxLAN provisioning is supported at a time: NSX controller-based, static VXLAN, or BGP EVPN. ● An OS10 switch does not send VXLAN access port statistics to the NSX controller. ● Controller-provisioned VXLAN is not supported on VTEPs configured as peers in a VLT domain. Only VTEPs in standalone mode are supported. Specify the controller reachability information In OS10 VTEP, the controller configuration command initializes a connection to an OVSDB-based controller.
4. Assign the interface to the controller.
OS10(config-if-eth1/1/1)# nve-controller
To view the controller information and the ports the controller manages, use the show nve controller command.
OS10# show nve controller
Management IP         : 10.16.140.29/16
Gateway IP            : 55.55.5.5
Max Backoff           : 1000
Configured Controller : 10.16.140.
Controller Cluster
IP              Port
10.16.140.173   6640
10.16.140.171   6640
10.16.140.172   6640
NOTE: In controller-provisioned VXLAN, the VTEP establishes a BFD session with the service nodes using the controller-provided parameters instead of the parameters configured at the VTEP. If BFD is not enabled in the VTEP, the VTEP uses IP reachability information to monitor connectivity to the service node.
To view established sessions, use the show bfd neighbors command.
3. Create a logical switch. You can create a logical network that acts as the forwarding domain for virtualized and nonvirtualized server workloads on the physical and virtual infrastructure. The following steps configure the logical switch for NSX controller management.
a. Click Logical Switches from the left navigation pane.
b. Click the green + icon under Logical Switches. The New Logical Switch dialog window opens.
c. Enter a name and select Unicast as the replicate mode and click OK
4.
5. (Optional) Enable or disable BFD globally. The following steps enable or disable BFD configuration in the controller.
a. Click Service Definitions from the left navigation pane.
b. Click the Hardware Devices tab.
c. Click the Edit button in the BFD Configuration.
d. Check or clear the Enable BFD check box and provide the Probe interval, in milliseconds, if required.
After you configure a VMware NSX controller on a server VM, connect to the controller from the VXLAN gateway switch.
To configure an NSX controller-provisioned VXLAN: ● Configure the controller and the interfaces to be managed by the controller, in the OS10 VTEPs ● Configure the NSX controller in VMware vCenter. For more information about configuring the NSX controller using the GUI, see the Configure and control VXLAN from the VMware vCenter. You must configure an OS10 VTEP with the controller configuration so that the VTEP can communicate with the NSX controller.
OS10(config-nve-ovsdb)# max-backoff 10000
OS10(config-nve-ovsdb)# exit
5. Assign interfaces to be managed by the controller.
OS10(config)# interface ethernet 1/1/54:3
OS10(config-if-eth1/1/54:3)# switchport mode trunk
OS10(config-if-eth1/1/54:3)# no switchport access vlan
OS10(config-if-eth1/1/54:3)# nve-controller
6. (Optional) Enable BFD.
OS10(config)# bfd enable
VTEP 2
1. Configure the OSPF protocol in the underlay.
Gateway IP            : 200.0.0.1
Max Backoff           : 10000
Configured Controller : 10.16.140.181:6640 ssl (connected)
Controller Cluster
IP              Port   Protocol   Connected   State    Max-Backoff
10.16.140.182   6640   ssl        true        ACTIVE   10000
10.16.140.183   6640   ssl        true        ACTIVE   10000
10.16.140.181   6640   ssl        true        ACTIVE   10000
NVE Controller Ports
ethernet1/1/54:3
To display the VNID, port members, source interface, and remote VTEPs of the VXLAN, use the show virtual-network command.
NVE Controller Ports
ethernet1/1/25:3
To display the VNID, port members, source interface, and remote VTEPs of the VXLAN, use the show virtual-network command.
OS10# show virtual-network
Codes: DP - MAC-learn Dataplane, CP - MAC-learn Controlplane, UUD - Unknown-Unicast-Drop
Virtual Network: 0
Members:
Virtual Network: 6000
Members:
VLAN 20: ethernet1/1/25:3
VxLAN Virtual Network Identifier: 6000
Source Interface: loopback1(202.0.0.1)
Remote-VTEPs (flood-list): 13.0.0.
Example
OS10(config)# nve
OS10(config-nve)# controller ovsdb
Supported releases 10.4.3.0 or later
ip port ssl
Configures the OVSDB controller reachability information such as IP address, port number, and the connection type of session, in the switch.
Syntax ip ip-address port port-number ssl
Parameters
● ip-address — Specify the IP address of the OVSDB controller to connect with.
● port-number — Specify the port number through which the connection to the OVSDB controller is made.
nve-controller
Assigns the interfaces to be managed by the controller.
Syntax nve-controller
Parameters None
Default None
Command mode INTERFACE
Usage information The interface must be in Switchport Trunk mode when adding the interface to the controller. If the interface is not in the Switchport Trunk mode, the system displays the following error message:
% Error: Interface ethernet1/1/1, must be in switchport trunk for controller mode.
Management IP         : 10.16.140.29/16
Gateway IP            : 55.55.5.5
Max Backoff           : 1000
Configured Controller : 10.16.140.172:6640 ssl (connected)
Controller Cluster
IP              Port   Protocol   Connected   State     Max-Backoff
10.16.140.173   6640   ssl        true        ACTIVE
10.16.140.171   6640   ssl        false       BACKOFF
10.16.140.172   6640   ssl        true        ACTIVE
NVE Controller Ports
ethernet1/1/1:1
ethernet1/1/15
Supported releases 10.4.3.0 or later
show nve controller ssl-certificate
Displays the SSL certificate generated in the system.
Parameters None
Default None
Command mode EXEC
Usage information When you specify the VNID, the output displays details about the service nodes available for the VNID.
Example (without VNID)
OS10# show nve replicators
Codes: * - Active Replicator
BFD Status:Enabled
Replicators State
-----------------------
2.2.2.3 Up
2.2.2.
show ovsdb-tables mac-remote-ucast Displays information about remote MAC address entries including each MAC address, IP address, local switch name, and VNID. Syntax show ovsdb-tables mac-remote-ucast Parameters None Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles.
Parameters None Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles. Example OS10# show ovsdb-tables tunnel Count : 2 Tunnel table _uuid bfd_config_local bfd_params bfd_config_remote bfd_status local remote ------------------------------------ -----------------------------------------------------------------------8025d953-acf5-4091-9fa2-75d41953b397 {bfd_dst_ip="55.55.5.5", bfd_dst_mac="00:23:20:00:00:01"} {bfd_dst_ip="2.2.2.
17 UFT modes
A switch in a Layer 2 (L2) network may require a larger MAC address table size, while a switch in a Layer 3 (L3) network may require a larger routing table size. Unified forwarding table (UFT) offers the flexibility to configure internal L2/L3 forwarding table sizes. OS10 supports several UFT modes for the forwarding tables. By default, OS10 selects a UFT mode that provides a reasonable size for all tables.
Table 102. UFT Modes — Table Size for Z9264F-ON
UFT Mode            L2 MAC Table Size   L3 Host Table Size   L3 Routes Table Size
Scaled-l2–switch    270336              8192                 32768
Scaled-l3–hosts     8192                270336               32768
Scaled-l3–routes    8192                8192                 262144
Default             139264              139264               32768
Table 103.
L3 Host Entries  : 147456   212992
L3 Route Entries : 32768    98304
View UFT information for all modes
OS10# show hardware forwarding-table mode all
Mode               default   scaled-l2   scaled-l3-routes   scaled-l3-hosts
L2 MAC Entries     163840    294912      32768              98304
L3 Host Entries    147456    16384       16384              212992
L3 Route Entries   32768     32768       131072             98304
IPv6 extended prefix routes
IPv6 addresses that contain prefix routes with a mask between /64 and /128 are called IPv6 extended prefix routes.
Syntax hardware forwarding-table mode {scaled-l2 | scaled-l3-routes | scaled-l3-hosts}
Parameters
● scaled-l2 — Enter the L2 MAC address table size.
● scaled-l3-routes — Enter the L3 routes table size.
● scaled-l3-hosts — Enter the L3 hosts table size.
Defaults The default parameters vary according to the platform. See UFT modes on page 1296.
Command Mode CONFIGURATION
Usage Information Configure the sizes of the internal L2 and L3 forwarding tables to meet the requirements of your network environment.
Example
OS10# show hardware forwarding-table mode
                   Current Settings   Next-boot Settings
Mode               default-mode       scaled-l3-hosts
L2 MAC Entries   : 163840             98304
L3 Host Entries  : 147456             212992
L3 Route Entries : 32768              98304
Supported Releases 10.3.0E or later
show hardware forwarding-table mode all
Displays table sizes for the hardware forwarding table modes.
18 Security
Dell EMC SmartFabric OS10 has several security features to protect the usability and integrity of the data available in the switch. OS10 also has security features to protect the user network from attacks and to restrict network traffic.
Switch security
Dell EMC SmartFabric OS10 has various built-in security features to secure administrative access to the switch.
User management
OS10 controls user access to the switch and what users can do after login, based on their assigned roles and privileges.
Assign user role
To limit OS10 system access, assign a role when you configure each user.
● Enter a user name, password, and role in CONFIGURATION mode.
username username password password role role
○ username username — Enter a text string. A maximum of 32 alphanumeric characters; 1 character minimum.
○ password password — Enter a text string. A maximum of 32 alphanumeric characters; 9 characters minimum.
The linuxadmin password configured from the CLI takes precedence across reboots over the password configured from the Linux shell. Verify the linuxadmin password using the show running-configuration command.
OS10# show running-configuration
system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.gbTPcxyMP/PHUkMc5rdk/ZLv9Sfv3ALtB61
Disable linuxadmin user
To disable or lock the linuxadmin user, use the system-user linuxadmin disable command in CONFIGURATION mode.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. ○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. ○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode. ● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
○ lockout-period minutes — Sets the amount of time that a user ID is prevented from accessing the system after exceeding the maximum number of failed login attempts, from 0 to 43,200; default 5.
NOTE: Dell Technologies recommends that you configure the lockout period to be a nonzero value. If you set this value to zero, no lockout period is configured, and no number of failed login attempts locks out a user.
○ console-exempt — Applicable only if the user lockout feature is enabled.
Create strong password rules
OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2
Display password rules
OS10# show running-configuration password-attributes
password-attributes min-length 7 character-restriction upper 4 numeric 2
Disable strong password check
OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2
OS10(config)# username admin2 password 4newhire4 role sysadmin
%Error: Password fail: it does not contain enough DIFFERENT charact
Configuration notes
All Dell EMC PowerSwitches:
● Obscure password (service obscure-password) is enabled by default when upgrading to 10.5.2.0 or later if the setting is not changed before the upgrade.
● If the Obscure password configuration is explicitly disabled before the upgrade, it remains disabled after the upgrade as well.
User management commands
disable
Lowers the privilege level.
Syntax disable privilege-level
Parameters
● privilege-level — Enter the privilege level, from 0 to 15.
enable password priv-lvl
Sets a password for a privilege level.
Syntax enable password encryption-type password-string priv-lvl privilege-level
Parameters
● encryption-type — Enter the type of password encryption:
○ 0 — Use an unencrypted password.
○ sha-256 — Use a SHA-256 encrypted password.
○ sha-512 — Use a SHA-512 encrypted password.
● priv-lvl privilege-level — Enter a privilege number from 1 to 15.
Usage Information By default, the password you configure with the username password command must be at least nine alphanumeric characters. Use this command to increase password strength. When you enter the command, at least one parameter is required. When you enter the character-restriction parameter, at least one option is required. To reset parameters to their default values, use the no password-attributes command. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.
○ exec — Accesses EXEC mode. ○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes. ○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes. ○ route-map — Accesses route-map mode. ○ router — Accesses router-bgp and router-ospf modes. ○ line — Accesses line-vty mode.
Default Not configured
Command Mode CONFIGURATION
Usage Information Use the service obscure-password command so that the text characters of passwords are not displayed in show command output. The command obscures the passwords that you configure for user names, NTP, BGP, SNMP, RADIUS servers, and TACACS+ servers. To disable the obscure passwords function, use the no service obscure-password command.
Example
OS10(config)# service obscure-password
Supported Releases 10.5.
Defaults Not configured
Command Mode EXEC
Example
OS10# show running-configuration privilege
privilege exec priv-lvl 3 configure
privilege configure priv-lvl 4 "interface ethernet"
enable password sha-512 $6$Yij02Phe2n6whp7b$ladskj0HowijIlkajg981 priv-lvl 12
Supported Releases 10.4.3.0 or later
system-user linuxadmin password
Configures a password for the linuxadmin user.
userrole inherit
Reconfigures the default netoperator role and permissions that OS10 assigns by default to a RADIUS or TACACS+-authenticated user with an unknown user role or privilege level. You can also configure an unknown RADIUS or TACACS+ user role to inherit permissions from an existing OS10 role.
○ secadmin — Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information. ○ netadmin — Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs.
AAA authentication
An OS10 switch uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By default, OS10 uses only the local authentication method. The authentication methods in the method list execute in the order you configure them. Re-enter the methods to change the order. The local authentication method remains enabled even if you remove all configured methods in the list using the no aaa authentication login {console | default} command.
NOTE: OS10 supports only the VSA to assign user roles. Other VSAs are not supported. Also, you must configure the user role on the RADIUS or TACACS+ server using the vendor-specific attribute (VSA) or the authentication fails. The vendor ID of Dell EMC is 674. Create a VSA with Name = Dell-group-name, OID = 2, Type = string. Valid values for Dell-group-name are: Table 106.
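The Dell-group-name attribute described above can be checked on the RADIUS server side before a login fails on the switch. The following is an added example, not code from the guide or from Dell: it encodes the attribute in the standard RFC 2865 Vendor-Specific layout and validates a constructed Access-Accept attribute list. It assumes that the guide's "OID = 2" is the vendor sub-attribute type and that the role names used elsewhere in the guide are the valid values; the function names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for VSAs (RFC 2865)
DELL_VENDOR_ID = 674   # vendor ID given in the guide
DELL_GROUP_NAME = 2    # Dell-group-name; assumes "OID = 2" is the sub-attribute type
# Assumption: role names that appear elsewhere in the guide are the valid values.
OS10_ROLES = {"sysadmin", "secadmin", "netadmin", "netoperator"}


def tlvs(data, what):
    """Yield (type, value) pairs from a run of type/length/value fields.

    The length octet counts the two header octets, so it must be at least 2
    and must not run past the end of the buffer.
    """
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield kind, data[pos + 2:pos + length]
        pos += length


def attr(kind, value):
    """Build one type/length/value field."""
    if len(value) + 2 > 255:
        raise ValueError("value too long for a single attribute")
    return bytes([kind, len(value) + 2]) + value


def encode_dell_group_name(role):
    """Vendor-Specific attribute: Vendor-Id (4 octets) + sub-attribute 2 (string)."""
    sub = attr(DELL_GROUP_NAME, role.encode("ascii"))
    return attr(VENDOR_SPECIFIC, struct.pack("!I", DELL_VENDOR_ID) + sub)


def dell_group_names(attributes):
    """Return every Dell-group-name string found in an attribute list."""
    names = []
    for kind, value in tlvs(attributes, "attribute"):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != DELL_VENDOR_ID:
            continue  # another vendor's VSA, not relevant to the role
        for sub_kind, sub_value in tlvs(value[4:], "Dell sub-attribute"):
            if sub_kind == DELL_GROUP_NAME:
                names.append(sub_value.decode("ascii", errors="replace"))
    return names


def check_role_vsa(attributes):
    """Return (ok, detail) for the role information in an Access-Accept."""
    names = dell_group_names(attributes)
    if not names:
        return False, "no Dell-group-name VSA (vendor 674, type 2) present"
    if len(names) > 1:
        return False, "more than one Dell-group-name VSA: " + ", ".join(names)
    if names[0] not in OS10_ROLES:
        return False, "unrecognized role " + repr(names[0])
    return True, names[0]


# Constructed sample: a Reply-Message (type 18), a VSA from a made-up
# vendor ID, and the Dell role attribute.
OTHER_VENDOR_VSA = attr(VENDOR_SPECIFIC, struct.pack("!I", 99999) + attr(1, b"demo"))
SAMPLE_ACCEPT = attr(18, b"welcome") + OTHER_VENDOR_VSA + encode_dell_group_name("sysadmin")

if __name__ == "__main__":
    print(encode_dell_group_name("sysadmin").hex())
    print(check_role_vsa(SAMPLE_ACCEPT))
    print(check_role_vsa(attr(18, b"welcome")))
```
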
Configure AAA authentication
OS10(config)# aaa authentication login default group radius local
OS10(config)# do show running-configuration aaa
aaa authentication login default group radius local
aaa authentication login console local
Remove AAA authentication methods
OS10(config)# no aaa authentication login default
OS10(config)# do show running-configuration aaa
aaa authentication login default local
aaa authentication login console local
User re-authentication
To prevent users from accessing resources an
● Configure the timeout period used to wait for an authentication response from a RADIUS server in CONFIGURATION mode, from 0 to 1000 seconds; the default is 5.
radius-server timeout seconds
● (Optional) Specify an interface whose IP address is used as the source IP address for user authentication with RADIUS servers in CONFIGURATION mode. By default, no source interface is configured. OS10 selects the source IP address of any interface from which a packet is sent to a RADIUS server.
RADIUS over TLS authentication
Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol.
Configure a global timeout setting allowed on TACACS+ servers. By default, OS10 times out after five seconds. No source interface is configured. The default VRF instance is used to contact TACACS+ servers. NOTE: You cannot configure both a nondefault VRF instance and a source interface at the same time for TACACS+ authentication. NOTE: A TACACS+ server configured with a host name is not supported on a nondefault VRF.
Configure authorization
AAA command authorization controls user access to a set of commands assigned to users and is performed after user authentication. When enabled, AAA authorization checks a remote authorization server for each command that a user enters on the switch. If the commands that are entered by the user are configured in the remote server for that user, the remote server authorizes the usage of the command.
AAA accounting sends accounting messages:
● Sends a start notice when a process begins, and a stop notice when the process ends using the start-stop option
● Sends only a stop notice when a process ends using the stop-only option
● No accounting notices are sent using the none option
● Logs all accounting notices in syslog using the logging option
● Logs all accounting notices on configured TACACS+ servers using the group tacacs+ option
Enable AAA accounting
● Enable AAA accounting in CONFIGURATION mode.
aaa authentication login
Configures the AAA authentication method for console, SSH, and Telnet logins.
Syntax aaa authentication login {console | default} {local | group radius | group tacacs+}
Parameters
● console — Configure authentication methods for console logins.
● default — Configure authentication methods for SSH and Telnet logins.
● local — Use the local username, password, and role entries configured with the username password role command.
Default Local authorization
Command Mode CONFIGURATION
Usage Information Re-enter the command to configure additional authorization methods and CLI access. The authorization methods in the method list execute in the order you configure them. Re-enter the methods to change the order. The local authorization method remains enabled even if you remove all configured methods in the list using the no aaa authorization command.
● key 9 authentication-key — Enter an authentication key in encrypted format with a maximum of 128 characters.
● authentication-key — Enter an authentication key in plain text with a maximum of 42 characters. It is not necessary to enter 0 before the key.
● key authentication-key — Enter a text string for the encryption key used to authenticate the switch on the TACACS+ server. A maximum of 42 characters.
● authentication-key — Enter an authentication key in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
● auth-port port-number — (Optional) Enter the UDP port number used on the server for authentication, from 1 to 65535, default 1812.
Default Not configured
Command Mode CONFIGURATION
Usage Information The authentication key must match the key configured on the RADIUS server. You cannot enter spaces in the key.
Example
OS10(config)# radius-server host 1.5.6.4 tls security-profile radiusadmin key radsec
Supported Releases 10.4.3.0 or later
radius-server retransmit
Configures the number of authentication attempts allowed on RADIUS servers.
Syntax radius-server retransmit retries
Parameters retries — Enter the number of retry attempts, from 0 to 10.
Default An OS10 switch retransmits a RADIUS authentication request three times.
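Several settings in this chapter weaken administrative access when left at a particular value: a lockout period of 0, a type 0 (unencrypted) enable password, no service obscure-password, and RADIUS servers configured without the tls keyword. The following added example (not part of the guide and not a Dell tool) scans a saved running-configuration for those four cases. The configuration excerpt is constructed, the function and rule names are hypothetical, and it assumes one command per line.

```python
# Constructed running-configuration excerpt; addresses, keys and hashes are made up.
SAMPLE_CONFIG = """\
aaa authentication login default group radius local
aaa authentication login console local
password-attributes min-length 7 character-restriction upper 4 numeric 2
password-attributes max-retry 3 lockout-period 0
enable password 0 ExamplePlaintext priv-lvl 12
enable password sha-512 $6$EXAMPLEHASH priv-lvl 14
no service obscure-password
radius-server host 192.0.2.10 key examplekey auth-port 1812
radius-server host 192.0.2.11 tls security-profile radiusadmin key radsec
"""

# Each message restates what the guide says about the setting.
MESSAGES = {
    "lockout-disabled": "lockout-period 0: failed logins never lock the user out",
    "enable-password-plaintext": "enable password entered as type 0 (unencrypted)",
    "obscure-password-off": "passwords are shown as text in show command output",
    "radius-without-tls": "RADIUS server uses UDP with MD5 instead of RADIUS over TLS",
}


def radius_login_lists(config):
    """Names of the login method lists (console/default) that use 'group radius'."""
    names = set()
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["aaa", "authentication", "login"] and len(tok) > 3:
            if " group radius" in raw:
                names.add(tok[3])
    return sorted(names)


def audit(config):
    """Return a list of (line number, rule, detail) findings."""
    logins = radius_login_lists(config)
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        tok = raw.split()
        if not tok:
            continue
        rule, detail = None, ""
        if tok[0] == "password-attributes" and "lockout-period" in tok:
            idx = tok.index("lockout-period")
            if tok[idx + 1:idx + 2] == ["0"]:
                rule = "lockout-disabled"
        elif tok[:3] == ["enable", "password", "0"]:
            rule = "enable-password-plaintext"
            if "priv-lvl" in tok:
                level = tok[tok.index("priv-lvl") + 1:tok.index("priv-lvl") + 2]
                detail = "privilege level " + "".join(level)
        elif tok == ["no", "service", "obscure-password"]:
            rule = "obscure-password-off"
        elif tok[:2] == ["radius-server", "host"] and tok[3:4] != ["tls"]:
            # The tls keyword follows the server address in the guide's example.
            rule = "radius-without-tls"
            server = "".join(tok[2:3])
            if logins:
                detail = f"server {server}, used by login list(s): " + ", ".join(logins)
            else:
                detail = f"server {server}, no login list references RADIUS"
        if rule:
            findings.append((lineno, rule, detail))
    return findings


def report(config):
    """Human-readable report, one line per finding."""
    lines = []
    for lineno, rule, detail in audit(config):
        text = f"line {lineno}: {MESSAGES[rule]}"
        lines.append(text + (f" ({detail})" if detail else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```
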
Defaults Not configured
Command Mode CONFIGURATION
Usage Information Use this command to associate RADIUS servers with a VRF. If you do not configure a VRF on the RADIUS server list, the servers are on the default VRF. RADIUS server lists and VRFs have one-to-one mapping. The no version of this command removes the RADIUS server from the management VRF instance.
Example
OS10(config)# radius-server vrf management
OS10(config)# radius-server vrf blue
Supported Releases 10.4.
Example
OS10(config)# ip radius source-interface ethernet 1/1/10
Supported Releases 10.4.3.1 or later
ip tacacs source-interface
Specifies the interface whose IP address is used as the source IP address for user authentication with a TACACS+ server.
Syntax ip tacacs source-interface interface
Parameters interface:
● ethernet node/slot/port[:subport] — Enter a physical Ethernet interface.
● loopback number — Enter a Loopback interface, from 0 to 16383.
● mgmt 1/1/1 — Enter the management interface.
Display bootloader protection
OS10# show boot protect
Boot protection enabled
Authorized users: root linuxadmin admin
Secure Boot
OS10 secure boot verifies the authenticity and integrity of the OS10 image. Secure boot protects a system from malicious code being loaded and executed during the boot process. Using secure boot, you can validate the OS10 image during installation and on demand at any time.
● ZTD cannot validate the image with Dell public key (PKI/sha256/GPG keys) and hence cannot perform secure installation of the OS10 image.
● PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64—PKI signature of the OS10 image binary ● PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256—The sha256 hash of the OS10 image binary ● PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.gpg—GNU privacy guard (GnuPG or GPG) signature of the OS10 image binary ● DellOS10.cert.
Validate OS10 image before manual installation from ONIE When you manually install an OS10 image using ONIE, you can validate the image using hash-based authentication (sha256) or digital certificates (PKI-signed). The signature for the OS10 installer image is provided with the downloaded OS10 .tar file. You can extract the OS10 binary file image from the .tar file and install it from a local server. For more information, see Download OS10 image and Installation using ONIE.
2. Reboot the system using the other installed OS10 image.
3. Replace the invalid OS10 image with a valid image using the image secure-install command.
OS10# image secure-install image://PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin pki signature tftp://10.16.127.7/users/PKGS_OS10-Enterprise-10.4.9999EX.3342stretch-installer-x86_64.bin.sha256.base64 public-key tftp://10.16.127.7/users/DellOS10.cert.
Example
OS10# boot protect disable username root
Supported Releases 10.4.3.0 or later
boot protect enable username password
Allows you to enable bootloader protection.
Syntax boot protect enable username username password password
Parameters
● username — Enter the username to provide access to bootloader protection.
● password — Enter a password for the specified username.
Default Disabled
Command Mode EXEC
Usage Information You can enable bootloader protection by executing this command.
Security and Access Sysadmin and secadmin Command Mode EXEC Usage Information None Example OS10# show secure-boot Certificate Key Id : Version Number : Serial Number : Signature Algorithm : Issuer : Widgits Pty Ltd Validity : GMT Certificate Key Id Version Number Serial Number Signature Algorithm Issuer Widgits Pty Ltd Validity GMT Supported Releases : : : : : pki-certificates 123 3 (0x2) 17154672033164819608 (0xee11a353271dfc98) sha256WithRSAEncryption C=IN, ST=Some-State, L=some-city, O=Internet
/opt/dell/os10/bin/trojan1
/opt/dell/os10/bin/virus123
Supported Releases 10.5.1.0 or later
secure-boot grub-key
Allows you to switch between standard and auto-generated key options.
Syntax secure-boot grub-key {standard | auto-generated}
Parameters
● standard — The DELL EMC Networking recommended GPG key is used by GRUB to validate the OS10 kernel. The kernel is signed with the key during build time.
Standby Partition File-system integrity verified:success
Example 3 Startup config verification
OS10# secure-boot verify startup-config
Latest startup config protected: yes
Supported Releases 10.5.1.0 or later
secure-boot revoke key
Revokes an installed key.
Syntax secure-boot revoke key key-id
Parameters key-id — Key number of the installed key that is compromised.
Default Disabled Security and Access Sysadmin Command Mode CONFIGURATION Usage Information If you enable secure boot, ensure that you manually protect the startup configuration file before you reload the switch. The protected version of the startup configuration file is applied during the boot up process. If a protected version of the startup configuration file is not available, the system applies the default configuration. The no version of this command removes the configuration.
Supported Releases 10.5.1.0 or later
image secure-install
Validates and installs the specified image.
Syntax image secure-install image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file}
Parameters
● image-filepath — Enter the absolute path name of the OS10 image file.
● sha256 signature signature-filepath — Verify the SHA-256 cryptographic hash signature of the image file.
Security and Access Sysadmin
Command Mode EXEC
Usage Information This command uses the key-server name and key-id to install the key into the switch GPG key ring. Use this command before you use the image verify or image secure-install commands with the GPG option. If the key is not installed in the key ring, the image verify and image secure-install commands fail when used with the GPG key.
Example
OS10# image gpg-key key-server pool.sks-keyservers.net key-id 47CB9029
Supported Releases 10.5.1.
NOTE: RSA1 and DSA keys are not supported on the OS10 SSH server. An SSH client must exchange the same public key to establish a secure SSH connection to the OS10 switch. If necessary, you can regenerate the keys used by the SSH server with a customized bit size. You cannot change the default size of the Ed25519 key. The crypto key generate command is available only to the sysadmin and secadmin roles. 1. Regenerate keys for the SSH server in EXEC mode.
● Configure the maximum number of concurrent login sessions in CONFIGURATION mode. OS10(config)# login concurrent-session limit number ○ limit number — Sets the maximum number of concurrent login sessions allowed for a user ID, from 1 to 12; default 10. When you configure the maximum number of allowed concurrent login sessions, take into account that: ● Each remote VTY connection counts as one login session. ● All login sessions from a terminal emulator on an attached console count as one session.
Initiate an SSH session with another switch
To initiate an SSH session to another switch:
1. Enter configuration mode.
OS10# configure terminal
2. Enable the SSH client CLI command.
OS10(config)# ip ssh client cli enable
By default, the SSH client CLI command is disabled and users cannot access the ssh command. You must run this command to enable the SSH CLI. To disable the SSH command, execute the no ip ssh client enable command.
3. Initiate an SSH session.
OS10# ssh 9.1.1.
The no version of this command disables the SSH server.
Example
OS10(config)# ip ssh server enable
Supported Releases 10.3.0E or later
ip ssh server challenge-response-authentication
Enables challenge response authentication in the SSH server.
Syntax ip ssh server challenge-response-authentication
Parameters None
Default Disabled
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
The no version of this command removes the configuration.
Example
OS10(config)# ip ssh server cipher 3des-cbc aes128-cbc
Supported Releases 10.3.0E or later
ip ssh server hostbased-authentication
Enables host-based authentication in an SSH server.
Syntax ip ssh server hostbased-authentication
Parameters None
Default Disabled
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S).
Example
OS10(config)# ip ssh server kex curve25519-sha256 diffie-hellman-group1-sha1
Supported Releases 10.3.0E or later
ip ssh server mac
Configures the hash message authentication code (HMAC) algorithms used in the SSH server.
Syntax ip ssh server mac hmac-algorithm
Parameters hmac-algorithm — Enter the supported HMAC algorithms separated by a blank space.
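Added example (not part of the Dell guide or of OS10): a Python check that reads a saved running configuration and reports ip ssh server cipher, kex and mac algorithms that are widely deprecated, such as the 3des-cbc, aes128-cbc and diffie-hellman-group1-sha1 values used in the command examples above. The weak-algorithm patterns and the sample configuration are assumptions made for this example, not a Dell-published list.

```python
import re

# Patterns for algorithms treated as weak in this example (an editorial
# assumption, not a Dell list): 3DES and CBC-mode ciphers, the 1024-bit
# group1 key exchange, MD5-based MACs and MACs truncated to 96 bits.
WEAK = {
    "cipher": [(r"^3des", "3DES, 64-bit block cipher"),
               (r"-cbc$", "CBC mode")],
    "kex": [(r"^diffie-hellman-group1-sha1$", "1024-bit group with SHA-1")],
    "mac": [(r"md5", "MD5-based MAC"),
            (r"-96(-etm@openssh\.com)?$", "MAC truncated to 96 bits")],
}

# Matches "ip ssh server cipher|kex|mac <list>", with or without a CLI prompt.
# Lines that start with "no" do not match and are ignored.
LINE_RE = re.compile(
    r"^\s*(?:\S+#\s*)?ip ssh server (cipher|kex|mac)\s+(.+?)\s*$")

# Constructed sample, modelled on the command examples in this guide.
SAMPLE_CONFIG = """\
ip ssh server enable
ip ssh server cipher 3des-cbc aes128-cbc
ip ssh server kex curve25519-sha256 diffie-hellman-group1-sha1
ip ssh server mac hmac-sha2-256 hmac-md5-96
no ip ssh server password-authentication
"""


def parse_ssh_algorithms(config_text):
    """Collect the algorithm names configured for each list type."""
    configured = {"cipher": [], "kex": [], "mac": []}
    for line in config_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            configured[match.group(1)].extend(match.group(2).split())
    return configured


def audit_ssh_algorithms(config_text):
    """Return (kind, algorithm, reason) for every weak algorithm found."""
    findings = []
    for kind, algorithms in parse_ssh_algorithms(config_text).items():
        for name in algorithms:
            for pattern, reason in WEAK[kind]:
                if re.search(pattern, name):
                    findings.append((kind, name, reason))
                    break  # one reason per algorithm is enough
    return findings


def unconfigured_kinds(config_text):
    """List types with no explicit line, where the switch defaults apply."""
    parsed = parse_ssh_algorithms(config_text)
    return [kind for kind, names in parsed.items() if not names]


if __name__ == "__main__":
    for kind, name, reason in audit_ssh_algorithms(SAMPLE_CONFIG):
        print(f"weak {kind}: {name} ({reason})")
    for kind in unconfigured_kinds(SAMPLE_CONFIG):
        print(f"{kind}: no explicit list, switch defaults apply")
```

A list type with no explicit line is reported separately because the audit cannot see the defaults; check those against the default values listed for the release in use.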
ip ssh server password-authentication Enables password authentication in the SSH server. Syntax ip ssh server password-authentication Parameters None Default Enabled Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. The no version of this command disables the password authentication.
ip ssh server vrf Configures an SSH server for the management or non-default VRF instance. Syntax ip ssh server vrf {management | vrf-name} Parameters ● management — Configures the management VRF instance to reach the SSH server. ● vrf-name — Enter the VRF instance used to reach the SSH server. Default Not configured Command Mode CONFIGURATION Usage Information The SSH server uses the management VRF.
ssh
Starts an SSH client session.
Syntax ssh [vrf {management | vrf-name}] [-b source-ip-address] [-B source-interface] [-c encryption-cypher] [-l username] [-m HMAC-algorithm] [-p port-number] [-h] destination
Parameters
● vrf management - (Optional) SSH to an IP address in a management VRF instance.
● vrf vrf-name - (Optional) SSH to an IP address in a specified VRF instance.
● -b source-ip-address - (Optional) Enter the source IPv4 or IPv6 address.
○ hmac-md5-96
○ hmac-sha1-96
○ hmac-md5-etm@openssh.com
○ hmac-md5-96-etm@openssh.com
○ hmac-sha1-96-etm@openssh.com
● -p port-number - (Optional) Enter the SSH server port number. The default port number is 22.
● -h - Displays help for this command.
● destination - Enter the IP address or name of the remote SSH server. The name of the SSH server can contain symbols, such as os10-dell.com.
Default The default values for the listed options are:
● vrf - management.
● -c - chacha20-poly1305@openssh.
username sshkey
Enables SSH password-less login using the public key of a remote client. The remote client is not prompted to enter a password.
Syntax username username sshkey sshkey-string
Parameters
● username — Enter the user name. This value is the user name configured with the username password role command.
● sshkey-string — Enter the public key of the remote client device as a text string. If sshkey-string contains a blank space, enclose the string in double quotes (").
Usage Information Before you use the command, locate the public keys on a remote client in the ~/.ssh/id_rsa.pub file. Create a text file and copy the SSH public keys on the remote client into the file. Enter each public key on a separate line. Download the file to your home OS10 directory. NOTE: Entering the command when an SSH key file is not present has no effect and results in a silent failure. SSH password-less login is not enabled.
login concurrent-session limit Configures the maximum number of concurrent login sessions allowed for a user ID. Syntax login concurrent-session limit number Parameters limit number — Enter the limit of concurrent login sessions, from 1 to 12. Default 10 concurrent login sessions Command Mode CONFIGURATION Usage Information The total number of concurrent login sessions for the same user ID includes all console and remote connections, where: ● Each remote VTY connection counts as one login session.
ip access-class
Filters connections in a virtual terminal line using an IPv4 access list.
Syntax ip access-class access-list-name
Parameters access-list-name — Enter the access list name.
Default Not configured
Command Mode LINE VTY CONFIGURATION
Usage Information The no version of this command removes the filter.
Example
OS10(config)# line vty
OS10(config-line-vty)# ip access-class deny10
Supported Releases 10.4.
● User-based configuration changes recorded with the user ID, date, and time of the change. The specific parameter changes are not logged. ● Establishment of secure traffic flows, such as SSH, and violations on secure flows ● Certificate issues, including user access and changes made to certificate installation using crypto commands ● Adding and deleting users Audit log entries are saved locally and sent to configured Syslog servers. To set up a Syslog server, see System logging.
Default Disabled
Command Mode CONFIGURATION
Usage Information Only the sysadmin and secadmin roles have access to this command. When enabled, user login information, including the number of successful and failed logins, role changes, and the last time a user logged in, displays after a successful login. The no login-statistics enable command disables login statistics.
Example
OS10(config)# login-statistics enable
Supported Releases 10.4.
Defaults Not configured
Command Mode EXEC
Usage Information To display the contents of the audit log, use the show logging audit command.
Example
OS10# clear logging audit
Proceed to clear all audit log messages [confirm yes/no(default)]:yes
Supported Releases 10.4.3.0 or later
show logging audit
Displays audit log entries.
Syntax show logging audit [reverse] [number]
Parameters
● reverse — Display entries starting with the most recent events.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information Audit log entries are saved locally and sent to configured Syslog servers. Only the sysadmin and secadmin roles can enable the audit log. The no version of the command disables audit log recording.
Example
OS10(conf)# logging audit enable
Supported Releases 10.4.3.0 or later
X.509v3 certificates
OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server.
Public key infrastructure (PKI) Application that manages the generation of private and public encryption keys, and the download, installation, and exchange of CA-signed certificates with network devices. X.509v3 Standard for the public key infrastructure that manages digital certificates and public key encryption. Public key infrastructure To use X.
○ ca-cert-filepath specifies the local path to the downloaded certificate; for example, home://CAcert.pem or usb://CA-cert.pem.
○ filename specifies an optional filename that the certificate is stored under in the OS10 trust-store directory. Enter the filename in the filename.crt format.
Example: Download and install CA certificate
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_rootCA1.pem home://Dell_rootCA1.pem
password:
OS10# crypto ca-cert install home://Dell_rootCA1.
When a CA issues a certificate, it usually includes the CRL distribution point in the certificate. OS10 uses the CDP URL to access the server with the current CRL. OS10 supports using multiple CDPs and CRLs during a CRL revocation check. If a CRL check validates a certificate from an external device, OS10 sets up a secure connection to perform the tasks initiated by the application. Like CA certificates, CRLs are maintained in the trust store on the switch and applied to all PKI-enabled applications.
Request and install host certificates OS10 also supports the switch obtaining its own X.509v3 host certificate. In this procedure, you generate a certificate signing request (CSR) and a private key. Store the private key locally in a secure location. Copy the CSR file to a certificate authority. The CA generates a host certificate for an OS10 switch by digitally signing the switch certificate contained in the CSR.
You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install.
Install host certificate
1. Use the copy command to download an X.
password:
OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home://Dell_host1_CA1.key
Processing certificate ...
Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a security profile. CN = Dell_host1_CA1
Display trusted certificates
OS10# show crypto cert
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
Dell_host1_CA1.
Delete trusted certificate
OS10#
OS10# crypto cert delete Dell_host1_CA1.pem
Certificate and keys were successfully deleted. CN = Dell_host1_CA1
Self-signed certificates
Administrators may prefer to not set up a Certificate Authority and implement a certificate trust model in the network, but still want to use the privacy features provided by the Transport Layer Security (TLS) protocol. In this case, self-signed certificates can be used. A self-signed certificate is not signed by a CA.
○ key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter private to install the key from a local hidden location and rename the key file with the certificate name. ○ password passphrase specifies the password used to decrypt the private key if it was generated using a password. ○ fips installs the certificate-key pair as FIPS-compliant.
Security profiles
To use independent sets of security credentials for different OS10 applications, you can configure multiple security profiles and assign them to OS10 applications. A security profile consists of a certificate and private key pair. For example, you can maintain different security profiles for RADIUS over TLS authentication and SmartFabric services.
OS10# show running-configuration crypto security-profile
!
crypto security-profile radius-prof
 certificate dv-fedgov-s6010-1
OS10# show running-configuration radius-server
radius-server host radius-server-2.test.com tls security-profile radius-prof key 9 2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9
Cluster security
When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other.
Successfully created CSR file /home/admin/tor6.csr and key
OS10# copy home://tor6.csr scp://CAadmin:secret@172.11.222.1/s4048-001-csr.pem
OS10# copy scp://CAadmin:secret@172.11.222.1/s4048-001.crt usb://s4048-001.crt
OS10# crypto cert install crt-file usb://s4048-001.crt key-file usb://s4048-001.key
This will replace the already installed host certificate.
Do you want to proceed ? [yes/no(default)]:yes
Processing certificate ...
Host certificate installed successfully.
3. Configure an X.
11. The OS10 SSH server prompts you for a password. 12. The OS10 SSH server performs standard RADIUS or TACACS+ user authentication using the username and returned password. 13. On successful authentication, the SSH session continues. Local user authentication with a password When you configure the OS10 SSH server for X.509v3 SSH local authentication and when you connect using SSH, the following sequence occurs: 1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard. 2.
● Install CA and host PKI certificates. crypto ca-cert install ca-cert-filepath [filename] crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips] ● Create a security profile with certificate and required attributes.
● Leave plain password authentication enabled for users that do not have a configured certificate. ip ssh server password-authentication ● Leave plain public key authentication enabled if it is required that users can alternatively use SSH public key password-less authentication. ip ssh server pubkey-authentication ● Configure the user X.509v3 certificate details to allow the SSH server to match the user certificate to the account.
Example: Configure RADIUS over TLS with X.509v3 certificates
This example shows how to install a trusted X.509v3 CA and a host certificate-key pair that supports RADIUS over TLS authentication.
1. Install a trusted CA certificate.
OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt home://GeoTrust_Universal_CA.crt
OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt
Processing certificate ...
X.509v3 commands certificate Configures a certificate and private key pair in an application-specific security profile. Syntax certificate certificate-name Parameters certificate-name — Enter the name of the certificate-key pair as it appears in the show crypto certs output without the .pem extension. Default Not configured Command mode SEC-PROFILE Usage information Use the certificate command to associate a certificate and private key with a security profile.
● all — Delete all CA certificates.
Default Not configured
Command mode EXEC
Usage information To display the currently installed CA certificates, use the show crypto ca-certs command.
Example
OS10# crypto ca-cert delete Amazon_Root_CA.crt
Successfully removed certificate
OS10# crypto ca-cert delete all
Proceed to delete all installed CA certificates? [confirm yes/no(default)]:yes
Supported releases 10.4.3.
Example
OS10# crypto cdp add Comsign http://fedir.comsign.co.il/crl/ComSignCA.crl
Supported Releases 10.5.0 or later
crypto cdp delete
Deletes a certificate distribution point from the trust store on the switch.
Syntax crypto cdp delete crl-filename
Parameters
● cdp-name — Enter a CDP name.
Default Not configured
Command Mode EXEC
Usage Information Before you delete a CDP, use the show crypto cdp command to display a list of all CDPs installed on the switch.
Parameters ● request — Create a certificate signing request to copy to a CA. ● self-signed — Create a self-signed certificate. ● cert-file cert-path — (Optional) Enter the local path where the self-signed certificate or CSR is stored. You can enter a full path or a relative path; for example, flash://certs/s4810-001request.csr or usb://s4810-001.crt. If you do not enter the cert-file option, the system interactively prompts you to fill in the remaining fields of the certificate signing request.
If the system is in FIPS mode — crypto fips enable command — the CSR and private key are generated using approved algorithms from a cryptographic library that has been validated against the FIPS 140-2 standard. You can install the FIPS-compliant certificate-key pair using the crypto cert install command with the fips option. Examples OS10# crypto cert generate request cert-file home://cert1.pem key-file home://cee OS10-VM email admin@dell.com length 1024 altname DNS.dell.com Processing certificate ...
Processing certificate ... Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a security profile. CN = Dell_host1_CA1. Supported releases 10.4.3.0 or later crypto crl delete Deletes a Certificate Revocation List file in the trust store on the switch. Syntax crypto crl delete crl-filename Parameters ● crl-filename — Enter a CRL filename with the .pem extension as displayed under Manually installed CRLs in show crypto crl output.
crypto fips enable Enables FIPS mode. Syntax crypto fips enable Parameters None Default Not configured Command mode EXEC Usage information You can use OS10 in FIPS 140-2 compliant mode. In this mode, applications restrict their use of cryptographic algorithms to those supported by the NIST FIPS 140-2 standard and certification process. When you enable FIPS mode: ● The SSH service restarts. Existing SSH sessions are not affected. Only new SSH sessions operate in the enabled FIPS mode.
Example
OS10(config)# crypto security-profile profile-1
OS10(config-sec-profile)# peer-name-check
OS10(config)# crypto security-profile profile-1
OS10(config-sec-profile)# no peer-name-check
Supported releases 10.5.0 or later
revocation-check
Enables CRL checking in a security profile.
Issuer: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_rootCA1
Validity
    Not Before: Jul 25 18:49:22 2018 GMT
    Not After : Jul 22 18:49:22 2028 GMT
Subject: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (4096 bit)
    Modulus:
        00:b8:46:93:86:27:af:3e:fb:a7:bd:c1:25:76:fd:
        50:87:02:de:98:2b:95:2e:b0:49:e4:5c:7c:db:83:
        b9:e7:3d:e3:61:63:e9:e1:e9:6f:a4:eb:b8:06:bf:
        57:b7:bb:17:d1:
OS10# show crypto cdp
Comsign http://fedir.comsign.co.il/crl/ComSignCA.crl
Supported Releases 10.5.0 or later
show crypto cert
Displays information about a specified certificate or all installed certificates.
Syntax show crypto cert [filename]
Parameters filename — (Optional) Enter the text filename of a certificate as displayed in the show crypto certs output. Enter the filename in the format filename.crt.
Default Display all installed host certificates.
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Client, S/MIME
    Netscape Comment:
        OpenSSL Generated Client Certificate
    X509v3 Subject Key Identifier:
        4A:20:AA:E1:69:BF:BE:C5:66:2E:22:71:70:B4:7E:32:6F:E0:05:28
    X509v3 Authority Key Identifier:
        keyid:A3:39:CB:C7:76:86:3B:05:44:34:C2:6F:90:73:1F:5F:64:55:5C:76
    X509v3 Key Usage: critical
Supported releases 10.4.3.0 or later
show crypto crl
Displays the list of installed Certificate Revocation List files.
Supported Releases 10.5.
Usage information Use the ocsp-check command to enable OCSP verification of certificates presented by the external devices for a PKI-enabled application on the switch. The no version of the command disables OCSP revocation checking in a security profile.
Example
OS10(config)# crypto security-profile profile-1
OS10(config-sec-profile)# ocsp-check http://ocspresponder.example.net
Supported releases 10.5.2.
3. Sticky secure MAC addresses are learned dynamically but are saved in the running configuration. Secure sticky MAC addresses never age out. After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn is one. This is applicable for both dynamic and static secure MAC addresses. After you enable port security on an interface, by default, sticky MAC addresses and MAC movement are disabled on the interface.
● shutdown-both — The system shuts down both the original and offending interfaces. ● shutdown-offending — The system shuts down the offending interface. ● shutdown-original — The system shuts down the interface that originally learned the MAC address that moved. MAC address aging By default, dynamically-learned secure MAC addresses do not age out.
● To drop the packet when a MAC address learning limit violation occurs, use the drop option. OS10(config-if-port-sec)#mac-learn limit violation drop ● To forward the packet when a MAC address learning limit violation occurs, use the flood option. The system does not learn the MAC address. OS10(config-if-port-sec)#mac-learn limit violation forward ● To shut down an interface on a MAC address learning limit violation, use the shutdown option.
● To shut down the original interface that learned the MAC address on a MAC movement violation, use the shutdown-original option.
OS10(config-if-port-sec)#mac-move violation shutdown-original
● To shut down the interface that detected a MAC address that is already learned by another interface, use the shutdown-offending option.
OS10(config-if-port-sec)#mac-move violation shutdown-offending
● To shut down both original and offending interfaces, use the shutdown-both option.
Secure static MAC addresses configuration example
OS10# configure terminal
OS10(config)#interface port-channel 1
OS10(conf-if-po-1)#switchport port-security
OS10(config-if-port-sec)#no disable
OS10(config-if-po-1)#exit
OS10(config)# mac address-table static 03:ab:cd:21:ba:01 vlan 1 interface port-channel 1
Remove statically-configured secure MAC addresses
To remove statically-configured secure MAC addresses, use the following command in EXEC mode:
clear mac address-table secure {{dynamic | sticky} {address
View port-security parameters for all interfaces
To view port-security parameters for all interfaces, use the following command in EXEC mode:
show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}]
View port-security parameters for all interfaces example
OS10# show switchport port-security
Global Port-security status :Enable
Interface name : eth1/1/1
Port Security Port Status Mac learn limit Mac-learn limit-Violation action Sticky Mac-move-allow ma
Mac-move-violation :shutdown-offending
Aging :Disabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :11
Secure Dynamic MAC addresses :0
View the error disabled state of interfaces
The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put into the Error Disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all the reasons.
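Added example (not part of the Dell guide or of OS10): a Python triage of saved show switchport port-security output that lists interfaces in the Error-Disable state, together with their configured violation actions, and interfaces that have reached their MAC learn limit. The sample output is constructed: the eth1/1/10 block uses values from this guide's example output, while the eth1/1/1 block and the "Up" port status are assumptions.

```python
import re

# Constructed sample (see the note above on which values are assumptions).
SAMPLE_OUTPUT = """\
OS10# show switchport port-security
Global Port-security status :Enable
Interface name : eth1/1/1
Port Security :Enabled
Port Status :Up
Mac learn limit :11
Mac-learn limit-Violation action :Shutdown
Sticky :Enabled
Mac-move-allow :Not Allowed
Mac-move-violation :shutdown-offending
Aging :Disabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :11
Secure Dynamic MAC addresses :0
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
MAC-learn-limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :11
"""


def _norm(label):
    """Normalise a field label; the output mixes case, spaces and hyphens."""
    return re.sub(r"[^a-z0-9]+", "-", label.lower()).strip("-")


def parse_port_security(output):
    """Return one dict of normalised fields per 'Interface name' block."""
    interfaces, current = [], None
    for raw in output.splitlines():
        # Split on the first colon only, so a subport such as 1/1/1:1 survives.
        label, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = _norm(label), value.strip()
        if key == "interface-name":
            current = {"interface-name": value}
            interfaces.append(current)
        elif current is not None:  # skip global lines before the first block
            current[key] = value
    return interfaces


def _by_prefix(entry, prefix):
    """Look a field up by label prefix, since the label wording varies."""
    for key, value in entry.items():
        if key.startswith(prefix):
            return value
    return "unknown"


def triage(output):
    """Return (interface, message) pairs that deserve an operator's attention."""
    findings = []
    for entry in parse_port_security(output):
        name = entry["interface-name"]
        learn_action = _by_prefix(entry, "mac-learn-limit-violation")
        move_action = _by_prefix(entry, "mac-move-violation")
        if entry.get("port-security", "").lower() != "enabled":
            findings.append((name, "port security is not enabled"))
        if entry.get("port-status", "").lower().startswith("error-disable"):
            findings.append((name, "error-disabled; learn-limit action %s, "
                             "mac-move action %s" % (learn_action, move_action)))
        limit = entry.get("mac-learn-limit", "")
        total = entry.get("total-mac-addresses", "")
        if limit.isdigit() and total.isdigit() and int(total) >= int(limit):
            findings.append((name, "learn limit reached (%s of %s); action on "
                             "the next new address: %s"
                             % (total, limit, learn_action)))
    return findings


if __name__ == "__main__":
    for interface, message in triage(SAMPLE_OUTPUT):
        print(interface, "-", message)
```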
Usage Information This command deletes only sticky and dynamic secure MAC address entries from the MAC address table. The clear mac address-table dynamic command deletes all dynamic MAC address entries including secure dynamic MAC addresses. Use the all parameter to remove all secure sticky and dynamic entries from the MAC address table.
Supported Releases 10.5.1.0 or later mac-learn Configures the number of MAC addresses an interface can learn. Syntax mac-learn {limit learn-limit-value | no-limit} Parameters ● limit learn-limit-value — Enter a value from 1 to 3072. ● no-limit — The interface learns the maximum number of MAC addresses that the system supports.
Supported Releases 10.5.1.0 or later
mac-move allow
Enables MAC address movement.
Syntax mac-move allow
Parameters None
Default MAC address movement is disabled.
Command Mode CONFIGURATION-PORT-SECURITY
Usage Information MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC addresses is disabled on the system. The no version of this command disables MAC address movement.
mac address-table static
Configures a static entry for the Layer 2 MAC address table.
Syntax mac address-table static mac-address vlan vlan-id interface {ethernet node/slot/port[:subport] | port-channel number}
Parameters
● mac-address — Enter the MAC address to add to the table in nn:nn:nn:nn:nn:nn format.
● vlan vlan-id — Enter the VLAN to apply the static MAC address to, from 1 to 4093.
● interface — Enter the interface type:
○ ethernet node/slot/port[:subport] — Enter the Ethernet information.
Aging :Enabled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
Interface name : eth1/1/10
Port Security :Enabled
Port Status :Error-Disable
Mac learn limit :100
MAC-learn-limit-Violation action :Shutdown
Sticky :Disabled
Mac-move-allow :Not Allowed
mac-move-violation action :shutdown-both
Aging :Enabled
Total MAC Addresses :11
Secure static MAC Addresses :0
Sticky MAC Addresses :0
Secure Dynamic MAC addresses :11
OS10# show switchport por
Command Mode INTERFACE
Usage Information After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn is one. This is applicable for both dynamic and static secure MAC addresses. After you enable port security on an interface, by default, sticky MAC addresses and MAC movement are disabled on the interface. This command enables port security on an interface.
aging
Enables the aging timer for dynamically-learned MAC addresses on an interface that is configured with port security.
Syntax aging {off | on}
Parameters None
Default Dynamically-learned MAC addresses on an interface that is configured with port security do not age out.
Command Mode CONFIGURATION-PORT-SECURITY
Usage Information Secure sticky MAC addresses never age out.
Example OS10(config-if-port-sec)# aging on
Supported Releases 10.5.1.
show errdisable
Displays information on errdisable configurations and port recovery status.
Syntax show errdisable [detect | recovery]
Parameters
● detect—Displays whether error disable detection is enabled.
● recovery—Displays details of recovery cause, recovery interval, and recovery status of the error disabled port.
Default None
Command Mode EXEC
Usage Information The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface.
Usage Information None
Example OS10# show MAC address-table count
MAC Entries for all vlans :
Dynamic Address : 10000
Total secure dynamic MAC addresses: 5000 of (10000)
Static Address (User-defined) Count : 5000
Total secure static MAC addresses:200 of (5000)
Total secure sticky MAC addresses :0
Total MAC Addresses in Use: 15000
Supported Releases 10.1.
19 OpenFlow
Switches implement the control plane and data plane in the same hardware. Software-defined network (SDN) decouples the software (control plane) from the hardware (data plane). A centralized SDN controller handles the control plane traffic and hardware configuration for data plane flows. The SDN controller is the "brain" of an SDN.
The ONOS controller does not encode the DSCP flow entry values that are matched according to the OpenFlow 1.0 specification. Hence, when you install a flow entry in OpenFlow 1.0 that matches the IP DSCP, the ONOS controller sets an incorrect flow-entry encoding value for IP DSCP.
OpenFlow logical switch instance
In OpenFlow-only mode, you can configure only one logical switch instance. After you enable OpenFlow mode, create a logical switch instance. The logical switch instance is disabled by default.
Flow table
An OpenFlow flow table consists of flow entries. Each flow table entry contains the following fields:
Table 109. Supported fields
Fields | Support
match_fields | Supported
priority | Supported
counters | Supported
instructions | Supported
timeouts | Supported
cookie | Not supported
Group table
Not supported
Meter table
Not supported
Instructions
Each flow entry contains a set of instructions that execute when a packet matches the entry.
Table 110.
Table 111. Supported action sets
Action set | Support
decrement TTL | Not supported
set | Supported (selective fields)
qos | Not supported
group | Not supported
output | Supported
Action types
An action type associates with each packet.
Table 112.
Table 113. Supported counters
Required/Optional | Counter | Bits | Support
Optional | In-band packet count | 64 | Not supported
Optional | In-band byte count | 64 | Not supported
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● In the show interface vlan command output, the VLAN octet counters are not displayed accurately.
● If a packet hits two ACL tables, the counter with higher priority statistics gets incremented and the other actions are merged and applied.
Connection setup TCP
Table 117. Supported modes
Modes | Supported/Not supported
Connection interruption | ● fail-secure-mode—Supported ● fail-standalone-mode—Not supported
TLS encryption | Supported
Multiple controller | Not supported
Auxiliary connections | Not supported
Number of logical switches | One
Supported controllers | REST APIs on ● RYU ● ONOS
Flow table modification messages
Table 118.
Table 119.
Table 120. Supported fields
Flow match fields | Supported/Not supported
OFPXMT_OFB_TUNNEL_ID = 38 | Not supported
OFPXMT_OFB_IPV6_EXTHDR = 39 | Not supported
Action structures
Table 121.
Table 122. Supported capabilities
Capabilities | Supported/Not supported
OFPC_IP_REASM = 1 << 5 | Not supported
OFPC_QUEUE_STATS = 1 << 6 | Not supported
OFPC_PORT_BLOCKED = 1 << 8 | Not supported
Multipart message types
Table 123.
Table 125. Supported properties
Property type | Supported/Not supported
OFPTFPT_WRITE_ACTIONS_MISS = 5 | Not supported
OFPTFPT_APPLY_ACTIONS = 6 | Supported
OFPTFPT_APPLY_ACTIONS_MISS = 7 | Not supported
OFPTFPT_MATCH = 8 | Supported
OFPTFPT_WILDCARDS = 10 | Supported
OFPTFPT_WRITE_SETFIELD = 12 | Supported
OFPTFPT_WRITE_SETFIELD_MISS = 13 | Not supported
OFPTFPT_APPLY_SETFIELD = 14 | Supported
OFPTFPT_APPLY_SETFIELD_MISS = 15 | Not supported
Group configuration
Table 126.
Flow-removed reasons
Table 129. Supported reasons
Flow-removed reasons | Supported/Not supported
OFPRR_IDLE_TIMEOUT = 0 | Supported
OFPRR_HARD_TIMEOUT = 1 | Supported
OFPRR_DELETE = 2 | Supported
OFPRR_GROUP_DELETE = 3 | Not supported
Error types from switch to controller
Table 130.
Consider the case of dynamic learning of flows for bidirectional traffic. Flows are learnt as and when a packet arrives. With dynamic learning in an OpenFlow network, the OpenFlow switch receives a packet that does not match the flow table entries and sends the packet to the SDN controller to process it. The controller identifies the path the packet has to traverse and updates the flow table with a new entry. The controller also decides the caching time of the flow table entries.
iii. Configure the logical switch instance, of-switch-1.
OS10# configure terminal
OS10 (config)# openflow
OS10 (config-openflow)# switch of-switch-1
4. Configure one or more OpenFlow controllers with either IPv4 or IPv6 addresses to establish a connection with the logical switch instance. You can configure up to eight OpenFlow controllers.
OpenFlow commands
controller
Configures an OpenFlow controller that the logical switch instance connects to.
Syntax controller {ipv4 ipv4-address | ipv6 ipv6-address} [port port-number] [security {none | tls}]
Parameters
● ipv4 ipv4-address—Enter ipv4, then the IP address of the controller.
● ipv6 ipv6-address—Enter ipv6, then the IPv6 address of the controller.
● port port-number—Enter the keyword, then the port number, from 1 to 65,535. The default port is 6653.
OS10 (config-openflow-switch)# controller ipv4 10.1.23.12 port 6633
OS10 (config-openflow-switch)# controller ipv4 10.1.99.121 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::1 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::12 port 6633
Supported Releases 10.4.1.0 or later
dpid-mac-address
Specifies the MAC address bits of the datapath ID (DPID) of the logical switch instance.
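A configuration check for the controller command described above, as an added example that is not part of the Dell guide: it parses controller lines and reports any controller channel that is not explicitly set to security tls, plus malformed addresses or ports. The function names and the two 192.0.2.x sample lines are constructed for illustration; the page does not show what applies when the security keyword is omitted, so anything other than an explicit tls is reported.

```python
import re
from ipaddress import ip_address

DEFAULT_PORT = 6653  # default port stated in the controller parameter list

# controller {ipv4 addr | ipv6 addr} [port N] [security {none | tls}]
CONTROLLER_RE = re.compile(
    r"\bcontroller\s+(ipv4|ipv6)\s+(\S+)"
    r"(?:\s+port\s+(\d+))?"
    r"(?:\s+security\s+(none|tls))?\s*$"
)


def parse_controllers(config_text):
    """Return one dict per controller line found in the configuration text."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if re.search(r"\bno\s+controller\b", line):
            continue  # a "no" form removes a controller, it does not add one
        m = CONTROLLER_RE.search(line)
        if not m:
            continue
        family, addr, port, security = m.groups()
        found.append({
            "family": family,
            "address": addr,
            "port": int(port) if port else DEFAULT_PORT,
            "security": security,  # None when the keyword is absent
        })
    return found


def audit(config_text):
    """Return (address, finding) tuples for every problem detected."""
    findings = []
    for c in parse_controllers(config_text):
        try:
            version = ip_address(c["address"]).version
            if version != int(c["family"][-1]):
                findings.append((c["address"], "address does not match " + c["family"]))
        except ValueError:
            findings.append((c["address"], "not a valid IP address"))
        if not 1 <= c["port"] <= 65535:
            findings.append((c["address"], "port outside 1 to 65535"))
        if c["security"] != "tls":
            findings.append((c["address"], "controller channel not set to security tls"))
    return findings


# Two lines taken from the guide's example, two constructed lines (192.0.2.x).
SAMPLE = """\
OS10 (config-openflow-switch)# controller ipv4 10.1.23.12 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::1 port 6633
controller ipv4 192.0.2.10 port 6653 security tls
controller ipv4 192.0.2.11 security none
"""

if __name__ == "__main__":
    for address, finding in audit(SAMPLE):
        print(f"{address}: {finding}")
```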
OS10 (config-openflow)# in-band-mgmt interface ethernet 1/1/1
OS10 (config-openflow)# no shutdown
Supported Releases 10.4.1.0 or later
max-backoff
Configures the time interval, in seconds, that the logical switch instance waits after requesting a connection with the OpenFlow controller.
Syntax max-backoff interval
Parameters interval—Enter the amount of time, in seconds, that the logical switch instance waits after it attempts to establish a connection with the OpenFlow controller, from 1 to 65,535.
openflow
Enters OPENFLOW configuration mode.
Syntax openflow
Parameters None
Default None
Command Mode CONFIGURATION
Usage Information All OpenFlow configurations are performed in this mode. The no form of this command prompts a switch reload. If you enter yes, the system deletes all OpenFlow configurations and the switch returns to the normal mode after the reload.
Example OS10# configure terminal
OS10(config)# openflow
OS10 (config-openflow)#
Supported Releases 10.4.1.
Usage Information NOTE: Run this command only when the logical switch instance is disabled. Use the shutdown command to disable the logical switch instance. After you run this command, enter the no shutdown command to enable the logical switch instance again.
● When you specify negotiate, the switch negotiates versions 1.0 and 1.3 and selects the highest of the versions supported by the controller. The negotiation is based on the hello handshake described in the OpenFlow Specification 1.3.
Supported Releases 10.4.1.0 or later
show openflow
Displays general OpenFlow switch and the logical switch instance information.
Syntax show openflow
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example OS10# show openflow
Manufacturer : DELL
Hardware Description :
Software Description : Dell Networking OS10-Premium, Dell Networking Application Software Version: 10.4.
Total flows: 1
Flow: 0
Table ID: 0, Table: Ingress ACL TCAM table
Flow ID: 0
Priority: 32768, Cookie: 0
Hard Timeout: 0, Idle Timeout: 0
Packets: 0, Bytes: 0
Match Parameters:
In Port: ethernet1/1/1
EType: 0x800
SMAC: 00:0b:c4:a8:22:b0/ff:ff:ff:ff:ff:ff
DMAC: 00:0b:c4:a8:22:b1/ff:ff:ff:ff:ff:ff
VLAN id: 2/4095
VLAN PCP: 1
IP DSCP: 4
IP ECN: 1
IP Proto: 1
Src Ip: 10.0.0.1/255.255.255.255
Dst Ip: 20.0.0.1/255.255.255.
ethernet1/1/5:4 FIBER ethernet1/1/6 NONE ethernet1/1/7 NONE ethernet1/1/8 COPPER ethernet1/1/9 NONE ethernet1/1/10 NONE ethernet1/1/11 COPPER ethernet1/1/12 COPPER ethernet1/1/13 NONE ethernet1/1/14 NONE ethernet1/1/15 NONE ethernet1/1/16 NONE ethernet1/1/17 NONE ethernet1/1/18 NONE ethernet1/1/19 NONE ethernet1/1/20 NONE ethernet1/1/21 NONE ethernet1/1/22 NONE ethernet1/1/23 NONE ethernet1/1/24 NONE ethernet1/1/25 COPPER ethernet1/1/26 COPPER ethernet1/1/27 NONE ethernet1/1/28 NONE ethernet1/1/29 NONE ethe
Command Mode EXEC
Usage Information None
Example OS10# show openflow switch
Logical switch name: of-switch-1
Internal switch instance ID: 0
Config state: true
Signal Version: negotiate
Data plane: secure
Max backoff (sec): 8
Probe Interval (sec): 5
DPID: 90:b1:1c:f4:a5:23
Switch Name : of-switch-1
Number of buffers: 0
Number of tables: 1
Table ID: 0
Table name: Ingress ACL TCAM table
Max entries: 1000
Active entries: 0
Lookup count: 0
Matched count: 0
Controllers: 10.16.208.
Supported Releases 10.4.1.0 or later
switch
Creates a logical switch instance or modifies an existing logical switch instance.
Syntax switch logical-switch-name
Parameters logical-switch-name—Enter the name of the logical switch instance that you want to create or modify, a maximum of 15 characters. OS10 supports only one instance of the logical switch.
Default None
Command Mode OPENFLOW CONFIGURATION
Usage Information You must configure a controller for the logical switch instance.
Table 131. Modes and CLI commands
Mode | Available CLI commands
● debug tacacs+
LAG INTERFACE CONFIGURATION | LAG is not supported.
LOOPBACK INTERFACE CONFIGURATION | Loopback interface is not supported.
INTERFACE CONFIGURATION | description, end, exit, ip, mtu, negotiation, ntp, show, shutdown
VLAN INTERFACE CONFIGURATION | VLAN is not supported.
20 Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
An ACL is a filter that contains criteria to match, for example internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) packets, and an action to take, such as forwarding or dropping packets at the NPU.
To permit these packets, you must configure an explicit permit statement for the specific hosts or subnetworks with the deny rule having a lower priority to drop the rest of the packets. The deny ip any any and deny ipv6 any any rules are implicit. You do not have to configure them explicitly.
MAC ACLs
MAC ACLs filter traffic on the header of a packet.
Control-plane ACL qualifiers This section lists the supported control-plane ACL rule qualifiers. NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
Deny second and subsequent fragments
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
Permit all packets on interface
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
L3 ACL rules
Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all others are denied.
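The two fragment listings above differ only in rule order. The following added example, which is not from the Dell guide, models them with first-match evaluation and the implicit deny to show why the second ordering permits every packet to 10.1.1.1 and leaves its deny rule unreachable. It assumes that a rule with the fragments keyword matches only non-initial fragments; the class names, function names and probe packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    dst: str                  # destination prefix; the source is "any" in both listings
    fragments: bool = False   # True when the rule ends with the fragments keyword


@dataclass(frozen=True)
class Packet:
    dst: str
    frag_offset: int = 0      # 0 = unfragmented packet or first fragment


def rule_matches(rule, pkt):
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    # Assumption: "fragments" restricts the rule to non-initial fragments.
    return pkt.frag_offset > 0 if rule.fragments else True


def evaluate(acl, pkt):
    """Return (action, index of the matching rule); index None = implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None       # implicit deny ip any any


def unreached_rules(acl, probes):
    """Indices of rules that none of the probe packets ever reaches."""
    hit = {evaluate(acl, p)[1] for p in probes}
    return [i for i in range(len(acl)) if i not in hit]


# "Deny second and subsequent fragments" listing
DENY_FRAGMENTS_FIRST = [
    Rule("deny", "10.1.1.1/32", fragments=True),
    Rule("permit", "10.1.1.1/32"),
]
# "Permit all packets on interface" listing (same rules, reversed)
PERMIT_FIRST = [
    Rule("permit", "10.1.1.1/32"),
    Rule("deny", "10.1.1.1/32", fragments=True),
]
# Constructed probes: first fragment, later fragment, unrelated host
PROBES = [Packet("10.1.1.1", 0), Packet("10.1.1.1", 185), Packet("10.1.1.2", 0)]

if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FRAGMENTS_FIRST), ("permit-first", PERMIT_FIRST)):
        for pkt in PROBES:
            print(name, pkt, evaluate(acl, pkt))
        print(name, "unreached rules:", unreached_rules(acl, PROBES))
```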
Assign sequence number to filter
IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Traffic passes through the filter by filter sequence. Configure the IP ACL by first entering IP ACCESS-LIST mode and then assigning a sequence number to the filter.
User-provided sequence number
● Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode.
For example, if you configured the following rules:
deny ip 1.1.1.1/24 2.2.2.2/24
deny ip any any
Using the no deny ip any any command deletes only the deny ip any any rule. To delete the deny ip 1.1.1.1/24 2.2.2.2/24 rule, you must explicitly use the no deny ip 1.1.1.1/24 2.2.2.2/24 command.
NOTE: Wildcard option is not supported.
● You can no longer configure the same ACL rule multiple times using different sequence numbers.
2. Configure an IP address for the interface, placing it in L3 mode in INTERFACE mode.
ip address ip-address
3. Apply an IP ACL filter to traffic entering or exiting an interface in INTERFACE mode.
ip access-group access-list-name {in | out}
Configure IP ACL
OS10(config)# interface ethernet 1/1/28
OS10(conf-if-eth1/1/28)# ip address 10.1.2.
Apply ACL rules to access-group and view access-list
OS10(config)# interface ethernet 1/1/28
OS10(conf-if-eth1/1/28)# ip access-group abcd in
OS10(conf-if-eth1/1/28)# exit
OS10(config)# ip access-list acl1
OS10(conf-ipv4-acl)# permit ip host 10.1.1.1 host 100.1.1.1 count
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● The following applications require ACL tables: VLT, iSCSI, L2 ACL, L3 v4 ACL, L3 v6 ACL, PBR v4, PBR v6, QoS L2, QoS L3, FCoE.
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● You can create either Layer 2 ACL or Layer 3 ACL. You cannot create both the tables at a time.
● In egress L3 IPv4 ACL, the fragment, TCP flags, and DSCP fields are not supported.
● IPv6 user ACL table is not supported.
● In egress ACLs, L2 user table is utilized only for switched packets and L3 user table is utilized only for routed packets.
● In L2 user ACL, Ether type is not supported.
● To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
● To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
● To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
● To permit routes with a mask greater than /20, enter permit x.x.x.
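To make the ge and le keywords in the list above concrete, this added example (not code from the Dell guide) evaluates prefix-list entries against candidate routes. It assumes the usual prefix-list semantics: ge and le are inclusive bounds on the route's mask length, an entry without either keyword matches only its exact length, the first matching entry decides, and a route that matches no entry is denied. The 0.0.0.0/0 prefixes stand in for the x.x.x.x/x placeholders; the function names are constructed for illustration.

```python
from ipaddress import ip_network
from typing import NamedTuple


class Entry(NamedTuple):
    action: str   # "permit" or "deny"
    net: object   # covering prefix as an ipaddress network object
    lo: int       # smallest mask length accepted
    hi: int       # largest mask length accepted


def parse_entry(text):
    """Parse '<permit|deny> <prefix>/<len> [ge N] [le M]'."""
    tok = text.split()
    if len(tok) not in (2, 4, 6) or tok[0] not in ("permit", "deny"):
        raise ValueError(f"malformed entry: {text!r}")
    net = ip_network(tok[1], strict=False)     # host bits are masked off
    opts = dict(zip(tok[2::2], (int(v) for v in tok[3::2])))
    if set(opts) - {"ge", "le"}:
        raise ValueError(f"unknown keyword in: {text!r}")
    if not opts:
        lo = hi = net.prefixlen                # exact-length match
    else:
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", net.max_prefixlen)
    if not lo <= hi <= net.max_prefixlen:
        raise ValueError(f"ge/le out of order or out of range: {text!r}")
    return Entry(tok[0], net, lo, hi)


def matches(entry, route):
    r = ip_network(route, strict=False)
    return (r.version == entry.net.version
            and r.subnet_of(entry.net)         # route lies inside the prefix
            and entry.lo <= r.prefixlen <= entry.hi)


def evaluate(entries, route):
    """First matching entry wins; no match is treated as deny (assumption)."""
    for text in entries:
        entry = parse_entry(text)
        if matches(entry, route):
            return entry.action
    return "deny"


# Constructed list: drop bare /8 routes, accept anything else up to /24.
SAMPLE_LIST = ["deny 0.0.0.0/0 ge 8 le 8", "permit 0.0.0.0/0 le 24"]

if __name__ == "__main__":
    for route in ("10.0.0.0/8", "10.1.1.0/24", "10.1.1.1/32"):
        print(route, evaluate(SAMPLE_LIST, route))
```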
Table 133. Multiple match commands under a single route-map Route-map clause deny Prefix list Incoming Route Action permit NO MATCH Continue with next route-map clause. deny MATCH Continue with next route-map clause. deny NO MATCH Continue with next route-map clause. permit MATCH The route is denied. permit NO MATCH Continue with next route-map clause. deny MATCH Continue with next route-map clause. deny NO MATCH Continue with next route-map clause.
○ vlan — Enter the VLAN ID number.
Check match routes
OS10(config)# route-map test permit 1
OS10(conf-route-map)# match tag 250000
OS10(conf-route-map)# set weight 100
Set conditions
There is no limit to the number of set commands per route map, but keep the number of set filters in a route-map low. The set commands do not require a corresponding match command.
● Enter the IP address in A.B.C.D format of the next-hop for a BGP route update in ROUTE-MAP mode.
ACL flow-based monitoring Flow-based monitoring conserves bandwidth by selecting only the required flow to mirror instead of mirroring entire packets from an interface. This feature is available for L2 and L3 ingress traffic. Specify flow-based monitoring using ACL rules. Flow-based monitoring copies incoming packets that match the ACL rules applied on the ingress port and forwards, or mirrors them to another port.
2. Enable flow-based monitoring for the mirroring session in MONITOR-SESSION mode.
flow-based enable
3. Define ACL rules that include the keywords capture session session-id in CONFIGURATION mode. The system only considers port monitoring traffic that matches rules with the keywords capture session.
ip access-list
4. Apply the ACL to the monitored port in INTERFACE mode.
rows Max rows
------------------------------------------------------------------------------------------------------
0 SYSTEM_FLOW 49 975 1024
1 SYSTEM_FLOW 49 975 1024
2 USER_IPV4_ACL 3 1021 1024
3 USER_L2_ACL 2 1022 1024
4 USER_IPV6_ACL 2 510 512
5 USER_IPV6_ACL 2 510 512
6 FCOE 55 457 512
7 FCOE 55 457 512
8 ISCSI_SNOOPING 12 500 512
9 FREE 0 512 512
10 PBR_V6 1 511 512
11 PBR_V6 1 511 512
------------------------------------------------------------------------------------------------------
Service Pools ---
App | Allocated pools | App group | Configured rules | Used rows | Free rows | Max rows
------------------------------------------------------------------------------------------------------
USER_L2_ACL_EGRESS | Shared:1 | G1 | 1 | 2 | 254 | 256
USER_IPV4_EGRESS | Shared:1 | G0 | 1 | 2 | 254 | 256
USER_IPV6_EGRESS | Shared:2 | G2 | 1 | 2 | 254 | 256
Known behavior
● On the S4200-ON platform, the show acl-table-usage detail command output lists several hardware pools as available (FREE), but you will see an "ACL CAM table full" warning log when the system
By default, the interval is set to 5 minutes and logs are created every 5 minutes. During this interval, the system continues to examine the packets against the configured ACL rule and permits or denies traffic, but logging is halted temporarily. This value is configurable, and the range is from 1 to 10 minutes. For example, if you have configured a threshold value of 20 and an interval of 10 minutes, after an initial packet match is logged, the 20th packet that matches the ACE is logged.
Example OS10# clear ipv6 access-list counters
Supported Releases 10.2.0E or later
clear mac access-list counters
Clears counters for a specific or all MAC access lists.
Syntax clear mac access-list counters [access-list-name]
Parameters access-list-name — (Optional) Enter the name of the MAC access list to clear counters. A maximum of 140 characters.
Default Not configured
Command Mode EXEC
Usage Information If you do not enter an access-list name, all MAC access-list counters clear.
Example OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny udp any any
Supported Releases 10.2.0E or later
deny (IPv6)
Configures a filter to drop packets with a specific IPv6 address.
Syntax deny [protocol-number | icmp | ipv6 | tcp | udp] [A::B | A::B/x | any | host ipv6-address] [A::B | A::B/x | any | host ipv6-address] [capture | count | dscp value | fragment | log]
Parameters
● protocol-number — (Optional) Enter the protocol number identified in the IP header, from 0 to 255.
○ protocol-number — (Optional) MAC protocol number identified in the header, from 600 to ffff.
○ capture — (Optional) Capture packets the filter processes.
○ cos — (Optional) CoS value, from 0 to 7.
○ count — (Optional) Count packets the filter processes.
○ vlan — (Optional) VLAN number, from 1 to 4093.
Default Disabled
Command Mode MAC-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment.
● A::B/x — Enter the number of bits to match to the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ipv6-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
Parameters
● A::B — (Optional) Enter the source IPv6 address from which the packet was sent and the destination address.
● A::B/x — (Optional) Enter the source network mask in /prefix format (/x) and the destination mask.
● any — (Optional) Set all routes which are subject to the filter:
○ capture — (Optional) Capture packets the filter processes.
○ count — (Optional) Count packets the filter processes.
○ byte — (Optional) Count bytes the filter processes.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny tcp any any capture session 1
Supported Releases 10.2.0E or later
deny tcp (IPv6)
Configures a filter that drops TCP IPv6 packets meeting the filter criteria.
Parameters ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter. Example Supported Releases A.B.C.D — Enter the IPv4 address in dotted decimal format. A.B.C.D/x — Enter the number of bits to match to the dotted decimal address.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
Usage Information Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports as well as the management port. The no version of this command deletes the IPv4 ACL configuration.
Example
Example (Control-plane ACL)
Supported Releases
Table 134. Special characters supported in regular expression
Character | Supported/Not supported
Pipe (|) | Supported
Plus (+) | Supported
Caret (^) | Supported; use the caret (^) character to represent the beginning of a new line.
Dollar ($) | Supported
Square brackets ([ ]) | Supported
Asterisk (*) | Supported
Dot (.) | Supported
Backslash (\) | Supported; precede the character with a backslash(\). For example, enter \\.
Example
Supported Release
Usage Information The no version of this command removes the community list.
Example OS10(config)# ip community-list standard STD_LIST deny local-AS
Supported Release 10.3.0E or later
ip community-list standard permit
Creates a standard community list for BGP to permit access.
Syntax ip community-list standard name permit {aa:nn | no-advertise | local-as | no-export | internet}
Parameters
● name — Enter the name of the standard community list used to identify one or more permit groups of communities.
Supported Release 10.3.0E or later
ip extcommunity-list standard permit
Creates an extended community list for BGP to permit access.
Syntax ip extcommunity-list standard name permit {4byteas-generic | rt | soo}
Parameters
● name — Enter the name of the community list used to identify one or more permit groups of extended communities. Do not use the term none as the name of the extended community list.
● rt — Enter the route target.
● soo — Enter the route origin or site-of-origin.
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example OS10(config)# ip prefix-list denyprefix deny 10.10.10.2/16 le 30
Supported Release 10.3.0E or later
ip prefix-list permit
Creates a prefix-list to permit route filtering from a specified network address.
Syntax ip prefix-list name permit [A.B.C.
ip prefix-list seq permit Configures a filter to permit route filtering from a specified prefix list. Syntax ipv6 prefix-list [name] seq num permit A::B/x [ge | le} prefix-len Parameters ● ● ● ● ● ● Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the specified prefix list. Example Supported Release name — Enter the name of the prefix list. num — Enter the sequence list number. A.B.C.
Parameters access-list-name — Enter the name of an IPv6 access list. A maximum of 140 characters.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# ipv6 access-list acl6
Supported Release 10.2.0E or later
ipv6 prefix-list deny
Creates a prefix list to deny route filtering from a specified IPv6 network address.
ipv6 prefix-list permit Creates a prefix-list to permit route filtering from a specified IPv6 network address. Syntax ipv6 prefix-list prefix-list-name permit {A::B/x [ge | le] prefix-len} Parameters ● ● ● ● ● Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the specified prefix-list. Example Supported Release prefix-list-name — Enter the IPv6 prefix-list name. A::B/x — Enter the IPv6 address to permit.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example OS10(config)# ipv6 prefix-list TEST seq 65535 permit AB10::1/128 ge 30
Supported Release 10.3.0E or later
logging access-list mgmt burst
Configures the burst size for control-plane ACL applied on the management interface.
Syntax [no] logging access-list mgmt burst value
Parameters value—Specify the burst size (maximum tokens), from 1 to 10.
Default Not configured
Command Mode CONFIGURATION CONTROL-PLANE
Usage Information Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports. The no version of this command resets the value to the default.
Example
Example (Control-plane ACL)
Supported Releases
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
permit (MAC)
Configures a filter to allow packets with a specific MAC address.
Syntax permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | count [byte] | cos | vlan]
Parameters
● nn:nn:nn:nn:nn:nn — Enter the MAC address.
● 00:00:00:00:00:00 — (Optional) Enter which bits in the MAC address must match. If you do not enter a mask, a mask of 00:00:00:00:00:00 applies.
Example OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# permit icmp any any capture session 1
Supported Releases 10.2.0E or later
permit icmp (IPv6)
Configures a filter to permit all or specific ICMP messages.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Example OS10(conf-ipv4-acl)# permit ip any any capture session 1
Supported Releases 10.2.0E or later
permit ipv6
Configures a filter to permit all or specific packets from an IPv6 address.
● urg — (Optional) Set the bit set as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
Supported Releases 10.2.0E or later permit udp Configures a filter that allows UDP packets meeting the filter criteria. Syntax permit udp [A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● A.B.C.D — Enter the IPv4 address in dotted decimal format. A.B.C.
Parameters
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits that must match the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
NOTE: The control-plane ACL supports only the eq operator.
● host ipv6-address — (Optional) Enter the keyword and the IPv6 address to use a host address only.
● ack — (Optional) Set the bit as acknowledgement.
seq deny
Assigns a sequence number to deny IPv4 addresses while creating the filter.
Syntax seq sequence-number deny [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the ACL for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● host ipv6-address — (Optional) Enter to use an IPv6 host address only.
● capture — (Optional) Enter to capture packets the filter processes.
● count — (Optional) Enter to count packets the filter processes.
● byte — (Optional) Enter to count bytes the filter processes.
● dscp value — (Optional) Enter to deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Enter to use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging.
seq deny icmp
Assigns a filter to deny ICMP messages while creating the filter.
Syntax seq sequence-number deny icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# seq 10 deny icmp any any capture session 1 log
Supported Releases 10.2.0E or later
seq deny ip
Assigns a sequence number to deny IPv4 addresses while creating the filter.
● host ip-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number. Example Supported Releases OS10(config)# ip access-list egress OS10(conf-ipv4-acl)# seq 10 deny tcp any any capture session 1 log 10.2.
Supported Releases 10.2.0E or later seq deny udp Assigns a filter to deny UDP packets while creating the filter. Syntax seq sequence-number deny udp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.C.
seq deny udp (IPv6)
Assigns a filter to deny UDP packets while creating the filter.
Syntax seq sequence-number deny udp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
Supported Releases 10.2.0E or later seq permit (MAC) Assigns a sequence number to permit MAC addresses while creating a filter. Syntax seq sequence-number permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | cos | count [byte] | vlan] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing, from 1 to 16777214.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.C.D — Enter the IPv4 address in dotted decimal format. ● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address. ● any — (Optional) Enter the keyword any to specify any source or destination IP address. ● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
Supported Releases 10.2.0E or later seq permit tcp Assigns a sequence number to allow TCP packets while creating the filter. Syntax seq sequence-number permit tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.
seq permit tcp (IPv6)
Assigns a sequence number to allow TCP IPv6 packets while creating the filter.
Syntax seq sequence-number permit tcp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
● ack — (Optional) Set the bit as acknowledgment.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
Ingress IPV6 access list aaa on ethernet1/1/2 Egress IPV6 access list aaa on ethernet1/1/2 Example (Control-plane ACL - IP) OS10# show ip access-group aaa-cp-acl Ingress IP access-list aaa-cp-acl on control-plane data mgmt Example (Control-plane ACL - MAC) OS10# show mac access-group aaa-cp-acl Ingress MAC access-list aaa-cp-acl on control-plane data Example (Control-plane ACL - IPv6) OS10# show ipv6 access-group aaa-cp-acl Ingress IPV6 access-list aaa-cp-acl on control-plane data mgmt Supported Relea
Example (IP Out) Example (IPv6 In) Example (IPv6 Out) Example (IP In - Control-plane ACL) Example (IPv6 In - Control-plane ACL) Example (MAC In - Control-plane ACL) Supported Releases OS10# show ip access-lists out Egress IP access list aaaa Active on interfaces : ethernet1/1/1 ethernet1/1/2 seq 10 permit ip any any seq 20 permit tcp any any count (0 packets) seq 30 permit udp any any count bytes (0 bytes) OS10# show ipv6 access-lists in Ingress IPV6 access list bbb Active on interfaces : ethernet1/1
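The seq lines that show ip access-lists prints can be audited offline for rules that never take effect. The following Python sketch is an added example, not part of the Dell guide: it parses IPv4 seq lines in the syntax documented above and reports rules hidden behind an earlier, broader rule. It assumes rules are evaluated in ascending sequence order with the first match winning, that eq, gt and lt are accepted alongside the neq and range operators, and it uses a constructed sample ACL.

```python
import ipaddress
import re

# Port operators and how many operands follow them ("eq 22", "range 1024 2048").
# neq and range appear in the parameter list; eq, gt and lt are assumed here.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}
# Keywords that narrow what a rule matches (TCP flags, DSCP, fragments).
NARROWING = {"ack", "fin", "psh", "rst", "syn", "urg", "dscp", "fragment"}

# Constructed sample, in "seq N action protocol source destination [options]" form.
SAMPLE_ACL = """\
seq 10 permit tcp 10.20.0.0/16 any eq 22 log
seq 20 deny ip 10.0.0.0/8 any count
seq 30 permit tcp host 10.1.1.5 any eq 443
seq 40 deny udp 10.9.0.0/16 any log
seq 50 permit ip any any
seq 60 deny ip 192.0.2.0/24 any log
"""

RULE_RE = re.compile(r"\s*seq\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)")


def _take_endpoint(tokens):
    """Pop one address spec plus optional port operator; return (network, has_port_match)."""
    head = tokens.pop(0)
    if head == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif head == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        net = ipaddress.ip_network(head, strict=False)  # A.B.C.D or A.B.C.D/x
    has_port_match = bool(tokens) and tokens[0] in PORT_OPS
    if has_port_match:
        operator = tokens.pop(0)
        del tokens[:PORT_OPS[operator]]
    return net, has_port_match


def parse_rule(line):
    """Parse one IPv4 'seq' line into a dict; return None for anything else."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tokens = m.group(4).split()
    try:
        src, src_ports = _take_endpoint(tokens)
        dst, dst_ports = _take_endpoint(tokens)
    except (ValueError, IndexError):
        return None  # not an IPv4 ACL entry (for example a prefix-list line)
    return {
        "seq": int(m.group(1)), "action": m.group(2), "proto": m.group(3),
        "src": src, "dst": dst,
        "narrowed": src_ports or dst_ports or any(t in NARROWING for t in tokens),
    }


def covers(earlier, later):
    """True when every packet 'later' could match is already matched by 'earlier'."""
    if earlier["narrowed"]:
        return False  # conservative: ports, flags or DSCP make the earlier rule partial
    if earlier["proto"] not in ("ip", later["proto"]):
        return False
    return (later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def audit(acl_text):
    """Return (seq, finding, shadowing_seq) for rules that can never be the first match."""
    rules = sorted(filter(None, map(parse_rule, acl_text.splitlines())),
                   key=lambda r: r["seq"])
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier["action"] == rule["action"] else "conflict"
                findings.append((rule["seq"], kind, earlier["seq"]))
                break
    return findings


if __name__ == "__main__":
    for seq, kind, by in audit(SAMPLE_ACL):
        print(f"seq {seq}: {kind}, never reached because seq {by} matches first")
```

A conflict finding means the later rule's intent is lost, for example a permit placed after a broader deny; a redundant finding only consumes a row in the ACL table.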
Parameters None Default None Command Mode EXEC Usage Information The hardware pool displays the ingress application groups (pools), the features mapped to each of these groups, and space available in each of the pools. The amount of space required to store a single ACL rule in a pool depends on th The service pool displays the amount of used and free space for each of the features. The number of ACL rules conf displayed in the configured rules column.
Ingress ACL utilization - Pipe 2
Hardware Pools
----------------------------------------------------------------------
Pool ID   App(s)           Used rows   Free rows   Max rows
----------------------------------------------------------------------
0         SYSTEM_FLOW      98          414         512
1         SYSTEM_FLOW      98          414         512
2         SYSTEM_FLOW      98          414         512
3         USER_IPV4_ACL    0           512         512
4         USER_IPV4_ACL    0           512         512
5         FREE             0           512         512
6         USER_IPV6_ACL    0           512         512
7         USER_IPV6_ACL    0           512         512
8         USER_IPV6_ACL    0           512         512
9         USER_L2_ACL      0           512         512
10        USER_L2_ACL      0           512         512
11        FREE             0           5
S6010-ON platform
OS10# show acl-table-usage detail
Ingress ACL utilization
Hardware Pools
------------------------------------------------------------------
Pool ID   App(s)           Used rows   Free rows   Max rows
------------------------------------------------------------------
0         SYSTEM_FLOW      49          975         1024
1         SYSTEM_FLOW      49          975         1024
2         USER_IPV4_ACL    3           1021        1024
3         USER_L2_ACL      2           1022        1024
4         USER_IPV6_ACL    2           510         512
5         USER_IPV6_ACL    2           510         512
6         FCOE             55          457         512
7         FCOE             55          457         512
8         ISCSI_SNOOPING   12          500         512
9         FREE             0           512         512
10        PB
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show control-plane logging access-list mgmt
Control plane Management ACL Logging
Burst : 2 packets (default)
Rate : 2 packets per minute (default)
Supported Releases 10.5.2.1 or later
show ip as-path-access-list
Displays the configured AS path access lists.
Syntax show ip as-path-access-list [name]
Parameters name — (Optional) Specify the name of the AS path access list.
seq 10 permit 1::1/64
seq 20 deny 2::2/64
Supported Releases 10.3.0E or later
show logging access-list
Displays the ACL logging threshold and interval configuration.
Syntax show logging access-list
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show logging access-list
ACL Logging
Threshold : 10
Interval : 5
Supported Releases 10.4.3.0 or later
Route-map commands
continue
Configures the next sequence of the route map.
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes a match AS path filter.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match as-path pathtest1
Supported Releases 10.3.0E or later
match community
Configures a filter to match routes that have a certain COMMUNITY attribute in their BGP path.
Syntax match community community-list-name [exact-match]
Parameters
● community-list-name — Enter the name of a configured community list.
Default None
Command Mode ROUTE-MAP
Usage Information You can use this command in ROUTE-MAP configuration mode in addition to the other match rules. The no version of this command deletes the match filter.
Example
OS10# configure terminal
OS10(config)# route-map redis-inactive-routes
OS10(config-route-map)# match inactive-path-additive
Supported Releases 10.5.2.0 or later
match interface
Configures a filter to match routes whose next-hop is the configured interface.
match ip next-hop
Configures a filter to match based on the next-hop IP addresses specified in IP prefix lists.
Syntax match ip next-hop prefix-list prefix-list
Parameters prefix-list — Enter the name of the configured prefix list. A maximum of 140 characters.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match ip next-hop prefix-list test100
Supported Releases 10.3.
match metric
Configures a filter to match on a specific value.
Syntax match metric metric-value
Parameters metric-value — Enter a value to match the route metric against, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(conf-route-map)# match metric 429132
Supported Releases 10.2.0E or later
match origin
Configures a filter to match routes based on the origin attribute of BGP.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match route-type external type-1
Supported Releases 10.3.0E or later
match tag
Configures a filter to redistribute only routes that match a specific tag value.
Syntax match tag tag-value
Parameters tag-value — Enter the tag value to match with the tag number, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Defaults None
Command Mode ROUTE-MAP
Usage Information In a route map, use this set command to add a list of communities that pass a permit statement to the COMMUNITY attribute of a BGP route sent or received from a BGP peer. Use the set comm-list delete command to delete a community list from a matching route.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set comm-list comlist1 add
Supported Releases 10.4.
set extcomm-list add Add communities in the specified list to the EXTCOMMUNITY attribute in a matching inbound or outbound BGP route. Syntax set extcomm-list extcommunity-list-name add Parameter extcommunity-list-name — Enter the name of an established extcommunity list. A maximum of 140 characters.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set extcommunity rt 10.10.10.2:325
Supported Releases 10.3.0E or later
set local-preference
Sets the preference value for the AS path.
Syntax set local-preference value
Parameters value — Enter a number as the LOCAL_PREF attribute value, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information This command changes the LOCAL_PREF attribute for routes meeting the route map criteria.
Parameters ● type-1 — Adds a route to an existing community. ● type-2 — Sends a route in the local AS. ● external — Disables advertisement to peers. Default Not configured Command Mode ROUTE-MAP Usage Information ● BGP Affects BGP behavior only in outbound route maps and has no effect on other types of route maps. If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence.
set origin
Set the origin of the advertised route.
Syntax set origin {egp | igp | incomplete}
Parameters
● egp — Enter to add to existing community.
● igp — Enter to send inside the local-AS.
● incomplete — Enter to not advertise to peers.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the set clause from a route map.
Example
OS10(conf-route-map)# set origin egp
Supported Releases 10.2.
show route-map Displays the current route map configurations. Syntax show route-map [map-name] Parameters map-name — (Optional) Specify the name of a configured route map. A maximum of 140 characters.
21 Quality of service
Enterprise networks carry various data traffic including voice and video traffic. To efficiently use the available network resources, Quality of Service (QoS) offers several features that help to:
● Allocate sufficient bandwidth for certain types of traffic, such as video traffic.
● Prioritize voice traffic.
● Transfer data reliably.
● Optimize performance.
QoS defines how reliable, available, and efficient a network is. Availability determines the quality of a network.
Different QoS features control the traffic flow parameters, as the traffic traverses a network device from ingress to egress interfaces.
Classification
To prioritize traffic, you must first classify it. Classification is the process that differentiates one type of traffic from another and categorizes it into different groups. OS10 groups network traffic into different traffic classes, from class 0 to 7 based on various parameters.
ACL-based classification consumes a significant amount of network processor resources. Trust-based classification (CoS and DSCP) classifies traffic in a predefined way without using network processor resources. OS10 implicitly classifies all control traffic such as STP, OSPF, ICMP, and so on, and forwards the traffic to control plane applications. See Control-plane policing for more information.
Data traffic classification
You can classify the data traffic based on ACL or trust.
3 5 0-4 5-7 4. Apply the map on a specific interface or on system-qos, global level. ● Interface level OS10(conf-if-eth1/1/1)# trust-map dot1p example-dot1p-trustmap-name NOTE: In the interface level, the no version of the command returns the configuration to the system-qos level. If there is no configuration available at the system-qos level, the configuration returns to default mapping.
Table 136. Default DSCP trust map
DSCP values   Traffic class ID   Color
52-55         6                  Y
56-59         7                  G
60-62         7                  Y
63            7                  R
NOTE: You cannot modify the default DSCP trust map.
User–defined DSCP trust map
You can override the default mapping by creating a user-defined DSCP trust map. All the unspecified DSCP entries map to the default traffic class ID 0 and color G.
Configure user–defined DSCP trust map
1. Create a DSCP trust map.
ACL-based classification Classify the ingress traffic by matching the packet fields using ACL entries. Classify the traffic flows based on QoS-specific fields or generic fields, using IP or MAC ACLs. Create a class-map template to match the fields. OS10 allows matching any of the fields or all the fields based on the match type you configure in the class-map. Use the access-group match filter to match MAC or IP ACLs. You can configure a maximum of four access-group filters in a class-map: ● ● ● ● 802.
or OS10(config)# system qos OS10(config-sys-qos)# trust-map dscp userdef-dscp 3. Create a class-map and attach it to a policy where trust is configured. This example uses 802.1p cos to define the match criteria. You can use dscp or other access group match filters. If the 802.1p traffic matches the defined criteria, the set qos-group 1 command assigns the traffic to TC 1.
For example, in release 10.4.1, the following policy configuration is applied on queue 5, which in 10.4.1 is mapped to ARP_REQ, ICMPV6_RS, ICMPV6_NS, and ISCSI protocols: policy-map type control-plane test ! class test set qos-group 5 police cir 300 pir 300 After upgrade to release 10.4.
Table 138. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
Configure control-plane policing Rate-limiting the protocol CPU queues requires configuring control-plane type QoS policies. ● Create QoS policies, class maps and policy maps, for the desired CPU-bound queue. ● Associate the QoS policy with a particular rate-limit. ● Assign the QoS service policy to control plane queues. By default, the peak information rate (pir) and committed information rate (cir) values are in packets per second (pps) for control plane.
Assign service-policy
Rate controlling the traffic towards CPU requires configuring the control-plane type policy. To enable CoPP, apply the defined policy-map to CONTROL-PLANE mode.
1. Enter CONTROL-PLANE mode from CONFIGURATION mode.
control-plane
2. Define an input type service-policy and configure a name for the service policy in CONTROL-PLANE mode.
1. Create a control-plane type class-map. OS10(config)# class-map type control-plane example-cmap-protocol-queue-remap 2. Apply the match criteria by specifying the names of the protocols or applications. In this example, VRRP is re-mapped to queue 4. OS10(config-cmap-control-plane)# match vrrp NOTE: You cannot configure the same protocols or application groups under multiple class-maps within the same policy-map. 3. Create a control-plane type policy-map and add the class-map to the policy-map.
View CMAP1 configuration OS10# show class-map type control-plane example-copp-class-map-name Class-map (control-plane): example-copp-class-map-name (match-any) View CoPP service-policy OS10# show policy-map type control-plane Service-policy(control-plane) input: example-copp-policy-map-name Class-map (control-plane): example-copp-class-map-name set qos-group 2 police cir 100 bc 100 pir 100 be 100 View CoPP information OS10# show control-plane info Queue Min Rate Limit(in pps) Max Rate Limit(in pps) Protocol
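A CoPP policer limits a CPU queue as a whole, so protocols that share a queue also share its packet budget. The following Python model is an added example, not Dell code: it runs the police cir 100 bc 100 pir 100 be 100 values shown above through a two-rate token-bucket policer and compares a shared queue with separate queues. It assumes RFC 2698-style color marking, bc and be counted in packets, red packets dropped, and a constructed, evenly spaced traffic mix that reuses the ARP_REQ and ICMPV6_NS protocol names from the queue mapping described earlier.

```python
US = 1_000_000  # microseconds per second; tokens are tracked in micro-packets

# Values from the policy-map output above; rates are in packets per second.
POLICE = dict(cir=100, pir=100, bc=100, be=100)


class TwoRatePolicer:
    """Color-blind two-rate, three-color policer (modelled on RFC 2698; an assumption)."""

    def __init__(self, cir, pir, bc, be):
        self.cir, self.pir = cir, pir
        self.cap_c, self.cap_p = bc * US, be * US   # burst sizes, assumed to be packets
        self.tc, self.tp = self.cap_c, self.cap_p   # both buckets start full
        self.last_us = 0

    def offer(self, now_us):
        """Account for one packet arriving at now_us and return its color."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        self.tc = min(self.cap_c, self.tc + self.cir * elapsed)
        self.tp = min(self.cap_p, self.tp + self.pir * elapsed)
        if self.tp < US:
            return "red"        # above the peak rate: dropped in this model
        if self.tc < US:
            self.tp -= US
            return "yellow"     # above committed, within peak
        self.tc -= US
        self.tp -= US
        return "green"


def run_queue(flows, seconds, cir, pir, bc, be):
    """Police one CPU queue. flows maps protocol name to offered rate in pps."""
    arrivals = sorted((i * (US // pps), name)
                      for name, pps in flows.items()
                      for i in range(pps * seconds))
    policer = TwoRatePolicer(cir, pir, bc, be)
    stats = {name: {"forwarded": 0, "dropped": 0} for name in flows}
    for t_us, name in arrivals:
        color = policer.offer(t_us)
        stats[name]["dropped" if color == "red" else "forwarded"] += 1
    return stats


def compare(seconds=10):
    """Constructed scenario: 1000 pps ARP_REQ flood next to 20 pps of ICMPV6_NS."""
    shared = run_queue({"ARP_REQ": 1000, "ICMPV6_NS": 20}, seconds, **POLICE)
    # Same traffic after ICMPV6_NS is re-mapped to a queue with its own policer.
    separate = {}
    separate.update(run_queue({"ARP_REQ": 1000}, seconds, **POLICE))
    separate.update(run_queue({"ICMPV6_NS": 20}, seconds, **POLICE))
    return shared, separate


if __name__ == "__main__":
    shared, separate = compare()
    for label, result in (("shared queue", shared), ("separate queues", separate)):
        for proto, counts in result.items():
            print(f"{label:16} {proto:10} forwarded={counts['forwarded']:5} "
                  f"dropped={counts['dropped']:5}")
```

In the shared case the CPU still sees at most the configured rate, but almost all of it is flood traffic; once the initial burst is spent, the low-rate protocol is dropped with it.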
Marking Traffic After you classify the ingress traffic, you can set the value or change an existing value (remarking) for CoS or DSCP. Marking sets the IP precedence or IP DSCP value for traffic at ingress. The switch then uses the new marking to process the traffic. Traffic class IDs identify the traffic flow when the traffic reaches egress for queue scheduling. Mark traffic 1. Create a QoS type class-map to match the traffic flow. OS10(config)# class-map cmap-cos3 OS10(config-cmap-qos)# match cos 3 2.
2. Define the set of traffic class values mapped to a queue. OS10(config-qos-map)# queue 3 qos-group 0-3 NOTE: For the Z9332F-ON platform, you must specify the type of queue. For example: OS10(config-qos-map)# queue 3 qos-group 0-3 type ucast 3. Verify the map entries. OS10# show qos maps type tc-queue Traffic-Class to Queue Map: tc-q-map Queue Traffic-Class -------------------------3 0-3 4. Apply the map on a specific interface or on a system-QoS global level.
2. Create a QoS type policy-map to define a policer.
OS10(config)# policy-map example-interface-policer
OS10(config-pmap-qos)# class example-cmap-all-traffic
OS10(config-pmap-c-qos)# police cir 4000 pir 6000
3. Apply the QoS type policy-map to an interface.
OS10(config)# interface ethernet 1/1/14
OS10(conf-if-eth1/1/14)# service-policy input type qos example-interface-policer
Flow rate policing controls the rate of flow of traffic.
Configure flow rate policing
1.
1. Create a QoS type class-map to match a traffic flow. OS10(config)# class-map cmap-dscp-3 OS10(config-cmap-qos)# match ip dscp 3 2. Modify the policy-map to update the DSCP field. OS10(config)# policy-map modify-dscp OS10(config-pmap-qos)# class cmap-dscp-3 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set dscp 10 Shaping traffic Shaping allows you to control the speed of traffic that goes out of an interface.
3. Return to CONFIGURATION mode. exit 4. Create a queuing type policy-map and configure a policy-map name in CONFIGURATION mode. policy-map type queuing example-que-pmap-name 5. Configure a queuing class in POLICY-MAP mode. class example-que-cmap-name 6. Assign a bandwidth percent, from 1 to 100 to nonpriority queues in POLICY-MAP-CLASS-MAP mode.
3. Set the scheduler as strict priority in POLICY-MAP-CLASS-MAP mode. priority Apply policy-map 1. Apply the policy-map to the interface in INTERFACE mode or all interfaces in SYSTEM-QOS mode. system qos OR interface ethernet node/slot/port[:subport] 2. Enter the output service-policy in SYSTEM-QOS mode or INTERFACE mode.
● Destination MAC address—6 bytes
● Source MAC address—6 bytes
● Ethernet type/length—2 bytes
● Payload—variable
● Cyclic redundancy check—4 bytes
● Inter-frame gap—variable
The rate adjustment feature is disabled by default. To enable rate adjustment, use the qos-rate-adjust value_of_rate_adjust command. For example:
qos-rate-adjust 8
If you have configured WDRR and shaping on a particular queue, the queue can become congested.
2. Create policy-maps to define the policies for the classified traffic flows.
NOTE: For Underlay, Overlay VXLAN configuration, see the VXLAN chapter. The network ports and access ports must be VLAN-tagged interfaces for QoS settings to be applied based on dot1p priority. S1 Switch 1. Configure trust map with different dot1p priority values mapped to different traffic classes (queues).
S2 Switch 1. Configure trust map with different dot1p priority values mapped to different traffic classes (queues). OS10# configure terminal OS10(config)# trust dot1p-map TRUST_DOT1P_MAP OS10(config-tmap-dot1p-map)# qos-group 0 dot1p 0 OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 3 OS10(config-tmap-dot1p-map)# end 2. Configure queuing at egress with bandwidth allocation of 65% for queue 3.
OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 3 OS10(config-tmap-dot1p-map)# end 2. Configure queuing at egress with bandwidth allocation of 65% for queue 3. OS10# configure terminal OS10(config)# class-map type queuing CM_QUEUING_Q3 OS10(config-cmap-queuing)# match queue 3 OS10(config-cmap-queuing)# exit OS10(config)# policy-map type queuing PM_QUEUING OS10(config-pmap-queuing)# class CM_QUEUING_Q3 OS10(config-pmap-c-que)# bandwidth percent 65 OS10(config-pmap-c-que)# end 3.
OS10(config)# policy-map type queuing PM_QUEUING OS10(config-pmap-queuing)# class CM_QUEUING_Q3 OS10(config-pmap-c-que)# bandwidth percent 65 OS10(config-pmap-c-que)# end 3. Apply the dot1p trust map and queuing configuration at the system-qos level (global configuration).
0 1 2 3 4 5 6 7 0 0 0 101810039 0 0 0 0 0 0 0 26063369984 0 0 0 0 0 0 0 0 0 0 0 0 OS10# show queuing statistics interface ethernet Interface ethernet1/1/2 Queue Packets Bytes Dropped-Packets 0 46890036 12191361537 0 1 0 0 0 2 0 0 0 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 7 0 0 0 0 0 0 0 0 0 0 0 1/1/2 Dropped-Bytes 0 0 0 0 0 0 0 0 Example 2: Traffic classification and bandwidth allocation in VXLAN topology using CoS value on access ports and DSCP value on network ports This example describes how to configure Q
NOTE: For Underlay, Overlay VXLAN configuration, see the VXLAN chapter. L1 Switch 1. Configure class map and policy map for access port. Traffic with a CoS value of 3 is matched, assigned to qos-group 3, and marked with a DSCP value of 24.
OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 3. Configure queuing at egress with a bandwidth allocation of 65% for queue 3. OS10(config)# class-map type queuing CM_QUEUING_Q3 OS10(config-cmap-queuing)# match queue 3 OS10(config-cmap-queuing)# exit OS10(config)# policy-map type queuing PM_QUEUING OS10(config-pmap-queuing)# ! OS10(config-pmap-queuing)# class CM_QUEUING_Q3 OS10(config-pmap-c-que)# bandwidth percent 65 OS10(config-pmap-c-que)# exit OS10(config-pmap-queuing)# exit 4.
OS10(config)# policy-map type qos PM_QOS_NETWORK_PORT OS10(config-pmap-qos)# ! OS10(config-pmap-qos)# class CM_QOS_MATCH_DSCP24 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set cos 3 OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 3. Configure queuing at egress with a bandwidth allocation of 65% for queue 3.
2. Configure class map and policy map for the network port. Traffic with a DSCP value of 24 is matched, assigned to qos-group 3, and marked with a CoS value of 3.
OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set dscp 24 OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 2. Configure class map and policy map for the network port. Traffic with a DSCP value of 24 is matched, assigned to qos-group 3, and marked with a CoS value of 3.
S1 Switch 1. Configure class map and policy map for the access port. Traffic with a DSCP value of 24 is matched and assigned to qos-group 3. OS10(config)# class-map type qos CM_QOS_MATCH_DSCP24 OS10(config-cmap-qos)# match ip dscp 24 OS10(config-cmap-qos)# exit OS10(config)# policy-map type qos PM_QOS_LEAF_PORT OS10(config-pmap-qos)# class CM_QOS_MATCH_DSCP24 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 2.
3. Apply the queuing policy globally in the system-qos mode. OS10(config)# system qos OS10(config-sys-qos)# show configuration OS10(config-sys-qos)# service-policy output type queuing PM_QUEUING OS10(config-sys-qos)# exit 4. Apply QoS configuration on the leaf node-facing ports.
6 7 0 0 0 0 0 0 0 0
OS10# show queuing statistics interface ethernet 1/1/2
Interface ethernet1/1/2
Queue   Packets      Bytes          Dropped-Packets   Dropped-Bytes
0       55           4857           0                 0
1       0            0              0                 0
2       0            0              0                 0
3       57904965     14823671040    0                 0
4       0            0              0                 0
5       0            0              0                 0
6       0            0              0                 0
7       0            0              0                 0
● Leaf node-facing port of S1 switch:
OS10# show queuing statistics interface ethernet
Interface ethernet1/1/21
Queue   Packets      Bytes          Dropped-Packets
0       1711761863   519748332392   0
1       0            0              0
2       0            0              0
3       1143474565   345329318630   0
4       0            0              0
5       0            0              0
6       0            0              0
7       0            0              0
1/1/
● Reserved buffer—The system reserves a dedicated amount of buffer to a port or a priority group (at ingress) and a port or a queue (at egress). ● Shared buffer—Is the total available buffer space minus the reserved buffer space. Shared buffer is used for CPU control traffic and is dynamically allocated to the ports when memory space is needed. ● Alpha value—Is a configurable value from 0 to 10 that determines the dynamic shared buffer threshold, and maintains dynamic buffer space during congestion events.
Table 141. Default ingress buffers on the S4100-ON series platform
Speed                                 10G   25G   40G   50G   100G
Reserved buffers for PG 7 (default)   9KB   9KB   9KB   9KB   9KB
The following lists the link-level flow control (LLFC) buffer settings for default priority group 7:
Table 142.
Table 144. Default egress buffers on the S4100-ON series platform
Speed                                                 10G          25G          40G          50G          100G
Reserved buffers for each queue of a port (default)   1664 bytes   1664 bytes   1664 bytes   1664 bytes   1664 bytes
The default dynamic shared buffer threshold is 8.
1. Create a queuing type class-map to match the queue.
OS10(config)# class-map type queuing example-cmap-eg-buffer
OS10(config-cmap-queuing)# match queue 1
2.
Configure Deep Buffer mode By default, Deep Buffer mode is disabled. To configure Deep Buffer mode on a switch, enable the mode, save the configuration, and reload the switch for the feature to take effect. NOTE: Disable all the network QoS configurations; for example, PFC and LLFC, before configuring the Deep Buffer mode. To configure Deep Buffer mode: 1. Enable Deep Buffer mode in CONFIGURATION mode.
Congestion avoidance Congestion avoidance anticipates and takes necessary actions to avoid congestion. The following mechanisms avoid congestion: ● Tail drop—Packets are buffered at traffic queues. When the buffers are exhausted or reach the configured threshold, excess packets drop. By default, OS10 uses tail drop for congestion avoidance. ● Random early detection (RED)—In tail drop, different flows are not considered in buffer utilization.
2. Configure WRED threshold parameters for different colors in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 300 drop-probability 40
3. Configure the exponential weight value for the WRED profile in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect weight 4
4. Configure the ECN threshold parameters in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect ecn minimum-threshold 100 maximum-threshold 300 drop-probability 40
5.
RoCE for faster access and lossless connectivity Remote Direct Memory Access (RDMA) enables memory transfers between two computers in a network without involving the CPU of either computer. RDMA networks provide high bandwidth and low latency without appreciable CPU overhead for improved application performance, storage and data center utilization, and simplified network management. RDMA was traditionally supported only in an InfiniBand environment.
○ If the network is non-VLAN tagged, use the trust-map dscp default command or the user-defined trust-map dscp configuration. OS10 (config)# system qos OS10 (config-sys-qos)# trust-map dot1p default 5. Create a network-qos type class-map and policy-map for priority flow control (PFC). This configuration fine tunes the buffer settings for the particular priority.
7. Create a QoS map for ETS to map the lossy and lossless traffic to the respective queues. OS10 (config)# qos-map traffic-class 2Q OS10(config-qos-map)# queue 0 qos-group 0-2, 4-7 OS10(config-qos-map)# queue 3 qos-group 3 NOTE: On the Z9332F-ON platform, you must also specify the type of queue, whether it is a unicast or multicast queue.
e. Apply the qos-map for ETS configurations on the interface. OS10 (conf-if-eth1/1/1)# qos-map traffic-class 2Q f. Enable PFC on the interface. OS10 (conf-if-eth1/1/1)# priority-flow-control mode on ● For RoCEv2 (tagged L3 traffic): a. Create a VLAN. OS10(config)# interface vlan 55 OS10(conf-if-vl-55)# no shutdown b. Enter INTERFACE mode and enter the no shutdown command. OS10 (config)# interface ethernet 1/1/1 OS10 (conf-if-eth1/1/1)# no shutdown c.
● To view the PFC configuration, operational status, and statistics on the interface, use the show interface interface-name priority-flow-control details command: OS10(config)# show interface ethernet 1/1/15 priority-flow-control details ● To view the ECN markings on an interface, use the show queuing statistics interface interface-name wred command: OS10# show queuing statistics interface ethernet 1/1/1 wred ● To view any egress packet loss, use the show queuing statistics command: NOTE: There should not b
The following examples show each device in this network and their respective configuration: SW1 configuration VXLAN configuration — SW1 OS10# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# ip address 1.1.1.1/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 8.8.8.
OS10(config)# configure terminal OS10(config)# nve OS10(conf-nve)# source-interface loopback 1 OS10(conf-nve)# exit OS10(config)# virtual-network 5 OS10(conf-vn-5)# vxlan-vni 1000 OS10(conf-vn-vxlan-vni)# remote-vtep 2.2.2.
WRED and ECN configuration — SW1 OS10# configure terminal OS10(config)# wred w1 OS10(config-wred)# random-detect ecn OS10(config-wred)# random-detect color green minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# exit OS10(config)# class-map type queuing cq OS
OS10(config-router-ospf-1)# router-id 9.9.9.
OS10(config)# policy-map type network-qos llfc
OS10(config-pmap-network-qos)# class llfc
OS10(config-pmap-c-nqos)# pause buffer-size 120 pause-threshold 50 resume-threshold 12
OS10(config-pmap-c-nqos)# end
OS10# configure terminal
OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/31,1/1/32
OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol transmit on
OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol receive on
OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# service-policy input typ
VXLAN configuration — VLT peer 2
OS10(config)# configure terminal
OS10(config)# interface vlan 3000
OS10(conf-if-vl-3000)# ip address 5.5.5.3/24
OS10(conf-if-vl-3000)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# exit
OS10(config)# interface loopback 1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 2.2.2.2/32
OS10(conf-if-lo-1)# exit
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 10.10.10.
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# service-policy input type network-qos p5
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# trust-map dot1p t1
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# end
LLFC configuration — VLT peer 2
Instead of PFC, you can configure LLFC as follows:
OS10# configure terminal
OS10(config)# class-map type network-qos llfc
OS10(config-cmap-nqos)# match qos-group 0-7
OS10(config-cmap-nqos)# exit
OS10(config)# policy-map type network-qos llfc
OS10(config-pmap-network-qos)#
NOS#
NOS# configure terminal
NOS(config)# interface ethernet 1/1/3
NOS(conf-if-eth1/1/3)# switchport mode trunk
NOS(conf-if-eth1/1/3)# switchport trunk allowed vlan 200
NOS(conf-if-eth1/1/3)# end
NOS#
NOS# configure terminal
NOS(config)# interface port-channel 2
NOS(conf-if-po-2)# switchport mode trunk
NOS(conf-if-po-2)# switchport trunk allowed vlan 200
NOS(conf-if-po-2)# end
PFC configuration — ToR device
NOS# configure terminal
NOS(config)# trust dot1p-map t1
NOS(config-tmap-dot1p-map)# qos-group 0 dot1p
NOS(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100
NOS(config-wred)# exit
NOS(config)# class-map type queuing cq
NOS(config-cmap-queuing)# match queue 5
NOS(config-cmap-queuing)# exit
NOS(config)# policy-map type queuing pq
NOS(config-pmap-queuing)# class cq
NOS(config-pmap-c-que)# random-detect w1
NOS(config-pmap-c-que)# end
NOS# configure terminal
NOS(config)# interface range ethernet 1/1/1,1/1/2,1/1/3
NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontro
● Detecting microburst congestion
● Monitoring buffer utilization and historical trends
● Determining optimal sizes and thresholds for the ingress or egress shared buffers and headroom on a given port or queue based on real-time data
NOTE: BST is not supported on the S4248F-ON platforms.
After you disable BST, be sure to clear the counter using the clear qos statistics type buffer-statistics-tracking command.
Eth 1/1/22   0   0, 1   0, 2   down
Eth 1/1/23   0   0, 1   0, 2   down
Eth 1/1/24   0   0, 1   0, 2   down
Eth 1/1/25   3   0, 1   1, 3   up
Eth 1/1/26   3   0, 1   1, 3   down
Eth 1/1/27   3   0, 1   1, 3   down
Eth 1/1/28   3   0, 1   1, 3   down
Eth 1/1/29   0   0, 1   0, 2   down
Eth 1/1/30   0   0, 1   0, 2   down
Eth 1/1/31   0   0, 1   0, 2   down
Eth 1/1/32   0   0, 1   0, 2   down
Eth 1/1/33   1   2, 3   0, 2   up
Eth 1/1/34   2   2, 3   1, 3   up
View information for a single interface:
OS10# show qos port-map details interface ethern
View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface     Port Pipe   Ingress MMU   Egress MMU   Oper Status
--------------------------------------------------------------------------
Eth 1/1/1:1   0           0, 1          0, 2         up
MX9116n output example:
OS10# show qos port-map details
--------------------------------------------------------------------------
Interface     Port Pipe   Ingress MMU   Egress MMU   Oper Status
QoS commands
bandwidth
Assigns a percentage of weight to the queue.
Syntax bandwidth percent value
Parameters percent value — Enter the percentage assignment of bandwidth to the queue, from 1 to 100.
Default Not configured
Command Mode POLICY-MAP CLASS-MAP
Usage Information If you configure this command, you cannot use the priority command for the class.
Example OS10(config-pmap-c-que)# bandwidth percent 70
Supported Releases 10.2.
Usage Information If you define a class-map under a policy-map, the qos, queuing, or control-plane type is the same as the policy-map. You must create this map in advance. The only exception to this rule is when the policy-map type is trust, where the class type must be qos.
Example OS10(conf-pmap-qos)# class c1
Supported Releases 10.2.0E or later
class-map
Creates a QoS class-map that filters traffic to match packets to the corresponding policy created for your network.
clear qos statistics type
Clears all queue counters, including PFC, for control-plane, qos, and queueing.
Syntax clear qos statistics type {{qos | queuing | control-plane | buffer-statistics-tracking} [interface ethernet node/slot/port[:subport]]}
Parameters
● qos—Clears qos type statistics.
● queuing—Clears queueing type statistics.
● control-plane—Clears control-plane type statistics.
● buffer-statistics-tracking—Clears the peak buffer usage count statistics on all interfaces and service pools.
control-plane-buffer-size Configures the buffer size for the CPU pool. Syntax control-plane-buffer-size size-of-buffer-pool Parameters size-of-buffer-pool—Enter the buffer size in KB, from 620 KB to 900 KB. Default None Command Mode SYSTEM-QOS Usage Information This command configures the buffer size of the CPU pool. The system allocates a buffer size for the CPU pool from the total system buffer.
Usage Information Applicable only for the S4200-ON series switches. Deep Buffer mode configuration takes effect only after you save it in the startup configuration and reboot the switch. The no version of this command disables Deep Buffer mode.
Example OS10(config)# hardware deep-buffer-mode
Supported Releases 10.4.3.0 or later
match
Configures match criteria for the QoS policy.
Supported Releases 10.2.0E or later
match cos
Matches a class of service (CoS) value to L2 dot1p packets.
Syntax match [not] cos cos-value
Parameters
● cos-value — Enter a CoS value, from 0 to 7.
● not — Enter not to cancel the match criteria.
Default Not configured
Command Modes CLASS-MAP
Usage Information You cannot have two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
● ipv6 — Enter to use IPv6 as the match precedence rule.
● ip-any — Enter to use both IPv4 and IPv6 as the match precedence rule.
● precedence precedence-list — Enter a precedence-list value, from 0 to 7.
Default Not configured
Command Mode CLASS-MAP
Usage Information You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
Parameters size — Enter the size of the buffer (1500 to 9216).
Default 9216
Command Mode POLICY-MAP-CLASS-MAP
Usage Information The no version of this command returns the value to the default.
Example OS10(conf-pmap-nqos-c)# mtu 2500
Supported Releases 10.3.0E or later
pause
Enables a pause based on buffer limits for the port to start or stop communication to the peer.
Parameters cos-value — Enter a single, comma-delimited, or hyphenated range of CoS values for priority flow-control to enable, from 0 to 7.
NOTE: The range 0-7 is invalid. All other ranges, including 0-6 and 1-7 are valid.
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information To configure link-level flow-control, do not configure pfc-cos for the matched class for this policy.
Example OS10(conf-sys-qos)# pfc-shared-buffer-size 2000
Supported Releases 10.3.0E or later
pfc-shared-headroom-buffer-size
Configures the shared headroom size for absorbing the packets after pause frames are generated.
policy-map
Enters QoS POLICY-MAP mode and creates or modifies a QoS policy-map.
Syntax policy-map policy-map-name [type {qos | queuing | control-plane | application | network-qos }]
Parameters
● policy-map-name — Enter a class name for the policy-map. A maximum of 32 characters.
● type — Enter the policy-map type.
  ○ qos — Create a qos policy-map type.
  ○ queuing — Create a queueing policy-map type.
  ○ control-plane — Create a control-plane policy-map type.
you are not using a network-qos type policy for an interface. The no version of this command returns the value to the default.
Example OS10(conf-if-eth1/1/2)# priority-flow-control mode on
Supported Releases 10.3.0E or later
qos-group dot1p
Configures a dot1p trust map to the traffic class.
Syntax qos-group tc-list [dot1p values]
Parameters
● qos-group tc-list — Enter the traffic class ID as a single value, from 0 to 7.
Parameters map-name — Enter the name of the queue trust map. A maximum of 32 characters. Default Not configured Command Mode CONFIGURATION Usage Information If applied on the interface or system level, the traffic class routes all traffic to the mapped queue. The no version of this command returns the value to the default.
○ 3 = 1/16
○ 4 = 1/8
○ 5 = 1/4
○ 6 = 1/2
○ 7 = 1
○ 8 = 2
○ 9 = 4
○ 10 = 8
● static thresh-value — (Optional) Enter the static shared buffer threshold value in bytes, from 1 to 65535.
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information Use the queue-len value parameter to set the minimum guaranteed queue length for a queue. The no version of this command returns the value to the default.
Default 0
Command Mode TRUST-MAP
Usage Information If the trust map does not define traffic class values to a queue, those flows map to the default queue 0. If some of the traffic class values are already mapped to an existing queue, you see an error. The no version of this command returns the value to the default.
Example OS10(conf-tmap-tc-queue-qos)# queue 2 qos-group 5
Supported Releases 10.3.
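The two rules in the usage information above (unmapped traffic classes fall back to queue 0, and re-mapping an already mapped traffic class is an error) can be checked before a map is applied. The following Python model is an added example, not code from this guide or from OS10; it uses the default DSCP-to-traffic-class and 1:1 traffic-class-to-queue maps shown in this guide's show qos maps output, and it assumes that qos-group accepts comma-delimited and hyphenated lists. The map name map1 is constructed.

```python
def parse_id_list(text, low=0, high=7):
    """Parse an ID list such as '5' or '0-2,7' into a sorted list, bounds-checked."""
    ids = set()
    for part in text.split(","):
        part = part.strip()
        start, _, end = part.partition("-")
        first, last = int(start), int(end or start)
        if not (low <= first <= last <= high):
            raise ValueError(f"ID list item {part!r} is outside {low}-{high}")
        ids.update(range(first, last + 1))
    return sorted(ids)


class TcQueueMap:
    """Model of a user-defined traffic-class-to-queue trust map (hypothetical helper)."""

    def __init__(self, name):
        self.name = name
        self.tc_to_queue = {}

    def add(self, queue, qos_groups):
        """Model 'queue <queue> qos-group <list>' entered in TRUST-MAP mode."""
        tcs = parse_id_list(qos_groups)
        clash = [tc for tc in tcs if tc in self.tc_to_queue]
        if clash:
            # Guide: mapping a traffic class that is already mapped is an error.
            raise ValueError(f"traffic class {clash} already mapped in {self.name}")
        for tc in tcs:
            self.tc_to_queue[tc] = queue

    def queue_for(self, tc):
        # Guide: traffic classes the map does not define go to the default queue 0.
        return self.tc_to_queue.get(tc, 0)


def default_tc_for_dscp(dscp):
    """Default DSCP trust map: 0-7 -> 0, 8-15 -> 1, ... 56-63 -> 7."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0-63")
    return dscp // 8


def resolve_queue(dscp, tc_queue_map=None):
    """Return (traffic class, egress queue) for a DSCP value."""
    tc = default_tc_for_dscp(dscp)
    if tc_queue_map is None:
        return tc, tc  # default traffic-class-to-queue map is 1:1
    return tc, tc_queue_map.queue_for(tc)


def shifted_classes(tc_queue_map):
    """Traffic classes whose queue differs from the 1:1 default once the map applies."""
    return {tc: tc_queue_map.queue_for(tc)
            for tc in range(8) if tc_queue_map.queue_for(tc) != tc}


if __name__ == "__main__":
    m = TcQueueMap("map1")          # constructed name
    m.add(2, "5")                   # queue 2 qos-group 5, as in the example above
    print(resolve_queue(46, m))     # DSCP 46 -> traffic class 5 -> queue 2
    print(resolve_queue(26, m))     # DSCP 26 -> traffic class 3 -> queue 0 (unmapped)
    print(shifted_classes(m))
```

Running shifted_classes on a candidate map lists every traffic class that would silently move to queue 0, which is the check to make before applying a partial map on ports that carry PFC-protected traffic.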
random-detect (queue)
Assigns a WRED profile to the specified queue.
Syntax random-detect wred-profile-name
Parameters wred-profile-name — Enter the name of an existing WRED profile.
Default Not configured
Command Mode PMAP-C-QUE
Usage Information The no version of this command removes the WRED profile from the queue.
Example
OS10(config)# policy-map type queuing p1
OS10(config-pmap-queuing)# class c1
OS10(config-pmap-c-que)# random-detect test_wred
Supported Releases 10.4.
Example
OS10(config)# wred test_wred
OS10(config-wred)# random-detect ecn
Supported Releases 10.4.0E(R1) or later
random-detect ecn
Enables ECN for the system globally.
Syntax random-detect ecn
Default Not configured
Command Mode SYSTEM QOS
Usage Information The no version of this command disables ECN globally.
NOTE: This command enables ECN globally and is supported only on the S4200-ON Series platform. In the SYSTEM QOS mode, this command is not available on other platforms.
Usage Information The no version of this command removes the weight factor from the WRED profile.
Example
OS10(config)# wred test_wred
OS10(config-wred)# random-detect weight 10
Supported Releases 10.4.0E(R1) or later
service-policy
Configures the input and output service policies.
Example OS10(conf-pmap-c-qos)# set cos 6
Supported Releases 10.2.0E or later
set dscp
Sets the drop precedence for incoming packets based on their DSCP value and color map profile.
Syntax set dscp dscp-value [color {red | yellow}]
Parameters
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information This command supports only QoS ingress policy type.
● mbps — Enter the committed rate unit in megabits per second, from 0 to 40000.
● pps — Enter the committed rate unit in packets per second, from 1 to 268000000.
● burst-size — Enter the burst size in kilobytes per packet, from 0 to 10000 or 1 to 1073000.
● max — Enter the maximum peak rate in kbps, mbps, or pps.
● max-burst-size — Enter the burst size in kilobytes per packets, from 0 to 10000 or 1 to 1073000.
Example
OS10# show control-plane buffers
queue-number   pool-type   rsvd-buf-size   threshold-mode   threshold-value
--------------------------------------------------------------------------
0              lossy       1664            static           20800
1              lossy       1664            static           20800
2              lossy       1664            static           48880
3              lossy       9216            static           48880
4              lossy       1664            static           20800
5              lossy       1664            static           48880
6              lossy       1664            static           48880
7              lossy       1664            static           48880
8              lossy       1664            static           48880
9              lossy       9216            static           48880
10
Supported Releases
Example
OS10# show control-plane buffer-stats
Queue   TX pckts   TX bytes   Used reserved buffers   Used shared buffers
------------------------------------------------------------------------
0       0          0          0                       0
1       0          0          0                       0
2       0          0          0                       0
3       0          0          0                       0
4       0          0          0                       0
5       0          0          0                       0
6       3          204        0                       0
7       6          408        0                       0
8       0          0          0                       0
9       0          0          0                       0
10      0          0          0                       0
11      0          0          0                       0
12      0          0          0                       0
13      0          0          0                       0
14      0          0          0                       0
15      0          0          0                       0
16      0          0          0                       0
17      0          0          0                       0
18      0          0          0                       0
19      0          0
Supported Releases
Usage Information Use this command to monitor statistics for the control-plane and to troubleshoot CoPP.
Example
Supported Releases
8    0   0   0   0
9    0   0   0   0
10   0   0   0   0
11   0   0   0   0
12   0   0   0   0
13   0   0   0   0
14   0   0   0   0
15   0   0   0   0
16   0   0   0   0
17   0   0   0   0
18   0   0   0   0
19   0   0   0   0
20   0   0   0   0
21   0   0   0   0
22   0   0   0   0
OS10#
Supported Releases 10.2.0E or later
show hardware deep-buffer-mode
Displays the status of Deep buffer mode in the current and next boot of the switch.
Syntax show hardware deep-buffer-mode
Parameters None
Defaults Not configured
Command Modes EXEC
Usage Information Applicable only for the S4200-ON series switches.
show interface priority-flow-control Displays the priority flow-control, operational status, CoS bitmap, and statistics per port. Syntax show interface ethernet node/slot/port[:subport] priority-flow-control [details] Parameters details — (Optional) Displays all priority flow control information for an interface.
show policy-map
Displays information on all existing policy-maps.
Syntax show policy-map type {control-plane | qos | queuing | network-qos}] [policy-map-name]
Parameters
● type — Enter the policy-map type — qos, queuing, or control-plane.
● qos — Displays all policy-maps of qos type.
● queuing — Displays all policy-maps configured of queuing type.
Default Not configured
Command Mode EXEC
Usage Information None
Example
Supported Releases
Command Mode EXEC
Usage Information None
Example
OS10# show qos egress buffers interface ethernet 1/1/1
Interface : ethernet1/1/1
Speed : 0
queue-number   pool-type   rsvd-buf-size   threshold-mode   threshold-value
------------------------------------------------------------------------
0              lossy       1664            dynamic          8
1              lossy       1664            dynamic          8
2              lossy       1664            dynamic          8
3              lossless    0               static           12479488
4              lossy       1664            dynamic          8
5              lossy       1664            dynamic          8
6              lossy       1664            dynamic          8
7              lossy       1664            dynamic          8
Supported Releases 10.3.
show qos egress buffer-stats interface Displays the buffers statistics for the egress interface. Syntax show qos egress buffer-stats interface [interface node/slot/port[:subport]] [detail] Parameters ● interface — (Optional) Enter the interface type. ● node/slot/port[:subport] — (Optional) Enter the port information. ● detail — Displays per MMU egress buffer statistics in platforms with multiple MMU instances such as Z9100-ON, Z9264F-ON, and MX9116n.
show qos ingress buffers interface Displays interface buffer configurations. Syntax show qos ingress buffers interface [interface node/slot/port[:subport]] Parameters ● interface — (Optional) Enter the interface type. ● node/slot/port[:subport] — (Optional) Enter the port information.
buffer-statistics-tracking command to view the actual peak buffer utilization for the current configuration.
Example
OS10# show qos ingress buffer-statistics-tracking interface ethernet 1/1/1
Interface : ethernet1/1/1
Speed : 0
Priority Group   Peak shared buffers   Peak HDRM buffers
------------------------------------------------
0                0                     0
1                0                     0
2                0                     0
3                0                     0
4                0                     0
5                0                     0
6                0                     0
7                0                     0
Supported Releases 10.4.3.
show qos maps
Displays the active system trust map.
Syntax show qos maps type {tc-queue | trust-map-dot1p | trust-map dscp} trust-map-name
Parameters
● dot1p — Enter to view the dot1p trust map.
● dscp — Enter to view the DSCP trust map.
● tc-queue—Enter to view the traffic class to queue map.
● trust-map — Enter the name of the trust map.
Default Not configured
Command Mode EXEC
Usage Information None
Example (dot1p)
Default Dot1p Priority to Traffic-Class Map
Traffic-Class   DOT1P Priority
------------------------------
0               1
1               0
2               2
3               3
4               4
5               5
6               6
7               7
Default Dscp Priority to Traffic-Class Map
Traffic-Class   DSCP Priority
------------------------------
0               0-7
1               8-15
2               16-23
3               24-31
4               32-39
5               40-47
6               48-55
7               56-63
Default Traffic-Class to Queue Map
Traffic-Class   Queue number
------------------------------
0               0
1               1
2               2
3               3
4               4
5               5
6               6
7               7
OS10#
Example (dscp)
OS10# show qos trust-map dscp new-dscp-map
new-dscp-map
qos-group Dsc
Command Mode EXEC
Usage Information The command applies to the Z9332F-ON only. The command provides priority-to-traffic-class and traffic-class-to-queue mapping, both default and user configured. The Type column displays the queue type corresponding to the traffic-class-to-queue map entry. For platforms other than Z9332F-ON, Both displays in the Type column to indicate that the mapping applies to both unicast and multicast queues.
Eth 1/1/12   1   2, 3   0, 2   up
Eth 1/1/13   2   2, 3   1, 3   down
Eth 1/1/14   2   2, 3   1, 3   down
Eth 1/1/15   2   2, 3   1, 3   down
Eth 1/1/16   2   2, 3   1, 3   down
Eth 1/1/17   3   0, 1   1, 3   down
Eth 1/1/18   3   0, 1   1, 3   down
Eth 1/1/19   3   0, 1   1, 3   down
Eth 1/1/20   3   0, 1   1, 3   down
Eth 1/1/21   0   0, 1   0, 2   down
Eth 1/1/22   0   0, 1   0, 2   down
Eth 1/1/23   0   0, 1   0, 2   down
Eth 1/1/24   0   0, 1   0, 2   down
Eth 1/1/25   3   0, 1   1, 3   up
Eth 1/1/26   3   0, 1   1, 3   down
Eth 1/1/27   3   0, 1
Eth 1/1/44:1   0   0, 1   0, 2   up
Eth 1/1/44:2   0   0, 1   0, 2   up
Eth 1/1/44:3   0   0, 1   0, 2   up
Eth 1/1/44:4   0   0, 1   0, 2   up
View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface   Port Pipe   Ingress MMU   Egress MMU   Oper Status
--------------------------------------------------------------------------
Eth 1/1/1   3           0, 1          1, 3         down
Supported Releases 10.5.
show qos system
Displays the QoS configuration applied to the system.
Syntax show qos system
Parameters None
Default Not configured
Command Mode EXEC
Usage Information View and verify system-level service-policy configuration information.
Example
show qos system
ETS Mode : off
ECN Mode : off
buffer-statistics-tracking : off
Supported Releases 10.4.1.0 or later
show qos system buffers
Displays the system buffer configurations and utilization.
Total shared lossy buffers - 10012
Total used shared lossy buffers - 0
MMU 2
Total lossy buffers - 10597
Total shared lossy buffers - 9993
Total used shared lossy buffers - 0
MMU 3
Total lossy buffers - 10597
Total shared lossy buffers - 9993
Total used shared lossy buffers - 0
OS10# show qos system egress buffer
All values are in kb
Total buffers - 12187
Total lossless buffers - 0
Total shared lossless buffers - 0
Total used shared lossless buffers
Total lossy buffers - 11567
Total shared lossy buffers -
Example Example (S4200) — When ECN is enabled globally.
7 0 0 0 0
Example (wred)
OS10# show queuing statistics interface ethernet 1/1/1 wred
Interface ethernet1/1/1 (All queues)
Description        Packets   Bytes
Output             0         0
Dropped            0         0
Green Drop         0         0
Yellow Drop        0         0
Red Drop           0         0
ECN marked count   0         0
Example (queue)
OS10# show queuing statistics interface ethernet 1/1/1 queue 3
Interface ethernet1/1/1
Queue   Packets   Bytes   Dropped-Packets   Dropped-Bytes
3       0         0       0                 0
Supported Releases 10.2.
Example
OS10(config)# trust dot1p-map map1
OS10(config-tmap-dot1p-map)# qos-group 4 dot1p 5
Supported Releases 10.3.0E or later
trust dscp-map
Creates a user-defined trust map for DSCP flows.
Syntax trust dscp-map map-name
Parameters map-name — Enter the name of the DSCP trust map. A maximum of 32 characters.
Default Not configured
Command Mode CONFIGURATION
Usage Information If you enable trust, traffic obeys this trust map. default-dscp-trust is a reserved trust-map name.
Supported Releases 10.4.1.0 or later
wred
Configures a weighted random early detection (WRED) profile.
Syntax wred wred-profile-name
Parameters wred-profile-name — Enter a name for the WRED profile.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the WRED profile.
Example
OS10(config)# wred test_wred
OS10(config-wred)#
Supported Releases 10.4.
22 Virtual Link Trunking
Virtual Link Trunking (VLT) is a Layer 2 aggregation protocol used between an end device such as a server and two or more connected network devices. VLT helps to aggregate ports terminating on multiple switches. OS10 currently supports VLT port channel terminations on two different switches.
VLT:
● Provides node-level redundancy by using the same port channel terminating on multiple upstream nodes.
Optimized forwarding with VRRP
To ensure the same behavior on both sides of the VLT nodes, VRRP requires state information coordination. VRRP Active-Active mode optimizes L3 forwarding over VLT. By default, VRRP Active-Active mode is enabled on all the VLAN interfaces. VRRP Active-Active mode enables each peer to locally forward L3 packets, resulting in reduced traffic flow between peers over the VLTi link.
Spanning-Tree Protocol
VLT ports support RSTP, RPVST+, and MSTP.
● If the primary peer fails, the secondary peer takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption).
● In a VLT domain, the peer network devices must run the same OS10 software version.
NOTE: A temporary exception is allowed during the upgrade process. See the Dell EMC SmartFabric OS 10.5.0.x Release Notes for more information.
● Configure the same VLT domain ID on peer devices.
The following shows a scenario where VLT Peer A is being reloaded or going down: Until LACP convergence happens, the server continues to forward traffic to VLT Peer A resulting in traffic loss for a longer time interval.
These PDUs notify the server to direct the traffic to VLT Peer B hence minimizing traffic loss.
Configure VLT
Verify that both VLT peer devices are running the same operating system version. For VRRP operation, configure VRRP groups and L3 routing on each VLT peer. Configure the following settings on each VLT peer device separately:
1. To prevent loops in a VLT domain, Dell EMC Networking recommends enabling STP globally using the spanning-tree mode command.
NOTE: If a VLT peer is reloaded, it automatically becomes the secondary peer regardless of the VLT primary-priority setting.
4. Configure VLTi interfaces with the no switchport command.
5. Configure the VLTi interfaces on each peer using the discovery-interface command. After you configure both sides of the VLTi, the primary and secondary roles in the VLT domain are automatically assigned if primary priority is not configured.
NOTE: Dell EMC recommends that you disable flow-control on discovery interfaces.
RPVST+ configuration
Configure RPVST+ on both the VLT peers. This creates an RPVST+ instance for every VLAN configured in the system. With RPVST+ configured on both VLT nodes, OS10 supports a maximum of 60 VLANs. The RPVST+ instances in the primary VLT peer control the VLT port channels on both the primary and secondary peers.
NOTE: RPVST+ is the default STP mode running on the switch. Use the following command only if you have another variant of the STP running on the switch.
RSTP configuration ● Enable RSTP on each peer node in CONFIGURATION mode.
instance instance-number vlan from-vlan-id — to-vlan-id
4. Configure the MST revision number, from 0 to 65535.
MULTIPLE-SPANNING-TREE
revision revision-number
5. Configure the MST region name.
MULTIPLE-SPANNING-TREE
name name-string
The following example shows that both VLT nodes are configured with the same MST VLAN-to-instance mapping.
Number of transitions to forwarding state: 1
Edge port: No (default)
Link Type: Point-to-Point
BPDU Sent: 2714, Received: 1234
Port 2001 (VLT-LAG -1(vlt-portid-1)) of MSTI 0 is designated Forwarding
Port path cost 200000, Port priority 128, Port Identifier 128.2001
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
Peer 2
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/1-1/1/2
Configure the VLT MAC address
You can manually configure the VLT MAC address. Configure the same VLT MAC address on both the VLT peer switches to avoid any unpredictable behavior during a VLT failover.
Configure the VLT backup link using the backup destination {ip-address | ipv6 ipv6-address} [vrf management] [interval interval-time] command. The interval range is from 1 to 30 seconds. The default interval is 30 seconds. Irrespective of the interval that is configured, when the VLTi link fails, the system checks for the heartbeat connection without waiting for the timed intervals, thus allowing faster convergence.
For example, as shown, after the VLTi is down, VLT peer1 learns the MAC address of Host 2: VLT Peer 2 is not synchronized with the MAC address of Host 2 because the VLTi link is down. When traffic from Host 1 is sent to VLT Peer 2, VLT Peer 2 floods the traffic. When the VLT backup link is enabled, the secondary VLT Peer 2 identifies the node liveliness through the backup link. If the primary is up, the secondary peer brings down VLT port channels.
Role of VLT backup link in the prevention of loops during VLTi failure
When the VLTi is down, STP may fail to detect any loops in the system. This failure creates a data loop in an L2 network. As shown, STP is running in all three switches: In the steady state, VLT Peer 1 is elected as the root bridge. When the VLTi is down, both the VLT nodes become primary. In this state, VLT Peer 2 sends STP BPDU to TOR assuming that TOR sends BPDU to VLT Peer 1.
When the VLT backup link is enabled, the secondary VLT peer identifies the node liveliness of primary through the backup link. If the primary VLT peer is up, the secondary VLT peer brings down the VLT port channels. In this scenario, the STP opens up the orphan port and there is no loop in the system, as shown:
Configure a VLT port channel
A VLT port channel, also known as a virtual link trunk, links an attached device and VLT peer switches. OS10 supports a maximum of 128 VLT port channels per node.
1.
Configure VLT port channel — peer 1
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20
Configure VLT port channel — peer 2
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20
Configure VLT peer routing
VLT peer routing enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed. VLT supports unicast routing of both IPv4 and IPv6 traffic. To enable VLT unicast routing, both VLT peers must be in L3 mode.
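The VLT configuration steps above put several requirements on the peer pair: the same VLT domain ID, the same VLT MAC address, a backup destination so that a VLTi failure does not leave both peers primary, and VLTi members configured with no switchport and with flow control disabled. The following Python audit is an added example, not code from this guide or from OS10, that checks two running-config excerpts against those requirements. The sample configurations are constructed; the vlt-mac keyword, the rapid-pvst default mode name, and the running-config layout are assumptions about OS10 output.

```python
import re

# Constructed running-config excerpts for two VLT peers (not from the guide).
PEER_A = """\
spanning-tree mode rstp
interface ethernet1/1/1
 no switchport
interface ethernet1/1/2
 no switchport
vlt-domain 1
 backup destination 192.0.2.2
 discovery-interface ethernet1/1/1-1/1/2
 vlt-mac 00:00:00:00:00:02
"""
PEER_B = """\
spanning-tree mode rstp
interface ethernet1/1/1
 no switchport
interface ethernet1/1/2
 no switchport
 flowcontrol receive on
vlt-domain 1
 discovery-interface ethernet1/1/1-1/1/2
 vlt-mac 00:00:00:00:00:03
"""


def parse_blocks(config):
    """Split a running-config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def expand_discovery(spec):
    """Expand 'ethernet1/1/1-1/1/2' (or a single port) into interface names."""
    m = re.fullmatch(r"ethernet\s*(\d+/\d+/)(\d+)(?:-(\d+/\d+/)(\d+))?", spec)
    if not m or (m.group(3) and m.group(3) != m.group(1)):
        return [spec]  # unsupported form (for example breakout ports): keep as written
    prefix, first, last = m.group(1), int(m.group(2)), int(m.group(4) or m.group(2))
    return [f"ethernet{prefix}{n}" for n in range(first, last + 1)]


def vlt_facts(config):
    """Collect the VLT-relevant settings from one peer's configuration."""
    blocks = parse_blocks(config)
    # Assumption: no 'spanning-tree mode' line means the RPVST+ default is in effect.
    facts = {"domain": None, "mac": None, "backup": None, "discovery": [],
             "stp": "rapid-pvst", "blocks": blocks}
    for header, children in blocks.items():
        if header.startswith("spanning-tree mode "):
            facts["stp"] = header.split()[-1]
        elif header.startswith("vlt-domain "):
            facts["domain"] = header.split()[1]
            for line in children:
                if line.startswith("vlt-mac "):
                    facts["mac"] = line.split()[1].lower()
                elif line.startswith("backup destination "):
                    facts["backup"] = line.split(None, 2)[2]
                elif line.startswith("discovery-interface "):
                    facts["discovery"] += expand_discovery(line.split(None, 1)[1])
    return facts


def audit_vlt_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair passed every check."""
    a, b = vlt_facts(cfg_a), vlt_facts(cfg_b)
    findings = []
    if a["domain"] is None or b["domain"] is None:
        findings.append("vlt-domain is missing on at least one peer")
    elif a["domain"] != b["domain"]:
        findings.append(f"VLT domain ID mismatch: {a['domain']} vs {b['domain']}")
    if a["mac"] != b["mac"]:
        findings.append(f"vlt-mac mismatch: {a['mac']} vs {b['mac']}")
    if a["stp"] != b["stp"]:
        findings.append(f"spanning-tree mode mismatch: {a['stp']} vs {b['stp']}")
    for name, f in (("peer A", a), ("peer B", b)):
        if f["backup"] is None:
            findings.append(f"{name}: no backup destination (no heartbeat if the VLTi fails)")
        if not f["discovery"]:
            findings.append(f"{name}: no discovery-interface configured")
        for ifname in f["discovery"]:
            body = f["blocks"].get(f"interface {ifname}", [])
            if "no switchport" not in body:
                findings.append(f"{name}: {ifname} is a VLTi member without 'no switchport'")
            if any(re.fullmatch(r"flowcontrol (receive|transmit) on", l) for l in body):
                findings.append(f"{name}: {ifname} has flow control enabled on a discovery interface")
    return findings


if __name__ == "__main__":
    for finding in audit_vlt_pair(PEER_A, PEER_B):
        print(finding)
```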
Migrate VMs across data centers with eVLT OS10 switches support movement of virtual machines (VMs) across data centers using VRRP Active-Active mode. Configure symmetric VRRP with the same VRRP group ID and virtual IP in VLANs stretched or spanned across data centers. VMs use the VRRP Virtual IP address of the VLAN as Gateway IP. As the VLAN configurations are symmetric across data centers, you can move the VMs from one data center to another.
● Configure VRRP on L2 links between core routers:
C1(config)# interface vlan 100
C1(conf-if-vl-100)# ip address 10.10.100.1/24
C1(conf-if-vl-100)# vrrp-group 10
C1(conf-vlan100-vrid-10)# priority 250
C1(conf-vlan100-vrid-10)# virtual-address 10.10.100.
D1(config)# interface ethernet 1/1/4
D1(conf-if-eth1/1/4)# channel-group 10
D1(conf-if-eth1/1/4)# exit
● Configure OSPF on L3 side of core router:
D1(config)# router ospf 100
D1(config-router-ospf-100)# redistribute connected
D1(conf-router-ospf-100)# exit
D1(config)# interface vlan 200
D1(conf-if-vl-200)# ip ospf 100 area 0.0.0.
● Add members to port channel 20:
C2(config)# interface ethernet 1/1/5
C2(conf-if-eth1/1/5)# channel-group 20
C2(conf-if-eth1/1/5)# exit
C2(config)# interface ethernet 1/1/6
C2(conf-if-eth1/1/6)# channel-group 20
C2(conf-if-eth1/1/6)# exit
Sample configuration of D2:
● Configure VRRP on L2 links between core routers:
D2(config)# interface vlan 100
D2(conf-if-vl-100)# ip address 10.10.100.4/24
D2(conf-if-vl-100)# vrrp-group 10
D2(conf-vlan100-vrid-10)# virtual-address 10.10.100.
View VLT information
To monitor the operation or verify the configuration of a VLT domain, use a VLT show command on primary and secondary peers.
● View detailed information about the VLT domain configuration in EXEC mode, including VLTi status, local and peer MAC addresses, peer-routing status, and VLT peer parameters.
show vlt domain-id
● View the role of the local and remote VLT peer in EXEC mode.
show vlt domain-id role
● View any mismatches in the VLT configuration in EXEC mode.
Configuring delay-restore port - non-VLT
The following table shows how to configure delay-restore ports on an interface and with a timer value:
Table 146. Configuring delay-restore port on an interface
Step | Command | Description
1 | OS10# configure terminal | Enters Configuration mode.
2 | OS10(config)# interface ethernet 1/1/1 | Enters Interface configuration mode.
3 | OS10(conf-if-eth1/1/1)# delay-restore-port enable | Enables delay-restore port.
Table 148. Configuring delay-restore orphan ports
Steps  Command                                                       Description
1      OS10# configure terminal                                      Enters Configuration mode.
2      OS10(config)# interface ethernet 1/1/1                        Enters Interface configuration mode.
3      OS10(conf-if-eth1/1/1)# vlt delay-restore orphan-port enable  Enables delay-restore orphan port.
4      OS10(conf-if-eth1/1/1)# exit                                  Exits Interface configuration mode and enters Configuration mode.
5      OS10(conf)# vlt-domain 1                                      Enters VLT domain mode.
● When VLTi fails and the VLT heart-beat is down, both the VLT peers become primary (split brain).
● Ethernet1/1/1 in both the VLT peers is kept up.
● When VLTi recovers, election occurs. The port remains up in the peer elected as the primary node.
● In the secondary VLT peer, ethernet1/1/1 is brought down (since ignore vlti-failure configuration is disabled) and the delay-restore timer is started.
● A syslog indicating that the delay-restore timer has started is thrown on the console.
Table 150. Disable delay-restore orphan ports
Steps  Command                                                          Description
4      OS10(conf-if-eth1/1/1)# no vlt delay-restore orphan-port enable  Disables delay-restore orphan port.

The following table provides the behavior of orphan ports with different DROP configurations and events:
Table 151.
When delay-restore port or delay-restore orphan port is enabled on an interface and the respective delay-restore timer is running, the port is immediately brought down. This complies with the behavior of VLT ports: when a normal LAG is converted into a VLT LAG while the delay-restore timer is running, the LAG is immediately brought down.
Supported Releases  10.3.0E or later

delay-restore-port enable
Enables or disables delay-restore configuration at interface level.
Syntax              delay-restore-port enable
                    To disable the delay-restore configuration, enter the no delay-restore-port enable command.
Parameters          None.
Default             Disabled
Command Mode        INTERFACE CONFIGURATION MODE
Usage Information   Use the range command to enable delay-restore-port on all interfaces or a selected range of interfaces.
delay-restore-port timeout
Configures delay-restore port timer value.
Syntax              delay-restore-port timeout timeout-value
                    To remove configured timer value and return to default, enter the no delay-restore-port timeout command.
Parameters          ● timeout timeout-value - Enter the keyword timeout followed by the timeout value. The range is from 1 to 1200.
peer-routing
Enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed.
Syntax              peer-routing
Parameters          None
Default             Disabled
Command Mode        VLT-DOMAIN
Usage Information   The no version of this command disables peer routing.
Example             OS10(conf-vlt-1)# peer-routing
Supported Releases  10.2.0E or later

peer-routing-timeout
Configures the delay after which the system disables peer routing when the peer is not available.
● If the heartbeat is up and the VLTi link goes down between the VLT peers, both the VLT peers retain their primary and secondary roles. However, the VLT port channel on the secondary VLT peer shuts down.
NOTE: When you configure a priority for VLT peers using this command, the configuration does not take effect immediately. The primary priority configuration comes into effect the next time election is triggered.
Example             OS10(conf-vlt-1)#primary-priority 2
Supported Releases  10.4.1.
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 11, Received: 7
Interface                                                Designated
Name                    PortID  Prio  Cost  Sts  Cost  Bridge ID             PortID
---------------------------------------------------------------------------------------------
VFP(VirtualFabricPort)  0.1     0     1     FWD  0     32768 0078.7614.6062  0.
Example (MSTP information on VLT)
OS10# show spanning-tree virtual-interface detail
Port 1 (VFP(VirtualFabricPort)) of MSTI 0 is designated Forwarding
Port path cost 0, Port priority 128, Port Identifier 128.1
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
show vlt
Displays information on a VLT domain.
Syntax              show vlt domain-id delay-restore-orphan-port
Parameter           ● domain-id — Enter a VLT domain ID, from 1 to 255.
                    ● delay-restore orphan-port - Enter the delay-restore orphan-port keyword to display the delay-restore orphan-port status.
Default             Not configured
Command Mode        EXEC
Usage Information   In the following example, the status of the VLT node should be up.
Po1 Po4
Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/10 Po4
Supported Releases  10.2.0E or later

show vlt domain-id delay restore orphan port
Displays the delay restore orphan port information on a VLT domain.
Syntax              show vlt domain-id delay-restore-orphan-port
Parameter           ● domain-id — Enter a VLT domain ID, from 1 to 255.
                    ● delay-restore orphan-port - Enter the delay-restore orphan-port keyword to display the delay-restore orphan-port status.
Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/10 Po4
Supported Releases  10.5.2.0 or later

show vlt backup-link
Displays detailed status of the heartbeat
Syntax              show vlt domain-id backup-link
Parameters          domain-id — Enter the VLT domain ID.
Default egress mask:
In-ports qualifier : ethernet1/1/1-1/1/2
Blocked ports : ethernet1/1/1-1/1/2, 1/1/10-1/1/14, 1/1/16
Supported Releases  10.5.2.1 or later

show vlt error-disabled-ports
Displays VLT ports that are in the error-disabled state.
Syntax              show vlt id error-disabled-ports
Parameters          id—Enter the VLT domain ID, from 1 to 255.
Default             Not configured
Command Mode        EXEC
Usage Information   Use this command to view VLT ports that are in error-disabled state.
Use this command if there are traffic convergence issues.
Example
OS10# show vlt-mac-inconsistency
Checking Vlan 228 .. Found 7 inconsistencies ..
No mismatch
VLAN mismatch: No mismatch
VLT VLAN mismatch: No mismatch

Example (mismatch)
OS10# show vlt 1 mismatch
Peer-routing mismatch:
VLT Unit ID    Peer-routing
-----------------------------------
* 1            Enabled
  2            Disabled
VLAN mismatch: No mismatch
VLT VLAN mismatch:
VLT ID : 1
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2
VLT ID : 2
VLT Unit ID    Mismatch VLAN List
----------------------------------
* 1            1
  2            2

Example (mismatch peer routing)
Example (mismatch VLAN)
OS10# show vlt
Example (mismatch — Virtual Network (VN) name not available in the peer)
Example (mismatch of VLTi and VLAN)
Example (mismatch of VN mode)
Example (mismatch of port and VLAN list)

OS10# show vlt all mismatch virtual-network
Virtual Network Name Mismatch:
VLT Unit ID    Mismatch Virtual Network List
----------------------------------------------------------------------------
  1            10,104
* 2
OS10# show vlt all mismatch virtual-network
Virtual Network: 100
VLT Unit ID    Configured VLTi-Vlans
-------------------------
Virtual-network: 10
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.25
* 2            10.16.128.20
Virtual-network: 20
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.26
* 2            10.16.128.30

Example (Anycast IP addresses not configured on one of the virtual networks on both peers)
show vlt 1 mismatch virtual-network
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 10
VLT Unit ID    Anycast-IP
-------------------------------------
  1            10.16.128.
Example (mismatch VLAN anycast IP)
OS10# show vlt 1 mismatch vlan-anycast
VLAN anycast ip Mismatch:
VLAN: 2000
VLT Unit ID    Anycast-IPs
----------------------------------------------------------------------------
* 1            64::100, 64.6.7.88
  2            100::100, 100.101.102.100
VLAN: 3000
VLT Unit ID    Anycast-IPs
----------------------------------------------------------------------------
* 1            100.101.102.
Parameters          id — Enter the VLT domain ID, from 1 to 255.
Default             Not configured
Command Mode        EXEC
Usage Information   The * in the mismatch output indicates a local mismatch.
Example             OS10# show vlt 1 role
                    VLT Unit ID    Role
                    ------------------------
                    * 1            primary
                      2            secondary
Supported Releases  10.2.0E or later

show vlt vlt-port-detail
Displays detailed status information about the VLT ports.
Syntax              show vlt id vlt-port-detail
Parameters          id — Enter a VLT domain ID, from 1 to 255.
Example             OS10(config)# vlt-domain 1
Supported Releases  10.2.0E or later

vlt delay-restore orphan-port enable
Enables or disables delay-restore orphan port on an interface.
Syntax              vlt delay-restore orphan-port enable
Parameters          None.
Default             Disabled
Command Mode        INTERFACE CONFIGURATION MODE
Usage Information   Use the range command to enable delay-restore orphan ports on all interfaces or on a selected range of interfaces.
Supported Releases  10.5.2 or later

vlt delay-restore orphan-port ignore vlti-failure
Considers or ignores VLTi failures for delay-restore orphan port.
Syntax              vlt delay-restore orphan-port ignore vlti-failure
                    To disable the delay-restore orphan port configuration, enter the no delay-restore orphan-port ignore vlti-failure command.
Parameters          None.
Command Mode        PORT-CHANNEL INTERFACE
Usage Information   Assign the same VLT port-channel ID to interfaces on VLT peers to create a VLT port-channel. The no version of this command removes the VLT port-channel ID configuration.
Example (peer 1)    OS10(conf-if-po-10)# vlt-port-channel 1
Example (peer 2)    OS10(conf-if-po-20)# vlt-port-channel 1
Supported Releases  10.2.0E or later

vlt-mac
Configures a MAC address for all peer switches in a VLT domain.
23 Uplink Failure Detection
Uplink failure detection (UFD) indicates the loss of upstream connectivity to servers connected to the switch. A switch provides upstream connectivity for devices, such as servers. If the switch loses upstream connectivity, the downstream devices also lose connectivity. However, the downstream devices do not generally receive an indication that the upstream connectivity was lost because connectivity to the switch is still operational. To solve this issue, use UFD.
Configure uplink failure detection
Consider the following before configuring an uplink-state group:
● An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state.
● An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
● You can assign a physical port or a port channel to an uplink-state group.
● You can assign an interface to only one uplink-state group at a time.
● If you disable an uplink-state group, the downstream interfaces are not disabled, regardless of the state of the upstream interfaces.
● If you do not assign upstream interfaces to an uplink-state group, the downstream interfaces are not disabled.

Configuration:
1. Create an uplink-state group in CONFIGURATION mode.
   uplink-state-group group-id
2. Configure the upstream and downstream interfaces in UPLINK-STATE-GROUP mode.
Eth 1/1/5(Dwn) Eth 1/1/9:2(Dwn) Eth 1/1/9:3(Dwn)

OS10#show uplink-state-group 1 detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled (NA): Not Available
*: VLT port-channel, V: VLT status, P: Peer Operational status ^: Tracking status
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)

OS10#show uplink-state-group 2 detail
(Up): Interface up (Dwn): Interfa
Table 152. UFD on VLT network

Event: VLTi Link is operationally up with heartbeat up
  VLT action on primary node: No action
  VLT action on secondary node: VLT module sends VLT port-channel enable request to Interface Manager (IFM) for both uplink and downlink.
  UFD action: UFD receives operationally up of upstream VLT port-channel and sends clear error-disable of downstream VLT port-channel to IFM.

Event: Reboot of VLT secondary peer
  VLT action on primary node: No action
  VLT action on secondary node: After reboot, runs the delay restore timer.
Sample configurations of UFD on VLT
The following examples show some of the uplink-state groups on VLT.
In the following illustration, both the upstream and downstream members are part of VLT port-channels. The uplink-state group includes both the VLT port-channels as members.
In the following example, the upstream member is part of VLT port-channel and the downstream member is an orphan port. The uplink-state group includes the VLT port-channel, VLT node, and the downstream port.
OS10 does not support adding a VLTi link member to the uplink-state group. You can add the VLTi link as upstream member to an uplink-state group using the upstream VLTi command. If the VLTi link is not available in the system, OS10 allows adding the VLTi link as an upstream member. In this case, UFD starts tracking the operational status of the VLTi link when the link is available. Until the VLTi link is available, the show uplink-state-group details command displays the status of the link as NA.
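The uplink-state group rules listed under "Configure uplink failure detection" can be checked offline before a change is pushed. The following is an added example, not Dell's code: a small Python model that validates group membership and predicts which downstream ports UFD would hold down for a given set of link states. The data model, function names and interface names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GROUP_IDS = range(1, 33)   # uplink-state-group ID range given in this guide
NAME_MAX = 32              # maximum group name length given in this guide


@dataclass
class UplinkStateGroup:
    """Hypothetical in-memory form of one uplink-state-group block."""
    group_id: int
    enabled: bool                      # whether tracking is enabled for the group
    name: str = ""
    upstream: list = field(default_factory=list)
    downstream: list = field(default_factory=list)


def validate(groups):
    """Return the configuration problems that the guide's rules exclude."""
    problems, owner = [], {}
    for g in groups:
        if g.group_id not in GROUP_IDS:
            problems.append(f"group {g.group_id}: ID outside 1-32")
        if len(g.name) > NAME_MAX:
            problems.append(f"group {g.group_id}: name longer than {NAME_MAX} characters")
        # An interface may belong to only one uplink-state group at a time.
        for intf in g.upstream + g.downstream:
            if intf in owner:
                problems.append(f"{intf}: already a member of group {owner[intf]}")
            else:
                owner[intf] = g.group_id
    return problems


def group_is_up(group, link_up):
    """Operationally up: at least one upstream interface is in Link-Up state."""
    return any(link_up.get(intf, False) for intf in group.upstream)


def ufd_disabled(groups, link_up):
    """Downstream interfaces UFD would disable for the given link states."""
    held = set()
    for g in groups:
        # A disabled group, or one with no upstream members, never
        # disables its downstream interfaces.
        if not g.enabled or not g.upstream:
            continue
        if not group_is_up(g, link_up):
            held.update(g.downstream)
    return sorted(held)


# Constructed sample groups (not taken from a real switch).
GROUPS = [
    UplinkStateGroup(1, True, "iscsi_group",
                     ["ethernet1/1/35", "port-channel10"],
                     ["ethernet1/1/2", "port-channel20"]),
    UplinkStateGroup(2, False, "lab", ["ethernet1/1/36"], ["ethernet1/1/3"]),
    UplinkStateGroup(3, True, "", [], ["ethernet1/1/4"]),
]

if __name__ == "__main__":
    all_down = {"ethernet1/1/35": False, "port-channel10": False,
                "ethernet1/1/36": False}
    print(validate(GROUPS))
    print(ufd_disabled(GROUPS, all_down))
```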
UFD commands

clear ufd-disable
Overrides the uplink-state group configuration and brings up the downstream interfaces.
Syntax              clear ufd-disable {interface interface-type | uplink-state-group group-id}
Parameters          ● interface-type — Enter the interface type.
                    ● group-id — Enter the uplink state group ID, from 1 to 32.
Default             None
Command Mode        EXEC
Usage Information   This command manually brings up a disabled downstream interface that is in a UFD-disabled error state.
Mode. See upstream CLI command for more information. The no version of this command removes the interface from the uplink-state group.
Example             OS10(config)# uplink-state-group 1
                    OS10(conf-uplink-state-group-1)# downstream ethernet 1/1/1
Supported Releases  10.4.0E(R3) or later

downstream auto-recover
Enables auto-recovery of the disabled downstream interfaces.
Usage Information   The no version of this command disables tracking of an uplink-state group.
Example             OS10(config)# uplink-state-group 1
                    OS10(conf-uplink-state-group-1)# enable
Supported Releases  10.4.0E(R3) or later

name
Configures a descriptive name for the uplink-state group.
Syntax              name string
Parameters          string — Enter a description for the uplink-state group. A maximum of 32 characters.
● detail — Displays detailed information on the status of the uplink-state groups.
Supported Releases  10.4.0E(R3) or later

uplink-state-group
Creates an uplink-state group and enables upstream link tracking.
Syntax              uplink-state-group group-id
Parameters          group-id — Enter a unique ID for the uplink-state group, from 1 to 32.
Default             None
Command Mode        CONFIGURATION
Usage Information   The no version of this command removes the uplink-state group.
Example             OS10(config)# uplink-state-group 1
Supported Releases  10.4.
24 Converged data center services
OS10 supports converged data center services, including IEEE 802.1 data center bridging (DCB) extensions to classic Ethernet. DCB provides I/O consolidation in a data center network. Each network device carries multiple traffic classes while ensuring lossless delivery of storage traffic with best-effort for local area network (LAN) traffic and latency-sensitive scheduling of service traffic.
● 802.1Qbb — Priority flow control
● 802.
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● Provisioning PFC is not supported when deep buffer mode is enabled.
● Configure the traffic class ID to queue mapping policy on egress interfaces.
● You cannot enable PFC on all the physical interfaces, when you have split the ports to multiple breakout interfaces. For more information, see the 'PFC configuration notes' section in the Dell EMC SmartFabric OS10 User Guide.
● Apply the default trust map specifying that dot1p values are trusted in SYSTEM-QOS or INTERFACE mode.
  trust-map dot1p default

Configure a non-default dot1p-priority-to-traffic class mapping
1. Configure a trust map of dot1p traffic classes in CONFIGURATION mode. A trust map does not modify ingress dot1p values in output flows. Assign a qos-group to trusted dot1p values in TRUST mode using 1-to-1 mappings. Dot1p priorities are 0 to 7.
Default TC-to-queue mapping format
The following is the format for Z9332F-ON:

Default Traffic-Class to Queue Map
Traffic Class   Queue Number   Type
---------------------------------------------
0               0              Unicast
0-2             0              Multicast
1               1              Unicast
3-5             1              Multicast
2               2              Unicast
6-7             2              Multicast
3               3              Unicast
4               4              Unicast
5               5              Unicast
6               6              Unicast
7               7              Unicast

The following is the default TC-to-Queue Mapping format:

Default Traffic-Class to Queue Map
Traffic-Class   Queue number   Type
----------------------------------------
0               0              Both
1               1              B
4. (Optional) Configure the PFC shared buffer for lossless traffic.

Create PFC dot1p traffic classes
1. Create a network-qos class map to classify PFC traffic classes in CONFIGURATION mode, from 1 to 7. Specify the traffic classes using the match qos-group command. QoS-groups map 1:1 to traffic classes 1 to 7; for example, qos-group 1 corresponds to traffic class 1. Enter a single value, a hyphen-separated range, or multiple qos-group values separated by commas in CLASS-MAP mode.
PFC is enabled on traffic classes with dot1p 3 and 4 traffic. The two traffic classes require different ingress queue processing. In the network-qos pp1 policy map, class cc1 uses customized PFC buffer size and pause frame settings; class cc2 uses the default settings.
3 - - - - 4 - - - - 5 - - - - 6 - - - - 7 9360 static 12779520 - - View PFC system buffer configuration OS10# show qos system ingress buffer All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 12187 0 5512 0 11567 11192 0 OS10# show qos system egress buffer All values are in kb Total buffers - 12187 Total
Parameters
● buffer-size kilobytes — Enter the reserved (guaranteed) ingress-buffer size in kilobytes for PFC dot1p traffic, from 0 to 7787.
● pause-threshold kilobytes — Enter the buffer threshold limit (in kilobytes) to send pause frames to a transmitting device to temporarily halt the data transmission, from 0 to 7787.
● resume-threshold kilobytes — Enter the threshold limit (in kilobytes) at which a request is sent to the transmitting device to resume sending traffic, from 0 to 7787.
Example (policymap)  OS10(config)# policy-map type network-qos pp1
                     OS10(conf-pmap-network-qos)# class cc1
                     OS10(conf-pmap-c-nqos)# pfc-cos 3
Supported Releases   10.3.0E or later

pfc-shared-buffer-size
Configures the number of shared buffers available for PFC-enabled traffic on the switch.
Syntax               pfc-shared-buffer-size kilobytes
Parameter            kilobytes — Enter the total amount of shared buffers available to PFC-enabled dot1p traffic in kilobytes, from 0 to 7787.
Parameters
● thresh-mode — Specifies the buffer threshold mode.
● static kilobytes — Enter the keyword static followed by the fixed shared-buffer limit available for PFC traffic-class queues in kilobytes, from 0 to 7787. The value of this parameter must be within the maximum amount tuned by the pfc-shared-buffer-size command.
● dynamic weight — Enter the keyword dynamic followed by the weight value used to dynamically determine the shared-buffer limit available for PFC traffic-class queues, from 1 to 10.
Enhanced transmission selection
ETS provides customized bandwidth allocation to 802.1p classes of traffic. Assign different amounts of bandwidth to Ethernet, FCoE, or iSCSI traffic classes that require different bandwidth, latency, and best-effort treatment during network congestion. ETS divides traffic into different priority groups using their 802.1p priority value.
number is used only internally to schedule classes of ingress traffic. Enter multiple dot1p and dscp values in a hyphenated range or separated by commas.
   trust dot1p-map dot1p-map-name
     qos-group {0-7} dot1p {0-7}
     exit
   trust dscp-map dscp-map-name
     qos-group {0-7} dscp {0-63}
     exit
2. Configure a QoS map with trusted traffic-class (qos-group) to lossless-queue mapping in CONFIGURATION mode. Assign one or more qos-groups, from 0 to 7, to a specified queue in QOS-MAP mode.
8. Apply the queuing policy to egress traffic in SYSTEM-QOS or INTERFACE mode.
   service-policy output type queuing policy-map-name
9. Enable ETS globally in SYSTEM-QOS mode or on an interface/interface range in INTERFACE mode.
   NOTE: If you have not enabled PFC on all the interfaces, this configuration at the global level is not required. Enable ETS on the specific interfaces.
View QoS maps: traffic-class to queue mapping
OS10# show qos maps
Traffic-Class to Queue Map: tc-q-map1
 queue 0 qos-group 0
 queue 1 qos-group 1
Traffic-Class to Queue Map: dot1p_map1
 qos-group 0 dot1p 0-3
 qos-group 1 dot1p 4-7
DSCP Priority to Traffic-Class Map : dscp_map1
 qos-group 0 dscp 0-31
 qos-group 1 dscp 32-63

ETS commands

ets mode on
Enables ETS on an interface.
DCBX configuration notes
● DCBX is a prerequisite for using DCB features, such as PFC and ETS, to exchange link-level configurations in a converged network.
● DCBX, when deployed in topologies, enables lossless operation for FCoE or iSCSI traffic. In these scenarios, all network devices in the topology must have DCBX enabled.
● DCBX uses LLDP to advertise and automatically negotiate the administrative state and PFC or ETS configuration with directly connected DCB peers.
● OS10 supports DCBX versions CEE and IEEE2.5.
● If ETS and PFC are enabled, DCBX advertises ETS configuration, ETS recommendation, and PFC configuration. When you configure application-specific parameters such as FCoE or iSCSI to be advertised, DCBX advertises the respective Application Priority TLVs.
● A DCBX-enabled port operates only in a manual role. In this mode, the port operates only with user-configured settings and does not autoconfigure with DCB settings that are received from a DCBX peer.
Interface ethernet1/1/3
Port Role is Manual
DCBX Operational Status is Disabled
Reason: Port Shutdown
Is Configuration Source? FALSE
Local DCBX Compatibility mode is AUTO
Local DCBX Configured mode is AUTO
Peer Operating version is Not Detected
Local DCBX TLVs Transmitted: erpfi
0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC
0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0
0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0
0 Input Appln Priority TLV pkts, 0 Output Appln Priority Prio
Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
Local ISCSI PriorityMap is 0x10
Remote ISCSI PriorityMap is 0x10
220 Input TLV pkts, 350 Output TLV pkts, 0 Error pkts
71 Input Appln Priority TLV pkts, 80 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts

View DCBX ETS TLV status
OS10# show lldp dcbx interface ethernet 1/1/15 ets detail
Interface ethernet1/1/15
Max Supported PG is 8
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
PG-grp Priority# Bandwidth TSA
------------------------------
DCBX commands

dcbx enable
Enables DCBX globally on all interfaces.
Syntax              dcbx enable
Parameters          None
Default             Disabled
Command Mode        CONFIGURATION
Usage Information   DCBX is disabled at a global level and enabled at an interface level by default. For DCBX to be operational, DCBX must be enabled at both the global and interface levels. Enable DCBX globally using the dcbx enable command to activate the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations.
Command Mode        INTERFACE
Usage Information   In Auto mode, a DCBX-enabled port detects an incompatible DCBX version on a peer device port and automatically reconfigures a compatible version on the local port. The no version of this command disables the DCBX version.
Example             OS10(conf-if-eth1/1/2)# dcbx version cee
Supported Releases  10.3.0E or later

debug dcbx
Enables DCBX debugging.
Supported Releases  10.3.0E or later

show debug dcbx
Displays the list of debug options that are enabled for DCBX.
Syntax              show debug dcbx
Parameters          None
Command Mode        EXEC
Usage Information   None
Example             OS10# show debug dcbx
                    Dcbx debug settings:
                    debug dcbx all
                    no debug dcbx events interface mgmt
                    debug dcbx pdu in interface ethernet 1/1/1
Supported Releases  10.5.1.0 or later

show lldp dcbx
Displays the DCBX configuration and PFC or ETS TLV status on an interface.
Peer Operating version is Not Detected
Local DCBX TLVs Transmitted: erpfi
0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC pkts
0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts
0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts
0 Input Appln Priority TLV pkts, 0 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecogn
Interface ethernet1/1/15
Port Role is Manual
DCBX Operational Status is Enabled
Is Configuration Source? FALSE
Local DCBX Compatibility mode is IEEEv2.5
Local DCBX Configured mode is IEEEv2.5
Peer Operating version is IEEEv2.
6                  0%         SP
7                  0%         SP
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
5 Input Conf TLV Pkts, 2 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
5 Input Reco TLV Pkts, 2 Output Reco TLV Pkts, 0 Error Reco TLV Pkts

Example (PFC detail)
OS10# show lldp dcbx interface ethernet 1/1/15 pfc detail
Interface ethernet1/1/15
Admin mode is on
Admin is enabled, Priority list is 4,5,6,7
Remote is enabled, Priority list is 4,5,6,7
Remote
In an iSCSI session, a switch connects CNA servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN or TCP/IP network. iSCSI optimization running on the switch uses dot1p priority-queue assignments to ensure that iSCSI traffic receives priority treatment.

iSCSI configuration notes
● Enable iSCSI optimization so the switch autodetects and autoconfigures Dell EMC EqualLogic storage arrays that are directly connected to an interface.
1. Configure an interface or interface range to detect a connected storage device.
   interface ethernet node/slot/port:[subport]
   interface range ethernet node/slot/port:[subport]-node/slot/port[:subport]
2. Enable the interface to support a storage device that is directly connected to the port and not automatically detected by iSCSI. Use this command for storage devices that do not support LLDP.
OS10(config)# iscsi target port 3261 ip-address 10.1.1.
● Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flowcontrol receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.1 or later, the existing iSCSI configuration is retained and the flowcontrol receive could be set to on or off, depending on the iSCSI configuration before the upgrade.
Command Mode        CONFIGURATION
Usage Information   iSCSI optimization automatically detects storage arrays and autoconfigures switch ports with the iSCSI parameters that are received from a connected device. The no version of this command disables iSCSI autodetection. Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flow control receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.
iscsi session-monitoring enable
Enables iSCSI session monitoring.
Syntax              iscsi session-monitoring enable
Parameter           None
Default             Disabled
Command Mode        CONFIGURATION
Usage Information   To configure the aging timeout in iSCSI monitoring sessions, use the iscsi aging time command. To configure the TCP ports that listen for connected storage devices in iSCSI monitoring sessions, use the iscsi target port command. The no version of this command disables iSCSI session monitoring.
Example             OS10(conf-if-eth1/1/1)# lldp tlv-select dcbxp-appln iscsi
Supported Releases  10.3.0E or later

show iscsi
Displays the current configured iSCSI settings.
Syntax              show iscsi
Parameters          None
Command Mode        EXEC
Usage Information   This command output displays global iSCSI configuration settings. To view target and initiator information use the show iscsi session command.
Initiator:iqn.1991-05.com.microsoft:win-rlkpjo4jun2
Up Time:00:00:16:02(DD:HH:MM:SS)
Time for aging out:29:23:59:35(DD:HH:MM:SS)
ISID:400001370000
Initiator      Initiator   Target        Target     Connection
IP Address     TCP Port    IP Address    TCP Port   ID
----------------------------------------------------------
10.10.10.210   54835       10.10.10.40   3260       1
Supported Releases  10.3.0E or later

show iscsi storage-devices
Displays information about the storage arrays directly attached to OS10 ports.
2. PFC configuration (global)
PFC is enabled on traffic classes with dot1p 4, 5, 6, and 7 traffic. All the traffic classes use the default PFC pause settings for shared buffer size and pause frames in ingress queue processing in the network-qos policy map. The trust-map dot1p default honors (trusts) all dot1p ingress traffic.
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# exit
OS10(config)# policy-map type queuing pmap1
OS10(config-pmap-queuing)# class cmap1
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# exit
OS10(config-pmap-queuing)# class cmap2
OS10(config-pmap-c-que)# bandwidth percent 70
OS10(config-pmap-c-que)# end
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dot1p default
5.
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
8.
PG-grp  Priority#  Bandwidth  TSA
------------------------------------------------
0       0,1,2,3,   30%        ETS
1       4,5,6,7    70%        ETS
2                  0%         ETS
3                  0%         ETS
4                  0%         ETS
5                  0%         ETS
6                  0%         ETS
7                  0%         ETS
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
2 Input Conf TLV Pkts, 27 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
2 Input Reco TLV Pkts, 27 Output Reco TLV Pkts, 0 Error Reco TLV Pkts
10.
4 Input Appln Priority TLV pkts, 3 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
12. DCBX configuration (interface)
This example shows how to configure and verify different DCBX versions.
trust-map dot1p default
service-policy output type queuing pmap1
ets mode on
qos-map traffic-class tmap2
trust-map dot1p tmap1
priority-flow-control mode on
OS10(conf-if-eth1/1/53)# do show lldp dcbx interface ethernet 1/1/53
E-ETS Configuration TLV enabled           e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled          r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled           p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled   f-Application Priority for FCOE disabled
I-Applic
25 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that monitors network traffic. It provides traffic monitoring for high-speed networks with many switches and routers.
● Enable sFlow in CONFIGURATION mode.
  sflow enable
● Disable sFlow in CONFIGURATION mode.
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
 sflow enable
!

Collector configuration
Configure the IPv4 or IPv6 address for the sFlow collector. When you configure the collector, enter a valid and reachable IPv4 or IPv6 address. You can configure a maximum of two sFlow collectors. If you specify two collectors, samples are sent to both.
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collector(s) configured
Collector IP addr:4.4.4.1 Agent IP addr:1.1.1.1 UDP port:6343 VRF:RED
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected

Polling-interval configuration
The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics.
● Set the sampling rate in CONFIGURATION mode, from 4096 to 65535. The default is 32768.
  sflow sample-rate sampling-size
● Disable packet sampling in CONFIGURATION mode.
  no sflow sample-rate
● View the sampling rate in EXEC mode.
OS10(config)# sflow source-interface loopback 1
OS10(config)# sflow source-interface vlan 10

View sFlow running configuration
OS10# show running-configuration sflow
sflow enable all-interfaces
sflow source-interface vlan10
sflow collector 5.1.1.1 agent-addr 4.1.1.1 6343
sflow collector 6.1.1.1 agent-addr 4.1.1.1 6343
OS10(config)#show running-configuration interface vlan
!
interface vlan1
 no shutdown
!
interface vlan10
 no shutdown
 ip address 10.1.1.
If sFlow is enabled and the port channel does not have any member interfaces, you will see a message similar to the following:

SFlow is not enabled (or) SFlow enabled and Port channel has no members

● View the sFlow running configuration in EXEC mode.

OS10# show running-configuration sflow
sflow enable
sflow max-header-size 80
sflow polling-interval 30
sflow sample-rate 4096
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.
sflow enable
Enables sFlow on a specific interface or globally on all interfaces.
Syntax
  sflow enable [all-interfaces]
Parameters
  all-interfaces — (Optional) Enter to enable sFlow globally.
Default
  Disabled
Command Mode
  CONFIGURATION
Usage Information
  The no version of this command disables sFlow.
Usage Information
  The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics. The no version of the command resets the interval time to the default value.
Example
  OS10(conf)# sflow polling-interval 200
Supported Releases
  10.3.0E or later

sflow sample-rate
Configures the sampling rate.
Example (VLAN)
  OS10(config)# sflow source-interface vlan 10
Supported Releases
  10.4.1.0 or later

show sflow
Displays the current sFlow configuration for all interfaces or by a specific interface type.
Syntax
  show sflow [interface type]
Parameter
  interface type — (Optional) Enter either ethernet or port-channel for the interface type.
Command Mode
  EXEC
Usage Information
  OS10 does not support statistics for UDP packets dropped and samples received from the hardware.
26 Telemetry

Network health relies on performance monitoring and data collection for analysis and troubleshooting. Network data is often collected with SNMP and CLI commands using the pull mode. In pull mode, a management device sends a get request and pulls data from a client. As the number of objects in the network and the metrics grow, traditional methods limit network scaling and efficiency. Using multiple management systems further limits network scaling.
Table 155. BGP peers
YANG Container                      Minimum sampling interval (milliseconds)
infra-bgp/peer-state/peer-status    0

Buffer statistics

Table 156. Buffer statistics
YANG Container                      Minimum sampling interval (milliseconds)
base-qos/queue-stat                 15000
base-qos/priority-group-stat        15000
base-qos/buffer-pool-stat           15000
base-qos/buffer-pool                15000

Device information

Table 157.
System statistics

Table 161. System statistics
YANG Container                      Minimum sampling interval (milliseconds)
system-status/current-status        15000

Configure telemetry

NOTE: To set up a streaming telemetry collector, download and use the OS10 telemetry .proto files from the Dell EMC Support site.

To enable the streaming of telemetry data to destinations in a subscription profile:
1. Enable telemetry on the switch.
2. Configure a destination group.
3.
1. Enter the destination group name in TELEMETRY mode. A maximum of 32 characters.
   OS10(conf-telemetry)# destination-group group-name
2. Enter the IPv4 or IPv6 address and transport-service port number in DESTINATION-GROUP mode. Only one destination is supported in the 10.4.3.0 release. You can enter a fully qualified domain name (FQDN) for ip-address. The destination domain name resolves to an IP address — see System domain name and list.
View telemetry configuration Use the following show commands to display telemetry configuration. OS10# show telemetry Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
View destination group OS10# show telemetry destination-group Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
  The connection 10.11.56.204:40001 is in connected state

Verify telemetry in running configuration

OS10# show running-configuration telemetry
!
telemetry
 enable
 !
 destination-group dest1
  destination 10.11.56.
Default
  Telemetry is disabled on the switch.
Command mode
  CONFIGURATION
Usage information
  Enable and disable streaming telemetry in Telemetry mode.
Example
  OS10(config)# telemetry
  OS10(conf-telemetry)#
Supported releases
  10.4.3.0 or later

enable
Enables telemetry on the switch.
Syntax
  enable
Parameters
  None
Default
  Telemetry is disabled.
Command mode
  TELEMETRY
Usage information
  Enter the no enable command to disable telemetry.
Example
  OS10(conf-telemetry)# enable
Supported releases
  10.4.
● domain-name — Enter the fully qualified domain name of the destination device. A maximum of 32 characters. ● port-number — Enter the transport-service port number to which telemetry data is sent on the destination device. Default Not configured Command mode DESTINATION-GROUP Usage information When you associate a destination group with a subscription, telemetry data is sent to the IP address and port specified by the destination command. In the 10.4.3.0 release, only one destination is supported.
Supported releases 10.4.3.0 or later sensor-group (subscription-profile) Assigns a sensor group with sampling interval to a subscription profile for streaming telemetry.
Usage information This command assigns the sensors from which data is collected for streaming telemetry to a subscription profile and specifies the sampling rate. To add sensor groups to the subscription profile, reenter the command. The interface sensor group supports only physical and port channel interfaces. The no version of this command deletes the sensor group from the subscription profile. NOTE: The subscription profile should contain either OS10 sensor groups or openconfig sensor groups.
transport
Configures the transport protocol used to stream telemetry data to a remote management device.
Syntax
  transport protocol [no-tls]
Parameters
  ● protocol — Enter the gRPC (Google remote procedure call) transport protocol used for telemetry sessions.
  ● no-tls — (Optional) Disable Transport Layer Security (TLS) certificate exchange with gRPC transport.
Default
  OS10 telemetry uses the gRPC protocol for transport with TLS certificates enabled.
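An added example, not taken from the Dell documentation: a Python check that reads show telemetry output and reports every gRPC subscription profile whose TLS field is disabled, together with the destinations it streams to. The sample output is constructed from the field names shown in this chapter; the addresses, the second profile and the value enabled for the TLS field are assumptions.

```python
import re

# "Key : value" lines. The key may hold letters, spaces, hyphens and parentheses
# only, so "The connection 192.0.2.10:40001 is ..." is not mistaken for a field.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ()\-]*?)\s*:\s*(.*)$")

# Constructed sample modeled on the show telemetry fields in this chapter.
# Addresses are documentation-range placeholders, not values from the guide.
SAMPLE = """\
Telemetry Status : enabled

-- Telemetry Destination Groups --
Group : dest1
Destination : 192.0.2.10:40001
Group : dest2
Destination : 192.0.2.20:40001

Name : subscription-1
Destination Groups(s) : dest1
Sensor-group      Sample-interval
-----------------------------------
interface         180000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
  The connection 192.0.2.10:40001 is in connected state

Name : subscription-2
Destination Groups(s) : dest2
Encoding : gpb
Transport : grpc
TLS : enabled
Source Interface : ethernet1/1/1
Active : true
"""


def parse_show_telemetry(text):
    """Return (status, {group: [destinations]}, [profile dicts])."""
    status = None
    dest_groups, profiles = {}, []
    group = profile = None
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # section banners, table rows, connection detail lines
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "telemetry status":
            status = value
        elif key == "group":
            group, profile = value, None
        elif key == "destination" and group is not None:
            dest_groups.setdefault(group, []).append(value)
        elif key == "name":
            profile = {"name": value, "groups": []}
            profiles.append(profile)
        elif profile is not None:
            if key.startswith("destination group"):
                profile["groups"] = value.split()
            else:
                profile[key] = value
    return status, dest_groups, profiles


def audit_tls(text):
    """List subscription profiles that stream over gRPC with TLS disabled."""
    status, dest_groups, profiles = parse_show_telemetry(text)
    findings = []
    if status != "enabled":
        return findings  # nothing is streamed while telemetry is disabled
    for prof in profiles:
        transport = prof.get("transport", "").lower()
        if transport == "grpc" and prof.get("tls", "").lower() == "disabled":
            destinations = [
                dest
                for grp in prof["groups"]
                for dest in dest_groups.get(grp, ["<unresolved:%s>" % grp])
            ]
            findings.append({
                "profile": prof["name"],
                "destinations": destinations,
                "source_interface": prof.get("source interface"),
                "active": prof.get("active", "").lower() == "true",
            })
    return findings


if __name__ == "__main__":
    for item in audit_tls(SAMPLE):
        print("TLS disabled: %(profile)s -> %(destinations)s "
              "(source %(source_interface)s, active=%(active)s)" % item)
```

Feed it the text captured from show telemetry on each switch; an active finding means telemetry data is leaving the switch without TLS.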
show telemetry Displays the configured destination-group, sensor-group, and subscription profiles for streaming telemetry. Syntax show telemetry [destination-group [group-name] | sensor-group [group-name] | subscription-profile [profile-name]] Parameters ● destination-group — Display only destination groups or a specified group. ● sensor-group — Display only sensor groups or a specified group. ● subscription-profile — Display only subscription profiles or a specified profile.
Sensor Path : openconfig-lacp/lacp Group : oc-lag Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-lldp Sensor Path : openconfig-lldp/lldp Group : oc-stp Sensor Path : openconfig-spanning-tree/stp Group : oc-system Sensor Path : openconfig-system/system Sensor Path : openconfig-platform/components/component Group : oc-vendor-ufd Sensor Path : ufd/uplink-state-group-stats/ufd-groups Group : oc-vendor-vxlan Sensor Path : vxlan/vxlan-state/remote-endpoint/stats Group : oc-vlan Sensor Path :
Sensor Path : openconfig-bgp/bgp/neighbors/neighbor Sensor Path : openconfig-bgp/bgp/rib/afi-safis/afi-safi Group : oc-buffer Sensor Path : openconfig-qos/qos/interfaces/interface Group : oc-device Sensor Path : openconfig-platform/components/component Sensor Path : openconfig-network-instance/network-instances/networkinstance Group : oc-environment Sensor Path : openconfig-platform/components/component Group : oc-interface Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-lacp Sensor Path
Name : subscription-2 Destination Groups(s) : dest2 Sensor-group Sample-interval ----------------------------------oc-bfd 15000 oc-bgp 15000 oc-buffer 15000 oc-device 15000 oc-environment 15000 oc-interface 15000 oc-lacp 15000 oc-lag 0 oc-lldp 15000 oc-stp 15000 oc-system 15000 oc-vendor-ufd 15000 oc-vendor-vxlan 15000 oc-vlan 15000 oc-vrrp 15000 Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The conne
Sensor Path : infra-bgp/peer-state/peer-status Group : buffer Sensor Path : base-qos/queue-stat Sensor Path : base-qos/priority-group-stat Sensor Path : base-qos/buffer-pool-stat Sensor Path : base-qos/buffer-pool Group : device Sensor Path : base-pas/chassis Sensor Path : base-pas/card Sensor Path : base-switch/switching-entities/switch-stats Group : environment Sensor Path : base-pas/entity Sensor Path : base-pas/psu Sensor Path : base-pas/fan-tray Sensor Path : base-pas/fan Sensor Path : base-pas/led Sen
interface lag system 180000 0 300000 Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.
27 RESTCONF API

RESTCONF is a representational state transfer (REST)-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches using JavaScript Object Notation (JSON)-structured messages. Use any programming language to create and send JSON messages. The examples in this chapter use curl. The OS10 RESTCONF implementation complies with RFC 8040. You can use the RESTCONF API to configure and monitor an OS10 switch.
● ecdhe-rsa-with-aes-256-gcm-SHA384
  rest https cipher-suite
4. Enable RESTCONF API in CONFIGURATION mode.
  rest api restconf

RESTCONF API configuration

OS10(config)# rest https server-certificate name OS10.dell.
Error
{"ietf-restconf:errors":{"error":[{"error-type":"rpc","error-tag":"invalid-value","error-app-tag":"data-invalid","error-path":"/classifier-entry","error-message":"unknown resource instance","error-info":{"bad-value":"/restconf/data/dell-diffserv-classifier:classifier-entry=test","error-number":388}}]}}

POST request
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"dell-diffserv-classifier:classifier-entry": [{"name":"test","mtype":"qos","match":"
Translated RESTCONF requests example Config command OS10# cli mode rest-translate Commands executed in this mode will not alter current system state.
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-system-software:system-sw-state/sw-version
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-system:system-state/system-status

Action/RPC based command

OS10# cli mode rest-translate
Commands executed in this mode will not alter current system state.
Do you want to proceed? [confirm yes/no]:yes
REST-TRANSLATE-OS10# configure terminal
CLI command: configure terminal
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-mgmt-cm:cms
REST-TRANSLATE-OS10(config)# interface ethernet 1/1/1
CLI command: interface ethernet 1/1/1
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"ietf-interfaces:interfaces":{"in
REST Token-Based Authentication

Limitations

The following limitations are applicable in 10.5.1:
● REST token authentication is disabled when FIPS mode is enabled.

Acquire new token

You can acquire a new token by calling the Login REST API. A successful Login API call using basic authentication generates a new set of tokens.

$ curl -X GET -k -u admin:admin -H "Content-Type: application/json" https://$TARGET/login
{ "access_token": "abc.123.xyz", "token_type": "bearer", "refresh_token": "efg.456.
CLI commands for RESTCONF API rest api restconf Enables the RESTCONF API service on the switch. Syntax rest api restconf Parameters None Default RESTCONF API is disabled. Command Mode CONFIGURATION Usage Information ● After you enable the RESTCONF API, you can send curl commands in HTTPS requests from a remote device. ● The no version of the command disables the RESTCONF API. Example Supported Releases OS10(config)# rest api restconf 10.4.1.
Usage Information Example Supported Releases The no version of the command removes the host name from the SSL server certificate. OS10(config)# rest https server-certificate name 10.10.10.10 10.4.1.0 or later rest https session timeout Configures the timeout a RESTCONF HTTPS connection uses. Syntax rest https session timeout seconds Parameters seconds — Enter the switch timeout for an HTTPS request from a RESTCONF client, from 30 to 65535 seconds.
Usage Information Example Supported Releases This command disables translation of CLI command into equivalent RESTCONF requests in the current session. REST-TRANSLATE-OS10# no cli mode 10.5.1.0 or later show cli mode Display the current CLI session mode. Syntax show cli mode Parameters None Default None Command Mode Exec Usage Information This command displays the active mode of the current CLI session and also the file name where the RESTCONF requests are stored.
rest authentication token max-refresh Configures the maximum refresh time. Syntax rest authentication token max-refresh count Parameters count — Enter the refresh count limit, from 0 to 10. The count indicates the maximum number of times the tokens refresh. If you do not want to refresh, enter 0. Default 3 Command Mode CONFIGURATION Usage Information This command updates the maximum number of times the tokens refresh. The no version of the command resets the count to the default value.
● -u specifies the user name and password to use for server authentication. ● -k specifies a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line. Use the IP address or URL of the OS10 switch when you access the OS10 RESTCONF API from a remote orchestration system. ● -H specifies an extra header to include in the request when sending HTTPS to a server. You can enter multiple extra headers.
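An added example, not part of the Dell documentation: the sw-version GET request from the translated-request examples built with Python's standard library, with the switch certificate verified by the default TLS context, and an ietf-restconf:errors body decoded into a list. The host name, credentials and CA file are placeholders, and the sample error body is constructed from the error response shown earlier in this chapter.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Resource path taken from the translated RESTCONF request in this chapter.
SW_VERSION_PATH = "dell-system-software:system-sw-state/sw-version"

# Constructed sample modeled on the RFC 8040 error response in this chapter.
SAMPLE_ERROR = json.dumps({
    "ietf-restconf:errors": {"error": [{
        "error-type": "rpc",
        "error-tag": "invalid-value",
        "error-app-tag": "data-invalid",
        "error-path": "/classifier-entry",
        "error-message": "unknown resource instance",
        "error-info": {
            "bad-value": "/restconf/data/dell-diffserv-classifier:classifier-entry=test",
            "error-number": 388,
        },
    }]}
})


def tls_context(ca_file=None):
    """Client context that verifies the switch certificate and its host name."""
    ctx = ssl.create_default_context()
    if ca_file:  # assumption: PEM file of the CA that issued the switch certificate
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def build_get(host, path, user, password):
    """Build (without sending) a RESTCONF GET that uses HTTP basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/restconf/data/{path}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
        method="GET",
    )


def parse_errors(body):
    """Flatten an 'ietf-restconf:errors' body into a list of dicts."""
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON, for example an HTML error page from a proxy
    errors = doc.get("ietf-restconf:errors", {}) if isinstance(doc, dict) else {}
    entries = errors.get("error", []) if isinstance(errors, dict) else []
    result = []
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        result.append({
            "type": entry.get("error-type"),
            "tag": entry.get("error-tag"),
            "app_tag": entry.get("error-app-tag"),
            "path": entry.get("error-path"),
            "message": entry.get("error-message"),
            "info": entry.get("error-info", {}),
        })
    return result


def fetch(request, context, timeout=10):
    """Send the request; return (status, JSON data) or (status, error list)."""
    try:
        with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as exc:
        return exc.code, parse_errors(exc.read())


if __name__ == "__main__":
    # Offline demonstration: build the request and decode the sample error.
    req = build_get("switch.example.net", SW_VERSION_PATH, "user", "placeholder")
    print(req.get_method(), req.full_url)
    for err in parse_errors(SAMPLE_ERROR):
        print(err["tag"], err["path"], err["message"])
```

A certificate that fails verification raises urllib.error.URLError from fetch, which is the signal to check the name set with rest https server-certificate name and the CA the client trusts.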
merge stop-on-error set

JSON content
{ "interface": [{ "type": "iana-if-type:softwareLoopback", "enabled": true, "description":"loopback interface", "name":"loopback1"}] }

Parameters
● type string — Enter iana-if-type:softwareLoopback for a loopback interface.
● enabled bool — Enter true to enable the interface; enter false to disable.
● description string — Enter a text string to describe the interface. A maximum of 80 alphanumeric characters.
28 Troubleshoot Dell EMC SmartFabric OS10

Critical workloads and applications require constant availability. Dell EMC Networking offers tools to help you monitor and troubleshoot problems before they happen.
* 1 S4148F-ON 985 006 10 1 S4148F-ON-PWR-1-AC 1 S4148F-ON-FANTRAY-1 1 S4148F-ON-FANTRAY-2 1 S4148F-ON-FANTRAY-3 1 S4148F-ON-FANTRAY-4 09H9MN X01 TW-09H9MN-28298-713-0026 06FKHH 0N7MH8 0N7MH8 0N7MH8 0N7MH8 A00 X01 X01 X01 X01 CN-06FKHH-28298-6B5-03NY TW-0N7MH8-28298-713-0101 TW-0N7MH8-28298-713-0102 TW-0N7MH8-28298-713-0103 TW-0N7MH8-28298-713-0104 9531XC2 198 Boot information Display system boot and image information. ● View all boot information in EXEC mode.
30452 admin 1 root 2 root 3 root 5 root 7 root 8 root 10 root 11 root 12 root 13 root 14 root 15 root 16 root 17 root 19 root 20 root 21 root 22 root 23 root 24 root 25 root --more-- 20 20 20 20 0 20 20 20 20 20 rt rt rt rt 20 0 0 20 0 20 0 25 0 0 0 0 -20 0 0 0 0 0 0 0 0 0 0 -20 -20 0 -20 0 -20 5 22076 112100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2524 5840 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2100 3032 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 R S S S S R S S S S S S S S S S S S S S S S 6.1 0.0 0.
Capture packets from Ethernet interface $ tcpdump -i e101-003-0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on e101-003-0, link-type EN10MB (Ethernet), capture size 262144 bytes 01:39:22.457185 IP 3.3.3.1 > 3.3.3.4: ICMP echo request, id 5320, seq 26, length 64 01:39:22.457281 IP 3.3.3.1 > 3.3.3.
When you execute a traceroute, the output shows the path a packet takes from your device to the destination IP address. It also lists all intermediate hops (routers) that the packet traverses to reach its destination, including the total number of hops traversed. Check IPv4 connectivity OS10# ping 172.31.1.255 Type Ctrl-C to abort. Sending 5, 100-byte ICMP Echos to 172.31.1.255, timeout is 2 seconds: Reply to request 1 from 172.31.1.208 0 ms Reply to request 1 from 172.31.1.
1 3ffe:501:ffff:100:201:e8ff:fe00:4c8b 000.000 ms 000.000 ms 000.000 ms Faulty media This section describes the behavior of pluggable media that OS10 cannot read because of some hardware or mechanical fault. Detect faulty media If the pluggable media that you insert into an interface is faulty, you will see a message similar to the following one on the console: Nov 09 15:03:23 OS10 dn_alm[997]: Node.1-Unit.1:PRI [event], Dell EMC (OS10) %EQM_MEDIA_PRESENT: Media inserted .
Unit Type Part Number Rev Piece Part ID Svc Tag Exprs Svc Code ---------------------------------------------------------------------------------------------* 1 S4248FB-ON CN-0W1K08-77931-647-0017 OS11SIM 1 S4248FB-ON-PWR-2-AC 02RPHX A00 CN-02RPHX-17972-5BH-00RE 1 S4248FB-ON-FANTRAY-1 03CH15 A00 CN-03CH15-77931-62T-0039 1 S4248FB-ON-FANTRAY-2 03CH15 A00 CN-03CH15-77931-62T-0133 1 S4248FB-ON-FANTRAY-3 03CH15 A00 CN-03CH15-77931-62T-0067 1 S4248FB-ON-FANTRAY-4 03CH15 A00 CN-03CH
------------------------------------1 up 43 Thermal sensors Unit Sensor-Id Sensor-name Temperature -----------------------------------------------------------------------------1 1 CPU On-Board temp sensor 32 1 2 Switch board temp sensor 28 1 3 System Inlet Ambient-1 temp sensor 27 1 4 System Inlet Ambient-2 temp sensor 25 1 5 System Inlet Ambient-3 temp sensor 26 1 6 Switch board 2 temp sensor 31 1 7 Switch board 3 temp sensor 41 1 8 NPU temp sensor 43 View hash algorithm OS10# show hash-algorithm LagAlgo -
2 fail -- Fan Status -FanTray Status AirFlow Fan Speed(rpm) Status ---------------------------------------------------------------1 up NORMAL 1 13195 up 2 up NORMAL 1 13151 up 3 up NORMAL 1 13239 up 4 up NORMAL 1 13239 up Diagnostic commands location-led interface Changes the location LED of the interface. Syntax location-led interface ethernet {chassis/slot/port[:subport]} {on | off} Parameters ● chassis/slot/port[:subport] — Enter the ethernet interface number.
show boot Displays boot-related information. Syntax show boot [detail] Parameters detail — (Optional) Enter to display detailed information. Default Not configured Command Mode EXEC Usage Information Use the boot system command to set the boot image for the next reboot.
00:04.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 4 (rev 02) 00:0e.0 Host bridge: Intel Corporation Atom processor C2000 RAS (rev 02) 00:0f.0 IOMMU: Intel Corporation Atom processor C2000 RCEC (rev 02) 00:13.0 System peripheral: Intel Corporation Atom processor C2000 SMBus 2.0 (rev 02) 00:14.0 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03) 00:14.1 Ethernet controller: Intel Corporation Ethernet Connection I354 (rev 03) 00:16.
Default
  Not configured
Command Mode
  EXEC
Usage Information
  None
Example
  OS10# show hash-algorithm
  LagAlgo - CRC
  EcmpAlgo - CRC
Supported Releases
  10.2.0E or later

show inventory
Displays system inventory information.
0.34 Tasks: 208 total, %Cpu(s): 9.7 us, 0.
Supported Releases 10.3.0E or later show system Displays system information. Syntax show system [brief | node-id] Parameters ● brief — View an abbreviated list of the system information. ● node-id — View the node ID number.
Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Example (brief) 1/1/9 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15 1/1/16 1/1/17 1/1/18 1/1/19 1/1/20 1/1/21 1/1/22 1/1/23 1/1/24 1/1/25 No No No No No No No No No No No No No No No No Yes BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 OS10# show system brief Node Id M
● -p port — (Optional) Enter a destination port: ○ For UDP tracing, enter the destination port base that traceroute uses. The destination port number is incremented by each probe. ○ For ICMP tracing, enter the initial ICMP sequence value, incremented by each probe. ○ For TCP tracing, enter the constant destination port to connect. ○ -P protocol — (Optional) Use a raw packet of the specified protocol for traceroute. The default protocol is 253 (RFC 3692).
Recover Linux password

If you lose or forget your Linux administrator password, you can reconfigure it from the CLI using the system-user linuxadmin password {clear-text-password | hashed-password} command in CONFIGURATION mode. Save the password using the write memory command. For example:

OS10(config)# system-user linuxadmin password Dell@Force10!@
OS10(config)# exit
OS10# write memory

For more information, see Linuxadmin user configuration.
9. Configure the password by using the /opt/dell/os10/bin/recover_linuxadmin_password.sh plainpassword command. Enter the linuxadmin password in plain text.
   root@OS10: /# /opt/dell/os10/bin/recover_linuxadmin_password.sh Dell@admin0!@
10. Enter the sync command to save the new password.
   root@OS10: /# sync
11. Reboot the system, and then enter your new password.
   root@OS10: /# reboot -f
   Rebooting.[ 822.327073] sd 0:0:0:0: [sda] Synchronizing SCSI cache
   [ 822.340656] reboot: Restarting system
   [ 822.
5. At the linuxadmin prompt, enter sudo -i and the linuxadmin password to enter root mode.
   linuxadmin@s4048t-1:~$ sudo -i
   [sudo] password for linuxadmin:
   root@s4048t-1:~#
6. At the root mode prompt, enter the passwd username command to recover the password for the specified user name. Enter the new password twice; for example:
   root@s4048t-1:~# passwd admin
   New password:
   Retype new password:
   passwd: password updated successfully
7. Exit and log out from root mode and linuxadmin mode.
If it is not possible to restore your factory defaults with the installed OS, reboot the system from the Grub menu and select ONIE: Rescue. ONIE Rescue bypasses the installed operating system and boots the system into ONIE until you reboot the system. After ONIE Rescue completes, the system resets and boots to the ONIE console. 1. Restore the factory defaults on your system from the Grub menu using the ONIE: Uninstall OS command. To select which entry is highlighted, use the up and down arrow keys.
NOTE: When you upgrade from an earlier release (prior to Release 10.5.0.0), the switch does not retain the SupportAssist configuration. After the upgrade is complete, enable and configure SupportAssist again. You must reconfigure SupportAssist because the OS10 switch (starting from Release 10.5.0.0) connects to a different Dell EMC server, and you must accept the EULA and reconfigure the server again.
Or OS10(conf-support-assist)# server url https://domain username example-username password example-password 5. (Required) Configure the interface to connect to the SupportAssist server in SUPPORT-ASSIST mode. OS10(conf-support-assist)# source-interface interface 6. (Required) Configure the contact information for your company in SUPPORT-ASSIST mode. OS10(conf-support-assist)# contact-company name ExampleCompanyName OS10(conf-support-assist-ExampleCompanyName)# 7.
1. (Required) Enter the contact name in SUPPORT-ASSIST mode. OS10(config)# support-assist OS10(conf-support-assist)# contact-company name ExampleCompanyName OS10(conf-support-assist-ExampleCompanyName)# contact-person first firstname last lastname 2. (Required) Enter the email addresses in SUPPORT-ASSIST mode. OS10(conf-support-assist-ExampleCompanyName)# email-address primary email-address [alternate alternate-email-address] You can optionally configure an alternate email address. 3.
Set default activity schedule OS10(conf-support-assist)# no support-assist-activity full-transfer schedule View status View the SupportAssist configuration status, details, and EULA information using the following show commands: 1. View the SupportAssist activity in EXEC mode. show support-assist status 2. View the EULA license agreement in EXEC mode.
View EULA license OS10# show support-assist eula SUPPORTASSIST ENTERPRISE - SOFTWARE TERMS *** IMPORTANT INFORMATION - PLEASE READ CAREFULLY *** This SupportAssist Software ("Software") contains computer programs and other proprietary material and information, the use of which is governed by and expressly conditioned upon acceptance of this SupportAssist Enterprise Software Terms ("Agreement").
9 Fri Jun 30 05:13:37 UTC 2019 Full-transfer bundle upload failed due to communication error 10 Fri Jun 30 05:14:00 UTC 2019 Alert bundle upload failed due to communication error 11 Fri Jun 30 05:14:03 UTC 2019 Alert bundle uploaded to ESRS Server List of country names and codes This section provides a list of country codes that you must use in the address command. Table 164.
Table 164.
Table 164.
Table 164.
Table 164.
Table 164.
Table 164.
SupportAssist commands

eula-consent
Accepts or rejects the SupportAssist end-user license agreement (EULA).
Syntax
  eula-consent {support-assist} {accept | reject}
Parameters
  ● support-assist — Enter to accept or reject the EULA for the service.
  ● accept — Enter to accept the EULA-consent.
  ● reject — Enter to reject EULA-consent.
Default
  Not configured
Command Mode
  CONFIGURATION
Usage Information
  If you reject the end-user license agreement, you cannot access the SupportAssist Configuration submode.
Default None Command Mode EXEC Usage Information This command displays the warranty information for the OS10 switch and the relevant service contracts.
Default Not applicable Command Mode CONFIGURATION Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1 Example Supported Releases OS10(config)# support-assist OS10(conf-support-assist)# 10.2.0E or later support-assist-activity Schedules a time for data collection and transfer activity or performs on-demand data collection and managed file transfer.
Examples OS10# support-assist-activity full-transfer start-now OS10# support-assist-activity full-transfer schedule hourly min 59 OS10# support-assist-activity full-transfer schedule daily hour 23 min 59 OS10# support-assist-activity full-transfer schedule weekly day-of-week 1 hour 23 min 59 OS10# support-assist-activity full-transfer schedule monthly day 30 hour 23 min 59 OS10# support-assist-activity full-transfer schedule yearly month 12 day 31 hour 23 min 59 Supported Releases 10.2.
Examples OS10(conf-support-assist)# activity event-notification enable OS10(conf-support-assist)# activity full-transfer enable Supported Releases 10.2.0E or later contact-company Configures the company contact information. Syntax contact-company name company-name Parameters company-name—Enter the contact company name. Default Not configured Command Mode SUPPORT-ASSIST Usage Information You can enter only one contact company.
Supported Releases 10.2.0E or later show configuration Displays the SupportAssist configuration currently running on the device. Syntax show configuration Parameters None Default Not configured Command Mode SUPPORT-ASSIST Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
contact-person first Firstname last Lastname email-address primary youremail@example.com alternate alternate_email@example.com phone primary 0001234567 alternate 1234567890 preferred-method email Supported Releases 10.2.0E or later show support-assist eula Displays the EULA for SupportAssist. Syntax show support-assist eula Parameters None Default None Command Mode EXEC Usage Information Use this command to view the EULA for SupportAssist.
Service Contact-Company Street Address City State Country Zipcode Territory Contact-person Primary email Alternate email Primary phone Alternate phone Contact method Server(configured) : : : : : : : : : : : : : : : Enabled ExampleCompanyName Olympia SanJose California USA 95123 West Firstname Lastname youremail@example.com emailid@example.
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.2. The no version of this command removes the configuration.
Command Mode SUPPORT-ASSIST Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command removes the configuration. Example Supported Releases OS10(conf-support-assist-ExampleCompanyName)# contact-person first Firstname last Lastname 10.2.0E or later street-address Configures the street address of the company.
SupportAssist person commands

email-address
Configures the email address of the contact person.
Syntax
  email-address primary email-id [alternate email-id]
Parameters
  email-id—Enter the email address of the contact person.
Default
  Not configured
Command Mode
  SUPPORT-ASSIST
Usage Information
  Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0.
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0(R3S). Also supported in SmartFabric mode starting in release 10.5.0. The no version of this command removes the configuration.
Support bundle generation successful event

Apr 19 17:0:9: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_COMPLETED: generate support-bundle execution has completed successfully:All Plugin options disabled
Apr 19 17:0:9: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_COMPLETED: generate support-bundle execution has completed successfully:All Plugin options enabled

Support bundle generation failure

Apr 19 17:0:14: %Node.1-Unit.
show support-bundle status
Displays the support bundle generation status and file transfer status.
Syntax
  show support-bundle status
Parameters
  None
Default
  None
Command Mode
  EXEC
Security and Access
  Sysadmin, secadmin, and netadmin
Example
  OS10# show support-bundle status
  Support bundle generation status : support-bundle-generation-success
  Transfer State Detail            : in-progress
  Transfer Progress                : 10 %
  Transfer Bytes                   : 769 bytes
  File Size                        : 7690 bytes
Supported Releases
  10.5.2.
Triggered alarms are in one of these states: ● Active—Alarm is raised and is currently active. ● Acknowledged—Alarm is raised; the user is aware of the situation and acknowledged the alarm. This alarm does not impact the overall health of the system or the system LED. Some alarms go directly from active to cleared state and require little-to-no administrative effort. You must acknowledge or investigate alarms with a high severity.
2. Copy one of the available severity profiles to a remote host.
   OS10# copy severity-profile://default.xml scp://username:password@a.b.c.d/dir-path/mySevProf.xml
3. Modify the .xml file with changes as required.
   NOTE: When you modify the xml file, you must select one of the following severities:
   ● CRITICAL
   ● MAJOR
   ● MINOR
   ● WARNING
   ● INFORMATIONAL
   Following is a sample of the .xml file. You can use Notepad++ to make modifications to this .xml file:
Delete custom severity profile You can delete custom severity profiles that you no longer need. However, you cannot delete the default or active severity profile. To delete a custom severity profile, use the delete severity-profile://profile-name command. For example: OS10# delete severity-profile://mySevProf_1.xml System logging You can change the system logging default settings using the severity level to control the type of system messages that log.
● Disable monitor logging, and reset the minimum logging severity to the default in CONFIGURATION mode.
no logging monitor severity
● Disable server logging, and reset the minimum logging severity to the default in CONFIGURATION mode.
no logging server severity
● Reenable any logging command in CONFIGURATION mode.
no logging enable
Enable server logging for log notice
OS10(config)# logging server 10.11.86.
NOTE: fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware application, such as Syslog over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS-compliant pair. You determine if the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode.
Processing certificate ...
Certificate and keys were successfully installed as "clientcert.crt" that may be used in a security profile. CN = 10.0.0.6
OS10# show crypto cert
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
clientcert.
dn_eqm
dn_eth_drv
dn_etl
dn_i3
dn_ifm
dn_infra_afs
dn_issu
dn_l2_services
dn_l2_services_
dn_l2_services_
dn_l2_services_
dn_l2_services_
dn_l3_core_serv
dn_l3_service
dn_lacp
dn_lldp
dn_mgmt_entity_
--More--
Environmental monitoring
Monitors the hardware environment to detect temperature, CPU, and memory utilization.
Show link-bundle utilization
OS10(config)# do show link-bundle-utilization
Link-bundle trigger threshold - 10
Alarm commands
alarm acknowledge
Acknowledges an active alarm.
Syntax alarm acknowledge sequence-number
Parameters
● sequence-number — Acknowledge the alarm corresponding to the sequence number.
Default Not configured
Command Mode EXEC
Usage Information Use the show alarm command to view all active alarms. Use active alarm sequence numbers to acknowledge specific alarms.
Command Mode EXEC
Usage Information None
Example
OS10# show alarms
Sq No  Severity     Name                            Timestamp                 Source
-----  -----------  ------------------------------  ------------------------  ------
7563   critical     EQM_MORE_PSU_FAULT              Fri Jul 26 19:26:16 2019  /pus/1
7566   warning      EQM_TML_MINOR_CROSSED           Fri Jul 26 19:30:22 2019  /pus/1
7569   information  L2_SERV_LACP_CMS_CPS_SEND_FAIL  Fri Jul 26 19:55:40 2019  /pus/1
Supported Releases 10.2.0E or later
show alarms acknowledged
Displays all acknowledged alarms.
Example
Alarm is not acknowledged:
OS10# show alarms details
Active-alarm details - 732
-------------------------------------------
Sequence Number: 732
Severity: critical
Source: /psu/2
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Mon Jul 29 06:12:30 2019
Ack-time:
New: true
Acknowledged: false
-------------------------------------------
Alarm is acknowledged:
OS10# show alarms details
Active-alarm details - 732
-------------------------------------------
Sequence Number: 732
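The guide states that high-severity alarms must be acknowledged or investigated; the Python sketch below checks captured show alarms details output for such alarms. It is an added example, not part of the Dell EMC guide: the second alarm record in the sample is constructed, and treating critical and major as "high severity" is an assumption.

```python
# Constructed sample in the layout of the `show alarms details` output shown
# above; the second record (733) is invented for this example.
SAMPLE = """\
Active-alarm details - 732
-------------------------------------------
Sequence Number: 732
Severity: critical
Source: /psu/2
Name: EQM_MORE_PSU_FAULT
Description: psu 2 is not working correctly
Raise-time: Mon Jul 29 06:12:30 2019
Ack-time:
New: true
Acknowledged: false
-------------------------------------------
Active-alarm details - 733
-------------------------------------------
Sequence Number: 733
Severity: major
Source: /fantray/3
Name: EQM_FANTRAY_FAULT
Raise-time: Mon Jul 29 06:15:02 2019
Ack-time: Mon Jul 29 06:20:11 2019
Acknowledged: true
-------------------------------------------
"""

HIGH_SEVERITY = {"critical", "major"}  # assumption: what counts as "high"

def parse_alarm_details(text):
    """Return one dict per alarm, keyed by the field names in the output."""
    alarms = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Active-alarm details"):
            alarms.append({})  # header line opens a new record
        elif alarms and ":" in line:
            key, _, value = line.partition(":")  # first colon only; times keep theirs
            alarms[-1][key.strip()] = value.strip()
    return alarms

def needs_attention(alarms):
    """High-severity alarms not acknowledged (a missing field counts as unacknowledged)."""
    return [int(a["Sequence Number"]) for a in alarms
            if a.get("Severity", "").lower() in HIGH_SEVERITY
            and a.get("Acknowledged", "false").lower() != "true"]

if __name__ == "__main__":
    print(needs_attention(parse_alarm_details(SAMPLE)))
```

Each sequence number returned is a candidate for the alarm acknowledge sequence-number command once the alarm has been investigated.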
show alarms severity
Displays all active alarms corresponding to a specific severity level.
Syntax show alarms severity severity
Parameters severity — Set the alarm severity:
● critical — Critical alarm severity.
● major — Major alarm severity.
● minor — Minor alarm severity.
● warning — Warning alarm severity.
show alarms summary
Displays the summary of all active alarms.
Syntax show alarms summary
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show alarms summary
Active-alarm Summary
-------------------------------------------
Total-count: 2
Critical-count: 0
Major-count: 1
Minor-count: 1
Warning-count: 0
-------------------------------------------
Supported Releases 10.2.
3      Raised     EQM_MORE_PSU_FAULT  Sun 10-07-2018 18:39:44  /psu/2
2      Raised     EQM_FANTRAY_FAULT   Sun 10-07-2018 16:39:42  /fantray/3
Example (reverse)
OS10# show event history reverse
Sq No  State      Name                Timestamp
-----  --------   ------------------  -----------------------
1      Stateless  SYSTEM_REBOOT       Sun 10-07-2018 15:39:41
2      Raised     EQM_FANTRAY_FAULT   Sun 10-07-2018 16:39:42
3      Raised     EQM_MORE_PSU_FAULT  Sun 10-07-2018 18:39:44
4      Raised     EQM_MORE_PSU_FAULT  Sun 10-07-2
Example (sequence)
Example (details)
Example (summary)
show event severity-profile
Displays the active severity profile and the profile that becomes active after a system restart.
Syntax show event severity-profile
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show event severity-profile
Severity Profile Details
------------------------
Currently Active : default
Active after restart : mySevProf.xml
Supported Releases 10.5.0 or later
Logging commands
clear logging
Clears messages in the logging buffer.
● log-debug—Set to debug messages.
Default Log-notice
Command Mode CONFIGURATION
Usage Information Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1. To set the severity to the default level, use the no logging console severity command. The default severity level is log-notice.
NOTE: The system rate-limits syslog messages to a maximum of 10 per second on the console.
Default Log-notice
Command Mode CONFIGURATION
Usage Information To reset the log-file severity to the default level, use the no logging log-file severity command. The default severity level is log-notice. Supported on the MX9116n and MX5108n switches in Full Switch mode starting in release 10.4.0E(R3S). Also supported in SmartFabric mode starting in release 10.5.0.1.
Command mode CONFIGURATION
Usage information Use this command to specify the configured crypto security profile to use to send system messages to a remote server over TLS. TLS requires an X.509v3 certificate-key pair installed on the switch.
Example
OS10(config)# logging security-profile prof1
Supported releases 10.5.0 or later
logging server
Configures a remote syslog server.
show logging
Displays system logging messages by log file, process-names, or summary.
Syntax show logging {log-file [process-name | line-numbers] | process-names}
Parameters
● process-name — (Optional) Enter the process-name to use as a filter in syslog messages.
● line-numbers — (Optional) Enter the number of lines to include in the logging messages, from 1 to 65535.
Default None
Command Mode EXEC
Usage Information The output from this command is the /var/log/eventlog file.
Example
OS10# show trace
May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.c:nl_to_neigh_info:109, Operation:Add-NH family:IPv4(2) flags:0x0 state:Failed(32) if-idx:4
May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.c:nl_to_neigh_info:120, NextHop IP:192.168.10.
Supported Releases
Processor  5Sec(%)     1Min(%)     5Min(%)
           High  Low   High  Low   High  Low
==================================================
Overall    0     0     10    5     80    70
CPU Utilization commands
show processes cpu
Displays information about CPU usage for processes running in the system.
Syntax show processes cpu {summary | num-of-tasks}
Parameters
● summary—Display a summary of CPU usage.
● num-of-tasks—Specify the number of tasks to display in order of the highest CPU usage in the past 5 seconds, 1 minute, and 5 minutes.
Example
OS10# show util-threshold cpu
Processor  5Sec(%)     1Min(%)     5Min(%)
           High  Low   High  Low   High  Low
====================================================
Overall    0     0     10    5     80    70
Supported Releases 10.5.2.0 or later
util-threshold cpu
Sets the CPU utilization threshold values.
Syntax util-threshold cpu cpu-utilization-time threshold threshold-percentage
Parameters
● cpu-utilization-time—Set the CPU threshold time:
○ 1min—Set threshold to 1-minute CPU utilization.
==========================
Overall 80 60
Memory Utilization commands
show processes memory
Displays information about memory usage for processes running in the system.
Syntax show processes memory [num-of-tasks]
Parameters num-of-tasks—(Optional) Specify the number of tasks to display with highest memory usage, from 1 to 99.
util-threshold memory
Configures the high or low memory utilization thresholds for SNMP traps.
Syntax util-threshold memory threshold threshold-percentage
Parameters
● threshold—Set the threshold value:
○ high—High threshold. The default is 92.
○ low—Low threshold.
● threshold-percentage—Set the threshold percentage, from 0 to 100.
linuxadmin@OS10:~$
To log in to OS10 and access the command-line interface, enter su - admin at the Linux shell prompt, then admin as the password.
linuxadmin@OS10:~$ su - admin
Password: admin
OS10#
Frequently asked questions
This section contains answers to frequently asked questions for ONIE-enabled devices.
● Installation contains information about how to enter ONIE: Install mode after a reboot, find information about your specific switch, how to log into the OS10 shell, and so on.
Configuration
How do I enter CONFIGURATION mode?
Use the configure terminal command to change from EXEC mode to CONFIGURATION mode.
I made changes to the running configuration file but the updates are not showing. How do I view my changes?
Use the show running-configuration command to view changes that you have made to the running-configuration file.
Access control lists
How do I set up filters to deny or permit packets from an IPv4 or IPv6 address?
Use the deny or permit commands to create ACL filters.
How do I clear access-list counters?
Use the clear ip access-list counters, clear ipv6 access-list counters, or clear mac access-list counters commands.
How do I set up filters to automatically assign sequence numbers for specific addresses?
Use the seq deny or seq permit commands for specific packet filtering.
29 Support resources
The Dell EMC Support site provides a range of documents and tools to assist you with effectively using Dell EMC devices. Through the support site you can obtain technical information regarding Dell EMC products, access software upgrades and patches, download available management software, and manage your open cases. The Dell EMC support site provides integrated, secure access to these services. To access the Dell EMC Support site, go to www.dell.com/support/.