Dell Configuration Guide for the S6000 System 9.14.2.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents (excerpt; page numbers omitted)

1 About this Guide
Audience
Conventions
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Allowing Access to Different Modes
Applying a Privilege Level to a Username
Enabling 802.1X
Configuring dot1x Profile
Configuring MAC addresses for a dot1x Profile
Applying Egress Layer 3 ACLs (Control-Plane)
IP Prefix Lists
Configuration Task List for Prefix Lists
Enabling four-byte autonomous system numbers
Changing a BGP router ID
Configuring AS4 Number Representations
Configuring a BGP peer
Unified Forwarding Table (UFT) Modes
Configuring UFT Modes
11 Control Plane Policing (CoPP)
Configure Control Plane Policing
DCBx Example
DCBx Prerequisites and Restrictions
Configuring DCBx
Configuring the Hash Algorithm
Enabling Deterministic ECMP Next Hop
Configuring the Hash Algorithm Seed
Link Bundle Monitoring
Creating the FRRP Group
Configuring the Control VLAN
Configuring and Adding the Member VLANs
Setting the FRRP Timers
Configuring Layer 2 (Data Link) Mode
Configuring Layer 2 (Interface) Mode
Configuring Layer 3 (Network) Mode
Configuring Layer 3 (Interface) Mode
Auto-Negotiation on Ethernet Interfaces
Setting the Speed of Ethernet Interfaces
Set Auto-Negotiation Options
Extended Address Space
Stateless Autoconfiguration
IPv6 Headers
Multi-Topology IS-IS
Transition Mode
Interface Support
27 Layer 2
Manage the MAC Address Table
Clearing the MAC Address Table
Relevant Management Objects
29 Microsoft Network Load Balancing
Configuring a Switch for NLB
Enabling a Switch for Multicast NLB
MSTP Sample Configurations
Debugging and Verifying MSTP Configurations
32 Multicast Features
Enabling IP Multicast
Assigning Area ID on an Interface
Assigning OSPFv3 Process ID and Router ID Globally
Assigning OSPFv3 Process ID and Router ID to a VRF
Configuring Stub Areas
Configuring Monitor Multicast Queue
Flow-Based Monitoring
Enabling Flow-Based Monitoring
Displaying WRED Drop Statistics
Displaying egress-queue Statistics
Pre-Calculating Available QoS CAM Space
45 Security
AAA Accounting
Configuration Task List for AAA Accounting
RADIUS Accounting
Dell EMC Networking OS Image Verification
Startup Configuration Verification
Configuring the root User Password
Important Points to Remember
Set up SNMP
Creating a Community
MIB support for interface level port security
MIB objects for configuring MAC addresses
MIB support for MAC notification traps
Recover from Stack Link Flaps
Recover from a Card Problem State on a Stack
50 Storm Control
Configure Storm Control
Configuring a Source IP Address for NTP Packets
Configuring NTP Authentication
Configuring NTP control key password
Configuring the NTP Step-Threshold
Layer-2 Traffic in VLT Domains
Interspersed VLANs
VLT on Core Switches
VLT Proxy Gateway Sample Topology
VLT Domain Configuration
Dell-1 VLT Configuration
Configuring a Static Route
Sample VRF Configuration
Route Leaking VRFs
Intermediate System to Intermediate System (IS-IS)
Routing Information Protocol (RIP)
Multicast
Network Management
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S6000 platform is available with Dell EMC Networking OS version 9.0(2.0) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
SUPPORTASSIST
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP
uBoot

Navigating CLI Modes

The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.

CLI Command Mode: prompt; access command
EXTENDED ACCESS-LIST (IP ACCESS-LIST modes): DellEMC(config-ext-nacl)#; ip access-list extended
IP COMMUNITY-LIST: DellEMC(config-community-list)#; ip community-list
AUXILIARY (LINE modes): DellEMC(config-line-aux)#; line
CONSOLE (LINE modes): DellEMC(config-line-console)#; line
VIRTUAL TERMINAL (LINE modes): DellEMC(config-line-vty)#; line
STANDARD ACCESS-LIST (MAC ACCESS-LIST modes): DellEMC(config-std-macl)#; mac access-list standard
EXTENDED ACCESS-LIST (MAC ACCESS-LIST modes): (entry truncated in the source)
MONITOR SESSION: DellEMC(conf-mon-sess-sessionID)#; monitor session
OPENFLOW INSTANCE: DellEMC(conf-of-instance-ofid)#; openflow of-instance
PORT-CHANNEL FAILOVER-GROUP: DellEMC(conf-po-failover-grp)#; port-channel failover-group
PRIORITY GROUP: DellEMC(conf-pg)#; priority-group
PROTOCOL GVRP: DellEMC(config-gvrp)#; protocol gvrp
QOS POLICY: DellEMC(conf-qos-policy-outets)#; qos-policy-output
SUPPORTASSIST: DellEMC(support-assist)#; support-assist
VLT DOMAIN: (entry truncated in the source)
(earlier rows of the show environment output are not reproduced here)

Fan Status
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
0     0    up          up    9120   up    9120
0     1    up          up    9120   up    9120
Speed in RPM
DellEMC(conf)#

Undoing Commands

When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command.

Entering and Editing Commands

Notes for entering commands:
• The CLI is not case-sensitive.
• You can enter partial CLI keywords. Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters "cl." You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands.
Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case suboption. Starting with Dell EMC Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to case-insensitive.
• On the system that telnets into the switch, this message appears:
  % Warning: The following users are currently configuring the system: User "" on line console0
• On the system that is connected over the console, this message appears:
  % Warning: User "" on line vty0 "10.11.130.

EXEC Privilege mode
DellEMC#show alias details

DellEMC# show alias details
-----------------------------------------------------------------
Name: showipbr10
Definition: show ip interface brief | grep tengig ignore-case
-----------------------------------------------------------------
Name: showipbr40
Definition: show ip interface brief | grep fortygig ignore-case
-----------------------------------------------------------------
DellEMC#
3 Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.

Accessing the Console Port

To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or secure shell (SSH). Telnet carries credentials and session contents in clear text, so prefer SSH and leave Telnet disabled unless you have a specific need for it.
• The platform has a dedicated management port and a management routing table that is separate from the IP routing table.
• You can manage all Dell EMC Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.

Configuring the system for remote access is a three-step process, as described in the following topics:
1.

• access-class access-list-name: Enter the name of a configured IP ACL.
• nopassword: Allows you to configure a user without a password.
• password: Allows you to configure a user with a password.
• secret: Specify a secret string for a user.
• sha256-password: Uses the sha256-based encryption method for the password.
• encryption-type: Enter the encryption type for securing a user password. There are four encryption types.
  • 0 — input the password in clear text.
Configuration File Management Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode. Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference.
To mount an NFS file system, perform the following steps:

Table 4. Mounting an NFS File System
File Operation: To mount an NFS file system
Syntax: mount nfs rhost:path mountpoint username password

The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command.

flash:          Copy to local file system ([flash://]filepath)
nfsmount:       Copy to nfs mount file system (nfsmount:///filepath)
running-config  remote host:
Destination file name [test.c]:
!
225 bytes successfully copied
DellEMC#

Save the Running-Configuration

The running-configuration contains the current system configuration. Dell EMC Networking recommends copying your running-configuration to the startup-configuration.
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
EXEC Privilege mode cd directory View Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. NOTE: The timestamps display format of the show command history output changes based on the service timestamps log datetime configuration.
[1d0h24m]: CMD-(CLI):[service timestamps log uptime]by default from console
[1d0h24m]: CMD-(CLI):[interface tengigabitethernet 1/1]by default from console
[1d0h24m]: CMD-(CLI):[shutdown]by default from console
[1d0h24m]: CMD-(CLI):[no shutdown]by default from console
- Repeated 1 time.
[1d0h25m]: CMD-(CLI):[end]by default from console
[1d0h25m]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time.

However, these changes are backward-compatible and do not affect existing behavior; meaning, you can still use the ip http source-interface command to communicate with a particular interface even if no VRF is configured on that interface.

NOTE: If the HTTP service is not VRF-aware, then it uses the global routing table to perform the look-up. To enable an HTTP client to look up the VRF table corresponding to either the management VRF or any non-default VRF, use the ip http vrf command in CONFIGURATION mode.
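The command-history trace is the record you would pull when reconstructing who changed what on the switch. The following is an added Python example, not code from the Dell guide: it parses trace lines in the "[timestamp]: CMD-(CLI):[command]by user from source" layout shown above, folds the "- Repeated N time(s)." lines into a count on the preceding command, and flags commands from an assumed watch list. The sample lines are constructed; the "admin from vty0" entry is an assumption added for illustration.

```python
import re
from collections import Counter

# Constructed sample of command-history trace lines, in the
# "[timestamp]: CMD-(CLI):[command]by user from source" layout the guide shows.
# The "admin from vty0" line is an assumption added for illustration.
SAMPLE_TRACE = """\
[1d0h24m]: CMD-(CLI):[service timestamps log uptime]by default from console
[1d0h24m]: CMD-(CLI):[interface tengigabitethernet 1/1]by default from console
[1d0h24m]: CMD-(CLI):[shutdown]by default from console
[1d0h25m]: CMD-(CLI):[no shutdown]by default from console
[1d0h25m]: CMD-(CLI):[end]by default from console
[1d0h25m]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time.
[May 17 15:42:52]: CMD-(CLI):[username ops privilege 15]by admin from vty0
"""

TRACE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: CMD-\(CLI\):\[(?P<cmd>[^\]]*)\]"
    r"by (?P<user>\S+) from (?P<src>\S+)$"
)
# "- Repeated N time(s)." applies to the immediately preceding command.
REPEAT_RE = re.compile(r"^-?\s*Repeated (?P<n>\d+) time")

# Command prefixes worth reviewing (assumed watch list, not from the guide).
WATCH_PREFIXES = ("shutdown", "no shutdown", "write memory", "username",
                  "enable password", "ip access-list", "no logging")


def parse_trace(text):
    """Turn trace lines into dicts with ts, cmd, user, src and a repeat count."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["count"] = 1
            records.append(rec)
            continue
        r = REPEAT_RE.match(line)
        if r and records:
            records[-1]["count"] += int(r.group("n"))
    return records


def flagged(records):
    """Records whose command starts with a watched prefix."""
    return [r for r in records if r["cmd"].startswith(WATCH_PREFIXES)]


def per_user_totals(records):
    """Commands executed (repeats included) per (user, source line)."""
    totals = Counter()
    for r in records:
        totals[(r["user"], r["src"])] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for r in flagged(recs):
        print(f'{r["ts"]:>16}  {r["user"]}@{r["src"]}  x{r["count"]}  {r["cmd"]}')
    print(per_user_totals(recs))
```

Because the trace never stores password material, a flagged username or enable password line tells you that a credential changed and who changed it, without exposing the new value; pair it with the audit log if you need the before/after configuration.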
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
A user can access all commands at his privilege level and below. Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
CONFIGURATION mode
privilege configure level level {interface | line | route-map | router} {command-keyword [command-keyword ...]}

Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
• CONFIGURATION mode
privilege {configure | interface | line | route-map | router} level level {command [command ...]}

vlan: VLAN keyword
DellEMC(conf)# interface group vlan 1 - 2 , tengigabitethernet 1/1
DellEMC(conf-if-group-vl-1-2,te-1/1)# no shutdown
DellEMC(conf-if-group-vl-1-2,te-1/1)# end

Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
• Configure a privilege level for a user.
CONFIGURATION mode
username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.

Enabling Audit and Security Logs

You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode.

Audit Logs

The audit log contains configuration events and information. The types of information in this log consist of the following:
• User logins to the switch.

Clearing Audit Logs

To clear audit logs, use the clear logging auditlog command in EXEC mode. When RBAC is enabled, only the system administrator user role can issue this command.

Example of the clear logging auditlog Command
DellEMC# clear logging auditlog

Configuring Logging Format

To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0. Version 0 (RFC 3164) timestamps carry no year and no time zone, so if your collector correlates events across devices, version 1 (RFC 5424) gives it an unambiguous RFC 3339 timestamp to work with.
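To see what logging version 0 versus 1 changes on the wire, here is an added Python example (not from the Dell guide) that renders one constructed switch message in the RFC 3164 and RFC 5424 layouts and then parses either form back into fields, the way a collector has to. The facility (local7) and severity (notice) are assumed; the guide does not state what the switch uses, and the hostname "DellEMC" is taken from the prompt only for illustration.

```python
import re
from datetime import datetime, timezone

# Facility local7 (23) and severity 5 (notice) are assumed for the sample;
# the guide does not state the facility the switch uses.
FACILITY = 23
SEVERITY = 5

# Constructed sample event in the message style the guide shows.
SAMPLE_TS = datetime(2016, 3, 23, 8, 54, 28, tzinfo=timezone.utc)
SAMPLE_MSG = ("%FILEMGR-5-FILESAVED: Copied running-config to "
              "startup-config in flash by default")


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def format_rfc3164(ts, host, msg, facility=FACILITY, severity=SEVERITY):
    """logging version 0: <PRI>Mmm dd hh:mm:ss HOST MSG (no year, no zone)."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {host} {msg}"


def format_rfc5424(ts, host, msg, facility=FACILITY, severity=SEVERITY,
                   appname="-", procid="-", msgid="-"):
    """logging version 1: <PRI>1 RFC3339-TS HOST APP PROCID MSGID SD MSG."""
    stamp = ts.isoformat(timespec="seconds").replace("+00:00", "Z")
    return (f"<{pri(facility, severity)}>1 {stamp} {host} "
            f"{appname} {procid} {msgid} - {msg}")


RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line):
    """Detect which version a received line uses and split out its fields."""
    m = RFC5424_RE.match(line)
    if m:
        fields = m.groupdict()
        fields["version"] = 1
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        fields = m.groupdict()
        fields["version"] = 0
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields


if __name__ == "__main__":
    for line in (format_rfc3164(SAMPLE_TS, "DellEMC", SAMPLE_MSG),
                 format_rfc5424(SAMPLE_TS, "DellEMC", SAMPLE_MSG)):
        print(line)
        print(parse_syslog(line))
```

The practical consequence: a collector that only understands one layout will either drop or mis-parse the other, so change logging version and the collector's parser together, and check with a test message before you rely on the feed for alerting.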
Figure 2. Setting Up a Secure Connection to a Syslog Server

Prerequisites

To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server:
DellEMC(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch. The command takes the standard ssh -R port:host:hostport form; the placeholder names below are ours, standing in for the values you choose:
ssh -R remote_port:syslog_server_ip:syslog_server_port user@remote_host -nNf
Here remote_host is the switch. Once the tunnel is up, sshd on the switch listens on remote_port and forwards anything it receives through the encrypted tunnel to syslog_server_ip:syslog_server_port, so the switch can be pointed at its own tunnel endpoint instead of sending syslog in clear text across the network. In the following example the syslog server IP address is 10.156.166.

Log Messages in the Internal Buffer

All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
Track Login Activity Dell EMC Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
Example of the show login statistics all command

The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom defined time period.

DellEMC#show login statistics all
-----------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.

The following is sample output of the show login statistics unsuccessful-attempts user login-id command.

DellEMC# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).

The following is sample output of the show login statistics successful-attempts command.

DellEMC#show login statistics successful-attempts
There were 4 successful login attempt(s) for user admin in last 30 day(s).

session, the system does not allow any further attempt to log in, because the maximum number of concurrent sessions has been reached, even though more VTY lines are available. You can still log in as a different user, since VTY lines remain available. The following example enables you to clear your existing login sessions.

• CONFIGURATION mode
logging buffered level
Specify the minimum severity level for logging to the console.
• CONFIGURATION mode
logging console level
Specify the minimum severity level for logging to terminal lines.
• CONFIGURATION mode
logging monitor level
Specify the minimum severity level for logging to a syslog server.
• CONFIGURATION mode
logging trap level
Specify the minimum severity level for logging to the syslog history table.
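The bookkeeping behind the login banner, show login statistics and the per-user concurrent-session limit described above, as an added Python example that is not part of the Dell guide. The event list is constructed (the addresses, users and times are illustrative), the banner wording is ours, and the window arithmetic mirrors the "in last N day(s)" reports shown earlier.

```python
from datetime import datetime, timedelta

# Constructed login events: (time, user, line/source, success). Not device
# output; the addresses and times are illustrative only.
EVENTS = [
    (datetime(2016, 3, 12, 9, 0, 0),   "admin", "vty0 (10.16.127.35)", True),
    (datetime(2016, 3, 20, 10, 15, 0), "admin", "vty1 (10.16.127.35)", False),
    (datetime(2016, 3, 22, 11, 0, 0),  "admin", "vty0 (10.16.127.35)", False),
    (datetime(2016, 3, 23, 8, 54, 28), "admin", "vty0 (10.16.127.35)", True),
    (datetime(2016, 3, 23, 9, 10, 0),  "admin", "vty0 (10.16.127.35)", False),
    (datetime(2016, 3, 23, 9, 12, 0),  "admin", "vty0 (10.16.127.35)", False),
    (datetime(2016, 3, 23, 9, 14, 0),  "admin", "vty0 (10.16.127.35)", False),
    (datetime(2016, 3, 23, 10, 0, 0),  "ops",   "console0",            True),
]
NOW = datetime(2016, 3, 24, 0, 0, 0)


def login_summary(events, user, now, days):
    """What the login banner and show login statistics report for one user."""
    window_start = now - timedelta(days=days)
    succ = [e for e in events if e[1] == user and e[3]]
    fail = [e for e in events if e[1] == user and not e[3]]
    last = max(succ, key=lambda e: e[0], default=None)
    # Failures that happened after the most recent success (or all of them
    # if the user has never logged in successfully).
    since_last = [e for e in fail if last is None or e[0] > last[0]]
    return {
        "last_login": last[0] if last else None,
        "last_location": last[2] if last else None,
        "failed_since_last_login": len(since_last),
        "failed_in_window": sum(1 for e in fail if e[0] >= window_start),
        "successful_in_window": sum(1 for e in succ if e[0] >= window_start),
    }


def login_banner(events, user, now):
    """Text in the spirit of the banner shown at login (wording is ours)."""
    s = login_summary(events, user, now, days=30)
    if s["last_login"] is None:
        return f"No previous successful login recorded for {user}."
    return (f"Last successful login: {s['last_login']:%H:%M:%S %b %d %Y} "
            f"on {s['last_location']}; "
            f"{s['failed_since_last_login']} unsuccessful attempt(s) since then.")


def can_open_session(active_users, user, limit):
    """Per-user concurrent-session limit: a user already at the limit is
    refused even though free VTY lines remain; a different user is admitted."""
    return sum(1 for u in active_users if u == user) < limit


if __name__ == "__main__":
    print(login_banner(EVENTS, "admin", NOW))
    print(login_summary(EVENTS, "admin", NOW, days=12))
    print(can_open_session(["admin", "admin"], "admin", 2),
          can_open_session(["admin", "admin"], "ops", 2))
```

The number that matters operationally is failed_since_last_login: three or more failures that the legitimate user does not recognise, shown to them at their next login, is the cheapest early warning of password guessing against the management plane you will get.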
%TSM-6-SFM_DISCOVERY: Found SFM 8
%TSM-6-SFM_DISCOVERY: Found 9 SFMs
%CHMGR-5-CHECKIN: Checkin from line card 5 (type EX1YB, 1 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 5 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 5 is up
%CHMGR-5-CHECKIN: Checkin from line card 12 (type S12YC12, 12 ports)
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%
Synchronizing Log Messages You can configure Dell EMC Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. 1. Enter LINE mode.
[May 17 15:41:50]: CMD-(CLI):[no shutdown]by default from console
[May 17 15:42:42]: CMD-(CLI):[show clock]by default from console
[May 17 15:42:52]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time.

DellEMC(conf)#service timestamps log uptime
DellEMC#show clock
15:51:47.

%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default - repeated 3 times
%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default

File Transfer Services

With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). FTP sends the username, password and file contents in clear text, so restrict it to a trusted management network (or use an ACL on the management interface) if you enable it.

• username: enter a text string.
• encryption-type: enter 0 for plain text or 7 for encrypted text.
• password: enter a text string.

NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.

To view the FTP configuration, use the show running-config ftp command in EXEC Privilege mode.

Configuring FTP Client Parameters

To configure FTP client parameters, use the following commands.
NOTE: If you already have configured generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply generic IP ACL on top of this configuration. Before applying any of these configurations, you must first undo the existing configuration using the no access-class access-list-name [ipv4 | ipv6] command.
2. Apply the method list from Step 1 to a terminal line.
CONFIGURATION mode
login authentication {method-list-name | default}
3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
LINE mode
password
In the following example, VTY lines 0-2 use a single authentication method, line.
Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
DellEMC# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
Login:
Login: admin
Password:
DellEMC>exit
DellEMC#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.
Recovering from a Forgotten Password on the S6000
If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, follow these steps:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. During bootup, press Esc when prompted to abort the boot process.
2. During bootup, press the ESC key when this message appears:
Press Esc to stop autoboot...
You enter Boot-Line Interface (BLI) mode at the BOOT_USER# prompt.
3. At the BLI prompt, set the system parameter to ignore the enable password and reload the system:
BOOT_USER mode
BOOT_USER# boot change primary
You are prompted to enter a valid boot device (for example, ftp or tftp or flash) and a path or filename for the Dell Networking OS image that you want to use.
4.
Important Points to Remember
• The Chassis remains in boot prompt if none of the partitions contain valid images.
• To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
In case the system fails to reload the image from the partition, perform the following steps:
1. Power-cycle the chassis (pull the power cord and reinsert it).
2.
Enter the stack-unit keyword and the keyword all to view the reason for the last system reboot of all stack units in the stack.
DellEMC#show reset-reason
Cause : Reset by User through CLI command
Reset Time: 11/05/2017-08:36
DellEMC# show reset-reason stack-unit 1
Cause : Reset by User through CLI command
Reset Time: 11/05/2017-08:36
Disabling Syslog Messages for SNMP Authentication Failure Events
The system generates syslog messages for SNMP authentication events.
5 802.1X
802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.
Related Configuration Tasks
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN
Important Points to Remember
• Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. In the following example, the bold lines show that 802.1X is enabled.
CONFIGURATION mode
dot1x profile {profile-name}
profile-name — Enter the dot1x profile name. The profile name length is limited to 32 characters.
DellEMC(conf)#dot1x profile test
DellEMC(conf-dot1x-profile)#
DellEMC#show dot1x profile
802.1x profile information
----------------------------
Dot1x Profile test
Profile MACs
00:00:00:00:01:11
Configuring MAC addresses for a dot1x Profile
To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses.
Port Auth Status:       AUTHORIZED(STATIC-MAB)
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Enable
Guest VLAN id:          100
Auth-Fail VLAN:         Enable
Auth-Fail VLAN id:      200
Auth-Fail Max-Attempts: 3
Critical VLAN:          Enable
Critical VLAN id:       300
Mac-Auth-Bypass Only:   Disable
Static-MAB:             Enable
Static-MAB Profile:     Sample
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     30 seconds
Server Timeout:         30 secon
Re-Auth Interval:
Max-EAP-Req:
Auth Type:
Auth PAE State:
Backend State:
Host Mode:      SINGLE_HOST
Auth PAE State: Authenticated
Backend State:  Idle
Configuring Request Identity Re-Transmissions
When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator retransmits can be configured.
Tx Period:          90 seconds
Quiet Period:       120 seconds
ReAuth Max:         2
Supplicant Timeout: 30 seconds
Server Timeout:     30 seconds
Re-Auth Interval:   3600 seconds
Max-EAP-Req:        10
Auth Type:          SINGLE_HOST
Auth PAE State:     Initialize
Backend State:      Initialize
Forcibly Authorizing or Unauthorizing a Port
The 802.1X ports can be placed into any of the three states:
• ForceAuthorized — an authorized state.
• Configure the authenticator to periodically re-authenticate the supplicant.
INTERFACE mode
dot1x reauthentication [interval] seconds
The range is from 1 to 31536000. The default is 3600.
• Configure the maximum number of times the supplicant can be re-authenticated.
INTERFACE mode
dot1x reauth-max number
The range is from 1 to 10. The default is 2.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
----------------------------
Dot1x Status:           Enable
Port Control:           FORCE_AUTHORIZED
Port Auth Status:       UNAUTHORIZED
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disable
Guest VLAN id:          NONE
Auth-Fail VLAN:         Disable
Auth-Fail VLAN id:      NONE
Auth-Fail Max-Attempts: NONE
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:
Figure 8. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode.
Re-Authentication:      Disable
Untagged VLAN id:       None
Guest VLAN:             Disabled
Guest VLAN id:          200
Auth-Fail VLAN:         Disabled
Auth-Fail VLAN id:      100
Auth-Fail Max-Attempts: 5
Tx Period:              90 seconds
Quiet Period:           120 seconds
ReAuth Max:             10
Supplicant Timeout:     15 seconds
Server Timeout:         15 seconds
Re-Auth Interval:       7200 seconds
Max-EAP-Req:            10
Auth Type:              SINGLE_HOST
Auth PAE State:         Initialize
Backend State:          Initialize
802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
• The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization.
• If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups.
• If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
1,1000
DellEMC#
Configuring FP Blocks for VLAN Parameters
To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in VLAN content-aware processor (VCAP). ACL VLAN groups or CAM optimization is not enabled by default. You also must allocate the slices for CAM optimization.
1.
(CAM usage table fragment: rows for IN-L2 ACL, IN-L3 ACL, IN-L3 FIB, IN-V6 ACL, IN-NLB ACL, IPMAC ACL, OUT-L2 ACL, OUT-L3 ACL and OUT-V6 ACL; the usage columns did not survive extraction)
Codes: * - cam usage is above 90%.
(CAM usage table fragment: OUT-L3 ACL and OUT-V6 ACL rows; the usage columns did not survive extraction)
Codes: * - cam usage is above 90%.
Allocating FP Blocks for VLAN Processes
The VLAN content-aware processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support ACL CAM optimization, the CAM carving feature is enhanced. A total of four VCAP groups are present: two fixed groups and two dynamic groups.
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Configuring UDF ACL
• Configuring IP Mirror Access Group
IP Access Control Lists (ACLs)
In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in Privilege mode. The following example shows the output when executing this command.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4. In cases where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules.
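An added example, not code from the Dell guide, that models first-match evaluation of class-map ACL rules to show why the overlapping acl1 (20.0.0.0/8) and acl2 (20.1.1.0/24) rules need the order keyword; the default priority given to rules configured without order is an assumption of this model.

```python
"""Added example (not from the Dell guide): first-match evaluation of
class-map ACL rules with and without the order keyword."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_ORDER = 254  # assumption: rules configured without order sort last


@dataclass
class AclRule:
    prefix: str                  # source network the rule permits, e.g. "20.0.0.0/8"
    order: int = DEFAULT_ORDER   # lower value = evaluated earlier

    def matches(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.prefix)


@dataclass
class ClassMap:
    name: str
    queue: int                   # queue the matching traffic is buffered in
    rules: List[AclRule] = field(default_factory=list)


def classify(src_ip: str, class_maps: List[ClassMap]) -> Tuple[Optional[str], Optional[int]]:
    """Return (class-map name, queue) of the first rule that matches src_ip.

    Candidate rules are sorted by (order, configuration position), so without
    explicit order values the class-map configured first wins."""
    candidates = []
    for position, cmap in enumerate(class_maps):
        for rule in cmap.rules:
            candidates.append((rule.order, position, rule, cmap))
    for _, _, rule, cmap in sorted(candidates, key=lambda c: (c[0], c[1])):
        if rule.matches(src_ip):
            return cmap.name, cmap.queue
    return None, None            # no class-map matched


def overlapping_rules(class_maps: List[ClassMap]) -> List[Tuple[str, str]]:
    """List (broader prefix, narrower prefix) pairs where one rule's network
    contains another's, which is exactly when evaluation order matters."""
    prefixes = [r.prefix for cmap in class_maps for r in cmap.rules]
    found = []
    for broad in prefixes:
        for narrow in prefixes:
            if broad != narrow and ipaddress.ip_network(narrow).subnet_of(
                    ipaddress.ip_network(broad)):
                found.append((broad, narrow))
    return found


def without_order() -> List[ClassMap]:
    # Constructed policy: cmap1 -> queue 7, cmap2 -> queue 4, no order keyword
    return [ClassMap("cmap1", 7, [AclRule("20.0.0.0/8")]),
            ClassMap("cmap2", 4, [AclRule("20.1.1.0/24")])]


def with_order() -> List[ClassMap]:
    # Same policy, but acl2's rule carries order 0 so the narrower match is tried first
    return [ClassMap("cmap1", 7, [AclRule("20.0.0.0/8", order=1)]),
            ClassMap("cmap2", 4, [AclRule("20.1.1.0/24", order=0)])]


if __name__ == "__main__":
    print(overlapping_rules(without_order()))      # [('20.0.0.0/8', '20.1.1.0/24')]
    print(classify("20.1.1.9", without_order()))   # ('cmap1', 7): unintended queue
    print(classify("20.1.1.9", with_order()))      # ('cmap2', 4): intended queue
    print(classify("20.9.9.9", with_order()))      # ('cmap1', 7)
```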
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
The default is permit. The optional seq keyword allows you to assign a sequence number to the route map instance. The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode.
• set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, Dell EMC Networking OS does a match between all of those match commands. If there are multiple match commands with different parameters, Dell EMC Networking OS does a match ONLY if there is a match among ALL the match commands.
• Match destination routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip address prefix-list-name
• Match destination routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 address prefix-list-name
• Match next-hop routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match next-hop routes specified in a prefix list (IPv6).
• set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route’s next hop.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
• Assign an IPv6 address as the route’s next hop.
CONFIG-ROUTE-MAP mode
set ipv6 next-hop ip-address
• Assign an ORIGIN attribute.
CONFIG-ROUTE-MAP mode
set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes.
CONFIG-ROUTE-MAP mode
set tag tag-value
• Specify a value as the route’s weight.
Example of the redistribute Command Using a Route Tag
!
router rip
 redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
 match route-type internal
 set tag 34
!
Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found.
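An added example, not code from the Dell guide, modelling route-map evaluation as described above: several match commands with the same parameter match if any value matches, different parameters must all match, a deny stops redistribution, set clauses are applied, and continue moves on to the next or a named module. The torip route map is the guide's example; the other route maps and routes are constructed, and the behaviour when a continued module finds no later match (the route stays permitted by the module that already matched) is an assumption of this model.

```python
"""Added example (not from the Dell guide): route-map match/set/continue
evaluation with the implicit deny."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Route = Dict[str, object]


@dataclass
class RouteMapInstance:
    seq: int
    action: str = "permit"                        # "permit" or "deny"
    match: Dict[str, List[object]] = field(default_factory=dict)  # parameter -> values
    set: Dict[str, object] = field(default_factory=dict)          # parameter -> value
    continue_to: Optional[Union[int, str]] = None  # None, "next", or a sequence number


def instance_matches(inst: RouteMapInstance, route: Route) -> bool:
    # Same parameter repeated: any of its values may match (OR);
    # different parameters: every one must match (AND).
    return all(route.get(param) in values for param, values in inst.match.items())


def evaluate(route_map: List[RouteMapInstance], route: Route) -> Tuple[bool, Route]:
    """Return (redistributed?, route after set clauses)."""
    instances = sorted(route_map, key=lambda i: i.seq)
    route = dict(route)
    permitted = False             # becomes True once a permit module has matched
    idx = 0
    while idx < len(instances):
        inst = instances[idx]
        if not instance_matches(inst, route):
            idx += 1              # no match: try the next module
            continue
        if inst.action == "deny":
            return False, route   # matched a deny: not redistributed
        permitted = True
        route.update(inst.set)    # apply this module's set clauses
        if inst.continue_to is None:
            return True, route    # normal case: stop at the first match
        if inst.continue_to == "next":
            idx += 1
        else:                     # continue <seq>: jump to that module
            later = [i for i, x in enumerate(instances) if x.seq >= inst.continue_to]
            if not later:
                break
            idx = later[0]
    # Nothing (more) matched: implicit deny unless a permit module already matched
    return permitted, route


def route_map_torip() -> List[RouteMapInstance]:
    # The guide's example: route-map torip permit 10 / match route-type internal / set tag 34
    return [RouteMapInstance(10, "permit", {"route_type": ["internal"]}, {"tag": 34})]


def route_map_with_continue() -> List[RouteMapInstance]:
    # Constructed: module 10 (tag 10 OR 20) sets a metric and continues at 30,
    # skipping module 20; module 30 needs internal AND tag 10.
    return [
        RouteMapInstance(10, "permit", {"tag": [10, 20]}, {"metric": 5}, continue_to=30),
        RouteMapInstance(20, "permit", {"route_type": ["external"]}, {"metric": 99}),
        RouteMapInstance(30, "permit", {"route_type": ["internal"], "tag": [10]},
                         {"next_hop": "10.0.0.1"}),
    ]


if __name__ == "__main__":
    print(evaluate(route_map_torip(), {"route_type": "internal", "tag": 0}))
    print(evaluate(route_map_with_continue(), {"route_type": "internal", "tag": 10}))
```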
Example of Denying Second and Subsequent Fragments
DellEMC(conf)#ip access-list extended ABC
DellEMC(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32
DellEMC(conf-ext-nacl)
Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked.
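An added example, not code from the Dell guide, that evaluates the ACL ABC above (deny ip any 10.1.1.1/32 fragments, then permit ip any 10.1.1.1/32) against initial and non-initial fragments. The semantics assumed, in line with the fragments rule described above: an L3-only line with the fragments keyword matches only packets whose fragment offset (FO) is greater than zero, a line without it matches regardless of FO, the first matching line wins, and an unmatched packet is denied.

```python
"""Added example (not from the Dell guide): fragments-keyword evaluation
for an extended IP ACL."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str             # "tcp", "udp", "icmp", ...
    fragment_offset: int = 0  # FO from the IP header; 0 for an unfragmented or initial fragment


@dataclass
class AclEntry:
    seq: int
    action: str               # "permit" or "deny"
    protocol: str             # "ip" matches every protocol
    src: str                  # "any" or CIDR
    dst: str                  # "any" or CIDR
    fragments: bool = False   # the fragments keyword


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not (_addr_matches(entry.src, pkt.src) and _addr_matches(entry.dst, pkt.dst)):
        return False
    # L3 information matched; with the fragments keyword the FO is now checked,
    # so only non-initial fragments (FO > 0) match this line.
    return pkt.fragment_offset > 0 if entry.fragments else True


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if entry_matches(entry, pkt):
            return entry.action, entry.seq
    return "deny", None       # implicit deny


def acl_abc() -> List[AclEntry]:
    # The guide's example: non-initial fragments to 10.1.1.1 are dropped,
    # everything else addressed to that host is allowed.
    return [AclEntry(5, "deny", "ip", "any", "10.1.1.1/32", fragments=True),
            AclEntry(10, "permit", "ip", "any", "10.1.1.1/32")]


def acl_abc_reversed() -> List[AclEntry]:
    # Constructed: the same two lines in the opposite order; the permit line now
    # matches every fragment first, so the fragments deny never fires.
    return [AclEntry(5, "permit", "ip", "any", "10.1.1.1/32"),
            AclEntry(10, "deny", "ip", "any", "10.1.1.1/32", fragments=True)]


if __name__ == "__main__":
    # Constructed packets: an initial fragment and a later fragment of the same datagram
    initial = Packet("192.0.2.10", "10.1.1.1", "udp", fragment_offset=0)
    later = Packet("192.0.2.10", "10.1.1.1", "udp", fragment_offset=185)
    print(evaluate(acl_abc(), initial))          # ('permit', 10)
    print(evaluate(acl_abc(), later))            # ('deny', 5)
    print(evaluate(acl_abc_reversed(), later))   # ('permit', 5): order matters
```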
A standard IP ACL uses the source IP address as its match criterion.
1. Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-list-name
2. Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [dscp] [order] [monitor [session-id]] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
they were configured (for example, the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
DellEMC(config-route-map)#ip access standard acl1
DellEMC(config-std-nacl)#permit 10.1.0.0/16 monitor 177
DellEMC(config-std-nacl)#show config
!
ip access-list standard acl1
 seq 5 permit 10.1.0.
ip access-list extended vv
 seq 25 permit tcp any eq 40 any eq 33
 seq 30 permit tcp any eq 33 any eq 43
 seq 35 permit tcp any range www 194 any eq 101
 seq 40 permit udp any eq 434 any gt mobile-ip
 seq 45 deny udp any eq 53 any lt ntp
Configure Filters, ICMP Packets
To create a filter for ICMP packets with a specified sequence number, use the following commands.
1. Create either an extended IPv4 or IPv6 ACL and assign it a unique name.
DellEMC(config-ext-nacl)#show ipv6 accounting access-list
!
Extended Ingress IPv6 access list icmpv6 on TenGigabitEthernet 1/1
Total cam count 9
 seq 5 permit icmp any any echo count (40 packets)
 seq 10 permit icmp any any echo-reply count (50 packets)
 seq 15 permit icmp any any nd-ns count (30 packets)
 seq 20 permit icmp any any nd-na count (56 packets)
 seq 25 permit icmp any any packet-too-big count (25 packets)
 seq 30 permit icmp any any parameter-problem count (34 packets)
 seq 35 permit icmp any any time
• Configure a deny or permit filter to examine IP packets.
CONFIG-EXT-NACL mode
{deny | permit} {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]
• Configure a deny or permit filter to examine TCP packets.
CONFIG-EXT-NACL mode
{deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [monitor [session-id]] [fragments]
• Configure a deny or permit filter to examine UDP packets.
Assign an IP ACL to an Interface To pass traffic through a configured IP ACL, assign that ACL to a physical interface, a port channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in the ACL. The same ACL may be applied to different interfaces and that changes its functionality.
Configure Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. To create an ingress ACL, use the ip access-group command in EXEC Privilege mode. The example shows applying the ACL rules to the newly created access group and viewing the access list.
DellEMC(config-ext-nacl)#deny icmp any any
DellEMC(config-ext-nacl)#permit 1.1.1.2
DellEMC(config-ext-nacl)#end
DellEMC#show ip accounting access-list
!
Extended Ingress IP access list abcd on tengigabitethernet 0/0
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 seq 15 permit 1.1.1.
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24.
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20.
The following rules apply to prefix lists:
• A prefix list without any permit or deny filters allows all routes.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list.
• After a route matches a filter, the filter’s action is applied.
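An added example, not code from the Dell guide, implementing the prefix-list rules listed above: a filter matches a route that falls inside its prefix with a mask length in the ge/le range (exact length when neither is given), filters are tried in sequence order and the first match decides, a non-empty list with no match is an implicit deny, and an empty list allows all routes. The prefix list demo_prefix_list() is constructed for the example.

```python
"""Added example (not from the Dell guide): IP prefix-list evaluation with
ge/le and the implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixListEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # network in CIDR form, e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # match routes with mask length >= ge
    le: Optional[int] = None    # match routes with mask length <= le

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix)
        rt = ipaddress.ip_network(route)
        if rt.version != net.version or not rt.subnet_of(net):
            return False        # the route must fall inside the entry's prefix
        # Without ge/le the mask must match exactly; ge alone extends the range
        # up to the host mask, le alone extends it down from the entry's own length.
        low = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = rt.max_prefixlen if self.ge is not None else net.prefixlen
        return low <= rt.prefixlen <= high


def evaluate(entries: List[PrefixListEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching entry).  An empty list permits
    everything; a non-empty list without a match denies (implicit deny)."""
    if not entries:
        return "permit", None
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action, entry.seq
    return "deny", None


def demo_prefix_list() -> List[PrefixListEntry]:
    # Constructed list: drop 10/8 routes with masks up to /24, allow the more
    # specific 10/8 routes, then a 'permit all' like the guide's Juba list.
    return [
        PrefixListEntry(5, "deny", "10.0.0.0/8", le=24),
        PrefixListEntry(10, "permit", "10.0.0.0/8", ge=25),
        PrefixListEntry(15, "permit", "0.0.0.0/0", le=32),
    ]


if __name__ == "__main__":
    for route in ("10.1.0.0/16", "10.1.1.0/25", "192.168.0.0/16"):
        print(route, evaluate(demo_prefix_list(), route))
```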
NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in PREFIX LIST mode. If you are creating a standard prefix list with only one or two filters, you can let Dell EMC Networking OS assign a sequence number based on the order in which the filters are configured.
The following example shows the show ip prefix-list summary command.
DellEMC>
DellEMC>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
DellEMC>
Applying a Prefix List for Route Redistribution
To pass traffic through a configured prefix list, use the prefix list in a route redistribution command.
To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode.
DellEMC(conf-router_ospf)#show config
!
router ospf 34
 network 10.2.1.1 255.255.255.255 area 0.0.0.1
 distribute-list prefix awe in
DellEMC(conf-router_ospf)#
ACL Remarks
While defining ACL rules, you can optionally include a remark to make the ACLs more descriptive. You can include a remark with a maximum of 80 characters in length.
The remark number is optional. The following is an example of removing a remark.
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}
Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command. The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2.
DellEMC(config-ext-nacl)# show config
!
ip access-list extended test
 remark 4 XYZ
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.
Implementation Information
ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric. Route maps also have an “implicit deny.” However, unlike ACLs and prefix lists, where the packet or traffic is dropped, in route maps a route that does not match any of the route map conditions is not redistributed.
(tail of a CAM allocation table: VmanQos, EcfmAcl, FcoeAcl, iscsiOptAcl, ipv4pbr, vrfv4Acl, Openflow, fedgovacl and nlbclusteracl rows; the numeric columns did not survive extraction)
DellEMC#
4. Create a UDF packet format in the UDF TCAM table.
CONFIGURATION mode
udf-tcam name seq number
DellEMC(conf)#udf-tcam ipnip seq 1
5. Configure a UDF ID to parse packet headers using the specified number of offset and required bytes.
CONFIGURATION-EXTENDED-ACCESS-LIST mode
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} udf-pkt-format name udf-qualifier-value name
DellEMC(config-ext-nacl)#permit ip any any udf-pkt-format ipinip udf-qualifier-value ipnip_val1
12. View the UDF TCAM configuration.
Dell(conf)#monitor session 65535 type erpm
Dell(conf)#ip access-list extended test
Dell(config-ext-nacl)#permit ip any any count monitor 65535
Dell(config-ext-nacl)#end
Dell(conf)#interface TenGigabitEthernet 1/5
Dell(conf-if-te-1/5)#ip mirror-access-group test acl3
Dell(conf-if-te-1/5)#end
Example of viewing IP mirror-access-group applied to an Interface
Dell(conf-if-te-1/5)#show config
!
interface TenGigabitEthernet 1/5
 no ip address
 ip mirror-access-group acl3 in
 shutdown
Dell(conf-if-te-1/5)#
8 Bidirectional Forwarding Detection (BFD)
BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 9. BFD in IPv4 Packet Format
Field            Description
Diagnostic Code  The reason that the last session failed.
State            The current local session state. Refer to BFD Sessions.
Flag             A bit that indicates packet function.
Field                    Description
Your Discriminator       A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval  The minimum rate at which the local system would like to send control packets to the remote system.
State  Description
Up     Both systems are exchanging control packets.
The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
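An added example, not code from the Dell guide, covering the BFD Packet Format and Session State Changes sections above: it parses the mandatory section of a BFD control packet carried in the UDP payload (Diagnostic Code, State, flag bits, discriminators and intervals), computes the asynchronous-mode detection time (multiplier times the agreed interval, as in the TX/RX/Multiplier line of the show output), and applies the receive-side state transitions such as Down plus a received Down giving Init. Field layout and transitions follow RFC 5880; the sample packet bytes are constructed.

```python
"""Added example (not from the Dell guide): BFD control packet parsing,
detection time, and session state transitions per RFC 5880."""
import struct
from typing import Dict, NamedTuple

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAG_NAMES = {0: "No Diagnostic", 1: "Control Detection Time Expired",
              2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
              4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
              7: "Administratively Down", 8: "Reverse Concatenated Path Down"}


class BfdControl(NamedTuple):
    version: int
    diag: str                    # Diagnostic Code: why the last session went down
    state: str                   # current session state of the sender
    flags: Dict[str, bool]       # P, F, C, A, D, M flag bits
    detect_mult: int
    my_discriminator: int
    your_discriminator: int      # 0 until the remote discriminator is learned
    desired_min_tx_us: int       # Desired Min TX Interval, microseconds
    required_min_rx_us: int      # Required Min RX Interval, microseconds
    required_min_echo_rx_us: int


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Parse the mandatory 24-byte section of a BFD control packet and apply
    the receive-side validity checks that make a receiver discard it."""
    if len(payload) < 24:
        raise ValueError("truncated: a BFD control packet is at least 24 bytes")
    (b0, b1, mult, length, my_disc, your_disc,
     tx, rx, echo) = struct.unpack("!BBBBIIIII", payload[:24])
    version, diag = b0 >> 5, b0 & 0x1F          # byte 0: Vers(3) | Diag(5)
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length < 24 or length > len(payload):
        raise ValueError("Length field inconsistent with the packet")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be non-zero")
    names = ["P", "F", "C", "A", "D", "M"]       # byte 1: Sta(2) then these six bits
    flags = {n: bool(b1 >> (5 - i) & 1) for i, n in enumerate(names)}
    if flags["A"] and length < 26:
        raise ValueError("A bit set but no Authentication Section present")
    return BfdControl(version, DIAG_NAMES.get(diag, f"Reserved({diag})"),
                      STATE_NAMES[(b1 >> 6) & 0x3], flags, mult, my_disc, your_disc,
                      tx, rx, echo)


def detection_time_us(local_required_min_rx_us: int, rem: BfdControl) -> int:
    """Asynchronous-mode detection time: the remote Detect Mult times the agreed
    interval, i.e. the larger of our Required Min RX and the remote Desired Min TX."""
    return rem.detect_mult * max(local_required_min_rx_us, rem.desired_min_tx_us)


def next_state(local: str, remote_state: str) -> str:
    """Local session state after receiving a packet that carries remote_state."""
    if local == "AdminDown":
        return local                 # administratively down: received packets are ignored
    if remote_state == "AdminDown":
        return "Down"                # neighbor signaled session down
    transitions = {("Down", "Down"): "Init", ("Down", "Init"): "Up",
                   ("Init", "Init"): "Up", ("Init", "Up"): "Up",
                   ("Up", "Down"): "Down"}
    return transitions.get((local, remote_state), local)


def build_sample_packet() -> bytes:
    # Constructed: version 1, diag 0, state Down, no flags, mult 3, length 24,
    # My Discriminator 1, Your Discriminator 0 (not learned yet), TX/RX 100 ms, no echo.
    return struct.pack("!BBBBIIIII", 1 << 5, 1 << 6, 3, 24, 1, 0, 100_000, 100_000, 0)


if __name__ == "__main__":
    pkt = parse_bfd_control(build_sample_packet())
    print(pkt.state, pkt.diag, detection_time_us(100_000, pkt), "us")   # Down ... 300000 us
    print(next_state("Down", pkt.state))                                 # Init
```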
• Configuring Protocol Liveness
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
 Number of packets received from neighbor: 4092
 Number of packets sent to neighbor: 4093
 Number of state changes: 1
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 7
Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF.
Figure 12. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF.
Dell#show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 11.1.1.1  11.1.1.2     Te 1/1      Up      200      200      3      R
* 21.1.1.1  21.1.1.2     Vl 100      Up      200      200      3      R
* 31.1.1.1  31.1.1.
For more information on prefix lists, see IP Prefix Lists.
To enable BFD sessions on specific neighbors, perform the following steps:
Enter the following command to enable BFD session on specific next-hop neighbors:
CONFIGURATION mode
ip route bfd prefix-list prefix-list-name
The BFD session is established for the next-hop neighbors that are specified in the prefix-list.
• The absence of a prefix-list causes BFD sessions to be enabled on all the eligible next-hop neighbors.
Related Configuration Tasks
• Changing IPv6 Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for IPv6 Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF. To establish a BFD session, use the following command.
• Establish BFD sessions for all IPv6 neighbors that are the next hop of a static route.
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 11::1     11::2        Te 1/1      Up      200      200      3      R
* 21::1     21::2        Vl 100      Up      200      200      3      R
* 31::1     31::2        Vl 101      Up      200      200      3      R
The following example shows that sessions are created for static routes for the nondefault VRFs.
Related Configuration Tasks
• Changing OSPF Session Parameters
• Disabling BFD for OSPF
Establishing Sessions with OSPF Neighbors for the Default VRF
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 13.
To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.2.2    2.2.2.1      Te 2/1      Up      100      100      3      O
* 2.2.3.1    2.2.3.
* 3.3.3.3   192.168.122.137   Te 1/43   Up   1000   1000   3   VT
* 3.3.3.3   192.168.122.138   Te 1/38   Up   1000   1000   3   VT
* 3.3.3.3   192.168.122.139   Te 1/42   Up   1000   1000   3   VT
DellEMC# show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 10.1.3.2
Local MAC Addr: 00:01:e8:02:15:0e
Remote Addr: 10.1.3.
ip ospf bfd all-neighbors disable
Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3
Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface.
bfd enable
• Establish sessions with all OSPFv3 neighbors in a specific VRF.
ROUTER-OSPFv3 mode
bfd all-neighbors
• Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
INTERFACE mode
ipv6 ospf bfd all-neighbors
To disable BFD on a specific OSPFv3 enabled interface, use the ipv6 ospf bfd all-neighbors disable command. You can also use the no bfd enable command to disable BFD on a specific interface.
Changing OSPFv3 Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface. If you change a parameter globally, the change affects all IS-IS neighbor sessions.
Figure 15. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} no shutdown
5. Add a BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ipv6-address | peer-group name} remote-as as-number
6. Enable the BGP neighbor.
3. Specify the address family as IPv4.
   CONFIG-ROUTERBGP mode
   address-family ipv4 vrf vrf-name
4. Add an IPv4 BGP neighbor or peer group in a remote AS.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   neighbor {ip-address | peer-group name} remote-as as-number
5. Enable the BGP neighbor.
   CONFIG-ROUTERBGP_ADDRESSFAMILY mode
   neighbor {ip-address | peer-group-name} no shutdown
6. Add an IPv6 BGP neighbor or peer group in a remote AS.
Disabling BFD for BGP

You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor then returns to normal operation and uses the BFD session parameters configured globally with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.

• Disable a BFD for BGP session with a specified neighbor.
* 2.2.2.3    2.2.2.2    Te 6/2    Up    200    200    3    B
* 3.3.3.3    3.3.3.2    Te 6/3    Up    200    200    3    B

The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).

R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
1.1.1.2    1    282    281    0    0    0      00:38:12    0
2.2.2.2    1    273    273    0    0    (0)    04:32:26    0
3.3.3.2    1    282    281    0    0    0      00:38:12    0

The following example shows viewing BFD information for a specified neighbor. The bold lines show the message displayed when you enable a BFD session with different configurations:

• Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
Peer active in peer-group outbound optimization
...

Configure BFD for VRRP

When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.

Configuring BFD for VRRP is a three-step process:

1. Enable BFD globally.
Establishing VRRP Sessions on VRRP Neighbors

The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.

• Establish a session with a particular VRRP neighbor.
Disabling BFD for VRRP

If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors, and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or a particular VRRP session on an interface, use the following commands.

• Disable all VRRP sessions on an interface.
  INTERFACE mode
  no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
9 Border Gateway Protocol (BGP)

Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
Figure 17. BGP Topology with autonomous systems (AS)

BGP version 4 (BGPv4) supports classless interdomain routing (CIDR), aggregate routes, and AS paths. BGP is a path vector protocol: BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh

The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.

AS4 Number Representation

Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.

NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
• AS numbers larger than 65535 are represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10.

ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the dotted decimal format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
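The three notations described above, worked out as an added example (Python; this is not the guide's or Dell's code). It renders a 4-byte AS number as ASPLAIN, ASDOT+ and ASDOT, parses any of the three back to an integer, and reports whether a number needs the 4-byte AS capability. The range limits (0 to 4294967295 plain, up to 65535.65535 dotted) are the ones this chapter gives for the router bgp as-number command; the names `render`, `parse_asn` and `is_four_byte` are this example's own.

```python
"""ASPLAIN, ASDOT+ and ASDOT rendering of 4-byte BGP AS numbers (added example)."""

AS_MAX = 4294967295       # largest 4-byte AS number
TWO_BYTE_SPAN = 65536     # size of the 2-byte AS space; radix of the dotted form


def _check_range(asn: int) -> None:
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")


def to_asplain(asn: int) -> str:
    """Plain integer: 65546 -> '65546'."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """Always dotted: 65526 -> '0.65526', 65546 -> '1.10'."""
    _check_range(asn)
    high, low = divmod(asn, TWO_BYTE_SPAN)
    return f"{high}.{low}"


def to_asdot(asn: int) -> str:
    """Plain below 65536, dotted at or above: 65526 -> '65526', 65546 -> '1.10'."""
    _check_range(asn)
    return to_asplain(asn) if asn < TWO_BYTE_SPAN else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept any of the three notations and return the integer value."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high < TWO_BYTE_SPAN and 0 <= low < TWO_BYTE_SPAN):
            raise ValueError(f"dotted AS number out of range: {text}")
        asn = high * TWO_BYTE_SPAN + low
    else:
        asn = int(text)
    _check_range(asn)
    return asn


def is_four_byte(asn: int) -> bool:
    """True when the number does not fit in 2 bytes and so needs 4-byte AS support."""
    _check_range(asn)
    return asn >= TWO_BYTE_SPAN


def render(asn: int, notation: str) -> str:
    """Render in the notation selected by bgp asnotation {asplain | asdot | asdot+}."""
    table = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}
    if notation not in table:
        raise ValueError(f"unknown notation: {notation}")
    return table[notation](asn)


if __name__ == "__main__":
    for asn in (65526, 65546, 4294967295):
        print(asn, to_asplain(asn), to_asdot(asn), to_asdot_plus(asn))
```

Because the same peer AS can be written three ways, tools that compare a running configuration against an intended one should normalise through `parse_asn` before comparing rather than string-matching the displayed value.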
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
 neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57

Four-Byte AS Numbers

You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
State: Description

If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent: After a successful OpenSent transition, the router sends an Open message and waits for one in return.
OpenConfirm: After the Open message parameters are agreed between peers, the neighbor relation is established and is in the OpenConfirm state.
mode, Dell EMC Networking OS compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS.

NOTE: The bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command.
   c. the paths were received from an IBGP or EBGP neighbor, respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
   a. if the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
   b. if the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed here.
11.
Figure 20. BGP Local Preference

Multi-Exit Discriminators (MEDs)

If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators

NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED.

Origin

The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Example of Viewing AS Paths

DellEMC#show ip bgp paths
Total 30655 Paths
Refcount  Metric  Path
3         18508   701 3549 19421 i
3         18508   701 7018 14990 i
3         18508   209 4637 1221 9249 9249 i
2         18508   701 17302 i
26        18508   209 22291 i
75        18508   209 3356 2529 i
2         18508   209 1239 19265 i
1         18508   701 2914 4713 17935 i
162       18508   209 i
2         18508   701 19878 ?
31        18508   209 18756 i
2         18508   209 7018 15227 i
10        18508   209 3356 13845 i
3         18508   209 701 6347 7781 i
1         18508   701 3561 9116 21350 i

Next Hop

The next hop is the IP address used to
IPv4 and IPv6 address family

The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family. The default address family configuration is IPv4 unicast. You can configure VRF instances for the IPv4 address family configuration. The IPv6 address family configuration is used for identifying routing sessions for protocols that use IPv6 addresses.
Item        Default
            reuse = 750; suppress = 2000; max-suppress-time = 60 minutes
Distance    external distance = 20; internal distance = 200; local distance = 200
Timers      keepalive = 60 seconds; holdtime = 180 seconds
Add-path    Disabled

Implement BGP with Dell EMC Networking OS

The following sections describe how to implement BGP on Dell EMC Networking OS.
Ignore Router-ID in Best-Path Calculation

You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence.

AS Number Migration

With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress.
BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.

NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Configuration Information

The software supports BGPv4 as well as the following:

• deterministic multi-exit discriminator (MED) (default)
• a path with a missing MED is treated as the worst path and assigned an MED value of (0xffffffff)
• the community format follows RFC 1998
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)

The following are not yet supported:

• auto-summarization (the default is no auto-summary)
• s
   CONFIGURATION mode
   router bgp as-number
   • as-number: from 0 to 65535 (2 Byte), or from 1 to 4294967295 (4 Byte), or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
   NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
2. Add a BGP neighbor or peer and AS number.
NOTE: The show config command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command.

The following example displays two neighbors: one is an external BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State.
The following example shows the show ip bgp summary command output (4-byte AS number display).

R2#show ip bgp summary
BGP router identifier 1.1.1.1, local 80000
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 40960 bytes of memory

Neighbor      AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.1    200   0        0        0       0    0     00:00:00  0

Changing a BGP router ID

BGP uses the configured router ID to identify the devices in the network.
• Enable ASPLAIN AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asplain
  NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
  CONFIG-ROUTER-BGP mode
  bgp asnotation asdot+

The following example shows the bgp asnotation asplain command output.
• Enter the router configuration mode and the AS number.
  CONFIG mode
  router bgp as-number
• Add the IP address of the neighbor for the specified autonomous system.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
• Enable the neighbor.
  CONFIG-ROUTERBGP mode
  neighbor {ip-address | ipv6-address | peer-group-name} no shutdown
• Specify the IPv4 address family configuration.
To use your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.

Example: Configuring BGP routing between peers

Example of enabling BGP in Router A

Following is an example of enabling the BGP configuration in router A.

RouterA# configure terminal
RouterA(conf)# router bgp 40000
RouterA(conf-router_bgp)# bgp router-id 10.1.1.99
RouterA(conf-router_bgp)# timers bgp 80 130
RouterA(conf-router_bgp)# neighbor 192.
• You must create a peer group before adding neighbors to it.
• If you remove any configuration parameter from a peer group, the removal applies to all the neighbors configured under that peer group.
• If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group.
• If you set any parameter for an individual neighbor, it overrides the value set in the peer group.
• neighbor distribute-list out
• neighbor filter-list out
• neighbor next-hop-self
• neighbor route-map out
• neighbor route-reflector-client
• neighbor send-community

A neighbor may keep its configuration after it was added to a peer group if the neighbor's configuration is more specific than the peer group's and if the neighbor's configuration does not affect outgoing updates.
The following illustration shows the configurations described in the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.

Figure 24. BGP peer group example configurations

Example of Enabling BGP (Router 1)

R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/32
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 10.0.3.33 remote 100
R1(conf-router_bgp)#neighbor 10.0.3.33 no shut
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 10.0.3.33 no shutdown
 neighbor 10.0.3.
R3(conf-if-te-3/21)#show config
!
interface TengigabitEthernet 3/21
 ip address 10.0.2.3/24
 no shutdown
R3(conf-if-te-3/21)#
R3(conf-if-te-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99
R3(conf-router_bgp)#neighbor 10.0.3.31 no shut
R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99
R3(conf-router_bgp)#neighbor 10.0.2.2 no shut
R3(conf-router_bgp)#show config
!
router bgp 100
 neighbor 10.0.3.31 remote 99
 neighbor 10.0.3.
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.
Advanced BGP configuration tasks

The following sections describe how to configure the advanced (optional) BGP configuration tasks.

Route-refresh and Soft-reconfiguration

BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic because of the hard reset of the BGP cache and the time it takes to re-establish the session.
Route-refresh

This section explains how soft-reconfiguration and route-refresh work. Soft-reconfiguration has to be configured explicitly for a neighbor, unlike route refresh, which is automatically negotiated between BGP peers when establishing a peer session. Route-refresh updates are sent only if the neighbor soft-reconfiguration inbound command is not configured for the BGP neighbor and you do a soft reset using the clear ip bgp {neighbor-address | peer-group-name} soft in command.
 neighbor 20.1.1.2 no shutdown
 neighbor 20::2 remote-as 200
 neighbor 20::2 no shutdown
 !
 address-family ipv6 unicast
  redistribute connected
  neighbor 20::2 activate
 exit-address-family
!
DellEMC(conf-router_bgp)#do clear ip bgp 20.1.1.2 soft in
May 8 15:28:11 : BGP: 20.1.1.2 sending ROUTE_REFRESH AFI/SAFI (1/1)
May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56
May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.
Configuring BGP aggregate routes

To create an aggregate route entry in the BGP routing table, use the following commands. The aggregate route is advertised from the autonomous system.

• Enter the router configuration mode and the AS number for the specific BGP routing process.
  CONFIG mode
  router bgp as-number
• Create an aggregate entry in the BGP routing table.
Following is a sample configuration to suppress the advertisement of specific aggregate routes to all neighbors.

DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0 255.255.255.0 summary-only
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#

Filtering BGP

The following section describes the methods used to filter the updates received from BGP neighbors.
DellEMC(conf-router_bgp)#neigh AAA no shut
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.
1. Create a prefix list and assign it a name.
   CONFIGURATION mode
   ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
   CONFIG-PREFIX LIST mode
   seq sequence-number {deny | permit} {any | ip-prefix [ge | le]}
   • ge: minimum prefix length to be matched.
   • le: maximum prefix length to be matched.
   For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
   CONFIG-PREFIX LIST mode
   exit
4. Enter ROUTER BGP mode.
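How the seq / permit / deny / ge / le entries above are evaluated against an incoming route, as an added example (Python; not the guide's or Dell's code). The entry syntax is the one in step 2. The matching semantics are this example's assumptions, stated here so they can be checked against the platform: entries are tried in sequence-number order, the first matching entry decides, a route that matches no entry is denied, an entry without ge/le matches only a route of exactly the configured length, and ge/le widen that to a window of lengths inside the configured prefix. The prefix list and candidate routes are constructed.

```python
"""Evaluate ip prefix-list entries (seq / permit|deny / ge / le) against routes (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: Optional[IPv4Net]   # None means "any"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: IPv4Net) -> bool:
        if self.prefix is None:
            return True
        if not route.subnet_of(self.prefix):
            return False
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = route.max_prefixlen        # ge alone: anything up to /32
        else:
            high = self.prefix.prefixlen      # neither: exact length only
        return low <= route.prefixlen <= high


def parse_prefix_list(text: str) -> List[PrefixEntry]:
    """Parse 'seq N {permit|deny} {any|prefix} [ge N] [le N]' lines, sorted by seq."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "seq":
            continue
        seq, action, target = int(tokens[1]), tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {raw}")
        prefix = None if target == "any" else ipaddress.ip_network(target, strict=False)
        ge = le = None
        rest = tokens[4:]
        while rest:
            key, value, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = value
            elif key == "le":
                le = value
            else:
                raise ValueError(f"unknown keyword {key} in line: {raw}")
        entries.append(PrefixEntry(seq, action, prefix, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); ('deny', None) when no entry matches (implicit deny)."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None


# Constructed prefix list (deliberately out of seq order): block everything inside
# 10.1.0.0/16, allow the rest of 10.0.0.0/8 only as /16..24 blocks, allow 192.168.0.0/16 exactly.
SAMPLE_PREFIX_LIST = """\
seq 15 permit 192.168.0.0/16
seq 5 deny 10.1.0.0/16 le 32
seq 10 permit 10.0.0.0/8 ge 16 le 24
"""

if __name__ == "__main__":
    pl = parse_prefix_list(SAMPLE_PREFIX_LIST)
    for r in ("10.1.5.0/24", "10.2.0.0/16", "10.0.0.0/8", "192.168.1.0/24"):
        print(r, evaluate(pl, r))
```

Returning the matching sequence number alongside the verdict is what makes a filter auditable: when a prefix is unexpectedly accepted or dropped, the seq tells you which line to look at, and a `None` points at the implicit deny rather than at any configured entry.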
   For information about configuring route maps, see Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
   CONFIG-ROUTE-MAP mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Filter routes based on the criteria in the configured route map.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | ipv6-address | peer-group-name} filter-list as-path-name {in | out}
   If you assign a non-existent or empty AS-PATH ACL, the software allows all routes.

To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
DellEMC(conf)# exit
DellEMC#

In the above example, a BGP neighbor is added under AS 400 and the route map called route2 is applied to inbound routes from the BGP neighbor at 10.10.10.1. Route map route2 is created with a permit clause, and the route's community attribute is matched against the communities in community list 1. Community list 1 permits routes with a communities attribute of 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
 fall-over enabled
 Update source set to Loopback 0
 Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
 BGP table version 52, neighbor version 52
 4 accepted prefixes consume 16 bytes
 Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
 'Connection Reset' Sent : 5 Recv: 0
Local host: 20.20.20.2, Local port: 65519
Foreign host: 10.10.10.
   neighbor peer-group-name subnet subnet-number mask
   The peer group responds to OPEN messages sent on this subnet.
3. Enable the peer group.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name no shutdown
4. Create and specify a remote peer for the BGP neighbor.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name remote-as as-number
   Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
The following example configuration shows how to enable BGP graceful restart.

DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp graceful-restart
DellEMC(conf-router_bgp)# exit

Redistributing Routes

In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. You can configure the device to redistribute ISIS, OSPF, static, or directly connected routes into the BGP process using the redistribute command.
1. Allow the advertisement of multiple paths (send, receive, or both).
   CONFIG-ROUTER-BGP or CONFIG-ROUTER-BGP-AF mode
   bgp add-path [both | enable | receive | send] path-count
   Configure the following parameters:
   • both: Indicate that the system sends and accepts multiple paths from peers.
   • enable: Indicate that the system enables add-path support for the node.
   • send: Indicate that the system sends multiple paths to peers.
   • receive: Indicate that the system accepts multiple paths from peers.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list.
• regexp: then a regular expression.

To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode, or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode.
 deny 14551:112
 deny 701:667
 deny 702:667
 deny 703:667
 deny 704:666
 deny 705:666
 deny 14551:666
DellEMC#

Configure BGP attributes

The following sections explain how to configure BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE.

Changing MED Attributes

By default, Dell EMC Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths received from different BGP neighbors or peers from the same AS for the same route.
Configure a community list by denying or permitting specific community numbers or types of community.

• community-number: use the AA:NN format, where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED; they are not sent to EBGP peers.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE; they are not advertised.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• value: the range is from 0 to 4294967295. The default is 100.

DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf_router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf_router_bgp)# bgp default local-preference 150
DellEMC(conf_router_bgp)# exit

In the above example configuration, the default LOCAL_PREFERENCE value is changed to 150 for all the updates from AS 500 to AS 400. The default value is 100.
  • If you do not use the all keyword, the next hop of only eBGP-learned routes is updated by the route reflector. If you use the all keyword, the next hop of both eBGP- and iBGP-learned routes is updated by the route reflector.
• Set the next hop address.
  CONFIG-ROUTE-MAP mode
  set next-hop ip-address
  If the set next-hop command is applied on the out-bound interface using a route map, it takes precedence over the neighbor next-hop-self command.
Route Reflectors

Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules.

NOTE: Do not use route reflectors (RRs) in the forwarding path. In iBGP, hierarchical RRs maintaining forwarding plane RRs could create routing loops.

Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
When you enter this command for the first time, the router is configured as a route reflector and the specified BGP neighbors are configured as clients in the route reflector cluster. When you remove all clients of a route reflector using the no neighbor route-reflector-client command, the router no longer functions as a route reflector. When you enable a route reflector, Dell EMC Networking OS automatically enables route reflection to all clients.
• suppress: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
• max-suppress-time: the range is from 1 to 255. The maximum number of minutes a route can be suppressed. The default is four times the half-life value. The default is 60 minutes.
• Clear all information or only information on a specific route.
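The interaction between the reuse, suppress and max-suppress-time values above, worked through as an added example (Python; not the guide's or Dell's code). It applies exponential penalty decay to a flapping route and reports when the route crosses the suppress threshold and when it falls back below reuse. Two values are assumptions, because this chapter does not state them: the half-life is taken as 15 minutes (the default max-suppress-time of 60 minutes is described as four times the half-life), and each flap adds a penalty of 1000 (the RFC 2439 convention). The penalty is capped so that decaying from the cap back to reuse takes exactly max-suppress-time; the flap times are constructed.

```python
"""Route-flap dampening penalty arithmetic (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningConfig:
    half_life_min: float = 15.0     # assumed: 60 min max-suppress-time / 4
    reuse: int = 750                # default from this chapter
    suppress: int = 2000            # default from this chapter
    max_suppress_min: float = 60.0  # default from this chapter
    flap_penalty: int = 1000        # assumed per-flap penalty (RFC 2439 convention)

    @property
    def penalty_ceiling(self) -> float:
        """Highest penalty tracked: from here, decaying below reuse takes max-suppress-time."""
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False


def decayed(penalty: float, elapsed_min: float, half_life_min: float) -> float:
    """Exponential decay: the penalty halves every half_life_min minutes."""
    return penalty * 0.5 ** (elapsed_min / half_life_min)


def advance(state: RouteState, cfg: DampeningConfig, now_min: float) -> RouteState:
    """Decay the penalty to now_min and release the route once it drops below reuse."""
    state.penalty = decayed(state.penalty, now_min - state.last_update_min, cfg.half_life_min)
    state.last_update_min = now_min
    if state.suppressed and state.penalty < cfg.reuse:
        state.suppressed = False
    return state


def flap(state: RouteState, cfg: DampeningConfig, now_min: float) -> RouteState:
    """Record one flap at now_min; suppress once the penalty exceeds the suppress value."""
    advance(state, cfg, now_min)
    state.penalty = min(state.penalty + cfg.flap_penalty, cfg.penalty_ceiling)
    if state.penalty > cfg.suppress:
        state.suppressed = True
    return state


def simulate(cfg: DampeningConfig, flap_times_min, observe_at_min):
    """Apply flaps in time order; return {time: (penalty, suppressed)} at each observation time."""
    state = RouteState()
    events = sorted([(t, "flap") for t in flap_times_min] + [(t, "observe") for t in observe_at_min])
    out = {}
    for t, kind in events:
        if kind == "flap":
            flap(state, cfg, t)
        else:
            advance(state, cfg, t)
            out[t] = (round(state.penalty, 1), state.suppressed)
    return out


if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart, then silence.
    for t, (penalty, suppressed) in simulate(DampeningConfig(), [0, 1, 2], [0, 1, 2, 20, 40]).items():
        print(f"t={t:>3} min  penalty={penalty:8.1f}  suppressed={suppressed}")
```

With the defaults the third flap in quick succession pushes the penalty past 2000 and the route is withdrawn; it takes roughly half an hour of stability for the penalty to decay below 750 and the route to be re-advertised. Lowering suppress or raising the half-life makes a noisy peer's routes disappear sooner and stay away longer, which is the trade-off to weigh when tuning these values.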
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode.

Changing BGP keepalive and hold timers

BGP uses timers to control the activity of sending keepalive messages to its neighbors or peers. You can also adjust how long the device waits for a keepalive message from a neighbor before declaring the peer dead. To configure BGP timers, use either or both of the following commands.
  CONFIG-ROUTER-BGP mode
  neighbor {ip-address | ipv6-address | peer-group-name} timers extended idle-holdtime
  • idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.
• Configure idle-holdtime values for all BGP neighbors.
  CONFIG-ROUTER-BGP mode
  timers bgp extended idle holdtime
  • idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.
  ROUTER-BGP mode
  shutdown address-family-ipv6-unicast

When you configure BGP, you must explicitly enable the BGP neighbors using the following commands:

neighbor {ip-address | peer-group name} remote-as as-number
neighbor {ip-address | peer-group-name} no shutdown

For more information on enabling BGP, see Enabling BGP.
confederations appear as one AS. Within the confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands.

• Specify the confederation ID.
  CONFIG-ROUTER-BGP mode
  bgp confederation identifier as-number
  • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
• Specify which confederation sub-AS are peers.
DellEMC(conf-router_bgpv6_af)# neighbor 50.0.0.2 activate
DellEMC(conf-router_bgp)# exit

Following is the output of the show ip bgp vrf vrf1 summary command for the above configuration.

DellEMC#show ip bgp vrf vrf1 summary
BGP router identifier 1.1.1.1, local AS number 100
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 16384 bytes of memory
Neighbor 50.0.0.
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.
Enabling MBGP Configurations

Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by protocol independent multicast (PIM) to build data distribution trees. Dell EMC Networking OS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group. The default is IPv4 Unicast routes.
DellEMC(conf-router_bgpv6_af)#neighbor 2001::1 activate
DellEMC(conf-router_bgpv6_af)#exit

Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.

DellEMC#show ip bgp ipv6 unicast summary
BGP router identifier 1.1.1.
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
3 neighbor(s) using 40960 bytes of memory

Neighbor      AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.2    200   10       20       0       0    0     00:06:11  0
30.30.30.1    20    0        0        0       0    0     00:00:00  0
2001::2       200   40       45       0       0    0     00:03:14  0

The same output is displayed when using the show ip bgp ipv4 unicast summary command. Following is the sample output of the show ip bgp ipv4 multicast summary command.

R1# show ip bgp ipv4 multicast summary
BGP router identifier 1.
20.20.20.1    10    10       20       0       0    0     00:06:11  0
R2#

Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.

R2#show ip bgp ipv6 unicast summary
BGP router identifier 2.2.2.2, local AS number 200
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
2 neighbor(s) using 24576 bytes of memory
Neighbor 20.20.20.
Following is the show running-config command output for the above configuration.

DellEMC# show running-config bgp
!
router bgp 655
 bgp router-id 1.1.1.1
 neighbor 10.1.1.2 remote-as 20
 neighbor 10.1.1.2 auto-local-address
 neighbor 10.1.1.2 no shutdown
 !
 address-family ipv6 unicast
  neighbor 10.1.1.2 activate
 exit-address-family
!

Example configuration performed in R2

DellEMC# configure terminal
DellEMC(conf)# router bgp 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.
Debugging BGP

To enable BGP debugging, use any of the following commands.

• View all information about BGP, including BGP events, keepalives, notifications, and updates.
  EXEC Privilege mode
  debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
• View information about BGP routes being dampened.
  EXEC Privilege mode
  debug ip bgp dampening [in | out]
• View information about local BGP state changes and other BGP events.
Capabilities received from neighbor for IPv4 Unicast :
 MULTIPROTO_EXT(1)
 ROUTE_REFRESH(2)
 CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
 MULTIPROTO_EXT(1)
 ROUTE_REFRESH(2)
 CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
 BGP table version 1395, neighbor version 1394
 Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
 Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known att
10 Content Addressable Memory (CAM)

CAM Allocation

CAM Allocation for Ingress

To allocate the space for regions such as L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode. The CAM space is allotted in field processor (FP) blocks. The total space allocated must equal the number of FP blocks. The following table lists the default CAM allocation settings.
Table 12. Additional Default CAM Allocation Settings

Additional CAM Allocation Setting    Default
FCoE ACL (fcoeacl)                   0
ISCSI Opt ACL (iscsioptacl)          0

You must enter the ipv6acl and vman-dual-qos allocations as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges. You can only have one odd number group when setting the CAM.
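The allocation rules just stated (the per-region totals must equal the FP block total, ipv6acl and vman-dual-qos must be multiples of 2, and at most one region may be odd) as a pre-change check, in an added example (Python; not the guide's or Dell's code). It parses the current-settings column of show cam-profile output and reports every rule a proposed allocation breaks before it is typed into cam-acl. The region names are the ones printed in the show cam-profile output in this chapter. The 13-block total is an assumption obtained by summing that output's "Stack unit 7" settings (6 + 4 + 0 + 2 + 1); the guide does not state the total itself, so set `total_blocks` to your platform's value.

```python
"""Validate a cam-acl block allocation against the rules in this chapter (added example)."""
from typing import Dict, List

# Region names as printed by show cam-profile in this chapter.
REGIONS = [
    "L2Acl", "Ipv4Acl", "Ipv6Acl", "Ipv4Qos", "L2Qos", "L2PT", "IpMacAcl",
    "VmanQos", "VmanDualQos", "EcfmAcl", "FcoeAcl", "iscsiOptAcl",
    "ipv4pbr", "vrfv4Acl", "Openflow", "fedgovacl",
]
EVEN_ONLY = {"Ipv6Acl", "VmanDualQos"}   # must be entered "as a factor of 2"
DEFAULT_TOTAL_BLOCKS = 13                # assumption: sum of the Stack unit 7 output


def validate_allocation(alloc: Dict[str, int], total_blocks: int = DEFAULT_TOTAL_BLOCKS) -> List[str]:
    """Return the list of rule violations; an empty list means the allocation is acceptable."""
    errors: List[str] = []
    for name in alloc:
        if name not in REGIONS:
            errors.append(f"unknown region {name}")
    for name in sorted(EVEN_ONLY):
        if alloc.get(name, 0) % 2:
            errors.append(f"{name} must be a multiple of 2, got {alloc[name]}")
    odd = [n for n, v in alloc.items() if v % 2 == 1]
    if len(odd) > 1:
        errors.append("only one region may have an odd block count: " + ", ".join(sorted(odd)))
    total = sum(alloc.values())
    if total != total_blocks:
        errors.append(f"allocations sum to {total} blocks, expected {total_blocks}")
    return errors


def parse_cam_profile(text: str) -> Dict[str, int]:
    """Read the current-settings column from lines such as 'L2Acl : 6 4' (first number = current)."""
    alloc: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, values = line.partition(":")
        name = name.strip()
        fields = values.split()
        if name in REGIONS and fields and fields[0].isdigit():
            alloc[name] = int(fields[0])
    return alloc


# Constructed from the "Stack unit 7" block of the show cam-profile output in this chapter.
SAMPLE_OUTPUT = """\
-- Stack unit 7 --
Current Settings(in block sizes)
1 block = 128 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
"""

if __name__ == "__main__":
    current = parse_cam_profile(SAMPLE_OUTPUT)
    print(validate_allocation(current))                                  # []
    proposed = dict(current, Ipv6Acl=1, Ipv4Acl=3)                       # two rules broken
    for problem in validate_allocation(proposed):
        print("rejected:", problem)
```

Running the check against the proposed allocation before a maintenance window is cheaper than discovering at reboot that the profile was refused; an allocation that starves a region (for example an ACL region left at 0 blocks) will silently leave that feature without CAM entries, so the sum rule is only the first of the things worth reviewing.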
Example of the test cam-usage Command
DellEMC#test cam-usage service-policy input test-cam-usage stack-unit 1 po 0
Stack-Unit| Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
-----------------------------------------------------------------------------------
2 | 0 |IPv4Flow |192 |3 |Allowed (64)
DellEMC#
View CAM Profiles
To view the current CAM profile for the chassis and each component, use the show cam-profile command.
Ipv4Qos      : 2    2
L2Qos        : 1    1
L2PT         : 0    0
IpMacAcl     : 0    0
VmanQos      : 0    0
VmanDualQos  : 0    0
EcfmAcl      : 0    0
FcoeAcl      : 0    0
iscsiOptAcl  : 0    0
ipv4pbr      : 0    2
vrfv4Acl     : 0    2
Openflow     : 0    0
fedgovacl    : 0    0

-- Stack unit 0 --
               Current Settings(in block sizes)   Next Boot(in block sizes)
               1 block = 128 entries
L2Acl        : 6    4
Ipv4Acl      : 4    2
Ipv6Acl      : 0    0
Ipv4Qos      : 2    2
L2Qos        : 1    1
L2PT         : 0    0
IpMacAcl     : 0    0
VmanQos      : 0    0
VmanDualQos  : 0    0
EcfmAcl      : 0    0
FcoeAcl      : 0    0
iscsiOptAcl  : 0    0
ipv4pbr      : 0    2
vrfv4Acl     : 0    2
Openflow     : 0    0
fedgov

L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
FcoeAcl      : 0
iscsiOptAcl  : 0
ipv4pbr      : 0
vrfv4Acl     : 0
Openflow     : 0
fedgovacl    : 0

-- Stack unit 7 --
               Current Settings(in block sizes)
               1 block = 128 entries
L2Acl        : 6
Ipv4Acl      : 4
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
FcoeAcl      : 0
iscsiOptAcl  : 0
ipv4pbr      : 0
vrfv4Acl     : 0
Openflow     : 0
fedgovacl    : 0
DellEMC#
View CAM Usage
View the amount of CAM space available, used, and remaining in each part
IPV4, IPV6. The system checks the CAM usage of the features for which a threshold is set and, when the threshold is crossed, displays a syslog message that contains the CAM region, slot/port-pipe, and pipeline information. By default, the syslog warning appears when CAM usage reaches 90 percent. You can also configure a silence period for the CAM usage syslog message. A syslog warning appears when the CAM usage exceeds the configured CAM threshold; the silence period starts after the initial syslog warning and suppresses repeat warnings until it expires.
CAM Optimization
When you enable CAM optimization and a policy map containing classification rules (ACL and/or DSCP/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written to hardware (only one FP entry is used). When CAM optimization is disabled, the system behaves as described elsewhere in this chapter.
Troubleshoot CAM Profiling
The following section describes CAM profiling troubleshooting.
Table 14. UFT Modes — Table Size
UFT Mode            L2 MAC Table Size   L3 Host Table Size   L3 LPM Table Size
Default             160K                144K                 16K
Scaled-l3-hosts     96K                 208K                 16K
Scaled-l3-routes    32K                 16K                  128K
Configuring UFT Modes
To configure the Unified Forwarding Table (UFT) modes, follow these steps.
1. Select a mode to initialize the maximum scalability size for the L2 MAC table, L3 Host table, or L3 Route table.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. The filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented Topics: • Configure Control Plane Policing Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
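The shared-queue failure mode described above is worth seeing in numbers. The following Python model is an added example, not Dell EMC code, and it is deliberately simple and deterministic: every protocol in a CPU queue offers some packet rate; the queue shaper admits at most the queue's configured PPS and, because it cannot tell the protocols apart, cuts each of them by the same fraction; only then is each protocol's own CoPP limit applied. The 600 PPS queue rate is the rate this chapter's CPU queue table gives for the queue carrying BGP, OSPF, RIP and ISIS; the offered rates and per-protocol limits are constructed for illustration.

```python
"""Two-stage CoPP model: shared CPU queue shaper first, per-protocol policer second.

Added example, not Dell EMC code. Shows how a protocol that stays under its
own CoPP limit is still starved when a neighbour in the same queue is flooded.
"""


def copp_admit(offered_pps, queue_rate_pps, per_protocol_limit_pps):
    """Return {protocol: admitted_pps} after queue shaping, then per-protocol policing."""
    total_offered = sum(offered_pps.values())
    admitted = {}
    for proto, rate in offered_pps.items():
        # Stage 1: the shared queue shaper, applied first. Oversubscription is
        # spread over every protocol in the queue, legitimate ones included.
        if total_offered > queue_rate_pps:
            rate = rate * queue_rate_pps / total_offered
        # Stage 2: the per-protocol CoPP policer.
        admitted[proto] = min(rate, per_protocol_limit_pps.get(proto, float("inf")))
    return admitted


def starved_protocols(offered_pps, admitted_pps, per_protocol_limit_pps):
    """Protocols that stayed within their own CoPP limit yet still lost packets."""
    return sorted(
        proto for proto, offered in offered_pps.items()
        if offered <= per_protocol_limit_pps.get(proto, float("inf"))
        and admitted_pps[proto] < offered
    )


QUEUE9_RATE_PPS = 600                   # queue rate from the CPU queue table in this chapter
LIMITS = {"BGP": 200, "OSPF": 200}     # constructed per-protocol CoPP limits

if __name__ == "__main__":
    normal = {"BGP": 50, "OSPF": 50}
    flood = {"BGP": 50, "OSPF": 5000}  # OSPF storm from a rogue or misconfigured peer
    for name, offered in (("normal", normal), ("flood", flood)):
        admitted = copp_admit(offered, QUEUE9_RATE_PPS, LIMITS)
        print(name, {p: round(r, 1) for p, r in admitted.items()},
              "starved:", starved_protocols(offered, admitted, LIMITS))
```

In the flood case BGP keeps only a few packets per second although it never approached its own 200 PPS limit, which is exactly the session flap the text warns about; the remedy is to move protocols that must not influence each other onto separate CPU queues, as the protocol-to-queue mapping commands later in this chapter allow.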
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
CPU Queue   Weight   Queue Rate Shape (PPS Rate)   Protocol
7           64       400                           xSTP, LACP, 802DOT1X, TRILL, L2PT, ECFM
8           64       600                           LLDP, PVST, GVRP, FEFD, TRACEFLOW, FCoE
9           64       600                           BGP, OSPF, IPV6-TUNNEL, IPV6-VRRP, RIP, ISIS
10          64       600                           IPV4-VRRP, DHCP
11          64       300                           MLD, PIM, MSDP
Configuring Protocol to CPU Queue Mapping
You can configure the mapping between CPU queues and the protocols that can be assigned to each CPU queue.
Viewing Queue Rates
Example of Viewing Queue Rates
DellEMC#show cpu-queue rate cp
Service-Queue   Rate (PPS)
--------------  ----------
Q0              1300
Q1              300
Q2              300
Q3              300
Q4              2000
Q5              400
Q6              400
Q7              1100
DellEMC#
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
Traffic Description LAN traffic LAN traffic consists of many flows that are insensitive to latency requirements, while certain applications, such as streaming video, are more sensitive to latency. Ethernet functions as a best-effort network that may drop packets in the case of network congestion.
• iSCSI storage traffic with priority 4.
In the Dell EMC Networking OS, PFC is implemented as follows:
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only four lossless queues are supported on an interface; the typical uses are one for Fibre Channel over Ethernet (FCoE) converged traffic and one for Internet Small Computer System Interface (iSCSI) storage traffic. Configure the same lossless queues on all ports.
Table 16. ETS Traffic Groupings
Traffic Groupings                              Description
Group ID                                       A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 to 14 are reserved and 15.0 to 15.7 is the strict priority group.
Group bandwidth                                Percentage of available bandwidth allocated to a priority group.
Group transmission selection algorithm (TSA)   Type of queue scheduling a priority group uses.
In Dell EMC Networking OS, ETS is implemented as follows:
• ETS supports groups of 802.
Enabling Data Center Bridging
DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
• Priority-based flow control
• Enhanced transmission selection
• Data center bridging exchange protocol
• FCoE initialization protocol (FIP) snooping
DCB processes virtual local area network (VLAN)-tagged packets and dot1p priority values.
Important Points to Remember
• If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied.
• By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Committed and peak burst size is in kilobytes. Default is 50. The range is from 0 to 40000. The pfc on command enables priority-based flow control. 3. Specify the dot1p priority-to-priority group mapping for each priority. priority-pgid dot1p0_group_num dot1p1_group_num ...dot1p7_group_num Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number.
3. Configure to drop the unknown unicast packets flooding on lossless priorities. CONFIGURATION mode pfc-nodrop-priority l2-dlf drop 4. View the packets drop count corresponding to the priority.
the CRC and discards counters. (These ingress interfaces receiving pfc-enabled traffic have an egress interface that has a compatible PFC configuration).
NOTE: DCB maps are supported only on physical Ethernet interfaces.
• To remove a DCB map, including the PFC configuration it contains, use the no dcb map command in Interface configuration mode.
• To disable PFC operation on an interface, use the no pfc mode on command in DCB-Map configuration mode.
Configuring Lossless Queues
DCB also supports the manual configuration of lossless queues on an interface: disable PFC mode in a DCB map, apply the map to the interface, then configure the no-drop queues on it. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should still egress from the interface. Configuring no-drop queues is applicable only on interfaces that do not need PFC.
Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3
Default: No lossless queues are configured.
Priority-Based Flow Control Using Dynamic Buffer Method
In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
The internal priority assigned to the packet by the ingress FP is used by the memory management unit (MMU) to assign the packet to the right queue by indexing the internal-priority-to-queue map table (Table 1) in hardware. The PRIO2COS setting for honoring PFC protocol packets from peer switches follows the packet-dot1p-to-queue table above (Table 2). Packets that arrive with packet-dot1p 2 alone are assigned to PG6 on ingress.
b. Apply the PFC priority configuration. Configure the priorities on which PFC is enabled.
DellEMC(conf-if-te-1/1)#pfc priority 1,2
SNMP Support for PFC and Buffer Statistics Tracking
The Buffer Statistics Tracking (BST) feature provides a mechanism to aid in resource monitoring and tuning of buffer allocation. The Max Use Count mode provides the maximum value of the counters accumulated over a period of time.
On ingress, buffers are accounted on a per-PG basis and indicate the number of packets that have entered this port PG but are still queued in the egress pipeline. However, there is no direct mapping between the PG and the queue. A packet is assigned an internal priority in the ingress pipeline based on the queue to which it is destined. This internal-priority-to-queue mapping has been modified and enhanced as follows for the device: Table 20.
Operations on Untagged Packets
The following is an example of enabling PFC for priority 2 for tagged packets. Priority (packet dot1p) 2 is mapped to PG6 by the PRIO2PG setting. All other priorities for which PFC is not enabled are mapped to the default PG, PG7. Classification rules on ingress (the ingress FP CAM region) match the incoming packet dot1p and assign an internal priority (to select the queue as per Table 1 and Table 2).
2. Create an ETS priority group. CONFIGURATION mode priority-group group-num {bandwidth bandwidth | strict-priority} [[committed | peak] bandwidth [burst-size] [peak | committed] bandwidth [burst-size]] pfc off The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50.
• Group strict priority: Use this to increase its bandwidth usage to the bandwidth total of the priority group and allow a single priority flow in a priority group. A single flow in a group can use all the bandwidth allocated to the group.
• Link strict priority: Use this to increase to the maximum link bandwidth and allow a flow in any priority group.
NOTE: CIN supports only the dot1p priority-queue assignment in a priority group.
• ETS-assigned bandwidth allocation and strict-priority scheduling apply only to data queues, not to control queues.
• Dell EMC Networking OS supports hierarchical scheduling on an interface. The control traffic on Dell EMC Networking OS is redirected to control queues as higher priority traffic with strict priority scheduling. After the control queues drain out, the remaining data traffic is scheduled to queues according to the bandwidth and scheduler configuration in the DCB map.
• Strict-priority groups: If priority group 3 has free bandwidth, it is distributed as follows: 20% of the free bandwidth to priority group 1 and 30% of the free bandwidth to priority group 2.
• If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20 + 30)%.
DCBx Port Roles
To enable the auto-configuration of DCBx-enabled ports and propagate DCB configurations learned from peer DCBx devices internally to other switch ports, use the following DCBx port roles.
Auto-upstream The port advertises its own configuration to DCBx peers and is willing to receive peer configuration. The port also propagates its configuration to other ports on the switch. The first auto-upstream port that is capable of receiving a peer configuration is elected as the configuration source.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows:
• The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port.
• On auto-upstream and auto-downstream ports:
• If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
Propagation of DCB Information
When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port acts as a DCBx client and checks if a DCBx configuration source exists on the switch.
• If a configuration source is found, the received configuration is checked against the currently configured values that are internally propagated by the configuration source.
Figure 32. DCBx Sample Topology
DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter).
• If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
4. Configure the DCBx port role the interface uses to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx port-role {config-source | auto-downstream | auto-upstream | manual}
• auto-upstream: configures the port to receive a peer configuration. The configuration source is elected from auto-upstream ports.
• auto-downstream: configures the port to accept the internally propagated DCB configuration from a configuration source.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4. Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role.
PROTOCOL LLDP mode
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables transmission of ETS Configuration TLVs.
• ets-reco: enables transmission of ETS Recommend TLVs.
Debugging DCBx on an Interface
To enable DCBx debug traces for all control paths or for a specific one, use the following command.
• Enable DCBx debugging.
EXEC PRIVILEGE mode
debug DCBx {all | auto-detect-timer | config-exchng | fail | mgmt | resource | sem | tlv}
• all: enables all DCBx debugging operations.
• auto-detect-timer: enables traces for DCBx auto-detect timers.
• config-exchng: enables traces for DCBx configuration exchanges.
• fail: enables traces for DCBx failures.
The following example shows the show qos dot1p-queue-mapping command.
DellEMC(conf)# show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue          : 0 0 0 1 2 3 3 3
The following example shows the show dcb command.
DellEMC# show dcb stack-unit 0 port-set 0
DCB Status      : Enabled
PFC Port Count  : 56 (current), 56 (configured)
PFC Queue Count : 2 (current), 2 (configured)
The following example shows the show qos priority-groups command.
PFC Link Delay 45556 pause quanta
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts
The following table describes the show interface pfc summary command fields.
Table 23.
Fields                                                Description
Application Priority TLV: Remote ISCSI Priority Map   Status of iSCSI advertisements in application priority TLVs from the remote peer port: enabled or disabled.
PFC TLV Statistics: Input TLV pkts                    Number of PFC TLVs received.
PFC TLV Statistics: Output TLV pkts                   Number of PFC TLVs transmitted.
PFC TLV Statistics: Error pkts                        Number of PFC error packets received.
PFC TLV Statistics: Pause Tx pkts                     Number of PFC pause frames transmitted.
5 6 7 - - - - - -
Oper status is init
ETS DCBX Oper status is Down
Reason: Port Shutdown
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
The following example shows the show interface ets detail command.
The following table describes the show interface ets detail command fields.
Table 24. show interface ets detail Command Description
Field                        Description
Interface                    Interface type with stack-unit and port number.
Maximum Supported TC Group   Maximum number of priority groups supported.
Number of Traffic Classes    Number of 802.1p priorities currently configured.
Admin mode                   ETS mode: on or off.
The following example shows the show stack-unit all stack-ports all ets details command.
R-ETS Recommendation TLV enabled           r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled            p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled    f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled   i-Application Priority for iSCSI disabled
----------------------------------------------------------------------
Interface TenGigabitEthernet 1/14
Remote Mac Address 00:01:e8:8a:df:a0
Port Role is Auto-Upstream
DCBx Operational Status is Enabled
Is Configurat
Field                                          Description
Local DCBx Status: Protocol State              Current operational state of DCBx protocol: ACK or IN-SYNC.
Peer DCBx Status: DCBx Operational Version     DCBx version advertised in Control TLVs received from peer device.
Peer DCBx Status: DCBx Max Version Supported   Highest DCBx version supported in Control TLVs received from peer device.
Peer DCBx Status: Sequence Number              Sequence number transmitted in Control TLVs received from peer device.
Configuring the Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps: 1. Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces. CONFIGURATION mode dcb enable 2. Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported.
Figure 33. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
The following describes the priority group-bandwidth assignment.
Priority Group   Bandwidth Assignment
IPC              5%
SAN              50%
LAN              45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
1. Enabling DCB
DellEMC(conf)#dcb enable
2. Configure DCB map and enable PFC, and ETS
DellEMC(conf)# service-class dynamic dot1p
Or
DellEMC(conf)# interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)# service-class dynamic dot1p
3.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option               Number and Description
Subnet Mask          Option 1. Specifies the client's subnet mask.
Router               Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server   Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name          Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer. 3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered values. 4.
Configure the System to be a DHCP Server A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. NOTE: If the management port is associated with any non-default VRF, then the ip address dhcp command does not work. The following table lists the key responsibilities of DHCP servers. Table 26.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell system to be a DHCP server is a three-step process: 1. Configuring the Server for Automatic Address Allocation 2.
dns-server address Using NetBIOS WINS for Address Resolution Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid. 1. Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
EXEC Privilege mode. clear ip dhcp binding ip address Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell EMC Networking OS version and a configuration file).
To renew the lease time of the dynamically acquired IP address, use the renew dhcp command on an interface already configured with a dynamic IP address.
NOTE: To verify the currently configured dynamic IP address on an interface, use the show ip dhcp lease command. The show running-config command output only displays ip address dhcp; the currently assigned dynamic IP address is not displayed there.
To configure and view an interface as a DHCP client to receive an IP address, use the following commands.
1.
NOTE: Management routes added by the DHCP client include the specific routes to reach a DHCP server in a different subnet and the management route. DHCP Client Operation with Other Features The DHCP client operates with other Dell EMC Networking OS features, as the following describes. Stacking The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions. It periodically synchronizes the lease file with the standby unit.
The following illustration depicts the topology in which routes are leaked between VRFs in the relay agent.
            VRF_1                                    VRF_2
DHCP Server ----------- DHCP relay agent ----------- Client
(10.0.0.1)        (10.0.0.2)     (20.0.0.2)         (20.0.0.4)
Configuring Route Leaking between VRFs on DHCP Relay Agent
To configure route leaking between VRFs on the DHCP relay agent, include configuration similar to the following along with your DHCP relay configuration on your system.
ip prefix-list ip2 seq 5 permit 10.0.0.0/24 Non-default VRF configuration for DHCPv6 helper address The ipv6 helper-address command is enhanced to provide support for configuring VRF for DHCPv6 relay helper address. To forward DHCP packets between DHCP client and server if they are from different VRFs, you should configure route leak using route map between the VRFs. For more information on configuring route leak across VRF, see DHCP Relay when DHCP Server and Client are in Different VRFs.
Interface level DHCP relay source IPv4 or IPv6 configuration
You can configure a DHCP relay source IPv4 or IPv6 address per interface. If a DHCP relay source interface is configured at the interface level, the DHCP relay forwards packets received on that interface to the DHCP server using the address of the configured source interface.
Dell(conf-if-vl-4)# tagged TenGigE 1/4
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Configure the System for User Port Stacking (Option 230)
Set the stacking-option variable to provide stack-port detail on the DHCP server when you set the DHCP offer. A stack can be formed when the units are connected. Option 230 is the option for user port stacking. Use it to create up to eight stack groups.
• Assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorized relay agent. The server echoes the option back to the relay agent in its response, and the relay agent uses the information in the option to forward a reply out the interface on which the request was received, rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
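To make the relay agent behaviour described above concrete, the following Python script is an added example, not Dell EMC code. It works on the DHCP options field (the bytes after the magic cookie) in the Option 82 (Relay Agent Information, RFC 3046) format: toward the server the relay inserts Option 82 carrying a Circuit-ID (sub-option 1) that identifies the ingress interface and a Remote-ID (sub-option 2) that identifies the relay; toward the client it reads the Circuit-ID to pick the egress interface and strips the option before forwarding. What to do with a client request that already carries Option 82 is not stated on this page; the policy argument (drop or replace) is an assumption added here, because a client-supplied Option 82 is how an untrusted host would try to forge a circuit identity. The circuit-id string, MAC addresses and option lists are constructed.

```python
"""DHCP relay agent handling of Option 82 (Relay Agent Information).

Added example, not Dell EMC code. The drop/replace policy for client packets
that already carry Option 82 is an assumption, not behaviour the page states.
"""

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_ID, OPT_RELAY_AGENT_INFO = 53, 54, 61, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_options(data):
    """Decode a DHCP options field into an ordered list of (code, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the options field" % code)
        opts.append((code, bytes(value)))
        i += 2 + length
    return opts


def build_options(opts):
    """Encode (code, value) pairs into an options field terminated by END."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option %d value too long" % code)
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """Encode the Circuit-ID and Remote-ID sub-options as the Option 82 value."""
    return (bytes((SUBOPT_CIRCUIT_ID, len(circuit_id))) + circuit_id
            + bytes((SUBOPT_REMOTE_ID, len(remote_id))) + remote_id)


def parse_option82(value):
    """Decode the Option 82 value (same TLV layout) into {sub_option: bytes}."""
    return dict(parse_options(value + bytes((OPT_END,))))


def relay_to_server(options, circuit_id, remote_id, policy="drop"):
    """Client -> server: insert Option 82. Returns None when the packet is dropped."""
    opts = parse_options(options)
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in opts):
        if policy == "drop":
            return None          # untrusted client supplied its own Option 82
        opts = [o for o in opts if o[0] != OPT_RELAY_AGENT_INFO]
    opts.append((OPT_RELAY_AGENT_INFO, build_option82(circuit_id, remote_id)))
    return build_options(opts)


def relay_to_client(options):
    """Server -> client: strip Option 82; return (options, circuit_id).

    circuit_id names the interface the request came in on, so the reply goes
    out that interface only instead of being flooded on the whole VLAN.
    """
    kept, circuit_id = [], None
    for code, value in parse_options(options):
        if code == OPT_RELAY_AGENT_INFO:
            circuit_id = parse_option82(value).get(SUBOPT_CIRCUIT_ID)
        else:
            kept.append((code, value))
    return build_options(kept), circuit_id


if __name__ == "__main__":
    client_mac = bytes.fromhex("0000a0000002")          # constructed
    relay_mac = bytes.fromhex("0001e88adfa0")           # constructed
    discover = build_options([(OPT_MSG_TYPE, b"\x01"), (OPT_CLIENT_ID, b"\x01" + client_mac)])
    relayed = relay_to_server(discover, b"Vl200:Te1/4", relay_mac)
    print("to server:", relayed.hex())
    offer = build_options([(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, bytes((10, 1, 1, 1))),
                           (OPT_RELAY_AGENT_INFO, build_option82(b"Vl200:Te1/4", relay_mac))])
    stripped, circuit = relay_to_client(offer)
    print("to client via", circuit, ":", stripped.hex())
```

The server-side policies the text lists (address assignment per relay agent, rejection of offers for unknown relays) all depend on the Circuit-ID and Remote-ID values being ones the relay itself wrote, which is why the check for a pre-existing Option 82 on the client side matters.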
and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls below the maximum limit of 4000 entries, new IP address assignments are allowed. NOTE: DHCP server packets are dropped on all non-trusted interfaces of a system configured for DHCP snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected port.
ip dhcp snooping binding mac mac-address vlan-id vlan-id ip ip-address interface interface-type interface-number lease lease-value
If multiple IP addresses are expected for the same MAC address, repeat this step for all IP addresses.
Adding a Static IPV6 DHCP Snooping Binding Table
To add a static entry in the snooping database, use the following command.
• Add a static entry in the snooping binding table.
Invalid Binding Entry               : 0
Binding Entry lease expired         : 0
List of Trust Ports                 : Te 1/4
List of DHCP Snooping Enabled Vlans : Vl 10
List of DAI Trust ports             : Te 1/4
View the DHCP snooping binding table using the show ip dhcp snooping binding command.
DellEMC#show ip dhcp snooping binding
Codes : S - Static  D - Dynamic
IP Address    MAC Address         Expires(Sec)  Type  VLAN    Interface
=========================================================================
10.1.1.254    00:00:a0:00:00:02   162           D     Vl 200  Te 1/4
10.1.1.
View the IPv6 DHCP snooping binding table with the show ipv6 dhcp snooping binding command.
DellEMC#show ipv6 dhcp snooping binding
Codes : S - Static  D - Dynamic
IPv6 Address   MAC Address         Expires(Sec)  Type  VLAN    Interface
=========================================================================
11:11::22      11:22:11:22:11:22   120331        S     Vl 100  Te 1/1
33::22         11:22:11:22:11:23   120331        S     Vl 200  Te 1/1
333:22::22     11:22:11:22:11:24   120331        D     Vl 300  Te 1/2
Debugging the IPv6 DHCP
To debug the IPv6 DHCP, use the following command.
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port.
DellEMC#show ip dhcp snooping binding
Codes : S - Static  D - Dynamic
IP Address    MAC Address         Expires(Sec)  Type  VLAN   Interface
================================================================
10.1.1.251    00:00:4d:57:f2:50   172800        D     Vl 10  Te 1/2
10.1.1.252    00:00:4d:57:e6:f6   172800        D     Vl 10  Te 1/1
10.1.1.
Internet   10.1.1.253   -   00:00:4d:57:f8:e8   Te 1/3   Vl 10   CP
Internet   10.1.1.254   -   00:00:4d:69:e8:f2   Te 1/5   Vl 10   CP
DellEMC#
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Enabling IP Source Address Validation IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
• Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
• Enable IP+MAC SAV with VLAN option.
INTERFACE mode
ip dhcp source-address-validation ipmac vlan vlan-id
Dell EMC Networking OS creates an ACL entry for each IP+MAC address pair (optionally with its VLAN ID) in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface or for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
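The three SAV variants differ only in which fields of the binding must match, and the difference decides which spoofing attempts get through. The following Python script is an added example, not Dell EMC code: it parses show ip dhcp snooping binding output of the form shown in this chapter and then applies IP SAV, IP+MAC SAV and IP+MAC SAV with VLAN to sample frames, permitting a frame only if a binding on its ingress interface matches every field the mode checks. The binding table text (its first two rows follow the page's own example) and the frames are constructed for illustration.

```python
"""Source address validation against a parsed DHCP snooping binding table.

Added example, not Dell EMC code. The lookup is per ingress interface, mirroring
the one-ACL-entry-per-binding-per-interface behaviour described in the text.
"""
import re

# Constructed sample in the format shown in this chapter.
SAMPLE_BINDING_TABLE = """\
DellEMC#show ip dhcp snooping binding
Codes : S - Static  D - Dynamic
IP Address      MAC Address         Expires(Sec)  Type  VLAN    Interface
================================================================
10.1.1.251      00:00:4d:57:f2:50   172800        D     Vl 10   Te 1/2
10.1.1.252      00:00:4d:57:e6:f6   172800        D     Vl 10   Te 1/1
10.1.1.253      00:00:4d:57:f8:e8   172800        D     Vl 10   Te 1/3
10.1.1.10       00:00:4d:00:00:10   120331        S     Vl 10   Te 1/4
"""

_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<expires>\S+)\s+(?P<type>[SD])\s+Vl\s*(?P<vlan>\d+)\s+(?P<intf>\S+\s*\S+)\s*$",
    re.M)


def _canon_intf(name):
    """'Te 1/2' and 'te1/2' name the same port."""
    return name.replace(" ", "").lower()


def parse_bindings(text):
    """Return a list of binding dicts from show ip dhcp snooping binding output."""
    return [
        {"ip": m["ip"], "mac": m["mac"].lower(), "vlan": int(m["vlan"]),
         "interface": _canon_intf(m["intf"]), "type": m["type"]}
        for m in _ROW.finditer(text)
    ]


def sav_permits(bindings, interface, src_ip, src_mac=None, vlan=None, mode="ip"):
    """Decide whether a frame is forwarded under the given SAV mode.

    mode: 'ip' (ip dhcp source-address-validation), 'ipmac' (... ipmac) or
    'ipmac-vlan' (... ipmac vlan). Only bindings learned on the ingress
    interface count, so a host cannot borrow another port's lease.
    """
    if mode not in ("ip", "ipmac", "ipmac-vlan"):
        raise ValueError("unknown SAV mode: %s" % mode)
    intf = _canon_intf(interface)
    for b in bindings:
        if b["interface"] != intf or b["ip"] != src_ip:
            continue
        if mode == "ip":
            return True
        if b["mac"] != (src_mac or "").lower():
            continue
        if mode == "ipmac" or b["vlan"] == vlan:
            return True
    return False


def filter_frames(bindings, frames, mode):
    """Return the frames that would be dropped; a frame is (interface, src_ip, src_mac, vlan)."""
    return [f for f in frames if not sav_permits(bindings, f[0], f[1], f[2], f[3], mode)]


# Constructed frames: one legitimate, three spoofing attempts of increasing subtlety.
SAMPLE_FRAMES = [
    ("Te 1/2", "10.1.1.251", "00:00:4d:57:f2:50", 10),  # legitimate client
    ("Te 1/1", "10.1.1.251", "00:00:4d:57:e6:f6", 10),  # host on Te 1/1 claims .251's IP
    ("Te 1/2", "10.1.1.251", "00:00:4d:57:e6:f6", 10),  # right IP and port, forged MAC
    ("Te 1/2", "10.1.1.251", "00:00:4d:57:f2:50", 20),  # right IP and MAC, wrong VLAN
]

if __name__ == "__main__":
    table = parse_bindings(SAMPLE_BINDING_TABLE)
    for mode in ("ip", "ipmac", "ipmac-vlan"):
        dropped = filter_frames(table, SAMPLE_FRAMES, mode)
        print("%-10s drops %d of %d frames" % (mode, len(dropped), len(SAMPLE_FRAMES)))
```

IP-only SAV stops the cross-port spoof but lets a host on the right port forge a neighbour's MAC; IP+MAC stops that too; only the VLAN variant also catches the same IP/MAC pair arriving in the wrong VLAN.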
14 Equal Cost Multi-Path (ECMP) ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command. • Change the ExaScale hash-algorithm for LAG, ECMP, and NH-ECMP to match TeraScale. CONFIGURATION mode.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting. To configure the hash algorithm seed, use the following command. • Specify the hash algorithm seed. CONFIGURATION mode.
ip ecmp-group path-fallback
DellEMC(conf)#ip ecmp-group maximum-paths 3
User configuration has been changed. Save the configuration and reload to take effect
DellEMC(conf)#
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link bundle (as opposed to a single link within the bundle) exceeds 60%.
1. Create a user-defined ECMP group bundle.
Support for /128 IPv6 and /32 IPv4 Prefixes in Layer 3 Host Table and LPM Table
The IPv6 enhancements use the platform's ability to program /128 IPv6 prefixes in the LPM table and /32 IPv4 prefixes in the host table. The host table also provides ECMP support for destination prefixes in hardware. The platform uses a hardware chip that supports this behavior and can therefore make use of this capability.
• The first portion is primarily generated from packet headers to identify micro-flows in the traffic.
Flow-based Hashing for ECMP
Flow-based hashing is one of the RTAG7 hashing techniques that caters to ECMP routing in multi-tier networks. It addresses traffic polarization: when every node in a multi-tier network applies the same hash function to the same header fields, the flows that a lower tier has already sent to one ECMP member all hash to the same member again at the next tier, so some links at the higher tiers are never selected while the others are overloaded. Flow-based hashing ensures proper flow distribution between ECMP members in the higher layers of a multi-tier network.
The preceding anti-polarization techniques require coordinated configuration of the network nodes and do not scale when the number of tiers in the network is high. Flow-based hashing specifically addresses this with a macro-flow-based hash function: it selects the hash function dynamically across the different nodes in the network on a macro-flow basis, which reduces route starvation and the unfair distribution of bandwidth between members.
Traffic flow after enabling flow-based hashing
When flow-based hashing is enabled on all the nodes in the multi-tier network, traffic distribution is balanced at all tiers of the network, nullifying the polarization effect. The balance comes from the randomness that the flow-based hashing algorithm introduces across the multiple nodes in a given network.
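The polarization effect described above, as an added example that is not Dell EMC Networking OS code. The hash is a stand-in for the switch's RTAG7 hash (a seeded SHA-256 over the flow 5-tuple, assumed to behave like a well-mixed hash), the flows are constructed, and "a different hash selection at tier 2" is modelled as a different seed. With identical hashing at both tiers every tier-2 node carries traffic on exactly one of its uplinks; with per-tier variation all uplinks are used.

```python
"""Hash polarization across ECMP tiers, and what a per-node hash change buys.

Added example, not Dell EMC Networking OS code. The hash is a stand-in for the
switch's RTAG7 hash (a seeded SHA-256 over the flow 5-tuple, assumed here to be a
well-mixed hash); the flows are constructed. It shows the polarization problem: when
tier 1 and tier 2 hash identically, every flow that tier 1 sent to member k arrives
at a tier-2 node that again selects its member k, so each tier-2 node uses exactly
one of its uplinks. Giving tier 2 a different hash selection (modelled as a
different seed) restores use of all uplinks."""
import hashlib
from collections import Counter

def flow_hash(five_tuple, seed):
    """32-bit hash of a flow's 5-tuple mixed with the node's hash seed."""
    digest = hashlib.sha256(f"{seed:#x}|{five_tuple}".encode()).digest()
    return int.from_bytes(digest[:4], "big")

def ecmp_member(five_tuple, n_members, seed):
    """Index of the ECMP member this node forwards the flow on."""
    return flow_hash(five_tuple, seed) % n_members

def two_tier_distribution(flows, n_members, tier1_seed, tier2_seed):
    """Tier 1 spreads flows over n_members tier-2 nodes; each tier-2 node spreads
    what it receives over its own n_members uplinks. Returns, per tier-2 node,
    a Counter of how many flows went to each uplink."""
    usage = {node: Counter() for node in range(n_members)}
    for flow in flows:
        node = ecmp_member(flow, n_members, tier1_seed)
        uplink = ecmp_member(flow, n_members, tier2_seed)
        usage[node][uplink] += 1
    return usage

def uplinks_in_use(usage):
    """How many distinct uplinks each tier-2 node actually carried traffic on."""
    return {node: len(counter) for node, counter in usage.items()}

def load_spread(usage, n_members):
    """(min, max) flows per uplink across all tier-2 nodes; unused uplinks count 0."""
    loads = [counter[u] for counter in usage.values() for u in range(n_members)]
    return min(loads), max(loads)

def make_flows(count):
    """Constructed TCP flows: many clients and ports toward a small set of servers."""
    return [f"10.0.{i // 256}.{i % 256}:{40000 + i}->10.1.0.{i % 50}:443/tcp"
            for i in range(count)]

FLOWS = make_flows(4000)
N_MEMBERS = 4
SEED = 0xC0FFEE

def polarized_case():
    """Every tier uses the same hash and seed."""
    return uplinks_in_use(two_tier_distribution(FLOWS, N_MEMBERS, SEED, SEED))

def deseeded_case():
    """Tier 2 uses a different hash seed than tier 1."""
    return uplinks_in_use(two_tier_distribution(FLOWS, N_MEMBERS, SEED, SEED ^ 0xBEEF))

if __name__ == "__main__":
    same = two_tier_distribution(FLOWS, N_MEMBERS, SEED, SEED)
    diff = two_tier_distribution(FLOWS, N_MEMBERS, SEED, SEED ^ 0xBEEF)
    print("same hash at both tiers: uplinks in use per node", uplinks_in_use(same),
          "flows per uplink min/max", load_spread(same, N_MEMBERS))
    print("different hash at tier 2: uplinks in use per node", uplinks_in_use(diff),
          "flows per uplink min/max", load_spread(diff, N_MEMBERS))
```

The same effect shows up between a LAG hash and an ECMP hash that share an algorithm and seed on one chassis, which is why the note above about keeping the seed consistent per port-pipe matters for determinism but not for spread.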
15 FIP Snooping
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
The following table lists the FIP functions.
Table 29. FIP Functions
FIP Function        Description
FIP VLAN discovery  FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery       FCoE end-devices and FCFs are automatically discovered.
Initialization      FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Port-based ACLs: These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs: These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
FIP Snooping in a Switch Stack
FIP snooping supports switch stacking as follows:
• A switch stack configuration is synchronized with the standby stack unit.
• Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit.
• You must apply the CAM-ACL space for the FCoE region before enabling the FIP snooping feature. If you do not apply CAM-ACL space, the following error message is displayed:
DellEMC(conf)#feature fip-snooping
% Error: Cannot enable fip snooping. CAM Region not allocated for Fcoe.
DellEMC(conf)#
NOTE: Manually add the CAM-ACL space to the FCoE region; it is not applied by default.
Configure the FC-MAP Value
You can configure the FC-MAP value to be applied globally by the switch on all FCoE VLANs, or on individual FCoE VLANs, to authorize FCoE traffic. The configured FC-MAP value is used to check the FC-MAP portion of the MAC address assigned to ENodes in incoming FCoE frames. If the FC-MAP value does not match, the FCoE frames are dropped. A session between an ENode and an FCF is established by the switch (the FIP snooping bridge) only when the FC-MAP value on the FCF matches the FC-MAP value on the FIP snooping bridge.
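The FC-MAP check and the FCoE-generated ACL precedence described above, as an added example that is not Dell EMC Networking OS code. Under FC-BB-5 an ENode's VN_Port MAC is a fabric-provided MAC address (FPMA): the 24-bit FC-MAP followed by the 24-bit FC-ID that the FCF assigns in its FLOGI/FDISC accept. The FC-MAP default 0x0EFC00 is the FC-BB-5 default and is assumed to be the switch default as well; the FCF MAC and FC-ID are taken from the show fip-snooping enode output later in this chapter, and the ports and frames are constructed.

```python
"""FC-MAP / FPMA checks a FIP snooping bridge applies to FCoE frames.

Added example, not Dell EMC Networking OS code. Under FC-BB-5 an ENode's VN_Port
MAC is a fabric-provided MAC address (FPMA): the fabric's 24-bit FC-MAP followed by
the 24-bit FC-ID the FCF assigns in its FLOGI/FDISC accept. The bridge snoops that
accept, records the session (ENode port, VN_Port MAC, FCF MAC) and only then installs
the FCoE-generated ACL that permits FCoE frames with that source MAC toward that FCF;
any FCoE frame whose source MAC does not carry the bridge's own FC-MAP is dropped.
The FC-MAP default 0x0EFC00 is the FC-BB-5 default (assumed to match the switch
default); the ports and frames are constructed."""

FC_MAP_DEFAULT = 0x0EFC00
LOW24 = 0xFFFFFF

def fpma(fc_map, fc_id):
    """VN_Port MAC as a 48-bit integer: FC-MAP (upper 24 bits) || FC-ID (lower 24)."""
    return ((fc_map & LOW24) << 24) | (fc_id & LOW24)

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def int_to_mac(value):
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))

class FipSnoopingBridge:
    def __init__(self, fc_map=FC_MAP_DEFAULT):
        self.fc_map = fc_map
        self.sessions = {}  # (enode_port, vn_port_mac) -> fcf_mac; one FCoE-generated ACL each
        self.drops = []     # (stage, port, mac, reason)

    def snoop_flogi_accept(self, enode_port, fcf_mac, fc_id, granted_mac):
        """FIP FLOGI/FDISC accept seen from the FCF. A session (and its ACL) is only
        created when the granted MAC is FC-MAP||FC-ID under the bridge's own FC-MAP,
        which is exactly what a mismatch between FCF and bridge FC-MAP breaks."""
        if mac_to_int(granted_mac) != fpma(self.fc_map, fc_id):
            self.drops.append(("fip-accept", enode_port, granted_mac, "FC-MAP mismatch"))
            return False
        self.sessions[(enode_port, granted_mac.lower())] = fcf_mac.lower()
        return True

    def forward_fcoe(self, enode_port, src_mac, dst_mac):
        """FCoE data frame arriving on an ENode-facing port: True if permitted."""
        if (mac_to_int(src_mac) >> 24) != self.fc_map:
            self.drops.append(("fcoe", enode_port, src_mac, "FC-MAP mismatch"))
            return False
        fcf = self.sessions.get((enode_port, src_mac.lower()))
        if fcf is None:
            self.drops.append(("fcoe", enode_port, src_mac, "no snooped session on this port"))
            return False
        if fcf != dst_mac.lower():
            self.drops.append(("fcoe", enode_port, src_mac, "destination is not the session FCF"))
            return False
        return True

# FCF MAC and FC-ID as shown by 'show fip-snooping enode' in this chapter.
FCF_MAC = "54:7f:ee:37:34:40"
FC_ID = 0x620011
VN_PORT_MAC = int_to_mac(fpma(FC_MAP_DEFAULT, FC_ID))  # 0e:fc:00:62:00:11

def scenario():
    """Constructed sequence of FIP and FCoE frames and the bridge's verdicts."""
    bridge = FipSnoopingBridge()
    foreign_fcmap_mac = int_to_mac(fpma(0x0EFC01, 0x620012))  # FCF using another FC-MAP
    return {
        "accept-ok": bridge.snoop_flogi_accept("Te 1/11", FCF_MAC, FC_ID, VN_PORT_MAC),
        "accept-foreign-fcmap": bridge.snoop_flogi_accept("Te 1/12", FCF_MAC, 0x620012, foreign_fcmap_mac),
        "data-ok": bridge.forward_fcoe("Te 1/11", VN_PORT_MAC, FCF_MAC),
        "data-foreign-fcmap": bridge.forward_fcoe("Te 1/11", "0e:fc:01:62:00:11", FCF_MAC),
        "data-spoofed-fcid": bridge.forward_fcoe("Te 1/11", "0e:fc:00:62:00:99", FCF_MAC),
        "data-wrong-port": bridge.forward_fcoe("Te 1/12", VN_PORT_MAC, FCF_MAC),
        "data-wrong-fcf": bridge.forward_fcoe("Te 1/11", VN_PORT_MAC, "54:7f:ee:37:34:41"),
        "sessions": len(bridge.sessions),
        "drops": len(bridge.drops),
    }

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:22} {verdict}")
```

The per-port session key is what makes the FCoE-generated ACL stronger than a global permit on the FC-MAP prefix: a host on another port that forges a valid-looking FPMA still has no session and is dropped.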
Configuring FIP Snooping
You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN. By default, FIP snooping is disabled. To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these steps.
1. Configure FCoE.
   FCoE configuration: copy flash:/CONFIG_TEMPLATE/FCoE_DCB_Config running-config
   The configuration files are stored in the flash memory in the CONFIG_TEMPLATE directory.
Command: show fip-snooping statistics [interface vlan vlan-id | interface port-type slot/port | interface port-channel port-channel-number]
Output: Displays statistics on the FIP packets snooped on all interfaces, including VLANs, physical ports, and port channels.
Command: clear fip-snooping statistics [interface vlan vlan-id | interface port-type slot/port | interface port-channel port-channel-number]
Output: Clears the statistics on the FIP packets snooped on all VLANs, a specified VLAN, or a specified port interface.
The following example shows the show fip-snooping enode command.
DellEMC# show fip-snooping enode
Enode MAC          Enode Interface  FCF MAC            VLAN  FC-ID
-----------------  ---------------  -----------------  ----  --------
d4:ae:52:1b:e3:cd  Te 1/11          54:7f:ee:37:34:40  100   62:00:11
The following table describes the show fip-snooping enode command fields.
Table 33. show fip-snooping enode Command Description
Field            Description
ENode MAC        MAC address of the ENode.
ENode Interface  Slot/port number of the interface connected to the ENode.
Number of FCF Discovery Timeouts :0
Number of VN Port Session Timeouts :0
Number of Session failures due to Hardware Config :0
DellEMC(conf)#
DellEMC# show fip-snooping statistics int tengigabitethernet 1/11
Number of Vlan Requests :1
Number of Vlan Notifications :0
Number of Multicast Discovery Solicits :1
Number of Unicast Discovery Solicits :0
Number of FLOGI :1
Number of FDISC :16
Number of FLOGO :0
Number of Enode Keep Alive :4416
Number of VN Port Keep Alive :3136
Number of Multicast Discovery Adverti
Field                          Description
Number of FLOGI                Number of FIP-snooped FLOGI request frames received on the interface.
Number of FDISC                Number of FIP-snooped FDISC request frames received on the interface.
Number of FLOGO                Number of FIP-snooped FLOGO frames received on the interface.
Number of ENode Keep Alives    Number of FIP-snooped ENode keep-alive frames received on the interface.
Number of VN Port Keep Alives  Number of FIP-snooped VN port keep-alive frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 40. Configuration Example: FIP Snooping on a Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
DellEMC(conf-if-te-1/1)# protocol lldp
DellEMC(conf-if-te-1/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
16 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• Configuring Fast Boot and LACP Fast Switchover
• Optimizing the Boot Time
• Interoperation of Applications with Fast Boot and System States
• RDMA Over Converged Ethernet (RoCE) Overview
• Preserving 802.
To delete the configured flex hash setting, use the no version of the command.
Configuring Fast Boot and LACP Fast Switchover
Configure the optimized booting time functionality by performing the following steps.
1. Enable the system to restart with optimized booting-time functionality enabled.
   CONFIGURATION mode
   DellEMC(conf)#reload-type fastboot
2. Configure fast boot on a port-channel on both the nodes that are members of the port-channel, in order to enable the physical ports to be aggregated faster.
3. Before performing the planned reload, we recommend increasing the IPv6 Neighbor Discovery (ND) reachable timer to 300 seconds or longer on the adjacent devices, to prevent the ND cache entries from becoming stale and being removed while the ToR goes through a CPU reset. You can restore this timer to its prior value after the ToR has completed its planned reload.
4.
• The system saves all the dynamic ND cache entries to a database on the flash card.
Changes to BGP Multipath
When the system becomes active after a fast-boot restart, the BGP multipath and ECMP behavior changes: the system delays the computation and installation of additional paths to a destination into the BGP routing information base (RIB) and forwarding table for a certain period of time.
To provide lossless service for RRoCE, the QoS service policy must be configured in the ingress and egress directions on lite subinterfaces.
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
This functionality is supported on the S6000 platform. All the frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard to determine the VLAN to which the frames or traffic are relevant or associated. Such frames are encapsulated with the 802.1Q tags.
17 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 41. Example of Multiple Rings Connected by Single Switch
Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept       Explanation
Ring ID       Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN  Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF and cannot be used for any other purpose.
• Each ring has only one Master node; all others are transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
   CONFIG-FRRP mode.
   interface primary interface secondary interface control-vlan vlan-id
   Interface:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
4. Configure the Master node.
   CONFIG-FRRP mode.
   mode master
5. Identify the Member VLANs for this FRRP group.
   CONFIG-FRRP mode.
   VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. Enable this FRRP group on this switch.
   CONFIG-FRRP mode.
   no disable
Setting the FRRP Timers
To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time to 3 times the Hello-Interval.
• Enter the desired intervals for Hello-Interval or Dead-Interval times.
  CONFIG-FRRP mode.
  timer {hello-interval|dead-interval} milliseconds
  • Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
interface Vlan 201
 no ip address
 tagged TenGigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary TenGigabitEthernet 2/14 secondary TenGigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable
Example of R3 TRANSIT
interface TenGigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TenGigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip addres
Figure 42. FRRP Ring Connecting VLT Devices
You can also configure an FRRP ring where both VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or per-VLAN-group basis, enabling the configuration to span different sets of VLANs.
multiple member VLANs are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1). The VLTi is implicitly tagged to the member VLANs when these VLANs are configured on the VLT peer. As a result of the VLT Node2 configuration on R2, the secondary interface P2 is blocked for the member VLANs (M11 to Mn). The following figure illustrates the FRRP Ring R1 topology:
Figure 43.
18 GARP VLAN Registration Protocol (GVRP)
The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Figure 44. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
• Configure GVRP Registration
• Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch.
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
• Leave — When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is de-registered. The Leave timer must be greater than or equal to 3x the Join timer. The Dell EMC Networking OS default is 600ms.
• LeaveAll — After startup, a GARP device globally starts a LeaveAll timer.
19 Internet Group Management Protocol (IGMP)
Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 45. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
• An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts so the request is recorded. Figure 48.
Figure 49. Membership Queries: Leaving and Staying
Configure IGMP
Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• View IGMP-enabled IPv4 interfaces.
  EXEC Privilege mode
  show ip igmp interface
• View IGMP-enabled IPv6 interfaces.
  EXEC Privilege mode
  show ipv6 mld interface
DellEMC#show ip igmp interface
TenGigabitEthernet 3/10
  Inbound IGMP access group is not set
  Internet address is 165.87.34.
225.1.1.1  TenGigabitEthernet 1/1  IGMPV2  00:11:19  00:01:50  165.87.34.100
225.1.2.1  TenGigabitEthernet 1/1  IGMPV2  00:10:19  00:01:50  165.87.31.100
Viewing IGMP Snooping Groups
To view both learned and statically configured IGMP snooping groups, use the following command.
• View both learned and statically configured IGMP snooping groups.
  EXEC Privilege mode
  show ip igmp snooping groups
Dell# show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface
225.1.1.
• Adjust the last member query interval.
  INTERFACE mode
  ip igmp last-member-query-interval
• Adjust the amount of time the querier waits for the initial query response before sending the next IPv6 query.
  INTERFACE mode
  ipv6 mld last-member-query-interval
Enabling IGMP Immediate-Leave
If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value).
• Disable snooping on a VLAN.
  INTERFACE VLAN mode
  no ip igmp snooping
Related Configuration Tasks
• Removing a Group-Port Association
• Disabling Multicast Flooding
• Specifying a Port as Connected to a Multicast Router
• Configuring the Switch as Querier
DellEMC(conf)#ip igmp snooping enable
DellEMC(conf)#do show running-config igmp
ip igmp snooping enable
DellEMC(conf)#
Removing a Group-Port Association
To configure or view the group-port association removal feature, use the following commands.
Configuring the Switch as Querier
To configure the switch as a querier, use the following command.
Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
In customer deployment topologies, the traffic for certain management applications may be required to exit through the management port only. Without EIS, such traffic can exit out of any port, based on the route lookup in the IP stack; EIS gives you control over this. One typical example is an SSH session to an unknown destination or an SSH connection that is destined to the management port IP address. The management default route can coexist with front-end default routes.
Enabling and Disabling Management Egress Interface Selection
You can enable or disable egress interface selection using the management egress-interface-selection command.
NOTE: Egress Interface Selection (EIS) works only with IPv4 routing.
When the feature is enabled using the management egress-interface-selection command, the following events are performed:
• The CLI prompt changes to the EIS mode.
• The TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call, which is called as part of the connect system call or in the ip_output function.
• If the destination TCP/UDP port number belongs to a configured management application, the sin_port of the destination sockaddr structure is set to Management EIS ID 2 so that the route lookup can be done in the management EIS routing table.
Handling of Transit Traffic (Traffic Separation)
This is forwarded traffic where the destination IP is not an IP address configured on the switch.
• Packets received on the management port with a destination on the front-end port are dropped.
• Packets received on the front-end port with a destination on the management port are dropped.
• A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
2. Non-Management Applications (applications that are not configured as management applications as defined by this feature): Non-management application traffic exits out of either the front-end data port or the management port based on the routing table. If there is a default route on both the management port and the front-end data port, the default route for the data port is preferred.
EIS behavior for ICMP: ICMP packets do not have TCP/UDP ports. To perform an EIS route lookup for ICMP-based applications (ping and traceroute), you must therefore configure ICMP as a management application. If the management port is down or the route lookup fails, packets are dropped. If the source IP address does not match the management port IP address, the route lookup is done in the default routing table.
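The EIS decisions described in this section (management-application lookup in the management EIS table with drop on failure, the data-port preference between two default routes, the ICMP source-address rule, and the transit-traffic separation drops), as an added example that is not Dell EMC Networking OS code. The routing tables, addresses, interface names and the application-to-port mapping are constructed; the ports are the IANA defaults for the protocols the guide names, which the guide itself does not list.

```python
"""Egress Interface Selection (EIS) lookup decisions for switch-originated and transit traffic.

Added example, not Dell EMC Networking OS code. It models the decisions the guide
describes once 'management egress-interface-selection' is enabled: a packet whose
destination TCP/UDP port belongs to a configured management application (ICMP only
if icmp is itself configured as a management application) is looked up in the
management EIS routing table and dropped if that lookup fails or the management port
is down; other traffic uses the default table, where a data-port default route is
preferred over the management default route; and transit traffic that would cross
between the management and front-end domains is dropped and counted. Routing tables,
addresses, interface names and the application-to-port mapping (IANA default ports;
the guide names the protocols but not their ports) are constructed."""
import ipaddress
from dataclasses import dataclass

MGMT_APP_PORTS = {"ssh": 22, "telnet": 23, "ftp": 21, "tftp": 69, "dns": 53,
                  "ntp": 123, "snmp": 161, "syslog": 514, "tacacs": 49, "radius": 1812}

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    iface: str
    domain: str  # "management" or "front-end"

class Eis:
    def __init__(self, routes, mgmt_ip, mgmt_apps, mgmt_port_up=True):
        self.routes = list(routes)
        self.mgmt_ip = ipaddress.ip_address(mgmt_ip)
        self.mgmt_apps = set(mgmt_apps)
        self.mgmt_port_up = mgmt_port_up
        self.separation_drops = 0  # the separate drop counter netstat would show

    def _lookup(self, dst, table):
        """Longest-prefix match. The management EIS table holds only routes that exit
        the management port; the default table holds both domains and, on a tie
        between two default routes, prefers the front-end data port."""
        cands = [r for r in self.routes
                 if dst in r.network and (table == "default" or r.domain == "management")]
        if not cands:
            return None
        longest = max(r.network.prefixlen for r in cands)
        tied = [r for r in cands if r.network.prefixlen == longest]
        tied.sort(key=lambda r: r.domain == "management")  # front-end sorts first
        return tied[0]

    def _is_mgmt_app(self, proto, dst_port):
        if proto == "icmp":
            return "icmp" in self.mgmt_apps
        return any(MGMT_APP_PORTS.get(app) == dst_port for app in self.mgmt_apps)

    def select_egress(self, dst_ip, proto, dst_port=None, src_ip=None):
        """Egress decision for a packet the switch itself originates."""
        dst = ipaddress.ip_address(dst_ip)
        use_eis = self._is_mgmt_app(proto, dst_port)
        # Guide: for ICMP, a source other than the management IP uses the default table.
        if use_eis and proto == "icmp" and src_ip is not None \
                and ipaddress.ip_address(src_ip) != self.mgmt_ip:
            use_eis = False
        if use_eis:
            if not self.mgmt_port_up:
                return ("drop", "management port down")
            route = self._lookup(dst, "management")
            if route is None:
                return ("drop", "no route in management EIS table")
            return (route.iface, "management EIS table")
        route = self._lookup(dst, "default")
        return ("drop", "no route") if route is None else (route.iface, "default table")

    def forward_transit(self, ingress_domain, dst_ip):
        """Forwarded traffic (destination is not a switch address): never cross domains."""
        route = self._lookup(ipaddress.ip_address(dst_ip), "default")
        if route is None:
            return ("drop", "no route")
        if route.domain != ingress_domain:
            self.separation_drops += 1
            return ("drop", "management/front-end separation")
        return (route.iface, "forwarded")

def build_switch(mgmt_port_up=True, mgmt_default=True):
    """Constructed switch: management port ma 0/0 in 10.16.130.0/24, data ports Te 1/1 and Te 1/2."""
    net = ipaddress.ip_network
    routes = [
        Route(net("10.16.130.0/24"), "ma 0/0", "management"),
        Route(net("192.168.10.0/24"), "Te 1/2", "front-end"),
        Route(net("0.0.0.0/0"), "Te 1/1", "front-end"),
    ]
    if mgmt_default:
        routes.append(Route(net("0.0.0.0/0"), "ma 0/0", "management"))
    return Eis(routes, "10.16.130.5", {"ssh", "syslog", "icmp"}, mgmt_port_up)

def scenario():
    sw = build_switch()
    results = {
        "ssh": sw.select_egress("203.0.113.10", "tcp", 22),
        "http": sw.select_egress("203.0.113.10", "tcp", 80),
        "ping-from-mgmt": sw.select_egress("203.0.113.10", "icmp", src_ip="10.16.130.5"),
        "ping-from-data": sw.select_egress("203.0.113.10", "icmp", src_ip="192.168.10.1"),
        "transit-mgmt-to-data": sw.forward_transit("management", "192.168.10.5"),
        "transit-data-to-data": sw.forward_transit("front-end", "192.168.10.5"),
    }
    results["separation-drops"] = sw.separation_drops
    results["ssh-mgmt-down"] = build_switch(mgmt_port_up=False).select_egress("203.0.113.10", "tcp", 22)
    results["ssh-no-mgmt-route"] = build_switch(mgmt_default=False).select_egress("203.0.113.10", "tcp", 22)
    return results

if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:22} {result}")
```

Note the fail-closed behaviour in the management path: an SSH or syslog packet with no usable management route is dropped rather than leaking out a data port, which is the isolation property the feature exists for.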
20 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to the error-disabled state.
• Monitoring and Maintaining Interfaces
• Non Dell-Qualified Transceivers
• Splitting 40G Ports without Reload
• Splitting QSFP Ports to SFP+ Ports
• Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port
• Configuring wavelength for 10-Gigabit SFP+ optics
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Configuring the Traffic S
Pluggable media present, XFP type is 10GBASE-LR.
Medium is MultiRate, Wavelength is 1310nm
XFP receive power reading is -3.7685
Interface index is 67436603
Internet address is 65.113.24.
Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configurations applied on an interface.
   INTERFACE mode
   show config
   DellEMC(conf-if-te-1/5)#show config
   !
   interface TenGigabitEthernet 1/5
    no ip address
    portmode hybrid
    switchport
    rate-interval 8
    mac learning-limit 10 no-station-move
    no shutdown
2. Reset an interface to its factory default state.
For more information about VLANs, refer to Bulk Configuration. For more information on port channels, refer to Port Channel Interfaces. Dell EMC Networking OS Behavior: The system uses a single MAC address for all physical interfaces. Configuration Task List for Physical Interfaces By default, all interfaces are operationally disabled and traffic does not pass through them.
Table 41. Layer Modes
Type of Interface                            Possible Modes  Requires Creation  Default State
10 Gigabit Ethernet and 40 Gigabit Ethernet  Layer 2         No                 Shutdown (disabled)
Management                                   N/A             No                 Shutdown (disabled)
Loopback                                     Layer 3         Yes                No shutdown (enabled)
Null interface                               N/A             No                 Enabled
Port Channel                                 Layer 2         Yes                Shutdown (disabled)
(VLAN row, only partially extracted) Requires Creation: Yes, except for the default VLAN.
  INTERFACE mode
  ip address ip-address
• Enable the interface.
  INTERFACE mode
  no shutdown
If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggers an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
DellEMC(conf-if)#show config
!
interface TenGigabitEthernet 1/2
 no ip address
 switchport
 no shutdown
DellEMC(conf-if)#ip address 10.10.
• BPDU Guard
• FEFD
• MAC learning limit
• ARP inspection
Based on the automatic recovery configuration, when the interface is changed to the Err-disabled state, Dell EMC Networking OS starts a timer for the configured time-out interval. When the timer expires, the interface is moved to the operationally up state if the encountered error has been fixed. If not, the interface is moved to the Err-disabled state again.
Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports. The following protocols support EIS: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. This feature does not support sFlow on stacked units.
• ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x). You can configure two global IPv6 addresses on the system in EXEC Privilege mode. To view the addresses, use the show interface managementethernet command, as shown in the following example. If you try to configure a third IPv6 address, an error message displays. If you enable auto-configuration, all IPv6 addresses on that management interface are auto-configured.
• Primary and secondary management interface IP and virtual IP must be in the same subnet.
To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are two RPMs, you cannot view information on that interface.
Configuring a Management Interface on an Ethernet Port
You can manage the system through any port using remote access such as Telnet. To configure an IP address for the port, use the following commands.
A consideration for including VLANs in routing protocols is that you must configure the no shutdown command. (For routing traffic to flow, you must enable the VLAN.) NOTE: You cannot assign an IP address to the default VLAN, which is VLAN 1 (by default). To assign another VLAN ID to the default VLAN, use the default vlan-id vlan-id command. To assign an IP address to an interface, use the following command. • Configure an IP address and mask on the interface.
Configuring Port Delay
To configure a delayed bring-up of all interfaces during switch boot-up, use the following command:
• Enter CONFIGURATION mode.
  CONFIGURATION mode
  Use the port-delay-restore command and specify a value between 1 second and 300 seconds.
  DellEMC(conf)#port-delay-restore 300
Use the no port-delay-restore command to disable the feature.
• Dynamic — Port channels that are dynamically configured using the link aggregation control protocol (LACP). For details, see Link Aggregation Control Protocol (LACP). The port channel ID ranges from 1 to 4096. As soon as you configure a port channel, Dell EMC Networking OS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel.
2. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown After you enable the port channel, you can place it in Layer 2 or Layer 3 mode. To place the port channel in Layer 2 mode or configure an IP address to place the port channel in Layer 3 mode, use the switchport command. You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists.
Members in this channel: Te 1/10 Te 1/17
ARP type: ARPA, ARP timeout 04:00:00
Last clearing of "show interface" counters 00:00:00
Queueing strategy: fifo
1212627 packets input, 1539872850 bytes
Input 1212448 IP Packets, 0 Vlans 0 MPLS
4857 64-byte pkts, 17570 over 64-byte pkts, 35209 over 127-byte pkts
69164 over 255-byte pkts, 143346 over 511-byte pkts, 942523 over 1023-byte pkts
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
42 CRC, 0 IP Checksum, 0 overrun, 0 discarded
2456590833 packets
 no ip address
 channel-member TenGigabitEthernet 1/8
 no shutdown
DellEMC(conf-if-po-4)#no chann tengi 1/8
DellEMC(conf-if-po-4)#int port 3
DellEMC(conf-if-po-3)#channel tengi 1/8
DellEMC(conf-if-po-3)#sho conf
!
interface Port-channel 3
 no ip address
 channel-member TenGigabitEthernet 1/8
 shutdown
DellEMC(conf-if-po-3)#
Configuring the Minimum Oper Up Links in a Port Channel
You can configure the minimum links in a port channel (LAG) that must be in "oper up" status to consider the port channel to be in "ope
   INTERFACE mode
   DellEMC(conf-if)#vlan tagged 2,3-4
2. Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface.
   INTERFACE mode
   DellEMC(conf-if)#switchport
3. Verify the manually configured VLAN membership (show interfaces switchport interface command).
Dell EMC Networking OS allows you to modify the hashing algorithms used for flows and for fragments. The load-balance and hash-algorithm commands are available for modifying the distribution algorithms.
Changing the Hash Algorithm
The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP.
The interface range command allows you to create an interface range allowing other commands to be applied to that range of interfaces. The interface range prompt offers the interface (with slot and port information) for valid interfaces. The maximum size of an interface range prompt is 32. If the prompt size exceeds this maximum, it displays (...) at the end of the output. NOTE: Non-existing interfaces are excluded from the interface range prompt.
Exclude a Smaller Port Range The following is an example show how the smaller of two port ranges is omitted in the interface-range prompt.
CONFIGURATION mode
interface range macro name
The following example shows how to change to the interface-range configuration mode using the interface-range macro named "test."
DellEMC(config)# interface range macro test
DellEMC(config-if)#
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on.
Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell EMC Networking switches. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns. By examining the reflection, TDR is able to indicate whether there is a cable fault (when the cable is broken, becomes unterminated, or if a transceiver is unplugged).
• When a non-supported profile release is upgraded to a supported profile release, the fan-out configured ports get automatically included in the profile.
• In fan-out mode, if a system is upgraded with 25 or 26 ports, only 24 ports get upgraded to fan-out mode. The rest of the ports are put into the default 40G mode.
• In stacking, configure the profile first before provisioning new units. Otherwise a reload is mandatory for the profile to take effect.
[Figure residue: port layout showing ports 16 17 18 19 20 21 22 23 24 26 28 30 32]
You can only split the 40G ports in the top row (odd numbered ports) on a 16X40G module. If you configure 4X10G on a 40G interface, the subsequent even numbered interface is removed and unavailable for use.
NOTE: You can split the 40G ports to 10G ports and vice versa without reloading the device.
To split a single 40G port into four 10G ports, use the following command.
• Split a single 40G port into four 10G ports.
CONFIGURATION mode
stack-unit stack-unit-number port number portmode quad
• number: enter the port number of the 40G port to be split.
NOTE: To revert the port mode to 40G, use the no stack-unit stack-unit-number port port-number portmode quad command.
Important Points to Remember
• Starting from Dell OS 9.7(0.0), as part of dynamic fan-out support, only 96 ports can be split into 10G mode. The remaining eight ports stay in 40G. For more information, see Splitting 40G Ports without Reload.
• Before using the QSA to convert a 40 Gigabit Ethernet port to a 10 Gigabit SFP or SFP+ port, enable 40 G to 4*10 fan-out mode on the device.
SFP+ 0 Ext Id = 0x00
SFP+ 0 Connector = 0x23
……………………….
Dell#show interfaces tengigabitethernet 0/4 transceiver
SFP 0 Serial ID Base Fields
SFP 0 Id = 0x0d
SFP 0 Ext Id = 0x00
SFP 0 Connector = 0x23
SFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
SFP 0 Encoding = 0x00
………………
………………
SFP 0 Diagnostic Information
===================================
SFP 0 Rx Power measurement type = OMA
===================================
SFP 0 Temp High Alarm threshold = 0.
QSFP 0 Voltage High Alarm threshold = 0.000V
QSFP 0 Bias High Alarm threshold = 0.000mA
Dell#show interfaces fortyGigE 0/12 transceiver
QSFP 0 Serial ID Base Fields
QSFP 0 Id = 0x0d
QSFP 0 Ext Id = 0x00
QSFP 0 Connector = 0x23
QSFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
QSFP 0 Encoding = 0x00
………………
………………
QSFP 0 Diagnostic Information
===================================
QSFP 0 Rx Power measurement type = OMA
===================================
QSFP 0 Temp High Alarm threshold = 0.
Dell#show interfaces tengigabitethernet 0/6
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/7
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#s
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of re-converging. Flapping therefore puts the status of the entire network at risk of transient loops and black holes.
Figure 50. Interface State Change
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), the penalty accumulates to 1024. The accumulated penalty then decays exponentially based on the configured half-life, which is set to 10 seconds in the above example. During the second interface flap (flap 2), the penalty (1024) is added again.
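The penalty arithmetic described above, carried through in code. This is an added example and is not part of the Dell guide; it assumes only the two values the text gives (a penalty of 1024 per flap and a half-life of 10 seconds) and uses constructed flap times. It does not model the suppress and reuse thresholds, which the text above does not specify.

```python
"""Link-dampening penalty accumulation and decay (added example)."""

PENALTY_PER_FLAP = 1024     # penalty added each time the interface goes down (from the text)
HALF_LIFE_SECONDS = 10.0    # the accumulated penalty halves every half-life (from the text)


def decayed(penalty, elapsed, half_life=HALF_LIFE_SECONDS):
    """Value of `penalty` after `elapsed` seconds of exponential decay."""
    return penalty * 0.5 ** (elapsed / half_life)


def penalty_at(flap_times, t, penalty=PENALTY_PER_FLAP, half_life=HALF_LIFE_SECONDS):
    """Accumulated penalty at time t (seconds) for an interface that went down at `flap_times`.

    Each flap contributes its full penalty at the moment it happens and then
    decays independently; flaps later than t have not happened yet.
    """
    return sum(decayed(penalty, t - f, half_life) for f in flap_times if f <= t)


def steady_state_penalty(period, penalty=PENALTY_PER_FLAP, half_life=HALF_LIFE_SECONDS):
    """Level the penalty converges to when the interface flaps every `period` seconds.

    Summing the geometric series penalty * (1 + r + r^2 + ...) with
    r = 0.5 ** (period / half_life) gives penalty / (1 - r).
    """
    r = 0.5 ** (period / half_life)
    return penalty / (1 - r)


def timeline(flap_times, until, step=5):
    """Sample the accumulated penalty every `step` seconds up to `until` (inclusive)."""
    return [(t, round(penalty_at(flap_times, t), 1)) for t in range(0, until + 1, step)]


if __name__ == "__main__":
    flaps = [0, 10, 20]  # constructed: the link goes down every 10 s, as in the figure
    for t, p in timeline(flaps, 40):
        print(f"t={t:>3}s  penalty={p:8.1f}")
    print(f"steady state for a 10 s flap period: {steady_state_penalty(10):.0f}")
```

With a flap period equal to the half-life, each flap adds 1024 while the previous total has only halved, so the penalty climbs (1024, 1536, 1792, ...) toward 2048; this is the behaviour that lets dampening distinguish a persistently unstable link from a single transient event.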
Enabling Link Dampening
To enable link dampening, use the following command.
• Enable link dampening.
INTERFACE mode
dampening
To view the link dampening configuration on an interface, use the show config command.
R1(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
ip address 10.10.19.1/24
dampening 1 2 3 4
no shutdown
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
Configure MTU Size on an Interface
In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Transmission Media | MTU Range (in bytes)
Ethernet | 592-9216 = link MTU; 576-9398 = IP MTU
The IP MTU is configured automatically.
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off.
INTERFACE mode
flowcontrol rx [off | on] tx [off | on] [monitor session-ID]
Where:
rx on: Processes the received flow control frames on this port.
rx off: Ignores the received flow control frames on this port.
tx on: Sends control frames from this port to the connected device when a higher rate of traffic is received.
Layer 2 Overhead | Difference Between Link MTU and IP MTU
Tagged Packet with VLAN-Stack Header | 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members.
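A small check of the Layer 2 overhead and of the two port-channel rules just listed. This is an added example, not code from the Dell guide. The 26-byte VLAN-stack figure comes from the table above; the breakdown into a 14-byte Ethernet header, a 4-byte FCS and 4 bytes per 802.1Q tag is standard Ethernet framing and reproduces that figure. The member MTU values are constructed sample input.

```python
"""Link MTU, IP MTU and port-channel MTU consistency (added example)."""

ETH_HEADER = 14   # destination MAC (6) + source MAC (6) + EtherType (2)
FCS = 4           # frame check sequence, counted in the link MTU by the guide
VLAN_TAG = 4      # one 802.1Q tag; a VLAN-stack (Q-in-Q) frame carries two


def l2_overhead(tags):
    """Difference between link MTU and IP MTU for a frame carrying `tags` VLAN tags."""
    return ETH_HEADER + FCS + tags * VLAN_TAG


def ip_mtu_for(link_mtu, tags):
    """Largest IP packet that fits in a frame of `link_mtu` bytes with `tags` VLAN tags."""
    return link_mtu - l2_overhead(tags)


def check_port_channel(channel, members):
    """Apply the two port-channel rules from the text.

    `channel` and each value of `members` are (link_mtu, ip_mtu) tuples.
    Returns a list of rule violations; an empty list means the configuration is consistent.
    """
    problems = []
    link_values = {m[0] for m in members.values()}
    ip_values = {m[1] for m in members.values()}
    if len(link_values) > 1:                       # rule 1: members must agree
        problems.append(f"members disagree on link MTU: {sorted(link_values)}")
    if len(ip_values) > 1:
        problems.append(f"members disagree on IP MTU: {sorted(ip_values)}")
    ch_link, ch_ip = channel
    for name, (link_mtu, ip_mtu) in members.items():  # rule 2: channel <= every member
        if ch_link > link_mtu:
            problems.append(f"port-channel link MTU {ch_link} exceeds {name} link MTU {link_mtu}")
        if ch_ip > ip_mtu:
            problems.append(f"port-channel IP MTU {ch_ip} exceeds {name} IP MTU {ip_mtu}")
    return problems


if __name__ == "__main__":
    print("VLAN-stack overhead:", l2_overhead(2), "bytes")          # 26, as in the table
    print("IP MTU for a 9216-byte double-tagged frame:", ip_mtu_for(9216, 2))
    # constructed: one member was left at an untagged 1518/1500 while the others were raised
    members = {"Te 1/1": (9216, 9190), "Te 1/2": (9216, 9190), "Te 1/3": (1518, 1500)}
    for p in check_port_channel((9216, 9190), members):
        print("problem:", p)
```

A member whose MTU is smaller than the port channel's silently drops the largest frames only on that link, which shows up as intermittent loss for flows hashed onto it; running a check like this before committing a change is cheaper than finding it in production.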
CONFIGURATION mode
interface interface-type
5. Set the local port speed.
INTERFACE mode
speed {10 | 100 | 1000 | 10000 | auto}
NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed.
6. Optionally, set full- or half-duplex.
INTERFACE mode
duplex {half | full}
7. Disable auto-negotiation on the port.
Example of the negotiation auto Command
DellEMC(conf)# int tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)#neg auto
DellEMC(conf-if-te-1/1-autoneg)# ?
end    Exit from configuration mode
exit   Exit from autoneg configuration mode
mode   Specify autoneg mode
no     Negate a command or set its defaults
show   Show autoneg configuration information
DellEMC(conf-if-te-1/1-autoneg)#mode ?
forced-master   Force port to master mode
forced-slave    Force port to slave mode
DellEMC(conf-if-te-1/1-autoneg)#
For details about the speed
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Configuring the Traffic Sampling Size Globally You can configure the traffic sampling size for an interface in the global configuration mode. All LAG members inherit the rate interval configuration from the LAG. Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. The following example shows how to configure rate interval when changing the default value.
Queueing strategy: fifo
Input Statistics:
13932 packets, 1111970 bytes
5588 64-byte pkts, 8254 over 64-byte pkts, 89 over 127-byte pkts
1 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
13761 Multicasts, 9 Broadcasts, 162 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
13908 packets, 1114396 bytes, 0 underruns
5555 64-byte pkts, 8213 over 64-byte pkts, 140 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
13727 Multi
• (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a number from 1 to 255 as the vrid.
• (OPTIONAL) To clear unknown source address (SA) drop counters when you configure the MAC learning limit on the interface, enter the keywords learning-limit.
When you enter this command, confirm that you want Dell EMC Networking OS to clear the interface counters for that interface.
Uncompressed Compressed no ip address interface group Vlan 3 – 5 shutdown tagged te 1/1 ! no ip address interface TenGigabitEthernet 1/34 shutdown ip address 2.1.1.1/16 ! shutdown interface Vlan 1000 ! ip address 1.1.1.1/16 interface Vlan 2 no shutdown no ip address ! no shutdown ! Compressed config size – 27 lines.
in flash by default
copy compressed-config | Copy one file, after optimizing and reducing the size of the configuration file, to another location. Dell EMC Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).
21 IPv4 Routing
The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
• secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
DellEMC(conf-if)#show conf
!
interface TenGigabitEthernet 1/1
ip address 10.11.1.
Direct, Lo 0
--More-
Dell EMC Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface. Dell EMC Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
• When the interface goes down, Dell EMC Networking OS withdraws the route.
• When the interface comes up, Dell EMC Networking OS re-installs the route.
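The installation rules in the two sentences above (a next hop on the connected subnet, or one that recursively resolves to it, and withdrawal when the interface goes down), worked through as an added example that is not from the Dell guide. Interface names, subnets and routes below are constructed; the real OS resolves against its full routing table, whereas this model looks only at static routes and connected interfaces.

```python
"""Recursive next-hop resolution for static routes (added example)."""
import ipaddress


def resolve_next_hop(next_hop, interfaces, static_routes, _seen=frozenset()):
    """Return the interface through which `next_hop` is reachable, or None.

    interfaces: {name: (ip_network, is_up)}; static_routes: {ip_network: next_hop_str}.
    A next hop inside the connected subnet of an up interface resolves directly.
    Otherwise the most specific static route covering the next hop is followed and
    its own next hop is resolved recursively. `_seen` guards against a route loop.
    """
    nh = ipaddress.ip_address(next_hop)
    if nh in _seen:
        return None                     # loop: two routes point at each other
    for name, (subnet, is_up) in interfaces.items():
        if is_up and nh in subnet:
            return name                 # directly connected next hop
    covering = [(prefix, via) for prefix, via in static_routes.items() if nh in prefix]
    if not covering:
        return None                     # nothing covers the next hop: unresolvable
    prefix, via = max(covering, key=lambda item: item[0].prefixlen)  # longest match
    return resolve_next_hop(via, interfaces, static_routes, _seen | {nh})


def installed_routes(static_routes, interfaces):
    """Map each static prefix to the interface it is installed on, or None if withdrawn."""
    return {str(prefix): resolve_next_hop(via, interfaces, static_routes)
            for prefix, via in static_routes.items()}


def make_routes(pairs):
    """Build {ip_network: next_hop} from ("prefix", "next-hop") pairs."""
    return {ipaddress.ip_network(p): nh for p, nh in pairs}


def toggle_interface(interfaces, name, is_up):
    """Copy of `interfaces` with one interface's up/down state changed."""
    subnet, _ = interfaces[name]
    return {**interfaces, name: (subnet, is_up)}


# constructed sample topology: one connected subnet and four static routes
INTERFACES = {"Te 1/1": (ipaddress.ip_network("10.11.1.0/24"), True)}
ROUTES = make_routes([
    ("192.168.5.0/24", "10.11.1.2"),     # next hop on the connected subnet
    ("172.16.0.0/16", "192.168.5.9"),    # resolves recursively through the route above
    ("198.51.100.0/24", "203.0.113.5"),  # these two only point at each other
    ("203.0.113.0/24", "198.51.100.1"),
])

if __name__ == "__main__":
    for prefix, iface in installed_routes(ROUTES, INTERFACES).items():
        print(f"{prefix:18} -> {iface or 'not installed'}")
    print("after Te 1/1 goes down:",
          installed_routes(ROUTES, toggle_interface(INTERFACES, "Te 1/1", False)))
```

The two mutually dependent routes are the case worth noticing: each one's next hop is covered by the other, and without the loop guard the resolver would recurse forever, which is why a real implementation bounds recursion depth as well as checking connectivity.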
To view the configured static routes for the management port, use the show ip management-route command in EXEC privilege mode.
DellEMC#show ip management-route
Destination      Gateway
-----------      -------
10.16.0.0/16     ManagementEthernet 1/1
172.16.1.0/24    10.16.151.
Enabling Directed Broadcast
By default, Dell EMC Networking OS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks.
To enable Dell EMC Networking OS to receive directed broadcasts, use the following command.
• Enable directed broadcast.
INTERFACE mode
ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell EMC Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP
Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables end stations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache, and dynamically learned addresses are removed after a defined period of time.
To view whether Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
Clearing ARP Cache
To clear the ARP cache of dynamically learnt ARP information, use the following command.
• Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
Figure 51. ARP Learning via ARP Request
Beginning with Dell EMC Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests.
Figure 52. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic.
Configuration Tasks for ICMP
The following lists the configuration tasks for ICMP.
Figure 53. ICMP Redirect Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
• If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
• Enable UDP helper.
ip udp-helper udp-ports
DellEMC(conf-if-te-1/1)#ip udp-helper udp-port 1000
DellEMC(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
ip address 2.1.1.
Configurations Using UDP Helper When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, Dell EMC Networking OS suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
Packet 2 is sent from the host on VLAN 101. It has a broadcast MAC address and a destination IP address of 1.1.1.255. In this case, it is flooded on VLAN 101 in its original condition as the forwarding process is Layer 2.
Figure 55. UDP Helper with Subnet Broadcast Addresses
UDP Helper with Configured Broadcast Addresses
Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces.
Troubleshooting UDP Helper
To display debugging information for troubleshooting, use the debug ip udp-helper command.
Example of the debug ip udp-helper Command
DellEMC(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on Te 5/1 with IP DA (0xffffffff) will be sent on Te 5/2 Te 5/3 Vlan 3
01:44:54: Pkt rcvd on Te 7/1 is handed over for DHCP processing.
When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command.
Example Output from the debug ip dhcp Command
Packet 0.0.0.
22 IPv6 Routing
Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider. NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses using the dynamic host control protocol (DHCP) servers via stateful auto-configuration. NOTE: Dell EMC Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS).
To support /65 – /128 IPv6 route prefix entries, Dell EMC Networking OS needs to be programmed with /65 - /128 bit IPv6 support. The number of entries also needs to be explicitly programmed, at 1K, 2K, or 3K granularity. On the system, IPv6 /65 to /128 prefixes consume the same storage banks used by the L3_DEFIP table. Once 128-bit IPv6 support is enabled, the number of entries in L3_DEFIP is reduced. LPM partitioning takes effect after a reboot of the box.
Payload Length (16 bits) The Payload Length field specifies the packet payload. This is the length of the data following the IPv6 header. IPv6 Payload Length only includes the data following the header, not the header itself. The Payload Length limit of 2 bytes requires that the maximum packet payload be 64 KB. However, the Jumbogram option type Extension header supports larger packet sizes when required. Next Header (8 bits) The Next Header field identifies the next header’s type.
However, if the Destination Address is a Hop-by-Hop options header, the Extension header is examined by every forwarding router along the packet’s route. The Hop-by-Hop options header must immediately follow the IPv6 header, and is noted by the value 0 (zero) in the Next Header field. Extension headers are processed in the order in which they appear in the packet header. Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path.
For example, 2001:0db8:1234::/48 stands for the network with addresses 2001:0db8:1234:0000:0000:0000:0000:0000 through 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff. Link-local Addresses Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are generated usually automatically by the operating system's IP layer for each network interface.
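Working through the prefix expansion and the link-local rule above with Python's standard ipaddress module; this is an added example, not from the Dell guide. The EUI-64 derivation at the end is the standard RFC 4291 method of forming an interface identifier from a MAC address and is included only to illustrate how an IP stack can generate a fe80: address automatically; the guide does not say which method Dell EMC Networking OS uses. The MAC address is the one shown in the show interfaces output earlier on this page.

```python
"""IPv6 prefix ranges and link-local addresses (added example)."""
import ipaddress


def prefix_range(prefix):
    """Return the first and last address of a prefix in fully expanded form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return net[0].exploded, net[-1].exploded


def compress(addr):
    """Canonical compressed text form (the longest run of zero groups becomes '::')."""
    return ipaddress.IPv6Address(addr).compressed


def is_link_local(addr):
    """True for addresses in fe80::/10, which are valid only on the local link."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fe80::/10")


def eui64_link_local(mac):
    """Derive a link-local address from a MAC address with modified EUI-64 (RFC 4291).

    Split the 48-bit MAC in half, insert ff:fe in the middle, and invert the
    universal/local bit (bit 1 of the first octet) to form the 64-bit interface ID.
    """
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address((0xfe80 << 112) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    first, last = prefix_range("2001:0db8:1234::/48")
    print(f"2001:0db8:1234::/48 spans {first} .. {last}")
    print("compressed:", compress("2001:0db8:1234:0000:0000:0000:0000:0000"))
    print("fe80::1 link-local?", is_link_local("fe80::1"))
    print("2001:db8::1 link-local?", is_link_local("2001:db8::1"))
    # MAC address from the show interfaces output on this page
    print("EUI-64 link-local for 90:b1:1c:f4:9a:fa:", eui64_link_local("90:b1:1c:f4:9a:fa"))
```

Because an EUI-64 interface identifier embeds the hardware address, it is stable across networks; that is convenient for inventory and troubleshooting on infrastructure links, and it is also why host stacks use randomised identifiers for privacy.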
Feature and Functionality | Dell EMC Networking OS Release Introduction | Documentation and Chapter Location S6000
Multiprotocol BGP extensions for IPv6 | 8.3.11 | IPv6 BGP in the Dell EMC Networking OS Command Line Reference Guide.
IPv6 BGP MD5 Authentication | 8.3.11 | IPv6 BGP in the Dell EMC Networking OS Command Line Reference Guide.
IS-IS for IPv6 | 8.3.11 | Intermediate System to Intermediate System IPv6 IS-IS in the Dell EMC Networking OS Command Line Reference Guide.
Feature and Functionality | Dell EMC Networking OS Release Introduction | Documentation and Chapter Location S6000
MLDv1/v2 | N/A | IPv6 PIM in the Dell EMC Networking OS Command Line Reference Guide.
ICMPv6
ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The Dell EMC Networking OS implementation of ICMPv6 is based on RFC 4443.
IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
• prefix addresses
• multicast addresses
• invalid host addresses
If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Example for Configuring an IPv6 Recursive DNS Server
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ff02::1
ff02::2
ff02::1:ff00:12
ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated packets is 64
ND dns-server ad
• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings.
• Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount.
CONFIGURATION mode
cam-acl { ipv6acl }
When not selecting the default option, enter all of the profiles listed and a range for each.
• vrf vrf-name: (OPTIONAL) name of the VRF.
• prefix: IPv6 route prefix
• slot/port: interface type and slot/port
• forwarding router: forwarding router’s address
• tag: route tag
Enter the keyword interface then the type of interface and slot/port information:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
mroute        IPv6 multicast-routing table
neighbors     IPv6 neighbor information
ospf          OSPF information
pim           PIM V6 information
prefix-list   List IPv6 prefix lists
route         IPv6 routing information
rpf           RPF table
DellEMC#
Displaying IPv6 Interface Information
To view the IPv6 configuration for a specific interface, use the following command.
• Show the currently running configuration for the specified interface.
• To display information about a network, enter ipv6 address (X:X:X:X::X).
• To display information about a host, enter hostname.
• To display information about all IPv6 routes (including non-active routes), enter all.
• To display information about all connected IPv6 routes, enter connected.
• To display a brief summary of all IPv6 routes, enter summary.
• To display information about Border Gateway Protocol (BGP) routes, enter bgp.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information.
POLICY LIST CONFIGURATION mode
ipv6 nd ra-guard policy policy-name
4. Define the role of the device attached to the port.
POLICY LIST CONFIGURATION mode
device-role {host | router}
Use the keyword host to set the device role as host. Use the keyword router to set the device role as router.
5. Set the hop count limit.
POLICY LIST CONFIGURATION mode
hop-limit {maximum | minimum limit}
The hop limit range is from 0 to 254.
6. Set the managed address configuration flag.
other-config-flag on
reachable-time 540
retrans-timer 101
router-preference maximum medium
trusted-port
DellEMC(conf-ra_guard_policy_list)#
Configuring IPv6 RA Guard on an Interface
To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps:
1. Configure the terminal to enter the Interface mode.
CONFIGURATION mode
interface interface-type slot/port
2. Apply the IPv6 RA guard to a specific interface.
23 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
This cannot be inferred as the maximum supported iSCSI sessions are reached. Also, number of iSCSI sessions displayed on the system may show any number equal to or less than the maximum. The following illustration shows iSCSI optimization between servers and a storage array in which a stack of three switches connect installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network.
You can configure whether the iSCSI optimization feature uses the VLAN priority or IP DSCP mapping to determine the traffic class queue. By default, iSCSI flows are assigned to dot1p priority 4. To map incoming iSCSI traffic on an interface to a dot1p priority-queue other than 4, use the QoS dot1p-priority command (refer to QoS dot1p Traffic Classification and Queue Assignment). Dell EMC Networking recommends setting the CoS dot1p priority-queue to 0 (zero).
The following message displays the first time a Dell EqualLogic array is detected and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection.
Enable and Disable iSCSI Optimization
The following describes enabling and disabling iSCSI optimization.
NOTE: iSCSI monitoring is disabled by default. iSCSI auto-configuration and auto-detection is enabled by default. If you enable iSCSI, flow control is automatically enabled on all interfaces. To disable flow control on all interfaces, use the no flow control rx on tx off command and save the configuration.
Configuring iSCSI Optimization
To configure iSCSI optimization, use the following commands.
1. For a non-DCB environment: Enable session monitoring.
CONFIGURATION mode
cam-acl l2acl 4 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 fcoeacl 0 iscsioptacl 2
NOTE: Content addressable memory (CAM) allocation is optional.
• enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with a dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dot1p priority 4 without remark.
• disable: disables the application of preferential QoS treatment to iSCSI frames.
The following example shows the show iscsi session command.
VLT PEER1
DellEMC#show iscsi session
Session 0:
----------------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
VLT PEER2
Session 0:
-----------------------------------------------------------------------------------
Target: iqn.2001-05.com.
24 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 61. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
• Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 46.
1. Create an IS-IS routing process.
CONFIGURATION mode
router isis [tag]
tag: (optional) identifies the name of the IS-IS process.
2. Configure an IS-IS network entity title (NET) for a routing process.
ROUTER ISIS mode
net network-entity-title
Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing.
3. Enter the interface configuration mode.
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
DellEMC#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings.
• Enable graceful restart on ISIS processes.
ROUTER-ISIS mode
graceful-restart ietf
• Configure the time during which the graceful restart attempt is prevented.
ROUTER-ISIS mode
graceful-restart interval minutes
The range is from 1 to 120 minutes. The default is 5 minutes.
T1 Timeout Value : 5, retry count: 1
Adjacency wait time : 30
Operational Timer Value
======================
Current Mode/State : Normal/RUNNING
T3 Time left : 0
T2 Time left : 0 (level-1), 0 (level-2)
Restart ACK rcv count : 0 (level-1), 0 (level-2)
Restart Req rcv count : 0 (level-1), 0 (level-2)
Suppress Adj rcv count : 0 (level-1), 0 (level-2)
Restart CSNP rcv count : 0 (level-1), 0 (level-2)
Database Sync count : 0 (level-1), 0 (level-2)
Circuit TenGigabitEthernet 2/10: Mode: Normal L1-State:NORMA
• size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
ROUTER ISIS mode
lsp-refresh-interval seconds
• seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
ROUTER ISIS mode
max-lsp-lifetime seconds
• seconds: the range is from 1 to 65535. The default is 1200 seconds.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
The default is Level 1 and Level 2 (level-1-2).
To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS metric settings are in bold.
Example of Viewing IS-IS Metric Types
DellEMC#show isis protocol
IS-IS Router:
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es):
47.0004.004d.0001
Routing for area address(es):
21.2223.2425.2627.2829.3031.3233
47.0004.004d.
Configuring the Distance of a Route
To configure the distance for a route, use the following command.
• Configure the distance for a route.
ROUTER ISIS mode
distance
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for a router.
Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or Dell EMC Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS. Configure the prefix list in PREFIX LIST mode prior to assigning it to the IS-IS process.
distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static]
You can configure one of the optional parameters:
• connected: for directly connected routes.
• ospf process-id: for OSPF routes only.
• rip: for RIP routes only.
• static: for user-configured routes.
• bgp: for BGP routes only.
Deny RTM download for pre-existing redistributed IPv6 routes.
redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• metric-type: choose either external or internal. The default is internal.
• map-name: enter the name of a configured route map.
set-overload-bit
This setting prevents other routers from using it as an intermediate hop in their shortest path first (SPF) calculations.
• Remove the overload bit.
  ROUTER ISIS mode
  no set-overload-bit

When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.

DellEMC#show isis database
IS-IS Level-1 Link State Database
LSPID          LSP Seq Num   LSP Checksum
B233.
Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
Beginning Metric Style    Final Metric Style    Resulting IS-IS Metric Value
metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.

NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported.

wide    narrow    transition    default value (10) if the original value is greater than 63. A message is sent to the console.

Beginning Metric Style    Next Metric Style    Resulting Metric Value    Next Metric Style    Final Metric Value
wide    transition    truncated value    narrow    transition    default value (10). A message is sent to the logging buffer
transition

Leaks from One Level to Another

In the following scenarios, each IS-IS level is configured with a different metric style.

Table 50.
You can configure IPv6 IS-IS routes in one of the following three different methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface. Enable the ip router isis and ipv6 router isis commands on the interface. Enable the wide-metrics parameter in router isis configuration mode.
• Multi-topology — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface.
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.00
 !
 address-family ipv6 unicast
  multi-topology
 exit-address-family
DellEMC(conf-router_isis)#

IS-IS Sample Configuration — Multi-topology Transition

DellEMC(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-3/17)#

DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
25 In-Service Software Upgrade

This chapter deals with In-Service Software Upgrade (ISSU) and its dependencies.

Topics:
• ISSU Introduction
• Fastboot 2.0 (Zero Loss Upgrade)
• L2 ISSU
• L3 ISSU
• CoPP
• Mirroring flow control packets
• PFC
• QoS
• Tunnel Configuration

ISSU Introduction

In-service software upgrades (ISSU), also known as warmboot or fastboot 2.0, allow Dell EMC Networking to address software bugs and add new features to switches and routers without interrupting network availability.
LACP Long Timeout
If LACP is running on an interface, the LACP long timeout must be configured; if the LACP short timeout is configured, ISSU does not take place.

Spanning Tree
When spanning tree is enabled, BPDU guard must be configured on the interfaces.

MAC Address Table
During warmboot the MAC address table is stored, and its entries are retrieved after warmboot is complete.
Mirroring flow control packets

ISSU for mirroring flow control packets is a graceful implementation. The mirror ACL FP rules and the MTPs are cleared out when the box comes up in warmboot during the ISSU audit phase, and the flows are re-programmed with the mirror action when the mirroring configurations are downloaded. In the case of legacy L3 ACL-based mirroring, the mirroring actions are cleared out and re-programmed while the FP rules are retained.
26 Link Aggregation Control Protocol (LACP)

Introduction to Dynamic LAGs and LACP

A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• Passive — In this state, the interface is not in an active negotiating state, but LACP runs on the link. A port in Passive state also responds to negotiation requests (from ports in Active state). Ports in Passive state respond to LACP packets.

Dell EMC Networking OS supports LAGs in the following cases:
• A port in Active state can set up a port channel (LAG) with another port in Active state.
• A port in Active state can set up a LAG with another port in Passive state.
  switchport

DellEMC(conf)#interface port-channel 32
DellEMC(conf-if-po-32)#no shutdown
DellEMC(conf-if-po-32)#switchport

The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.

DellEMC(conf)#interface vlan 10
DellEMC(conf-if-vl-10)#tagged port-channel 32

Configuring the LAG Interfaces as Dynamic

After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
DellEMC# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor   System ID:  Priority 32768, Address 0001.e800.a12b
Partner System ID:  Priority 32768, Address 0001.e801.
Configuring Shared LAG State Tracking

To configure shared LAG state tracking, you configure a failover group.
NOTE: If a LAG interface is part of a redundant pair, you cannot use it as a member of a failover group created for shared LAG state tracking.
1. Enter port-channel failover group mode.
   CONFIGURATION mode
   port-channel failover-group
2. Create a failover group and specify the two port-channels that will be members of the group.
Members in this channel: Te 1/17(U)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo

NOTE: The set of console messages shown above appears only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Example of Viewing a LAG Port Configuration

Alpha#sh int TenGigabitEthernet 2/31
TenGigabitEthernet 2/31 is up, line protocol is up
Port is part of Port-channel 10
Hardware is DellEMCEth, address is 00:01:e8:06:95:c0
    Current address is 00:01:e8:06:95:c0
Interface Index is 109101113
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit, Mode full duplex, Slave
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last cleari
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TenGigabitEthernet 3/21
 no ip address
!
 port-ch
Figure 71. Inspecting the LAG Status Using the show lacp command

The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
27 Layer 2

Manage the MAC Address Table

You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table

Clearing the MAC Address Table

You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Clear a MAC address table of dynamic entries.
Displaying the MAC Address Table

To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
  EXEC Privilege mode
  show mac-address-table [address | aging-time [vlan vlan-id] | count | dynamic | interface | static | vlan]
  • address: displays the specified entry.
  • aging-time: displays the configured aging-time.
  • count: displays the number of dynamic and static entries for all VLANs, and the total number of entries.
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.

mac learning-limit Dynamic

The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default.
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 mac learning-limit 1 dynamic no-station-move
 mac learning-limit station-move-violation log
 no shutdown

Learning Limit Violation Actions

To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received, use one of the following options with the mac learning-limit command.
• Generate a system log message when the MAC learning limit is exceeded.
• mac learning-limit reset
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
  EXEC Privilege mode
  mac learning-limit reset learn-limit-violation [interface | all]
• Reset interfaces in the ERR_Disabled state caused by a station move violation.
  EXEC Privilege mode
  mac learning-limit reset station-move-violation [interface | all]

Disabling MAC Address Learning on the System

You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs.
Figure 72. Redundant NICs with NIC Teaming

When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to Up state. If the primary interface fails, and later comes up, it becomes the backup interface for the redundant pair. Dell EMC Networking OS supports Gigabit, 10 Gigabit, and 40-Gigabit interfaces as backup interfaces.
• The active or backup interface can be a LAG, but it cannot be a member port of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.

As shown in the above illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active.
DellEMC#
DellEMC(conf-if-po-1)#switchport backup interface tengigabitethernet 1/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 1/2
DellEMC(conf-if-po-1)#

Far-End Failure Detection

Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis.
4. If the FEFD-enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to unknown.
5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
To display information about the state of each interface, use the show fefd command in EXEC privilege mode.

DellEMC#show fefd
FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
• Display output whenever events occur that initiate or disrupt an FEFD-enabled connection.
  EXEC Privilege mode
  debug fefd events
• Provide output for each packet transmission over the FEFD-enabled connection.
28 Link Layer Discovery Protocol (LLDP)

802.1AB (LLDP) Overview

LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Type   TLV        Description
—      Optional   Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs.

Figure 77. LLDPDU Frame

Optional TLVs

The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.

Management TLVs

A management TLV is an optional TLV sub-type.
Type   TLV                   Description
7      System capabilities   Identifies the chassis as one or more of the following: repeater, bridge, WLAN Access Point, Router, Telephone, DOCSIS cable device, end station only, or other.
8      Management address    Indicates the network address of the management interface. Dell EMC Networking OS does not currently support this TLV.
127    Port-VLAN ID          On Dell EMC Networking systems, indicates the untagged VLAN to which a port belongs.
• manage inventory
• manage Power over Ethernet (PoE)
• identify physical location
• identify network policy
LLDP-MED is designed for, but not limited to, VoIP endpoints.

TIA Organizationally Specific TLVs

The Dell EMC Networking system is an LLDP-MED Network Connectivity Device (Device Type 4).
Type   SubType   TLV                       Description
127    10        Inventory — Model Name    Indicates the model of the LLDP-MED device.
127    11        Inventory — Asset ID      Indicates a user specified device number to manage inventory.
127    12–255    Reserved                  —

LLDP-MED Capabilities TLV

The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value

An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
• through the CLI. Dell EMC Networking also honors the power priority value the powered device sends; however, the CLI configuration takes precedence.
• Power Value — Dell EMC Networking advertises the maximum amount of power that can be supplied on the port. By default the power is 15.4W, which corresponds to a power value of 130, based on the TIA-1057 specification. You can advertise a different power value using the max-milliwatts option with the power inline auto | static command.
Example of the protocol lldp Command (CONFIGURATION Level)

R1(conf)#protocol lldp
R1(conf-lldp)#?
advertise     Advertise TLVs
disable       Disable LLDP protocol globally
end           Exit from configuration mode
exit          Exit from LLDP configuration mode
hello         LLDP hello configuration
mode          LLDP mode configuration (default = rx and tx)
multiplier    LLDP multiplier configuration
no            Negate a command or set its defaults
show          Show LLDP configuration
DellEMC(conf-lldp)#exit
DellEMC(conf)#interface tengigabitethernet 1/3
DellEMC(conf-if
   management-interface
3. Enable LLDP.
   PROTOCOL LLDP mode
   no disable

Disabling and Undoing LLDP on Management Ports

To disable or undo LLDP on management ports, use the following commands.
1. Enter Protocol LLDP mode.
   CONFIGURATION mode
   protocol lldp
2. Enter LLDP management-interface mode.
   LLDP-MANAGEMENT-INTERFACE mode
   management-interface
3. Enter the disable command.
   LLDP-MANAGEMENT-INTERFACE mode
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 82. Configuring LLDP

Storing and Viewing Unrecognized LLDP TLVs

Dell EMC Networking OS provides support to store unrecognized (reserved and organizationally specific) LLDP TLVs. Support is also extended to retrieve the stored unrecognized TLVs using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, the TLV is categorized as an unrecognized TLV. Unrecognized TLVs are categorized into two types:
1. Reserved unrecognized LLDP TLV
2.
Viewing Unrecognized LLDP TLVs

You can view or retrieve the stored unrecognized (reserved and organizational specific) TLVs using the show lldp neighbor details command. View all the LLDP TLV information including unrecognized TLVs, using the snmpwalk and snmpget commands.

Viewing the LLDP Configuration

To view the LLDP configuration, use the following command.
• Display the LLDP configuration.
  CONFIGURATION or INTERFACE mode
  show config

The following example shows viewing an LLDP global configuration.
Te 1/1                        TenGigabitEthernet 1/5    00:01:e8:05:40:46
Te 1/2                        TenGigabitEthernet 1/6    00:01:e8:05:40:46
Ma 1/1   swlab2-maa-tor-...   TenGigabitEthernet 1/3    d8:9e:f3:b2:61:20
DellEMC(conf-if-te-1/3)#

The length of the LLDP neighbor's (Remote host) name is truncated if it is above 15 characters.
Total TLVs Discarded: 16
Next packet will be sent after 9 seconds
The neighbors are given below:
-----------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 00:00:00:00:00:01
Remote Port Subtype: Interface name (5)
Remote Port ID: TenGigabitEthernEt 1/40
Local Port ID: TenGigabitEthernet 1/1
Locally assigned remote Neighbor Index: 1
Remote TTL: 120
Information valid for next 44 seconds
Time since last information change of this neighbor
Time since last information change of this neighbor: 00:01:39
UnknownTLVList:
OrgUnknownTLVList:
((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124,
((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119,
--------------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 4c:76:25:f4:ab:03
Remote Port Subtype: Interface name (5)
Remote Port ID: fortyGigE 1/2/8/1
Local Port ID: TenGigabitEthernet
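The LLDPDU TLV layout described under Optional TLVs and the reserved/organizationally specific split behind the UnknownTLVList and OrgUnknownTLVList lines above, as an added Python example; this is not Dell EMC Networking OS code. The frame below is constructed to resemble the first neighbor in the show output, the OUI list of supported TLV families (IEEE 802.1, IEEE 802.3, TIA-1057) is an assumption, and the length reported for an unrecognized organizational TLV is the length of its information string after the OUI and subtype.

```python
"""Parse an LLDPDU (IEEE 802.1AB) and sort its TLVs the way the show lldp
neighbors detail output does: mandatory TLVs decoded, reserved types 9-126
listed as unrecognized, and type-127 organizationally specific TLVs listed
as unrecognized when their OUI is not one of the families the switch handles."""
import struct
from dataclasses import dataclass, field

# Basic TLV types from IEEE 802.1AB; 9-126 are reserved, 127 is organizationally specific.
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL, ORG_SPECIFIC = 0, 1, 2, 3, 127
# Assumption: OUIs of the optional TLV families the OS recognizes (IEEE 802.1, IEEE 802.3, TIA-1057).
SUPPORTED_OUIS = {"00-80-c2", "00-12-0f", "00-12-bb"}


@dataclass
class Lldpdu:
    chassis_id: str = ""
    port_id: str = ""
    ttl: int = 0
    unknown_reserved: list = field(default_factory=list)  # (type, length)
    org_unknown: list = field(default_factory=list)       # (oui, subtype, info length)


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def org_tlv(oui: str, subtype: int, info: bytes) -> bytes:
    """Encode a type-127 TLV: 3-byte OUI, 1-byte subtype, then the information string."""
    return tlv(ORG_SPECIFIC, bytes.fromhex(oui.replace("-", "")) + bytes([subtype]) + info)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_lldpdu(data: bytes) -> Lldpdu:
    """Walk the TLV chain; raise ValueError on a malformed frame instead of reading past it."""
    out, seen, i = Lldpdu(), set(), 0
    while i + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, i)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} at offset {i} runs past the end of the frame")
        i += 2 + length
        seen.add(tlv_type)
        if tlv_type == END_OF_LLDPDU:
            break
        if tlv_type in (CHASSIS_ID, PORT_ID):
            if length < 2:
                raise ValueError("chassis/port ID TLV carries no identifier")
            subtype, ident = value[0], value[1:]
            # Chassis ID subtype 4 and port ID subtype 3 are MAC addresses; others are text
            # (port ID subtype 5 is the interface name shown in the output above).
            is_mac = subtype == (4 if tlv_type == CHASSIS_ID else 3)
            text = _mac(ident) if is_mac else ident.decode("ascii", "replace")
            if tlv_type == CHASSIS_ID:
                out.chassis_id = text
            else:
                out.port_id = text
        elif tlv_type == TTL:
            if length < 2:
                raise ValueError("TTL TLV too short")
            (out.ttl,) = struct.unpack_from("!H", value)
        elif tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            oui = "-".join(f"{b:02x}" for b in value[:3])
            if oui not in SUPPORTED_OUIS:
                out.org_unknown.append((oui, value[3], length - 4))
        elif 9 <= tlv_type <= 126:
            out.unknown_reserved.append((tlv_type, length))
        # Types 4-8 (descriptions, system name, capabilities, management address) are
        # recognized basic TLVs; this example does not decode their contents.
    else:
        raise ValueError("frame ended without an End of LLDPDU TLV")
    if not {CHASSIS_ID, PORT_ID, TTL} <= seen:
        raise ValueError("mandatory TLV missing")
    return out


# Constructed LLDPDU modelled on the first neighbor above (not a real capture).
SAMPLE_LLDPDU = (
    tlv(CHASSIS_ID, bytes([4]) + bytes.fromhex("000000000001"))   # MAC address subtype
    + tlv(PORT_ID, bytes([5]) + b"TenGigabitEthernet 1/40")        # interface name subtype
    + tlv(TTL, struct.pack("!H", 120))
    + org_tlv("00-80-c2", 1, struct.pack("!H", 10))                # IEEE 802.1 Port VLAN ID: supported
    + tlv(100, b"\x01\x02")                                        # reserved type: unrecognized
    + org_tlv("00-01-66", 127, b"\xde\xad\xbe\xef")                # OUI 00-01-66: unrecognized org TLV
    + tlv(END_OF_LLDPDU, b"")
)

if __name__ == "__main__":
    r = parse_lldpdu(SAMPLE_LLDPDU)
    print(f"Remote Chassis ID: {r.chassis_id}  Remote Port ID: {r.port_id}  Remote TTL: {r.ttl}")
    print("UnknownTLVList:", r.unknown_reserved)
    print("OrgUnknownTLVList:", r.org_unknown)
```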
• CLI — Through the snmp-notification-interval CLI.
  Example: snmp-notification-interval [5–3600]
• SNMP — Through the snmpset command.
  Example: snmpset -c public -v2c 10.16.127.10 LLDP-MIB::lldpNotificationInterval.0 I 20
• REST API — Through configuring by REST API method.

Configuring Transmit and Receive Mode

After you enable LLDP, the system transmits and receives LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands.
CONFIGURATION mode or INTERFACE mode.
Figure 83. The debug lldp detail Command — LLDPDU Packet Dissection

Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs

The following is an example of an LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 58. LLDP Configuration MIB Objects
MIB Object Category   LLDP Variable    LLDP MIB Object                 Description
LLDP Configuration    adminStatus      lldpPortConfigAdminStatus       Whether you enable the local LLDP agent for transmit, receive, or both.
                      msgTxHold        lldpMessageTxHoldMultiplier     Multiplier value.
                      msgTxInterval    lldpMessageTxInterval           Transmit Interval value.
                      rxInfoTTL        lldpRxInfoTTL                   Time to live for received TLVs.
                      txInfoTTL        lldpTxInfoTTL                   Time to live for transmitted TLVs.
TLV Type   TLV Name              TLV Variable                    System   LLDP MIB Object
                                                                 Remote   lldpRemSysDesc
7          System Capabilities   system capabilities             Local    lldpLocSysCapSupported
                                                                 Remote   lldpRemSysCapSupported
                                 enabled capabilities            Local    lldpLocSysCapEnabled
                                                                 Remote   lldpRemSysCapEnabled
8          Management Address    management address length       Local    lldpLocManAddrLen
                                                                 Remote   lldpRemManAddrLen
                                 management address subtype      Local    lldpLocManAddrSubtype
                                                                 Remote
                                 management address
                                 interface numbering subtype
                                 interface number
                                 OID
Table 61.
TLV Sub-Type   TLV Name         TLV Variable     System   LLDP-MED MIB Object
                                                          lldpXMedLocXPoEPDPowerSource
                                                 Remote   lldpXMedRemXPoEPSEPowerSource
                                                          lldpXMedRemXPoEPDPowerSource
                                Power Priority   Local    lldpXMedLocXPoEPDPowerPriority
                                                          lldpXMedLocXPoEPSEPortPDPriority
                                                 Remote   lldpXMedRemXPoEPSEPowerPriority
                                                          lldpXMedRemXPoEPDPowerPriority
                                Power Value      Local    lldpXMedLocXPoEPSEPortPowerAv
                                                          lldpXMedLocXPoEPDPowerReq
                                                 Remote   lldpXMedRemXPoEPSEPowerAv
                                                          lldpXMedRemXPoEPDPowerReq
29 Microsoft Network Load Balancing

Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
• The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
• When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
• The ip vlan-flooding command applies globally across the system and for all VLANs.
This setting causes the multicast MAC address to be mapped to the Cluster IP address for the NLB mode of operation of the switch.

NOTE: While configuring static ARP for the Cluster IP, provide any one of the interfaces that is used in the static multicast MAC configuration, where the Cluster host is connected. As the switch does not accept only one ARP-interface pair, if you configure static ARP with each egress interface, the switch overwrites the previous egress-interface configuration.
2.
30 Multicast Source Discovery Protocol (MSDP)

Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS.

Protocol Overview

MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Implementation Information

The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol

Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 89. Configuring MSDP

Enable MSDP

Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source

R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.

R3#show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache

To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
  CONFIGURATION mode
  ip msdp cache-rejected-sa

Accept Source-Active Messages that Fail the RPF Check

A default peer is a peer from which active sources are accepted even though they fail the RPF check.
Figure 92. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages

To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.

DellEMC(conf)#ip msdp peer 10.0.50.
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr     SourceAddr    RPAddr       LearnedFrom   Reason
00:33:18  229.0.50.64   24.0.50.64    200.0.1.50   10.0.50.2     Rpf-Fail
00:33:18  229.0.50.65   24.0.50.65    200.0.1.50   10.0.50.2     Rpf-Fail
00:33:18  229.0.50.66   24.0.50.66    200.0.1.50   10.0.50.2     Rpf-Fail

Limiting the Source-Active Messages from a Peer

To limit the source-active messages from a peer, use the following commands.
1. OPTIONAL: Store sources that are received after the limit is reached in the rejected SA cache.
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl

As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.

[Router 3]
R3(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.
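The SA handling rules of this chapter (rejected-SA cache, default peer with optional ACL, per-peer SA limit, inbound sa-filter, and which peer opens the TCP session on port 639) modelled in Python as an added example; this is not Dell EMC Networking OS code. The RPF decision is a caller-supplied predicate (on a real RP it comes from unicast/BGP routing), the RPF peer address 10.0.50.1 and the reason label Sa-Limit are assumptions, and the replayed SAs are constructed from the rejected-SA output above.

```python
"""Model of how an MSDP RP handles a received Source-Active (SA) message:
an inbound sa-filter drops an entry without caching it, the default peer
(optionally limited by an ACL on the originating RP) bypasses the RPF check,
and sources rejected for an RPF failure or for exceeding the per-peer SA limit
are kept in the rejected-SA cache only when ip msdp cache-rejected-sa is set."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

MSDP_PORT = 639  # the higher-addressed peer listens here; the lower-addressed peer connects


@dataclass(frozen=True)
class SaMessage:
    source: str
    group: str
    rp: str            # originating RP carried in the SA
    learned_from: str  # peer that forwarded it to us


@dataclass
class MsdpRp:
    rpf_ok: Callable[[str, str], bool]                         # (rp, learned_from) -> passes RPF?
    default_peer: Optional[str] = None                         # ip msdp default-peer
    default_peer_acl: Optional[Callable[[str], bool]] = None   # permit(rp); None = no ACL
    sa_filter_in: dict = field(default_factory=dict)           # peer -> permit(source, group)
    sa_limit: dict = field(default_factory=dict)               # peer -> maximum cached SAs
    cache_rejected: bool = False                               # ip msdp cache-rejected-sa
    sa_cache: dict = field(default_factory=dict)               # (source, group) -> (rp, learned_from)
    rejected: list = field(default_factory=list)               # (source, group, rp, learned_from, reason)

    def _reject(self, m: SaMessage, reason: str) -> str:
        if self.cache_rejected:
            self.rejected.append((m.source, m.group, m.rp, m.learned_from, reason))
        return f"rejected:{reason}"

    def receive(self, m: SaMessage) -> str:
        # 1. Inbound (S,G) filter: a denied entry is neither cached nor recorded as rejected.
        permit = self.sa_filter_in.get(m.learned_from)
        if permit is not None and not permit(m.source, m.group):
            return "filtered"
        # 2. RPF check, skipped for the default peer when its ACL (if any) permits the RP;
        #    sources from RPs the ACL denies get the normal RPF check.
        is_default = m.learned_from == self.default_peer and (
            self.default_peer_acl is None or self.default_peer_acl(m.rp))
        if not is_default and not self.rpf_ok(m.rp, m.learned_from):
            return self._reject(m, "Rpf-Fail")
        # 3. Per-peer SA limit: new sources received after the limit is reached are rejected.
        key = (m.source, m.group)
        limit = self.sa_limit.get(m.learned_from)
        if limit is not None and key not in self.sa_cache:
            held = sum(1 for _, peer in self.sa_cache.values() if peer == m.learned_from)
            if held >= limit:
                return self._reject(m, "Sa-Limit")  # reason label constructed for this model
        self.sa_cache[key] = (m.rp, m.learned_from)
        return "cached"


def tcp_role(local: str, peer: str) -> str:
    """Which side opens the MSDP session: the lower address connects, the higher listens on 639."""
    return "connect" if ipaddress.ip_address(local) < ipaddress.ip_address(peer) else "listen"


# Constructed replay of the rejected-SA output above: peer 10.0.50.2 forwards three
# sources for RP 200.0.1.50, but it is not the RPF peer toward that RP.
SAMPLE_SAS = [SaMessage(f"24.0.50.{i}", f"229.0.50.{i}", "200.0.1.50", "10.0.50.2")
              for i in (64, 65, 66)]


def demo() -> tuple:
    """Results before and after configuring 10.0.50.2 as the default peer (no ACL)."""
    rp = MsdpRp(rpf_ok=lambda rp_addr, peer: peer == "10.0.50.1", cache_rejected=True)
    before = [rp.receive(m) for m in SAMPLE_SAS]
    rp.default_peer = "10.0.50.2"
    after = [rp.receive(m) for m in SAMPLE_SAS]
    return before, after, len(rp.rejected), len(rp.sa_cache)


if __name__ == "__main__":
    print(demo())
```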
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.

Logging Changes in Peership States

To log changes in peership states, use the following command.
• Log peership state changes.
  CONFIGURATION mode
  ip msdp log-adjacency-changes

Terminating a Peership

MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 0.0.0.0(0) Connect Source: Lo 0
  State: Inactive Up/Down Time: 00:00:04
  Timers: KeepAlive 30 sec, Hold time 75 sec
  SourceActive packet count (in/out): 0/0
  SAs learned from this peer: 0
  SA Filtering:
    Input (S,G) filter: myremotefilter
    Output (S,G) filter: none

Debugging MSDP

To debug MSDP, use the following command.
• Display the information exchanged between peers.
Figure 93. MSDP with Anycast RP

Configuring Anycast RP

To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3.
   network

Reducing Source-Active Message Flooding

RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following example shows an R2 configuration for MSDP with Anycast RP.

ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.
!
ip route 192.168.0.2/32 10.11.0.23

MSDP Sample Configuration: R4 Running-Config

ip multicast-routing
!
interface TenGigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.
31 Multiple Spanning Tree Protocol (MSTP)

Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview

MSTP — specified in IEEE 802.
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations

The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.

Table 62. Spanning Tree Variations
Dell EMC Networking Term               IEEE Specification
Spanning Tree Protocol (STP)           802.1d
Rapid Spanning Tree Protocol (RSTP)    802.
Enable Multiple Spanning Tree Globally

MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.

DellEMC(conf-mstp)#name my-mstp-region
DellEMC(conf-mstp)#exit
DellEMC(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI   VID
 1     100
 2     200-300

To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
 MSTI 2 bridge-priority 0

Interoperate with Non-Dell Bridges

Dell EMC Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name is null.
• Revision is a 2-byte number. The default revision number is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
   forward-delay seconds
   The range is from 4 to 30. The default is 15 seconds.
2. Change the hello-time parameter.
   PROTOCOL MSTP mode
   hello-time seconds
   NOTE: With large configurations (especially those configurations with more ports) Dell EMC Networking recommends increasing the hello-time.
   The range is from 1 to 10. The default is 2 seconds.
3. Change the max-age parameter.
   PROTOCOL MSTP mode
   max-age seconds
   The range is from 6 to 40. The default is 20 seconds.
4. Change the max-hops parameter.
Port Cost                                           Default Value
100-Gigabit Ethernet interfaces                     200
Port Channel with 100 Mb/s Ethernet interfaces      100000
Port Channel with 1-Gigabit Ethernet interfaces     10000
Port Channel with 10-Gigabit Ethernet interfaces    1000
Port Channel with 25-Gigabit Ethernet interfaces    400
Port Channel with 50-Gigabit Ethernet interfaces    200
Port Channel with 100-Gigabit Ethernet interfaces   100

To change the port cost or priority of an interface, use the following commands.
1.
Dell EMC Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior:
• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Figure 95. MSTP with Three VLANs Mapped to Two Spanning Tree Instances

Router 1 Running-Configuration

This example uses the following steps:
1. Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances; tag interfaces to the VLANs.
Router 2 Running-Configuration

This example uses the following steps:
1. Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances; tag interfaces to the VLANs.
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown

SFTOS Example Running-Configuration

This example uses the following steps:
1. Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
Debugging and Verifying MSTP Configurations

To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
  debug spanning-tree mstp events

To ensure all the necessary parameters match (region name, region revision, and VLAN-to-instance mapping), examine your individual routers. To show various portions of the MSTP configuration, use the show spanning-tree mst commands.
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0
Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd
4w0d4h : INST 1 (MSTP Instance):
  Flags: 0x78, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
  Brg/Port Prio: 32768/128, Rem Hops: 19
INST 2 (MSTP Instance):
  Flags: 0x78, Reg Root: 32768:0001.e806.
32 Multicast Features

NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6.
NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol   Ethernet Address
PIM-SM     01:00:5e:00:00:0d

• The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
• Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per portpipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted when the system-wide route limit configured with the ip multicast-limit command is reached.
Figure 96. Preventing a Host from Joining a Group

The following table lists the location and description shown in the previous illustration.

Table 64. Preventing a Host from Joining a Group — Description
Location  Description
1/21      • Interface TenGigabitEthernet 1/21
          • ip pim sparse-mode
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface TenGigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.
Location  Description
2/11      • Interface TenGigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.2/24
          • no shutdown
2/31      • Interface TenGigabitEthernet 2/31
          • ip pim sparse-mode
          • ip address 10.11.23.1/24
          • no shutdown
3/1       • Interface TenGigabitEthernet 3/1
          • ip pim sparse-mode
          • ip address 10.11.5.1/24
          • no shutdown
3/11      • Interface TenGigabitEthernet 3/11
          • ip pim sparse-mode
          • ip address 10.11.13.
You can configure PIM to switch over to the SPT when the router receives multicast packets at or beyond a specified rate.

Table 65. Configuring PIM to Switch Over to the SPT
Configuring PIM to Switch Over to the SPT    Command    Mode
IPv4: Configure PIM to switch over to the SPT when the multicast packet rate is at or beyond a specified rate. The keyword infinity directs PIM to never switch to the SPT.
Figure 97. Preventing a Source from Transmitting to a Group

The following table lists the location and description shown in the previous illustration.

Table 66. Preventing a Source from Transmitting to a Group — Description
Location  Description
1/21      • Interface TenGigabitEthernet 1/21
          • ip pim sparse-mode
          • ip address 10.11.12.1/24
          • no shutdown
1/31      • Interface TenGigabitEthernet 1/31
          • ip pim sparse-mode
          • ip address 10.11.13.
Location  Description
2/11      • Interface TenGigabitEthernet 2/11
          • ip pim sparse-mode
          • ip address 10.11.12.2/24
          • no shutdown
2/31      • Interface TenGigabitEthernet 2/31
          • ip pim sparse-mode
          • ip address 10.11.23.1/24
          • no shutdown
3/1       • Interface TenGigabitEthernet 3/1
          • ip pim sparse-mode
          • ip address 10.11.5.1/24
          • no shutdown
3/11      • Interface TenGigabitEthernet 3/11
          • ip pim sparse-mode
          • ip address 10.11.13.
Understanding Multicast Traceroute (mtrace)

Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
the RPF neighbor. When a Dell EMC Networking system is the last hop to the destination, Dell EMC Networking OS sends a response to the query.

To print the network path, use the following command.
• Print the network path that a multicast packet takes from a multicast source to receiver, for a particular group.
Command Output               Description
-4 103.103.103.3 --> Source  • (1.1.1.1) Outgoing interface address at that node for the source and group
                             • (PIM) Multicast protocol used at the node to retrieve the information
                             • (Reached RP/Core) Forwarding code in mtrace to denote that the RP node is reached
                             • (103.103.103.0/24) Source network and mask. If the (*,G) tree is used, this field has the value (shared tree).
Scenario: destination by using the multicast tables for that group.
Output:
destination 1.1.1.1 via group 226.0.0.3
From source (?) to destination (?)
---------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code  |Source Network/ Mask|
---------------------------------------------------------------
 0    1.1.1.1          --> Destination
-1    1.1.1.1          PIM   Reached RP/Core    103.103.103.0/24
-2    101.101.101.102  PIM                      103.103.103.0/24
-3    2.2.2.1          PIM                      103.103.103.0/24
-4    103.103.103.
Scenario / Output:
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via RPF
From source (?) to destination (?)
---------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code  |Source Network/ Mask|
---------------------------------------------------------------
 0    1.1.1.1          --> Destination
-1    1.1.1.1          PIM                      103.103.103.0/24
-2    101.101.101.102  PIM                      103.103.103.0/24
-3    2.2.2.1          PIM                      103.103.103.0/24
-4    103.103.103.
Scenario: is not PIM enabled, the output of the command displays a NO ROUTE error code in the Forwarding Code column. In the command output, the entry for that node in the Source Network/Mask column displays the value as default. If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated.
Output:
Querying reverse path for source 6.6.
Scenario: output of the command displays a '*' indicating that no response is received for an mtrace request. The following message appears when the system performs a hop-by-hop search: "switching to hop-by-hop:"
Output:
1.1.1.1 via RPF
From source (?) to destination (?)
* * * * switching to hop-by-hop:
---------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code  |Source Network/ Mask|
---------------------------------------------------------------
 0    1.1.1.
Scenario / Output:
. . .
-146  17.17.17.17  PIM  No space in packet  99.99.0.0/16
-----------------------------------------------------------------

In a valid scenario, mtrace request packets are expected to be received on the OIF of the node. However, due to incorrect formation of the multicast tree, the packet may be received on a wrong interface. In such a scenario, a corresponding error message is displayed.

R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
Querying reverse path for source 6.6.6.
33 Object Tracking

IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 98. Object Tracking Example

When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object's state are reported to a client.

Track Layer 2 Interfaces

You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
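Worked example, added here and not part of the Dell guide: a small Python model of the exact-match rule for tracked routes (10.0.0.0/24 does not match a routing-table entry 10.0.0.0/8) and of how a DOWN tracked object lowers a VRRP group's priority by its priority cost. The routing table, object numbers and costs are constructed; the clamp to a minimum priority of 1 is this example's assumption, not a statement from the guide.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed stand-in for the switch's routing table: prefix -> metric.
ROUTING_TABLE = {
    "10.0.0.0/8": 20,
    "192.168.0.0/24": 10,
    "2001:db8:1::/48": 5,
}

MAX_TRACKED_OBJECTS = 20   # VRRP can track up to 20 objects (from the guide)


@dataclass(frozen=True)
class TrackedRoute:
    object_id: int       # valid object IDs are 1..500 (from the guide)
    prefix: str          # the address/prefix-length given to "track N ip route ..."
    priority_cost: int   # 1..254, subtracted from the VRRP priority when DOWN

    def __post_init__(self):
        if not 1 <= self.object_id <= 500:
            raise ValueError(f"object id {self.object_id} outside 1..500")
        if not 1 <= self.priority_cost <= 254:
            raise ValueError(f"priority cost {self.priority_cost} outside 1..254")
        ip_network(self.prefix, strict=True)   # rejects host bits set, e.g. 10.0.0.1/24

    def state(self, table: dict) -> str:
        """Reachability as the guide defines it: the object is UP only if an
        entry has the same network address AND the same prefix length."""
        wanted = ip_network(self.prefix)
        return "UP" if any(ip_network(p) == wanted for p in table) else "DOWN"


def longest_prefix_match(prefix: str, table: dict):
    """What a forwarding lookup would return for the same prefix. Shown only
    to contrast with TrackedRoute.state(): 10.0.0.0/24 is covered by 10.0.0.0/8
    for forwarding, yet the tracked object for 10.0.0.0/24 is DOWN."""
    wanted = ip_network(prefix)
    covering = [ip_network(p) for p in table
                if ip_network(p).version == wanted.version
                and wanted.subnet_of(ip_network(p))]
    return str(max(covering, key=lambda n: n.prefixlen)) if covering else None


def vrrp_effective_priority(configured_priority: int, tracked, table: dict) -> int:
    """Subtract the priority cost of every DOWN tracked object from the group's
    configured priority. Clamping at 1 is an assumption of this example."""
    if not 1 <= configured_priority <= 254:
        raise ValueError("VRRP priority must be 1..254")
    if len(tracked) > MAX_TRACKED_OBJECTS:
        raise ValueError(f"VRRP tracks at most {MAX_TRACKED_OBJECTS} objects")
    penalty = sum(t.priority_cost for t in tracked if t.state(table) == "DOWN")
    return max(1, configured_priority - penalty)


if __name__ == "__main__":
    t_down = TrackedRoute(1, "10.0.0.0/24", 30)   # no exact /24 entry -> DOWN
    t_up = TrackedRoute(2, "10.0.0.0/8", 30)      # exact /8 entry -> UP
    for t in (t_down, t_up):
        print(t.prefix, "track state:", t.state(ROUTING_TABLE),
              "| LPM would use:", longest_prefix_match(t.prefix, ROUTING_TABLE))
    print("effective VRRP priority:",
          vrrp_effective_priority(200, [t_down, t_up], ROUTING_TABLE))
```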
Track 100
  Interface TenGigabitEthernet 1/1 line-protocol
  Description: San Jose data center

Tracking a Layer 3 Interface

You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface. You can track the routing status of any of the following Layer 3 interfaces:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
The following is an example of configuring object tracking for an IPv6 interface:

DellEMC(conf)#track 103 interface tengigabitethernet 1/11 ipv6 routing
DellEMC(conf-track-103)#description Austin access point
DellEMC(conf-track-103)#end
DellEMC#show track 103
Track 103
  Interface TenGigabitEthernet 7/11 ipv6 routing
  Description: Austin access point

Track an IPv4/IPv6 Route

You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route.
   CONFIGURATION mode
   track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
   Valid object IDs are from 1 to 500.
   Enter an IPv4 address in dotted decimal format; valid IPv4 prefix lengths are from /0 to /32.
   Enter an IPv6 address in X:X:X:X::X format; valid IPv6 prefix lengths are from /0 to /128.
   (Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs.
2.
To change the refresh interval for tracking an IPv4 or IPv6 route, use the following command.
Change the reachability refresh interval for tracking of an IPv4 or IPv6 route.
CONFIGURATION mode
track reachability refresh interval
The refresh interval range is from 0 to 60 seconds. The default is 60 seconds.
The following example configures object tracking on the metric threshold of an IPv4 route:

DellEMC(conf)#track 6 ip route 2.1.1.0/24 metric threshold
DellEMC(conf-track-6)#delay down 20
DellEMC(conf-track-6)#delay up 20
DellEMC(conf-track-6)#description track ip route metric
DellEMC(conf-track-6)#threshold metric down 40
DellEMC(conf-track-6)#threshold metric up 40
DellEMC(conf-track-6)#exit
DellEMC(conf)#track 10 ip route 3.1.1.
Example of the show track brief Command

Router# show track brief
ResId  Resource               Parameter      State  LastChange
1      IP route reachability  10.16.0.0/16

Example of the show track resolution Command

DellEMC#show track resolution
IP Route Resolution
  ISIS  1
  OSPF  1
IPv6 Route Resolution
  ISIS  1

Example of the show track vrf Command

DellEMC#show track vrf red
Track 5
  IP route 192.168.0.
34 Open Shortest Path First (OSPFv2 and OSPFv3)

Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS).
NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 99. Autonomous System Areas

Area Types

The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers.
NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors

As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR)

A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.

Area Border Router (ABR)

Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
• (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR).
• Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Figure 101. Priority and Cost Examples

OSPF with Dell EMC Networking OS

The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
RPM have been downloaded into the forwarding information base (FIB) on the line cards (the data plane) and are still resident. For packets that have existing FIB/CAM entries, forwarding between ingress and egress ports/VLANs, and so on, can continue uninterrupted while the control plane OSPF process comes back to full functionality and rebuilds its routing tables.
Processing SNMP and Sending SNMP Traps

Only the process in the default VRF can process SNMP requests and send SNMP traps.
NOTE: An SNMP GET request corresponding to the OspfNbrOption field in the OspfNbrTable returns a value of 66.

RFC-2328 Compliant OSPF Flooding

In OSPF, flooding is the most resource-consuming task. The flooding algorithm described in RFC 2328 requires that OSPF flood LSAs on all interfaces, as governed by the LSA's flooding scope (refer to Section 13 of the RFC).
OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
Configuration Task List for OSPFv2 (OSPF for IPv4)

You can perform the following tasks to configure Open Shortest Path First version 2 (OSPF for IPv4) on the switch. Two of the tasks are mandatory; others are optional.
   no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
   CONFIGURATION mode
   router ospf process-id [vrf {vrf name}]
   • vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
   The range is from 0 to 65535.
   The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process.
   network ip-address mask area area-id
   The IP address format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.

Enable OSPFv2 on Interfaces

Enable and configure OSPFv2 on each interface (configure the interface for Layer 3), and ensure the interface is not shut down. You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 authentication, grace period, and authentication wait time, are assigned on a per-interface basis.
Example of Viewing OSPF Status on a Loopback Interface

DellEMC#show ip ospf 1 int
TenGigabitEthernet 1/23 is up, line protocol is up
  Internet Address 10.168.0.1/24, Area 0.0.0.1
  Process ID 1, Router ID 10.168.253.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.168.253.5, Interface address 10.168.0.4
  Backup Designated Router (ID) 192.168.253.3, Interface address 10.168.0.
Enabling Passive Interfaces

A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces. To suppress an interface's participation in OSPF, use the following command. This command stops the router from sending updates on that interface.
The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set at 0. NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support.
  CONFIG-INTERFACE mode
  ip ospf message-digest-key keyid md5 key
  • keyid: the range is from 1 to 255.
  • key: a character string.
  NOTE: Be sure to write down or otherwise record the key. You cannot learn the key after it is configured. You must be careful when changing this key.
  NOTE: You can configure a maximum of six digest keys on an interface. Of the available six digest keys, the switches select the MD5 key that is common. The remaining MD5 keys are unused.
• Set the authentication change wait time in seconds between 0 and 300 for the interface.
  CONFIG-INTERFACE mode
  ip ospf auth-change-wait-time seconds
  This setting is the amount of time OSPF has available to change its interface authentication type. When you configure the auth-change-wait-time, OSPF sends out only the old authentication scheme until the wait timer expires. After the wait timer expires, OSPF sends only the new authentication scheme.
For more information about OSPF graceful restart, refer to the Dell EMC Networking OS Command Line Reference Guide.

When you configure a graceful restart on an OSPFv2 router, the show run ospf command displays information similar to the following.

DellEMC#show run ospf
!
router ospf 1
 graceful-restart grace-period 300
 graceful-restart role helper-only
 graceful-restart mode unplanned-only
 graceful-restart helper-reject 10.1.1.1
 graceful-restart helper-reject 20.1.1.1
 network 10.0.2.
• route-map map-name: enter a name of a configured route map.
• tag tag-value: the range is from 0 to 4294967295.

To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode.

DellEMC(conf-router_ospf)#show config
!
router ospf 34
 network 10.1.2.32 0.0.0.255 area 2.2.2.2
 network 10.1.3.24 0.0.0.255 area 3.3.3.
• event: view OSPF event messages.
• packet: view OSPF packet information.
• spf: view SPF information.
• database-timers rate-limit: view the LSAs currently in the queue.

DellEMC#show run ospf
!
router ospf 4
 router-id 4.4.4.4
 network 4.4.4.0/28 area 1
!
ipv6 router ospf 999
 default-information originate always
 router-id 10.10.10.10
DellEMC#

Sample Configurations for OSPFv2

The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions.
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

OSPF Area 0 — Te 3/1 and 3/2

router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TenGigabitEthernet 3/1
 ip address 10.1.13.3/24
 no shutdown
!
interface TenGigabitEthernet 3/2
 ip address 10.2.13.3/24
 no shutdown

OSPF Area 0 — Te 2/1 and 2/2

router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.
Configuration Task List for OSPFv3 (OSPF for IPv6)

This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch. The configuration options of OSPFv3 are the same as those options for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process. Define areas as stub or totally stubby.
• Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
  ROUTER OSPFv3
  auto-cost [reference-bandwidth ref-bw]
  To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [reference-bandwidth ref-bw] command.
  • ref-bw: The range is from 1 to 4294967. The default is 100 megabits per second.
  no ipv6 router ospf process-id
• Reset the OSPFv3 process.
  EXEC Privilege mode
  clear ipv6 ospf process

Assigning OSPFv3 Process ID and Router ID to a VRF

To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
• Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
  CONFIGURATION mode
  ipv6 router ospf {process ID} vrf {vrf-name}
  The process ID range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF Routing process IDs. To add redistributing routes, use the following command. • Specify which routes are redistributed into the OSPF process.
  graceful-restart grace-period seconds
  The valid values are from 40 to 1800 seconds.
• Configure an OSPFv3 interface to not act on the Grace LSAs that it receives from a restarting OSPFv3 neighbor.
  INTERFACE mode
  ipv6 ospf graceful-restart helper-reject
• Specify the operating mode and type of events that trigger a graceful restart.
  CONF-IPV6-ROUTER-OSPF mode
  graceful-restart mode [planned-only | unplanned-only]
  • Planned-only: the OSPFv3 router supports graceful restart only for planned restarts.
  AS Scope LSA Cksum sum    0
  Originate New LSAS        73
  Rx New LSAS               114085
  Ext LSA Count             0
  Rte Max Eq Cost Paths     5
  GR grace-period           180
  GR mode                   planned and unplanned

  Area 0 database summary
    Type                       Count/Status
    Brd Rtr Count              2
    AS Bdr Rtr Count           2
    LSA count                  12010
    Summary LSAs               1
    Rtr LSA Count              4
    Net LSA Count              3
    Inter Area Pfx LSA Count   12000
    Inter Area Rtr LSA Count   0
    Group Mem LSA Count        0

The following example shows the show ipv6 ospf database grace-lsa command.
may be used together. The difference between the two mechanisms is the extent of the coverage. ESP only protects IP header fields if they are encapsulated by ESP. You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent.
• ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295.
• MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
• key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information.
Configuring IPSec Authentication for an OSPFv3 Area

To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands.

Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The security policy index (SPI) value must be unique to one IPSec security policy (authentication or encryption) on the router.
• key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
• authentication-algorithm: specifies the authentication algorithm to use for encryption. The valid values are MD5 or SHA1.
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted).
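Worked example, added here and not taken from the Dell guide: a Python checker that applies the parameter rules above (SPI in 256 to 4294967295, key-encryption-type 0 or 7, algorithm MD5 or SHA1, an MD5 key of 32 or 64 hex digits) and the prerequisite that an SPI belong to only one IPsec policy on the router. The 40/80 hex-digit lengths it uses for SHA1 keys are this example's assumption, since the guide's SHA1 rule is not shown on this page; the policies and keys it checks are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Required key length in hex digits, indexed by (algorithm, key-encryption-type).
# The MD5 entries come from the guide; the SHA1 entries are this example's assumption.
KEY_HEX_LEN = {
    ("MD5", 0): 32, ("MD5", 7): 64,
    ("SHA1", 0): 40, ("SHA1", 7): 80,
}
SPI_MIN, SPI_MAX = 256, 4294967295


@dataclass
class IpsecAuthPolicy:
    scope: str                # where it is applied, e.g. "area 0" (label only)
    spi: int                  # security policy index
    algorithm: str            # MD5 | SHA1
    key_encryption_type: int  # 0 = key given in clear, 7 = key given encrypted
    key: str                  # hex string


def check_policy(p: IpsecAuthPolicy) -> List[str]:
    """Return the rule violations for one authentication policy (empty if OK)."""
    problems = []
    if not SPI_MIN <= p.spi <= SPI_MAX:
        problems.append(f"{p.scope}: spi {p.spi} outside {SPI_MIN}..{SPI_MAX}")
    if p.algorithm not in ("MD5", "SHA1"):
        problems.append(f"{p.scope}: algorithm must be MD5 or SHA1, got {p.algorithm!r}")
    if p.key_encryption_type not in (0, 7):
        problems.append(f"{p.scope}: key-encryption-type must be 0 or 7, "
                        f"got {p.key_encryption_type}")
    expected = KEY_HEX_LEN.get((p.algorithm, p.key_encryption_type))
    if expected is not None:
        if not HEX.match(p.key):
            problems.append(f"{p.scope}: key must consist of hex digits only")
        elif len(p.key) != expected:
            problems.append(f"{p.scope}: {p.algorithm} key with encryption type "
                            f"{p.key_encryption_type} must be {expected} hex digits, "
                            f"got {len(p.key)}")
    return problems


def check_router(policies: List[IpsecAuthPolicy]) -> List[str]:
    """Per-policy checks plus the router-wide rule that one SPI maps to one policy."""
    problems = []
    seen: Dict[int, str] = {}
    for p in policies:
        problems.extend(check_policy(p))
        if p.spi in seen:
            problems.append(f"{p.scope}: spi {p.spi} already used by {seen[p.spi]}")
        else:
            seen[p.spi] = p.scope
    return problems


# Constructed policies; the keys are placeholders, not real key material.
SAMPLE_POLICIES = [
    IpsecAuthPolicy("area 0", 501, "MD5", 0, "0123456789abcdef" * 2),            # valid
    IpsecAuthPolicy("area 1", 502, "SHA1", 7, "a1b2c3d4e5" * 8),                 # valid (80 hex)
    IpsecAuthPolicy("interface Te 1/1", 501, "MD5", 0, "0123456789abcdef" * 2),  # reuses SPI 501
    IpsecAuthPolicy("area 2", 100, "MD5", 7, "zz" * 32),                         # bad SPI, non-hex key
]

if __name__ == "__main__":
    for line in check_router(SAMPLE_POLICIES):
        print(line)
```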
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Outbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Inbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
Outbound ESP Cipher Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
Transform set : esp-128-aes esp-sha1-hmac

The following examp
• Did you configure the interfaces for Layer 3 correctly?
• Is the router in the correct area type?
• Did you include the routes in the OSPF database?
• Did you include the OSPF routes in the routing table (not just the OSPF database)?

Some useful troubleshooting commands are:
• show ipv6 interfaces
• show ipv6 protocols
• debug ipv6 ospf events and/or packets
• show ipv6 neighbors
• show ipv6 routes

Viewing Summary Information

To get general route, configuration, links status, and debug information, us
MIB Object       OID                      Description
ospfv3IfEntry    1.3.6.1.2.1.191.1.7.1    Contains an OSPFv3 interface entry describing one interface from the viewpoint of OSPFv3.
ospfv3NbrEntry   1.3.6.1.2.1.191.1.9.1    Contains a table describing all neighbors in the locality of the OSPFv3 router.

Viewing the OSPFv3 MIB

• To view the OSPFv3 MIB generated by the system, use the following command.
  snmpwalk -c ospf1 -v2c 10.16.133.129 1.3.6.1.2.1.191.1.1
  SNMPv2-SMI::mib-2.191.1.1.1.0 = Gauge32: 336860180
  SNMPv2-SMI::mib-2.191.1.1.
35 Policy-based Routing (PBR)

Overview

When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Dell EMC Networking OS supports multiple next-hop entries in the redirect lists.
• Redirect-lists are applied at Ingress.

PBR with Redirect-to-Tunnel Option: You can provide a tunnel ID for a redirect rule. In this case, the resolved next hop is the tunnel interface IP. The qualifiers of the rule pertain to the inner IP details. You must provide a tunnel ID for the next hop to be a tunnel interface.
To ensure the permit statement or PBR exception is effective, use a lower sequence number, as shown:

ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any

Create a Redirect List

To create a redirect list, use the following commands.
Create a redirect list by entering the list name.
CONFIGURATION mode
ip redirect-list redirect-list-name
redirect-list-name: 16 characters.
To delete the redirect list, use the no ip redirect-list command.
Example: Creating a Rule

DellEMC(conf-redirect-list)#redirect ?
A.B.C.D    Forwarding router's address
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ?
<0-255>    An IP protocol number
icmp       Internet Control Message Protocol
ip         Any Internet Protocol
tcp        Transmission Control Protocol
udp        User Datagram Protocol
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip ?
A.B.C.D    Source address
any        Any source host
host       A single source host
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ?
Mask       A.B.C.
To apply a redirect list to an interface, use the following command. You can apply multiple redirect lists to a redirect-group. It is also possible to create two or more redirect-groups on one interface for backup purposes.
• Apply a redirect list (policy-based routing) to an interface.
  INTERFACE mode
  ip redirect-group redirect-list-name test l2-switch
  • redirect-list-name is the name of a redirect list to apply to this interface.
show cam-usage
List the redirect list configuration using the show ip redirect-list redirect-list-name command. A non-contiguous mask displays in dotted format (x.x.x.x); a contiguous mask displays in /x format.
DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
Sample Configuration
You can use the following example configuration to set up PBR. These are not comprehensive directions but are intended to give you guidance with typical configurations. You can copy and paste from these examples to your CLI. Make the necessary changes to support your own IP addresses, interfaces, names, and so on.
The Redirect-List GOLD defined in this example creates the following rules:
• description Route Gold traffic to the DS3
• seq 5 redirect 10.99.99.254 ip 192.168.1.
Assign Redirect-List GOLD to Interface 2/11
EDGE_ROUTER(conf)#int Te 2/11
EDGE_ROUTER(conf-if-Te-2/11)#ip add 192.168.3.2/24
EDGE_ROUTER(conf-if-Te-2/11)#no shut
EDGE_ROUTER(conf-if-Te-2/11)#
EDGE_ROUTER(conf-if-Te-2/11)#ip redirect-group GOLD
EDGE_ROUTER(conf-if-Te-2/11)#no shut
EDGE_ROUTER(conf-if-Te-2/11)#end
EDGE_ROUTER(conf-redirect-list)#end
EDGE_ROUTER#
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.
Verify the Applied Redirect Rules:
DellEMC#show ip redirect-list redirect_list_with_track
IP redirect-list redirect_list_with_track
Defined as:
seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24, Track 3 [up], Next-hop reachable (via Vl 20)
seq 10 redirect 42.1.1.2 track 3 tcp any any, Track 3 [up], Next-hop reachable (via Vl 20)
seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Nexthop reachable (via Vl 20)
seq 20 redirect 42.1.1.2 track 3 udp any host 144.
DellEMC(conf-redirect-list)#redirect tunnel 2 track 2 tcp any any
DellEMC(conf-redirect-list)#end
DellEMC#
Apply the Redirect Rule to an Interface:
DellEMC#configure terminal
DellEMC(conf)#interface TenGigabitEthernet 2/28
DellEMC(conf-if-te-2/28)#ip redirect-group explicit_tunnel
DellEMC(conf-if-te-2/28)#exit
DellEMC(conf)#end
Verify the Applied Redirect Rules:
DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.
36 PIM Sparse-Mode (PIM-SM)
Implementation Information
The following information is necessary for implementing PIM-SM.
• The Dell EMC Networking implementation of PIM-SM is based on IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
• The platform supports a maximum of 95 IPv4 and IPv6 PIM interfaces and 2000 multicast entries, including (*,G) and (S,G) entries.
• The maximum number of PIM neighbors is the same as the maximum number of PIM-SM interfaces.
Send Multicast Traffic
With PIM-SM, all multicast traffic must initially originate from the RP. A source must unicast traffic to the RP so that the RP can learn about the source and create an SPT to it. Then the last-hop DR may create an SPT directly to the source.
1. The source gateway router (first-hop DR) receives the multicast packets and creates an (S,G) entry in its multicast routing table. The first-hop DR encapsulates the initial multicast packets in PIM Register packets and unicasts them to the RP.
To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode. Following is an example of show ip pim interface command output:
DellEMC#show ip pim interface
Address      Interface  Ver/Mode
165.87.34.5  Te 1/10    v2/S
10.1.1.2     Vl 10      v2/S
20.1.1.5     Vl 20      v2/S
165.87.31.
Outgoing interface list:
TenGigabitEthernet 1/11
TenGigabitEthernet 1/12
TenGigabitEthernet 1/13
--More--
DellEMC#show ipv6 pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, ff0e::225:1:2:1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.
Following is an example of show ip pim rp command output:
DellEMC#show ip pim rp
Group       RP
225.0.1.40  165.87.50.5
226.1.1.1   165.87.50.5
To display the assigned RP for a group range (group-to-RP mapping), use the show ip pim rp mapping command in EXEC Privilege mode. Following is an example of show ip pim rp mapping command output:
DellEMC#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 165.87.50.
0/0 BSR messages sent/received
0/0 State-Refresh messages sent/received
0/0 MSDP updates sent/received
0/0 Null Register messages sent/received
0/0 Register-stop messages sent/received
Data path event summary:
0 no-cache messages received
0 last-hop switchover messages received
0/0 pim-assert messages sent/received
0/0 register messages sent/received
DellEMC#
Dell#show ipv6 pim interface
Interface  Ver/Mode  Nbr Count  Query Intvl  DR Prio
Te 1/3     v2/S      1          30           1
Address : fe80::201:e8ff:fe02:140f
DR : this route
37 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface  Mode           Uptime    Expires  Last Reporter
239.0.0.2      Vlan 300   IGMPv2-Compat  00:00:07  Never    10.11.3.2
Member Ports: Te 1/1
239.0.0.1      Vlan 400   INCLUDE        00:00:10  Never    10.11.4.2
R1(conf)#show ip igmp ssm-map
Interface Vlan 101
Group 226.0.0.0
Uptime 10:40:31
Expires Never
Router mode IGMPv2
Last reporter 110.0.101.
Last reporter 10.11.3.2
Last reporter mode IGMPv2
Last report received Join
Group source list
Source address  Uptime    Expires
10.11.5.2       00:00:01  Never
Interface Vlan 400
Group 239.0.0.1
Uptime 00:00:05
Expires Never
Router mode INCLUDE
Last reporter 10.11.4.2
Last reporter mode INCLUDE
Last report received ALLOW
Group source list
Source address  Uptime  Expires
10.11.5.
Example:
DellEMC# show ip pim bsr-router
PIMv2 Bootstrap information
This system is the Bootstrap Router (v2)
BSR address: 7.7.7.7 (?)
BSR Priority: 0, Hash mask length: 30
Next bootstrap message in 00:00:08
This system is a candidate BSR
Candidate BSR address: 7.7.7.
38 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. Mirroring monitors ingress traffic, egress traffic, or both on a specific port or ports. The mirrored traffic can be sent to a port to which a network analyzer or sniffer is connected, to inspect or troubleshoot the traffic.
configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session.
The platform supports multiple source-destination statements in a single monitor session. The maximum number of source ports that can be supported in a session is 128. The maximum number of destination ports that can be supported depends on the port mirroring directions as follows:
• 4 per port pipe, if the four destination ports mirror in one direction, either rx or tx.
                                                                        Drop  Rate  Gre-Protocol  FcMonitor
------  -------  ------  ---  ---------  -------  -------  ----  ---   ----  ----  ------------  ---------
0       Te 1/13  Te 1/1  rx   interface  0.0.0.0  0.0.0.0  0     0     No    N/A   N/A           yes
10      Te 1/14  Te 1/1  rx   interface  0.0.0.0  0.0.0.0  0     0     No    N/A   N/A           yes
20      Te 1/15  Te 1/1  rx   interface  0.0.0.0  0.0.0.0  0     0     No    N/A   N/A           yes
30      Te 1/16  Te 1/1  rx   interface  0.0.0.0  0.0.0.0  0     0     No    N/A   N/A           yes
300     Te 1/17  Te 1/1  rx   interface  0.0.0.0  0.0.0.0  0     0     No    N/A   N/A           yes
DellEMC#
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
EXEC Privilege mode
show interface
2. Create a monitoring session using the monitor session command from CONFIGURATION mode, as shown in the following example.
CONFIGURATION mode
monitor session
monitor session type rpm/erpm
type is an optional keyword, required only for rpm and erpm.
3.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic).
Figure 104. Port Monitoring Example
Configuring Monitor Multicast Queue
To configure the monitor QoS multicast queue ID, use the following commands.
1. Configure the monitor QoS multicast queue ID.
Behavior of Flow-Based Monitoring
You can activate flow-based monitoring for a monitoring session using the flow-based enable command in Monitor Session mode. When you enable flow-based monitoring, traffic belonging to particular flows traversing the interfaces is examined in accordance with the applied ACLs. By default, flow-based monitoring is not enabled. There are two ways in which you can enable flow-based monitoring in Dell EMC Networking OS.
Extended Ingress IP access list kar on TenGigabitEthernet 1/1
Total cam count 1
seq 5 permit ip 192.168.20.0/24 173.168.20.0/24 monitor
DellEMC#show ipv6 accounting access-list
!
Ingress IPv6 access list kar on TenGigabitEthernet 1/1
Total cam count 1
seq 5 permit ipv6 22::/24 33::/24 monitor
Enabling Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface.
Extended Ingress IP access list testflow on TenGigabitEthernet 1/1
Total cam count 4
seq 5 permit icmp any any 53 monitor 53 count bytes (0 packets 0 bytes)
seq 10 permit ip 102.1.1.
Enabling IPv6 Flow-Based Monitoring
To enable IPv6 flow-based mirroring, use the ipv6 access-group access-list-name command under monitor session. You can apply a new IPv6 ACL in a monitor session when an ACL is already applied; the new ACL replaces the old one.
1. Create a monitoring session.
CONFIGURATION mode
monitor session session-id
2. Enable flow-based monitoring for a monitoring session.
MONITOR SESSION mode
flow-based enable
3.
VmanQos        : 0
EcfmAcl        : 0
FcoeAcl        : 0
iscsiOptAcl    : 0
ipv4pbr        : 0
vrfv4Acl       : 0
Openflow       : 0
fedgovacl      : 0
nlbclusteracl  : 0
ipv4udfmirracl : 0
ipv4mirracl    : 0
ipv6mirracl    : 2
To view an access-list that you applied to an interface, use the show ipv6 accounting access-list command.
Figure 105. Remote Port Mirroring
Configuring Remote Port Mirroring
Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP.
• There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094. The default VLAN ID is not supported.
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
You can configure the steps below on other source switches to configure additional source ports for this RPM session.
1. Configure a new RPM session; specifying type rpm defines an RPM session.
CONFIGURATION mode
monitor session session-id type rpm
The session-id must be unique.
2. Configure the source port or list of ports and the ingress/egress traffic to be monitored.
MONITOR SESSION mode
source {interface | range | any} destination remote-vlan vlan-id direction {rx | tx | both}
3.
Following are the port numbers referred to in the above illustration:
• 1 is tengigabitethernet 1/1
• 2 is tengigabitethernet 1/2
• 4 is tengigabitethernet 1/4
• 5 is tengigabitethernet 1/5
• 7 is tengigabitethernet 1/7
• 8 is tengigabitethernet 1/8
Configuring Remote Port Mirroring on a source switch
The configuration example below shows that the source is a source port and the destination is the reserved VLAN (for example, remote-vlan 10).
DellEMC(conf-if-vl-20)#tagged tengigabitethernet 1/2
DellEMC(conf-if-vl-20)#exit
DellEMC(conf)#monitor session 2 type rpm
DellEMC(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx
DellEMC(conf-mon-sess-2)#no disable
DellEMC(conf-mon-sess-2)#flow-based enable
DellEMC(conf-mon-sess-2)#exit
DellEMC(conf)#mac access-list standard mac_acl
DellEMC(config-std-macl)#permit 00:00:00:00:11:22 count monitor
DellEMC(config-std-macl)#exit
DellEMC(conf)#interface vlan 100
DellEMC(conf-if-vl-100)#mac acce
Following is a sample configuration of RPM on an intermediate switch.
DellEMC(conf)#interface vlan 30
DellEMC(conf-if-vl-20)#mode remote-port-mirroring
DellEMC(conf-if-vl-20)#tagged tengigabitethernet 1/4
DellEMC(conf-if-vl-20)#tagged tengigabitethernet 1/5
DellEMC(conf-if-vl-20)#exit
Configuring Remote Port Mirroring on a Destination switch
Following is a sample configuration of RPM on a destination switch.
Step  Command  Purpose
2  monitor session type erpm  Specify a session ID and ERPM as the type of monitoring session, and enter the Monitoring-Session configuration mode. The session number must be unique and not already defined.
3  source {interface | range} direction {rx | tx | both}  Specify the source port or range of ports. Specify the ingress (rx), egress (tx), or both ingress and egress traffic to be monitored.
ERPM Behavior on a typical Dell EMC Networking OS
The Dell EMC Networking OS supports only encapsulation of the data received/transmitted at the specified source port (Port A). An ERPM destination session, that is, decapsulation of the ERPM packets at the destination switch, is not supported.
Figure 107.
• Either use a Linux server's Ethernet port IP as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, you can choose the ingress and forward interface to be the same and listen in the tx direction of the interface.
• Download or write a small script (for example, erpm.py) that strips the given ERPM packet starting from the bit where the GRE header ends.
RPM over VLT Scenarios
This section describes the restrictions that apply when you configure RPM in a VLT setup. Consider a simple VLT setup where two VLT peers are connected using VLTi and a top-of-rack switch is connected to both the VLT peers using VLT LAGs in a ring topology. In this setup, the following table describes the possible restrictions that apply when RPM is used to mirror traffic:
Table 72.
Scenario: ... member port of the VLT LAG is mirrored to an orphan port on the peer VLT device. The packet analyzer is connected to the peer VLT device.
RPM Restriction / Recommended Solution: ... rate limit value is configured in the RPM mirror session.
Scenario: Mirroring member port of ICL LAG to VLT LAG — In this scenario, a member port of the ICL LAG is mirrored to the VLT LAG on the same VLT device. The packet analyzer is connected to the TOR switch.
RPM Restriction: No restrictions apply.
39 Per-VLAN Spanning Tree Plus (PVST+)
Protocol Overview
PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 108. Per-VLAN Spanning Tree
The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 73.
Implementation Information
• The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell EMC Networking systems in a multivendor network, verify that the costs are the values you intended.
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Dell_E600(conf-pvst)#show config verbose
!
protocol spanning-tree pvst
no disable
vlan 100 bridge-priority 4096
Influencing PVST+ Root Selection
As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost.
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.b6d6
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 4096, Address 0001.e80d.b6d6
Configured hello time 2, max age 20, forward delay 15
We are the root of VLAN 100
Current root has priority 4096, Address 0001.e80d.
Modifying Interface PVST+ Parameters
You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
shut down when it receives a BPDU. When you only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree. CAUTION: Configure EdgePort only on links connecting to an end station.
Figure 110. PVST+ with Extend System ID
• Augment the bridge ID with the VLAN ID.
PROTOCOL PVST mode
extend system-id
DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
!
interface Vlan 300
no ip address
tagged TenGigabitEthernet 1/22,32
no shutdown
!
protocol spanning-tree pvst
no disable
vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface TenGigabitEthernet 2/12
no ip address
switchport
no shutdown
!
interface TenGigabitEthernet 2/32
no ip address
switchport
no shutdown
!
interface Vlan 100
no ip address
tagged TenGigabitEthernet 2/12,32
no shutdown
!
interface Vlan 200
no ip address
tagged TenGigabitEthernet 2/12,32
no shutdown
!
interface Vlan 3
40 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 75.
Feature  Direction
Specify an Aggregate QoS Policy  Egress
Create Output Policy Maps  Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection  Egress
Create WRED Profiles  Egress
Figure 111.
• Enabling Buffer Statistics Tracking
Implementation Information
The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic
By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Configuring Port-Based Rate Shaping
Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
Dell EMC Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size.
Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL.
The following example matches IPv4 and IPv6 traffic with a precedence value of 3:
DellEMC(conf)#class-map match-any test1
DellEMC(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.
The following example shows incorrect traffic classifications.
• ACK
• FIN
• SYN
• PSH
• RST
• URG
In the existing software, ECE/CWR TCP flag qualifiers are not supported.
• Because this functionality forcibly marks all the packets matching the specific match criteria as 'yellow', Dell EMC Networking OS does not support policer-based coloring and this feature concurrently.
Setting a dot1p Value for Egress Packets
To set a dot1p value for egress packets, use the following command.
• Set a dscp or dot1p value for egress packets.
QOS-POLICY-IN mode
set mac-dot1p
Constraints
The systems supporting this feature should use only the default global dot1p to queue mapping configuration, as described in Dot1p to Queue Mapping Requirement.
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1. Create an output QoS policy.
When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell EMC Networking recommends evaluating your bandwidth requirements for all other queues as well. • Assign each queue a bandwidth percentage ranging from 1 to 100%, in increments of 1%.
To create a DSCP color map:
1. Create the color-aware QoS DSCP color map.
CONFIGURATION mode
qos dscp-color-map color-map-name
2. Create the color-aware map profile.
DSCP-COLOR-MAP mode
dscp {yellow | red} {list-dscp-values}
3. Apply the map profile to the interface.
CONFIG-INTERFACE mode
qos dscp-color-policy color-map-name
Example: Create a DSCP Color Map
The following example creates a DSCP color map profile and color-awareness policy, and applies it to interface 1/11.
TE 1/10  mapONE
TE 1/11  mapTWO
Display summary information about a color policy for a specific interface.
DellEMC# show qos dscp-color-policy summary tengigabitethernet 1/10
Interface  dscp-color-map
TE 1/10    mapONE
Display detailed information about a color policy for a specific interface.
DellEMC# show qos dscp-color-policy detail tengigabitethernet 1/10
Interface TenGigabitEthernet 1/10
Dscp-color-map mapONE
yellow 4,7
red 20,30
Create Policy Maps
There are two types of policy maps: input and output.
Table 78.
Guaranteeing Bandwidth to dot1p-Based Service Queues
To guarantee bandwidth to dot1p-based service queues, use the following command. Apply this command in the same way as the bandwidth-percentage command in an output QoS policy (refer to Allocating Bandwidth to Queue). The bandwidth-percentage command in QOS-POLICY-OUT mode supersedes the service-class bandwidth-percentage command.
• Guarantee a minimum bandwidth to queues globally.
You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it.
Enabling QoS Rate Adjustment
By default, while rate limiting, policing, and shaping, Dell EMC Networking OS does not include the Preamble, SFD, or the IFG fields. These fields are overhead; only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
Consider the case where untagged packets arrive on switch A. If you want to generate PFC for priority 2 for DSCP range 0-7, you have to match the interested traffic: use a class map and associate it to queue 1 using a policy map. The same class map must be applied on switch B as well; when queue 1 becomes congested, PFC is generated for priority 2. Switch A, on receiving PFC frames with priority 2, stops scheduling queue 1.
maximum threshold, for example, 2000KB, is reached, all incoming packets are dropped until the buffer space consumes less than 2000KB of the specified traffic.
Figure 113. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Enabling and Disabling WRED Globally
By default, WRED is enabled on the system. You can disable or reenable WRED manually using a single command. Follow these steps to disable or enable WRED in Dell EMC Networking OS.
Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify to which traffic Dell EMC Networking OS should apply the profile. Dell EMC Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field. Dell EMC Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence.
• DP values of 100, 101, and 110 map to yellow; all other values map to green.
12 MCAST
13 MCAST
14 MCAST
15 MCAST
16 MCAST
17 MCAST
18 MCAST
19 MCAST
(all counter columns for queues 12 through 19 are 0)
DellEMC#
Pre-Calculating Available QoS CAM Space
Before Dell EMC Networking OS version 7.3.
Specifying Policy-Based Rate Shaping in Packets Per Second
You can configure rate shaping in packets per second (pps) for QoS output policies, in addition to specifying the rate shaping value in bytes. You can also configure the peak rate and the committed rate for packets in kilobits per second (Kbps) or pps. Committed rate refers to the guaranteed bandwidth for traffic entering or leaving the interface under normal network conditions.
Configuring Weights and ECN for WRED
The feature to configure a weight factor for weighted random early detection (WRED) and Explicit Congestion Notification (ECN) functionality for backplane ports is supported on the Additionally, the feature to configure a weight for WRED and ECN functionality for front-end ports is supported on the Dell EMC Networking OS. The WRED congestion avoidance functionality drops packets to prevent buffering resources from being consumed.
Table 80. Scenarios of WRED and ECN Configuration
Columns: Queue Configuration (WRED, ECN) | Service-Pool Configuration (WRED, ECN) | WRED Threshold Relationship (Q threshold = Q-T, Service pool threshold = SP-T) | Expected Functionality
0 0 | X X | X | WRED/ECN not applicable
1 0 | 0 X | X | Queue based WRED, No ECN marking
1 0 | 1 X | Q-T < SP-T | Queue based WRED, No ECN marking
1 0 | 1 X | SP-T < Q-T | SP based WRED, No ECN marking
1 1 | 0 X | X | Queue-based ECN marking above queue threshold.
5. Create a service class and associate the threshold weight of the shared buffer with each of the queues per port in the egress direction.
Classifying Incoming Packets Using ECN and Color Marking
Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
• Classification based on ECN only
• Classification based on ECN and DSCP concurrently
You can use the set-color yellow keyword with the match ip access-group command in the match ip sequence of the class-map configuration to mark the color of matching traffic as 'yellow'. By default, all packets are considered 'green' (without the rate-policer and trust-diffserv configuration); hence support is provided for marking packets as 'yellow' only.
!
ip access-list standard dscp_40_ecn
seq 5 permit any dscp 40 ecn 1
seq 10 permit any dscp 40 ecn 2
seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
match ip access-group dscp_40_non_ecn set-color yellow
match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
match ip access-group dscp_50_non_ecn set-color yellow
match ip access-g
counters, at a particular time, using a triggering utility. The trigger can either be software-based or based on a predetermined threshold event. Software-based triggers are supported, which are the values derived from the show command output in the Max Use count mode. In Dell EMC Networking OS Release 9.3(0.0), only the Max Use count mode of operation is supported for the computation of maximum counter values.
--------------------------------------
MCAST 3 0
Unit 1 unit: 3 port: 17 (interface Fo 1/160)
--------------------------------------
Q# TYPE  Q#  TOTAL BUFFERED CELLS
--------------------------------------
MCAST 3 0
Unit 1 unit: 3 port: 21 (interface Fo 1/164)
--------------------------------------
Q# TYPE  Q#  TOTAL BUFFERED CELLS
--------------------------------------
MCAST 3 0
Unit 1 unit: 3 port: 25 (interface Fo 1/168)
--------------------------------------
Q# TYPE  Q#  TOTAL BUFFERED CELLS
-----------------------
41 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Feature  Default
Transmit  RIPv1
RIP timers:
• update timer = 30 seconds
• invalid timer = 180 seconds
• holddown timer = 180 seconds
• flush timer = 240 seconds
Auto summarization  Enabled
ECMP paths supported  16
Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
DellEMC#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.
[120/1] via 29.10.10.12, 00:01:22, Fa 1/49
192.162.3.0/24 auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
Configure RIP on Interfaces
When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, an interface that is enabled and configured with an IP address in the same subnet as a RIP network address receives RIPv1 and RIPv2 routes and sends RIPv1 routes.
• map-name: the name of a configured route map.
Include specific OSPF routes in RIP.
ROUTER RIP mode
redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name]
Configure the following parameters:
• process-id: the range is from 1 to 65535.
• metric: the range is from 0 to 16.
• map-name: the name of a configured route map.
To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The following example sends both RIPv1 and RIPv2 and receives only RIPv2.
DellEMC(conf-if)#ip rip send version 1 2
DellEMC(conf-if)#ip rip receive version 2
The following example of the show ip protocols command confirms that both versions are sent out that interface.
Controlling Route Metrics
As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the route with the fewest hops runs over the lowest-speed link. To make RIP prefer a different route, adjust the metrics it learns or advertises with the offset command. Exercise caution when applying an offset on routers attached to a broadcast network: the router using the offset modifies RIP advertisements before sending them, so every neighbor on that segment sees the altered metrics.
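The effect of an offset on route selection, as an added example that is not part of the Dell guide: a small Python model of RIP route selection in which each learned metric is the advertised hop count plus one for the incoming link, an inbound offset is added per neighbor, metric 16 means unreachable, and equal-cost routes are kept for ECMP. The neighbor names, prefixes and metrics are constructed for the example.

```python
"""RIP route selection with an inbound metric offset.

Added example, not code from the Dell guide: a small model of how a RIP
router chooses routes by hop count and how an offset applied to one
neighbor's advertisements changes the preferred next hop.  Topology,
neighbor names, prefixes and metrics below are constructed for the example.
"""
RIP_INFINITY = 16  # RFC 2453: a metric of 16 means the destination is unreachable


def learn_routes(advertisements, offsets=None, ecmp_paths=16):
    """Build a RIP routing table from neighbor advertisements.

    advertisements: {neighbor: [(prefix, advertised_metric), ...]}
    offsets: {neighbor: offset} added to metrics learned from that neighbor
             (the effect of an inbound offset on that interface)
    ecmp_paths: maximum number of equal-cost next hops kept per prefix
    Returns {prefix: (metric, [next_hop, ...])}; unreachable routes are dropped.
    """
    offsets = offsets or {}
    table = {}
    for neighbor, advs in advertisements.items():
        for prefix, metric in advs:
            # The receiver adds the cost of the incoming link (1 hop) plus any offset.
            metric = min(metric + 1 + offsets.get(neighbor, 0), RIP_INFINITY)
            if metric >= RIP_INFINITY:
                continue  # metric 16: unreachable, do not install
            current = table.get(prefix)
            if current is None or metric < current[0]:
                table[prefix] = (metric, [neighbor])
            elif metric == current[0] and len(current[1]) < ecmp_paths:
                current[1].append(neighbor)  # equal-cost path: keep for ECMP
    return table


def best_next_hops(advertisements, prefix, offsets=None):
    """Convenience wrapper: the next hops chosen for one prefix."""
    table = learn_routes(advertisements, offsets)
    return table.get(prefix, (None, []))[1]


# Constructed topology: 10.9.0.0/16 is reachable through neighbor "slow" in
# 1 hop over a low-speed link and through neighbor "fast" in 2 hops over
# high-speed links.  Plain hop counts prefer the slow link.
ADVERTISEMENTS = {
    "slow": [("10.9.0.0/16", 1), ("10.8.0.0/16", 3)],
    "fast": [("10.9.0.0/16", 2), ("10.8.0.0/16", 3), ("10.7.0.0/16", 15)],
}

if __name__ == "__main__":
    print(learn_routes(ADVERTISEMENTS))
    # Adding an offset of 2 to everything learned from "slow" flips the choice.
    print(learn_routes(ADVERTISEMENTS, offsets={"slow": 2}))
```

Running the block prints the table before and after an offset of 2 is applied to the slow neighbor's advertisements: 10.9.0.0/16 moves from the one-hop slow link to the two-hop fast path, 10.8.0.0/16 loses its ECMP pair, and 10.7.0.0/16 is never installed because its metric reaches 16. The model shows only the metric arithmetic behind the offset command the text refers to.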
• RIP Configuration Summary
Figure 114. RIP Topology Example
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Core2(conf-if-te-2/3)#
Core2(conf-if-te-2/3)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
network 10.0.0.
B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2,
E1 - OSPF external type 1, E2 - OSPF external type 2,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
* - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
----------- ------- ----------- -----------
C 10.11.10.
version 2
Core3(conf-router_rip)#
Core 3 RIP Output
The examples in this section show the Core 3 RIP output.
• To display the Core 3 RIP database, use the show ip rip database command.
• To display the Core 3 routing table, use the show ip route command.
• To display Core 3 RIP activity, use the show ip protocols command.
The following example shows the show ip rip database command used to view the learned RIP routes on Core 3.
Core3#show ip rip database
Total number of routes in RIP database: 7
10.11.10.
TenGigabitEthernet 3/24 2 2
TenGigabitEthernet 3/23 2 2
Routing for Networks:
10.11.20.0
10.11.30.0
192.168.2.0
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
10.11.20.2 120 00:00:22
Distance: (default is 120)
Core3#
RIP Configuration Summary
The following example shows viewing the RIP configuration on Core 2.
!
interface TenGigabitEthernet
ip address 10.11.10.1/24
no shutdown
!
interface TenGigabitEthernet
ip address 10.11.20.
network 192.168.1.0
network 192.168.2.
42 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
• number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
• variable: the MIB object to monitor. The variable must be in SNMP OID format; for example, 1.3.6.1.2.1.1.3.
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
CONFIGURATION INTERFACE (config-if) mode
[no] rmon collection statistics {controlEntry integer} [owner ownername]
• controlEntry: specifies the RMON group of statistics using a value.
• integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
43 Rapid Spanning Tree Protocol (RSTP) Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table. Table 82.
RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire Layer 2 network, which can cause a network-wide flush of learned media access control (MAC) and address resolution protocol (ARP) addresses, requiring these addresses to be re-learned.
To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The no disable line indicates that RSTP is enabled.
DellEMC(conf-rstp)#show config
!
protocol spanning-tree rstp
no disable
DellEMC(conf-rstp)#
Figure 115. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
The port is not in the Edge port mode
Port 379 (TenGigabitEthernet 2/3) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.379
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively affect network performance. The following table displays the default values for RSTP. Table 83.
Modifying Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost: a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority: influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
shut down when it receives a BPDU. When only bpduguard is implemented, the interface is placed in an Error Disabled state when it receives a BPDU, but the physical interface remains up: after the BPDU violation, spanning tree drops data packets in hardware and drops further BPDUs in software. EdgePort is the equivalent of PortFast mode in Spanning Tree.
CAUTION: Configure EdgePort only on links connecting to an end station.
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time is 1 second, which is encoded as 256. Millisecond hello times are encoded using values less than 256; the encoded value for a hello time of x milliseconds is (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not applied to them.
44 Software-Defined Networking (SDN)
45 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+}
The variables are:
• system: sends accounting information for any other AAA configuration.
• exec: sends accounting information when a user has logged in to EXEC mode.
• dot1x: sends accounting information for dot1x supplicant sessions.
• commands level: sends accounting of commands executed at the specified privilege level.
Monitoring AAA Accounting
Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command.
• Step through all active sessions and print all the accounting records for the actively accounted functions.
Acct-Multi-Session-Id = "1e-3c-39-b3-00-00-00-11-33-44-77-88-6c-b3-d5-5cc"
Acct-Status-Type = Start
Event-Timestamp = "May 10 2019 12:20:43 CDT"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "2d6c5beef615d18fa21bbde29411f6d5"
Timestamp = 1557508843
EAP STOP accounting record:
Fri May 10 12:22:15 2019
NAS-IP-Address = 10.16.133.
RADIUS Accounting attributes
The following tables describe the various types of attributes that identify the supplicant sessions:
Table 84. RADIUS Accounting Start Record Attributes for CLI user
RADIUS Attribute code | RADIUS Attribute | Description
NAS Identification Attributes
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
Session Identification Attributes
1 | User-Name | User name.
5 | NAS-Port | Port on which the session is connected (CLI Session-Id).
CLI event | Accounting type | Attributes
CLI user session disconnects due to Dynamic authorization | Stop | Stop record attributes with termination cause Admin Reset (6).
Table 87. RADIUS Accounting Start Record Attributes for dot1x supplicant
RADIUS Attribute code | RADIUS Attribute | Description
4 | NAS-IP-Address | IPv4 address of the NAS.
95 | NAS-IPv6-Address | IPv6 address of the NAS.
RADIUS Attribute code | RADIUS Attribute | Description
51 | Acct-Link-Count | 1
46 | Acct-Session-Time | Time the user has received the service.
49 | Acct-Terminate-Cause | Reason for session termination.
61 | NAS-Port-Type | Ethernet
NOTE: During an administrator-initiated reload and during system failover events, the accounting Stop records for the 802.1x authorized supplicants are not sent to the RADIUS server.
Table 89.
AAA Authentication Dell EMC Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [... end-number]}
3. Assign a method-list-name or the default list to the terminal line.
LINE mode
login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config command in EXEC Privilege mode.
NOTE: Dell EMC Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client and sends authentication requests to a TACACS+ or RADIUS server.
• TACACS+: When using TACACS+, Dell EMC Networking sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS+ server must have an entry for username $enable$.
If you are using role-based access control (RBAC), only the system administrator and security administrator roles can enable the service obscure-passwords command. To enable the obscuring of passwords and keys, use the following command.
• Turn on the obscuring of passwords and keys in the configuration.
CONFIGURATION mode
service obscure-passwords
Example of Obscuring Passwords and Keys
DellEMC(config)# service obscure-passwords
AAA Authorization
Dell EMC Networking OS enables AAA new-model by default.
Configuring a Username and Password
In Dell EMC Networking OS, you can assign a specific username to limit user access to the system. To configure a username and password, use the following command.
• Assign a user name and password.
CONFIGURATION mode
username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level] [secret]
Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
• access-class access-list-name: Restrict access by access class.
• privilege level: The range is from 0 to 15.
• nopassword: No password is required for the user to log in.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
• password: Enter a string. Specify the password for the user.
• secret: Specify the secret for the user.
2. Configure a password for privilege level.
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands.
apollo% telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
If you enter disable without a level-number, your security level is 1. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell EMC Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
Auto-Command
You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command is executed when the user is authenticated and before the prompt appears to the user.
• Automatically execute a command.
auto-command
Privilege Levels
Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system.
• Set a privilege level.
• Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
• Enable AAA login authentication for the specified RADIUS method list.
LINE mode
login authentication {method-list-name | default}
This procedure is mandatory if you are not using default lists. To use the method list.
CONFIGURATION mode
radius-server retransmit retries
• retries: the range is from 0 to 100. The default is 3 retries.
• Configure the time interval the system waits for a RADIUS server host response.
CONFIGURATION mode
radius-server timeout seconds
• seconds: the range is from 0 to 1000. The default is 5 seconds.
To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode.
Support for Change of Authorization and Disconnect Message packets
The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user access to the switch. The base RADIUS protocol does not support unsolicited messages sent from the RADIUS server to the NAS. However, there are many instances in which it is desirable to change session characteristics without requiring the NAS to initiate the exchange.
Table 92. Session Identification Attributes
Attribute code | Attribute | Description
31 | Calling-Station-Id (MAC Address) | The link address from which the session is connected.
Table 93.
RADIUS Attribute code | RADIUS Attribute | Description | Mandatory
4 | NAS-IP-Address | IPv4 address of the NAS. | No
95 | NAS-IPv6-Address | IPv6 address of the NAS. | No
Session Identification Attributes
5 | NAS-Port | Port on which the session is terminated | Yes
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value;Data="cmd=bounce-host-port" | Yes
Table 97.
RADIUS Attribute code | RADIUS Attribute | Description | Mandatory
5 | NAS-Port | Port on which the session is terminated | No
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value;Data="cmd=disconnect-user" | Yes
Error-cause Values
It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason. The Error-Cause attribute provides more detail on the cause of the problem.
• rejects a CoA-Request containing a NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a CoA-Nak; the Error-Cause value is "NAS Identification Mismatch" (403).
• responds with a CoA-Nak if it is configured to prohibit honoring of the corresponding CoA-Request messages; the Error-Cause value is "Administratively Prohibited" (501).
NOTE: The Administratively Prohibited Error-Cause also applies to the following scenarios:
• if the dot1x feature is not enabled on the NAS-port.
NOTE: Unsupported attributes are those that are not mentioned in RFC 5176 but are present in the disconnect message received by the NAS.
• rejects a disconnect message containing a NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a DM-Nak; the Error-Cause value is "NAS Identification Mismatch" (403).
• responds with a DM-Nak if the NAS is configured to prohibit honoring of disconnect messages; the Error-Cause value is "Administratively Prohibited" (501).
NAS takes the following actions:
• validates the DM request and the session identification attributes.
• sends a DM-Nak with an error-cause of 402 (Missing Attribute) if the DM request does not contain the User-Name.
• sends a DM-Ack if it is able to successfully disconnect the admin user.
• sends a DM-Nak with an error-cause value of 506 (Resource Unavailable) if it is not able to disconnect the admin user.
NAS re-initiates the user authentication state.
Dell(conf)#radius dynamic-auth
Dell(conf-dynamic-auth)#coa-reauthenticate
NAS takes the following actions whenever re-authentication is triggered:
• validates the CoA request and the session identification attributes.
• sends a CoA-Nak with an error-cause of 402 (Missing Attribute) if the CoA request does not contain both the Calling-Station-Id and the NAS-Port attribute.
• sends a CoA-Ack if the re-authentication of the 802.
To initiate shutting down of the 802.1x enabled port, the DAC sends a standard CoA request that contains one or more session identification attributes. NAS uses the NAS-Port attribute to identify the 802.1x enabled physical port.
1. Enter the following command to configure the dynamic authorization feature:
radius dynamic-auth
2. Enter the following command to disable the 802.1x enabled physical port:
coa-disable-port
NAS administratively shuts down the 802.1x enabled port that is hosting the session.
Rate-limiting RADIUS packets
NAS allows or rejects RADIUS dynamic authorization packets based on the rate-limiting value that you specify. You can configure the number of RADIUS dynamic authorization packets allowed per minute; the default is 30 packets per minute. NAS discards further packets once the number of RADIUS dynamic authorization packets received in the current interval exceeds the configured rate limit.
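The NAS-side decisions described above (attribute validation, the Error-Cause values returned in NAK responses, re-authentication and port shutdown through CoA, and the per-minute rate limit), as an added example in Python that is not code from the Dell guide or from Dell EMC Networking OS. Requests are modelled as attribute dictionaries rather than RADIUS packets; the session store, the NAS address and the sample requests are constructed; and the 401 (Unsupported Attribute) and 503 (Session Context Not Found) values, which the text above does not list, are taken from RFC 5176.

```python
"""NAS-side handling of RADIUS Disconnect and CoA requests (RFC 5176).

Added example, not code from the Dell guide: a model of the decisions a NAS
makes as Dynamic Authorization Server: attribute validation, the Error-Cause
values sent in NAK responses, and the per-minute rate limit on dynamic
authorization packets.  Requests are plain dicts of attribute name -> value;
the session store, NAS address and sample requests are constructed.
"""

# Error-Cause values (RFC 5176, section 3.5).  402, 403, 501 and 506 are the
# ones the text above lists; 401 and 503 are the RFC values for the remaining cases.
UNSUPPORTED_ATTRIBUTE = 401
MISSING_ATTRIBUTE = 402
NAS_IDENTIFICATION_MISMATCH = 403
ADMINISTRATIVELY_PROHIBITED = 501
SESSION_CONTEXT_NOT_FOUND = 503
RESOURCE_UNAVAILABLE = 506

# Attributes this model accepts in a request; anything else is "unsupported".
SUPPORTED_ATTRIBUTES = {
    "NAS-IP-Address", "NAS-IPv6-Address", "NAS-Port", "User-Name",
    "Calling-Station-Id", "Acct-Session-Id", "Vendor-Specific",
}


class Nas:
    def __init__(self, ip, rate_limit_per_minute=30, honor_dm=True, honor_coa=True):
        self.ip = ip
        self.honor_dm = honor_dm      # False models a NAS configured to refuse DMs
        self.honor_coa = honor_coa    # False models a NAS configured to refuse CoA
        self.rate_limit = rate_limit_per_minute
        self._window_start = None
        self._window_count = 0
        self.sessions = {}            # (User-Name, NAS-Port) -> session dict
        self.disabled_ports = set()

    def add_session(self, user, nas_port, mac, disconnectable=True):
        self.sessions[(user, nas_port)] = {"mac": mac, "disconnectable": disconnectable}

    def _rate_limited(self, now):
        """Fixed one-minute window: accept up to rate_limit packets, drop the rest."""
        if self._window_start is None or now - self._window_start >= 60:
            self._window_start, self._window_count = now, 0
        self._window_count += 1
        return self._window_count > self.rate_limit

    def _common_checks(self, attrs):
        """Checks shared by DM and CoA; returns an Error-Cause or None."""
        if set(attrs) - SUPPORTED_ATTRIBUTES:
            return UNSUPPORTED_ATTRIBUTE
        nas_ip = attrs.get("NAS-IP-Address", attrs.get("NAS-IPv6-Address"))
        if nas_ip is not None and nas_ip != self.ip:
            return NAS_IDENTIFICATION_MISMATCH
        return None

    def handle_disconnect(self, attrs, now=0):
        """Returns ("DM-Ack", None), ("DM-Nak", error_cause) or ("dropped", None)."""
        if self._rate_limited(now):
            return ("dropped", None)          # over the per-minute limit: silently discarded
        if not self.honor_dm:
            return ("DM-Nak", ADMINISTRATIVELY_PROHIBITED)
        cause = self._common_checks(attrs)
        if cause is not None:
            return ("DM-Nak", cause)
        if "User-Name" not in attrs:
            return ("DM-Nak", MISSING_ATTRIBUTE)
        matches = [k for k in self.sessions if k[0] == attrs["User-Name"]
                   and ("NAS-Port" not in attrs or k[1] == attrs["NAS-Port"])]
        if not matches:
            return ("DM-Nak", SESSION_CONTEXT_NOT_FOUND)
        if any(not self.sessions[k]["disconnectable"] for k in matches):
            return ("DM-Nak", RESOURCE_UNAVAILABLE)
        for key in matches:
            del self.sessions[key]
        return ("DM-Ack", None)

    def handle_coa(self, attrs, action, now=0):
        """action is 'reauthenticate' or 'disable-port' (coa-reauthenticate / coa-disable-port)."""
        if self._rate_limited(now):
            return ("dropped", None)
        if not self.honor_coa:
            return ("CoA-Nak", ADMINISTRATIVELY_PROHIBITED)
        cause = self._common_checks(attrs)
        if cause is not None:
            return ("CoA-Nak", cause)
        # Re-authentication needs both Calling-Station-Id and NAS-Port; port
        # shutdown identifies the port by NAS-Port alone.
        needed = {"Calling-Station-Id", "NAS-Port"} if action == "reauthenticate" else {"NAS-Port"}
        if not needed <= set(attrs):
            return ("CoA-Nak", MISSING_ATTRIBUTE)
        port = attrs["NAS-Port"]
        matches = [k for k, s in self.sessions.items() if k[1] == port
                   and (action != "reauthenticate" or s["mac"] == attrs["Calling-Station-Id"])]
        if not matches:
            return ("CoA-Nak", SESSION_CONTEXT_NOT_FOUND)
        if action == "disable-port":
            self.disabled_ports.add(port)      # port is administratively shut down
            for key in matches:
                del self.sessions[key]
        return ("CoA-Ack", None)
```

The order of the checks follows the text: the rate limit is applied before anything is parsed, an administratively prohibited request is refused before its attributes are examined, and the NAS identity is checked before the session lookup, so a request aimed at the wrong NAS never learns whether the session exists.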
3. Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
4. Assign the method list to the terminal line.
LINE mode
login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, Dell EMC Networking OS employs the second method (or third method, if necessary) automatically.
system closes the Telnet session immediately. The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt.
Protection from TCP Tiny and Overlapping Fragment Attacks
Tiny and overlapping fragment attacks are a class of attack in which configured ACL entries that deny TCP port-specific traffic are bypassed, so that traffic reaches its destination although the ACL denies it. RFC 1858 and RFC 3128 propose a countermeasure to the problem. This countermeasure is configured into the line cards and is enabled by default.
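The countermeasure, as an added example that is neither the Dell guide's nor the line-card implementation: a Python filter that applies the two RFC 1858 rules to IPv4 fragments (drop a TCP first fragment too short to carry the TCP flags; drop any TCP fragment with fragment offset 1) and, at reassembly, rejects a fragment whose byte range overlaps data already received, which is the overlapping-fragment case. The minimum first-fragment length TMIN = 16, the packet builder and the sample fragments are assumptions constructed for the example.

```python
"""Tiny-fragment and overlapping-fragment checks for TCP over IPv4.

Added example, not code from the Dell guide: the two RFC 1858 filter rules
(drop a TCP first fragment that is too short to carry the TCP flags, and drop
any TCP fragment with fragment offset 1) plus a reassembly-side rejection of
fragments whose byte range overlaps data already received.  TMIN, the packet
builder and the sample fragments are constructed for the example.
"""
import struct

IPPROTO_TCP = 6
# Assumption for this example: the first fragment must carry at least 16 bytes
# of TCP header so that the ports (bytes 0-3) and flags (byte 13) are present.
TMIN = 16


def build_ipv4_fragment(fo, mf, payload, proto=IPPROTO_TCP, ident=0x1234):
    """Minimal IPv4 header (no options) with the given fragment offset (in
    8-byte units) and MF flag; checksum left zero since nothing verifies it."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if mf else 0) | (fo & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_ipv4(packet):
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    return {
        "ident": ident,
        "proto": packet[9],
        "mf": bool(flags_frag & 0x2000),
        "fo": flags_frag & 0x1FFF,          # fragment offset in 8-byte units
        "transport_len": total_len - ihl,   # bytes of transport data in this fragment
    }


def rfc1858_verdict(packet):
    """Return 'permit' or a 'drop: ...' string for one fragment."""
    f = parse_ipv4(packet)
    if f["proto"] != IPPROTO_TCP:
        return "permit"
    if f["fo"] == 0 and f["transport_len"] < TMIN:
        return "drop: tiny first fragment (RFC 1858 direct method)"
    if f["fo"] == 1:
        return "drop: TCP fragment with FO=1 (RFC 1858 indirect method)"
    return "permit"


class OverlapGuard:
    """Track the byte ranges already accepted per datagram and reject any
    fragment that overlaps them (the overlapping-fragment countermeasure)."""

    def __init__(self):
        self._ranges = {}  # ident -> list of (start, end) half-open byte ranges

    def accept(self, packet):
        f = parse_ipv4(packet)
        start = f["fo"] * 8
        end = start + f["transport_len"]
        seen = self._ranges.setdefault(f["ident"], [])
        if any(start < s_end and s_start < end for s_start, s_end in seen):
            return False  # overlaps data already received: drop
        seen.append((start, end))
        return True


def filter_fragments(packets):
    """Apply both checks in order; returns the verdict per packet."""
    guard = OverlapGuard()
    verdicts = []
    for pkt in packets:
        v = rfc1858_verdict(pkt)
        if v == "permit" and not guard.accept(pkt):
            v = "drop: overlapping fragment"
        verdicts.append(v)
    return verdicts


# Constructed sample: a 20-byte TCP header (dst port 23, SYN flag set) split
# in ways an attacker would use to slip the flags past a port-based ACL.
TCP_HEADER = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

SAMPLE_FRAGMENTS = [
    build_ipv4_fragment(0, True, TCP_HEADER[:8]),        # only ports + seq: tiny
    build_ipv4_fragment(1, True, TCP_HEADER[8:16]),      # would deliver the flags
    build_ipv4_fragment(0, True, TCP_HEADER + b"\0" * 4, ident=0x5678),  # 24 bytes: ok
    build_ipv4_fragment(3, True, b"\0" * 8, ident=0x5678),               # bytes 24-31: ok
    build_ipv4_fragment(2, False, b"\0" * 8, ident=0x5678),              # bytes 16-23: overlap
]

if __name__ == "__main__":
    for verdict in filter_fragments(SAMPLE_FRAGMENTS):
        print(verdict)
```

The sample run shows the classic attack, an 8-byte first fragment followed by an FO=1 fragment carrying the SYN flag, being dropped by each rule in turn, and a third datagram whose late fragment rewrites bytes 16 to 23 being dropped by the overlap check. The overlap check is deliberately strict: an exact duplicate retransmission is also rejected, which a production reassembler may want to tolerate.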
CONFIGURATION MODE
ip ssh server port number
2. On Switch 1, enable SSH.
CONFIGURATION MODE
ip ssh server enable
3. On Switch 2, invoke SCP.
EXEC Privilege mode
copy scp: flash:
4. On Switch 2, in response to the prompts, enter the path to the desired file and enter the port number specified in Step 1.
5. On the chassis, invoke SCP.
To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval] [volume rekey-limit] command in CONFIGURATION mode. Configure the following parameters:
• rekey-interval: time-based rekey threshold for an SSH session. The range is from 10 to 1440 minutes. The default is 60 minutes.
• rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 megabytes. The default is 1024 megabytes.
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256,hmac-sha1,hmac-sha1-96.
Example of Configuring an HMAC Algorithm
The following example shows how to configure an HMAC algorithm list.
DellEMC(conf)# ip ssh server mac hmac-sha1-96
Configuring the HMAC Algorithm for the SSH Client
To configure the HMAC algorithm for the SSH client, use the ip ssh mac hmac-algorithm command in CONFIGURATION mode.
Configuring the SSH Client Cipher List
To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.
• cipher-list: Enter a space-delimited list of ciphers the SSH client supports. The following ciphers are available.
• 3des-cbc
• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is, in order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
DellEMC# show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr.
SSH server macs : hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
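Why the content of these lists matters more than their order, as an added example that is not code from the Dell guide: Python applying the SSH negotiation rule (RFC 4253 section 7.1: the first algorithm in the client's name-list that the server also offers is chosen) to the server lists printed above and to a trimmed list. The client preference lists, the trimmed server lists and the set of algorithms treated as weak (CBC-mode ciphers, 3DES and the MD5-based MACs) are assumptions for the example.

```python
"""SSH algorithm negotiation against the switch's cipher and MAC lists.

Added example, not code from the Dell guide: applies the RFC 4253 section 7.1
rule (the first algorithm in the client's list that the server also offers
wins) to the server lists shown by show ip ssh above and to a trimmed list.
The client lists, trimmed server lists and WEAK set are constructed.
"""

# Server lists as printed by show ip ssh in the text above.
SERVER_DEFAULT_CIPHERS = "3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
SERVER_DEFAULT_MACS = "hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96"

# Lists an operator would configure to exclude CBC ciphers, 3DES and MD5 MACs (assumption).
SERVER_HARDENED_CIPHERS = "aes256-ctr,aes192-ctr,aes128-ctr"
SERVER_HARDENED_MACS = "hmac-sha2-256"

# Algorithms treated as weak in this example: CBC mode, 64-bit-block 3DES, MD5-based MACs.
WEAK = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "hmac-md5", "hmac-md5-96"}


def parse_name_list(name_list):
    """SSH name-list: comma-separated names without spaces (RFC 4251 section 5)."""
    return [name for name in name_list.split(",") if name]


def negotiate(client_list, server_list):
    """First algorithm in the client's order that the server also offers, or None."""
    offered = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in offered:
            return name
    return None


def negotiation_report(client_ciphers, client_macs, server_ciphers, server_macs):
    """Outcome of one connection attempt: chosen cipher and MAC, and whether
    the result is weak or the negotiation fails outright."""
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)
    return {
        "cipher": cipher,
        "mac": mac,
        "weak": (cipher in WEAK) or (mac in WEAK),
        "fails": cipher is None or mac is None,
    }


# Constructed clients: a legacy client that prefers 3DES/MD5 but can do AES-CTR
# and SHA-2, and a CBC-only client that cannot follow a hardened policy.
LEGACY_CLIENT = ("3des-cbc,aes128-cbc,aes256-ctr", "hmac-md5,hmac-sha2-256")
CBC_ONLY_CLIENT = ("aes128-cbc", "hmac-sha1")

if __name__ == "__main__":
    print(negotiation_report(*LEGACY_CLIENT, SERVER_DEFAULT_CIPHERS, SERVER_DEFAULT_MACS))
    print(negotiation_report(*LEGACY_CLIENT, SERVER_HARDENED_CIPHERS, SERVER_HARDENED_MACS))
    print(negotiation_report(*CBC_ONLY_CLIENT, SERVER_HARDENED_CIPHERS, SERVER_HARDENED_MACS))
```

Against the default lists, a client that prefers 3des-cbc and hmac-md5 gets them, and reordering the server list changes nothing because the client's order decides; only the trimmed server list forces aes256-ctr and hmac-sha2-256, at the cost of rejecting a CBC-only client. The trimmed lists correspond to what you would set with ip ssh server mac (shown above) and the matching server cipher command.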
6. Enable host-based authentication.
CONFIGURATION mode
ip ssh hostbased-authentication enable
7. Bind shosts and rhosts to host-based authentication.
CONFIGURATION mode
ip ssh pub-key-file flash://filename
or
ip ssh rhostsfile flash://filename
The following example shows creating shosts.
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.
If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears. In this case, verify that the name and IP address of the client are contained in the file /etc/hosts:
RSA Authentication Error.
Telnet
To use Telnet alongside SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. Telnet sends credentials and session data in clear text; if you do not need it, disable the Telnet daemon with the following command, or disable Telnet in the startup config.
Example of Configuring VTY Authorization Based on Access Class Retrieved from a Local Database (Per User)
DellEMC(conf)#user gooduser password abc privilege 10 access-class permitall
DellEMC(conf)#user baduser password abc privilege 10 access-class denyall
DellEMC(conf)#
DellEMC(conf)#aaa authentication login localmethod local
DellEMC(conf)#
DellEMC(conf)#line vty 0 9
DellEMC(config-line-vty)#login authentication localmethod
DellEMC(config-line-vty)#end
VTY Line Remote Authentication and Authorization retr
• Configuring Role-based Only AAA Authorization
• System-Defined RBAC User Roles
• Creating a New User Role
• Modifying Command Permissions for Roles
• Adding and Deleting Users from a Role
• Role Accounting
• Configuring AAA Authentication for Roles
• Configuring AAA Authorization for Roles
• Configuring an Accounting for Roles
• Applying an Accounting Method to a Role
• Displaying Active Accounting Sessions for Roles
• Configuring TACACS+ and RADIUS VSA Attributes for RBAC
• Displaying User Roles
• D
2. Configure login authentication on the console. This ensures that all users are properly identified through authentication no matter the access point. If you do not configure login authentication on the console, the system displays an error when you attempt to enable role-based only AAA authorization. 3. Specify an authentication method list—RADIUS, TACACS+, or Local. You must specify at least local authentication.
Role | Modes
netoperator |
netadmin | Exec, Config, Interface, Router, IP, Route-map, Protocol, MAC
secadmin | Exec, Config, Line
sysadmin | Exec, Config, Interface, Line, Router, IP, Route-map, Protocol, MAC
User Roles
This section describes how to create a new user role and configure command permissions and contains the following topics.
myrole | secadmin | Exec, Config, Line
Modifying Command Permissions for Roles
You can modify (add or delete) command permissions for newly created user roles and system-defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command syntax in CONFIGURATION mode, where the trailing command is the CLI command whose permission is being added, removed or reset.
NOTE: You cannot modify system administrator command permissions. If you add or delete command permissions using the role command, those changes apply only to the specific user role.
The following example shows that the secadmin role can now access Interface mode.
Role Inheritance
Role | Modes
netoperator |
netadmin | Exec, Config, Interface, Router, IP, Route-map, Protocol, MAC
secadmin | Exec, Config, Interface, Line
sysadmin | Exec, Config, Interface, Line, Router, IP, Route-map, Protocol, MAC
Example: Remove Security Administrator Access to Line Mode.
The following example adds a user, to the secadmin user role. DellEMC(conf)# username john role secadmin password 0 password AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
!
tacacs-server host 10.16.150.203 key
!
aaa authentication login ucraaa tacacs+ radius local
aaa authorization exec ucraaa tacacs+ radius local
aaa accounting commands role netadmin ucraaa start-stop tacacs+
!
The following configuration example applies a method list other than default to each VTY line.
NOTE: The methods were not applied to the console, so the default methods (if configured) are applied there.
The following example configures an AV pair that allows a user who logs in from a network access server with a privilege level of 15 to have access to EXEC commands. The format of a Dell EMC Networking AV pair for privilege level is shell:priv-lvl=number, where number is a value between 0 and 15.
Displaying Active Accounting Sessions for Roles To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege and the roles for all users are also displayed. If the role is not defined, the system displays "unassigned".
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.
Challenge Response Auth : enabled.
Vty Encryption HMAC Remote IP
2 aes128-cbc hmac-md5 10.
ICMPv4 message types
• Information request (15)
• Information reply (16)
• Address mask request (17)
• Address mask reply (18)
NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8).
Table 103.
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also depends on the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective. The Dell EMC Networking OS is enhanced to verify whether the OS image and the startup configuration file have been altered before loading them.
upgrade system
DellEMC# upgrade system tftp://10.16.127.35/FTOS-SE-9.11.0.1 A:
Hash Value: e42e2548783c2d5db239ea2fa9de4232
!!!!!!!!!!!!!!...
Startup Configuration Verification
Dell EMC Networking OS includes a startup configuration verification feature. When enabled, it checks the integrity of the startup configuration that the system uses while rebooting, and loads it only if it is intact.
Configuring the root User Password For added security, you can change the root user password. If you configure the secure-cli command on the system, the Dell EMC Networking OS resets any previously-configured root access password without displaying any warning message. With the secure-cli command enabled on the system, the CONFIGURATION mode does not display the root access password option. To change the default root user password, follow these steps: • Change the default root user password.
46 Service Provider Bridging VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 116. VLAN Stacking in a Service Provider Network
Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell EMC Networking cautions against using the same MAC address on different customer VLANs on the same VLAN-Stack VLAN.
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks

Creating Access and Trunk Ports

To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
• Trunk port — a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
    5     Inactive                          M Po1(Te 3/14-15)
    6     Active                            M Te 3/13
DellEMC#

Configuring the Protocol Type Value for the Outer VLAN Tag

The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
  CONFIGURATION mode
  vlan-stack protocol-type
  The default is 9100.

To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC Privilege mode.
NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Te 1/1 T Te 1/1 M Te 1/1

Debugging VLAN Stacking

To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
  debug member

The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
Figure 117.
Figure 118.
Figure 119. Single and Double-Tag TPID Mismatch

VLAN Stacking Packet Drop Precedence

VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.

Enabling Drop Eligibility

Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Ingress Egress Access Port Trunk Port DEI Disabled DEI Enabled Retain outer tag CFI Set outer tag CFI to 0. Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0

To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
  CONFIGURATION mode
  dei enable

By default, packets are colored green, and DEI is marked 0 on egress.
-------------------------------
Te 1/1      Green     0
Te 1/1      Yellow    1
Te 2/9      Yellow    0
Te 2/10     Yellow    0

Dynamic Mode CoS for VLAN Stacking

One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.
qos-policy-input 3 layer2
  rate-police 40

Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets have outer dot1p 0 and are therefore queued to Queue 1 and policed according to qos-policy-input 1.
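The S-Tag TPID, the DEI bit and the Dynamic Mode CoS mapping above all live in the same four bytes of the outer tag, and the "TPID mismatch" figure describes what happens when a bridge is configured with a different TPID from the one on the wire. The following Python is an added example that is not Dell EMC Networking OS code: it parses a single- or double-tagged Ethernet frame under a configurable S-Tag TPID, and pushes an S-Tag whose 802.1p bits are derived from the C-Tag through a constructed map modelled on the "dot1p 0–3 become 7" policy above. The page's default of 9100 is read as the hexadecimal value 0x9100 (an assumption about the CLI's notation); the 0x88A8 mismatch case in the usage is likewise a constructed scenario.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example, not Dell EMC Networking OS code. 0x9100 follows the page's
# "The default is 9100" (read as hex, an assumption); 0x8100 is the 802.1Q C-Tag TPID.
TPID_8021Q = 0x8100
DEFAULT_STAG_TPID = 0x9100

# Constructed Dynamic Mode CoS map modelled on the page's policy: inner dot1p 0-3
# become outer dot1p 7; anything else falls back to outer dot1p 0.
COS_MAP_EXAMPLE: Dict[int, int] = {0: 7, 1: 7, 2: 7, 3: 7}


@dataclass
class Tag:
    tpid: int
    pcp: int   # 802.1p priority (3 bits)
    dei: int   # drop eligible indicator / CFI (1 bit)
    vid: int   # VLAN ID (12 bits)

    @property
    def tci(self) -> int:
        return (self.pcp << 13) | (self.dei << 12) | (self.vid & 0x0FFF)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    s_tag: Optional[Tag]
    c_tag: Optional[Tag]
    ethertype: int
    payload: bytes


def _tag_from_tci(tpid: int, tci: int) -> Tag:
    return Tag(tpid, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)


def parse_frame(raw: bytes, stag_tpid: int = DEFAULT_STAG_TPID) -> Frame:
    """Split a frame into addresses, up to two VLAN tags, and payload.

    The first tag may carry the configured S-Tag TPID or 0x8100; a second tag
    is accepted only with TPID 0x8100. When the S-Tag TPID is itself 0x8100 a
    lone tag is treated as the customer tag, because it cannot be told apart.
    A leading tag whose TPID matches neither value is left alone: the frame
    then parses as untagged with that TPID as its ethertype, which is what a
    bridge sees when its S-Tag TPID does not match the one on the wire.
    """
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    off = 12
    tags: List[Tag] = []
    for allowed in ((stag_tpid, TPID_8021Q), (TPID_8021Q,)):
        if len(raw) < off + 4:
            break
        tpid, tci = struct.unpack("!HH", raw[off:off + 4])
        if tpid not in allowed:
            break
        tags.append(_tag_from_tci(tpid, tci))
        off += 4
    if len(raw) < off + 2:
        raise ValueError("truncated after VLAN tags")
    ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    payload = raw[off + 2:]

    s_tag = c_tag = None
    if tags and tags[0].tpid == stag_tpid and (stag_tpid != TPID_8021Q or len(tags) == 2):
        s_tag = tags[0]
        c_tag = tags[1] if len(tags) == 2 else None
    elif tags:
        c_tag = tags[0]
    return Frame(dst, src, s_tag, c_tag, ethertype, payload)


def push_s_tag(raw: bytes, s_vid: int, cos_map: Dict[int, int],
               stag_tpid: int = DEFAULT_STAG_TPID, dei: int = 0) -> bytes:
    """Add an S-Tag in front of a customer frame (access-port ingress).

    The outer 802.1p value is derived from the inner C-Tag via cos_map
    (Dynamic Mode CoS); untagged customer frames map from priority 0. DEI is
    0 unless the caller marks it, matching the page's default.
    """
    frame = parse_frame(raw, stag_tpid)
    if frame.s_tag is not None:
        raise ValueError("frame already carries an S-Tag")
    inner_pcp = frame.c_tag.pcp if frame.c_tag else 0
    outer = Tag(stag_tpid, pcp=cos_map.get(inner_pcp, 0), dei=dei, vid=s_vid)
    return raw[:12] + struct.pack("!HH", stag_tpid, outer.tci) + raw[12:]


def build_c_tagged_frame(dst: bytes, src: bytes, c_vid: int, c_pcp: int,
                         ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed customer frame with one 802.1Q tag, for testing."""
    tag = Tag(TPID_8021Q, c_pcp, 0, c_vid)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tag.tci, ethertype) + payload
```

Parsing the stacked frame again with a different S-Tag TPID (for example 0x88A8) returns no tags and an ethertype of 0x9100, which is the single-tag/double-tag mismatch the figure above illustrates: the receiving bridge does not recognise the outer tag and forwards or drops the frame as an unknown ethertype.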
Figure 121. VLAN Stacking without L2PT

You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 122. VLAN Stacking with L2PT

Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.

Enabling Layer 2 Protocol Tunneling

To enable Layer 2 protocol tunneling, use the following commands.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
   EXEC Privilege mode
   show cam-profile
2.
protocol-tunnel stp

Specifying a Destination MAC Address for BPDUs

By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
• Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
The same is true for GARP VLAN registration protocol (GVRP). 802.1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address, 01-80-C2-00-00-0D, to exchange GARP PDUs instead of the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them.
47 sFlow

sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate, even if some ports have no sFlow configured.

Important Points to Remember
• The Dell EMC Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.
• By default, sFlow collection is supported only on data ports.
If you did not enable any extended information, the show output displays the following (shown in bold).

DellEMC#show sflow
sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling

Enabling and Disabling sFlow on an Interface

By default, sFlow is disabled on all interfaces.
Actual sampling rate          :16384
Counter polling interval      :20
Extended max header size      :256
Samples rcvd from h/w         :0

Example of the show running-config sflow Command

DellEMC#show running-config sflow
!
sflow collector 100.1.1.12 agent-addr 100.1.1.
The following example shows the show sflow interface command.

DellEMC#show sflow interface tengigabitethernet 1/1
Te 1/1
sFlow type                    :Ingress
Configured sampling rate      :16384
Actual sampling rate          :16384
Counter polling interval      :20
Extended max header size      :128
Samples rcvd from h/w         :0

The following example shows the show running-config interface command.
• interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds.

Back-Off Mechanism

If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism is triggered, which doubles the sampling rate (halves the number of samples per second) for all interfaces.
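The back-off affects every interface on the line card, including ports that simply inherit the global default, which is why the advice earlier in this chapter is to raise the global rate or to configure every port explicitly. The following Python is an added model of that behaviour and is not Dell EMC Networking OS code: a sampling rate of N is taken as one sample per N packets, the per-port packet rates and the CPU budget are constructed figures, and the point at which the real switch triggers back-off is not stated on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model, not Dell EMC Networking OS code. A sampling rate of N is
# modelled as one flow sample per N packets, so samples/s = pps / rate.


@dataclass
class SflowPort:
    name: str
    pps: float              # observed packets per second (constructed figure)
    rate: Optional[int]     # configured sampling rate, or None to inherit the global default


@dataclass
class SflowCard:
    global_rate: int        # "Global default sampling rate" (32768 on the page)
    ports: List[SflowPort]


def effective_rate(port: SflowPort, global_rate: int) -> int:
    return port.rate if port.rate is not None else global_rate


def samples_per_second(card: SflowCard, rates: Optional[Dict[str, int]] = None) -> float:
    """Aggregate flow-sample rate the CPU must absorb for this card."""
    rates = rates or {p.name: effective_rate(p, card.global_rate) for p in card.ports}
    return sum(p.pps / rates[p.name] for p in card.ports)


def apply_backoff(card: SflowCard, cpu_budget_sps: float) -> Tuple[Dict[str, int], int]:
    """Binary back-off: double every interface's rate until the aggregate
    sample rate fits the (assumed) CPU budget. Returns the resulting per-port
    rates and how many doubling rounds were needed; 0 means no back-off.
    """
    rates = {p.name: effective_rate(p, card.global_rate) for p in card.ports}
    rounds = 0
    while samples_per_second(card, rates) > cpu_budget_sps:
        rates = {name: rate * 2 for name, rate in rates.items()}
        rounds += 1
    return rates, rounds


def ports_changed_by_backoff(card: SflowCard, cpu_budget_sps: float) -> List[str]:
    """Names of ports whose rate was moved away from the value the operator set
    (or inherited); useful for spotting collateral damage on unrelated ports."""
    rates, _ = apply_backoff(card, cpu_budget_sps)
    return [p.name for p in card.ports if rates[p.name] != effective_rate(p, card.global_rate)]
```

With a single port sampled at 1:256 under heavy load and a budget of 250 samples/s, two doubling rounds are needed and the port that inherited the global 32768 default is pushed to 131072 as well; explicitly configuring the busy port at 1:1024 keeps the card under budget with no back-off at all, which is the page's recommendation in miniature.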
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling

Important Points to Remember
• To export extended-gateway data, BGP must learn the IP destination address. If the IP destination address is not learned via BGP, the Dell EMC Networking system does not export extended-gateway data.
48 Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.

NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Troubleshooting SNMP Operation
• Transceiver Monitoring
• Configuring SNMP context name

Protocol Overview

Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
You cannot modify the FIPS mode if SNMPv3 users are already configured and present in the system. An error message is displayed if you attempt to change the FIPS mode by using the fips mode enable command in Global Configuration mode. You can enable or disable FIPS mode only if SNMPv3 users are not previously set up. If previously configured users exist on the system, you must delete the existing users before you change the FIPS mode.
Creating a Community

For SNMPv1 and SNMPv2, create a community to enable community-based security in Dell EMC Networking OS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
  CONFIGURATION mode
  snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
  CONFIGURATION mode
  snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv password
• Configure an SNMPv3 view.
The following example shows reading the values of many managed objects at one time.

> snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell EMC Real Time Operating System Software
Dell Operating System Version: 1.0
Dell Application Software Version: E_MAIN4.9.4.0.0
Copyright (c) 1999-2014 by Dell
Build Time: Mon May 12 14:02:22 PDT 2008
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6027.1.3.
The default is None.

Subscribing to Managed Object Value Updates using SNMP

By default, the Dell EMC Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.

Dell EMC Networking OS supports the following three sets of traps:
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
NOTE: You must configure the notify option for the SNMPv3 traps to work.

envmon
  STACK_STATE: Stack unit %d is in Active State
  STACKUNITUP: Stack unit 0 is up
envmon
  CARD_SHUTDOWN: %sLine card %d down - %s
  CARD_DOWN: %sLine card %d down - %s
  LINECARDUP: %sLine card %d is up
  CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
Instance Id 0 port Te 1/8 transitioned from forwarding to discarding state.
Table 107. List of Syslog Server MIBS that have read access

MIB Object: dF10SysLogTraps
  OID: 1.3.6.1.4.1.6027.3.30.1.1
  Object Values: 1 = reachable, 2 = unreachable
  Description: Specifies whether the syslog server is reachable or unreachable.

The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.1
SNMPv2-SMI::enterprises.
  3 = tftp
  4 = ftp
  5 = scp
  6 = usbflash

MIB Object: copySrcFileName
  OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.4
  Object Values: Path (if the file is not in the current directory) and filename. If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
  Description: Specifies the name of the file. If copySourceFileType is set to running-config or startup-config, copySrcFileName is not required.

MIB Object: copyDestFileType
  OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.
  CONFIGURATION mode
  snmp-server community community-name rw
2. Copy the f10-copy-config.mib MIB from the Dell iSupport web page to the server to which you are copying the configuration file.
3. On the server, use the snmpset command as shown in the following example.
   snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ipaddress mib-object.index {i | a | s} object-value...
• Every specified object must have an object value, and the value must be preceded by its type keyword (i, a, or s).
Copying the Startup-Config Files to the Running-Config

To copy the startup-config to the running-config from a UNIX machine, use the following command.
• Copy the startup-config to the running-config from a UNIX machine.
  snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2

The following example shows how to copy configuration files from a UNIX machine using the object name.

> snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.
Copy a Binary File to the Startup-Configuration

To copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP, use the following command.
• Copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP.
  snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.
The following examples show the snmpget command to obtain a MIB object value. These examples assume that:
• the server OS is UNIX
• you are using SNMP version 2c
• the community name is public
• the file f10-copy-config.mib is in the current directory

NOTE: In UNIX, enter the snmpset command for help using this command.

The following examples show the command syntax using MIB object names and the same command using the object OIDs.
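The copy-config table and the snmpset examples above encode a set of dependencies between objects: a running-config or startup-config source needs no file name, a binary source needs a location and a file name, and FTP or SCP sources additionally need copyServerAddress, copyUserName and copyUserPassword. The following Python is an added helper, not Dell EMC Networking OS code or the F10-COPY-CONFIG-MIB itself, that builds the varbind list for one copy request and refuses incomplete ones before anything is sent. The copySrcFileLocation values and object names are the ones on the page; the copySrcFileType/copyDestFileType values (1 = binary file, 2 = running-config, 3 = startup-config) are inferred from the page's snmpset examples and are an assumption, as is the "a" (IpAddress) type for copyServerAddress.

```python
from typing import List, Optional

# Constructed helper, not Dell EMC Networking OS code. Values below marked
# "inferred" are read off the page's own snmpset examples and are assumptions.
FILE_TYPE = {"binary": 1, "running-config": 2, "startup-config": 3}   # inferred
LOCATION = {"tftp": 3, "ftp": 4, "scp": 5, "usbflash": 6}             # from the page
NEEDS_CREDENTIALS = {"ftp", "scp"}                                    # from the page


def build_copy_varbinds(src_type: str, dest_type: str, index: int = 1,
                        src_location: Optional[str] = None,
                        src_file: Optional[str] = None,
                        server: Optional[str] = None,
                        username: Optional[str] = None,
                        password: Optional[str] = None) -> List[str]:
    """Return the name/type/value triples for one copy request.

    Enforces the dependencies the copy-config table describes so that an
    incomplete request fails locally instead of leaving a half-set row on
    the switch.
    """
    if src_type not in FILE_TYPE or dest_type not in FILE_TYPE:
        raise ValueError(f"unknown file type: {src_type!r} / {dest_type!r}")
    vb = [f"copySrcFileType.{index}", "i", str(FILE_TYPE[src_type])]
    if src_type == "binary":
        if src_location not in LOCATION:
            raise ValueError("binary source requires copySrcFileLocation (tftp/ftp/scp/usbflash)")
        if not src_file:
            raise ValueError("binary source requires copySrcFileName")
        vb += [f"copySrcFileLocation.{index}", "i", str(LOCATION[src_location]),
               f"copySrcFileName.{index}", "s", src_file]
        if src_location in NEEDS_CREDENTIALS:
            if not (server and username and password):
                raise ValueError("ftp/scp require copyServerAddress, copyUserName and copyUserPassword")
            vb += [f"copyServerAddress.{index}", "a", server,   # "a" = IpAddress (assumed)
                   f"copyUserName.{index}", "s", username,
                   f"copyUserPassword.{index}", "s", password]
    vb += [f"copyDestFileType.{index}", "i", str(FILE_TYPE[dest_type])]
    return vb


def copy_request_error(**kwargs) -> Optional[str]:
    """Validation-only entry point: the error message for a bad request, else None."""
    try:
        build_copy_varbinds(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def build_snmpset_command(host: str, community: str, varbinds: List[str],
                          mib: str = "./f10-copy-config.mib", version: str = "2c") -> List[str]:
    """argv for net-snmp's snmpset, as a list so no shell quoting is involved."""
    return ["snmpset", "-v", version, "-c", community, "-m", mib, host, *varbinds]
```

Because copyUserPassword travels as a plain snmpset argument, it is visible in the process list and shell history of the management host and, with SNMPv2c, on the wire; running the request through subprocess with the argv list rather than a shell string at least keeps it out of the shell history.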
average input-power start time. These statistics can also be obtained by using the CLI command show environment. The following table lists the related MIB objects, OID and description for the same:

Table 111. MIB Objects to Display the Information for Power Monitoring

MIB Object: envMonSupplyCurrentPower
  OID: 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5
  Description: Displays per PSU input power (current configuration).

MIB Object: envMonSupplyAveragePower
  OID: 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.
MIB Object: dellNetIfTransReceivePowerLane1
  OID: 1.3.6.1.4.1.6027.3.11.1.3.1.1.12
  Description: Specifies the Lane 1 Rx power value in dBm

MIB Object: dellNetIfTransReceivePowerLane2
  OID: 1.3.6.1.4.1.6027.3.11.1.3.1.1.13
  Description: Specifies the Lane 2 Rx power value in dBm

MIB Object: dellNetIfTransReceivePowerLane3
  OID: 1.3.6.1.4.1.6027.3.11.1.3.1.1.14
  Description: Specifies the Lane 3 Rx power value in dBm

MIB Object: dellNetIfTransReceivePowerLane4
  OID: 1.3.6.1.4.1.6027.3.11.1.3.1.1.15
  Description: Specifies the Lane 4 Rx power value in dBm

MIB Object: dellNetIfTransTemperature
  OID: 1.3.6.1.4.1.6027.3.11.1.3.
MIB Support to Display the Software Core Files Generated by the System

Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects.

Table 114. MIB Objects for Displaying the Software Core Files Generated by the System

MIB Object: chSysSwCoresTable
  OID: 1.3.6.1.4.1.6027.3.10.1.2.
MIB Support for CAM

Dell EMC Networking provides a method to retrieve the CAM usage information. The following table lists the related MIB objects:

Table 115. MIB Objects for CAM

MIB Object: camUsageL2PipeLine
  OID: 1.3.6.1.4.1.6027.3.7.1.1.2.1.11
  Description: Contains information about the pipeline number of the chip on the layer 2 switch where the CAM is located.

MIB Object: camUsageL3Pip
  OID: 1.3.6.1.4.1.6027.3.7.1.1.3.1.
MIB Object: dellNetFpPfcStormControlStatusEntry
  OID: 1.3.6.1.4.1.6027.3.27.1.21.1.1.1
  Description: Table entry of PFC storm-control status counters.

MIB Object: dellNetFpPfcStormControlQueueState
  OID: 1.3.6.1.4.1.6027.3.27.1.21.1.1.1.1
  Description: Queue state (normal/drop).

MIB Object: dellNetFpPfcStormControlDurationInDiscardState
  OID: 1.3.6.1.4.1.6027.3.27.1.21.1.1.1.2
  Description: Number of milliseconds the queue is in the discard state.

MIB Object: dellNetFpPfcStormControlDroppedPacketsIngress
  OID: 1.3.6.1.4.1.6027.3.27.1.21.1.1.1.3
  Description: Number of packets dropped on ingress.
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097157.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097157.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097413.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097413.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097669.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097669.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097925.5
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.5.2097925.6
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.6.2097157.
SNMPv2-SMI::enterprises.6027.3.27.1.22.1.1.1.1.6 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.22.1.1.1.1.7 = Counter64: 0

MIB Support for Monitoring the overall buffer usage for lossy and lossless traffic per XPE

Dell EMC Networking provides MIB objects to display the information for monitoring the overall buffer usage for lossy and lossless traffic per XPE. These statistics can also be obtained by using the CLI command show hardware buffer service-pool buffer-info.
SNMP Support for WRED Green/Yellow/Red Drop Counters

Dell EMC Networking provides MIB objects to display the information for WRED Green (Green Drops)/Yellow (Yellow Drops)/Red (Out of Profile Drops) Drop Counters. These statistics can also be obtained by using the CLI command show qos statistics wred-profile. The following table lists the related MIB objects, OID and description for the same:

Table 119.
MIB Support to Display the Available Partitions on Flash

Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk. The following table lists the related MIB objects:

Table 120. MIB Objects to Display the Available Partitions on Flash

MIB Object: dellNetFlashPartitionNumber
  OID: 1.3.6.1.4.1.6027.3.26.1.4.8.1.1
  Description: Index for the table.
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4 = INTEGER: 400528
.1.3.6.1.4.1.6027.3.26.1.4.8.1.4.5 = INTEGER: 60
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 = INTEGER: 3872014
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.2 = INTEGER: 56527
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.3 = INTEGER: 138860
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.4 = INTEGER: 1608180
.1.3.6.1.4.1.6027.3.26.1.4.8.1.5.5 = INTEGER: 51140
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.1 = STRING: "/usr/pkg"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.2 = STRING: "/tmpimg"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.6.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.20.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.0.24.0.0.0.0 = INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.0.24.0.0.0.0 = INTEGER: 2097157
SNMPv2-SMI::enterprises.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.
MIB Support for entAliasMappingTable

Dell EMC Networking provides a method to map a physical interface to its corresponding ifIndex value. The entAliasMappingTable table contains zero or more rows, each representing the mapping of a logical entity and physical component to an external MIB identifier. The following table lists the related MIB objects:

Table 123. MIB Objects for entAliasMappingTable

MIB Object: entAliasMappingTable
  OID: 1.3.6.1.2.1.47.1.3.
MIB Object: dellNetFpIngPolicyDiscards
  OID: 1.3.6.1.4.1.6027.3.27.1.3.1.5
  Description: Packets dropped due to policy discards.

MIB Object: dellNetFpIngPacketsDroppedByDELLNETFP
  OID: 1.3.6.1.4.1.6027.3.27.1.3.1.6
  Description: Packets dropped by the forwarding plane.

MIB Object: dellNetFpIngL2L3Drops
  OID: 1.3.6.1.4.1.6027.3.27.1.3.1.7
  Description: L2 and L3 packets dropped.

MIB Object: dellNetFpIngPortBitMapZeroDrops
  OID: 1.3.6.1.4.1.6027.3.27.1.3.1.8
  Description: Port bitmap zero drop condition.

MIB Object: dellNetFpIngRxVLANDrops
  OID: 1.3.6.1.4.1.6027.3.27.1.3.1.9
  Description: Rx VLAN drop condition.
$snmpwalk -c public -v 2c 10.16.150.245 1.3.6.1.4.1.6027.3.27.1.3.1.28
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1048581
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1049093
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1049604
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1049732
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1049860
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1049988
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1050116
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.28.1050244
SNMPv2-SMI::enterprises.6027.3.
MIB Object: dot3adAggTable
  OID: 1.2.840.10006.300.43.1.1.1
  Description: Contains information about every Aggregator that is associated with a system.

MIB Object: dot3adAggEntry
  OID: 1.2.840.10006.300.43.1.1.1.1
  Description: Contains a list of Aggregator parameters, indexed by the ifIndex of the Aggregator.

MIB Object: dot3adAggMACAddress
  OID: 1.2.840.10006.300.43.1.1.1.1.1
  Description: Contains a six-octet read-only value carrying the individual MAC address assigned to the Aggregator.

MIB Object: dot3adAggActorSystemPriority
  OID: 1.2.840.10006.300.43.1.1.1.1.
snmpbulkget -v 2c -c LagMIB 10.16.148.157 1.2.840.10006.300.43.1.1.1.1.1
iso.2.840.10006.300.43.1.1.1.1.1.1258356224
iso.2.840.10006.300.43.1.1.1.1.1.1258356736
iso.2.840.10006.300.43.1.1.1.1.2.1258356224
iso.2.840.10006.300.43.1.1.1.1.2.1258356736
iso.2.840.10006.300.43.1.1.1.1.3.1258356224
iso.2.840.10006.300.43.1.1.1.1.3.1258356736
iso.2.840.10006.300.43.1.1.1.1.4.1258356224
iso.2.840.10006.300.43.1.1.1.1.4.1258356736
iso.2.840.10006.300.43.1.1.1.1.5.1258356224
iso.2.840.10006.300.43.1.1.1.1.5.
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs

The lldpRemOrgDefInfoTable contains organizationally defined information that is not recognized by the local neighbor. The following table lists the related MIB objects:

Table 127. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs

MIB Object: lldpRemOrgDefInfoTable
  OID: 1.0.8802.1.1.2.1.4.4
  Description: This table contains organizationally defined information that is not recognized by the local neighbor.
Global MIB objects for port security

This section describes the scalar MIB objects of the global MIB dellNetPortSecGlobalObjects. The following table shows the scalar global MIB objects for port security.

Table 128. Global MIB Objects for Port Security

MIB Object: dellNetGlobalPortSecurityMode
  OID: 1.3.6.1.4.1.6027.3.31.1.1.1
  Access or Permission: read-write
  Description: Enables or disables the port security feature globally on the device.

MIB Object: dellNetGlobalTotalSecureAddres
  OID: 1.3.6.1.4.1.6027.3.31.1.1.
MIB Object: dellNetPortSecIfResetViolationStatus
  OID: 1.3.6.1.4.1.6027.3.31.1.2.1.1.10
  Access or Permission: read-write
  Description: Resets the violation status of an interface based on the specified type.

MIB Object: dellNetPortSecIfSecureMacAgeEnable
  OID: 1.3.6.1.4.1.6027.3.31.1.2.1.1.
  Access or Permission: read-write
  Description: Enables aging of the dynamically secured MAC addresses learnt on the interface.
snmpset -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.2.1.4.6.0.0.0.0.17.17.100.2101252 i 6

To retrieve the static MAC address configured, use the following command.

snmpget -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.2.1.4.6.0.0.0.0.17.17.100.2101252

MIB objects for configuring MAC addresses

This section describes the MIB table dellNetPortSecSecureMacAddrTable, which contains the MAC database of the system.
Configuring SNMP traps for new MAC learning or station-move

You can configure the system to send SNMP MAC notifications from the Dell EMC Networking OS. To configure the system to send SNMP MAC notifications, use the following command:
• Enable MAC-notification traps.
  CONFIGURATION mode
  snmp-server traps mac-notification

• Trap messages are generated only for the new MAC and for the MAC that is learnt for the first time in the system.
Displaying the Ports in a VLAN

Dell EMC Networking OS identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command.

Add Tagged and Untagged Ports to a VLAN

The dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only the untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged.
The following OIDs are configurable through the snmpset command. The node OID is 1.3.6.1.4.1.6027.3.18.
F10-ISIS-MIB::f10IsisSysOloadSetOverload
F10-ISIS-MIB::f10IsisSysOloadSetOloadOnStartupUntil
F10-ISIS-MIB::f10IsisSysOloadWaitForBgp
F10-ISIS-MIB::f10IsisSysOloadV6SetOverload
F10-ISIS-MIB::f10IsisSysOloadV6SetOloadOnStartupUntil
F10-ISIS-MIB::f10IsisSysOloadV6WaitForBgp

To enable the overload bit for IPv4, set 1.3.6.1.4.1.6027.3.18.1.1; for IPv6, set 1.3.6.1.4.1.6027.3.18.1.4. To set the time to wait, set 1.3.6.1.4.1.
In the following example, R1 has one dynamic MAC address, learned on port TenGigabitEthernet 1/21, which is a member of the default VLAN, VLAN 1. The SNMP walk returns the values for dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus. Each object comprises an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent.
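The instance-number rule above is what lets a script address one forwarding-database entry directly with snmpget instead of walking the whole table. The following Python is an added example, not Dell EMC Networking OS code: it converts between MAC addresses and dot1dTpFdb instance numbers, builds the exact OID for a given MAC and column, and parses constructed snmpwalk output (the MAC, port number and status values are made up for the example) into a per-MAC record, cross-checking that the dot1dTpFdbAddress value agrees with the instance it was returned under.

```python
import re
from typing import Dict, List

# Constructed example, not Dell EMC Networking OS code. BRIDGE-MIB columns under
# dot1dTpFdbEntry (1.3.6.1.2.1.17.4.3.1): 1 = dot1dTpFdbAddress,
# 2 = dot1dTpFdbPort, 3 = dot1dTpFdbStatus.
FDB_ENTRY_OID = "1.3.6.1.2.1.17.4.3.1"
FDB_STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}

# Constructed snmpwalk output for one dynamically learned address (values made up).
SAMPLE_WALK: List[str] = [
    "SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.172 = Hex-STRING: 00 01 E8 06 95 AC ",
    "SNMPv2-SMI::mib-2.17.4.3.1.2.0.1.232.6.149.172 = INTEGER: 21",
    "SNMPv2-SMI::mib-2.17.4.3.1.3.0.1.232.6.149.172 = INTEGER: 3",
]

_FDB_LINE = re.compile(
    r"^(?:SNMPv2-SMI::mib-2|\.?1\.3\.6\.1\.2\.1)\.17\.4\.3\.1\.([123])\."
    r"(\d+(?:\.\d+){5}) = (Hex-STRING|INTEGER): (.*)$"
)


def mac_to_instance(mac: str) -> str:
    """'00:01:e8:06:95:ac' -> '0.1.232.6.149.172' (each hex pair as decimal)."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexstr) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(str(int(hexstr[i:i + 2], 16)) for i in range(0, 12, 2))


def instance_to_mac(instance: str) -> str:
    """'0.1.232.6.149.172' -> '00:01:e8:06:95:ac'."""
    parts = instance.split(".")
    if len(parts) != 6 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a 6-octet instance: {instance!r}")
    return ":".join(f"{int(p):02x}" for p in parts)


def fdb_oid_for(mac: str, column: int) -> str:
    """Full numeric OID of one dot1dTpFdb column for a given MAC, for snmpget."""
    if column not in (1, 2, 3):
        raise ValueError("column must be 1 (address), 2 (port) or 3 (status)")
    return f"{FDB_ENTRY_OID}.{column}.{mac_to_instance(mac)}"


def parse_fdb_walk(lines: List[str]) -> Dict[str, dict]:
    """Fold snmpwalk lines over dot1dTpFdbTable into {mac: {port, status, address_ok}}.

    address_ok records whether the Hex-STRING in column 1 matches the MAC
    implied by the instance number, which catches mis-parsed or mismatched rows.
    """
    entries: Dict[str, dict] = {}
    for line in lines:
        m = _FDB_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not a dot1dTpFdb row; ignore
        column, instance, kind, value = m.groups()
        mac = instance_to_mac(instance)
        rec = entries.setdefault(mac, {"port": None, "status": None, "address_ok": None})
        if column == "1":
            reported = ":".join(b.lower() for b in value.split())
            rec["address_ok"] = (reported == mac)
        elif column == "2":
            rec["port"] = int(value.strip())
        else:
            rec["status"] = FDB_STATUS.get(int(value.strip()), "unknown")
    return entries
```

A monitoring job can use fdb_oid_for to poll just dot1dTpFdbPort for a handful of critical MAC addresses (servers, gateways) and alert when the learned port changes, which is a cheap way to notice a station move that might indicate a mis-patched cable or a spoofed address.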
MIB Objects for Viewing the System Image on Flash Partitions

To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object; to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.

Table 134. MIB Objects for Viewing the System Image on Flash Partitions

MIB Object: chSysSwInPartitionAImgVers
  OID: 1.3.6.1.4.1.6027.3.10.1.2.8.1.11
  Description: Lists the version string of the system image in Flash Partition A.
• snmp-server context cx1
• snmp-server context cx2
• snmp-server group admingroup 3 auth read readview write writeview
• snmp-server group admingroup 3 auth read readview context cx1
• snmp-server group admingroup 3 auth read readview context cx2
• snmp-server user admin admingroup 3 auth md5 helloworld
• snmp mib community-map VRF1 context cx1
• snmp mib community-map VRF2 context cx2
• snmp-server view readview .1 included
• snmp-server view writeview .1 included
2.
Monitor Port-Channels

To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode.

Example of SNMP Trap for Monitored Port-Channels

[senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
Troubleshooting SNMP Operation

When you use SNMP to retrieve management data from an SNMP agent on a Dell EMC Networking router, take into account the following behavior.
• When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be displayed incorrectly. To display this information correctly under ICMP statistics, use the show ip traffic command.
Field (OID)                                     Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.10    Transmit Power Lane3
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.11    Transmit Power Lane4
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.12    Receive Power Lane1
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.13    Receive Power Lane2
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.14    Receive Power Lane3
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.15    Receive Power Lane4
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
49 Stacking

Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front-end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 0 to 6, and the S6000 supports stacking up to six units with Dell EMC Networking OS version 9.7(0.0).
Stack Master Election

The stack elects a master and standby unit at bootup time based on two criteria.
• Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0. By removing the stack-unit priority using the no stack-unit priority command, you can set the priority back to the default value of zero.
Virtual IP

You can manage the stack using a single IP, known as a virtual IP, that is retained in the stack even after a failover. The virtual IP address is used to log in to the current master unit of the stack. Both IPv4 and IPv6 addresses are supported as virtual IPs. Use the following command to configure a virtual IP:

Dell(conf)#virtual-ip {ip-address | ipv6-address | dhcp}

Failover Roles

If the stack master fails (for example, is powered off), it is removed from the stack topology.
5     Member        not present
6     Member        not present
7     Member        not present
[output omitted]
Stack#show system stack-unit 0 | grep priority
Master priority : 0
Stack#show system stack-unit 1 | grep priority
Master priority : 0

Example of Adding a Standalone with a Lower MAC Address and Equal Priority to a Stack

---------------STANDALONE AFTER CONNECTION----------------
Standalone#%STKUNIT0-M:CP %POLLMGR-2-ALT_STACK_UNIT_STATE: Alternate Stack-unit is present
00:20:20: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit
Figure 123. Supported Stacking Topologies

High Availability on Stacks

Stacks have master and standby management units analogous to Dell EMC Networking route processor modules (RPM). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit. In such an event, or when the master unit is removed, the standby unit becomes the stack manager and Dell EMC Networking OS elects a new standby unit.
format                    Format a filesystem
fsck                      Filesystem check utility
pwd                       Display current working directory
rename                    Rename a file
reset                     Reset selected card
show                      Show running system information
ssh-peer-stack-unit       Open a SSH connection to the peer stack-unit
start                     Start shell
telnet-peer-stack-unit    Open a telnet connection to the peer stack-unit
terminal                  Set terminal line parameters
upload                    Upload file
Dell(standby)#

-----------------CONSOLE ACCESS ON A MEMBER---------------------------
Dell(stack-member-1)#?
reset-self                R
Figure 124. Stack-Group Assignments

You can connect the units while they are powered down or up. Stacking ports are bidirectional. When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the Dell EMC Networking OS version. If the stack is running Dell EMC Networking OS version 9.7.0.0 and the new unit is running an earlier software version, the new unit is put into a card problem state.
   EXEC Privilege mode
   reload
   Dell EMC Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
4. After the units are reloaded, the system reboots. The units come up in a stack after the reboot completes. To view the port assignments, use the show system stack-unit command.
Figure 125. Creating a new stack

In the above example, stack unit 1 is the master management unit and stack unit 2 is the standby unit. The cables are connected to each unit.
------------------------------------------------------------------------------------
0     Member        not present   S6000
1     Member        not present
2     Standby       online        S6000     S6000     1-0(0-3387)   128
3     Member        not present   S6000
4     Member        not present
5     Management    online        S6000     S6000     1-0(0-3387)   128

-- Power Supplies --
Unit   Bay   Status   Type      FanStatus   FanSpeed(rpm)
---------------------------------------------------------------------------
2      0     up       AC        up          6720
2      1     up       AC        up          6688
5      0     up       AC        up          6688
5      1     down     UNKNOWN   down        0

-- Fan Status --
Unit   Bay
The following example shows adding a stack unit with a conflicting stack number (before).
8. If a standalone switch already has stack groups configured, attach cables to connect the ports already configured as stack groups on the switch to one or more switches in the stack. Dell EMC Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
Renumbering the stack manager triggers the whole stack to reload, as shown in the message below. When the stack comes back online, the master unit remains the management unit.
Dell#stack-unit 2 renumber 1
Renumbering master unit will reload the stack.
WARNING: Interface configuration for current unit will be lost!
Proceed to renumber [confirm yes/no]: yes
Creating a Virtual Stack Unit on a Stack
Use virtual stack units to configure ports on the stack before adding a new unit.
-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
-----------------------------------------------------------
2     0    up          up    7021   up    7072
2     1    up          up    7021   up    7072
2     2    up          up    7021   up    7021
Speed in RPM

-- Unit 5 --
Unit Type        : Management Unit
Status           : online
Next Boot        : online
Required Type    : S6000 - 32-port TE/FG (SI)
Current Type     : S6000 - 32-port TE/FG (SI)
Master priority  : 234881024
Hardware Rev     : 4.
2     1    up          up    7021   up    7021
2     2    up          up    7021   up    6971
5     0    up          up    7021   up    7123
5     1    up          up    6971   up    7021
5     2    up          up    7021   up    6971
Speed in RPM
The following example shows the show system stack-ports command.
Resetting a Unit on a Stack
You may reset any stack unit except for the master management unit, as shown in the following message.
% Error: Reset of master unit is not allowed.
To reset a unit on a stack, use the following commands.
• Reload a stack-unit.
  EXEC Privilege mode
  reset stack-unit unit-number
• Reload a member unit, from the unit itself.
  EXEC Privilege mode
  reset-self
• Reset a stack-unit when the unit is in a problem state.
Up Time                    : 1 day, 0 hr, 0 min
Dell Networking OS Version : 1-0(0-3666)
Jumbo Capable              : yes
POE Capable                : no
FIPS Mode                  : disabled
Boot Flash                 : 3.1.1.3
Boot Selector              : 3.1.0.
The following example shows removing a stack member (before).
Recover from Stack Link Flaps Stack link integrity monitoring enables units to monitor their own stack ports and disable any stack port that flaps five times within 10 seconds. Dell EMC Networking OS displays console messages for the local and remote members of a flapping link, and on the primary (master) and standby management units as KERN-2-INT messages if the flapping port belongs to either of these units. In the following example, a stack-port on the master flaps.
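The flap rule described above (a stack port that flaps five times within 10 seconds is disabled) as a sliding-window detector. This is an added example written for this page, not Dell EMC Networking OS code: the link-state samples are constructed (port, time, state) tuples, the port names are placeholders, and counting every link-state transition as one flap is an assumption.

```python
"""Stack-port flap detector (added example, not Dell EMC Networking OS code)."""
from collections import deque

FLAP_LIMIT = 5           # transitions allowed inside the window (page: five flaps)
WINDOW_SECONDS = 10.0    # sliding window length (page: 10 seconds)


class StackLinkMonitor:
    """Tracks link-state transitions per stack port and disables chronic flappers."""

    def __init__(self, limit=FLAP_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._last = {}          # port -> last observed link state
        self._flaps = {}         # port -> deque of transition timestamps
        self.disabled = set()    # ports that tripped the threshold
        self.messages = []       # console-style notes (constructed wording)

    def observe(self, port, t, state):
        """Feed one link-state sample; return True when this sample disables the port."""
        if port in self.disabled:
            return False
        prev = self._last.get(port)
        self._last[port] = state
        if prev is None or prev == state:
            return False                  # first sample, or no transition: not a flap
        q = self._flaps.setdefault(port, deque())
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()                   # forget transitions that left the window
        if len(q) >= self.limit:
            self.disabled.add(port)
            self.messages.append(f"{port}: {len(q)} flaps in {self.window:g}s, port disabled")
            return True
        return False


def run_constructed_scenario():
    """Two constructed ports: one flapping every second, one every three seconds."""
    mon = StackLinkMonitor()
    fast = [(0, "up"), (1, "down"), (2, "up"), (3, "down"), (4, "up"), (5, "down")]
    slow = [(0, "up"), (3, "down"), (6, "up"), (9, "down"), (12, "up"), (15, "down")]
    for t, s in fast:
        mon.observe("stack-unit 1 port 0/0", t, s)   # placeholder port name
    for t, s in slow:
        mon.observe("stack-unit 2 port 0/1", t, s)   # placeholder port name
    return mon.disabled
```

The slow port makes five transitions too, but they span 15 seconds, so at most four ever fall inside one 10-second window and it stays enabled; the fast port is disabled on its fifth transition.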
5     0    up          up    7021   up    7123
5     1    up          up    6971   up    7021
5     2    up          up    7021   up    6971
Speed in RPM
50 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
To view the storm control configuration, use the show storm-control {broadcast | multicast | unknown-unicast | pfc-llfc} [interface] command.
• storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
  INTERFACE mode
  storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets. This can be the result of a faulty NIC or switch that sends spurious PFC/LLFC packets.
Restore Queue Drop State
You can restore a queue drop that was triggered by storm control PFC detection to the normal state. Once storm control detects a PFC storm on a port or priority, the queue drop action can be activated. You can restore the dropped queue to the normal state under the following conditions. To restore the queue after a particular period of time, use the queue-drop backoff-force polling-count command to remove the queue-drop state after the specified number of polling cycles is done.
51 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
Important Points to Remember
• STP is disabled by default.
• The Dell EMC Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
• You may only enable one flavor of spanning tree at any one time.
1. If the interface has been assigned an IP address, remove it.
   INTERFACE mode
   no ip address
2. Place the interface in Layer 2 mode.
   INTERFACE mode
   switchport
3. Enable the interface.
   INTERFACE mode
   no shutdown
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
   CONFIGURATION mode
   protocol spanning-tree 0
2. Enable STP.
   PROTOCOL SPANNING TREE mode
   no disable
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group
To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
  INTERFACE mode
  spanning-tree 0
Modifying Global Parameters
You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC Privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 128. Enabling BPDU Guard
Dell EMC Networking OS Behavior
BPDU guard:
• is used on edgeports and blocks all traffic on an edgeport if it receives a BPDU.
• drops the BPDU after it reaches the RP and generates a console message.
Example of Blocked BPDUs
DellEMC(conf-if-te-1/7)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32768, Address 0001.e805.fb07
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32768, Address 0001.e85d.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 129. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
• Enable SNMP traps for spanning tree state changes.
  snmp-server enable traps stp
• Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 130. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port-channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
• If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
• When used in a PVST+ network, STP loop guard is performed per-port or per-port-channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN.
To enable loop guard on an STP-enabled port or port-channel interface, use the following command.
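A compact model of the three port guards covered in this chapter, as an added example (not Dell EMC Networking OS code). It parses an IEEE 802.1D configuration BPDU and applies BPDU guard (an edgeport that receives any BPDU is blocked), root guard (a port that receives a BPDU advertising a better root than the current one is blocked) and loop guard (a port that stops receiving BPDUs for max-age goes Loop-Inconsistent and recovers when BPDUs resume). The bridge IDs and timings are constructed; the state names and the "superior BPDU" test for root guard follow the standard definitions rather than wording from this page.

```python
"""STP BPDU parsing and port guards (added example, not Dell EMC Networking OS code)."""
import struct
from dataclasses import dataclass, field

# IEEE 802.1D configuration BPDU: protocol id, version, type, flags, root id,
# root path cost, bridge id, port id, message age, max age, hello time,
# forward delay. Timer fields are in units of 1/256 s. 35 bytes in total.
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)


@dataclass
class ConfigBpdu:
    root_id: bytes        # 2-byte priority + 6-byte MAC; numerically lower is better
    root_path_cost: int
    bridge_id: bytes
    max_age: float        # seconds


def build_config_bpdu(root_id, bridge_id, cost=0, max_age=20):
    """Constructed BPDU (hello 2 s, forward delay 15 s) for the scenarios below."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, cost, bridge_id,
                       0x8001, 0, max_age * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(data: bytes) -> ConfigBpdu:
    if len(data) < BPDU_LEN:
        raise ValueError("short BPDU")
    (proto, _ver, bpdu_type, _flags, root_id, cost, bridge_id, _port,
     _msg_age, max_age, _hello, _fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or bpdu_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBpdu(root_id, cost, bridge_id, max_age / 256)


@dataclass
class GuardedPort:
    name: str
    current_root: bytes              # root ID this bridge currently believes in
    bpdu_guard: bool = False         # edgeport: BPDUs are never expected here
    root_guard: bool = False
    loop_guard: bool = False         # port normally receives BPDUs (root/alternate role)
    state: str = "forwarding"
    last_bpdu_time: float = 0.0
    events: list = field(default_factory=list)

    def on_bpdu(self, raw: bytes, now: float) -> str:
        bpdu = parse_config_bpdu(raw)
        self.last_bpdu_time = now
        if self.bpdu_guard:
            # Edgeport received a BPDU: block all traffic on the port.
            self.state = "err-disabled"
            self.events.append(f"{self.name}: BPDU guard tripped by {bpdu.bridge_id.hex()}")
        elif self.root_guard and bpdu.root_id < self.current_root:
            # Superior BPDU: the neighbour would become root through this port.
            self.state = "root-inconsistent"
            self.events.append(f"{self.name}: root guard blocked root {bpdu.root_id.hex()}")
        elif self.loop_guard and self.state == "loop-inconsistent":
            # BPDUs resumed, so loop guard releases the port automatically.
            self.state = "forwarding"
            self.events.append(f"{self.name}: loop guard cleared")
        return self.state

    def on_timer(self, now: float, max_age: float = 20.0) -> str:
        if (self.loop_guard and self.state == "forwarding"
                and now - self.last_bpdu_time > max_age):
            self.state = "loop-inconsistent"
            self.events.append(f"{self.name}: no BPDU for {max_age:g}s, loop guard blocking")
        return self.state
```

Only loop guard recovers on its own in this model; BPDU guard and root guard leave the port blocked until an operator clears it, which is why the events list is kept: it is what you would forward to a console or syslog collector.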
52 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 131.
Enable the SupportAssist service.
CONFIGURATION mode
support-assist activate
DellEMC(conf)#support-assist activate
This command guides you through the steps to configure SupportAssist.
Configuring SupportAssist Manually
To manually configure the SupportAssist service, use the following commands.
1. Accept the end-user license agreement (EULA).
   CONFIGURATION mode
   eula-consent {support-assist} {accept | reject}
   NOTE: Once accepted, you do not have to accept the EULA again.
   support-assist
   DellEMC(conf)#support-assist
   DellEMC(conf-supportassist)#
3. (Optional) Configure the contact information for the company.
   SUPPORTASSIST mode
   contact-company name {company-name} [company-next-name] ... [company-next-name]
   DellEMC(conf)#support-assist
   DellEMC(conf-supportassist)#contact-company name test
   DellEMC(conf-supportassist-cmpy-test)#
4. (Optional) Configure the contact name for an individual.
   [no] activity {full-transfer | core-transfer | event-transfer}
   DellEMC(conf-supportassist)#activity full-transfer
   DellEMC(conf-supportassist-act-full-transfer)#
   DellEMC(conf-supportassist)#activity core-transfer
   DellEMC(conf-supportassist-act-core-transfer)#
   DellEMC(conf-supportassist)#activity event-transfer
   DellEMC(conf-supportassist-act-event-transfer)#
2. Copy an action-manifest file for an activity to the system.
   [no] enable
   DellEMC(conf-supportassist-act-full-transfer)#enable
   DellEMC(conf-supportassist-act-full-transfer)#
   DellEMC(conf-supportassist-act-core-transfer)#enable
   DellEMC(conf-supportassist-act-core-transfer)#
   DellEMC(conf-supportassist-act-event-transfer)#enable
   DellEMC(conf-supportassist-act-event-transfer)#
Configuring SupportAssist Company
SupportAssist Company mode allows you to configure the name, address and territory information of the company.
   SUPPORTASSIST PERSON mode
   [no] email-address primary email-address [alternate email-address]
   DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
   DellEMC(conf-supportassist-pers-john_doe)#
3. Configure phone numbers of the contact person.
   SUPPORTASSIST PERSON mode
   [no] phone primary phone [alternate phone]
   DellEMC(conf-supportassist-pers-john_doe)#phone primary +919999999999
   DellEMC(conf-supportassist-pers-john_doe)#
4. Configure the preferred method for contacting the person.
   [no] url uniform-resource-locator
   DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
   DellEMC(conf-supportassist-serv-default)#
Viewing SupportAssist Configuration
To view the SupportAssist configuration, use the following commands:
1. Display information on the SupportAssist feature status, including any activities, status of communication, last time communication was sent, and so on.
   show eula-consent {support-assist | other feature}
   DellEMC#show eula-consent support-assist
   SupportAssist EULA has been: Accepted
   Additional information about the SupportAssist EULA is as follows:
   By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
53 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. System times and dates can be set and maintained through NTP. They can also be set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview
The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
To view the configuration, use the show running-config ntp command in EXEC Privilege mode (refer to the example in Configuring NTP Authentication).
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's position in the hierarchy. The following example shows configuring an NTP server.
Dell EMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.44
ntp server 10.16.127.86
ntp server 10.16.127.
To view the NTP configuration, use the show running-config ntp command in EXEC Privilege mode. The following example shows an encrypted authentication key (in bold). All keys are encrypted.
DellEMC#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02
ntp server 11.1.1.1 version 3
ntp trusted-key 345
DellEMC#
Configuring NTP control key password
The Network Time Protocol daemon (NTPD) design uses NTPQ to configure NTPD.
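The client/server exchange of the Protocol Overview, the offset and delay figures that show ntp status reports, and the keyed-MD5 authentication configured with ntp authentication-key and ntp trusted-key, worked through in one constructed exchange. This is an added example for this page, not Dell EMC Networking OS code: the key id 345 is taken from the configuration above, but the shared key, the timestamps and the 100 ms server clock skew are constructed, and the MAC layout (4-byte key id followed by MD5 over key || header) is the NTPv3/RFC 5905 MD5 scheme, not something this page describes.

```python
"""NTP exchange, MD5 MAC check and offset/delay (added example, not Dell EMC Networking OS code)."""
import hashlib
import hmac
import struct

NTP_EPOCH_DELTA = 2_208_988_800        # seconds from 1900-01-01 to 1970-01-01
HEADER_FMT = ">BBbbIIIQQQQ"            # 48-byte NTP header (RFC 5905)
MAC_LEN = 4 + 16                       # key id + MD5 digest


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int(round((unix_seconds + NTP_EPOCH_DELTA) * 2 ** 32))


def from_ntp_ts(ts: int) -> float:
    return ts / 2 ** 32 - NTP_EPOCH_DELTA


def build_packet(mode, stratum, ref_ts, origin_ts, recv_ts, xmit_ts, key_id=None, key=None):
    """Version-3 packet; with a key, append the keyed-MD5 MAC computed over the header."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode            # leap 0, version 3, mode 3/4
    header = struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -18,
                         0, 0, 0, ref_ts, origin_ts, recv_ts, xmit_ts)
    if key is None:
        return header
    digest = hashlib.md5(key + header).digest()        # MAC = MD5(key || header)
    return header + struct.pack(">I", key_id) + digest


def verify_mac(packet: bytes, trusted_keys: dict):
    """Return the key id when the MAC verifies with a trusted key, else None."""
    if len(packet) != 48 + MAC_LEN:
        return None
    header = packet[:48]
    key_id = struct.unpack(">I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None                                    # key id is not a trusted key
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(expected, packet[52:68]) else None


def offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset and round-trip delay from the four timestamps (seconds)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def run_constructed_exchange():
    key_id, key = 345, b"constructed-shared-secret"     # key id from the page, key constructed
    trusted = {key_id: key}
    t1 = 1_531_214_191.0                               # client transmit (client clock)
    request = build_packet(3, 0, 0, 0, 0, to_ntp_ts(t1), key_id, key)
    # Server clock runs 100 ms ahead; 50 ms each way on the wire; 2 ms turnaround.
    t2 = t1 + 0.050 + 0.100                            # server receive (server clock)
    t3 = t2 + 0.002                                    # server transmit (server clock)
    origin = struct.unpack(HEADER_FMT, request[:48])[10]   # server echoes client's transmit ts
    reply = build_packet(4, 4, to_ntp_ts(t1 - 60), origin,
                         to_ntp_ts(t2), to_ntp_ts(t3), key_id, key)
    t4 = t1 + 0.050 + 0.002 + 0.050                    # client receive (client clock)
    auth = verify_mac(reply, trusted)
    f = struct.unpack(HEADER_FMT, reply[:48])
    offset, delay = offset_and_delay(from_ntp_ts(f[8]), from_ntp_ts(f[9]),
                                     from_ntp_ts(f[10]), t4)
    tampered = bytearray(reply)
    tampered[40] ^= 0x01                               # flip one bit of the transmit timestamp
    return {"auth_key": auth, "tampered_key": verify_mac(bytes(tampered), trusted),
            "offset": offset, "delay": delay, "mode": f[0] & 0x07}
```

With the constructed numbers the client recovers an offset of +0.100 s and a round-trip delay of 0.100 s; the 2 ms the server spent between receive and transmit is cancelled out of the delay. The tampered reply fails the MAC check even though every field still parses, which is the property an ntp trusted-key configuration relies on.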
Dell EMC Networking OS Time and Date You can set the time and date using the Dell EMC Networking OS CLI. Configuration Task List The following is a configuration task list for configuring the time and date settings.
Set Daylight Saving Time
Dell EMC Networking OS supports setting the system to daylight saving time once or on a recurring basis every year.
Setting Daylight Saving Time Once
Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. To set the clock for daylight saving time once, use the following command.
• Set the clock to the appropriate timezone and daylight saving time.
• start-year: Enter a four-digit number as the year. The range is from 1993 to 2035.
• start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
• end-week: If you entered a start-week, enter one of the following as the week in which daylight saving time ends:
  • week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
54 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
 tunnel mode ipv6ip
 no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
 ip address 3.1.1.
 ip address 20.1.1.1/24
 ipv6 address 20:1::1/64
 no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip decapsulate-any
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
 ip unnumbered TenGigabitEthernet 1/1
 ipv6 unnumbered TenGigabitEthernet 1/1
 tunnel source 40.1.1.
 tunnel allow-remote 40.1.1.2
 tunnel mode ipip decapsulate-any
 no shutdown
Guidelines for Configuring Multipoint Receive-Only Tunnels
• You can configure up to eight remote end-points for a multipoint receive-only tunnel.
• The maximum number of remote end-points supported for all multipoint receive-only tunnels on the switch depends on the hardware table size available to set up termination.
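What a receive-only IPIP tunnel endpoint has to check before it hands an inner packet to the forwarding path, as an added example (not Dell EMC Networking OS code). It models the configuration above: tunnel source 40.1.1.1 is the only acceptable outer destination, the outer protocol must be IPv4-in-IPv4 (4, RFC 2003) or IPv6-in-IPv4 (41, RFC 4213), at most eight remote end-points can be listed, and only outer sources listed by tunnel allow-remote are decapsulated. That last point is the conservative reading of allow-remote; the page does not say what the switch does with an unlisted source when the list is empty, so this model refuses to build a tunnel with no remotes at all. The headers are constructed and the IPv4 checksum is not validated.

```python
"""Receive-only IP-in-IP termination with an allow-remote check (added example)."""
import ipaddress
import struct

IPPROTO_IPIP = 4        # IPv4 in IPv4 (RFC 2003)
IPPROTO_IPV6 = 41       # IPv6 in IPv4 (RFC 4213)
MAX_REMOTES = 8         # per-tunnel limit stated on the page


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Constructed 20-byte IPv4 header with no options; checksum left at zero."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(payload_len=0):
    """Constructed 40-byte IPv6 header (next header 59 = no next header)."""
    return struct.pack(">IHBB16s16s", 0x60000000, payload_len, 59, 64, b"\0" * 16, b"\0" * 16)


class ReceiveOnlyTunnel:
    def __init__(self, local, allowed_remotes):
        if not 1 <= len(allowed_remotes) <= MAX_REMOTES:
            raise ValueError(f"1..{MAX_REMOTES} remote end-points required")
        self.local = ipaddress.IPv4Address(local)            # tunnel source
        self.allowed = {ipaddress.IPv4Address(a) for a in allowed_remotes}
        self.drops = []                                     # (reason, outer source)

    def _drop(self, reason, src=None):
        self.drops.append((reason, str(src) if src is not None else None))
        return None

    def decapsulate(self, outer: bytes):
        """Return (inner_ip_version, inner_packet), or None if the packet is dropped."""
        if len(outer) < 20 or outer[0] >> 4 != 4:
            return self._drop("not-ipv4")
        ihl = (outer[0] & 0x0F) * 4
        total_len = struct.unpack(">H", outer[2:4])[0]
        if ihl < 20 or total_len > len(outer) or total_len < ihl:
            return self._drop("bad-length")
        proto = outer[9]
        src = ipaddress.IPv4Address(outer[12:16])
        dst = ipaddress.IPv4Address(outer[16:20])
        if dst != self.local:
            return self._drop("not-tunnel-source", src)
        if proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
            return self._drop("not-tunnel-protocol", src)
        if src not in self.allowed:
            return self._drop("remote-not-allowed", src)      # allow-remote check
        inner = outer[ihl:total_len]
        inner_version = inner[0] >> 4 if inner else 0
        expected = 4 if proto == IPPROTO_IPIP else 6
        if inner_version != expected:
            return self._drop("inner-version-mismatch", src)  # protocol field lied
        return inner_version, inner
```

The drops list is the operational point: a packet from an unlisted remote is not an error in the tunnel, but a count of remote-not-allowed drops per source is what tells you someone is trying to inject traffic through the decapsulating interface.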
55 Uplink Failure Detection (UFD)
Feature Description
A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity. However, the devices do not receive a direct indication that upstream connectivity is lost because connectivity to the switch is still operational. UFD allows a switch to associate downstream interfaces with upstream interfaces.
Figure 133. Uplink Failure Detection
How Uplink Failure Detection Works
UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 134. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number; it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces.
• If an uplink-state group has no upstream interfaces assigned, you cannot disable downstream interfaces when an upstream link goes down.
To enable the debug messages for events related to a specified uplink-state group or all groups, use the debug uplink-state-group [group-id] command, where the group-id is from 1 to 16.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
   UPLINK-STATE-GROUP mode
   no enable
   By default, upstream-link tracking is enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command.
Clearing a UFD-Disabled Interface
You can manually bring up a downstream interface in an uplink-state group that UFD disabled and that is in a UFD-Disabled Error state.
Displaying Uplink Failure Detection
To display information on the UFD feature, use any of the following commands.
• Display status information on a specified uplink-state group or all groups.
  EXEC mode
  show uplink-state-group [group-id] [detail]
  • group-id: The values are from 1 to 16.
  • detail: displays additional status information on the upstream and downstream interfaces in each group.
• Display the current status of a port or port-channel interface assigned to an uplink-state group.
Upstream Interfaces   : Te 1/4(Dwn) Po 8(Dwn)
Downstream Interfaces : Te 1/10(Dwn)
The following example shows viewing the interface status with UFD information.
• Verify the configuration with various show commands.
56 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
57 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
• Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and Dell EMC Networking OS removes the interface from the Default VLAN.
• A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN. Configuration Task List This section contains the following VLAN configuration tasks.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands.
1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
   CONFIGURATION mode
   interface vlan vlan-id
2. Enable an interface to include the IEEE 802.1Q tag header.
untagged interface This command is available only in VLAN interfaces. The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN. To determine interface status, use the show vlan command.
Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
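The IEEE 802.1Q tag header that the text refers to, parsed field by field, together with the hybrid-port rule from the Native VLAN section (an untagged frame from a VLAN-unaware station lands in the native VLAN; a tagged frame is accepted only for a VLAN the port is a tagged member of). This is an added example for this page, not Dell EMC Networking OS code. The frames, MAC addresses and VLAN numbers are constructed; treating VLAN 1 as the Default VLAN, and treating a priority-tagged frame (VID 0) like an untagged one, are assumptions drawn from the 802.1Q standard rather than from this page.

```python
"""802.1Q tag parsing and hybrid (native VLAN) port handling (added example)."""
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100
DEFAULT_VLAN = 1          # assumed: the Default VLAN the chapter describes


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tagged: bool
    vlan_id: int
    pcp: int              # priority code point: the tag field used to prioritise traffic
    dei: int              # drop eligible indicator
    ethertype: int        # ethertype of the encapsulated payload
    payload: bytes


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Constructed frame; when vlan_id is given, an 802.1Q tag follows the MAC addresses."""
    if vlan_id is None:
        return dst + src + struct.pack(">H", ethertype) + payload
    tci = (pcp << 13) | (dei << 12) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack(">HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(raw: bytes, native_vlan: int = DEFAULT_VLAN) -> ParsedFrame:
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack(">H", raw[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        # Untagged: the ingress port's native (untagged) VLAN applies.
        return ParsedFrame(dst, src, False, native_vlan, 0, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack(">HH", raw[14:18])
    pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    if vid == 0:
        # Priority-tagged: carries a priority but no VLAN, so it is handled
        # like an untagged frame on the native VLAN (802.1Q convention).
        return ParsedFrame(dst, src, False, native_vlan, pcp, dei, inner, raw[18:])
    if vid == 0x0FFF:
        raise ValueError("VID 4095 is reserved")
    return ParsedFrame(dst, src, True, vid, pcp, dei, inner, raw[18:])


@dataclass
class HybridPort:
    """A port that is untagged in its native VLAN and tagged in other VLANs."""
    native_vlan: int
    tagged_vlans: frozenset

    def ingress_vlan(self, raw: bytes):
        """VLAN the frame is switched in, or None when the port drops it."""
        frame = parse_frame(raw, self.native_vlan)
        if not frame.tagged:
            return frame.vlan_id          # VLAN-unaware station: native VLAN
        if frame.vlan_id in self.tagged_vlans:
            return frame.vlan_id          # VLAN-aware station, permitted tag
        return None                       # tag for a VLAN this port is not a member of
```

The drop in the last branch is the check that matters on a hybrid port: a station that attaches a tag for a VLAN the port was never made a member of must not be switched into that VLAN.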
58 Virtual Link Trunking (VLT) Overview In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, bandwidth of all links is not effectively utilized by the connected devices. Figure 136. Traditional switched topology VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain. VLT provides Layer 2 multipathing, creating redundancy through increased bandwidth, enabling multiple parallel paths between nodes, and load-balancing traffic where alternate paths exist.
between the two VLT chassis. IGMP and VLT configurations must be identical on both sides of the trunk to ensure the same behavior on both sides. The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP).
VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2. MAC synchronization between VLT peers handles the traffic flow even if it is hashed and forwarded through the other member of the portchannel.
VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks.
Figure 141. Enhanced VLT
Configure Virtual Link Trunking
VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.
Important Points to Remember
• You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
• VLT port channel interfaces must be switch ports.
• If you include RSTP on the system, configure it before VLT.
• When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
• When you enable Layer 3 routing protocols on VLT peers, make sure the delay-restore timer is set to a value that allows sufficient time for all routes to establish adjacency and exchange all the L3 routes between the VLT peers before you enable the VLT ports.
• Separately configure each VLT peer switch with the same VLT domain ID and the VLT version. If the system detects mismatches between VLT peer switches in the VLT domain ID or VLT version, the VLT Interconnect (VLTi) does not activate. To find the reason for the VLTi being down, use the show vlt statistics command to verify that there are mismatch errors, then use the show vlt brief command on each VLT peer to view the VLT version on the peer switch.
• The discovery protocol running between VLT peers automatically generates the ID number of the port channel that connects an access device and a VLT switch.
• The discovery protocol uses LACP properties to identify connectivity to a common client device and automatically generates a VLT number for port channels on VLT peers that connect to the device.
• The discovery protocol requires that an attached device always runs LACP over the port-channel interface.
• Configure the same L3 routing (static and dynamic) on each peer so that the L3 reachability and routing tables are identical on both VLT peers.
• Both the VRRP master and backup peers must be able to locally forward L3 traffic in the same way.
• In a VLT domain, although both VLT peers actively participate in L3 forwarding as the VRRP master or backup router, the show vrrp command output displays one peer as master and the other peer as backup.
VLT Bandwidth Monitoring
When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated.
%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
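Detection logic for the ICL bandwidth messages above, run over sample log lines: it splits the Dell EMC Networking OS syslog prefix (stack unit, role, CPU, facility, severity, mnemonic) from the message text, extracts the port-channel number and usage percentage, and raises one alert per port-channel when the 80% threshold is crossed, clearing it when a later message reports usage below the threshold. This is an added example for this page, not Dell EMC Networking OS code. The first sample line is the message quoted above; the clearing line is constructed for the example, because the page does not show the exact text of the below-threshold message, and the detector therefore keys on the reported percentage rather than on that wording.

```python
"""VLTi (ICL) bandwidth-threshold syslog detector (added example, not Dell EMC Networking OS code)."""
import re

THRESHOLD_PCT = 80      # the 80% threshold stated on the page

# %STKUNITn-ROLE:CPU %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^%(?P<unit>STKUNIT\d+)-(?P<role>[A-Z]):(?P<cpu>\w+)\s+"
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9-]+):\s*(?P<text>.*)$")
ICL_RE = re.compile(
    r"VLT-ICL-LAG \(portchannel (?P<pc>\d+)\).*?Bandwidth usage \((?P<pct>\d+)\s*\)")


def parse_syslog(line: str):
    """Split a Dell EMC Networking OS syslog line into its prefix fields and text."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


class IclBandwidthMonitor:
    def __init__(self, threshold=THRESHOLD_PCT):
        self.threshold = threshold
        self.over = set()          # port-channels currently above threshold

    def feed(self, line: str):
        """Return ('raise'|'clear', portchannel, pct), or None when nothing changes."""
        rec = parse_syslog(line)
        if rec is None or rec["facility"] != "VLTMGR" or rec["mnemonic"] != "VLT-LAG-ICL":
            return None
        m = ICL_RE.search(rec["text"])
        if not m:
            return None
        pc, pct = int(m["pc"]), int(m["pct"])
        if pct >= self.threshold and "crosses threshold" in rec["text"]:
            if pc in self.over:
                return None            # repeated crossing: do not re-alert
            self.over.add(pc)
            return ("raise", pc, pct)
        if pct < self.threshold and pc in self.over:
            self.over.discard(pc)
            return ("clear", pc, pct)
        return None


def run_constructed_sample():
    crossed = ("%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of "
               "VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )")
    # Constructed clearing line: the page does not show the real below-threshold text.
    cleared = ("%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of "
               "VLT-ICL-LAG (portchannel 25) below threshold. Bandwidth usage (60 )")
    mon = IclBandwidthMonitor()
    return [e for e in (mon.feed(l) for l in (crossed, crossed, cleared)) if e]
```

Sustained ICL saturation is worth alerting on because, on a VLT pair, it is also the symptom of a failed or mis-cabled VLT port-channel member: traffic that should have been forwarded locally is crossing the peer link instead.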
PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 142.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
Figure 143. Packets without peer routing enabled
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.
Figure 144. Packets with peer routing enabled
Benefits of Peer Routing
• Avoids sub-optimal routing
• Reduces latency by avoiding another hop in the traffic path.
VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer. This method avoids sub-optimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM. If a VLT node is down, a timer that allows you to configure the amount of time needed for peer recovery provides resiliency. You can enable VLT unicast across multiple configurations using VLT links.
• When using factory default settings on a new switch deployed as a VLT node, packet loss may occur due to the requirement that all ports must be open.
• ECMP is not compatible on VLT nodes using VLT multicast. You must use a single VLAN.
Configuring VLT Multicast
To enable and configure VLT multicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   vlt domain domain-id
2. Enable peer-routing.
1. Configure RSTP in the core network and on each peer switch as described in Rapid Spanning Tree Protocol (RSTP). Disabling RSTP on one VLT peer may result in a VLT domain failure.
2. Enable RSTP on each peer switch.
   PROTOCOL SPANNING TREE RSTP mode
   no disable
3. Configure each peer switch with a unique bridge priority.
1. Configure the VLT interconnect for the VLT domain. The primary and secondary switch roles in the VLT domain are automatically assigned after you configure both sides of the VLTi.
   NOTE: If you use a third-party ToR unit, to avoid potential problems if you reboot the VLT peers, Dell EMC recommends using static LAGs on the VLTi between VLT peers.
2. Enable VLT and create a VLT domain ID. VLT automatically selects a system MAC address.
3. Configure a backup link for the VLT domain.
4.
3. Configure the port channel to be used as the VLT interconnect between VLT peers in the domain.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
4. Enable peer routing.
   VLT DOMAIN CONFIGURATION mode
   peer-routing
   If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5.
   CONFIGURATION mode
   delay-restore delay-restore-time
   The range is from 1 to 1200. The default is 90 seconds.

Reconfiguring the Default VLT Settings (Optional)
To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
2.
   channel-member interface
   interface: specify one of the following interface types:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
5. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
6. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device.
   peer-link port-channel id-number
5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
   VLT DOMAIN CONFIGURATION mode
   back-up destination ip-address [interval seconds]
   You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
6.
   peer-routing
   If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
17. Repeat steps 1 through 16 for the VLT peer node in Domain 1.
18. Repeat steps 1 through 16 for the first VLT node in Domain 2.
19. Repeat steps 1 through 16 for the VLT peer node in Domain 2.
To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration.

VLT Sample Configuration
To review a sample VLT configuration setup, study these steps.
1.
Dell-4(conf)#vlt domain 5
Dell-4(conf-vlt-domain)#

Configure the VLTi between VLT peer 1 and VLT peer 2.
1. You can configure the LACP/static LAG between the peer units (not shown).
2. Configure the peer-link port-channel in the VLT domains of each peer unit.
In the ToR unit, configure LACP on the physical ports.
PVST+ Configuration
PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. Run PVST+ on both VLT peer switches. A PVST+ instance is created for every VLAN configured in the system. PVST+ instances running in the Primary Peer control the VLT-LAGs on both Primary and Secondary peers.
• Access switch A1 is connected to two VLT peers (Dell-1 and Dell-2).
• The two VLT peers are connected to an upstream switch R1.
• OSPF is configured in Dell-1, Dell-2, and R1 switches.
• Dell-1 is configured as the root bridge.
• Dell-1 is configured as the VLT primary.
• As the Router ID of Dell-1 is the highest in the topology (highest loopback address of 172.17.1.1), Dell-1 is the OSPF Designated Router.
• As the Router ID of Dell-2 is the second highest in the topology (172.16.1.
The following is the configuration in interfaces:
DellEMC#1#sh run int ma0/0
interface ManagementEthernet 0/0
 description Used_for_VLT_Keepalive
 ip address 10.10.10.1/24
 no shutdown
(The management interfaces are part of a default VRF and are isolated from the switch's data plane.)
In Dell-1, te 0/0 and te 0/1 are used for VLTi.
 description port-channel_to_access_switch_A1
 no ip address
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
 description OSPF PEERING VLAN
 ip address 192.168.20.1/29
 untagged Port-channel 1
 no shutdown
!
DellEMC#1#sh run int vlan 800
interface Vlan 800
 description Client-VLAN
 ip address 192.168.8.
HeartBeat Messages Sent:     4
HeartBeat Messages Received: 5
Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
DellEMC#1#sh vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  ------------
1             1            UP            UP           20
2             2            UP            UP           1, 800, 900
The following output displays the OSPF configuration in Dell-1
DellEMC#1#sh run | find router
router ospf 1
 router-id 172.17.1.1
 network 192.168.9.
VlanId  Mac Address        Region    Interface
800     ff:ff:ff:ff:ff:ff  STATIC    00001
0       ff:ff:ff:ff:ff:ff  STATIC    00001
0       90:b1:1c:f4:2c:bd  LOCAL_DA  00001
0       90:b1:1c:f4:29:f3  LOCAL_DA  00001
The above output shows that the 90:b1:1c:f4:2c:bd MAC address belongs to Dell-1. The 90:b1:1c:f4:29:f3 MAC address belongs to Dell-2. Also note that these MAC addresses are marked with LOCAL_DA. This means these are the local destination MAC addresses used by hosts when routing is required.
Te 0/4 connects to the access switch A1.
Dell-2#sh run int te0/4
interface TenGigabitEthernet 0/4
 description To_Access_Switch_A1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 2 mode active
 no shutdown
Te 0/6 connects to the uplink switch R1.
Dell-2#sh run int te0/6
interface TenGigabitEthernet 0/6
 description To_CR1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown
Port channel 1 connects the uplink switch R1.
 unit-id 0
 peer routing
Verify if VLT on Dell-1 is functional
Dell-2#sh vlt brief
VLT Domain Brief
-----------------
Domain ID:                       1
Role:                            Secondary
Role Priority:                   55000
ICL Link Status:                 Up
HeartBeat Status:                Up
VLT Peer Status:                 Up
Local Unit Id:                   1
Version:                         6(3)
Local System MAC address:        90:b1:1c:f4:29:f1
Remote System MAC address:       90:b1:1c:f4:2c:bb
Configured System MAC address:   90:b1:1c:f4:0
Remote system version:
Delay-Restore timer:
Peer routing :
Peer routing-Timeout timer:
Multicast peer routing timeout:
The following output displays the routes learned using OSPF. Dell-2 also learns the routes to the loopback addresses on R1 through OSPF.
Dell-2#show ip route ospf
  Destination         Gateway
  -----------         -------
  O 2.2.2.2/24        via 192.168.20.3,
  O 3.3.3.2/24        via 192.168.20.3,
  O 4.4.4.2/24        via 192.168.20.3,
  O 172.15.1.1/32     via 192.168.20.3,
  O 172.16.1.2/32     via 192.168.20.
 network 172.15.1.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.7 area 0
CR1#show ip ospf neighbor (R1 is a DROTHER)
Neighbor ID  Pri  State     Dead Time  Address       Interface
172.16.1.2   1    FULL/BDR  00:00:31   192.168.20.2  Port-channel1
172.17.1.1   1    FULL/DR   00:00:38   192.168.20.1  Port-channel1
CR1#show ip route (Output Truncated)
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback3
O    192.168.8.0/24 [110/2] via 192.168.
Figure 146. eVLT Configuration Example

eVLT Configuration Step Examples
In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example
The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.

Examples of Configuring PIM-Sparse Mode
The following example shows how to enable PIM multicast routing on the VLT node globally.
• Display the current configuration of all VLT domains or a specified group on the switch.
  EXEC mode
  show running-config vlt
• Display statistics on VLT operation.
  EXEC mode
  show vlt statistics
• Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
  EXEC mode
  show spanning-tree rstp
• Display the current status of a port or port-channel interface used in the VLT domain.
Multicast peer-routing timeout  : 150 seconds
DellEMC#
The following example shows the show vlt detail command.
HeartBeat Messages Received:  978
ICL Hello's Sent:             89
ICL Hello's Received:         89
The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Dell_VLTpeer1(conf-if-ma-0/0)#no shutdown
Dell_VLTpeer1(conf-if-ma-0/0)#exit
Configure the VLT interconnect (VLTi).
Dell_VLTpeer1(conf)#interface port-channel 100
Dell_VLTpeer1(conf-if-po-100)#no ip address
Dell_VLTpeer1(conf-if-po-100)#channel-member fortyGigE 1/48,52
Dell_VLTpeer1(conf-if-po-100)#no shutdown
Dell_VLTpeer1(conf-if-po-100)#exit
Configure the port channel to an attached device.
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description: System MAC mismatch
  Behavior at Peer Up: A syslog error message and an SNMP trap are generated.
  Behavior During Run Time: A syslog error message and an SNMP trap are generated.
  Action to Take: Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.
Description: Unit ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up. The VLTi is forced to a down state.
  Behavior During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state.
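The mismatches in the table above (system MAC must be identical on both peers, unit ID must differ) and the ranges this chapter gives earlier (domain ID 1 to 1000, delay-restore 1 to 1200 seconds, back-up hello interval 1 to 5 seconds) can be checked before the peers are brought up. The following is an added example, not code from the Dell guide: it parses the vlt domain block of each peer's running-config (in the form shown in the Dell-3/Dell-4 configurations later in this chapter) and reports the findings; the sample configurations are constructed from the values in this chapter, and the faulty peer is invented to show the checks firing.

```python
"""Consistency check for the two sides of a VLT domain (added example).

Parses the 'vlt domain' block of each peer in running-config form and
reports: system MAC mismatch, duplicate unit-id, out-of-range domain ID,
delay-restore and back-up hello interval, missing peer-link or back-up
destination, and peer-routing enabled on only one side (proxy ARP needs
both). Sample configs below are constructed from this chapter's values.
"""
import re

RANGES = {"domain": (1, 1000), "delay-restore": (1, 1200), "backup-interval": (1, 5)}

# Commands accepted inside the vlt domain block (constructed from the guide's syntax)
PATTERNS = {
    "peer-link": re.compile(r"peer-link port-channel (\d+)"),
    "backup": re.compile(r"back-up destination (\S+)(?: interval (\d+))?"),
    "primary-priority": re.compile(r"primary-priority (\d+)"),
    "system-mac": re.compile(r"system-mac mac-address (\S+)"),
    "unit-id": re.compile(r"unit-id (\d+)"),
}


def parse_vlt_domain(config: str) -> dict:
    """Pull the VLT domain settings out of a running-config text."""
    cfg = dict.fromkeys(["domain", "peer-link", "backup", "backup-interval",
                         "primary-priority", "system-mac", "unit-id", "delay-restore"])
    cfg["peer-routing"] = False
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlt domain (\d+)", line)
        if m:
            cfg["domain"], in_block = int(m.group(1)), True
            continue
        m = re.fullmatch(r"delay-restore (\d+)", line)  # CONFIGURATION mode command
        if m:
            cfg["delay-restore"] = int(m.group(1))
            continue
        if not in_block:
            continue
        if line in ("", "!"):  # end of the vlt domain block
            in_block = False
        elif line == "peer-routing":
            cfg["peer-routing"] = True
        else:
            for key, pat in PATTERNS.items():
                m = pat.fullmatch(line)
                if not m:
                    continue
                if key == "backup":
                    cfg["backup"] = m.group(1)
                    cfg["backup-interval"] = int(m.group(2)) if m.group(2) else None
                elif key == "system-mac":
                    cfg[key] = m.group(1).lower()
                else:
                    cfg[key] = int(m.group(1))
                break
    return cfg


def check_vlt_peers(config_a: str, config_b: str) -> list:
    """Return (code, message) findings for a pair of peer configurations."""
    peers = {"A": parse_vlt_domain(config_a), "B": parse_vlt_domain(config_b)}
    findings = []
    for name, cfg in peers.items():
        if cfg["domain"] is None:
            findings.append(("no-domain", f"peer {name}: no vlt domain configured"))
            continue
        for key, (lo, hi) in RANGES.items():
            if cfg[key] is not None and not lo <= cfg[key] <= hi:
                findings.append((f"{key}-range", f"peer {name}: {key} {cfg[key]} outside {lo}-{hi}"))
        if cfg["peer-link"] is None:
            findings.append(("no-peer-link", f"peer {name}: no VLTi peer-link port-channel"))
        if cfg["backup"] is None:
            findings.append(("no-backup", f"peer {name}: no back-up destination for hello messages"))
    a, b = peers["A"], peers["B"]
    if a["domain"] is None or b["domain"] is None:
        return findings
    if a["domain"] != b["domain"]:
        findings.append(("domain-mismatch", f"domain IDs differ: {a['domain']} vs {b['domain']}"))
    if a["system-mac"] != b["system-mac"]:
        findings.append(("system-mac-mismatch", f"system MAC differs: {a['system-mac']} vs {b['system-mac']}"))
    if a["unit-id"] is not None and a["unit-id"] == b["unit-id"]:
        findings.append(("unit-id-mismatch", f"both peers use unit-id {a['unit-id']}"))
    if a["peer-routing"] != b["peer-routing"]:
        findings.append(("peer-routing-asymmetric", "peer-routing enabled on only one peer; proxy ARP stays off"))
    return findings


# Constructed from the Dell-3 / Dell-4 values shown in this chapter.
DELL3_VLT = """\
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.1
 primary-priority 4096
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 0
 peer-routing
!
"""
DELL4_VLT = DELL3_VLT.replace("10.1.1.1", "10.1.1.0").replace("4096", "24576").replace("unit-id 0", "unit-id 1")

# Constructed faulty peer: same unit-id as Dell-3, different system MAC,
# hello interval outside 1-5 seconds, peer-routing left off.
BAD_PEER = """\
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0 interval 9
 system-mac mac-address 02:01:e8:d8:93:03
 unit-id 0
!
"""

if __name__ == "__main__":
    print(check_vlt_peers(DELL3_VLT, DELL4_VLT))  # no findings for the good pair
    for code, msg in check_vlt_peers(DELL3_VLT, BAD_PEER):
        print(code, "-", msg)
```

Run it against the output of show running-config vlt from both peers; an empty list means the pair passes every check the chapter states. The check deliberately does not reject an absent system-mac, because the guide says VLT selects one automatically when none is configured.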
When a VLTi port in trunk mode is a member of symmetric VLT PVLANs, the PVLAN packets are forwarded only if the PVLAN settings of both the VLT nodes are identical. You can configure the VLTi in trunk mode to be a member of non-VLT PVLANs if the VLTi is configured on both the peers. MAC address synchronization is performed for VLT PVLANs across peers in a VLT domain. Keep the following points in mind when you configure VLT nodes in a PVLAN:
• Configure the VLTi link to be in trunk mode.
PVLAN Operations When a VLT Peer is Restarted
When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Community) Secondary (Isolated) No No • • Yes Yes Promiscuous Promiscuous Primary X Primary X Primary Primary Yes Yes - Secondary (Community) - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary (Communi
2. Remove an IP address from the interface.
   INTERFACE PORT-CHANNEL mode
   no ip address
3. Add one or more port interfaces to the port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
4. Ensure that the port channel is active.
   private-vlan mode primary
8. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
   • Specified with this command even before they have been created.
   • Amended by specifying the new secondary VLAN to be added to the list.
Proxy ARP is enabled only if you enable peer routing on both the VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable proxy ARP. If you disable peer routing when the ICL link is down, a notification is not sent to the VLT peer, and in that case the VLT peer does not disable proxy ARP. When you remove the VLT domain on one of the VLT nodes, the removal of the peer routing configuration is notified to the peer.
show running-config

Sample configuration of VLAN-stack over VLT (Peer 1)
Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
DellEMC(conf-vlt-domain)#primary-priority 100
DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
DellEMC(conf-vlt-domain)#unit-id 0
DellEMC(conf-vlt-domain)#
DellEMC#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
    NUM    Status    Description
    50     Active    De
 no shutdown
DellEMC#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned
level hashing in the ToR switch, it is routed instead of forwarding the packet to node1. This processing occurs because of the match or hit for the entry in the TCAM of the VLT node2. Synchronization of IPv6 ND Entries in a VLT Domain Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT V6 VLAN and neighbor discovery protocol monitor (NDPM) entries synchronization between VLT nodes is performed.
Figure 147. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Sample Configuration of IPv6 Peer Routing in a VLT Domain
Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Neighbor Solicitation from VLT Hosts
Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL. When VLT node 1 receives NS on ICL, it floods the NA packet on the VLAN.
When a VLT node receives traffic from a non-VLT host intended for a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL.
Non-VLT host to North Bound traffic flow
When a VLT node receives traffic from a non-VLT host intended for a north-bound destination with the DMAC as its own MAC, it routes the traffic to the next hop.
ToR
1. Enable BFD globally.
   TOR(conf)# bfd enable
2. Configure a VLT peer LAG.
   TOR(conf)#interface tengigabitethernet 1/1
   TOR(conf-if-te-1/1)#no ip address
   TOR(conf-if-te-1/1)#port-channel-protocol lacp
   TOR(conf-if-te-1/1)#port-channel 10 mode active
   TOR(conf-if-te-1/1)#no shutdown
   TOR(conf)#interface tengigabitethernet 1/2
   TOR(conf-if-te-1/2)#no ip address
   TOR(conf-if-te-1/2)#port-channel-protocol lacp
   TOR(conf-if-te-1/2)#port-channel 10 mode active
   TOR(conf-if-te-1/2)#no shutdown
3.
VLT Primary
1. Enable BFD globally.
   VLT_Primary(conf)# bfd enable
2. Configure port channel which is used as VLTi link.
   VLT_Primary(conf)# interface port-channel 100
   VLT_Primary(conf-if-po-100)# no ip address
   VLT_Primary(conf-if-po-100)# channel-member tengigabitethernet 1/1, 1/2
   VLT_Primary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
4. Configure a VLT peer LAG.
   VLT_Primary(conf)#interface tengigabitethernet 1/3
   VLT_Primary(conf-if-te-1/3)#no ip address
   VLT_Primary(conf-if-te-1/3)#port-channel-protocol lacp
   VLT_Primary(conf-if-te-1/3)#port-channel 10 mode active
   VLT_Primary(conf-if-te-1/3)#no shutdown
   VLT_Primary(conf)#interface port-channel 10
   VLT_Primary(conf-if-po-10)#no ip address
   VLT_Primary(conf-if-po-10)#switchport
   VLT_Primary(conf-if-po-10)#vlt-peer-lag port-channel 10
   VLT_Primary(conf-if-po-10)#no shutdown
5.
Remote System MAC address:      f4:8e:38:6a:97:3f
Remote system version:          6(9)
Delay-Restore timer:            90 seconds
Delay-Restore Abort Threshold:  60 seconds
Peer-Routing :                  Enabled
Peer-Routing-Timeout timer:     0 seconds
Multicast peer-routing timeout: 150 seconds

VXLAN on VLT
VLT peers are two nodes in the network that are loosely coupled. It provides high availability to the other ends.
Static VXLAN Configuration in a VLT setup
Configuration steps are covered below:
1. Both Gateway VTEPs need VLT configured.
   • ICL port configuration
     interface Port-channel 1
      no ip address
      channel-member TenGigabitEthernet 0/4-5
      no shutdown
   • VLT Domain Configuration
     vlt domain 100
      peer-link port-channel 1
      back-up destination 10.11.70.14   (this is the IP address of the peer node)
   • VXLAN Instance Configuration
     vxlan-instance 1 static
      local-vtep-ip 14.14.14.
59 VLT Proxy Gateway
The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 149. Sample Configuration for a VLT Proxy Gateway

Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; for example, across a VLT domain.
• You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the newer VLT domain.
• After a station move, if the host sends a TTL1 packet destined to its gateway; for example, a previous VLT node, the packet can be dropped.
• LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down, rebooting, or the port's physical link connection is down).

LLDP VLT Proxy Gateway in a Square VLT Topology
Figure 150. Sample Configuration for a VLT Proxy Gateway
• The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing.
• You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 151. VLT Proxy Gateway Sample Topology

VLT Domain Configuration
Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using a VLT LAG Po 50. To know how to configure the interfaces in VLT domains, see the Configuring VLT section.
Dell-1 VLT Configuration
vlt domain 120
 peer-link port-channel 120
 back-up destination 10.1.1.
Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.
VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2.
interface Vlan 100
 description OSPF Peering VLAN to Dell-2
 ip address 10.10.100.1/30
 ip ospf network point-to-point
 no shutdown
VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
interface Vlan 101
 description ospf peering vlan across VLTPG_Po50
 ip address 10.10.
Neighbor ID  Pri  State    Dead Time  Address      Interface  Area
4.4.4.4      1    FULL/ -  00:00:33   10.10.100.1  Vl 100     0
Dell-3 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.1
 primary-priority 4096
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 0
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5
These MAC addresses are the system L2 interface addresses for each switch at the remote site, Dell-1 and Dell-2.
Dell-4 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0
 primary-priority 24576
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 1
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5
These MAC addresses are the system L2 interface addresses for each switch at the remote site, Dell-1 and Dell-2.
interface Vlan 102
 description ospf peering vlan to DELL-3
 ip address 10.10.102.
60 Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS.
Overview
The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology wherein the data traffic from the virtualized servers is transparently transported over an existing legacy network.
Figure 152. VXLAN Gateway
NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
• NSX Controller-based VXLAN for VLT

Components of VXLAN network
VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network and this overlay is termed as a VXLAN segment.
• VTEP is responsible for identifying and binding a Port and VLAN to a logical network
• VTEP maintains MAC bindings to a VTEP.
• VXLAN communicates with the VTEP using a standard protocol called OVSDB Protocol. The protocol uses the JSON RPC-based message format.
• The VTEP acts according to the TOR schema defined by VMWare. The solution is very specific to VMWare-based orchestration platforms and does not work with other orchestration platforms.
Frame Check Sequence (FCS): Note that the original Ethernet frame's FCS is not included, but a new FCS is generated on the outer Ethernet frame.
VXLAN Header:
• VXLAN Flags: Reserved bits set to zero except bit 3, the first bit, which is set to 1 for a valid VNI
• VNI: The 24-bit field that is the VXLAN Network Identifier
• Reserved: A set of fields, 24 bits and 8 bits, that are reserved and set to zero.
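The header fields listed above can be checked byte by byte. The following is an added example, not code from the Dell guide or from the switch software: it builds and parses the 8-byte VXLAN header (flags byte with the VNI-valid bit, 24 reserved bits, 24-bit VNI, 8 reserved bits, as in the VXLAN specification), flags the conditions the list says must not occur, and exposes the encapsulated Ethernet frame. The sample packets, the VNI 4656 taken from the show output later in this chapter and the inner MAC addresses are constructed.

```python
"""Build and parse the 8-byte VXLAN header (added example, not Dell code).

Layout (network byte order):
  byte 0    flags; the "I" bit (0x08) means the VNI field is valid
  bytes 1-3 reserved, must be zero
  bytes 4-6 24-bit VNI
  byte 7    reserved, must be zero
"""
import struct

VXLAN_HEADER_LEN = 8
VXLAN_FLAG_I = 0x08  # VNI-valid flag


class VxlanHeaderError(ValueError):
    """Raised for a malformed header when parsing in strict mode."""


def build_vxlan_header(vni: int) -> bytes:
    """Return a well-formed header carrying vni; reserved fields are zero."""
    if not 0 <= vni < (1 << 24):
        raise VxlanHeaderError(f"VNI {vni} does not fit in 24 bits")
    # flags, three zero (reserved) bytes, then the VNI in the upper 24 bits of a
    # 32-bit word whose low byte is the trailing reserved field
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(data: bytes, strict: bool = True) -> dict:
    """Decode the VXLAN header at the start of a UDP payload.

    strict=True rejects headers that violate the field rules (I flag clear,
    other flag bits set, reserved fields non-zero); strict=False returns the
    problems in the result instead, which suits a passive monitor.
    """
    if len(data) < VXLAN_HEADER_LEN:
        raise VxlanHeaderError("truncated VXLAN header")
    flags, r1, r2, r3, tail = struct.unpack("!BBBBI", data[:VXLAN_HEADER_LEN])
    vni = tail >> 8
    reserved24 = (r1 << 16) | (r2 << 8) | r3
    reserved8 = tail & 0xFF
    problems = []
    if not flags & VXLAN_FLAG_I:
        problems.append("I flag clear: VNI is not valid")
    if flags & ~VXLAN_FLAG_I & 0xFF:
        problems.append("reserved flag bits set")
    if reserved24 or reserved8:
        problems.append("reserved fields are not zero")
    if strict and problems:
        raise VxlanHeaderError("; ".join(problems))
    return {
        "vni": vni,
        "vni_valid": bool(flags & VXLAN_FLAG_I),
        "flags": flags,
        "problems": problems,
        "inner_frame": data[VXLAN_HEADER_LEN:],
    }


def inner_macs(inner_frame: bytes) -> tuple:
    """Return (dst, src) MAC strings of the encapsulated Ethernet frame."""
    if len(inner_frame) < 12:
        raise VxlanHeaderError("inner frame too short for an Ethernet header")
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(inner_frame[0:6]), fmt(inner_frame[6:12])


# Constructed sample: VNI 4656 carrying an inner frame from 00:00:02:00:00:02
# to 00:00:01:00:00:01 (EtherType 0x0800) padded with a zero payload.
SAMPLE_INNER = bytes.fromhex("000001000001" "000002000002" "0800") + b"\x00" * 46
SAMPLE_PACKET = build_vxlan_header(4656) + SAMPLE_INNER

# Constructed malformed sample: I flag clear and one reserved byte set.
BAD_PACKET = bytes([0x00, 0x00, 0x00, 0x01]) + (4656 << 8).to_bytes(4, "big") + SAMPLE_INNER

if __name__ == "__main__":
    hdr = parse_vxlan_header(SAMPLE_PACKET)
    print("VNI", hdr["vni"], "inner dst/src", inner_macs(hdr["inner_frame"]))
    print("bad header problems:", parse_vxlan_header(BAD_PACKET, strict=False)["problems"])
```

Feed parse_vxlan_header the UDP payload of a captured VXLAN packet (UDP port 4789 by default); the strict mode is the behaviour a gateway should have on receipt, the non-strict mode is what you want when tallying malformed headers per tunnel.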
+cnuaNu7Kq2V0DGSdR7eIkDTHkflttHbMmRfStHLetk3bA0HgXTW5c+vFn79EX/nJqxIvkl5ADT7k5JZR
+j6i9eskgUlvBuV5OOZKzh29Gy4sjXvdYL5GirZFon8iZNY5FON
+WlpcLJ9GjMvVfwvJx7exVs9cqXvm6UZ4Bf262STKbm+Q4qz30tyjDdF1xDBcBjL83UcEvSW65V/
sSFKBohqu40EWXIBJ0QbKvFWv91rbjkgtsrHVTdohrA==
-----END CERTIFICATE-----
Copy and paste the generated certificate to the NSX.
Figure 155. Hardware Devices
3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK.
Figure 156. Add Service Node or Replicator
NOTE: Ensure L3 reachability between the VTEP and the replicator.
4. Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 157. Create Logical Switch
5. Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and an L2 gateway connection to an external network. It binds the virtual access ports in the gateway to a logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 159. Create Logical Switch Port
6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.
Figure 160. Edit VXLAN BFD Configuration
NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMWare.
Configuring and Controlling VXLAN from Nuage Controller GUI
The Dell EMC Networking OS supports the Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI by adding a hardware device to the Nuage controller and authenticating the device.
1. Under the Infrastructure tab, add a datacenter gateway.
Figure 161. Add Data center Gateway
2. Create port-to-VLAN mappings.
Figure 162. Port-to-VLAN mappings
3. Under the Networks tab, create an L2 domain.
Configuring VxLAN Gateway
To configure the VxLAN gateway on the switch, follow these steps:
1. Connecting to NVP controller
2. Advertising VXLAN access ports to controller

Connecting to an NVP Controller
To connect to an NVP controller, use the following commands.
1. Enable the VXLAN feature.
   CONFIGURATION mode
   feature vxlan
   You must configure feature VXLAN to configure vxlan-instance.
2. Create a VXLAN instance that connects to the controller.
Displaying VXLAN Configurations
To display the VXLAN configurations, use the following commands.
The following example shows the show vxlan vxlan-instance command.
DellEMC#show vxlan vxlan-instance 1
Instance           : 1
Mode               : Controller
Admin State        : enabled
Controller Type    : Nsx
Management IP      : 10.16.140.34
Gateway IP         : 4.3.3.3
MAX Backoff        : 8000
Controller         : 10.16.140.181:6640 ssl
Controller Cluster :
                   : 10.16.140.181:6640 ssl (connected)
                   : 10.16.140.182:6640 ssl (connected)
                   : 10.16.140.
The following example shows the show vxlan vxlan-instance unicast-mac-remote command.
DellEMC# show vxlan vxlan-instance <1> unicast-mac-remote
Total Local Mac Count: 1
VNI   MAC                TUNNEL
4656  00:00:01:00:00:01  36.1.1.1
The following example shows the show vxlan vxlan-instance unicast-mac-remote command when the tunnel is down.
DellEMC# show vxlan vxlan-instance <1> unicast-mac-remote
Total Local Mac Count: 1
VNI   MAC                TUNNEL
4656  00:00:01:00:00:01  36.1.1.
1. Enable VXLAN configuration globally on the platform.
   CONFIGURATION mode
   feature vxlan
2. Enable static VXLAN instance.
   CONFIGURATION mode
   INTERFACE mode
   vxlan-instance instance ID [static]
   You can configure vxlan-instance on INTERFACE mode to enable VXLAN on specific ports.
3. Set the local IP Address that can be used as a source for VXLAN tunnels.
   VXLAN-INSTANCE mode
   local-vtep-ip IP Address
4. Create a VNI profile to associate with remote VTEP configuration.
The following example displays VXLAN statistics for a specific port and VLAN combination.
DellEMC# show vxlan statistics interface te 0/0 vlan 2
Statistics for Port : Te 0/0 Vlan : 2
Rx Packets : 0
Rx Bytes   : 0
Tx Packets : 0
Tx Bytes   : 0
The following example displays VXLAN statistics for the specified VXLAN tunnel.
DellEMC# show vxlan vxlan-instance 1 statistics remote-vtep-ip 1.1.1.1
Statistics for Remote-vtep-ip : 1.1.1.
VXLAN Scenario
The VXLAN tunnel stays down even if the remote VTEP IP is reachable through a recursive route. The following section explains the scenario through an example configuration. The following illustration depicts the topology in which the VTEPs are connected.
Figure 164. VXLAN Scenario
In the above illustration, R1 and R2 are the VTEPs that are trying to form the VXLAN tunnel. R3, the route reflector, exchanges the routes across two IBGP peers (R1 and R2).
In this RIOT scheme, whenever R1 tries to reach R2, the packet gets to P1 on VTEP 1 with VLAN 10 and gets routed out of P2 on VLAN 20. VTEP 1 sends an ARP request for R2 (10.1.2.1) through P2. This request gets VXLAN encapsulated at P3 and is sent out of P4. Eventually, the native ARP request reaches R2. R2 sends an ARP response that is VXLAN encapsulated at VTEP 2. This response reaches VTEP 1 on P4 with a VXLAN encapsulation. At this point, the ARP response is de-capsulated at P4.
• When you ping for 10.1.2.1 (Vlan 20's IP on R2) from R1, the packet would get to P1 on VTEP 1 with Vlan 10, and try to get routed out of P2 on Vlan 20.
• VTEP 1 sends an ARP request for 10.1.2.1 out of P2. This gets VXLAN encapsulated at P2, and gets sent out of P3.
• The VXLAN encapsulated ARP request lands on VTEP 2, where it is decapsulated and sent out of P5 and P6.
• Packets looped back to P5 will not be forwarded again to either P4 or P6 because of the added ACL rule 4.4.3.
In order for this configuration to work, the physical loopback ports are required to be in port-channels. There are two types of physical loopback interfaces: VXLAN Loopback Port and Non-VXLAN Loopback Port. These two port-channels are implicitly made no spanning tree, so that they do not go into a blocked state if xSTP is enabled.
Internal Loopback
To configure internal loopback port-channels, add free ports in the device as members of a port-channel, say 10, then configure vxlan-instance 1 loopback.
For VLT, in addition to the masks specified earlier, the VLT-specific mask that disallows frames ingressing on an ICL from going out of a VLT port channel is permanently in place. These masks are not removed for the loopback ports even if the VLT peer LAG goes down (this is a deviation from standard VLT behavior when these loopbacks are provisioned as VLT port-channels).

NSX Controller-based VXLAN for VLT
Apart from static VXLAN for VLT, you can also use an NSX controller for VXLAN in a VLT setup.
• Before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration.
• BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from the NSX controller.

Configure NSX Controller-based VxLAN in VLT Setup
You can configure NSX controller-based VxLAN in a VLT setup. To configure NSX controller-based VxLAN in a VLT setup, perform the following tasks:
1. (Optional) Configure BFD and UFD.
   gateway-ip gateway-IP-address
5. Enter the IP address of the peer OVSDB server.
   peer-ovsdbserver-ip ovsdb-IP-address
   The peer OVSDB server is the peer VLT device.
6. Enter the fail mode.
   VxLAN INSTANCE mode
   fail-mode secure
7. Enable the VxLAN instance.
   VxLAN INSTANCE mode
   no shutdown
NOTE: Dell EMC Networking recommends the non-secure fail mode if you are configuring VxLAN for a VLT setup and use a physical L3 link for peer OVSDB connectivity.
 unit-id 0
 peer-routing
Configuration on an interface that is not part of VLT (orphan port):
DellEMC#show run interface te 1/21
!
interface TenGigabitEthernet 1/21
 vxlan-instance 1
 no ip address
 switchport
 no shutdown
DellEMC#
Configuration on VLT port channel:
DellEMC#show run int po 10
!
interface Port-channel 10
 vxlan-instance 1
 no ip address
 switchport
 vlt-peer-lag port-channel 10
 no shutdown
The following are some of the show command outputs on the VLT primary:
DellEM
* - No VLAN mapping exists and yet to be installed Name VNID a35fe7f7-fe82-37b4-b69a-0af4244d1fca 5000 DellEMC#$nstance 1 logical-network name a35fe7f7-fe82-37b4-b69a-0af4244d1fca Name : a35fe7f7-fe82-37b4-b69a-0af4244d1fca Description : Type : ELAN Tunnel Key : 5000 VFI : 28674 Unknown Multicast MAC Tunnels: 6.6.6.
DellEMC#show cam mac stack-unit 1 port-set 0 VlanId Mac Address Region Interface 500 ff:ff:ff:ff:ff:ff STATIC 00001 28674 00:00:00:cc:00:00 DYNAMIC 0x80000004(vxlan) 28674 00:00:bb:00:00:00 DYNAMIC 0x80000006(vxlan) 0 ff:ff:ff:ff:ff:ff STATIC 00001 1 00:01:e8:8b:7a:6e DYNAMIC Po 11 20 00:00:00:cc:00:00 STATIC Te 1/21 500 f4:8e:38:2b:3e:87 STATIC Po 1 0 00:10:18:ff:ff:ff STATIC Invalid 500 34:17:eb:37:11:02 DYNAMIC Te 1/51/1 0 14:18:77:0a:53:82 LOCAL_DA 00001 0 14:18:77:0a:53:82 LOCAL_DA 00001 0 f4:8e:38:2b:
Tunnel Key : 5000 VFI : 28674 Unknown Multicast MAC Tunnels: 6.6.6.2 : vxlan_over_ipv4 (up)(Active) Port Vlan Bindings: Te 1/21: VLAN: 20 (0x80000004), Po 1: VLAN: 20 (0x80000001), Po 10: VLAN: 20 (0x80000002), Po 20: VLAN: 20 (0x80000005), DellEMC# DellEMC# DellEMC# DellEMC# DellEMC# DellEMC#show vxlan vxlan-instance 1 multicast-mac * - Active Replicator LN-Name VNID a35fe7f7-fe82-37b4-b69a-0af4244d1fca 5000 MAC unknown dst TUNNEL-LIST 6.6.6.
• show file flash://vtep-cert.
Figure 167. Hardware Devices 3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK. Figure 168. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4. Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 169. Create Logical Switch 5. Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 171. Create Logical Switch Port
6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.
Figure 172. Edit VXLAN BFD Configuration
NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
61 Virtual Routing and Forwarding (VRF)
VRF Overview
VRF improves functionality by allowing network paths to be segmented without using multiple devices. Using VRF also increases network security and can eliminate the need for encryption and authentication due to traffic segmentation. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; VRF is also referred to as VPN routing and forwarding.
VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Feature/Capability: Support Status for Default VRF / Support Status for Non-default VRF
PBR, L3 QoS on VLANs: Yes / No (NOTE: QoS not supported on VLANs.)
IPv4 ARP: Yes / Yes
sFlow: Yes / No
VRRP on physical and logical interfaces: Yes / Yes
VRRPv3: Yes / Yes
Secondary IP Addresses: Yes / Yes
Basic: Yes / Yes
OSPFv3: Yes / Yes
IS-IS: Yes / Yes
BGP: Yes / Yes
ACL: Yes / No
Multicast: No / No
NDP: Yes / Yes
RAD: Yes / Yes
DHCP: DHCP requests are not forwarded across VRF instances.
The VRF ID range is from 1 to 511. 0 is the default VRF ID.
Assigning an Interface to a VRF
You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs.
 CONFIGURATION
 router ospf process-id vrf vrf-name
The process-id range is from 0-65535.
Configuring VRRP on a VRF Instance
You can configure the VRRP feature on interfaces that belong to a VRF instance. In a virtualized network that consists of multiple VRFs, various overlay networks can exist on a shared physical infrastructure. Nodes (hosts and servers) that are part of the VRFs can be configured with IP static routes for reaching specific destinations through a given gateway in a VRF.
 VRF MODE
 interface management
When Management VRF is configured, the following interface range or interface group commands are disabled:
• ipv6 nd dad — Duplicated Address Detection
• ipv6 nd dns-server — Configure DNS distribution option in RA packets originated by the router
• ipv6 nd hop-limit — Set hop limit advertised in RA and used in IPv6 data packets originated by the router
• ipv6 nd managed-config-flag — Hosts sh
Figure 174.
Figure 175. Setup VRF Interfaces
The following example relates to the configuration shown in the above illustrations.
Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!
The following shows the output of the show commands on Router 1.
C C O Destination ----------2.0.0.0/24 20.0.0.0/24 21.0.0.0/24 Gateway ------Direct, Vl 192 Direct, Te 1/2 via 2.0.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination ----------2.0.0.0/24 20.0.0.0/24 21.0.0.0/24 C O C Gateway ------Direct, Vl 192 via 2.0.0.
You can also leak global routes to be made available to VRFs. As the global RTM usually contains a large pool of routes, when the destination VRF imports global routes, these routes will be duplicated into the VRF's RTM. As a result, it is mandatory to use route-maps to filter out leaked routes while sharing global routes with VRFs.
Configuring Route Leaking without Filtering Criteria
You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF.
 A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
 ip route-import 1:1
8. Configure the export target in VRF-blue.
 ip route-export 3:3
9. Configure VRF-green.
 ip vrf vrf-green
 interface-type slot/port
 ip vrf forwarding VRF-green
 ip address ip-address mask
 A non-default VRF named VRF-green is created and the interface is assigned to it.
10.
O C 44.4.4.4/32 144.4.4.0/24 via VRF-shared:144.4.4.4 0/0 Direct, VRF-shared:Te 1/4 0/0 DellEMC# show ip route vrf VRF-Blue O 22.2.2.2/32 via 122.2.2.2 00:00:11 C O C 122.2.2.0/24 44.4.4.4/32 144.4.4.0/24 00:32:36 00:32:36 110/0 Direct, Te 1/12 0/0 22:39:61 via vrf-shared:144.4.4.4 0/0 00:32:36 Direct, vrf-shared:Te 1/4 0/0 00:32:36 DellEMC# show ip route vrf VRF-Green O 33.3.3.3/32 00:00:11 via 133.3.3.3 C Direct, Te 1/13 0/0 133.3.3.
While importing these routes into VRF-blue, you can further specify match conditions at the import end to define the filtering criteria based on which the routes are imported into VRF-blue. You can define a route-map import_ospf_protocol and then specify the match criteria as OSPF using the match source-protocol ospf command. You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map.
O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11
O 44.4.4.4/32 via vrf-red:144.4.4.4 0/0 00:32:36 << only OSPF and BGP leaked from VRF-red
Important Points to Remember
• Only Active routes are eligible for leaking. For example, if VRF-A has two routes from BGP and OSPF, in which the BGP route is not active. In this scenario, the OSPF route takes precedence over BGP.
62 Virtual Router Redundancy Protocol (VRRP)
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 176. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
Table 142. Recommended VRRP Advertise Intervals
Total VRRP Groups: Recommended Advertise Interval / Groups per Interface
Less than 250: 1 second / 12
Between 250 and 450: 2–3 seconds / 24
Between 450 and 600: 3–4 seconds / 36
Between 600 and 800: 4 seconds / 48
Between 800 and 1000: 5 seconds / 84
Between 1000 and 1200: 7 seconds / 100
Between 1200 and 1500: 8 seconds / 120
VRRP Configuration
By default, VRRP is not configured.
interface TenGigabitEthernet 1/1
 ip address 10.10.10.1/24
!
 vrrp-group 111
  no shutdown
Configuring the VRRP Version for an IPv4 Group
For IPv4, you can configure a VRRP group to use one of the following VRRP versions:
• VRRPv2 as defined in RFC 3768, Virtual Router Redundancy Protocol (VRRP)
• VRRPv3 as defined in RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
You can also migrate an IPv4 group from VRRPv2 to VRRPv3.
• The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell EMC Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group.
• For example, an interface (on which you enable VRRP) contains a primary IP address of 50.1.1.1/24 and a secondary IP address of 60.1.1.
VRF: 0 default
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.3
Authentication:
When the VRRP process completes its initialization, the State field contains either Master or Backup.
NOTE: Authentication for VRRPv3 is not supported.
To configure simple authentication, use the following command.
• Configure a simple text password.
 INTERFACE-VRID mode
 authentication-type simple [encryption-type] password
 Parameters:
 • encryption-type: 0 indicates unencrypted; 7 indicates encrypted.
 • password: plain text.
The bold section shows the encryption type (encrypted) and the password.
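The subnet rule for virtual IPs, the RFC-defined virtual MAC and the counters in the show vrrp output reproduced above can all be checked mechanically. The following Python is an added example, not from the Dell guide: it parses show vrrp output in the layout shown above (both VRRPv2 IPv4 and VRRPv3 IPv6 groups) and reports a virtual MAC that does not match the VRID, bad packets received, a VRRPv2 group without authentication, and virtual IPs outside the interface's subnets. The sample output, the interface subnet table, and the assumption that a block without a Version field is a VRRPv2 group are the example's own.

```python
"""Audit Dell EMC Networking OS `show vrrp` output (added example, not from
the Dell guide). The layout mirrors the `show vrrp` blocks reproduced in the
guide; the sample text and the interface subnet table are constructed."""
import ipaddress
import re

# Constructed sample in the guide's `show vrrp` layout: one VRRPv2 IPv4
# group with deliberate problems and one clean VRRPv3 IPv6 group.
SAMPLE_SHOW_VRRP = """\
------------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 12, Bad pkts rcvd: 3, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3 10.1.9.3
Authentication: (none)
------------------
TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: fe80::10 1::10
"""

# Constructed: primary/secondary prefixes configured on each interface. The
# guide requires every virtual IP to fall inside one of these.
SAMPLE_INTERFACE_SUBNETS = {
    "TenGigabitEthernet 2/31": ["10.1.1.1/24"],
    "TenGigabitEthernet 1/1": ["1::1/64"],
}

HEADER_RE = re.compile(
    r"^(?P<iface>[A-Za-z-]+ [\d/]+), (?:(?P<fam>IPv[46]) )?VRID: (?P<vrid>\d+)"
    r"(?:, Version: (?P<ver>\d+))?, Net: ?(?P<net>\S+)$"
)
KV_RE = re.compile(r"([A-Za-z ]+?): ([^,]+)")  # "Key: value, Key: value"


def parse_show_vrrp(text):
    """Return one dict per group block; 'Key: value' lines become entries."""
    groups, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = {"interface": m["iface"], "vrid": int(m["vrid"]),
                   "ipv6": m["fam"] == "IPv6",
                   # Assumption: blocks without a Version field are VRRPv2.
                   "version": int(m["ver"]) if m["ver"] else 2,
                   "virtual_ips": []}
            groups.append(cur)
        elif cur is not None and line.startswith("Virtual IP address:"):
            cur["virtual_ips"] = line.split(":", 1)[1].split()
        elif cur is not None:
            for key, val in KV_RE.findall(line):
                cur[key.strip()] = val.strip()
    return groups


def check_group(group, interface_subnets):
    """Findings for one group: wrong virtual MAC, bad packets received,
    no authentication on a VRRPv2 group, off-subnet virtual IPs."""
    findings = []
    # RFC 3768 / RFC 5798: 00-00-5E-00-01-{VRID} (IPv4), 00-00-5E-00-02-{VRID} (IPv6).
    expected_mac = "00:00:5e:00:%s:%02x" % ("02" if group["ipv6"] else "01",
                                            group["vrid"])
    if group.get("Virtual MAC address", "").lower() != expected_mac:
        findings.append("virtual MAC does not match VRID %d" % group["vrid"])
    bad = int(group.get("Bad pkts rcvd", "0"))
    if bad:
        findings.append("%d bad VRRP packets received" % bad)
    # The guide: authentication exists for VRRPv2 only (not supported on v3).
    if group["version"] == 2 and group.get("Authentication", "(none)") == "(none)":
        findings.append("no authentication configured")
    nets = [ipaddress.ip_network(p, strict=False)
            for p in interface_subnets.get(group["interface"], [])]
    for vip in group["virtual_ips"]:
        addr = ipaddress.ip_address(vip)
        if addr.is_link_local:  # the VRRPv3 fe80:: virtual address is always on-link
            continue
        if not any(addr in n for n in nets):
            findings.append("virtual IP %s is outside every subnet on %s"
                            % (vip, group["interface"]))
    return findings


def audit_show_vrrp(text, interface_subnets):
    """Map (interface, VRID) -> findings for every group in the output."""
    return {(g["interface"], g["vrid"]): check_group(g, interface_subnets)
            for g in parse_show_vrrp(text)}


if __name__ == "__main__":
    print(audit_show_vrrp(SAMPLE_SHOW_VRRP, SAMPLE_INTERFACE_SUBNETS))
```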
Changing the Advertisement Interval By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
For a virtual group, you can track the line-protocol state or the routing status of any of the following interfaces with the interface interface parameter:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
The following example shows verifying the tracking status.
When you configure both CLIs, the timer that expires later governs when VRRP is enabled. For example, if you set vrrp delay reload 600 and vrrp delay minimum 300, the following behavior occurs:
• When the system reloads, VRRP waits 600 seconds (10 minutes) to bring up VRRP on all interfaces that are up and configured for VRRP.
• When an interface comes up and becomes operational, the system waits 300 seconds (5 minutes) to bring up VRRP on that interface.
Figure 177. VRRP for IPv4 Topology
Examples of Configuring VRRP for IPv4 and IPv6
The following example shows configuring VRRP for IPv4 on Router 2.
R2(conf)#interface tengigabitethernet 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
 ip address 10.1.1.
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#
Router 3
R3(conf)#interface tengigabitethernet 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.
Figure 178. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135 Virtual MAC address: 00:00:5e:00:0
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
S1(conf-if-te-1/2-vrid-101)#virtual-address 10.10.1.2 S1(conf-if-te-1/2)#no shutdown ! S1(conf)#interface TenGigabitEthernet 1/3 S1(conf-if-te-1/3)#ip vrf forwarding VRF-3 S1(conf-if-te-1/3)#ip address 20.1.1.5/24 S1(conf-if-te-1/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-1/3-vrid-105)#priority 255 S1(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100 Authentication: (none) VRRP in VRF: Switch-2 VLAN Configuration Switch-2 S2(conf)#ip vrf VRF-1 1 ! S2(conf)#ip vrf VRF-2 2 ! S2(conf)#ip vrf VRF-3 3 ! S2(conf)#interface TenGigabitEthernet 1/1 S2(conf-if-te-1/1)#no ip address S2(conf-if-te-1/1)#switchport S2(conf-if-te-1/1)#no shutdown ! S2(conf-if-te-1/1)#interface vlan 100 S2(conf-if-vl-100)#ip vrf forwarding VRF-1 S2(conf-if-vl-100)#ip address 10.10.1.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 2 vrf2 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) VRRP for IPv6 Configuration This section shows VRRP IPv6 topology with CLI configurations.
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of two routers has a higher IP or IPv6 address. Router 2 R2(conf)#interface tengigabitethernet 1/1 R2(conf-if-te-1/1)#no ip address R2(conf-if-te-1/1)#ipv6 address 1::1/64 R2(conf-if-te-1/1)#vrrp-group 10 NOTE: You must configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
VRF: 0 default State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0 Virtual MAC address: 00:00:5e:00:02:0a Virtual IP address: 1::10 fe80::10 DellEMC#show vrrp tengigabitethernet 0/0 TenGigabitEthernet 0/0, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76 VRF: 0 default State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed Hold Down
DellEMC#show vrrp vrf vrf2 port-channel 1
Port-channel 1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 2 vrf2
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
Proxy Gateway with VRRP
VLT proxy gateway solves the inefficient traffic trombone proble
• A VLT link aggregation group (LAG) is present between A1 and B1 as well as A2 and B2.
• A1 and B1 are connected to core routers C1 and D1, with VLT routing enabled.
• A2 and B2 are connected to core routers C2 and D2, with VLT routing enabled.
• The core routers C1 and D1 in the local VLT domain are connected to the core routers C2 and D2 in the remote VLT domain using VLT links.
• The core routers C1 and D1 in the local VLT domain, along with C2 and D2 in the remote VLT domain, are part of a Layer 3 cloud.
Sample configuration of D1: vlt domain 10 peer-link port-channel 128 back-up destination 10.16.140.
port-channel 10 mode active no shut int ten 1/4/1 port-channel-protocol lacp port-channel 20 mode active no shut interface port-channel 10 vlt-peer-lag po 10 switchport no shutdown interface port-channel 20 vlt-peer-lag po 20 switchport no shutdown int vlan 100 ip address 100.1.1.3/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.
ip address 100.1.1.4/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.
63 Debugging and Diagnostics
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
• Level 1 — A smaller set of diagnostic tests.
When the tests are complete, the system displays the following message and automatically reboots the unit. DellEMC#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-1.txt Diags completed... Rebooting the system now!!! Mar 12 10:40:35: %S6000:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 0 DellEMC#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt Diags completed...
DellEMC#Dec 15 04:14:07: %S4820:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1 00:12:10 : System may take additional time for Driver Init. 00:12:10 : Approximate time to complete the Diags ... 6 Mins The following example shows the diag command (stack member).
Test 7 - Psu Fan Status Monitor Test ................................ NOT PRESENT Test 8.000 - Psu0 Fan AirFlow Type Test ............................. PASS diagS6000IsPsuGood[954]: ERROR: Psu:1, Power supply is not present. Test 8.001 - Psu1 Fan AirFlow Type Test .............................NOT PRESENT Test 8 - Psu Fan AirFlow Type Test ..................................NOT PRESENT Test 9 - Power Rail Status Test ..................................... PASS Test 10.000 - FanTray0 Presence Test .............
Auto Save on Crash or Rollover
Exception information for MASTER or standby units is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout.
• On a MASTER unit, you can reach the TRACE_LOG_DIR files by FTP or by using the show file command from the flash://TRACE_LOG_DIR directory.
QSFP 52 Bias High Warning threshold QSFP 52 RX Power High Warning threshold QSFP 52 Temp Low Warning threshold QSFP 52 Voltage Low Warning threshold QSFP 52 Bias Low Warning threshold QSFP 52 RX Power Low Warning threshold =================================== QSFP 52 Temperature QSFP 52 Voltage QSFP 52 TX1 Bias Current QSFP 52 TX2 Bias Current QSFP 52 TX3 Bias Current QSFP 52 TX4 Bias Current QSFP 52 RX1 Power QSFP 52 RX2 Power QSFP 52 RX3 Power QSFP 52 RX4 Power = = = = = = 9.500mA 1.738mW 0.000C 3.
Recognize an Under-Voltage Condition If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message: %CHMGR-1-CARD_SHUTDOWN: Major alarm: stack unit 2 down - auto-shutdown due to under voltage. This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE). If the under-voltage condition persists, line cards are shut down, then the RPMs.
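The system messages quoted in this chapter (the DIAGAGT diagnostics messages earlier and the CHMGR under-voltage alarm here) share one format, so a log collector can triage them. The Python below is an added example, not from the Dell guide: it parses that format and flags the under-voltage shutdown, any other severity 0-2 alarm, and diagnostics start/finish (a diagnostics run reboots the unit). The sample log lines are constructed from the message formats shown in the guide.

```python
"""Triage Dell EMC Networking OS system messages (added example, not from the
Dell guide). Messages look like `%FACILITY-SEVERITY-MNEMONIC: text`, often
preceded by a timestamp and a `%PLATFORM:UNIT` tag, as in the guide's output.
The sample lines are constructed from the message formats the guide shows."""
import re

MSG_RE = re.compile(
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): )?"  # "Mar 12 10:40:35: "
    r"(?:%(?P<platform>[A-Z0-9]+):(?P<unit>\d+) )?"           # "%S6000:0 "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
STACK_UNIT_RE = re.compile(r"stack unit (\d+)")

# Constructed sample: a diagnostics run followed by an under-voltage
# shutdown, plus one CLI echo line that is not a system message.
SAMPLE_LOG = """\
Mar 12 10:34:10: %S6000:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1
Mar 12 10:40:35: %S6000:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 1
Diags completed... Rebooting the system now!!!
Mar 12 10:52:07: %S6000:0 %CHMGR-1-CARD_SHUTDOWN: Major alarm: stack unit 2 down - auto-shutdown due to under voltage.
"""


def parse_message(line):
    """Return the message fields, or None for a line that is not a system
    message. `search` (not `match`) tolerates a leading CLI prompt such as
    'DellEMC#' in front of the timestamp, as in the guide's captures."""
    m = MSG_RE.search(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    unit = STACK_UNIT_RE.search(fields["text"])
    fields["stack_unit"] = int(unit.group(1)) if unit else None
    return fields


def triage(log_text):
    """Return (kind, mnemonic, stack_unit) for lines that need attention:
    'power' for the under-voltage CARD_SHUTDOWN alarm the guide describes,
    'alarm' for any other severity 0-2 message, and 'diag' for offline
    diagnostics start/finish, since a diagnostics run reboots the unit."""
    events = []
    for line in log_text.splitlines():
        msg = parse_message(line)
        if msg is None:
            continue
        if msg["mnemonic"] == "CARD_SHUTDOWN" and "under voltage" in msg["text"]:
            events.append(("power", msg["mnemonic"], msg["stack_unit"]))
        elif msg["severity"] <= 2:
            events.append(("alarm", msg["mnemonic"], msg["stack_unit"]))
        elif msg["mnemonic"] in ("DA_DIAG_STARTED", "DA_DIAG_DONE"):
            events.append(("diag", msg["mnemonic"], msg["stack_unit"]))
    return events


if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event)
```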
Dell EMC Networking OS Behavior: If you configure 1Q, save the running-config to the startup-config, and then delete the startup-config and reload the chassis. The only way to return to the default buffer profile is to remove the 1Q profile configured and then reload the chassis. If you have already applied a custom buffer profile on an interface, the buffer-profile global command fails and a message similar to the following displays: % Error: User-defined buffer profile already applied.
Total IngMac Drops :0 Total Mmu Drops :0 Total EgMac Drops :0 Total Egress Drops :0 UNIT No: 1 Total Ingress Drops :0 Total IngMac Drops :0 Total Mmu Drops :0 Total EgMac Drops :0 Total Egress Drops :0 DellEMC#show hardware stack-unit 0 drops unit 0 Port# :Ingress Drops :IngMac Drops :Total Mmu Drops :EgMac Drops :Egress Drops 1 0 0 0 0 0 2 0 0 0 0 0 3 0 0 0 0 0 4 0 0 0 0 0 5 0 0 0 0 0 6 0 0 0 0 0 7 0 0 0 0 0 8 0 0 0 0 0 Example of show hardware drops interface interface DellEMC#show hardware drops interfac
TX Err PKT Counter --- Error counters--Internal Mac Transmit Errors Unknown Opcodes Internal Mac Receive Errors : 0 : 0 : 0 : 0 Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - RUNT frame counter Fragment counter VLAN tagged packets 64 Byte Frame Counter 64 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter 1024 to 1518 Byte Frame Counter 1519 to 1522 Byte Good VLAN Frame Counter 1519 to 2047 Byte Frame Counter 2048 to 4095 Byte Frame Counter 4096 to 9216 Byte Frame Counter Good Packet Counter Packet/frame Counter Unicast Packet Cou
TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter 1024 to 1518 Byte Frame Counter 1519 to 1522 Byte Good VLAN Frame Counter 1519 to 2047 Byte Frame Counter 2048 to 4095 Byte Frame Counter 4096 to 9216 Byte Frame Counter Good Packet Counter Packet/frame Counter Unicast Packet Counter Multicast Packet Counter Broadcast Frame Counter Byte Counter Control frame counter Pause control frame counter Over size packet counter Jabber counte
Enabling Application Core Dumps
Application core dumps are disabled by default. A core dump file can be very large. Due to memory requirements the file can only be sent directly to an FTP server; it is not stored on the local flash. To enable full kernel core dumps, use the following command.
• Enable stack unit kernel full core dumps.
 CONFIGURATION mode
 logging coredump server
To undo this command, use the no logging coredump server command.
----------------STACK TRACE END-----------------------------------FREE MEMORY--------------uvmexp.free = 0x2312 Enabling TCP Dumps A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP.
64 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 144.
R F C # Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 24 Definition of 7.7.1 74 the Differentiate d Services Field (DS Field) in the IPv4 and IPv6 Headers 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2 PPP over 61 SONET/SDH 5 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2 6 9 8 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
RF C# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 130 5 Network Time Protocol (Version 3) Specification, Implementation and Analysis 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 1519 Classless Inter-Domain Routing 7.6.1 (CIDR): an Address Assignment and Aggregation Strategy 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 154 2 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) Clarifications and Extensions for 7.6.
RFC Full Name # S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 4291 Internet Protocol Version 6 (IPv6) Addressing Architecture 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 4443 Internet Control Message Protocol (ICMPv6) for the IPv6 Specification 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 4861 8.3.12.0 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 4862 IPv6 Stateless Address Autoconfiguration 8.3.12.0 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.
Open Shortest Path First (OSPF) The following table lists the Dell EMC Networking OS support per platform for OSPF protocol. Table 148. Open Shortest Path First (OSPF) RFC # Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1587 The OSPF Not-SoStubby Area (NSSA) Option 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2154 OSPF with Digital Signatures 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2370 The OSPF Opaque LSA Option 7.6.1 9.8(0.
RFC# Full Name S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 5308 Routing IPv6 with IS-IS 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) draft-ietfisisigpp2poverlan-06 Point-to-point operation over LAN in link-state routing protocols 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) draftkaplanisis-e xteth-02 Extended Ethernet Frame Size 9.8(0.0P2) Support 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Network Management The following table lists the Dell EMC Networking OS support per platform for network management protocol. Table 152. Network Management RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1155 Structure and Identification of Management Information for TCP/IP-based Internets 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 1156 Management Information Base for 7.6.1 Network Management of TCP/IP-based internets 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2574 User-based Security Model 7.6.1 (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History HighCapacity Table 3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON draftietfnetmod interfac escfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. 9.2(0.0) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) IEEE 802.1A B Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. 7.7.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) IEEE 802.
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
(row continued from previous page) ...SION-MIB | ...by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-CHASSIS-MIB | Force10 E-Series Enterprise Chassis MIB | | | | | |
FORCE10-COPY-CONFIG-MIB | Force10 File Copy MIB (supporting SNMP SET COPY operation) | 7.7.1 | 9.8(0.
Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.aspx If you have forgotten or lost your account information, contact Dell TAC for assistance.
65 X.509v3

Dell EMC Networking OS supports X.509v3 standards.

Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging

Introduction to X.509v3 certificates

X.
Advantages of X.509v3 certificates

Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:
• Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell EMC Networking OS generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
Installing CA certificate

To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.

Information about Creating Certificate Signing Requests (CSR)

A Certificate Signing Request (CSR) enables a device to obtain an X.509v3 certificate from a CA: the device first requests a certificate from the CA by submitting a CSR.
NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.

Information about installing trusted certificates

Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to TLS server implementations that require client authentication, such as Syslog.
TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic. However, the maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable with a default of 1 hour. You can also disable session resumption.
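The resumption window described above, as an added example (not the guide's or Dell's own code): a hypothetical Python model of a server-side session cache in which a resumed session reuses the authentication of its original full handshake, so the configurable maximum lifetime (default one hour) bounds how long that reuse lasts, and disabling resumption forces a full handshake every time. The names ResumptionCache and demo, the peer name and the timestamps are all constructed for this example.

```python
from dataclasses import dataclass, field

DEFAULT_RESUME_SECONDS = 3600  # the guide's default: one hour


@dataclass
class ResumptionCache:
    """Hypothetical server-side cache of TLS sessions eligible for resumption.

    A session is stored only after a full handshake has authenticated the peer,
    so a resumed session reuses that earlier authentication; max_resume_seconds
    bounds how long that reuse is allowed, and enabled=False disables resumption.
    """
    max_resume_seconds: int = DEFAULT_RESUME_SECONDS
    enabled: bool = True
    sessions: dict = field(default_factory=dict)

    def store(self, session_id: bytes, peer_cn: str, now: float) -> None:
        if self.enabled:
            self.sessions[session_id] = (peer_cn, now)

    def resume(self, session_id: bytes, now: float):
        """Return the authenticated peer CN, or None when a full handshake is required."""
        if not self.enabled:
            return None
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        peer_cn, created = entry
        if now - created > self.max_resume_seconds:
            # Expired: evict so the peer must re-authenticate via a full handshake.
            del self.sessions[session_id]
            return None
        return peer_cn


def demo(max_resume_seconds: int = DEFAULT_RESUME_SECONDS, enabled: bool = True) -> dict:
    """Exercise the cache with a constructed session ID and constructed timestamps."""
    cache = ResumptionCache(max_resume_seconds=max_resume_seconds, enabled=enabled)
    sid = bytes(range(32))            # constructed session ID
    t0 = 1_700_000_000.0              # constructed time of the full handshake
    cache.store(sid, "syslog.example.test", t0)  # hypothetical peer CN
    return {
        "within_window": cache.resume(sid, t0 + 1800),
        "after_window": cache.resume(sid, t0 + max_resume_seconds + 1),
        "cached_after_expiry": sid in cache.sessions,
    }


if __name__ == "__main__":
    print(demo())
```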
Configuring Revocation Behavior

You can configure the system behavior if an OCSP responder fails. By default, when all the OCSP responders fail to send a response to an OCSP request, the system accepts the certificate and logs the event. However, you can configure the system to reject the certificate if the OCSP responders fail.
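The failure behavior described above, as an added example (not the guide's or Dell's own code): a Python model of the accept/reject decision for one peer certificate, showing the default accept-and-log outcome beside the configurable reject when every responder fails. The names OcspResult and decide_certificate, the rule that a revoked answer always wins, and the responder outcomes are all assumptions constructed for this example.

```python
from enum import Enum


class OcspResult(Enum):
    GOOD = "good"                # responder vouched for the certificate
    REVOKED = "revoked"          # responder reported the certificate revoked
    UNKNOWN = "unknown"          # responder answered but does not know the certificate
    NO_RESPONSE = "no_response"  # timeout, unreachable responder, or malformed reply


def decide_certificate(responder_results, reject_on_failure=False):
    """Return (accept: bool, events: list[str]) for one peer certificate.

    Assumed semantics (this example's, not the guide's wording): a REVOKED
    answer always rejects, a GOOD answer accepts, and only when every configured
    responder failed to respond does the configured failure behavior apply.
    reject_on_failure=False models the guide's default (accept and log the
    event); reject_on_failure=True models the configurable reject.
    """
    if not responder_results:
        raise ValueError("at least one OCSP responder result is required")
    events = []
    if OcspResult.REVOKED in responder_results:
        events.append("rejected: an OCSP responder reported the certificate revoked")
        return False, events
    if OcspResult.GOOD in responder_results:
        return True, events
    if all(r is OcspResult.NO_RESPONSE for r in responder_results):
        if reject_on_failure:
            events.append("rejected: all OCSP responders failed (reject-on-failure configured)")
            return False, events
        events.append("accepted: all OCSP responders failed (default behavior, event logged)")
        return True, events
    # Responders answered, but none vouched for the certificate (UNKNOWN only).
    events.append("rejected: responders answered but none recognised the certificate")
    return False, events


def demo():
    """Constructed responder outcomes for one TLS peer under both failure settings."""
    outage = [OcspResult.NO_RESPONSE, OcspResult.NO_RESPONSE]
    return {
        "default_on_outage": decide_certificate(outage)[0],
        "reject_on_outage": decide_certificate(outage, reject_on_failure=True)[0],
        "one_responder_up": decide_certificate([OcspResult.NO_RESPONSE, OcspResult.GOOD])[0],
        "revoked_wins": decide_certificate([OcspResult.GOOD, OcspResult.REVOKED])[0],
        "unknown_only": decide_certificate([OcspResult.UNKNOWN, OcspResult.NO_RESPONSE])[0],
    }
```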
• A secure session negotiation fails due to an invalid, expired, or revoked certificate.