Dell Configuration Guide for the S6100–ON System 9.14.1.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2018 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents 1 About this Guide...........................................................................................................................................37 Audience............................................................................................................................................................................37 Conventions.....................................................................................................................................................
Verify Software Images Before Installation...................................................................................................................60 4 Management................................................................................................................................................62 Configuring Privilege Levels............................................................................................................................................
LPC Bus Quality Degradation......................................................................................................................................... 83 LBQA (LPC Bus Quality Analyzer) Failure Detection mode..................................................................................84 Restoring the Factory Default Settings.........................................................................................................................84 Important Points to Remember...............
Allocating FP Blocks for VLAN Processes................................................................................................................... 115 ACL Optimization to Increase Number of Supported IPv4 ACLs..............................................................................116 Restrictions for ACL Optimization.......................................................................................................................... 116 Optimizing ACL for More Number of IPv4 ACL Rules.....
BFD Sessions............................................................................................................................................................ 150 BFD Three-Way Handshake.....................................................................................................................................151 Session State Changes............................................................................................................................................
Route-refresh and Soft-reconfiguration............................................................................................................... 206 Aggregating Routes.................................................................................................................................................209 Filtering BGP Routes................................................................................................................................................
View CAM Usage...........................................................................................................................................................256 Configuring CAM Threshold and Silence Period........................................................................................................ 257 Setting CAM Threshold and Silence Period..........................................................................................................257 CAM Optimization....................
Configuring Shared Head Room Buffer................................................................................................................ 284 Viewing Shared Head Room Usage.......................................................................................................................284 Monitoring Buffer Statistics for Tracking Purposes............................................................................................ 284 Behavior of Tagged Packets..................................
Configuring the DHCP Client System....................................................................................................................318 DHCP Client on a Management Interface.............................................................................................................319 DHCP Client Operation with Other Features.......................................................................................................
Configure a Port for a Bridge-to-Bridge Link.......................................................................................................350 Configure a Port for a Bridge-to-FCF Link...........................................................................................................350 Impact on Other Software Features...................................................................................................................... 351 FIP Snooping Restrictions............................
FRRP Support on VLT...................................................................................................................................................375 Example Scenario.....................................................................................................................................................376 Important Points to Remember..............................................................................................................................
20 Interfaces................................................................................................................................................ 402 Basic Interface Configuration.......................................................................................................................................402 Advanced Interface Configuration...............................................................................................................................402 Interface Types....
Defining Interface Range Macros................................................................................................................................ 426 Define the Interface Range.................................................................................................................................... 426 Choosing an Interface-Range Macro....................................................................................................................
Configuration Tasks for ARP........................................................................................................................................ 455 Configuring Static ARP Entries....................................................................................................................................455 Enabling Proxy ARP.......................................................................................................................................................
Displaying IPv6 Information.....................................................................................................................................477 Displaying an IPv6 Interface Information...............................................................................................................477 Showing IPv6 Routes..............................................................................................................................................
Change the IS-IS Metric Style in One Level Only.................................................................................................512 Leaks from One Level to Another...........................................................................................................................513 Sample Configurations...................................................................................................................................................514 25 In-Service Software Upgrade....
Recovering from Learning Limit and Station Move Violations........................................................................... 540 Disabling MAC Address Learning on the System................................................................................................. 541 Enabling port security.............................................................................................................................................. 541 NIC Teaming................................................
Limitations of the NLB Feature.................................................................................................................................... 573 Microsoft Clustering...................................................................................................................................................... 573 Enable and Disable VLAN Flooding .............................................................................................................................
Reducing Leave Latency...............................................................................................................................................603 Displaying MLD groups table........................................................................................................................................603 Displaying MLD Interfaces............................................................................................................................................
Track Layer 3 Interfaces..........................................................................................................................................636 Track IPv4 and IPv6 Routes................................................................................................................................... 637 Set Tracking Delays.................................................................................................................................................
Viewing the OSPFv3 MIB....................................................................................................................................... 687 36 Policy-based Routing (PBR).................................................................................................................... 688 Overview.........................................................................................................................................................................688 Implementing PBR...
Behavior of Flow-Based Monitoring.......................................................................................................................717 Enabling Flow-Based Monitoring............................................................................................................................ 718 Configuring IPv6 Flow-Based Mirroring................................................................................................................720 Remote Port Mirroring.......................
Honoring dot1p Priorities on Ingress Traffic.......................................................................................................... 757 Configuring Port-Based Rate Policing...................................................................................................................758 Configuring Port-Based Rate Shaping.................................................................................................................. 758 Policy-Based QoS Configurations.................
Setting the RMON Alarm........................................................................................................................................ 801 Configuring an RMON Event.................................................................................................................................. 801 Configuring RMON Collection Statistics..............................................................................................................
Configuring the SSH Server Key Exchange Algorithm....................................................................................... 846 Configuring the HMAC Algorithm for the SSH Server....................................................................................... 847 Configuring the SSH Server Cipher List............................................................................................................... 847 Configuring DNS in the SSH Server...........................................
Layer 2 Protocol Tunneling........................................................................................................................................... 884 Implementation Information....................................................................................................................................886 Enabling Layer 2 Protocol Tunneling......................................................................................................................
Copying the Startup-Config Files to the Server via FTP................................................................................... 909 Copying the Startup-Config Files to the Server via TFTP................................................................................. 909 Copy a Binary File to the Startup-Configuration.................................................................................................. 910 Additional MIB Objects to View Copy Statistics.................................
Add Tagged and Untagged Ports to a VLAN....................................................................................................... 938 Managing Overload on Startup....................................................................................................................................938 Enabling and Disabling a Port using SNMP................................................................................................................ 939 Fetch Dynamic MAC Entries using SNMP........
Configuring SupportAssist Activity............................................................................................................................. 969 Configuring SupportAssist Company.......................................................................................................................... 970 Configuring SupportAssist Person...............................................................................................................................
58 Virtual LANs (VLANs).............................................................................................................................. 997 Default VLAN................................................................................................................................................................. 998 Port-Based VLANs........................................................................................................................................................
PIM-Sparse Mode Configuration Example................................................................................................................1047 Verifying a VLT Configuration..................................................................................................................................... 1048 Additional VLT Sample Configurations....................................................................................................................... 1051 Troubleshooting VLT..........
Components of VXLAN network......................................................................................................................... 1084 Functional Overview of VXLAN Gateway.................................................................................................................1085 VXLAN Frame Format.................................................................................................................................................1085 Components of VXLAN Frame Format....
Route Leaking VRFs..................................................................................................................................................... 1130 Dynamic Route Leaking.................................................................................................................................................1131 Configuring Route Leaking without Filtering Criteria..........................................................................................
Border Gateway Protocol (BGP).......................................................................................................................... 1184 Open Shortest Path First (OSPF)........................................................................................................................ 1185 Intermediate System to Intermediate System (IS-IS)........................................................................................ 1185 Routing Information Protocol (RIP)....................
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S6100–ON platform is available with Dell EMC Networking OS version 9.10(0.0) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
You can set user access rights to commands and command modes using privilege levels. The Dell EMC Networking OS CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
PVST PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP GRUB Navigating CLI Modes The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode Prompt Access Command 40 Gigabit Ethernet Interface DellEMC(conf-if-fo-1/1/1)# interface (INTERFACE modes) 50 Gigabit Ethernet Interface DellEMC(conf-if-fi-1/1/1/1)# interface(INTERFACE modes) 100 Gigabit Ethernet Interface DellEMC(conf-if-hu-1/1/1)# interface(INTERFACE modes) Interface Group DellEMC(conf-if-group)# interface(INTERFACE modes) Interface Range DellEMC(conf-if-range)# interface (INTERFACE modes) Loopback Interface DellEMC(conf-if-lo-0)# interface (INTERFACE
CLI Command Mode Prompt Access Command ROUTER OSPFV3 DellEMC(conf-ipv6router_ospf)# ipv6 router ospf ROUTER RIP DellEMC(conf-router_rip)# router rip SPANNING TREE DellEMC(config-span)# protocol spanning-tree 0 TRACE-LIST DellEMC(conf-trace-acl)# ip trace-list CLASS-MAP DellEMC(config-class-map)# class-map CONTROL-PLANE DellEMC(conf-control-cpuqos)# control-plane-cpuqos DHCP DellEMC(config-dhcp)# ip dhcp server DHCP POOL DellEMC(config-dhcp-pool-name)# pool (DHCP Mode) ECMP DellEMC
The do Command You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC mode command with the do command. The following example shows the output of the do command.
DellEMC(conf-if-te-1/1/1/1)#show config ! interface TenGigabitEthernet 1/1/1/1 no ip address no shutdown Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
Short-Cut Key Combination Action CNTL-I Completes a keyword. CNTL-K Deletes all characters from the cursor to the end of the command line. CNTL-L Re-enters the previous command. CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key. CNTL-P Recalls commands, beginning with the last command. CNTL-R Re-enters the previous command. CNTL-U Deletes the line. CNTL-W Deletes the previous word. CNTL-X Deletes the line.
Example of the grep Keyword DellEMC#show system brief | grep Management 1 Management online S6100-ON S6100-ON DellEMC# 9.10(0.0) 130 NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks. The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command.
If either of these messages appears, Dell EMC Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other’s configuration changes. Configuring alias command You can configure shorter alias names for single–line command input using the alias command. To configure the alias name, perform the following steps: 1 Configure the terminal to enter the Global Configuration mode.
EXEC Privilege mode DellEMC#show alias details DellEMC# show alias details -----------------------------------------------------------------Name: showipbr10 Definition: show ip interface brief | grep tengig ignore-case ----------------------------------------------------------------------------------------------------------------------------------Name: showipbr40 Definition: show ip interface brief | grep fortygig ignore-case -----------------------------------------------------------------DellEMC# 3 Displ
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and system then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port. Serial Console The RS-232 console port and the RJ-45 out-of-band management Ethernet ports are on the left-hand side of the system as you face the I/O side of the chassis, as shown in the following illustration. The USB port is on the right-hand side. Figure 1. RJ-45 Console Port 1 USB port. 2 RS-232 console and RJ-45 out-of-band management Ethernet ports.
Table 2. Pin Assignments Between the Console and a DTE Terminal Server Console Port RJ-45 to RJ-45 Rollover RJ-45 to RJ-45 Rollover RJ-45 to DB-9 Adapter Cable Cable Terminal Server Device Signal RJ-45 Pinout RJ-45 Pinout DB-9 Pin Signal RTS 1 8 8 CTS NC 2 7 6 DSR TxD 3 6 2 RxD GND 4 5 5 GND GND 5 4 5 GND RxD 6 3 3 TxD NC 7 2 4 DTR CTS 8 1 7 RTS Micro USB-B Access The Micro USB type B console port is on the I/O side.
Default Configuration Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power up the system first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI. Configuring a Host Name The host name appears in the prompt. The default host name is DellEMC. • Host names must start with a letter and end with a letter or digit. • Characters within the string can be letters, digits, and hyphens.
no shutdown Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command. • Configure a management route to the network from which you are accessing the system.
NOTE: dynamic-salt option is shown only with secret and password options. In dynamic-salt configuration, the length of type 5 secret and type 7 password is 32 and 16 characters more compared to the secret and password length without dynamic-salt configuration. An error message appears if the username command reaches the maximum length, which is 256 characters. The dynamic-salt support for the user configuration is added in REST API.
• To copy a remote file to Dell EMC Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location. Table 3.
Table 4. Mounting an NFS File System File Operation Syntax To mount an NFS file system: mount nfs rhost:path mountpoint username password The foreign file system remains mounted as long as the device is up and does not reboot. You can run the file system commands without having to mount or un-mount the file system each time you run a command. When you save the configuration using the write command, the mount command is saved to the startup configuration.
24 bytes successfully copied DellEMC# DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ? flash: Copy to local file system ([flash://]filepath) nfsmount: Copy to nfs mount file system (nfsmount:///filepath) running-config remote host: Destination file name [test.c]: ! 225 bytes successfully copied DellEMC# Save the Running-Configuration The running-configuration contains the current system configuration. Dell EMC Networking recommends coping your running-configuration to the startup-configuration.
• dir flash: View the running-configuration. EXEC Privilege mode • show running-config View the startup-configuration. EXEC Privilege mode show startup-config Example of the dir Command The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
show file-systems The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, read/write privileges for each storage device in use.
In the Dell EMC Networking OS release 9.8(0.0), HTTP services support the VRF-aware functionality. If you want the HTTP server to use a VRF table that is attached to an interface, configure that HTTP server to use a specific routing table. You can use the ip http vrf command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address.
• flash: (Optional) Specifies the flash drive. The default uses the flash drive. You can enter the image file name. • hash-value: (Optional). Specify the relevant hash published on iSupport.
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Creating a Custom Privilege Level Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by: • restricting access to an EXEC mode command • moving commands from EXEC Privilege to EXEC mode • restricting access A user can access all commands at his privilege level and below.
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4 • allows access to CONFIGURATION mode with the banner command • allows access to INTERFACE tengigabitethernet and LINE modes are allowed with no commands • Remove a command from the list of available commands in EXEC mode. CONFIGURATION mode • privilege exec level level {command ||...|| command} Move a command from EXEC Privilege to EXEC mode. CONFIGURATION mode • privilege exec level level {command ||...
exit Exit from interface configuration mode DellEMC(conf-if-te-1/1/2/1)#exit DellEMC(conf)# DellEMC(conf)#line ? console Primary terminal line vty Virtual terminal DellEMC(conf)#line vty 0 DellEMC(config-line-vty)#exit DellEMC(conf)# Applying a Privilege Level to a Username To set the user privilege level, use the following command. • Configure a privilege level for a user.
CONFIGURATION mode no logging console Audit and Security Logs This section describes how to configure, display, and clear audit and security logs. The following is the configuration task list for audit and security logs: • Enabling Audit and Security Logs • Displaying Audit and Security Logs • Clearing Audit Logs Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network.
Example of Enabling Audit and Security Logs DellEMC(conf)#logging extended Displaying Audit and Security Logs To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs.
Figure 2. Setting Up a Secure Connection to a Syslog Server Pre-requisites To configure a secure connection from the switch to the syslog server: 1 On the switch, enable the SSH server DellEMC(conf)#ip ssh server enable 2 On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using following syntax: ssh -R :: user@remote_host -nNf In the following example the syslog server IP address is 10.156.166.
Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file. – Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log – Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log In the previous lines, local7 is the logging facility level and debugging is the severity level.
Display Login Statistics To view the login statistics, use the show login statistics command. Example of the show login statistics Command The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period. DellEMC#show login statistics -----------------------------------------------------------------User: admin Last login time: 12:52:01 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.
Example of the show login statistics user user-id command The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period. DellEMC# show login statistics user admin -----------------------------------------------------------------User: admin Last login time: 12:52:01 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.
login concurrent-session limit number-of-sessions Example of Configuring Concurrent Session Limit The following example limits the permitted number of concurrent login sessions to 4. DellEMC(config)#login concurrent-session limit 4 Enabling the System to Clear Existing Sessions To enable the system to clear existing login sessions, follow this procedure: • Use the following command.
Enabling Secured CLI Mode The secured CLI mode prevents the users from enhancing the permissions or promoting the privilege levels. • Enter the following command to enable the secured CLI mode: CONFIGURATION Mode secure-cli enable After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled. If you do not want to enter the secured mode, do not save the running-configuration.
To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration. To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.
– lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system use) – sys10 (system use) – sys11 (system use) – sys12 (system use) – sys13 (system use) – sys14 (system use) – syslog (for syslog messages) – user (for user programs) – uucp (UNIX to UNIX copy protocol) Example of the show running-config logging Command To view nondefault settings, use the show running-config logging command in EXEC mode.
• limit: the range is from 20 to 300. The default is 20. To view the logging synchronous configuration, use the show config command in LINE mode. Enabling Timestamp on Syslog Messages By default, syslog messages include a time/date stamp, taken from the datetime, stating when the error or message was created. To enable timestamp, use the following command. • Add timestamp to syslog messages.
Enabling the FTP Server To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode. • Enable FTP on the system. CONFIGURATION mode ftp-server enable Example of Viewing FTP Configuration DellEMC#show running ftp ! ftp-server enable ftp-server username nairobi password 0 zanzibar DellEMC# Configuring FTP Server Parameters After you enable the FTP server on the system, you can configure different parameters.
– For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information. – For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the stack/slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a port channel interface, enter the keywords port-channel then a number. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Example of an ACL that Permits Terminal Access Example Configuration To view the configuration, use the show config command in LINE mode. DellEMC(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 DellEMC(config-std-nacl)#line vty 0 DellEMC(config-line-vty)#show config line vty 0 access-class myvtyacl DellEMC(conf-ipv6-acl)#do show run acl ! ip access-list extended testdeny seq 10 deny ip 30.1.1.
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6] 2 Apply the method list from Step 1 to a terminal line. CONFIGURATION mode login authentication {method-list-name | default} 3 If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
Using Telnet to get to Another Network Device To telnet to another device, use the following commands. NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime. • Telnet to a device with an IPv4 or IPv6 address.
Example of Locking CONFIGURATION Mode for Single-User Access DellEMC(conf)#configuration mode exclusive auto BATMAN(conf)#exit 3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console DellEMC#config ! Locks configuration mode exclusively. DellEMC(conf)# If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive configuration mode.
Usage Information Version Description 9.11(2.0) Introduced on the C9010, S3048–ON, S6100–ON and Z9100–ON. Enables Intel CPU LPC (Low Pin Count) clock-failure monitoring and issues a warning syslog to the user to take appropriate action if signal degradation is seen. LBQA (LPC Bus Quality Analyzer) Failure Detection mode The following functions are performed as a part of this mode: 1 The LBQA will be started as part of FTOS application init (typically as a poller in sysd).
-----------------------1 Success Power-cycling the unit(s). .... Restoring Factory Default Environment Variables The Boot line determines the location of the image that is used to boot up the chassis after restoring factory default settings. Ideally, these locations contain valid images, using which the chassis boots up. When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
file name : systemb BOOT_USER # To boot from network: BOOT_USER # boot change primary boot device : tftp file name : FTOS-SI-9-5-0-169.bin Server IP address : 10.16.127.35 BOOT_USER # 4 Assign an IP address and netmask to the Management Ethernet interface. BOOT_USER # interface management ethernet ip address ip_address_with_mask For example, 10.16.150.106/16. 5 Assign an IP address as the default gateway for the system. default-gateway gateway_ip_address For example, 10.16.150.254.
The following example shows how to reload the system: DellEMC# reload Proceed with reload [confirm yes/no]: yes The following example shows how to reload the system into Dell diagnostics mode: DellEMC#reload dell-diag Proceed with reload [confirm yes/no]: yes The following example shows how to reload the system into ONIE mode: DellEMC#reload onie Proceed with reload [confirm yes/no]: yes The following example shows how to reload the system into ONIE prompt and enter the install mode directly: DellEMC#reload
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
Figure 4. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
• • • • • • Configuring Dynamic VLAN Assignment with Port Authentication Guest and Authentication-Fail VLANs Multi-Host Authentication Multi-Supplicant Authentication MAC Authentication Bypass Dynamic CoS with 802.1X Port-Authentication Process The authentication process begins when the authenticator senses that a link status has changed from down to up: 1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
Figure 6. EAP Over RADIUS RADIUS Attributes for 802.1X Support Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X Enable 802.1X globally. Figure 7. 802.1X Enabled 1 Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2 Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3 Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Examples of Verifying that 802.1X is Enabled Globally and on an Interface Verify that 802.
In the following example, the bold lines show that 802.1X is enabled. DellEMC#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface TenGigabitEthernet 1/1/1/1 no ip address dot1x authentication no shutdown ! DellEMC# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. DellEMC#show dot1x interface TenGigabitEthernet 1/1/1/1 802.
802.1x profile information ----------------------------Dot1x Profile test Profile MACs 00:00:00:00:01:11 Configuring MAC addresses for a do1x Profile To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses. • Configure a list of MAC addresses for a dot1x profile. DOT1X PROFILE CONFIG (conf-dot1x-profile) mac mac-address mac-address — Enter the keyword mac and type up to the 48– bit MAC addresses using the nn:nn:nn:nn:nn:nn format.
Untagged VLAN id: Guest VLAN: Guest VLAN id: Auth-Fail VLAN: Auth-Fail VLAN id: Auth-Fail Max-Attempts:3 Critical VLAN: Critical VLAN id: Mac-Auth-Bypass Only: Static-MAB: Static-MAB Profile: Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Auth Type: Auth PAE State: Backend State: None Enable 100 Enable 200 Enable 300 Disable Enable Sample 90 seconds 120 seconds 10 30 seconds 30 seconds 7200 seconds 10 SINGLE_HOST Authenticated Idle Configuring Criti
Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Host Mode: Auth PAE State: Backend State: 30 seconds 30 seconds 3600 seconds 2 SINGLE_HOST Authenticated Idle Configuring Request Identity Re-Transmissions When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame.
Example of Configuring and Verifying Port Authentication The following example shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame: • after 90 seconds and a maximum of 10 times for an unresponsive supplicant • re-transmits an EAP Request Identity frame The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
802.1x information on Te 1/1/1/1: ----------------------------Dot1x Status: Enable Port Control: AUTO Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Forcibly Authorizing or Unauthorizing a Port The 802.
Auth PAE State: Backend State: Initialize Initialize Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds by default, and you can configure this interval.
1 The host sends a dot1x packet to the Dell EMC Networking system 2 The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3 The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using TunnelPrivate-Group-ID The illustration shows the configuration on the Dell EMC Networking system before connecting the end user device in black and blue text, and after connecting the device in red text.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
! interface TenGigabitEthernet 1/1/1/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown DellEMC(conf-if-Te-1/1/1/1)# Example of Viewing Configured Authentication View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode. 802.
Example of Viewing Configured Server Timeouts The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts. DellEMC(conf-if-Te-1/1/1/1)#dot1x port-control force-authorized DellEMC(conf-if-Te-1/1/1/1)#do show dot1x interface TenGigabitEthernet 1/1/1/1 802.
When multiple end users are connected to a single authenticator port, single-host mode authentication does not authenticate all end users, and all but one are denied access to the network. For these cases, the Dell EMC Networking OS supports multi-host mode authentication. Figure 10. Multi-Host Authentication Mode When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored.
802.
Multi-Supplicant Authentication 802.1X multi-supplicant authentication enables multiple devices on a single authenticator port to access the network by authenticating each device. In addition, multi-supplicant authentication uses dynamic MAC-based VLAN assignment to place devices on different VLANs.
Untagged VLAN id: Auth PAE State: Backend State: 400 Authenticated Idle Restricting Multi-Supplicant Authentication To restrict the number of devices that 802.1X can authenticate on a port in multi-supplicant (multi-auth) mode, enter the dot1x maxsupplicants number command in Interface mode. By default, the maximum number of multi-supplicant devices is 128.
MAB in Multi-Supplicant Authentication Mode Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to authenticate a supplicant using 802.1X. 802.1X times out if the supplicant does not respond to the Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants that 802.
Guest VLAN id: Auth-Fail VLAN: Auth-Fail VLAN id: Auth-Fail Max-Attempts: Critical VLAN: Critical VLAN id: Mac-Auth-Bypass: Mac-Auth-Bypass Only: Static-MAB: Static-MAB Profile: Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Host Mode: Auth PAE State: Backend State: NONE Disable NONE NONE Disable NONE Enable Disable Disable NONE 30 seconds 60 seconds 2 30 seconds 30 seconds 3600 seconds 2 SINGLE_HOST Authenticated Idle Dynamic CoS with 802.
4 5 6 7 • 3 1 2 4 4 5 2 4 0 0 0 2 The priority of untagged packets is assigned according to the remapped value of priority 0 traffic in the RADIUS-based table. For example, in the following remapping table, untagged packets are tagged with priority 2: DellEMC#show dot1x cos-mapping interface TenGigabitethernet 2/3 802.1Xp CoS remap table on Te 2/3: ----------------------------Dot1p Remapped Dot1p 0 2 1 6 2 5 3 4 4 3 5 2 6 1 7 0 • After being re-tagged by dynamic CoS for 802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
• The ACL VLAN group is deleted and it does not contain VLAN members. • The ACL is applied or removed from a group and the ACL group does not contain a VLAN member. • The description of the ACL group is added or removed. Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The interfaces where you apply the ACL VLAN group function as restricted interfaces.
description description 3 Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4 Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
EXEC Privilege mode DellEMC#show cam-usage switch Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|============|============|============= 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 Codes: * - cam usage is above 90%. Viewing CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub- partitions) using the show cam-usage command in EXEC Privilege mode.
| | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL 2 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL 3 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL Codes: * - cam usage is above 90%.
• To allocate the number of FP blocks for ACL VLAN optimization, use the cam-acl-vlan vlanaclopt <0-2> command. To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default. You must also allocate the slices for CAM optimization. To display the number of FP blocks that is allocated for the different VLAN services, use the show cam-acl-vlan command.
After the system reloads, the Dell Networking OS enables the feature. DellEMC(conf)#feature acloptimized Configuration change will be in effect after save and reload. ACL config containing TTL, layer3 and VRF conflicts with ACL Cam optimzation feature and these keywords would be discarded while applying the ACL.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Topics: • IP Access Control Lists (ACLs) • Important Points to Remember • IP Fragment Handling • Configure a Standard IP ACL • Configure an Extended IP ACL • Configure Layer 2 and Layer 3 ACLs • Assign an IP ACL to an Interface • Applying an IP ACL • Configure Ingress ACLs • Configure Egress ACLs • IP Prefix Lists • ACL Remarks • ACL Resequencing • Route Maps IP Access Control Lists (ACLs) In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: stand
User Configurable CAM Allocation Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 9 FP blocks. (There are 12 FP blocks, but System Flow requires three blocks that cannot be reallocated.) Enter the ipv6acl allocation as a factor of 3 (3, 6, 9). All other profile allocations can use either even or odd numbered ranges.
In the Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is lesser than what is required for your set of ACL rules. Effective with the Dell EMC Networking OS version 9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule.
DellEMC(conf-policy-map-in)#service-queue 7 class-map cmap1 DellEMC(conf-policy-map-in)#service-queue 4 class-map cmap2 DellEMC(conf-policy-map-in)#exit DellEMC(conf)#interface te 10/1/1 DellEMC(conf-if-te-10/1/1)#service-policy input pmap Configure ACL Range Profiles Dell EMC Networking OS allows L3 ACLs to configure range of L4 source and destination ports using the operators and range of ports. This results in multiple ACL entries that use more space in the forwarding table.
Important Points to Remember • • • For route-maps with more than one match clause: – Two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation. – Two or more match clauses within the same route-map sequence have different match commands, matching a packet against these clauses is a logical AND operation.
command, such as redistribute, traffic passes through all instances of that route map until a match is found. The following is an example with two instances of a route map. The following example shows matching instances of a route-map.
DellEMC(config-route-map)#match tag 2000 DellEMC(config-route-map)#match tag 3000 Example of the match Command to Match All Specified Values In the next example, there is a match only if a route has both of the specified characteristics. In this example, there a match only if the route has a tag value of 1000 and a metric value of 2000. Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that routemap.
CONFIG-ROUTE-MAP mode match ip address prefix-list-name • Match destination routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode match ipv6 address prefix-list-name • Match next-hop routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode match ip next-hop {access-list-name | prefix-list prefix-list-name} • Match next-hop routes specified in a prefix list (IPv6).
• set automatic-tag Specify an OSPF area or ISIS level for redistributed routes. CONFIG-ROUTE-MAP mode • set level {backbone | level-1 | level-1-2 | level-2 | stub-area} Specify a value for the BGP route’s LOCAL_PREF attribute. CONFIG-ROUTE-MAP mode • set local-preference value Specify a value for redistributed routes. CONFIG-ROUTE-MAP mode • set metric {+ | - | metric-value} Specify an OSPF or ISIS type for redistributed routes.
In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF. According to the route map static ospf, only routes that have a next hop of interface 1/1/1/1 and that have a metric of 255 are redistributed into the OSPF backbone area. NOTE: When re-distributing routes using route-maps, you must create the route-map defined in the redistribute command under the routing protocol.
IP Fragment Handling Dell EMC Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/ deny ip/tcp/udp/icmp). • Both standard and extended ACLs support IP fragments. • Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments.
• If a packet's FO = 0, the next ACL line is processed. Example of Permitting All Packets from a Specified Host In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied. DellEMC(conf)#ip access-list extended ABC DellEMC(conf-ext-nacl)#permit tcp host 10.1.1.
Example of Viewing the Rules of a Specific ACL on an Interface The following is an example of viewing the rules of a specific ACL on an interface. DellEMC#show ip accounting access-list ToOspf interface gig 1/6 Standard IP access list ToOspf seq 5 deny any seq 10 deny 10.2.0.0 /16 seq 15 deny 10.3.0.0 /16 seq 20 deny 10.4.0.0 /16 seq 25 deny 10.5.0.0 /16 seq 30 deny 10.6.0.0 /16 seq 35 deny 10.7.0.0 /16 seq 40 deny 10.8.0.0 /16 seq 45 deny 10.9.0.0 /16 seq 50 deny 10.10.0.
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode. The following examples shows how to view a standard ACL filter sequence for an interface. DellEMC#show ip accounting access example interface gig 4/12 Extended IP access list example seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 monitor 300 seq 40 permit udp host 10.
seq 35 permit tcp any range www 194 any eq 101 seq 40 permit udp any eq 434 any gt mobile-ip seq 45 deny udp any eq 53 any lt ntp Configure Filters, ICMP Packets To create a filter for ICMP packets with a specified sequence number, use the following commands. 1 Create either an extended IPv4 or IPv6 ACL and assign it a unique name. CONFIGURATION mode ip access-list extended access-list-name ipv6 access-list extended access-list-name 2 Configure an extended IP ACL filter for ICMP packets.
seq seq seq seq seq 25 30 35 40 45 permit permit permit permit permit icmp icmp icmp icmp icmp any any any any any any any any any any packet-too-big count parameter-problem count time-exceeded count dest-unreachable count port-unreachable count DellEMC(config-ext-nacl)#show ipv6 accounting access-list ! Extended Ingress IPv6 access list icmpv6 on TenGigabitEthernet 1/1/1/1 Total cam count 9 seq 5 permit icmp any any echo count (40 packets) seq 10 permit icmp any any echo-reply count (50 packets) seq
The example below shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order. DellEMC(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log monitor 501 DellEMC(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any DellEMC(config-ext-nacl)#show config ! ip access-list extended dilling seq 5 permit tcp 12.1.0.0 0.0.255.
• When Dell EMC Networking OS routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When Dell EMC Networking OS switches the packets, first the L3 ACL filters them, then the L2 ACL filters them. • When Dell EMC Networking OS switches the packets, the egress L3 ACL filters the packet.
NOTE: • The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. • 4 One of the usage scenarios is to avoid ACL being applied on the L2 traffic which comes in via ICL. The layer 3 keyword can be used at the VLAN level. Apply rules to the new ACL.
DellEMC(conf)#ip access-list extended abcd DellEMC(config-ext-nacl)#permit tcp any any DellEMC(config-ext-nacl)#deny icmp any any DellEMC(config-ext-nacl)#permit 1.1.1.2 DellEMC(config-ext-nacl)#end DellEMC#show ip accounting access-list ! Extended Ingress IP access list abcd on tengigabitethernet 1/1/1/1 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are applied to line cards and affect the traffic leaving the system.
DellEMC(conf-if-te-1/1/2/1)#end DellEMC# Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. Implementation Information In Dell EMC Networking OS, prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists.
ip prefix-list juba seq 12 deny 134.23.0.0/16 seq 15 deny 120.0.0.0/8 le 16 seq 20 permit 0.0.0.0/0 le 32 DellEMC(conf-nprefixl)# NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Examples of the show ip prefix-list Command The following example shows the show ip prefix-list detail command. DellEMC>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.
network 10.0.0.0 DellEMC(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. • Enter OSPF mode. CONFIGURATION mode • router ospf Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
ip access-list {extended | standard} access-list-name ipv6 access-list {extended | standard} access-list-name 2 Define the ACL rule. CONFIG-EXT-NACL mode or CONFIG-STD-NACL seq sequence-number {permit | deny} options 3 Write a remark. CONFIG-EXT-NACL mode or CONFIG-STD-NACL remark [remark-number] remark-text The remark number is optional.
ACL Resequencing ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. To order new rules using the current numbering scheme, use resequencing whenever there is no opportunity. For example, the following table contains some rules that are numbered in increments of 1.
ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 DellEMC# end DellEMC# resequence access-list ipv4 test 2 2 DellEMC# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists; however, where the packet or traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not redistributed. The implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all traffic matches the route map and the set command applies.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 11. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time. NOTE: Dell EMC Networking OS supports Asynchronous mode only. A session can have four states: Administratively Down, Down, Init, and Up. State Description Administratively Down The local system does not participate in a particular session.
Figure 12.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 13.
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 14. Establishing a BFD Session on Physical Ports 1 Enter interface mode. CONFIGURATION mode interface 2 Assign an IP address to the interface if one is not already assigned.
Int: TenGigabitEthernet 1/1/4/1 State: Up Configured parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Neighbor parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Actual parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Role: Active Delete session on Down: False Client Registered: CLI Uptime: 00:03:57 Statistics: Number of packets received from neighbor: 1775 Number of packets sent to neighbor: 1775 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/
Disabling and Re-Enabling BFD BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If you disable BFD, all of the sessions on that interface are placed in an Administratively Down state ( the first message example), and the remote systems are notified of the session state change (the second message example). To disable and re-enable BFD on an interface, use the following commands. • Disable BFD on an interface.
Establishing Sessions for Static Routes for Default VRF Sessions are established for all neighbors that are the next hop of a static route on the default VRF. Figure 15. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route.
ip route bfd vrf vrf-name [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}] Example Configuration and Verification The following example contains static routes for both default and nondefault VRFs. Dell#sh run | grep bfd bfd enable ip route bfd prefix-list p4_le ip route bfd vrf vrf1 ip route bfd vrf vrf2 ip route bfd vrf vrf1 prefix-list p4_le The following example shows that sessions are created for static routes for the default VRF.
Establishing Static Route Sessions on Specific Neighbors You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list. When you establish a BFD session using the ip route bfd command, all the next-hop neighbors in the static route become part of the BFD session. Starting with Dell EMC Networking OS release 9.11.0.0, you can enable BFD sessions on specific next-hop neighbors.
CONFIGURATION mode ip route bfd [prefix-list prefix-list-name] interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command. Disabling BFD for Static Routes If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
B C I O O3 R M V VT - LocalAddr * 11::1 BGP CLI ISIS OSPF OSPFv3 Static Route (RTM) MPLS VRRP Vxlan Tunnel RemoteAddr 11::2 Interface Te 1/1/1 State Rx-int Tx-int Mult Clients Up 200 200 3 R To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
The following example shows that sessions are created for static routes for the nondefault VRFs.
Establishing Sessions with OSPF Neighbors for the Default VRF BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 16. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Enable BFD globally.
INTERFACE mode ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1/1 Up 100 100 3 O 2.2.3.
B C I O O3 R M V VT - BGP CLI ISIS OSPF OSPFv3 Static Route (RTM) MPLS VRRP Vxlan Tunnel LocalAddr * 5.1.1.1 RemoteAddr 5.1.1.2 Interface Po 30 State Rx-int Tx-int Mult Up 200 200 3 Clients O * 6.1.1.1 6.1.1.2 Vl 30 Up 200 200 3 O * 7.1.1.1 7.1.1.2 Te 1/1/1/1 Up 200 200 3 O The following example shows the show bfd vrf neighbors command output showing the nondefault VRF.
Number of messages communicated b/w Manager and Agent: 4 Session Discriminator: 7 Neighbor Discriminator: 2 Local Addr: 6.1.1.1 Local MAC Addr: 00:a0:c9:00:00:02 Remote Addr: 6.1.1.
ROUTER-OSPF mode bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] • Change parameters for all OSPF sessions on an interface. INTERFACE mode ip ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command.
• Establish sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors To view the established sessions, use the show bfd neighbors command. The following example shows the show bfd neighbors command output for default VRF. DellEMC#show bfd neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF O3 - OSPFv3 R - Static Route (RTM) M - MPLS V - VRRP VT - Vxlan Tunnel LocalAddr * 1.1.1.1 RemoteAddr 1.1.1.
The following example shows the configuration to establish sessions with all OSPFv3 neighbors on a single interface in a specific VRF: interface vlan 102 ip vrf forwarding vrf vrf1 ipv6 ospf bfd all-neighbors The following example shows the show bfd vrf neighbors command output for nondefault VRF: DellEMC#show bfd vrf vrf1 neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF O3 - OSPFv3 R - Static Route (RTM) M - MPLS V - VRRP VT - Vxlan Tunnel LocalAddr Clients * 10.1.1.
• Change parameters for OSPFv3 sessions on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state.
Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 17. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode • bfd all-neighbors Establish sessions with IS-IS neighbors on a single interface.
Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 18.
Prerequisites Before configuring BFD for BGP, you must first configure the following settings: • Configure BGP on the routers that you want to interconnect. Establishing Sessions with BGP Neighbors for Default VRF To establish sessions with either IPv6 or IPv4 BGP neighbors for the default VRF, follow these steps: 1 Enable BFD globally. CONFIGURATION mode bfd enable 2 Specify the AS number and enter ROUTER BGP configuration mode.
DellEMC(conf-router_bgp)#address-family ipv6 unicast DellEMC(conf-router_bgpv6_af)#neighbor 20::2 activate DellEMC(conf-router_bgpv6_af)#exit DellEMC(conf-router_bgp)#bfd all-neighbors DellEMC(conf-router_bgp)#show config ! router bgp 1 neighbor 10.1.1.2 remote-as 2 neighbor 10.1.1.
9 Activate the neighbor in IPv6 address family. CONFIG-ROUTERBGPv6_ADDRESSFAMILY mode neighbor ipv6-address activate 10 Configure parameters for a BFD session established with all neighbors discovered by BGP. Or establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters. CONFIG-ROUTERBGP mode bfd all-neighbors DellEMC(conf)#router bgp 1 DellEMC(conf-router_bgp)#address-family ipv4 vrf vrf1 DellEMC(conf-router_bgp_af)#neighbor 10.1.1.
• Verify a BFD for BGP configuration. EXEC Privilege mode show running-config bgp • Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line listing of established BFD adjacencies is displayed. EXEC Privilege mode • show bfd neighbors [interface] [detail] Check to see if BFD is enabled for BGP connections. EXEC Privilege mode • show ip bgp summary Displays routing information exchanged with BGP neighbors, including BFD for BGP sessions.
Remote MAC Addr: 00:01:e8:8a:da:7b Int: TenGigabitEthernet 1/1/1/1 State: Up Configured parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Neighbor parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Actual parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Role: Active Delete session on Down: True Client Registered: BGP Uptime: 00:07:55 Statistics: Number of packets received from neighbor: 4762 Number of packets sent to neighbor: 4490 Number of state changes: 2 Number of messages from IFA about port state change: 0
• Message displays when you enable a BFD session with a BGP neighbor using the neighbor ip-address bfd command. • Message displays when you enable a BGP neighbor in a peer group for which you enabled a BFD session using the neighbor peergroup-name bfd command R2# show ip bgp neighbors 2.2.2.2 BGP neighbor is 2.2.2.2, remote AS 1, external link BGP version 4, remote router ID 12.0.0.
Configure BFD for VRRP When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process: 1 Enable BFD globally. Refer to Enabling BFD Globally.
Establishing VRRP Sessions on VRRP Neighbors The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session the backup router. To establish a session with a particular VRRP neighbor, use the following command. • Establish a session with a particular VRRP neighbor.
INTERFACE mode vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] • Change parameters for a particular VRRP session. INTERFACE mode vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command. Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down.
9 Border Gateway Protocol (BGP) Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select different path by altering some of the BGP attributes.
BGP Autonomous Systems BGP autonomous systems (ASs) are a collection of nodes under common administration with common network routing policies. Devices in the AS use IGP to communicate with one another. For devices in different AS to communicate, they need to use EGP. BGP is the EGP which allows the devices to communicate. Each AS has a number, which an internet authority already assigns. You do not assign the BGP number.
Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh.” This is a topology that has every router directly connected to every other router. Each BGP router within an AS must have iBGP sessions with all other BGP routers in the AS. For example, a BGP network within an AS needs to be in “full mesh.
• All AS numbers between 0 and 65535 are represented as a decimal number when entered in the CLI and when displayed in the show commands output. • AS numbers larger than 65535 are represented using ASPLAIN notation. When entered in the CLI and when displayed in the show commands output, 65546 is represented as 65546. ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): ..
Example of the Running Configuration When AS Notation is Disabled AS NOTATION DISABLED DellEMC(conf-router_bgp)#no bgp asnotation DellEMC(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
MBGP uses either an IPv4 address configured on the interface (which is used to establish the IPv6 session) or a stable IPv4 address that is available in the box as the next-hop address. As a result, while advertising an IPv6 network, exchange of IPv4 routes does not lead to martian next-hop message logs. NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP.
BGP global and address family configuration Implementing BGP is divided into global and address family configuration. BGP configuration command levels are grouped as high level and address family configuration. All independent commands are grouped at the beginning of the configuration and followed by separate sub commands specific to each address family. Following is the order of BGP configuration: • Global configuration — General configuration that is applied to BGP.
Item Default Distance external distance = 20 internal distance = 200 local distance = 200 Timers keepalive = 60 seconds holdtime = 180 seconds Add-path Disabled BGP Attributes for selecting Best Path Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
NOTE: The bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from loadbalancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error results if you configure the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command at the same time. Only enable one command at a time.
10 a the IBGP multipath or EBGP multipath are configured (the maximum-path command). b the paths being compared were received from the same AS with the same number of ASs in the AS Path but with different NextHops. c the paths were received from IBGP or EBGP neighbor respectively. If the bgp bestpath router-id ignore command is enabled and: a if the Router-ID is the same for multiple paths (because the routes were received from the same route) skip this step.
Figure 23. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 24. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
both IGP and BGP convergence and can be a lengthy process. BGP add-path also helps switchover to the next new best path when the current best path is unavailable. Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value.
Router C without immediately updating Router C’s configuration. Local-AS allows this behavior to happen by allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned. Figure 25. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature.
• The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASN in each segment starting from 0. For example, an AS path list of {200 300 400} 500 consists of two segments: {200 300 400} with segment index 0 and 500 with segment index 1. ASN 200, 300, and 400 are assigned 0, 1, and 2 element indices in that order.
• deterministic multi-exit discriminator (MED) (default) • a path with a missing MED is treated as worst path and assigned an MED value of (0xffffffff) • the community format follows RFC 1998 • delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions) The following are not yet supported: • auto-summarization (the default is no auto-summary) • synchronization (the default is no synchronization) Basic BGP configurat
NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically. 2 Add a BGP neighbor or peer and AS number. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address| peer-group name} remote-as as-number • ip-address: IPv4 address of the neighbor • ipv6-address: IPv6 address of the neighbor • peer-group name: Name of the peer group. It can contain 16 characters. • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.
To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example. For BGP neighbor configuration information, use the show running-config bgp command in EXEC Privilege mode as shown in the second example. NOTE: The showconfig command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command.
neighbor {ip-address | ipv6–address | peer-group-name} remote-as as-number • Enable the neighbor. CONFIG-ROUTERBGP mode neighbor ip-address | ipv6-address | peer-group-name no shutdown • Specify the IPv4 address family configuration. CONFIG-ROUTER-BGP mode address-family ipv4 [multicast | vrf vrf-name] multicast — Specifies the IPv4 multicast address family. vrf vrf-name — Specifies the name of VRF instance associated with the IPv4 address-family configuration.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If you do not implement 4-Byte AS numbers, only ASPLAIN representation is supported. Only one form of AS number representation is supported at a time. You cannot combine the types of representations within an AS. To configure AS4 number representations, use the following commands. • Enable ASPLAIN AS Number representation.
neighbor 172.30.1.250 no shutdown 5332332 9911991 65057 18508 12182 7018 46164 i Configuring a BGP VRF address family To perform BGP configuration between two neighbors that must exchange IPv6 or IPv4 VRF information, use the following commands. Following are the steps to configure BGP VRF address-family between two peers. • Configure a VRF routing table. CONFIG mode ip vrf vrf-name • For more information on VRF configuration, see Virtual Routing and Forwarding (VRF).
DellEMC(conf-router_bgpv6_af)# neighbor 50.0.0.2 activate DellEMC(conf-router_bgp)# exit Following is the output of show ip bgp vrf vrf1 summary command for the above configuration. DellEMC#show ip bgp vrf vrf1 summary BGP router identifier 1.1.1.1, local AS number 100 BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 1 neighbor(s) using 16384 bytes of memory Neighbor 50.0.0.
If you specify a BGP peer group by using the peer-group-name argument, all members of the peer group inherit the characteristic configured with this command. • Enable soft-reconfiguration for the BGP neighbor specified. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address | peer-group-name} soft-reconfiguration inbound BGP stores all the updates received by the neighbor but does not reset the peer-session.
If neighbor soft-reconfiguration inbound command is not configured ever in the router, then doing a soft reset is enough for the route refresh updates to be sent. Route-refresh updates for IPv4 and IPv6 prefixes This section explains the route-refresh functionality in different combinations for IPv4 or IPv6 prefix configured with IPv4 or IPv6 neighbors. By default, the IPv4 prefixes is sent for all the neighbors irrespective of IPv4 address family is enabled or disabled.
May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56 May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin metric 0,
Filtering BGP Routes Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs or IP community lists (using a route map) to control which routes the BGP neighbor or peer group accepts and advertises. Prefix lists filter routes based on route and prefix length, while AS-Path ACLs filter routes based on the ASN. Route maps can filter and set conditions, change attributes, and assign update policies.
• ip-address or ipv6-address or peer-group-name: enter the neighbor’s IPv4 or IPv6 address or the peer group’s name. • map-name: enter the name of a configured route map. • in: apply the route map to inbound routes. • out: apply the route map to outbound routes.
Example configuration for filtering BGP routes using AS-PATH information Following is the sample configuration for filtering BGP routes using AS-PATH information DellEMC# configure terminal DellEMC(conf)# ip as-path access-list 100 deny ^500$ DellEMC(conf)# ip as-path access-list 100 permit .* DellEMC(conf)# router bgp 400 DellEMC(conf_router_bgp)# neighbor 10.10.10.1 remote-as 450 DellEMC(conf_router_bgp_af)# address-family ipv4 multicast DellEMC(conf_router_bgp_af)# neighbor 10.10.10.
neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number • peer-group Name: 16 characters. • as-number: the range is from 0 to 65535 (2-Byte) or 1 to 4294967295 | 0.1 to 65535.65535 (4-Byte) or 0.1 to 65535.65535 (Dotted format) To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command.
To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION-ROUTER-BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members. When you disable a peer group, all the peers within the peer group that are in the ESTABLISHED state move to the IDLE state. To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege mode, as shown in the following example.
Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int te 1/1/2/1 R1(conf-if-te-1/1/2/1)#ip address 10.0.1.21/24 R1(conf-if-te-1/1/2/1)#no shutdown R1(conf-if-te-1/1/2/1)#show config ! interface TengigabitEthernet 1/1/2/1 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.
! interface TengigabitEthernet 1/1/4/1 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int te 3/21/1 R3(conf-if-te-3/21/1)#ip address 10.0.2.3/24 R3(conf-if-te-3/21/1)#no shutdown R3(conf-if-te-3/21/1)#show config ! interface TengigabitEthernet 3/21/1 ip address 10.0.2.3/24 no shutdown R3(conf-if-te-3/21/1)# R3(conf-if-te-3/21/1)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 2; dropped 1 Last reset 00:00:57, due to user reset Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago fffffff
2 neighbor(s) using 9216 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.1 99 140 136 2 0 (0) 00:11:24 1 192.168.128.3 100 138 140 2 0 (0) 00:18:31 1 Example of Enabling Peer Groups (Router 3) R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.
Last read 00:00:45, last write 00:00:44 Hold time is 180, keepalive interval is 60 seconds Received 138 messages, 0 in queue 7 opens, 2 notifications, 7 updates 122 keepalives, 0 route refresh requests Sent 140 messages, 0 in queue Configuring BGP Fast Fall-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability.
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) fall-over enabled Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 52, neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dropped 5 Last reset 00:19:37, due to Reset by peer Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 20.20.20.2, Local port: 65519 Foreign host: 10.10.
You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265. The default is 256 sessions. 1 Configure a peer group that does not initiate TCP connections with other peers. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6–address | peer-group-name} peer-group passive limit Enter the limit keyword to restrict the number of sessions accepted. 2 Assign a subnet to the peer group.
bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.
neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 allowas-in 9 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)#R2(conf-router_bgp)# Enabling Graceful Restart Use this feature to lessen the negative effects of a BGP restart. Dell EMC Networking OS advertises support for this feature to BGP neighbors through a capability advertisement.
• Enable the local router to support graceful restart as a receiver only. CONFIG-ROUTER-BGP mode bgp graceful-restart [role receiver-only] Example configuration for enabling graceful restart DellEMC# configure terminal DellEMC(conf)# router bgp 400 DellEMC(conf-router_bgp)# bgp graceful-restart DellEMC(conf-router_bgp)# exit The above example configuration shows how to enable the BGP graceful restart.
Example of the show ip bgp paths Command To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
Regular Expression Definition | (pipe) Matches characters on either side of the metacharacter; logical OR. As seen in the following example, the expressions are displayed when using the show commands. To view the AS-PATH ACL configuration, use the show config command in CONFIGURATION AS-PATH ACL mode and the show ip as-path-access-list command in EXEC Privilege mode. For more information about this command and route filtering, refer to Filtering BGP Routes.
Configure the following parameters: – connected: Indicate that you are redistributing routes to directly connected routes into BGP. – static: Indicate that you are redistributing static routes into BGP. • – route-map map-name: Specify the name of a configured route map to be consulted before adding the connected or static route. Include specific ISIS routes into BGP.
2 • send: Indicate that the system sends multiple paths to peers. • received: Indicate that the system accepts multiple paths from peers. • both: Indicate that the system sends and accepts multiple paths from peers. • path-count: Indicate that the system sends multiple paths to peers. The range is from 2 to 64. Allow the specified neighbor or peer group to allow multiple path advertisements.
{deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression} • community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system. • local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED. • no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE. • no-export: routes with the COMMUNITY attribute of NO_EXPORT.
Example of the show ip extcommunity-lists Command To set or modify an extended community attribute, use the set extcommunity {rt | soo} {ASN:NN | IPADDR:NN} command. To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode.
Example configuration for filtering routes with community lists DellEMC# configure terminal DellEMC(conf)# router bgp 400 DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500 DellEMC(conf-router_bgp)# neighbor 10.10.10.
Configure a community list by denying or permitting specific community numbers or types of community. 3 • community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system. • local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED and are not sent to EBGP peers. • no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE and are not advertised. • no-export: routes with the COMMUNITY attribute of NO_EXPORT.
Changing MED Attributes By default, Dell EMC Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths received from different BGP neighbors or peers from the same AS for the same route. You can configure the device to compare the MED attributes from neighbors or peers in different AS using the bgp always-compare-med command. To change the usage of MED attribute to choose the best path among the advertised, enter any or all of the following commands.
Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes You can configure the local router or a different router as the next hop for BGP-learned routes. To change how the NEXT_HOP attribute is used, enter the first command. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. You can also use route maps to change this and other BGP attributes.
To view BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show runningconfig bgp command in EXEC Privilege mode. Enabling Multipath By default, the software allows one path to a destination. You can enable multipath to allow up to 64 parallel paths to a destination. You can configure the maximum number of parallel routes (multipath support) to a destination in BGP. NOTE: Dell EMC Networking recommends not using multipath and add path simultaneously in a route reflector.
Figure 27. BGP Router Rules 1 Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2 Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
To view a route reflector configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp in EXEC Privilege mode. Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router.
• penalized path — a path that is assigned a penalty To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands. • Enable route dampening.
bgp non-deterministic-med NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode. Examples of Configuring a Route and Viewing the Number of Dampened Routes To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show runningconfig bgp command in EXEC Privilege mode.
• whichever is the lower value; one-third of the new holdtime value, or the configured keepalive value is the new keepalive value. • Configure timer values for a BGP neighbor or peer group. CONFIG-ROUTER-BGP mode neighbors {ip-address | ipv6-address | peer-group-name} timers keepalive holdtime – keepalive: Time interval, in seconds, between keepalive messages sent to the neighbor routers. The range is from 1 to 65535. The default is 60 seconds.
timers bgp extended idle holdtime idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds. Enabling or disabling BGP neighbors You can enable or disable all the configured BGP neighbors using the shutdown all command in ROUTER BGP mode.
For more information on enabling BGP, see Enabling BGP. When you use the shutdown all command in global configuration mode, this command takes precedence over the shutdown address-family-ipv4-unicast, shutdown address-family-ipv4-multicast, and shutdown address-familyipv6-unicast commands. Irrespective of whether the BGP neighbors are disabled earlier, the shutdown all command brings down all the configured BGP neighbors.
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. Dell EMC Networking OS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group. The default is IPv4 Unicast routes.
neighbor {ip-address | ipv6–address | peer-group-name} activate Example of configuring BGP Peers DellEMC(conf)# router bgp 10 DellEMC(conf-router_bgp)# neighbor 2001::1 remote-as 200 DellEMC(conf-router_bgp)# neighbor 2001::1 no shutdown DellEMC(conf-router_bgp)# address-family ipv6 unicast DellEMC(conf-router_bgpv6_af)#neighbor 2001::1 activate DellEMC(conf-router_bgpv6_af)#exit Following is the output of show ip bgp ipv6 unicast summary command for the above configuration example.
or IPv6 unicast prefixes, exchanging of prefixes can be deactivated using no neighbor activate command under the IPv4 multicast or IPv6 unicast address family. In the above example configuration, the peer (3000::1) is deactivated from exchanging IPv4 unicast prefixes. The show ip bgp summary or show ip bgp ipv4 unicast summary displays IPv4 unicast address family configuration.
2 neighbor(s) using 40960 bytes of memory Neighbor 20.20.20.1 2001::1 AS 10 10 MsgRcvd 10 40 MsgSent 20 45 TblVer 0 0 InQ 0 0 OutQ Up/Down State/Pfx 0 00:06:11 0 0 00:03:14 0 Following is the sample output of show ip bgp ipv4 multicast summary command. R2# show ip bgp ipv4 multicast summary BGP router identifier 2.2.2.2, local AS number 200 BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 1 neighbor(s) using 24576 bytes of memory Neighbor 20.20.20.
Example configuration of BGP to automatically pick IPv6 address automatically for IPv6 prefix advertised over an IPv4 neighbor The following example configuration demonstrates how to configure BGP to automatically pick IPv6 address for IPv6 prefix advertised over an IPv4 neighbor. Example configuration performed in R1 DellEMC# configure terminal DellEMC(conf)# router bgp 655 DellEMC(conf-router_bgp)# neighbor 10.1.1.2 remote-as 20 DellEMC(conf-router_bgp)# neighbor 10.1.1.
*> *> *> *> Network 2001::/64 3001::/64 4001::/64 5001::/64 Next Hop 2001::1 3001::1 3001::1 3001::1 Metric 0 0 0 0 LocPrf Weight 0 0 0 0 Path 655 ? 655 ? 655 ? 655 ? BGP Regular Expression Optimization Dell EMC Networking OS optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in RP1 processor.
Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, use the keyword no then the debug command. For example, to disable debugging of BGP updates, use no debug ip bgp updates command. To disable all BGP debugging, use the no debug ip bgp command. To disable all debugging, use the undebug all command.
Capturing PDUs To capture incoming and outgoing PDUs on a per-peer basis, use the capture bgp-pdu neighbor direction command. To disable capturing, use the no capture bgp-pdu neighbor direction command. The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction.
BGP table version is 313511, main routing table version 313511 207896 network entrie(s) and 207896 paths using 42364576 bytes of memory 59913 BGP path attribute entrie(s) using 2875872 bytes of memory 59910 BGP AS-PATH entrie(s) using 2679698 bytes of memory 3 BGP community entrie(s) using 81 bytes of memory Neighbor AS 1.1.1.2 2 172.30.1.
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies. CAM Allocation CAM Allocation for Ingress To allocate the space for regions such has L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode.
The following additional CAM allocation settings are supported. Table 12. Additional Default CAM Allocation Settings Additional CAM Allocation Setting FCoE ACL (fcoeacl) 0 ISCSI Opt ACL (iscsioptacl) 0 You must enter l2acl, ipv4acl, l2qos, l2pt, ipv4qos, ipv4pbr, vrfv4acl, and fcoe allocations as a factor of 2, ipv6acl, openflow, and vman_qos allocations as a factor of 3. Ipv4 acl region should also be in multiples of 3 when ipv4udf option is enabled.
4 Reload the system. EXEC Privilege mode reload Test CAM Usage To determine whether sufficient CAM space is available to enable a service-policy, use the test-cam-usage command. To verify the actual CAM space required, create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode. The Status column in the command output indicates whether or not you can enable the policy.
Example of Viewing CAM-ACL Settings NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
| | | | | OUT-V6 ACL | | IN-L3 QOS | | IN-L3 FIB Codes: * - cam usage is above 90%. | | | 202 0 90112 | | | 3 0 5 | | | 199 0 90107 Configuring CAM Threshold and Silence Period This section describes how to configure CAM threshold and silence period between CAM threshold syslog warnings. The CAM threshold and silence period configuration is applicable only for Ingress L2, IPv4, IPv6 and Egress L2, IPv4, and IPv6 ACL CAM groups.
Table 13. Possible Scenarios of Syslog Warning Old CAM Threshold New CAM Threshold Current CAM Usage Syslog 90 80 85 DellEMC(conf)#Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_OVER_THE_THRESHOLD: The Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is more than 80% Full. 90 95 91 DellEMC(conf)#Nov 5 19:55:12 %S6000:0 %ACL_AGENT-4ACL_AGENT_CAM_USAGE_BELOW_THE_THRESHOLD: The cam-usage of Ipv4Acl cam region on stack-unit 0 Portpipe 0 Pipeline 0 is below 95%.
A table-full error message is displayed once the number of entries is crossed the table size. Table-full message is generated only once when it crosses the threshold. For subsequent addition of entries, the table-full message is not recorded you clear the table-full message. The table-full message is cleared internally when the number of entries is less than the table size.
EXEC Privilege show hardware forwarding-table mode DellEMC#show hardware forwarding-table mode Mode L2 MAC Entries L3 Host Entries L3 Route Entries : : : : Current Settings Default 72K 72K 16K Next Boot Settings scaled-l3-hosts 8K 136K 16K IPv6 CAM ACL Region The IPv6 ACL CAM region is triple-wide in the platform. You can change the IPv6 ACL region to be double-wide mode. This results in a better scale of the IPv6 ACL entries. The IPV6 ACL CAM region can also be shared with the IPv4 QOS CAM region.
EXEC Privilege mode copy running-config startup-config 4 Reload the system. EXEC Privilege mode reload If the ipv6acl option of the cam-acl command is not in multiples of two, the system does not allow reload. Sharing CAM space between IPv4 QoS and IPv6 ACLs To share CAM space between IPv4 QoS and IPv6 ACLs, follow these steps. 1 Convert the IPv6 ACL CAM to double-wide. CONFIGURATION mode feature ipv6acloptimized You can use the no feature ipv6acloptimized command to disable this feature.
11 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 30. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing The system can process a maximum of 8500 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffics according to the ACL.
CONTROL-PLANE mode service-policy rate-limit-protocols Examples of Configuring CoPP for Different Protocols The following example shows creating the IP/IPv6/MAC extended ACL.
DellEMC(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k DellEMC(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k DellEMC(conf-policy-map-in-cpuqos)#exit The following example shows creating the control plane service policy.
The following example shows creating the control plane service policy. DellEMC#conf DellEMC(conf)#control-plane DellEMC(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy Protocol to CPU Queue Mapping CoPP enables you to rate-limit control-plane packets that are destined to the CPU there by, preventing undesired or malicious traffic from entering the CPU queues. You can rate-limit CPU bound traffic both on a per protocol as well as per queue basis.
CPU-PROTOCOL-GROUP protocol-list protocol1, protocol2, protocol3,..... The list of protocols that you specify using this command are associated with the protocol group that you created in Step1. 3 Exit the CPU PROTOCOL GROUP mode. CPU-PROTOCOL-GROUP exit The command prompt enters the configuration mode. 4 Create a CoPP profile. CONFIGURATION copp-profile profile-name The system enters the CoPP profile mode. 5 Assign a protocol group or a QoS policy to the CoPP profile that you have created.
Q10 Q11 600 300 50 50 Example of Viewing Queue Mapping To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic. Through network consolidation, DCB results in reduced operational cost, simplified management, and easy scalability by avoiding the need to deploy separate application-specific networks.
Figure 31. Illustration of Traffic Congestion The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4. In the Dell EMC Networking OS, PFC is implemented as follows: • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Figure 32. Enhanced Transmission Selection The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission. Table 16. ETS Traffic Groupings Traffic Groupings Description Group ID A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.. Group bandwidth Percentage of available bandwidth allocated to a priority group.
ETS parameters ETS Configuration TLV and ETS Recommendation TLV. Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 33. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
DCB Maps and its Attributes This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. DCB Map: Configuration Procedure A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
The default dot1p priority-queue assignments are applied as follows: DellEMC(conf)#do show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 6 7 Queue : 1 0 2 3 4 5 6 7 PFC is not applied on specific dot1p priorities. ETS: Equal bandwidth is assigned to each port queue and each dot1p priority in a priority group. To configure PFC and ETS parameters on an interface, you must specify the PFC mode, the ETS bandwidth allocation for a priority group, and the 802.
NOTE: You cannot enable PFC and link-level flow control at the same time on an interface. Configuring Lossless Queues DCB also supports the manual configuration of lossless queues on an interface when PFC mode is turned off. Prerequisite: A DCB with PFC configuration is applied to the interface with the following conditions: • PFC mode is off (no pfc mode on). • No PFC priority classes are configured (no pfc priority priority-range).
CONFIGURATION mode pfc-nodrop-priority l2-dlf drop 4 View the packets drop count corresponding to the priority.
When you apply or remove a DCB input policy from an interface, one or two CRC errors are expected to be noticed on the ingress ports for each removal or attachment of the policy. This behavior occurs because the port is brought down when PFC is configured.
Table 17. DCB Map to an Ethernet Port Step Task Command Command Mode 1 Enter interface configuration mode on an Ethernet port. interface interface-type } CONFIGURATION 2 Apply the DCB map on the Ethernet port to configure it with the PFC and ETS settings in the map; for example: dcb-map name INTERFACE DellEMC# interface tengigabitEthernet 1/1/1 DellEMC(config-if-te-1/1/1)# dcb-map SAN_A_dcb_map1 Repeat Steps 1 and 2 to apply a DCB map to more than one port.
Table 19. Configuring PFC Assymetric Step Task Command Command Mode 1 Enter interface configuration mode on an Ethernet port. DellEMC#interface interface-type CONFIGURATION 2 Enable pfc asymmetric on interface.
Although the system contains 4 MB of space for shared buffers, a minimum guaranteed buffer is provided to all the internal and external ports in the system for both unicast and multicast traffic. This minimum guaranteed buffer reduces the total available shared buffer to 3399 KB. This shared buffer can be used for lossy and lossless traffic. The default behavior causes up to a maximum of 2656 KB to be used for PFC-related traffic. The remaining approximate space of 744 KB can be used by lossy traffic.
The following table illustrates the buffer usage statistics when shared headroom is not used and each queue is allocated with a fixed headroom buffer space: Table 20.
NOTE: When only few lossless queues are configured, the Shared headroom pool must be configured carefully to avoid any ingress MMU drops due to insufficient headroom buffer. Configuring Shared Head Room Buffer You can configure a shared head room pool limit, which is the threshold value for the shared head room pool size.
NOTE: The detail option display the peak headroom pool usage in each of the Pipelines in the device. DellEMC#show hardware buffer-stats-snapshot resource headroom-pool --------------------------------------HP# PEAK USE COUNT(CELLS) --------------------------------------0 0 1 0 2 0 3 0 DellEMC# Behavior of Tagged Packets The below is example for enabling PFC for priority 2 for tagged packets. Priority (Packet Dot1p) 2 will be mapped to PG6 on PRIO2PG setting.
dellNetFpStatsPerP gTable This table fetches the Allocated Min cells, Shared cells, and Headroom cells per Priority Group, the mode in which the buffer cells are allocated — Static or Dynamic and the Used Min Cells, Shared cells and Headroom cells per Priority Group. The table fetches a value of 0 if the mode of allocation is Static and a value of 1 if the mode of allocation is Dynamic. This table lists thestack-unit number, port number and priority group number.
1 Create class-maps to group the DSCP subsets class-map match ip ! class-map match ip 2 match-any dscp-pfc-1 dscp 0-5,10-15 match-any dscp-pfc-2 dscp 20-25,30-35 Associate above class-maps to Queues Queue assignment as below. DellEMC(conf)#do show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 6 7 Queue : 1 0 2 3 4 5 6 7 3 Dot1p->Queue Mapping Configuration is retained at the default value. 4 Interface Configurations on server connected ports. a Enable DCB globally.
The dcb-map-name variable can have a maximum of 32 characters. 2 Create an ETS priority group. CONFIGURATION mode priority-group group-num {bandwidth bandwidth | strict-priority} pfc off The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50. The range is from 0 to 10000.
ETS Operation with DCBx The following section describes DCBx negotiation with peer ETS devices. In DCBx negotiation with peer ETS devices, ETS configuration is handled as follows: • ETS TLVs are supported in DCBx versions CIN, CEE, and IEEE2.5. • The DCBx port-role configurations determine the ETS operational parameters (refer to Configure a DCBx Operation). • ETS configurations received from TLVs from a peer are validated.
• ETS configuration error: If an error occurs in an ETS configuration, the configuration is ignored and the scheduler and bandwidth allocation settings are reset to the ETS default value: 100% of available bandwidth is allocated to priority group 0 and the bandwidth is equally assigned to each dot1p priority. If an error occurs when a port receives a peer’s ETS configuration, the port’s configuration resets to the ETS configuration in the previously configured DCB map.
• Strict-priority groups: If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20+ 30)%. If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first.
• Accepts the DCB configuration from a peer if a DCBx port is in “willing” mode to accept a peer’s DCB settings and then internally propagates the received DCB configuration to its peer ports. DCBx Port Roles To enable the auto-configuration of DCBx-enabled ports and propagate DCB configurations learned from peer DCBx devices internally to other switch ports, use the following DCBx port roles.
source. If you enable DCBx, ports in Manual mode advertise their configurations to peer devices but do not accept or propagate internal or external configurations. Unlike other user-configured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration. On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled.
– The port role is auto-upstream. – The port is enabled with link up and DCBx enabled. – The port has performed a DCBx exchange with a DCBx peer. – The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange. A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
DCBx Example The following figure shows how to use DCBx. The external 40GbE ports on the base module (ports 33 and 37) of two switches are used for uplinks configured as DCBx auto-upstream ports. The device is connected to third-party, top-of-rack (ToR) switches through uplinks. The ToR switches are part of a Fibre Channel storage network. The internal ports (ports 1-32) connected to the 10GbE backplane are configured as auto-downstream ports. Figure 34.
4 Configure ports to operate in a manual role. 1 Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port 2 Enter LLDP Configuration mode to enable DCBx operation. INTERFACE mode [no] protocol lldp 3 Configure the DCBx version used on the interface, where: auto configures the port to operate using the DCBx version received from a peer. PROTOCOL LLDP mode [no] DCBx version {auto | cee | cin | ieee-v2.5} • cee: configures the port to use CEE (Intel 1.01).
• fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled to advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. For information about how to use iSCSI, refer to To verify the DCBx configuration on a port, use the show interface DCBx detail command.
[no] advertise DCBx-appln-tlv {fcoe | iscsi} • fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. 6 Configure the FCoE priority advertised for the FCoE protocol in Application Priority TLVs.
– config-exchng: enables traces for DCBx configuration exchanges. – fail: enables traces for DCBx failures. – mgmt: enables traces for DCBx management frames. – resource: enables traces for DCBx system resource frames. – sem: enables traces for the DCBx state machine. – tlv: enables traces for DCBx TLVs. Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 23.
PG:0 TSA:ETS BW:50 PFC:OFF Priorities:0 1 2 5 6 7 PG:1 TSA:ETS BW:50 Priorities:3 4 PFC:ON The following example shows the show interfaces pfc summary command.
Fields Description Local is enabled DCBx operational status (enabled or disabled) with a list of the configured PFC priorities Operational status (local port) DCBx operational status (enabled or disabled) with a list of the configured PFC priorities. Port state for current operational PFC configuration: • • • Init: Local PFC configuration parameters were exchanged with peer. Recommend: Remote PFC configuration parameters were received from peer.
Te Te Te Te Te 1/1/1 1/1/1 1/1/1 1/1/1 1/1/1 P3 P4 P5 P6 P7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 The following example shows the show interface ets summary command.
TC-grp 0 1 2 3 4 5 6 7 Priority# 0,1,2,3,4,5,6,7 Priority# Bandwidth TSA 0 1 2 3 4 5 6 7 Remote Parameters: ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# 0 0,1,2,3,4,5,6,7 1 2 3 4 5 6 7 Bandwidth 100% 0% 0% 0% 0% 0% 0% 0% TSA ETS ETS ETS ETS ETS ETS ETS ETS 13% 13% 13% 13% 12% 12% 12% 12% ETS ETS ETS ETS ETS ETS ETS ETS Bandwidth 100% 0% 0% 0% 0% 0% 0% 0% TSA ETS ETS ETS ETS ETS ETS ETS ETS Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12
Field Description Remote Parameters ETS configuration on remote peer port, including Admin mode (enabled if a valid TLV was received or disabled), priority groups, assigned dot1p priorities, and bandwidth allocation. If the ETS Admin mode is enabled on the remote port for DCBx exchange, the Willing bit received in ETS TLVs from the remote peer is included.
The following example shows the show interface DCBx detail command (legacy CEE).
Field Description Local DCBx Configured mode DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer). Peer Operating version DCBx version that the peer uses to exchange DCB parameters. Local DCBx TLVs Transmitted Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output). Local DCBx Status: DCBx Operational Version DCBx version advertised in Control TLVs.
Configuring the Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps: 1 Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces. CONFIGURATION mode dcb enable 2 Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported.
Sample DCB Configuration The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: • Incoming SAN traffic is configured for priority-based flow control. • Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling). • One lossless queue is used. Figure 35.
dot1p Value in the Incoming Frame Priority Group Assignment 0 LAN 1 LAN 2 LAN 3 SAN 4 IPC 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment. Priority Group Bandwidth Assignment IPC 5% SAN 50% LAN 45% PFC and ETS Configuration Command Examples The following examples show PFC and ETS configuration commands to manage your data center traffic.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Figure 36. DHCP packet Format The following table lists common DHCP options. Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Rebinding Time Option 59 Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with any server, if the original server does not respond. Vendor Class Identifer Option 60 L2 DHCP Snooping Option 82 Identifies a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server.
Figure 37. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell EMC Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell EMC Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
DHCP Server Responsibilities Description keeping track of which addresses have been allocated and which are still available. Configuration Parameter Storage and Management DHCP servers also store and maintain other parameters that are sent to clients when requested. These parameters specify in detail how a client is to operate. Lease Management DHCP servers use leases to allocate addresses to clients for a limited time.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need.
Configure a Method of Hostname Resolution Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS. Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1 Create a domain. DHCP domain-name name 2 Specify in order of preference the DNS servers that are available to a DHCP client.
DHCP host address 3 Specify the client hardware address. DHCP hardware-address hardware-address type • hardware-address: the client MAC address. • type: the protocol of the hardware platform. The default protocol is Ethernet. Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server.
in Layer 3 mode and pre-configured with no shutdown and no ip address. For this reason, you cannot enter configuration commands to set up the switch. To interrupt a BMP process, prevent a loop from occurring, and apply the Dell EMC Networking OS image and startup configuration stored in the local flash, enter the stop bmp command from the console.
ip address dhcp Dynamically assigned IP addresses can be released without removing the DHCP client operation on the interface on a switch configured as a DHCP client. 3 Manually acquire a new IP address from the DHCP server by releasing a dynamically acquired IP address while retaining the DHCP client configuration on the interface. EXEC Privilege mode release dhcp interface type slot/port[/subport] 4 Acquire a new IP address with renewed lease time from a DHCP server.
DHCP Client Operation with Other Features The DHCP client operates with other Dell EMC Networking OS features, as the following describes. Stacking The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions. It periodically synchronizes the lease file with the standby unit. When a stack failover occurs, the new master requires the same DHCP server-assigned IP address on DHCP client interfaces.
DHCP Relay When DHCP Server and Client are in Different VRFs When the DHCP server and DHCP clients belong to different VRFs on the relay agent, you can configure the system to leak routes across VRFs. You can configure the system to leak the following routes across VRFs: • Connected routes • The complete routing table • Selective routes The following illustration depicts the topology in which routes are leaked between VRFs in the relay agent.
ip route-import 1:1 map1 ip route-export 2:2 map2 ! ip vrf VRF_2 ip route-import 2:2 ip route-export 1:1 ! ! route-map map1 permit 10 match ip address ip1 ! route-map map2 permit 20 match ip address ip2 ! ip prefix-list ip1 seq 5 permit 20.0.0.0/24 <----- This is needed for data forwarding seq 10 permit 20.0.0.2/32 <---- This is specific to internal operation of DHCP relay ! ip prefix-list ip2 seq 5 permit 10.0.0.
Example configuration of global DHCP relay source IPv4 or IPv6 interface Following is the sample configuration to configure loopback interface with IPv4 and IPv6 address in CONFIGURATION MODE. Dell(conf)# interface loopback 1 Dell(conf-if-lo-1)# ip vrf forwarding vrf1 Dell(conf-if-lo-1)# ip address 1.1.1.
IPv6 configuration, and two different loopback interfaces (loopback 2 and 3). DHCP relay forwards packets using the loopback 2 interface with IPv4 and IPv6 addresses ((2.2.2.2/32 and 2::2/128) from Vlan 2. The same way, the relay uses IPv4 and IPv6 addresses (3.3.3.3/32 and 3::3/128) of loopback 3 interface from Vlan 3. Dell(conf)# interface Vlan 2 Dell(conf-if-vl-2)# ip vrf forwarding vrf1 Dell(conf-if-vl-2)# ip address 2.0.0.
Option 82 RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and is comprised of two sub-options, circuit ID and remote ID. Circuit ID This is the interface on which the client-originated message is received. Remote ID This identifies the host from which the message is received. The value of this sub-option is the MAC address of the relay agent that adds Option 82.
DHCP snooping is supported on Layer 2 and Layer 3 traffic. DHCP snooping on Layer 2 interfaces does not require a relay agent. Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made.
CONFIGURATION mode ipv6 dhcp snooping 2 Specify ports connected to IPv6 DHCP servers as trusted. INTERFACE mode ipv6 dhcp snooping trust 3 Enable IPv6 DHCP snooping on a VLAN or range of VLANs. CONFIGURATION mode ipv6 dhcp snooping vlan vlan-id Adding a Static Entry in the Binding Table To add a static entry in the binding table, use the following command. • Add a static entry in the binding table.
Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the DHCP snooping information. EXEC Privilege mode show ip dhcp snooping Display the contents of the binding table. • EXEC Privilege mode show ip dhcp snooping binding Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command.
View the DHCP snooping binding table using the show ip dhcp snooping binding command. DellEMC#show ip dhcp snooping binding Codes : S - Static D - Dynamic IP Address MAC Address Expires(Sec) Type VLAN Interface ========================================================================= 10.1.1.254 00:00:a0:00:00:02 162 D Vl 200 Hu 1/4 10.1.1.
Example of the show ipv6 dhcp snooping binding Command View the DHCP snooping statistics with the show ipv6 dhcp snooping command.
Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command. DellEMC#show arp inspection statistics Dynamic ARP Inspection (DAI) Statistics --------------------------------------Valid ARP Requests : 0 Valid ARP Replies : 1000 Invalid ARP Requests : 1000 Invalid ARP Replies : 0 DellEMC# Configuring dynamic ARP inspection-limit To configure dynamic ARP inspection rate limit on a port, perform the following task. 1 Enter into global configuration mode.
Source Address Validation Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV). Table 28. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell EMC Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
Viewing the Number of SAV Dropped Packets The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets.
14 Equal Cost Multi-Path (ECMP) This chapter describes configuring ECMP. This chapter describes configuring ECMP. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis.
Enable link bundle monitoring using the ecmp-group command. NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. For link bundle monitoring with ECMP, to enable the link bundle monitoring feature, use the ecmp-group command.
The range is from 1 to 64. 2 Add interfaces to the ECMP group bundle. CONFIGURATION ECMP-GROUP mode interface interface 3 Enable monitoring for the bundle. CONFIGURATION ECMP-GROUP mode link-bundle-monitor enable Modifying the ECMP Group Threshold You can customize the threshold percentage for monitoring ECMP group bundles. To customize the ECMP group bundle threshold and to view the changes, use the following commands. • Modify the threshold for monitoring ECMP group bundles.
Host table on the device is a Hash table. In this scenario, a workaround does not exist for the user having route entries programmed in host table. When the command is issued, you are prompted with a warning message stating that the command configuration can take effect on existing prefixes only when “clear ip route *” command is used. When you use the clear command, all the existing /32 IPv4 prefix route entries are reprogrammed in appropriate table.
IPV4 FIELDS : source-ipv4 dest-ipv4 vlan protocol L4-source-port L4-dest-port IPV6 Load Balancing Enabled IPV6 FIELDS : source-ipv6 dest-ipv6 vlan protocol L4-source-port L4-dest-port Mac Load Balancing Enabled MAC FIELDS : source-mac dest-mac vlan ethertype Load Balancing Configuration for tunnels ipv4-over-ipv4 Payload header ipv4-over-ipv6 Payload header ipv6-over-ipv6 Payload header ipv6-over-ipv4 Payload header ipv4-over-gre-ipv4 Payload header ipv6-over-gre-ipv4 Payload header ipv4-over-gre-ipv6 Paylo
Polarization Multipath routing is a method that is often used to address data forwarding issues during network failures so that the network traffic reaches its desired destination. Multipath routing in IP networks is typically implemented using Equal-Cost Multipath (ECMP) routing, which employs load balancing algorithms to distribute the traffic over multiple paths towards its destination.
The preceding anti-polarization techniques require some coordinated configuration of network nodes to solve the problem and these techniques are not scalable when the number of tiers in the network is high. Flow based hashing specifically addresses this using Macro flow-based Hash function. It facilitates a dynamic hash function selection across different nodes in a network on a macro flow basis, thus reducing unfair distribution of bandwidth between members and starvation.
Figure 39. After Polarization Effect Traffic flow after enabling flow-based hashing When the flow-based hashing is enabled at all the nodes in the multi-tier network, traffic distribution is balanced at all tiers of the network nullifying the polarization effect. Traffic occurs by the randomness for the flow-based hashing algorithm across multiple nodes in a given network.
15 FIP Snooping The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF). The following table lists the FIP functions. Table 29.
FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB). On a FIP snooping bridge, ACLs are created dynamically as FIP login frames are processed.
Figure 41. FIP Snooping on a Dell EMC Networking Switch The following sections describe how to configure the FIP snooping feature on a switch: • Allocate CAM resources for FCoE. • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis. • To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses.
Using FIP Snooping There are four steps to configure FCoE transit. 1 Enable the FCoE transit feature on a switch. 2 Enable FIP snooping globally on all Virtual Local Area Networks (VLANs) or individual VLANs on a FIP snooping bridge. 3 Configure the FC-Map value applied globally by the switch on all VLANs or an individual VLAN. 4 Configure FCF mode for a FIP snooping bridge-to-FCF link. For a sample FIP snooping configuration, refer to FIP Snooping Configuration Example.
• You must apply the CAM-ACL space for the FCoE region before enabling the FIP-Snooping feature. If you do not apply CAM-ACL space, the following error message is displayed: DellEMC(conf)#feature fip-snooping % Error: Cannot enable fip snooping. CAM Region not allocated for Fcoe. DellEMC(conf)# NOTE: Manually add the CAM-ACL space to the FCoE region as it is not applied by default.
configurations are synchronized. By default, all FCoE and FIP frames are dropped unless specifically permitted by existing FIP snoopinggenerated ACLs. You can reconfigure any of the FIP snooping settings. If you disable FCoE transit, FIP and FCoE traffic are handled as normal Ethernet frames and no FIP snooping ACLs are generated. The VLAN-specific and FIP snooping configuration is disabled and stored until you re-enable FCoE transit and the configurations are re-applied.
Impact on Other Software Features When you enable FIP snooping on a switch, other software features are impacted. The following table lists the impact of FIP snooping. Table 30. Impact of Enabling FIP Snooping Impact Description MAC address learning MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode.
fip-snooping port-mode fcf NOTE: To disable the FCoE transit feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fip-snooping or no fip-snooping enable. Displaying FIP Snooping Information Use the following show commands to display information on FIP snooping. Table 31.
The following table describes the show fip-snooping sessions command fields. Table 32. show fip-snooping sessions Command Description Field Description ENode MAC MAC address of the ENode . ENode Interface Slot/port number of the interface connected to the ENode. FCF MAC MAC address of the FCF. FCF Interface Slot/port number of the interface to which the FCF is connected. VLAN VLAN ID number used by the session. FCoE MAC MAC address of the FCoE session assigned by the FCF.
The following table describes the show fip-snooping fcf command fields. Table 34. show fip-snooping fcf Command Description Field Description FCF MAC MAC address of the FCF. FCF Interface Slot/port number of the interface to which the FCF is connected. VLAN VLAN ID number used by the session. FC-MAP FC-Map value advertised by the FCF. ENode Interface Slot/port number of the interface connected to the ENode.
Number of FCF Discovery Timeouts :0 Number of VN Port Session Timeouts :0 Number of Session failures due to Hardware Config :0 The following example shows the show fip-snooping statistics port-channel command.
Field Description Number of FLOGI Accepts Number of FIP FLOGI accept frames received on the interface. Number of FLOGI Rejects Number of FIP FLOGI reject frames received on the interface. Number of FDISC Accepts Number of FIP FDISC accept frames received on the interface. Number of FDISC Rejects Number of FIP FDISC reject frames received on the interface. Number of FLOGO Accepts Number of FIP FLOGO accept frames received on the interface.
FCoE Transit Configuration Example The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 42. Configuration Example: FIP Snooping on a Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port DellEMC(conf)# interface tengigabitethernet 1/1/1/1 DellEMC(conf-if-te-1/1/1/1)# portmode hybrid DellEMC(conf-if-te-1/1/1/1)# switchport DellEMC(conf-if-te-1/1/1/1)# protocol lldp DellEMC(conf-if-te-1/1/1/1-lldp)# dcbx port-role auto-downstream NOTE: A port is enabled by default for bridge-ENode links.
16 Flex Hash and Optimized Boot-Up This chapter describes the Flex Hash and fast-boot enhancements. Topics: • Flex Hash Capability Overview • Configuring the Flex Hash Mechanism • Configuring Fast Boot and LACP Fast Switchover • Optimizing the Boot Time • Interoperation of Applications with Fast Boot and System States • RDMA Over Converged Ethernet (RoCE) Overview • Preserving 802.
When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
adjacency settings) is learned and installed before the traffic resumes. In a typical network scenario, a traffic disconnection of 150 seconds or more usually occurs. When you employ the optimized booting functionality, the traffic outage duration is reduced drastically.
ports to be 10-Gigabit Ethernet interfaces and 8 ports as 40-Gigabit Ethernet interfaces. You must configure the switch to operate with an uplink speed of 40 Gigabit Ethernet per second. Interoperation of Applications with Fast Boot and System States This functionality is supported on the platform.
BGP Graceful Restart When the system contains one or more BGP peerings configured for BGP graceful restart, fast boot performs the following actions: • A closure of the TCP sessions is performed on all sockets corresponding to BGP sessions on which Graceful Restart has been negotiated. This behavior is to force the peer to perform the helper role so that any routes advertised by the restarting system are retained and the peering session will not go down due to BGP Hold timeout.
Changes to BGP Multipath When the system becomes active after a fast-boot restart, a change has been made to the BGP multipath and ECMP behavior. The system delays the computation and installation of additional paths to a destination into the BGP routing information base (RIB) and forwarding table for a certain period of time.
enabled, the packets comprise TCP and UDP packets and they can be marked with DSCP code points. Multicast is not supported in that network. RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces. These interfaces are similar to the normal Layer 3 physical interfaces except for the extra provisioning that they offer to enable the VLAN ID for encapsulation. You can configure a physical interface or a Layer 3 Port Channel interface as a lite subinterface.
17 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202. Figure 43.
• STP disabled on ring interfaces. • Master node secondary port is in blocking state during Normal operation. • Ring health frames (RHF) – Hello RHF: sent at 500ms (hello interval); Only the Master node transmits and processes these. – Topology Change RHF: triggered updates; processed at all nodes. Important FRRP Concepts The following table lists some important FRRP concepts.
Concept Explanation number, on any topology change to ensure that all Transit nodes receive it. There is no periodic transmission of TCRHFs. The TCRHFs are sent on triggered events of ring failure or ring restoration only. Implementing FRRP • FRRP is media and speed independent. • FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. • You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP.
Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports. • All ports on the ring must use the same VLAN ID for the control VLAN. • You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring. • Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports).
CONFIG-FRRP mode. no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
CONFIG-FRRP mode. member-vlan vlan-id {range} VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs. 6 Enable this FRRP group on this switch. CONFIG-FRRP mode. no disable Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode.
• Show the information for the identified FRRP group. EXEC or EXEC PRIVELEGED mode. show frrp ring-id • Ring ID: the range is from 1 to 255. Show the state of all FRRP groups. EXEC or EXEC PRIVELEGED mode. show frrp summary Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • Each Control Ring must use a unique VLAN ID. • Only two interfaces on a switch can be Members of the same control VLAN.
mode master no disable Example of R2 TRANSIT interface TenGigabitEthernet 1/1/2/1 no ip address switchport no shutdown ! interface TenGigabitEthernet 1/1/2/2 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TenGigabitEthernet 1/1/2/1,1/1/2/2 no shutdown ! interface Vlan 201 no ip address tagged TenGigabitEthernet 1/1/2/1, 1/1/2/2 no shutdown ! protocol frrp 101 interface primary TenGigabitEthernet 1/1/2/1 secondary TenGigabitEthernet 1/1/2/2 controlvlan 101 member-vlan 201 mode
NOTE: This configuration connects VLT devices across Data Centers using FRRP; however, the VLTi may or may not participate as a ring interface of any FRRP ring. Following figure shows a simple FRRP ring inter-connecting VLT device: Figure 44. FRRP Ring Connecting VLT Devices You can also configure an FRRP ring where both the VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes.
member VLANS are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1). VLTi is implicitly tagged to the member VLANs when these VLANs are configured in the VLT peer. As a result of the VLT Node2 configuration on R2, the primary interface VLTi and the secondary interface P1 act as forwarding ports for the member VLANs (M1 to M10). In the FRRP ring R2, the primary interface for VLT Node1 (transit node) is the VLTi.
18 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 46.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP DellEMC(conf)#protocol gvrp DellEMC(config-gvrp)#no disable DellEMC(config-gvrp)#show config ! protocol gvrp no disable DellEMC(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
Based on the configuration in the following example, the interface is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
19 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 47. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1 One router on a subnet is elected as the querier.
still receives no response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
Figure 49. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 50. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 51. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled IPv4 interfaces. EXEC Privilege mode • show ip igmp interface View IGMP-enabled IPv6 interfaces. EXEC Privilege mode show ipv6 mld interface Example of the show ip igmp interface Command DellEMC#show ip igmp interface TenGigabitEthernet 1/1/1/1 Inbound IGMP access group is not set Internet address is 165.87.34.
Internet address is 1.1.1.1/24 IGMP is enabled on interface IGMP query interval is 60 seconds IGMP querier timeout is 125 seconds IGMP max query response time is 10 seconds IGMP last member query response interval is 1000 ms IGMP immediate-leave is disabled IGMP activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves IGMP querying router is 1.1.1.1 (this system) IGMP version is 3 Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command.
When the querier receives a leave message from a host, it sends a group-specific query to the subnet. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI). The switch waits one LMQI after the second query before removing the group from the state table. • Adjust the period between queries.
IGMP Snooping IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
Removing a Group-Port Association To configure or view the remove a group-port association feature, use the following commands. • Configure the switch to remove a group-port association after receiving an IGMP Leave message. INTERFACE VLAN mode ip igmp fast-leave • View the configuration.
Configuring the Switch as Querier To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
Transit traffic (destination IP not configured in the switch) that is received on the front-end port with destination on the management port is dropped and received in the management port with destination on the front-end port is dropped. Switch-destined traffic (destination IP configured in the switch) is: • Received in the front-end port with destination IP equal to management port IP address or management port subnet broadcast address is dropped.
Application Name Port Number Client Server 443 for secure httpd 8008 HTTP server port for confd application 8888 secure HTTP server port for confd application If you configure a source interface is for any EIS management application, EIS might not coexist with that interface and the behavior is undefined in such a case. You can configure the source interface for the following applications: FTP, ICMP (ping and traceroute utilities), NTP, RADIUS, TACACS, Telnet, TFTP, syslog, and SNMP traps.
• For ping and traceroute utilities that are initiated from the switch, if reachability needs to be tested through routes in the management EIS routing table, you must configure ICMP as a management application. • If ping and traceroute are destined to the management port IP address, the response traffic for these packets is sent by doing route lookup in the EIS routing table.
• If the route lookup in the EIS routing table fails or if management port is down, then packets are dropped. The application-specific count of the dropped packets is incremented and is viewed using the show management application pkt-drop-cntr command. This counter is cleared using clear management application pkt-drop-cntr command. • Packets whose destination TCP/UDP port does not match a configured management application, take the regular route lookup flow in the IP stack.
Handling of Transit Traffic (Traffic Separation) This is forwarded traffic where destination IP is not an IP address configured in the switch. • Packets received on the management port with destination on the front-end port is dropped. • Packets received on the front-end port with destination on the management port is dropped. • A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
This phenomenon occurs where traffic is terminated on the switch. Traffic has not originated from the switch and is not transiting the switch. The switch accepts all traffic destined to the switch, which is received on management or front-end data port. Response traffic with management port IP address as source IP address is handled in the same manner as switch originated traffic. Switch-Originated Traffic This phenomenon occurs where traffic is originating from the switch.
Protocol Behavior when EIS is Enabled Behavior when EIS is Disabled telnet EIS Behavior Default Behavior tftp EIS Behavior Default Behavior icmp (ping and traceroute) EIS Behavior for ICMP Default Behavior Behavior of Various Applications for Switch-Destined Traffic This section describes the different system behaviors that occur when traffic is terminated on the switch. Traffic has not originated from the switch and is not transiting the switch.
• ARP-related processing for switch-destined traffic is done by both master and standby units. VLT VLT feature is for the front-end port only. Because this feature is specific to the management port, this feature can coexist with VLT and nothing specific needs to be done in this feature to handle VLT scenario. DHCP • If DHCP Client is enabled on the management port, a management default route is installed to the switch.
20 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10–Gigabit, 25–Gigabit, 40–Gigbit, 50–Gigabit, and 100–Gigabit QSFP 28 interfaces. NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell optics for 40–Gigbit, 25–Gigabit, 50–Gigabit, and 100–Gigabit are set to error-disabled state.
• Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Split 40G Ports on a 16X40G QSFP+ Module • Splitting 100G Ports • Link Dampening • Link Bundle Monitoring • Using Ethernet Pause Frames for Flow Control • Configure the MTU Size on an Interface • Port-Pipes • CR4 Auto-Negotiation • FEC Configuration • Setting the Speed of Ethernet Interfaces • Syslog Warning Upon Connecting SFP28 Optics w
This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel. NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C and Dell EMC Networking OS returns to the command prompt.
TenGigabitEthernet fortyGigE 1/1/11 fortyGigE 1/1/12 fortyGigE 1/1/13 fortyGigE 1/1/14 TenGigabitEthernet TenGigabitEthernet TenGigabitEthernet TenGigabitEthernet fortyGigE 1/2/1 fortyGigE 1/2/2 1/1/9/4 1/1/15/1 1/1/15/2 1/1/15/3 1/1/15/4 unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned NO NO NO NO NO NO NO NO NO NO NO Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual Manual administratively administratively ad
show config DellEMC(conf-if-te-1/1/5/1)#show config ! interface TenGigabitEthernet 1/1/5/1 no ip address shutdown All the applied configurations are removed and the interface is set to the factory default state. Enabling a Physical Interface After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface command. 1 Enter the keyword interface then the type of interface and slot/port[/subport] information.
• Management Interfaces • Adjusting the Keepalive Timer • Clearing Interface Counters Overview of Layer Modes On all systems running Dell EMC Networking OS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode. Table 41. Layer Modes Type of Interface Possible Modes Requires Creation Default State 10 Gigabit Ethernet, 25–Gigabit Ethernet, 40–Gigabit Ethernet, 50–Gigabit Ethernet, and 100– Gigabit Ethernet.
Configuring Layer 2 (Interface) Mode To configure an interface in Layer 2 mode, use the following commands. • Enable the interface. INTERFACE mode no shutdown • Place the interface in Layer 2 (switching) mode. INTERFACE mode switchport To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode. Configuring Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode.
• Enable the interface. INTERFACE mode no shutdown • Configure a primary IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. Example of the show ip interface Command You can only configure one primary IP address per interface.
Following is the sample syslog displayed when the timer for Err-disable recovery is started: May 8 17:18:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_TIMER_START: 180 seconds timer started to attempt recovery of interface Gi 2/18 from error disabled state caused by bpdu-guard. Following is the sample syslog displayed when the recovery action is complete: May 8 17:21:57 %STKUNIT1-M:CP %IFMGR-5-ERR_DIS_RECOVERY_COMPLETE: Error Disable Recovery timer expired for interface Gi 2/18.
Important Points to Remember • Deleting a management route removes the route from both the EIS routing table and the default routing table. • If the management port is down or route lookup fails in the management EIS routing table, the outgoing interface is selected based on route lookup from the default routing table. • If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence.
ip address ip-address mask – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x). Viewing Two Global IPv6 Addresses Important Points to Remember — virtual-ip You can configure two global IPv6 addresses on the system in EXEC Privilege mode. To view the addresses, use the show interface managementethernet command, as shown in the following example. If you try to configure a third IPv6 address, an error message displays.
• After the virtual IP address is removed, the system is accessible through the native IP address of the primary RPM’s management interface. • Primary and secondary management interface IP and virtual IP must be in the same subnet. To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are two RPMs, you cannot view information on that interface.
S6100 — OIR This section deals with information on the S6100–OIR (Online Insertion and Removal) feature. Online Insertion and Removal of Modules There are 3 scenarios you may come across with regard to Online Insertion and Removal of Modules: 1 2 3 Inserting a module in an empty slot (a module slot that did not have any module-type provision at, and since the last reboot of the system): a QSFP+, and QSFP28 modules can be inserted in the empty module slot without any provisioning.
– secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Example of a Configuration for a VLAN Participating in an OSPF Process interface Vlan 10 ip address 1.1.1.
• Port Channel Benefits • Port Channel Implementation • Configuration Tasks for Port Channel Interfaces Port Channel Definition and Standards Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface—a link aggregation group (LAG) or port channel. A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE 802.3ad.
Interfaces in Port Channels When interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. Then, the software checks the first interface listed in the port channel configuration. If you enabled that interface, its speed configuration becomes the common speed of the port channel.
Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. NOTE: Port channels can contain a mix of Ethernet interfaces, but Dell EMC Networking OS disables the interfaces that are not the same speed of the first channel member in the port channel (refer to 10/100/1000 Mbps Interfaces in Port Channels). You can add any physical interface to a port channel if the interface configuration is minimal.
Internet address is 1.1.120.
INTERFACE PORT-CHANNEL mode channel-member interface Example of Moving an Interface to a New Port Channel The following example shows moving an interface from port channel 4 to port channel 3.
untagged port-channel id number • An interface without tagging enabled can belong to only one VLAN. Remove the port channel with tagging enabled from the VLAN. INTERFACE VLAN mode no tagged port-channel id number or no untagged port-channel id number • Identify which port channels are members of VLANs.
ip address ip-address mask [secondary] – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). – secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Deleting or Disabling a Port Channel To delete or disable a port channel, use the following commands. • Delete a port channel. CONFIGURATION mode no interface portchannel channel-number • Disable a port channel.
– tcp-udp enable — Distribute traffic based on the TCP/UDP source and destination ports. – ingress-port — Option to Source Port Id for ECMP/ LAG hashing. – ipv6-selection— Set the IPV6 key fields to use in hash computation. – tunnel— Set the tunnel key fields to use in hash computation. Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels.
• xor4 —Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor4 • xor8 — Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor8 • xor16 — uses 16 bit XOR. Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range.
Create a Single-Range The following is an example of a single range.
Commas The following is an example of how to use commas to add different interface types to a range of interfaces. Example of Adding Interface Ranges DellEMC(conf)#interface range fo 1/1/1-1/1/4 , te 1/1/5/1 - 1/1/5/4 DellEMC(conf-if-range-te-1/1/5/1-1/1/5/4,fo-1/1/1...)# Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Example of Using a Macro to Change the Interface Range Configuration Mode The following example shows how to change to the interface-range configuration mode using the interface-range macro named “test.” DellEMC(config)# interface range macro test DellEMC(config-if)# Monitoring and Maintaining Interfaces Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/ down), number of packets, traffic statistics, and so on.
m l T q - Change mode Page up Increase refresh interval Quit c - Clear screen a - Page down t - Decrease refresh interval q DellEMC# Split 40G Ports on a 16X40G QSFP+ Module You can only split the 40G ports in the top row (odd numbered ports) on a 16X40G module. If you configure 4X10G on a 40G interface, the subsequent even numbered interface is removed and unavailable for use.
Splitting 100G Ports The platform supports splitting a single 100G QSFP 28 port into any of the following ports: • • • • Two 50G ports Four 25G ports One 40G port Four 10G ports NOTE: You can use the supported breakout cables (for a list of supported cables, refer to the Installation Guide or the Release Notes). To split a single 100G port into 50G, 25G, 40G, and 10G ports, use the following commands: • Split a 100G port into two 50G ports.
transient loops and black holes. Dampening limits the notification of status to the routing protocols. Link dampening minimizes the risk created by flapping by imposing a penalty (1024) for each interface flap and decaying the penalty exponentially based on the half-time. When the accumulated penalty exceeds a certain threshold (suppress threshold), the interface is put in an Error-Disabled state and for all practical purposes of routing, the interface is deemed to be “down.
Figure 52. Interface State Change Consider an interface periodically flaps as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), the penalty is added to 1024. And, the accumulated penalty will exponentially decay based on the set half-life, which is set as 10 seconds in the above example.
accumulated. When the accumulated penalty exceeds the configured suppress threshold (2400), the interface state is set to Error-Disabled state. After the flap (flap 3), the interface flap stops. Then, the accumulated penalty decays exponentially and when it reaches below the set reuse threshold (300), the interface is unsuppressed and the interface state changes to “up” state. Enabling Link Dampening To enable link dampening, use the following command. • Enable link dampening.
Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command. • show interfaces dampening • show interfaces dampening summary • show interfaces interface slot/port/subport Configure MTU Size on an Interface In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload).
link-bundle-distribution trigger-threshold DellEMC(conf)#link-bundle-distribution trigger-threshold • View the link bundle monitoring status. show link-bundle-distribution Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell EMC Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
The flow control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes. To enable pause frames, use the following command. • Control how the system responds to and generates 802.3x pause frames on the Ethernet ports. INTERFACE mode flowcontrol {rx [off | on] tx [off | on] | monitor session-ID} – rx on: enter the keywords rx on to process the received flow control frames on this port.
For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500. The VLAN’s Link MTU cannot be higher than 1518 bytes and its IP MTU cannot be higher than 1500 bytes. Port-Pipes A port pipe is a Dell EMC Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port-set.
The CL74 keyword enables BaseR-FEC on 25G or 50G interfaces as per 25G/50G Ethernet Consortium. The system displays an error message when this is applied on 100G interfaces. The CL108 keyword enables RS-FEC for single 25G lane as per IEEE 802.3by. The system displays an error message when this is applied on 100G interfaces. • To disable FEC, use the no fec enable command. Set to default FEC value. INTERFACE mode • fec default Verify the configuration.
0 CRC, 0 overrun, 0 discarded 669 FEC bit errors, 172 FEC uncorrected code words Output Statistics: 0 packets, 0 bytes, 0 underruns 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
Example of the show interfaces status Command to View Link Status NOTE: The show interfaces status command displays link status, but not administrative status. For both link and administrative status, use the show ip interface command.
• View the new setting. INTERFACE mode show config View Advanced Interface Information The following options have been implemented for the show [ip | running-config] interfaces commands for (only) stack-unit interfaces. When you use the configured keyword, only interfaces that have non-default configurations are displayed. Dummy stack-unit interfaces (created with the stack-unit command) are treated like any other physical interface.
To configure the number of seconds of traffic statistics to display in the show interfaces output, use the following command. • Configure the number of seconds of traffic statistics to display in the show interfaces output. INTERFACE mode rate-interval Example of the rate-interval Command The bold lines shows the default value of 299 seconds, the change-rate interval of 100, and the new rate interval set to 100.
Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. The following example shows how to configure rate interval when changing the default value. To configure the number of seconds of traffic statistics to display in the show interfaces output, use the following command.
ARP type: ARPA, ARP Timeout 04:00:00 Queueing strategy: fifo Input Statistics: 13932 packets, 1111970 bytes 5588 64-byte pkts, 8254 over 64-byte pkts, 89 over 127-byte pkts 1 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 13761 Multicasts, 9 Broadcasts, 162 Unicasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 13908 packets, 1114396 bytes, 0 underruns 5555 64-byte pkts, 8213 over 64-byte pkts, 140 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pk
– For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information. – For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information. – For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the stack/slot/port information.
Uncompressed Compressed ! ! interface TenGigabitEthernet 1/1/1/1 interface TenGigabitEthernet 1/1/1/1 no ip address no ip address switchport switchport shutdown shutdown ! ! interface TenGigabitEthernet 1/1/1/2 Interface group TenGigabitEthernet 1/1/2/1 – 1/1/2/4 , TenGigabitEthernet 1/1/7/1 no ip address shutdown ! interface TenGigabitEthernet 1/1/1/3 no ip address shutdown ! interface TenGigabitEthernet 1/1/1/4 no ip address shutdown ! interface TenGigabitEthernet 1/1/5/1 n
Uncompressed Compressed tagged te 1/1/1/1 no ip address shutdown ! interface Vlan 4 tagged te 1/1/1/1 no ip address shutdown ! interface Vlan 5 tagged te 1/1/1/1 no ip address shutdown ! interface Vlan 100 no ip address no shutdown ! interface Vlan 1000 ip address 1.1.1.1/16 no shutdown Uncompressed config size – 52 lines write memory compressed The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode.
21 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
• UDP Helper with Broadcast-All Addresses • UDP Helper with Subnet Broadcast Addresses • UDP Helper with Configured Broadcast Addresses • UDP Helper with No Configured Broadcast Addresses • Troubleshooting UDP Helper IP Addresses Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported.
2 • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information. • For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information. • For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the stack/slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
– permanent: keep the static route in the routing table (if you use the interface option) even if you disable the interface with the route. (optional) – tag tag-value: the range is from 1 to 4294967295. (optional) Example of the show ip route static Command To view the configured routes, use the show ip route static command. DellEMC#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.
10.16.0.0/16 172.16.1.0/24 ManagementEthernet 1/1 10.16.151.4 Connected Active Connected Static IPv4 Path MTU Discovery Overview The size of the packet that can be sent across each hop in the network path without being fragmented is called the path maximum transmission unit (PMTU). This value might vary for the same route between two devices, mainly over a public network, depending on the network load and speed, and it is not a consistent value.
Configure the source to send the configured source interface IP address instead of using its front-end IP address in the ICMP unreachable messages and in the traceroute command output. Use the ip icmp source-interface interface or the ipv6 icmp source-interface interface commands in Configuration mode to enable the ICMP error messages to be sent with the source interface IP address. This functionality is supported on loopback, VLAN, port channel, and physical interfaces for IPv4 and IPv6 messages.
Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
• Enter up to 63 characters to configure one domain name. CONFIGURATION mode ip domain-name name • Enter up to 63 characters to configure names to complete unqualified host names. CONFIGURATION mode ip domain-list name Configure this command up to six times to specify a list of possible domain names. Dell EMC Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted.
ARP Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. • Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
• Enable ARP learning via gratuitous ARP. CONFIGURATION mode arp learn-enable ARP Learning via ARP Request In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped.
• Set the number of ARP retries. CONFIGURATION mode arp retries number The default is 5. • The range is from 1 to 20. Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP.
UDP Helper User datagram protocol (UDP) helper allows you to direct the forwarding IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses. Configure UDP Helper To configure Dell EMC Networking OS to direct UDP broadcast, enable UDP helper and specify the UDP ports for which traffic is forwarded.
1 Packet 1 is dropped at ingress if you did not configure UDP helper address. 2 If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101.
UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
2017-08-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6 2017-08-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2 2017-08-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90 Packet 0.0.0.0:68 -> 255.255.255.
22 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Flow Label (20 bits) • Payload Length (16 bits) • Next Header (8 bits) • Hop Limit (8 bits) • Source Address (128 bits) • Destination Address (128 bits) IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
The platforms uses only IPv6 /0 – 0/64 prefix route entries. Support for /0 – /128 IPv6 prefix route entries is available, although they are not utilized. A total of eight pools or regions are present with each region containing 1024 210-bit entries (supports up to 0/64 prefix). To support up to /128 prefixes, you must use 2 banks (410-bit entries). It is necessary to partition the LPM. The optimized booting functionality does not use Openflow and therefore SDN support is not available.
Next Header (8 bits) The Next Header field identifies the next header’s type. If an Extension header is used, this field contains the type of Extension header (as shown in the following table). If the next header is a transmission control protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers do not severely impact performance.
10 Discard the packet and send an ICMP Parameter Problem Code 2 message to the packet’s Source IP Address identifying the unknown option type. 11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination.
the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way. In IPv6, every interface, whether using static or dynamic address assignments, also receives a local-link address automatically in the fe80::/64 subnet.
Figure 59. Path MTU discovery process IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes.
Figure 60. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
DellEMC(conf-if-te-1/1/1)#ipv6 nd dns-server 1000::1 ? <0-4294967295> Max lifetime (sec) which RDNSS address may be used for name resolution infinite Infinite lifetime (sec) which RDNSS address may be used for name resolution DellEMC(conf-if-te-1/1/1)#ipv6 nd dns-server 1000::1 1 Debugging IPv6 RDNSS Information Sent to the Host To verify that the IPv6 RDNSS information sent to the host is configured correctly, use the debug ipv6 nd command in EXEC Privilege mode.
ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 198 to 600 seconds ND router advertisements live for 1800 seconds ND advertised hop limit is 64 IPv6 hop limit for originated packets is 64 ND dns-server address is 1000::1 with lifetime of 1 seconds ND dns-server address is 3000::1 with lifetime of 1 seconds ND dns-server address is 2000::1 with lifetime of 0 seconds IP unicast RPF check is not supported To display IPv6
• IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings. • Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount. CONFIGURATION mode cam-acl { ipv6acl } When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13.
Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command. NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor does not display in the show ipv6 route command output. • Set up IPv6 static routes.
SNMP over IPv6 You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running Dell EMC Networking OS IPv6. The Dell EMC Networking OS SNMP-server commands for IPv6 have been extended to support IPv6. For more information regarding SNMP commands, refer to the SNMP and SYSLOG chapters in the Dell EMC Networking OS Command Line Interface Reference Guide.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information. – For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information. – For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information.
– To display information about ISO IS-IS routes, enter isis. – To display information about Open Shortest Path First (OSPF) routes, enter ospf. – To display information about Routing Information Protocol (RIP), enter rip. – To display information about static IPv6 routes, enter static. – To display information about an IPv6 Prefix lists, enter list and the prefix-list name. Examples of the show ipv6 route Commands The following example shows the show ipv6 route summary command.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information. – For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information. – For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information.
Configuring IPv6 RA Guard The IPv6 Router Advertisement (RA) guard allows you to block or reject the unwanted router advertisement guard messages that arrive at the network device platform. To configure the IPv6 RA guard, perform the following steps: 1 Configure the terminal to enter the Global Configuration mode. EXEC Privilege mode configure terminal 2 Enable the IPv6 RA guard. CONFIGURATION mode ipv6 nd ra-guard enable 3 Create the policy.
router—lifetime value The router lifetime range is from 0 to 9,000 seconds. 11 Apply the policy to trusted ports. POLICY LIST CONFIGURATION mode trusted-port 12 Set the maximum transmission unit (MTU) value. POLICY LIST CONFIGURATION mode mtu value 13 Set the advertised reachability time. POLICY LIST CONFIGURATION mode reachable—time value The reachability time range is from 0 to 3,600,000 milliseconds. 14 Set the advertised retransmission time.
EXEC Privilege mode show ipv6 nd ra-guard policy policy-name The policy name string can be up to 140 characters. Example of the show ipv6 nd ra-guard policy Command DellEMC#show ipv6 nd ra-guard policy test ipv6 nd ra-guard policy test device-role router hop-limit maximum 1 match ra ipv6-access-list access other-config-flag on router-preference maximum medium trusted-port Interfaces : Te 1/1/1 DellEMC# Monitoring IPv6 RA Guard To debug IPv6 RA guard, use the following command.
23 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets. • iSCSI DCBx TLVs are supported.
Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
If more than 256 simultaneous sessions are logged continuously, the following message displays indicating the queue rate limit has been reached: %STKUNIT2-M:CP %iSCSI-5-ISCSI_OPT_MAX_SESS_EXCEEDED: New iSCSI Session Ignored: ISID 400001370000 InitiatorName - iqn.1991-05.com.microsoft:dt-brcd-cna-2 TargetName iqn.2001-05.com.equallogic:4-52aed6-b90d9446c-162466364804fa49-wj-v1 TSIH - 0" NOTE: If you are using EqualLogic or Compellent storage arrays, more than 256 simultaneous iSCSI sessions are possible.
including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection. After you execute the iscsi profile-compellent command, the following actions occur: • Jumbo frame size is set to the maximum for all interfaces on all ports and port-channels, if it is not already enabled. • Spanning-tree portfast is enabled on the interface. • Unicast storm control is disabled on the interface.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 44. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting Disabled. iSCSI CoS mode (802.1p priority queue mapping) dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
CONFIGURATION mode iscsi enable 3 For a DCB environment: Configure DCB and iSCSI. 4 Save the configuration on the switch. EXEC Privilege mode write memory 5 Reload the switch. EXEC Privilege mode reload After the switch is reloaded, DCB/ DCBx and iSCSI monitoring are enabled. 6 (Optional) Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication is monitored. CONFIGURATION mode [no] iscsi target port tcp-port-1 [tcp-port-2...
The default is 10 minutes. 9 (Optional) Configures DCBX to send iSCSI TLV advertisements. LLDP CONFIGURATION mode or INTERFACE LLDP CONFIGURATION mode [no] advertise dcbx-app-tlv iscsi. You can send iSCSI TLVs either globally or on a specified interface. The interface configuration takes priority over global configuration. The default is Enabled. 10 (Optional) Configures the advertised priority bitmap in iSCSI application TLVs. LLDP CONFIGURATION mode [no] iscsi priority-bits.
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010 Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg ISID: 400001370000 VLT PEER2 Session 0: -----------------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011 iqn.1991-05.com.microsoft:win-x9l8v27yajg ISID: 400001370000 The following example shows the show iscsi session detailed command.
24 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 62.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, portchannel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
IPv6 Reachability and IPv6 Interface Address. Also, a new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports.
Configuration Tasks for IS-IS The following describes the configuration tasks for IS-IS. • Enabling IS-IS • Configure Multi-Topology IS-IS (MT IS-IS) • Configuring IS-IS Graceful Restart • Changing LSP Attributes • Configuring the IS-IS Metric Style • Configuring IS-IS Cost • Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debugging IS-IS Enabling IS-IS By default, IS-IS is not enabled.
4 • For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the stack/slot/port/subport information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the stack/slot/port[/subport] information. • For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the stack/slot/port/subport information. • For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the stack/slot/port information.
Distance: 115 Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: DellEMC# level-1-2 level-1-2 none none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Use this command for IPv6 route computation only when you enable multi-topology. If using single-topology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4 Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
ROUTER-ISIS mode graceful-restart t3 {adjacency | manual seconds} – adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value so if user has configured this option. – manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10 Number of active level-2 adjacencies: 1 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 DellEMC# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115 Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: DellEMC# level-1-2 level-1-2 none none Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. • Assign an IS-IS metric.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} • Default is level-1-2. Change the IS-type for the IS-IS process.
– For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the stack/slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a port channel interface, enter the keywords port-channel then a number. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list.
Applying IPv6 Routes To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, previously shown. • Apply a configured prefix list to all incoming IPv6 IS-IS routes.
redistribute {bgp as-number | connected | rip | static} [level-1 level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric-value the range is from 0 to 16777215. The default is 0. – metric-type: choose either external or internal. The default is internal. • – map-name: enter the name of a configured route map.
– match external: the range is 1 or 2. – match internal – metric-type: external or internal. – map-name: name of a configured route map. To view the IS-IS configuration globally (including both IPv4 and IPv6 settings), use the show running-config isis command in EXEC Privilege mode. To view the current IPv4 IS-IS configuration, use the show config command in ROUTER ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode.
no set-overload-bit Example of Viewing the Overload Bit Setting When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2. DellEMC#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
EXEC Privilege mode debug isis update-packets [interface] To view specific information, enter the following optional parameter: – interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition narrow transition default value (10) if the original value is greater than 63. A message is sent to the console. wide transition transition truncated value (the truncated value appears in the LSP only).
Level-1 Metric Style Level-2 Metric Style Resulting Metric Value wide transition truncated value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value transition wide original value transition narrow original value transition wide transition original value transition narrow transition original value wide transition wide original value wide transition narrow
Figure 63. IPv6 IS-IS Sample Topography IS-IS Sample Configuration — Congruent Topology IS-IS Sample Configuration — Multi-topology IS-IS Sample Configuration — Multi-topology Transition The following is a sample configuration for enabling IPv6 IS-IS. DellEMC(conf-if-te-1/1/1/1)#show config ! interface TenGigabitEthernet 1/1/1/1 ip address 24.3.1.
exit-address-family DellEMC(conf-router_isis)# DellEMC(conf-if-te-1/1/1/1)#show config ! interface TenGigabitEthernet 1/1/1/1 ipv6 address 24:3::1/76 ipv6 router isis no shutdown DellEMC(conf-if-te-1/1/1/1)# DellEMC(conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
25 In-Service Software Upgrade This chapter deals with In-Service Software Upgrade (ISSU) and its dependencies. Topics: • • • • • • • • • ISSU Introduction Fastboot 2.0 (Zero Loss Upgrade) L2 ISSU L3 ISSU CoPP Mirroring flow control packets PFC QoS Tunnel Configuration ISSU Introduction In-service software upgrades (ISSU), also known as warmboot or fastboot 2.0, allow Dell EMC Networking to address software bugs and add new features to switches and routers without interrupting network availability.
and traffic will be treated seamlessly, during reload. After the reload is complete, the running-config and startup-config will be compared and if there is a difference, the device will be programmed based on the startup-config. L2 ISSU This section deals with L2 ISSU related information.
CoPP Control Plane Policing (CoPP) in Dell EMC Networking OS provides a method for protecting CPU bound control plane packets by policing packets punted to CPU with a specified rate and from undesired or malicious traffic.
and if there is a difference, the device will be programmed based on the startup-config. If tunnel keepalive is configured over the tunnel interface then tunnel keepalive threshold should be set to 90 seconds.
26 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
LACP Modes Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP. • Creating a LAG • Configuring the LAG Interfaces as Dynamic • Setting the LACP Long Timeout • Monitoring and Debugging LACP • Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. • Create a dynamic port channel (LAG).
DellEMC(conf)#interface TenGigabitethernet 1/1/1/2 DellEMC(conf-if-te-1/1/1/2)#no shutdown DellEMC(conf-if-te-1/1/1/2)#port-channel-protocol lacp DellEMC(conf-if-te-1/1/1/2-lacp)#port-channel 32 mode active ...
• Debug LACP, including configuration and events. EXEC mode [no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]] Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
Example of LAGs in the Same Failover Group DellEMC#config DellEMC(conf)#port-channel failover-group DellEMC(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2 To view the failover group configuration, use the show running-configuration po-failover-group command. DellEMC#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group.
Important Points about Shared LAG State Tracking The following is more information about shared LAG state tracking. • • • • • This feature is available for static and dynamic LAGs. Only a LAG can be a member of a failover group. You can configure shared LAG state tracking on one side of a link or on both sides. If a LAG that is part of a failover group is deleted, the failover group is deleted. If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
Port is part of Port-channel 10 Hardware is DellEMCEth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface Index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts,
Figure 67.
Figure 68.
Figure 69.
Summary of the LAG Configuration on Bravo Bravo(conf-if-te-1/1/1/3)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 1/1/1/3 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-1/1/1/3)#port-channel-protocol lacp Bravo(conf-if-te-1/1/1/3-lacp)#port-channel 10 mode a
Figure 70.
Figure 71.
Figure 72. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
27 Layer 2 This chapter describes the Layer 2 features supported on the device. Manage the MAC Address Table You can perform the following management tasks in the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in Dell EMC Networking OS version 8.3.1.0 is different from versions 8.2.1.
When you enable sticky mac on an interface, dynamically-learned MAC addresses do not age, even if you enabled mac-learninglimit dynamic. If you configured mac-learning-limit and mac-learning-limit dynamic and you disabled sticky MAC, any dynamically-learned MAC addresses ages. mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface.
Setting Station Move Violation Actions no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move. INTERFACE mode station-move-violation log • Shut down the first port to learn the MAC address.
Disabling MAC Address Learning on the System You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs. To disable source MAC address learning from LACP and LLDP BPDUs, follow this procedure: • Disable source MAC address learning from LACP BPDUs. CONFIGURATION mode mac-address-table disable-learning lacp • Disable source MAC address learning from LLDP BPDUs. CONFIGURATION mode mac-address-table disable-learning lldp • Disable source MAC address learning from LACP and LLDP BPDUs.
Figure 73. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
following illustration). The redundant pairs feature allows you to create redundant links in networks that do not use STP by configuring backup interfaces for the interfaces on either side of the primary link. NOTE: For more information about STP, refer to Spanning Tree Protocol (STP). Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to Up state.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
1 L2 up 00:08:33 Te 1/1/1/1 (Up) 2 L2 up 00:00:02 Te 1/1/1/2 (Up) DellEMC#configure DellEMC(conf)#interface port-channel 1 DellEMC(conf-if-po-1)#switchport backup interface port-channel 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2 DellEMC(conf-if-po-1)# DellEMC# Dell
In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
Configuring FEFD You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • Enable FEFD globally on all interfaces. CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
fefd [mode {aggressive | normal}] • Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1 2w1d22h : FEFD state on Te 4/1/1 changed from Bi-directional to Unknown DellEMC#debug fefd packets DellEMC#2w1d22h : FEFD packet sent via interface Te 1/1/1 Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port-Subport(Te 1/1/1) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port-Subport(Te 4/1/1) Sender hold time -- 3 (second) 2w1d22h : FEFD packet received on interface Te 4/1/1 Sender stat
28 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 51. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of a LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 79. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell EMC Networking system to advertise any or all of these TLVs. Table 52. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. Dell EMC Networking OS does not currently support this TLV.
Type TLV Description in the Dell EMC Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDPMED implementation. 127 Link Aggregation Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG. Dell EMC Networking OS does not currently support this TLV. 127 Maximum Frame Size Indicates the maximum frame size capability of the MAC and PHY.
Type SubType TLV Description • LLDP device class 127 2 Network Policy Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value. 127 3 Location Identification Indicates that the physical location of the device expressed in one of three possible formats: • • • 127 4 Inventory Management TLVs Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. Dell EMC Networking OS does not currently support these TLVs.
When you enable LLDP-MED in Dell EMC Networking OS (using the advertise med command), the system begins transmitting this TLV. Figure 80. LLDP-MED Capabilities TLV Table 54. Dell EMC Networking OS LLDP-MED Capabilities Bit Position TLV Dell EMC Networking OS Support 0 LLDP-MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI-PSE Yes 4 Extended Power via MDI-PD No 5 Inventory No 6–15 reserved No Table 55.
NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets for which a connection is made. In this case, configure the signaling application. Table 56.
• Power Value — Dell EMC Networking advertises the maximum amount of power that can be supplied on the port. By default the power is 15.4W, which corresponds to a power value of 130, based on the TIA-1057 specification. You can advertise a different power value using the max-milliwatts option with the power inline auto | static command. Dell EMC Networking also honors the power value (power requirement) the powered device sends when the port is configured for power inline auto. Figure 82.
• Configurations made at the INTERFACE level affect only the specific interface; they override CONFIGURATION level configurations.
Enabling LLDP on Management Ports LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command. 1 Enter Protocol LLDP mode. CONFIGURATION mode protocol lldp 2 Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode management-interface 3 Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP on Management Ports To disable or undo LLDP on management ports, use the following command. 1 Enter Protocol LLDP mode.
advertise {dcbx-appln-tlv | dcbx-tlv | dot3-tlv | interface-port-desc | management-tlv | med } Include the keyword for each TLV you want to advertise. • For management TLVs: system-capabilities, system-description. • For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id . • For 802.3 TLVs: max-frame-size.
The system processes each LLDP frame to retrieve the type and length, and stores the retrieved data of reserved unrecognized LLDP TLVs in a list. The stored list of unrecognized TLVs is removed when subsequent LLDP neighbor frame is received, neighbor is lost, or neighbor ages out. If there are multiple unrecognized TLVs with the same TLV type, only the information of first unrecognized TLV is stored and the TLV discard counter is incremented for the successive TLVs.
no disable DellEMC(conf-lldp)# DellEMC(conf-lldp)#exit DellEMC(conf)#interface tengigabitethernet 1/1/5/1 DellEMC(conf-if-te-1/1/5/1)#show config ! interface TenGigabitEthernet 1/1/5/1 no ip address switchport no shutdown DellEMC(conf-if-te-1/1/5/1)#protocol lldp DellEMC(conf-if-te-1/1/5/1-lldp)#show config ! protocol lldp DellEMC(conf-if-te-1/1/5/1-lldp)# Viewing Information Advertised by Adjacent LLDP Neighbors To view brief information about adjacent devices or to view all the information that neighbors
( 59, 4) ( 60, 4) ( 61, 4) ( 62, 4) ( 63, 4) ( 64, 4) ( 65, 4) ( 69, 4) ( 70, 4) ( 71, 4) ( 72, 4) ( 73, 4) ( 74, 4) ( 75, 4) ( 79, 4) ( 80, 4) ( 81, 4) ( 82, 4) ( 83, 4) ( 84, 4) ( 85, 4) ( 89, 4) ( 90, 4) ( 91, 4) ( 92, 4) ( 93, 4) ( 94, 4) ( 95, 4) ( 99, 4) (100, 4) (101, 4) (102, 4) (103, 4) (104, 4) (105, 4) (109, 4) (110, 4) (111, 4) (112, 4) (113, 4) (114, 4) (115, 4) (119, 4) (120, 4) (121, 4) (122, 4) (123, 4) (124, 4) (125, 4) OrgUnknownTLVList: ----------------------------------------------------
Time since last information change of this neighbor: 00:01:41 UnknownTLVList: OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119, --------------------------------------------------------------------------- 4) ((00-01-66),123, 4) ((00-01-66),118, 4) 4) Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds.
• – Example: snmpset —c public —v2c 10.16.127.10 LLDP-MIB::lldpNotificationInterval.0 I 20 REST API — Through configuring by REST API method. Configuring Transmit and Receive Mode After you enable LLDP, the system transmits and receives LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands. • Transmit only. CONFIGURATION mode or INTERFACE mode • mode tx Receive only.
• Return to the default multiplier value. CONFIGURATION mode or INTERFACE mode.
Figure 84. The debug lldp detail Command — LLDPDU Packet Dissection Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 57. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether you enable the local LLDP agent for transmit, receive, or both. msgTxHold lldpMessageTxHoldMultiplier Multiplier value. msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs.
TLV Type 4 5 6 7 8 TLV Name Port Description System Name System Description System Capabilities Management Address TLV Variable port description system name system description system capabilities enabled capabilities management address length management address subtype management address interface numbering subtype interface number OID System LLDP MIB Object Remote lldpRemPortId Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local
TLV Type TLV Name TLV Variable PPVID 127 VLAN Name VID VLAN name length VLAN name System LLDP MIB Object Remote lldpXdot1RemProtoVlanEna bled Local lldpXdot1LocProtoVlanId Remote lldpXdot1RemProtoVlanId Local lldpXdot1LocVlanId Remote lldpXdot1RemVlanId Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Table 60.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object L2 Priority Local lldpXMedLocMediaPolicyPri ority Remote lldpXMedRemMediaPolicyP riority Local lldpXMedLocMediaPolicyDs cp Remote lldpXMedRemMediaPolicyD scp Local lldpXMedLocLocationSubty pe Remote lldpXMedRemLocationSubt ype Local lldpXMedLocLocationInfo Remote lldpXMedRemLocationInfo DSCP Value 3 Location Identifier Location Data Format Location ID Data Link Layer Discovery Protocol (LLDP) 571
29 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With Multicast NLB mode, the data forwards to all the servers based on the port specified using the following Layer 2 multicast command in CONFIGURATION MODE: mac-address-table static multicast vlan output-range , Limitations of the NLB Feature The following limitations apply to switches on which you configure NLB: • The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
CONFIGURATION mode ip vlan-flooding There might be some ARP table entries that are resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
30 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 86.
active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP. Receivers join toward the new RP and connectivity is maintained. Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process.
Figure 87.
Figure 88.
Figure 89.
Figure 90. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Examples of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
R3(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
show ip msdp sa-limit If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in Dell EMC Networking OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 91.
Figure 92.
Figure 93. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr 229.0.50.2 229.0.50.3 229.0.50.4 SourceAddr 24.0.50.2 24.0.50.3 24.0.50.4 RPAddr 200.0.0.50 200.0.0.50 200.0.0.50 LearnedFrom 10.0.50.2 10.0.50.2 10.0.50.2 DellEMC#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.50 Expire 73 73 73 UpTime 00:13:49 00:13:49 00:13:49 LearnedFrom 10.0.50.
R1_E600(conf)#do show ip msdp sa-cache R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires. [Router 1] R1(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.3 list mylocalfilter R1(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none [Router 1] R1(conf)#do show ip msdp peer Peer Addr: 192.168.0.3 Local Addr: 0.0.0.0(0) Connect Source: Lo 0 State: Inactive Up/Down Time: 00:00:03 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics.
03:17:10 : MSDP-0: Peer 192.168.0.3, 03:17:27 : MSDP-0: Peer 192.168.0.3, Input (S,G) filter: none Output (S,G) filter: none rcvd Keepalive msg sent Source Active msg MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 94. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
interface Loopback 1 ip address 192.168.0.11/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.
The following example shows an R3 configuration for MSDP with Anycast RP. ip multicast-routing ! interface TenGigabitEthernet 1/1/4/1 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface TenGigabitEthernet 1/1/5/1 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R2 Running-Config ip multicast-routing ! interface TenGigabitEthernet 1/1/1/1 ip pim sparse-mode ip address 10.11.4.
ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 1/1 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.
31 Multicast Listener Discovery Protocol Dell Networking OS Supports Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | * * | | * Source Address [1] * | | * * | | +-+ | | * * | | * Source Address [2] * | | * * | | +. -+ . . . . . . +-+ | | * * | | * Source Address [N] * | | * * | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
| | * Multicast Address * | | * * | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | * * | | * Source Address [1] * | | * * | | +-+ | | * * | | * Source Address [2] * | | * * | | +-+ . . . . . . . . . +-+ | | * * | | * Source Address [N] * | | * * | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Auxiliary Data . . .
ipv6 mld query-interval Reducing Host Response Burstiness General Queries contain a Query Response Interval value, which is the amount of time the host has to respond to a general query. Hosts set a timer to a random number less than the Query Response Interval upon receiving a general query, and send a report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness.
ipv6 mld explicit-tracking Reducing Leave Latency Leave Latency is the amount of time after the last host leaves the MLD group that the router stops forwarding traffic for that group. Latency is introduced because the router attempts several times to determine if there are any remaining members before stopping traffic for the group. The Querier sends a Multicast-Address-Specific Query upon receiving a Done message to ascertain whether there are any remain receivers for a group.
waste of bandwidth. MLD Snooping enables switches to use information in MLD packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Enable MLD Snooping MLD is automatically enabled when you enable IPv6 PIM, but MLD snooping must be explicitly enabled.
EXEC Privilege mode show ipv6 mld snooping mrouter Enable Snooping Explicit Tracking The switch can be a querier, and therefore also has an option of updating the group table through explicit-tracking. Whether the switch is the querier or not, if snooping is enabled, the switch tracks all the MLD joins. It has a separate explicit tracking table which contains group, source, interface, VLAN, and reporter details.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Adding and Removing Interfaces • Creating Multiple Spanning Tree Instances • Influencing MSTP Root Selection • Interoperate with Non-Dell Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • MSTP Sample Configurations • Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell EMC Networking OS supports four variations of spanning
• Adding and Removing Interfaces • Influencing MSTP Root Selection • Interoperate with Non-Dell EMC Networking OS Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • Debugging and Verifying MSTP Configurations • Prevent Network Disruptions with BPDU Guard • Enabling SNMP Traps for Root Elections and Topology Changes • Configuring Spanning Trees as Hit
• Create an MSTI. PROTOCOL MSTP mode msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI. Examples of Configuring and Viewing MSTI The following examples shows the msti command.
! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 MSTI 2 bridge-priority 0 Interoperate with Non-Dell Bridges Dell EMC Networking OS supports only one MSTP region. A region is a combination of three unique qualities: • Name is a mnemonic string you assign to the region. The default region name is null. • Revision is a 2-byte number. The default revision number OS is 0. • VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
• Max-hops — the maximum number of hops a BPDU can travel before a receiving switch discards it. NOTE: Dell EMC Networking recommends that only experienced network administrators change MSTP parameters. Poorly planned modification of MSTP parameters can negatively affect network performance. To change the MSTP parameters, use the following commands on the root bridge. 1 Change the forward-delay parameter. PROTOCOL MSTP mode forward-delay seconds The range is from 4 to 30. The default is 15 seconds.
Modifying the Interface Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port. • Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode, an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
MSTP Sample Configurations The running-configurations support the topology shown in the following illustration. The configurations are from Dell EMC Networking OS systems. Figure 96. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1 Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology.
no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/1/2 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/1/2 no shutdown Router 2 Running-Configuration This example uses the following steps: 1 Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology. 3 Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
(Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode • debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 The following example shows viewing the debug log of a successful MSTP configuration. DellEMC#debug spanning-tree mstp bpdu MSTP debug bpdu is ON DellEMC# 4w0d4h : MSTP: Sending BPDU on Te 2/21/1 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.
33 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol Ethernet Address OSPF 01:00:5e:00:00:05 01:00:5e:00:00:06 RIP 01:00:5e:00:00:09 NTP 01:00:5e:00:01:01 VRRP 01:00:5e:00:00:12 PIM-SM 01:00:5e:00:00:0d • • • • The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. Multicast is not supported on secondary IP addresses. If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
• Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range is from 1 to . The default is 4000. NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit is reached using the ip multicast-limit command.
Figure 97. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 63. Preventing a Host from Joining a Group — Description Location Description 1/21/1 • • • • Interface TenGigabitEthernet 1/21/1 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31/1 • • • Interface TenGigabitEthernet 1/21/1 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1/1 • • • • Interface TenGigabitEthernet 2/1/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11/1 • • • • Interface TenGigabitEthernet 1/21/1 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31/1 • • • • Interface TenGigabitEthernet 1/21/1 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1/1 • • • • Interface TenGigabitEthernet 1/21/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in PIM. INTERFACE mode ip pim neighbor-filter Setting a Threshold for Switching to the SPT The functionality to specify a threshold for switchover to the shortest path trees (SPTs) is available on the system.
Figure 98. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 65. Preventing a Source from Transmitting to a Group — Description Location Description 1/21/1 • • • • Interface TenGigabitEthernet 1/1/1/1 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31/1 • • • Interface TenGigabitEthernet 1/1/1/2 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1/1 • • • • Interface TenGigabitEthernet 1/1/1/3 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11/1 • • • • Interface TenGigabitEthernet 1/1/1/4 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31/1 • • • • Interface TenGigabitEthernet 1/1/2/1 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1/1 • • • • Interface TenGigabitEthernet 1/1/2/2 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell EMC Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Important Points to Remember • Destination address of the mtrace query message can be either a unicast or a multicast address. NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver. • When you issue an mtrace without specifying a group address (weak mtrace), the destination address is considered as the unicast address of the receiver.
– Forwarding code — error code as present in the response blocks – Source Network/Mask — source mask Example of the mtrace Command to View the Network Path The following is an example of tracing a multicast route. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort. Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. Forwarding code can be added at any node and is not restricted to the last hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported: Table 67.
Scenario Output -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM enabled interface on the node. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort.
Scenario Output 103.103.103.0/24 -3 2.2.2.1 PIM 103.103.103.0/24 -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
Scenario Output -3 10.10.10.1 PIM No route default ----------------------------------------------------------------- If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated. R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
Scenario Output -3 2.2.2.1 PIM 99.99.0.0/16 -4 * * * * ----------------------------------------------------------------- If there is no response for mtrace even after switching to expanded hop search, the command displays an error message. R1>mtrace 99.99.99.99 1.1.1.1 Type Ctrl-C to abort. While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Scenario Output scenario, a corresponding error message is displayed. ---------------------------------------------------------------|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask| ---------------------------------------------------------------0 4.4.4.5 --> Destination -1 4.4.4.4 PIM 6.6.6.0/24 -2 20.20.20.2 PIM 6.6.6.0/24 -3 10.10.10.1 PIM Wrong interface 6.6.6.0/24 ----------------------------------------------------------------R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 99. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
To configure object tracking on the status of a Layer 2 interface, use the following commands. 1 Configure object tracking on the line-protocol state of a Layer 2 interface. CONFIGURATION mode track object-id interface interface line-protocol Valid object IDs are from 1 to 500. 2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0.
• The Layer 3 status of an IPv4 interface goes DOWN when its Layer 2 status goes down (for a Layer 3 VLAN, all VLAN ports must be down) or the IP address is removed from the routing table. For an IPv6 interface, a routing object only tracks the UP/DOWN status of the specified IPv6 interface (the track interface ipv6routing command). • The status of an IPv6 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IPv6 address.
Track 103 Interface TenGigabitEthernet 1/1/2/1 ipv6 routing Description: Austin access point Track an IPv4/IPv6 Route You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/ IPv6 route.
Tracking Route Reachability Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1 Configure object tracking on the reachability of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name] Valid object IDs are from 1 to 500.
The following example configures object tracking on the reachability of an IPv6 route: DellEMC(conf)#track 105 ipv6 route 1234::/64 reachability DellEMC(conf-track-105)#delay down 5 DellEMC(conf-track-105)#description Headquarters DellEMC(conf-track-105)#end DellEMC#show track 105 Track 105 IPv6 route 1234::/64 reachability Description: Headquarters Reachability is Down (route not in route table) 2 changes, last change 00:03:03 Configuring track reachability refresh interval If there is no entry in ARP tab
2 • OSPF routes - 1 to 1592. The efault is 1. Configure object tracking on the metric of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name] Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128.
The following example configures object tracking on the metric threshold of an IPv6 route: DellEMC(conf)#track 8 ipv6 route 2::/64 metric threshold DellEMC(conf-track-8)#threshold metric up 30 DellEMC(conf-track-8)#threshold metric down 40 Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands.
IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf Command DellEMC#show track vrf red Track 5 IP route 192.168.0.0/24 reachability, Vrf: red Reachability is Up (CONNECTED) 3 changes, last change 00:02:39 First-hop interface is TenGigabitEthernet 1/1/4/1 Example of Viewing Object Tracking Configuration DellEMC#show running-config track track 1 ip route 23.0.0.
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Areas allow you to further organize your routers within in the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 100. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.
• A not-so-stubby area (NSSA) can import AS external route information and send it to the backbone. It cannot receive external AS information from the backbone or other areas. • Totally stubby areas are referred to as no summary areas in the Dell EMC Networking OS. Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important.
Figure 101. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
Figure 102. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
Graceful Restart When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. Dell EMC Networking OS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
ACKs 2 (shown in bold) is printed only for ACK packets. The following example shows no change in the updated packets (shown in bold). ACKs 2 (shown in bold) is printed only for ACK packets. 00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c 00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.
Examples of Setting and Viewing a Dead Interval In the following example, the dead interval is set at 4x the hello interval (shown in bold). DellEMC(conf)#int tengigabitethernet 1/1/1/1 DellEMC(conf-if-te-1/1/1/1)#ip ospf hello-interval 20 DellEMC(conf-if-te-1/1/1/1)#ip ospf dead-interval 80 DellEMC(conf-if-te-1/1/1/1)# In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Troubleshooting OSPFv2 1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing. 2 Enable OSPF globally. Assign network area and neighbors. 3 Add interfaces or configure other attributes. 4 Set the time interval between when the switch receives a topology change and starts a shortest path first (SPF) calculation.
The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
• Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area. CONFIG-ROUTER-OSPF-id mode network ip-address mask area area-id The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M. Enable OSPFv2 on Interfaces Enable and configure OSPFv2 on each interface (configure for Layer 3 protocol), and not shutdown. You can also assign OSPFv2 to a Loopback interface as a virtual interface.
Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2 Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:05 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 13.1.1.1 (Designated Router) DellEMC> Loopback interfaces also help the OSPF process.
area area-id stub [no-summary] Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area. Example of the show ip ospf database database-summary Command To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode. DellEMC#show ip ospf 34 database database-summary OSPF Router with ID (10.1.2.
Internet Address 10.1.2.100/24, Area 1.1.1.1 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DOWN, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 13:39:46 Neighbor Count is 0, Adjacent neighbor count is 0 TenGigabitEthernet 1/1/1/2 is up, line protocol is down Internet Address 10.1.3.
The following examples shows how to disable fast-convergence. DellEMC#(conf-router_ospf-1)#no fast-converge DellEMC#(conf-router_ospf-1)#ex DellEMC#(conf)#ex DellEMC##show ip ospf 1 Routing Process ospf 1 with ID 192.168.67.
• Change the priority of the interface, which is used to determine the Designated Router for the OSPF broadcast network. CONFIG-INTERFACE mode ip ospf priority number • – number: the range is from 0 to 255 (the default is 1). Change the retransmission interval between LSAs. CONFIG-INTERFACE mode ip ospf retransmit-interval seconds – seconds: the range is from 1 to 65535 (the default is 5 seconds). • The retransmit interval must be the same on all routers in the OSPF network.
• All neighboring routers must share password to exchange OSPF information. Set the authentication change wait time in seconds between 0 and 300 for the interface. CONFIG-INTERFACE mode ip ospf auth-change-wait-time seconds This setting is the amount of time OSPF has available to change its interface authentication type. When you configure the auth-change-wait-time, OSPF sends out only the old authentication scheme until the wait timer expires.
graceful-restart role [helper-only | restart-only] Dell EMC Networking OS supports the following options: • Helper-only: the OSPFv2 router supports graceful-restart only as a helper router. • Restart-only: the OSPFv2 router supports graceful-restart only during unplanned restarts. By default, OSPFv2 supports both restarting and helper roles. Selecting one or the other role restricts OSPFv2 to the single selected role.
Applying Prefix Lists To apply prefix lists to incoming or outgoing OSPF routes, use the following commands. • Apply a configured prefix list to incoming OSPF routes. CONFIG-ROUTEROSPF-id mode distribute-list prefix-list-name in [interface] • Assign a configured prefix list to outgoing OSPF routes. CONFIG-ROUTEROSPF-id distribute-list prefix-list-name out [connected | isis | rip | static] Redistributing Routes You can add routes from other routing instances or protocols to the OSPF process.
• Have you enabled OSPF globally? • Is the OSPF process active on the interface? • Are adjacencies established correctly? • Are the interfaces configured for Layer 3 correctly? • Is the router in the correct area type? • Have the routes been included in the OSPF database? • Have the OSPF routes been included in the routing table (not just the OSPF database)? Some useful troubleshooting commands are: • show interfaces • show protocols • debug IP OSPF events and/or packets • show neighbor
Example of Viewing OSPF Configuration DellEMC#show run ospf ! router ospf 4 router-id 4.4.4.4 network 4.4.4.0/28 area 1 ! ipv6 router ospf 999 default-information originate always router-id 10.10.10.10 DellEMC# Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI.
interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.0.23.0/24 area 0 ! interface Loopback 30 ip address 192.168.100.100/24 no shutdown ! interface TenGigabitEthernet 1/1/1/1 ip address 10.1.13.3/24 no shutdown ! interface TenGigabitEthernet 1/1/2/1 ip address 10.2.13.3/24 no shutdown OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.
3 No-summary – To act as totally stubby area — NSSA area can be converted intoa totally stubby area to reduce the number of Type-3 LSAs. Once it is configured, NSSA ABR will inject Type-3 LSAs into the NSSA area for default routes. The remaining Type-3 LSAs are not allowed inside this area. Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1 Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2 Bring up the interface.
– number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF. CONFIGURATION mode no ipv6 router ospf process-id • Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process Assigning OSPFv3 Process ID and Router ID to a VRF To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands. • Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
• Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed. ROUTER OSPFv3 auto-cost [reference-bandwidth ref-bw] To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [referencebandwidth ref-bw] command. – ref-bw: The range is from 1 to 4294967. The default is 100 megabits per second.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF Routing process IDs. To add redistributing routes, use the following command. • Specify which routes are redistributed into the OSPF process.
ROUTER OSPFv3 auto-cost [reference-bandwidth ref-bw] To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [referencebandwidth ref-bw] command. – ref-bw: The range is from 1 to 4294967. The default is 100 megabits per second. Enabling OSPFv3 Graceful Restart Follow the procedure in this section to configure graceful restart for OSPFv3.
Displaying Graceful Restart To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands. • Display the graceful-restart configuration for OSPFv2 and OSPFv3 (shown in the following example). EXEC Privilege mode • show run ospf Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example).
Inter Area Rtr LSA Count 0 Group Mem LSA Count 0 The following example shows the show ipv6 ospf database grace-lsa command. DellEMC#show ipv6 ospf database grace-lsa ! Type-11 Grace LSA (Area 0) LS Age Link State ID Advertising Router LS Seq Number Checksum Length Associated Interface Restart Interval Restart Reason : : : : : : : : : 10 6.16.192.66 100.1.1.
OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. • To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key} – null: causes an authentication policy configured for the area to not be inherited on the interface. – ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295. – MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). – key-encryption-type: (optional) specifies if the key is encrypted.
• • • Remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area. no ipv6 ospf encryption null Display the configuration of IPsec encryption policies on the router. show crypto ipsec policy Display the security associations set up for OSPFv3 interfaces in encryption policies.
The configuration of IPsec encryption on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area encryption policy that has been configured is applied to the interface. • Enable IPsec encryption for OSPFv3 packets in an area.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Examples of the show crypto ipsec Commands In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold). The following example shows the show crypto ipsec policy command.
outbound esp sas Interface: TenGigabitEthernet 1/1/2/1 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 The system provides several tool
EXEC Privilege mode show ipv6 ospf [vrf vrf-name] database • View the configuration of OSPFv3 neighbors. EXEC Privilege mode show ipv6 ospf [vrf vrf-name] neighbor • View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [vrf vrf-name] [event | packet] {type slot/port} – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the stack/slot/port/subport information.
Viewing the OSPFv3 MIB • To view the OSPFv3 MIB generated by the system, use the following command. snmpwalk -c ospf1 -v2c 10.16.133.129 1.3.6.1.2.1.191.1.1 SNMPv2-SMI::mib-2.191.1.1.1.0 = Gauge32: 336860180 SNMPv2-SMI::mib-2.191.1.1.2.0 = INTEGER: 1 SNMPv2-SMI::mib-2.191.1.1.3.0 = INTEGER: 3 SNMPv2-SMI::mib-2.191.1.1.4.0 = INTEGER: 1 SNMPv2-SMI::mib-2.191.1.1.5.0 = INTEGER: 2 SNMPv2-SMI::mib-2.191.1.1.6.0 = Gauge32: 0 SNMPv2-SMI::mib-2.191.1.1.7.0 = Gauge32: 0 SNMPv2-SMI::mib-2.191.1.1.8.
36 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Destination port • TCP Flags After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following: • Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next-hop. • If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
• Apply a Redirect-list to an Interface using a Redirect-group PBR Exceptions (Permit) To create an exception to a redirect list, use thepermit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries.
• number is the number in sequence to initiate this rule • ip-address is the Forwarding router’s address • tunnel is used to configure the tunnel settings • tunnel-id is used to redirect the traffic • track is used to track the object-id • track is to enable the tracking • FORMAT: A.B.C.
You can apply multiple rules to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in a redirect-list displays the correct method for applying multiple rules to one list. Example: Creating Multiple Rules for a Redirect-List DellEMC(conf)#ip redirect-list test DellEMC(conf-redirect-list)#seq 10 redirect 10.1.1.2 ip 20.1.1.0/24 any DellEMC(conf-redirect-list)#seq 15 redirect 10.1.1.3 ip 20.1.1.
Example: Applying a Redirect-list to an Interface DellEMC(conf-if-te-1/1/1/1)#ip redirect-group xyz DellEMC(conf-if-te-1/1/1/1)# Example: Applying a Redirect-list to an Interface DellEMC(conf-if-te-1/1/1/1)#ip redirect-group test DellEMC(conf-if-te-1/1/1/1)#ip redirect-group xyz DellEMC(conf-if-te-1/1/1/1)#show config ! interface TenGigabitEthernet 1/1/1/1 no ip address ip redirect-group test ip redirect-group xyz shutdown In addition to supporting multiple redirect-lists in a redirect-group, multiple redir
[up], Next-hop reachable (via Te /1/12/1) [up], Next-hop reachable (via Te 1/1/3/1) , Track 200 , Track 200 Use the show ip redirect-list (without the list name) to display all the redirect-lists configured on the device. DellEMC#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199 seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved seq 10 redirect 10.99.99.254 ip 192.168.2.
seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Nexthop reachable (via Vl 20) seq 20 redirect 42.1.1.2 track 3 udp any host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20) seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.
Apply the Redirect Rule to an Interface: DellEMC#configure terminal DellEMC(conf)#interface TenGigabitEthernet 2/28 DellEMC(conf-if-te-2/28)#ip redirect-group explicit_tunnel DellEMC(conf-if-te-2/28)#exit DellEMC(conf)#end Verify the Applied Redirect Rules: DellEMC#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information The following information is necessary for implementing PIM-SM.
Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1 After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
{ip | ipv6} multicast-routing [vrf vrf-name] Related Configuration Tasks The following are related PIM-SM configuration tasks. • Configuring S,G Expiry Timers • Configuring a Static Rendezvous Point • Configuring a Designated Router • Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1 Enable IPv4 or IPv6 multicast routing on the system. CONFIGURATION mode {ip | ipv6} multicast-routing [vrf vrf-name] 2 Enable PIM-Sparse mode.
To display PIM neighbors for each interface, use the show {ip | ipv6} pim neighbor [detail] command EXEC Privilege mode. Following is an example of show ip pim neighbor command output: DellEMC#show Neighbor Address 127.87.5.5 127.87.3.5 127.87.50.
hundredGigE 1/11/1 hundredGigE 1/12/1 hundredGigE 1/13/1 Configuring S,G Expiry Timers You can configure a global expiry time (for all [S,G] entries). By default, [S,G] entries expire in 210 seconds. When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes. To configure a global expiry time, use the following command. Enable global expiry timer for S, G entries.
no shutdown DellEMC#show running-configuration pim ! ipv6 pim rp-address 2111:dddd:0eee::22/64 group-address 2111:dddd:0eee::22/128 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
router with the greatest priority value is the DR. If the priority value is the same for two routers, then the router with the greatest IPv4 or IPv6 address is the DR. By default, the DR priority value is 192, so the IP address determines the DR. • Assign a DR priority value. INTERFACE mode {ip | ipv6} pim dr-priority priority-value • Change the interval at which a router sends hello messages. INTERFACE mode {ip | ipv6} pim query-interval seconds • Display the current value of these parameter.
Mode Count Intvl Prio Hu 1/3/1 v2/S 1 30 1 Address : fe80::201:e8ff:fe02:140f DR : this router Hu 1/11/1 v2/S 0 30 1 Address : fe80::201:e8ff:fe02:1417 DR : this router Dell# Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
ipv6 pim bsr-candidate 2 Enter the following IPv4 or IPv6 command to make a PIM router a RP candidate: CONFIGURATION ip pim rp-candidate ipv6 pim rp-candidate 3 Display IPv4 or IPv6 Bootstrap Router information. EXEC Privilege show ip pim bsr-router Example: DellEMC# show ip pim bsr-router PIMv2 Bootstrap information This system is the Bootstrap Router (v2) BSR address: 7.7.7.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
2 Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1 Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2 Enter the ip pim ssm-range command and specify the ACL you created.
Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.
Some routers within the domain are configured to be C-RPs. Other routers are configured to be Bootstrap Router candidates (C-BSRs); one router is elected the BSR for the domain and the BSR is responsible for forwarding BSM containing RP-set information to other routers. The RP election process is as follows: 1 C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR.
BSR address: 200::1 (?) BSR Priority: 0, Hash mask length: 126 Expires: 00:01:43 This system is a candidate BSR Candidate BSR address: 100::1, priority: 0, hash mask length: 126 Next Cand_RP_advertisement in 00:00:25 RP: 100::1(Lo 0) DellEMC# Enabling RP to Server Specific Multicast Groups When you configure an RP candidate, its advertisement is sent to the entire multicast address range and the group-to-RP mapping is advertised for the entire range of multicast address.
39 Port Monitoring Port monitoring (also referred to as mirroring ) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
• Single MD can be monitored on max. of 4 MG ports. Port Monitoring Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session.
destination TeGig 11/6/2 direction tx, if the MD port TenGig 11/6/1 is an untagged member of any VLAN, all monitored frames that the MG port TeGig 11/6/2 receives are tagged with the VLAN ID of the MD port. Similarly, if BPDUs are transmitted, the MG port receives them tagged with the VLAN ID 4095. This behavior might result in a difference between the number of egress packets on the MD port and monitored packets on the MG port.
DellEMC(conf)#do show monitor session SessID Source Destination Dir Gre-Protocol FcMonitor ------ ---------------------------- --------0 Te 1/1/1/1 Te 1/1/1/2 rx A N/A No 0 Po 10 Te 1/1/1/2 rx A N/A No 1 Vl 40 Te 1/1/1/3 rx A N/A No Mode Source IP Dest IP DSCP TTL Drop Rate ---- --------- -------- ---- --- ---- ---- Port 0.0.0.0 0.0.0.0 0 0 No N/ Port 0.0.0.0 0.0.0.0 0 0 No N/ Flow 0.0.0.0 0.0.0.0 0 0 No N/ NOTE: Source as VLAN is achieved via Flow based mirroring.
EXEC Privilege mode show run monitor session DellEMC#show run monitor session ! monitor multicast-queue 7 DellEMC# Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface. It is available for Layer 3 ingress and known unicast egress traffic. You can specify the traffic that needs to be monitored using standard or extended access-lists.
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] [log [threshold-in-msgs count]] [monitor] If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function. You cannot apply the same ACL to an interface or a monitoring session context simultaneously.
NOTE: Flow-based monitoring is supported for known unicast egress traffic. 1 Create a monitoring session. CONFIGURATION mode monitor session session-id 2 Enable flow-based monitoring for a monitoring session. MONITOR SESSION mode flow-based enable 3 Specify the source and destination port and direction of traffic. MONITOR SESSION mode source source—port destination destination-port direction rx 4 Define IP access-list rules that include the monitor keyword.
DellEMC(conf)#do show monitor session 0 SessionID Source Destination Direction Mode Drop Rate Gre-Protocol FcMonitor --------- ------------------------ ------- ---- ----------- --------0 Te 1/1/1/1 Te 1/1/2/1 rx interface No N/A N/A yes Source IP Dest IP DSCP TTL --------- -------- ---- --- 0.0.0.0 0.0.0.0 0 0 The following is sample configuration for flow-based mirroring with ACLs applied to monitor sessions.
Enabling IPv6 Flow-Based Monitoring To enable IPv6 flow-based mirroring, use ipv6 access-group access-list-name command under monitor session. You can apply a new IPv6 ACL in a monitor session, when an ACL is already applied. If so, the new ACL will replace the old and overwrite it. 1 Create a monitoring session. CONFIGURATION mode monitor session session-id 2 Enable flow-based monitoring for a monitoring session.
The following show cam-acl output displays the CAM region ipv4udfmirracl configured for IPv6 flow-based mirroring with ACL.
Remote Port Mirroring Example Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles. Each source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle with a blue border).
• You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions. • BPDU monitoring is not required to use remote port mirroring.
• By default, ingress traffic on a destination port is dropped. Restrictions When you configure remote port mirroring, the following restrictions apply: • You can configure the same source port to be used in multiple source sessions. • You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
Configuring the Sample Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches). Table 70. Configuration Steps for RPM Step Command Purpose 1 configure terminal Enter global configuration mode.
Monitor Session 3 DellEMC(conf)#inte te 1/1/3/1 DellEMC(conf-if-te-1/30)#no shutdown DellEMC(conf-if-te-1/30)#switchport DellEMC(conf-if-te-1/30)#exit DellEMC(conf)#interface vlan 30 DellEMC(conf-if-vl-30)#mode remote-port-mirroring DellEMC(conf-if-vl-30)#tagged te 1/1/3/1 DellEMC(conf-if-vl-30)#exit DellEMC(conf)#interface port-channel 10 DellEMC(conf-if-po-10)#channel-member te 1/1/8/1 - 1/1/8/2 DellEMC(conf-if-po-10)#no shutdown DellEMC(conf-if-po-10)#exit DellEMC(conf)#monitor session 3 type rpm DellEMC
DellEMC(conf)#monitor session 2 type rpm DellEMC(conf-mon-sess-2)#source remote-vlan 20 destination te 1/5/1 DellEMC(conf-mon-sess-2)#tagged destination te 1/5/1 DellEMC(conf-mon-sess-2)#exit DellEMC(conf)#monitor session 3 type rpm DellEMC(conf-mon-sess-3)#source remote-vlan 30 destination te 1/6/1 DellEMC(conf-mon-sess-3)#tagged destination te 1/6/1 DellEMC(conf-mon-sess-3)#end DellEMC# DellEMC#show monitor session SessID Source Destination Dir Mode Source IP ------ ------------------ ---- --------1 remot
Encapsulated Remote Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. NOTE: When configuring ERPM, follow these guidelines • The Dell EMC Networking OS supports ERPM source session only. Encapsulated packets terminate at the destination IP address or at the analyzer.
Step Command Purpose 6 no disable Enter the no disable command to enable the ERPM session. The following example shows an ERPM configuration: DellEMC(conf)#monitor session 0 type erpm DellEMC(conf-mon-sess-0)#source tengigabitethernet 1/1/1/1 direction rx DellEMC(conf-mon-sess-0)#source port-channel 1 direction tx DellEMC(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.
ERPM Behavior on a typical Dell EMC Networking OS The Dell EMC Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. Figure 106.
– Some tools support options to edit the capture file. We can make use of such features (for example: editcap ) and chop the ERPM header part and save it to a new trace file. This new file (i.e. the original mirrored packet) can be converted back into stream and fed to any egress interface. b Using Python script – Either have a Linux server's ethernet port ip as the ERPM destination ip or connect the ingress interface of the server to the ERPM MirrorToPort.
To mitigate this issue, the L2 VLT egress mask drops the duplicate packets that egress out of the VLT port. If the LAG status of the peer VLT device is OPER-UP, then the other VLT peer blocks the transmission of packets received through VLTi to its port or LAG. As a result, the destination port on the device to which the packet analyzer is connected does not receive duplicate mirrored packets.
Scenario RPM Restriction Recommended Solution Mirroring Orphan Ports across VLT Devices — In this scenario, an orphan port on the primary VLT device is mirrored to another orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device. No restrictions apply to the RPM session. The following example shows the configuration on the primary VLT device:source orphan port destination remote vlan direction rx/tx/both.
40 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• Display primary-secondary VLAN mapping. EXEC mode or EXEC Privilege mode show vlan private-vlan mapping • Set the PVLAN mode of the selected port. INTERFACE switchport mode private-vlan {host | promiscuous | trunk} NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs. NOTE: The outputs of the show arp and show vlan commands provide PVLAN data.
The following example shows the switchport mode private-vlan command on a port and on a port channel.
6 (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs. INTERFACE VLAN mode ip local-proxy-arp NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped. Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN.
3 Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4 Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 107. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: • Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
In parallel, on S4810: • Te 1/3 is a promiscuous port and Te 1/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. • Te 1/4-6 are host ports. Te 1/4 and Te 1/5 are assigned to the community VLAN 4001, while Te 1/6 is assigned to the isolated VLAN 4003. The result is that: • The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
The following example shows using the show vlan private-vlan mapping command. S50-1#show vlan private-vlan mapping Private Vlan: Primary : 4000 Isolated : 4003 Community : 4001 NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column. The following example shows viewing the VLAN status.
41 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Table 73. Spanning Tree Variations Dell EMC Networking OS Supports Dell EMC Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.
no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode disable • Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 109. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/1/1/1 Port 375 (TenGigabitEthernet 1/1/2/1) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
Figure 110. PVST+ with Extend System ID • Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id Example of Viewing the Extend System ID in a PVST+ Configuration DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/1/2 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/1/2 no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 Example of PVST+ Configuration (R2) interface TenGigabitEthernet 1/1/1/1 no ip address switchport no shutdown ! interface TenGigabitEthernet 1/1/2/1 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 1/1/1/1,1/1/2/1 no shutdown ! interf
protocol spanning-tree pvst no disable vlan 300 bridge-priority 4096 Per-VLAN Spanning Tree Plus (PVST+) 753
42 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 75.
Feature Direction Create Policy Maps Ingress + Egress Create Input Policy Maps Ingress Honor DSCP Values on Ingress Packets Ingress Honoring dot1p Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 111.
• Policy-Based QoS Configurations • Enabling QoS Rate Adjustment • Enabling Strict-Priority Queueing • Queue Classification Requirements for PFC Functionality • Support for marking dot1p value in L3 Input Qos Policy • Weighted Random Early Detection • Pre-Calculating Available QoS CAM Space • Specifying Policy-Based Rate Shaping in Packets Per Second • Configuring Policy-Based Rate Shaping • Configuring Weights and ECN for WRED • Configuring WRED and ECN Attributes • Guidelines for Co
dot1p Queue Number 2 2 3 3 4 4 5 5 6 6 7 7 • Change the priority of incoming traffic on the interface.
Configuring Port-Based Rate Policing If the interface is a member of a VLAN, you may specify the VLAN for which ingress packets are policed. • Rate policing ingress traffic on an interface. INTERFACE mode rate police Example of the rate police Command The following example shows configuring rate policing.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 112. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map. 1 Create a match-any class map. CONFIGURATION mode class-map match-any 2 Create a match-all class map. CONFIGURATION mode class-map match-all 3 Specify your match criteria. CLASS MAP mode [seq sequence number] match {ip | ipv6 | ip-any} After you create a class-map, Dell EMC Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL.
Creating a Layer 2 Class Map All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.. Use Step 1 or Step 2 to start creating a Layer 2 class map. 1 Create a match-any class map. CONFIGURATION mode class-map match-any 2 Create a match-all class map.
Displaying Configured Class Maps and Match Criteria To display all class-maps or a specific class map, use the following command. Dell EMC Networking OS Behavior: An explicit “deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. In the following example, traffic is classified in two Queues, 1 and 2. Class-map ClassAF1 is “match any,” and ClassAF2 is “match all”.
Dot1p to Queue Mapping Requirement The dot1p to queue mapping on the system is global and this is used to configure the PRIO2COS table configuration. For DSCP based PFC feature on untagged packets, this mapping must be the same as the default dot1p to queue mapping and should not be changed (as in TABLE 1). If a custom dot1p to queue mapping is present it should be reconfigured to the default dot1p to queue mapping.
Creating an Input QoS Policy To create an input QoS policy, use the following steps. 1 Create a Layer 3 input QoS policy. CONFIGURATION mode qos-policy-input Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command.
Configuring Policy-Based Rate Shaping To configure policy-based rate shaping, use the following command. • Configure rate shape egress traffic. QOS-POLICY-OUT mode rate-shape Allocating Bandwidth to Queue The switch schedules packets for egress based on Deficit Round Robin (DRR). This strategy offers a guaranteed data rate. Allocate bandwidth to queues only in terms of percentage in 4-queue and 8-queue systems. The following table shows the default bandwidth percentage for each queue.
DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration. This sections consists of the following topics: • Creating a DSCP Color Map • Displaying Color Maps • Display Color Map Configuration Creating a DSCP Color Map You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence , and set the DSCP values to 9,10,11,13,15,16 DellEMC(conf)# qos dscp-color-map bat-enclave-map DellEMC(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16 DellEMC(conf-dscp-color-map)# exit Assign the color map, bat-enclave-map to the interface. Displaying DSCP Color Maps To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode. Examples for Creating a DSCP Color Map Display all DSCP color maps.
Create Policy Maps There are two types of policy maps: input and output. Creating Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1 Create a Layer 3 input policy map. CONFIGURATION mode policy-map-input Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command.
Table 78.
• All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally. • Layer 2 or Layer 3 service policies supersede dot1p service classes. • Create service classes. INTERFACE mode service-class dynamic dot1p Guaranteeing Bandwidth to dot1p-Based Service Queues To guarantee bandwidth to dot1p-based service queues, use the following command.
Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. • Apply an output QoS policy to queues. INTERFACE mode service-queue Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. • Specify an aggregate QoS policy. POLICY-MAP-OUT mode policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command.
For example, to include the Preamble and SFD, type qos-rate-adjust 8. For variable length overhead fields, know the number of bytes you want to include. The default is disabled. Enabling Strict-Priority Queueing In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command.
it is possible to mark both DSCP and Dot1p simultaneously in the L3 Input Qos Policy. You are expected to mark the Dot1p priority when the ingress packets are untagged but go out to the peer as tagged NOTE: L2 qos-policy behavior will be retained and would not be changed, that is we would not allow to set both DSCP and Dot1p in the L2 Input Qos Policy. Example case: Consider that two switches A and B are connected back to back via a tagged interface.
Figure 113. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Enabling and Disabling WRED Globally By default, WRED is enabled on the system. You can disable or reenable WRED manually using a single command. Follow these steps to disable or enable WRED in Dell EMC Networking OS.
Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic Dell EMC Networking OS should apply the profile. Dell EMC Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on it DSCP value before queuing it. DSCP is a 6–bit field. Dell EMC Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence. • DP values of 110 and 100, 101 map to yellow; all other values map to green.
show qos statistics egress-queue Example of show qos statistics egress-queue Command DellEMC#show qos statistics egress-queue tengigabitethernet 1/4/1/2 Interface Te 1/4/1/2 Unicast/Multicast Egress Queue Statistics Queue# Q# Type TxPkts TxPkts/s TxBytes TxBytes/s DroppedPkts DroppedPkts/s DroppedBytes DroppedBytes/s --------------------------------------------------------------------------------------------------------------------------0 UCAST 0 0 0 0 0 0 0 0 1 UCAST 0 0 0 0 0 0 0 0 2 UCAST 0 0 0 0 0 0 0 0
NOTE: The show cam-usage command provides much of the same information as the test cam-usage command, but whether a policy-map can be successfully applied to an interface cannot be determined without first measuring how many CAM entries the policy-map would consume; the test cam-usage command is useful because it provides this measurement. • Verify that there are enough available CAM entries.
DellEMC(config-qos-policy-out)# rate shape pps peak-rate burst-packets 2 Alternatively, configure the peak rate and peak burst size in bytes. QOS-POLICY-OUT mode DellEMC(config-qos-policy-out)# rate shape Kbps peak-rate burst-KB 3 Configure the committed rate and committed burst size in pps. QOS-POLICY-OUT mode DellEMC(config-qos-policy-out)# rate shape pps peak-rate burst-packets committed pps committed-rate burst-packets 4 Alternatively, configure the committed rate and committed burst size in bytes.
Global Service Pools With WRED and ECN Settings Support for global service pools is now available. You can configure global service pools that are shared buffer pools accessed by multiple queues when the minimum guaranteed buffers for the queue are consumed. Two service pools are used– one for loss-based queues and the other for lossless (priority-based flow control (PFC)) queues. You can enable WRED and ECN configuration on the global service-pools.
Configuring WRED and ECN Attributes The functionality to configure a weight factor for the WRED and ECN functionality for backplane ports is supported on the platform. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion. Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
• Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support Policer based coloring and this feature concurrently. • If single rate two color policer is configured along with this feature, then by default all packets less than PIR would be considered as “Green” But ‘Green’ packets matching the specific match criteria for which ‘color-marking’ is configured will be over-written and marked as “Yellow”.
3 Attach the policy-map to the interface. Dell EMC Networking OS support different types of match qualifiers to classify the incoming traffic. Match qualifiers can be directly configured in the class-map command or it can be specified through one or more ACL which in turn specifies the combination of match qualifiers. Until Release 9.3(0.0), support is available for classifying traffic based on the 6-bit DSCP field of the IPv4 packet.
By default, all packets are considered as ‘green’ (without the rate-policer and trust-diffserve configuration) and hence support would be provided to mark the packets as ‘yellow’ alone will be provided. By default Dell EMC Networking OS drops all the ‘RED’ or ‘violate’ packets.
seq 5 permit any dscp 50 ecn 1 seq 10 permit any dscp 50 ecn 2 seq 15 permit any dscp 50 ecn 3 ! ip access-list standard dscp_40_ecn seq 5 permit any dscp 40 ecn 1 seq 10 permit any dscp 40 ecn 2 seq 15 permit any dscp 40 ecn 3 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40_ecn ! class-map m
Managing Hardware Buffer Statistics The memory management unit (MMU) is 12.2 MB in size. It contains approximately 60,000 cells, each of which is 208 bytes in size. MMU also has another portion of 3 MB allocated to it. The entire MMU space is shared across a maximum of 104 logical ports to support the egress admission-control functionality to implement scheduling and shaping on per-port and per-queue levels.
Enable this utility to be able to configure the parameters for buffer statistics tracking. By default, buffer statistics tracking is disabled. 3 Use show hardware buffer-stats-snapshot resource interface interface{priority-group { id | all } | queue { ucast{id | all}{ mcast {id | all} | all} to view buffer statistics tracking resource information for a specific interface.
43 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Implementation Information Dell EMC Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell EMC Networking OS. Table 81.
Enabling RIP Globally By default, RIP is not enabled in Dell EMC Networking OS. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process on Dell EMC Networking OS. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4 192.162.3.0/24 auto-summary DellEMC#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49 160.160.0.0/16 auto-summary 2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 2.0.0.0/8 auto-summary 4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 4.0.0.0/8 auto-summary 8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49 8.0.0.0/8 auto-summary 12.0.0.
neighbor ip-address • You can use this command multiple times to exchange RIP information with as many RIP networks as you want. Disable a specific interface from sending or receiving RIP routing information. ROUTER RIP mode passive-interface interface Assigning a Prefix List to RIP Routes Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes.
– map-name: the name of a configured route map. To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Setting the Send and Receive Version To change the RIP version globally or on an interface in Dell EMC Networking OS, use the following command. To specify the RIP version, use the version command in ROUTER RIP mode.
– always: Enter the keyword always to always generate a default route. – value The range is from 1 to 16. – route-map-name: The name of a configured route map. To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode. Summarize Routes Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks.
– interface: the type, slot, and number of an interface. To view the configuration changes, use the show config command in ROUTER RIP mode. Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command. • debug ip rip [interface | database | events | trigger] EXEC privilege mode Enable debugging of RIP.
RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Example of Configuring RIPv2 on Core 2 Core2(conf-if-te-1/1/2/1)# Core2(conf-if-te-1/1/2/1)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------C 10.11.10.0/24 Direct, Te 2/11/1 0/0 00:02:26 C 10.11.20.0/24 Direct, Te 2/3/1 0/0 00:02:02 R 10.11.30.0/24 via 10.11.20.1, Te 1/1/1/1 120/1 00:01:20 C 10.200.10.0/24 Direct, Te 2/4/1 0/0 00:03:03 C 10.300.10.0/24 Direct, Te 2/5/1 0/0 00:02:42 R 192.168.1.0/24 via 10.11.20.1, Te 1/1/1/1 120/1 00:01:20 R 192.168.2.0/24 via 10.11.20.1, Te 1/1/1/1 120/1 00:01:20 Core2# R 192.168.1.0/24 via 10.11.20.
Core 3 RIP Output The examples in this section show the core 2 RIP output. • To display Core 3 RIP database, use the show ip rip database command. • To display Core 3 RIP setup, use the show ip route command. • To display Core 3 RIP activity, use the show ip protocols command. Examples of the show ip Commands to View Learned RIP Routes on Core 3 The following example shows the show ip rip database command to view the learned RIP routes on Core 3.
Default version control: receive Interface Recv Send TenGigabitEthernet 1/1/1/1 2 TenGigabitEthernet 1/1/1/2 2 TenGigabitEthernet 1/1/1/3 2 TenGigabitEthernet 1/1/1/4 2 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 version 2, send version 2 2 2 2 2 Routing Information Sources: Gateway Distance Last Update 10.11.20.
ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
44 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table. – log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or logand-trap. Default is no log.
[no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
45 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanningtree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.
• Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell EMC Networking recommends limiting the range to five ports and 40 VLANs.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands.
Figure 115. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. DellEMC#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.379, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 5 The port is not in the Edge port mode Port 380 (TenGigabitEthernet 1/1/5/1) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.380 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
The following table displays the default values for RSTP. Table 83.
The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively. snmp-server enable traps xstp Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values.
snmp-server enable traps xstp Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535.
Example of Verifying an EdgePort is Enabled on an Interface To verify that EdgePort is enabled on a port, use the show spanning-tree rstp command from EXEC privilege mode or the show config command from INTERFACE mode. NOTE: Dell EMC Networking recommends using the show config command from INTERFACE mode. In the following example, the bold line indicates that the interface is in EdgePort mode.
46 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
47 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
• Monitoring AAA Accounting (optional) Enabling AAA Accounting The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command. • Enable AAA accounting and create a record for monitoring the accounting function.
Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
NOTE: If a console user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server if the privilege level is configured for that user in RADIUS, whether you configure RADIUS authorization. Configuration Task List for AAA Authentication The following sections provide the configuration tasks.
login authentication {method-list-name | default} To view the configuration, use the show config command in LINE mode or the show running-config in EXEC Privilege mode. NOTE: Dell EMC Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH). You can create multiple method lists and assign them to different terminal lines.
The following example shows enabling local authentication for console and remote authentication for the VTY lines. DellEMC(config)# aaa authentication enable mymethodlist radius tacacs DellEMC(config)# line vty 0 9 DellEMC(config-line-vty)# enable authentication mymethodlist Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
Obscuring Passwords and Keys By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS, TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed.
After you configure other privilege levels, enter those levels by adding the level parameter after the enable command or by configuring a user name or password that corresponds to the privilege level. For more information about configuring user names, refer to Configuring a Username and Password. By default, commands in Dell EMC Networking OS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level.
Configuring the Enable Password Command To configure Dell EMC Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell EMC Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
• 2 Secret: Specify the secret for the user. Configure a password for privilege level. CONFIGURATION mode enable password [level level] [encryption-mode] password Configure the optional and required parameters: • level level: specify a level from 0 to 15. Level 15 includes all levels. • encryption-type: enter 0 for plain text or 7 for encrypted text. • password: enter a string up to 32 characters long. To change only the password for the enable command, configure only the password parameter.
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmpserver commands. apollo% telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'.
EXEC Privilege mode enable or enable privilege-level • If you do not enter a privilege level, Dell EMC Networking OS sets it to 15 by default. Move to a lower privilege level. EXEC Privilege mode disable level-number – level-number: The level-number you wish to set. If you enter disable without a level-number, your security level is 1. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following happens: • The administrator changes the idle-time of the line on which the user has logged in.
• Monitoring RADIUS (optional) For a complete listing of all Dell EMC Networking OS commands related to RADIUS, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide. NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication. However, if you have configured RADIUS authorization and have not configured authentication, a message is logged stating this.
Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the RADIUS server host.
• Configure the number of times Dell EMC Networking OS retransmits RADIUS requests. CONFIGURATION mode radius-server retransmit retries • – retries: the range is from 0 to 100. Default is 3 retries. Configure the time interval the system waits for a RADIUS server host response. CONFIGURATION mode radius-server timeout seconds – seconds: the range is from 0 to 1000. Default is 5 seconds.
Disconnect Messages Using the Disconnect Messages, the NAS can disconnect AAA and dot1x sessions. NAS can disconnect AAA sessions using either username or a combination of the username and session id. NAS can disconnect dot1x sessions using NAS-port, or calling-station ID, or both. The disconnect messages constitue one message request (DM request) and one of the following two possible responses: • Disconnect Acknowledgement (DM-Ack) - If the session is disconnected successfully, then NAS sends a DM-Ack.
Attribute code Attribute Description • • • • t=26(vendor-speific);l=length;vendor-identification-attribute;Length=value;data=”cmd=disable-hostport” t=26(vendor-speific);l=length;vendor-identification-attribute;Length=value;data=”cmd=bounce-hostport” t=26(vendor-speific);l=length;vendor-identification-attribute;Length=value;data=”cmd=terminatesession” t=26(vendor-speific);l=length;vendor-identification-attribute;Length=value;data=”cmd=disconnectuser” The vendor identification attribute can be one of the
Radius Attribute code Radius Attribute Description Mandatory 5 NAS-Port Port on which session is terminated Yes t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=bounce-host-port” Yes Description Mandatory Authorization Attributes 26 Vendor-Specific Table 91. CoA EAP/MAB Bounce Port Radius Attribute code Radius Attribute NAS Identification Attributes 4 NAS-IP-Address IPv4 address of the NAS. No 95 NAS-IPv6–Address IPv6 address of the NAS.
Radius Attribute code Radius Attribute Description Mandatory - AAA user name 5 NAS-Port Port on which session is terminated No t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=disconnect-user” Yes Authorization Attributes 26 Vendor-Specific Error-cause Values It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason.
CoA Packet Processing This section lists various actions that the NAS performs during CoA packet processing. The following activities are performed by NAS: • responds with CoA-Nak, if no matching session is found for the session identification attributes in CoA; Error-Cause value is “Session Context Not Found” (503). • responds with CoA-Nak, for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
– 16 Zero Octets – Request Attributes – Shared secret (based on the source IP address of the packet) • discards the packets, if the message-authenticator received in the request is invalid. The message-authenticator is calculated using the following fields: – Code Type – Identifier – Length – Request Authenticator – Attributes Disconnect Message Processing This section lists various actions that the NAS performs during DM processing.
The range for the port number value that you can specify is from 1 to 65535. Dell(conf-dynamic-auth#)port 2000 Configuring shared key You can configure a global shared key for the dynamic authorization clients (DACs).
When DAC initiates a port bounce operation, the NAS server causes the links on the authentication port to flap. This incident in turn triggers re-negotiation on one of the ports that is flapped. 1 Enter the following command to configure the dynamic authorization feature: radius dynamic-auth 2 Enter the following command to configure port-bounce setttings on a 802.1x enabled port: coa-bounce-port NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds.
• sends a CoA-Nak with an error-cause value of 506 (resource unavailable), if it is unable to initiate the re-authentication process. • sends a CoA-Nak if user authentication fails due to unresponsive supplicant or RADIUS server. • sends a CoA-Ack, if the user is configured with static MAB profile. • discards the packet, if simultaneous requests are received for the same calling-station-id or NAS-port or both.
To initiate shutting down of the 802.1x enabled port, the DAC sends a standard CoA request that contains one or more session identification attributes. NAS uses the NAS-port attributes to identify the 802.1x enabled physical port. 1 Enter the following command to configure the dynamic authorization feature: radius dynamic-auth 2 Enter the following command to disable the 802.1x enabled physical port: coa-disable-port NAS administratively shuts down the 802.1x enabled port that is hosting the session.
Configuring replay protection NAS enables you to configure the replay protection window period. NAS drops the packets if duplicate packets are received within replay protection window period. The default value is 5 minutes. Enter the following command to configure replay protection: replay-prot-window minutes NAS considers the new replay protection window value from next window period. The range is from 1 to 10 minutes. The default is 5 minutes.
For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide. Choosing TACACS+ as the Authentication Method One of the login authentication methods available is TACACS+ and the user’s name and password are sent for authentication to the TACACS hosts specified.
aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+ aaa accounting commands 15 default start-stop tacacs+ DellEMC(conf)# DellEMC(conf)#do show run tacacs+ ! tacacs-server key 7 d05206c308f4d35b tacacs-server host 10.10.10.10 timeout 1 DellEMC(conf)#tacacs-server key angeline DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on vty0 (10.11.9.
Specifying a TACACS+ Server Host To specify a TACACS+ server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the TACACS+ server host. CONFIGURATION mode tacacs-server host {hostname | ip-address} [port port-number] [timeout seconds] [key key] Configure the optional communication parameters for the specific host: – port port-number: the range is from 0 to 65535. Enter a TCP port number. The default is 49.
Protection from TCP Tiny and Overlapping Fragment Attacks Tiny and overlapping fragment attack is a class of attack where configured ACL entries — denying TCP port-specific traffic — is bypassed and traffic is sent to its destination although denied by the ACL. RFC 1858 and 3128 proposes a countermeasure to the problem. This countermeasure is configured into the line cards and enabled by default.
Using SCP with SSH to Copy a Software Image To use secure copy (SCP) to copy a software image through an SSH connection from one switch to another, use the following commands. 1 On Switch 1, set the SSH port number ( port 22 by default). CONFIGURATION MODE ip ssh server port number 2 On Switch 1, enable SSH. CONFIGURATION MODE copy ssh server enable 3 On Switch 2, invoke SCP.
Removing the RSA Host Keys and Zeroizing Storage Use the crypto key zeroize rsa command to delete the host key pairs, both the public and private key information for RSA 1 and or RSA 2 types. Note that when FIPS mode is enabled there is no RSA 1 key pair. Any memory currently holding these keys is zeroized (written over with zeroes) and the NVRAM location where the keys are stored for persistence across reboots is also zeroized.
• diffie-hellman-group1-sha1 • diffie-hellman-group14-sha1 When FIPS is enabled, the default is diffie-hellman-group14-sha1. Example of Configuring a Key Exchange Algorithm The following example shows you how to configure a key exchange algorithm.
The following ciphers are available. • 3des-cbc • aes128-cbc • aes192-cbc • aes256-cbc • aes128-ctr • aes192-ctr • aes256-ctr The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. Example of Configuring a Cipher List The following example shows you how to configure a cipher list.
CONFIGURATION mode ip ssh password-authentication enable Example of Enabling SSH Password Authentication To view your SSH configuration, use the show ip ssh command from EXEC Privilege mode. DellEMC(conf)#ip ssh server enable DellEMC(conf)#ip ssh password-authentication enable DellEMC# show ip ssh SSH server : enabled. SSH server version : v2. SSH server vrf : default. SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192ctr,aes256-ctr.
Configuring Host-Based SSH Authentication Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands. 1 Configure RSA Authentication. Refer to Using RSA Authentication of SSH. 2 Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file. cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts Refer to the first example.
Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command. • SSH from the chassis to the SSH client. ssh ip_address Example of Client-Based SSH Authentication DellEMC#ssh 10.16.127.
Authentication Method VTY access-class support? Username access-class support? Remote authorization support? RADIUS YES NO YES (with version 6.1.1.0 and later) provides several ways to configure access classes for VTY lines, including: • VTY Line Local Authentication and Authorization • VTY Line Remote Authentication and Authorization VTY Line Local Authentication and Authorization retrieves the access class from the local database. To use this feature: 1 Create a username.
Example of Configuring VTY Authorization Based on Access Class Retrieved from the Line (Per Network Address) DellEMC(conf)#ip access-list standard deny10 DellEMC(conf-ext-nacl)#permit 10.0.0.0/8 DellEMC(conf-ext-nacl)#deny any DellEMC(conf)# DellEMC(conf)#aaa authentication login tacacsmethod tacacs+ DellEMC(conf)#tacacs-server host 256.1.1.
• Configuring TACACS+ and RADIUS VSA Attributes for RBAC • Displaying User Roles • Displaying Accounting for User Roles • Displaying Information About Roles Logged into the Switch • Display Role Permissions Assigned to a Command Overview of RBAC With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID.
2 Configure login authentication on the console. This ensures that all users are properly identified through authentication no matter the access point. If you do not configure login authentication on the console, the system displays an error when you attempt to enable role-based only AAA authorization. 3 Specify an authentication method list—RADIUS, TACACS+, or Local. You must specify at least local authentication.
• System Administrator (sysadmin). This role has full access to all the commands in the system, exclusive access to commands that manipulate the file system formatting, and access to the system shell. This role can also create user IDs and user roles. The following summarizes the modes that the predefined user roles can access.
The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions. Create a new user role, myrole and inherit security administrator permissions. DellEMC(conf)#userrole myrole inherit secadmin Verify that the user role, myrole, has inherited the security administrator permissions. The output highlighted in bold indicates that the user role has successfully inherited the security administrator permissions.
The following example allows the security administrator (secadmin) to configure the spanning tree protocol. Note command is protocol spanning-tree. DellEMC(conf)#role configure addrole secadmin protocol spanning-tree Example: Allow Security Administrator to Access Interface Mode The following example allows the security administrator (secadmin) to access Interface mode.
The following example resets only the secadmin role to its original setting. DellEMC(conf)#no role configure addrole secadmin protocol Example: Reset System-Defined Roles and Roles that Inherit Permissions In the following example the command protocol permissions are reset to their original setting or one or more of the system-defined roles and any roles that inherited permissions from them.
To configure AAA authentication, use the aaa authentication command in CONFIGURATION mode. aaa authentication login {method-list-name | default} method [… method4] Configure AAA Authorization for Roles Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those commands.
authorization exec ucraaa accounting commands role netadmin line vty 4 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 5 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 6 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 7 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 8 login authentication ucraaa authorization exe
In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch to associate it with this AV pair. Force10-avpair= ”shell:role=myrole“ The string, “myrole”, is associated with a TACACS+ user group. The user IDs are associated with the user group. Role Accounting This section describes how to configure role accounting and how to display active sessions for roles.
Display Information About User Roles This section describes how to display information about user roles and consists of the following topics: • • • Displaying User Roles Displaying Information About Roles Logged into the Switch Displaying Active Accounting Sessions for Roles Displaying User Roles To display user roles using the show userrole command in EXEC Privilege mode, use the show userroles and show users commands in EXEC privilege mode.
0 console 0 *3 vty 1 4 vty 2 admin sec1 ml1 sysadmin secadmin netadmin 15 14 12 idle idle idle 172.31.1.4 172.31.1.5 Two Factor Authentication (2FA) Two factor authentication also known as 2FA, strengthens the login security by providing one time password (OTP) in addition to username and password. 2FA supports RADIUS authentications with Console, Telnet, and SSHv2. To perform 2FA, follow these steps: • When the Network access server (NAS) prompts for the username and password, provide the inputs.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96. SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1sha1,diffie-hellman-group14-sha1. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. Challenge Response Auth : enabled. Vty Encryption HMAC Remote IP 2 aes128-cbc hmac-md5 10.16.127.141 4 aes128-cbc hmac-md5 10.16.127.141 * 5 aes128-cbc hmac-md5 10.16.127.
ICMPv4 message types IP header bad (12) Timestamp request (13) Timestamp reply (14) Information request (15) Information reply (16) Address mask request (17) Address mask reply (18) NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8). Table 97.
SSH Lockout Settings The system has a SSH protection mechanism which, by default, allows 10 login attempts (success or failure) per minute. After the 10th attempt, the system blocks the user login for one minute (since the first login attempt) before allowing the next set of login attempts. With Dell EMC Networking OS version 9.11(0.0), the SSH protection mechanism has been enhanced to allow 60 login attempts (success or failure) per minute.
You can get the hash value for your hashing algorithm from the Dell EMC iSupport page. You can use the MD5, SHA1, or SHA256 hash and the Dell EMC Networking OS automatically detects the type of hash. NOTE: The verified boot hash command is only applicable for OS images in the local file system. 3 Save the configuration.
The system continues to display a message stating that startup configuration verification failed. You can disable the startup configuration feature either by disabling startup configuration verification or save the running configuration to the startup configuration and update the hash for the startup configuration.
– A minimum of one numeric character (0 to 9) – A minimum of one special character including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~") DellEMC)# show running-config | g root root-access password 7 f4dc0cb9787722dd1084d17f417f164cc7f730d4f03d4f0215294cbd899614e3 Locking Access to GRUB Interface You can configure the Dell EMC Networking OS to lock the GRUB interface using a password. If you configure a GRUB password, the system prompts for the password when you try to access the GRUB interface.
Enter the duration in minutes.
48 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 116. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
3 Enabling VLAN-Stacking for a VLAN. Related Configuration Tasks • Configuring the Protocol Type Value for the Outer VLAN Tag • Configuring Dell EMC Networking OS Options for Trunk Ports • Debugging VLAN Stacking • VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands. • Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stackingenabled VLAN are marked with an M in column Q.
interface TenGigabitEthernet 1/1/1/1 no ip address portmode hybrid switchport vlan-stack trunk shutdown DellEMC(conf-if-te-1/1/1/1)#interface vlan 100 DellEMC(conf-if-vl-100)#untagged tengigabitethernet 1/1/1/1 DellEMC(conf-if-vl-100)#interface vlan 101 DellEMC(conf-if-vl-101)#tagged tengigabitethernet 1/1/1/1 DellEMC(conf-if-vl-101)#interface vlan 103 DellEMC(conf-if-vl-103)#vlan-stack compatible DellEMC(conf-if-vl-103-stack)#member tengigabitethernet 1/1/1/1 DellEMC(conf-if-vl-103-stack)#do show vlan Code
If the next-hop system’s TPID does not match the outer-tag TPID of the incoming frame, the system drops the frame. For example, as shown in the following, the frame originating from Building A is tagged VLAN RED, and then double-tagged VLAN PURPLE on egress at R4. The TPID on the outer tag is 0x9100. R2’s TPID must also be 0x9100, and it is, so R2 forwards the frame.
Figure 117.
Figure 118.
Figure 119. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 98. Drop Eligibility Behavior Ingress Egress DEI Disabled DEI Enabled Normal Port Normal Port Retain CFI Set CFI to 0. Trunk Port Trunk Port Retain inner tag CFI Retain inner tag CFI. Retain outer tag CFI Set outer tag CFI to 0. Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0 Access Port Trunk Port To enable drop eligibility globally, use the following command. • Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
NOTE: The ability to map incoming C-Tag dot1p to any S-Tag dot1p requires installing up to eight entries in the Layer 2 QoS and Layer 2 ACL table for each configured customer VLAN. The scalability of this feature is limited by the impact of the 1:8 expansion in these content addressable memory (CAM) tables.
• vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. This method requires twice as many CAM entries as vman-qos and FP blocks in multiples of 2. The default is: 0 FP blocks for vman-qos and vman-qos-dual-fp. 2 The new CAM configuration is stored in NVRAM and takes effect only after a save and reload. EXEC Privilege mode copy running-config startup-config 3 Reload the system. reload 4 Map C-Tag dot1p values to a S-Tag dot1p value.
Figure 121. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 122. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile 2 Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3 Tunnel BPDUs the VLAN. INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
49 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
hardware sampling rate is backed-off from 512 to 1024. Note that port 1 maintains its sampling rate of 16384; port 1 is unaffected because it maintains its configured sampling rate of 16384.: • If the interface states are up and the sampling rate is not configured on the port, the default sampling rate is calculated based on the line speed. • If the interface states are shut down, the sampling rate is set using the global sampling rate.
Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 20 Global default extended maximum header size: 128 bytes Global extended information enabled: switch 1 collectors configured Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.
Example of the show sflow command when the sflow max-header-size extended is configured globally Example of viewing the sflow max-header-size extended on an Interface Mode Example of the show running-config sflow Command sFlow Show Commands Dell EMC Networking OS includes the following sFlow display commands. • • • Displaying Show sFlow Globally Displaying Show sFlow on an Interface Displaying Show sFlow on a Line Card Displaying Show sFlow Global To view sFlow statistics, use the following command.
Configured sampling rate Actual sampling rate Counter polling interval Extended max header size Samples rcvd from h/w :16384 :16384 :20 :128 :0 The following example shows the show running-config interface command.
CONFIGURATION mode or INTERFACE mode sflow polling-interval interval value – interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds. Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces.
0 sFlow samples collected stack-unit 1 Port set 0 Hu 1/2/1: configured rate 131072, actual rate 131072 DellEMC# If you did not enable any extended information, the show output displays the following (shown in bold).
IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description BGP BGP Exported Exported Extended gateway data is packed.
50 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Manage VLANs using SNMP • Managing Overload on Startup • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Example of Deriving the Interface Index Number • Monitoring BGP sessions via SNMP • Monitor Port-Channels • Troubleshooting SNMP Operation • Transceiver Monitoring • Configuring SNMP context name Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements.
Table 100.
• Reading Managed Object Values • Writing Managed Object Values • Subscribing to Managed Object Value Updates using SNMP • Copying Configuration Files via SNMP • Manage VLANs Using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-channels Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications.
! snmp-server community mycommunity ro Setting Up User-Based Security (SNMPv3) When setting up SNMPv3, you can set users up with one of the following three types of configuration for SNMP read/write operations. Users are typically associated to an SNMP group with permissions provided, such as OID view. • • • noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration.
Select a User-based Security Type DellEMC(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ? auth Use the SNMPv3 authNoPriv Security Level noauth Use the SNMPv3 noAuthNoPriv Security Level priv Use the SNMPv3 authPriv Security Level DellEMC(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 noauth ? WORD SNMPv3 user name Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent.
Example of Writing the Value of a Managed Object > snmpset -v 2c -c mycommunity 10.11.131.161 sysName.0 s "R5" SNMPv2-MIB::sysName.0 = STRING: R5 Configuring Contact and Location Information using SNMP You may configure system contact and location information from the Dell EMC Networking system or from the management station using SNMP. To configure system contact and location information from the Dell EMC Networking system and from the management station using SNMP, use the following commands.
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighbborLoss. • Dell EMC Networking enterpriseSpecific environment traps — fan, supply, and temperature. • Dell EMC Networking enterpriseSpecific protocol traps — bgp, ecfm, stp, and xstp. To configure the system to send SNMP notifications, use the following commands. 1 Configure the Dell EMC Networking system to send notifications to an SNMP server.
Example of Dell EMC Networking Enterprise-specific SNMP Traps Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to send an SNMP trap if an audit processing failure occurs due to loss of connectivity with the syslog server. If a connectivity failure occurs on a syslog server that is configured for reliable transmission, an SNMP trap is sent and a message is displayed on the console.
Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client. • copy the running-config file to the startup-config file • copy configuration files from the Dell EMC Networking system to a server • copy configuration files from a server to the Dell EMC Networking system You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object OID Object Values Description copyDestFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 1 = flash Specifies the location of destination file. 2 = slot0 • 3 = tftp 4 = ftp If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. 5 = scp copyDestFileName .1.3.6.1.4.1.6027.3.5.1.1.1.1.7 Path (if the file is not in the default directory) and filename. Specifies the name of destination file. copyServerAddress .1.3.6.1.4.1.6027.3.5.1.1.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index i object-value. To view more information, use the following options in the snmpset command. • -c: View the community, either public or private. • -m: View the MIB files for the SNMP command. • -r: Number of retries using the option • -t: View the timeout. • -v: View the SNMP version (either 1, 2, 2c, or 3). The following examples show the snmpset command to copy a configuration.
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3) FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2) The following example shows how to copy configuration files from a UNIX machine using OID. >snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.
Copy a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP, use the following command. • Copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/ filename copyDestFileType.
MIB Object OID Values Description copy. The state is set to active when the copy is completed. Obtaining a Value for MIB Objects To obtain a value for any of the MIB objects, use the following command. • Get a copy-config MIB object value. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mibobject.index] index: the index value used in the snmpset command used to complete the copy operation. NOTE: You can use the entire OID rather than the object name.
Viewing the Reason for Last System Reboot Using SNMP • To view the reason for last system reboot using SNMP, you can use any one of the applicable SNMP commands: The following example shows a sample output of the snmpwalk command to view the last reset reason. [DellEMC ~]$ snmpwalk -c public -v 2c 10.16.133.172 1.3.6.1.4.1.6027.3.26.1.4.3.1.7 DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.stack.1.1 = STRING: Reboot by Software DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.stack.2.
MIB Support for 25G, 40G, 50G, 100G Optical Transceiver or DAC cable IDPROM user info Dell EMC Networking provides MIB objects to display the information for 25G, 40G, 50G, 100G Optical Transceiver or DAC cable IDPROM. The following table lists the related MIB objects, OID and description for the same: Table 106. MIB Objects to Display support for 25G, 40G, 50G, 100G Optical Transceiver or DAC cable IDPROM user info MIB Object OID Description dellNetIfTransceiverData 1.3.6.1.4.1.6027.3.11.1.
DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransTransmitPowerLane2.2112517 = "" DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransTransmitPowerLane3.2112517 = "" DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransTransmitPowerLane4.2112517 = "" DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransReceivePowerLane1.2112517 = STRING: "-1.433315" dBm DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransReceivePowerLane2.2112517 = STRING: "0.051805" dBm DELL-NETWORKING-IF-EXTENSION-MIB::dellNetIfTransReceivePowerLane3.
MIB Object OID Description chSysCoresFileName 1.3.6.1.4.1.6027.3.10.1.2.10.1.2 Contains the core file names and the file paths. chSysCoresTimeCreated 1.3.6.1.4.1.6027.3.10.1.2.10.1.3 Contains the time at which core files are created. chSysCoresStackUnitNumber 1.3.6.1.4.1.6027.3.10.1.2.10.1.4 Contains information that includes which stack unit or processor the core file was originated from. chSysCoresProcess 1.3.6.1.4.1.6027.3.10.1.2.10.1.
Table 109. MIB Objects to Display the Information for PFC Storm Control MIB Object OID Description dellNetFpPfcStormControl 1.3.6.1.4.1.6027.3.27.1.21 Index for the table. dellNetFpPfcStormControlStatus 1.3.6.1.4.1.6027.3.27.1.21.1 Storm control status. dellNetFpPfcStormControlStatusTable 1.3.6.1.4.1.6027.3.27.1.21.1.1 Table to show counters of Pfc StormControl on per port per priority basis. dellNetFpPfcStormControlStatusEntry 1.3.6.1.4.1.6027.3.27.1.21.1.1.
SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097157.5 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097157.6 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097413.5 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097413.6 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097669.5 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097669.6 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097925.5 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.3.2097925.6 SNMPv2-SMI::enterprises.6027.3.27.1.21.1.1.1.4.2097157.
Table 110. MIB Objects to Display the Information for PFC no-drop-priority L2Dlf Drop MIB Object OID Description dellNetFpPfcL2DlfDropCounterTable 1.3.6.1.4.1.6027.3.27.1.22 Table to show the drop counters of pfcnodrop-priority l2-dlf drop. dellNetFpPfcL2DlfDropCounterEntry 1.3.6.1.4.1.6027.3.27.1.22.1 Table entry to show the drop counters of pfc-nodrop-priority l2-dlf drop. dellNetFpPfcL2DlfDropCounters 1.3.6.1.4.1.6027.3.27.1.22.1.
SNMPv2-SMI::enterprises.6027.3.27.1.23.1.3.1.1.3 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.3.1.1.4 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.4.1.1.1 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.4.1.1.2 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.4.1.1.3 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.4.1.1.4 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.5.1.1.1 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.5.1.1.2 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.5.1.1.3 SNMPv2-SMI::enterprises.6027.3.27.1.23.1.5.1.1.
• 33997973 is the count of green packet-drops (Green Drops). • 329629607 is the count of yellow packet-drops (Yellow Drops). • 31997973 is the count of red packet-drops (Out of Profile Drops). MIB Support to Display the Available Partitions on Flash Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk.
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.2.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.2.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 .1.3.6.1.4.1.6027.3.
MIB Support to ECMP Group Count Dell EMC Networking OS provides MIB objects to display the information of the ECMP group count information. The following table lists the related MIB objects: Table 116. MIB Objects to display ECMP Group Count MIB Object OID Description dellNetInetCidrECMPGrpMax 1.3.6.1.4.1.6027.3.9.1.6 Total CAM for ECMP group. dellNetInetCidrECMPGrpUsed 1.3.6.1.4.1.6027.3.9.1.7 Used CAM for ECMP group. dellNetInetCidrECMPGrpAvl 1.3.6.1.4.1.6027.3.9.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.0.24.0.0.0.0 = "" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = "" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.20.1.1.0.24.0.0.0.0 = "" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.20.1.1.1.32.1.4.20.1.1.1.1.4.20.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.100.100.100.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.0.24.0.0.0.0 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.1.32.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.10.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.20.1.1.0.24.0.0.0.0 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.
dellNetFpIngPortSTPnotFwdDrops 1.3.6.1.4.1.6027.3.27.1.3.1.3 Packets dropped due to Spanning Tree State not in forwarding state. dellNetFpIngIPv4L3Discards 1.3.6.1.4.1.6027.3.27.1.3.1.4 IPv4 L3 Discards dellNetFpIngPolicyDiscards 1.3.6.1.4.1.6027.3.27.1.3.1.5 Packet dropped due to policy discards. dellNetFpIngPacketsDroppedByDELLNETFP 1.3.6.1.4.1.6027.3.27.1.3.1.6 Packets dropped by forwarding plane. dellNetFpIngL2L3Drops 1.3.6.1.4.1.6027.3.27.1.3.1.7 L2 L3 packets dropped.
dellNetFpWredOutOfProfileDrops 1.3.6.1.4.1.6027.3.27.1.3.1.31 Wred Out-Of-Profile Drops Counter. Viewing the FEC BER Details • To view the FEC BER details using SNMP, use the following command: ~ $ snmpwalk -c public -v 2c 10.16.210.151 1.3.6.1.4.1.6027.3.27.1.3.1.25 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.25.2097166 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.25.2097678 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.25.2098180 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.25.2098308 SNMPv2-SMI::enterprises.6027.3.27.1.
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2103310 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2103822 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2104334 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2104846 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2105358 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2105870 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2106382 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2106894 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.2107406 SNMPv2-SMI::enterprises.6027.3.27.1.3.1.26.
MIB Support for entAliasMappingTable Dell EMC Networking provides a method to map the physical interface to its corresponding ifindex value. The entAliasMappingTable table contains zero or more rows, representing the logical entity mapping and physical component to external MIB identifiers. The following table lists the related MIB objects: Table 118. MIB Objects for entAliasMappingTable MIB Object OID Description entAliasMappingTable 1.3.6.1.2.1.47.1.3.
MIB Object OID Description dot3adAgg 1.2.840.10006.300.43.1.1 dot3adAggTable 1.2.840.10006.300.43.1.1.1 Contains information about every Aggregator that is associated with a system. dot3adAggEntry 1.2.840.10006.300.43.1.1.1.1 Contains a list of Aggregator parameters and indexed by the ifIndex of the Aggregator. dot3adAggMACAddress 1.2.840.10006.300.43.1.1.1.1.1 Contains a six octet read–only value carrying the individual MAC address assigned to the Aggregator. dot3adAggActorSystemPriority 1.
MIB Object OID Description dot3adAggPortListPorts 1.2.840.10006.300.43.1.1.2.1.1 Contains a complete set of ports currently associated with the Aggregator. Viewing the LAG MIB • To view the LAG MIB generated by the system, use the following command. snmpbulkget -v 2c -c LagMIB 10.16.148.157 1.2.840.10006.300.43.1.1.1.1.1 iso.2.840.10006.300.43.1.1.1.1.1.1258356224 iso.2.840.10006.300.43.1.1.1.1.1.1258356736 iso.2.840.10006.300.43.1.1.1.1.2.1258356224 iso.2.840.10006.300.43.1.1.1.1.2.1258356736 iso.2.
iso.0.8802.1.1.2.1.4.1.1.6.0.3161605.2 = INTEGER: 5 iso.0.8802.1.1.2.1.4.1.1.6.0.4209668.6 = INTEGER: 5 iso.0.8802.1.1.2.1.4.1.1.6.0.4210181.2 = INTEGER: 5 iso.0.8802.1.1.2.1.4.1.1.6.0.9437185.2 = INTEGER: 5 iso.0.8802.1.1.2.1.4.1.1.7.0.2113029.2 = STRING: "fortyGigE 1/50" iso.0.8802.1.1.2.1.4.1.1.7.0.3161092.6 = STRING: "TenGigabitEthernEt 0/39" iso.0.8802.1.1.2.1.4.1.1.7.0.3161605.2 = STRING: "fortyGigE 1/49" iso.0.8802.1.1.2.1.4.1.1.7.0.4209668.6 = STRING: "TenGigabitEthernEt 0/40" iso.0.8802.1.1.2.1.4.
Viewing the Details of Organizational Specific Unrecognized LLDP TLVs • To view the information of organizational specific unrecognized LLDP TLVs using SNMP, use the following commands. snmpwalk -v2c -c public 10.16.150.83 1.0.8802.1.1.2.1.4.4.1.4 iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.1.133 iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.2.134 iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.3.135 iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.4.136 iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.5.
The following table shows the MIB objects of the table dellNetPortSecIfConfigTable. The OID of the MIB table is 1.3.6.1.4.1.6027.3.31.1.2.1. Table 123. Interface level MIB Objects for Port Security MIB Object OID Access or Permission Description dellNetPortSecIfPortSecurityEna 1.3.6.1.4.1.6027.3.31.1.2.1.1.1 ble read-only Specifies if the port security feature is enabled or disabled on an interface. dellNetPortSecIfPortSecuritySta 1.3.6.1.4.1.6027.3.31.1.2.1.1.
snmpwalk -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.1.1.3. 2101252 SNMPv2-SMI::enterprises.6027.3.31.1.2.1.1.3. 2101252 = INTEGER: 10 MIB objects for configuring MAC addresses This section describes about the MIB objects dellNetPortSecSecureStaticMacAddrTable to configure and un-configure static MAC addresses in the system. The OID of this MIB table is 1.3.6.1.4.1.6027.3.31.1.2.2.
• VLAN ID Table 125. MIB Objects for configuring MAC addresses MIB Object OID Access or Permission Description dellNetSecureMacIfIndex 1.3.6.1.4.1.6027.3.31.1.3.1.1.3 read-only Shows in which interface the dellNetSecureMacAddress is configured or learnt. dellNetSecureMacAddrType 1.3.6.1.4.1.6027.3.31.1.3.1.1.4 read-only Indicates if the secure MAC address is configured as a static, dynamic, or sticky.
Viewing the CAM MIB • To view the CAM MIB generated by the system, use the following commands. snmpwalk -c public -v 2c 10.16.133.177 1.3.6.1.4.1.6027.3.7.1.1.3.1.12 SNMPv2-SMI::enterprises.6027.3.7.1.1.3.1.12.1.1.1 SNMPv2-SMI::enterprises.6027.3.7.1.1.3.1.12.1.1.2 SNMPv2-SMI::enterprises.6027.3.7.1.1.3.1.12.1.1.3 SNMPv2-SMI::enterprises.6027.3.7.1.1.3.1.12.1.1.4 = = = = INTEGER: INTEGER: INTEGER: INTEGER: 0 0 0 0 snmpwalk -c public -v 2c 10.16.133.177 1.3.6.1.4.1.6027.3.7.1.1.3.1.
snmp-server traps mac-notification – Trap messages are generated only for the new MAC and for the MAC that is learnt for the first time in the system. If same MAC is learnt on different vlan–ids, then the system does not generate trap messages. – If station–move is detected within 3 seconds, then the system generates station–move trap messages and beyond 3 seconds, you cannot see any SYSLOG messages in the system.
Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged. • To add a tagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts object. • To add an untagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts objects.
The following OIDs are configurable through the snmpset command. The node OID is 1.3.6.1.4.1.6027.3.18 F10-ISIS-MIB::f10IsisSysOloadSetOverload F10-ISIS-MIB::f10IsisSysOloadSetOloadOnStartupUntil F10-ISIS-MIB::f10IsisSysOloadWaitForBgp F10-ISIS-MIB::f10IsisSysOloadV6SetOverload F10-ISIS-MIB::f10IsisSysOloadV6SetOloadOnStartupUntil F10-ISIS-MIB::f10IsisSysOloadV6WaitForBgp To enable overload bit for IPv4 set 1.3.6.1.4.1.6027.3.18.1.1 and IPv6 set 1.3.6.1.4.1.6027.3.18.1.4 To set time to wait set 1.3.6.1.4.1.
Table 128. MIB Objects for Fetching Dynamic MAC Entries in the Forwarding Database MIB Object OID MIB Description dot1dTpFdbTable .1.3.6.1.2.1.17.4.3 Q-BRIDGE MIB List the learned unicast MAC addresses on the default VLAN. dot1qTpFdbTable .1.3.6.1.2.1.17.7.1.2. 2 Q-BRIDGE MIB List the learned unicast MAC addresses on non-default VLANs. dot3aCurAggFdb Table .1.3.6.1.4.1.6027.3.2. 1.1.5 F10-LINK-AGGREGATION -MIB List the learned MAC addresses of aggregated links (LAG).
Example of Deriving the Interface Index Number If you know the interface index, use the following commands to find the interface number. DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.2.2.1.2 | grep 2097156 IF-MIB::ifDescr.2097156 = STRING: TenGigabitEthernet 1/1 DellEMC ~ $ snmpwalk -v 2c -c public 10.16.206.127 .1.3.6.1.2.1.31.1.1.1.1 | grep 2097156 IF-MIB::ifName.2097156 = STRING: TenGigabitEthernet 1/1 You can use the show interfaces command to view the interface index.
2 • snmp-server context context1 • snmp-server context context2 • snmp mib community-map vrf1 context context1 • snmp mib community-map vrf1 context context2 Configure snmp context under the VRF instances. • sho run bgp • router bgp 100 • address-family ipv4 vrf vrf1 • snmp context context1 • neighbor 20.1.1.1 remote-as 200 • neighbor 20.1.1.1 no shutdown • exit-address-family • address-family ipv4 vrf vrf2 • snmp context context2 • timers bgp 30 90 • neighbor 30.1.1.
• • neighbor 30.1.1.1 no shutdown exit-address-family Example of SNMP Walk Output for BGP timer configured for vrf1 (SNMPv2c) snmpwalk -v 2c -c vrf1 10.16.131.125 1.3.6.1.4.1.6027.20.1.2.3 SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.1.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.2.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.1.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.2.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.
dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01 dot3aCurAggIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1 dot3aCurAggStatus SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1 << Status active, 2 – status inactive Example of Viewing Changed Interface State for Monitored Ports Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5.2113540 = STRING: "FINISAR CORP." SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6.2113540 = STRING: "FTLX8571D3BCL-FC" SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7.2113540 = STRING: "AL20L80" SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8.2113540 = STRING: "-2.293689" SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9.2113540 = "" SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.10.2113540 = "" SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.11.2113540 = "" SNMPv2-SMI::enterprises.6027.3.11.
• Verify SNMP context configuration. EXEC Privilege show running-config ospf Sample SNMP context configuration: DellEMC(conf-ipv6-router_ospf)#snmp context ospf1 DellEMC>show runnig-config ospf ! ipv6 router ospf 10 router-id 10.10.10.
51 Storm Control Storm control allows you to control unknown-unicast, muticast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, muticast, and broadcast control for Layer 2 and Layer 3 traffic. To view the storm control broadcast configuration show storm-control broadcast | multicast | unknown-unicast | pfc-llfc[interface] command.
• Configure storm control. • INTERFACE mode Configure the packets per second of broadcast traffic allowed on an interface (ingress only). INTERFACE mode storm-control broadcast packets_per_second in • Configure the packets per second of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only. INTERFACE mode storm-control multicast packets_per_second in • Shut down the port if it receives the PFC/LLFC packets more than the configured rate.
Detect PFC Storm The following section explains the procedure to detect the PFC storm. You can detect the PFC storm by polling the lossless queues in a port or priority periodically. When the queue depth is not equal to zero or when the queue has traffic after subsequent number of polling, then the port or priority is detected to have the PFC storm. • • • Use the polling—interval {interval in milli-seconds} command to set the polling interval. The queue traffic and egress counters are polled.
-------------------------------------------------------------------------------Te 0/0 3 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 Te 0/1 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 Te 0/2 3 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 Te 0/3 3 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 Te 0/4 3 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 Te 0/5 3 2 0 0 4 2 0 0 5 2 0 0 6 2 0 0 Te 0/80 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 DellEMC# 950 Storm Control
52 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
Configure Spanning Tree Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 123. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE switchport 3 Enable the interface.
Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. DellEMC(conf-if-te-1/1/1/1)#show config ! interface TenGigabitEthernet 1/1/1/1 no ip address switchport no shutdown DellEMC(conf-if-te-1/1/1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
no disable Examples of Verifying Spanning Tree Information To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
PROTOCOL SPANNING TREE mode hello-time seconds NOTE: With large configurations (especially those with more ports) Dell EMC Networking recommends increasing the hellotime. The range is from 1 to 10. • the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds.
Enabling PortFast The PortFast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. Interfaces forward frames by default until they receive a BPDU that indicates that they should behave otherwise; they do not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware. • When you remove a physical port from a port channel in the Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware). • You can clear the Error Disabled state with any of the following methods: – Perform a shutdown command on the interface.
Configured hello time 2, max age 20, forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ------------ -------- ---- ------- --- ------- -------------------Te 1/1/6/1 128.263 128 20000 FWD 20000 32768 0001.e805.fb07 128.653 Te 1/1/7/1 128.264 128 20000 EDS 20000 32768 0001.e85d.0e90 128.264 Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ------------ ------ -------- ---- ------- --- ---------------Te 1/1/6/1 Root 128.
Root Guard Scenario For example, as shown in the following illustration (STP topology 1, upper left) Switch A is the root bridge in the network core. Switch C functions as an access switch connected to an external device. The link between Switch C and Switch B is in a Blocking state. The flow of STP BPDUs is shown in the illustration. In STP topology 2 (shown in the upper right), STP is enabled on device D on which a software bridge application is started to connect to the network.
– Spanning Tree Protocol (STP) – Rapid Spanning Tree Protocol (RSTP) – Multiple Spanning Tree Protocol (MSTP) – Per-VLAN Spanning Tree Plus (PVST+) • When enabled on a port, root guard applies to all VLANs configured on the port. • You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure root guard on a port on which loop guard is already configured, the following error message displays: • % Error: LoopGuard is configured. Cannot configure RootGuard.
Example of Configuring all Spanning Tree Types to be Hitless DellEMC(conf)#redundancy protocol xstp DellEMC#show running-config redundancy ! redundancy protocol xstp DellEMC# STP Loop Guard The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault.
Figure 127. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard: • Loop guard is supported on any STP-enabled port or port-channel interface.
• Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it. For example, when Portfast BPDU guard and loop guard are both configured: – If a BPDU is received from a remote device, BPDU guard places the port in an Err-Disabled Blocking state and no traffic is forwarded on the port.
53 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 128.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer | core-transfer} start now DellEMC#support-assist activity full-transfer start now DellEMC#support-assist activity core-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity.
action-manifest remove DellEMC(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.json DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-event-transfer)#action-manifest remove custom_event_file1.json DellEMC(conf-supportassist-act-event-transfer)# 6 Enable a specific SupportAssist activity. By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
Configuring SupportAssist Person SupportAssist Person mode allows you to configure name, email addresses, phone, method and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands. 1 Configure the contact name for an individual.
[no] server server-name DellEMC(conf-supportassist)#server default DellEMC(conf-supportassist-serv-default)# 2 Configure a proxy for reaching the SupportAssist remote server. SUPPORTASSIST SERVER mode [no] proxy-ip-address {ipv4-address | ipv6-address}port port-number [ username userid password [encryption-type] password ] DellEMC(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.
show running-config support-assist DellEMC# show running-config support-assist ! support-assist enable all ! activity event-transfer enable action-manifest install default ! activity core-transfer enable ! contact-company name Dell street-address F lane , Sector 30 address city Brussels state HeadState country Belgium postalcode S328J3 ! contact-person first Fred last Nash email-address primary des@sed.com alternate sed@dol.
54 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell EMC Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell EMC Networking OS to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell EMC Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell EMC Networking system synchronizes.
Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell EMC Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
startup-configuration from an Dell EMC Networking OS version in which you have configured ntp authentication-key, the system cannot correctly decrypt the key and cannot authenticate the NTP packets. In this case, re-enter this command and save the runningconfig to the startup-config. To configure NTP authentication, use the following commands. 1 Enable NTP authentication. CONFIGURATION mode ntp authenticate 2 Set an authentication key.
Examples of Configuring and Viewing an NTP Configuration The following example shows configuring an NTP server. Dell EMC(conf)#show running-config ntp ! ntp master ntp server 10.16.127.44 ntp server 10.16.127.86 ntp server 10.16.127.144 Dell EMC (conf)# Dell EMC#show ntp associations remote vrf-Id ref clock st when poll reach delay offset disp ==================================================================================== LOCAL(0) 0 .LOCL. 7 7 16 7 0.000 0.000 0.002 10.16.127.86 0 10.16.127.
ntp authenticate ntp authentication-key 345 md5 5A60910F3D211F02 ntp server 11.1.1.1 version 3 ntp trusted-key 345 DellEMC# Configuring NTP control key password The Network Time Protocal daemon (NTPD) design uses NTPQ to configure NTPD. NTP control key supports encrypted and unencrypted password options. The ntp control-key- passwd command authenticates NTPQ packets.
Setting the Time and Date for the Switch Software Clock You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. To set the software clock, use the following command. • Set the system software clock to the current time and date.
Set Daylight Saving Time Dell EMC Networking OS supports setting the system to daylight saving time once or on a recurring basis every year. Setting Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. To set the clock for daylight savings time once, use the following command. • Set the clock to the appropriate timezone and daylight saving time.
– time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output. – start-week: (OPTIONAL) Enter one of the following as the week that daylight saving begins and then enter values for startday through end-time: ◦ week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time. ◦ first: Enter the keyword first to start daylight saving time in the first week of the month.
55 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
interface Tunnel 2 no ip address ipv6 address 2::1/64 tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): DellEMC(conf)#interface tunnel 3 DellEMC(conf-if-tu-3)#tunnel source 5::5 DellEMC(conf-if-tu-3)#tunnel destination 8::9 DellEMC(conf-if-tu-3)#tunnel mode ipv6 DellEMC(conf-if-tu-3)#ip address 3.1.1.
Configuring a Tunnel Interface You can configure the tunnel interface using the ip unnumbered and ipv6 unnumbered commands. To configure the tunnel interface to operate without a unique explicit IP or IPv6 address, select the interface from which the tunnel borrows its address. The following sample configuration shows how to use the interface tunnel configuration commands. DellEMC(conf-if-te-1/1/1/1)#show config ! interface TenGigabitEthernet 1/1/1/1 ip address 20.1.1.
Configuring Tunnel source anylocal Decapsulation The tunnel source anylocal command allows a multipoint receive-only tunnel to decapsulate tunnel packets addressed to any IPv4 or IPv6 (depending on the tunnel mode) address configured on the switch that is operationally UP. The source anylocal parameters can be used for packet decapsulation instead of the ip address or interface (tunnel allowremote command), but only on multipoint receive-only mode tunnels.
56 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 130. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 131. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
NOTE: Downstream interfaces in an uplink-state group are put into a Link-Down state with an UFD-Disabled error message only when all upstream interfaces in the group go down. To revert to the default setting, use the no downstream disable links command. 4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
Example of Syslog Messages Before and After Entering the clear ufd-disable uplink-state-group Command (S50) The following example message shows the Syslog messages that display when you clear the UFD-Disabled state from all disabled downstream interfaces in an uplink-state group by using the clear ufd-disable uplink-state-group group-id command. All downstream interfaces return to an operationally up state.
– For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information. – For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port/subport information. – For a port channel interface, enter the keywords port-channel then a number. • If a downstream interface in an uplink-state group is disabled (Oper Down state) by uplink-state tracking because an upstream port is down, the message error-disabled[UFD] displays in the output.
Sample Configuration: Uplink Failure Detection The following example shows a sample configuration of UFD on a switch/router in which you configure as follows. • Configure uplink-state group 3. • Configure two downstream links to be disabled if an upstream link fails. • Add upstream links Tengigabitethernet 1/3/1 and 1/4/1. • Add a text description for the group. • Verify the configuration with various show commands.
57 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
58 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode. CONFIGURATION mode interface vlan vlan-id To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. Example of Verifying a Port-Based VLAN To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T Ports Po1(So 0/0-1) Te 1/1/1 Po1(So 0/0-1) Te 1/2/1 DellEMC#config DellEMC(conf)#interface vlan 4 DellEMC(conf-if-vlan)#tagged po 1 DellEMC(conf-if-vlan)#show conf ! interface Vlan 4 no ip address tagged Port-channel 1 DellEMC(conf-if-vlan)#end DellEMC#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T 4 Active T Ports Po1(So 0/0-1) Te 1/1/1 Po1(So 0/0-1) Te 1/2/1
Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 Status Active Active 3 Active Q U T T T T Ports Te 1/1/2/1 Po1(So 0/0-1) Te 1/1/3/1 Po1(So 0/0-1) Te 1/1/1/1 4 Inactive DellEMC#conf DellEMC(conf)#interface vlan 4 DellEMC(conf-if-vlan)#untagged tengigabitethernet 1/1/2/1 DellEMC(conf-if-vlan)#show config ! interface Vlan 4 no ip address untagged TenGigabitEthernet 1/1/2/1 DellEMC(conf-if-vlan)#end DellEMC#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 3 4 Status Q Inactive Active T T Act
Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports. Physical and port-channel interfaces may be hybrid ports. Native VLAN is useful in deployments where a Layer 2 port can receive both tagged and untagged traffic on the same physical port. The classic example is connecting a voice-over-IP (VOIP) phone and a PC to the same port of the switch.
59 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
Figure 134. VLT providing multipath VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain.
Figure 135. Example of VLT Deployment VLT offers the following benefits: • Allows a single device to use a LAG across two upstream devices. • Eliminates STP-blocked ports. • Provides a loop-free topology. • Uses all available uplink bandwidth. • Provides fast convergence if either the link or a device fails. • Optimized forwarding with virtual router redundancy protocol (VRRP). • Provides link-level resiliency. • Assures high availability. • Active-Active load sharing with VRRP.
VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G, 25G, 40G, 50G, or 100G interfaces.
Layer-2 Traffic in VLT Domains In a VLT domain, the MAC address of any host connected to the VLT peers is synchronized between the VLT nodes. In the following example, VLAN 10 is spanned across three VLT domains. Figure 136. Layer-2 Traffic in VLT Domains If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2.
30 30 30 30 30 30 a0:00:a1:00:00:07 a0:00:a1:00:00:08 a0:00:a1:00:00:09 a0:00:a1:00:00:0a a0:00:a1:00:00:0b a0:00:a1:00:00:0c Dynamic Dynamic Dynamic Dynamic Dynamic Dynamic (N) Po 11 Active (N) Po 11 Active (N) Po 11 Active (N) Po 11 Active (N) Po 11 Active Po 11 Active VLT-10-PEER-2#show vlt statistics mac VLT MAC Statistics -------------------L2 Info Pkts sent:0, L2 Mac-sync Pkts Sent:7 L2 Info Pkts Rcvd:0, L2 Mac-sync Pkts Rcvd:9 L2 Reg Request sent:0 L2 Reg Request rcvd:0 L2 Reg Response sent:0 L2
Figure 137. VLT on Core Switches The aggregation layer is mostly in the L2/L3 switching/routing layer. For better resiliency in the aggregation, Dell EMC Networking recommends running the internal gateway protocol (IGP) on the VLTi VLAN to synchronize the L3 routing table across the two nodes on a VLT system. Enhanced VLT Enhanced VLT (eVLT)) refers to the ability to connect two VLT domains.
Figure 138. Enhanced VLT Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • • • • • • • • • • • You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur. VLT port channel interfaces must be switch ports. If you include RSTP on the system, configure it before VLT.
• BMP uses untagged dynamic host configuration protocol (DHCP) packets to communicate with the DHCP server. • o disable this feature on VLT and port channels, use no lacp ungroup member-independent {vlt | port-channel} command under the configuration mode. • When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
– A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. – A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. – Each VLT domain has a unique MAC address that you create or VLT creates automatically. – ARP tables are synchronized between the VLT peer nodes.
– If the size of the MTU for VLTi members is less than 1496 bytes, MAC addresses may not synchronize between VLT peers. Dell EMC Networking does not recommend using an MTU size lower than the default of 1554 bytes for VLTi members. • VLT backup link – In the backup link between peer switches, heartbeat messages are exchanged between the two chassis for health checks. The default time interval between heartbeat messages over the backup link is 1 second. You can configure this interval.
• Software features supported on VLT physical ports – In a VLT domain, the following software features are supported on VLT physical ports: 802.1p, LLDP, flow control, IPv6 dynamic routing, port monitoring, DHCP snooping, and jumbo frames. • Software features not supported with VLT – In a VLT domain, the following software features are not supported on VLT ports: 802.1x, GVRP, and BFD.
RSTP and VLT VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire layer 2 network, which can cause a network-wide flush of learned MAC and ARP addresses, requiring these addresses to be re-learned. However, enabling RSTP can detect potential loops caused by non-system issues such as cabling errors or incorrect configurations.
VLT IPv6 The following features have been enhanced to support IPv6: • VLT Sync — Entries learned on the VLT interface are synced on both VLT peers. • Non-VLT Sync — Entries learned on non-VLT interfaces are synced on both VLT peers. • Tunneling — Control information is associated with tunnel traffic so that the appropriate VLT peer can mirror the ingress port as the VLT interface rather than pointing to the VLT peer’s VLTi link.
Figure 139. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
Figure 140. Packets without peer routing enabled If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing. Figure 141. Packets with peer routing enabled Benefits of Peer Routing • • Avoids sub-optimal routing • Reduces latency by avoiding another hop in the traffic path.
• You can reduce the number of VLTi port channel members based on your specific design. With peer routing, you need not configure VRRP for the participating VLANs. As both VLT nodes act as a gateway for its peer, irrespective of the gateway IP address, the traffic flows upstream without any latency. There is no limitation for the number of VLANS. VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer.
The advantages of syncing the multicast routes between VLT peers are: • VLT resiliency — After a VLT link or peer failure, if the traffic hashes to the VLT peer, the traffic continues to be routed using multicast until the PIM protocol detects the failure and adjusts the multicast distribution tree. • Optimal routing — The VLT peer that receives the incoming traffic can directly route traffic to all downstream routers connected on VLT ports.
RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Configure RSTP on VLT peers to prevent forwarding loops—VLT peer 1 Dell_VLTpeer1(conf)#protocol spanning-tree rstp Dell_VLTpeer1(conf-rstp)#no disable Dell_VLTpeer1(conf-rstp)#bridge-priority 4096 Configure RSTP on VLT peers to prevent forwarding loops—VLT peer 2 Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 0 NOTE: When you remove the VLT configuration, RSTP is recommended as a backup solution to avoid spanning—tree loops.
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2 Remove any IP address from the interface if already present. INTERFACE PORT-CHANNEL mode no ip address 3 Add one or more port interfaces to the port channel.
You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 3 Configure the port channel to be used as the VLT interconnect between VLT peers in the domain. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 4 Enable peer routing. VLT DOMAIN CONFIGURATION mode peer-routing If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
4 Configure a VLT backup link using the IPv4 or IPv6 address of the VLT peer’s management interface. MANAGEMENT INTERFACE mode back-up destination {ip address ipv4-address/ mask | ipv6 address ipv6-address/ mask} 5 Repeat Steps 1 to 4 on the VLT peer switch. To set an amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time. For more information, refer to VLT Port Delayed Restoration.
Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 4 (Optional) When you create a VLT domain on a switch, Dell EMC Networking OS automatically assigns a unique unit ID (0 or 1) to each peer switch. VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} To explicitly configure the default values on each peer switch, use the unit-id command.
vlt-peer-lag port-channel id-number 7 Repeat Steps 1 to 6 on the VLT peer switch to configure the same port channel as part of the VLT domain. 8 On an attached switch or server: To connect to the VLT domain and add port channels to it, configure a port channel. For an example of how to verify the port-channel configuration, refer to VLT Sample Configuration.
vlt domain domain-id The range of domain IDs is from 1 to 1000. 4 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 5 Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
INTERFACE PORT-CHANNEL mode no shutdown 12 Add links to the eVLT port. Configure a range of interfaces to bulk configure. CONFIGURATION mode interface range {port-channel id} 13 Enable LACP on the LAN port. INTERFACE mode port-channel-protocol lacp 14 Configure the LACP port channel mode. INTERFACE mode port-channel number mode [active] 15 Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 16 Enable peer routing.
EXEC Privilege mode show running-config vlt 7 Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 1. EXEC mode or EXEC Privilege mode show interfaces interface 8 Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9 Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit.
Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit. In the following example, port Te 1/1/4/1 in VLT peer 1 is connected to Te 1/1/8/1 of ToR and port Te 1/1/5/1 in VLT peer 2 is connected to Te 1/1/3/1 of ToR. 1 Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the Top of Rack unit. 2 Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2.
Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Configure PVST+ on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree pvst Dell_VLTpeer2(conf-pvst)#no disable Dell_VLTpeer2(conf-pvst)#vlan 1000 bridge-priority 4096 Configure both ends of the VLT interconnect trunk with identical PVST+ configurations. When you enable VLT, the show spanningtree pvst brief command output displays VLT information.
Figure 142. Peer Routing Configuration Example Dell-1 Switch Configuration In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge. DellEMC#1#show run | find protocol protocol spanning-tree pvst no disable vlan 1,20,800,900 bridge-priority 0 The following output shows the existing VLANs.
The following is the configuration in interfaces: DellEMC#1#sh run int ma0/0 interface ManagementEthernet 0/0 description Used_for_VLT_Keepalive ip address 10.10.10.1/24 no shutdown (The management interfaces are part of a default VRF and are isolated from the switch’s data plane.) In Dell-1, te 0/0 and te 0/1 are used for VLTi.
Port channel 2 connects the access switch A1. DellEMC#1#sh run int po2 interface Port-channel 2 description port-channel_to_access_switch_A1 no ip address portmode hybrid switchport vlt-peer-lag port-channel 2 no shutdown Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized. DellEMC#1#sh run int vlan 20 interface Vlan 20 description OSPF PEERING VLAN ip address 192.168.20.
----------------Destination: Peer HeartBeat status: Destination VRF: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.10.10.2 Up default 1 3 34998 4 5 Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
Verify if peer routing has populated the CAM table with the correct information using the show cam mac command.
no ip address no shutdown The following example shows that te 0/0 and te 0/1 are included in port channel 10. Also note that configuration on the VLTi links does not contain the switchport command. Dell-2#sh run int po10 interface Port-channel 10 description VLTi Port-Channel no ip address channel-member TenGigabitEthernet 0/0-1 no shutdown Te 0/4 connects to the access switch A1.
tagged Port-channel 2 no shutdown The following output shows Dell-2 is configured with VLT domain 1. The peer-link port-channel command makes port channel 10 as the VLTi link. The peer-routing command enables peer routing between VLT peers in VLT domain 1. The IP address configured with the backupdestination command is the management IP address of the VLT peer (Dell-1). A priority value of 55000 makes Dell-2 as the secondary VLT peer.
network 192.168.8.0/24 area 0 network 192.168.9.0/24 area 0 network 172.16.1.0/24 area 0 network 192.168.20.0/29 area 0 passive-interface default no passive-interface vlan 20 While the passive-interface default command prevents all interfaces from establishing an OSPF neighborship, the no passive-interface vlan 20 command allows the interface for VLAN 20, the OSPF peering VLAN, to establish OSPF adjacencies. The following output displays that Dell-1 forms neighborship with Dell-2 and R1.
! interface Loopback4 ip address 4.4.4.2 255.255.255.0 R1#show run int port-channel 1 interface Port-channel1 switchport ip address 192.168.20.3 255.255.255.248 R1#show run | find router router ospf 1 router-id 172.15.1.1 passive-interface default no passive-interface Port-channel1 network 2.2.2.0 0.0.0.255 area 0 network 3.3.3.0 0.0.0.255 area 0 network 4.4.4.0 0.0.0.255 area 0 (The above subnets correspond to loopback interfaces lo2, lo3 and lo4.
This default route is configured for testing purposes, as described in the next section. The access switch (A1) is used to generate ICMP test PINGs to a loopback interface on CR1. This default route points to DellEMC#2’s VLAN 800 SVI interface. It’s in place to ensure that routed test traffic has DellEMC#2’s MAC address as the destination address in the Ethernet frame’s header When A1 sends a packet to R1, the VLT peers act as the default gateway for each other.
Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer1(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 1. Domain_1_Peer1(conf)#interface range tengigabitethernet 1/1/6/1 - 1/1/6/2 Domain_1_Peer1(conf-if-range-te-1/1/6/1-2)# port-channel-protocol LACP Domain_1_Peer1(conf-if-range-te-1/1/6/1-2)# port-channel 100 mode active Domain_1_Peer1(conf-if-range-te-1/1/6/1-2)# no shutdown Next, configure the VLT domain and VLTi on Peer 2.
Domain_1_Peer4#no shutdown Domain_2_Peer4(conf)#vlt domain 200 Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1 Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.12 Domain_2_Peer4(conf-vlt-domain)# system-mac mac-address 00:0b:00:0b:00:0b Domain_2_Peer4(conf-vlt-domain)# peer-routing Domain_2_Peer4(conf-vlt-domain)# unit-id 1 Configure eVLT on Peer 4.
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches. • Display information on backup link operation. EXEC mode • show vlt backup-link Display general status information about VLT domains currently configured on the switch.
----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.18 Up 1 3 34998 1026 1025 Dell_VLTpeer2# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.20 Up 1 3 34998 1030 1014 The following example shows the show vlt brief command.
Local System MAC address: 00:01:e8:8a:df:bc Local System Role Priority: 32768 Dell_VLTpeer2# show vlt role VLT Role ---------VLT Role: System MAC address: System Role Priority: Local System MAC address: Local System Role Priority: Secondary 00:01:e8:8a:df:bc 32768 00:01:e8:8a:df:e6 32768 The following example shows the show running-config vlt command. Dell_VLTpeer1# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.
Po 111 128.112 128 200000 DIS(vlt) Po 120 128.121 128 2000 FWD(vlt) 800 800 4096 4096 0001.e88a.d656 128.112 0001.e88a.d656 128.121 Dell_VLTpeer2# show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e88a.dff8 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 0, Address 0001.e88a.
Q: U - Untagged, T - Tagged x - Dot1x untagged, X - Dot1x tagged G - GVRP tagged, M - Vlan-stack, H - Hyperpull tagged NUM Status Description Q Ports 10 Active U Po110(Fo 1/8) T Po100(Fo 1/5,6) Configuring Virtual Link Trunking (VLT Peer 2) Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi). Dell_VLTpeer2(conf)#vlt domain 999 Dell_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.
Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information. NOTE: For information on VLT Failure mode timing and its impact, contact your Dell EMC Networking representative. Table 133. Troubleshooting VLT Description Behavior at Peer Up Behavior During Run Time Action to Take Bandwidth monitoring A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
Description Behavior at Peer Up Behavior During Run Time Action to Take information, refer to the Release Notes for this release. VLT LAG ID is not configured on one VLT peer A syslog error message is generated. The peer with the VLT configured remains active. A syslog error message is generated. The peer with the VLT configured remains active. Verify the VLT LAG ID is configured correctly on both VLT peers. VLT LAG ID mismatch The VLT port channel is brought down.
Keep the following points in mind when you configure VLT nodes in a PVLAN: • Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode. • You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port modes when you include the VLT LAG in a PVLAN. The VLT LAG settings must be the same on both the peers. If you configure a VLT LAG as a trunk port, you can associate that LAG to be a member of a normal VLAN or a PVLAN.
PVLAN Operations When One VLT Peer is Down When a VLT port moves to the Admin or Operationally Down state on only one of the VLT nodes, the VLT Lag is still considered to be up. All the PVLAN MAC entries that correspond to the operationally down VLT LAG are maintained as synchronized entries in the device. These MAC entries are removed when the peer VLT LAG also becomes inactive or a change in PVLAN configuration occurs.
Table 134.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 ICL VLAN Membership Mac Synchronization Peer1 Peer2 - Primary VLAN Y - Primary VLAN X No No Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN).
vlt domain domain-id The range of domain IDs is from 1 to 1000. 7 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 8 (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Proxy ARP Capability on VLT Peer Nodes The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for the other router in a VLT domain.
VLT nodes start performing Proxy ARP when the ICL link goes down. When the VLT peer comes up, proxy ARP stops for the peer VLT IP addresses. When the peer node is rebooted, the IP address synchronized with the peer is not flushed. Peer down events cause the proxy ARP to commence. When a VLT node detects peer up, it does not perform proxy ARP for the peer IP addresses. IP address synchronization occurs again between the VLT peers. Proxy ARP is enabled only if you enable peer routing on both the VLT peers.
Configuring VLAN-Stack over VLT To configure VLAN-stack over VLT, follow these steps. 1 Configure the VLT LAG as VLAN-Stack access or Trunk mode on both the peers. INTERFACE PORT-CHANNEL mode vlan-stack {access | trunk} 2 Configure VLAN as VLAN-stack compatible on both the peers. INTERFACE VLAN mode vlan-stack compatible 3 Add the VLT LAG as a member to the VLAN-stack on both the peers. INTERFACE VLAN mode member port-channel port—channel ID 4 Verify the VLAN-stack configurations.
DellEMC# DellEMC(conf)#interface port-channel 20 DellEMC(conf-if-po-20)#switchport DellEMC(conf-if-po-20)#vlt-peer-lag port-channel 20 DellEMC(conf-if-po-20)#vlan-stack trunk DellEMC(conf-if-po-20)#no shutdown DellEMC#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switchport vlan-stack trunk vlt-peer-lag port-channel 20 no shutdown DellEMC# Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as Members to the VLAN DellEMC(conf)#interface vlan 50 DellEMC(conf-
unit-id 1 DellEMC# Configure the VLT LAG as VLAN-Stack Access or Trunk Port DellEMC(conf)#interface port-channel 10 DellEMC(conf-if-po-10)#switchport DellEMC(conf-if-po-10)#vlt-peer-lag port-channel 10 DellEMC(conf-if-po-10)#vlan-stack access DellEMC(conf-if-po-10)#no shutdown DellEMC#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown DellEMC# DellEMC(conf)#interface port-channel 20 DellEMC(conf-if-po-
DellEMC# V Po1(Te 1/1/3-5/1) IPv6 Peer Routing in VLT Domains Overview VLT enables the physical links between two devices that are called VLT nodes or peers, and within a VLT domain, to be considered as a single logical link to external devices that are connected using LAG bundles to both the VLT peers. This capability enables redundancy without the implementation of Spanning tree protocol (STP), thereby providing a loop-free network with optimal bandwidth utilization.
Synchronization of IPv6 ND Entries in a Non-VLT Domain Layer 3 VLT provides a higher resiliency at the Layer 3 forwarding level. Routed VLT allows you to replace VRRP with routed VLT to route the traffic from Layer 2 access nodes. With ND synchronization, both the VLT nodes perform Layer 3 forwarding on behalf of each other. Synchronization of NDPM entries learned on non-VLT interfaces between the non-VLT nodes.
Figure 144. Sample Configuration of IPv6 Peer Routing in a VLT Domain Sample Configuration of IPv6 Peer Routing in a VLT Domain Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Figure 145. Sample Configuration of IPv6 Peer Routing in a VLT Domain Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL.
Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
Non-VLT host to Non-VLT host traffic flow When VLT node receives traffic from non-VLT host intended to the non-VLT host, it does neighbor entry lookup and routes traffic over ICL interface. If traffic reaches wrong VLT peer, it routes the traffic over ICL. Router Solicitation When VLT node receives router Solicitation on VLT interface/non-VLT interface it consumes the packets and will send RA back on the received interface. VLT node will drop the RS message if it is received over ICL interface.
Static VXLAN Configuration in a VLT setup Configuration steps are covered below: 1 Both Gateway VTEPs need VLT configured. • ICL port configuration interface Port-channel 1 no ip address channel-member TenGigabitEthernet 0/4-5 no shutdown • VLT Domain Configuration vlt domain 100 peer-link port-channel 1 back-up destination 10.11.70.
2 • VXLAN Instance Configuration vxlan-instance 1 static local-vtep-ip 14.14.14.14 no shutdown vni-profile test vnid 200 remote-vtep-ip 3.3.3.3 vni-profile test • VLT Access port configuration interface TengigabitEthernet 0/12 port-channel-protocol lacp port-channel 30 mode active interface Port-channel 30 no ip address vxlan-instance 1 switchport vlt-peer-lag port-channel 30 no shutdown Configure loopback interface and VXLAN instances on both the peers.
60 VLT Proxy Gateway The virtual link trucking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discover protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 146. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • Proxy gateway is supported only for VLT; for example, across a VLT domain. • You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• You cannot change the VLT LAG to a legacy LAG when it is part of proxy-gateway. • You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway. • Dell EMC Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links. • The virtual router redundancy (VRRP) protocol and IPv6 routing is not supported. • Private VLANs (PVLANs) are not supported.
• You must configure the interface proxy gateway LLDP to enable or disable a proxy-gateway LLDP TLV on specific interfaces. • The interface is typically a VLT port-channel that connects to a remote VLT domain. • The new proxy gateway TLV is carried on the physical links under the port channel only. • You must have at least one link connection to each unit of the VLT domain. Following are the prerequisites for Proxy Gateway LLDP configuration: • You must globally enable LLDP.
LLDP VLT Proxy Gateway in a Square VLT Topology Figure 147. Sample Configuration for a VLT Proxy Gateway • The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing.
• Any L3 packet, when it gets an L3 hit and is routed, it has a time to live (TTL) decrement as expected. • You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 148. VLT Proxy Gateway Sample Topology VLT Domain Configuration Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using a VLT LAG P0 50. To know how to configure the interfaces in VLT domains, see the Configuring VLT section. Dell-1 VLT Configuration vlt domain 120 peer-link port-channel 120 back-up destination 10.1.1.
switchport no spanning-tree vlt-peer-lag port-channel 50 no shutdown Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used. VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2. interface Vlan 100 description OSPF Peering VLAN to Dell-2 ip address 10.10.100.1/30 ip ospf network point-to-point no shutdown VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
The following output shows that Dell-1 forms OSPF neighborship with Dell-2. Dell-2#sh ip ospf nei Neighbor ID Pri State Dead Time Address Interface Area 4.4.4.4 1 FULL/ - 00:00:33 10.10.100.1 Vl 100 0 Dell-3 VLT Configuration vlt domain 110 peer-link port-channel 110 back-up destination 10.1.1.
The following output shows that Dell-4 and VLT domain 120 form OSPF neighborship with Dell-3. Dell-3#sh ip ospf nei ! Neighbor ID Pri State Dead Time Address Interface Area 4.4.4.4 1 FULL/ - 00:00:33 10.10.101.1 Vl 101 0 1.1.1.1 1 FULL/ - 00:00:34 10.10.102.2 Vl 102 0 Dell-4 VLT Configuration vlt domain 110 peer-link port-channel 110 back-up destination 10.1.1.
61 Virtual Extensible LAN (VXLAN) Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS. Overview The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology where in the data traffic from the virtualized servers is transparently transported over an existing legacy network. Figure 149. VXLAN Gateway NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
• VXLAN Service nodes for BFD • Static Virtual Extensible LAN (VXLAN) • Preserving 802.1 p value across VXLAN tunnels • VxLAN Scenario • Routing in and out of VXLAN tunnels • NSX Controller-based VXLAN for VLT Components of VXLAN network VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network and this overlay is termed as a VXLAN segment.
• Binds the Port and VLAN to logical networks based on messages from the NVP. • Binds MACs to the VTEP and logical network based on messages from the NVP. • Advertises MACs learnt on south-facing VXLAN capable-ports to the NVP client. VXLAN Hypervisor It is the VTEP that connects the Virtual Machines (VM) to the underlay legacy network to the physical infrastructure. Service Node(SN) It is also another VTEP, but it is fully managed by the controller.
Components of VXLAN Frame Format Some of the important fields of the VXLAN frame format are described below: Outer Ethernet Header: Outer IP Header: The Outer Ethernet Header consists of the following components: • Destination Address: Generally, it is a first hop router's MAC address when the VTEP is on a different address. • Source Address : It is the source MAC address of the router that routes the packet.
• Single VNI can be mapped to Single VLAN in both static and NSX controller-based VXLAN. Hence, only 4000 VNIs are supported while configuring static VXLAN. • You can map multiple VNIs with multiple VLANs in an NSX-based VXLAN. • You can configure only one Nuage controller in a VXLAN setup. Nuage controller datapath-learning is not supported.
The Add hardware Device window opens. Enter a name and copy the generated certificate of the VTEP to the Certificate box and click OK. Figure 151. Create VXLAN Gateway To create a VXLAN L2 Gateway, the IP address of the Gateway is required. After connectivity is established between the VTEP and NSX controller, the management IP address and the connectivity status are populated as shown in the following image. Figure 152. Hardware Devices 3 Add a service node or replicator.
Figure 153. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4 Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure. Click Home > Networking and Security > Logical Switches and click Add. The New Logical Switch window opens. Enter a name and select Unicast as the replication mode and click OK.
Figure 154. Create Logical Switch 5 Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 155. Specify Hardware Port In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.
Figure 156. Create Logical Switch Port 6 (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration windows opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.
Figure 157. Edit VXLAN BFD Configuration NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMWare . Configuring and Controling VXLAN from Nuage Controller GUI The Dell EMC Networking OS supports Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI, by adding a hardware device to the Nuage controller and authenticating the device. 1 Under the Infrastructure tab, add a datacenter gateway.
Figure 158. Add Data center Gateway 2 Create port-to-VLAN mappings. Figure 159. Port-to-VLAN mappings 3 Under the Networks tab, create an L2 domain. Under the L2 domain, create a logical network (VNI) and add access ports of the VTEP in the logical network. Figure 160.
Configuring VxLAN Gateway To configure the VxLAN gateway on the switch, follow these steps: 1 Connecting to NVP controller 2 Advertising VXLAN access ports to controller Connecting to an NVP Controller To connect to an NVP controller, use the following commands. 1 Enable the VXLAN feature. CONFIGURATION mode feature vxlan You must configure feature VXLAN to configure vxlan-instance. 2 Create a VXLAN instance that connects to the controller.
Advertising VXLAN Access Ports to Controller To advertise the access ports to the controller, use the following command. In INTERFACE mode, vxlan-instance command configures a VXLAN-Access Port into a VXLAN-instance. INTERFACE mode vxlan-instance Displaying VXLAN Configurations To display the VXLAN configurations, use the following commands. Examples of the show vxlan-instance Command The following example shows the show vxlan vxlan-instance command.
6.6.6.2 : vxlan_over_ipv4 (up) 6.6.6.3 : vxlan_over_ipv4 (up) The following example shows the show vxlan vxlan-instance unicast-mac-local command. DellEMC# show vxlan vxlan-instance <1> unicast-mac-local Total Local Mac Count: 5 VNI MAC PORT VLAN 4656 4656 4656 4656 4656 00:00:02:00:03:00 00:00:02:00:03:01 00:00:02:00:03:02 00:00:02:00:03:03 00:00:02:00:03:04 Te Te Te Te Te 0/17 0/17 0/17 0/17 0/17 0 0 0 0 0 The following example shows the show vxlan vxlan-instance unicast-mac-remote command.
Static Virtual Extensible LAN (VXLAN) When you create a Virtual Extensible LAN (VXLAN) , you need Network Virtualization Platform (NVP) Controller to configure and control the VXLAN. When you create a VXLAN instance in static mode, you can configure the VXLAN using CLIs instead of using the Controller. Once you create a VXLAN instance in the static mode, you can create a VNI profile, associate a VNID to the VNI profile, associate a remote VTEP to the VNID, and associate the VNID to a VLAN using the CLIs.
vxlan-instance Instance ID 9 Associate VNID to VLAN. INTERFACE VLAN mode vxlan-vnid VNID Displaying Static VXLAN Configurations To display the static VXLAN configurations, use the following commands. Examples of the show vxlan-instance Command The following example displays the basic configuration details. DellEMC# show vxlan vxlan-instance 1 Instance : 1 Mode : Static Admin State : Up Local vtep ip : 101.101.101.
Preserving 802.1 p value across VXLAN tunnels The 802.1p QoS marking preservation is supported over the VXLAN tunnel. The 802.1p priority is carried over from the VXLAN tunnel to the remote VTEP—VXLAN tunnel endpoint. The packets egress out to the correct queue based on the priority value. In such a scenario, if there is any congestion in the queue, the system generates a pause. The network port should be a vlan for priority to be carried by the vxlan outer header.
In this RIOT scheme, whenever R1 tries to reach R2, the packet gets to P1 on VTEP 1 with VLAN 10 and gets routed out of P2 on VLAN 20. VTEP 1 sends an ARP request for R2 (10.1.2.1) through P2. This request gets VXLAN encapsulated at P3 and is sent out of P4. Eventually, the native ARP request reaches R2. R2 sends an ARP response that is VXLAN encapsulated at VTEP 2. This response reaches VTEP 1 on P4 with a VXLAN encapsulation. At this point, the ARP response is de-capsulated at P4.
• When you ping for 10.1.2.1 (Vlan 20’s IP on R2) from R1, the packet would get to P1 on VTEP 1 with Vlan 10, and try to get routed out of P2 on Vlan 20. • VTEP 1 sends an ARP request for 10.1.2.1 out of P2. This gets VXLAN encapsulated at P2, and gets sent out of P3. • VXLAN encapsulated ARP request lands on VTEP 2 which is decapsulated and sent out of P5 and P6. • Packets looped back to P5 will not be forwarded again to either to P4 or P6 because of the added ACL rule 4.4.3.
While 4000 VLANS or VNIDs are supported in a Layer 2 context; for VXLAN RIOT, the number of VLANS or VNIDs supported is limited to 1000. Configuring VXLAN RIOT Physical Loopback In order for this configuration to work, the physical loopback ports are required to be in port-channels. There are two types of physical loopback interfaces: VXLAN Loopback Port and Non-VXLAN Loopback Port. These two port-channels are implicitly made no spanning tree, so that they do not go into a blocked state if xSTP is enabled.
In this topology, P2 and P3 in VTEP 1 are VLT port-channels with corresponding VLT peer LAGs being P2 and P3 in VTEP 2. Similarly, P6 and P7 in VTEP 3 are VLT port-channels with corresponding VLT peer LAGs being P6 and P7 in VTEP 4. NOTE: P2, P3, P6, and P7 can be a single port or multi-port port-channels that are VLT port-channels. NOTE: The VLT VXLAN configuration for RIOT deviates from the standard VLT behavior when these physical loopbacks are provisioned as VLT port-channels.
Figure 161. Controller-based VXLAN for VLT Providing Redundancy Important Points to Remember • The VLT peer port channel number must be the same on both VLT peers. • before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration. • BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from NSX controller.
Configuring BFD and UFD for VXLAN For controller-based VXLAN, you can optionally configure BFD and UFD for more resiliency. To configure BFD and UFD, follow these steps: 1 Enable BFD globally. CONFIGURATION mode bfd enable Enter the result of your step here (optional). 2 Create an uplink-state group. CONFIGURATION mode uplink-state-group group-id group-id: values are from 1 to 16. 3 Assign a VLT port channel to the uplink-state group as an upstream link.
peer-ovsdbserver-ip ovsdb-IP-address The peer OVSDB server is the peer VLT device. 6 Enter the fail mode. VxLAN INSTANCE mode fail-mode secure 7 Enable the VxLAN instance. VxLAN INSTANCE mode no shutdown NOTE: Dell EMC Networking recommends the non-secure fail mode if you are configuring VxLAN for a VLT setup and use a physical L3 link for peer OVSDB connectivity. Also using of controller connected IP address for peer OVSDB connectivity leads to double failure, when connected link fails..
unit-id NOTE: For controller-based VxLAN, the VLT unit ID is mandatory. 8 Repeat these steps on the VLT peer switch. VLT configuration: DellEMC#show runn vlt ! vlt domain 100 peer-link port-channel 1 back-up destination 38.0.0.
Admin State Controller Type Management IP Gateway IP MAX Backoff Controller 1 Managers Fail Mode Port List Te 1/21 : : : : : : : : : : : : Po 10 enabled Nsx 10.16.140.36 4.3.3.3 8000 10.16.140.181:6640 ssl 10.16.140.181:6640 ssl (connected) 10.16.140.182:6640 ssl (connected) 10.16.140.
DellEMC#show vxlan vxlan-instance 1 physical-locator Instance : 1 Tunnel : count 1 6.6.6.2 : vxlan_over_ipv4 (up) DellEMC# DellEMC# DellEMC#show vxlan vxlan-instance 1 unicast-mac-local Total Local Mac Count: 1 VNI MAC PORT 5000 00:00:00:cc:00:00 Te 1/21 VLAN 20 DellEMC# DellEMC#show vxlan vxlan-instance 1 unicast-mac-remote Total Remote Mac Count: 1 VNI MAC TUNNEL 5000 00:00:bb:00:00:00 4.3.3.
Mode Admin State Controller Type Management IP Gateway IP MAX Backoff Controller 1 Managers Fail Mode Port List Te 1/21 : : : : : : : : : : : : : Po 10 Controller enabled Nsx 10.16.140.37 4.3.3.3 8000 10.16.140.181:6640 ssl 10.16.140.181:6640 ssl (connected via vltPeer) 10.16.140.182:6640 ssl (connected via vltPeer) 10.16.140.
DellEMC#show cam mac stack-unit 1 port-set 0 VlanId Mac Address Region Interface 500 14:18:77:0a:53:82 STATIC Po 1 500 ff:ff:ff:ff:ff:ff STATIC 00001 28674 00:00:00:cc:00:00 DYNAMIC 0x80000001(vxlan) 28674 00:00:bb:00:00:00 DYNAMIC 0x80000006(vxlan) 0 ff:ff:ff:ff:ff:ff STATIC 00001 1 00:01:e8:8b:7a:6e DYNAMIC Po 11 20 00:00:00:cc:00:00 STATIC Po 1 0 00:10:18:ff:ff:ff STATIC Invalid 500 34:17:eb:37:11:02 DYNAMIC Po 1 0 f4:8e:38:2b:3e:87 LOCAL_DA 00001 0 f4:8e:38:2b:3e:87 LOCAL_DA 00001 0 14:18:77:0a:53:82 LO
Select Home > Networking and Security > Service Definition > Hardware Devices. Under Hardware Devices, click the Add button. The Add hardware Device window opens. Enter a name and copy the generated certificate of the VTEP to the Certificate box and click OK. Figure 162. Create VXLAN Gateway To create a VXLAN L2 Gateway, the IP address of the Gateway is required.
Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK. Figure 164. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4 Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure.
Figure 165. Create Logical Switch 5 Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 166. Specify Hardware Port In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.
Figure 167. Create Logical Switch Port 6 (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration windows opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.
Figure 168. Edit VXLAN BFD Configuration NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMWare .
62 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs.Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 169. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
If the next-hop IP in a static route VRF statement is VRRP IP of another VRF, this static route does not get installed on the VRRP master. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the nondefault VRF. Table 135.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF OSPFv3 Yes Yes IS-IS Yes Yes BGP Yes Yes ACL Yes No Multicast No No NDP Yes Yes RAD Yes Yes DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
show ip vrf [vrf-name] Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. See the Open Shortest Path First (OSPFv2) chapter for complete OSPF configuration information. Assign an OSPF process to a VRF instance . Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
Task Command Syntax Command Mode 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 43, Gratuitous ARP sent: 0 Virtual MAC address: 00:00:5e:00:01:0a Virtual IP address: 10.1.1.100 Authentication: (none) Configuring Management VRF You can assign a management interface to a management VRF. NOTE: The loopback interface cannot be added into the management VRF. 1 Create a management VRF.
Configuring a Static Route • Configure a static route that points to a management interface. CONFIGURATION management route ip-address mask managementethernet ormanagement route ipv6-address prefixlength managementethernet You can also have the management route to point to a front-end port in case of the management VRF. For example: management route 2::/64 tengigabitethernet 1/1/1/1. • Configure a static entry in the IPv6 neighbor discovery.
Figure 171. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 ip vrf blue 1 ! ip vrf orange 2 ! ip vrf green 3 ! interface TenGigabitEthernet no ip address switchport no shutdown ! interface TenGigabitEthernet ip vrf forwarding blue ip address 10.0.0.1/24 no shutdown ! interface TenGigabitEthernet ip vrf forwarding orange ip address 20.0.0.
ip vrf forwarding green ip address 30.0.0.1/24 no shutdown ! interface Vlan 128 ip vrf forwarding blue ip address 1.0.0.1/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.1/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.1/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.1 network 1.0.0.0/24 area 0 network 10.0.0.
ip address 2.0.0.2/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.2/24 tagged TenGigabitEthernet 1/1/1/3 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.2 network 11.0.0.0/24 area 0 network 1.0.0.0/24 area 0 passive-interface TenGigabitEthernet 1/1/2/1 ! router ospf 2 vrf orange router-id 2.0.0.2 network 21.0.0.0/24 area 0 network 2.0.0.0/24 area 0 passive-interface TenGigabitEthernet 1/1/2/2 ! ip route vrf green30.0.0.0/24 3.0.0.
DellEMC#show ip route vrf orange Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set C C O Destination ----------2.0.0.0/24 20.
Dynamic Route Leaking Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains. Inter-VRF Route Leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
A non-default VRF named VRF-Shared is created and the interface 1/4 is assigned to this VRF. 2 Configure the export target in the source VRF:. ip route-export 1:1 3 Configure VRF-red. ip vrf vrf-red interface-type slot/port[/subport] ip vrf forwarding VRF-red ip address ip—address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF. 4 Configure the import target in VRF-red. ip route-import 1:1 5 Configure the export target in VRF-red.
ip route-import ! ip vrf VRF-Green ! ip vrf VRF-shared ip route-export ip route-import ip route-import 1:1 1:1 2:2 3:3 Show routing tables of all the VRFs (without any route-export and route-import tags being configured) DellEMC# show ip route vrf VRF-Red O 11.1.1.1/32 via 111.1.1.1 110/0 C 111.1.1.0/24 Direct, Te 1/1/1/1 0/0 00:00:10 22:39:59 DellEMC# show ip route vrf VRF-Blue O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11 C 122.2.2.
O 44.4.4.4/32 00:00:11 via 144.4.4.4 C Direct, Te 1/1/4/1 144.4.4.0/24 110/0 0/0 00:32:36 Important Points to Remember • If the target VRF conatins the same prefix as either the sourced or Leaked route from some other VRF, then route Leaking for that particular prefix fails and the following error-log is thrown. SYSLOG (“Duplicate prefix found %s in the target VRF %d”, address, import_vrf_id) with The type/level is EVT_LOGWARNING. • The source routes always take precedence over leaked routes.
A non-default VRF named VRF-red is created and the interface is assigned to this VRF. 2 Define a route-map export_ospfbgp_protocol. DellEMC(config)route-map export_ospfbgp_protocol permit 10 3 Define the matching criteria for the exported routes. DellEMC(config-route-map)match source-protocol ospf DellEMC(config-route-map)match source-protocol bgp This action specifies that the route-map contains OSPF and BGP as the matching criteria for exporting routes from vrf-red.
O 44.4.4.4/32 via vrf-red:144.4.4.4 0/0 00:32:36 << only OSPF and BGP leaked from VRF-red Important Points to Remember • Only Active routes are eligible for leaking. For example, if VRF-A has two routes from BGP and OSPF, in which the BGP route is not active. In this scenario, the OSPF route takes precedence over BGP. Even though the Target VRF-B has specified filtering options to match BGP, the BGP route is not leaked as that route is not active in the Source VRF.
63 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 172. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. NOTE: In a VLT environment, VRRP configuration acts as active-active and if route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node. Table 137.
The VRID range is from 1 to 255. • NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group. INTERFACE mode no vrrp-group vrid Examples of Configuring and Verifying VRRP The following examples how to configure VRRP. DellEMC(conf)#interface tengigabitethernet 1/1/1/1 DellEMC(conf-if-te-1/1/1/1)#vrrp-group 111 DellEMC(conf-if-te-1/1/1/1-vrid-111)# The following examples how to verify the VRRP configuration.
Example: Migrating an IPv4 VRRP Group from VRRPv2 to VRRPv3 NOTE: Carefully following this procedure, otherwise you might introduce dual master switches issues. To migrate an IPv4 VRRP Group from VRRPv2 to VRRPv3: 1 Set the backup switches to VRRP version to both. Dell_backup_switch1(conf-if-te-1/1/1/1-vrid-100)#version both Dell_backup_switch2(conf-if-te-1/1/2/1-vrid-100)#version both 2 Set the master switch to VRRP protocol version 3.
Examples of the Configuring and Verifying a Virtual IP Address The following example shows how to configure a virtual IP address. DellEMC(conf-if-te-1/1/1/1-vrid-111)#virtual-address 10.10.10.1 DellEMC(conf-if-te-1/1/1/1-vrid-111)#virtual-address 10.10.10.2 DellEMC(conf-if-te-1/1/1/1-vrid-111)#virtual-address 10.10.10.3 The following example shows how to verify a virtual IP address configuration. NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
• Configure the priority for the VRRP group. INTERFACE -VRID mode priority priority The range is from 1 to 255. The default is 100. Examples of the priority Command DellEMC(conf-if-te-1/1/2/1)#vrrp-group 111 DellEMC(conf-if-te-1/1/2/1-vrid-111)#priority 125 To verify the VRRP group priority, use the show vrrp command. Dellshow vrrp -----------------TenGigabitEthernet 1/1/1/1, VRID: 111, Net: 10.10.10.1 VRF: 0 default State: Master, Priority: 255, Master: 10.10.10.
Examples of the authentication-type Command The bold section shows the encryption type (encrypted) and the password. DellEMC(conf-if-te-1/1/1/1-vrid-111)#authentication-type ? DellEMC(conf-if-te-1/1/1/1-vrid-111)#authentication-type simple 7 force10 The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password.
Changing the Advertisement Interval By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
Track an Interface or Object You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost). If the tracked interface’s state goes up, the VRRP group’s priority increases by 10.
• (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object’s state. EXEC mode or EXEC Privilege mode • show vrrp (Optional) Display the configuration of tracked objects in VRRP groups on a specified interface.
Tracking states for 2 resource Ids: 2 - Up IPv6 route, 2040::/64, priority-cost 20, 00:02:11 3 - Up IPv6 route, 2050::/64, priority-cost 30, 00:02:11 The following example shows verifying the VRRP configuration on an interface.
The default is 0. Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#interface tengigabitethernet 1/1/3/1 R2(conf-if-te-1/1/3/1)#ip address 10.1.1.1/24 R2(conf-if-te-1/1/3/1)#vrrp-group 99 R2(conf-if-te-1/1/3/1-vrid-99)#priority 200 R2(conf-if-te-1/1/3/1-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-1/1/3/1-vrid-99)#no shut R2(conf-if-te-1/1/3/1)#show conf ! interface TenGigabitEthernet 1/1/3/1 ip address 10.1.1.
Figure 174. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-te-1/1/1/1-vrid-10)#virtual-address fe80::10 R2(conf-if-te-1/1/1/1-vrid-10)#virtual-address 1::10 R2(conf-if-te-1/1/1/1-vrid-10)#no shutdown R2(conf-if-te-1/1/1/1)#show config interface TenGigabitEthernet 1/1/1/1 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1/1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1/1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default State: Master, Priority:
VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN. The following example shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 1/1/1/1 S1(conf-if-te-1/1/1/1)#ip vrf forwarding VRF-1 S1(conf-if-te-1/1/1/1)#ip address 10.10.1.5/24 S1(conf-if-te-1/1/1/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177. S1(conf-if-te-1/1/1/1-vrid-101)#priority 100 S1(conf-if-te-1/1/1/1-vrid-101)#virtual-address 10.10.1.
! S2(conf)#interface TenGigabitEthernet 1/1/3/1 S2(conf-if-te-1/1/3/1)#ip vrf forwarding VRF-3 S2(conf-if-te-1/1/3/1)#ip address 20.1.1.6/24 S2(conf-if-te-1/1/3/1)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S2(conf-if-te-1/1/3/1-vrid-105)#priority 100 S2(conf-if-te-1/1/3/1-vrid-105)#virtual-address 20.1.1.
DellEMC#show vrrp vrf vrf1 vlan 400 -----------------Vlan 400, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 1 vrf1 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) DellEMC#show vrrp vrf vrf2 port-channel 1 -----------------Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.
S2(conf-if-vl-300)#no shutdown DellEMC#show vrrp vrf vrf1 vlan 400 -----------------Vlan 400, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 1 vrf1 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) Vlan 400, IPv4 VRID: 10, Version: 2, Net: 20.1.1.
Figure 176. VRRP for IPv6 Topology NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80::255 DellEMC#show vrrp tengigabitethernet 1/1/8/1 TenGigabitEthernet 1/1/8/1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed VRF: 0 default State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120 Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:
Proxy Gateway with VRRP VLT proxy gateway solves the inefficient traffic trombone problem when VLANs are extended between date centers and when VMs are migrated between the two DCs. Starting from Dell EMC Networking OS 9.14.0.0, VRRP provides a much simpler method to solve the traffic trombone problem. This is achieved by configuring same VRRP group IDs to the extended L3 VLANs and VRRP stays active-active across all four VLT nodes even though they are in two different VLT domains.
• The core routers C1 and D1 in local VLT Domain along with C2 and D2 in the remote VLT Domain are part of a Layer 3 cloud. • The core routers C1, D1, C2, D2 are in a VRRP group with the same vrrp-group ID. When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed through the default gateway. The following examples show sample configurations of the core routers.
back-up destination 10.16.140.5 system-mac mac-address 00:00:aa:00:00:00 unit-id 1 peer-routing interface port-channel 128 channel member ten 1/1/1 channel member ten 1/1/2 no shutdown int ten 1/5/1 port-channel-protocol lacp port-channel 10 mode active no shut int ten 1/4/1 port-channel-protocol lacp port-channel 20 mode active no shut interface port-channel 10 vlt-peer-lag po 10 switchport no shutdown interface port-channel 20 vlt-peer-lag po 20 switchport no shutdown int vlan 100 ip address 100.1.1.
no shut int ten 1/4/1 port-channel-protocol lacp port-channel 20 mode active no shut interface port-channel 10 vlt-peer-lag po 10 switchport no shutdown interface port-channel 20 vlt-peer-lag po 20 switchport no shutdown int vlan 100 ip address 100.1.1.3/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.
no shutdown int vlan 100 ip address 100.1.1.4/24 tagged port-channel 10 vrrp-group 10 advertise-interval 60 virtual-ip 100.1.1.254 priority 100 no shutdown int vlan 200 tagged port-channel 20 no shutdown router ospf 10 network 100.1.1.
64 Debugging and Diagnostics This chapter describes debugging and diagnostics for the device. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • • • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
3 Start diagnostics on the unit. diag stack-unit stack-unit-number When the tests are complete, the system displays the following message and automatically reboots the unit. Diagnostic results are printed to a file in the flash using the filename format TestReport-SU-.txt. Log messages differ somewhat when diagnostics are done on a standalone unit and on a stack member. 4 View the results of the diagnostic tests. EXEC Privilege mode show file flash://TestReport-SU-stack-unit-id.
QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 1/2/1 Serial ID Base Fields Id = Ext Id = Connector = Transceiver Code = Encoding = Length(SFM) Km = Length(OM3) 2m = Length(OM2) 1m = Length(OM1) 1m = Length(Copper) 1m = Vendor Rev = Laser Wavelength = CheckCodeBase = Serial ID Extended Fields BR max = BR min = Vendor SN = Datecode = CheckCode
-- Temperature Limits (deg C) ------------------------ --------------------------------------------Minor Minor Off Major Major Off Shutdown SwitchOn 47 46 50 49 NA -- Temperature Limits (deg C) ------------------------ --------------------------------------------Minor Minor Off Major Major Off Shutdown FP-GE 47 46 50 49 NA -- Temperature Limits (deg C) ------------------------ --------------------------------------------Minor Minor Off Major Major Off Shutdown FP-SFP+ 47 46 50 49 NA -- Temperature Limits (d
Recognize an Under-Voltage Condition If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message: %CHMGR-1-CARD_SHUTDOWN: Major alarm: stack unit 2 down - auto-shutdown due to under voltage. This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE). If the under-voltage condition persists, line cards are shut down, then the RPMs.
Buffer Tuning Buffer Tuning allows you to modify the way your switch allocates buffers from its available memory and helps prevent packet drops during a temporary burst of traffic. Using a PreDefined Buffer Profile Dell EMC Networking OS provides two predefined buffer profiles, one for single-queue (for example, non-quality-of-service [QoS]) applications, and one for four-queue (for example, QoS) applications.
• • • • • • • show hardware buffer inteface interface{priority-group { id | all } | queue { id| all} | detail} buffer-info show hardware buffer-stats-snapshot resource interface interface{priority-group { id | all } | queue { ucast{id | all}{ mcast {id | all} | all} show hardware drops interface interface clear hardware stack-unit stack-unit-number counters clear hardware stack-unit stack-unit-number unit 0-1 counters clear hardware stack-unit stack-unit-number cpu data-plane statistics clear hardware stac
Aged Drops : 0 --- Egress MAC counters--Egress FCS Drops : 0 --- Egress FORWARD PROCESSOR Drops --IPv4 L3UC Aged & Drops : 0 TTL Threshold Drops : 0 INVALID VLAN CNTR Drops : 0 L2MC Drops : 0 PKT Drops of ANY Conditions : 0 Hg MacUnderflow : 0 TX Err PKT Counter : 0 --- Error counters--Internal Mac Transmit Errors : 0 Unknown Opcodes : 0 Internal Mac Receive Errors : 0 --- FEC Counters --Ingress FEC uncorrected code words: 172 --- Error Ratio Counters --Ingress preFEC Bit Error Ratio: 3.
txPkt(COS0 ) txPkt(COS1 ) txPkt(COS2 ) txPkt(COS3 ) txPkt(COS4 ) txPkt(COS5 ) txPkt(COS6 ) txPkt(COS7 ) txPkt(COS8 ) txPkt(COS9 ) txPkt(COS10) txPkt(COS11) txPkt(UNIT0) :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 Example of Viewing Party Bus Statistics DellEMC#sh hardware stack-unit 1 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port comm
RX RX RX RX RX RX RX RX RX - 65 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter 1024 to 1518 Byte Frame Counter 1519 to 1522 Byte Good VLAN Frame Counter 1519 to 2047 Byte Frame Counter 2048 to 4095 Byte Frame Counter 4096 to 9216 Byte Frame Counter 0 0 0 0 0 0 0 0 0 Example of Displaying Counter Information for a Specific Interface DellEMC#show hardware counters interface hundredGigE 1/1/1 unit: 0 port: 50 (interface Hu 1/1/1) Descrip
TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - 1024 to 1518 Byte Frame Counter 1519 to 1522 Byte Good VLAN Frame Counter 1519 to 2047 Byte Frame Counter 2048 to 4095 Byte Frame Counter 4096 to 9216 Byte Frame Counter Good Packet Counter Packet/Frame Counter Unicast Frame Counter Multicast Frame Counter Broadcast Frame Counter Byte Counter Control Frame Counter Pause Control Frame Counter Oversized Frame Counter Jabber Counter VLAN Tag
A mini core dump contains critical information in the event of a crash. Mini core dump files are located in flash:/ (root dir). The application mini core filename format is f10StkUnit..acore.mini.txt. The kernel mini core filename format is f10StkUnit.kcore.mini.txt. The following are sample filenames. The panic string contains key information regarding the crash.
Enabling TCP Dumps A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in the flash://TCP_DUMP_DIR/ Tcpdump_/ directory and labeled tcpdump_*.pcap. There can be up to 20 Tcpdump_ directories.
65 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 12,000 bytes RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 139.
R F C # Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 24 Definition of 7.7.1 74 the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 26 PPP over 15 SONET/SDH 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 26 A Two Rate 9 Three Color 8 Marker 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.
General IPv4 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv4 protocols. Table 140. General IPv4 Protocols RF C# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 791 Internet Protocol 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 826 An Ethernet Address Resolution 7.6.1 Protocol 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
General IPv6 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv6 protocols. Table 141. General IPv6 Protocols RFC # Full Name S-Series 1886 DNS Extensions to support IP 7.8.1 version 6 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 1981 Path MTU Discovery for IP (Part version 6 ial) 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Border Gateway Protocol (BGP) The following table lists the Dell EMC Networking OS support per platform for BGP protocols. Table 142. Border Gateway Protocol (BGP) RFC# Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1997 BGP ComAmtturnibituitees 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2439 BGP Route Flap Damping 7.8.
Open Shortest Path First (OSPF) The following table lists the Dell EMC Networking OS support per platform for OSPF protocol. Table 143. Open Shortest Path First (OSPF) RFC # Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1587 The OSPF Not-SoStubby Area (NSSA) Option 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2154 OSPF with Digital Signatures 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2370 The OSPF Opaque LSA Option 7.6.1 9.8(0.
RFC# Full Name S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 3784 Intermediate System to Intermediate System (IS-IS) Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 5120 MT-ISIS: Multi Topology (MT) 9.8(0.0P2) Routing in Intermediate System to Intermediate Systems (ISISs) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 5306 Restart Signaling for IS-IS 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Multicast The following table lists the Dell EMC Networking OS support per platform for Multicast protocol. Table 146. Multicast RFC# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1112 Host Extensions for IP Multicasting 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2236 Internet Group Management Protocol, Version 2 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 3376 Internet Group Management Protocol, Version 3 7.8.1 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) dot1dTpLearnedEntryDiscards object] 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 Management Information Base 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 1901 Introduction to Community-based SNMPv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 7.6.1 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON Internet-standard Network Management Framework 2578 Structure of Management Information Version 2 (SMIv2) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2579 Textual Conventions for SMIv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2580 Conformance Statements for SMIv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON Network Management Protocol (SNMP) 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3434 Remote Monitoring MIB 7.6.1 Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3580 IEEE 802.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.2(0.0) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) isisISAdjIPAddrTable isisISAdjProtSuppTable draftietfnetmod interfac escfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. IEEE 802.1A B Management Information Base 7.7.1 module for LLDP configuration, statistics, local system data and remote systems data components. 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 E-Series Enterprise 10Chassis MIB CHASS IS-MIB 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 File Copy MIB (supporting 7.7.1 10SNMP SET operation) COPYCONFI G-MIB 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON FORCE Force10 Textual Convention 10-TCMIB 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 Trap Alarm MIB 10TRAPALARM -MIB 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) ONENT -MIB MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.
66 X.509v3 supports X.509v3 standards. Topics: • Introduction to X.509v3 certification • X.509v3 support in • Information about installing CA certificates • Information about Creating Certificate Signing Requests (CSR) • Information about installing trusted certificates • Transport layer security (TLS) • Online Certificate Status Protocol (OSCP) • Verifying certificates • Event logging Introduction to X.509v3 certification X.
1 An entity or organization that wants a digital certificate requests one through a CSR. 2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN). 3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the root CA signs the intermediate CA’s CSR generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
During the initial TLS protocol negotiation, both participating parties also check to see if the other’s certificate is revoked by the CA. To do this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is included in the presented certificate, the Intermediate CA inserts the info upon signing it, or it may be statically configured on the host. Information about installing CA certificates Dell EMC Networking OS enables you to download and install X.
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields. Information about installing trusted certificates Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to the TLS server implementations that require client authentication such as Syslog.
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic. However, the maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable with a default of 1 hour.
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http:// [1100::203]:6514. Configuring OCSP behavior You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step: In CONFIGURATION mode, enter the following command: crypto x509 ocsp {[nonce] [sign-request]} Both the none and sign-request parameters are optional.
Verifying Server certificates Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates against installed CA certificates. NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IP address specified in the application.
