Dell EMC SmartFabric OS10 User Guide Release 10.5.2 06 2021 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2020-2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this guide

This guide is intended for system administrators who are responsible for configuring and maintaining networks. It covers the following details:
● Installation and setup of Dell EMC SmartFabric OS10.
● Description, configuration information, limitations and restrictions, and examples of features that SmartFabric OS10 supports.
● Reference information and examples on configuring protocols.
Table 1. SmartFabric OS10 Documentation (continued)
Related Documentation    Description    Link
● SFS for leaf and spine switches
● SFS for PowerEdge MX
● Data Center PowerSwitch OS

Table 2.
2 Change history

The following table provides an overview of the changes to this guide from a previous OS10 release to the 10.5.2.6 release. For more information about the new features, see the respective sections.

Table 3. New in 10.5.2.6
Revision: A05
Date: 2021-06-16

Feature: Telemetry client authentication using TLS
Description: Support for telemetry client authentication using TLS.

Feature: Standards compliance: Precision Time Protocol (PTP)
Description: OS10 complies with the following standards:
● G.8273.2
● G.
Table 4. New in 10.5.2.4
Revision: A04
Date: 2021-04-14

Feature: OME-M Catalog Support
Description: OME-M supports catalog method to help and manage the upgrade of all components and dependencies among components. For more information about this feature, see Dell EMC PowerEdge MX Networking Deployment Guide.

Feature: Default Management VLAN support
Description: SmartFabric Services (SFS) sets the MAC of the default management VLAN 4020 to the system MAC, which is different from the MAC that is used for data VLAN.
Table 5. New in 10.5.2.3 (continued)

Feature: Display BGP routes that match an AS-path regular expression attribute
Description: Support for a new command, show ip bgp filterlist to display BGP routes that match any of the AS-path regular expression attributes from the given AS-path list.

Feature: Deprecation of IPv6 Routing header Type 0 (RFC5095)
Description: Deny or permit IPv6 Routing Header Type 0 packets in the hardware and kernel.
Table 6. New in 10.5.2.2 (continued)
TLVs sent out through the connected ports.

Feature: Multirack Layer 3 VLAN network
Description: An SFS template that is used to configure IPv4 attributes for the racks in an NXST deployment consisting of multirack leaf spine topology.

Table 7. New in 10.5.2.
Table 7. New in 10.5.2.1 (continued)
in the configuration, the OSPFv2/v3 and BGP show configuration commands now display asnotation based output.

Feature: ZTD automatic upgrade related changes
Description: To upgrade OS10 automatically using the Zero-Touch Deployment (ZTD) feature, use DHCP Option 240.

Feature: High-power optical modules
Description: OS10 supports high-power optical modules on switches with QSFP56-DD ports.
Table 8. New in 10.5.2.0
Revision: A00
Date: 2020-09-25

Feature: Private VLANs
Description: Private VLANs provide L2 isolation between ports within the same VLAN.
Table 8. New in 10.5.2.0 (continued)

Feature: Monitor CPU Utilization
Description: Configure the high or low CPU utilization threshold values.

Feature: Monitor Memory Utilization
Description: Configure the high or low memory utilization threshold values.

Feature: Low Latency Modes
Description: Low latency mode is used to reduce the switching latency for timing critical applications such as storage networks.
3 Getting Started with Dell EMC SmartFabric OS10

Dell EMC SmartFabric OS10 is a network operating system (NOS) supporting multiple architectures and environments. The SmartFabric OS10 solution allows multi-layered disaggregation of network functionality. SmartFabric OS10 bundles industry-standard management, monitoring, and Layer 2 and Layer 3 networking stacks over CLI, SNMP, and REST interfaces. Users can choose their own third-party networking, monitoring, management, and orchestration applications.
Starting from Release 10.5.1.0, SmartFabric OS10 comes with a single partition. Both the active and standby software images are stored in this partition. OS10 installation and upgrade procedures continue to work as usual. However, after you install the 10.5.1.0 (or later) image, if you want to downgrade to the 10.5.0.0 (or earlier) image, you must back up the configuration and license files. See Downgrade to Release 10.5.0.0 or earlier releases for more information.
Log in

Connect a terminal emulator to the console serial port on the switch using a serial cable. Serial port settings are 115200 baud rate, 8 data bits, and no parity.

To log in to an OS10 switch, power up and wait for the system to perform a power-on self-test (POST). Enter admin for both the default user name and user password. Change the default admin password after the first OS10 login. The system saves the new password for future logins.
Architecture: x86_64
Up Time: 1 day 00:54:13

Install firmware upgrade

You may need to upgrade the firmware components on an OS10 switch without upgrading the OS10 image.

NOTE: Do not upgrade the ONIE firmware and OS10 image simultaneously. Perform the ONIE firmware upgrade first before you upgrade the OS10 image.

To upgrade firmware components in a separate operation:
1.
Upgrade OS10 manually from the CLI

To upgrade an OS10 image, first download and unpack the new OS10 binary image as described in Download OS10 image for upgrade. Then copy the binary image file to a local server and follow the steps in Install OS10 upgrade.

NOTE:
● To upgrade a Dell EMC ONIE switch to OS10 from OS9 or another network operating system (NOS), follow the procedure in Baremetal switch with only ONIE installed.
CAUTION: Do not use copy commands to download the image to the switch, as it may result in loss of disk space for critical system applications and functions, and it may be difficult to locate the image.

1. (Optional) Back up the current running configuration to the startup configuration in EXEC mode.
   OS10# copy running-configuration startup-configuration
2. Back up the startup configuration in EXEC mode.
   OS10# copy config://startup.xml config://
3.
Next-Boot: standby[A]

NOTE: Use the show boot detail command to check

9. Depending on the release that is presently running on your system:
● System is presently running a release earlier than 10.5.1.0 and you are installing 10.5.2.0 or later
  Reload the new software image in EXEC mode.
  OS10# reload
● System is presently running 10.5.1.0 or later release and you are installing 10.5.2.0 or later now
  a. Change the next boot image to the standby image in EXEC mode.
In this example topology:
● VLT-Peer1 and VLT-Peer2 are leaf nodes that are connected to the spine switch through port channel 10.
● Host1 is connected to both the VLT peer nodes through port channel 20.
● Host2 uses switch-independent NIC teaming.
● Switch1 is connected to the VLT peer nodes through port channel 30.

Summary of Upgrade Steps
1. Download the new OS10 image.
2. Install the image on VLT-Peer1 and VLT-Peer2 nodes.
3. Upgrade the secondary VLT node.
1. Download the new software image on both the VLT peer nodes from the Dell Support Site. Extract the bin files from the tar file, and save the file in EXEC mode. Download the extracted bin file to the OS10 switch using the image download command.
4. Use the show image status command to view the installation status.
12. Wait for VLT-Peer2 to come up. VLT adjacency will be established. VLT-Peer2 becomes the secondary node. Wait until VLT-Peer2 starts to forward traffic after the delay-restore timer expires.

Upgrade on VLT peer nodes is now complete. Both the nodes actively forward traffic. After upgrade, VLT-Peer1 is the primary node and VLT-Peer2 is the secondary node.

VLT upgrade with minimal loss for upgrades from 10.5.0.x or previous release to 10.5.1.
OS10(configure-router-bgpv4-af)# network
OS10(configure-router-bgpv4-af)#

Check OS10 license

To check the status of the pre-installed OS10 license, use the show license status command. A factory-installed OS10 image runs with a perpetual license. If you pre-order a Dell EMC switch with OS10, you do not need to install a license. If you download OS10 on a trial basis, OS10 comes with a 120-day trial license. Purchase and install a perpetual license after the trial period expires.
Upgrade commands

boot system
Sets the boot image to use for the next reboot.
Syntax              boot system {active | standby}
Parameters          ● active — Reset the running image as the next boot image.
                    ● standby — Set the standby image as the next boot image.
Default             Active
Command Mode        EXEC
Usage Information   Use this command to configure the location of the OS10 image used to reload the software at boot time. Use the show boot command to view the configured next boot image.
Example             OS10# image copy active-to-standby
Supported Releases  10.2.0E or later

image download
Downloads a new software image or firmware file to the local file system.
Syntax              image download file-url
Parameters          file-url—Enter the URL of the image file:
                    ● ftp://userid:passwd@hostip/filepath—Enter the path to copy from the remote FTP server.
                    ● http://hostip/filepath—Enter the path to copy from the remote HTTP server.
                    ○ sftp://userid:passwd@hostip/filepath—Enter the path to install from a remote SFTP file system.
                    ○ tftp://hostip/filepath—Enter the path to install from a remote TFTP file system.
                    ○ image://filename—Enter the path to use to install the image from a local file system.
                    ○ usb://filepath—Enter the path to use to install the image from the USB file system.
Default             All
Command Mode        EXEC
Usage Information   Use the show image status command to view the installation progress.
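An added example, not part of the OS10 guide: a Python audit of image download, image install and license install command lines that flags the unencrypted transports in the file-url lists (ftp, http, tftp) and passwords embedded in the URL. The function names are hypothetical and the sample command lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# URL schemes taken from the file-url lists in this guide.
# ftp, http and tftp move the file (and, for ftp, the userid:passwd pair)
# without encryption; scp and sftp run over SSH; image and usb are local.
CLEARTEXT = {"ftp", "http", "tftp"}
ENCRYPTED = {"scp", "sftp"}
LOCAL = {"image", "usb"}

# Optional CLI prompt ("OS10# "), then one of the three transfer commands.
CMD_RE = re.compile(
    r"^(?:\S+[#>]\s*)?(image\s+(?:download|install)|license\s+install)\s+(\S+)",
    re.IGNORECASE,
)
# Matches the password part of scheme://user:password@host for redaction.
PASSWORD_RE = re.compile(r"(://[^:/@\s]+:)[^@\s]+@")


def audit_line(line):
    """Return a finding record for one CLI line, or None if it is not a
    transfer command."""
    m = CMD_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group(2))
    scheme = url.scheme.lower()
    findings = []
    if scheme in CLEARTEXT:
        findings.append("cleartext-transport")
    elif scheme not in ENCRYPTED | LOCAL:
        findings.append("unknown-scheme")
    if url.password is not None:
        # The password is typed on the command line, so it can end up
        # wherever that line is recorded (assumption: session logs, tickets).
        findings.append("password-in-url")
    return {
        "command": " ".join(m.group(1).lower().split()),
        "scheme": scheme,
        "host": None if scheme in LOCAL else url.hostname,
        "findings": findings,
        # Never echo the secret back into the audit report.
        "line": PASSWORD_RE.sub(r"\1****@", line.strip()),
    }


def audit(text):
    """Audit every line of a captured CLI session or runbook."""
    return [r for r in map(audit_line, text.splitlines()) if r is not None]


# Constructed sample session; addresses are documentation ranges except the
# license line, which mirrors the SCP example in this guide.
SAMPLE = """\
OS10# image download ftp://admin:Secr3t@192.0.2.10/PKGS_OS10-Enterprise-x.x.xx.bin
OS10# image download sftp://admin:Secr3t@192.0.2.10/PKGS_OS10-Enterprise-x.x.xx.bin
OS10# image install image://PKGS_OS10-Enterprise-x.x.xx.bin
OS10# license install scp://user:userpwd@10.1.1.10/0A900Q2-NOSEnterprise-License.xml
OS10# image install tftp://192.0.2.10/PKGS_OS10-Enterprise-x.x.xx.bin
OS10# show image status
"""

if __name__ == "__main__":
    for record in audit(SAMPLE):
        flags = ", ".join(record["findings"]) or "ok"
        print(f"{flags:40} {record['line']}")
```

Running it over saved session transcripts or change runbooks shows which transfers should move to sftp or scp and which credentials need rotating because they were typed inline.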
Usage Information   Use the boot system command to set the boot image for the next reboot.
Example             OS10# show boot
                    Current system image information:
                    ===================================
                    Type       Boot Type   Active        Standby       Next-Boot
                    ---------------------------------------------------------------
                    Node-id 1  Flash Boot  [A] 10.5.0.4  [B] 10.5.1.
Example (Detail)
Supported Releases
onie-updater-x86_64-dellemc_s5200_c3538-r0.3.40.1.1-6    Fail    3.40.1.1-6
Supported Releases  10.5.0 or later

show image status
Displays image transfer and installation information.
Syntax              show image status
Parameters          None
Default             Not configured
Command Mode        EXEC
Usage Information   On older versions of OS10, the image install command may appear frozen and does not display the current image status.
Architecture: x86_64
Up Time: 1 day 00:54:13
Supported Releases  10.2.0E or later

Baremetal switch with only ONIE installed

If your Dell EMC ONIE-enabled switch does not have a default OS installed, you can download an OS10 software image from the Dell Digital Locker and install it using ONIE. Also, install OS10 on a Dell EMC ONIE device when:
● You convert a switch from OS9 or any third-party OS.
● You receive a replacement device from Dell EMC return material authorization (RMA).
| ONIE: Diag ONIE                                        |
+--------------------------------------------------------+

After the ONIE uninstall process completes, the switch boots to ONIE: Install OS mode.

Download OS10 image

If you purchase the OS10 Enterprise Edition image with an after point-of-sale order, your OS10 purchase allows you to download software images posted within the first 90 days of ownership. After the order is complete, you receive an email notification with a software entitlement ID, order number, and link to the DDL.
System setup

Before installation, verify that the system is connected correctly:
● Connect a serial cable and terminal emulator to the console serial port — serial port settings are 115200 baud rate, 8 data bits, and no parity.
● Connect the Management port to the network to download an image over a network. To locate the Console port and the Management port, see the platform-specific Installation Guide at www.dell.com/support.

Install OS10

For an ONIE-enabled switch, go to the ONIE boot menu.
1. On the TFTP server, rename the OS10 image to a supported installer file name, such as onie-installer, using the mv image-name default-filename command.
   mv PKGS_OS10-Base-10.3.1B.144-installer-x86_64.bin onie-installer
2. Boot up the switch in ONIE: Install mode to install an OS10 image.
   Starting: discover... done.
   ONIE:/ # Info: eth0: Checking link... up.
   Info: Trying DHCPv4 on interface: eth0
   ONIE: Using DHCPv4 addr: eth0: 10.10.10.17 / 255.0.0.0
   Info: eth1: Checking link... down.
   ONIE: eth1: link down.
5. Install the software on the device. The installation command accesses the OS10 software from the specified SCP, TFTP, or FTP URL, creates partitions, verifies installation, and reboots itself.
   $ onie-nos-install image_url
   For example, enter
   ONIE:/ # onie-nos-install ftp://a.b.c.d/PKGS_OS10-Enterprise-x.x.xx.bin
   Where a.b.c.d represents the location to download the image file from, and x.x.xx represents the version number of the software to install.

The OS10 installer image creates several partitions.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Dell EMC Network Operating System (OS10)
Copyright (c) 1999-2018 by Dell Inc. All Rights Reserved.
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
This product is protected by U.S. and international copyright and intellectual property laws. Dell EMC and the Dell EMC logo are trademarks of Dell Inc. in the United States and/or other jurisdictions.
Table 9. Install license using VRF (continued)

File transfer method  Default VRF  Management VRF¹  Non-default VRF
HTTP                  Yes          Yes              No
localfs               Yes          Yes              Yes
SCP                   Yes          Yes              No
SFTP                  Yes          Yes              No
TFTP                  Yes          Yes              No
USB                   Yes          Yes              Yes

¹ Before you configure the management VRF for use in OS10 license installation, remove all IP addresses on the management interface.

Install license — SCP
OS10# license install scp://user:userpwd@10.1.1.10/0A900Q2-NOSEnterprise-License.xml
License installation success.
License installation success.

Verify license installation
OS10# show license status
System Information
---------------------------------------------------------
Vendor Name          : DELL EMC
Product Name         : S4148F-ON
Hardware Version     : X01
Platform Name        : x86_64-dell_s4100_c2338-r0
PPID                 : TW09H9MN282987130026
Service Tag          : 9531XC2
Product Base         :
Product Serial Number:
Product Part Number  :
License Details
----------------
Software             : OS10-Enterprise
Version              : 10.5.1.
4. Enter the home folder using the vxrail-29-dnd# dir home command. The following information is displayed on the console:
   Directory contents for folder: home
   Date (modified)        Size (bytes)  Name
   ---------------------  ------------  ------------------------------------------
   2021-05-26T11:15:42Z   3816          269FXC2.lic

Downgrade to Release 10.5.0.
Installation State: install-failed
--------------------------------------------------
State Detail: Failed: Downgrade image staged for clean install. Reload to downgrade.
Task Start: 2019-11-19T06:55:53Z
Task End: 2019-11-19T06:56:01Z

NOTE:
● During this stage, the show boot detail command displays the details of the previous image that was installed. The boot system active | standby command is not applicable during this state.
To roll back, from the Linux shell prompt, enter:
OS10# system bash bash (OS10) $ sudo os10-rollback-to-old-image

NOTE: After rollback is complete, the system comes up with the previous release. However, the standby image becomes nonbootable. To boot using the standby image, you have to install the image again using the image install command.

Downgrade to Release 10.5.1.0 or later releases

In this example, the OS10 switch runs the 10.5.2.
Transfer Progress: 100 %
Transfer Bytes: 469343880 bytes
File Size: 469343880 bytes
Transfer Rate: 67812 kbps

Installation State: install-success
--------------------------------------------------
State Detail: Completed: Success
Task Start: 2019-11-19T06:55:53Z
Task End: 2019-11-19T06:56:01Z

9. Use the show boot detail command to view the standby image. Change the next boot image to the standby image in EXEC mode. Reload the device. The device comes up with the 10.5.1.x software image.
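A pre-reload check for the procedure above, as an added example that is not part of the OS10 guide: it parses show image status output and reports whether the transfer completed and the installation state is install-success before the boot image is switched. The function names are hypothetical, and both sample outputs are constructed from the fields and values shown on this page.

```python
import re

SEPARATOR = re.compile(r"^[-=]+$")
# Fields that repeat under each "... State" header and need qualifying.
PER_SECTION = {"State Detail", "Task Start", "Task End"}


def parse_image_status(text):
    """Turn 'Key: value' lines into a dict; detail fields are stored as
    '<section> / <key>' so repeated keys do not overwrite each other."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.endswith(" State"):
            section = key
        elif key in PER_SECTION and section:
            key = f"{section} / {key}"
        fields[key] = value
    return fields


def _first_int(value):
    m = re.search(r"\d+", value or "")
    return int(m.group()) if m else None


def ready_to_reload(text):
    """Return (ok, reasons). ok is True only when nothing argues against
    switching the boot image and reloading."""
    f = parse_image_status(text)
    reasons = []

    # Transfer checks apply only when the output reports a transfer.
    progress = _first_int(f.get("Transfer Progress"))
    sent = _first_int(f.get("Transfer Bytes"))
    size = _first_int(f.get("File Size"))
    if progress is not None and progress != 100:
        reasons.append(f"transfer at {progress} %")
    if sent is not None and size is not None and sent != size:
        reasons.append(f"transferred {sent} of {size} bytes")

    state = f.get("Installation State")
    if state != "install-success":
        detail = f.get("Installation State / State Detail", "no detail")
        reasons.append(f"installation state is {state}: {detail}")
    return (not reasons, reasons)


# Constructed from the install-success output shown above.
STATUS_OK = """\
Transfer Progress: 100 %
Transfer Bytes: 469343880 bytes
File Size: 469343880 bytes
Transfer Rate: 67812 kbps
Installation State: install-success
--------------------------------------------------
State Detail: Completed: Success
Task Start: 2019-11-19T06:55:53Z
Task End: 2019-11-19T06:56:01Z
"""

# Constructed from the downgrade output earlier in this guide. The guide
# describes install-failed with this detail as the staged-downgrade state,
# so the check stops and hands the detail text to the operator.
STATUS_DOWNGRADE = """\
Installation State: install-failed
--------------------------------------------------
State Detail: Failed: Downgrade image staged for clean install. Reload to downgrade.
Task Start: 2019-11-19T06:55:53Z
Task End: 2019-11-19T06:56:01Z
"""

if __name__ == "__main__":
    for name, sample in (("ok", STATUS_OK), ("downgrade", STATUS_DOWNGRADE)):
        print(name, ready_to_reload(sample))
```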
1. Use the show boot detail command to view the standby image.
   OS10# show boot detail
   Current system image information detail:
   ==========================================
   Type: Node-id 1
   Boot Type: Flash Boot
   Active Partition: B
   Active SW Version: 10.5.2.0
   Active SW Build Version: 10.5.2.0
   Active Kernel Version: Linux 4.9.168
   Active Build Date/Time: 2020-03-07T11:43:33+0000
   Active Partition: B
   Standby Partition: A
   Standby SW Version: 10.5.1.0
   Standby SW Build Version: 10.5.1.0.
Feature limitation on the Z9100-ON and S5200-ON series switches

On the Z9100-ON and S5200-ON series switches, system flow is enabled by default.
4. Enable the Management interface in INTERFACE mode.
   no shutdown

Configure Management interface
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# no ip address dhcp
OS10(conf-if-ma-1/1/1)# ip address 10.1.1.10/24
OS10(conf-if-ma-1/1/1)# no shutdown

Configure Management route

To set up remote access to OS10, configure a management route after you assign an IPv4 or IPv6 address to the Management port. The Management port uses the default management route to communicate with a different network.
  ○ username username — Enter a text string. A maximum of 32 alphanumeric characters; one character minimum.
  ○ password password — Enter a text string. A maximum of 32 alphanumeric characters; nine characters minimum.
  ○ role role — Enter a user role:
    ■ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. The default privilege level is 15.
4 CLI Basics

The OS10 CLI is the software interface you use to access a device running the software — from the console or through a network connection. The CLI is an OS10-specific command shell that runs on top of a Linux-based OS kernel. By leveraging industry-standard tools and utilities, the CLI provides a powerful set of commands that you can use to monitor and configure devices running OS10.
until you commit them to activate the configuration. The start transaction command applies only to the current session. Changing the configuration mode of the current session to the Transaction-Based Configuration mode does not affect the configuration mode of other CLI sessions.
● After you explicitly enter the commit command to save changes to the candidate configuration, the session switches back to the default behavior of automatically saving the configuration changes to the running configuration.
Check device status

Use show commands to check the status of a device and monitor activities. Refer to the Related Videos section for more information.
● Enter show ? from EXEC mode to view a list of commands to monitor a device; for example:
  OS10# show ?
  acl-table-usage
  alarms
  alias
  bfd
  boot
  candidate-configuration
  class-map
  clock
  ...
-- Fan Status -FanTray Status AirFlow Fan Speed(rpm) Status ---------------------------------------------------------------1 up NORMAL 1 13195 up 2 up NORMAL 1 13151 up 3 up NORMAL 1 13239 up 4 up NORMAL 1 13239 up Related Videos Check Device Status Command help To view a list of valid commands in any CLI mode, enter ?; for example: OS10# ? alarm alias batch boot clear clock commit configure copy crypto ...
Candidate configuration When you use OS10 configuration commands in Transaction-based configuration mode, changes do not take effect immediately and are stored in the candidate configuration. The configuration changes become active only after you commit the changes using the commit command. Changes in the candidate configuration are validated and applied to the running configuration. The candidate configuration allows you to avoid introducing errors during an OS10 configuration session.
To display only interface-related configurations in the candidate configuration, use the show candidate-configuration compressed and show running-configuration compressed commands. These views display only the configuration commands for VLAN and physical interfaces.
OS10# show candidate-configuration compressed
interface breakout 1/1/1 map 40g-1x
interface breakout 1/1/2 map 40g-1x
interface breakout 1/1/3 map 40g-1x
interface breakout 1/1/4 map 40g-1x
...
Prevent configuration changes You can prevent configuration changes that are made on the switch in sessions other than the current CLI session using the lock command. To prevent and allow configuration changes in other sessions, use the lock and unlock commands in EXEC mode. When you enter the lock command, users in other active CLI sessions cannot make configuration changes.
OS10(conf-range-po-3)# switchport trunk allowed vlan 2-5
OS10(conf-range-po-3)# exit
OS10(config)# no interface range vlan 2-4
OS10(conf-range-po-3)# % Error: Range configuration conflict - the last command was not applied. Please commit (or discard) the rest of the configuration changes and retry.
If you see the error message in bold, commit the entire configuration and then delete a subset of VLANs.
Copy running configuration to local directory or remote server OS10# copy running-configuration {config://filepath | home://filepath | ftp://userid:passwd@hostip/filepath | scp://userid:passwd@hostip/filepath | sftp://userid:passwd@hostip/filepath | tftp://hostip/filepath} OS10# copy running-configuration scp://root:calvin@10.11.63.120/tmp/qaz.
Restore startup file from server
OS10# copy scp://admin:admin@hostip/backup-9-28.xml config://startup.xml
OS10# reload
System configuration has been modified. Save? [yes/no]:no
Reload system image
Reboot the system manually using the reload command in EXEC mode. You are prompted to confirm the operation.
OS10# reload
System configuration has been modified.
Common OS10 commands boot Configures the OS10 image to use the next time the system boots up. Syntax boot system [active | standby] Parameters ● active — Reset the running image as the next boot image. ● standby — Set the standby image as the next boot image. Default Not configured Command Mode EXEC Usage Information Use this command to configure the OS10 image that is reloaded at boot time. Use the show boot command to verify the next boot image. The boot system command applies immediately.
Example
OS10# configure terminal
OS10(config)#
Supported Releases 10.2.0E or later
copy
Copies the current running configuration to the startup configuration and transfers files between an OS10 switch and a remote device.
Directory contents for folder: coredump
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------------
2017-02-15T19:05:41Z   12402278      core.netconfd-pro.2017-02-15_19-05-09.gz
OS10# copy coredump://core.netconfd-pro.2017-02-15_19-05-09.gz scp://os10user:os10passwd@10.11.222.1/home/os10/core.netconfd-pro.2017-02-15_19-05-09.
● usb://filepath — (Optional) Delete from the USB file system. Default Not configured Command Mode EXEC Usage Information Use this command to remove a regular file, software image, or startup configuration. Removing the startup configuration restores the system to the factory default. You must reboot the switch using the reload command for the operation to take effect. NOTE: ● Use caution when removing the startup configuration.
---------------------  ------------  -----------
2017-04-26T15:23:46Z   26704         startup.xml
OS10# dir severity-profile
Date (modified)        Size (bytes)  Name
---------------------  ------------  ------------
2019-03-27T15:24:06Z   46741         default.xml
2019-04-01T11:22:33Z   456           mySevProf.xml
Supported Releases 10.2.0E or later
discard
Discards changes made to the candidate configuration file.
end
Returns to EXEC mode from any other command mode.
Syntax end
Parameters None
Default Not configured
Command Mode All
Usage Information Use the end command to return to EXEC mode to verify currently configured settings with show commands.
Example
OS10(config)# end
OS10#
Supported Releases 10.2.0E or later
exit
Returns to the next higher command mode.
license Installs a license file from a local or remote location.
Parameters ● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in prefix-length format (/xx). ● ipv6-address/prefix-length — Enter an IPv6 address in x:x:x:x::x format with the prefix length in /xxx format. The prefix range is /0 to /128. ● forwarding-router-address — Enter the next-hop IPv4/IPv6 address of a forwarding router (gateway) for network traffic from the Management port.
● debug — Disable debugging.
● support-assist-activity — SupportAssist-related activity.
● terminal — Reset terminal settings.
Default Not configured
Command Mode EXEC
Usage Information Use this command in EXEC mode to disable or remove a configuration. Use the no ? in CONFIGURATION mode to view available commands.
Example
OS10# no alias goint
Supported Releases 10.2.0E or later
ping
Tests network connectivity to an IPv4 device.
○ do prevents fragmentation, including local.
○ want performs PMTU discovery and fragments large packets locally.
○ dont does not set the Don’t Fragment (DF) flag.
● -p pattern — (Optional) Enter a maximum of 16 pad bytes to fill out the packet you send to diagnose data-related problems in the network; for example, -p ff fills the sent packet with all 1’s.
● -Q tos — (Optional) Enter a maximum of 1500 bytes in decimal or hex datagrams to set quality of service (QoS)-related bits.
ping6
Tests network connectivity to an IPv6 device.
Syntax ping6 [vrf {management | vrf-name}] [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface] [-l preload] [-m mark] [-M pmtudisc_option] [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline] [-W timeout] destination
Parameters
● vrf management — (Optional) Pings an IPv6 address in the management VRF instance.
● -w deadline — (Optional) Enter the time-out value in seconds before the ping exits regardless of how many packets are sent or received. ● -W timeout — (Optional) Enter the time to wait for a response in seconds. This setting affects the time-out only if there is no response, otherwise ping waits for two round-trip times (RTTs). ● hop1 ... (Optional) Enter the IPv6 addresses of the pre-specified hops for the ping packet to take.
show boot Displays detailed information about the boot image. Syntax show boot [detail] Parameters None Default Not configured Command Mode EXEC Usage Information The Next-Boot field displays the image that the next reload uses.
● compressed — (Optional) Current operating configuration in compressed format.
● control-plane — (Optional) Current operating control-plane configuration.
● dot1x — (Optional) Current operating dot1x configuration.
● evpn — (Optional) Current operating EVPN configuration.
● extcommunity-list — (Optional) Current operating extcommunity-list configuration.
● interface — (Optional) Current operating interface configuration.
! Last configuration change at Apr 11 10:36:43 2017
!
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.com/support
snmp-server location "United States"
logging monitor disable
ip route 0.0.0.0/0 10.11.58.
show environment Displays information about environmental system components, such as temperature, fan, and voltage.
Supported Releases 10.2.0E or later
show ip management-route
Displays the IPv4 routes used to access the Management port.
Syntax show ip management-route [all | connected | dynamic | static summary]
Parameters
● all — (Optional) Display the IPv4 routes that the Management port uses.
● connected — (Optional) Display only routes directly connected to the Management port.
● dynamic — (Optional) Display active management routes that are learned by a routing protocol.
show license status Displays license status information. Syntax show license status Parameters None Default Not configured Command Mode EXEC Usage Information Use the show license status command to verify the current license for running OS10, its duration, and the service tag assigned to the switch.
● compressed — (Optional) Current operating configuration in compressed format.
● control-plane — (Optional) Current operating control-plane configuration.
● crypto — (Optional) Current operating cryptographic configuration.
● dot1x — (Optional) Current operating dot1x configuration.
● evpn — (Optional) Current operating EVPN configuration.
● extcommunity-list — (Optional) Current operating extcommunity-list configuration.
Example Example (compressed)
OS10# show running-configuration
! Version 10.2.9999E
! Last configuration change at Apr 11 01:25:02 2017
!
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.com/support
snmp-server location "United States"
logging monitor disable
ip route 0.0.0.0/0 10.11.58.
show startup-configuration
Displays the contents of the startup configuration file.
Syntax show startup-configuration [compressed]
Parameters compressed — (Optional) View a compressed version of the startup configuration file.
Default Not configured
Command Mode EXEC
Usage Information None
Example Example (compressed)
OS10# show startup-configuration
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
!
policy-map type application policy-iscsi
!
class-map type application class-iscsi
Supported Releases 10.2.0E or later
show system
Displays system information.
Syntax show system [brief | node-id]
Parameters
● brief — View an abbreviated list of the system information.
● node-id — View the node ID number.
Interface    Breakout capable  Breakout state
-----------------------------------------------------
Eth 1/1/5    No                BREAKOUT_1x1
Eth 1/1/6    No                BREAKOUT_1x1
Eth 1/1/7    No                BREAKOUT_1x1
Eth 1/1/8    No                BREAKOUT_1x1
Eth 1/1/9    No                BREAKOUT_1x1
Eth 1/1/10   No                BREAKOUT_1x1
Eth 1/1/11   No                BREAKOUT_1x1
Eth 1/1/12   No                BREAKOUT_1x1
Eth 1/1/13   No                BREAKOUT_1x1
Eth 1/1/14   No                BREAKOUT_1x1
Eth 1/1/15   No                BREAKOUT_1x1
Eth 1/1/16   No                BREAKOUT_1x1
Eth 1/1/17   No                BREAKOUT_1x1
Eth 1/1/18   No                BREAKOUT_1x1
Eth 1/1/19   No                BREAKOUT_1x1
Eth 1/1/20   No                BREA
Example
OS10# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2021 by Dell Inc. All Rights Reserved.
OS Version: 10.5.2.6
Build Version: 10.5.2.6.215
Build Time: 2021-06-11T21:35:41+0000
System Type: S5248F-ON
Architecture: x86_64
Up Time: 1 day 00:54:13
Supported Releases 10.2.0E or later
start
Activates Transaction-Based Configuration mode for the active session.
Syntax start transaction
Parameters transaction - Enables the transaction-based configuration.
system-cli disable
Disables the system command.
Syntax system-cli disable
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command enables OS10 system command.
Example
OS10# configure terminal
OS10(config)# system-cli disable
Supported Releases 10.4.3.0 or later
system-user linuxadmin disable
Disables the linuxadmin account.
terminal
Sets the number of lines to display on the terminal and enables logging.
Syntax terminal {length lines | monitor}
Parameters
● length lines — Enter the number of lines to display on the terminal from 0 to 512; default 24.
● monitor — Enables logging on the terminal.
Default 24 terminal lines
Command Mode EXEC
Usage Information Enter zero (0) for the terminal to display without pausing.
Example
OS10# terminal monitor
Supported Releases 10.2.
○ host — (Required) Enter the name or IP address of the destination device.
○ packet_len — (Optional) Enter the total size of the probing packet. The default is 60 bytes for IPv4 and 80 for IPv6.
Default Not configured
Command Mode EXEC
Usage Information None
Example Example (IPv6) Supported Releases
OS10# traceroute www.dell.com
traceroute to www.dell.com (23.73.112.54), 30 hops max, 60 byte packets
1 10.11.97.254 (10.11.97.254) 4.298 ms 4.417 ms 4.398 ms
2 10.11.3.254 (10.11.3.254) 2.121 ms 2.
● role role—Enter a user role: ○ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. ○ secadmin — Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys.
Supported Releases 10.2.
5 Advanced CLI tasks Command alias Provides information to create shortcuts for commonly used commands, see Command alias. Batch mode Provides information to run a batch file to execute multiple commands, see Batch mode. Linux shell commands Provides information to run commands from the Linux shell, see Linux shell commands. OS9 commands Provides information to enter configuration commands using an OS9 command syntax, see Using OS9 commands.
View alias output for goint
OS10(config)# goint 1/1/1
OS10(conf-if-eth1/1/1)#
View alias information
OS10# show alias
Name      Type
----      ----
govlt     Config
goint     Config
shconfig  Local
showint   Local
shver     Local
Number of config aliases : 2
Number of local aliases : 3
View alias information brief. Displays the first 10 characters of the alias value.
OS10# show alias brief
Name      Type    Value
----      ----    -----
govlt     Config  "vlt-domain..."
goint     Config  "interface ..."
shconfig  Local   "show runni...
showint   Local
shver     Local
● (Optional) You can enter the default values to use for the parameters defined as $n in ALIAS mode. default n input-value ● (Optional) Enter a description for the multi-line alias in ALIAS mode. description string ● Use the no form of the command to delete an alias in CONFIGURATION mode. no alias alias-name You can modify an existing multi-line alias by entering the corresponding ALIAS mode.
Number of config aliases : 1
Number of local aliases : 0
View alias information brief. Displays the first 10 characters of each line of each alias.
OS10# show alias brief
Name   Type    Value
----   ----    -----
mTest  Config  line 1 "interface ..."
               line 2 "no shutdow..."
               line 3 "show confi..."
               default 1 "ethernet"
               default 2 "1/1/1"
Number of config aliases : 1
Number of local aliases : 0
View alias detail. Displays the entire alias value.
Eth 1/1/3   up  40G  A  1
Eth 1/1/4   up  40G  A  1
Eth 1/1/5   up  40G  A  1
Eth 1/1/6   up  40G  A  1
Eth 1/1/7   up  40G  A  1
Eth 1/1/8   up  40G  A  1
Eth 1/1/9   up  40G  A  1
Eth 1/1/10  up  40G  A  1
Eth 1/1/11  up  40G  A  1
Eth 1/1/12  up  40G  A  1
Eth 1/1/13  up  40G  A  1
Eth 1/1/14  up  40G  A  1
Eth 1/1/15  up  40G  A  1
Eth 1/1/16  up  40G  A  1
Eth 1/1/17  up  40G  A  1
Eth 1/1/18  up  40G  A  1
Eth 1/1/19  up  40G  A  1
Eth 1/1/20  up  40G  A  1
Eth 1/1/21  up  40G  A  1
Eth 1/1/22  up  40G  A  1
Eth 1/1/23  up  40G  A  1
Eth 1/1/24  up  40G  A  1
Eth 1/1/25  up  40G  A  1
Eth 1/1/26  up
default (alias) Configures default values for input parameters in a multi-line alias. Syntax default n value Parameters ● n — Enter the number of the argument, from 1 to 9. ● value — Enter the value for the input parameter. Default Not configured Command Mode ALIAS Usage Information To use special characters in the input parameter value, enclose the string in double quotation marks ("). The no version of this command removes the default value.
Usage Information The no version of this command removes the line number and the corresponding command from the multi-line alias.
Example
OS10(config)# alias mTest
OS10(config-alias-mTest)# line 1 "interface $1 $2"
OS10(config-alias-mTest)# line 2 "no shutdown"
OS10(config-alias-mTest)# line 3 "show configuration"
Supported Releases 10.4.0E(R1) or later
show alias
Displays configured alias commands available in both Persistent and Non-Persistent modes.
                 default 2 "1/1/1"
shconfig  Local  "show running-configuration"
showint   Local  "show interface $*"
shver     Local  "show version"
Number of config aliases : 3
Number of local aliases : 3
Supported Releases 10.3.0E or later
Batch mode
To execute a sequence of multiple commands, create and run a batch file. A batch file is an unformatted text file that contains two or more commands. Store the batch file in the home directory.
● /home/filepath — Enter the username and the filepath as follows: batch /home/username/filename.
● config://filepath — Enter the filepath.
Default Not configured
Command Mode EXEC
Usage Information Use this command to create a batch command file on a remote machine. Copy the command file to the home directory on your switch. This command executes commands in batch mode. OS10 automatically commits all commands in a batch file; you do not have to enter the commit command.
!
router bgp 100
!
neighbor 100.1.1.1
remote-as 104
no shutdown
admin@OS10:/opt/dell/os10/bin$
User admin logged out at session 16
● Use the ifconfig -a command to display the interface configuration. The Linux kernel port numbers that correspond to front-panel port, port-channel, and VLAN interfaces are displayed. Port-channel interfaces are in boportchannelnumber format. VLAN interfaces are in brvlan-id format. In this example, e101-001-0 identifies port 1/1/1.
Architecture: x86_64
Up Time: 1 day 00:54:13
Using OS9 commands
To enter configuration commands using an OS9 command syntax, use the feature config-os9-style command in CONFIGURATION mode and log out of the session. If you do not log out of the OS10 session, configuration changes made with OS9 command syntaxes do not take effect. After you log in again, you can enter OS9 commands, but only in the new session.
6 Dell EMC SmartFabric OS10 zero-touch deployment
Zero-touch deployment (ZTD) allows OS10 users to automate switch deployment:
● Upgrade an existing OS10 image.
● Execute a CLI batch file to configure the switch.
● Execute a post-ZTD script to perform additional functions.
ZTD is enabled by default when you boot up a switch with a factory-installed OS10 for the first time or when you perform an ONIE: OS Install from the ONIE boot menu.
3. If you specify an OS10 CLI batch file with configuration commands for CLI_CONFIG_FILE, ZTD executes the commands in the PRE-CONFIG and POST-CONFIG sections. After executing the PRE-CONFIG commands, the switch reloads with the new OS10 image and then executes the POST-CONFIG commands. For more information, see ZTD CLI batch file. 4. If you specify a post-ZTD script file for POST_SCRIPT_FILE, ZTD executes the script. For more information, see Post-ZTD script.
ZTD also generates failure messages.
[os10:notify], %Dell EMC (OS10) %ZTD-FAILED: Zero Touch Deployment failed to download the image.
Troubleshoot configuration locked
When ZTD is enabled, the CLI configuration is locked. If you enter a CLI command, the error message configuration is locked displays. To configure the switch, disable ZTD by entering the ztd cancel command.
OS10# configure terminal
% Error: ZTD is in progress(configuration is locked).
Example
#!/bin/bash
####################################################################
#
#
# Example OS10 ZTD Provisioning Script
#
#
####################################################################
########## UPDATE THE BELOW CONFIG VARIABLES ACCORDINGLY ###########
########## ATLEAST ONE OF THEM SHOULD BE FILLED ####################
IMG_FILE="http://50.0.0.1/OS10.bin"
CLI_CONFIG_FILE="http://50.0.0.1/cli_config"
POST_SCRIPT_FILE="http://50.0.0.1/no_post_script.
hostname LEAF-1
!
ip domain-list networks.dell.com
ip name-server 8.8.8.8 1.1.1.1
!
ntp server 132.163.96.5 key 1 prefer
ntp server 129.6.15.32
!
!
logging server 10.22.0.99
Post-ZTD script
As a general guideline, use a post-ZTD script to perform any additional functions required to configure and operate the switch. In the ZTD provisioning script, specify the post-ZTD script path for the POST_SCRIPT_FILE variable.
Examples
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : completed
Protocol State : idle
Reason : ZTD process completed successfully at Mon Jul 16 19:31:57 2018
-----------------------------------
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : failed
Protocol State : idle
Reason : ZTD process failed to download post script file
-----------------------------------
● ZTD Status — Current operational status: enabled or disabled.
Command Mode EXEC Security and Access Sysadmin and secadmin Usage Information When you enter this command, if there are any configuration changes, the system prompts you for a confirmation to delete the startup configuration. If you have made configuration changes after the ZTD process stops, the system reloads. This command is similar to the reload ztd command. However, if you have not made any configuration changes after the ZTD process stops, this command does not reload the switch.
7 Dell EMC SmartFabric OS10 provisioning OS10 supports automated switch provisioning — configuration and monitoring — using: ● RESTCONF API — REST-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches with JavaScript Object Notation (JSON)-structured messages. You can use any programming language to create and send JSON messages; see RESTCONF API.
Ansible inventory file The inventory file contains the list of hosts on which you want to run commands. Ansible can run tasks on multiple hosts at the same time. Ansible playbooks use /etc/ansible/hosts as the default inventory file. To specify a different inventory file, use the -i filepath command as an option when you run an Ansible playbook. Ansible playbook file Using playbooks, Ansible can configure multiple devices. Playbooks are human-readable scripts that are expressed in YAML format.
After you install Ansible, verify the version by entering:
$ ansible --version
2. Download and install Dell EMC Networking Ansible roles from the Ansible Galaxy web page; for example:
$ ansible-galaxy install dell-networking.dellos-users
$ ansible-galaxy install dell-networking.dellos-logging
$ ansible-galaxy install dell-networking.dellos-ntp
3. Create a directory to store inventory and playbook files; for example:
$ mkdir AnsibleOS10
4. Navigate to the directory and create an inventory file.
    state: present
dellos_users:
  - username: u1
    password: Test@1347
    role: sysadmin
    privilege: 0
    state: present
dellos_ntp:
  server:
    - ip: 3.3.3.3
The dellos_cfg_generate parameter creates a local copy of the configuration commands applied to the remote switch on the Ansible controller node, and saves the commands in the directory defined in the build_dir path.
8. Create a playbook file.
$ vim playbook.yaml
- hosts: OS10switch-1 OS10switch-2
  connection: network_cli
  roles:
    - dell-networking.
8 SmartFabric Director
SmartFabric Director manages the switches in a data center with or without any virtual infrastructure. SmartFabric Director provides a single view of operating, managing, and troubleshooting of physical and virtual networks.
SmartFabric Director features
● Define, build, and maintain a Layer 2 or Layer 3 leaf-spine data center fabric (underlay).
certificates. A user role in SmartFabric Director with Super Admin privileges can be used to access the agent. The security profile that is assigned to the gNMI agent must be pre-configured on the switch. The security profile is configured using the crypto security-profile command.
Table 11. Openconfig system
Sensor group name    YANG container
oc-system            ● openconfig-system/system
                     ● openconfig-platform/components/component
Table 12. Openconfig environment
Sensor group name    YANG container
oc-environment       openconfig-platform/components/component
Table 13. Openconfig interface
Sensor group name    YANG container
oc-interface         openconfig-interfaces/interfaces/interface
Table 14.
Table 21. Vendor UFD
Sensor group name    YANG container
oc-vendor-ufd        ufd/uplink-state-group-stats/ufd-groups
Table 22. Vendor VXLAN
Sensor group name    YANG container
oc-vendorvxlan       vxlan/vxlan-state/remote-endpoint/stats
Table 23. Openconfig VLAN
Sensor group name    YANG container
oc-vlan              openconfig-interfaces/interfaces/interface
Table 24.
Table 27. cancel_upgrade API API Name Description cancel_upgrade Cancels an active OS10 image download process. The cancel_upgrade process uses a best effort mechanism that attempts to cancel an active image file download. This operation cancels the image file transfer and the upgrade operation is terminated. The image installation process starts immediately after the image file transfer is complete. As a result, the cancel upgrade operation cannot stop an installation that is already in progress.
show switch-operating-mode
View the operating mode of the switch.
Syntax show switch-operating-mode
Parameters None
Default Not configured
Command mode EXEC
Usage information Some OS10 switches operate in both Full Switch and SmartFabric modes.
Example
OS10# show switch-operating-mode
Switch-Operating-Mode : SmartFabric Director Mode
Supported releases 10.4.0E(R3S) or later
show sfd status
Displays the status corresponding to the SmartFabric Director.
9 System management
System banners
Provides information to configure a system login and message of the day (MOTD) text banners, see System banners.
User session management
Provides information to manage the active user sessions, see User session management.
Telnet server
Provides information to set up Telnet TCP/IP connections on the switch, see Telnet server. To set up secure, encrypted Secure Shell (SSH) connections to the switch, see SSH server.
DellEMC S4148U-ON login Enter your username and password % To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command. Message of the day banner Configure a message of the day (MOTD) banner that displays after you log in. Enter any single delimiter character to start and end the MOTD banner.
Usage Information Example Supported Releases ● To enter a multiline banner text, use the interactive mode. Enter the command with the delimiter character and press Enter. Then enter each line and press Enter. Complete the banner configuration by entering a line that contains only the delimiter character. ● To delete a login banner and reset it to the Dell EMC default banner, use the no banner login command. To disable the configured login banner, use the banner login disable command.
Clear user session
OS10# kill-session 3
View active user sessions
OS10# show sessions
Current session's operation mode: Non-transaction
Session-ID  User       In-rpcs  In-bad-rpcs  Out-rpc-err  Out-notify  Login-time            Lock
------------------------------------------------------------------------------------------
3           snmp_user  114      0            0            0           2017-07-10T23:58:39Z
4           snmp_user  57       0            0            0           2017-07-10T23:58:40Z
6           admin      17       0            0            4           2017-07-12T03:55:18Z
*7          admin      10       0            0            0           2017-07-12T04:42:55Z
OS10#
The asterisk (*) in the Session-ID column in
show sessions Displays the active management sessions. Syntax show sessions Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to view information about the active user management sessions.
Telnet commands ip telnet server enable Enables Telnet TCP/IP connections to an OS10 switch. Syntax ip telnet server enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information By default, the Telnet server is disabled. When you enable the Telnet server, use the IP address configured on the management or any front-panel port to connect to an OS10 switch. After you reload the switch, the Telnet server configuration is maintained.
OS10 supports different security models and levels in SNMP communication between SNMP managers and agents. Each security model refers to an SNMP version used in SNMP messages. SNMP versions provide different levels of security, such as user authentication and message encryption. NOTE: ● OS10 does not support SNMP SET operations. ● SNMP traps over IPv6 are not supported with VRF management configuration.
Table 29. Standards MIBs (continued)
Module             Standard
IP-MIB             RFC 4293
LLDP-EXT-DOT1-MIB  IEEE 802.1AB
LLDP-EXT-DOT3-MIB  IEEE 802.1AB
LLDP-MIB           IEEE 802.1AB
OSPF-MIB           RFC 4750
OSPFV3-MIB         RFC 5643
Q-BRIDGE-MIB       IEEE 802.
SNMP engine ID An engine ID identifies the SNMP entity that serves as the local agent on the switch. The engine ID is an octet colon-separated number; for example, 00:00:17:8B:02:00:00:01. When you configure an SNMPv3 user, you can specify that a localized authentication and/or privacy key be generated. The localized password keys are generated using the engine ID of the switch. A localized key is more complex and provides greater privacy protection.
NOTE: Create a remote engine ID with the snmp-server engineID command before you configure a remote user with the snmp-server user command. If you change the configured engine ID for a remote device, you must reconfigure the authentication and privacy passwords for all remote users associated with the remote engine ID.
To configure a view of the MIB tree on the SNMP agent, use the snmp-server view command. To configure an SNMPv3 user's authentication and privacy settings, use the snmp-server user command. To display the configured SNMP groups, use the show snmp group command.
OS10(config)# snmp-server user n3user ngroup remote 172.31.1.
snmp-server host {ipv4–address | ipv6–address} {informs version version-number | traps version version-number | version version-number} [snmpv3-security-level] [community-name] [udp-port port-number] [dom | entity | envmon | lldp | snmp]
Configure SNMP v1 or v2C traps
OS10(config)# snmp-server host 10.11.73.
Defaults None
Command Mode EXEC
Usage Information To configure an SNMP community, use the snmp-server community command.
Example
OS10# show snmp community
Community : public
Access : read-only
Community : dellOS10
Access : read-write
ACL : dellacl
Supported Releases 10.4.2.0 or later
show snmp engineID
Displays the SNMP engine ID on the switch or on remote devices that access the SNMP agent on the switch.
version : 3
security level : priv
notifyview : alltraps
readview : readview
writeview : writeview
Supported Releases 10.4.2.0 or later
show snmp user
Displays the users configured to access the SNMP agent on the switch, including the SNMP group and security model.
Syntax show snmp user
Parameters None
Defaults None
Command Mode EXEC
Usage Information To configure an SNMP user, use the snmp-server user command.
Parameters ● community name — Set the community name string to act as a password for SNMPv1 and SNMPv2c access. A maximum of 20 alphanumeric characters. ● ro — Set read-only access for the SNMP community. ● rw — Set read-write access for the SNMP community. ● acl acl-name — Enter an existing IPv4 ACL name to limit SNMP access in the SNMP community. Defaults An SNMP community has read-only access.
Table 31. Notification types and options Notification type Notification option entity — Enable entity change traps. None envmon — Enable SNMP environmental monitor traps. ○ fan — Enable fan traps. ○ power-supply — Enable power-supply traps. ○ temperature — Enable temperature traps. lldp — Enable LLDP state change traps. ○ rem-tables-change — Enable the lldpRemTablesChange trap. snmp — Enable SNMP traps. ○ authentication — Enable authentication traps.
Usage Information The local engine ID generates the localized keys for the authentication and privacy passwords. These passwords authenticate SNMP users and encrypt SNMP messages. If you reconfigure the local engine ID, the localized keys also change. The existing values are no longer valid, and a warning message displays. As a result, you must reconfigure SNMP users with new localized password keys.
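Why an engine ID change invalidates existing SNMPv3 keys, shown as an added example that is not Dell's code. It assumes the standard RFC 3414 password-to-key and key-localization algorithm with SHA-1 (the guide does not state which derivation OS10 uses); the second engine ID and the message bytes are constructed.

```python
import hashlib
import hmac

STREAM_LEN = 1048576  # RFC 3414 A.2 hashes exactly 1,048,576 bytes of repeated password


def password_to_key(password, algo="sha1"):
    """Derive the non-localized user key Ku from a password (RFC 3414 A.2)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(STREAM_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(user_key, engine_id, algo="sha1"):
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, user_key + engine_id + user_key).digest()


def auth_tag(localized_key, message, algo="sha1"):
    """HMAC truncated to 96 bits, as carried in the SNMPv3 authentication field."""
    return hmac.new(localized_key, message, algo).digest()[:12]


def agent_accepts(password, agent_engine_id, message, tag, algo="sha1"):
    """Recompute the tag with the key localized for the agent's current engine ID."""
    key = localize_key(password_to_key(password, algo), agent_engine_id, algo)
    return hmac.compare_digest(auth_tag(key, message, algo), tag)


# Engine ID and password from the RFC 3414 appendix A.3 test vector.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_PASSWORD = b"maplesyrup"
# Constructed values, for illustration only.
NEW_ENGINE_ID = bytes.fromhex("80001f8880aabbccdd")
SAMPLE_MESSAGE = b"constructed SNMPv3 message bytes"


def demo():
    """Tag a message with the key localized for the old engine ID, then
    check it against the old and the reconfigured engine ID."""
    stored_key = localize_key(password_to_key(RFC_PASSWORD), RFC_ENGINE_ID)
    tag = auth_tag(stored_key, SAMPLE_MESSAGE)
    return {
        "before_change": agent_accepts(RFC_PASSWORD, RFC_ENGINE_ID, SAMPLE_MESSAGE, tag),
        "after_change": agent_accepts(RFC_PASSWORD, NEW_ENGINE_ID, SAMPLE_MESSAGE, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The password never changes in this run; only the engine ID does, which is why every user tied to that engine ID has to be reconfigured.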
The no version of the command deletes an SNMP group.
Example
OS10(config)# snmp-server group os10admin p3 priv read readonlyview
Supported Releases 10.4.2.0 or later
snmp-server host
Configures a host to receive SNMP notifications.
Example — Send SNMP traps to host
OS10(config)# snmp-server host 1.1.1.1 traps version 3 priv user01 udp-port 32 entity lldp
Example — Send SNMP informs to host
OS10(config)# snmp-server host 1.1.1.1 informs version 2c public envmon snmp
Example — Send SNMP notifications to host
OS10(config)# snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp
Supported Releases 10.2.0E or later
snmp-server location
Configures the location of the SNMP server.
● priv — (SNMPv3 only) Configure encryption for SNMPv3 messages sent to the user: ○ aes — Encrypt messages using AES 128-bit algorithm. ○ des — Encrypt messages using DES 56-bit algorithm. ○ priv-password — Enter a text string used to generate the privacy key used in encrypted messages. A maximum of 32 alphanumeric characters. For an encrypted password, enter the encrypted string instead of plain text. ● localized — (SNMPv3 only) Generate an SNMPv3 authentication and/or privacy key in localized key format.
● excluded — (Optional) Exclude the MIB family from the view.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The oid-tree value specifies the OID in the MIB tree hierarchy at which a view starts. Enter included or excluded to include or exclude the remaining part of the MIB sub-tree contents in the view. The no version of the command removes an SNMPv3 view.
Example
OS10(config)# snmp-server view readview 1.3.6.5 excluded
Supported Releases 10.4.2.
Example: Configure SNMP This example shows how to configure SNMP on the switch, including SNMP engine ID, views, groups, and users. OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# Local default snmp-server contact "Contact Support" snmp-server engineID remote 192.168.1.
● Before you downgrade, disable the DST configuration or update the setting using the clock timezone command to specify only the local time zone. ● After the downgrade is complete, ignore the CLI error and reconfigure the setting using the clock timezone command to specify only the local time zone. Configure system time and date ● Enter the time and date in EXEC mode.
Table 32.
Parameters
time Enter time in the format hour:minute:second, where hour is 1 to 24; minute is 1 to 60; second is 1 to 60. For example, enter 5:15 PM as 17:15:00.
year-month-day Enter year-month-day in the format YYYY-MM-DD, where YYYY is a four-digit year, such as 2016; MM is a month from 1 to 12; DD is a day from 1 to 31.
Default Not configured
Command Mode EXEC
Usage Information Use this command to reset the system time if the system clock is out of sync with the NTP time.
Example
OS10# show clock
2017-01-25T11:00:31.68-08:00
Supported Releases 10.2.1E or later
show clock timezone
Displays the time zone that is configured in the system.
Syntax show clock timezone
Parameters None
Default Etc/UTC
Command Mode EXEC
Usage Information None
Example
OS10# show clock timezone
Brazil/West (-04, -0400)
Supported Releases 10.5.0 or later
Network Time Protocol
Network Time Protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
NOTE: OS10 supports both NTP server and client roles. Enable NTP NTP is disabled by default. To enable NTP, configure an NTP server where the system synchronizes. To configure multiple servers, enter the command multiple times. Multiple servers may impact CPU resources. ● Enter the IP address of the NTP server where the system synchronizes in CONFIGURATION mode.
10.16.150.185 10.16.151.123 16 1024 0 0.00000 0.000000 3.99217
OS10# show ntp associations
remote local st poll reach delay offset disp
=======================================================================
10.16.150.185 10.16.151.123 16 1024 0 0.00000 0.000000 3.99217
Broadcasts
Receive broadcasts of time information and set all the interfaces within the system to receive NTP information through broadcast. NTP is enabled on all active interfaces by default.
Authentication NTP authentication and the corresponding trusted key provide a reliable exchange of NTP packets with trusted time sources. NTP authentication begins with creating the first NTP packet after the key configuration. NTP authentication uses the message digest 5 (MD5), SHA-1, and SHA2-256 algorithms. The key is embedded in the synchronization packet that is sent to an NTP time source. 1. Enable NTP authentication in CONFIGURATION mode. ntp authenticate 2.
Sample NTP configuration The following example shows an NTP master (11.0.0.2), server (10.0.0.1), and client (10.0.0.2) connected through a nondefault VRF instance (VRF Red). OS10 acts as an NTP server to synchronize its clock with the NTP master available in the nondefault VRF instance red and provides time to NTP clients in the VRF. To create this sample NTP configuration: 1. Configure the NTP server: a. Create a nondefault VRF instance and assign an interface to the VRF.
a. Create a nondefault VRF instance and assign an interface to the VRF.
OS10(config)# ip vrf red
OS10(conf-vrf)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip vrf forwarding red
OS10(conf-if-eth1/1/1)# ip address 10.0.0.2/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)#
b. Configure the NTP server IP address on the NTP client.
OS10(config)# ntp server 10.0.0.1
OS10(config)# do show running-configuration ntp
ntp server 10.0.0.1
OS10(config)#
c.
OS10# show ntp status vrf red
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
system peer: 10.0.0.1:123
system peer mode: client
leap indicator: 00
stratum: 11
log2 precision: -24
root delay: 0.991
root dispersion: 1015.099
reference ID: 10.0.0.1
reference time: dbc7b087.5d47aaa6 Sat, Nov 5 2016 1:12:39.364
system jitter: 0.000000
clock jitter: 0.462
clock wander: 0.003
broadcast delay: -50.000
symm. auth. delay: 0.000
OS10#
5. Verify that the NTP server (10.0.0.
Supported Releases 10.2.0E or later ntp authentication-key Configures the authentication key for trusted time sources. Syntax ntp authentication-key number {md5 | sha1 | sha2-256} {0 | 9} key Parameters ● ● ● ● ● ● ● Default 0 Command Mode CONFIGURATION Usage Information The authentication number must be the same as the number parameter configured in the ntp trusted-key command. Use the ntp authenticate command to enable NTP authentication.
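A configuration review for the SNMP and NTP settings this chapter describes (community access and ACLs, notification security levels, DES privacy, and the pairing of ntp authentication-key with ntp trusted-key), as an added example that is not Dell's code. Both sample configurations are constructed, and the layouts of the snmp-server community and snmp-server user lines are assumed from the parameter lists in the command reference.

```python
# Constructed samples. The community and user line layouts are assumptions
# based on the parameter lists in this guide; names and keys are invented.
WEAK_CONFIG = """\
snmp-server community public ro
snmp-server community dellOS10 rw acl dellacl
snmp-server community ops rw
snmp-server host 1.1.1.1 informs version 2c public envmon snmp
snmp-server host 1.1.1.1 version 3 noauth u1 snmp lldp
snmp-server host 1.1.1.1 traps version 3 priv user01 udp-port 32 entity lldp
snmp-server user n3user ngroup 3 auth sha EXAMPLE-AUTH priv des EXAMPLE-PRIV
ntp server 10.0.0.1
ntp authentication-key 1 md5 0 EXAMPLE-KEY
ntp authentication-key 2 sha2-256 0 EXAMPLE-KEY
ntp trusted-key 2
"""

HARDENED_CONFIG = """\
snmp-server community dellOS10 rw acl dellacl
snmp-server host 1.1.1.1 traps version 3 priv user01 udp-port 32 entity lldp
snmp-server user n3user ngroup 3 auth sha EXAMPLE-AUTH priv aes EXAMPLE-PRIV
ntp authenticate
ntp server 10.0.0.1
ntp authentication-key 2 sha2-256 0 EXAMPLE-KEY
ntp trusted-key 2
"""


def audit(config):
    """Return sorted (line number, finding) pairs for weak SNMP and NTP settings."""
    findings = []
    ntp_keys = {}          # key number -> line where it is defined
    trusted = set()        # key numbers named by ntp trusted-key
    server_line = None
    authenticated = False

    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        head = t[:2]
        if head == ["snmp-server", "community"] and len(t) >= 4:
            if t[3] == "rw" and "acl" not in t[4:]:
                findings.append((n, "read-write community %r has no ACL" % t[2]))
        elif head == ["snmp-server", "host"] and "version" in t:
            after = t[t.index("version") + 1:] + ["", ""]
            version, level = after[0], after[1]
            if version in ("1", "2c"):
                findings.append((n, "SNMPv%s notifications carry the community unencrypted" % version))
            elif version == "3" and level == "noauth":
                findings.append((n, "SNMPv3 notifications sent with noauth"))
        elif head == ["snmp-server", "user"]:
            if ("priv", "des") in zip(t, t[1:]):
                findings.append((n, "user %s encrypts with DES 56-bit; aes is available" % t[2]))
        elif head == ["ntp", "authentication-key"] and len(t) >= 4:
            ntp_keys[t[2]] = n
            if t[3] == "md5":
                findings.append((n, "NTP key %s uses md5; sha2-256 is available" % t[2]))
        elif head == ["ntp", "trusted-key"] and len(t) >= 3:
            trusted.add(t[2])
        elif head == ["ntp", "server"] and server_line is None:
            server_line = n
        elif t == ["ntp", "authenticate"]:
            authenticated = True

    # Checks that need the whole configuration.
    if server_line is not None and not authenticated:
        findings.append((server_line, "ntp server is configured but ntp authenticate is not"))
    for number, n in ntp_keys.items():
        if number not in trusted:
            findings.append((n, "NTP key %s has no matching ntp trusted-key" % number))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, text in audit(WEAK_CONFIG):
        print("line %d: %s" % (line_no, text))
```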
Usage Information Use this command to configure OS10 to not listen to a particular server and prevent the interface from receiving NTP packets. The no version of this command reenables NTP on an interface. Example Supported Releases OS10(conf-if-eth1/1/7)# ntp disable 10.2.0E or later ntp enable vrf Enables NTP for the management or nondefault VRF instance. Syntax ntp enable vrf {management | vrf-name} Parameters ● management—Enter the keyword to enable NTP for the management VRF instance.
Default Not configured Command Mode CONFIGURATION Usage Information You can configure multiple time-serving hosts. From these time-serving hosts, the system chooses one NTP host to synchronize with. To determine which server to select, use the show ntp associations command. Dell Technologies recommends limiting the number of hosts you configure, as many polls to the NTP hosts can impact network performance. Example Supported Releases OS10(config)# ntp server eureka.com 10.2.
show ntp associations Displays the NTP master and peers. Syntax show ntp associations [vrf {management | vrf-name}] Parameters ● management—Enter the keyword to display NTP information corresponding to the management VRF instance. ● vrf-name—Enter the keyword then the name of the VRF to display NTP information corresponding to that nondefault VRF instance.
Command Mode EXEC
Usage Information None
Example (Status)
OS10# show ntp status
system peer: 0.0.0.0
system peer mode: unspec
leap indicator: 11
stratum: 16
precision: -22
root distance: 0.00000 s
root dispersion: 1.28647 s
reference ID: [73.78.73.84]
reference time: 00000000.00000000 Mon, Jan 1 1900 0:00:00.000
system flags: monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.
PTP is more accurate than NTP because it uses hardware timestamping. PTP also accounts for device latency while synchronizing time. NTP synchronizes clocks with millisecond accuracy; PTP achieves submicrosecond accuracy. OS10 supports PTP on all platforms that support hardware time stamping. PTP-enabled devices consist of the following clock types: Ordinary clock A device with a single physical port is called an ordinary clock. This device could take on a master or slave clock role.
Message types
● Event messages: Timed messages with an accurate timestamp that is generated at both the transmit time and receive time.
○ Sync—Master sends a Sync message to distribute the time of the day.
○ Delay_Req—Slave sends a Delay_Req message to the master for end-to-end delay measurement, the request-response delay mechanism.
○ Pdelay_Req—Link node A sends a Pdelay_Req message to measure peer-to-peer delay.
○ Pdelay_Resp—Link node B sends a Pdelay_Resp message to measure peer-to-peer delay.
The following is the sequence of PTP messages during time synchronization:
1. Master sends a Sync message and makes note of the time t1 when the message was sent.
2. Slave receives the Sync message and makes note of the time t2 when the message was sent.
3. Master embeds the timestamp t1 in the Follow-Up message.
4. Slave sends a Delay_request message to the master and makes note of the time t3 when the message was sent.
● Priority1—Has the highest preference in the list of attributes that are used for master clock device selection. ● Priority2—Has the fifth preference in the list of attributes that are used for master clock device selection. ● LocalPriority—(Applicable only for the G.8275.1 profile) Determines the master clock device when two clocks are similar to each other.
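How the attribute order decides the master clock, and a check that the clock you intend is the one that wins, as an added example that is not Dell's code. It assumes the IEEE 1588 default comparison order (priority1, clock class, accuracy, variance, priority2, clock identity) and does not model the G.8275.1 LocalPriority step; the first two datasets use values shown in this chapter's show ptp output, while the accuracy codes and the third clock are constructed.

```python
from dataclasses import dataclass

ATTRIBUTES = ("priority1", "clock class", "accuracy", "variance",
              "priority2", "clock identity")


@dataclass(frozen=True)
class ClockDataset:
    identity: str      # clock identity in the form printed by "show ptp clock"
    priority1: int
    clock_class: int
    accuracy: int      # constructed ordinal code: lower means more accurate
    variance: int      # offset log scaled variance
    priority2: int

    def rank(self):
        """Comparison key in order of preference; the lowest tuple wins."""
        ident = bytes.fromhex(self.identity.replace(":", ""))
        return (self.priority1, self.clock_class, self.accuracy,
                self.variance, self.priority2, ident)


def elect_grandmaster(clocks):
    """Return the dataset that the attribute comparison selects."""
    return min(clocks, key=ClockDataset.rank)


def review_election(clocks, expected_identity):
    """List every clock that would be preferred over the intended grandmaster,
    naming the first attribute that decides the comparison."""
    expected = next((c for c in clocks if c.identity == expected_identity), None)
    if expected is None:
        return ["expected grandmaster %s is not announcing" % expected_identity]
    warnings = []
    for clock in clocks:
        if clock is expected or clock.rank() >= expected.rank():
            continue
        decided = next(name for name, a, b in
                       zip(ATTRIBUTES, clock.rank(), expected.rank()) if a != b)
        warnings.append("%s outranks %s on %s"
                        % (clock.identity, expected_identity, decided))
    return warnings


# Grandmaster and boundary clock values as printed in this chapter.
GRANDMASTER = ClockDataset("00:16:00:ff:fe:00:02:00", 100, 6, 1, 0, 128)
BOUNDARY = ClockDataset("68:4f:64:ff:ff:01:db:ec", 128, 248, 1, 0, 128)
# Constructed: a poor-quality clock left with a lower priority1 value.
DRIFTED = ClockDataset("aa:bb:cc:ff:fe:00:00:01", 90, 248, 5, 0, 128)

if __name__ == "__main__":
    print(elect_grandmaster([GRANDMASTER, BOUNDARY]).identity)
    print(review_election([GRANDMASTER, BOUNDARY, DRIFTED], GRANDMASTER.identity))
```

Because priority1 is compared before clock quality, the constructed third clock wins despite its class of 248, which is the condition the review function reports.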
The following table describes the system clock behavior depending on whether you choose PTP or NTP as the system time source: Table 35. System clock behavior System time settings/time source System clock behavior When PTP is the system time source: ○ You cannot configure the system as an NTP client. ○ If you configure the PTP clock and it is phase locked, PTP sets the time. ○ If you do not configure the PTP clock and it is not phase locked, the free-running system clock sets the time.
● Configure boundary clock with L2 transport method
● Configure boundary clock with IPv4 multicast transport method
● Configure boundary clock with IPv4 unicast transport method
● Configure end-to-end transparent clock
● Configure boundary clock with IPv4 unicast transport method and L3 VLAN
Global configurations
You can configure the following settings globally.
Configure the PTP clock
Configure the PTP clock type on the switch and optionally specify a profile for the clock.
To enable PTP on an interface: OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp enable Configure the PTP role A PTP interface can operate in master or slave role. To configure PTP role: OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp role master NOTE: The PTP role is set to dynamic by default. If the role is set to dynamic, PTP uses the BMCA to select the master or slave role.
NOTE: If you are configuring PTP on an OS10 switch that functions as a virtual router, configure the local IP address as the source IP address for UNICAST TRANSPORT mode. Do not configure the virtual IP address as the source IP address. Configure a PTP VLAN You can configure a VLAN on a PTP-enabled interface. If you configure a VLAN on the grandmaster clock, the grandmaster clock can drop untagged packets.
View the PTP clock and synchronization
OS10# show ptp clock
PTP Clock : Boundary
Clock Identity : 68:4f:64:ff:ff:01:db:ec
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Clock Mode : One-step
Clock Quality
Class : 248
Accuracy : <=100ns
Offset Log Scaled Variance : 0
Domain : 0
Priority1 : 128
Priority2 : 128
Profile : System-default
Steps Removed : 1
Mean Path Delay(ns) : 68
Offset From Master(ns) : 6
Number of Ports : 2
View the PTP local parent and grandmaster clock
OS10# show ptp parent
Parent
View the count of PTP packets sent to or received on an interface OS10# show ptp peer Interface : Ethernet1/1/22 Total number of peers : 1 Peer index : 0 Peer Clock Identity Peer Port number Peer Port Address Receiving Interface Announce messages transmitted Announce messages received Sync messages transmitted Sync messages received Follow up messages transmitted Follow up messages received Delay request messages transmitted Delay request messages received Delay response messages transmitted Delay response
Configure a boundary clock with two PTP interfaces using L2 transport method. The interface that is connected to the grandmaster clock or the best master clock becomes the slave device. The other interface becomes the master clock. 1. Configure the PTP boundary clock. The delay mechanism of the boundary clock is end-to-end by default. OS10(config)# ptp clock boundary 2. Enable PTP on interface 1 with L2 multicast transport mode. PTP role is dynamic by default.
Configure a boundary clock with two PTP interfaces using IPv4 multicast transport. The interface that is connected to the grandmaster clock or the best master clock becomes the slave device. The other interface becomes the master device. NOTE: For L3 interface, the interface IP address is used as the PTP multicast source IP address. If there is no interface IP address, then the multicast source IP address (GLOBAL CONFIGURATION mode) is used as the PTP source IP address. 1. Configure the PTP boundary clock.
Configure a boundary clock with two PTP interfaces using IPv4 unicast transport. Use unicast transport mode when you have clearly defined the role of each node in your deployment. 1. Configure the PTP boundary clock. The delay mechanism of the boundary clock is end-to-end by default. OS10(config)# ptp clock boundary 2. Enable PTP on interface 1 with IPv4 unicast transport mode.
● The OS10 switch sends all PTP packets to the multicast group address, 224.0.1.129. Ensure that the PTP-enabled interfaces are part of this multicast group. Use IGMP and PIM for multicast routing. You can enable the end-to-end transparent clock globally on the OS10 switch. The system applies this configuration on all the PTP-enabled interfaces. In the following example, port 1 is connected to the grandmaster clock and port 2 is connected to a slave device.
Use unicast transport mode when you have clearly defined the role of each node in your deployment. To configure a boundary clock with two PTP interfaces using IPv4 unicast transport method: 1. Configure the PTP boundary clock. The delay mechanism of the boundary clock is end-to-end by default. OS10(config)# ptp clock boundary 2. Enable PTP on interface 1 with IPv4 unicast transport mode. ● The interface is a trunk port.
Table 36. Example PTP topology—Switch connections, port numbers, and IP addresses From To Port number IP address CR1 GM Eth1/1/28:1 Nondefault VLAN 1 IP as source AG1 Eth1/1/1:1 (VLT PO11) AG1 Eth1/1/3:1 (VLT PO11) Global IPv4/IPv6 addresses: ● 10.0.0.
Table 36. Example PTP topology—Switch connections, port numbers, and IP addresses (continued) From AG1 AG2 TR1 AG3 AG4 TR2 To Port number IP address AG1 Eth1/1/3:1 (VLT PO11) AG1 Eth1/1/8:1 (VLT PO11) Global IPv4/IPv6 addresses: ● 10.0.0.
CR1 switch
1. Configure IP address for the VLAN and loopback interfaces.
CR1(config)# interface vlan1
CR1(conf-if-vl-1)# ip address 200.1.1.5/24
CR1(conf-if-vl-1)# exit
CR1(config)# interface loopback1
CR1(conf-if-lo-1)# ip address 10.0.0.5/32
CR1(conf-if-lo-1)# ipv6 address 10:0:0::5/128
2. Configure PTP globally.
CR1(config)# ptp clock boundary
CR1(config)# ptp local-priority 127
CR1(config)# ptp source ipv4 10.0.0.5
CR1(config)# ptp source ipv6 10:0:0::6
CR1(config)# ptp system-time enable
3.
CR2(config)# ptp source ipv6 10:0:0::6 CR2(config)# ptp system-time enable 3. Configure PTP on the interfaces.
AG1(conf-if-eth1/1/5:3)# ptp transport ipv4 multicast AG1(config)# interface ethernet 1/1/7:4 AG1(conf-if-eth1/1/7:4)# ptp enable AG1(conf-if-eth1/1/7:4)# ptp transport ipv4 multicast AG1(config)# interface ethernet 1/1/9:1 AG1(conf-if-eth1/1/9:1)# ptp enable AG1(conf-if-eth1/1/9:1)# ptp vlan 3002 AG1(conf-if-eth1/1/9:1)# ptp transport ipv6 unicast master AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::200a AG1(conf-ethernet1/1/9:1-ptp-ipv6-master)# slave 2001:101:2::200b AG1(conf-ethernet1/1/9
AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# slave 172.16.0.2 . . . AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# slave 172.16.0.39 AG2(conf-ethernet1/1/9:1-ptp-ipv4-master)# source 172.16.0.2 AG2(config)# interface ethernet 1/1/17:4 AG2(conf-if-eth1/1/17:4)# ptp enable AG2(conf-if-eth1/1/17:4)# ptp transport ipv6 multicast AG2(config)# interface ethernet 1/1/19:3 AG2(conf-if-eth1/1/19:3)# ptp enable AG2(conf-if-eth1/1/19:3)# ptp transport ipv4 multicast TR1 switch 1.
AG3 switch
1. Configure IP address for the loopback interface.
AG3(config)# interface loopback1
AG3(conf-if-lo-1)# ip address 10.0.0.3/32
AG3(conf-if-lo-1)# ipv6 address 10:0:0::3/128
2. Configure PTP globally.
AG3(config)# ptp clock boundary
AG3(config)# ptp source ipv4 10.0.0.3
AG3(config)# ptp source ipv6 10:0:0::3
AG3(config)# ptp system-time enable
3. Configure PTP on the interfaces.
2. Configure PTP globally.
TR2(config)# ptp clock boundary
TR2(config)# ptp source ipv4 10.0.0.11
TR2(config)# ptp source ipv6 10:0:0::b
TR2(config)# ptp system-time enable
3. Configure PTP on the interfaces.
Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information Debug log messages are stored in the following file: /var/log/ptp.log. The debug ptp system command logs all information about internal data structures and is useful for debugging issues. Example Supported Releases OS10# debug ptp servo level 2 10.5.1.0 or later master Configures master clocks for the PTP slave devices.
Usage Information When a timeout event occurs, the system selects a port with dynamic role to be the master. The no form of this command removes the configuration. Example (system default profile) Supported Releases OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp announce interval 1 OS10(conf-if-eth1/1/1)# ptp announce timeout 5 10.5.1.0 or later ptp clock Configures the PTP clock type on the switch and specifies the profile for the clock.
Security and Access Netadmin and sysadmin Usage Information This configuration is only applicable for the boundary clock. The no form of this command removes the configuration. Example Supported Releases OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp delay-mechanism end-to-end 10.5.1.0 or later ptp delay-req-min-interval Configures the minimum interval between delay request messages.
Supported Releases 10.5.1.0 or later ptp enable Enables PTP on a physical or port channel interface. Syntax ptp enable Parameters None Defaults Disabled Command Mode INTERFACE CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The PTP protocol operates only on interfaces with a network address. Ensure that you have configured the PTP transport method for the interface using the ptp transport command.
Defaults 128 Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information The clock with the lowest priority1 value becomes the master clock. The lower the value of this attribute, the higher is the priority. The no form of this command removes the configuration. Example Supported Releases OS10(config)# ptp priority1 125 10.5.1.0 or later ptp priority2 Configures the priority2 attribute for advertising PTP clock.
Supported Releases 10.5.1.0 or later ptp source Configures the source IP address for the PTP multicast packets. Syntax ptp source {ipv4 ipv4-address | ipv6 ipv6-address} Parameters ● ipv4-address—Source IPv4 address for the PTP multicast packets ● ipv6-address—Source IPv6 address for the PTP multicast packets Defaults None Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information Supports both IPv4 and IPv6 addresses.
ptp system-time enable Configures the PTP clock to set the system time on the switch. Syntax ptp system-time enable Parameters enable—Enables the PTP clock and sets the system time from the PTP clock. Defaults Disabled Command Mode CONFIGURATION Security and Access Netadmin and sysadmin Usage Information When you enable this configuration, PTP sets the system time on the switch only if the servo clock is phase locked.
Usage Information ● For unicast transport, you must configure an IP address in INTERFACE mode or a source IP address (in UNICAST IP CONFIGURATION mode) to represent the interface. NOTE: If you are configuring PTP on an OS10 switch that functions as a virtual router, configure the local IP address as the source IP address for unicast transport mode. Do not configure the virtual IP address as the source IP address.
Security and Access Netadmin and sysadmin Usage Information None Example Boundary clock Example Boundary clock configured in hybrid mode Example End-to-end transparent clock Supported Releases OS10# show ptp PTP Clock : Boundary Clock Identity : 68:4f:64:ff:ff:01:db:ec Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00 Clock Mode : One-step Clock Quality Class : 248 Accuracy : <=100ns Offset Log Scaled Variance : 0 Domain : 0 Priority1 : 128 Priority2 : 128 Profile : System-default Steps Removed :
show ptp clock Displays information about the local PTP clock and synchronization.
Total Announce messages Sent Total Announce messages Received Total Sync messages Sent Total Sync messages Received Total Follow Up messages Sent Total Follow Up messages Received Total Delay Request messages Sent Total Delay Request messages Received Total Delay Response messages Sent Total Delay Response messages Received Total Management messages Sent Total Management messages Received Total Signaling messages Sent Total Signaling messages Received Summary: Tx messages Rx messages Lost messages Interface
0(Best)00:16::1 6 <=100ns 0 100 128 437 eth1/1/22 ------------------------------------------------------------------------Supported Releases 10.5.1.0 or later show ptp interface Displays PTP information about the interface. Syntax show ptp interface [{ethernet node/slot/port[:subport]} | {port-channel port-channel-id}] Parameters ● ethernet node/slot/port[:subport]—Enter the Ethernet interface information. ● port-channel port-channel-id—Enter the port channel interface number.
Usage Information This command is not applicable for transparent clocks.
Example
OS10# show ptp parent
Parent Clock Idenitity : 00:16:00:ff:fe:00:02:00
Parent Port Number : 1
Grandmaster Clock Identity : 00:16:00:ff:fe:00:02:00
Grandmaster Clock Quality
Class : 6
Accuracy : <=100ns
OffsetLogScaledVariance : 0
Grandmaster Clock Priority1 : 100
Grandmaster Clock Priority2 : 128
Supported Releases 10.5.1.
Sync messages transmitted Sync messages received Follow up messages transmitted Follow up messages received Delay request messages transmitted Delay request messages received Delay response messages transmitted Delay response messages received Management messages transmitted Management messages received Signaling messages transmitted Signaling messages received Supported Releases 10.5.1.0 or later show ptp servo Displays PTP servo information such as servo state and lock status.
PTP Timescale : False
Time source : Gps
Supported Releases 10.5.1.0 or later
slave
Configures the IP address of PTP slave devices for the master clock.
Syntax slave ip-address
Parameters ip-address—IP address of the slave clock device
Defaults No default IP address; unicast negotiation disabled
Command Mode INTERFACE CONFIGURATION - MASTER submode
Security and Access Netadmin and sysadmin
Usage Information You can configure the IP addresses of multiple slaves.
Example - SLAVE submode Supported Releases OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# ptp transport ipv4 unicast slave OS10(conf-ethernet1/1/1-ptp-ipv4-slave)# source 10.10.10.2 10.5.1.0 or later Synchronous Ethernet (SyncE) Frequency and time synchronization over a network is a key requirement for network service providers.
Table 37. Supported standards Supported standards Description G.8261 Timing and synchronization aspects in packet networks. NOTE: For G.8261, test cases 12-17 defined in Appendix VI of G.8261 standard can be performed only in a future OS10 release with ITU.G.8275.2 profile support. G.8262 Timing characteristics of the Synchronous Ethernet Equipment Clock (EEC). G.8262.1 Timing characteristics of the enhanced Synchronous Ethernet Equipment Clock (eEEC). G.
Manage clock selection Clock synchronization depends to a large extent on QL or priority of the clock sources. However, you can influence clock selection by modifying the following clock properties: ● Force switch—The switch forcibly selects a clock source regardless of its availability or quality. Use the sync-e switch force command to override the currently selected synchronization source. Ensure that the new source clock is enabled and is not locked out.
Figure 1. SyncE sample configuration
The following sections explain the minimum configurations that are required to set up different modes of SyncE and hybrid clocking:
● SyncE QL-enabled mode with ESMC and SSM
● SyncE QL-disabled mode
● PTP and SyncE enabled on different Ethernet ports
● PTP and SyncE enabled on same Ethernet ports
Example - SyncE QL-enabled mode with ESMC and SSM
SyncE is configured in the QL-enabled mode and ESMC is enabled on Switch A and Switch B.
6. Verify the SyncE configuration.
Eth1/1/1 128 QL-PRC Up Available Primary
-----------------------------------------------------------------
Example - SyncE QL-disabled mode
In this example, SyncE is configured in the QL-disabled mode. In SyncE QL-disabled mode, QL value is not used for clock selection. To select any specific synchronization clock source, you can configure interface-level priority. If the interface-level priority is not configured, an arbitrary reference source from the available valid clock sources is selected.
1. Enable SyncE on the switch. SwitchB: configure terminal SwitchB(config)# sync-e enable 2. Set the SyncE mode to QL-disabled. SwitchB(config)# sync-e mode ql-disabled 3. Enable SyncE on the interfaces that are connected to the clock sources and interfaces transmitting to the neighboring SyncE node. SwitchB(config)# interface ethernet 1/1/1 SwitchB(conf-if-eth1/1/1)# sync-e enable 4. Verify the SyncE configuration.
SwitchA(conf-if-eth1/1/2)# exit
SwitchA(config)# interface ethernet 1/1/3
SwitchA(conf-if-eth1/1/3)# sync-e enable
5. Enable ESMC mode on the interfaces that are connected to the clock sources and interfaces transmitting ESMC to the neighboring SyncE nodes.
SwitchA(config)# interface ethernet 1/1/2
SwitchA(conf-if-eth1/1/2)# sync-e esmc rx-only
SwitchA(conf-if-eth1/1/2)# exit
SwitchA(config)# interface ethernet 1/1/3
SwitchA(conf-if-eth1/1/3)# sync-e esmc tx-only
6.
Number of slave ports :1
Number of master ports :1
9. Verify the PTP state and lock status.
switchA# show ptp servo
Servo State : Locked
Lock Status : Phase-locked
Switch B configuration
1. Enable SyncE on the switch.
SwitchB: configure terminal
SwitchB(config)# sync-e enable
2. Enable SyncE mode of QL operation.
SwitchB(config)# sync-e mode ql-enabled
3. Configure the SSM network option (default is option-1 for Europe).
SwitchB(config)# sync-e ssm-network-option 1
4.
Clock Quality
Class : 248
Accuracy : <=25ns
Offset Log Scaled Variance : 0
Domain : 0
Priority1 : 128
Priority2 : 128
Profile : System-default
Steps Removed : 1
Mean Path Delay(ns) : 176
Offset From Master(ns) : -8
Number of Ports : 1
------------------------------------------------------
Interface State Port Identity
------------------------------------------------------
Eth1/1/1 Slave 20:04:0f:ff:ff:0d:5b:56:2
------------------------------------------------------
Number of slave ports :1
Number of master ports
5. Enable ESMC mode on the interfaces that are connected to the clock sources and interfaces transmitting ESMC to the neighboring SyncE nodes.
SwitchA(config)# interface ethernet 1/1/1
SwitchA(conf-if-eth1/1/1)# sync-e esmc rx-tx
SwitchA(conf-if-eth1/1/1)# exit
SwitchA(config)# interface ethernet 1/1/2
SwitchA(conf-if-eth1/1/2)# sync-e esmc rx-only
SwitchA(conf-if-eth1/1/2)# exit
SwitchA(config)# interface ethernet 1/1/3
SwitchA(conf-if-eth1/1/3)# sync-e esmc tx-only
6.
------------------------------------------------------
Number of slave ports :1
Number of master ports :1
9. Verify the PTP state and lock status.
switchA# show ptp servo
Servo State : Locked
Lock Status : Phase-locked
Switch B configuration
1. Enable SyncE on the switch.
SwitchB: configure terminal
SwitchB(config)# sync-e enable
2. Enable SyncE mode of QL operation.
SwitchB(config)# sync-e mode ql-enabled
3. Configure the SSM network option (default is option-1 for Europe).
Grandmaster Clock Identity : 00:11:00:ff:fe:00:00:01
Clock Mode : One-step
Clock Quality
Class : 248
Accuracy : <=25ns
Offset Log Scaled Variance : 0
Domain : 0
Priority1 : 128
Priority2 : 128
Profile : System-default
Steps Removed : 1
Mean Path Delay(ns) : 176
Offset From Master(ns) : -8
Number of Ports : 1
------------------------------------------------------
Interface State Port Identity
------------------------------------------------------
Eth1/1/1 Slave 20:04:0f:ff:ff:0d:5b:56:2
-------------------------
Usage Information This command clears the lockout state on a specific interface or all the interfaces. After clearing the lockout status, the SyncE clock source on the interface is considered available for the selection process. Example Supported Releases OS10# clear sync-e lockout ethernet 1/1/1 10.5.2.1 or later clear sync-e switch Clears the manual or forced selection of a clock source.
● g781—Enables G.781-related debug logs. Default None Command Mode EXEC Security and Access Netadmin and sysadmin Usage Information The debug log messages are logged in the /var/log/synce.log file. Example Supported Releases OS10# debug sync-e esmc 10.5.2.1 or later show debug sync-e Shows the debug options enabled for Sync-E.
Example - QL-enabled mode Example - QL-disabled mode Supported Releases
OS10# show sync-e
QL Mode : QL-Enabled
Lock Status : Locked
QL Out : QL-SSU-A
Selection Process State : State 1A (QL-enabled and no active switch request)
Primary Reference Interface : Ethernet1/1/1
Secondary Reference Interface : Ethernet1/1/2
Selected Reference Clock Identity : 3c:2c:30:ff:fe:04:05:80
Local Clock Identity : d8:9e:f3:ff:fe:ab:47:20
SSM Network Option : Option-1
Hold-off Time : 300 ms
Wait-To-Restore Time : 300 secs
Sy
Number of event packets received Number of Tx event packets discarded Number of Rx event packets discarded Number of information packets transmitted Number of information packets received Number of Tx information packets discarded Number of Rx information packets discarded Number of invalid packets discarded Summary: Transmitted packets Received packets Discarded packets Supported Releases : : : : : : : : 0 0 0 8770 11271 0 0 0 : 8771 : 11271 : 0 10.5.2.
Status Signal State Priority ESMC Capability QL QL Received QL Transmitted Hold-off Time Wait-To-Restore Time Example - QLdisabled mode Supported Releases : : : : : : : : : Primary Up 128 Rx and Tx QL-SSU-A QL-SSU-A QL-DNU 300 ms 5 secs OS10# show sync-e interface Interface : Ethernetl/1/1 SyncE : Enabled State : Available Status : Secondary Signal State : Up Priority : 128 ESMC Capability : QL : QL Received : QL Transmitted : Hold-off Time : 300 ms Wait-To-Restore Time : 300 secs Interface : Ethernetl/
Supported Releases 10.5.2.1 or later sync-e esmc Enables Ethernet Synchronization Messaging Channel (ESMC) capability on an interface. Syntax [no] sync-e esmc {disable | rx-only | rx-tx | tx-only} Parameters ● disable—Disables ESMC capability on an interface. ● rx-only—Configures an interface to receive ESMC quality level (QL) values for participating in clock selection process. ● rx-tx—Configures an interface to receive and transmit ESMC QL values.
Parameters milliseconds—Enter the hold-off time interval in milliseconds, from 300 to 1800. Default 300 Command Mode ● CONFIGURATION ● INTERFACE CONFIGURATION Security and Access Netadmin and sysadmin Usage Information This command enables hold-off time for the SyncE interfaces. The hold-off-time is the time period for which the switch waits before removing the clock source from the clock selection process when it goes down.
Security and Access Netadmin and sysadmin Usage Information By default, the QL mode is set to ql-disabled and the priority value is used to select the clock source. When you configure the ql-enabled mode, the received QL value is used to select the clock source. The no form of this command removes the configuration. Example Supported Releases OS10(config)# sync-e mode ql-enabled 10.5.2.1 or later sync-e priority Configures the priority for the clock source of an interface.
Supported Releases 10.5.2.1 or later sync-e ssm-network-option Configures the synchronization network. Syntax [no] sync-e ssm-network-option {1 | 2} Parameters ● 1—Enable synchronization network designed for Europe. The following clock source QL values are supported for this SSM network: QL-ePRTC, QL-PRTC, QL-ePRC, QL-PRC, QL-SSU-A, QL-SSU-B, QL-eEEC, QL-EEC1 and QL-DNU. ● 2—Enable synchronization network designed for US.
Security and Access Netadmin and sysadmin Usage Information Use this command to manually select the clock source on the interface, provided the quality level of the clock source is not lower than that of the selected source. In QL-enabled mode, a manual switch can be performed only to a source that has the highest QL. Example Supported Releases OS10# sync-e switch manual ethernet 1/1/1 10.5.2.1 or later sync-e vlan Configures a VLAN for SyncE-enabled interface.
Supported Releases 10.5.2.1 or later Dynamic Host Configuration Protocol Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations, also known as hosts, based on configuration policies network administrators determine. DHCP server Network device offering configuration parameters to the client. DHCP client Network device requesting configuration parameters from the server.
2. Run the show ip interface brief command to verify if an IP address is assigned to ethernet 1/1/2 port. OS10# show ip interface brief Interface Name IP-Address OK Method Status Protocol ==================================================================================== ===== Ethernet 1/1/1 unassigned YES unset up up Ethernet 1/1/2 40.1.1.1/24 YES manual up up … 3. Re-enable the DHCP server because it failed to start initially.
DHCP Option Description Domain name server 6 — Domain name servers (DNS) that are available to the client Domain name 15 — Domain name that clients use to resolve hostnames via DNS IP address lease time 51 — Amount of time that the client uses an assigned IP address DHCP message type 53: ● 1 — DHCPDISCOVER ● 2 — DHCPOFFER ● 3 — DHCPREQUEST ● 4 — DHCPDECLINE ● 5 — DHCPACK ● 6 — DHCPNACK ● 7 — DHCPRELEASE ● 8 — DHCPINFORM Parameter request list 55 — A list of parameters that a DHCP client requires
Automatic address allocation Automatic address allocation is an address assignment method that the DHCP server uses to lease an IP address to a client from a pool of available addresses. You cannot configure an empty DHCP pool under a DHCP pool configuration. For a successful commit, you must have either a network statement or host/hardware-address (manual binding) configuration. An IP address pool is a range of addresses that the DHCP server assigns. Both IPv4 and IPv6 DHCP pool configuration is supported.
Default gateway Ensure the IP address of the default router is on the same subnet as the client. 1. Enable DHCP server-assigned dynamic addresses on an interface in CONFIGURATION mode. ip dhcp server 2. Create an IP address pool and provide a name in DHCP mode. pool name 3. Enter the default gateway(s) for the clients on the subnet in order of preference in DHCP mode.
1. Enable DHCP server-assigned dynamic addresses on an interface in CONFIGURATION mode. ip dhcp server 2. Create an IP address pool and enter the pool name in DHCP mode. pool name 3. Enter the NetBIOS WINS name servers in the order of preference that they are available to DHCP clients in DHCP mode. netbios-name-server ip-address 4. Enter the keyword Hybrid as the NetBIOS node type in DHCP mode.
In the following example, the pool host1, which is the fixed host mapping pool, inherits the subnet and other attributes from the pool hostnetwork, which is the DHCP client IP address pool. There is no matching network pool for host2. Therefore, the DHCP client with the MAC address 00:0c:29:aa:22:f4 does not obtain the correct parameters. OS10# show running-configuration interface ethernet 1/1/2 ! interface ethernet1/1/2 no shutdown no switchport ip address 100.1.1.
In OS10, the MLD snooping and the Unknown Multicast Flood Control feature are enabled by default. Hence, all the unknown multicast packets are dropped. In this case, the DHCPv6 solicit message is considered an unknown multicast packet and is dropped. For the DHCPv6 solicit messages to reach the DHCP server: 1. On the intermediate switch (L2 switch), you must do one of the following: ● Disable multicast snooping flood-restrict globally.
This option secures all DHCP traffic that goes through a DHCP relay agent, and ensures that communication between the DHCP relay agent and the DHCP server is not compromised. The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the DHCP server. The DHCP server includes Option 82 back in its response to the relay agent. The relay agent uses this information to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN.
Option-82 is enabled by default. If you disable Option-82 globally or on a specific interface, Option-82 sub-options such as 1, 2, 5, 11, 151, and 152 are also disabled. If you enable global DHCP snooping after disabling Option-82 globally, an error message displays. Similarly, if you disable Option-82 globally after enabling global DHCP snooping, an error message displays. If you enable DHCP snooping at the interface level, you cannot disable Option-82 at the VLAN interface level.
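To confirm what a relay agent actually inserts, the Option 82 payload can be decoded from the options field of a captured DHCP packet. The decoder below is an added example, not Dell code: the sub-option names come from RFC 3046, 3527, 5107 and 6607, and the sample bytes (including the circuit-id and remote-id values) are constructed.

```python
import ipaddress

# Sub-option codes listed on the page; names follow the defining RFCs.
SUBOPTION_NAMES = {
    1: "circuit-id",           # RFC 3046
    2: "remote-id",            # RFC 3046
    5: "link-selection",       # RFC 3527
    11: "server-id-override",  # RFC 5107
    151: "vss",                # RFC 6607
    152: "vss-control",        # RFC 6607
}


def tlv(code, value=b""):
    """Encode one code/length/value element (used to build the sample)."""
    return bytes([code, len(value)]) + value


def iter_tlvs(data, dhcp_framing=False):
    """Yield (code, value) pairs, rejecting elements that overrun the buffer.

    dhcp_framing=True honours the pad (0) and end (255) bytes of the DHCP
    options field; sub-options inside Option 82 have neither.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if dhcp_framing and code == 0:
            i += 1
            continue
        if dhcp_framing and code == 255:
            return
        if i + 2 > len(data):
            raise ValueError(f"code {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code}: value truncated")
        yield code, value
        i += 2 + length


def decode_vss(value):
    """RFC 6607: type 0 = ASCII VPN name, 1 = RFC 2685 VPN-ID, 255 = global."""
    if not value:
        raise ValueError("vss: empty value")
    vss_type, body = value[0], value[1:]
    if vss_type == 0:
        return {"type": 0, "vpn": body.decode("ascii")}
    if vss_type == 1:
        if len(body) != 7:  # 3-byte OUI + 4-byte index
            raise ValueError("vss type 1: expected 7-byte VPN-ID")
        return {"type": 1, "vpn": f"{body[:3].hex()}:{body[3:].hex()}"}
    if vss_type == 255:
        return {"type": 255, "vpn": None}
    raise ValueError(f"vss: unknown type {vss_type}")


def decode_option82(options):
    """Decode Option 82 from a DHCP options field; None if it is absent."""
    payload = next((v for c, v in iter_tlvs(options, True) if c == 82), None)
    if payload is None:
        return None
    decoded = {}
    for code, value in iter_tlvs(payload):
        name = SUBOPTION_NAMES.get(code, f"unknown-{code}")
        if code in (5, 11):
            if len(value) != 4:
                raise ValueError(f"{name}: expected a 4-byte IPv4 address")
            decoded[name] = str(ipaddress.IPv4Address(value))
        elif code == 151:
            decoded[name] = decode_vss(value)
        elif code == 152:
            decoded[name] = True  # zero-length flag sub-option
        else:
            decoded[name] = value  # circuit-id / remote-id: opaque bytes
    return decoded


# Constructed sample, not a capture: options of a relayed DHCPDISCOVER from
# a relay set up like the page's ethernet1/1/3 example (1.1.1.1/24, VSS
# type 0 "serverVRF"). Circuit-id and remote-id bytes are assumptions.
RELAY_IP = ipaddress.IPv4Address("1.1.1.1").packed
SAMPLE_OPTIONS = (
    tlv(53, b"\x01")
    + tlv(82, tlv(1, b"ethernet1/1/3")
          + tlv(2, bytes.fromhex("001122334455"))
          + tlv(5, RELAY_IP)
          + tlv(11, RELAY_IP)
          + tlv(151, b"\x00serverVRF")
          + tlv(152))
    + b"\xff"
)

if __name__ == "__main__":
    for name, value in decode_option82(SAMPLE_OPTIONS).items():
        print(f"{name:20} {value}")
```
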
If the client-connected interface is unnumbered, the server may not be able to reach the relay agent. This feature manually configures the interface for the relay agent to use as the source IP address for messages relayed to the DHCP server, which is used by the server to send the reply. This configuration allows the network administrator to specify a stable IP address (such as a Loopback interface). The specified interface IP address is used to fill the giaddr by the DHCP relay agent.
Loopback 0 is used as the relay source-interface for the default VRF clients. The server-override option is enabled on the default VRF. Configure the DHCP relay agent globally to insert the server ID override suboption (suboption-11) and link selection suboption (suboption-5) into the relay agent information option of the DHCP packet. The DHCP client sends a broadcast DHCP request on the network.
interface Ethernet 1/1/2 no shutdown ip address 20.1.1.1/24 DHCP Server OS10# show running-configuration ip dhcp ! ip dhcp server ! pool Client_1.1.1.0 network 1.1.1.0/24 default-router 1.1.1.254 range 1.1.1.2 1.1.1.10 ! pool Server_20.1.1.0 network 20.1.1.0/24 default-router 20.1.1.2 range 20.1.1.3 20.1.1.10 OS10# show running-configuration route ip route 1.1.1.0/24 20.1.1.1 ip route 3.1.1.0/24 20.1.1.
DHCP server is also configured with VRF pool default and hello for the same 1.1.1.x network range to assign the IP addresses to the clients requesting from the respective VRFs. Consider the following scenarios: ● The DHCP client sends a broadcast DHCP request on the network. ● The DHCP relay agent inserts the VRF vss-info value, server ID override suboption, and link selection suboption to its relay agent information option in the DHCP packet.
! interface ethernet1/1/2 no shutdown ip address 20.1.1.1/24 ! interface ethernet1/1/3 no shutdown ip vrf forwarding hello ip address 1.1.1.1/24 ip helper-address 30.1.1.2 vrf hello ip dhcp-relay vss-info type 0 serverVRF ! interface ethernet1/1/4 no shutdown ip vrf forwarding hello ip address 30.1.1.1/24 DHCP Server You must use a VRF aware DHCP server that is compliant with the following RFC standards: ● RFC 6607 - Virtual Subnet Selection Options (VSS). ● RFC 3527 - Link Selection sub-option.
Leaf1 configuration: 1. Enable DHCP Option-82 suboptions - link-selection, server-override, vss: OS10(config)# ip dhcp-relay link-selection OS10(config)# ip dhcp-relay server-override OS10(config)# ip dhcp-relay vss 2. Configure source interface (giaddr) to be used for DHCP relayed packets in each VRF. IP belonging to the loopback interface in underlay is given here as the server is reachable in the underlay network in default VRF. The response from the DHCP server comes to this IP in underlay default VRF.
3. Configure L3 virtual-network interface with VRF and IP address
OS10(config)# interface virtual-network 10001
OS10(conf-if-vn-10001)# ip vrf forwarding Yellow
OS10(conf-if-vn-10001)# ip address 10.1.0.1/24
OS10(conf-if-vn-10001)# ip virtual-router address 10.1.0.254
OS10(conf-if-vn-10001)#
OS10(config)# interface virtual-network 20001
OS10(conf-if-vn-20001)# ip vrf forwarding Green
OS10(conf-if-vn-20001)# ip address 10.2.0.1/24
OS10(conf-if-vn-20001)# ip virtual-router address 10.
OS10(conf-if-vn-20001)# ip dhcp-relay vss-info type 1 222:2222 OS10(conf-if-vn-20001)# ip helper-address 10.20.0.3 vrf Green OS10(conf-if-vn-10001)# exit Leaf3 configuration: 1. Enable DHCP Option-82 suboptions - link-selection, server-override, vss: OS10(config)# ip dhcp-relay link-selection OS10(config)# ip dhcp-relay server-override OS10(config)# ip dhcp-relay vss 2. Configure source interface (giaddr) to be used for DHCP relayed packets in each VRF.
OS10(config)# ip vrf Green OS10(conf-vrf)# ip route-import 0:0 OS10(conf-vrf)# exit OS10(config)# ip vrf Red OS10(conf-vrf)# ip route-import 0:0 OS10(conf-vrf)# exit OS10(config)# NOTE: If Border Leaf switch is already advertising a default route in each VRF to other VTEPs, there is no need to advertise this DHCP server route to other VTEPs. Otherwise, this leaked route could be advertised to other VTEPs using "advertise ipv4 connected" command under EVPN for each VRF. Leaf4 configuration: 1.
OS10(config)#
OS10(config)# ip vrf default
OS10(conf-vrf)# ip route-export 0:0 route-map RouteMap_DHCPServer
OS10(conf-vrf)# exit
OS10(config)# ip vrf Yellow
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)# ip vrf Green
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)# ip vrf Red
OS10(conf-vrf)# ip route-import 0:0
OS10(conf-vrf)# exit
OS10(config)#
NOTE: If Border Leaf switch is already advertising a default route in each VRF to other VTEPs, there is no need to
If there is a mismatch in the interface-ID option between the VLT peers, the DHCPv6 client originated packet is dropped and a log is created to indicate the interface-ID option mismatch. If there is a mismatch in the remote-ID option between the VLT peers, the DHCPv6 client originated packet is dropped and a log is created to indicate the remote-ID option mismatch. If DHCPv6 hostname is configured for prefix, then Dell EMC Networking recommends configuring the same hostname for both the VLT peers.
interface Ethernet 1/1/1 no shutdown switchport mode trunk switchport trunk allowed vlan 10 ipv6 dhcp-relay interface-id description PORT ! interface vlan 10 no shutdown ip address 1.1.1.1/24 ip helper-address 20.1.1.2 ipv6 dhcp-relay interface-id description VLAN ! interface Ethernet 1/1/2 no shutdown ip address 20.1.1.1 ! DHCP Server OS10(config)# ip dhcp server OS10(config-dhcp)# pool dell_1 OS10(config-dhcp-dell_1)# network 10.1.1.0/24 OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.
The remote identification is configured globally. By default, the DHCPv6 relay agent type 3 DUID (system MAC) is used as the remote-ID value. You can optionally configure a customized string. In VLT cases, the VLT MAC address is used to generate the DUID. The prefix is an optional parameter that is configured globally. You can configure the hostname, the VRF name, both the hostname and the VRF name, or a customized string as the prefix. Optionally, you can configure a DHCPv6 hostname.
! DHCPv6 Relay Agent 2: Global config: ipv6 dhcp-relay remote-id ipv6 dhcp-relay prefix remote-id hostname vrfname ipv6 dhcp-relay hostname DELL Interface configuration: OS10# show running-configuration interface Ethernet 1/1/1 no shutdown channel-group 10 mode active ! interface port-channel 10 no shutdown vlt-port-channel 10 ip address 10.1.1.0/24 ip helper-address 20.1.1.2 ip vrf forwarding red ! interface Ethernet 1/1/2 no shutdown ip address 20.1.1.
DHCPv4 relay counters The purpose of this feature is to enhance the DHCP relay component in OS10 to include interface DHCP relay packet counters. These counters are used to provide telemetry and debugging support. Overview The DHCPv4 relay agent maintains DHCPv4 relay counters per interface. These relay counters are configured for all the DHCP packets that are processed by the DHCP client-connected interfaces. You must configure DHCPv4 relay or helper address for the client-connected interfaces.
Use case - DHCPv4 relay counters Consider the following use case diagram in which three hosts (Host 1, Host 2 and Host 3) are connected to the L2 switch in VLAN 100. The DHCPv4 relay switch is connected to the L2 switch. The DHCPv4 relay is configured on interface Ethernet 1/1/14. The DHCP server is connected to the DHCPv4 relay switch in VLAN 200. The DHCP packets to and from the DHCP clients (Host 1, Host 2, and Host 3) are counted at the interface Ethernet 1/1/14 (client-connected interface).
In this scenario the DHCP clients (Host 1, 2, 3) are part of the VRF Blue. The DHCP packet sent by these DHCP clients reach the DHCP relay in VLAN 10 in the VRF Blue. In the VLAN 10, you must configure the helper-address with the DHCP server reachable VRF services. DHCP relay forwards the DHCP client packets to the DHCP server without route leaking by forwarding it in the services VRF.
In a VRRP scenario, the VRRP virtual IP is reachable from the DHCP clients; hence, it is used as the server-override option. NOTE: In the current implementation, SmartFabric Services OS10 supports enabling or disabling of the server-override option. If the server-override option is enabled, the anycast gateway is used as the server-override option. VRRP and anycast gateway are mutually exclusive. Hence, for VRRP to support the server-override option, VRRP virtual IP is used as the server-override option.
In this scenario, in the VLT pairs (VLT Peer 1 and VLT Peer 2) VRRP is enabled and the virtual IP is configured to achieve gateway redundancy. Alternatively, you can configure VLAN anycast gateway to achieve the gateway redundancy. VRRP and anycast gateway are mutually exclusive. The DHCP clients (Host 1, 2, 3) in VLAN 10 or VRF BLUE and DHCP clients (Host 1, 2, 3) in VLAN 20 or VRF RED use VRRP virtual IP as the default gateway.
● Lease time ● DHCP binding type – static or dynamic The switch considers DHCP servers connected to trusted interfaces on the switch as legitimate servers. When a switch receives DHCP server-initiated packets (UDP destination port 67) on an untrusted interface, it drops the packet. When a switch receives DHCP renew, release, or decline messages from a client, it checks the DHCP snooping binding table for a match.
DHCP snooping with DHCP relay In the following topology, the DHCP snooping switch is the DHCP relay agent for DHCP clients on VLAN 100. The DHCP server is reachable on VLAN 200 through eth 1/1/2. The switch forwards the client DHCP messages to the trusted DHCP server. The switch processes DHCP packets from the DHCP server before forwarding them to DHCP clients. As the rogue server is connected to the switch to the eth 1/1/3 interface which is untrusted, the switch drops DHCP packets from that interface.
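One way to check a saved running-configuration against the trust model described above, as an added example that is not from the Dell guide. It assumes `ip dhcp snooping trust` appears under the interface block where it was entered; the sample configuration is constructed, and the finding names are hypothetical labels chosen for this sketch.

```python
import re


def parse_running_config(text):
    """Split a running-configuration into global commands and a dict of
    interface name -> commands. Lines containing only '!' separate blocks."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        header = re.fullmatch(r"interface\s+(\S.*)", line)
        if header and not raw[0].isspace():
            # 'Ethernet 1/1/2' and 'ethernet1/1/2' both appear on the page.
            current = header.group(1).replace(" ", "").lower()
            interfaces[current] = []
        elif current is not None and raw[0].isspace():
            interfaces[current].append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_dhcp_snooping(text, expected_trusted):
    """Return sorted (finding, interface) tuples; an empty list means clean.

    expected_trusted is the operator's allow-list of server-facing ports.
    """
    global_cmds, interfaces = parse_running_config(text)
    expected = {n.replace(" ", "").lower() for n in expected_trusted}
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append(("snooping-disabled", "global"))
    trusted = {name for name, cmds in interfaces.items()
               if "ip dhcp snooping trust" in cmds}
    # A trusted port outside the allow-list accepts DHCP server packets
    # from whatever is plugged into it, including a rogue server.
    for name in trusted - expected:
        findings.append(("unexpected-trust", name))
    # An untrusted server-facing port drops the legitimate server's packets.
    for name in expected - trusted:
        findings.append(("server-port-untrusted", name))
    # ip helper-address is configured on client-connected interfaces, so
    # trust on the same interface means the client side is trusted.
    for name in trusted:
        if any(c.startswith("ip helper-address") for c in interfaces[name]):
            findings.append(("trust-on-client-side", name))
    return sorted(findings)


# Constructed sample modelled on the topology above: the server is reached
# through ethernet1/1/2, and ethernet1/1/3 has been trusted by mistake.
# 192.0.2.10 is a documentation address, not a value from the guide.
SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface vlan100
 no shutdown
 ip address 10.1.1.1/24
 ip helper-address 192.0.2.10
!
interface ethernet1/1/2
 no shutdown
 switchport access vlan 200
 ip dhcp snooping trust
!
interface ethernet1/1/3
 no shutdown
 switchport access vlan 100
 ip dhcp snooping trust
!
"""

if __name__ == "__main__":
    for finding, where in audit_dhcp_snooping(SAMPLE_CONFIG, {"ethernet1/1/2"}):
        print(f"{finding}: {where}")
```
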
DHCP snooping in a VLT environment OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize DHCP snooping binding information between them. The system interprets the VLTi link between VLT peers as trusted interfaces. To configure DHCP snooping in a VLT environment: ● Enable DHCP snooping on both VLT peers. ● Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.
Enable and configure DHCP snooping globally 1. Enable DHCP snooping globally in CONFIGURATION mode. ip dhcp snooping 2. Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode. ip dhcp snooping trust Add static DHCP snooping entry in the binding table ● Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.
● Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode. no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/ port/sub-port | port-channel port-channel-id] Example for removing static DHCP snooping entry in the binding table OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.
DHCP server OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no shutdown OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24 OS10(conf-if-eth1/1/1)# exit OS10(config)# ip dhcp server OS10(config-dhcp)# no disable OS10(config-dhcp)# pool dell_server1 OS10(config-dhcp-dell_server1)# lease 0 1 0 OS10(config-dhcp-dell_server1)# network 10.1.1.0/24 OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.
DHCP snooping switch as a relay agent This example uses a simple topology with a DHCP snooping switch configured as a DHCP relay agent. A DHCP server and a DHCP client are connected to the snooping switch through different VLANs. A rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.
DHCP server OS10# configure terminal OS10(config)# ip dhcp server OS10(config-dhcp)# no disable OS10(config-dhcp)# pool dell_1 OS10(config-dhcp-dell_1)# network 10.1.1.0/24 OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.250 OS10(config-dhcp-dell_1)# exit OS10(config-dhcp)# pool dell_2 OS10(config-dhcp-dell_2)# network 10.2.1.
● Enable DHCP snooping globally. OS10(config)# ip dhcp snooping VLAN configuration ● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address.
● Create a VLAN. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown VLT configuration 1. Create a VLT domain and configure VLTi. OS10(config)# interface range ethernet 1/1/4-1/1/5 OS10(conf-range-eth1/1/4-1/1/5)# no switchport OS10(conf-range-eth1/1/4-1/1/5)# exit OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5 2. Configure a VLT MAC address. OS10(conf-vlt-1)# vlt-mac 12:5e:23:f4:23:54 3.
The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages. The interface column displays the local VLT port channel number. OS10# show ip dhcp snooping binding Number of entries : 1 Codes : S - Static D - Dynamic IPv4 Address MAC Address Expires(Sec) Type Interface VLAN ======================================================================================= 10.1.1.
● Create another VLAN and assign an IP address to it which can communicate with the DHCP server. OS10# configure terminal OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# no shutdown OS10(conf-if-vl-200)# ip address 10.2.1.1/24 OS10(conf-if-vl-200)# exit ● Configure SW 1 as the DHCP relay agent for the clients in the VM. The IP address that you specify here is the IP address of the DHCP server OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# ip helper-address 10.2.1.
● Enable DHCP snooping globally. OS10(config)# ip dhcp snooping VLAN configuration ● Create a VLAN and assign an IP address to it which acts as the gateway for the VMs. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown OS10(conf-if-vl-100)# ip address 10.1.1.2/24 OS10(conf-if-vl-100)# exit ● Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10(conf-if-po-20)# exit OS10(config)# interface ethernet 1/1/1,1/1/6 OS10(conf-if-eth1/1/1,1/1/6)# no shutdown OS10(conf-if-eth1/1/1,1/1/6)# channel-group 20 (Optional) Peer routing configuration ● Configure peer routing. OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# peer-routing DHCP server VLAN configuration OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# ip address 10.2.1.
DAI violation logging You can configure the system to log DAI validation failures corresponding to ARP packets. DAI violations are logged at the console if it is enabled. DAI violation logging is disabled by default. If you configure an interface as trusted, the switch interprets ARP packets that ingress the interface from hosts as legitimate packets. By default, all interfaces are in DAI untrusted state. For DAI to work, enable the DHCP snooping feature on the switch. DAI is disabled by default.
Address Hardware Address Interface VLAN -------------------------------------------------------------------10.2.1.1 00:40:50:00:00:00 port-channel100 vlan3001 10.1.1.13 00:2a:10:01:00:00 port-channel100 vlan3001 10.1.1.62 00:2a:10:01:00:01 port-channel100 vlan3001 View DAI statistics You can view valid and invalid ARP requests that the switch has received and replies that the switch has sent.
Source IP and MAC address validation
This feature filters IP traffic, based on both source IP and source MAC addresses and permits traffic only from clients found in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:
● Source MAC address
● Source IP address
● The VLAN to which the client is connected
● The interface (physical or port channel) to which the client is connected
If there is a match, the switch forwards the packet.
2. Add names to complete unqualified hostnames in CONFIGURATION mode. ip domain-list name You can configure a domain name and list corresponding to a non-default VRF instance. 1. Enter a domain name corresponding to a non-default VRF instance in the CONFIGURATION mode. ip domain-name vrf vrf-name server-name 2. Add names to complete unqualified hostnames corresponding to a non-default VRF instance.
● port-channel id-number — (Optional) Specify the port-channel id-number on which you want to reset the DHCP packet statistics. ● vlan vlan-id — (Optional) Specify the VLAN vlan-id on which you want to reset the DHCP packet statistics. ● virtual-network vn-id — (Optional) Specify the virtual-network vn-id on which you want to reset the DHCP packet statistics.
Parameters ● vrf vrf-name — (Optional) Enter the keyword vrf and then the name of the VRF through which the host address can be reached. ● ipv6-address — Specify the DHCPv6 server address in the A::B format. Defaults Disabled Command Mode INTERFACE Usage Information Use this command on interfaces to which DHCPv6 clients connect, to forward the packets between IPv6 clients and a DHCPv6 server.
ip dhcp-relay vss Enables the support for the DHCPv4 Virtual Subnet Selection (VSS) option. Syntax ip dhcp-relay vss Parameters None. Defaults Disabled by default. Command Mode CONFIGURATION Usage Information After enabling the VSS option, the DHCPv4 virtual subnet selection support gets enabled globally. Additionally, to send VRF information to the DHCP server, you must configure the VSS type information on the respective DHCP client facing interfaces.
This command is restricted to netadmin and sysadmin role users.
● port-channel id-number - Enter the port channel interface type. ● vlan vlan-id - Enter the VLAN interface type. ● virtual-network vn-id - Enter the virtual network type. Defaults No source-interface configuration on the VRF and the client connected interface IP address is used by the relay for forwarding.
Supported Releases 10.5.2 or later ip dhcp-relay source-interface Configures the DHCP relay source interface to be used by the DHCP relay agents to forward the packets to and from the DHCP server.
Usage Information Disable the server identifier override (suboption-11) on the interface using the no ip dhcp-relay server-override command. If you enable server-override-enable globally, the DHCPv4 relay server identifier override option (suboption-11) is enabled on an interface by default. To avoid sending this option for selected clients, you must explicitly disable the option on the interface using the no ip dhcp-relay server-override command.
OS10(config)# ipv6 dhcp-relay interface-id ? Supported Releases 10.5.2.1 or later ipv6 dhcp-relay prefix Configures the prefix value for the interface-id. Syntax ipv6 dhcp-relay prefix [interface-id {hostname [vrfname] | vrfname [hostname] user-defined-string} Parameters ● hostname - System hostname or configured DHCPv6 hostname. ● vrfname - Interface VRF name. ● user-defined-string - User-defined string. The maximum length is 96 characters. Defaults None.
Usage Information After enabling the remote-id option, the enterprise number and DHCPv6 relay agent type 3 DUID based on the system MAC is used as the remote-ID value. For VLT cases, VLT MAC is used as the remote-id value by default. SmartFabric Services OS10 uses the type 3 DUID link-layer address (DUID-LL) for stability and persistence. You can optionally configure any customized value for the remote-id option. Colon ( : ) is not supported for the customized string prefix configuration.
OS10(config)# ipv6 dhcp-relay prefix remote-id hostname? vrfname Use interface vrfname OS10(config)# ipv6 dhcp-relay prefix remote-id vrfname? hostname User-defined string for hostname Supported Releases 10.5.2.1 or later ipv6 dhcp-relay hostname Configures the DHCPv6 hostname. Syntax ipv6 dhcp-relay hostname user-defined-string Parameters None Defaults None. Command Mode CONFIGURATION Usage Information You can optionally configure any customized value for the DHCPv6 relay hostname.
If the interface is part of VLAN, both VLAN and interface-name are used to update the default interface-id description. ● If VLAN has port channel, then default description is vlan-port_channel. (physical-port will not be present). ● If VLAN has physical port, then default description is vlan-physicalport. ● If vn has member port, then default description is vn-name only. If custom description is configured, then custom value is used as interface-id description.
● If the link selection field does not have an interface or anycast gateway IP, the link-selection field shows the value None
● If the server_override option is enabled, the server-override field displays Enabled()
● If the server_override option is enabled, and anycast gateway IP is not present, the server-override field displays Enabled(None)
● If the server_override option is disabled at the global or interface level, the server-override field displays Disabled
● If the VSS option
If the remote-id option is enabled, the show command displays the option-37 value which is sent in packet format:- remote-id (or) prefix:remote-id (if prefix is configured) If interface-id option is disabled, the corresponding show command field displays Disabled. If remote-id option is disabled, the corresponding show command field displays Disabled. If an interface is associated to a VLAN, then it is mandatory to give both VLAN and port information in the show command.
Supported Releases 10.5.2.1 or later show ip dhcp-relay-counters Displays the statistics of the DHCP packets received or transmitted by the relay agent. Syntax show ip dhcp-relay-counters {interface [ethernet node/slot/port | port-channel id-number | vlan vlan-id | virtual-network vn-id | }} Parameters ● interface — Displays the interface statistics corresponding to the DHCP packet.
Inform :0
Decline :0
PACKETS SENT
----------------------
Bootrequest :5
Booteply :4
Offer :2
Ack :2
Nack :0
PACKETS DROPPED
----------------------
Invalid opcode :0
Invalid option :0
Total Dropped :1
Supported Release 10.5.2.3 or later
show vlt mismatch dhcp-relay Displays the mismatch (if any), between the VLT peer for the DHCP relay options configuration on the Global level, VRF levels, and VLANs spanned across the VLT peers. Syntax show vlt vlt-domain mismatch dhcp-relay Parameters None.
---------------------------------------------------------------------* 1 type-0(Red) Present 2 type-1(ABC:1234) Not Present Supported Releases 10.5.2 or later show vlt mismatch dhcpv6-relay Displays the mismatch (if any), between the VLT peer for the DHCPv6 relay options configuration on the Global level, VLT port-channel, and VLANs and VxLANs spanned across the VLT peers. Syntax show vlt vlt-domain mismatch dhcpv6-relay Parameters None.
* 1 2 custom(force10) default VLT-PORTCHANNEL: 100 VLT Unit ID description -------------------------------------------------------------* 1 custom(force10) 2 custom(santaclara) Supported Releases 10.5.2.0 or later show vlt mismatch Displays mismatches in a VLT domain configuration.
VLAN mismatch: No mismatch VLT VLAN mismatch: VLT ID : 1 VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 VLT ID : 2 VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 Example (mismatch peer routing) Example (mismatch VLAN) OS10# show vlt 1 mismatch peer-routing Peer-routing mismatch: VLT Unit ID Peer-routing ---------------------------* 1 Enabled 2 Disabled OS10# show vlt 1 mismatch vlan VLAN mismatch: VLAN L2 mismatch: VLT Unit ID Mismatch VLAN List ------
Example (mismatch of VN mode) Example (mismatch of port and VLAN list) OS10# show vlt all mismatch virtual-network Virtual Network: 102 VLT Unit ID Configured Virtual Network Mode --------------------------------------------1 PV * 2 Attached OS10# show vlt all mismatch virtual-network Virtual Network: 102 VLT Unit ID Mismatch (VLT Port,Vlan) List -----------------------------------------1 * 2 (vlt-port-channel10,vlan99) Virtual Network: 103 VLT Unit ID Mismatch (VLT Port,Vlan) List -----------------------
configured on one of the virtual networks on both peers) Virtual-network: 10 VLT Unit ID Anycast-IP -------------------------1 10.16.128.25 * 2 ABSENT Virtual-network: 20 VLT Unit ID Anycast-IP -------------------------1 ABSENT * 2 10.16.128.30 Example (Virtual network mismatch and Anycast IP addresses mismatch) Interface virtual-network Anycast-IP mismatch: Virtual-network: 10 VLT Unit ID Anycast-IP --------------------------1 10.16.128.25 * 2 10.16.128.
VLAN: 4000 VLT Unit ID Anycast-IPs -------------------------------* 1 Not configured 2 Example (mismatch dhcprelay) 8.7.6.
DHCP server commands default-router address Assigns a default gateway to clients based on the IP address pool. Syntax default-router address [address2...address8] Parameters ● address — Enter an IPv4 or IPv6 address to use as the default gateway for clients on the subnet in A.B.C.D or A:B format. ● address2...address8 — (Optional) Enter up to eight IP addresses, in order of preference.
dns-server address Assigns a DNS server to clients based on the address pool. Syntax dns-server address [address2...address8] Parameters ● address — Enter the DNS server IP address that services clients on the subnet in A.B.C.D or A::B format. ● address2...address8 — (Optional) Enter up to eight DNS server addresses, in order of preference. Default Not configured Command Mode DHCP-POOL Usage Information None Example Supported Releases OS10(conf-dhcp-Dell)# dns-server 192.168.1.1 10.2.
ip dhcp server
Enters DHCP configuration mode.
Syntax ip dhcp server
Parameters None
Default Not configured
Command Mode CONFIGURATION
Usage Information Use the ip dhcp server command to enter the DHCP mode required to enable DHCP server-assigned dynamic addresses on an interface.
Example
OS10(config)# ip dhcp server
OS10(conf-dhcp)#
Supported Releases 10.2.0E or later
lease
Configures a lease time for the IP addresses in a pool.
Supported Releases 10.2.0E or later netbios-node-type Configures the NetBIOS node type for the DHCP client. Syntax netbios-node-type type Parameters type — Enter the NetBIOS node type: ● Broadcast — Enter b-node. ● Hybrid — Enter h-node. ● Mixed — Enter m-node. ● Peer-to-peer — Enter p-node. Default Hybrid Command Mode DHCP-POOL Usage Information The no version of this command resets the value to the default. Example Supported Releases OS10(conf-dhcp-Dell)# netbios-node-type h-node 10.2.
Example
OS10(conf-dhcp)# pool Dell
OS10(conf-dhcp-Dell)#
Supported Releases 10.2.0E or later
range
Configures a range of IP addresses.
Syntax range {ip-address1 [ip-address2]}
Parameters
● ip-address1 — First IP address of the IP address range.
● ip-address2 — Last IP address of the IP address range.
DHCP snooping commands
arp inspection
Enables Dynamic ARP Inspection (DAI) on a VLAN.
Syntax arp inspection
Parameters None
Defaults Disabled
Command Mode INTERFACE VLAN
Usage Information Dell EMC Networking recommends enabling DAI before enabling DHCP snooping.
Example
OS10(conf-if-vl-230)# arp inspection
Supported Releases 10.5.0 or later
arp inspection-trust
Configures a port as trusted so that ARP frames are not validated against the DAI database.
clear ip arp inspection statistics Clear the Dynamic ARP Inspection statistics. Syntax clear ip arp inspection statistics [vlan vlan-id] Parameters ● vlan vlan-id—Enter the VLAN ID. The range is from 1 to 4093. Defaults None Command Mode EXEC Usage Information This command is accessible to users with sysadmin and secadmin roles. Example (Global) Supported Release OS10# clear ip dhcp snooping binding 10.5.
Command Mode CONFIGURATION Usage Information When you enable this feature, the switch begins to monitor all transactions between DHCP servers and DHCP clients and use the information to build the DHCP snooping binding table. If you disable DHCP snooping, the system removes the DHCP snooping binding table. Source Address Validation and Dynamic ARP Inspection entries are also removed. This command is accessible to users with sysadmin and secadmin roles.
Before creating a static entry for a VLAN, create the VLAN. If you do not create a VLAN before creating a static entry, the system displays an error message. Before deleting a port-channel or VLAN, remove any associated DHCP snooping entries. This command is accessible to users with sysadmin and secadmin roles. The no version of this command deletes the static entry from the DHCP snooping binding table.
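The behaviour described in this section (a binding table built from snooped DHCP traffic, static entries that require an existing VLAN, trusted ports that skip validation, and the table being removed when snooping is disabled) can be modelled in a few lines. This is an added example, not OS10 code: the class and method names are hypothetical, the addresses are constructed sample values, and the ingress-port check is an assumption of the model.

```python
"""Toy model of DHCP snooping bindings and Dynamic ARP Inspection (DAI).

Added illustration only; not OS10 code. All class, method and field names
are hypothetical, and all addresses below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    static: bool = False


@dataclass
class SwitchModel:
    vlans: set = field(default_factory=set)              # VLANs that exist
    dai_vlans: set = field(default_factory=set)          # VLANs with "arp inspection"
    arp_trusted_ports: set = field(default_factory=set)  # "arp inspection-trust" ports
    snooping: bool = False
    table: dict = field(default_factory=dict)            # (vlan, ip) -> Binding

    def set_snooping(self, enabled):
        """Disabling snooping removes the whole binding table, as the guide states."""
        self.snooping = enabled
        if not enabled:
            self.table.clear()

    def dhcp_ack(self, ip, mac, vlan, port):
        """Learn a dynamic binding from a snooped server-to-client ACK."""
        if not self.snooping:
            return False
        self.table[(vlan, ip)] = Binding(ip, mac.lower(), vlan, port)
        return True

    def static_entry(self, ip, mac, vlan, port):
        """Add a static binding; the VLAN must already exist."""
        if vlan not in self.vlans:
            raise ValueError(f"VLAN {vlan} does not exist; create it first")
        self.table[(vlan, ip)] = Binding(ip, mac.lower(), vlan, port, static=True)

    def inspect_arp(self, sender_ip, sender_mac, vlan, port):
        """Return (verdict, reason) for one ARP frame."""
        if vlan not in self.dai_vlans:
            return ("forward", "DAI not enabled on this VLAN")
        if port in self.arp_trusted_ports:
            return ("forward", "trusted port, frame not validated")
        entry = self.table.get((vlan, sender_ip))
        if entry is None:
            return ("drop", "no binding for sender IP")
        if entry.mac != sender_mac.lower():
            return ("drop", "sender MAC differs from binding")
        if entry.port != port:  # assumption: the model also pins the ingress port
            return ("drop", "ingress port differs from binding")
        return ("forward", "matches binding")


def run_scenario():
    """Constructed scenario: one DHCP client, one static host, one trusted uplink."""
    sw = SwitchModel(vlans={230}, dai_vlans={230},
                     arp_trusted_ports={"ethernet1/1/2"})
    sw.set_snooping(True)
    sw.dhcp_ack("10.1.1.1", "12:D3:43:A1:2E:23", 230, "ethernet1/1/1")
    sw.static_entry("10.1.1.50", "00:00:5e:00:53:10", 230, "ethernet1/1/3")

    frames = {
        "client": ("10.1.1.1", "12:d3:43:a1:2e:23", 230, "ethernet1/1/1"),
        "static_host": ("10.1.1.50", "00:00:5e:00:53:10", 230, "ethernet1/1/3"),
        "mac_mismatch": ("10.1.1.1", "00:00:5e:00:53:66", 230, "ethernet1/1/4"),
        "moved_port": ("10.1.1.1", "12:d3:43:a1:2e:23", 230, "ethernet1/1/4"),
        "unknown_ip": ("10.1.1.99", "00:00:5e:00:53:77", 230, "ethernet1/1/4"),
        "via_trusted": ("10.1.1.99", "00:00:5e:00:53:77", 230, "ethernet1/1/2"),
        "other_vlan": ("10.1.1.99", "00:00:5e:00:53:77", 10, "ethernet1/1/4"),
    }
    verdicts = {name: sw.inspect_arp(*f) for name, f in frames.items()}

    try:
        sw.static_entry("10.9.9.9", "00:00:5e:00:53:99", 999, "ethernet1/1/5")
        static_on_missing_vlan = "accepted"
    except ValueError:
        static_on_missing_vlan = "rejected"

    sw.set_snooping(False)
    return verdicts, static_on_missing_vlan, len(sw.table)


if __name__ == "__main__":
    verdicts, static_result, remaining = run_scenario()
    for name, (verdict, reason) in verdicts.items():
        print(f"{name:13} {verdict:8} {reason}")
    print("static entry on missing VLAN:", static_result)
    print("bindings after disabling snooping:", remaining)
```

In the model, the same frame that is dropped on an untrusted port is forwarded on the trusted one, which is why the trusted set should be limited to ports whose ARP traffic you do not need validated.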
show ip arp inspection database Displays the contents of the DAI database. Syntax show ip arp inspection database Parameters None Defaults None Command Mode EXEC Usage Information This command displays the list of snooped hosts from which ARP packets were processed. Example OS10# show ip arp inspection database Number of entries : 3 Address Hardware Address Interface VLAN -----------------------------------------------------------------------55.2.1.
Address    Hw-Address          Port            VLAN   First-detected-time   Packet-count
-----------------------------------------------------------------------------
10.1.1.1   12:d3:43:a1:2e:23   ethernet1/1/1   10     00:23:14              2
Supported Releases 10.5.0 or later
show ip dhcp snooping binding
Displays the contents of the DHCP snooping binding table.
Syntax show ip dhcp snooping binding [vlan vlan-id]
Parameters
● vlan vlan-id—Enter the VLAN ID. The range is from 1 to 4093.
Supported Releases 10.2.0E or later ip domain-name Configures the default domain and appends to incomplete DNS requests. Syntax ip domain-name [vrf vrf-name] server-name Parameters ● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure the domain corresponding to that VRF. ● server-name — (Optional) Enter the server name the default domain uses. Default Not configured Command Mode CONFIGURATION Usage Information This domain appends to incomplete DNS requests.
Usage Information Example Supported Releases OS10 does not support sending DNS queries over a VLAN. DNS queries are sent out on all other interfaces, including the Management port. You can separately configure both IPv4 and IPv6 domain name servers. In a dual stack setup, the system sends both A (request for IPv4) and AAAA (request for IPv6) record requests to a DNS server even if you only configure this command. The no version of this command removes the IP name-server configuration.
● Use the following commands in the OS10 Linux Shell:
sudo systemctl enable docker
sudo systemctl start docker
NOTE: When you run the docker run command to create a container, you must use the --net=host parameter.
Install a Docker image
● To pull the latest Docker image from Docker Hub:
docker pull nginx
Or
docker pull nginx:latest
NOTE: Docker downloads the latest image if you do not specify the image file name.
● Open an interactive terminal inside a container:
docker exec -it container-name /bin/bash
Manage volumes
● Create a Docker volume:
docker volume create volume-name
● Run a Docker container with a volume mapped to "/work" inside the container:
docker run -d -it --net=host -v workvol1:/work puppet-agent /bin/bash
● Display details of a volume:
docker volume inspect volume-name
● List all the volumes in the system:
docker volume ls
● Remove a volume:
docker volume rm volume-name
Docker Management ● List all running Docker c
Low Latency Modes Low latency describes a system network that processes a high volume of data messages with minimal delay (latency). These networks support operations that require near real-time access to rapidly changing data. Use Low Latency mode to reduce the switching latency for timing-critical applications such as storage networks. By default, Low Latency mode is not enabled in OS10 switches. To achieve low latency, only the Memory Management Unit (MMU) Cut-Through (CT) mode is enabled.
11. Destination ports must have enough Egress Pipeline (EP) credits. The number of EP credits required depends on the port speed.
12. CPU-generated packets such as STP, LLDP, IGMP, and so on that go out of the destination port may momentarily affect the CT switching of data packets on that port.
Low Latency Modes CLI commands show switching-mode Displays the current configured switching-mode.
10 Interfaces You can configure and monitor physical interfaces (Ethernet), port-channels, and virtual local area networks (VLANs) in Layer 2 (L2) or Layer 3 (L3) modes. Table 43.
Unified port groups In an OS10 unified port group, all ports operate in either Ethernet or Fibre Channel (FC) mode. You cannot mix modes for ports in the same unified port group. To activate Ethernet interfaces, configure a port group to operate in Ethernet mode and specify the port speed. To activate Fibre Channel interfaces, see Fibre Channel interfaces. S4148U-ON On the S4148U-ON switch, the available Ethernet and Fibre Channel interfaces in a port group depend on the currently configured port profile.
interface ethernet1/1/41:1 no shutdown Z9264F-ON port-group profiles On the Z9264F-ON switch, the port-group profiles determine the available front-panel Ethernet ports and supported breakout interfaces. QSFP28 ports operate only in Ethernet mode. Use the port-group profile to configure breakout interfaces and specify the port speed. NOTE: The configuration steps to enable Ethernet interfaces on a Z9264F-ON port group are different than that of the S4100-ON series.
● 10g-4x — Split a port into four 10GE interfaces. 4. Return to CONFIGURATION mode. exit 5. Enter Ethernet Interface mode to configure other settings. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas.
Table 44.
Table 45.
Table 46.
port-group1/1/6 port-group1/1/7 port-group1/1/8 port-group1/1/9 port-group1/1/10 port-group1/1/11 port-group1/1/12 port-group1/1/13 port-group1/1/14 port-group1/1/15 port-group1/1/16 port-group1/1/17 port-group1/1/18 port-group1/1/19 port-group1/1/20 port-group1/1/21 port-group1/1/22 port-group1/1/23 port-group1/1/24 port-group1/1/25 port-group1/1/26 port-group1/1/27 port-group1/1/28 port-group1/1/29 port-group1/1/30 port-group1/1/31 port-group1/1/32 Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth
Table 47. Port groups and breakout modes on the S5296F-ON switch (continued)
Port Group         Ports   Supported breakout modes
Port-group1/1/30   102     100g-1x, 50g-2x, 40g-1x, 25g-4x, 10g-4x
Port-group1/1/31   103     100g-1x, 50g-2x, 40g-1x, 25g-4x, 10g-4x
Port-group1/1/32   104     100g-1x, 50g-2x, 40g-1x, 25g-4x, 10g-4x
To configure breakout modes:
1. Configure a port group in CONFIGURATION mode. Enter 1/1 for node/slot and the port group number.
port-group node/slot/port-group
2.
L2 mode configuration Each physical Ethernet interface uses a unique MAC address. Port-channels and VLANs use a single MAC address. By default, all the interfaces operate in L2 mode. From L2 mode you can configure switching and L2 protocols, such as VLANs and Spanning-Tree Protocol (STP) on an interface. Enable L2 switching on a port interface in Access or Trunk mode. By default, an interface is configured in Access mode.
OS10(conf-if-eth1/1/9)# ip address 10.10.1.92/24 OS10(conf-if-eth1/1/9)# no shutdown View L3 configuration error OS10(config)# interface ethernet 1/1/14 OS10(conf-if-eth1/1/14)# ip address 10.1.1.2/24 % Error: Interface ethernet1/1/14, IP address cannot exist with L2 modes. Fibre Channel interfaces OS10 unified port groups support FC interfaces. A unified port group operates in Fibre Channel or Ethernet mode.
6. Apply vfabric configuration on the interface. For more information about vfabric configuration, see Virtual fabric. vfabric fabric-ID 7. Enable the FC interface in INTERFACE mode.
NOTE: The supported wavelength range is from 1528.38 nm to 1568.77 nm. OS10(conf-if-eth1/1/14)# wavelength 1530.00 2. View the optical transmission values that you configured using the following command: show interface phy-eth [interface] [transceiver] OS10# show interface phy-eth 1/1/14 transceiver | grep "Tunable wavelength" SFP1/1/14 Tunable wavelength= 1530.000nm NOTE: To specify the wavelength value, you must enter exactly six digits - four before and two after the decimal point.
When using VLANs in a routing protocol, you must configure the no shutdown command to enable the VLAN for routing traffic. In VLANs, the shutdown command prevents L3 traffic from passing through the interface. L2 traffic is unaffected by this command. ● Configure an IP address in A.B.C.D/x format on the interface in INTERFACE mode. The secondary IP address is the interface’s backup IP address.
1. Configure the L2 VLAN scale profile in CONFIGURATION mode. scale-profile vlan 2. (Optional) Enable L3 routing on a VLAN in INTERFACE VLAN mode. mode L3 After you configure the VLAN scale profile and enable L3 routing on the respective VLANs, save the configuration and reload the switch for the scale profile settings to take effect. To reload the switch, use reload command.
View Loopback interface OS10# show interface loopback 4 Loopback 4 is up, line protocol is up Hardware is unknown. Interface index is 102863300 Internet address is 120.120.120.
● The administrative status applies to the port-channel. ● The port-channel configuration is applied to the member interfaces. ● A port-channel operates in either L2 (default) or L3 mode. To place a port-channel in L2 mode, use the switchport mode command. To place a port-channel in L3 mode and remove L2 configuration before you configure an IP address, use the no switchport command. ● All interfaces must have the same speed. ● An interface must not contain non-default L2/L3 configuration settings.
Assign Port Channel IP Address You can assign an IP address to a port channel and use port channels in L3 routing protocols. ● Configure an IP address and mask on the interface in INTERFACE PORT-CHANNEL mode. ip address ip-address/mask [secondary-ip-address] ○ ip-address/mask — Specify an IP address in dotted-decimal A.B.C.D format and the mask. ○ secondary-ip-address — Specify a secondary IP address in dotted-decimal A.B.C.D format, which acts as the interface’s backup IP address.
○ ipv6-selection [destination-ip | source-ip | protocol | vlan-id | l4-destination-port | l4-source-port] — Uses the destination IPv6 address, source IPv6 address, protocol, VLAN ID, Layer 4 destination port, or Layer 4 source port in the hash calculation.
○ mac-selection [destination-mac | source-mac] [ethertype | vlan-id] — Uses the destination MAC address or source MAC address, and ethertype, or VLAN ID in the hash calculation.
no shutdown switchport access vlan 1 ! interface ethernet1/1/5 no shutdown switchport access vlan 1 Configure range of VLANs OS10(config)# interface range vlan 1-100 OS10(conf-range-vl-1-100)# Configure range of port channels OS10(config)# interface range port-channel 1-25 OS10(conf-range-po-1-25)# Switch-port profiles A port profile determines the enabled front-panel ports and supported breakout modes on Ethernet and unified ports.
Supported Profiles: profile-1 profile-2 profile-3 profile-4 profile-5 profile-6 S4148-ON Series port profiles On the S4148-ON Series of switches, port profiles determine the available front-panel Ethernet ports and supported breakout interfaces on uplink ports. In the port profile illustration, blue boxes indicate the supported ports and breakout interfaces. Blank spaces indicate ports and speeds that are not available.
● 25GE is a 4x25G breakout of a QSFP28 Ethernet port.
● 40GE is a QSFP+ or QSFP28 Ethernet port that uses QSFP+ 40GE transceivers.
● 50GE is a 2x50G breakout of a QSFP28 Ethernet port.
● 100GE is a QSFP28 Ethernet port.
● 4x8GFC are breakout interfaces in an SFP+ or QSFP28 FC port group.
● 2x16GFC are breakout interfaces (subports 1 and 3) in an SFP+ or QSFP28 FC port group.
● 4x16GFC are breakout interfaces in a QSFP28 FC port group.
● 1x32GFC (subport 1) are breakout interfaces in a QSFP28 FC port group.
Configure negotiation modes on interfaces On OS10, the auto negotiation mode is enabled by default. Configuration notes ● All Dell EMC PowerSwitches: ○ Platforms (Z9100, Z9264F, S5200 Series, Z9332F-ON, S4100 Series, MX series and S4200 Series) with 100G(QSFP28 and QSFP28DD) ports do not support 1G auto negotiation. ○ For 10G and 1G BASE-T ports, you cannot disable auto negotiation for copper Gigabit Ethernet interfaces.
! interface ethernet1/1/50 no shutdown switchport access vlan 1 flowcontrol receive on OS10(conf-if-eth1/1/50)# do show interface ethernet 1/1/50 Ethernet 1/1/50 is up, line protocol is up Hardware is Eth, address is e4:f0:04:3e:2d:86 Current address is e4:f0:04:3e:2d:86 Pluggable media present, QSFP28 type is QSFP28 100GBASE-CR4-2.
Table 49.
● 100G-1x Breakout to 1 100G interface ● 50G-2x Breakout to 2 50G interfaces ● 40G-1x Breakout to 1 40G interface Breakout auto-configuration You can globally enable front-panel Ethernet ports to automatically detect SFP pluggable media in a QSFP+ or QSFP28 port. The port autoconfigures breakout interfaces for media type and speed. For example, if you plug a 40G direct attach cable (DAC) with 4x10G far-side transceivers into a QSFP28 port, the port autoconfigures in 10g-4x Interface-breakout mode.
OS10(config)# default interface ethernet 1/1/1 Proceed to cleanup the interface config? [confirm yes/no]:y % Error: Discovery Interface mode must not be in switchport mode Configuration 1. From CONFIGURATION mode, enter INTERFACE mode and view the currently configured settings. interface {ethernet | fibrechannel} node/slot/port[:subport] show config 2. Return to CONFIGURATION mode. exit 3. Reset an interface to its default configuration in CONFIGURATION mode.
OS10(conf-if-fc1/1/1)# exit OS10(config)# default interface fc1/1/1 Proceed to cleanup the interface config? [confirm yes/no]:y ! OS10(config)# do show running-configuration interface fibrechannel 1/1/1 interface fibrechannel1/1/1 shutdown Forward error correction Forward error correction (FEC) enhances data reliability.
Output statistics: 15 packets, 1330 octets 10 64-byte pkts, 0 over 64-byte pkts, 5 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 15 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 Collisions, 0 wred drops Rate Info(interval 30 seconds): Input 0 Mbits/sec, 0 packets/sec, 0% of line rate Output 0 Mbits/sec, 0 packets/sec, 0% of line rate Time since last interface status change: 00:00:13 --more-- Energy-efficient Ethernet Energy-efficient Ethernet (EEE)
Clear all EEE counters OS10# clear counters interface eee Clear all eee counters [confirm yes/no]:yes Clear counters for specific interface OS10# clear counters interface 1/1/48 eee Clear eee counters on ethernet1/1/48 [confirm yes/no]:yes View EEE status/statistics You can view the EEE status or statistics for a specified interface, or all interfaces, using the show commands.
EEE commands
clear counters interface eee
Clears all EEE counters.
Syntax clear counters interface eee
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# clear counters interface eee
Clear all eee counters [confirm yes/no]:yes
Supported Releases 10.3.0E or later
clear counters interface ethernet eee
Clears EEE counters on a specified Ethernet interface.
Example (Disable EEE)
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no eee
Supported Releases 10.3.0E or later
show interface eee
Displays the EEE status for all interfaces.
Syntax show interface eee
Parameters None
Default Not configured
Command Mode EXEC
Example
OS10# show interface eee
Port        EEE   Status   Speed   Duplex
---------------------------------------------
Eth 1/1/1   off   up       1000M
...
show interface ethernet eee Displays the EEE status for a specified interface. Syntax show interface ethernet node/slot/port[:subport] eee Parameters node/slot/port[:subport]—Enter the interface information. Default Not configured Command Mode EXEC Example OS10# show interface ethernet 1/1/48 eee Port EEE Status Speed Duplex --------------------------------------------Eth 1/1/48 on up 1000M Supported Releases 10.3.
View interface information OS10# show interface Ethernet 1/1/1 is up, line protocol is down Hardware is Eth, address is 00:0c:29:66:6b:90 Current address is 00:0c:29:66:6b:90 Pluggable media present, QSFP+ type is QSFP+ 40GBASE CR4 Wavelength is 64 Receive power reading is 0.
Time since last interface status change: 02:46:35
--more--
View specific interface information
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# show configuration
!
interface ethernet1/1/1
 ip address 1.1.1.1/24
 no switchport
 no shutdown
View candidate configuration
OS10(conf-if-eth1/1/1)# show configuration candidate
!
interface ethernet1/1/1
 ip address 1.1.1.1/24
 no switchport
 no shutdown
View running configuration
OS10# show running-configuration
Current Configuration ...
Ethernet 1/1/23 Ethernet 1/1/24 Ethernet 1/1/25 Ethernet 1/1/26 Ethernet 1/1/27 Ethernet 1/1/28 Ethernet 1/1/29 Ethernet 1/1/30 Ethernet 1/1/31 Ethernet 1/1/32 Management 1/1/1 Vlan 1 Vlan 10 Vlan 20 Vlan 30 unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned 10.16.153.
May 11 21:06:46 OS10 dn_pas_svc[1190]: [BOARD:sdi_sys_smbus_execute], sdi_sys_sm
May 11 21:06:46 OS10 dn_pas_svc[1190]: [BOARD:sdi_i2cdev_smbus_execute], i2c bus
May 11 21:06:46 OS10 dn_pas_svc[1190]: [BOARD:sdi_media_feature_support_status_g
May 11 21:06:46 OS10 dn_pas_svc[1190]: [PAS:dn_pas_media_wavelength_poll], Unabl
May 11 21:06:46 OS10 dn_pas_svc[1190]: [BOARD:sdi_sys_smbus_execute], sdi_sys_sm
To view the tail portion of the log, enter the following command from the Linux prompt:
root@OS10:~#
High-power optical modules OS10 supports high-power optical modules on switches with QSFP56-DD ports. This feature helps to prevent the risk of auto power shutdown and service disruptions because of high-power optic usage. Using this feature, you can: ● Monitor the maximum power rating on pluggable optics. ● Disable the optical module, if the maximum power exceeds the threshold permitted on the port. Table 50.
● The power rating of the optical module exceeds the Alarm threshold. <165>1 2017-04-07T17:05:47.733673+00:00 OS10 dn_alm 839 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10) %EQM_MEDIA_PRESENT: Media inserted. Media QSFP56-DD 400GBASE-SR4.2 in slot:1 port:6 serial number:CN04HQ0005VG009 is high-power optics and is disabled. The show inventory media wattage command displays information about the plugged-in optic.
System Inventory Media wattage
------------------------------
Node/Slot/Port   Media                             Media-wattage   Max-threshold   High-power-media
-------------------------------------------------------------------------
1/1/1            Not Present
1/1/2            Not Present
1/1/3            Not Present
1/1/4            QSFP56-DD400GBASE-SR8-AOC-10.0M   12.5W           15W             Yes
1/1/5            QSFP56-DD400GBASE-SR8             9W              15W             No
--more--
Supported Releases 10.5.2.
Table 51. DOM Alarms (continued)
Alarm Category         Alarm Name        Traps Generated?   Severity Level
                       Tx low            Y                  Major
                       Tx low warning    N                  Minor
Power reception (Rx)   Rx high           Y                  Major
                       Rx high warning   N                  Minor
                       Rx low            Y                  Major
                       Rx low warning    N                  Minor
You can enable or disable the DOM feature, configure traps, and view the DOM status.
Enable DOM and DOM traps
To generate DOM alarms, do the following.
1. Enable DOM.
OS10(config)# dom enable
2. Enable DOM traps.
The following are examples of DOM traps. 2018-08-21 17:38:18 [UDP: [10.11.56.49]:51635->[10.11.86.108]:162]: iso.3.6.1.2.1.1.3.0 = Timeticks: (0) 0:00:00.00 iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.674.11000.5000.100.4.1.3.1.15 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.4 = INTEGER: 1 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.5 = INTEGER: 21 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.1 = INTEGER: 1081393 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.2.3 = INTEGER: 1 iso.3.6.1.4.1.674.11000.5000.100.4.1.3.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output statistics: 0 packets, 0 octets 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 Collisions, wred drops Rate Info(interval seconds): Input 0 Mbits/sec, 0 packets/sec, 0% of line rate Output 0 Mbits
default interface Resets an Ethernet or Fibre Channel interface to its default settings. Syntax default interface interface-type Parameters interface-type — Enter the interface type: ● ethernet node/slot/port[:subport] — Resets an Ethernet interface to its default settings. ● fibrechannel node/slot/port[:subport] — Resets a Fibre Channel interface to its default settings. ● range ethernet node/slot/port:[subport]-node/slot/port[:subport] — Resets a range of Ethernet interfaces to their default settings.
OS10(config)# default interface fibrechannel 1/1/1 Proceed to cleanup the interface config? [confirm yes/no]:y ! OS10 # show running-configuration interface fibrechannel 1/1/1 interface fibrechannel1/1/1 shutdown Example (Range of interfaces) OS10(config)# interface range ethernet 1/1/1-1/1/4 OS10(conf-range-eth1/1/1-1/1/4)# show configuration ! interface ethernet1/1/1 no shutdown no switchport ip address 192.21.43.
interface ethernet1/1/3 no shutdown switchport access vlan 1 ! interface ethernet1/1/4 no shutdown switchport access vlan 1 OS10(conf-range-eth1/1/1-1/1/4)# Supported releases 10.4.0E(R1) or later default vlan-id Reconfigures the VLAN ID of the default VLAN. Syntax default vlan-id vlan-id Parameters vlan-id — Enter the default VLAN ID number, from 1 to 4093.
Parameters string — Enter a text string for the interface description. A maximum of 240 characters.
Default Not configured
Command Mode INTERFACE
Usage Information
● To use special characters as part of the description string, enclose the string in double quotes.
● To use a comma as part of the description string, add a double backslash before the comma.
Example OS10# configure terminal OS10(config)# dom enable OS10# configure terminal OS10(config)# no dom enable Supported Releases 10.4.3.0 or later enable dom traps Enables DOM traps if the specified parameter crosses the defined threshold three times. Syntax snmp-server enable traps dom {temperature | voltage | rx-power | tx-power | bias} Parameters temperature | voltage | rx-power | tx-power | bias — Enter the keyword to enable DOM traps for the specified category.
fec
Configures Forward Error Correction on 25G, 50G, and 100G interfaces.
Syntax fec {CL74-FC | CL91-RS | CL108-RS | off}
Parameters
● CL74-FC — Supports 25G and 50G
● CL91-RS — Supports 100G
● CL108-RS — Supports 25G and 50G
● off — Disables FEC
Defaults NOTE: Default FEC settings are determined by the inserted media type.
interface ethernet
Configures a physical Ethernet interface.
Syntax interface ethernet node/slot/port:subport
Parameters node/slot/port:subport — Enter the Ethernet interface information.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the interface.
Example
OS10(config)# interface ethernet 1/1/10:1
OS10(conf-if-eth1/1/10:1)#
Supported Releases 10.2.0E or later
interface loopback
Configures a Loopback interface.
interface null
Configures a null interface on the switch.
Syntax interface null number
Parameters number — Enter the interface number to set as null (0).
Default 0
Command Mode CONFIGURATION
Usage Information You cannot delete the Null interface. The only configuration command possible in a Null interface is ip unreachables.
Example
OS10(config)# interface null 0
OS10(conf-if-nu-0)#
Supported Releases 10.3.0E or later
interface port-channel
Creates a port-channel interface.
● Non-existing interfaces are excluded from the bulk configuration with a warning message.
● If this command has multiple port ranges, the prompt excludes the smaller port range.
● If you enter overlapping port ranges, the port range extends to the smallest start port and the largest end port.
● You can only use VLAN and port-channel interfaces created using the interface vlan and interface port-channel commands.
● You cannot create virtual VLAN or port-channel interfaces using the interface range command.
link-bundle-monitor
Enables link-bundle monitor on a port-channel.
Syntax link-bundle-monitor
Parameters None
Default Disabled
Command Mode INTERFACE CONFIGURATION
Usage Information If you enable link-bundle monitor in interface configuration mode, the show link-bundle-utilization command displays the member link utilization as a percentage.
Command Mode PORT-GROUP Usage Information ● The mode {FC | Eth} command configures a port group to operate at line rate and guarantees no traffic loss. ● To configure oversubscription on a FC interface, use the speed command. ● To configure breakout interfaces on an Ethernet port, use the interface breakout command. ● To view the currently active ports and subports, use the show interfaces status command.
○ Tagged members must have a link MTU 4 bytes higher than untagged members to account for the packet tag. ○ Ensure that the MTU of VLAN members is greater than or equal to the VLAN MTU. OS10 selects the lowest MTU value configured on the VLAN or VLAN members to be the VLAN MTU. For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500.
switchport access vlan 1 negotiation on flowcontrol receive on OS10(conf-if-eth1/1/50)# no negotiation OS10(conf-if-eth1/1/50)# show configuration ! interface ethernet1/1/50 no shutdown switchport access vlan 1 flowcontrol receive on OS10(conf-if-eth1/1/50)# do show interface ethernet 1/1/50 Ethernet 1/1/50 is up, line protocol is up Hardware is Eth, address is e4:f0:04:3e:2d:86 Current address is e4:f0:04:3e:2d:86 Pluggable media present, QSFP28 type is QSFP28 100GBASE-CR4-2.
port-group Configures a group of front-panel unified ports, or a double-density QSFP28 (QSFP28-DD) or single-density QSFP28 port group. Syntax port-group node/slot/port-group Parameters ● node/slot — Enter 1/1 for node/slot when you configure a port group. ● port-group — Enter the port-group number, from 1 to 16. The available port-group range depends on the switch.
scale-profile vlan Configures the L2 VLAN scale profile on a switch. Syntax scale-profile vlan Parameters None Defaults Not configured Command Mode CONFIGURATION Usage Information Use the VLAN scale profile when you scale the number of VLANs so that the switch consumes less memory. Enable the scale profile before you configure VLANs on the switch. The scale profile globally applies L2 mode on all VLANs you create and disables L3 transmission. The no version of the command disables L2 VLAN scaling.
Queuing strategy: fifo Input statistics: 0 packets, 0 octets 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output statistics: 0 packets, 0 octets 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded,
show interface description Displays the description that is configured on an interface. Syntax show interface [type] description Parameters type—Enter the interface type: ● ethernet node/slot/port[:subport]—Display the description of an Ethernet interface. ● loopback id—Display the description of Loopback IDs, from 0 to 16383. ● mgmt node/slot/port—Display the description of Management interface. ● port-channel id-number—Display the description of port channel interface IDs, from 1 to 128.
show interface switchport Displays the physical and port channel interfaces that are VLAN bridge ports or switch ports. Syntax show interface switchport [interface] Parameters interface—(Optional) Enter the interface type: ● ethernet node/slot/port[:subport]—Display Ethernet interface information. ● port-channel id-number—Display port channel interface IDs, from 1 to 128.
1/1/2 1/1/3 1/1/4 1/1/5 1/1/6 1/1/7 1/1/8 1/1/9 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15 1/1/16 1/1/17 1/1/18 ...
show link-bundle-utilization Displays information about the link-bundle utilization. Syntax show link-bundle-utilization Parameters None Default Not configured Command Mode EXEC Usage Information None Example OS10# show link-bundle-utilization Link-bundle trigger threshold - 60 Supported Releases 10.2.0E or later show port-channel summary Displays port-channel summary information.
1/1/19(P) 23 port-channel23 (D) Eth STATIC Supported Releases 10.2.0E or later show port-group Displays the current port-group configuration on a switch. Syntax show port-group Parameters None Default None Command Mode EXEC Usage Information To view the ports that belong to each port-group, use the show port-group command. To configure a port-group, use the port-group command.
Command Mode EXEC Usage Information A switch-port profile determines the available front-panel ports and breakout modes on Ethernet and unified ports. To display the current port profile, use the show switch-port-profile command. To reset the switch to the default port profile, use the no switch-port-profile node/slot command.
show vlan
Displays the current VLAN configuration.
Syntax show vlan [vlan-id]
Parameters vlan-id — (Optional) Enter a VLAN ID, from 1 to 4093.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs
Q: A - Access (Untagged), T - Tagged
NUM Status Description Q Ports
1 down
Supported Releases 10.2.0E or later
shutdown
Disables an interface.
Command Mode INTERFACE Usage Information ● To configure oversubscription for bursty storage traffic on a FC interface, use the speed command. Oversubscription allows a port to operate faster, but may result in traffic loss. For example, QSFP28 port groups in 4x8GFC mode support 16GFC oversubscription on member interfaces. QSFP28 breakout interfaces in 4x16GFC mode support 32GFC oversubscription. ● The no version of this command resets the port speed to the default value auto.
switch-port-profile Configures a port profile on the switch. The port profile determines the available front-panel ports and breakout modes. Syntax switch-port-profile node/unit profile Parameters ● node/unit—Enter switch information. For a standalone switch, enter 1/1. ● profile—Enter the name of a platform-specific profile.
○ profile-2 — SFP+ unified ports (1-24), QSFP28 unified ports (25-26 and 29-30), QSFP+ Ethernet ports (27-28), and SFP+ Ethernet ports (31-54) are enabled. ■ SFP+ unified ports operate in Ethernet 10GE mode by default. SFP+ unified port groups support 4x8GFC and 2x16GFC breakouts (ports 1 and 3) in FC mode. ■ QSFP28 unified ports 25 and 29 operate in Ethernet 100GE mode by default, and support 40GE with QSFP+ transceivers and 4x10G breakouts.
switchport access vlan
Assigns access VLAN membership to a port in L2 Access or Trunk mode.
Syntax switchport access vlan vlan-id
Parameters vlan vlan-id — Enter the VLAN ID number, from 1 to 4093.
Default VLAN 1
Command Mode INTERFACE
Usage Information This command enables L2 switching for untagged traffic and assigns a port interface to default VLAN1. Use this command to change the assignment of the access VLAN that carries untagged traffic.
Parameters vlan-id-list — Enter the VLAN numbers of the tagged traffic that the L2 trunk port can carry. Comma-separated and hyphenated VLAN number ranges are supported.
Default None
Command Mode INTERFACE
Usage Information Use the no version of this command to remove the configuration.
Example
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 1000
OS10(conf-if-eth1/1/2)# no switchport trunk allowed vlan 1000
Supported Releases 10.2.
show default mtu
Displays the default MTU at system level.
Syntax show default mtu
Parameters None
Defaults None
Command Mode EXEC
Usage Information The interface-level MTU may be different from the system-level MTU.
Example
OS10# show default mtu
Default MTU 9216 bytes
Supported Releases 10.5.1.
11 Fibre Channel
OS10 switches with Fibre Channel (FC) ports operate in one of the following modes: Direct attach (F_Port), NPIV Proxy Gateway (NPG). In the FSB mode, you cannot use the FC ports.
E_Port
An Expansion port (E_Port) in a switch is used to connect two Fibre Channel switches to form a multiswitch SAN fabric. The default port mode in a multiswitch setup is F.
Configuration notes
Dell EMC PowerSwitch S4148U-ON: The total errors count in the show interface fibrechannel command output displays incorrect values during FC port flaps, IOM reboot, or port conversion from ETH to FC, followed by bringing up of the FC port.
Fibre Channel over Ethernet
Fibre Channel over Ethernet (FCoE) encapsulates Fibre Channel frames over Ethernet networks. FCoE Initialization Protocol (FIP) establishes Fibre Channel connectivity with Ethernet ports.
5. Configure the maximum number of ENode sessions to be allowed using the fcoe max-sessions-per-enodemac max-session-number command in CONFIGURATION mode, from 1 to 64. NOTE: OS10 switches do not support multi-hop FIP snooping bridge (multi-hop FSB) capability; links to other FIP snooping bridges on a FIP snooping-enabled device (bridge-to-bridge links) are not supported.
-------------------------- ---- -------54:7f:ee:37:34:40 port-channel5 100 0e:fc:00 -------------- -------------4000 2 OS10# show fcoe enode Enode MAC Enode Interface VLAN FCFs Sessions ----------------- ---------------- ---- ---- -------d4:ae:52:1b:e3:cd ethernet1/1/54 100 1 5 Terminology ENode End Node or FCoE node FC Fibre Channel FC ID A 3-byte address used by FC to identify the end points FC Map A 3-byte prefix configured per VLAN, used to frame FCoE MAC address FCF Fibre Channel Forwarder
OS10(conf-vfabric-100)# vlan 1023
OS10(conf-vfabric-100)# fcoe fcmap 0xEFC64
OS10(conf-vfabric-100)# zoneset activate set
OS10(conf-vfabric-100)# zone default-zone permit
OS10(conf-vfabric-100)# exit
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# vfabric 100
View vfabric configuration
OS10(conf-vfabric-100)# show configuration
!
vfabric 100
 name 100
 vlan 1023
 fcoe fcmap 0xEFC64
 zoneset activate set
 zone default-zone permit
OS10# show vfabric
Fabric Name 100
Fabric Type FPORT
Fabric Id 100
3. Add FCoE parameters with the fcoe {fcmap fc-map | fcf-priority fcf-priority-value | fka-advperiod adv-period | vlan-priority vlan-priority-value | keep-alive} command. 4. (Optional) Add a name to the vfabric using the name vfabric-name command. 5. Apply the vfabric to interfaces using the vfabric fabric-ID command in INTERFACE mode.
3. Create a zone using the fc zone zone-name command in CONFIGURATION mode. The switch enters Zone CONFIGURATION mode. 4. Add members to the zone with the member {alias-name alias-name | wwn wwn-ID | fc-id fc-id} command in Zone CONFIGURATION mode. 5. Create a zoneset using the fc zoneset zoneset-name command in CONFIGURATION mode. The switch enters Zoneset CONFIGURATION mode. 6. Add the existing zones to the zoneset with the member zone-name command in Zoneset CONFIGURATION mode. 7.
ZoneName ZoneMember ================================================ hba2 *20:01:00:0e:1e:e8:e4:99 20:35:78:2b:cb:6f:65:57 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:1f hba1 *10:00:00:90:fa:b8:22:19 *21:00:00:24:ff:7b:f5:c8 OS10# show fc zoneset set ZoneSetName ZoneName ZoneMember ========================================================== set hba1 21:00:00:24:ff:7b:f5:c8 10:00:00:90:fa:b8:22:19 21:00:00:24:ff:7f:ce:ee 21:00:00:24:ff:7f:ce:ef hba2 20:01:00:0e:1e:e8:e4:99 50:00:d3
response change to the unstable state. The sessions keep flapping until the request and response converge in the same port. To avoid this, pin one of the ports in the port-channel. To support FCoE on multi-level VLT networks, use port pinning in FCoE LAGs. Port pinning is a static configuration that restricts the FIP and FCoE traffic to one port of the port-channel overriding hardware LAG hashing.
Sample FSB configuration on VLT network
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping with-cvl
2. Create the FCoE VLAN.
OS10(config)# interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Configure the VLTi interface.
OS10(config)# interface ethernet 1/1/27
OS10(conf-if-eth1/1/27)# no shutdown
OS10(conf-if-eth1/1/27)# no switchport
4. Configure the VLT.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
OS10(config)# policy-map type network-qos PFC OS10(config-pmap-network-qos)# class fcoematch OS10(config-pmap-c-nqos)# pause OS10(config-pmap-c-nqos)# pfc-cos 3 7. Create uplink and downlink port-channels, and configure the FCF facing port.
Version : 2.0 Local System MAC address : 50:9a:4c:d3:cf:70 Primary priority : 32768 VLT MAC address : 50:9a:4c:d3:cf:70 IP address : fda5:74c8:b79e:1::2 Delay-Restore timer : 90 seconds Peer-Routing : Disabled Peer-Routing-Timeout timer : 0 seconds VLTi Link Status port-channel1000 : up VLT Peer Unit ID System MAC Address Status IP Address Version ---------------------------------------------------------------------------------1 50:9a:4c:d3:e2:f0 up fda5:74c8:b79e:1::1 2.
2. Create the FC zones. OS10(config)# fc zone zoneA OS10(config-fc-zone-zoneA)# member wwn 10:00:00:90:fa:b8:22:19 <> OS10(config-fc-zone-zoneA)# member wwn 21:00:00:24:ff:7b:f5:c8 <> 3. Create the FC zoneset. OS10(config)# fc zoneset zonesetA OS10(conf-fc-zoneset-zonesetA)# member zoneA 4. Create the vfabric VLAN. OS10(config)# interface vlan 1001 5. Create vfabric and activate the FC zoneset.
OS10(conf-if-eth1/1/10)# no shutdown
OS10(conf-if-eth1/1/10)# channel-group 10 mode active
OS10(conf-if-eth1/1/10)# no switchport
OS10(conf-if-eth1/1/10)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/10)# priority-flow-control mode on
View configuration
Name server entries:
OS10# show fc ns switch brief
Total number of devices = 2
Intf# Domain port-channel10(Eth 1/1/9) 1 20:00:f4:e9:d4:a4:7d:c3 fibrechannel1/1/26 1 21:00:00:24:ff:7c:ae:0e FC-ID 01:00:00 Enode-WWPN 20:01:f4:e9:d4:a4:7d:c
OS10(conf-if-po-10)# switchport trunk allowed vlan 1001,10 OS10(conf-if-po-10)# fip-snooping port-mode fcf OS10(config)# interface port-channel 20 OS10(conf-if-po-20)# no shutdown OS10(conf-if-po-20)# switchport mode trunk OS10(conf-if-po-20)# switchport access vlan 1 OS10(conf-if-po-20)# switchport trunk allowed vlan 1001,10 6. Apply the PFC configuration on downlink and uplink interfaces. In addition, include the interfaces to the port-channel and configure one of the interfaces as pinned-port.
Pinned port status:
OS10# show fcoe pinned-port
Interface         pinned-port       FCoE Status
----------------- ----------------  -----------------
Po 10             Eth 1/1/1         Up
Po 20             Eth 1/1/3         Up
Sample FC Switch configuration on non-VLT network
1. Enable the F_PORT mode.
OS10(config)# feature fc domain-id 1
2. Create the FC zones.
OS10(conf-if-eth1/1/9)# service-policy input type network-qos PFC OS10(conf-if-eth1/1/9)# priority-flow-control mode on OS10(config)# interface ethernet 1/1/10 OS10(conf-if-eth1/1/10)# no shutdown OS10(conf-if-eth1/1/10)# channel-group 10 mode active OS10(conf-if-eth1/1/10)# no switchport OS10(conf-if-eth1/1/10)# service-policy input type network-qos PFC OS10(conf-if-eth1/1/10)# priority-flow-control mode on View configuration Name server entries: OS10# show fc ns switch brief Total number of devices = 2 In
rebuilding the fabric. When the principal ISL fails and if no other path exists between the two affected switches, then the build fabric (BF) operation is triggered. If the backup link (nonprincipal ISL) is available, then the link failure recovery is triggered. Whenever the principal switch election is retriggered nondisruptively, the switches check if the previously assigned domain IDs match the newly elected principal switch. The switches remember the previously assigned domain IDs.
Restrictions and limitations
This section lists the restrictions and limitations of the multiswitch fabric feature.
● The multiswitch feature does not support Virtual E-ports (VE), BB_credit configuration, autoport mode, static FC route, zone merging, ESC exchange between switches, and switch port initialization.
● Only one vfabric is supported per switch in the multiswitch mode.
● Interoperability with other vendors, such as non-OS10 switches, is not supported.
Switch-1 configuration
1. Enable the multiswitch feature globally.
OS10(config)# feature fc multi-switch
2. Create a vFabric VLAN.
OS10(config)# interface vlan 1001
3. Create vFabric.
OS10(config)# vfabric 1
OS10(conf-vfabric-1)#
NOTE: The recommended configuration is to configure the same VLAN and fcmap values on all the switches. The vFabric ID is of local significance, so the vFabric can have different values on different switches.
4. Create a port group.
9. Create and activate a zone set.
OS10(config)# fc zoneset zoneset1
OS10(conf-fc-zoneset-zoneset1)# member zoneA
OS10(config)# vfabric 1
OS10(conf-vfabric-1)# zoneset activate zoneset1
10. You can deactivate vFabric by removing either the VLAN or fcmap configuration.
OS10(conf-vfabric-1)# no vlan 100
Warning: All traffic on this fabric will be lost. Continue? [yes/no]:yes
Switch-2 configuration
1. Enable the multiswitch feature globally.
OS10(config)# feature fc multi-switch
2. Create a vFabric VLAN.
Verify multiswitch fabric (E Port) configuration
Verify the multiswitch configuration using the following show commands:
● To verify the current configured switch mode, run the show fc switch command.
OS10# show fc switch
Switch Mode : Disabled
Switch WWN :
● To display the multiswitch mode after configuring the multiswitch feature, run the show fc switch command.
Switch Name 10:00:14:18:77:20:73:cf Domain Id 101 Switch Port FC1/1/1 FC-Id 65:00:01 Port Name 20:01:f4:e9:d4:f9:fc:44 Node Name 20:00:f4:e9:d4:f9:fc:43 Class of Service 8 Symbolic Port Name XXX Symbolic Node Name XXX Port Type N_Port Registered with NameServer Yes Registered for SCN No FC4-Types:FC4-Features fcp(0x08):0x2 ● To display the summary of the local switch name server entries, run the show fc ns switch brief command.
● To verify the fabric name server registration on switch-2, run the show fc ns fabric command.
========================================== Members fibrechannel1/1/1 fibrechannel1/1/2 ● To verify the vFabric in switch-2, principal switch, run the show vfabric command.
5 Error packets 0 Number of Reject packets received : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Error packets 0 Number of Request packets transmitted : ELP 8 EFP 12 BF 3 RCF 2 DIA 5 RDI 5 Error packets 0 Number of Accept packets transmitted : ELP ACC 8 EFP ACC 12 BF ACC 3 RCF ACC 2 DIA ACC 5 RDI ACC 5 Error packets 0 Number of Reject packets transmitted : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Error packets 0 ● To display the link state database information of switch-1
● To view the established shortest routes between the server and the target ports in switch-2, run the show fc fspf route command.
OS10#show fc fspf route
vfabric-Id Dest-Domain Route-Cost Next-hop
--------------------------------------------------------------
1 0x65(101) 125 fc1/1/2
● To view the FSPF neighbor information in switch-1, use the show fc fspf neighbor command.
Supported Releases 10.5.1.0 or later clear fc flow-control-statistics Clears all flow-control counters for all domains. Syntax clear fc flow-control-statistics Parameters None Default None Command Mode EXEC Usage Information If multiswitch mode is disabled, this command returns silently.
Example
OS10#clear fc fspf statistics interface fc 1/1/1
Supported Releases 10.5.1.0 or later
clear fc ns switch statistics
Clears the Name Server statistics on all interfaces.
Syntax clear fc ns switch statistics [interface type node/slot/port[:subport]| vfabric vfabric-id|vfabric vfabric-id domain [domain-id]]
Parameters
● node/slot/port[:subport]—Enter the Interface type details.
● vfabric-ID—Enter the vfabric ID.
● domain-id—Enter the vfabric domain ID.
e_d_tov
Configures the E_D_TOV FC timer value for every vfabric.
Syntax e_d_tov timeout-val
Parameters timeout-val—Valid values are from 1000 to 10000.
Defaults 2000 ms
Command Mode Vfabric CONFIGURATION
Usage Information
● The configurations are supported only in the multiswitch mode.
● If you do not receive an expected response within the expected time, then consider the condition as an error condition.
feature fc
Enables the multiswitch feature.
Syntax feature fc [domain-id domain-id-val | npg | fip-snooping [with-cvl] | multi-switch]
Parameters
● with-cvl—To enable CVL.
● domain-id—Enter the domain ID of the E_Port.
● domain-id-val—Valid values are from 1 to 239.
Defaults Disabled
Command Mode GLOBAL CONFIGURATION
Usage Information
● Use the multiswitch option to support the multiswitch fabric mode.
● Delete multiswitch configurations when disabling a feature.
Usage Information
● The configurations are supported only in the multiswitch mode.
● This command specifies the maximum interval. You must first receive a hello message on the selected interface before the neighbor is considered lost and removed from the database.
● The no form of this command resets the command to default value, 80 s.
Example
OS10(config-if-fc-1/1/1)#fspf dead-interval 90
Supported Releases 10.5.1.
fspf retransmit-interval
Configures the FSPF retransmit interval value for every interface.
Syntax fspf retransmit-interval timeout-val
Parameters timeout-val—Valid values are from 1 to 65535.
Defaults 5s
Command Mode Fibre Channel INTERFACE
Usage Information
● The configurations are supported only in multiswitch mode.
● This command specifies the retransmit time interval for unacknowledged link state updates.
● The no version of this command resets to the default value.
● This timer is used to mark the error conditions during domain ID allocation, SW-RSCN, and NS QUERY. Match this value with the other end during port initialization. This type of configuration is not permitted when the vfabric is active.
● If the configured R_A_TOV value is not the same on both sides of the port, the port is isolated. Ensure that you configure the same R_A_TOV value on both sides.
● You can change the R_A_TOV value only when the vfabric is in the inactive state.
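An added example (not from the Dell guide): a Python audit of the vfabric stanzas collected from each switch in a multiswitch fabric. It checks the one-vfabric restriction, compares VLAN, fcmap, E_D_TOV and R_A_TOV across switches, and flags zone default-zone permit. Assumptions: the stanza layout follows the show configuration output in this guide, the r_a_tov keyword mirrors e_d_tov, and the switch names and sample values are constructed.

```python
E_D_TOV_DEFAULT_MS = 2000  # default stated in the e_d_tov command reference

# Constructed sample stanzas (not captured from real switches), laid out like
# the vfabric section of "show configuration". vFabric IDs differ on purpose.
SAMPLE_CONFIGS = {
    "switch-1": "!\nvfabric 1\n vlan 1001\n fcoe fcmap 0xEFC00\n"
                " zoneset activate zoneset1\n!\n",
    "switch-2": "!\nvfabric 2\n vlan 1001\n fcoe fcmap 0efc00\n e_d_tov 4000\n"
                " zone default-zone permit\n!\n",
    "switch-3": "!\nvfabric 1\n vlan 1001\n fcoe fcmap 0xEFC01\n"
                " zoneset activate zoneset1\n!\n",
}


def parse_vfabrics(config_text):
    """Return {vfabric_id: settings} for every vfabric stanza in the text."""
    fabrics, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # top-level line: closes any open stanza
            current = None
            if len(words) == 2 and words[0] == "vfabric" and words[1].isdigit():
                current = {"vlan": None, "fcmap": None,
                           "e_d_tov": E_D_TOV_DEFAULT_MS,
                           "r_a_tov": None,  # assumed keyword; unset = default
                           "zoneset": None, "default_permit": False}
                fabrics[int(words[1])] = current
            continue
        if current is None:
            continue
        if words[0] == "vlan" and len(words) == 2:
            current["vlan"] = int(words[1])
        elif words[:2] == ["fcoe", "fcmap"] and len(words) == 3:
            # The guide writes the map as 0xEFC00 and as 0efc01: compare by value.
            current["fcmap"] = int(words[2], 16)
        elif words[0] in ("e_d_tov", "r_a_tov") and len(words) == 2:
            current[words[0]] = int(words[1])
        elif words[:2] == ["zoneset", "activate"] and len(words) == 3:
            current["zoneset"] = words[2]
        elif words == ["zone", "default-zone", "permit"]:
            current["default_permit"] = True
    return fabrics


def _show(key, value):
    if value is None:
        return "unset"
    return f"0x{value:06X}" if key == "fcmap" else str(value)


def audit_fabric(configs):
    """configs maps switch name -> config text. Returns [(switch, code, detail)]."""
    findings, single = [], {}
    for switch in sorted(configs):
        fabrics = parse_vfabrics(configs[switch])
        if len(fabrics) != 1:
            findings.append((switch, "VFABRIC_COUNT",
                             f"multiswitch mode supports one vfabric, found {len(fabrics)}"))
            continue
        vf = next(iter(fabrics.values()))
        single[switch] = vf
        if vf["default_permit"]:
            # With default-zone permit, zoning is only as strict as the active zoneset.
            state = ("no active zoneset" if vf["zoneset"] is None
                     else f"zoneset {vf['zoneset']} active")
            findings.append((switch, "DEFAULT_ZONE_PERMIT",
                             f"default-zone permit set, {state}"))
        elif vf["zoneset"] is None:
            findings.append((switch, "NO_ACTIVE_ZONESET", "no zoneset activated"))
    # vFabric IDs are locally significant, so compare per switch, not per ID.
    for key in ("vlan", "fcmap", "e_d_tov", "r_a_tov"):
        by_value = {}
        for switch, vf in single.items():
            by_value.setdefault(vf[key], []).append(switch)
        if len(by_value) > 1:
            detail = "; ".join(f"{_show(key, value)} on {', '.join(names)}"
                               for value, names in by_value.items())
            findings.append(("*", "MISMATCH_" + key.upper(), detail))
    return findings


if __name__ == "__main__":
    for switch, code, detail in audit_fabric(SAMPLE_CONFIGS):
        print(f"{switch:9} {code:20} {detail}")
```

Findings reported against `*` concern the fabric as a whole rather than one switch.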
○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ Example BB Credit Isolation R_A_TOV Mismatch E_D_TOV Mismatch Flow Control Not Supported Class of Services Not Supported Port Mode mismatch Isolation Invalid Switch Name Isolation Not Capable Principal Switch Domain ID Overlap Isolation due to ELP Failure Isolation due to Loop Back Connection Isolation due to EFP Max Retransmission Exceeded Isolation due to BF Max Retransmission Exceeded Isolation due to RCF Max Retransmission Exceeded Isolation due to DIA Max Retransmission
ACC 2 DIA ACC 5 RDI ACC 5 Number of Reject packets transmitted : ELP RJT 8 EFP RJT 12 BF RJT 3 RCF RJT 2 DIA RJT 5 RDI RJT 5 Supported Releases 10.5.1.0 or later show fc flow-control-statistics Displays flow-control counters for a specific domain or all domains. Syntax show fc flow-control-statistics [domain domain-id | vfabric vfabric-id] Parameters ● domain-id—Enter the domain ID of the E_Port, from 1 to 239. ● vfabric-id—Enter the vfabric ID.
Usage Information Example Supported Releases Use this command to display the FSPF link state database information of a switch. The database information includes the entire LSR information of the fabric that is constructed based on the LSRs received from other switches.
Usage Information Use this command to display the FSPF route information, and the route to reach every other switch in the fabric.
Example
OS10#show fc fspf route
vfabric-Id Dest-Domain Route-Cost Next-hop
---------------------------------------------------------------
100 0x66(102) 125 fc1/1/2
Supported Releases 10.5.1.0 or later
show fc ns fabric
Shows all the Name Server entries in the FC fabric shared among the fabric switches.
Supported Releases 10.5.1.0 or later show fc ns switch statistics Shows the Name Server statistics for an interface. Syntax show fc ns switch statistics [interface type node/slot/port[:subport]| vfabric vfabric-id|vfabric vfabric-id domain [domain-id]] Parameters ● node/slot/port[:subport]—Enter interface information. ● vfabric-id—Enter the vfabric ID. ● domain-id—Enter the vfabric domain ID.
show fc switch
Shows the multiswitch mode.
Syntax show fc switch
Parameters None
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the current configured switch mode.
Example
OS10# show fc switch
Supported Releases 10.5.1.0 or later
show interface fibre channel
Shows the fibre channel interface port type, BB_Credit, and other port configurations.
show vfabric
Shows the FC timer values E_D_TOV and R_A_TOV, the principal switch priority, and the domain ID.
Syntax show vfabric value
Parameters value—Valid values are from 1 to 255.
Defaults Not applicable
Command Mode GLOBAL CONFIGURATION
Usage Information Use this command to display the FC timers E_D_TOV and R_A_TOV, the principal switch priority, and the domain ID values.
Example
OS10#show vfabric fspf
FSPF routing for vfabric 10
SPF hold time is 0 msec
MinLsArrival = 1000 msec , MinLsInterval = 5000 msec
Local Domain is 0x64 (100)
Number of LSRs = 3, Total Checksum = 0x0001288b
Refresh time = 1800 sec
Max age = 3600 sec
Statistic counters :
Number of SPF computations = 3
Number of checksum errors = 0
Number of transmitted packets : LSU 10 LSA 10 Hello 25 Retransmitted LSU 10
Number of received packets: LSU 10 LSA 10 Hello 25 Error packets 5
Supported Releases 10.5.1.
Configure multi-hop FSB The following example shows a simple multi-hop FSB setup. CNA-2 and CNA-3 shown in this topology are for illustrative purposes only. The following example does not include CNA-2 and CNA-3 configurations. Ensure that the access and core FSB switches are running in FSB mode. To configure multi-hop FSB: 1. Configure the L2 switch. a. Disable flow control on the interfaces connected to CNA-4 and FSB1.
L2switch(config-pmap-network-qos)# class c3 L2switch(config-pmap-c-nqos)# pause L2switch(config-pmap-c-nqos)# pfc-cos 3 L2switch(config)# policy-map type queuing ets_policy L2switch(config-pmap-queuing)# class q0 L2switch(config-pmap-c-que)# bandwidth percent 30 L2switch(config-pmap-c-que)# class q3 L2switch(config-pmap-c-que)# bandwidth percent 70 f. Create a qos-map.
e. Create class-maps. FSB1(config)# class-map type network-qos c3 FSB1(config-cmap-nqos)# match qos-group 3 FSB1(config)# class-map type queuing q0 FSB1(config-cmap-queuing)# match queue 0 FSB1(config-cmap-queuing)# exit FSB1(config)# class-map type queuing q3 FSB1(config-cmap-queuing)# match queue 3 FSB1(config-cmap-queuing)# exit f. Create policy-maps.
j. Configure FIP snooping port mode on the L2 DCBX switch connected interface and FSB2 connected interface. The default port mode is ENode. Hence, CNA1-connected interface does not require additional configuration.
On the L2 DCBX switch-connected interface:
FSB1(config)# interface ethernet 1/1/5
FSB1(conf-if-eth1/1/5)# fip-snooping port-mode enode-transit
On the FSB-connected interfaces:
FSB1(config)# interface ethernet 1/1/2
FSB1(conf-if-eth1/1/2)# fip-snooping port-mode fcf
3.
h. Apply the QoS configurations on FSB1 and FCF connected interfaces.
FCF(conf-vfabric-2)# fcoe fcmap 0xEFC00 FCF(conf-vfabric-2)# zoneset activate zonesetA g. Enable DCBX. FCF(config)# dcbx enable h. Create class maps and policy maps.
FCOE VLAN List (Operational) : 777 FCFs : 1 Enodes : 2 Sessions : 2 ● To verify the discovered ENodes, use the show fcoe enode command. FSB1# show fcoe enode Enode MAC Enode Interface VLAN FCFs Sessions ----------------------------------------------------------------32:03:cf:45:00:00 Eth 1/1/31 777 1 1 f4:e9:d4:f9:fc:40 Eth 1/1/5 777 1 1 ● To verify the discovered FCFs, use the show fcoe fcf command. FSB1# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
Sample Multi-hop FSB configuration The following is a sample multi-hop FSB topology. In this topology: ● FSB1 and FSB2—access FSBs. ● FSB3 and FSB4—core FSBs. ● VLT is configured between FSB1 and FSB2, and requires port-pinning for VLT port channels configured between access FSBs and core FSBs.
Table 52. High-level configurations on FSB1, FSB3, and FCF1
FSB1/FSB2:
Configure the uplink interface as pinned-port.
12. Configure FIP snooping port mode on the uplink interface.
FSB3/FSB4:
the downlink interface as pinned-port.
12. Configure FIP snooping port mode on the uplink interface and the port channel.
FSB1 configuration
1. Enable FIP snooping.
FSB1(config)# feature fip-snooping with-cvl
2. Enable DCBX.
FSB1(config)# dcbx enable
3. Create FCoE VLAN and configure FIP snooping.
8. Configure VLTi interface member links.
FSB2 configuration 1. Enable FIP snooping. FSB2(config)# feature fip-snooping with-cvl 2. Enable DCBX. FSB2(config)# dcbx enable 3. Create FCoE VLAN and configure FIP snooping. FSB2(config)#interface vlan1001 FSB2(conf-if-vl-1001)# fip-snooping enable FSB2(conf-if-vl-1001)# no shutdown FSB2(config)#interface vlan1002 FSB2(conf-if-vl-1002)# fip-snooping enable FSB2(conf-if-vl-1002)# no shutdown 4. Create class-maps.
8. Configure VLTi interface member links.
FSB3 configuration 1. Enable FIP snooping. FSB3(config)# feature fip-snooping with-cvl 2. Enable DCBX. FSB3(config)# dcbx enable 3. Create FCoE VLAN and configure FIP snooping. FSB3(config)#interface vlan1001 FSB3(conf-if-vl-1001)# fip-snooping enable FSB3(conf-if-vl-1001)# no shutdown FSB3(config)#interface vlan1002 FSB3(conf-if-vl-1002)# fip-snooping enable FSB3(conf-if-vl-1002)# no shutdown 4. Create class-maps.
8. Configure VLTi interface member links.
12. Configure FIP snooping port mode on the port channel and the interface connected to FCF1. FSB3(config)# interface port-channel 10 FSB3(conf-if-po-10)# fip-snooping port-mode enode-transit FSB3(config)# interface ethernet 1/1/45 FSB3(conf-if-eth1/1/45)# fip-snooping port-mode fcf FSB4 configuration 1. Enable FIP snooping. FSB4(config)# feature fip-snooping with-cvl 2. Enable DCBX. FSB4(config)# dcbx enable 3. Create FCoE VLAN and configure FIP snooping.
8. Configure VLTi interface member links.
FSB4(config)# interface ethernet1/1/34
FSB4(conf-if-eth1/1/34)# no shutdown
FSB4(conf-if-eth1/1/34)# no switchport
FSB4(conf-if-eth1/1/34)# channel-group 10
FSB4(config)# interface ethernet1/1/37
FSB4(conf-if-eth1/1/37)# no shutdown
FSB4(conf-if-eth1/1/37)# no switchport
FSB4(conf-if-eth1/1/37)# channel-group 10
9. Configure VLT domain.
FSB4(config)# vlt-domain 3
FSB4(conf-vlt-2)# discovery-interface ethernet1/1/40
FSB4(conf-vlt-2)# vlt-mac 1a:2b:3c:2a:1b:1c
10.
3. Create zoneset.
FCF1(config)# fc zoneset zonesetA
FCF1(conf-fc-zoneset-setA)# member zoneA
4. Create a vfabric VLAN.
FCF1(config)# interface vlan 1001
5. Create vfabric and activate the zoneset.
FCF1(config)# vfabric 1
FCF1(conf-vfabric-1)# vlan 1001
FCF1(conf-vfabric-1)# fcoe fcmap 0xEFC00
FCF1(conf-vfabric-1)# zoneset activate zonesetA
6. Enable DCBX.
FCF1(config)# dcbx enable
7. Create class-maps.
11. Apply vfabric on the interfaces connected to FSB3 and the target.
FCF1(config)# interface ethernet 1/1/45
FCF1(conf-if-eth1/1/45)# switchport access vlan 1
FCF1(conf-if-eth1/1/45)# vfabric 1
FCF1(config)# interface fibrechannel 1/1/3
FCF1(conf-if-fc1/1/3)# description target_connected_port
FCF1(conf-if-fc1/1/3)# no shutdown
FCF1(conf-if-fc1/1/3)# vfabric 1
FCF2 configuration
1. Enable Fiber Channel F-Port mode globally.
FCF2(config)# feature fc domain-id 3
2. Create zones.
FCF2(config-pmap-c-que)# class q3 FCF2(config-pmap-c-que)# bandwidth percent 70 9. Create a qos-map. FCF2(config)# qos-map traffic-class tc-q-map1 FCF2(config-qos-map)# queue 3 qos-group 3 FCF2(config-qos-map)# queue 0 qos-group 0-2,4-7 10. Apply QoS configurations on the interface connected to FSB4.
MAC FC-ID PORT WWPN PORT WWNN -----------------------------------------------------------------------------------------------------------------------------------------------00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 FSB2# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
14:18:77:20:80:ce 1 Eth 1/1/42 F
1002 0e:fc:00 8000
FSB4# show fcoe system
Mode : FSB
CVL Status : Enabled
FCOE VLAN List (Operational) : 1001,1002
FCFs : 1
Enodes : 1
Sessions : 1
FCF1
FCF1# show fcoe sessions
Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN PORT WWNN
-----------------------------------------------------------------------------------------------
f4:e9:d4:f9:fc:42 Eth 1/1/45 14:18:77:20:86:ce ~ 1001 0e:fc:00:
● While configuring or unconfiguring the FC-Gateway uplink, the uplink interface flaps. Because UFD is enabled by default for NPG (FCGateway Uplink) in SmartFabric mode, UFD brings down the server-facing ports that are deployed with the same FCoE VLAN as the FCGateway uplink.
● Fibrechannel port flaps are observed on the IOM side if the IOM is operationally up and is connected to a storage device without configuring the FCDirectAttach uplink (vfabric) on this port.
5. Enable DCBX globally.
OS10(config)# dcbx enable
6. Create a class map and policy map.
OS10(config)# class-map type network-qos cmap1
OS10(config-cmap-nqos)# match qos-group 3
OS10(config)# policy-map type network-qos pmap1
OS10(config-pmap-network-qos)# class cmap1
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 1.
OS10(config)# interface ethernet 1/1/50
OS10(conf-if-eth1/1/50)# no flowcontrol receive
8.
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Disable LLFC on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no flowcontrol receive
8. Enable PFC mode on the interface that connects to CNA 2.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# priority-flow-control mode on
9. Apply the service policy on the interface that connects to CNA 2.
Now the logical FCF takes care of the FIP functionality in the VLAN configured for the fabric. With this implementation, all control frames originating from the logical FCF use a system-generated MAC address instead of the port's MAC address. This system-generated MAC address of the logical FCF is the same for all the fabrics configured in the gateway switch, because the end device identifies every FCF uniquely by its VLAN-MAC address pair and the VLAN used is unique for every fabric.
Switch WWN : 10:00:14:18:77:20:73:cf
OS10#
VLAN creation
OS10(config)# interface vlan 100
vFabric Creation
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# vlan 100
OS10(conf-vfabric-100)# name NPG_Fabric
OS10(conf-vfabric-100)# fcoe fcmap 0efc01
OS10(conf-vfabric-100)# exit
Apply vFabric configuration on the FC upstream interfaces
OS10(config)# interface range fibrechannel 1/1/1,1/1/2
OS10(conf-range-fc1/1/1,1/1/2)# vfabric 100
OS10(conf-range-fc1/1/1,1/1/2)# no shut
OS10(conf-range-fc1/1/1,1/1/2)# exit
A
Apply Service policy and Enable PFC mode on the interface that connects to FCoE End points(CNA) OS10(conf-range-eth1/1/54,1/1/55)# service-policy input type network-qos pmap1 OS10(conf-range-eth1/1/54,1/1/55)# priority-flow-control mode on Apply vFabric configuration on the interface that connects to FCoE End points(CNA) OS10(conf-range-eth1/1/54,1/1/55)# vfabric 100 OS10(conf-range-eth1/1/54,1/1/55)# no shut OS10(conf-range-eth1/1/54,1/1/55)# exit Apply fcoe delay FCF advertisement configuration globally (
Use case 2 - NPG fabric is connected to multiple upstream switches belonging to the same SAN fabric In this topology, the NPG device is connected to multiple FCF switches and all those FCF switches are part of same SAN fabric. Configurations in NPG device remains same as in Use case 1. Configuration in upstream devices remains same as well and it needs to be done in both the switches in the SAN fabric.
Usage Information
The no version of this command deletes the FC zone. To delete an FC zone, first remove it from the FC zoneset.
Example
OS10(config)# fc zone hba1
OS10(config-fc-zone-hba1)# member wwn 10:00:00:90:fa:b8:22:19
OS10(config-fc-zone-hba1)# member wwn 21:00:00:24:ff:7b:f5:c8
Supported Releases
10.3.1E or later

fc zoneset
Creates an FC zoneset and adds the existing FC zones to the zoneset.
Syntax
fc zoneset zoneset-name
Parameters
zoneset-name — Enter a name for the FC zoneset.
Defaults
Not configured
Command Mode
Alias CONFIGURATION
Usage Information
The no version of this command removes the member from the FC alias.
Example
OS10(config)# fc alias test
OS10(config-fc-alias-test)# member wwn 21:00:00:24:ff:7b:f5:c9
OS10(config-fc-alias-test)# member wwn 20:25:78:2b:cb:6f:65:57
Supported Releases
10.3.1E or later

member (zone)
Adds members to existing zones. Identify a member by an FC alias, a world wide name (WWN), or an FC ID.
show fc alias
Displays the details of an FC alias and its members.
Syntax
show fc alias [alias-name]
Parameters
alias-name — (Optional) Enter the FC alias name.
Default
Not configured
Command Mode
EXEC
Usage Information
Example
OS10# show fc alias
Alias Name          Alias Member
==============================================
test                21:00:00:24:ff:7b:f5:c9
                    20:25:78:2b:cb:6f:65:57
OS10#
Supported Releases
10.3.1E or later

show fc interface-area-id mapping
Displays the FC ID to interface mapping details.
Example
OS10# show fc ns switch
Total number of devices = 1
Switch Name                 10:00:14:18:77:13:38:28
Domain Id                   4
Switch Port                 port-channel10(Eth 1/1/9)
FC-Id                       04:00:00
Port Name                   50:00:d3:10:00:ec:f9:05
Node Name                   50:00:d3:10:00:ec:f9:00
Class of Service            8
Symbolic Port Name          Compellent Port QLGC FC 8Gbps; Slot=06 Port=01 in Controller: SN 60665 of Storage Center: DEVTEST 60665
Symbolic Node Name          Compellent Storage Center: DEVTEST 60665
Port Type                   N_PORT
Registered with NameServer  Yes
Registered for SCN          No
Example (
Supported Releases
10.3.1E or later

show fc zoneset
Displays the FC zonesets, the zones in the zoneset, and the zone members.
Syntax
show fc zoneset [active | zoneset-name]
Parameters
zoneset-name — Enter the FC zoneset name.
==================================================================
set hba1 21:00:00:24:ff:7b:f5:c8 10:00:00:90:fa:b8:22:19 21:00:00:24:ff:7f:ce:ee 21:00:00:24:ff:7f:ce:ef hba2 20:01:00:0e:1e:e8:e4:99 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1f 20:35:78:2b:cb:6f:65:57
Supported Releases
10.3.1E or later

zone default-zone permit
Enables access between all logged-in FC nodes of the vfabric in the absence of an active zoneset configuration.
fc port-mode F
Configures port mode on Fibre Channel interfaces.
Syntax
fc port-mode F
Parameters
None
Defaults
N_Port
Command Mode
Fibre Channel INTERFACE
Usage Information
Configure the port mode when the port is in Shut mode and when NPG mode is enabled. The no version of this command returns the port mode to default.
Example
OS10(config)# interface fibrechannel 1/1/1
OS10(conf-if-fc1/1/1)# fc port-mode F
Supported Releases
10.4.1.0 or later

feature fc npg
Enables the NPG mode globally.
ENode WWNN :20:00:d4:ae:52:1a:ee:54
FCoE MAC :0e:fc:00:01:04:02
FC-ID :01:04:02
Login Method :FLOGI
Time since discovered(in Secs) :6253
Status :LOGGED_IN
Example (brief)
Total NPG Devices = 1
ENode-Interface ENode-WWPN FCoE-Vlan Fabric-Intf Vfabric-Id Log
----------------------------------------------------------------------------------
Po 10(Eth 1/1/9) 20:01:d4:ae:52:1a:ee:54 1001 Fc 1/1/25 10 FLO LOGGED_IN
Supported Releases
10.4.
Fc 1/1/1     01:00:01   8           8        3      3      6      6
Fc 1/1/2     01:00:02   8           16       1      9      10     15
OS10#show npg uplink-interfaces
VFabric Id : 100
Uplink                              Speed
Intf         FC Id      BB Credit   (Gbps)   FLOGI  FDISC  Total  Redistributed
-----------------------------------------------------------------------------
Fc 1/1/1     01:00:01   8           8        3      3      6      6
Fc 1/1/2     01:00:02   8           16       1      9      10     15
VFabric Id : 200
Uplink                              Speed
Intf         FC Id      BB Credit   (Gbps)   FLOGI  FDISC  Total  Redistributed
--------------------------------------------------------------------------------
Fc 1/1/11 0
F_Port and NPG commands
The following commands are supported on both F_Port and NPG modes:

clear fc statistics
Clears FC statistics for specified vfabric or fibre channel interface.
Syntax
clear fc statistics [vfabric vfabric-ID | interface fibrechannel]
Parameters
● vfabric-ID — Enter the vfabric ID.
● fibrechannel — Enter the fibre channel interface name.
fcoe delay fcf-adv
Delay the Multicast Discovery Advertisement from FCFs to be sent to Enodes.
Syntax
fcoe delay fcf-adv timeout
Parameters
timeout - Timeout range specified in seconds. Range is 1 to 30 seconds.
Default
Not configured
Command Mode
Global config
Usage Information
Time to wait after the first FCF in the vFabric connects to the NPG switch to send the Multicast discovery Advertisement. This command is supported in NPG mode.
● Uplink Intf—The name of the FC uplink interface.
● FLOGI—Number of Fabric Login Sessions in the FC uplink interface.
● FDISC—Number of Fabric Discovery Sessions in the FC uplink interface.
● Load—Total number of sessions (FLOGI and FDISC) in the FC uplink interface.
● Speed—Link speed of the FC uplink interface.
● Excess Load—Excess load is the absolute (Current load on the link - ((Minimum load per 8G speed in current state) * port-speed/8G)).
Example
-----------------------------------------------------------------
Fc 1/1/1 1 9 10 8 7
Fc 1/1/2 3 3 6 16 0
-----------------------------------------------------------------
4 12 16 24 7
-----------------------------------------------------------------
Session Displacements:
Total No. of Node(s) : 4
No. of Node(s) displaced : 4
----------------------------------------------------------------------------------
Node WWPN From Uplink Intf To Uplink Intf No.
● Speed—Link speed of the FC uplink interface.
● FLOGI—Number of Fabric Login Sessions in the FC uplink interface.
● FDISC—Number of Fabric Discovery Sessions in the FC uplink interface.
● Total—Total number of sessions (FLOGI and FDISC) in the FC uplink interface.
● Re-distributed—Number of sessions redistributed for better load balancing in the interface.
Example
FCF Availability Status : No
Uplink Intf   Upstream Fabric-Name      Error Reason     Duplicate FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/11     10:01:d4:ae:52:1a:ee:50   FLOGI_REJECTED   1
Fc 1/1/12     10:01:d4:ae:52:2b:ff:52   NONE             0
Supported Releases
10.5.2.0 or later

show npg node-interface
Display details in a Node-facing interface.
VFabric Id : 300
Node Intf     FLOGI   FDISC   Re-distributed
---------------------------------------------------
Eth 1/1/51    1       9       10
Supported Releases
10.5.2.0 or later

show fc statistics
Displays the FC statistics.
Syntax
show fc statistics {vfabric vfabric-ID | interface fibrechannel}
Parameters
● vfabric-ID — Enter the vfabric ID.
● fibrechannel — Enter the Fibre Channel interface name.
Example
OS10# show fc switch
Switch Mode : FPORT
Switch WWN : 10:00:14:18:77:20:8d:cf
Supported Releases
10.3.1E or later

show running-config vfabric
Displays the running configuration for the vfabric.
Syntax
show running-config vfabric
Parameters
None
Defaults
Not configured
Command Mode
EXEC
Usage Information
None
Example
OS10# show running-configuration vfabric
!
vfabric 10
 vlan 100
 fcoe fcmap 0xEFC00
 fcoe fcf-priority 140
 fcoe fka-adv-period 13
Supported Releases
10.4.
Active ZoneSet: zoneset5
=========================================
Members
fibrechannel1/1/25
port-channel10(Eth 1/1/9)
Supported Releases
10.3.1E or later

vfabric
Configures a vfabric.
Syntax
vfabric fabric-ID
Parameters
fabric-ID — Enter the fabric ID, from 1 to 255.
Defaults
Not configured
Command Mode
CONFIGURATION
Usage Information
Enable the F_Port or NPG feature before configuring a vfabric. You can configure only one vfabric in F_Port mode.
Parameters
vlan-ID — Enter an existing VLAN ID.
Defaults
Not configured
Command Mode
Vfabric CONFIGURATION
Usage Information
Create the VLAN ID before associating it to the vfabric. Do not use a spanned VLAN as the vfabric VLAN. The no version of this command removes the VLAN ID from the vfabric.
Example
OS10(config)# interface vlan 1023
OS10(conf-if-vl-1023)# exit
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# vlan 1023
Supported Releases
10.3.
Usage Information
Enable FIP snooping on a VLAN only after enabling the FIP snooping feature globally using the feature fip-snooping with-cvl command. OS10 supports FIP snooping on a maximum of 12 VLANs. The no version of this command disables FIP snooping on the VLAN.
Example
OS10(config)# interface vlan 3
OS10(conf-if-vl-3)# fip-snooping enable
Supported Releases
10.4.0E(R1) or later

fip-snooping fc-map
Configures the FC map value for a specific VLAN.
Supported Releases
10.4.0E(R1) or later
10.4.3.0 or later—Support for enode-transit and fcf-transit port modes added.

FCoE commands
The following commands are supported on all three modes: F_Port, NPG, and FSB.

clear fcoe database
Clears the FCoE database for the specified VLAN.
Default
Not configured
Command Mode
Global config
Usage Information
Time to wait after the first FCF in the vFabric connects to the NPG switch to send the Multicast discovery Advertisement. This command is supported in NPG mode.
Example
OS10(config)# fcoe delay fcf-adv 16
Supported Releases
10.5.2.0 or later. In previous releases, the command is not available in full switch mode. From this release, the command is available both in full switch mode and fabric mode.
Parameter
priority-value — Enter PFC priority value advertised in FCoE application TLV. You can enter one of the following values: 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, or 0x80.
Default
0x08
Command Mode
CONFIGURATION
Usage Information
You can configure only one PFC priority at a time. The no version of this command returns the configuration to default value.
Example
OS10(config)# fcoe priority-bits 0x08
Supported Releases
10.4.
● Uplink Intf—The name of the FC uplink interface.
● FLOGI—Number of Fabric Login Sessions in the FC uplink interface.
● FDISC—Number of Fabric Discovery Sessions in the FC uplink interface.
● Load—Total number of sessions (FLOGI and FDISC) in the FC uplink interface.
● Speed—Link speed of the FC uplink interface.
● Excess Load—Excess load is the absolute (Current load on the link - ((Minimum load per 8G speed in current state) * port-speed/8G)).
Example
-----------------------------------------------------------------
Fc 1/1/1 1 9 10 8 7
Fc 1/1/2 3 3 6 16 0
-----------------------------------------------------------------
4 12 16 24 7
-----------------------------------------------------------------
Session Re-distributions: 16 Session Re-distribution(s)
-------------------------------------------------------------------------
Node WWPN From Uplink Intf To Uplink Intf No.
Usage Information In NPG mode, displays all the logical FCF(s) associated with various fabrics available in the gateway switch. Since this logical FCF is not associated with any particular interface, the FCF interface column of this command's output will display a '~' symbol instead of the interface name. This convention is similar to the one used in FPORT and Multi-switch mode of operation. Starting from Release 10.5.2.
show fcoe sessions
Displays the details of the established FCoE sessions.
Syntax
show fcoe sessions [interface vlan vlan-id]
Parameters
vlan-id — (Optional) Enter the VLAN ID. This option displays the sessions established on the specified VLAN.
Supported Releases
10.4.0E(R1) or later

show fcoe system
Displays system information related to the FCoE.
Syntax
show fcoe system
Parameters
None
Default
Not configured
Command Mode
EXEC
Usage Information
None
Example
OS10# show fcoe system
Mode: FIP Snooping Bridge
CVL Status: Enabled
FCOE VLAN List (Operational) : 1, 100
FCFs                         : 1
Enodes                       : 2
Sessions                     : 17
Supported Releases
10.4.0E(R1) or later

show fcoe vlan
Displays details of FIP-snooping VLANs.
Usage Information Displays the statistics of node facing interfaces in all available or specified vFabrics. This command is supported in NPG mode. The following table lists the fields and descriptions displayed in the output: Table 54.
This command is supported in NPG mode. The fields and the corresponding descriptions are described as follows:
● Uplink Intf—The name of the FC uplink interface.
● FCF Availability Status—Status of the logical FCF of that fabric, whether it is available to establish session or not. This field takes values as Yes or No.
● FAD timeout left—Number of seconds left for the FCF Advertisement Delay timer to expire.
FCF Availability Status : No
Uplink Intf   Upstream Fabric-Name      Error Reason     Duplicate FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/11     10:01:d4:ae:52:1a:ee:50   FLOGI_REJECTED   1
Fc 1/1/12     10:01:d4:ae:52:2b:ff:52   NONE             0
VFabric Id : 300
FAD Timeout Left : 0 second(s)
FCF Availability Status : Yes
Uplink Intf   Upstream Fabric-Name      Error Reason     Duplicate FC-Id(s)
-----------------------------------------------------------------
Fc 1/1/13     20:01:d4:ae:52:1a:ee:53   NONE             1
Fc 1/1/14 20:0
● virt-mnt—Enables debug messages corresponding to the Rx Virtual Link Maintenance frames.
● vlan-disc—Enables debug messages corresponding to the Rx VLAN Discovery packet.
● sw-rscn—Enables debug messages that are involved during the Switch-Registered State Change Notification (Sw-RSCN).
Supported Releases 10.5.2.
12 Layer 2

802.1X
Verifies device credentials before sending or receiving packets using the Extensible Authentication Protocol (EAP), see 802.1X Commands.

Link Aggregation Control Protocol (LACP)
Exchanges information between two systems and automatically establishes a link aggregation group (LAG) between the systems, see LACP Commands.
The authentication process contains three devices:
● Supplicant — The device attempting to access the network performs the role of supplicant. Regular traffic from this device does not reach the network until the port associated to the device is authorized. Before that, the supplicant can only exchange 802.1x messages (EAPOL frames) with the authenticator.
EAP over RADIUS
802.1X uses RADIUS to transfer EAP packets between the authenticator and the authentication server. EAP messages are encapsulated in RADIUS packets as an attribute in type, length, value (TLV) format; the type value for EAP messages is 79.

Configure 802.1X
You can configure and enable 802.1X on a port in a single process. OS10 supports 802.1X with EAP-MD5, EAP-TLS, and EAP-TTLS. All platforms support RADIUS as the authentication server.
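The type-79 encapsulation described under EAP over RADIUS can be checked on a captured Access-Request with the following added example, which is not code from the guide or from OS10. It goes beyond the guide in two places, both taken from RFC 3579: an EAP packet longer than 253 octets is split across consecutive type-79 attributes, and a packet carrying EAP-Message must also carry a valid Message-Authenticator (type 80). The shared secret, the sample EAP packet, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE = 79             # attribute type stated in the guide
MESSAGE_AUTHENTICATOR = 80   # RFC 3579: must accompany EAP-Message
ACCESS_REQUEST = 1
MAX_ATTR_VALUE = 253         # 255-octet attribute minus type and length octets

SECRET = b"constructed-shared-secret"                            # constructed
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 305, 1) + b"a" * 300     # constructed EAP-Response/Identity


def build_access_request(identifier, eap_packet, secret):
    """Build an Access-Request that carries eap_packet in type-79 attributes."""
    attrs = b""
    for off in range(0, len(eap_packet), MAX_ATTR_VALUE):
        chunk = eap_packet[off:off + MAX_ATTR_VALUE]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)   # zeroed while the MAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Return [(type, value_offset, value)], rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def extract_eap(packet, secret):
    """Verify Message-Authenticator, then return the reassembled EAP packet."""
    attrs = parse_attributes(packet)
    eap = b"".join(value for a_type, _, value in attrs if a_type == EAP_MESSAGE)
    if not eap:
        raise ValueError("no EAP-Message attribute")
    auths = [(off, value) for a_type, off, value in attrs
             if a_type == MESSAGE_AUTHENTICATOR]
    if len(auths) != 1 or len(auths[0][1]) != 16:
        raise ValueError("EAP-Message without a valid Message-Authenticator")
    off, received = auths[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = bytearray(packet[:length])
    zeroed[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch")
    # The EAP header is code, identifier and a 2-octet total length.
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("reassembled EAP length mismatch")
    return eap


if __name__ == "__main__":
    pkt = build_access_request(42, SAMPLE_EAP, SECRET)
    print([a_type for a_type, _, _ in parse_attributes(pkt)])
    print(len(extract_eap(pkt, SECRET)))
```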
Enable 802.1X
1. Enable 802.1X globally in CONFIGURATION mode.
dot1x system-auth-control
2. Enter an interface or a range of interfaces in CONFIGURATION mode.
interface range
3. Enable 802.1X on the supplicant interface only in INTERFACE mode.
dot1x port-control auto
Configure and verify 802.
Identity retransmissions
If the authenticator sends a Request Identity frame but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. There are several reasons why the supplicant might fail to respond: the supplicant may be booting when the request arrived, there may be a physical layer problem, and so on.
1.
The Request Identity Retransmit interval is for an unresponsive supplicant. You can configure the interval for a maximum of 10 times for an unresponsive supplicant.
1. Configure the amount of time that the authenticator waits to retransmit a Request Identity frame after a failed authentication in INTERFACE mode from 1 to 65535, default 60 seconds.
● Place a port in the auto, force-authorized (default), or force-unauthorized state in INTERFACE mode.
dot1x port-control {auto | force-authorized | force-unauthorized}
Configure and verify force-authorized state
OS10(conf-range-eth1/1/7-1/1/8)# dot1x port-control force-authorized
OS10(conf-range-eth1/1/7-1/1/8)# do show dot1x interface ethernet 1/1/7
802.
Tx Period:            120 seconds
Quiet Period:         120 seconds
Supplicant Timeout:   30 seconds
Server Timeout:       30 seconds
Re-Auth Interval:     3600 seconds
Max-EAP-Req:          5
Host Mode:            MULTI_HOST
Auth PAE State:       Initialize
Backend State:        Initialize
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface
...
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface
...
Command Mode
INTERFACE
Usage Information
The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x host-mode multi-host
Supported Releases
10.2.0E or later

dot1x max-req
Changes the maximum number of requests that the device sends to a supplicant before restarting 802.1X authentication.
Syntax
dot1x max-req retry-count
Parameters
max-req retry-count — Enter the retry count for the request sent to the supplicant before restarting 802.
Default
Disabled
Command Mode
INTERFACE
Usage Information
The no version of this command disables the periodic reauthentication of 802.1X supplicants.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x re-authentication
Supported Releases
10.2.0E or later

dot1x timeout quiet-period
Sets the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
Default
30 seconds
Command Mode
INTERFACE
Usage Information
The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x server-timeout 60
Supported Releases
10.2.0E or later

dot1x timeout supp-timeout
Sets the number of seconds that the device waits for the supplicant to respond to an EAP request frame before the device retransmits the frame.
Default
Not configured
Command Mode
EXEC
Usage Information
None
Example
OS10# show dot1x
PAE Capability:        Authenticator only
Protocol Version:      2
System Auth Control:   Enable
Auth Server:           Radius
Supported Releases
10.2.0E or later

show dot1x interface
Displays 802.1X configuration information.
Syntax
show dot1x interface ethernet node/slot/port[:subport]
Parameters
ethernet node/slot/port[:subport]—Enter the Ethernet interface information.
RADIUS server commands

radius-server host
Configures a RADIUS server and the key used to authenticate the switch on the server.
Syntax
radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the RADIUS server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● key 0 authentication-key — Enter an authentication key in plain text.
Usage Information
For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands. RADIUS over TLS authentication requires that X.
radius-server timeout
Configures the timeout used to resend RADIUS authentication requests.
Syntax
radius-server timeout seconds
Parameters
seconds — Enter the time in seconds for retransmission, from 1 to 100.
Default
An OS10 switch stops sending RADIUS authentication requests after five seconds.
Command Mode
CONFIGURATION
Usage Information
Use this command to globally configure the timeout value used on RADIUS servers. The no version of this command resets the value to the default.
FEFD helps detect far-end failure when the following problems occur:
● Only one side receives packets although the physical layer (L1) of the link is up on both sides.
● Transceivers are not connected to the correct ports.

FEFD states
FEFD comprises the following four states:
● Idle—FEFD is disabled.
● Unknown—Shown when FEFD is enabled and changes to bi-directional after successful handshake with the peer. Also shown if the peer goes down in normal mode.
Table 55. FEFD state changes
Local event (User intervention) | Configured FEFD mode | Local state (Show display) | Local admin state (Result) | Local line protocol status (Result) | Remote state (Show display) | Remote admin state (Result) | Remote line protocol status (Result)
Shutdown (user configuration) | Normal | Admin Shutdown | Down | Down | Line protocol is down. | Up | Down
Shutdown (user configuration) | Aggressive | Admin Shutdown | Down | Down | Line protocol is down.
● Configure FEFD Aggressive mode globally using the fefd-global mode aggressive command in CONFIGURATION mode.
OS10(Config)# fefd-global mode aggressive
2. (Optional) Configure the FEFD interval using the fefd-global interval command in CONFIGURATION mode and enter the interval in seconds. The range is from 3 to 255 seconds.
OS10(Config)# fefd-global interval 20
3. (Optional) Disable FEFD on a specific interface if required using the fefd disable command in INTERFACE mode.
eth1/1/4    NA    NA    Idle (Not running)
eth1/1/5    NA    NA    Idle (Not running)
eth1/1/6    NA    NA    Idle (Not running)
eth1/1/7    NA    NA    Idle (Not running)
The following is a sample output of FEFD information for an interface:
rt-maa-s4248FBL-3# show fefd ethernet 1/1/1
FEFD is globally 'ON', interval is 15 seconds, mode is Normal.
INTERFACE   MODE  INTERVAL  STATE
============================================================
eth1/1/1    NA    NA        Idle (Not running)

FEFD Commands

debug fefd
Enables debugging of FEFD.
To unconfigure FEFD on an interface, use either the no fefd command or the no fefd mode command. To return to the default FEFD interval, use the no fefd interval command.
Example
OS10(conf-if-eth1/1/9)# fefd
OS10(conf-if-eth1/1/9)# fefd mode aggressive
OS10(conf-if-eth1/1/9)# fefd mode interval 10
Supported Releases
10.4.3.0 or later

fefd-global
Configures FEFD globally.
Usage Information
If you do not enter the interface name, this command resets the error-disabled state of all interfaces because FEFD is set to Aggressive mode.
Example
OS10# fefd reset
OS10# fefd reset ethernet 1/1/2
Supported Releases
10.4.3.0 or later

show fefd
Displays FEFD information globally or for a specific interface.
Syntax
show fefd [interface]
Parameters
● (Optional) interface—Enter the interface information.
Link Aggregation Control Protocol
Group Ethernet interfaces to form a single link layer interface called a LAG or port channel. Aggregating multiple links between physical interfaces creates a single logical LAG, which balances traffic across the member links within an aggregated Ethernet bundle and increases the uplink bandwidth. If one member link fails, the LAG continues to carry traffic over the remaining links. For information about LAG load balancing and hashing, see Load balancing.
Configure LACP
OS10(config)# lacp system-priority 65535
OS10(config)# interface range ethernet 1/1/7-1/1/8
OS10(conf-range-eth1/1/7-1/1/8)# lacp port-priority 4096
OS10(conf-range-eth1/1/7-1/1/8)# lacp rate fast
Verify LACP configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration
...
!
interface ethernet1/1/7
 lacp port-priority 4096
 lacp rate fast
 no shutdown
!
interface ethernet1/1/8
 lacp port-priority 4096
 lacp rate fast
 no shutdown
!
...
Configure LACP timeout
OS10(conf-if-eth1/1/29)# lacp rate fast
View port status
OS10# show lacp port-channel
Port-channel 41 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address e4:f0:04:fe:9f:e1
Partner System ID: Priority 4096, Address de:11:de:11:de:11
Actor Admin Key 41, Oper Key 41, Partner Oper Key 41
Fallback: Not configured, Fallback port preemption: Configured, Fallback timeout: 15 seconds
Fallback Port Elected:
LACP LAG ID 41 is an aggregatable link
A - Active LACP, B - Passive LA
OS10(conf-if-eth1/1/29)# no switchport
OS10(conf-if-eth1/1/29)# channel-group 1 mode active
OS10(conf-if-eth1/1/29)# interface ethernet 1/1/30
OS10(conf-if-eth1/1/30)# no switchport
OS10(conf-if-eth1/1/30)# channel-group 1 mode active
OS10(conf-if-eth1/1/30)# interface ethernet 1/1/31
OS10(conf-if-eth1/1/31)# no switchport
OS10(conf-if-eth1/1/31)# channel-group 1 mode active
Alpha verify LAG port configuration
OS10# show lacp port-channel
Port-channel 41 admin up, oper up, mode lacp
Actor System ID: Prior
227562 64-byte pkts, 9344941 over 64-byte pkts, 1772495308 over 127-byte pkts 3544631784 over 255-byte pkts, 7088975548 over 511-byte pkts, 5.
42975359 64-byte pkts, 148695530 over 64-byte pkts, 36673423689 over 127-byte pkts 73342977260 over 255-byte pkts, 146685062757 over 511-byte pkts, 1.
You can set the timer using the lacp fallback timeout timer-value command. The LACP fallback feature adds a member port to the LACP port channel if it does not receive LACP PDUs from the peer for a particular period. The server uses the fallback port to finalize the PXE-boot process. When the server starts with the operating system, the process completes the LACP handshake and the fallback port rejoins the other members. The member port becomes active and sends packets to the PXE server.
LACP fallback in non-VLT network
In a non-VLT network, LACP fallback enables rebooting of a ToR or server that is connected to the switch through normal LACP. The other end of the switch is connected to a DHCP/PXE server, as shown in the following figure:
In the above scenario, LACP fallback works as follows:
1. The ToR/server boots.
2. The switch detects the link that is up and checks the fallback enabled status. If fallback is enabled, the device waits for the time-out period for any LACP BPDUs.
In the above scenario, LACP fallback works as follows:
1. The ToR/server boots.
2. One of the VLT peers takes care of controlling the LACP fallback mode. All events are sent to the controlling VLT peer for deciding the port that should be brought up, and then the decision is passed on to the peer device.
3. The controlling VLT peer can decide to bring up one of the ports in either the local port channel or in the peer VLT port channel.
4.
Usage Information
When you delete the last physical interface from a port channel, the port channel remains. Configure these attributes on an individual member port. If you configure a member port with an incompatible attribute, OS10 suspends that port in the port channel. The member ports in a port channel must have the same setting for link speed capability and duplex capability. The no version of this command removes the interface from the port channel.
Example
Supported Releases
lacp fallback preemption
Enables or disables LACP fallback port preemption.
Syntax
lacp fallback preemption {enable | disable}
Parameters
● enable—Enables preemption on the port channel.
● disable—Disables preemption on the port channel.
Default
Enabled
Command Mode
Port-channel INTERFACE
Usage Information
When you enable preemption, the fallback port election preempts the already elected fallback port and elects a new fallback port.
Parameters
max-bundle-number — Enter the maximum bundle size (1 to 32).
Default
32
Command Mode
INTERFACE
Usage Information
The no version of this command resets the maximum bundle size to the default value.
Example
OS10(conf-if-po-10)# lacp max-bundle 10
Supported Releases
10.2.0E or later

lacp port-priority
Sets the priority for the physical interfaces for LACP.
Syntax
lacp port-priority priority
Parameters
priority — Enter the priority for the physical interfaces (0 to 65535).
Default
32768
Command Mode
CONFIGURATION
Usage Information
Each device that runs LACP has an LACP system priority value. LACP uses the system priority with the MAC address to form the system ID and also during negotiation with other systems. The system ID is unique for each device. The no version of this command resets the system priority to the default value.
Example
OS10(config)# lacp system-priority 32768
Supported Releases
10.2.
Example OS10# show lacp interface ethernet 1/1/129 Invalid Port id, Max.
Partner Oper Key: 1
Partner Oper State:aggregation synchronization collecting distributing defaulted expired
Supported Releases
10.2.0E or later

show lacp port-channel
Displays information about LACP port channels.
Syntax
show lacp port-channel [interface port-channel channel-number]
Parameters
● interface port channel — (Optional) Enter the interface port-channel.
● channel-number — (Optional) Enter the port channel number for the LACP neighbor (1 to 128).
Supported Releases
10.2.0E or later

Link Layer Discovery Protocol
Dell EMC SmartFabric OS10 supports:
● Link Layer Discovery protocol (LLDP)
● Link Layer Discovery Protocol — Media Endpoint Discovery (LLDP-MED)
LLDP is a one-way protocol that enables network devices on a local area network (LAN) to discover and advertise their capabilities to adjacent LAN devices. LLDP devices advertise their capabilities in the form of LLDP data units (LLDPDUs).
Mandatory TLVs
OS10 supports the three mandatory TLVs. These mandatory TLVs are at the beginning of the LLDPDU in the following order:
● Chassis ID TLV
● Port ID TLV
● Time-to-live TLV

Table 56. Mandatory TLVs
Mandatory TLVs | Type | Description
Chassis ID | 1 | Identifies the chassis.
Port ID | 2 | Identifies a port through which the LAN device transmits LLDPDUs.
Time-to-live | 3 | Number of seconds that the received information in this LLDPDU is valid.
End of LLDPDU | 0 | Marks the end of an LLDPDU.
Table 57. Basic TLVs (continued)
TLV | Type | Description
Management address | 8 | Network address of the management interface.

Organizationally specific TLVs
Table 58. 802.1x organizationally specific TLVs (Type – 127, OUI – 00-80-C2)
TLV | Subtype | Description
Link aggregation | 7 | ● Indicates whether the link associated with the port on which the LLDPDU is transmitted is aggregated. ● Provides the aggregated port identifier.
Port VLAN ID | 1 | Untagged VLAN to which a port belongs.
Custom TLVs
iDRAC organizationally specific TLVs
Table 62. iDRAC organizationally specific TLVs; Subtypes used in iDRAC custom TLVs (Type – 127, OUI – 0xF8-0xB1-0x56)
TLV | Subtype | Description
Originator | 1 | Indicates the iDRAC string that is used as the originator. This string enables external switches to identify iDRAC LLDPDUs.
Port type | 2 | Following are the applicable port types: 1. iDRAC port (dedicated) 2. NIC port 3.
Table 63. Isilon-related TLVs (Type – 127, OUI – 0xF8-0xB1-0x56) (continued)
TLV | Subtype | Description
 | | address for the specific fabric instance. The RA prefix is different for each fabric.
Fabric ID | 3 | Indicates the ID of the fabric the LLDPDU is originating from.
Isilon-related TLVs – Subtypes used in LLDP custom TLVs that are transacted by the OS10 switches
Originator | 1 | Indicates the OS10 string that is used as the originator. The string enables the OS10 switches to identify LLDPDUs.
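A receiver-side check of the rules in the TLV tables above, as an added example that is not code from the guide or from OS10: it walks an LLDPDU, confirms that the mandatory TLVs come first in the stated order, reads the time-to-live, and reports type-127 TLVs whose OUI is not one of the two listed in the tables. The 7-bit type and 9-bit length header layout and the ID subtypes (4 for a MAC address chassis ID, 5 for an interface-name port ID) come from IEEE 802.1AB, not from the guide; both sample LLDPDUs are constructed, and all function names are illustrative.

```python
import struct

MANDATORY_ORDER = [1, 2, 3]   # Chassis ID, Port ID, Time-to-live (Table 56)
END_OF_LLDPDU = 0
ORG_SPECIFIC = 127
KNOWN_OUIS = {                # OUIs named in the guide's TLV tables
    bytes.fromhex("0080c2"): "IEEE 802.1",
    bytes.fromhex("f8b156"): "Dell custom",
}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length share the first two octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu):
    """Yield (type, value) pairs, stopping at End of LLDPDU."""
    pos = 0
    while pos < len(lldpdu):
        if pos + 2 > len(lldpdu):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack("!H", lldpdu[pos:pos + 2])
        tlv_type, length = header >> 9, header & 0x1FF
        pos += 2
        if pos + length > len(lldpdu):
            raise ValueError("TLV length runs past the end of the frame")
        yield tlv_type, lldpdu[pos:pos + length]
        pos += length
        if tlv_type == END_OF_LLDPDU:
            return   # anything after this is frame padding


def inspect_lldpdu(lldpdu):
    """Return the TTL, the organizationally specific TLVs seen, and findings."""
    tlvs = list(iter_tlvs(lldpdu))
    types = [t for t, _ in tlvs]
    findings, ttl, org = [], None, []
    if types[:3] != MANDATORY_ORDER:
        findings.append("mandatory TLVs missing or out of order: %s" % types[:3])
    if not types or types[-1] != END_OF_LLDPDU:
        findings.append("no End of LLDPDU TLV")
    for index, (tlv_type, value) in enumerate(tlvs):
        if tlv_type in MANDATORY_ORDER and index >= 3:
            findings.append("mandatory TLV type %d repeated" % tlv_type)
        if tlv_type == 3 and ttl is None:
            if len(value) == 2:
                ttl = struct.unpack("!H", value)[0]
            else:
                findings.append("Time-to-live TLV is not 2 octets")
        if tlv_type == ORG_SPECIFIC:
            if len(value) < 4:
                findings.append("organizationally specific TLV too short")
                continue
            oui, subtype = value[:3], value[3]
            label = "-".join("%02x" % b for b in oui)
            if oui not in KNOWN_OUIS:
                findings.append("unrecognised OUI %s" % label)
            org.append((KNOWN_OUIS.get(oui, label), subtype))
    return {"ttl": ttl, "org": org, "findings": findings}


# Constructed samples. TTL is the guide's 30-second interval times multiplier 4.
_CHASSIS = tlv(1, b"\x04" + bytes.fromhex("3417ebf205c4"))
_PORT = tlv(2, b"\x05" + b"ethernet1/1/1")
_TTL = tlv(3, struct.pack("!H", 30 * 4))
GOOD_LLDPDU = (_CHASSIS + _PORT + _TTL
               + tlv(127, bytes.fromhex("0080c2") + b"\x01" + struct.pack("!H", 1))
               + tlv(0, b""))
BAD_LLDPDU = (_PORT + _CHASSIS + _TTL
              + tlv(127, bytes.fromhex("aabbcc") + b"\x01")
              + tlv(0, b""))

if __name__ == "__main__":
    print(inspect_lldpdu(GOOD_LLDPDU))
    print(inspect_lldpdu(BAD_LLDPDU))
```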
Enable LLDP globally in CONFIGURATION mode.
OS10(config)# lldp enable
● To enable LLDP on an interface:
When you enable LLDP globally, it is enabled on all interfaces. You can enable or disable LLDP on individual interfaces to both transmit and receive LLDP information. Also, you can configure an interface to only transmit or receive LLDP information.
Enable LLDP in INTERFACE mode.
For example, if the LLDP timer transmit interval is set to 30 seconds and the holdtime-multiplier is set to 4, the TTL is 120 seconds (30 x 4). The default TTL is 120 seconds. You can adjust the TTL value by changing the multiplier value of the holdtime.
1. Adjust the TTL value in CONFIGURATION mode.
lldp holdtime-multiplier
2. Return to the default multiplier value in CONFIGURATION mode.
4. Specify a name for VLAN 1 in INTERFACE VLAN mode.
vlan-name vlan1

Transmit the VLAN names of a specific set of VLANs
When you configure the interface to send the names of specific VLANs using the lldp vlan-name-tlv allowed vlan command, the interface can transmit a maximum of eight VLAN names. If you specify 10 VLANs and the default VLAN has a name, the interface transmits LLDPDUs with VLAN names of the default VLAN and the first seven VLANs configured with a name.
The interface transmits the name of the default VLAN even if the default VLAN ID is not explicitly configured. The interface transmits the first eight VLAN names and excludes the names of VLAN 9 and VLAN 10. The following shows that the interface transmits the names of VLANs 1 to 8:
OS10# show lldp interface ethernet 1/1/1 local-device
Device ID: 34:17:eb:f2:05:c4
Port ID: ethernet1/1/1
System Name: OS10
Capabilities: Router, Bridge, Repeater
System description: Dell EMC Networking OS10 Enterprise.
5 vlan5
6 vlan6
7 vlan7
8 vlan8
9 vlan9
Maximum size of LLDP PDU: 1500
Current LLDP PDU Size: 386
LLDP PDU Truncated(Too many TLV's): false
LLDP MED Capabilities:
Supported: LLDP-MED Capabilities, Network Policy, Inventory Management
Current: LLDP-MED Capabilities, Network Policy
LLDP MED Device Type: Network connectivity
Disable and reenable LLDP TLVs
By default, the interfaces advertise all LLDP TLVs except VLAN name TLV.
● Disable LLDP TLVs in INTERFACE mode.
Enable LLDP TLVs
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# lldp tlv-select basic-tlv system-name system-description
OS10(conf-if-ma-1/1/1)# lldp tlv-select dot1tlv port-vlan-id
Advertise management address TLVs in a VLT domain
The management address TLV advertises the IP address of the management interface to adjacent LAN devices. The system advertises this information in the management address TLV of all the physical ports.
R1(conf-if-eth1/1/7)# lldp tlv-select basic-tlv system-name
R1(conf-if-eth1/1/7)# lldp tlv-select dot3tlv macphy-config
R1(conf-if-eth1/1/7)# lldp tlv-select dot3tlv max-framesize
R1(conf-if-eth1/1/7)# lldp tlv-select dot1tlv link-aggregation
R1(conf-if-eth1/1/7)# lldp tlv-select dot1tlv port-vlan-id
R1(conf-if-eth1/1/7)# lldp management-addr-tlv ipv4 virtual-ip
Sample configuration on R2: Enable the list of LLDP TLVs that need to be advertised from R2.
Total Med Frames Out : 0
Total Med Frames In : 0
Total Med Frames Discarded : 0
Total Med TLVS Discarded : 0
Total Med Capability TLVS Discarded: 0
Total Med Policy TLVS Discarded : 0
Total Med Inventory TLVS Discarded : 0
View LLDP neighbor advertisements
● View brief information about the LLDP neighbors learned by the OS10 switch.
LLDP-MED Capabilities, Network Policy, Location Identification, Extended Power via MDI - PSE, Extended Power via MDI - PD, Inventory Management Current: LLDP-MED Capabilities, Network Policy, Location Identification, Extended Power via MDI - PD, Inventory Management Device Class: Endpoint Class 3 Network Policy: Application: voice, Tag: Tagged, Vlan: 50, L2 Priority: 6, DSCP Value: 46 Inventory Management: H/W Revision : 12.1.1 F/W Revision : 10.1.9750B S/W Revision : 10.1.
Table 64. LLDP-MED organizationally specific TLVs (Type – 127) (continued)
TLV | Subtype | Description
● Coordinate-based LCI
● Civic address LCI
● Emergency call services ELIN
Extended power-via-MDI | 4 |
● Power requirements
● Priority
● Power status
NOTE: Only Rx function is supported for location identification and extended power via MDI TLVs.
LLDP-MED capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and network-connectivity device support.
● VLAN tagged or untagged status ● L2 priority ● DSCP value You can configure a LLDP-MED network policy to generate an individual network policy TLV for each application type. For more information, see Define network policies. NOTE: Signaling is a series of control packets that are exchanged between an endpoint device and a network-connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets where a connection is made.
● To disable LLDP-MED on an interface, use the lldp med disable command in INTERFACE mode.
OS10(conf-if-eth1/1/1)# lldp med disable
Enable LLDP-MED
When LLDP-MED is disabled, you can reenable LLDP-MED on an interface.
● To enable LLDP-MED on an interface, use the lldp med enable command in INTERFACE mode.
OS10(conf-if-eth1/1/1)# lldp med enable
NOTE: If you enable LLDP MED on an interface, the system transmits MED TLVs only when it receives a TLV from a peer.
Rapid availability is crucial for applications such as emergency call service location (E911).
● Configure the fast start repeat count, which is the number of packets that are sent during activation, in CONFIGURATION mode, from 1 to 10, default 3.
lldp med fast-start-repeat-count number
Configure fast start repeat count
OS10(config)# lldp med fast-start-repeat-count 5
LLDP commands
clear lldp counters
Clears LLDP and LLDP-MED transmit, receive, and discard statistics from all physical interfaces.
Command Mode CONFIGURATION
Usage Information This command enables LLDP globally for all Ethernet PHY interfaces, except on those interfaces where you manually disable LLDP. The no version of this command disables LLDP globally irrespective of whether you manually disable LLDP on an interface.
Example OS10(config)# lldp enable
Supported Releases 10.3.1E or later
lldp holdtime-multiplier
Configures the multiplier value for the hold time.
Command Mode INTERFACE
Usage Information LLDP-MED communicates the types of TLVs that the endpoint device and network-connectivity device support. Use the no lldp med or lldp med disable command to disable LLDP-MED on a specific interface.
Example OS10(conf-if-eth1/1/1)# lldp med disable
Supported Releases 10.2.0E or later
lldp med network-policy
Manually defines an LLDP-MED network policy.
Default Not configured
Command Mode INTERFACE
Usage Information Attach only one network policy per interface.
Example OS10(conf-if-eth1/1/5)# lldp med network-policy add 1
Supported Release 10.2.0E or later
lldp med tlv-select
Configures the LLDP-MED TLV type to transmit or receive.
Syntax lldp med tlv-select {network-policy | inventory}
Parameters
● network-policy — Enable or disable the port description TLV.
● inventory — Enable or disable the system TLV.
lldp receive
Enables or disables the LLDP packet reception on a specific interface.
Syntax lldp receive
Parameters None
Default Not configured
Command Mode INTERFACE
Usage Information Enable LLDP globally on the system before using the lldp receive command. The no version of this command disables the reception of LLDP packets.
Example OS10(conf-if-eth1/1/3)# lldp receive
Supported Releases 10.2.0E or later
lldp reinit
Configures the delay time in seconds for LLDP to initialize on any interface.
lldp tlv-select basic-tlv
Enables or disables TLV attributes to transmit and receive LLDP packets.
Syntax lldp tlv-select basic-tlv {port-description | system-name | system-description | system-capabilities | management-address [ipv4 | ipv6]}
Parameters ● ● ● ● ● ● ●
Default Enabled
Command Mode INTERFACE
Usage Information The no form of the command disables TLV attribute transmission and reception in LLDP packets.
● link-aggregation — Enable the link aggregation TLV. ● vlan-name — Configure dot1 TLVs to send and receive the names of VLANs in LLDP frames. Default Enabled. vlan-name is disabled. Command Mode INTERFACE Usage Information The link-aggregation parameter advertises link aggregation as a dot1 TLV in the LLDPDUs. The vlan-name parameter advertises the names of VLANs in LLDP frames. The no version of this command disables TLV transmissions.
lldp vlan-name-tlv allowed vlan Specifies a single or multiple VLANs' names to transmit in LLDPDUs. Syntax lldp vlan-name-tlv allowed vlan vlan-id Parameters vlan-id—Specify a single VLAN or multiple VLANs. Default Disabled Command Mode INTERFACE Usage Information This command specifies VLANs' names to transmit in LLDPDUs along with the configured default VLAN. If you do not use this command, the interface sends the name of the default VLAN if a name is configured.
System Name: 0075 Capabilities: Router, Bridge, Repeater System description: Dell EMC Networking OS10 Enterprise. Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved. System Description: OS10 Enterprise. OS Version: 10.4.9999EX.
show lldp med Displays the LLDP MED information for all the interfaces. Syntax show lldp med Parameters None Default Not configured Command Mode EXEC Usage Information Use the show lldp interface command to view MED information for a specific interface.
Usage Information This command status information includes local port ID, remote hostname, remote port ID, remote VLAN names, and remote node ID.
Example
Example (Detail)
Example OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 120
Reinit-time in seconds: 6
Transmit interval in seconds: 30
Supported Releases 10.2.0E or later
show lldp tlv-select interface
Displays the TLVs enabled for an interface.
Syntax show lldp tlv-select interface ethernet node/slot/port[:subport]
Parameters ethernet node/slot/port[:subport] — Enter the Ethernet interface information, from 1 to 253.
Example (Interface) OS10# show lldp traffic interface ethernet 1/1/2
LLDP Traffic Statistics:
Total Frames Out : 45
Total Entries Aged : 1
Total Frames In : 33
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0
LLDP MED Traffic Statistics:
Total Med Frames Out :
Total Med Frames In :
Total Med Frames Discarded :
Total Med TLVS Discarded :
Total Med Capability TLVS Discarded:
Total Med Policy TLVS Discarded :
Total Med Inventory TLVS Discarded
● Enter an aging time (in seconds) in CONFIGURATION mode, from 0 to 1000000, default 1800. mac address-table aging-time seconds NOTE: On the Dell EMC PowerSwitch S4200-ON series, the default MAC aging time is set as 550 seconds. This is the maximum value that can be configured.
View MAC Address Table Entries
OS10# show mac address-table
VlanId  Mac Address        Type     Interface
1       00:00:15:c6:ca:49  dynamic  ethernet1/1/21
1       00:00:20:2a:25:55  dynamic  ethernet1/1/21
1       90:b1:1c:f4:aa:ce  dynamic  ethernet1/1/21
1       90:b1:1c:f4:aa:c6  dynamic  ethernet1/1/21
10      34:17:eb:02:8c:33  static   ethernet1/1/1
View MAC Address Table Count
OS10# show mac address-table count
MAC Entries for all vlans :
Dynamic Address Count : 4
Static Address (User-defined) Count : 1
Total MAC Addresses in Use: 5
Clear MAC A
Usage Information Use the all parameter to remove all dynamic entries from the address table.
Example OS10# clear mac address-table dynamic all
Example (VLAN) OS10# clear mac address-table dynamic vlan 20
Supported Releases 10.2.0E or later
mac address-table aging-time
Configures the aging time for entries in the L2 address table.
Syntax mac address-table aging-time seconds
Parameters seconds — Enter the aging time for MAC table entries in seconds, from 0 to 1000000.
show mac address-table
Displays information about the MAC address table.
Syntax show mac address-table [address mac-address | aging-time | [count [vlan vlan-id] | dynamic | interface {ethernet node/slot/port[:subport] | port-channel number}]| static [address mac-address] | vlan vlan-id
Parameters
● address mac-address — (Optional) Displays MAC address table information.
● aging-time — (Optional) Displays MAC address table aging-time information.
Supported Releases 10.2.0E or later
Spanning-tree protocol
This section describes how spanning-tree features work and covers the different variants of STP.
Introduction to STP
The spanning-tree protocol is a Layer 2 network protocol that prevents loops in a network topology. Spanning-tree is useful when more than one network path exists and devices in the network are either competing for or sharing these paths.
Use the spanning-tree disable command to disable the STP. Backward compatibility and interoperability Spanning tree modes are backward compatible and interoperable with the STP version. The OS10 interoperability feature is designed to support the convergence when the peer switch is running PVST+. When an OS10 switch that is configured in RPVST+ mode is connected to a vendor switch running PVST+ mode, convergence happens on all VLANs in the domain.
● When the port is added to the port channel that is in the Error Disable state, the new member port is disabled in the hardware. ● When the port is removed from the port channel that is in the Error Disable state, the system clears the Error_Disabled state on the physical port and enables it in the hardware. To clear the Error Disabled state: ● Use the shutdown command on the interface. ● Use the spanning-tree bpduguard disable command to disable the BPDU guard on the interface.
Loop guard
OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# spanning-tree guard loop
OS10(conf-if-eth1/1/4)# do show spanning-tree interface ethernet 1/1/4
ethernet1/1/4 of vlan1 is root Forwarding
Edge port:no (default) port guard :none (default)
Link type is point-to-point (auto)
Boundary: NO bpdu filter : bpdu guard : bpduguard shutdown-on-violation :disable RootGuard: disable LoopGuard enable
Bpdus (MRecords) sent 7, received 20
Interface Designated
Name PortID Prio Cost Sts Cost Bridge ID
Error-Disable Cause Detect Status
----------------------------------------------
bpduguard Enabled
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval: 300 seconds
Error-Disable Reason Recovery Status
---------------------------------------------------
bpduguard Enabled
Interface Errdisable Cause Recovery Time left (seconds)
---------------------------------------------------------------------
ethernet 1/1/1:1 bpduguard 273
ethernet 1/1/2 bpduguard 4
port-channel 12 bpduguard 45
MAC flush optim
Rapid-PVST Rapid-PVST allows (VLAN, port) based flush until the number of calls sent is equal to the MAC flush threshold value that is configured. When the number of calls sent exceeds the configured threshold, rapid-PVST ignores further (VLAN, port) based flush and starts the MAC flush timer. When the timer starts, the system blocks further flush. When the timer expires for that specific instance, the system triggers VLAN-based flushing. By default, the MAC flush threshold value is set to 5.
MST instances Verify the VLAN-to-MST instance mapping using the show commands. If you see extra MST instances in the Sending or Received logs, an additional MST instance was configured on one router but not the others. ● View BPDUs in EXEC mode. debug spanning-tree bpdu ● View MST-triggered topology change messages in EXEC mode.
Common STP commands
This section explains the common STP commands. STP variant-specific commands are explained in the individual sections under RSTP, MSTP, and Rapid-PVST. There are two sets of STP-related commands.
● STP commands that are common and can be used irrespective of the STP variant enabled on the device.
● STP commands that are specific to the particular STP variant.
clear spanning-tree counters
Clears the counters for STP.
Parameters None Default Enabled Command Mode CONFIGURATION Usage Information This command applies only to STP-enabled ports. The command takes effect only when the BPDU guard is configured on a port. When the detect cause option is enabled, the port is shut down whenever there is a BPDU guard violation. When the option is disabled, the port is not shut down but moved to BLOCKING state whenever there is a BPDU guard violation.
The no version of the command resets the timer to the default value.
Example OS10(config)# errdisable recovery interval 45
Supported Releases 10.4.2.0 or later
clear spanning-tree detected-protocol
Forces the ports to renegotiate with neighbors.
Syntax clear spanning-tree detected-protocol [interface {ethernet node/slot/port[:subport] | port-channel number}]
Parameters
● interface — Enter the interface type:
○ ethernet node/slot/port[:subport] — Enter the Ethernet interface information, from 1 to 48.
Command Mode INTERFACE
Usage Information BPDU guard prevents a port from receiving BPDUs. If the port receives a BPDU, it is placed in the Error-Disabled state.
Example OS10(conf-if-eth1/1/4)# spanning-tree bpduguard enable
Supported Releases 10.2.0E or later
spanning-tree disable
Disables Spanning-Tree mode configured with the spanning-tree mode command globally on the switch or specified interfaces.
Syntax spanning-tree disable
Parameters None
Default Not configured.
● point-to-point—Specifies that the interface is a point-to-point or full-duplex link. ● shared—Specifies that the interface is a half-duplex medium. Default Auto Command Mode INTERFACE Usage Information As specified in IEEE 802.1w, OS10 assumes a port that runs in full-duplex mode as a point-to-point link. A point-to-point link transitions to forwarding state faster. By default, OS10 derives the link-type of a port from the duplex mode.
Supported Releases 10.2.0E or later spanning-tree port Sets the port type as the EdgePort. Syntax spanning-tree port type edge Parameters None Default Not configured Command Mode INTERFACE Usage Information When you configure an EdgePort on a device running STP, the port immediately transitions to the Forwarding state. Only configured ports connected to end hosts act as EdgePorts. Example Supported Releases OS10(config-inf)# spanning-tree port type edge 10.2.
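The following Python audit is an added example, not code from this guide or from Dell. It reads running-configuration text and lists EdgePorts and access ports on which spanning-tree bpduguard enable is missing or was later overridden by spanning-tree bpduguard disable. The sample configuration is constructed; the stanza layout (an interface line, indented commands, ! as separator) and the policy of treating access ports as host-facing are assumptions.

```python
import re

# Constructed sample in the stanza layout of "show running-configuration".
# Interface numbers and VLAN IDs are illustrative, not taken from the guide.
SAMPLE_CONFIG = """\
!
interface ethernet1/1/1
 no shutdown
 switchport mode access
 switchport access vlan 604
 spanning-tree port type edge
 spanning-tree bpduguard enable
!
interface ethernet1/1/2
 no shutdown
 switchport mode access
 switchport access vlan 604
 spanning-tree port type edge
!
interface ethernet1/1/3
 no shutdown
 switchport mode trunk
 spanning-tree guard loop
!
interface ethernet1/1/4
 no shutdown
 switchport access vlan 10
 spanning-tree port type edge
 spanning-tree bpduguard enable
 spanning-tree bpduguard disable
!
interface port-channel10
 no shutdown
 switchport mode access
 switchport access vlan 20
!
"""

# Accepts "ethernet1/1/1" and "ethernet 1/1/1" style names.
IFACE_RE = re.compile(r"^interface\s+((?:ethernet|port-channel)\s*\S+)$")


def parse_interfaces(config):
    """Split a running configuration into {interface: [stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = IFACE_RE.match(line)
        if match:
            current = re.sub(r"\s+", "", match.group(1))
            stanzas[current] = []
        elif line == "!" or not raw[:1].isspace():
            current = None  # "!" or any unindented line ends the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def stp_state(lines):
    """Return (edge, bpduguard); the last matching command in the stanza wins."""
    edge = guard = False
    for line in lines:
        if line == "spanning-tree port type edge":
            edge = True
        elif line == "spanning-tree bpduguard enable":
            guard = True
        elif line == "spanning-tree bpduguard disable":
            guard = False
    return edge, guard


def audit_host_ports(config):
    """List (interface, reason) for host-facing ports that lack BPDU guard.

    Assumed policy: a port is host-facing if it is an EdgePort or an access port.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        edge, guard = stp_state(lines)
        access = "switchport mode access" in lines
        if guard or not (edge or access):
            continue
        reason = "edge port" if edge else "access port"
        findings.append((name, reason + " without BPDU guard"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_host_ports(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

An EdgePort moves straight to the Forwarding state, so a flagged port is one where a received BPDU is processed instead of placing the port in the Error-Disabled state.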
ethernet1/1/10 bpduguard/mac-learning-limit/mac-move 10
port-channel100 Mac-learning-limit 50
port-channel128 mac-move 49
Supported Releases 10.4.2.0 or later
show spanning-tree interface
Displays spanning-tree interface information for Ethernet and port-channels.
Syntax show spanning-tree interface {ethernet node/slot/port [:subport] | port-channel port-id} [detail]
Parameters
● ethernet node/slot/port[:subport] — Displays spanning-tree information for a physical interface.
Each VLAN is assigned an incremental default bridge priority. For example, if VLAN 1 is assigned a bridge priority value of 32769, then VLAN 2 (if created) is assigned a bridge priority value of 32770; similarly, VLAN 10 (if created) is assigned a bridge priority value of 32778, and so on. All three instances have the same forwarding topology. NOTE: Z9332F-ON supports a total of 64 instances, of which 3 VLANs are used for internal purposes.
Load balance and root selection By default, all VLANs use the same forwarding topology — R2 is elected as the root and all 10G Ethernet ports have the same cost. Bridge priority can be modified for each VLAN to enable different forwarding topologies. To achieve Rapid-PVST load balancing, assign a different priority on each bridge. Enable Rapid-PVST By default, Rapid-PVST is enabled and creates an instance during VLAN creation.
ethernet1/1/27 128.216 128 500 BLK 0 32769 3417.ec37.1400 128.56 ethernet1/1/28 128.224 128 500 BLK 0 32769 3417.ec37.1400 128.64 Interface Name Role PortID Prio Cost Sts Cost Link-type Edge -------------------------------------------------------------------------------------------ethernet1/1/5 Altr 128.40 128 500 BLK 500 AUTO No ethernet1/1/6 Altr 128.48 128 500 BLK 500 AUTO No ethernet1/1/7 Desg 128.56 128 500 FWD 500 AUTO No ethernet1/1/8 Altr 128.64 128 500 BLK 500 AUTO No ethernet1/1/9 Altr 128.
ethernet1/1/5 ethernet1/1/6 Desg Desg 128.276 128.280 128 128 500 500 FWD FWD 0 0 AUTO AUTO No No View brief configuration OS10# show spanning-tree brief Spanning tree enabled protocol rapid-pvst with force-version rstp VLAN 1 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 4097, Address 90b1.1cf4.a523 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 4097, Address 90b1.1cf4.
spanning-tree vlan vlan-id root primary command ensures that the switch has the lowest bridge priority value by setting the predefined value of 24,576. If an alternate root bridge is required, use the spanning-tree vlan vlan-id root secondary command. The command sets the priority for the switch to the predefined value of 28,672. If the primary root bridge fails, the command ensures that the alternate switch becomes the root bridge.
View Rapid-PVST global parameters OS10# show spanning-tree active Spanning tree enabled protocol rapid-pvst with force-version rstp VLAN 1 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32769, Address 90b1.1cf4.a523 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32769, Address 90b1.1cf4.
Usage Information The media speed of a LAN interface determines the STP port path cost default value.
Example OS10(conf-if-eth1/1/4)# spanning-tree vlan 10 cost 1000
Supported Releases 10.2.0E or later
spanning-tree vlan disable
Disables spanning tree on a specified VLAN.
Syntax spanning-tree vlan vlan-id disable
Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093.
Example OS10(config)# spanning-tree rpvst force-version stp
Supported Releases 10.2.0E or later
spanning-tree vlan hello-time
Sets the time interval between generation and transmission of Rapid-PVST BPDUs.
Syntax spanning-tree vlan vlan-id hello-time seconds
Parameters
● vlan-id — Enter the VLAN ID number, from 1 to 4093.
● seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree vlan 10 max-age 10
Supported Releases 10.2.0E or later
spanning-tree vlan priority
Sets the priority value for Rapid-PVST.
Syntax spanning-tree vlan vlan-id priority priority value
Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree vlan 1 root primary
Supported Releases 10.2.0E or later
spanning-tree rapid-pvst default behavior
Allows Rapid PVST+ switching between the current OS10 behavior and behavior expected by vendors other than OS9 or OS10.
Example (RapidPVST mode) OS10# show spanning-tree compatibility-mode Interface Name Instance Compatibility-mode -----------------------------------------------ethernet1/1/1 VLAN 1 RSTP ethernet1/1/1 VLAN 2 RSTP ethernet1/1/1 VLAN 3 RSTP ethernet1/1/1 VLAN 4 RSTP ethernet1/1/1 VLAN 5 RSTP ethernet1/1/2 VLAN 1 STP ethernet1/1/2 VLAN 2 STP ethernet1/1/2 VLAN 3 STP ethernet1/1/2 VLAN 4 STP ethernet1/1/2 VLAN 5 STP OS10# show spanning-tree compatibility-mode port-channel 1 Interface Name Instance Compatibility
Usage Information Forces a bridge that supports Rapid-PVST to operate in an STP-compatible mode.
Example OS10(config)# spanning-tree rapid-pvst force-version stp
Supported Releases 10.2.0E or later
Rapid Spanning-Tree Protocol
Rapid Spanning-Tree Protocol (RSTP) is similar to STP, but provides faster convergence and interoperability with devices configured with STP and MSTP. RSTP is disabled by default. All enabled interfaces in L2 mode are automatically added to the RSTP topology.
View all ports participating in RSTP
OS10# show spanning-tree
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 90b1.1cf4.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ------------------------------------------------------------------------ethernet1/1/1 Disb 128.260 128 200000000 BLK 0 AUTO No ethernet1/1/2 Disb 128.264 128 200000000 BLK 0 AUTO No ethernet1/1/3 Disb 128.268 128 200000000 BLK 0 AUTO No ethernet1/1/4 Disb 128.272 128 200000000 BLK 0 AUTO No ethernet1/1/5:1 Disb 128.
ethernet1/1/2 248.128 128 500 BLK 0 32768 90b1.1cf4.9b8a ethernet1/1/3 252.128 128 500 FWD 0 32768 90b1.1cf4.9b8a ethernet1/1/4 256.128 128 500 BLK 0 32768 90b1.1cf4.9b8a Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ---------------------------------------------------------ethernet1/1/1 Altr 128.244 128 500 BLK 0 AUTO No ethernet1/1/2 Altr 128.248 128 500 BLK 0 AUTO No ethernet1/1/3 Root 128.252 128 500 FWD 0 AUTO No ethernet1/1/4 Altr 128.256 128 500 BLK 0 AUTO No 128.248 128.252 128.
View bridge priority and root bridge assignment OS10# show spanning-tree active Spanning tree enabled protocol rstp with force-version rstp Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 3417.4455.667f Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 36864, Address 90b1.1cf4.
ethernet1/1/3 252.128 128 500 FWD 0 32768 90b1.1cf4.9b8a ethernet1/1/4 256.128 128 500 BLK 0 32768 90b1.1cf4.9b8a Interface Name Role PortID Prio Cost Sts Cost Link-type Edge -----------------------------------------------------------ethernet1/1/1 Altr 128.244 128 500 BLK 0 AUTO No ethernet1/1/2 Altr 128.248 128 500 BLK 0 AUTO No ethernet1/1/3 Root 128.252 128 500 FWD 0 AUTO No ethernet1/1/4 Altr 128.256 128 500 BLK 0 AUTO No Supported Releases 128.252 128.256 10.2.
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree rstp forward-time 16
Supported Releases 10.2.0E or later
spanning-tree rstp hello-time
Sets the time interval between generation and transmission of RSTP BPDUs.
Syntax spanning-tree rstp hello-time seconds
Parameters seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Default 20 seconds
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# spanning-tree rstp max-age 10
Supported Releases 10.2.0E or later
spanning-tree rstp priority
Sets the priority value for RSTP.
Syntax spanning-tree rstp priority priority value
Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
1. Enable MST, if the current running spanning-tree protocol (STP) version is not MST. 2. (Optional) Map the VLAN to different instances in such a way that the traffic is load balanced well and the link utilization is efficient. 3. Ensure the same region name is configured in all the bridges running MST. 4. (Optional) Configure the revision number. The revision number is the same on all the bridges.
OS10(conf-mst)# revision 100
OS10(conf-mst)# instance 1 vlan 2-10
OS10(conf-mst)# instance 2 vlan 11-20
OS10(conf-mst)# instance 3 vlan 21-30
View VLAN instance mapping
OS10# show spanning-tree mst configuration
Region Name: Dell
Revision: 100
MSTI VID
0 1,31-4093
1 2-10
2 11-20
3 21-30
View port forwarding/discarding state
os10# show spanning-tree msti 0 brief
Spanning tree enabled protocol msti with force-version mst
MSTI 0 VLANs mapped 1-3999,4091-4093
Executing IEEE compatible Spanning Tree Protocol
ethernet1/1/13 128.104 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.104 ethernet1/1/14 128.112 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.112 ethernet1/1/15 128.120 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.120 ethernet1/1/16 128.128 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.128 ethernet1/1/17 128.136 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.136 ethernet1/1/18 128.144 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.144 ethernet1/1/19 128.152 128 200000000 BLK 0 32768 90b1.1cf4.a625 128.
ethernet1/1/9 AUTO No ethernet1/1/10 AUTO No ethernet1/1/11 AUTO No ethernet1/1/12 AUTO No ethernet1/1/13 AUTO No ethernet1/1/14 AUTO No ethernet1/1/15 AUTO No ethernet1/1/16 AUTO No ethernet1/1/17 AUTO No ethernet1/1/18 AUTO No ethernet1/1/19 AUTO No ethernet1/1/20 AUTO No ethernet1/1/21 AUTO No ethernet1/1/22 AUTO No ethernet1/1/23 AUTO No ethernet1/1/24 AUTO No ethernet1/1/25 AUTO No ethernet1/1/26 AUTO No ethernet1/1/27 AUTO No ethernet1/1/28 AUTO No ethernet1/1/29 AUTO No ethernet1/1/30 AUTO No etherne
Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 3417.4455.667f Root Bridge hello time 2, max age 20, forward delay 15, max hops 20 Bridge ID Priority 32768, Address 90b1.1cf4.a523 Configured hello time 2, max age 20, forward delay 15, max hops 20 CIST regional root ID Priority 32768, Address 90b1.1cf4.
Max-hops A maximum number of hops a BPDU travels before a receiving device discards it.
NOTE: Dell EMC recommends that only experienced network administrators change MST parameters. Poorly planned modification of MST parameters can negatively affect network performance.
1. Change the forward-time parameter in CONFIGURATION mode, from 4 to 30, default 15.
spanning-tree mst forward-time seconds
2. Change the hello-time parameter in CONFIGURATION mode, from 1 to 10, default 2.
● Port-channel with 1-Gigabit Ethernet interfaces — 18000
● Port-channel with 10-Gigabit Ethernet interfaces — 1800
1. Change the port cost of an interface in INTERFACE mode, from 1 to 200000000.
spanning-tree msti number cost 1
2. Change the port priority of an interface in INTERFACE mode, from 0 to 240 in increments of 16, default 128.
Usage Information By default, the MST protocol assigns the system MAC address as the region name. Two MST devices within the same region must share the same region name, including matching case. Example Supported Releases OS10(conf-mst)# name my-mst-region 10.2.0E or later revision Configures a revision number for the MSTP configuration. Syntax revision number Parameters number — Enter a revision number for the MSTP configuration, from 0 to 65535.
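The following Python check is an added example, not code from this guide or from Dell. It parses show spanning-tree mst configuration output collected from two bridges and reports differences in region name (compared case-sensitively), revision number, and VLAN-to-instance mapping. SWITCH_A repeats the mapping shown earlier in this guide, SWITCH_B is constructed, and the parser assumes each MSTI row carries its whole VLAN list on one line.

```python
import re

# Constructed outputs in the layout of "show spanning-tree mst configuration".
# SWITCH_A repeats the mapping shown in this guide; SWITCH_B is made up.
SWITCH_A = """\
Region Name: Dell
Revision: 100
MSTI    VID
0       1,31-4093
1       2-10
2       11-20
3       21-30
"""
SWITCH_B = """\
Region Name: dell
Revision: 100
MSTI    VID
0       1,31-4093
1       2-10
2       11-25
3       26-30
"""

ROW_RE = re.compile(r"^(\d+)\s+(\d[\d,\-]*)$")


def expand_vlans(spec):
    """Expand '1,31-33' into {1, 31, 32, 33}."""
    vlans = set()
    for part in spec.split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_mst_config(text):
    """Parse region name, revision and the VLAN -> MSTI map.

    Assumes each MSTI row carries its whole VLAN list on one line.
    """
    config = {"name": None, "revision": None, "vlan_to_msti": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Region Name:"):
            config["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Revision:"):
            config["revision"] = int(line.split(":", 1)[1])
        else:
            row = ROW_RE.match(line)
            if row:
                for vlan in expand_vlans(row.group(2)):
                    config["vlan_to_msti"][vlan] = int(row.group(1))
    return config


def compress(vlans):
    """Turn [21, 22, 23, 30] into '21-23,30'."""
    out, start, prev = [], None, None
    for vlan in sorted(vlans):
        if start is None:
            start = prev = vlan
        elif vlan == prev + 1:
            prev = vlan
        else:
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = prev = vlan
    if start is not None:
        out.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(out)


def region_mismatches(reference, other):
    """Return the differences that keep two bridges out of one MST region."""
    problems = []
    if reference["name"] != other["name"]:  # comparison is case-sensitive
        problems.append(f"region name {other['name']!r} != {reference['name']!r}")
    if reference["revision"] != other["revision"]:
        problems.append(f"revision {other['revision']} != {reference['revision']}")
    ref_map, other_map = reference["vlan_to_msti"], other["vlan_to_msti"]
    moved = {}
    for vlan in sorted(set(ref_map) | set(other_map)):
        pair = (ref_map.get(vlan), other_map.get(vlan))
        if pair[0] != pair[1]:
            moved.setdefault(pair, []).append(vlan)
    for (ref_msti, other_msti), vlans in moved.items():
        problems.append(
            f"VLAN {compress(vlans)}: MSTI {ref_msti} on reference, MSTI {other_msti} here"
        )
    return problems


if __name__ == "__main__":
    for problem in region_mismatches(parse_mst_config(SWITCH_A), parse_mst_config(SWITCH_B)):
        print(problem)
```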
spanning-tree msti Configures the MSTI, cost, and priority values for an interface. Syntax spanning-tree msti instance {cost cost | priority value} Parameters ● msti instance — Enter the MST instance number, from 0 to 63. For Z9332F-ON platform, enter a MST instance value from 0 to 61. ● cost cost — (Optional) Enter a port cost value, from 1 to 200000000.
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command enables spanning tree on the specified MST instance.
Example OS10(config)# spanning-tree mst 10 disable
Supported Releases 10.4.0E(R1) or later
spanning-tree mst force-version
Configures a forced version of STP to transmit BPDUs.
Syntax spanning-tree mst force-version {stp | rstp}
Parameters
● stp — Forces the version for the BPDUs transmitted by MST to STP.
Default 2 seconds
Command Mode CONFIGURATION
Usage Information Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports. The no version of this command resets the value to the default.
Example OS10(config)# spanning-tree mst hello-time 5
Supported Releases 10.2.0E or later
spanning-tree mst mac-flush-threshold
Configures the mac-flush threshold value for a specific instance.
spanning-tree mst max-hops Configures the maximum hop count for a BPDU to travel before it is discarded. Syntax spanning-tree mst max-hops number Parameters number — Enter a maximum hop value, from 6 to 40. Default 20 Command Mode CONFIGURATION Usage Information A device receiving BPDUs waits until the max-hops value expires before discarding it. When a device receives the BPDUs, it decrements the received value of the remaining hops and uses the resulting value as remaining-hops in the BPDUs.
○ ethernet node/slot/port[:subport] — Enter the Ethernet port information, from 1 to 48. ○ port-channel — Enter the port-channel interface information, from 1 to 128. Default Not configured Command Mode EXEC Usage Information View the MST instance information for a specific MST instance number in detail or brief, or view physical Ethernet ports or port-channel information.
ethernet1/1/8 ...
Default Management VLAN SFS sets the MAC of the default management VLAN 4020 to the system MAC. This is different from the MAC that is used for Data VLAN. If you change the default management VLAN, the new management VLAN will also have the system MAC. NOTE: When the network operator initiates the upgrade, the management VLAN MAC will change automatically. Due to this change you may observe a change in the IP when MAC-IP binding is enabled.
Delete a range of VLANs
OS10(config)# no interface range vlan 2-10
View configured VLANs
OS10# show interface vlan
Vlan 1 is up, line protocol is up
Address is 00:00:00:00:00:c9, Current address is 00:00:00:00:10:c9
Interface index is 69208865
Internet address is 10.1.1.
1. Configure a port in CONFIGURATION mode.
interface ethernet node/slot/port[:subport]
2. Set the interface to Switchport mode as access in INTERFACE mode.
switchport mode access
3. Enter the VLAN number for the untagged port in INTERFACE mode.
switchport access vlan vlan-id
Configure port in Access mode
OS10(config)# interface ethernet 1/1/9
OS10(config-if-eth1/1/9)# switchport mode access
OS10(config-if-eth1/1/9)# switchport access vlan 604
Show running configuration
OS10# show running-configuration
...
!
...
Assign IP address
You can assign an IP address to each VLAN to make it an L3 VLAN. All the ports in that VLAN belong to that particular IP subnet. The traffic between the ports in different VLANs is routed using the IP address. Configure the L3 VLAN interface to remain administratively UP or DOWN using the shutdown and no shutdown commands. This provisioning only affects the L3 traffic across the members of a VLAN and does not affect the L2 traffic.
Input statistics: 0 packets, 0 octets Output statistics: 0 packets, 0 octets Time since last interface status change: 15:48:51 Vlan 320 is up, line protocol is down Address is 00:00:00:00:00:c9, Current address is 00:00:00:00:10:c9 Interface index is 69209184 Internet address is 20.2.11.
LineSpeed 10G ARP type: ARPA, ARP Timeout: 60 Last clearing of "show interface" counters: 3 weeks 5 days 13:46:23 Queuing strategy: fifo Input statistics: 995446 packets, 342789180 octets Output statistics: 1368934 packets, 369275748 octets Time since last interface status change: 3 weeks 5 days 13:45:57 Vlan 200 is up, line protocol is down Address is 00:00:00:00:00:c9, Current address is 00:00:00:00:10:c9 Interface index is 69209064 Internet address is 10.1.15.
Because ACL rules are created on a per-VLAN basis, the number of VLANs that can be created depends on the number of ACL rules available. The ACL space is also shared by other applications such as FCoE. As more VLANs are created, the L2 QoS ACL space for the VLAN ACLs is exhausted. If the VLAN ACL creation fails, the VLAN creation fails as well. As a result, there cannot be more than 256 VLANs in Fabric mode.
The following figure shows the anycast IP-based gateway configuration for a VLAN: The ip virtual-router address and ipv6 virtual-router address commands assign the specified address as the virtual IPv4 or IPv6 address for the VLAN interface, respectively. Before assigning the anycast IP address to a VLAN interface, configure a virtual MAC address to the switch using the ip virtual-router mac-address command. All virtual addresses on all VLAN interfaces resolve to the configured virtual MAC address.
● Ensure that the anycast IPv4 or IPv6 address is different from the primary IPv4 or IPv6 address, respectively. For IPv6, you can configure more than one primary IP address. Even when more than one primary IPv6 address or subnet is configured, you can configure only one IPv6 address as the gateway IP address.
● To ping an IPv6 host present in a remote VLAN, use the ping -I command and specify the interface IP address. The -I option is not required when you ping an IPv6 local host in a VLAN.

Example - Anycast IP Gateway for VLANs in VLT topology

This section provides a sample anycast IP gateway configuration for VLANs in a VLT topology.

AG1 configuration

1. Configure a global anycast MAC address.
AG1# configure terminal
AG1(config)# ip virtual-router mac-address 00:00:5e:00:01:01
2. Configure a VLAN Interface with the anycast virtual address.
AG1(config)# interface vlan 3001
AG1(conf-if-vl-3001)# no shutdown
AG1(conf-if-vl-3001)# ip address 10.1.1.
AG1(conf-if-vl-3001)# ipv6 virtual-router address 10:1:1::5
AG1(conf-if-vl-3001)# exit
3. Configure the VLT domain.
AG1(config)# vlt-domain 1
AG1(conf-vlt-1)# backup destination 172.16.1.4 interval 3
AG1(conf-vlt-1)# delay-restore 300
AG1(conf-vlt-1)# discovery-interface ethernet1/1/25:1-1/1/25:4
AG1(conf-vlt-1)# peer-routing
AG1(conf-vlt-1)# primary-priority 1
AG1(conf-vlt-1)# vlt-mac de:11:de:11:de:11
AG1(conf-vlt-1)# multicast peer-routing timeout 450
AG1(conf-vlt-1)# exit
4.
ethernet1/1/25:2   AG2   ethernet1/1/25:2   50:9a:4c:d4:d0:f0
ethernet1/1/25:3   AG2   ethernet1/1/25:3   50:9a:4c:d4:d0:f0
ethernet1/1/25:4   AG2   ethernet1/1/25:4   50:9a:4c:d4:d0:f0
ethernet1/1/17:1   TR1   ethernet1/1/39     e4:f0:04:fe:9f:e1
ethernet1/1/17:2   TR1   ethernet1/1/40     e4:f0:04:fe:9f:e1
ethernet1/1/17:3   TR1   ethernet1/1/41     e4:f0:04:fe:9f:e1
ethernet1/1/17:4   TR1   ethernet1/1/42
ethernet1/1/19:1   TR1   ethernet1/1/43
ethernet1/1/19:2   TR1   ethernet1/1/44
ethernet1/1/19:3   TR1   ethernet1/1/45
ethernet1/1/19:4   TR1   ethernet1/1/46
4. Configure a port channel interface towards AG3, AG4, TR1, CR1, and CR2.
7. View VLAN members.
AG2# show vlan 3001
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
@ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated
Q: A - Access (Untagged), T - Tagged
NUM    Status   Description   Q Ports
3001   Active                 T Eth1/1/9:1-1/1/9:2
                              T Po1,41-48,1000
8. View port channel members.
AG3(config)# interface port-channel 53
AG3(conf-if-po-53)# vlt-port-channel 53
AG3(config)# interface port-channel 54
AG3(conf-if-po-54)# vlt-port-channel 54
AG3(config)# interface port-channel 55
AG3(conf-if-po-55)# vlt-port-channel 55
AG3(config)# interface port-channel 56
AG3(conf-if-po-56)# vlt-port-channel 56
AG3(config)# interface port-channel 57
AG3(conf-if-po-57)# vlt-port-channel 57
AG3(config)# interface port-channel 58
AG3(conf-if-po-58)# vlt-port-channel 58
5.
51 52 53 54 55 56 57 58 L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID L2-HYBRID up up up up up up up up 01:41:40 01:41:39 01:41:39 01:41:38 01:41:37 01:41:36 01:41:36 01:41:35 Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth 1/1/24:3 1/1/24:4 1/1/26:1 1/1/26:2 1/1/26:3 1/1/26:4 1/1/17:1 1/1/17:2 1/1/17:3 1/1/17:4 1/1/19:1 1/1/19:2 1/1/19:3 1/1/19:4 (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) (Up) AG4 configuration 1.
5. Configure the interfaces as VLAN trunk ports and specify the allowed VLANs.
AG1
AG1# show ip arp 10.1.1.10
Codes: pv - private vlan where the mac is originally learnt
Address     Hardware address    Interface   Egress Interface
----------------------------------------------------------------
10.1.1.10   00:41:30:01:00:00   vlan3001    port-channel41
AG1# show mac address-table address 00:41:30:01:00:00
Codes: pv - private vlan where the mac is originally learnt
VlanId   Mac Address         Type      Interface
3001     00:41:30:01:00:00   dynamic   port-channel41
AG1#
AG2
AG2# show ip arp 10.1.1.

Usage Information
● To use special characters as a part of the description string, enclose the string in double quotes.
● To use a comma as a part of the description string, add a double backslash before the comma.
Example
OS10(config)# interface vlan 3
OS10(conf-if-vl-3)# description vlan3
Supported Releases
10.2.0E or later

interface vlan
Creates a VLAN interface.
Syntax
interface vlan vlan-id
Parameters
vlan-id — Enter the VLAN ID number, from 1 to 4093.
ip virtual-router mac-address Configures the MAC address of an anycast L3 gateway for VLAN routing. Syntax ip virtual-router mac-address mac-address Parameters mac-address mac-address—Enter the MAC address of the anycast L3 gateway. Default Not configured Command mode CONFIGURATION Usage information Configure the same MAC address on all VLT switches. As the configured MAC address is automatically used for all VLANs, configure it in Global Configuration mode.
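The anycast gateway rules stated in this chapter (configure the virtual MAC before any virtual address, keep the virtual address different from the primary address, allow only one IPv6 gateway address per VLAN, and use the same virtual MAC on all VLT switches) can be checked offline against saved configurations. The following script is an added example, not Dell code; the running-configuration layout it parses and all addresses other than the virtual MAC, VLAN 3001 and the IPv6 virtual address are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpts. The virtual MAC, VLAN 3001 and the IPv6
# virtual address follow the guide's AG1 example; every other value is made up.
AG1_CFG = """\
ip virtual-router mac-address 00:00:5e:00:01:01
!
interface vlan3001
 no shutdown
 ip address 10.1.1.2/24
 ip virtual-router address 10.1.1.5
 ipv6 address 10:1:1::2/64
 ipv6 virtual-router address 10:1:1::5
"""
AG2_CFG = """\
ip virtual-router mac-address 00:00:5e:00:01:02
!
interface vlan3001
 no shutdown
 ip address 10.1.1.5/24
 ip virtual-router address 10.1.1.5
 ipv6 address 10:1:1::3/64
 ipv6 virtual-router address 10:1:1::5
"""


def parse_anycast(config):
    """Extract the global virtual MAC and per-VLAN primary/virtual addresses."""
    state = {"mac": None, "vlans": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line closes the open stanza
            current = None
        m = re.fullmatch(r"ip virtual-router mac-address (\S+)", line)
        if m:
            state["mac"] = m.group(1).lower()
            continue
        m = re.fullmatch(r"interface vlan ?(\d+)", line)
        if m:
            current = state["vlans"].setdefault(
                int(m.group(1)), {"primary": [], "virtual": []})
            continue
        m = re.fullmatch(r"(ip|ipv6) (virtual-router )?address (\S+)", line)
        if current is None or not m:
            continue
        try:
            addr = ipaddress.ip_interface(m.group(3)).ip
        except ValueError:               # e.g. "ipv6 address autoconfig"
            continue
        current["virtual" if m.group(2) else "primary"].append(addr)
    return state


def check_switch(name, state):
    """Apply the single-switch rules from the anycast gateway section."""
    findings = []
    for vlan, addrs in sorted(state["vlans"].items()):
        if addrs["virtual"] and state["mac"] is None:
            findings.append(f"{name} vlan{vlan}: virtual address configured "
                            "without ip virtual-router mac-address")
        for virt in addrs["virtual"]:
            if virt in addrs["primary"]:
                findings.append(f"{name} vlan{vlan}: virtual address {virt} "
                                "equals a primary address")
        if sum(v.version == 6 for v in addrs["virtual"]) > 1:
            findings.append(f"{name} vlan{vlan}: more than one IPv6 gateway address")
    return findings


def check_peers(name_a, cfg_a, name_b, cfg_b):
    """Check both switches, then compare the anycast settings of the two peers."""
    a, b = parse_anycast(cfg_a), parse_anycast(cfg_b)
    findings = check_switch(name_a, a) + check_switch(name_b, b)
    if a["mac"] != b["mac"]:
        findings.append(f"virtual MAC differs: {name_a}={a['mac']} {name_b}={b['mac']}")
    for vlan in sorted(set(a["vlans"]) | set(b["vlans"])):
        virt_a = set(a["vlans"].get(vlan, {}).get("virtual", []))
        virt_b = set(b["vlans"].get(vlan, {}).get("virtual", []))
        if virt_a != virt_b:
            findings.append(f"vlan{vlan}: virtual addresses differ between peers")
    return findings


if __name__ == "__main__":
    for finding in check_peers("AG1", AG1_CFG, "AG2", AG2_CFG):
        print(finding)
```

On the constructed pair, the script reports the mismatched virtual MAC and the AG2 virtual address that collides with its primary address.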
Example
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
@ - Attached to Virtual Network, P - Primary, C - Community, I - Isolated
Q: A - Access (Untagged), T - Tagged
NUM    Status   Description   Q Ports
* 1    Active                 A Eth1/1/15
                              A Po100
2101   Active                 T Eth1/1/1,1/1/3
                              T Po100
2102   Active                 T Eth1/1/1,1/1/3
Supported Releases
10.2.0E or later

show vlt mismatch
Displays the anycast IP configuration mismatch between VLT peers.
Example PVLAN uses: ● Guest access management—The network administrator in a hotel uses an isolated VLAN for providing guest users access to the Internet. Using isolated VLANs restricts direct access between the guest users. ● Service provider networks—Using PVLAN, a service provider can provide L2 security for customers and use IP addresses more efficiently. For example, the service provider can have a separate community VLAN per customer.
○ You can associate the PVLAN trunk port to both primary and secondary VLANs. This port carries traffic from both the primary and secondary VLANs. ○ To configure a PVLAN trunk port, associate a regular tagged port that is not a promiscuous or secondary port to a VLAN within a PVLAN domain. There are no specific CLI commands to configure a port as a PVLAN trunk port. NOTE: OS10 supports MAC address movement within a PVLAN domain.
● You can configure a regular VLAN as a PVLAN only when it does not have any member ports associated with it. Remove the member ports from a VLAN before you configure it as a PVLAN.
● To convert a PVLAN to a regular VLAN, you must remove the PVLAN mode. Ensure that you remove the member ports from the PVLAN and the primary and secondary VLAN mapping before you remove the PVLAN mode.
● You can configure an L2 switch port as a PVLAN port using the private-vlan mode {promiscuous | secondary-port} command.

a. Create a VLAN.
OS10(config)# interface vlan 30
b. Configure the PVLAN mode as a community VLAN.
OS10(conf-if-vl-30)# private-vlan mode community
c. Configure a secondary port.
OS10(config)# interface ethernet 1/1/3
OS10(conf-if-eth1/1/3)# switchport mode trunk
OS10(conf-if-eth1/1/3)# private-vlan mode secondary-port
d. Associate the secondary port to the community VLAN.
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 30
4. Associate the list of secondary VLANs to the primary VLAN.

NOTE:
● For a regular switch port in Trunk mode, you must tag all VLANs of the PVLAN domain.
● If you enable local proxy ARP in the primary VLAN, both the host and the primary VLAN (as the local proxy) send an ARP reply.

1. Enter Configuration mode.
OS10# configure terminal
2. Enter Interface Configuration mode.
OS10(config)# interface ethernet 1/1/4
3. Configure the Switchport mode as trunk so that the port can carry traffic for more than one VLAN.
OS10(conf-if-eth1/1/4)# switchport mode trunk
4.
5. Associate the port to be a trunk member of a PVLAN secondary VLAN. In this example, vlan 20 is an isolated secondary VLAN.
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 20
6. Associate the port to be a trunk member of a regular VLAN (non-PVLAN).
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 100
7. Configure the PVLAN port as a member of an untagged VLAN. Here VLAN 101 is a regular VLAN.
6. Associate the port to be a trunk member of regular VLAN.
1. Enter Configuration mode.
OS10# configure terminal
2. Enter Interface Configuration mode.
OS10(config)# interface ethernet 1/1/5
3. Remove the port from the PVLANs.
OS10(conf-if-eth1/1/5)# no switchport access vlan
OS10(conf-if-eth1/1/5)# no switchport trunk allowed vlan 10
OS10(conf-if-eth1/1/5)# show configuration
!
interface ethernet1/1/5
 no shutdown
 private-vlan mode promiscuous
 switchport mode trunk
4. Reset PVLAN Port mode.
no shutdown private-vlan mode secondary-port OS10(conf-if-vl-20)# View PVLAN information View PVLAN mapping information OS10# show vlan private-vlan mapping Private Vlan: Primary : 10 Isolated : 20 Community : 30 OS10# show vlan private-vlan Primary Secondary Type Active ------- --------- --------- -----10 Primary Yes 20 Isolated Yes 30 Community Yes Ports -------------------------------------------Eth1/1/1,1/1/5 Eth1/1/2 Eth1/1/3 OS10# show vlan Codes: * - Default VLAN, M - Management VLAN, R - Remote P
To view PVLAN ARP entries that are resolved or configured through a secondary VLAN, use the show ip arp command. OS10# show ip arp Codes: pv – private vlan where the mac is originally learnt Address Hardware address Interface Egress Interface ----------------------------------------------------------------------------11.1.1.2 90:b1:1c:f4:a6:ee ethernet1/1/25:1 ethernet1/1/25:1 41.1.1.2 4c:d9:8f:fa:2b:59 vlan100 port-channel100 pv 20 12.1.1.
1 Secondary-port * 2 vlt-port-channel ID : 30 VLT Unit ID Configured port-mode ---------------------------------------------------------------------------1 Secondary-port * 2 ● To view VLAN mode configuration mismatch: OS10# show vlt 1 mismatch private-vlan vlan-mode Private VLAN mode mismatch: VLAN: 10 VLT Unit ID Configured PVLAN mode ---------------------------------------------------------------------------1 Isolated * 2 Community Interaction with other features Port security OS10 supports the followin
L2 communication is not permitted between hosts connected to ports in an isolated VLAN and hosts connected to ports in any of the secondary VLANs. Also, hosts connected to ports in a community VLAN cannot communicate with hosts connected to ports in another community or isolated VLAN. However, these hosts can communicate with each other over L3 through the primary VLAN. To configure an L3 VLAN interface, enable the local proxy ARP feature. For more information, see Configure Layer 3 VLAN interface.
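The L2 forwarding rules above can be expressed as a small model and used to check an intended segmentation design before it is deployed. This is an added example, not Dell code: VLAN IDs 10, 20 and 30 follow the sample output in this chapter, while VLAN 31 and all port names are constructed, and the model covers host-facing ports only (not PVLAN trunk ports or L3 forwarding through the primary VLAN).

```python
from dataclasses import dataclass

# VLAN IDs 10/20/30 follow the guide's sample output; VLAN 31 and every port
# name below are constructed for this example.
PVLAN_DOMAIN = {
    "primary": 10,
    "secondary": {20: "isolated", 30: "community", 31: "community"},
}


@dataclass(frozen=True)
class HostPort:
    name: str
    mode: str   # "promiscuous" or "secondary-port", as in "private-vlan mode"
    vlan: int   # primary VLAN for promiscuous ports, secondary VLAN otherwise


def port_role(port, domain=PVLAN_DOMAIN):
    """Return 'promiscuous', 'isolated' or 'community'; reject bad bindings."""
    if port.mode == "promiscuous":
        if port.vlan != domain["primary"]:
            raise ValueError(f"{port.name}: promiscuous port outside the primary VLAN")
        return "promiscuous"
    if port.mode == "secondary-port":
        if port.vlan not in domain["secondary"]:
            raise ValueError(f"{port.name}: VLAN {port.vlan} is not a secondary VLAN")
        return domain["secondary"][port.vlan]
    raise ValueError(f"{port.name}: unknown port mode {port.mode!r}")


def l2_allowed(a, b, domain=PVLAN_DOMAIN):
    """True when frames are switched directly at L2 between ports a and b."""
    role_a, role_b = port_role(a, domain), port_role(b, domain)
    if "promiscuous" in (role_a, role_b):
        return True               # promiscuous ports reach every port in the domain
    if "isolated" in (role_a, role_b):
        return False              # isolated ports reach no other secondary port
    return a.vlan == b.vlan       # community ports: same community VLAN only


def l2_matrix(ports, domain=PVLAN_DOMAIN):
    """Map every unordered pair of port names to its L2 verdict."""
    return {
        (a.name, b.name): l2_allowed(a, b, domain)
        for i, a in enumerate(ports)
        for b in ports[i + 1:]
    }


UPLINK = HostPort("uplink", "promiscuous", 10)
GUEST1 = HostPort("guest1", "secondary-port", 20)
GUEST2 = HostPort("guest2", "secondary-port", 20)
TENANT_A1 = HostPort("tenantA-1", "secondary-port", 30)
TENANT_A2 = HostPort("tenantA-2", "secondary-port", 30)
TENANT_B1 = HostPort("tenantB-1", "secondary-port", 31)
PORTS = [UPLINK, GUEST1, GUEST2, TENANT_A1, TENANT_A2, TENANT_B1]

if __name__ == "__main__":
    for (left, right), allowed in l2_matrix(PORTS).items():
        print(f"{left:10} <-> {right:10} {'L2 allowed' if allowed else 'L2 blocked'}")
```

Pairs reported as blocked can still reach each other at L3 through the primary VLAN when local proxy ARP is enabled, so the matrix describes L2 separation only.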
PVLAN commands ip local-proxy-arp Enables the local proxy Address Resolution Protocol (ARP) on an interface. Syntax ip local-proxy-arp Parameters None Default Not applicable Command Mode VLAN INTERFACE CONFIGURATION Usage Information ● The router responds to ARP requests for addresses that are on the same subnetwork of that interface. ● This command is applicable only for the primary VLAN. ● Ensure that you configure an IPv4 address on the primary VLAN before you enable local proxy ARP.
● isolated—Configures the VLAN as an isolated VLAN. ● primary—Configures the VLAN as a primary VLAN. Default Regular VLAN Command Mode VLAN INTERFACE CONFIGURATION Usage Information ● Configures a PVLAN as a community, isolated, or primary VLAN. You must not add VLAN members before you configure PVLAN mode.
Example—To configure an interface as PVLAN promiscuous port.
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# private-vlan mode promiscuous
OS10(conf-if-po-20)#exit
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# private-vlan mode promiscuous
Example—To configure an interface as a secondary port.
OS10(conf-if-po-20)# private-vlan mode secondary-port
OS10(conf-if-po-20)# no private-vlan mode
Example—To configure a secondary port as a trunk port.
Parameters vlan-id—(Optional) Enter a VLAN ID, from 1 to 4093. Command Mode EXEC Usage Information This command displays information about primary and secondary VLANs.
show vlan private-vlan isolated Displays the isolated VLANs and their members (secondary-port) in the device. Syntax show vlan private-vlan isolated Parameters None Command Mode EXEC Usage Information Use this command to verify information about the isolated VLANs and the associated primary VLAN.
Parameters interface-name—Enter the interface information in node/slot/port[:subport] format. Command Mode EXEC Usage Information Use this command to verify information about the PVLAN-specific details of an interface. This command displays the VLAN ID associated with the interface.
Example: PVLAN deployment with L2-L3 boundary at the spine layer The following use case illustrates a deployment scenario in which the end devices that belong to different tenants are separated using secondary VLANs. Here, the private VLAN domain is spanned across two data centers using an ISL trunk port. In this example: ● The configured trunk port carries the traffic for both the primary and secondary VLANs.
AG1 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG1(config)# interface ethernet1/1/11 AG1(conf-if-eth1/1/11)# no shutdown AG1(conf-if-eth1/1/11)# no switchport AG1(conf-if-eth1/1/11)# exit AG1(config)# interface ethernet1/1/12 AG1(conf-if-eth1/1/12)# no shutdown AG1(conf-if-eth1/1/12)# no switchport AG1(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG1(config)# vlt-domain 255 AG1(conf-vlt-255)# backup destination 100.104.80.
AG1(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG1(conf-vlt-255)# peer-routing
AG1(conf-vlt-255)# primary-priority 1
AG1(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG1(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG1(conf-if-po-101)# vlt-port-channel 1022 AG1(conf-if-po-101)# exit 4. Configure the primary VLANs and the PVLAN mode. AG1(config)# interface vlan 100 AG1(conf-if-vl-100)# private-vlan mode primary AG1(conf-if-vl-100)# exit AG1(config)# interface vlan 200 AG1(conf-if-vl-200)# private-vlan mode primary AG1(conf-if-vl-200)# exit 5. Configure the secondary VLANs and the respective PVLAN modes.
AG1(conf-if-eth1/1/2)# no shutdown AG1(conf-if-eth1/1/2)# private-vlan mode secondary-port AG1(conf-if-eth1/1/2)# exit 8. Associate the member ports to the secondary VLANs.
AG2(conf-if-eth1/1/12)# no switchport AG2(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG2(config)# vlt-domain 255 AG2(conf-vlt-255)# backup destination 100.104.80.14 AG2(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12 AG2(conf-vlt-255)# peer-routing AG2(conf-vlt-255)# primary-priority 65535 AG2(conf-vlt-255)# vlt-mac 00:00:00:00:01:01 AG2(conf-vlt-255)# exit 3. Configure the VLT port channels.
AG2(conf-if-eth1/1/10)# no switchport AG2(conf-if-eth1/1/10)# channel-group 101 mode active AG2(conf-if-eth1/1/10)# exit AG2(config)# interface port-channel 101 AG2(conf-if-po-101)# vlt-port-channel 1022 AG2(conf-if-po-101)# exit 4. Configure the primary VLANs and the PVLAN mode. AG2(config)# interface vlan 100 AG2(conf-if-vl-100)# private-vlan mode primary AG2(conf-if-vl-100)# exit AG2(config)# interface vlan 200 AG2(conf-if-vl-200)# private-vlan mode primary AG2(conf-if-vl-200)# exit 5.
AG2(conf-if-eth1/1/1)# no shutdown
AG2(conf-if-eth1/1/1)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/1)# exit
AG2(config)# interface ethernet1/1/2
AG2(conf-if-eth1/1/2)# no shutdown
AG2(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
AG3(config)# interface ethernet1/1/12 AG3(conf-if-eth1/1/12)# no shutdown AG3(conf-if-eth1/1/12)# no switchport AG3(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG3(config)# vlt-domain 255 AG3(conf-vlt-255)# backup destination 100.104.80.15 AG3(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12 AG3(conf-vlt-255)# peer-routing AG3(conf-vlt-255)# primary-priority 1 AG3(conf-vlt-255)# vlt-mac 00:00:00:00:00:02 AG3(conf-vlt-255)# exit 3. Configure the VLT port channels.
AG3(config)# interface vlan 13 AG3(conf-if-vl-13)# private-vlan mode isolated AG3(conf-if-vl-13)# exit AG3(config)# interface vlan 21 AG3(conf-if-vl-21)# private-vlan mode community AG3(conf-if-vl-21)# exit AG3(config)# interface vlan 22 AG3(conf-if-vl-22)# private-vlan mode isolated AG3(conf-if-vl-22)# exit 6. Associate the secondary VLANs to the primary VLAN.
AG4(conf-if-eth1/1/11)# no switchport AG4(conf-if-eth1/1/11)# exit AG4(config)# interface ethernet1/1/12 AG4(conf-if-eth1/1/12)# no shutdown AG4(conf-if-eth1/1/12)# no switchport AG4(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG4(config)# vlt-domain 255 AG4(conf-vlt-255)# backup destination 100.104.80.
AG4(conf-if-vl-12)# private-vlan mode community AG4(conf-if-vl-12)# exit AG4(config)# interface vlan 13 AG4(conf-if-vl-13)# private-vlan mode isolated AG4(conf-if-vl-13)# exit AG4(config)# interface vlan 21 AG4(conf-if-vl-21)# private-vlan mode community AG4(conf-if-vl-21)# exit AG4(config)# interface vlan 22 AG4(conf-if-vl-22)# private-vlan mode isolated AG4(conf-if-vl-22)# exit 6. Associate the secondary VLANs to the primary VLAN.
AG4(conf-if-po-128)# switchport trunk allowed vlan 11-13,21-22,100,200 AG4(conf-if-po-128)# exit Spine Switch 1. Create the primary VLANs extended from AG1 and AG2. SPINE(config)# interface vlan 100 SPINE(conf-if-vl-100)# ip address 172.1.1.1/16 SPINE(conf-if-vl-100)# exit SPINE(config)# interface vlan 200 SPINE(conf-if-vl-200)# ip address 172.2.1.1/16 SPINE(conf-if-vl-200)# exit 2. Associate the VLT port channels to the primary VLANs extended from AG1 and AG2.
To verify private VLAN configurations, use the show vlan private-vlan mapping command. AG1# show vlan private-vlan mapping Private Vlan: Primary : 100 Isolated : 13 Community : 11-12 Private Vlan: Primary : 200 Isolated : 22 Community : 21 AG1# To verify the MAC address table entries for the primary VLAN, use the show mac address-table command. On primary VLAN The output of this show command displays: ● The MAC addresses that are learned on the primary VLAN.
AG1 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG1(config)# interface ethernet1/1/11 AG1(conf-if-eth1/1/11)# no shutdown AG1(conf-if-eth1/1/11)# no switchport AG1(conf-if-eth1/1/11)# exit AG1(config)# interface ethernet1/1/12 AG1(conf-if-eth1/1/12)# no shutdown AG1(conf-if-eth1/1/12)# no switchport AG1(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG1(config)# vlt-domain 255 AG1(conf-vlt-255)# backup destination 100.104.80.
AG1(conf-vlt-255)# discovery-interface ethernet1/1/11-1/1/12
AG1(conf-vlt-255)# peer-routing
AG1(conf-vlt-255)# primary-priority 1
AG1(conf-vlt-255)# vlt-mac 00:00:00:00:01:01
AG1(conf-vlt-255)# exit
3. Configure the VLT port channels.
AG1(conf-if-po-3)# vlt-port-channel 1022 AG1(conf-if-po-3)# exit 4. Configure the primary VLANs and the PVLAN mode. AG1(config)# interface vlan 100 AG1(conf-if-vl-100)# private-vlan mode primary AG1(conf-if-vl-100)# exit AG1(config)# interface vlan 200 AG1(conf-if-vl-200)# private-vlan mode primary AG1(conf-if-vl-200)# exit 5. Configure the secondary VLANs and the respective PVLAN modes.
AG1(conf-if-eth1/1/2)# no shutdown AG1(conf-if-eth1/1/2)# private-vlan mode secondary-port AG1(conf-if-eth1/1/2)# exit 8. Associate the member ports to the secondary VLANs.
AG2 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG2(config)# interface ethernet1/1/11 AG2(conf-if-eth1/1/11)# no shutdown AG2(conf-if-eth1/1/11)# no switchport AG2(conf-if-eth1/1/11)# exit AG2(config)# interface ethernet1/1/12 AG2(conf-if-eth1/1/12)# no shutdown AG2(conf-if-eth1/1/12)# no switchport AG2(conf-if-eth1/1/12)# exit 2. Configure the VLT domain. AG2(config)# vlt-domain 255 AG2(conf-vlt-255)# backup destination 100.104.80.
AG2(config)# interface ethernet1/1/22 AG2(conf-if-eth1/1/22)# no shutdown AG2(conf-if-eth1/1/22)# no switchport AG2(conf-if-eth1/1/22)# channel-group 128 mode active AG2(conf-if-eth1/1/22)# exit AG2(config)# interface port-channel 128 AG2(conf-if-po-3)# vlt-port-channel 1024 AG2(conf-if-po-3)# exit AG2(config)# interface ethernet1/1/10 AG2(conf-if-eth1/1/10)# no shutdown AG2(conf-if-eth1/1/10)# no switchport AG2(conf-if-eth1/1/10)# channel-group 101 mode active AG2(conf-if-eth1/1/10)# exit AG2(config)# inte
AG2(config)# interface port-channel3
AG2(conf-if-po-3)# no shutdown
AG2(conf-if-po-3)# private-vlan mode secondary-port
AG2(conf-if-po-3)# exit
AG2(config)# interface port-channel4
AG2(conf-if-po-4)# no shutdown
AG2(conf-if-po-4)# private-vlan mode secondary-port
AG2(conf-if-po-4)# exit
AG2(config)# interface ethernet1/1/1
AG2(conf-if-eth1/1/1)# no shutdown
AG2(conf-if-eth1/1/1)# private-vlan mode secondary-port
AG2(conf-if-eth1/1/1)# exit
AG2(config)# interface AG2(conf-if-eth1/1/2)# AG2(conf-if-eth1/1/2
AG2(conf-if-vl-200)# ip virtual-router address 172.2.0.254 AG2(conf-if-vl-200)# exit AG3 Leaf Switch 1. Configure the VLTi member links between AG1 and AG2. AG3(config)# interface ethernet1/1/11 AG3(conf-if-eth1/1/11)# no shutdown AG3(conf-if-eth1/1/11)# no switchport AG3(conf-if-eth1/1/11)# exit AG3(config)# interface ethernet1/1/12 AG3(conf-if-eth1/1/12)# no shutdown AG3(conf-if-eth1/1/12)# no switchport AG3(conf-if-eth1/1/12)# exit 2. Configure the VLT domain.
AG3(config)# interface vlan 200 AG3(conf-if-vl-200)# private-vlan mode primary AG3(conf-if-vl-200)# exit 5. Configure the secondary VLANs and the respective PVLAN modes.
9. Associate the ISL to the primary and the secondary VLANs as a normal trunk port. AG3(config)# interface port-channel128 AG3(conf-if-po-128)# switchport mode trunk AG3(conf-if-po-128)# switchport trunk allowed vlan 11-13,21-22,100,200 AG3(conf-if-po-128)# exit 10. Configure anycast MAC address. AG3(config)# ip virtual-router mac-address 00:00:00:44:44:44 11. Configure IP address and anycast IP address on the primary VLANs. AG3(config)# interface vlan 100 AG3(conf-if-vl-100)# ip address 172.1.1.
AG4(conf-if-eth1/1/21)# no shutdown
AG4(conf-if-eth1/1/21)# no switchport
AG4(conf-if-eth1/1/21)# channel-group 128 mode active
AG4(conf-if-eth1/1/21)# exit
AG4(config)# interface ethernet1/1/24
AG4(conf-if-eth1/1/24)# no shutdown
AG4(conf-if-eth1/1/24)# no switchport
AG4(conf-if-eth1/1/24)# channel-group 128 mode active
AG4(conf-if-eth1/1/24)# exit
AG4(config)# interface port-channel128
AG4(conf-if-po-128)# vlt-port-channel 1024
AG4(conf-if-po-128)# exit
4. Configure the primary VLANs and the PVLAN mode.
AG4(config)# interface ethernet1/1/2
AG4(conf-if-eth1/1/2)# no shutdown
AG4(conf-if-eth1/1/2)# private-vlan mode secondary-port
AG4(conf-if-eth1/1/2)# exit
8. Associate the member ports to the secondary VLANs.
SPINE(config)# interface ethernet1/1/11
SPINE(conf-if-eth1/1/11)# no shutdown
SPINE(conf-if-eth1/1/11)# no switchport
SPINE(conf-if-eth1/1/11)# channel-group 101 mode active
SPINE(conf-if-eth1/1/11)# exit
3. (Optional) To enable connectivity between end devices that belong to different secondary VLANs (community, isolated, or both) of a PVLAN domain, enable ip local-proxy-arp on the VLAN in the spine switch.
SPINE(config)# interface vlan100
SPINE(conf-if-vl-100)# ip address 172.1.1.
Local port monitoring In local port monitoring, the monitored source ports and monitoring destination ports are on the same device. In the following diagram, the local port mirroring enables the network switch to forward the copy of the packet on the source port (Eth 1/1/7) to the destination port (Eth 1/1/1). The monitoring device connected with the destination port analyzes the packet.
Configure source and destination port, and traffic direction OS10(conf-mon-local-1)# source interface Eth1/1/1 rx OS10(conf-mon-local-1)# destination interface Eth1/1/2 OS10(conf-mon-local-1)# no shut View configured monitoring sessions In the State field, true indicates that the port is enabled. In the Reason field, Is UP indicates that hardware resources are allocated. OS10# show monitor session all S.
● Destination session, where destination ports connect to analyzers on destination devices. Configure any network device with source and destination ports. Enable the network device to function in an intermediate transport session for a reserved VLAN for multiple remote port monitoring sessions. You can enable and disable individual monitoring sessions.
2. Enter the source to monitor traffic in MONITOR-SESSION mode. source interface interface-type {both | rx | tx}interface-range direction 3. Enter the destination to send the traffic to in MONITOR-SESSION mode. destination remote-vlan vlan-id 4. Enable the monitoring interface in MONITOR-SESSION mode.
! interface ethernet1/1/1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 20 flowcontrol receive on Interface connected to destination intermediate# show running-configuration interface ethernet 1/1/4 ! interface ethernet1/1/4 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 20 flowcontrol receive on Destination switch: interface vlan20 no shutdown destination# show running-configuration access-list ! mac access-list rspan seq
View monitoring session
OS10(conf-mon-rpm-source-10)# do show monitor session all
S.Id  Source  Destination  Dir  SrcIP  DstIP  DSCP  TTL  State  Reason
---------------------------------------------------------------
1     vlan10  vlan 100     rx   N/A    N/A    N/A   N/A  true   Is UP

Encapsulated remote port monitoring

You can also have the monitored traffic transmitted over a port-channel network to a remote analyzer. The encapsulated remote port monitoring (ERPM) session mirrors traffic from the source ports, LAGs, or source VLANs.
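Because local, RPM and ERPM sessions all copy traffic to another port, VLAN or IP destination, a saved configuration can be audited for monitoring sessions that are not on an approved list. The following script is an added example, not Dell code; the running-configuration layout it parses, the approved list, and the treatment of a session as enabled only when `no shut` is present are assumptions, and the sample values reuse session numbers, interfaces and addresses from the examples in this chapter.

```python
import re

# Constructed running-config excerpt (assumed layout); values reuse the
# session numbers, interfaces, VLAN and ERPM addresses shown in this chapter.
SAMPLE_CFG = """\
monitor session 1 type rpm-source
 destination remote-vlan 100
 source interface ethernet1/1/1
 no shut
!
monitor session 2
 destination interface ethernet1/1/26:1
 flow-based enable
 source interface port-channel1 rx
 no shut
!
monitor session 10 type erpm-source
 source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006
 source interface ethernet1/1/9 rx
 no shut
"""

# Hypothetical change-control record: (session id, destination kind, value).
APPROVED = {
    (1, "remote-vlan", "100"),
    (2, "interface", "ethernet1/1/26:1"),
}

# Destination kinds that carry mirrored traffic off the local switch.
OFF_BOX = {"remote-vlan", "erpm"}


def _parse_body(session, line):
    """Record one indented line of a monitor-session stanza."""
    if m := re.fullmatch(r"source interface (\S+)(?: (rx|tx|both))?", line):
        session["sources"].append((m.group(1), m.group(2)))
    elif m := re.fullmatch(r"destination interface (\S+)", line):
        session["destination"] = ("interface", m.group(1))
    elif m := re.fullmatch(r"destination remote-vlan (\d+)", line):
        session["destination"] = ("remote-vlan", m.group(1))
    elif m := re.fullmatch(
            r"source-ip (\S+) destination-ip (\S+)(?: gre-protocol (\d+))?", line):
        session["destination"] = ("erpm", m.group(2))
    elif line in ("no shut", "no shutdown"):
        session["enabled"] = True   # assumption: sessions stay disabled without it


def parse_monitor_sessions(config):
    """Return one dict per 'monitor session' stanza found in the config text."""
    sessions, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"monitor session (\d+)(?: type (\S+))?", line)
        if header:
            current = {"id": int(header.group(1)),
                       "type": header.group(2) or "local",
                       "sources": [], "destination": None, "enabled": False}
            sessions.append(current)
        elif not raw.startswith(" "):
            current = None           # any other top-level line closes the stanza
        elif current is not None:
            _parse_body(current, line)
    return sessions


def audit_sessions(config, approved):
    """List sessions whose (id, destination) pair is not on the approved list."""
    findings = []
    for session in parse_monitor_sessions(config):
        if session["destination"] is None:
            continue                 # incomplete session: nothing is mirrored
        if (session["id"],) + session["destination"] in approved:
            continue
        findings.append({
            "id": session["id"],
            "type": session["type"],
            "destination": session["destination"],
            "sources": [name for name, _ in session["sources"]],
            "enabled": session["enabled"],
            "off_box": session["destination"][0] in OFF_BOX,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_CFG, APPROVED):
        print(finding)
```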
4. Configure TTL and DSCP values in MONITOR-SESSION mode. ip {ttl ttl-number | dscp dscp-number} 5. Enable the monitoring interface in MONITOR-SESSION mode.
1. Enable flow-based monitoring for a monitoring session in MONITOR-SESSION mode. flow-based enable 2. Return to CONFIGURATION mode. exit 3. Create an access list in CONFIGURATION mode. ip access-list access-list-name 4. Define access-list rules using seq, permit, and deny statements in CONFIG-ACL mode. ACL rules describe the traffic to monitor. seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [fragments] [threshold-in-msgs count] [capture session session-id] 5.
OS10(conf-if-eth1/1/9)# mac access-group mac1 in OS10(conf-if-eth1/1/9)# end OS10# show mac access-lists in Ingress MAC access-list mac1 Active on interfaces : ethernet1/1/9 seq 10 deny any any capture session 1 count (0 packets) Remote port monitoring on VLT In a network, devices you configure with peer VLT nodes are considered as a single device. You can apply remote port monitoring (RPM) on the VLT devices in a network.
Configs on VLTPeer1 device Monitor session configs: monitor session 1 type rpm-source destination remote-vlan 100 source interface ethernet1/1/1 //VLTi member port source interface ethernet1/1/2 //VLTi member port no shut RSPAN-VLAN: interface vlan100 no shutdown remote-span Config on VLT port-channel: interface port-channel1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 100 vlt-port-channel 1 ToR switch configs: interface vlan100 no shutdown mac access-list rspan
!
 switchport access vlan 1
 switchport trunk allowed vlan 100
 mac access-group rspan in
monitor session 1
 destination interface ethernet1/1/26:1
 flow-based enable
 source interface port-channel1 rx
 no shut
!
Connect port to packet analyzer:
interface ethernet 1/1/26:1
 no shutdown
 no switchport
 flowcontrol receive on
!
NOTE:
● An access list cannot be applied on the member ports of a port channel, and a flow-based monitor session is not applicable to VLTi member ports.
remote-span mac access-list rspan seq 10 permit any any capture session 1 vlan 10 ! Orphan port: interface ethernet 1/1/25:1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 10 flowcontrol receive on mac access-group rspan in ! interface port-channel 1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 100 vlt-port-channel 1 ! monitor session 1 type rpm-source destination remote-vlan 100 flow-based enable source interface ethernet
Port monitoring commands description Configures a description for the port monitoring session. The monitoring session can be: local, RPM, or ERPM. Syntax description string Parameters string—Enter a description of the monitoring session. A maximum of 255 characters. Default Not configured Command Mode MONITOR-SESSION Usage Information ● To use special characters as a part of the description string, enclose the string in double quotes.
Parameters None Default Disabled Command Mode MONITOR-SESSION Usage Information The no version of this command disables the flow-based monitoring. Example OS10(conf-mon-local-1)# flow-based enable OS10(conf-mon-rpm-source-2)# flow-based enable OS10(conf-mon-erpm-source-3)# flow-based enable Supported Releases 10.2.0E or later ip Configures the IP time-to-live (TTL) value and the differentiated services code point (DSCP) value for the ERPM traffic.
Example (RPM) Example (ERPM) Supported Releases OS10(config)# monitor session 5 type rpm-source OS10(conf-mon-rpm-source-5)# OS10(config)# monitor session 10 type erpm-source OS10(conf-mon-erpm-source-10)# 10.2.0E or later show monitor session Displays information about a monitoring session. Syntax show monitor session {session-id | all} Parameters ● session-id—Enter the session ID number, from 1 to 18. ● all—View all monitoring sessions.
Example OS10(config)# monitor session 1 OS10(conf-mon-local-1)# no shut OS10(config)# monitor session 5 type rpm-source OS10(conf-mon-rpm-source-5)# no shut OS10(config)# monitor session 10 type erpm-source OS10(conf-mon-erpm-source-10)# no shut Supported Releases 10.2.0E or later source Configures a source for port monitoring. The monitoring session can be: local, RPM, or ERPM.
Command Mode MONITOR-SESSION Usage Information Example Supported Releases OS10(config)# monitor session 10 OS10(conf-mon-erpm-source-10)# source-ip 10.16.132.181 destination-ip 172.16.10.11 gre-protocol 35006 10.4.
13 Layer 3 Bidirectional forwarding detection (BFD) Provides rapid failure detection in links with adjacent routers (see BFD commands). Border Gateway Protocol (BGP) Provides an external gateway protocol that transmits inter-domain routing information within and between autonomous systems (see BGP Commands). Equal Cost Multi- Provides next-hop packet forwarding to a single destination over multiple best paths (see ECMP Path (ECMP) Commands).
1. Enter the ip vrf management command in CONFIGURATION mode. Use Non-Transaction-Based Configuration mode only. Do not use Transaction-Based mode. 2. Add the management interface using the interface management command in VRF CONFIGURATION mode. Configure management VRF OS10(config)# ip vrf management OS10(conf-vrf)# interface management You can enable various services in both management and default VRF instances. The services that are supported in the management and default VRF instances are: Table 68.
The following example shows removing the IP address, configuring the management VRF, and then adding the IP address: OS10(conf-if-ma-1/1/1)# do show version Dell EMC Networking OS10 Enterprise Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved. OS Version: 10.5.2.0 Build Version: 10.5.2.0.
When you create a new non-default VRF instance, OS10 does not assign any interface to it. You can assign the new VRF instance to any of the existing physical or logical interfaces, provided they are not already assigned to another non-default VRF. NOTE: When you create a new logical interface, OS10 assigns it automatically to the default VRF instance. In addition, OS10 initially assigns all physical Layer 3 interfaces to the default VRF instance.
ip address 10.1.1.1/24 4. Assign an IPv6 address to the interface. INTERFACE CONFIGURATION ipv6 address 1::1/64 You can also auto configure an IPv6 address using the ipv6 address autoconfig command. Assign an interface back to the default VRF instance Table 69. Configurations to be deleted CONFIGURATION MODE COMMAND IP address—In interface configuration mode, undo the IP address configuration.
Deleting a non-default VRF instance Before deleting a non-default VRF instance, ensure all the dependencies and associations corresponding to that VRF instance are first deleted or disabled. The following procedure describes how to delete a non-default VRF instance: After deleting all dependencies, you can delete the non-default VRF instances that you have created.
Figure 4. Setup VRF Interfaces Router 1 ip vrf blue ! ip vrf orange ! ip vrf green ! interface ethernet 1/1/1 no shutdown switchport mode trunk switchport access vlan 1 switchport trunk allowed vlan 128,192,256 flowcontrol receive off ! interface ethernet1/1/2 no shutdown no switchport ip vrf forwarding blue ip address 20.0.0.
no switchport ip vrf forwarding orange ip address 30.0.0.1/24 ! interface ethernet1/1/4 no shutdown no switchport ip vrf forwarding green ip address 40.0.0.1/24 ! interface vlan128 mode L3 no shutdown ip vrf forwarding blue ip address 1.0.0.1/24 ! interface vlan192 mode L3 no shutdown ip vrf forwarding orange ip address 2.0.0.1/24 ! ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.1/24 ! ip route vrf green 31.0.0.0/24 3.0.0.
ip vrf forwarding orange ip address 2.0.0.2/24 ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.2/24 ! ip route vrf green 30.0.0.0/24 3.0.0.
Router 2 show command output OS10# show ip vrf VRF-Name blue Interfaces Eth1/1/5 Vlan128 default Mgmt1/1/1 Vlan1,24-25,200 green Eth1/1/7 Vlan256 orange Eth1/1/6 Vlan192 OS10# show ip route vrf blue Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of las
Static route leaking Route leaking enables routes that are configured in a default or non-default VRF instance to be made available to another VRF instance. You can leak routes from a source VRF instance to a destination VRF instance. The routes need to be leaked in both source and destination VRFs to achieve end-to-end traffic flow. If there are any connected routes in the same subnet as statically leaked routes, then the connected routes take precedence.
--------------------------------------------------------------------------------------------------
C 120.0.0.0/24 via 120.0.0.1 ethernet1/1/1 0/0 00:00:57
S 140.0.0.
Figure 5. Route leaking between VRFs with asymmetric IRB routing For VXLAN-related configurations, see Configure VXLAN. To configure route leaking between VRFs with asymmetric IRB routing: VTEP1 1. Configure IP helper address specifying the DHCP server ip address in the client-connected virtual networks with the client-connected VRF name. For IPv6 DHCP helper address, specify the server VRF in the helper-address command.
VTEP2 1. Configure IP helper address specifying the DHCP server ip address in the client-connected virtual networks with the client-connected VRF name. For IPv6 DHCP helper address, specify the server VRF in the helper-address command. VTEP2(config)# interface virtual-network 10 VTEP2(conf-if-vn-10)# ip helper-address 20.1.1.100 vrf GREEN 2. Configure loopback interfaces. Assign the loopback interfaces as source interfaces for the VRF.
Table 70. Unsupported export and import route map attributes Route map option Attribute Protocol set as-path BGP set community BGP set comm-list BGP set tag OSPF set extcommunity BGP set extcomm-list BGP set local-preference BGP set origin BGP set metric-type BGP set weight BGP set route-type local BGP Table 71.
Route selection in the leaked VRF ● If a route is present in the local VRF and the same route is leaked from another VRF, OS10 prefers the route with the lowest administrative distance. ● If a route is present in the local VRF and the same route is leaked from another VRF with the same administrative distance, OS10 prefers the local route. ● When OS10 compares routes that are received from different sources, the software prefers routes with the lowest administrative distance.
OS10(conf-vrf)# ip route-export 2:2 Leak all IPv6 routes from one VRF to another VRF Use the following procedure to export (leak) all IPv6 routes from all routing protocols from one VRF instance to another VRF instance: 1. Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name 2. Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode. ipv6 route-export route-target 3. Enter the VRF instance to which you want to leak routes in CONFIGURATION mode.
Or ipv6 route-export route-target route-map route-map-name Use any of the supported match or set attributes as required. ● Enter the VRF instance to which you want to leak routes in CONFIGURATION mode. ip vrf destination-vrf-name ● Import routes from another VRF instance in VRF-CONFIGURATION mode using the same route target. ip route-import route-target route-map route-map-name Or ipv6 route-import route-target route-map route-map-name Use any of the supported match or set attributes as required.
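The export/import pairing described above can be audited offline from a saved configuration. The following Python sketch is an added example, not part of the Dell guide: it pairs route-export and route-import statements by route target and address family, then reports leaks that carry no route map on either side, leaks that exist in one direction only, and statements with no counterpart. It assumes running-config text with one top-level `ip vrf` stanza per VRF and indented sub-commands; the sample configuration and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in running-config style (assumption: top-level "ip vrf"
# stanzas, indented sub-commands, "!" separators). Not from a real device.
SAMPLE_CONFIG = """\
ip vrf vrf1
 ip route-export 1:1 route-map export_static
 ip route-import 2:2
!
ip vrf vrf2
 ip route-import 1:1
 ip route-export 2:2
!
ip vrf vrf3
 ipv6 route-export 3:3
!
ip vrf vrf4
 ipv6 route-import 3:3 route-map import_ospf
 ip route-import 9:9
!
"""

Stmt = namedtuple("Stmt", "vrf afi direction target route_map")
Edge = namedtuple("Edge", "src dst afi target export_map import_map")

VRF_RE = re.compile(r"^ip vrf (\S+)$")
LEAK_RE = re.compile(
    r"^(ip|ipv6) route-(export|import) (\S+)(?: route-map (\S+))?$"
)


def parse_leak_statements(config_text):
    """Collect route-export/route-import lines together with their VRF."""
    statements, current_vrf = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # Top-level line: opens a VRF stanza or closes the previous one.
            m = VRF_RE.match(line)
            current_vrf = m.group(1) if m else None
            continue
        m = LEAK_RE.match(line)
        if m and current_vrf:
            statements.append(Stmt(current_vrf, *m.groups()))
    return statements


def build_leak_edges(statements):
    """Pair each export with every import of the same target and family."""
    exports = [s for s in statements if s.direction == "export"]
    imports = [s for s in statements if s.direction == "import"]
    edges = []
    for e in exports:
        for i in imports:
            if (e.afi, e.target) == (i.afi, i.target) and e.vrf != i.vrf:
                edges.append(Edge(e.vrf, i.vrf, e.afi, e.target,
                                  e.route_map, i.route_map))
    return edges


def audit(config_text):
    """Return leak edges plus the three review categories."""
    statements = parse_leak_statements(config_text)
    edges = build_leak_edges(statements)
    pairs = {(e.src, e.dst, e.afi) for e in edges}
    matched = {(e.src, e.afi, "export", e.target) for e in edges}
    matched |= {(e.dst, e.afi, "import", e.target) for e in edges}
    return {
        "edges": edges,
        # No route map on export or import: every route is leaked.
        "unfiltered": [e for e in edges
                       if not e.export_map and not e.import_map],
        # No return leak in the same family: traffic cannot flow end to end.
        "one_way": [e for e in edges
                    if (e.dst, e.src, e.afi) not in pairs],
        # Export or import whose route target nobody else uses.
        "dangling": [s for s in statements
                     if (s.vrf, s.afi, s.direction, s.target) not in matched],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name in ("unfiltered", "one_way", "dangling"):
        print(name)
        for item in report[name]:
            print("  ", item)
```

Unfiltered edges are the ones to review first when VRFs are used as an isolation boundary, because every route in the source VRF becomes reachable from the destination VRF.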
OS10(conf-vrf)# ipv6 route-import 1:1 OS10(conf-vrf)# ipv6 route-export 2:2 route-map export_ospf Example - Leak only IPv4 static routes In the following example, a route map exports only the static routes from vrf1 and is received by vrf2.
OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# ip route-export 2:2 route-map export_iBGP Example - Leak only IPv6 iBGP routes In the following example, a route map exports only the iBGP routes from vrf1 and is received by vrf2.
Redistribute leaked routes from one VRF to another VRF Use the following procedure to export (leak) and redistribute specific IPv4 routes from one VRF instance to another VRF instance: ● Create a route map. route-map route-map-name Use any of the supported match or set attributes as required. ● Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name ● Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode.
○ Redistribute leaked EVPN routes in BGP-AF-CONFIGURATION mode. redistribute l2vpn evpn [route-map rmap-name] ○ Use the following command to redistribute leaked routes across routing protocols as available: redistribute {connected | bgp | ospf | static | l2vpn evpn} Use any of the supported match or set attributes as required.
OS10(config)# ip vrf vrf1 OS10(conf-vrf)# ipv6 route-export 1:1 route-map export_iBGP OS10(conf-vrf)# ipv6 route-import 2:2 OS10(conf-vrf)# exit OS10(config)# ip vrf vrf2 OS10(conf-vrf)# ipv6 route-import 1:1 OS10(conf-vrf)# ipv6 route-export 2:2 route-map export_iBGP OS10(config)# router bgp 65000 OS10(config-router-bgp-65000)# vrf vrf2 OS10(config-router-bgp-65000-vrf)# address-family ipv6 unicast OS10(configure-router-bgpv6-vrf-af)# redistribute imported-bgp-routes vrf vrf1 Example - Redistribute leaked
OS10(config)# ip vrf vrf1 OS10(conf-vrf)# ipv6 route-export 1:1 route-map export_EVPN OS10(conf-vrf)# ipv6 route-import 2:2 OS10(conf-vrf)# exit OS10(config)# ipv6 route-import 1:1 OS10(config)# ipv6 route-export 2:2 route-map export_EVPN OS10(config)# router bgp 100 OS10(config-router-bgp-100)# address-family ipv6 unicast OS10(configure-router-bgpv6-af)# redistribute l2vpn evpn Example - Route leaking across VRFs in a VXLAN BGP EVPN symmetric IRB topology The following VXLAN with BGP EVPN example uses a C
The following explains how the network is configured: ● All VTEPs perform symmetric IRB routing. In this example, all spine nodes are in one autonomous system and each VTEP in the leaf network belongs to a different autonomous system. Spine switch 1 is in AS 101. Spine switch 2 is in AS 101. For leaf nodes, VLT domain 1 is in AS 201; VLT domain 2 is in AS 202. VLT domain 2 is a border leaf VTEP.
● On VTEPs 1 and 2, two VRFs are present – VRF-Yellow and VRF-Green. VN10001 is part of VRF-Yellow and VN20001 is part of VRF-Green. ● On VTEPs 3 and 4, three VRFs are present – VRF-Yellow, VRF-Green and VRF-Red. VN10001 is part of VRF-Yellow and VN30001 is part of VRF-Red. VRF-Green does not have local VNs. ● On all VTEPs, symmetric IRB is configured in EVPN mode using a unique, dedicated VXLAN VNI, and Auto RD/RT values for each tenant VRF.
3. Configure EVPN with IP-VRFs.
OS10(config-evpn)# vrf Green OS10(config-evpn-vrf-Green)# advertise ipv4 bgp OS10(config-evpn-vrf-Green)# exit b. If the border-leaf does not get a default route from an external router: Configure a static null default route in each VRF and advertise it using advertise ipv4 static command for each VRF in the EVPN. OS10(config)# ip route vrf Yellow 0.0.0.0/0 interface null 0 OS10(config)# ip route vrf Green 0.0.0.
OS10(config-route-map)# match ip address prefix-list PrefixList_Deny_YellowVrfRoutes OS10(config-route-map)# OS10(config-route-map)# router bgp 202 OS10(config-router-bgp-202)# address-family ipv4 unicast OS10(configure-router-bgpv4-af)# redistribute l2vpn evpn OS10(configure-router-bgpv4-af)# redistribute connected OS10(configure-router-bgpv4-af)# exit OS10(config-router-bgp-202)# neighbor 192.168.2.
4. Configure a border-leaf to advertise the default route into the EVPN in each VRF. From the other VTEPs, any traffic to external network and also to networks which are not within the local VRF reaches the Border-Leaf router using this default route. a. If the border-leaf is already getting a default route from an external router for each VRF: Advertise the BGP route using the advertise ipv4 bgp command for each VRF in the EVPN.
OS10(config)# ip vrf Red OS10(conf-vrf)# ip route-export 3:3 route-map RouteMap_RedVrf_Export OS10(conf-vrf)# ip route-import 1:1 OS10(conf-vrf)# exit 7. (Optional) For advertising leaked routes from the Yellow VRF only to an external router in the default VRF and not to an underlay network, use route-maps on spine facing eBGP neighbors and also on the iBGP neighbor between the VLT peers. OS10(config)# ip prefix-list PrefixList_Deny_YellowVrfRoutes deny 10.1.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is Direct to network 0.0.0.0 Destination Gateway Dist/ Metric Last Change --------------------------------------------------------------------------------------------------------*S 0.0.0.0/0 Direct null0 0/0 00:39:24 C 10.1.0.0/24 via 10.1.0.
B EX 172.16.1.1/32 20/0 00:22:58 B EX 172.16.1.2/32 20/0 00:22:58 B EX 172.16.1.3/32 20/0 00:22:58 B EX 172.16.1.4/32 20/0 00:22:58 B EX 172.16.1.201/32 20/0 00:22:58 B EX 172.16.1.202/32 20/0 00:22:58 B EX 192.168.0.1/32 20/0 00:22:58 B EX 192.168.0.2/32 20/0 00:22:58 B EX 192.168.2.0/31 20/0 00:14:11 B EX 192.168.2.2/31 20/0 00:14:11 B EX 192.168.2.4/31 20/0 00:13:49 B EX 192.168.2.6/31 20/0 00:13:49 B EX 192.168.2.240/31 20/0 00:14:11 via 10.10.0.1 via 10.10.0.2 via 10.10.0.1 via 10.10.0.2 via 10.10.0.
Configure administrative distance for leaked routes 1. Enter the VRF from which you want to leak routes in CONFIGURATION mode. ip vrf source-vrf-name 2. Export all routes that belong to one VRF instance in VRF-CONFIGURATION mode. IPv4: ip route-export route-target route-map route-map-name IPv6: ipv6 route-export route-target route-map route-map-name 3. Create a route-map. route-map rmap-name 4. Change the administrative distance for leaked routes in ROUTE-MAP mode.
Parameters ● management—Enter the keyword management to configure a domain list for the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to configure a domain list for that non-default VRF instance. ● domain-names—Enter the list of domain names. Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the domain list configuration from the management or the non-default VRF instance.
Example OS10(config)# ip vrf vrf-test OS10(conf-vrf-test)# Supported Releases 10.4.1.0 or later ip ftp vrf Configures an FTP client for the management or non-default VRF instance. Syntax ip ftp vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an FTP client on the management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an FTP client on that non-default VRF instance.
ip http vrf Configures an HTTP client for the management or non-default VRF instance. Syntax ip http vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an HTTP client for the management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an HTTP client for that non-default VRF instance.
To filter IPv4 routes imported from across VRFs, use a route map. Use the no form of this command to remove the imported routes. Example OS10(conf-vrf)# ip route-import 1:1 ==> No route-map attached OS10(conf-vrf)# ip route-import 1:1 route-map importOSPFBGProutes Supported Releases 10.4.3.0 or later ip route-export Exports an IPv4 static route from one VRF instance to another.
To filter IPv6 routes imported from across VRFs, use a route map. Use the no form of this command to remove the imported routes. Example OS10(conf-vrf)# ipv6 route-import 1:1 ==> No route-map attached OS10(conf-vrf)# ipv6 route-import 1:1 route-map importOSPFBGProutes Supported Releases 10.4.3.0 or later ipv6 route-export Exports an IPv6 static route from a VRF instance to another VRF instance.
Example OS10(config)# ip scp vrf management OS10(config)# ip scp vrf vrf-blue Supported Releases 10.4.0E(R1) or later ip sftp vrf Configures an SFTP client for the management or non-default VRF instance. Syntax ip sftp vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an SFTP client for a management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an SFTP client for that non-default VRF instance.
Usage Information Enter the ip vrf management command only in non-transaction-based configuration mode. Do not use transaction-based mode. The no version of this command removes the management VRF instance configuration. Example OS10(config)# ip vrf management OS10(conf-vrf)# Supported Releases 10.4.0E(R1) or later match source-protocol Matches the source routing protocol in a route map.
redistribute imported-bgp-routes Redistributes leaked eBGP and iBGP routes from a VRF domain into the BGP session of another VRF domain. Syntax redistribute imported-bgp-routes vrf vrf-name [route-map route-map-name] Parameters ● vrf vrf-name—Enter the VRF instance from which to import routes. ● route-map route-map-name—Enter the route map name to filter the leaked BGP routes.
Usage Information Redistribute leaked routes from all imported VRFs to another VRF with additional filtering using a route map. There is no option to redistribute specific leaked OSPF routes of a VRF.
set distance Sets the administrative distance (AD) for the routes, which are exported from one VRF to another using a route-map. Syntax [no] set distance value Parameters value—Enter a number to assign to routes, from 1 to 255. Default None Command Mode ROUTE-MAP Security and Access netadmin, sysadmin, and secadmin Usage Information Use this command when exporting routes from one VRF to another. The no version of this command deletes the AD configuration. Example
show ip vrf Displays the VRF instance information. Syntax show ip vrf [management | vrf-name] Parameters ● management—Enter the keyword management to display information corresponding to the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to display information corresponding to that VRF instance.
BFD is a simple hello mechanism. Two neighboring routers running BFD establish a session using a three-way handshake. After the session is established, the routers exchange periodic control packets at subsecond intervals. If a router does not receive a hello packet within the specified time, routing protocols are notified that the forwarding path is down. In addition, BFD sends a control packet when there is a state change or change in a session parameter.
NOTE: BFD sessions flap when the node has multiple unresolved IPv6 PTP slaves and hence Dell EMC recommends running one of the protocols in the node. This issue exists only with the IPv6 slaves. BFD three-way handshake A BFD session requires a three-way handshake between neighboring routers. In the following example, the handshake assumes: ● One router is active, and the other router is passive. ● This is the first session established on this link. ● The default session state on both ports is Down. 1.
BFD configuration Before you configure BFD for a routing protocol, first enable BFD globally on both routers in the link. BFD is disabled by default. ● OS10 does not support Demand mode, authentication, and Echo function. ● OS10 does not support BFD on multihop and virtual links. ● OS10 supports protocol liveness only for routing protocols. ● OS10 BFD is supported in default and nondefault VRF for the following protocols: Static route (v4 and v6), OSPFv2, OSPFv3, BGPv4, and BGPv6.
● multiplier number — Enter the number of consecutive packets that must not be received from a BFD peer before the session state changes to Down, from 3 to 50. The default is 3. ● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time. Enter passive if the router does not initiate BFD sessions, and only responds to a request from an active BFD to initialize a session. The default is active. 2. Enable BFD globally in CONFIGURATION mode.
When you configure a BFD session with a BGP neighbor, you can: ● Establish a BFD session with a specified BGP neighbor using the neighbor ip-address and bfd commands. ● Establish BFD sessions with all neighbors discovered by BGP using the bfd all-neighbors command. For example: Router 1 OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 2.2.4.
Configure BFD for BGP OS10 supports BFD sessions with IPv4 or IPv6 BGP neighbors using the default and nondefault VRF. When you configure BFD for BGP, you can enable BFD sessions with all BGP neighbors that BGP discovered or with a specified neighbor. 1. Configure BFD session parameters and enable BFD globally on all interfaces in CONFIGURATION mode as described in Configure BFD globally. bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive} bfd enable 2.
OS10(config-router-bgp-4)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active BFD for BGP single-neighbor configuration OS10(conf)# bfd interval 200 min_rx 200 multiplier 6 role active OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 150.150.1.
Last read 00:24:31 seconds Hold time is 180, keepalive interval is 60 seconds Configured hold time is 180, keepalive interval is 60 seconds Fall-over disabled Neighbor is using Global level BFD Configuration Received 784 messages 1 opens, 0 notifications, 0 updates 783 keepalives, 0 route refresh requests Sent 780 messages 2 opens, 0 notifications, 0 updates 778 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Ca
CONFIGURATION Mode 2. Enter ROUTER-OSPF mode router ospf ospf-instance CONFIGURATION Mode 3. Establish sessions with all OSPFv2 neighbors. bfd all-neighbors ROUTER-OSPF Mode 4. Enter INTERFACE CONFIGURATION mode. interface interface-name CONFIGURATION Mode 5. Establish BFD sessions with OSPFv2 neighbors corresponding to a single OSPF interface.
ip vrf forwarding red ip address 30.1.1.1/24 ip ospf 200 area 0.0.0.0 ! router ospf 200 vrf red bfd all-neighbors log-adjacency-changes router-id 2.3.3.1 ! In this example OSPF is enabled in non-default VRF red. BFD is enabled globally at the router OSPF level and all the interfaces associated with this VRF OSPF instance inherit the global BFD configuration. However, this global BFD configuration does not apply to interfaces in which the interface level BFD configuration is already present.
1. Enable BFD Globally. 2. Establish sessions with OSPFv3 neighbors. Establishing BFD sessions with OSPFv3 neighbors To establish BFD sessions with OSPFv3 neighbors: 1. Enable BFD globally bfd enable CONFIGURATION Mode 2. Enter ROUTER-OSPF mode router ospfv3 ospfv3-instance CONFIGURATION 3. Establish sessions with all OSPFv3 neighbors. bfd all-neighbors ROUTER-OSPFv3 Mode 4. Enter INTERFACE CONFIGURATION mode. interface interface-name CONFIGURATION Mode 5.
Changing OSPFv3 session parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
3. Configure BFD for static route using the ip route bfd command. Establishing BFD Sessions for IPv4 Static Routes Sessions are established for all neighbors that are the next hop of a static route. To establish a BFD session, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route.
Establishing BFD Sessions for IPv6 Static Routes To establish a BFD session for IPv6 static routes, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route. ipv6 route bfd [interval interval min_rx min_rx multiplier value role {active | passive}] CONFIGURATION Mode Enter the time interval for sending and receiving BFD control packets from 50 to 1000.
The following example enables BFD for specific static routes on a nondefault VRF: OS10(config)#ip route vrf LAN2 10.2.2.0/24 10.1.1.
OS10(config-router-neighbor)# bfd OS10(config-router-neighbor)# no shutdown OS10(config)# router bgp 300 OS10(config-router-bgp-300)# template ebgppg OS10(config-router-template)# bfd OS10(config-router-template)# exit OS10(config-router-bgp-300)# neighbor 3.1.1.1 OS10(config-router-neighbor)# inherit template ebgppg OS10(config-router-neighbor)# no shutdown Supported releases 10.4.1.
Parameters None Default Not configured Command Mode ROUTER-NEIGHBOR Usage Information Use the neighbor ip-address command in ROUTER-BGP mode to specify a neighbor. Use the bfd disable command to disable BFD sessions with the neighbor. Example OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 10.1.1.1 OS10(config-router-neighbor)# bfd disable Supported releases 10.4.1.0 or later bfd enable Enables BFD on all interfaces on the switch.
command. The no version of this command deletes the configured global settings and returns to the default values. If you enable BFD on a specific static route, use the bfd interval command to configure the BFD parameters for that specific static route. Example OS10(config)# bfd interval 250 min_rx 300 multiplier 4 role passive Supported releases 10.4.1.0 or later ip ospf bfd all-neighbors Enables and configures the default BFD parameters for all OSPFv2 neighbors in this interface.
● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 100 to 1000. Dell EMC recommends using more than 100 milliseconds. ● multiplier number — Enter the maximum number of consecutive packets that must not be received from a BFD peer before the session state changes to Down, from 3 to 50. ● role {active | passive} — Enter active if the router initiates BFD sessions. Both BFD peers can be active at the same time.
Supported releases 10.4.2E or later ipv6 route bfd Enables or disables BFD on IPv6 static routes. Syntax ipv6 route [vrf vrf-name] bfd [interval millisec min_rx min_rx multiplier role {active | passive}] Parameters ● vrf vrf-name — Enter the keyword VRF and then the name of the VRF to configure static route in that VRF. ● interval milliseconds — Enter the time interval for sending control packets to BFD peers, from 50 to 1000.
Example OS10# show bfd neighbors
* - Active session role
---------------------------------------------------------------------------------
LocalAddr RemoteAddr Interface State RxInt TxInt Mult VRF Cli
---------------------------------------------------------------------------------
* 100.100.1.1 100.100.1.2 ethernet1/1/26:1 up 200 200 3 red osp
* 100.100.3.1 100.100.3.2 ethernet1/1/26:3 up 200 200 3 default osp
* 200.1.1.2 200.1.1.1 vlan102 up 200 200 3 black bgp
* 200.1.5.2 200.1.5.
Border Gateway Protocol Border Gateway Protocol (BGP) is an interautonomous system routing protocol that transmits interdomain routing information within and between autonomous systems (AS). BGP exchanges network reachability information with other BGP systems. BGP adds reliability to network connections by using multiple paths from one router to another. Unlike most routing protocols, BGP uses TCP as its transport protocol.
● By default, routes that are learned on multiple paths to eBGP peers are advertised to IBGP peers with the next-hop local IP address. This behavior allows for local repair of atomic failure of any external peers. ● Fast external failover is enabled by default. To disable or re-enable fast external failover, use the [no] fast-external-fallover command.
● 0.0.0.0/8 ● 127.0.0.0/8 ● 224.0.0.0/4 ● ::/128 ● FF00::/8 ● FE80::/16 ● ::0002 - ::FFFF - all prefixes Route reflectors Route reflectors (RRs) reorganize the IBGP core into a hierarchy and allow route advertisement rules. Route reflection divides IBGP peers into two groups — client peers and nonclient peers.
Multiprotocol BGPv6 supports many of the same features and functionality as BGPv4. IPv6 enhancements to MBGP include support for an IPv6 address family and Network Layer Reachability Information (NLRI) and next hop attributes that use the IPv6 addresses. Attributes Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
● Configure the IBGP multipath or EBGP multipath using the maximum-path command. ● The paths being compared were received from the same AS with the same number of AS in the AS Path but with different next-hops. ● The paths were received from IBGP or EBGP neighbor, respectively. 8. If you enable the bgp bestpath router-id ignore command and: ● If the Router-ID is the same for multiple paths because the routes were received from the same route—skip this step.
One AS assigns the MED a value. Another AS uses that value to decide the preferred path. Assume that the MED is the only attribute applied and there are two connections between AS 100 and AS 200. Each connection is a BGP session. AS 200 sets the MED for its Link 1 exit point to 100 and the MED for its Link 2 exit point to 50. This sets up a path preference through Link 2. The MEDs advertise to AS 100 routers so they know which is the preferred path. MEDs are nontransitive attributes.
Best path selection Best path selection selects the best route out of all paths available for each destination, and records each selected route in the IP routing table for traffic forwarding. Only valid routes are considered for best path selection. BGP compares all paths, in the order in which they arrive, and selects the best paths. Paths for active routes are grouped in ascending order according to their neighboring external AS number.
Advertise cost As the default process for redistributed routes, OS10 supports IGP cost as MED. Both autosummarization and synchronization are disabled by default. BGPv4 and BGPv6 support ● Deterministic MED, default ● A path with a missing MED is treated as worst path and assigned an 0xffffffff MED value. ● Delayed configuration at system boot—OS10 reads the entire configuration file BEFORE sending messages to start BGP peer sessions.
Router A, Router B, and Router C belong to AS 100, 200, and 300, respectively. Router A acquired Router B — Router B has Router C as its client. When Router B is migrating to Router A, it must maintain the connection with Router C without immediately updating Router C’s configuration. Local-AS allows Router B to appear as if it still belongs to Router B’s old network, AS 200, to communicate with Router C.
Enable BGP Before enabling BGP, assign a BGP router ID to the switch using the following command: ● In the ROUTER BGP mode, enter the router-id ip-address command, where ip-address is the IP address corresponding to a configured L3 interface (physical, loopback, or LAG). BGP is disabled by default. The system supports one AS number — you must assign an AS number to your device. To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer.
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 5.1.1.2 4294967295 0 0 0 0 0 00:00:00 Active For the router ID, the system selects the first configured IP address or a random number. To view the status of BGP neighbors, use the show ip bgp neighbors command. For BGP neighbor configuration information, use the show running-config bgp command. The example shows two neighbors — one is an external BGP neighbor; and the other is an internal BGP neighbor.
4. Add a remote AS in ROUTER-NEIGHBOR mode, from 1 to 65535 for 2-byte or 1 to 4294967295 for 4-byte. remote-as as-number 5. Enable the BGP neighbor in ROUTER-NEIGHBOR mode. no shutdown 6. (Optional) Add a description text for the neighbor in ROUTER-NEIGHBOR mode. description text To reset the configuration when you change the configuration of a BGP neighbor, use the clear ip bgp * command. To view the BGP status, use the show ip bgp summary command.
4. Enable BGP on the device. router bgp as-number 5. Enter an unnumbered neighbor in ROUTER-BGP mode. neighbor interface interface-type interface interface-type — (Optional) Enter one of the following interface types: ● ethernet node/slot/port[:subport] — Display Ethernet interface information. ● port-channel id-number — Display port channel interface IDs, from 1 to 128. ● vlan vlan-id — Display the VLAN interface number, from 1 to 4093. 6. Enable the BGP neighbor in ROUTER-NEIGHBOR mode.
4_OCTET_AS(65) Extended Next Hop Encoding (5)
Capabilities advertised to neighbor for IPv4 Unicast:
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) Extended Next Hop Encoding (5)
Prefixes accepted 0, Prefixes advertised 0
Connections established 1; dropped 0
Last reset never
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
Local host: fe80::76e6:e2ff:fef5:b281, Local port: 45
Configure an auto-unnumbered neighbor
To configure an auto-unnumbered neighbor:
1. Configure minimum and maximum RA intervals in CONFIGURATION mode.
ipv6 nd min-ra-interval interval
ipv6 nd max-ra-interval interval
2. Configure physical or port-channel interfaces as Layer 3 interfaces in INTERFACE mode.
interface range ethernet 1/1/1-1/1/4
no shutdown
no switchport
3. Enable RAs on the interfaces in INTERFACE mode.
ipv6 nd send-ra
4.
Router A configuration
1. Configure recommended RA timers globally for fast convergence in CONFIGURATION mode.
OS10-A(config)# ipv6 nd min-ra-interval 3
OS10-A(config)# ipv6 nd max-ra-interval 4
2. Make the required interfaces in CONFIGURATION mode and convert them to Layer 3 routing interfaces.
OS10-A(config)# interface range ethernet 1/1/1-1/1/4
OS10-A(conf-range-eth1/1/1-1/1/4)# no shutdown
OS10-A(conf-range-eth1/1/1-1/1/4)# no switchport
3.
3. Enable RA transmission on all the interfaces in the range in INTERFACE mode.
OS10-B(conf-range-eth1/1/1-1/1/8)# ipv6 nd send-ra
4. Configure the interfaces as BGP auto-unnumbered interfaces in INTERFACE mode.
OS10-B(conf-range-eth1/1/1-1/1/4)# ipv6 bgp unnumbered ebgp-template
OS10-B(conf-range-eth1/1/5-1/1/8)# ipv6 bgp unnumbered ibgp-template
5. Create BGP instance in CONFIGURATION mode.
OS10-B(config)# router bgp 100
6. Create a template and assign necessary parameters in ROUTER-BGP mode.
7. Configure the BGP auto-unnumbered neighbor in ROUTER-BGP mode.
OS10-C(config-router-bgp-100)# neighbor unnumbered-auto
OS10-C(config-router-neighbor)# no shutdown
8. Configure the peer group template that the neighbors use to inherit peer-group configuration in ROUTER-NEIGHBOR mode. This template is applied only to the auto-unnumbered interfaces configured with the ipv6 bgp unnumbered command.
OS10-C(config-router-neighbor)# inherit ibgp-template int-bgp
9.
2. Use one of the following commands to enter the respective ADDRESS-FAMILY mode from ROUTER-BGP mode: IPv4: address-family ipv4 unicast IPv6: address-family ipv6 unicast 3. Change the administrative distance for BGP from the respective ADDRESS-FAMILY mode.
7. (Optional) Add a remote neighbor, and enter the AS number in ROUTER-TEMPLATE mode.
remote-as as-number
● To add an EBGP neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command.
● To add an IBGP neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command.
NOTE: When you configure an unnumbered interface, do not configure the remote AS number.
8.
100.5.1.1
100.6.1.1
OS10# show ip bgp peer-group bg1
Peer-group bg1, remote AS 0
BGP version 4
Minimum time between advertisement runs is 30 seconds
For address family: Unicast
BGP neighbor is bg1, peer-group external
Update packing has 4_OCTET_AS support enabled
Number of peers in this group 2
Peer-group members:
40.1.1.2
ethernet 1/1/1
OS10# show ip bgp peer-group leaf_v4 summary
BGP router identifier 100.0.0.8 local AS number 64601
Neighbor AS MsgRcvd MsgSent Up/Down
100.5.1.1 64802 376 325 04:28:25
100.
1. Enable BGP, and assign the AS number to the local BGP speaker in CONFIGURATION mode, from 1 to 65535 for 2 bytes, 1 to 4294967295 | 0.1 to 65535.65535 for 4 bytes, or 0.1 to 65535.65535, in dotted format.
router bgp as-number
2. Enter CONFIG-ROUTER-VRF mode to create a peer template for the nondefault VRF instance that you create.
vrf vrf-name
3. Create a peer template by assigning a neighborhood name to it in CONFIG-ROUTER-VRF mode.
template template-name
4.
Neighbor fall-over The BGP neighbor fall-over feature reduces the convergence time while maintaining stability. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. When remote or peer local addresses become unreachable, BGP brings the session down with the peer. For example, if no active route exists in the routing table for peer IPv6 destinations/local address, BGP brings the session down. By default, the hold time governs a BGP session.
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
For address family: IPv6 Unicast
Allow local AS number 0 times in AS-PATH attribute
Local host: 3.1.1.3, Local port: 58633
Foreign host: 3.1.1.1, Foreign port: 179
Verify neighbor fall-over on peer-group
OS10# show running-configuration
!
router bgp 102
!
address-family ipv4 unicast
aggregate-address 6.1.0.0/16
!
neighbor 40.1.1.
Peer 1 in ROUTER-TEMPLATE mode
OS10# configure terminal
OS10(config)# interface ethernet 1/1/5
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# ip address 11.1.1.1/24
OS10(conf-if-eth1/1/5)# router bgp 10
OS10(config-router-bgp-10)# template pass
OS10(config-router-template)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d
OS10(config-router-template)# exit
OS10(config-router-bgp-10)# neighbor 11.1.1.
remote-as 20
no shutdown
OS10(config-router-neighbor)# do show running-configuration bgp
!
router bgp 20
neighbor 11.1.1.2
password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d
remote-as 20
no shutdown
Fast external fallover
Fast external fallover terminates EBGP sessions of any directly adjacent peer if the link used to reach the peer goes down. BGP does not wait for the hold-down timer to expire. Fast external fallover is enabled by default.
!
address-family ipv6 unicast
activate
OS10(config-router-bgp-300)#
OS10(conf-if-eth1/1/1)# do clear ip bgp *
OS10# show ip bgp summary
BGP router identifier 11.11.11.11 local AS number 300
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
-----------------------------------------------------------------
3.1.1.1 100 7 4 00:00:08 3
3::1 100 9 5 00:00:08 4
OS10#
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# shutdown
OS10(conf-if-eth1/1/1)# do show ip bgp summary
BGP router identifier 11.11.11.
OS10(conf-router-template)# remote-as 100
OS10(conf-router-template)# listen 32.1.0.0/8 limit 10
Local AS
During BGP network migration, you can maintain existing AS numbers. After the migration, reconfigure your routers with the new information and disable this feature. Network migration is not supported on passive peer templates. You must configure peer templates before assigning them to an AS.
AS number limit
Sets the number of times an AS number occurs in an AS path. The allow-as parameter permits a BGP speaker to allow the AS number for a configured number of times in the updates received from the peer. An AS-PATH loop is detected if the local AS number is present more than the number of times configured in the command.
1. Enter the neighbor IP address to use the AS path in ROUTER-BGP mode.
neighbor ip address
2. Enter Address Family mode in ROUTER-NEIGHBOR mode.
r - redistributed/network, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>I 55::/64 172:16:1::2 0 0 0 100 200 300 400 i
*>I 55:0:0:1::/64 172:16:1::2 0 0 0 100 200 300 400 i
*>I 55:0:0:2::/64 172:16:1::2 0 0 0 100 200 300 400 i
Redistribute routes
Add routes from other routing instances or protocols to the BGP process. You can include OSPF, static, or directly connected routes in the BGP process with the redistribute command.
Redistribute active and inactive IPv4 OSPF routes into BGP
OS10# configure terminal
OS10(config)# route-map redis-inactive-routes
OS10(config-route-map)# match inactive-path-additive
OS10(config-route-map)# exit
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgpv4-af)# redistribute ospf 10 route-map redis-inactive-routes
Redistribute active and inactive IPv6 L2 VPN EVPN routes into BGP
OS10# configure terminal
OS10(config)# route-map redis-inacti
● confed—Selects the best path MED comparison of paths learned from BGP confederations.
● missing-as-best—Treats a path missing an MED as the most preferred one.
● missing-as-worst—Treats a path missing an MED as the least preferred one.
Modify MED attributes
OS10(config)# router bgp 100
OS10(conf-router-bgp-100)# always-compare-med
OS10(conf-router-bgp-100)# bestpath med confed
Local preference attribute
You can change the value of the LOCAL_PREFERENCE attributes for all routes the router receives.
View route-map
OS10(conf-route-map)# do show route-map
route-map bgproutemap, permit, sequence 1
Match clauses:
Set clauses:
local-preference 500
metric 400
origin incomplete
Weight attribute
You can influence the BGP routing based on the weight value. Routes with a higher weight value have preference when multiple routes to the same destination exist.
1. Assign a weight to the neighbor connection in ROUTER-BGP mode.
neighbor {ip-address}
2.
Route-map filters
Filtering routes allows you to implement BGP policies. Use route-maps to control which routes the BGP neighbor or peer group accepts and advertises.
1. Enter the neighbor IP address to filter routes in ROUTER-BGP mode.
neighbor ipv4-address
2. Enter Address Family mode in ROUTER-NEIGHBOR mode.
address-family {[ipv4 | ipv6] [unicast]}
3. Create a route-map and assign filtering criteria in ROUTER-BGP-NEIGHBOR-AF mode, then return to CONFIG-ROUTER-BGP mode.
4. Assign a peer group template as part of the route-reflector cluster in ROUTER-BGP mode.
template template-name
5. Configure the template as the route-reflector client in ROUTER-TEMPLATE mode.
route-reflector-client
When you enable a route reflector, the system automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in ROUTER-BGP mode.
Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, Dell EMC recommends BGP confederations only for IBGP peering involving many IBGP peering sessions per router. When you configure BGP confederations, you break the AS into smaller sub-ASs. To devices outside your network, the confederations appear as one AS.
History entry: Entry that stores information about a downed route.
Dampened path: Path that is no longer advertised.
Penalized path: Path that is assigned a penalty.
1. Enable route dampening in ROUTER-BGP mode.
dampening [half-life | reuse | max-suppress-time]
● half-life — Number of minutes after which the penalty decreases (1 to 45, default 15). After the router assigns a penalty of 1024 to a route, the penalty decreases by half after the half-life period expires.
Timers
To adjust the routing timers for all neighbors, configure the timer values using the timers command. If the peers negotiate with different keepalive and hold time values, the final hold time value is the lowest value received. The new keepalive value is one-third of the accepted hold time value.
● Configure timer values for all neighbors in ROUTER-NEIGHBOR mode.
4. Clear all information or only specific details in EXEC mode.
clear ip bgp {neighbor-address | * | interface interface-type} [soft in]
● * — Clears all peers.
● neighbor-address — Clears the neighbor with this IP address.
● interface interface-type — Clears an unnumbered neighbor.
Soft-reconfiguration of IPv4 neighbor
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# soft-reconfiguration inbound
OS10(conf-router-bgp-neighbor-af)# end
OS10# clear ip bgp 10.2.1.
OS10(config-router-bgp-100-vrf)# address-family ipv4 unicast
OS10(configure-router-bgpv4-vrf-af)# bgp redistribute-internal
OS10(config)# router ospf 20 vrf dell
OS10(config-router-ospf-20)# redistribute bgp 100
View BGP routes information
Use the following commands to view all BGP routes that match any of the community filters for a default or nondefault VRF instance.
● View BGP routes that match a standard community number.
4. Configure soft-reconfiguration inbound for IPv6 AFI.
OS10(config-router-template)# address-family ipv6 unicast
OS10(config-router-bgp-template-af)# soft-reconfiguration inbound
5. Configure next-hop-self for IPv6 AFI.
OS10(config-router-template)# address-family ipv6 unicast
OS10(config-router-bgp-template-af)# next-hop-self
6. Apply the template to the BGP peers.
OS10(config-router-bgp-100)# neighbor 1.1.1.
1. Configure a VLAN interface on which the BGP session has to be formed with VLT peers.
Spine1(config)# interface vlan101
Spine1(conf-if-vl-101)# ip address 10.0.1.1/29
Spine1(conf-if-vl-101)# mtu 9216
Spine1(conf-if-vl-101)# exit
2. Configure port channel interfaces between Spine and VLT peers. Add it as part of the created VLAN.
Leaf1(config)# interface ethernet1/1/1
Leaf1(conf-if-eth1/1/1)# channel-group 1 mode active
Leaf1(conf-if-eth1/1/1)# exit
4. Configure VLT port-channels with ToR 1 and ToR 2.
Leaf2(conf-if-vl-201)# mtu 9216
Leaf2(conf-if-vl-201)# exit
Leaf2(config)# interface vlan301
Leaf2(conf-if-vl-301)# ip address 10.0.3.2/29
Leaf2(conf-if-vl-301)# mtu 9216
Leaf2(conf-if-vl-301)# exit
3. Configure VLT port-channel with Spine 1.
ToR1(conf-if-vl-201)# mtu 9216
ToR1(conf-if-vl-201)# exit
2. Configure a port channel interface between ToR1 and VLT peers. Add it as part of the above created VLAN.
ToR2(conf-if-vl-2001)# ip address 172.16.2.1/24
ToR2(conf-if-vl-2001)# exit
ToR2(config)# interface ethernet1/1/3
ToR2(conf-if-eth1/1/3)# mtu 9216
ToR2(conf-if-eth1/1/3)# switchport mode trunk
ToR2(conf-if-eth1/1/3)# switchport trunk allowed vlan 3001
ToR2(conf-if-eth1/1/3)# exit
4. Configure the iBGP neighbor with VLT peers and advertise the host subnet.
ToR2(config)# router bgp 65201
ToR2(config-router-bgp-65201)# router-id 10.3.1.
1. Configure an IP address on leaf-facing interfaces.
2. Configure BGP neighbors. This example uses passive peering which simplifies neighbor configuration.
Spine2(config)# router bgp 65101
Spine2(config-router-bgp-65101)# router-id 10.0.0.2
Spine2(config-router-bgp-65101)# template passive_v4_pod1
Spine2(config-router-template)# remote-as 65201
Spine2(config-router-template)# listen 10.2.1.
2. Configure an IP address on ToR-facing interfaces.
Leaf2(config)# interface ethernet1/1/3
Leaf2(conf-if-eth1/1/1)# description Leaf2-ToR1
Leaf2(conf-if-eth1/1/1)# no switchport
Leaf2(conf-if-eth1/1/1)# mtu 9216
Leaf2(conf-if-eth1/1/1)# ip address 10.4.1.0/31
Leaf2(conf-if-eth1/1/1)# exit
3. Configure BGP neighbors.
Leaf2(config)# router bgp 65201
Leaf2(config-router-bgp-65201)# router-id 10.0.1.2
Leaf2(config-router-bgp-65201)# neighbor 10.1.1.
1. Configure an IP address on spine-facing interfaces. Leaf4(config)# interface Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(conf-if-eth1/1/1)# Leaf4(config)# interface Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# Leaf4(conf-if-eth1/1/2)# ethernet1/1/1 description Leaf4-Spine1 no switchport mtu 9216 ip address 10.1.2.
3. Configure BGP neighbors, and advertise the host subnet.
ToR1(config)# router bgp 65301
ToR1(config-router-bgp-65301)# router-id 10.0.2.1
ToR1(config-router-bgp-65301)# address-family ipv4 unicast
ToR1(configure-router-bgpv4-af)# network 172.16.1.0/24
ToR1(configure-router-bgpv4-af)# exit
ToR1(config-router-bgp-65301)# neighbor 10.3.1.0
ToR1(config-router-neighbor)# remote-as 65201
ToR1(config-router-neighbor)# no shutdown
ToR1(config-router-neighbor)# exit
ToR1(config-router-bgp-65301)# neighbor 10.4.1.
BGP commands
activate
Enables the neighbor or peer group to be the current address-family identifier (AFI).
Syntax activate
Parameters None
Default Not configured
Command Mode ROUTER-BGP-NEIGHBOR-AF
Usage Information This command exchanges IPv4 or IPv6 address family information with an IPv4, IPv6, and L2VPN neighbor. IPv4 unicast address family is enabled by default. To activate IPv6 address family for IPv6 neighbor, use the activate command.
For BGP Unnumbered peers,
MAA-S4048T-X01-7445(config-router-bgp-200)# template abc
MAA-S4048T-X01-7445(config-router-template)# address-family ipv4 unicast
MAA-S4048T-X01-7445(config-router-bgp-template-af)# add-path both 4
MAA-S4048T-X01-7445(config-router-bgp-200)# neighbor interface ethernet 1/1/20
MAA-S4048T-X01-7445(config-router-neighbor)# inherit template abc inherit-type ibgp
% Error: Add-path not supported over unnumbered peer
Supported Releases 10.5.2.
Example (IPv4 Unicast)
OS10(config)# router bgp 3
OS10(conf-router-bgp-3)# address-family ipv4 unicast
OS10(conf-router-bgpv4-af)#
Example (IPv6 Unicast)
OS10(config)# router bgp 4
OS10(conf-router-bgp-4)# address-family ipv6 unicast
OS10(conf-router-bgpv6-af)#
Supported Releases 10.3.0E or later
advertisement-interval
Sets the minimum time interval for advertisement between the BGP neighbors or within a BGP peer group.
● summary-only — (Optional) Filters more specific routes from updates.
● advertise-map map-name — (Optional) Enter the map name to advertise.
● attribute-map route-map-name — (Optional) Enter the route-map name to set aggregate attributes.
● suppress-map route-map-name — (Optional) Enter the route-map name to conditionally filter specific routes from updates.
Usage Information After you use this command, use the clear ip bgp * and clear ip bgp vrf vrf-name commands to recompute the best path for default and nondefault VRF BGP instances, respectively. The no version of this command resets the value to the default.
NOTE: To configure these settings for a nondefault VRF instance, first enter the ROUTER-CONFIG-VRF sub mode using the following commands:
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2.
bestpath as-path
Configures the AS path selection criteria for best path computation.
Syntax bestpath as-path {ignore | multipath-relax}
Parameters
● ignore — Enter to ignore the AS PATH in BGP best path calculations.
● multipath-relax — Enter to include prefixes received from different AS paths during multipath calculation.
Default Enabled
Command Mode ROUTER-BGP
Usage Information To enable load-balancing across different EBGP peers, configure the multipath-relax option.
Parameters ignore — Enter to ignore AS path for best-path computation. Default Enabled Command Mode ROUTER-BGP Usage Information If you do not receive the same router ID for multiple paths, select the path that you received first. If you received the same router ID for multiple paths, ignore the path information. The no version of this command resets the value to the default.
Parameters None Default Not configured Command Mode ROUTER-BGP Usage Information When an IGP protocol such as OSPF is configured to redistribute BGP, by default, only the eBGP routes are redistributed. You can use this command to enable redistribution of iBGP routes in addition to external BGP (eBGP) routes. This configuration is applicable only for IPv4 unicast and IPv6 unicast address family modes, and it is not applicable for L2 VPN EVPN address family.
clear ip bgp *
Resets BGP sessions. The soft parameter, BGP soft reconfiguration, clears policies without resetting the TCP connection.
Syntax clear ip bgp * [soft in]
Parameters
● * — Enter to clear all BGP sessions.
● soft — (Optional) Enter to configure and activate policies without resetting the BGP TCP session — BGP soft reconfiguration.
● in — (Optional) Enter to activate only ingress (inbound) policies.
Command Mode EXEC
Usage Information None
Example (All Prefixes)
OS10# clear ip bgp flap-statistics
Example (IPv4)
OS10# clear ip bgp 1.1.15.4 flap-statistics
Example (Given Prefix)
OS10# clear ip bgp flap-statistics 1.1.15.0/24
Supported Releases 10.3.0E or later
connection-retry-timer
Configures the timer to retry the connection to BGP neighbor or peer group.
Syntax connection-retry-timer retry-timer-value
Parameters retry-timer-value — Enter the time interval in seconds, ranging from 10 to 65535.
NOTE: To configure these settings for a nondefault VRF instance, you must first enter the ROUTER-CONFIG-VRF sub mode using the following commands:
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example (Identifier)
OS10(conf-router-bgp-2)# confederation identifier 1
Example (Peers)
OS10(conf-router-bgp-2)# confederation peers 2
Supported Releases 10.3.
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# cluster-id 3.3.3.3
Supported Releases 10.3.0E or later
debug ip bgp
Enables Border Gateway Protocol (BGP) debugging and displays messages related to processing of BGP.
default-metric Assigns a default-metric of redistributed routes to locally originated routes. Syntax default-metric number Parameters number — Enter a number as the metric to assign to routes from other protocols, from 1 to 4294967295. Default Disabled Command Mode ROUTER-BGP Usage Information Assigns a metric for locally-originated routes such as redistributed routes. After you redistribute routes in BGP, use this command to reset the metric value — the new metric does not immediately take effect.
● local-distance—Enter a number to assign to routes learned from networks listed in the network command, from 1 to 255.
Defaults
● external-distance—20
● internal-distance—200
● local-distance—200
Command Modes
● CONFIG-ROUTER-BGP-ADDRESS-FAMILY
● CONFIG-ROUTER-BGP-VRF-ADDRESS-FAMILY
Usage Information This command configures the administrative distance for eBGP, iBGP, and local BGP routes.
Example
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# distribute-list inbgg in
OS10(conf-router-template)# address-family ipv4 unicast
OS10(conf-router-bgp-template-af)# distribute-list outbgg out
Supported Releases 10.4.1.0 or later
bgp default local-preference
Changes the default local preference value for routes exchanged between internal BGP peers.
Usage Information To verify statistics of routes rejected, use the show ip bgp neighbors command. If routes are rejected, the session is reset. In the event of a failure, the existing BGP sessions flap. For updates received from EBGP peers, BGP ensures that the first AS of the first AS segment is always the AS of the peer, otherwise the update drops and the counter increments. The no version of this command turns off the default.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# fast-external-fallover
Supported Releases 10.3.0E or later
graceful-restart
Enables graceful or hitless restart and configures the required parameters for the restart process.
Example (Nondefault VRF)
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# vrf red
OS10(config-router-bgp-100-vrf)# no ibgp-ecmp-next-hop-self
Supported Releases 10.5.2.3 or later
inherit
Configures a peer group template name that the auto-unnumbered interfaces use to inherit peer-group configuration.
Syntax inherit {ibgp-template | ebgp-template} template-name
Parameters
● ebgp-template—Enter an external BGP template to establish a BGP neighborship through this interface.
OS10(conf-if-eth1/1/1)# exit
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor interface ethernet 1/1/1
OS10(config-router-neighbor)# inherit template Group inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
Supported Releases 10.2.0E or later
ipv6 bgp unnumbered
Configures an interface to be a BGP auto-unnumbered interface.
Example
OS10(conf-router-template)# listen 1.1.0.0/16 limit 4
Supported Releases 10.2.0E or later
local-as
Configures a local AS number for a peer.
Syntax local-as as-number [no-prepend] [replace-as]
Parameters
● as-number—Enter the local AS number, from 1 to 4294967295.
● no-prepend—(Optional) Enter so that local AS values are not prepended to the AS_PATH attribute.
● replace-as—(Optional) Enter so that globally configured AS values are not prepended to the AS_PATH attribute.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# log-neighbor-changes
Supported Releases 10.3.0E or later
maximum-paths
Configures the maximum number of equal-cost paths for load sharing.
Syntax maximum-paths [ebgp number | ibgp number] maxpaths
Parameters
● ebgp—Enable multipath support for external BGP routes.
● ibgp—Enable multipath support for internal BGP routes.
● number—Enter the number of parallel paths, from 1 to 64.
Example
MAA-S4048T-X01-7445(config-router-template)# address-family ipv4 unicast
MAA-S4048T-X01-7445(config-router-bgp-template-af)# maximum-prefix 10 50 warning-only
MAA-S4048T-X01-7445(config-router-template)# address-family ipv6 unicast
MAA-S4048T-X01-7445(config-router-bgp-template-af)# maximum-prefix 20 100
Supported Releases 10.5.2.1 or later
neighbor
Creates a remote IP or unnumbered peer and enters Neighbor Configuration mode.
OS10(config)# ipv6 nd min-ra-interval 3
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ipv6 nd send-ra
OS10(conf-if-eth1/1/1)# ipv6 bgp unnumbered ebgp-template
OS10(conf-if-eth1/1/1)# exit
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor unnumbered-auto
OS10(config-router-neighbor)# no shutdown
Supported Releases 10.3.
Supported Releases 10.5.2.1 or later
non-deterministic-med
Compares paths in the order they arrive.
Syntax non-deterministic-med
Parameters None
Default Disabled
Command Mode ROUTER-BGP
Usage Information Paths compare in the order they arrive. OS10 uses this method to choose different best paths from a set of paths, depending on the order they are received from the neighbors. MED may or may not be compared between adjacent paths.
password
Configures a password for message digest 5 (MD5) authentication on the TCP connection between two neighbors.
Syntax password {9 encrypted password-string | password-string}
Parameters
● 9 encrypted password-string—Enter 9 then the encrypted password.
● password-string—Enter a password for authentication. A maximum of 128 characters.
Default Disabled
Command Mode ROUTER-NEIGHBOR ROUTER-TEMPLATE
Usage Information You can enter the password either as plain text or in encrypted format.
Example
Example (OSPF — IPv6)
OS10(conf-router-bgp-102)# address-family ipv6 unicast
OS10(conf-router-bgpv6-af)# redistribute ospf 1
Supported Releases 10.2.0E or later
remote-as
Adds a remote AS to the specified BGP neighbor or peer group.
Syntax remote-as as-number
Parameters as-number — Specify AS number ranging from 1 to 65535 for 2 byte or 1 to 4294967295 for 4 byte.
● out— attaches the route-map as the outbound policy
Defaults None
Command Modes ROUTER-BGP-TEMPLATE-AF
Usage Information The no version of this command deletes the route-map.
Example
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-bgp-neighbor-af)# route-map bgproutemap in
OS10(conf-router-template)# address-family ipv4 unicast
OS10(conf-router-bgp-template-af)# route-map bgproutemap in
Supported Releases 10.4.1.
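The password, maximum-prefix, route-map and distribute-list commands documented in this reference are the per-neighbor controls that protect a BGP session, so a configuration review usually checks that every enabled neighbor has them, either directly or through an inherited template. The following Python sketch is an added example, not part of the Dell EMC guide: it audits configuration text laid out like show running-configuration bgp output, and the sample configuration, its indentation, and the finding names are assumptions constructed for illustration.

```python
import re

# Constructed sample laid out like `show running-configuration bgp` output.
# The indentation, names, and password values are assumptions for this example.
SAMPLE_CONFIG = """\
!
router bgp 65201
 router-id 10.0.1.2
 !
 address-family ipv4 unicast
  redistribute connected
 !
 template spine_v4
  password 9 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  !
  address-family ipv4 unicast
   maximum-prefix 1000 80 warning-only
   route-map spine-in in
 !
 neighbor 10.1.1.0
  inherit template spine_v4
  remote-as 65101
  no shutdown
 !
 neighbor 10.3.1.1
  remote-as 65301
  password constructed-cleartext
  no shutdown
 !
 neighbor 10.4.1.1
  remote-as 65301
  shutdown
"""

# The three inherit forms that appear in this guide.
INHERIT = re.compile(r"inherit (?:template|ibgp-template|ebgp-template) (\S+)")
INBOUND_FILTER = re.compile(r"(?:route-map|distribute-list) \S+ in")


def parse_bgp(config_text):
    """Return (neighbors, templates), each mapping a name to its statements.

    Nesting is inferred from indentation; address-family sub-blocks are
    flattened into the neighbor or template that contains them.
    """
    blocks = {"neighbor": {}, "template": {}}
    current, depth = None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if current is not None and indent <= depth:
            current = None  # left the neighbor/template block
        if current is None:
            kind, _, name = line.partition(" ")
            if kind in blocks and name:
                current = blocks[kind].setdefault(name, [])
                depth = indent
            continue
        current.append(line)
    return blocks["neighbor"], blocks["template"]


def audit(config_text):
    """Map each enabled neighbor to a list of missing or weak controls."""
    neighbors, templates = parse_bgp(config_text)
    report = {}
    for name, own in neighbors.items():
        if "no shutdown" not in own:
            continue  # the session is not enabled, nothing is exposed
        effective = list(own)
        for stmt in own:
            match = INHERIT.match(stmt)
            if match:
                effective += templates.get(match.group(1), [])
        findings = []
        passwords = [s for s in effective if s.startswith("password ")]
        if not passwords:
            findings.append("no-md5-password")
        elif any(not s.startswith("password 9 ") for s in passwords):
            # Plain-text form, e.g. in a staged or version-controlled config.
            findings.append("plaintext-password")
        if not any(s.startswith("maximum-prefix ") for s in effective):
            findings.append("no-maximum-prefix")
        if not any(INBOUND_FILTER.fullmatch(s) for s in effective):
            findings.append("no-inbound-filter")
        report[name] = findings
    return report


if __name__ == "__main__":
    for neighbor, findings in audit(SAMPLE_CONFIG).items():
        print(neighbor, findings or "ok")
```
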
router-id Assigns a user-given ID to a BGP router. Syntax router-id ip-address Parameters ip-address — Enter an IP address in dotted decimal format. Default First configured IP address or random number Command Mode ROUTER-BGP Usage Information Change the router ID of a BGP router to reset peer-sessions. The no version of this command resets the value to the default. By default, OS10 sets a loopback IP address as the router ID.
Usage Information Example (IPv4) Example (IPv6) Supported Releases This command helps detect routing loops, based on the AS path before it starts advertising routes. To configure a neighbor to accept routes use the neighbor allowas-in command. The no version of this command disables sender-side loop detection for that neighbor. OS10(conf-router-bgp-102)# neighbor 3.3.3.
The following displays the next hop as an unnumbered neighbor with ethernet1/1/1 as the connected interface.
OS10# show ip bgp
BGP local RIB : Routes to be Added , Replaced , Withdrawn
BGP local router ID is 14.233.209.106
Status codes: s suppressed, S stale, d dampened, h history, * valid, > best
Path source: I - internal, a - aggregate, c - confed-external, r - redistributed/network, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>r 31.1.1.0/24 0.0.0.
*>r 10.1.1.0/24 0.0.0.0 0 100 32768 ?
*>r 30.1.1.0/24 0.0.0.0 0 100 32768 ?
Supported Releases 10.5.2.1 or later
show ip bgp community-list
Displays the BGP routes that match any of the standard community numbers from a standard community list.
Syntax show ip bgp [vrf vrf-name] [{ipv4 | ipv6} unicast] [community-list community-list-name]
Parameters
● vrf vrf-name—(Optional) Enter the name of the VRF to view routes that are related to a specific community list corresponding to that VRF.
Example
OS10# show ip bgp dampened-paths
BGP local router ID is 80.1.1.1
Status codes: s suppressed, S stale, d dampened, h history, * valid, > best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network From Reuse Path
d* 3.1.2.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.3.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.4.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.5.0/24 80.1.1.2 00:00:12 800 9 8 i
d* 3.1.6.0/24 80.1.1.2 00:00:12 800 9 8 i
Total number of prefixes: 5
Supported Releases 10.3.
Parameters
● vrf vrf-name—(Optional) Enter the keyword vrf and then the name of the VRF to view route information that matches the filter lists corresponding to that VRF. If the VRF name is not specified, this command displays BGP routes for default VRF.
● ipv4 unicast—(Optional) Displays information that is related only to IPv4 unicast routes.
● ipv6 unicast—(Optional) Displays information that is related only to IPv6 unicast routes.
*> 3.1.6.0/24 80.1.1.2 1 00:00:11 00:00:00 800 9 8 i
Total number of prefixes: 5
Supported Releases 10.3.0E or later
show ip bgp ipv4 unicast
Displays route information for BGP IPv4 routes.
*> 31.1.1.0/24 0 fe80::3617:ebff:fefd:dc5e 10 0 100
OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 received-routes
BGP local router ID is 40.1.1.2
Status codes: D denied
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 41.1.1.0/24 fe80::3617:ebff:fef1:dc5e 0 0 10 0
OS10# show ip bgp ipv4 unicast neighbors interface ethernet 1/1/1 denied-routes
BGP local router ID is 40.1.1.
● interface interface-type — Displays BGP information that is learned through an unnumbered neighbor.
● summary — Displays IPv6 unicast summary information.
● advertised-routes — Displays the routes that are advertised to a neighbor.
● dampened-paths — Displays the suppressed routes that are received from a neighbor.
● flap-statistics — Displays the flap statistics of the route that are received from a neighbor.
● received-routes — Displays the routes that are received from a neighbor.
Summary information for unnumbered neighbors:
OS10# show ip bgp ipv6 unicast summary
BGP router identifier 89.101.17.125 local AS number 100
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
ethernet1/1/1 200 19 19 00:15:34 0
OS10# show ip bgp ipv6 unicast
BGP local RIB : Routes to be Added , Replaced , Withdrawn
BGP local router ID is 14.233.209.
● Sent messages — Displays the number of BGP messages sent, the number of notifications or error messages, and the number of messages waiting in a queue for processing.
● Description — Displays the descriptive name that is configured for the BGP neighbor. This field is displayed only when the description is configured.
● Local host — Displays the peering address of the local router and the TCP port number.
● Foreign host — Displays the peering address of the neighbor and the TCP port number.
Next hop set to self
Soft-reconfiguration inbound configured
Allow local AS number 0 times in AS-PATH attribute
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
For address family: IPv6 Unicast
Max prefix set to 20 with threshold 10 warning only
Next hop set to self
Soft-reconfiguration inbound configured
Allow local AS number 0 times in AS-PATH attribute
Local host: 1.1.1.
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
For address family: IPv6 Unicast
Next hop set to self
Allow local AS number 0 times in AS-PATH attribute
Route map for incoming advertisements is filter_ipv6_intf_in
Route map for outgoing advertisements is filter_ipv6_intf_out
Prefixes ignored due to:
Martian address 0, Our own AS in AS-PATH 0
Invalid Nexthop 0, Invalid AS-PATH length 0
Wellknown community 0, Locally originated 0
Local host: fe80::250:56ff:fe80:8d56, Lo
Status codes: D denied
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Path
D 55::/64 172:16:1::2 0 0 100 200 300 400i
D 55:0:0:1::/64 172:16:1::2 0 0 100 200 300 400i
D 55:0:0:2::/64 172:16:1::2 0 0 100 200 300 400i
Total number of prefixes: 3
OS10#
Example routes
Example unnumbered neighbors
OS10# show ip bgp ipv6 unicast neighbors 172:16:1::2 routes
BGP local router ID is 100.1.1.
Local host: fe80::76e6:e2ff:fef5:b281, Local port: 45926
Foreign host: fe80::76e6:e2ff:fef6:b81, Foreign port: 179
Example advertised-routes from unnumbered neighbors
Example received-routes from unnumbered neighbors
Example routes from unnumbered neighbors
Example denied-routes from unnumbered neighbors
Example Global AS
OS10# show ip bgp neighbors interface ethernet 1/1/1 advertised-routes
BGP local router ID is 40.1.1.
Default Not configured
Command Mode EXEC
Usage Information
● Peer-group — Displays the peer group name. Minimum time displays the time interval between BGP advertisements.
● Administratively shut — Displays the status of the peer group if you do not enable the peer group. If you enable the peer group, this line does not display.
● BGP version — Displays the BGP version supported.
● Description — Displays the descriptive name that is configured for the BGP peer template.
40.1.1.2
ethernet 1/1/1
OS10# show ip bgp peer-group bg1 summary
BGP router identifier 14.233.209.106 local AS number 10
Neighbor AS MsgRcvd MsgSent Up/Down State/Pfx
40.1.1.2 20 15 19 00:00:32 0
ethernet 1/1/1 20 15 19 00:00:32 0
Supported Releases 10.2.0E or later
show ip bgp summary
Displays the status of all BGP connections.
Supported Releases 10.2.0E or later
show ip route
Displays information about IPv4 BGP routing table entries.
Syntax show ip route [vrf vrf-name] bgp
Parameters
● vrf vrf-name — Enter vrf and then the name of the VRF to view information that is exchanged between BGP neighbors corresponding to that VRF.
Default Not configured
Command Mode EXEC
Usage Information This command displays information about IPv4 BGP routing table entries.
Usage Information This command displays information about IPv6 BGP routing table entries.
Example
NOTE: Only the system administrator (sysadmin) role is allowed to manage this configuration.
NOTE: Before applying the soft-reconfiguration, you must clear all the BGP configurations at the VRF level. You must also clear the BGP configurations at the template level using the clear ip bgp template command.
Example OS10(conf-router-bgp)# timers 30 90
Supported Releases 10.3.0E or later
update-source
Enables using Loopback interfaces for TCP connections to stabilize BGP sessions.
Syntax update-source loopback interface-id
Parameters loopback interface-id — Specify a Loopback interface ID, from 0 to 16383.
Usage Information The path with the highest weight value is preferred in the best-path selection process. The no version of this command resets the value to the default.
Example OS10(conf-router-bgp-neighbor)# weight 4096
Supported Releases 10.3.0E or later
Equal cost multi-path
ECMP is a routing technique where next-hop packet forwarding to a single destination occurs over multiple best paths. When you enable ECMP, OS10 uses a hash algorithm to determine the next-hop.
IPV4 Load Balancing : Enabled
IPV6 Load Balancing : Enabled
MAC Load Balancing : Enabled
TCP-UDP Load Balancing : Enabled
Ingress Port Load Balancing : Enabled
IPV4 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port
IPV6 FIELDS : source-ip destination-ip protocol vlan-id l4-destination-port l4-source-port
MAC FIELDS : source-mac destination-mac ethertype vlan-id
TCP-UDP FIELDS: l4-destination-port l4-source-port
Configuration notes
Dell EMC PowerSwitch S4200–ON Series: The l
Examples
Normal traffic flow without resilient hashing
Traffic flow with resilient hashing enabled
When you enable resilient hashing for ECMP groups, the flow-map table is created with 64 paths (the OS10 default maximum number of ECMP paths) and traffic is equally distributed. In the following example, traffic 1 maps to next hop 'A'; traffic 2 maps to next hop 'C'; and traffic 3 maps to next hop 'B.
Member link is added
However, when a new member link is added, resilient hashing completes minimal remapping for better load balancing, as shown:
Important notes
● Resilient hashing on port channels applies only for unicast traffic.
● For resilient hashing on ECMP groups, the ECMP path must be in multiples of 64. Before you enable resilient hashing, ensure that the maximum ECMP path is set to a multiple of 64. You can configure this value using the ip ecmp-group maximum-paths command.
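The following Python model is an added illustration, not code from the guide or from OS10: it contrasts plain hash-modulo next-hop selection with a fixed 64-slot flow-map table when a member goes down or is added. The FlowMap class, the CRC32 stand-in for the switch hash, the slot-reassignment rules and the sample flows are assumptions made for the example.

```python
import zlib

SLOTS = 64  # flow-map size; the text gives 64 as the OS10 default maximum ECMP paths


def flow_hash(flow):
    """Stable hash over the flow fields (CRC32 is a stand-in for the switch hash)."""
    return zlib.crc32("|".join(str(field) for field in flow).encode())


def modulo_pick(flow, members):
    """Non-resilient selection: hash modulo the current number of next hops."""
    return members[flow_hash(flow) % len(members)]


class FlowMap:
    """Fixed-size flow-map table (hypothetical model): each slot points at a next hop."""

    def __init__(self, members):
        self.table = [members[i % len(members)] for i in range(SLOTS)]

    def pick(self, flow):
        return self.table[flow_hash(flow) % SLOTS]

    def load(self):
        """Number of slots owned by each next hop."""
        return {m: self.table.count(m) for m in sorted(set(self.table))}

    def remove(self, dead):
        """Member down: rewrite only the slots that pointed at the failed member."""
        survivors = [m for m in self.load() if m != dead]
        if not survivors:
            raise ValueError("cannot remove the last next hop")
        for slot, owner in enumerate(self.table):
            if owner == dead:
                # Hand the slot to the currently least-loaded survivor.
                self.table[slot] = min(
                    survivors, key=lambda m: (self.table.count(m), m))

    def add(self, new):
        """Member added: move just enough slots to give it an equal share."""
        donors = list(self.load())
        if new in donors:
            raise ValueError("next hop already present")
        for _ in range(SLOTS // (len(donors) + 1)):
            donor = max(donors, key=lambda m: (self.table.count(m), m))
            self.table[self.table.index(donor)] = new


def sample_flows(count):
    """Constructed flows: source-ip, destination-ip, protocol, L4 source and destination port."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 6, 1024 + i, 443)
            for i in range(count)]


def moved(before, after):
    """Flows whose next hop changed between two snapshots."""
    return [f for f in before if before[f] != after[f]]


def compare(count=2000):
    """Remove next hop 'B' and count remapped flows under both schemes."""
    flows = sample_flows(count)
    hops = ["A", "B", "C", "D"]
    left = [h for h in hops if h != "B"]
    plain = moved({f: modulo_pick(f, hops) for f in flows},
                  {f: modulo_pick(f, left) for f in flows})
    fmap = FlowMap(hops)
    before = {f: fmap.pick(f) for f in flows}
    fmap.remove("B")
    after = {f: fmap.pick(f) for f in flows}
    resilient = moved(before, after)
    return {
        "modulo_moved": len(plain),
        "resilient_moved": len(resilient),
        "only_failed_member_moved": all(before[f] == "B" for f in resilient),
    }


if __name__ == "__main__":
    print(compare())
```

In the model, flows that were not on the failed member keep their next hop, which is the property that keeps stateful devices behind the ECMP group from seeing unrelated flows move.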
Maximum ECMP groups and paths
The maximum number of ECMP groups supported on the switch depends on the maximum ECMP paths configured on the switch. To view the maximum number of ECMP groups and paths, use the show ip ecmp-group details command.
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
The default value for the maximum number of ECMP paths per group is 64.
● lag—Enables the LAG hash configuration for Layer 2 (L2) only.
● seed—Changes the hash algorithm seed value to get a better hash value.
● seed-value—Enter a hash algorithm seed value, from 0 to 4294967295.
● crc—Enables the cyclic redundancy check (CRC) polynomial for hash computation.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command disables the configuration.
Example OS10(config)# link-bundle-utilization trigger-threshold 80
Supported Releases 10.2.0E or later
load-balancing
Distributes or load balances incoming traffic using the default parameters in the hash algorithm.
Example (IP Selection) OS10(config)# load-balancing ip-selection destination-ip source-ip
Supported Releases 10.2.0E or later
show enhanced-hashing resilient-hashing
Displays the status of the enhanced-hashing command.
Syntax show enhanced-hashing resilient-hashing {lag | ecmp}
Parameters lag | ecmp—Enter the keyword to view enhanced-hashing for a port channel or ECMP group.
Command Mode EXEC
Usage Information None
Example
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
Supported Releases 10.4.3.0 or later
show load-balance
Displays the global traffic load-balance configuration.
1. Enter the interface type information to assign an IP address in CONFIGURATION mode.
interface interface
● ethernet—Physical interface
● port-channel—Port-channel ID number
● vlan—VLAN ID number
● loopback—Loopback interface ID
● mgmt—Management interface
2. Enable the interface in INTERFACE mode.
no shutdown
3. Remove the interface from the default VLAN in INTERFACE mode.
no switchport
4. Configure a primary IP address and mask on the interface in INTERFACE mode.
Configure static routing
You can configure a manual or static route for open shortest path first (OSPF).
● Configure a static route in CONFIGURATION mode.
ip route ip-prefix/mask {next-hop | interface interface [route-preference]}
○ ip-prefix—IPv4 address in dotted decimal in A.B.C.D format.
○ mask—Mask in slash prefix-length format (/X).
○ next-hop—Next-hop IP address in dotted decimal in A.B.C.D format.
These entries do not age, and you can only remove them manually. To remove a static ARP entry, use the no arp ipaddress command.
Configure static ARP entries
OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32
View ARP entries
OS10# show ip arp interface ethernet 1/1/6
Address Hardware address Interface Egress Interface
-------------------------------------------------------------
10.1.1.
● A.B.C.D/mask —Specify the IP route to remove from the IP routing table. This option refreshes all the routes in the routing table. Traffic flow is affected only for the specified route in the switch.
Default Not configured
Command Mode EXEC
Usage Information This command does not remove the static routes from the routing table.
Example OS10# clear ipv6 route 10.1.1.0/24
Supported Releases 10.3.0E or later
ip address
Configure the IP address to an interface.
Default Not configured
Command Mode INTERFACE
Usage Information Do not use Class D (multicast) or Class E (reserved) IP addresses. Zero MAC addresses (00:00:00:00:00:00) are invalid. The no version of this command disables the IP ARP configuration.
Example OS10(conf-if-eth1/1/6)# ip arp 10.1.1.5 08:00:20:b7:bd:32
Supported Releases 10.2.0E or later
ip arp gratuitous
Enables an interface to receive or send gratuitous ARP requests and updates.
Parameters
● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure a static route corresponding to that VRF. Use this VRF option after the ip route keyword to configure a static route on that specific VRF.
● dest-ip-prefix — Enter the destination IP prefix in dotted decimal A.B.C.D format.
● mask — Enter the mask in slash prefix-length /x format.
● next-hop — Enter the next-hop IP address in dotted decimal A.B.C.D format.
1.1.1.2 1.1.1.3 1.1.1.5 1.1.1.6 Example (IP Address) 00:00:00:00:00:02 00:00:00:00:00:03 00:00:00:00:00:05 00:00:00:00:00:06 vlan100 vlan100 vlan100 vlan100 ethernet1/1/12 ethernet1/1/13 port-channel1000 port-channel1000 pv 10 pv 20 pv 10 OS10# show ip arp 192.168.2.2 Address Hardware address Interface Egress Interface -------------------------------------------------------------------192.168.2.
Command Mode EXEC
Usage Information None
Example
OS10# show ip route
Codes: C - connected
S - static
B - BGP, IN - internal BGP, EX - external BGP
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2, > - non-active route
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
-----------------------------------------------------------------
C 10.1.1.0/24 via 10.1.1.
● IPv6 stateless auto-configuration is disabled by default, except on the management interface. To enable autoconfiguration, use the ipv6 address autoconfig command in Interface mode. Autoconfiguration acquires a global IPv6 address using the network prefix in Router Advertisements. When IPv6 auto-configuration is enabled, IPv6 forwarding is disabled on the interface. To disable auto-configuration, use the no ipv6 address autoconfig command. IPv6 forwarding remains enabled.
IPv6 128-bit addresses are represented as a series of eight 16-bit hexadecimal fields separated by colons: x:x:x:x:x:x:x:x.
2001:0db8:0000:0000:0000:0000:1428:57a
Leading zeros in each field are optional.
Configure IPv6 address
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address 2001:dddd:0eee::4/64
Configure network prefix
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address 2001:FF21:1:1::/64 eui64
Configure link-local address
OS10(config)# interface ethernet 1/1/8
OS10(conf-if-eth1/1/8)# ipv6 address FE80::1/64 link-local
Stateless autoconfiguration
When an interface comes up, OS10 uses stateless autoconfiguration to generate a unique link-local IPv6 address
ICMPv6 RA messages are sent on a maximum of 256 interfaces. If the number of interfaces exceeds this limit, the following error message appears in the system log: sendmsg: No buffer space available. ICMPv6 RA messages are not sent beyond 256 interfaces.
Prerequisites
To enable RA messages, the switch must be in Router mode with IPv6 forwarding enabled and stateless autoconfiguration disabled using the no ipv6 address autoconfig command.
Enable router advertisement messages
1.
Configure neighbor discovery
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ipv6 nd mtu 1500
OS10(conf-if-eth1/1/1)# ipv6 nd send-ra
Configure advertised IPv6 prefixes
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ipv6 nd prefix default lifetime infinite infinite
OS10(conf-if-eth1/1/1)# ipv6 nd prefix 2002::/64
Duplicate address discovery
To determine if an IPv6 unicast address is unique before assigning it to an interface, an OS10 switch sends a neighbor solicitation messa
Configure IPv6 static routing and view configuration
OS10(config)# ipv6 route 2111:dddd:0eee::22/128 2001:db86:0fff::2
OS10(config)# do show ipv6 route static
Codes: C - connected
S - static
B - BGP, IN - internal BGP, EX - external BGP
O - OSPF,IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2, > - non-active route
Gateway of last resort is not set
Destination Gateway Dist/Metric Last Change
---------------------------
View IPv6 information To view IPv6 configuration information, use the show ipv6 route command. To view IPv6 address information, use the show address ipv6 command.
1. Enable IPv6 RA guard.
OS10(config)# ipv6 nd ra-guard enable
2. Create an IPv6 RA guard policy.
OS10(config)# ipv6 nd ra-guard policy ra-guard-test-policy
3. Configure the device role to apply the IPv6 RA guard policy to an interface.
OS10(conf-ra_guard_policy_list)# device-role router
4. If this command is set to off, the system verifies the advertised managed configuration parameter is set to off in the RA packet and the other way round. If this flag is set to off, OS10 skips the validation process.
12. Configure the lifetime of the router.
OS10(conf-ra_guard_policy_list)# router-lifetime 100
13. Apply the policy to an interface.
● If you configure the device role as a router, OS10 examines all the RA packets against the other policy parameters.
The no form of this command removes the configuration.
Examples
OS10(conf-ra_guard_policy_list)# device-role router
OS10(conf-ra_guard_policy_list)# device-role host
Supported Releases 10.5.2.0 or later
ipv6 nd ra-guard attach-policy
Applies the RA guard policy to a specific interface.
Syntax ipv6 nd ra-guard attach-policy policy-name vlan {all | vlan-id-1, vlan-id-2...
Parameters None
Default Disabled
Command Mode CONFIGURATION
Usage Information This command allows you to configure the IPv6 RA guard feature. The no form of this command disables IPv6 RA guard.
Example OS10(config)# ipv6 nd ra-guard enable
Supported Releases 10.5.2.0 or later
ipv6 nd ra-guard logging enable
Enables console logging for RA guard violation.
mtu
Verifies the configured maximum transmission unit (MTU) value in the received RA packets.
Syntax mtu value
Parameters value—MTU value in bytes, from 1280 to 11982 bytes.
Default None
Command Mode RA GUARD POLICY LIST CONFIGURATION
Usage Information The no form of this command removes the configuration.
Example OS10(conf-ra_guard_policy_list)# mtu 1280
Supported Releases 10.5.2.0 or later
managed-config-flag
Verifies the advertised managed configuration parameter.
NOTE: If you have configured the policy using the match ra command, but not configured the access lists or ACLs, the system bypasses the verification process. Generic ACL behavior applies when the policy is attached to an interface.
The no form of this command removes the configuration.
Example OS10(conf-ra_guard_policy_list)# match ra ipv6-access-list test_access_list
Supported Releases 10.5.2.0 or later
other-config-flag
Verifies the other advertised configuration parameter.
Command Mode RA GUARD POLICY LIST CONFIGURATION
Usage Information The no form of this command removes the configuration.
Example OS10(conf-ra_guard_policy_list)# retrans-timer 100
Supported Releases 10.5.2.0 or later
router-lifetime
Verifies the configured router lifetime value in the received RA packets.
Syntax router-lifetime value
Parameters value—Enter the router lifetime in seconds, from 0 to 9000.
● Hop limit
● MTU
● Other configuration parameter flag
● Reachability time
● Retransmission timer value
● Router preference value
Example
OS10(conf-ra_guard_policy_list)# show config
!
ipv6 nd ra-guard policy test
 device-role router
 hop-limit maximum 254
 mtu 1280
 other-config-flag on
 reachable-time 100
 retrans-timer 100
 router-preference maximum medium
Supported Releases 10.5.2.
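The sketch below is an added example, not OS10 code and not part of the guide: it decodes the ICMPv6 Router Advertisement fields that the policy keywords above refer to and checks two constructed RAs against the example policy. The comparison rules are assumptions (maximum keywords are upper bounds, the other keywords must match exactly, device-role host rejects every RA), and all function names and sample packets are hypothetical.

```python
import struct

PREF_BITS = {0b00: "medium", 0b01: "high", 0b11: "low"}  # RFC 4191 Prf field
PREF_RANK = {"low": 0, "medium": 1, "high": 2}

# Policy text as printed by "show config" in the guide's example.
POLICY_TEXT = """\
ipv6 nd ra-guard policy test
 device-role router
 hop-limit maximum 254
 mtu 1280
 other-config-flag on
 reachable-time 100
 retrans-timer 100
 router-preference maximum medium
"""


def parse_policy(text):
    """Turn policy lines into {keyword: value}; 'maximum' stays part of the key."""
    policy = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] == "!":
            continue
        if words[:4] == ["ipv6", "nd", "ra-guard", "policy"] and len(words) == 5:
            policy["name"] = words[4]
        elif words[1] == "maximum" and len(words) == 3:
            policy[f"{words[0]} maximum"] = words[2]
        else:
            policy[words[0]] = words[1]
    return policy


def parse_ra(icmp):
    """Decode the RA header fields and the MTU option from an ICMPv6 message."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", icmp[4:16])
    ra = {
        "hop_limit": hop,
        "managed": bool(flags & 0x80),   # M flag
        "other": bool(flags & 0x40),     # O flag
        # The reserved value 0b10 is treated as medium, as RFC 4191 requires.
        "preference": PREF_BITS.get((flags >> 3) & 0x3, "medium"),
        "router_lifetime": lifetime,
        "reachable_time": reachable,
        "retrans_timer": retrans,
        "mtu": None,
    }
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed neighbor discovery option")
        if opt_type == 5 and opt_len == 8:  # MTU option
            ra["mtu"] = struct.unpack("!I", icmp[pos + 4:pos + 8])[0]
        pos += opt_len
    return ra


def make_ra(hop, flags, lifetime, reachable, retrans, mtu=None):
    """Build a constructed RA (checksum left at 0; it is not verified here)."""
    msg = struct.pack("!BBHBBHII", 134, 0, 0, hop, flags, lifetime, reachable, retrans)
    if mtu is not None:
        msg += struct.pack("!BBHI", 5, 1, 0, mtu)
    return msg


def violations(policy, ra):
    """Return the policy keywords the RA fails; an empty list means allowed."""
    if policy.get("device-role") == "host":
        return ["device-role"]  # assumption: a host-facing port accepts no RAs
    checks = {
        "hop-limit maximum": lambda v: ra["hop_limit"] <= int(v),
        "mtu": lambda v: ra["mtu"] == int(v),
        "managed-config-flag": lambda v: ra["managed"] == (v == "on"),
        "other-config-flag": lambda v: ra["other"] == (v == "on"),
        "reachable-time": lambda v: ra["reachable_time"] == int(v),
        "retrans-timer": lambda v: ra["retrans_timer"] == int(v),
        "router-lifetime": lambda v: ra["router_lifetime"] == int(v),
        "router-preference maximum":
            lambda v: PREF_RANK[ra["preference"]] <= PREF_RANK[v],
    }
    return [key for key, ok in checks.items() if key in policy and not ok(policy[key])]


# Constructed sample packets: one that satisfies the policy, one that does not.
GOOD_RA = make_ra(64, 0x40, 1800, 100, 100, mtu=1280)
ROGUE_RA = make_ra(255, 0x80 | 0x08, 9000, 0, 0, mtu=1500)

if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for name, packet in (("good", GOOD_RA), ("rogue", ROGUE_RA)):
        print(name, violations(policy, parse_ra(packet)) or "allowed")
```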
ethernet1/1/4 vlan1 0 0
OS10# show ipv6 nd ra-guard statistics interface ethernet 1/1/3
Interface Vlan Pkts allowed Pkts dropped
---------------------------------------------------------------------
ethernet1/1/3 vlan10 0 4095
Supported Releases 10.5.2.0 or later
show ipv6 nd ra-guard violation-details
Displays the violation details of RA guard in the device.
IPv6 commands
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache or neighbors of a specific interface. Static entries are not removed.
Syntax clear ipv6 neighbors [vrf vrf-name] [ipv6-address | interface | virtual-network vn-id | all]
Parameters
● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to clear the neighbor corresponding to that VRF. If you do not specify this option, the neighbors in the default VRF clear.
ipv6 address
Configures a global unicast IPv6 address on an interface.
Syntax ipv6 address ipv6-address/prefix-length
Parameters ipv6-address/prefix-length — Enter a full 128-bit IPv6 address with the network prefix length, including the 64-bit interface identifier.
Defaults None
Command Mode INTERFACE
Usage Information An interface can have multiple IPv6 addresses.
Command Mode INTERFACE
Usage Information The no version of this command disables DHCP operations on the interface.
NOTE: Dell EMC Networking does not recommend configuring both a static IPv6 address and DHCPv6 on the same interface.
Example
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# ipv6 address dhcp
Supported Releases 10.3.0E or later
ipv6 enable
Enables and disables IPv6 forwarding on an interface configured with an IPv6 address.
ipv6 address link-local
Configures a link-local IPv6 address on the interface to use instead of the link-local address that is automatically configured with stateless autoconfiguration.
Syntax ipv6 address ipv6-prefix link-local
Parameters ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format.
Defaults None
Command Mode INTERFACE
Usage Information
● An interface can have only one link-local address.
Usage Information Example: Disable DAD Example: Enable DAD on link-local address Supported Releases ● An OS10 switch sends a neighbor solicitation message to determine if an autoconfigured IPv6 unicast link-local address is unique before assigning it to an interface. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the link-local address does not configure. Other IPv6 addresses are still active on the interface.
ipv6 nd max-ra-interval
Sets the maximum time interval between sending RA messages.
Syntax ipv6 nd max-ra-interval seconds
Parameters
● max-ra-interval seconds—Enter a time interval in seconds, from 4 to 1800.
Defaults 600 seconds
Command Mode
● CONFIGURATION
● INTERFACE
Usage Information If you are configuring auto-unnumbered BGP neighbors, use this command in CONFIGURATION mode. Dell EMC Networking recommends that you configure the maximum RA timer to four seconds for auto-unnumbered BGP neighbors.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd other-config-flag
Supported Releases 10.4.0E(R1) or later
ipv6 nd prefix
Configures the IPv6 prefixes that are included in messages to neighboring IPv6 routers.
Advertise prefix for which there is no interface address
OS10(conf-if-eth1/1/1)# ipv6 nd prefix 2001:0db8:3000::/64 no-autoconfig
Supported Releases 10.4.0E(R1) or later
ipv6 nd ra-lifetime
Sets the lifetime of the default router in RA messages.
Syntax ipv6 nd ra-lifetime seconds
Parameters
● ra-lifetime seconds — Enter a lifetime value in milliseconds, from 0 to 9000 milliseconds.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd retrans-timer 1000
Supported Releases 10.4.0E(R1) or later
ipv6 nd send-ra
Enables sending ICMPv6 RA messages.
Syntax ipv6 nd send-ra
Parameters None
Defaults RA messages are disabled.
Command Mode INTERFACE
Usage Information
● Using ICMPv6 RA messages, the Neighbor Discovery Protocol (NDP) advertises the IPv6 addresses of IPv6-enabled interfaces and learns of any address changes in IPv6 neighbors.
Example
OS10(config)# ipv6 route 2111:dddd:0eee::22/128 2001:db86:0fff::2
OS10(config)# ipv6 route 2111:dddd:0eee::22/128 interface null 0
The following is a sample configuration for enabling BFD on a specific IPv6 static route:
OS10(config)# ipv6 route 2111:dddd:0eee::22/128 2001:db86:0fff::2 bfd
Supported Releases 10.2.0E or later
ipv6 routing-header-type0 deny
Configures IPv6 routing header Type 0 packet handling in hardware (fast-path) and kernel (slow-path).
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 unreachables
Supported Releases 10.4.0E(R1) or later
show ipv6 neighbors
Displays IPv6 discovery information. Entering the command without options shows all IPv6 neighbor addresses stored on the control processor (CP).
Syntax show ipv6 neighbors [vrf vrf-name] [ipv6-address| interface interface]
Parameters
● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to display the neighbors corresponding to that VRF.
Default Not configured Command Mode EXEC Usage Information None Example (All) Example (Connected) Example (Summary) Supported Releases OS10# show ipv6 route all Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF,IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ---------------
Interface admin/ IPV6 Address/ IPv6 Oper
Name protocol Link-Local Address Status
============================================================
Management 1/1/1 up/up fe80::20c:29ff:fe54:c852/64 Enabled
Vlan 1 up/up fe80::20c:29ff:fe54:c8bc/64 Enabled
Ethernet 1/1/2 up/up fe80::20c:29ff:fe54:c853/64 100::1/64 1001:1:1:1:20c:29ff:fe54:c853/64 Enabled
Ethernet 1/1/3 up/up fe80::4/64 3000::1/64 4000::1/64 Disabled
Ethernet 1/1/4 up/up fe80::4/64 4::1/64 5::1/64 Enabled
Supported Releases 10.2.
Areas, networks, and neighbors
The backbone of the network is Area 0, also called Area 0.0.0.0, the core of any AS. All other areas must connect to Area 0. An OSPF backbone distributes routing information between areas. It consists of all area border routers and networks not wholly contained in any area and their attached routers. The backbone is the only area with a default area number. You configure the Area ID for all other areas. If you configure two non-backbone areas, you must enable the B bit in OSPF.
Backbone router
A backbone router (BR) is part of the OSPF Backbone, Area 0, and includes all ABRs. BRs also include routers that connect only to the backbone and another ABR but are part of Area 0 only.
Area border router
Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to. It may keep multiple copies of the link-state database.
router with the highest priority is elected DR. If there is a tie, the router with the higher router ID takes precedence. After the DR is elected, the BDR is elected the same way. A router with a router priority set to zero cannot become a DR or BDR.
Link-state advertisements
A link-state advertisement (LSA) communicates the router’s routing topology to all other routers in the network.
Type 1—Router LSA
Router lists links to other routers or networks in the same area.
OSPF route limit OS10 supports up to 16,000 OSPF routes. Within this range, the only restriction is on intra-area routes that scale only up to 1000 routes. Other OSPF routes can scale up to 16 K. Shortest path first throttling Use shortest path first (SPF) throttling to delay SPF calculations during periods of network instability. In an OSPF network, a topology change event triggers an SPF calculation that is performed after a start time.
View OSPFv2 SPF throttling
OS10(config-router-ospf-100)# do show ip ospf
Routing Process ospf 100 with ID 12.1.1.1
Supports only single TOS (TOS0) routes
It is Flooding according to RFC 2328
SPF schedule delay 1200 msecs, Hold time between two SPFs 2300 msecs
Convergence Level 0
Min LSA origination 0 msec, Min LSA arrival 1000 msec
Min LSA hold time 5000 msec, Max LSA wait time 5000 msec
Number of area in this router is 1, normal 1 stub 0 nssa 0
Area (0.0.0.
chosen to redistribute the inactive OSPF routes, OSPF removes the route learned from the peer and retains only the leaked route. To redistribute active and inactive IPv4/IPv6 routes from other unicast protocols into OSPF:
1. Configure a route-map to match the inactive-path-additive rule.
route-map route-map-name
match inactive-path-additive
2. Apply the route-map to the redistribute command.
2. Enter the interface information to configure the interface for OSPF in INTERFACE mode.
interface ethernet node/slot/port[:subport]
3. Enable the interface in INTERFACE mode.
no shutdown
4. Disable the default switchport configuration and remove it from an interface or a LAG port in INTERFACE mode.
no switchport
5. Assign an IP address to the interface in INTERFACE mode.
ip address ip-address/mask
6. Enable OSPFv2 on an interface in INTERFACE mode.
6. Associate the interface with the non-default VRF instance that you created earlier.
ip vrf forwarding vrf-name
7. Assign an IP address to the interface.
ip address ip-address/mask
8. Enable OSPFv2 on the interface.
ip ospf process-id area area-id
● process-id—Enter the OSPFv2 process ID for a specific OSPF process, from 1 to 65535.
● area-id—Enter the OSPFv2 area ID as an IP address (A.B.C.D) or number, from 1 to 65535.
SPF algorithm executed 38 times
Area ranges are
Stub areas
Type 5 LSAs are not flooded into stub areas. The ABR advertises a default route into the stub area where it is attached. Stub area routers use the default route to reach external destinations.
1. Enable OSPF routing and enter ROUTER-OSPF mode, from 1 to 65535.
router ospf instance number
2. Configure an area as a stub area in ROUTER-OSPF mode.
area area-id stub [no-summary]
● area-id—Enter the OSPF area ID as an IP address in A.B.C.
View passive interfaces
OS10# show running-configuration
!!!
!!
interface ethernet1/1/6
 ip address 10.10.10.1/24
 no switchport
 no shutdown
 ip ospf 100 area 0.0.0.0
 ip ospf passive
!!
!
You can disable a passive interface using the no ip ospf passive command.
Fast convergence
Fast convergence sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. A higher convergence level can result in occasional loss of OSPF adjacency.
Disable fast convergence
OS10(conf-router-ospf-65535)# no fast-converge
Interface parameters
To avoid routing errors, interface parameter values must be consistent across all interfaces. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors.
1. To change the OSPFv2 parameters in CONFIGURATION mode, enter the interface.
interface interface-name
2.
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 150.1.1.1(Designated Router)
Default route
You can generate an external default route and distribute the default information to the OSPFv2 routing domain.
● Generate the default route using the default-information originate [always] command in ROUTER-OSPF mode.
OSPFv2 authentication
You can enable OSPF authentication either with clear text or MD5.
● Set a clear text authentication scheme on the interface in INTERFACE mode.
ip ospf authentication-key key
● Set MD5 authentication in INTERFACE mode.
● View summary information for the OSPF database in EXEC mode.
show ip ospf database
● View the configuration of OSPF neighbors connected to the local router in EXEC mode.
show ip ospf neighbor
● View routes that OSPF calculates in EXEC mode.
show ip ospf routes
View OSPF configuration
OS10# show running-configuration ospf
!
interface ethernet1/1/1
 ip ospf 100 area 0.0.0.0
!
router ospf 100
 log-adjacency-changes
Debug OSPF
Use the following procedures to debug OSPFv2 and OSPFv3.
area nssa
Defines an area as an NSSA.
Syntax area area-id nssa [default-information-originate | no-redistribution | no-summary]
Parameters
● area-id — Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-redistribution — (Optional) Prevents the redistribute command from distributing routes into the NSSA. Use the no-redistribution command only in an NSSA ABR.
● no-summary — (Optional) Ensures that no summary LSAs are sent to the NSSA.
OS10(config-router-ospfv3-10)# no area 1.1.1.1 range 101::/16 not-advertise
OS10(config-router-ospfv3-10)# show configuration
!
router ospfv3 10
 area 1.1.1.1 range 101::/16
"no area 1.1.1.1 range 101::/16 not-advertise" re-allows route summarization to happen and only the summary route will be advertised.
Supported Releases 10.2.0E or later
area stub
Defines an area as the OSPF stub area.
Syntax area area-id stub [no-summary]
Parameters
● area-id—Set the OSPF area ID as an IP address in A.B.C.
Parameters
● instance-number — Enter an OSPF instance number, from 1 to 65535.
● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to reset the OSPF process configured in that VRF.
Default Not configured
Command Mode EXEC
Usage Information This command clears all entries in the OSPF routing table.
Example OS10# clear ip ospf 3 vrf vrf-test process
Supported Releases 10.2.0E or later
clear ip ospf statistics
Clears OSPF traffic statistics.
Parameters always — (Optional) Always advertise the default route.
Defaults Disabled
Command Mode ROUTER-OSPF
Usage Information The no version of this command disables the distribution of default route.
Example
OS10(config)# router ospf 10
OS10(config-router-ospf-10)# default-information originate always
Supported Releases 10.3.0E or later
default-metric
Assigns a metric value to redistributed routes for the OSPF process.
Parameters None
Defaults Disabled
Command Mode ROUTER-OSPF
Usage Information The no version of this command disables Helper mode.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# graceful-restart role helper-only
Supported Releases 10.3.0E or later
ip ospf area
Attaches an interface to an OSPF area.
Syntax ip ospf process-id area area-id
Parameters
● process-id — Set an OSPF process ID for a specific OSPF process, from 1 to 65535.
Parameters cost — Enter a value as the OSPF cost for the interface, from 1 to 65335.
Default Based on bandwidth reference
Command Mode INTERFACE
Usage Information If not configured, interface cost is based on the auto-cost command. This command configures OSPF over multiple vendors to ensure that all routers use the same cost. If you manually configure the cost, the calculated cost based on the reference bandwidth does not apply to the interface.
ip ospf message-digest-key Enables OSPF MD5 authentication and sends an OSPF message digest key on the interface. Syntax ip ospf message-digest-key keyid md5 key Parameters ● keyid — Enter an MD5 key ID for the interface, from 1 to 255. ● key — Enter a character string as the password. A maximum of 16 characters. Defaults Not configured Command Mode INTERFACE Usage Information All neighboring routers in the same network must use the same key value to exchange OSPF information.
Supported Releases 10.2.0E or later
ip ospf passive
Configures an interface as a passive interface and suppresses both receiving and sending routing updates to the passive interface.
Syntax ip ospf passive
Parameters None
Default Not configured
Command Mode INTERFACE
Usage Information You must configure the interface before setting the interface to Passive mode. The no version of this command disables the passive interface configuration.
Example
OS10(conf-if-eth1/1/6)# ip ospf retransmit-interval 20
Supported Releases 10.2.0E or later
ip ospf transmit-delay
Sets the estimated time required to send a link state update packet on the interface.
Syntax ip ospf transmit-delay seconds
Parameters seconds — Set the time in seconds required to send a link-state update, from 1 to 3600.
Supported Releases 10.2.0E or later
maximum-paths
Enables forwarding of packets over multiple paths.
Syntax maximum-paths number
Parameters number — Enter the number of paths for OSPF, from 1 to 128.
Default 64
Command Mode ROUTER-OSPF
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# maximum-paths 1
Supported Releases 10.2.
Parameters ip-address — Enter the IP address of the router as the router ID. Default Not configured Command Mode ROUTER-OSPF Usage Information Configure an arbitrary value in the IP address format for each router. Each router ID must be unique. Use the fixed router ID for the active OSPF router process. Changing the router ID brings down the existing OSPF adjacency. The new router ID becomes effective immediately. The no version of this command disables the router ID configuration.
Number of interface in this area is 3 SPF algorithm executed 38 times Area ranges are Supported Releases 10.2.0E or later show ip ospf asbr Displays all the ASBR visible to OSPF. Syntax show ip ospf [process-id] [vrf vrf-name] asbr Parameters ● process-id—(Optional) Displays information based on the process ID. ● vrf vrf-name — (Optional) Displays the ASBR router visible to the OSPF process configured in the specified VRF.
Link ID          ADV Router       Age   Seq#        Checksum  Link count
111.2.1.1        111.2.1.1        1281  0x8000000d  0x9bf2    3
111.111.111.1    111.111.111.1    1430  0x8000021a  0x515a    1
111.111.111.2    111.111.111.2    1430  0x8000021a  0x5552    1
112.2.1.1        112.2.1.1        1282  0x8000000b  0x0485    3
112.112.112.1    112.112.112.1    1305  0x80000250  0xbab2    1
112.112.112.2    112.112.112.2    1305  0x80000250  0xbeaa    1
Network (Area 0.0.0.0)
Link ID: 110.1.1.2 111.1.1.1 111.2.1.1 112.1.1.1 112.2.1.
Seq#: 0x80000008 0x80000008 0x80000008 0x80000008 0x80000008
Checksum: 0xd2b1 0x1b8f 0x198f 0x287c 0x267c
Supported Releases 10.2.0E or later show ip ospf database external Displays information about the AS external Type 5 LSAs. Syntax show ip ospf [process-id] [vrf vrf-name] database external Parameters ● process-id—(Optional) Displays AS external Type 5 LSA information for a specified OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
● vrf vrf-name — (Optional) Displays network Type 2 LSA information for a specified OSPF process ID corresponding to a VRF.
Default Not configured
Command Mode EXEC
Usage Information
● LS Age—Displays the LS age.
● Options—Displays optional capabilities.
● LS Type—Displays the LS type.
● Link State ID—Identifies the router ID.
● Advertising Router—Identifies the advertising router’s ID.
● LS Seq Number—Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Network Mask—Identifies the network mask implemented on the area. ● TOS—Displays the ToS options. The only option available is zero. ● Metric—Displays the LSA metric. Example OS10# show ip ospf database nssa external OSPF Router with ID (2.2.2.2) (Process ID 100) NSSA External (Area 0.0.0.1) LS age: 98 Options: (No TOS-Capability, No DC, No Type 7/5 translation) LS type: NSSA External Link State ID: 0.0.0.0 Advertising Router: 1.1.1.
Options: (No TOS-Capability, No DC, No Type 7/5 translation) LS type: NSSA External Link State ID: 14.1.1.0 Advertising Router: 2.2.2.2 LS Seq Number: 0x80000001 Checksum: 0xA303 Length: 36 Network Mask: /24 Metric Type: 2 TOS: 0 Metric: 20 Forward Address: 0.0.0.0 External Route Tag: 0 Supported Releases 10.2.0E or later show ip ospf database opaque-area Displays information about the opaque-area Type 10 LSA.
show ip ospf database opaque-as
Displays information about the opaque-as Type 11 LSAs.
Syntax show ip ospf [process-id] opaque-as
Parameters process-id — (Optional) Displays opaque-as Type 11 LSA information for a specified OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
Default Not configured
Command Mode EXEC
Usage Information
● LS Age — Displays the LS age.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
● Opaque Type — Identifies the Opaque type field, the first 8 bits of the LS ID.
● Opaque ID — Identifies the Opaque type-specific ID, the remaining 24 bits of the LS ID.
Example
OS10# show ip ospf 100 database opaque-link
OSPF Router with ID (1.1.1.
LS Seq Number: 0x8000000d Checksum: 0x9bf2 Length: 60 AS Boundary Router Number of Links: 3 Link connected to: a Transit Network (Link ID) Designated Router address: 110.1.1.2 (Link Data) Router Interface address: 110.1.1.1 Number of TOS metric: 0 TOS 0 Metric: 1 Link connected to: a Transit Network (Link ID) Designated Router address: 111.1.1.1 (Link Data) Router Interface address: 111.1.1.
Checksum: 0x4a67 Length: 28 Network Mask: /24 TOS: 0 Metric: 0 Supported Releases 10.2.0E or later show ip ospf interface Displays the configured OSPF interfaces. You must enable OSPF to display output. Syntax show ip ospf interface [process-id] [vrf vrf-name] interface or show ip ospf [process-id] [vrf vrf-name] interface [interface] Parameters ● process-id — (Optional) Displays information for an OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
111.1.1.0    1    0.0.0.0    vlan3051    0.0.0.0    intra-area
111.2.1.0    1    0.0.0.0    vlan3053    0.0.0.0    intra-area
Supported Releases 10.2.0E or later
show ip ospf statistics
Displays OSPF traffic statistics.
Syntax show ip ospf [instance-number] [vrf vrf-name] statistics [interface interface]
Parameters
● instance-number — (Optional) Enter an OSPF instance number, from 1 to 65535.
show ip ospf topology Displays routers that directly connect to OSPF areas. Syntax show ip ospf [process-id] [vrf vrf-name] topology Parameters ● process-id — (Optional) Displays OSPF process information. If you do not enter a process ID, this applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays the routers in the directly connected OSPF areas in the configured VRF.
Command Mode ROUTER-OSPF
Usage Information Setting the LSA arrival time between receiving the LSA repeatedly ensures that the system gets enough time to accept the LSA. The no version of this command resets the value to the default.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# timers lsa arrival 2000
Supported Releases 10.2.0E or later
timers spf
Enables shortest path first (SPF) throttling to delay an SPF calculation when a topology change occurs.
timers throttle lsa all Configures the LSA transmit intervals. Syntax timers lsa all [start-interval | hold-interval | max-interval] Parameters ● start-interval — Sets the minimum interval between initial sending and re-sending the same LSA in milliseconds, from 0 to 600,000. ● hold-interval — Sets the next interval to send the same LSA in milliseconds. This is the time between sending the same LSA after the start-interval is attempted, from 1 to 600,000.
Enable OSPFv3 OS10(config)# router ospfv3 100 OS10(config-router-ospfv3-100)# exit OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no shutdown OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ipv6 ospf 300 area 0.0.0.0 Enable OSPFv3 in a non-default VRF instance 1. Create the non-default VRF instance in which you want to enable OSPFv3: ip vrf vrf-name CONFIGURATION Mode 2.
Assign Router ID You can assign a router ID for the OSPFv3 process. Configure an arbitrary value in the IP address format for each router. Each router ID must be unique. Use the fixed router ID for the active OSPFv3 router process. Changing the router ID brings down the existing OSPFv3 adjacency. The new router ID becomes effective immediately. ● Assign the router ID for the OSPFv3 process in ROUTER-OSPFv3 mode.
ADV Router        Age   Seq#        Fragment ID  Link count  Bits
------------------------------------------------------------------
199.205.134.103   32    0x80000002  0            1
202.254.156.15    33    0x80000002  0            1           B
Net Link States (Area 0.0.0.2)
ADV Router        Age   Seq#        Link ID  Rtr count
---------------------------------------------------------
202.254.156.15    38    0x80000001  12       2
Inter Area Prefix Link States (Area 0.0.0.2)
ADV Router        Age   Seq#        Prefix
----------------------------------------------------------------
202.254.156.
Interface OSPFv3 Parameters To avoid routing errors, interface parameter values must be consistent across all interfaces. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. 1. Enter the interface to change the OSPFv3 parameters in CONFIGURATION mode. interface interface-name 2. Change the cost associated with OSPFv3 traffic on the interface in INTERFACE mode, from 1 to 65535.
Default route You can generate an external default route and distribute the default information to the OSPFv3 routing domain. ● Generate the default route, using the default-information originate [always] command in ROUTER-OSPFv3 mode.
○ key — Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6 ospf authentication null command.
● Enable IPsec authentication for OSPFv3 packets in an area in Router-OSPFv3 mode.
area area-id authentication ipsec spi number {MD5 | SHA1} key
○ area area-id — Enter an area ID as a number or IPv6 prefix.
○ ipsec spi number — Enter a unique security policy index (SPI) value, from 256 to 4294967295.
○ md5 — Enable message digest 5 (MD5) authentication.
○ sha1 — Enable secure hash algorithm 1 (SHA1) authentication.
○ key — Enter the text string used in the authentication type.
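The interface-level and area-level IPsec rules above (SPI from 256 to 4294967295 and unique, 32 hex digits for MD5, 40 for SHA1) can be checked before a configuration is pushed. The following is an added example, not code from Dell or from this guide: the function names, the finding codes, the treatment of `null` as "do not inherit the area policy", and the sample configuration are assumptions made for illustration.

```python
import re

SPI_MIN, SPI_MAX = 256, 4294967295        # SPI range stated in the guide
KEY_HEX_LEN = {"md5": 32, "sha1": 40}     # hex digits required per hash type
# Keys printed in the guide's own examples; a key copied from documentation is public.
DOC_KEYS = {"12345678123456781234567812345678", "1234567812345678"}

IPSEC_RE = re.compile(r"(authentication|encryption) ipsec spi (\d+)"
                      r"(?: esp (\S+) (\S+))? (md5|sha1) (\S+)$", re.I)
NULL_RE = re.compile(r"ipv6 ospf (authentication|encryption) null$", re.I)
ATTACH_RE = re.compile(r"ipv6 ospf (\d+) area (\S+)$", re.I)
AREA_RE = re.compile(r"area (\S+) (?:authentication|encryption) ipsec ", re.I)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
router ospfv3 100
 area 1 authentication ipsec spi 400 md5 12345678123456781234567812345678
!
interface ethernet1/1/1
 ipv6 ospf 100 area 1
!
interface ethernet1/1/2
 ipv6 ospf 100 area 0.0.0.0
!
interface ethernet1/1/5
 ipv6 ospf 100 area 1
 ipv6 ospf authentication null
!
interface ethernet1/1/6
 ipv6 ospf 100 area 0.0.0.0
 ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678
!
interface ethernet1/1/7
 ipv6 ospf 100 area 0.0.0.0
 ipv6 ospf authentication ipsec spi 200 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f0011223
"""


def norm_area(area):
    """Render a decimal area ID in dotted form so 'area 1' equals '0.0.0.1'."""
    if area.isdigit():
        n = int(area)
        return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return area


def audit(config_text):
    """Return sorted (location, finding) pairs for OSPFv3 IPsec settings."""
    findings, spi_seen = set(), {}
    attach, own, nulls, area_kinds = {}, set(), {}, {}
    stanza, pid = "", None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "router ")):
            stanza = line
            m = re.match(r"router ospfv3 (\d+)$", line)
            pid = m.group(1) if m else None
            continue
        m = ATTACH_RE.match(line)
        if m and stanza.startswith("interface "):
            attach[stanza] = (m.group(1), norm_area(m.group(2)))
            continue
        m = NULL_RE.match(line)
        if m:
            # Assumption: "null" stops the interface inheriting the area policy.
            nulls.setdefault(stanza, set()).add(m.group(1).lower())
            continue
        m = IPSEC_RE.search(line)
        if not m:
            continue
        kind, spi, cipher, enc_key, algo, key = m.groups()
        a = AREA_RE.match(line)
        if a and pid:                      # area-wide policy under router ospfv3
            area = norm_area(a.group(1))
            where = f"ospfv3 {pid} area {area}"
            area_kinds.setdefault((pid, area), set()).add(kind.lower())
        else:                              # policy set directly on an interface
            where = stanza
            own.add(stanza)
        if not SPI_MIN <= int(spi) <= SPI_MAX:
            findings.add((where, "spi-out-of-range"))
        if spi_seen.setdefault(spi, where) != where:
            findings.add((where, "spi-reused"))
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % KEY_HEX_LEN[algo.lower()], key):
            findings.add((where, "auth-key-format"))
        if key in DOC_KEYS or enc_key in DOC_KEYS:
            findings.add((where, "documentation-example-key"))
        if cipher and cipher.lower() == "des":
            findings.add((where, "des-cipher"))
    # An OSPFv3 interface is covered by its own policy or one inherited from its area.
    for iface, (ipid, area) in attach.items():
        inherited = area_kinds.get((ipid, area), set()) - nulls.get(iface, set())
        if iface not in own and not inherited:
            findings.add((iface, "no-ipsec-protection"))
    return sorted(findings)


if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

The input is expected to be the commands as entered, with the key in clear hex, for example a change-management template reviewed before deployment.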
Troubleshoot OSPFv3 You can troubleshoot OSPFv3 operations and check questions for typical issues that interrupt a process.
hex digits. For SHA1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported.
Example
OS10(config-router-ospfv3-100)# area 1 authentication ipsec spi 400 md5 12345678123456781234567812345678
Supported Releases 10.4.0E(R1) or later
area encryption
Configures encryption for an OSPFv3 area.
Syntax area area-id encryption ipsec spi number esp encryption-type key authentication-type key
Parameters
● area area-id — Enter an area ID as a number or IPv6 prefix.
Usage Information The no version of this command deletes a stub area.
Example
OS10(config)# router ospfv3 10
OS10(conf-router-ospfv3-10)# area 10.10.1.5 stub
Supported Releases 10.3.0E or later
auto-cost reference-bandwidth
Calculates default metrics for the interface based on the configured auto-cost reference bandwidth value.
Default Not configured
Command Mode EXEC
Usage Information This command clears the OSPFv3 traffic statistics in a specified instance or in all the configured OSPFv3 instances, and resets them to zero.
Example
OS10# clear ipv6 ospf 100 statistics
Supported Releases 10.4.0E(R1) or later
debug ip ospfv3
Enables Open Shortest Path First version 3 (OSPFv3) debugging and displays messages related to processing of OSPFv3.
Command Mode INTERFACE Usage Information The no version of this command removes an interface from an OSPFv3 area. Example OS10(config)# interface vlan 10 OS10(conf-if-vl-10)# ipv6 ospf 10 area 1 Supported Releases 10.3.0E or later ipv6 ospf authentication Configures OSPFv3 authentication on an IPv6 interface. Syntax ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key} Parameters ● ● ● ● ● Default IPv6 OSPF authentication is not configured on an interface.
Example
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)# ipv6 ospf cost 10
Supported Releases 10.3.0E or later
ipv6 ospf dead-interval
Sets the time interval since the last hello-packet was received from a router. After the interval elapses, the neighboring routers declare the router dead.
Syntax ipv6 ospf dead-interval seconds
Parameters seconds — Enter the dead interval value in seconds, from 1 to 65535.
Example OS10(config)# interface ethernet 1/1/6 OS10(conf-if-eth1/1/6)# ipv6 ospf encryption ipsec spi 500 esp des 1234567812345678 md5 12345678123456781234567812345678 OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# ipv6 ospf encryption null Supported Releases 10.4.0E(R1) or later ipv6 ospf hello-interval Sets the time interval between hello packets sent on an interface.
Parameters
● point-to-point — Sets the interface as part of a point-to-point network.
● broadcast — Sets the interface as part of a broadcast network.
Default Broadcast
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ipv6 ospf network broadcast
Supported Releases 10.3.
log-adjacency-changes
Enables logging of syslog messages about changes in the OSPFv3 adjacency state.
Syntax log-adjacency-changes
Parameters None
Default Disabled
Command Mode ROUTER-OSPFv3
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# log-adjacency-changes
Supported Releases 10.3.0E or later
maximum-paths
Enables forwarding of packets over multiple paths.
Example (Connected)
OS10(config-router-ospfv3-100)# redistribute connected route-map dell2
Example (AS number notation in asdot+ format)
OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# redistribute bgp 0.100
Supported Releases 10.3.0E or later
router-id
Configures a fixed router ID for the OSPFv3 process.
Syntax router-id ip-address
Parameters ip-address — Enter the IP address of the router as the router ID.
Default None Command Mode EXEC Usage Information None Example OS10# show ipv6 ospf Routing Process ospfv3 200 with ID 1.1.1.1 It is an Area Border Router Min LSA origination 5000 msec, Min LSA arrival 1000 Min LSA hold time 0 msec, Max LSA wait time 0 msec Number of area in this router is 2, normal 2 stub 0 Area (0.0.0.0) Number of interface in this area is 1 SPF algorithm executed 42 times Area (0.0.0.
● Dest RtrID—Displays the destination router ID.
● Interface—Displays the interface type.
● Prefix—Displays the prefix details.
Example
OS10# show ipv6 ospf database
OSPF Router with ID (10.0.0.2) (Process ID 200)
Router Link States (Area 0.0.0.0)
ADV Router   Age   Seq#        Fragment ID  Link count  Bits
------------------------------------------------------------------
1.1.1.1      1610  0x80000144  0            1           B
2.2.2.2      1040  0x8000013A  0            1
10.0.0.2     1039  0x80000002  0            1
Net Link States (Area 0.0.0.
Transmit Delay is 1 sec, State BDR, Priority 1 BFD enabled(Interface level) Interval 300 Min_rx 300 Multiplier 3 Role Active Designated Router on this network is 2.2.2.2 Backup Designated router on this network is 10.0.0.2 (local) Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2(Designated Router) Supported Releases 10.3.
rx-invalid 0 rx-invalid-bytes 0 rx-hello 0 rx-hello-bytes 0 rx-db-des 0 rx-db-des-bytes 0 rx-ls-req 0 rx-ls-req-bytes 0 rx-ls-upd 0 rx-ls-upd-bytes 0 rx-ls-ack 0 rx-ls-ack-bytes 0 Transmit Statistics tx-hello 1054 tx-hello-bytes 37944 tx-db-des 0 tx-db-des-bytes 0 tx-ls-req 0 tx-ls-req-bytes 0 tx-ls-upd 0 tx-ls-upd-bytes 0 tx-ls-ack 0 tx-ls-ack-bytes 0 Error packets (Receive statistics) bad-src 0 dupe-id 0 hello-err 0 mtu-mismatch 0 nbr-ignored 0 resource-err 0 bad-lsa-len 0 lsa-bad-type 0 lsa-bad-len 0 lsa
Number of area in this router is 1, normal 1 stub 0 nssa Area (0.0.0.1) Number of interface in this area is 1 SPF algorithm executed 2 times Supported Releases 10.4.0E(R1) or later Object tracking manager OTM allows you to track the link status of Layer 2 (L2) interfaces, and the reachability of IPv4 and IPv6 hosts. You can increase the availability of the network and shorten recovery time if an object state goes Down.
Interface tracking You can create an object that tracks the line-protocol state of an L2 interface, and monitors its operational up or down status. You can configure up to 500 objects. Each object is assigned a unique ID. When the link-level status goes down, the tracked resource status is also considered Down. If the link-level status goes up, the tracked resource status is also considered Up.
1. Configure object tracking in CONFIGURATION mode. track object-id 2. Enter the host IP address for reachability of an IPv4 or IPv6 route in OBJECT TRACKING mode. [ip | ipv6] host-ip-address reachability 3. Configure the time delay used before communicating a change in the status of a tracked route in OBJECT TRACKING mode. delay [up seconds] [down seconds] 4. Track the host by checking the reachability periodically in OBJECT TRACKING mode. reachability-refresh interval 5.
View tracked objects You can view the status of currently tracked L2 or L3 interfaces, or the IPv4 or IPv6 hosts. View brief object tracking information OS10# show track brief TrackID Resource Parameter Status LastChange --------------------------------------------------------------------------------1 line-protocol ethernet1/1/1 DOWN 2017-02-03T08:41:25Z1 2 ipv4-reachablity 1.1.1.
Example
OS10(conf-track-100)# delay up 200 down 100
Supported Releases 10.3.0E or later
interface line-protocol
Configures an object to track a specific interface's line-protocol status.
Syntax interface interface line-protocol
Parameters interface — Enter the interface information:
● ethernet — Physical interface.
● port-channel — Enter the port-channel identifier.
● vlan — Enter the VLAN identifier.
● loopback — Enter the Loopback interface identifier.
● mgmt — Enter the Management interface.
Usage Information None
Example
OS10(config)# track 200
OS10(conf-track-200)# ipv6 10::1 reachability
Supported Releases 10.3.0E or later
reachability-refresh
Configures a polling interval for reachability tracking.
Syntax reachability-refresh interval
Parameters interval — Enter the polling interval value. A maximum of 3600 seconds.
Defaults 0 seconds
Command Mode CONFIGURATION
Usage Information Set the interval to 0 to disable the refresh.
track
Configures and manages tracked objects.
Syntax track object-id
Parameters object-id — Enter the object ID to track. A maximum of 500.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the tracked object from an interface.
Example
OS10# track 100
Supported Releases 10.3.
Configure IPv6 access-list to match route-map OS10(config)# ipv6 access-list acl8 OS10(conf-ipv6-acl)# permit ipv6 10::10 any Set address to match route-map You can set an IPv4 or IPv6 address to match a route-map. 1. Enter the IPv4 or IPv6 address to match and specify the access-list name in Route-Map mode. match {ip | ipv6} address access-list-name 2. Set the next-hop IP address in Route-Map mode.
Verify IPv4 PBR configuration
OS10# show ip policy abc
Interface       Route-map
----------------------
ethernet1/1/1   abc
ethernet1/1/3   abc
vlan100         abc
Verify IPv6 PBR configuration
OS10# show ipv6 policy abc
Interface       Route-map
------------------------
ethernet1/1/1   abc
ethernet1/1/3   abc
vlan100         abc
View current PBR statistics
show route-map pbr-sample pbr-statistics
route-map pbr-sample, permit, sequence 10
Policy routing matches: 84 packets
Policy-based routing per VRF
Configure PBR per VRF instance for both IP
NOTE: If the next-hop is reachable on the specified VRF instance, the packet is redirected; otherwise, the packet follows the regular routing flow. 6. Apply the route-map to the interface. interface interface-type {ip | ipv6} policy route-map route-map-name 7. View the route-map information. show route-map OS10(conf-if-vl-40)# do show route-map route-map test, permit, sequence 10 Match clauses: ip address (access-lists): acl1 Set clauses: ip vrf red next-hop 1.1.1.
● Create a VLAN and assign an IP address to it which acts as the gateway for the hosts in the VM. OS10# configure terminal OS10(config)# interface vlan 100 OS10(conf-if-vl-100)# no shutdown OS10(conf-if-vl-100)# ip address 10.1.1.1/24 OS10(conf-if-vl-100)# exit ● Create another VLAN, and assign an IP address to it. OS10# configure terminal OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# no shutdown OS10(conf-if-vl-200)# ip address 10.2.1.1/24 OS10(conf-if-vl-200)# exit VLT configuration 1.
Apply the policy on the traffic ingress interface and the VLTi interfaces of both VLT peers. OS10(config)# ip access-list PBR-A2C OS10(conf-ipv4-acl)# permit ip 10.10.10.0/24 any OS10(config-ipv4-acl)# exit OS10(config)# route-map Map1 OS10(conf-route-map)# match ip address PBR-A2C OS10(conf-route-map)# set ip next-hop 10.10.20.
PBR configuration Apply the policy on the VLTi interfaces of both VLT peers. OS10(config)# ip access-list PBR-A2C OS10(conf-ipv4-acl)# permit ip 10.10.10.0/24 any OS10(conf-route-map)# route-map Map1 OS10(conf-route-map)# match ip address PBR-A2C OS10(conf-route-map)# set ip next-hop 10.10.20.10 OS10(conf-route-map)# exit OS10(config)# interface ethernet 1/1/4-1/1/6 OS10(conf-if-eth1/1/4-1/1/6)# ip policy route-map Map1 Sample configuration Consider a scenario where traffic from source IP address 1.1.1.
Track route reachability
Track IPv4 or IPv6 reachability using object tracking. To configure tracking over the routes that are reachable through a VRF instance:
1. Configure object tracking.
track track-id
OS10(config)# track 200
2. Configure reachability of the next-hop address through the VRF instance.
ip ip-address reachability vrf vrf-name
OS10(conf-track-200)# ip 1.1.1.1 reachability vrf red
OS10(conf-track-200)# exit
3. Configure the route-map.
● Create an ACL and define what should be enabled for PBR processing. ip access-list TEST-ACL seq 10 permit tcp any any eq 80 seq 20 permit tcp any any eq 443 seq 30 permit tcp any any eq 21 seq 40 permit icmp any any ● Create an ACL and define what should be excluded from PBR processing. ip access-list TEST-ACL-DENY seq 10 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 80 seq 20 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 443 seq 30 permit tcp 10.99.0.0/16 10.0.0.0/8 eq 21 seq 40 permit icmp 10.99.0.0/16 10.0.0.
route-map test, permit, sequence 10
Match clauses:
ip address (access-lists): acl1
Set clauses:
ip vrf red next-hop 1.1.1.1 track-id 200
!
PBR commands
clear route-map pbr-statistics
Clears all PBR counters.
Syntax clear route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example
OS10# clear route-map map1 pbr-statistics
Supported Releases 10.3.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip policy route-map map1
Supported Releases 10.3.0E or later
route-map pbr-statistics
Enables counters for PBR statistics.
Syntax route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# route-map map1 pbr-statistics
Supported Releases 10.3.
set next-hop track Tracks the next-hop IPv4 or IPv6 address object. Syntax set {ip | ipv6} vrf [vrf-name] next-hop address track track-id Parameters ● address—Enter an IPv4 or IPv6 address. ● vrf vrf-name — Enter the keyword then the name of the VRF to track the next-hop reachable through that VRF. ● track-id—(Optional) Enter the track ID of the PBR object.
Example
OS10# show route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
Virtual Router Redundancy Protocol
VRRP allows you to form virtual routers from groups of physical routers on your local area network (LAN). These virtual routing platforms—master and backup pairs—provide redundancy during hardware failure. VRRP also allows you to easily configure a virtual router as the default gateway to all your hosts. It also avoids the single point of failure of a physical router.
The example shows a typical network configuration using VRRP. Instead of configuring the hosts on network 10.10.10.0 with the IP address of either Router A or Router B as the default router, the default router of all hosts is set to the IP address of the virtual router. When any host on the LAN segment requests Internet access, it sends packets to the IP address of the virtual router.
interface ethernet 1/1/5 ip address 10.10.10.1/24 ! vrrp-group 254 no shutdown ... Group version Configure a VRRP version for the system. Define either VRRPv2 — vrrp version 2 or VRRPv3 — vrrp version 3. ● Configure the VRRP version for IPv4 in INTERFACE mode. vrrp version Configure VRRP version 3 OS10(config)# vrrp version 3 1. Set the switch with the lowest priority to vrrp version 2. 2. Set the switch with the highest priority to vrrp version 3. 3. Set all switches from vrrp version 2 to vrrp version 3.
1. Configure a VRRP group in INTERFACE mode, from 1 to 255. vrrp-group vrrp-id 2. Configure virtual IP addresses for this VRRP ID in INTERFACE-VRRP mode. A maximum of 10 IP addresses. virtual-address ip-address1 [...ip-address10] Configure virtual IP address OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24 OS10(conf-if-eth1/1/1)# vrrp-group 10 OS10(conf-eth1/1/1-vrid-10)# virtual-address 10.1.1.
Configure virtual IP address in a VRF You can configure a VRRP group in a non-default VRF instance and assign a virtual address to this group. To configure VRRP under a specific VRF: 1. Create the non-default VRF in which you want to configure VRRP. ip vrf vrf-name CONFIGURATION Mode 2. In the VRF Configuration mode, enter the desired interface. interface interface-id VRF CONFIGURATION Mode 3. Remove the interface from L2 switching mode. no switchport INTERFACE CONFIGURATION Mode 4.
Set VRRP group priority OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# vrrp-group 254 OS10(conf-eth1/1/5-vrid-254)# priority 200 Verify VRRP group priority OS10(conf-eth1/1/5-vrid-254)# do show vrrp 254 Interface : ethernet1/1/5 IPv4 VRID : 254 Primary IP Address : 10.1.1.1 State : master-state Virtual MAC Address : 00:00:5e:00:01:01 Version : version-3 Priority : 200 Preempt : Hold-time : Authentication : no-authentication Virtual IP address : 10.1.1.
You must configure all virtual routers in the VRRP group with the same settings. Configure all routers with preempt enabled or configure all with preempt disabled. 1. Create a virtual router for the interface with the VRRP identifier in INTERFACE mode, from 1 to 255. vrrp-group vrrp-id 2. Prevent any backup router with a higher priority from becoming the Master router in INTERFACE-VRRP mode.
Change advertisement interval OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# vrrp-group 1 OS10(conf-eth1/1/1-vrid-1)# advertise-interval centisecs 200 View running configuration OS10(conf-eth1/1/1-vrid-1)# do show running-configuration ! Version 10.1.9999P.2281 ! Last configuration change at Jul 26 12:22:33 2016 ! aaa authentication system:local ! interface ethernet1/1/1 ip address 10.1.1.
Configure interface tracking OS10(config)# track 10 OS10(conf-track-10)# interface ethernet 1/1/7 line-protocol View running configuration OS10(conf-track-10)# do show running-configuration ! Version 10.1.9999P.2281 ! Last configuration change at Jul 27 03:24:01 2016 ! aaa authentication system:local ! interface ethernet1/1/1 ip address 10.1.1.1/16 no switchport no shutdown ! vrrp-group 1 priority 200 virtual-address 10.1.1.
Default 1 second or 100 centisecs
Command Mode INTERFACE-VRRP
Usage Information Dell EMC recommends keeping the default setting for this command. If you change the time interval between VRRP advertisements on one router, change it on all routers. The no version of this command sets the VRRP advertisements timer interval back to its default value, 1 second or 100 centisecs.
Example
OS10(conf-eth1/1/6-vrid-250)# advertise-interval 120 centisecs 100
Supported Releases 10.2.
Default 100
Command Mode INTERFACE-VRRP
Usage Information To guarantee that a VRRP group becomes master, configure the priority of the VRRP group to 254, which is the highest priority. OS10 does not support priority 255. The no version of this command resets the value to the default of 100.
Example
OS10(conf-eth1/1/5-vrid-254)# priority 200
Supported Releases 10.2.0E or later
show vrrp
Displays VRRP group information.
● priority cost value — (Optional) Enter a cost value to subtract from the priority value, from 1 to 254. Default 10 Command Mode INTERFACE-VRRP Usage Information If you disable the interface, the cost value subtracts from the priority value and forces a new master election. This election process is applicable when the priority value is lower than the priority value in the backup virtual router. You can associate only one track object with a VRRP group.
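The interaction between the group priority, the tracked object's priority cost and preempt can be worked through in a small model. This is an added example, not Dell code: the class and function names and the sample addresses are constructed, the floor of 1 on the reduced priority is an assumption, and the election is simplified to "a preempt-enabled backup takes over only with a strictly higher priority".

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class VrrpRouter:
    name: str
    primary_ip: str
    priority: int = 100        # default of the priority command
    track_cost: int = 10       # default priority cost of the track command
    tracked_up: bool = True    # state of the single tracked object
    preempt: bool = True

    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        # Assumption: the result is floored at 1; the guide does not say
        # what happens when the cost exceeds the priority.
        return max(1, self.priority - self.track_cost)


def _rank(router):
    # Higher priority wins; a tie goes to the higher primary IP address.
    return (router.effective_priority(), ip_address(router.primary_ip))


def elect(routers, current_master=None):
    """Return the name of the master after priorities are re-evaluated."""
    if current_master is None:
        return max(routers, key=_rank).name
    master = next(r for r in routers if r.name == current_master)
    # Simplified model: a backup takes over only if preempt is enabled on it
    # and its priority is strictly higher than the current master's.
    challengers = [r for r in routers
                   if r.preempt
                   and r.effective_priority() > master.effective_priority()]
    return max(challengers, key=_rank).name if challengers else master.name


def min_failover_cost(master_priority, backup_priority):
    """Smallest priority cost that drops the master below the backup."""
    return master_priority - backup_priority + 1


def demo():
    a = VrrpRouter("A", "10.1.1.1", priority=200)   # constructed sample values
    b = VrrpRouter("B", "10.1.1.2")                 # default priority 100
    results = {"steady": elect([a, b])}
    a.tracked_up = False                            # A's tracked uplink goes down
    results["default_cost"] = elect([a, b], current_master="A")
    a.track_cost = min_failover_cost(a.priority, b.priority)
    results["tuned_cost"] = elect([a, b], current_master="A")
    b.preempt = False                               # backup may no longer preempt
    results["no_preempt"] = elect([a, b], current_master="A")
    return results


if __name__ == "__main__":
    print(demo())
```

With a master priority of 200 and a backup at the default 100, the default cost of 10 leaves the master at 190, so a tracked-interface failure does not move the master role; the cost has to be at least 101 for the backup to take over.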
Example
OS10(conf-eth1/1/5-vrid-254)# virtual-address 10.1.1.15
Supported Releases 10.2.0E or later
vrrp delay reload
Sets the delay time for VRRP initialization after a system reboot.
Syntax vrrp delay reload seconds
Parameters seconds — Enter the number of seconds for the VRRP reload time, from 0 to 900.
Default 0
Command Mode CONFIGURATION
Usage Information VRRP delay reload time of zero seconds indicates no delays. This command configuration applies to all the VRRP configured interfaces.
Usage Information The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address. When you delete the virtual address, the VRRP group stops sending VRRP packets. The no version of this command removes the vrrp-ipv6-group configuration.
Example
OS10(conf-if-eth1/1/7)# vrrp-ipv6-group 250
Supported Releases 10.2.0E or later
vrrp version
Sets the VRRP version for the IPv4 group.
Syntax vrrp version {2 | 3}
Parameters
● 2 — Set to VRRP version 2.
14 Multicast Multicast is a technique that allows networking devices to send data to a group of interested receivers in a single transmission. For instance, this technique is widely used for streaming videos. Multicast allows you to more efficiently use network resources, specifically for bandwidth-consuming services such as audio and video transmission.
● Simple Network Management Protocol (SNMP) MIB for Internet Group Management Protocol (IGMP) or Protocol Independent Multicast (PIM) NOTE: Layer 3 (L3) PIM and IGMP multicast is not supported on the S3048-ON switch. IGMP and Multicast Listener Discovery (MLD) snooping is supported on all switches. Configure multicast routing Multicast routing protocol is used for communication between multicast routers and enables the multicast routers to calculate the multicast distribution tree of the receiving hosts.
Usage Information After you enable IP multicast, enable IGMP and PIM on an interface. To do this, use the ip pim sparse-mode command in INTERFACE mode. The no form of the command disables IP multicast forwarding.
Example
OS10# configure terminal
OS10(config)# ip multicast-routing
Supported Releases 10.4.3.
Important notes
● OS10 systems cannot serve as an IGMP host or an IGMP version 1 querier.
● OS10 automatically enables IGMP on interfaces where you enable PIM sparse mode.

Supported IGMP versions
IGMP has three versions. Version 3 obsoletes and is backwards-compatible with version 2; version 2 obsoletes version 1. OS10 supports the following IGMP versions:
● Router—IGMP versions 2 and 3. The default is version 3.
● Host—IGMP versions 1, 2, and 3.
IGMP immediate leave If the IGMP querier does not receive a response to a group-specific or group-and-source query, it sends another query based on the configured querier robustness value. This value determines the number of times the querier sends the message. If the querier does not receive a response, it removes the group from the outgoing interface for the subnet.
database, use the ip igmp immediate-leave command. The no version of this command disables IGMP immediate leave.
Example
OS10# configure terminal
OS10# interface vlan11
OS10(conf-if-vl-11)# ip igmp immediate-leave
Supported Releases 10.4.3.0 or later

ip igmp last-member-query-interval
Changes the last member query interval, which is the maximum response time included in the group-specific queries sent in response to leave group messages.
Parameters seconds—Enter the amount of time in seconds, from 1 to 25.
Default 10 seconds
Command Mode INTERFACE
Usage Information The IGMP query maximum response time value must be less than the IGMP query interval value. The no form of the command configures the default value.
Example
OS10# configure terminal
OS10# interface vlan14
OS10(conf-if-vl-14)# ip igmp query-max-resp-time 20
Supported Releases 10.4.3.0 or later

ip igmp snooping enable
Enables IGMP snooping globally.
Parameters None
Default Disabled
Command Mode VLAN INTERFACE
Usage Information The fast leave option allows the IGMP snooping switch to remove an interface from the multicast group immediately on receiving the leave message. The no version of this command disables the fast leave functionality.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp snooping fast-leave
Supported Releases 10.4.1.
Parameters None
Default Not configured
Command Mode VLAN INTERFACE
Usage Information The no version of this command disables IGMP querier on the VLAN interface.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp snooping querier
Supported Releases 10.4.0E(R1) or later

ip igmp snooping query-interval
Configures the time interval for sending IGMP general queries.
Default 3
Command Mode VLAN INTERFACE
Usage Information The no version of this command resets the version number to the default value.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp version 2
Supported Releases 10.4.1.0 or later

show ip igmp groups
Displays the IGMP groups.
Syntax show ip igmp [vrf vrf-name] groups [group-address [detail] | detail | interface-name [group-address [detail]]]
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
show ip igmp interface
Displays information about all IGMP-enabled interfaces.
Syntax show ip igmp [vrf vrf-name] interface name
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● interface name—Enter the keyword interface, then the interface name.
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show ip igmp interface
Vlan103 is up, line protocol is up
Internet address is 2.1.1.
Example
Example (with VLAN)
OS10# show ip igmp snooping groups
Total Number of Groups: 480
IGMP Connected Group Membership
Group Address Interface Mode Expires
225.1.0.0 vlan3031 IGMPv2-Compat 00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.1 vlan3031 IGMPv2-Compat 00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.2 vlan3031 IGMPv2-Compat 00:01:26
Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1
225.1.0.
00:01:30 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1 225.1.0.9 vlan3031 IGMPv2-Compat 00:01:30 Member-ports :port-channel51,ethernet1/1/51:1,ethernet1/1/52:1 225.1.0.10 vlan3031 IGMPv2-Compat 00:01:30 --more-Example (with VLAN and multicast IP address) Example (with detail) Example (with VLAN) OS10# show ip igmp snooping groups vlan 3031 225.1.0.0 IGMP Connected Group Membership Group Address Interface Mode Expires 225.1.0.
ethernet1/1/51:1 ethernet1/1/52:1 Example (with PVLAN) Supported Releases Include Include 1d:20:27:34 1d:20:27:37 00:01:07 00:01:07 OS10#show ip igmp snooping groups private-vlan 100 Flags: P-Primary vlan, I-Isolated vlan, C-Community vlan Total Number of Groups: 1 IGMP Connected Group Membership Group Address Interface Mode Expires 225.1.1.1 vlan100 Exclude 00:01:51 Member-ports : port-channel11(I-vlan200),port-channel12(C-vlan300),port-channel13(Pvlan100) 10.4.
Member Port port-channel51 ethernet1/1/51:1 ethernet1/1/52:1 Mode Include Include Include Uptime 1d:20:26:07 1d:20:26:05 1d:20:26:08 Expires 00:01:41 00:01:46 00:01:46 Interface vlan3041 Group 232.11.0.1 Source List 101.41.0.21 Member Port Mode port-channel51 Include ethernet1/1/51:1 Include ethernet1/1/52:1 Include Uptime 1d:20:26:07 1d:20:26:05 1d:20:26:08 Expires 00:01:41 00:01:46 00:01:46 Uptime 1d:20:26:07 Expires 00:01:41 Interface vlan3041 Group 232.11.0.2 Source List 101.41.0.
show ip igmp snooping interface
Displays IGMP snooping interface details.
Syntax show ip igmp snooping interface [vlan vlan-id]
Parameters vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093. For a PVLAN domain, enter the VLAN ID of the primary VLAN, from 1 to 4093.
Default Not configured
Command Mode EXEC
Usage Information The multicast flood control feature is not available on the S4248FB-ON and S4248FBL-ON devices.
IGMP snooping query interval is 60 seconds
IGMP snooping querier timeout is 130 seconds
IGMP snooping last member query response interval is 1000 ms
IGMP Snooping max response time is 10 seconds
IGMP snooping fast-leave is disabled on this interface
IGMP snooping querier is enabled on this interface

OS10# show ip igmp snooping interface vlan 3031
Vlan3031 is up, line protocol is up
IGMP version is 3
IGMP snooping is enabled on interface
IGMP snooping query interval is 60 seconds
IGMP snooping querier tim
vlan3044 port-channel31
vlan3045 port-channel31
vlan3046 port-channel31
vlan3047 port-channel31
vlan3048 port-channel31
vlan3049 port-channel31
vlan3050 port-channel31
vlan3051 port-channel31
vlan3052 port-channel31
--more--
Table 75. PIM terminology (continued)
Terminology | Definition
(S, G) | (S, G) refers to an entry in the PIM table for a source and group on the RP tree (RPT).
(S, G, RPT) | (S, G, RPT) refers to an entry in the RP tree.
First hop router (FHR) | The FHR is the router that is directly connected to the multicast source.
Last hop router (LHR) | The LHR is the last router in the multicast path and is directly connected to the multicast receiver.
Intermediate router | A PIM router that is not an FHR, RP, or LHR.
Root Path Tree (RPT)
An RPT is the path between the RP and receivers (hosts) in a multicast group (see figure). The RPT is built by means of a PIM join message from a receiver DR.
● A receiver sends a request to join group (G) in an IGMP host membership report. A PIM sparse-mode router, the receiver DR, receives the report on a directly attached subnet and creates an RPT branch for the multicast group of interest.
Instead of continuing to use the SPT to the RP and the RPT toward the receiver, a direct SPT is created between the source and the receiver in the following way:
1. Once the receiver DR receives the first multicast packet from the source, the DR sends a PIM join message to its RPF neighbor.
2. The source DR receives the PIM join message, and an additional (S, G) state is created to form the SPT.
3.
PIM-SM sample configuration
This section describes how to enable PIM-SM in the FHR, RP, and LHR nodes using the topology shown in the following figure. To enable PIM-SM, perform the following configurations on each of the nodes (FHR, RP, and LHR):
1. Enable multicast routing globally in CONFIGURATION mode.
ip multicast-routing
2. Enable PIM-SM on the required Layer 3 interfaces of the nodes in INTERFACE mode.
ip pim sparse-mode
3. Configure an RP address on every multicast-enabled node in CONFIGURATION mode.
FHR(conf-if-eth1/1/48)# no switchport
FHR(conf-if-eth1/1/48)# ip address 22.1.1.2/24
FHR(conf-if-eth1/1/48)# ip pim sparse-mode
FHR(conf-if-eth1/1/48)# ip ospf 1 area 0
FHR(conf-if-eth1/1/48)#

The show ip pim interface command displays the PIM-enabled interfaces in FHR.
FHR# show ip pim interface
Address Interface Ver/Mode Nbr Count Query Intvl DR Prio DR
---------------------------------------------------------------------------------------------------
2.2.2.2 ethernet1/1/17 v2/S 1 30 1 2.2.2.2
3.3.3.
1.1.1.2 ethernet1/1/43 v2/S 1 30 1 1.1.1.2
RP#

The show ip pim neighbor command displays the PIM neighbor of RP and the interface to reach the neighbor.
RP# show ip pim neighbor
Neighbor Address Interface Uptime/Expires Ver DR Priority/Mode
----------------------------------------------------------------------------------------------
3.3.3.2 ethernet1/1/31 00:02:57/00:01:17 v2 1 / DR S
1.1.1.
2.2.2.2 ethernet1/1/17 00:02:58/00:01:24 v2 1 / DR S
1.1.1.2 ethernet1/1/29 00:07:49/00:01:31 v2 1 / DR S

LHR# show ip pim rp mapping
Group(s) : 224.0.0.0/4, Static RP : 192.168.1.25, v2

The following show command output examples display the PIM states across all nodes after IGMP join and multicast traffic is received.

PIM states in FHR node
The show ip pim tib command output displays the PIM tree information base (TIB).
00:01:59 LHR# 15.1.1.10 LHR# show ip pim tib PIM Multicast Routing Table Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 224.1.1.1), uptime 00:00:05, expires 00:00:54, RP 192.168.1.25, flags: SCJ Incoming interface: ethernet1/1/29, RPF neighbor 1.1.1.2 Outgoing interface list: vlan2001 Forward/Sparse 00:00:05/Never (22.1.1.10, 224.1.1.
● PIM-SSM uses IGMPv3. Because receivers subscribe to a source and group, the RP and shared tree are unnecessary; only SPTs are used. On OS10 systems, it is possible to use PIM-SM with IGMPv3 to achieve the same result, but PIM-SSM eliminates the unnecessary protocol overhead.

Configure PIM-SSM
To configure a group range for PIM-SSM:
NOTE: The IP range 232.0.0.0/8 is reserved for SSM. You do not have to explicitly configure this range.
1.
R1(config)# interface R1(conf-if-eth1/1/7)# R1(conf-if-eth1/1/7)# R1(conf-if-eth1/1/7)# R1(conf-if-eth1/1/7)# R1(conf-if-eth1/1/7)# R1(conf-if-eth1/1/7)# R1(conf-if-eth1/1/7)# ethernet 1/1/7 no switchport interface ethernet 1/1/7 ip vrf forwarding red ip address 201.1.1.
R2(conf-if-po-11)# end R2# configure terminal R2(config)# interface ethernet 1/1/26:1 R2(conf-if-eth1/1/26:1)# no ip vrf forwarding R2(conf-if-eth1/1/26:1)# no switchport R2(conf-if-eth1/1/26:1)# channel-group 11 R2(conf-if-eth1/1/26:1)# end R2# configure terminal R2(config)# interface vlan 2001 R2(conf-if-vl-2001)# ip vrf forwarding red R2(conf-if-vl-2001)# ip address 208.1.1.
The show ip pim vrf red ssm-range command displays the specified multicast address range.
R1# show ip pim vrf red ssm-range
Group Address / MaskLen
224.1.1.0 / 24

The show ip pim vrf red tib command output displays the PIM tree information base (TIB).
The show ip pim vrf red mcache command output displays multicast route entries.
R2# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
Incoming interface : port-channel11
Outgoing interface list : vlan2001

Configure expiry timers for S, G entries
You can configure expiry timers for S, G entries globally. The S, G entries expire in 210 seconds by default.
To view the RP for a multicast group range, use the show ip pim rp mapping command.
OS10# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 230.1.1.1/32
RP:14.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 255 expires: 00:01:53
Group(s): 231.1.1.1/32
RP: 9.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 254 expires: 00:01:54

Configure dynamic RP using the BSR mechanism
You can configure a subset of PIM routers within the domain as candidate BSRs (C-BSRs).
To configure dynamic RP using the BSR mechanism:
1. Configure a candidate BSR using the ip pim bsr-candidate command.
OS10# configure terminal
OS10(config)# interface ethernet 1/1/9
OS10(conf-if-eth1/1/9)# ip address 10.1.1.8/24
OS10(conf-if-eth1/1/9)# no shutdown
OS10(conf-if-eth1/1/9)# exit
OS10(config)# ip pim bsr-candidate ethernet 1/1/9 hash-mask-len 31 priority 255
To view the PIM candidate and elected BSR:
OS10# show ip pim bsr-router
This system is the Bootstrap Router (v2)
BSR address: 10.1.1.
To view RP-mapping details:
OS10# show ip pim rp mapping
Group(s) : 225.1.1.0/24
RP : 10.1.2.8, v2
Info source: 10.1.1.8, via bootstrap, priority 0 expires: 00:00:00
4. (Optional) Configure the RP timers.
OS10(config)# ip pim rp-candidate-timers loopback 10 advt-interval 10 hold-time 25
To view candidate RP details:
OS10# show ip pim bsr-router
This system is the Bootstrap Router (v2)
BSR address: 10.1.1.
messages are forwarded to each router on the rendezvous point tree (RPT). Use PIM join filters to prevent the PIM-enabled routers from creating a multicast state and to limit multicast traffic in the network. When the join filter is applied on the downstream interface, the effect on the outgoing interface happens at the maximum of Join/Prune-HoldTime value.
NOTE: This feature does not filter Candidate-RP advertisements and is intended only to filter PIM Hello messages between PIM neighbors.

Configure PIM neighbor filter
Before you configure a PIM neighbor filter, enable multicast routing globally and PIM on the participating interfaces. For more information, see the ip multicast-routing and ip pim sparse-mode commands. To configure a neighbor filter that applies an ACL to the interface:
1. Configure an ACL in CONFIGURATION mode.
In this example, the register filter is configured in a nondefault VRF named vrf_dell.

PIM commands

clear ip pim rp-mapping
Clears group-to-RP mapping entries from the RP mapping cache.
Syntax clear ip pim [vrf vrf-name] rp-mapping [ip-address]
Parameters
● vrf vrf-name—Enter vrf, then the name of the VRF to clear the PIM RP mapping entries corresponding to that VRF. If you do not specify the VRF name, the system clears the entries from the default VRF.
● ip-address—IP address of the RP.
ip multicast-routing
Enables IP multicast forwarding.
Syntax ip multicast-routing [vrf vrf-name]
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Default None
Command Mode CONFIGURATION
Usage Information After you enable IP multicast, enable IGMP and PIM on an interface. To do this, use the ip pim sparse-mode command in INTERFACE mode. The no form of the command disables IP multicast forwarding.
Parameters ● ● ● ● ● Default ● Advertisement interval default is 60 s. Command Mode CONFIGURATION Usage Information Use this command to adjust the time interval between periodic BSR advertisements. The no form of the command resets the candidate BSR advertisement interval to the default value. Do not specify the parameters in the no form of the command.
Supported Releases 10.4.3.0 or later

ip pim join-filter
Enables filtering of join and prune messages on an interface. This command prevents the PIM-SM router from creating a state based on a multicast source or group.
Syntax ip pim join-filter access-list-name
Parameters access-list-name—Enter the name of the access list. The ACL name can be up to 140 characters long.
Example
OS10# configure terminal
OS10(config)# ip access-list acl-neighbor-filter
OS10(config-ipv4-acl)# permit ip 10.10.10.0/24 any
OS10(config-ipv4-acl)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip pim neighbor-filter acl-neighbor-filter
Supported Releases 10.5.2.0 or later

ip pim query-interval
Changes the frequency of PIM router query messages.
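The ip pim neighbor-filter example above binds one ACL to one interface, so it is worth confirming which PIM interfaces carry a filter and whether the live adjacencies agree with it. The following Python script is an added example, not part of the Dell guide: it cross-checks a configuration against show ip pim neighbor output. The running-configuration layout, the sample data, the function names, and first-match evaluation with an implicit deny are assumptions of this example.

```python
"""Cross-check PIM neighbors against the neighbor-filter ACLs in a configuration."""
import ipaddress
import re
from typing import NamedTuple

# Constructed sample in running-configuration layout (the layout is an assumption);
# the ACL and the neighbor-filter line mirror the example on this page.
SAMPLE_CONFIG = """\
ip access-list acl-neighbor-filter
 permit ip 10.10.10.0/24 any
!
interface ethernet1/1/1
 ip pim sparse-mode
 ip pim neighbor-filter acl-neighbor-filter
!
interface ethernet1/1/31
 ip pim sparse-mode
"""

# Constructed sample output, laid out like the show ip pim neighbor examples.
SAMPLE_NEIGHBORS = """\
Neighbor Address  Interface       Uptime/Expires     Ver  DR Priority/Mode
--------------------------------------------------------------------------
10.10.10.2        ethernet1/1/1   00:02:57/00:01:17  v2   1 / S
10.10.10.7        ethernet1/1/1   00:07:49/00:01:31  v2   1 / S
10.10.20.9        ethernet1/1/1   00:00:12/00:01:33  v2   255 / DR S
3.3.3.2           ethernet1/1/31  00:02:57/00:01:17  v2   1 / DR S
"""

class Neighbor(NamedTuple):
    address: ipaddress.IPv4Address
    interface: str
    expires: str
    dr_priority: int
    is_dr: bool

ACL_RULE = re.compile(r"^\s+(?:seq\s+\d+\s+)?(permit|deny)\s+ip\s+(\S+)\s+\S+")
NEIGHBOR_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\S+?/(\S+)\s+v\d\s+(\d+)\s*/\s*(DR\s+)?\S+$")

def parse_config(config):
    """Return ({acl: [(action, source_net)]}, {interface: acl}) from the text."""
    acls, filters, acl, iface = {}, {}, None, None
    for line in config.splitlines():
        if line and not line[0].isspace():          # a new top-level stanza
            acl = iface = None
            head = line.split()
            if head[:2] == ["ip", "access-list"] and len(head) == 3:
                acl = acls.setdefault(head[2], [])
            elif head[0] == "interface":
                iface = "".join(head[1:]).lower()   # "ethernet 1/1/1" -> "ethernet1/1/1"
            continue
        rule = ACL_RULE.match(line)
        if rule and acl is not None:
            # Only prefix or "any" sources are handled; other forms raise ValueError.
            src = "0.0.0.0/0" if rule.group(2) == "any" else rule.group(2)
            acl.append((rule.group(1), ipaddress.ip_network(src, strict=False)))
        bound = re.match(r"^\s+ip pim neighbor-filter (\S+)", line)
        if bound and iface:
            filters[iface] = bound.group(1)
    return acls, filters

def parse_neighbors(output):
    """Parse the rows of a show ip pim neighbor table; header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = NEIGHBOR_ROW.match(line.strip())
        if m:
            rows.append(Neighbor(ipaddress.ip_address(m.group(1)), m.group(2).lower(),
                                 m.group(3), int(m.group(4)), bool(m.group(5))))
    return rows

def permitted(address, rules):
    """First matching rule decides; no match is a deny (assumed implicit deny)."""
    for action, network in rules:
        if address in network:
            return action == "permit"
    return False

def audit(neighbors, acls, filters):
    """Return (finding, neighbor) pairs for adjacencies the filters do not cover."""
    findings = []
    for nbr in neighbors:
        acl_name = filters.get(nbr.interface)
        if acl_name is None:
            findings.append(("no-filter", nbr))        # interface accepts any neighbor
        elif acl_name not in acls:
            findings.append(("acl-missing", nbr))      # filter names an undefined ACL
        elif not permitted(nbr.address, acls[acl_name]):
            findings.append(("not-permitted", nbr))    # adjacency the ACL should block
    return findings

def run_sample():
    acls, filters = parse_config(SAMPLE_CONFIG)
    return audit(parse_neighbors(SAMPLE_NEIGHBORS), acls, filters)

if __name__ == "__main__":
    for kind, nbr in run_sample():
        print(f"{kind:14} {nbr.address} on {nbr.interface} DR={nbr.is_dr} prio={nbr.dr_priority}")
```

A not-permitted neighbor that also holds the DR role, like the constructed 10.10.20.9 row, is the first adjacency to investigate.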
ip pim rp-address
Configures a static PIM RP address for a group.
Syntax ip pim [vrf vrf-name] rp-address address {group-address group-address mask} [override]
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● rp-address address—Enter the keyword address, then the RP address in dotted-decimal format (A.B.C.D).
● group-address group-address mask—Enter the keyword group-address, then the group-address mask in dotted-decimal format (/xx) to assign the group address to the RP.
If you specify an access list, the C-RP advertises only the group range that the access list permits. The no form of the command removes the router from being a C-RP. You must specify the parameters with the no form of this command.
Example
OS10# configure terminal
OS10(config)# ip pim vrf red rp-candidate loopback 10 priority 11 acl rp-grp
Supported Releases 10.5.0 or later

ip pim rp-candidate-timers
Configures the time interval between periodic candidate RP advertisements.
● The interface is in Layer 3 mode. PIM-SM is enabled only on a Layer 3 interface. Before configuring PIM on the interface, use the no switchport command to change the interface from Layer 2 to Layer 3 mode.
Use the no form of the command to disable PIM sparse mode.
Example
OS10# configure terminal
OS10(config)# interface vlan 2
OS10(conf-if-vl-2)# ip address 1.1.1.2/24
OS10(conf-if-vl-2)# ip pim sparse-mode
Supported Releases 10.4.3.
show ip pim bsr-router
Displays information about the bootstrap router.
Syntax show ip pim [vrf vrf-name] bsr-router
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show ip pim bsr-router
PIMv2 Bootstrap information
BSR address: 101.0.0.1
BSR Priority: 199, Hash mask length: 31
Expires: 00:00:24
This system is a candidate BSR
Candidate BSR address: 104.0.0.
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● group-address—Enter the multicast group address in dotted-decimal format (A.B.C.D).
● source-address—Enter the multicast source address in dotted-decimal format (A.B.C.D).
Default None
Command Mode EXEC
Usage Information This command provides details about the incoming and outgoing interfaces for multicast routes.
Examples
OS10# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.
2.1.1.1 vlan103 13:05:58/00:01:19 v2 1 / S
3.1.1.1 vlan105 13:05:58/00:01:17 v2 1 / S
Supported Releases 10.4.3.0 or later

show ip pim register-filter
Displays the details of the register filter.
Syntax show ip pim [vrf vrf-name] register-filter group-address source-address
Parameters
● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
● group-address—Enter the group address to which the multicast traffic is destined.
225.1.1.11 171.1.1.1
225.1.1.12 171.1.1.1
225.1.1.13 171.1.1.1

OS10# show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 230.1.1.1/32
RP:14.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 255 expires: 00:01:53
Group(s): 231.1.1.1/32
RP: 9.1.1.1, v2
Info source: 42.1.1.1, via bootstrap, priority 254 expires: 00:01:54
Supported Releases 10.4.3.0 or later

show ip pim ssm-range
Displays the non-default groups added using the SSM range feature.
100/100 (S,G) entries in PIM-TIB/MFC 100/0 (S,G,Rpt) entries in PIM-TIB/MFC Interface summary: 4 active PIM interfaces 1 active PIM neighbor 1 RPs 2 sources Message summary: 150/50 Joins/Prunes sent/received 0/0 Candidate-RP advertisements sent/received 6/4 BSR messages sent/received 0 Null Register messages received 0/50 Register-stop messages sent/received Data path event summary: 100 no-cache messages received 50 last-hop switchover messages received 0/0 pim-assert messages sent/received 0/0 register mes
Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 225.1.1.1), uptime 13:08:24, expires 00:00:12, RP 171.1.1.1, flags: SCJ Incoming interface: vlan105, RPF neighbor 3.1.1.1 Outgoing interface list: vlan121 Forward/Sparse 13:07:53/Never (101.1.1.10, 225.1.1.1), uptime 13:07:51, expires 00:06:09, flags: T Incoming interface: vlan103, RPF neighbor 2.1.1.1 Outgoing interface list: vlan121 Forward/Sparse 13:07:50/Never Supported Releases 10.4.3.
Sample configuration: Multicast VRF using PIM-SM
This section describes how to configure IPv4 multicast in a non-default VRF instance using the topology shown in the following illustration. Perform the following configuration on each of the nodes, R1, R2, R3, and R4.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-vrf)# end R2# configure terminal R2(config)# interface vlan 1001 R2(conf-if-vl-1001)# ip vrf forwarding red R2(conf-if-vl-1001)# end R2# configure terminal R2(config)# interface ethernet 1/1/21:4 R2(conf-if-eth1/1/21:4)# switchport mode trunk R2(conf-if-eth1/1/21:4)# switchport trunk allowed vlan 1001 R2(conf-if-eth1/1/21:4)# end R2# configure terminal R2(config)# interface ethernet 1/1/12:1 R2(conf-if-eth1/1/12:1)# no switchport R2(conf-if-eth1/1/12:1)# ip vrf forwarding red R2(conf-if-eth1/1/12:1)
R3(conf-if-eth1/1/12)# switchport trunk allowed vlan 1001 R3(conf-if-eth1/1/12)# end R3# configure terminal R3(config)# interface port-channel 12 R3(conf-if-po-12)# no switchport R3(conf-if-po-12)# ip vrf forwarding red R3(conf-if-po-12)# end R3# configure terminal R3(config)# interface ethernet 1/1/5 R3(conf-if-eth1/1/5)# no ip vrf forwarding R3(conf-if-eth1/1/5)# no switchport R3(conf-if-eth1/1/5)# channel-group 12 R3(conf-if-eth1/1/5)# end R3# configure terminal R3(config)# interface vlan 1001 R3(conf-if
R3(config)# ip pim vrf red rp-address 182.190.168.224 group-address 224.0.0.
R4(conf-if-po-12)# end R4# configure terminal R4(config)# interface Lo0 R4(conf-if-lo-0)# ip vrf forwarding red R4(conf-if-lo-0)# ip address 4.4.4.
--------------------------------224.1.1.1 182.190.168.224 R1# show ip pim vrf red rp mapping Group(s) : 224.0.0.0/4, Static RP : 182.190.168.224, v2 R1# show ip pim vrf red mcache PIM Multicast Routing Cache Table (201.1.1.1, 224.1.1.1) Incoming interface : ethernet1/1/7 Outgoing interface list : port-channel11 Rendezvous point (R3) R3# show ip pim vrf red neighbor Neighbor Address Interface Uptime/Expires Ver DR Priority / Mode ---------------------------------------------------------------------------192.
--------------------------------224.1.1.1 182.190.168.224 R3# show ip pim vrf red tib PIM Multicast Routing Table Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 224.1.1.1), uptime 00:04:41, expires 00:00:00, RP 182.190.168.224, flags: S Incoming interface: Null, RPF neighbor 0.0.0.
(*, 224.1.1.1), uptime 00:05:44, expires 00:00:15, RP 182.190.168.224, flags: SCJ Incoming interface: port-channel12, RPF neighbor 194.1.1.1 Outgoing interface list: vlan2001 Forward/Sparse 00:05:44/Never (201.1.1.1, 224.1.1.1), uptime 00:02:58, expires 00:00:31, flags: CT Incoming interface: port-channel11, RPF neighbor 193.1.1.1 Outgoing interface list: vlan2001 Forward/Sparse 00:02:58/Never R4# show ip pim vrf red mcache PIM Multicast Routing Cache Table (*, 224.1.1.
route and takes the sources and receivers to the closest operating RP. This failover mechanism ensures that connectivity is maintained, and traffic disruption is minimal.
NOTE: PIM Anycast RP is not supported on the S3048-ON switch.

Configure PIM Anycast RP
To configure PIM Anycast RP, enable PIM-SM and IGP on the participating Loopback interfaces. Also, configure Loopback interfaces with unique IP addresses on each of the RPs.
To configure static Anycast RP:
1. Enter CONFIGURATION mode.
Info source: 192.10.2.2, via bootstrap, priority 192 expires: 00:02:15

View mismatch of PIM Anycast RP on VLT nodes
To identify the configuration mismatch of PIM Anycast RP on VLT nodes, use the show vlt mismatch command. The following example shows PIM Anycast RP mismatch information for a specific VLT domain.
show ip pim rp mapping
Displays the Anycast RP mapping information for a multicast group.
Syntax show ip pim [vrf vrf-name] rp mapping
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF to display Anycast RP information for a specific VRF. If you do not specify the VRF name, this command displays information for the default VRF.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show ip pim rp mapping
Anycast-RP 100.1.1.1 members:
192.10.1.1* 192.10.2.
Spanned VLAN
Any VLAN configured on both the VLT peer nodes is known as a spanned VLAN. The VLT interconnect (VLTi) port is automatically added as a member of the spanned VLAN. Any adjacent router connected to at least one VLT node on a spanned VLAN subnet is directly reachable from both the VLT peer nodes at the L3 level.
● Spanned VLAN L3 interface: If you enable PIM on each of the spanned VLAN L3 interfaces on both VLT nodes, the interface is a spanned VLAN L3 interface.
Sample configuration on core: core# configure terminal core(config)# ip multicast-routing core(config)# ip pim rp-address 103.0.0.3 group-address 224.0.0.0/4 core(config)# router ospf 100 core(config-router-ospf-100)# exit core(config)# interface ethernet 1/1/32:1 core(conf-if-eth1/1/32:1)# no shutdown core(conf-if-eth1/1/32:1)# no switchport core(conf-if-eth1/1/32:1)# ip address 16.0.0.
12.0.0.1 12.0.0.2 vlan12 vlan12 00:01:06/00:01:43 00:01:03/00:01:42 v2 v2 10 10 / S / S PIM states in core The output of the show ip pim tib command. core# show ip pim tib PIM Multicast Routing Table Flags: S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT, K - Ack-Pending state Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 225.1.1.1), uptime 00:04:16, expires 00:00:00, RP 103.0.0.
AG1(config)# interface ethernet 1/1/32:1 AG1(conf-if-eth1/1/32:1)# no shutdown AG1(conf-if-eth1/1/32:1)# no switchport AG1(conf-if-eth1/1/32:1)# ip address 16.0.0.1/24 AG1(conf-if-eth1/1/32:1)# flowcontrol receive off AG1(conf-if-eth1/1/32:1)# ip pim sparse-mode AG1(conf-if-eth1/1/32:1)# ip ospf 100 area 0.0.0.0 AG1(conf-if-eth1/1/32:1)# exit AG1(config)# interface vlan 11 AG1(conf-if-vlan-11)# no shutdown AG1(conf-if-vlan-11)# ip address 11.0.0.
The show ip igmp groups command output displays the IGMP database.
AG1# show ip igmp groups
Total Number of Groups: 1
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires Last Reporter
225.1.1.1 vlan11 Exclude 00:01:55 00:01:53 0.0.0.0

The show ip pim tib command output displays the PIM tree information base (TIB).
The show ip pim mcache command displays the multicast route entries.
AG1# show ip pim mcache
PIM Multicast Routing Cache Table
(*, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list : vlan11
(16.0.0.10, 225.1.1.1)
Incoming interface : vlan12
Outgoing interface list : vlan11

The show ip pim mcache vlt command displays multicast route entries.
AG1# show ip pim mcache vlt
PIM Multicast Routing Cache Table
Flags: S - Synced
(*, 225.1.1.
AG2(conf-if-vlan-12)# ip ospf 100 area 0.0.0.0 AG2(conf-if-vlan-12)# exit AG2(config)# interface vlan 13 AG2(conf-if-vlan-13)# no shutdown AG2(conf-if-vlan-13)# ip address 13.0.0.2/24 AG2(conf-if-vlan-13)# ip pim sparse-mode AG2(conf-if-vlan-13)# ip pim dr-priority 1000 AG2(conf-if-vlan-13)# ip ospf 100 area 0.0.0.0 AG2(conf-if-vlan-13)# ip ospf cost 4000 AG2(conf-if-vlan-13)# exit AG2(config)# interface loopback 102 AG2(conf-if-lo-102)# no shutdown AG2(conf-if-lo-102)# ip address 102.0.0.
Outgoing interface list: vlan11 Forward/Sparse 00:02:15/Never The show ip pim mcache command output displays multicast route entries. AG2# show ip pim mcache PIM Multicast Routing Cache Table (*, 225.1.1.1) Incoming interface : vlan12 Outgoing interface list : vlan11 AG2# show ip pim mcache vlt PIM Multicast Routing Cache Table Flags: S - Synced (*, 225.1.1.
Sample configuration on TOR: TOR# configure terminal TOR(config)# ip igmp snooping enable TOR(config)# interface vlan 11 TOR(conf-if-vlan-11)# no shutdown TOR(conf-if-vlan-11)# exit TOR(config)# interface port-channel 11 TOR(conf-if-po-11)# no shutdown TOR(conf-if-po-11)# switchport mode trunk TOR(conf-if-po-11)# switchport access vlan 1 TOR(conf-if-po-11)# switchport trunk allowed vlan 11 TOR(conf-if-po-11)# exit TOR(config)# interface ethernet 1/1/32:1 TOR(conf-if-eth1/1/32:1)# no shutdown TOR(conf-if-eth
show vlt inconsistency ip mcache
Displays information about mismatched IIF routes between the local and peer VLT nodes.
Syntax show vlt inconsistency ip mcache [vrf vrf-name]
Parameters vrf vrf-name—(Optional) Enter the keyword vrf, then the name of the VRF to display information about mismatched IIF routes corresponding to that non-default VRF.
IPv4 multicast traffic reduction

IGMP snooping
IGMP snooping uses the information in IGMP packets to generate a forwarding table that associates ports with multicast groups. When switches receive multicast frames, they forward them to their intended receivers. OS10 supports IGMP snooping on virtual local area network (VLAN) interfaces. Effective with OS10 release 10.4.3.0, IGMP snooping is enabled by default.
NOTE: OS10 supports IGMP snooping only with proxy reporting.
IGMP snooping configuration
OS10(config)# ip igmp snooping enable
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp snooping mrouter interface ethernet 1/1/32
OS10(conf-if-vl-100)# ip igmp snooping querier
OS10(conf-if-vl-100)# ip igmp version 3
OS10(conf-if-vl-100)# ip igmp snooping fast-leave
OS10(conf-if-vl-100)# ip igmp snooping query-interval 60
OS10(conf-if-vl-100)# ip igmp snooping query-max-resp-time 10
OS10(conf-if-vl-100)# ip igmp snooping last-member-query-interval 1000

View IGMP sno
For multicast flood control to work, you must enable both IGMP and MLD snooping on the system. By default, multicast flood control, IGMP snooping, and MLD snooping are enabled.
NOTE: The Multicast flood control feature is not supported on the S4248FB-ON and S4248FBL-ON switches.
The following describes a scenario where a multicast frame is flooded on all ports of all switches. The switches and hosts in the network need not receive these frames because they are not the intended destinations.
Enable multicast flood control
Multicast flood control is enabled on OS10 by default. If it is disabled, use the following procedure to enable multicast flood control:
1. Configure IGMP snooping. To learn how to configure IGMP snooping, see the IGMP snooping section.
2. Configure MLD snooping. To learn how to configure MLD snooping, see the MLD Snooping section.
3. Enable the multicast flood control feature.
OS10(config)# multicast snooping flood-restrict
4. Verify the configuration.
Multicast flood control commands

multicast snooping flood-restrict
Enables multicast snooping flood control for IGMP snooping and MLD snooping.
Syntax multicast snooping flood-restrict
The no version of this command disables multicast flood control.
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information Multicast snooping flood control, IGMP snooping, and MLD snooping are enabled by default.
Table 76. Full Switch Mode (continued) Scale Upgrade from 10.5.0.x or earlier to profile 10.5.2.1 or later VLAN configuration Enabled Upgrade from 10.5.1.0 to 10.5.2.1 or later Restrictions snooping only on up to a maximum of 1024 VLAN instances. If the number of VLAN instances exceeds 1024, multicast snooping is disabled.
IPv6 multicast traffic reduction

Multicast Listener Discovery Protocol

IPv6 networks use Multicast Listener Discovery (MLD) Protocol to manage multicast groups. OS10 supports MLDv1 and MLDv2 to manage the multicast group memberships on IPv6 networks.

MLD snooping

MLD snooping enables switches to use the information in MLD packets and generate a forwarding table that associates ports with multicast groups. When switches receive multicast frames, they forward them to their intended receivers.

00:01:38
ff0e:225:1::     vlan3531   MLDv1-Compat   00:01:52
  Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff0e:225:1::1    vlan3531   MLDv1-Compat   00:01:52
  Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff0e:225:1::2    vlan3531   MLDv1-Compat   00:01:52
  Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff0e:225:1::3    vlan3531   MLDv1-Compat   00:01:52
  Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52
ff0e:225:1::4    vlan3531   MLDv1-Compat   00:01:52
  Member-ports :port-channel41,ethernet1/1/51
Parameters None
Default Enabled
Command Mode VLAN INTERFACE
Usage Information When you enable MLD snooping globally, the configuration is applied to all the VLAN interfaces. You can disable the MLD snooping on specified VLAN interfaces. The no version of this command disables the MLD snooping on the specified VLAN interface.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no ipv6 mld snooping
Supported Releases 10.4.1.

Default 1000 milliseconds
Command Mode VLAN INTERFACE
Usage Information The no version of this command resets the last member query interval time to the default value.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ipv6 mld snooping last-member-query-interval 2500
Supported Releases 10.4.1.0 or later

ipv6 mld snooping mrouter
Configures the specified VLAN member port as a multicast router interface.

Command Mode VLAN INTERFACE
Usage Information The no version of this command resets the query interval to the default value.
Example
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ipv6 mld snooping query-interval 120
Supported Releases 10.4.1.0 or later

ipv6 mld query-max-resp-time
Configures the maximum time for responding to a query advertised in MLD queries.
Default Not configured
Command Mode EXEC
Usage Information The show ipv6 mld snooping groups command displays the primary VLAN information.
● Use the private-vlan keyword to view information about the secondary VLANs.
● Enter a primary VLAN ID to view MLD snooping group membership information learned on that PVLAN domain, including primary and its associated secondary VLANs.

Example (with VLAN and multicast IP address)
OS10# show ipv6 mld snooping groups vlan 3531 ff0e:225:1::
MLD Connected Group Membership
Group Address    Interface  Mode           Expires
ff0e:225:1::     vlan3531   MLDv1-Compat   00:01:30
  Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52

Example (with PVLAN)
OS10#show ipv6 mld snooping groups private-vlan 100
Flags: P-Primary vlan, I-Isolated vlan, C-Community vlan
Total Number of Groups: 1
MLD Connected Group Membership
Group Address    Interface  Mode           Expires
ff02::2 vla
Source List -Member Port port-channel31 Mode Exclude Uptime 2d:11:57:08 Expires 00:01:44 Interface vlan3041 Group ff3e:232:b:: Source List 2001:101:29::1b Member Port Mode port-channel31 Include ethernet1/1/51:1 Include ethernet1/1/52:1 Include Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expires 00:01:42 00:01:38 00:01:25 Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expires 00:01:29 00:01:25 00:01:38 Interface vlan3041 Group ff3e:232:b::1 Source List 2001:101:29::1b Member Port Mode port-channel31 Inc
show ipv6 mld snooping interface
Displays the details of MLD snooping interfaces.
Syntax show ipv6 mld snooping interface [vlan vlan-id]
Parameters vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093. For a PVLAN domain, enter the VLAN ID of the primary VLAN, from 1 to 4093.
Default Not configured
Command Mode EXEC
Usage Information The multicast flood control feature is not available on the S4248FB-ON and S4248FBL-ON devices.

Example
OS10# show ipv6 mld snooping mrouter vlan 11
Interface     Router Ports
Vlan 11       ethernet 1/1/32
Supported Releases 10.4.1.0 or later

show ipv6 mld snooping summary
Displays the number of MLD-enabled snooping instances.
15 VXLAN

A virtual extensible LAN (VXLAN) extends Layer 2 (L2) server connectivity over an underlying Layer 3 (L3) transport network in a virtualized data center. A virtualized data center consists of virtual machines (VMs) in a multi-tenant environment. OS10 supports VXLAN as described in RFC 7348. VXLAN provides an L2 overlay mechanism on an existing L3 network by encapsulating the L2 frames in L3 packets.

This feature is not supported on the following platforms:
● S3048-ON
● Z9332F-ON
● N3248TE-ON

Configuration notes
In a static VXLAN, overlay routing is supported on:
● S4100-ON Series
● S4200-ON Series
● S5200-ON Series
● S4048T-ON
● S6010-ON

VXLAN concepts

Network virtualization overlay (NVO)
An overlay network extends L2 connectivity between server virtual machines (VMs) in a tenant segment over an underlay L3 IP network.

● You can map only one VLAN ID to a virtual network.
● Ideally suited for existing tenant VLANs that stretch over an IP fabric using VXLAN.

Port-scoped VLAN
A Port, VLAN pair that maps to a virtual network ID (VNID) in OS10. Assign an individual member interface to a virtual network either with an associated tagged VLAN or as an untagged member. Using a port-scoped VLAN, you can configure:
● The same VLAN ID on different access interfaces to different virtual networks.
2. Configure an IP address on the Loopback interface in INTERFACE mode. The IP address allows the source VTEP to send VXLAN frames over the L3 transport network.
   ip address ip-address/mask
3. Return to CONFIGURATION mode.
   exit
4. Enter NVE mode from CONFIGURATION mode. NVE mode allows you to configure the VXLAN tunnel endpoint on the switch.
   nve
5. Configure the Loopback interface as the source tunnel endpoint for all virtual networks on the switch in NVE mode.
   source-interface loopback number
6.

1. Assign a VLAN to the virtual network in VLAN Interface mode.
   interface vlan vlan-id
   virtual-network vn-id
2. Configure port interfaces as trunk members of the VLAN in Interface mode.
   interface ethernet node/slot/port[:subport]
   switchport mode trunk
   switchport trunk allowed-vlan vlan-id
   exit
   The local physical ports assigned to the VLAN transmit packets over the virtual network.

2. Configure port interfaces as trunk members and remove the access VLAN in Interface mode.
   interface ethernet node/slot/port[:subport]
   switchport mode trunk
   no switchport access vlan
   exit
3. Assign the trunk interfaces as untagged members of the virtual network in VIRTUAL-NETWORK mode. You cannot use the reserved VLAN ID for a legacy VLAN or for tagged traffic on member interfaces of virtual networks.

network IP addresses in different subnets. If you do not assign the virtual-network interface to a tenant VRF, it is assigned to the default VRF.
   interface virtual-network vn-id
   ip vrf forwarding tenant-vrf-name
   ip address ip-address/mask
   no shutdown
   exit
4. Configure an anycast gateway IPv4 or IPv6 address for each virtual network in INTERFACE-VIRTUAL-NETWORK mode. This anycast IP address must be in the same subnet as the IP address of the virtual-network interface in Step 3.
Table 79. IP address on the virtual-network interface on each VTEP

Virtual network   VTEP     Virtual-network IP address   Anycast gateway IP address
VNID 11           VTEP 1   10.10.1.201                  10.10.1.254
                  VTEP 2   10.10.1.202                  10.10.1.254
                  VTEP 3   10.10.1.203                  10.10.1.254
                  VTEP 1   10.20.1.201                  10.20.1.254
                  VTEP 2   10.20.1.202                  10.20.1.254
                  VTEP 3   10.20.1.203                  10.20.1.254
                  VTEP 1   10.30.1.201                  10.30.1.254
                  VTEP 2   10.30.1.202                  10.30.1.254
                  VTEP 3   10.30.1.203                  10.30.1.
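The same-subnet rule for the anycast gateway and the addressing pattern of Table 79 can be checked mechanically before a change is applied. The following Python sketch is an added example, not Dell code: it parses `interface virtual-network` stanzas from several VTEPs and reports gateways outside the interface subnet, gateways that differ between VTEPs, and interface addresses reused on two VTEPs. The VTEP names and sample configurations are constructed, the cross-VTEP checks are an assumption drawn from the pattern in Table 79, and only IPv4 lines are handled.

```python
import ipaddress
import re

# Constructed sample configs. VTEP1 repeats the addresses used in this guide's
# static VXLAN example; VTEP2 and VTEP3 are invented and contain deliberate errors.
VTEP1 = """\
interface virtual-network 10000
 ip vrf forwarding tenant1
 ip address 10.1.0.231/16
 ip virtual-router address 10.1.0.100
 no shutdown
interface virtual-network 20000
 ip vrf forwarding tenant1
 ip address 10.2.0.231/16
 ip virtual-router address 10.2.0.100
 no shutdown
"""
# VTEP2: unique interface IPs, but the gateway of vn 20000 is in the wrong subnet.
VTEP2 = (VTEP1.replace("10.1.0.231", "10.1.0.232")
              .replace("10.2.0.231", "10.2.0.232")
              .replace("10.2.0.100", "10.3.0.100"))
# VTEP3: reuses VTEP1's interface IP on vn 10000.
VTEP3 = """\
interface virtual-network 10000
 ip address 10.1.0.231/16
 ip virtual-router address 10.1.0.100
"""


def parse_vn_interfaces(config):
    """Return {vn_id: {"ip": IPv4Interface or None, "gw": IPv4Address or None}}."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface virtual-network (\d+)", line)
        if m:
            current = result.setdefault(int(m.group(1)), {"ip": None, "gw": None})
            continue
        if line.startswith("interface ") or line == "exit":
            current = None          # left the virtual-network stanza
            continue
        if current is None:
            continue
        m = re.fullmatch(r"ip address (\S+)", line)
        if m:
            current["ip"] = ipaddress.ip_interface(m.group(1))
        m = re.fullmatch(r"ip virtual-router address (\S+)", line)
        if m:
            current["gw"] = ipaddress.ip_address(m.group(1))
    return result


def audit(vteps):
    """vteps maps a VTEP name to its config text. Returns sorted finding strings."""
    findings, gws_by_vn, ip_owner = [], {}, {}
    for name, cfg in vteps.items():
        for vn, ent in parse_vn_interfaces(cfg).items():
            ip, gw = ent["ip"], ent["gw"]
            if ip is not None:
                # Assumption from Table 79: interface IPs are unique per VTEP.
                owner = ip_owner.setdefault((vn, ip.ip), name)
                if owner != name:
                    findings.append(
                        f"{name} vn {vn}: interface IP {ip.ip} also on {owner}")
            if gw is not None:
                gws_by_vn.setdefault(vn, set()).add(gw)
                # Rule stated in the guide: gateway must share the interface subnet.
                if ip is None or gw not in ip.network:
                    net = ip.network if ip is not None else "no interface subnet"
                    findings.append(f"{name} vn {vn}: gateway {gw} outside {net}")
    for vn, gws in gws_by_vn.items():
        # Assumption from Table 79: one anycast gateway per virtual network.
        if len(gws) > 1:
            findings.append(f"vn {vn}: anycast gateway differs across VTEPs: "
                            + ", ".join(sorted(map(str, gws))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit({"VTEP1": VTEP1, "VTEP2": VTEP2, "VTEP3": VTEP3}):
        print(finding)
```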
Configure the same VLTi VLAN ID on both VLT peers. You cannot use the ID of an existing VLAN on a VLT peer or the reserved untagged VLAN ID. You can use the VLTi VLAN ID to assign tagged or untagged access interfaces to a virtual network.
   virtual-network vn-id
   vlti-vlan vlan-id
● Although a VXLAN virtual network has no access port members that connect to downstream servers, you must configure a switch-scoped VLAN or VLTi VLAN.

Each overlay ARP entry requires a routing next-hop in the hardware to bind a destination tenant VM IP address to the corresponding tenant VM MAC address and VNI. Each virtual-network interface assigned to an IP subnet requires a routing interface in the hardware. OS10 supports preset profiles to re-allocate the number of resources reserved for overlay ARP entries. The number of entries reserved for each preset mode differs according to the OS10 switch. Table 80.
● View the currently configured overlay routing profile; for example, in the S5200-ON series:
  show hardware overlay-routing-profile mode
  Setting     Mode                      Overlay Next-hop Entries   Underlay Next-hop Entries   Overlay L3 RIF Entries   Underlay L3 RIF Entries
  Current     default-overlay-routing   8192                       57344                       2048                     14336
  Next-boot   default-overlay-routing   8192                       57344                       2048                     14336

DHCP relay on VTEPs
Dynamic Host Configuration Protocol (DHCP) clients in overlay communicate with a DHCP server using the DHCP relay on the VTEP swit

View the VXLAN virtual-network VLAN
OS10# show virtual-network vlan 100
Vlan   Virtual-network   Interface
100    1000              ethernet1/1/1,ethernet1/1/2
100    5000              ethernet1/1/2

View the VXLAN virtual-network VLANs
OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs,
       @ – Attached to Virtual Network
Q: A - Access (Untagged), T - Tagged
  NUM    Status   Description   Q Ports
* 1      up                     A Eth1/1/1-1/1/48
@ 100    up                     T Eth1/1/2,Eth1/1/3
                                A Eth1/1/1
@ 101    up                     T port-channel5
  200    up                     T Eth1/1/11-1/1/15

The show nve remote-vtep counters command displays the packet counters and byte counter statistics for a specific remote VTEP. The counters for a remote VTEP include both the counters corresponding to the L2 VNI spanned with the VTEP as well as the EVPN-VRF L3 VNI spanned with the VTEP.
OS10# show nve remote-vtep counters
Remote-VTEP    Input (Packets/Bytes)    Output (Packets/Bytes)
----------------------------------------------------------------------
10.10.10.10    857/8570                 257/23709
20.20.20.

Gateway of last resort is not set
Destination             Gateway                                        Dist/Metric   Last Change
--------------------------------------------------------------------------------
C 1000:100:10:1::/64    via 1000:100:10:1::4 virtual-network60000     0/0           00:37:08
C 1000:100:10:21::/64   via 1000:100:10:21::4 virtual-network60032    0/0           00:37:07
C 1000:100:10:41::/64   via 1000:100:10:41::4 virtual-network60064    0/0           00:37:06
C 1000:100:10:61::/64   via 1000:100:10:61::4 virtual-network60096    0/0           00:37:05

VXLAN MAC addresses
Use the show mac addres
Table 81. Display VXLAN MAC addresses (continued)
Command / Description
  remote-vtep ip-address: Displays MAC addresses learned on NVE from the specified remote VTEP.
show mac address-table count virtual-network [dynamic | local | remote | static | interface {ethernet node/slot/port:subport | port-channel number} | vn-id]
  Displays the number of MAC addresses learned on all virtual networks (default).
  dynamic: Displays the number of dynamic MAC addresses learned on all or a specified virtual network.

Table 82. Clear VXLAN MAC addresses (continued)
Command / Description
  vn-id: Clears only the MAC addresses learned on the specified virtual network.
  vn-id address mac-address: Clears only the MAC address learned on the specified virtual network.
clear mac address-table dynamic nve remote-vtep ip-address
  Clears all MAC addresses learned from the specified remote VTEP.

VXLAN commands

hardware overlay-routing-profile
Configures the number of reserved ARP table entries for VXLAN overlay routing.
interface virtual-network
Configures a virtual-network router interface.
Syntax interface virtual-network vn-id
Parameters virtual-network vn-id Enter a virtual-network ID, from 1 to 65535.
Default Not configured
Command mode CONFIGURATION
Usage information Configure a virtual-network router interface to enable hosts connected to a virtual network to route traffic to hosts on another virtual network in the same VRF.

Usage information Configure the same MAC address on all VTEPs so that the anycast gateway MAC address remains the same if a VM migrates to a different VTEP. Because the configured MAC address is automatically used for all VXLAN virtual networks, configure it in global Configuration mode.
Example
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Supported releases 10.4.3.0 or later

member-interface
Assigns untagged or tagged VLAN traffic on a member interface to a virtual network.

remote-vtep
Configures the IP address of a remote tunnel endpoint in a VXLAN network.
Syntax remote-vtep ip-address
Parameters ip-address — Enter the IP address of a remote virtual tunnel endpoint (VTEP).
Default Not configured
Command mode VIRTUAL-NETWORK VXLAN-VNI
Usage information After you configure the remote VTEP, the VXLAN virtual network is enabled to start sending server traffic. You can configure multiple remote VTEPs.

show interface virtual-network
Displays the configuration of virtual-network router interfaces and packet statistics.
Syntax show interface virtual-network [vn-id]
Parameters vn-id Enter a virtual-network ID, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to display the virtual-network IP address used for routing traffic in a virtual network. Traffic counters also display.
IP Address: 2.2.2.2, State: up, Encap: VxLAN
  VNI list: 10000(DP), 200(DP), 300(DP)
Supported releases 10.4.2.0 or later

show nve remote-vtep counters
Displays VXLAN packet statistics for a remote VTEP.
Syntax show nve remote-vtep [ip-address] counters
Parameters
● ip-address — Enter IP address of a remote VTEP.
Default Not configured
Command mode EXEC
Usage information Use this command to display input and output statistics for VXLAN traffic on a remote VTEP.

Parameters vn-id Enter a virtual-network ID, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to display the VNID, port members, source interface, and remote tunnel endpoints of a VXLAN virtual network.

interface port-channel number Enter a port-channel number, from 1 to 128.
vlan vlan-id (Optional) Enter a VLAN ID, from 1 to 4093.
Default Not configured
Command mode EXEC
Usage information Use this command to monitor the packet throughput on a port interface that is a member of a VXLAN virtual network. Assign a VLAN member interface to only one virtual network.
Parameters vlan vlan-id Enter a VLAN ID, from 1 to 4093.
Default Not configured
Command mode EXEC
Usage information Use this command to verify the VXLAN virtual networks where a VLAN is assigned, including the port members connected to downstream servers.
Example
OS10# show virtual-network vlan 100
Vlan   Virtual-network   Interface
100    1000              ethernet1/1/1,ethernet1/1/2
Supported releases 10.4.2.0 or later

show vlan (virtual network)
Displays the VLANs assigned to virtual networks.
● You cannot change the source interface if at least one VXLAN virtual network ID (VNID) is configured for the NVE instance.
Use this command in NVE mode to override a previously configured value and reconfigure the source IP address. The no version of this command removes the configured value.
Examples
OS10(config-nve)# source-interface loopback 1
Supported releases 10.4.2.0 or later

virtual-network
Creates a virtual network for VXLAN tunneling.

Parameters vni Enter the VXLAN ID for a virtual network, from 1 to 16,777,215.
Default Not configured
Command mode VIRTUAL-NETWORK
Usage information This command associates a VXLAN ID number with a virtual network. The no version of this command removes the configured ID.
Example
OS10(conf-vn-100)# vxlan-vni 100
OS10(config-vn-vxlan-vni)#
Supported releases 10.4.2.0 or later

VXLAN MAC commands

clear mac address-table dynamic nve remote-vtep
Clears all MAC addresses learned from a remote VTEP.

local Clear only locally-learned MAC addresses.
vn-id Clear learned MAC addresses on the specified virtual network, from 1 to 65535.
vn-id local Clear locally learned MAC addresses on the specified virtual network, from 1 to 65535.
vn-id address mac-address Clear only the MAC address entry learned in the specified virtual network. Enter the MAC address in EEEE.EEEE.EEEE format.

Parameters
vxlan-vni vni Display MAC addresses learned on the specified VXLAN virtual network, from 1 to 16,777,215.
remote-vtep ip-address Display MAC addresses learned from the specified remote VTEP.
Default Not configured
Command mode EXEC
Usage information Use the clear mac address-table dynamic nve remote-vtep command to delete all MAC address entries learned from a remote VTEP.

Example
OS10# show mac address-table count virtual-network
MAC Entries for all vlans :
Dynamic Address Count : 8
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 8
Supported releases 10.4.2.0 or later

show mac address-table extended
Displays MAC addresses learned on all VLANs and VXLANs.

show mac address-table nve
Displays MAC addresses learned on a VXLAN virtual network or from a remote VXLAN tunnel endpoint.
Syntax show mac address-table nve {vxlan-vni vni | remote-vtep ip-address}
Parameters
vxlan-vni vni Display MAC addresses learned on the specified VXLAN virtual network, from 1 to 16,777,215.
remote-vtep ip-address Display MAC addresses learned from the specified remote VTEP.
Command mode EXEC Usage information Use this command to verify the MAC addresses learned on VXLAN virtual networks. By default, MAC learning from a remote VTEP is enabled.
Figure 8. Static VXLAN use case

VTEP 1 Leaf Switch

1. Configure the underlay OSPF protocol. Do not configure the same IP address for the router ID and the source loopback interface in Step 2.
OS10(config)# router ospf 1
OS10(config-router-ospf-1)# router-id 172.16.0.1
OS10(config-router-ospf-1)# exit
2. Configure a Loopback interface.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.

3. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
4. Configure VXLAN virtual networks with a static VTEP.

OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.16.2.0/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
8. Configure VLT
Configure a dedicated L3 underlay path to reach the VLT Peer in case of network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.1/30
OS10(config-if-vl-4000)# ip ospf 1 area 0.0.0.

OS10(config-if-vn-10000)# ip address 10.1.0.231/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(config-if-vn-10000)# no shutdown
OS10(config-if-vn-10000)# exit
OS10(config)# interface virtual-network 20000
OS10(config-if-vn-20000)# ip vrf forwarding tenant1
OS10(config-if-vn-20000)# ip address 10.2.0.231/16
OS10(config-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(config-if-vn-20000)# no shutdown
OS10(config-if-vn-20000)# exit

VTEP 2 Leaf Switch

1.

OS10(conf-if-po-10)# switchport access vlan 200
OS10(conf-if-po-10)# exit
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode access
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface OS10(conf-if-eth1/1/6)# OS10

Configure a VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.2
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
4. Configure VXLAN virtual networks with a static VTEP. OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# remote-vtep OS10(config-vn-vxlan-vni-remote-vtep)# OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# remote-vtep OS10(config-vn-vxlan-vni-remote-vtep)# OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 192.168.1.1 exit 192.168.1.
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/2)# exit
9. Configure VLT
Configure VLTi VLAN for the VXLAN virtual network.

Configure an anycast L3 gateway.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing with an anycast gateway IP address for each virtual network.
OS10(config)# interface virtual-network 10000
OS10(config-if-vn-10000)# ip vrf forwarding tenant1
OS10(config-if-vn-10000)# ip address 10.1.0.233/16
OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.

OS10(conf-if-po-10)# no switchport access vlan
OS10(conf-if-po-10)# exit
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# no switchport access vlan
OS10(conf-if-po-20)# exit
OS10(config)# interface OS10(conf-if-eth1/1/6)# OS10(co

OS10(conf-if-po-10)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# vlt port-channel 20
OS10(conf-if-po-20)# exit
Configure VLTi member links.
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure a VLT domain.

OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 172.16.1.1/31
OS10(conf-if-eth1/1/1)# ip ospf 1 area 0.0.0.0
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# ip address 172.17.1.1/31
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.
OS10(conf-if-eth1/1/2)#
BGP EVPN for VXLAN

Ethernet Virtual Private Network (EVPN) is a control plane for VXLAN that reduces flooding in the network and resolves scalability concerns. EVPN uses MP-BGP to exchange information between VTEPs. EVPN was introduced in RFC 7432 and is based on BGP MPLS-based VPNs. RFC 8365 describes VXLAN-based EVPN. The MP-BGP EVPN control plane provides protocol-based remote VTEP discovery, and MAC and ARP learning. This configuration reduces flooding related to L2 unknown unicast traffic.

Figure 9. BGP EVPN topology

Leaf nodes
Leaf nodes are typically top-of-rack (ToR) switches in a data center network. They act as the VXLAN tunnel endpoints and perform VXLAN encapsulation and decapsulation. Leaf nodes also participate in the MP-BGP EVPN to support control plane and data plane functions. Control plane functions include:
● Initiate and maintain route adjacencies using any routing protocol in the underlay network.
● Advertise locally learned routes to all MP-BGP EVPN peers.

The BGP EVPN running on each VTEP listens to the exchange of route information in the local overlay, encodes the learned routes as BGP EVPN routes, and injects them into BGP to advertise to the peers. Tunnel endpoints advertise as Type 3 EVPN routes. MAC/IP addresses advertise as Type 2 EVPN routes.

EVPN instance
An EVPN instance (EVI) spans across the VTEPs that participate in an Ethernet VPN. Each virtual-network tenant segment that is advertised using EVPN must be associated with an EVI.
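Because Type 3 routes announce tunnel endpoints and Type 2 routes announce MAC/IP bindings, a BGP EVPN route listing can be audited for endpoints that were never provisioned. The following Python sketch is an added example, not Dell code: it parses route entries in the bracketed layout this guide shows, lists Type 3 originators missing from an expected-VTEP list, and flags MAC addresses advertised by more than one next hop in the same VNI for review (a VM move or a multihomed host can be a legitimate cause). The field positions inside the route key are an assumption based on the RFC 7432 route layouts, and the expected-VTEP list and the 9.9.9.9 routes are constructed.

```python
import re
from collections import defaultdict

# Constructed sample. The first four routes repeat values printed in this
# guide; the two routes from 9.9.9.9 are invented to trigger the checks.
SAMPLE = """\
*>r Route distinguisher: 3.3.3.3:65002 VNI:65002
[5]:[0]:[24]:[12.12.12.0]:[0.0.0.0]/224 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.4:101 VNI:101
[2]:[0]:[48]:[14:18:77:25:6f:4d]:[32]:[11.11.11.2]/224 4.4.4.4 0 100 32768
*>r Route distinguisher: 3.3.3.3:102 VNI:102
[2]:[0]:[48]:[14:18:77:25:8f:6d]:[32]:[12.12.12.1]/224 3.3.3.3 0 100 0 100 101 ?
*> Route distinguisher: 3.3.3.3:101
[3]:[0]:[32]:[3.3.3.3]/152 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 9.9.9.9:101 VNI:101
[2]:[0]:[48]:[14:18:77:25:6f:4d]:[32]:[11.11.11.2]/224 9.9.9.9 0 100 0 100 101 ?
*> Route distinguisher: 9.9.9.9:101
[3]:[0]:[32]:[9.9.9.9]/152 9.9.9.9 0 100 0 100 101 ?
"""

# One entry = RD (optionally with VNI), the bracketed route key, then next hop.
# Matching on whitespace rather than line breaks tolerates re-wrapped output.
ROUTE_RE = re.compile(
    r"Route distinguisher:\s*(?P<rd>\S+)(?:\s+VNI:(?P<vni>\d+))?\s+"
    r"(?P<key>(?:\[[^\]]*\]:?)+)/(?P<plen>\d+)\s+(?P<nh>\S+)"
)


def parse_routes(text):
    """Return one dict per route entry found in the listing."""
    routes = []
    for m in ROUTE_RE.finditer(text):
        fields = re.findall(r"\[([^\]]*)\]", m["key"])
        routes.append({
            "rd": m["rd"],
            "vni": m["vni"],            # None when the entry prints no VNI
            "type": int(fields[0]),     # first bracket is the EVPN route type
            "fields": fields[1:],
            "next_hop": m["nh"],
        })
    return routes


def audit(text, expected_vteps):
    """Return (unexpected Type 3 originators, MACs seen behind several VTEPs)."""
    routes = parse_routes(text)
    # Assumed Type 3 key: [3]:[eth-tag]:[ip-len]:[originating router IP]
    discovered = {r["fields"][-1] for r in routes if r["type"] == 3}
    unexpected = sorted(discovered - set(expected_vteps))
    # Assumed Type 2 key: [2]:[eth-tag]:[mac-len]:[MAC]:[ip-len]:[IP]
    seen = defaultdict(set)
    for r in routes:
        if r["type"] == 2 and len(r["fields"]) >= 3:
            seen[(r["vni"], r["fields"][2].lower())].add(r["next_hop"])
    multi = {key: sorted(hops) for key, hops in seen.items() if len(hops) > 1}
    return unexpected, multi


if __name__ == "__main__":
    rogue, moved = audit(SAMPLE, {"3.3.3.3", "4.4.4.4"})
    print("VTEPs not in expected list:", rogue)
    for (vni, mac), hops in moved.items():
        print(f"VNI {vni} MAC {mac} advertised by {', '.join(hops)}")
```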
2. Configure BGP to advertise EVPN routes.
3. Configure EVPN, including the VNI, RD, and RT values associated with the EVPN instance.
4. Verify the BGP EVPN configuration.

Configuration
1. Configure BGP to advertise EVPN routes. EVPN requires that you establish MP-BGP sessions between leaf and spine nodes in the underlay network.

d. Send an extended community attribute to the BGP neighbor in ROUTER-BGP-NEIGHBOR mode.
   send-community extended
e. Enable the peer session with the BGP neighbor in ROUTER-BGP-NEIGHBOR mode.
   no shutdown
f. Configure the L2 VPN EVPN address family for VXLAN host-based routing to the BGP peer in ROUTER-BGP-NEIGHBOR mode.
   address-family l2vpn evpn
g. Enable the exchange of L2VPN EVPN addresses with the BGP peer in ROUTER-BGP-NEIGHBOR mode.
   activate
h. Return to ROUTER-BGP mode.
   exit
i.

b. Enable auto-EVI creation for overlay virtual networks in EVPN mode. Auto-EVI creation is supported only if BGP EVPN is used with 2-byte AS numbers and if at least one BGP instance is enabled with the EVPN address family. No further manual configuration is allowed in auto-EVI mode.
   auto-evi
● Manual EVI configuration mode
a. Enable the EVPN control plane in CONFIGURATION mode.
   evpn
b. Manually create an EVPN instance in EVPN mode. The range is from 1 to 65535.
   evi id
c.

Received 311 messages
  2 opens, 2 notifications, 3 updates
  304 keepalives, 0 route refresh requests
Sent 307 messages
  4 opens, 0 notifications, 2 updates
  301 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast:
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
  4_OCTET_AS(65)
  MP_L2VPN_EVPN
Capabilities advertised to neighbor for IPv4 Unicast:
  MULTIPROTO_EX
You set up overlay routing by assigning a VRF to each tenant, creating a virtual-network interface, and assigning an IP subnet in the VRF to each virtual-network interface. The VTEP acts as the L3 gateway that routes traffic from one tenant subnet to another in the overlay before encapsulating it in the VXLAN header and transporting it over the underlay fabric. On virtual networks that associate with EVIs, EVPN IRB is enabled only after you create a virtual-network interface.
For a VXLAN BGP EVPN example that uses symmetric IRB and Type-5 route, see Example: VXLAN BGP EVPN — Symmetric IRB.

Configure Symmetric IRB for VXLAN BGP EVPN

Before you start
1. Follow the procedure in Configure VXLAN to:
● Configure the VXLAN overlay network.
● Enable routing for VXLAN virtual networks. Integrated Routing and Bridging (IRB) is automatically enabled.
● Enable an overlay routing profile with the number of reserved ARP table entries for VXLAN overlay routing.
2.

Route-Distinguisher : 1:110.111.170.195:10000(auto)
Route-Targets : 0:10000:16787216(auto) both
Inclusive Multicast : 110.111.170.107
IRB : Enabled(VRF-TENANT-1)

OS10# show evpn evi 20000
EVI : 20000, State : up
Bridge-Domain : Virtual-Network 20000, VNI 20000
Route-Distinguisher : 1:110.111.170.

*>r Route distinguisher: 3.3.3.3:65002 VNI:65002
    [5]:[0]:[24]:[12.12.12.0]:[0.0.0.0]/224 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.4:101 VNI:101
    [2]:[0]:[48]:[14:18:77:25:6f:4d]:[32]:[11.11.11.2]/224 4.4.4.4 0 100 32768
*>r Route distinguisher: 3.3.3.3:102 VNI:102
    [2]:[0]:[48]:[14:18:77:25:8f:6d]:[32]:[12.12.12.1]/224 3.3.3.3 0 100 0 100 101 ?
*> Route distinguisher: 3.3.3.3:101
    [3]:[0]:[32]:[3.3.3.3]/152 3.3.3.3 0 100 0 100 101 ?
*>r Route distinguisher: 4.4.4.
Figure 10. BGP EVPN in VLT domain

VXLAN BGP commands

activate (l2vpn evpn)
Enables the exchange of L2 VPN EVPN address family information with a BGP neighbor or peer group.
Syntax activate
Parameters None
Default Not configured
Command Mode ROUTER-BGP-NEIGHBOR-AF
Usage Information Use this command to exchange L2 VPN EVPN address information for VXLAN host-based routing with a BGP neighbor. The IPv4 unicast address family is enabled by default.

Example
OS10(conf-router-neighbor)# address-family l2vpn evpn unicast
OS10(conf-router-bgp-neighbor-af)# activate
Supported Releases 10.2.0E or later

address-family l2vpn evpn
Configures the L2 VPN EVPN address family for VXLAN host-based routing to a BGP neighbor.

sender-side-loop-detection
Enables the sender-side loop detection process for a BGP neighbor.
Syntax sender-side-loop-detection
Parameters None
Default Enabled
Command Mode ROUTER-BGP-NEIGHBOR-AF
Usage Information This command helps detect routing loops, based on the AS path before it starts advertising routes. To configure a neighbor to accept routes, use the neighbor allowas-in command. The no version of this command disables sender-side loop detection for that neighbor.
*> Route distinguisher: 110.111.170.107:64536 [3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 101 ? OS10# show BGP router Neighbor State/Pfx 3.3.3.3 4.4.4.4 5.5.5.5 6.6.6.6 0 100 ip bgp l2vpn evpn summary identifier 2.2.2.2 local AS number 4294967295 AS MsgRcvd MsgSent Up/Down 4294967295 4294967295 4294967295 4294967295 2831 2364 4947 2413 9130 9586 8399 7310 05:57:27 05:56:43 01:10:39 05:51:56 504 504 11514 504 OS10# show ip bgp l2vpn evpn neighbors BGP neighbor is 3.3.3.
Received 20 messages 1 opens, 0 notifications, 0 updates 19 keepalives, 0 route refresh requests Sent 20 messages 1 opens, 1 notifications, 0 updates 18 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast: MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) 4_OCTET_AS(65) MP_L2VPN_EVPN(1) Extended Next Hop Encoding (5) Capabilities advertised to neighbor
Supported releases 10.4.2.0 or later VXLAN EVPN commands advertise Advertises the IP prefixes learned from external networks and directly connected neighbors into EVPN. Syntax advertise {ipv4 | ipv6} {connected | static | ospf | bgp} [route-map mapname] Parameters ● ● ● ● ● ● ● Default None Command Mode EVPN-VRF Usage Information EVPN uses Type 5 route advertisements. To specify the types of learned routes to use in EVPN Type 5 advertisements in a tenant VRF, use the advertise command.
auto-evi Creates an EVPN instance automatically, including Route Distinguisher (RD) and Route Target (RT) values. Syntax auto-evi Parameters None Default Not configured Command mode EVPN Usage information In deployments running BGP with 2-byte or 4-byte autonomous systems, auto-EVI automatically creates EVPN instances when you create a virtual network on a VTEP in the overlay network.
Example 2 Supported releases OS10(config)# evpn OS10(config-evpn)# disable-rt-asn OS10(config-evpn)# evi 1001 OS10(config-evpn-evi-1001)# route-target auto OS10(config-evpn)# vrf BLUE OS10(config-evpn-vrf-BLUE)# vni 64001 OS10(config-evpn-vrf-BLUE)# route-target auto OS10(config-evpn-vrf-BLUE)# 10.5.1.0 or later evi Creates an EVPN instance (EVI) in EVPN mode. Syntax evi id Parameters id Enter the EVPN instance ID, from 1 to 65535.
Parameters A.B.C.D: [1-65535] Manually configure the RD with a 4-octet IPv4 address, then a 2-octet-number from 1 to 65535. auto Configure the RD to automatically generate. Default Not configured Command mode EVPN-EVI and EVPN-VRF Usage information A RD maintains the uniqueness of an EVPN route between different EVPN instances. Configure a route distinguisher in a tenant VRF used for EVPN symmetric IRB traffic.
Parameters value {import | export | both} Configure an RT import or export value, or both values in the format 2-octetASN:4-octet-number or 4-octet-ASN:2-octet-number. ● The 2-octet ASN or number is 1 to 65535. ● The 4-octet ASN or number is 1 to 4294967295. auto Configure the RT import and export values to automatically generate. asn4 (Optional) Advertises a 4-byte AS number in RT values.
show evpn evi
Displays the configuration settings of EVPN instances.
Syntax show evpn evi [id]
Parameters id — (Optional) Enter the EVPN instance ID, from 1 to 65535.
Default Not configured
Command mode EXEC
Usage information Use this command to verify EVPN instance status, associated VXLAN virtual networks and the RD and RT values the BGP EVPN routes use in the EVI. The status of integrated routing and bridging (IRB) and the VRF used for EVPN traffic also display.
Local MAC Address Count : 1
Remote MAC Address Count : 2
OS10# show evpn mac evi 811 next-hop 80.80.1.8 count
EVI 811 next-hop 80.80.1.8 MAC Entries :
Remote MAC Address Count : 2
Supported releases 10.4.2.0 or later

show evpn mac-ip
Displays the BGP EVPN Type 2 routes used for host MAC-IP address binding.
106  14:18:77:25:6f:84  lcl  0  16.16.16.2
106  14:18:77:25:6f:84  lcl  0  2001:16::16:2
OS10# show evpn mac-ip evi 104
Type -(lcl): Local (rmt): remote
EVI  Mac-Address        Type  Seq-No  Host-IP        Interface/Next-Hop
104  14:18:77:25:4d:b9  rmt   0       14.14.14.1     95.0.0.3
104  14:18:77:25:4d:b9  rmt   0       2001:14::14:1  95.0.0.3
104  14:18:77:25:6e:b9  lcl   0       14.14.14.
104  14:18:77:25:6e:b9  lcl   0
show evpn vrf
Displays the VRF instances used to forward EVPN routes in VXLAN overlay networks.
Syntax show evpn vrf [vrf-name]
Parameters vrf-name — (Optional) Enter the name of a non-default tenant VRF instance.
Default Not configured
Command mode EXEC
Usage information Use this command to verify the tenant VRF instances used in EVPN instances to exchange BGP EVPN routes in VXLANs.
OS10# show evpn vrf l3-vni vrf_30
VRF : vrf_30, State : up
L3-VNI : 3030
Route-Distinguisher : 1:80.80.1.1:3030(auto)
Route-Targets : 0:200:268435557(auto) both
Remote VTEP : 4.4.4.4
Supported releases 10.5.1.0 or later

show evpn vxlan-vni
Displays the VXLAN overlay network for EVPN instances.
Syntax show evpn vxlan-vni [vni]
Parameters vni — (Optional) Enter the VXLAN virtual-network ID, from 1 to 16,777,215.
vrf
Creates a non-default VRF instance for EVPN symmetric IRB traffic.
Syntax vrf vrf-name
Parameters
● vrf-name — Enter the name of a non-default tenant VRF; 32 characters maximum.
Default Not configured
Command Mode EVPN
Usage Information Configure a non-default VRF for symmetric IRB for each tenant VRF. The tenant VRF is created using the ip vrf command when you enable overlay routing with IRB; see Enable overlay routing between virtual networks.
Figure 11. VXLAN BGP EVPN use case

VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.16.1.
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.0/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
Configure iBGP IPv4 peering between VLT peers.
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Configure unused VLAN ID for untagged membership.
OS10(config)# virtual-network untagged-vlan 1000
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.18.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 172.18.2.
OS10(config-evpn-evi-10000)# route-target auto
OS10(config-evpn-evi-10000)# exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
Configure iBGP IPv4 peering between VLT peers.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.16.250.11
OS10(config-router-neighbor)# remote-as 100
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
14. Configure IP routing in the overlay network.
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.19.0.
Configure a VLTi VLAN for the virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vlti-vlan 100
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-bgp-101)# neighbor 172.17.1.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.1.
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.0.
OS10(conf-router-bgp-101)# neighbor 172.18.2.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.2.
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# send-community extended
OS10(conf-router-neighbor)# update-source loopback1
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4078ms
rtt min/avg/max/mdev = 0.806/0.851/0.944/0.051 ms
root@HOST-A:~#
5. Check connectivity between host A and host C.
root@HOST-A:~# ping 10.1.0.20 -c 5
PING 10.1.0.20 (10.1.0.20) 56(84) bytes of
64 bytes from 10.1.0.20: icmp_seq=1 ttl=64
64 bytes from 10.1.0.20: icmp_seq=2 ttl=64
64 bytes from 10.1.0.
Figure 12. VXLAN BGP EVPN with multiple AS

VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4. Assign VLAN member interfaces to the virtual networks.
OS10(config-router-bgp-99)# address-family ipv4 unicast
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-99)# neighbor 172.16.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-99)# neighbor 172.16.2.
OS10(config-evpn-evi-20000)# route-target 100:20000 import
OS10(config-evpn-evi-20000)#exit
OS10(config-evpn)#
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.0/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.231/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethern
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-99)# neighbor 172.202.0.
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.2
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure VXLAN virtual networks.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# vxlan-vni 20000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-20000)# exit
4.
OS10(conf-if-eth1/1/1)# mtu 1650
OS10(conf-if-eth1/1/2)# ip address 172.18.2.0/31
OS10(conf-if-eth1/1/2)# exit
8. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.18.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.18.1.
OS10(config-evpn-evi-10000)# rd 192.168.2.1:10000
OS10(config-evpn-evi-10000)# route-target 99:10000 import
OS10(config-evpn-evi-10000)# route-target 100:10000 both
OS10(config-evpn-evi-10000)#exit
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd 192.168.2.1:20000
OS10(config-evpn-evi-20000)# route-target 99:20000 import
OS10(config-evpn-evi-20000)# route-target 100:20000 both
OS10(config-evpn-evi-20000)#exit
OS10(config-evpn)#
13. Configure VLT.
Configure iBGP IPv4 peering between VLT peers.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.16.250.11
OS10(config-router-neighbor)# remote-as 100
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
14. Configure IP routing in the overlay network.
Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.19.0.1/32
OS10(conf-if-lo-1)# exit
11. Configure BGP EVPN peering.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.11/31
OS10(config-if-vl-4000)# exit
Configure VLT port channels.
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# exit
4. Configure a Loopback interface for BGP EVPN peering.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.201.0.1/32
OS10(conf-if-lo-1)# exit
5. Configure BGP EVPN peer sessions.
OS10(config)# router bgp 101
OS10(conf-router-bgp-101)# neighbor 172.16.0.
Spine Switch 2
1. Configure downstream ports on the underlay links to the leaf switches.
OS10(conf-router-neighbor)# update-source loopback1
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-102)# neighbor 172.17.0.
2. Verify EVPN configurations and EVPN parameters.
LEAF1# show evpn evi
EVI : 10000, State : up
  Bridge-Domain       : Virtual-Network 10000, VNI 10000
  Route-Distinguisher : 1:192.168.1.1:10000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.1
  IRB                 : Enabled(tenant1)
EVI : 20000, State : up
  Bridge-Domain       : Virtual-Network 20000, VNI 20000
  Route-Distinguisher : 1:192.168.1.1:20000
  Route-Targets       : 0:99:10000 both, 0:100:10000 import
  Inclusive Multicast : 192.168.2.
  IRB                 :
LEAF1#
rtt min/avg/max/mdev = 0.640/0.669/0.707/0.041 ms
root@HOST-A:~#
NOTE: Follow Steps 1 to 6 to check ping connectivity between combinations of other hosts, and between hosts through different virtual-network IP addresses.

Example: VXLAN BGP EVPN — Centralized L3 gateway with asymmetric IRB
The following VXLAN with BGP EVPN example uses a centralized Layer 3 gateway to perform virtual-network routing. It is based on the sample configuration in Example: VXLAN BGP EVPN — Multiple AS topology.
Figure 13. VXLAN BGP EVPN with centralized L3 gateway

NOTE: This centralized L3 gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology. Configure each spine and leaf switch as in the Multiple AS topology example, except:
● Because VTEPs 1 and 2 operate only in Layer 2 VXLAN mode, do not configure IP switching in the overlay network.
Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual networks.
OS10(config)# interface virtual-network10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.233/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.
S4048T-ON, S6010-ON, and the S4100-ON series, routing after decapsulation is performed only between virtual networks. You can connect an egress virtual network to a VLAN in an external router, which connects to the external network. In the following example, VLT domain 1 is a VLT VTEP. VLT domain 2 is the border leaf VLT VTEP pair. All virtual networks in the data center network are configured in all VTEPs with virtual-network IP and anycast IP gateway addresses.
Figure 14. VXLAN BGP EVPN with border leaf gateway

NOTE: This border leaf gateway example for VXLAN BGP EVPN uses the same configuration steps as in Example: VXLAN BGP EVPN — Multiple AS topology. Configure each spine and leaf switch as in the Multiple AS topology example and add the following additional configuration steps on each VTEP.

VTEP 1 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
2. Configure routing on the virtual network.
OS10(config)# interface virtual-network 500
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.5.0.231/16
3. Configure a static route for outbound traffic sent to the anycast MAC address of the dedicated virtual network.
OS10(config)#ip route 0.0.0.0/0 10.5.0.100

VTEP 2 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
5. Configure a static route for outbound traffic sent to VLAN 200.
OS10(config)#ip route 0.0.0.0/0 10.10.0.3

VTEP 4 Leaf Switch
1. Configure a dedicated VXLAN virtual network.
OS10(config)# virtual-network 500
OS10(config-vn-500)# vxlan-vni 500
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
2. Configure an anycast gateway MAC address on the border leaf VTEP. This MAC address must be different from the anycast gateway MAC address configured on non-border-leaf VTEPs.
VTEP 1 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn-10000)# exit
4. Assign VLAN member interfaces to the virtual network.
Use a switch-scoped VLAN-to-VNI mapping:
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
5. Configure access ports as VLAN members for a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# exit
9. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address.
OS10(config)# interface loopback1
OS10(conf-if-lo-1)# no shutdown
OS10(conf-if-lo-1)# ip address 172.16.0.1/32
OS10(conf-if-lo-1)# exit
10. Configure BGP EVPN peering.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
15. Configure advertisement of connected networks through EVPN type-5 routes.
OS10(config)# evpn
OS10(config-evpn)# vrf tenant1
OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected
OS10(config-evpn-vrf-tenant1)# exit

VTEP 2 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2.
OS10(conf-if-eth1/1/2)# ip address 172.17.2.0/31
OS10(conf-if-eth1/1/2)# exit
7. Configure eBGP.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# router-id 172.17.0.1
OS10(config-router-bgp-100)# address-family ipv4 unicast
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
8. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.17.1.
11. Configure EVPN for the VXLAN virtual network.
Configure the EVPN instance, RD, and RT using auto-EVI mode.
OS10(config)# evpn
OS10(config-evpn)# auto-evi
OS10(config-evpn)# exit
12. Configure VLT.
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.1/31
OS10(config-if-vl-4000)# exit
Configure the VLT port channel.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 10000
OS10(conf-if-vn-10000)# ip vrf forwarding tenant1
OS10(conf-if-vn-10000)# ip address 10.1.0.232/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.1.0.100
OS10(conf-if-vn-10000)# no shutdown
OS10(conf-if-vn-10000)# exit
14. Configure symmetric IRB.
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7. Configure upstream network-facing ports.
OS10(config-router-neighbor)# update-source loopback1
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# no activate
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# address-family l2vpn evpn
OS10(config-router-bgp-neighbor-af)# activate
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor
Configure the VLT domain.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.150.3
OS10(conf-vlt-1)# discovery-interface ethernet1/1/3,1/1/4
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ff:ee
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports.
OS10(conf-if-eth1/1/7)# switchport mode trunk
OS10(conf-if-eth1/1/7)# switchport trunk allowed vlan 200
17. Configure advertisement of the connected networks via EVPN Type-5 routes.
OS10(config)# evpn
OS10(config-evpn)# vrf tenant1
OS10(config-evpn-vrf-tenant1)# advertise ipv4 connected
OS10(config-evpn-vrf-tenant1)# exit
18. Configure BGP session with external router on the border-leaf VTEPs.
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# vrf tenant1
OS10(config-router-bgp-100-vrf)# neighbor 10.
VTEP 4 Leaf Switch
1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.2.1/32
OS10(conf-if-lo-0)# exit
2. Configure the Loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(configure-router-bgp-af)# redistribute connected
OS10(configure-router-bgp-af)# exit
9. Configure eBGP for the IPv4 point-to-point peering.
OS10(config-router-bgp-100)# neighbor 172.19.1.1
OS10(config-router-neighbor)# remote-as 101
OS10(config-router-neighbor)# address-family ipv4 unicast
OS10(config-router-bgp-neighbor-af)# allowas-in 1
OS10(config-router-bgp-neighbor-af)# exit
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 172.19.2.
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
13. Configure VLT.
Configure a VLTi VLAN for the virtual network.
OS10(config)# virtual-network 20000
OS10(conf-vn-20000)# vlti-vlan 200
OS10(conf-vn-20000)# exit
Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure.
OS10(config)# interface vlan4000
OS10(config-if-vl-4000)# no shutdown
OS10(config-if-vl-4000)# ip address 172.16.250.
Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.234/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
15. Configure symmetric IRB.
With connected routes of virtual networks present in an individual VTEP advertised as type-5 routes, the border-leaf router has information about all the virtual networks present in the pod.
3. Configure eBGP IPv4 peer sessions on the P2P links.
OS10(conf-router-bgp-101)# neighbor 172.16.1.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.1.
OS10(conf-router-bgp-101)# neighbor 172.18.0.
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.17.2.0
OS10(conf-router-neighbor)# remote-as 100
OS10(conf-router-neighbor)# no shutdown
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# exit
OS10(conf-router-bgp-101)# neighbor 172.18.2.
OS10(conf-router-neighbor)# address-family ipv4 unicast
OS10(conf-router-neighbor-af)# no activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-neighbor)# address-family l2vpn evpn
OS10(conf-router-neighbor-af)# no sender-side-loop-detection
OS10(conf-router-neighbor-af)# activate
OS10(conf-router-neighbor-af)# exit
OS10(conf-router-bgp-101)# neighbor 172.19.0.
4. Check connectivity between host A and host B.
root@HOST-A:~# ping 10.2.0.20 -c 5
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=0.824 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=63 time=0.847 ms
64 bytes from 10.2.0.10: icmp_seq=3 ttl=63 time=0.835 ms
64 bytes from 10.2.0.10: icmp_seq=4 ttl=63 time=0.944 ms
64 bytes from 10.2.0.10: icmp_seq=5 ttl=63 time=0.806 ms
--- 10.2.0.
Example - VXLAN BGP EVPN symmetric IRB with unnumbered BGP peering
The following BGP EVPN example uses a Clos leaf-spine topology with BGP over unnumbered interfaces. The following explains how the network is configured:
● External BGP (eBGP) over unnumbered interfaces is used to exchange both IPv4 routes and EVPN routes.
● You need not configure IP addresses on links that connect Spine and Leaf switches. BGP Unnumbered peering works without an IP address configuration on Spine-Leaf links.
● On leaf switches 1 and 2, access ports are assigned to a virtual network using a switch-scoped VLAN. EVPN for the overlay VXLAN is configured using auto-EVI mode.
● On leaf switches 3 and 4, access ports are assigned to a virtual network using a port-scoped VLAN. EVPN for the overlay VXLAN is configured using manual EVI mode with RT and RD values configured in auto mode.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
OS10(config-router-bgp-101)# neighbor interface ethernet1/1/4
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit

Spine Switch 2 configuration
1. Configure downstream ports as unnumbered interfaces.
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit

VTEP Leaf Switch 1 configuration
1. Configure a loopback interface for the VXLAN underlay using the same IP address as the VLT peer.
OS10(config)# interface loopback0
OS10(conf-if-lo-0)# no shutdown
OS10(conf-if-lo-0)# ip address 192.168.1.1/32
OS10(conf-if-lo-0)# exit
2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config-router-bgp-af)# redistribute connected
OS10(config-router-bgp-af)# exit
8. Configure a BGP unnumbered neighbor over network facing ports. Use a template to simplify the configuration on multiple interfaces. These neighbors are configured to carry IPv4 address family (default) and L2VPN EVPN address family.
● Configure UFD with uplink VLT ports and downlink network ports.
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# exit
● Configure iBGP unnumbered peering between VLT peers with both IPv4 and L2VPN EVPN address families.
2. Configure the loopback interface as the VXLAN source tunnel interface.
OS10(config)# nve
OS10(config-nve)# source-interface loopback0
OS10(config-nve)# exit
3. Configure the VXLAN virtual network.
OS10(config)# virtual-network 10000
OS10(config-vn-10000)# vxlan-vni 10000
OS10(config-vn-vxlan-vni)# exit
OS10(config-vn)# exit
4. Assign VLAN member interfaces to the virtual network. Use a switch-scoped VLAN-to-VNI mapping.
OS10(config-router-bgp-201)# neighbor interface ethernet1/1/2
OS10(config-router-neighbor)# inherit template ebgp_unified inherit-type ebgp
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
9. Configure EVPN for the VXLAN virtual network. Configure the EVPN instances using Auto EVI mode and Disable ASN in the generated RT.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
11. Configure IP routing in overlay network.
● Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# no switchport access vlan
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# exit
6. Add the access ports to the virtual network.
OS10(config)# virtual-network 20000
OS10(config-vn-20000)# member-interface port-channel 20 untagged
OS10(config-vn-20000)# exit
7.
NOTE: Use the disable-rt-asn command to autoderive RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
● Configure a VLTi VLAN for the virtual network.
● Create the tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
OS10(config)# interface virtual-network 20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.233/16
OS10(conf-if-vn-20000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
13.
4. Configure an unused VLAN ID for untagged membership.
OS10(config)# virtual-network untagged-vlan 1000
5. Configure access ports as VLAN members for a port-scoped VLAN-to-VNI mapping.
OS10(config-evpn)# evi 20000
OS10(config-evpn-evi-20000)# vni 20000
OS10(config-evpn-evi-20000)# rd auto
OS10(config-evpn-evi-20000)# route-target auto
OS10(config-evpn-evi-20000)# exit
OS10(config-evpn)# exit
NOTE: Use the disable-rt-asn command to autoderive RT that does not include the ASN in the RT value. This allows auto RT to be used even if the Clos leaf-spine design has separate ASN for each leaf node. Configure this command only when all the VTEPs are OS10 switches.
11. Configure VLT.
OS10(config-router-neighbor)# no shutdown
OS10(config-router-neighbor)# exit
12. Configure IP routing in the overlay network.
● Create a tenant VRF.
OS10(config)# ip vrf tenant1
OS10(conf-vrf)# exit
● Configure an anycast gateway MAC address.
OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01
● Configure routing on the virtual network.
Asymmetric to Symmetric IRB migration steps
1. Make the spines send overlay traffic only to Leaf-2 by making Leaf-1 advertise the VTEP IP with a higher metric in the underlay network.
Leaf-1 configuration
a. Configure a route-map with a prefix-list to set the metric higher for the VTEP IP.
Leaf-1(config)# ip prefix-list vtep_ip seq 10 permit 10.10.10.
2. Spines would now send the overlay traffic destined to VLT domain 1 (Rack1) only to Leaf-2.
3. Configure Symmetric IRB mode in Leaf-2.
Leaf-2 configuration
a. Configure router-mac.
Leaf-2(config)# evpn
Leaf-2(config-evpn)# router-mac 02:10:10:10:10:10
b. Configure IP VRF with L3 VNI.
Leaf-2(config-evpn)# vrf BLUE
Leaf-2(config-evpn-vrf-VRF001)# vni 65001
c. Configure RT (auto or manual) and RD (optional, default is auto).
Leaf-2(config-evpn-vrf-BLUE)# route-target auto
d.
b. Default route configured in VTEPs pointing to border leaf using an intermediate VNI could be removed. Default route or external routes could now be advertised to the VTEPs from border leaf using advertise commands under EVPN-IPVRF mode.
Example - Route leaking across VRFs in a VXLAN BGP EVPN symmetric IRB topology
The following VXLAN with BGP EVPN example uses a Clos leaf-spine topology to show how to set up route leaking across VRF in a symmetric IRB topology.
● The individual switch configuration shows how to configure VRFs in the VTEPs and configure route leaking between VRFs. For other VXLAN and BGP EVPN configuration, see other examples and the VXLAN section.
● Route leaking is performed on the Border Leaf VTEP.
● There are three nondefault VRFs present in the network – Yellow, Green, and Red.
● Route leaking is done between:
○ VRF-Yellow and VRF-Green.
○ VRF-Yellow and VRF-Red.
2. Configure Layer 3 virtual-network interfaces with VRFs and IP addresses.
OS10(config)# interface virtual-network 10001
OS10(conf-if-vn-10001)# ip vrf forwarding Yellow
OS10(conf-if-vn-10001)# ip address 10.1.0.2/24
OS10(conf-if-vn-10001)# ip virtual-router address 10.1.0.254
OS10(conf-if-vn-10001)#
OS10(config)# interface virtual-network 20001
OS10(conf-if-vn-20001)# ip vrf forwarding Green
OS10(conf-if-vn-20001)# ip address 10.2.0.2/24
OS10(conf-if-vn-20001)# ip virtual-router address 10.2.0.254
3.
OS10(config-evpn-vrf-Red)# advertise ipv4 connected
OS10(config-evpn-vrf-Red)# exit
4. Configure the border-leaf to advertise the default route into the EVPN in each VRF. From the other VTEPs, any traffic to an external network and also to networks which are not within the local VRF reaches the Border Leaf router using this default route.
a.
OS10(conf-vrf)# ip route-import 1:1
OS10(conf-vrf)# exit
OS10(config)# ip vrf Red
OS10(conf-vrf)# ip route-export 3:3 route-map RouteMap_RedVrf_Export
OS10(conf-vrf)# ip route-import 1:1
OS10(conf-vrf)# exit
7. (Optional) For advertising leaked routes from Yellow VRF only to an external router on the default VRF and not to an underlay network, use route-maps on spine-facing eBGP neighbors and also on the iBGP neighbor between the VLT peers.
OS10(config-evpn-vrf-Yellow)# advertise ipv4 connected
OS10(config-evpn-vrf-Yellow)# exit
OS10(config-evpn)# vrf Green
OS10(config-evpn-vrf-Green)# vni 65002
OS10(config-evpn-vrf-Green)# route-target auto
OS10(config-evpn-vrf-Green)# advertise ipv4 connected
OS10(config-evpn-vrf-Green)# exit
OS10(config-evpn)# vrf Red
OS10(config-evpn-vrf-Red)# vni 65003
OS10(config-evpn-vrf-Red)# route-target auto
OS10(config-evpn-vrf-Red)# advertise ipv4 connected
OS10(config-evpn-vrf-Red)# exit
4.
● Yellow VRF and Red VRF.
C     10.1.0.0/24   via 10.1.0.3 virtual-network10001       0/0     00:47:11
B EV  10.1.0.1/32   via 192.168.0.1                         200/0   00:48:55
B EV  10.1.0.2/32   via 192.168.0.1                         200/0   00:48:55
B EV  10.2.0.0/24   via 192.168.0.1,Green                   200/0   00:35:48
C     10.3.0.0/24   via 10.3.0.1,Red virtual-network30001   0/0     00:35:48
C     10.10.0.0/24  via 10.10.0.
Gateway of last resort is not set
Destination          Gateway               Dist/Metric   Last Change
---------------------------------------------------------------------
B EX  10.1.0.0/24    via 10.10.0.1         20/0          00:13:49
                     via 10.10.0.2
B EX  10.1.0.1/32    via 10.10.0.1         20/0          00:14:22
                     via 10.10.0.2
B EX  10.1.0.2/32    via 10.10.0.1         20/0          00:14:24
                     via 10.10.0.2
C     10.10.0.0/24   via 10.10.0.3 vlan100 0/0           00:23:16
B EX  172.16.1.1/32  via 10.10.0.1         20/0          00:22:58
                     via 10.10.0.2
B EX  172.16.1.2/32  via 10.10.0.
The NSX controller communicates with an OS10 VTEP using the OVSDB management protocol over a Secure Sockets Layer (SSL) connection. Establishing the communication between the controller and VTEP involves generating the SSL certificate at a VTEP and copying the certificate to the NSX controller. After SSL authentication, a secure connection over SSL is established between the controller and the VTEP. The VTEP then receives and processes the configuration data from the controller.
● Only one mode of VxLAN provisioning is supported at a time: NSX controller-based, static VXLAN, or BGP EVPN.
● An OS10 switch does not send VXLAN access port statistics to the NSX controller.
● Controller-provisioned VXLAN is not supported on VTEPs configured as peers in a VLT domain. Only VTEPs in standalone mode are supported.
Specify the controller reachability information
In OS10 VTEP, the controller configuration command initializes a connection to an OVSDB-based controller.
4. Assign the interface to the controller.
OS10(config-if-eth1/1/1)# nve-controller
To view the controller information and the ports the controller manages, use the show nve controller command.
OS10# show nve controller
Management IP         : 10.16.140.29/16
Gateway IP            : 55.55.5.5
Max Backoff           : 1000
Configured Controller : 10.16.140.

Controller Cluster
IP              Port
10.16.140.173   6640
10.16.140.171   6640
10.16.140.172   6640
NOTE: In controller-provisioned VXLAN, the VTEP establishes a BFD session with the service nodes using the controller-provided parameters instead of the parameters configured at the VTEP. If BFD is not enabled in the VTEP, the VTEP uses IP reachability information to monitor connectivity to the service node. To view established sessions, use the show bfd neighbors command.
3. Create a logical switch. You can create a logical network that acts as the forwarding domain for virtualized and nonvirtualized server workloads on the physical and virtual infrastructure. The following steps configure the logical switch for NSX controller management.
a. Click Logical Switches from the left navigation pane.
b. Click the green + icon under Logical Switches. The New Logical Switch dialog window opens.
c. Enter a name and select Unicast as the replicate mode and click OK.
4.
5. (Optional) Enable or disable BFD globally. The following steps enable or disable BFD configuration in the controller.
a. Click Service Definitions from the left navigation pane.
b. Click the Hardware Devices tab.
c. Click the Edit button in the BFD Configuration.
d. Check or clear the Enable BFD check box and provide the Probe interval, in milliseconds, if required.
After you configure a VMware NSX controller on a server VM, connect to the controller from the VXLAN gateway switch.
To configure an NSX controller-provisioned VXLAN:
● Configure the controller and the interfaces to be managed by the controller, in the OS10 VTEPs.
● Configure the NSX controller in VMware vCenter. For more information about configuring the NSX controller using the GUI, see the Configure and control VXLAN from the VMware vCenter.
You must configure an OS10 VTEP with the controller configuration so that the VTEP can communicate with the NSX controller.
OS10(config-nve-ovsdb)# max-backoff 10000
OS10(config-nve-ovsdb)# exit
5. Assign interfaces to be managed by the controller.
OS10(config)# interface ethernet 1/1/54:3
OS10(config-if-eth1/1/54:3)# switchport mode trunk
OS10(config-if-eth1/1/54:3)# no switchport access vlan
OS10(config-if-eth1/1/54:3)# nve-controller
6. (Optional) Enable BFD.
OS10(config)# bfd enable
VTEP 2
1. Configure the OSPF protocol in the underlay.
Gateway IP            : 200.0.0.1
Max Backoff           : 10000
Configured Controller : 10.16.140.181:6640 ssl (connected)

Controller Cluster
IP              Port   Protocol   Connected   State    Max-Backoff
10.16.140.182   6640   ssl        true        ACTIVE   10000
10.16.140.183   6640   ssl        true        ACTIVE   10000
10.16.140.181   6640   ssl        true        ACTIVE   10000

NVE Controller Ports
ethernet1/1/54:3
To display the VNID, port members, source interface, and remote VTEPs of the VXLAN, use the show virtual-network command.
NVE Controller Ports
ethernet1/1/25:3
To display the VNID, port members, source interface, and remote VTEPs of the VXLAN, use the show virtual-network command.
OS10# show virtual-network
Codes: DP - MAC-learn Dataplane, CP - MAC-learn Controlplane, UUD - Unknown-Unicast-Drop
Virtual Network: 0
Members:
Virtual Network: 6000
Members:
VLAN 20: ethernet1/1/25:3
VxLAN Virtual Network Identifier: 6000
Source Interface: loopback1(202.0.0.1)
Remote-VTEPs (flood-list): 13.0.0.
Example
OS10(config)# nve
OS10(config-nve)# controller ovsdb
Supported releases
10.4.3.0 or later

ip port ssl
Configures the OVSDB controller reachability information such as IP address, port number, and the connection type of session, in the switch.
Syntax
ip ip-address port port-number ssl
Parameters
● ip-address — Specify the IP address of the OVSDB controller to connect with.
● port-number — Specify the port number through which the connection to the OVSDB controller is made.

nve-controller
Assigns the interfaces to be managed by the controller.
Syntax
nve-controller
Parameters
None
Default
None
Command mode
INTERFACE
Usage information
The interface must be in Switchport Trunk mode when adding the interface to the controller. If the interface is not in the Switchport Trunk mode, the system displays the following error message:
% Error: Interface ethernet1/1/1, must be in switchport trunk for controller mode.
Management IP         : 10.16.140.29/16
Gateway IP            : 55.55.5.5
Max Backoff           : 1000
Configured Controller : 10.16.140.172:6640 ssl (connected)

Controller Cluster
IP              Port   Protocol   Connected   State     Max-Backoff
10.16.140.173   6640   ssl        true        ACTIVE
10.16.140.171   6640   ssl        false       BACKOFF
10.16.140.172   6640   ssl        true        ACTIVE

NVE Controller Ports
ethernet1/1/1:1
ethernet1/1/15
Supported releases
10.4.3.0 or later

show nve controller ssl-certificate
Displays the SSL certificate generated in the system.
Parameters
None
Default
None
Command mode
EXEC
Usage information
When you specify the VNID, the output displays details about the service nodes available for the VNID.
Example (without VNID)
OS10# show nve replicators
Codes: * - Active Replicator
BFD Status:Enabled
Replicators State
-----------------------
2.2.2.3 Up
2.2.2.
show ovsdb-tables mac-remote-ucast
Displays information about remote MAC address entries including each MAC address, IP address, local switch name, and VNID.
Syntax
show ovsdb-tables mac-remote-ucast
Parameters
None
Default
None
Command mode
EXEC
Usage information
This command is available only for netadmin, sysadmin, and secadmin roles.
Parameters
None
Default
None
Command mode
EXEC
Usage information
This command is available only for netadmin, sysadmin, and secadmin roles.
Example
OS10# show ovsdb-tables tunnel
Count : 2
Tunnel table
_uuid bfd_config_local bfd_params bfd_config_remote bfd_status local remote
------------------------------------ -----------------------------------------------------------------------
8025d953-acf5-4091-9fa2-75d41953b397 {bfd_dst_ip="55.55.5.5", bfd_dst_mac="00:23:20:00:00:01"} {bfd_dst_ip="2.2.2.
16 UFT modes
A switch in a Layer 2 (L2) network may require a larger MAC address table size, while a switch in a Layer 3 (L3) network may require a larger routing table size. Unified forwarding table (UFT) offers the flexibility to configure internal L2/L3 forwarding table sizes. OS10 supports several UFT modes for the forwarding tables. By default, OS10 selects a UFT mode that provides a reasonable size for all tables.
Table 88. UFT Modes — Table Size for Z9264F-ON
UFT Mode           L2 MAC Table Size   L3 Host Table Size   L3 Routes Table Size
Scaled-l2–switch   270336              8192                 32768
Scaled-l3–hosts    8192                270336               32768
Scaled-l3–routes   8192                8192                 262144
Default            139264              139264               32768
Table 89.
L3 Host Entries   : 147456   212992
L3 Route Entries  : 32768    98304
View UFT information for all modes
OS10# show hardware forwarding-table mode all
Mode               default   scaled-l2   scaled-l3-routes   scaled-l3-hosts
L2 MAC Entries     163840    294912      32768              98304
L3 Host Entries    147456    16384       16384              212992
L3 Route Entries   32768     32768       131072             98304
IPv6 extended prefix routes
IPv6 addresses that contain prefix routes with a mask between /64 and /128 are called IPv6 extended prefix routes.
Syntax
hardware forwarding-table mode {scaled-l2 | scaled-l3-routes | scaled-l3-hosts}
Parameters
● scaled-l2 — Enter the L2 MAC address table size.
● scaled-l3-routes — Enter the L3 routes table size.
● scaled-l3-hosts — Enter the L3 hosts table size.
Defaults
The default parameters vary according to the platform. See UFT modes.
Command Mode
CONFIGURATION
Usage Information
Configure the sizes of internal L2 and L3 forwarding tables for your requirements of the network environment.
Example
OS10# show hardware forwarding-table mode
                    Current Settings   Next-boot Settings
Mode                default-mode       scaled-l3-hosts
L2 MAC Entries    : 163840             98304
L3 Host Entries   : 147456             212992
L3 Route Entries  : 32768              98304
Supported Releases
10.3.0E or later

show hardware forwarding-table mode all
Displays table sizes for the hardware forwarding table modes.
17 Security
Dell EMC SmartFabric OS10 has several security features to protect the usability and integrity of the data available in the switch. OS10 also has security features to protect the user network from attacks and restrict network traffic.
Switch security
Dell EMC SmartFabric OS10 has various inbuilt security features to secure the administrative access to the switch.
User management
OS10 controls user access to the switch and what users can do after login based on the set roles and privileges.
The OS10 RBAC model provides separation of duty and greater security. It places limitations on each role’s permissions to allow you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs.
Assign user role
To limit OS10 system access, assign a role when you configure each user.
● Enter a user name, password, and role in CONFIGURATION mode.
username username password password role role
○ username username — Enter a text string.
OS10(config)# exit
OS10# write memory
The linuxadmin password configured from the CLI takes precedence across reboots over the password configured from the Linux shell. Verify the linuxadmin password using the show running-configuration command.
OS10# show running-configuration
system-user linuxadmin password $6$5DdOHYg5$JCE1vMSmkQOrbh31U74PIPv7lyOgRmba1IxhkYibppMXs1KM4Y.
● mode — Enter the privilege mode used to access CLI modes:
○ exec — Accesses EXEC mode.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes.
○ route-map — Accesses route-map mode.
○ router — Accesses router-bgp and router-ospf modes.
○ exec — Accesses EXEC mode.
○ configure — Accesses class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes.
○ route-map — Accesses route-map mode.
○ router — Accesses router-bgp and router-ospf modes.
○ line — Accesses line-vty mode.
○ max-retry number — Sets the maximum number of consecutive failed login attempts for a user before the user is locked out, from 0 to 16; default 3.
○ lockout-period minutes — Sets the amount of time that a user ID is prevented from accessing the system after exceeding the maximum number of failed login attempts, from 0 to 43,200; default 5.
NOTE: Dell Technologies recommends that you configure the lockout period to be a nonzero value. If you set this value to zero, no lockout period is configured.
and privilege-level passwords. To revert to the configured password-attributes settings, use the no service simple-password command.
tacacs-server host 10.1.1.1 auth-port 7777 key 9 27ca79bf3cbf351708c8d19caf50815661dcd0638719a06c865e88090d03558b
Configuration notes
All Dell EMC PowerSwitches:
● Obscure password (service obscure-password) is enabled by default when upgrading to 10.5.2.0 or later if the setting is not changed before the upgrade.
● If the Obscure password configuration is explicitly disabled before the upgrade, it remains disabled after the upgrade as well.
User management commands
disable
Lowers the privilege level.
enable password priv-lvl
Sets a password for a privilege level.
Syntax
enable password encryption-type password-string priv-lvl privilege-level
Parameters
● encryption-type — Enter the type of password encryption:
○ 0 — Use an unencrypted password.
○ sha-256 — Use a SHA-256 encrypted password.
○ sha-512 — Use a SHA-512 encrypted password.
● priv-lvl privilege-level — Enter a privilege number from 1 to 15.
Usage Information
By default, the password you configure with the username password command must be at least nine alphanumeric characters. Use this command to increase password strength. When you enter the command, at least one parameter is required. When you enter the character-restriction parameter, at least one option is required. To reset parameters to their default values, use the no password-attributes command.
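The following audit sketch is an added example, not part of the Dell guide or OS10 itself. It scans configuration text (a saved running-configuration or a provisioning template) for the password and key settings this chapter describes as weak, and redacts secrets in its findings. The sample configuration, rule names, and function names are constructed for illustration.

```python
"""Audit OS10-style configuration text for weak password and key handling."""

# Constructed sample input (not taken from the guide or from a real switch).
SAMPLE_CONFIG = """\
service simple-password
no service obscure-password
password-attributes max-retry 5 lockout-period 0
enable password 0 Constructed-Pass-1 priv-lvl 12
tacacs-server host 10.1.1.1 auth-port 7777 key 0 constructedkey
tacacs-server host 10.1.1.2 key constructedkey2
radius-server host 1.2.4.5 key 9 0123456789abcdef0123456789abcdef
"""

# Hypothetical rule ids mapped to the statement in the guide they rest on.
RULES = {
    "simple-password": "configured password-attributes are bypassed until "
                       "'no service simple-password' is entered",
    "obscure-password-off": "passwords and keys are displayed in show command output",
    "lockout-zero": "lockout-period 0 means no lockout period is configured",
    "enable-password-plaintext": "encryption-type 0 is an unencrypted password",
    "server-key-plaintext": "authentication key entered in plain text (not key 9)",
}


def _mask(tokens, index):
    """Rebuild the line with the secret at tokens[index] hidden from the report."""
    shown = list(tokens)
    if index < len(shown):
        shown[index] = "<redacted>"
    return " ".join(shown)


def audit(config_text):
    """Return a list of (line_number, rule_id, redacted_line) findings."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens:
            continue
        line = " ".join(tokens)

        if line == "service simple-password":
            findings.append((number, "simple-password", line))
        elif line == "no service obscure-password":
            findings.append((number, "obscure-password-off", line))
        elif tokens[0] == "password-attributes" and "lockout-period" in tokens:
            value = tokens[tokens.index("lockout-period") + 1:][:1]
            if value == ["0"]:
                findings.append((number, "lockout-zero", line))
        elif tokens[:3] == ["enable", "password", "0"]:
            findings.append((number, "enable-password-plaintext", _mask(tokens, 3)))
        elif tokens[0] in ("radius-server", "tacacs-server") and tokens[1:2] == ["host"]:
            # RADIUS over TLS lines carry their own key argument; not assessed here.
            if "key" not in tokens[3:] or "tls" in tokens:
                continue
            key_at = tokens.index("key", 3)      # start at 3 to skip the host token
            key_type = tokens[key_at + 1:][:1]
            if key_type == ["9"]:                # key 9 = encrypted format
                continue
            secret_at = key_at + 2 if key_type == ["0"] else key_at + 1
            findings.append((number, "server-key-plaintext", _mask(tokens, secret_at)))
    return findings


def report(config_text):
    """Format findings as printable lines, one per finding."""
    return [f"line {n}: {line}\n    {RULES[rule]}" for n, rule, line in audit(config_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```
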
○ interface — Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port-channel, and VLAN modes.
○ route-map — Accesses route-map mode.
○ router — Accesses router-bgp and router-ospf modes.
○ line — Accesses line-vty mode.
● priv-lvl privilege-level — Enter the number of a privilege level, from 2 to 14.
● command-string — Enter the commands supported at the privilege level.
Usage Information
Use the service obscure-password command so that the text characters of passwords are not displayed in show command output. The command obscures the passwords that you configure for user names, NTP, BGP, SNMP, RADIUS servers, and TACACS+ servers. To disable the obscure passwords function, use the no service obscure-password command.
Example
OS10(config)# service obscure-password
Supported Releases
10.5.0 or later

show users
Displays information for all users logged into OS10.
Example
OS10# show running-configuration privilege
privilege exec priv-lvl 3 configure
privilege configure priv-lvl 4 "interface ethernet"
enable password sha-512 $6$Yij02Phe2n6whp7b$ladskj0HowijIlkajg981 priv-lvl 12
Supported Releases
10.4.3.0 or later

system-user linuxadmin password
Configures a password for the linuxadmin user.
Parameters
● default inherit — Reconfigure the default permissions assigned to an authenticated user with a missing or unknown role or privilege level.
● name inherit — Enter the name of the RADIUS or TACACS+ user role that inherits permissions from an OS10 user role; 32 characters maximum.
Default
● User name and password entries are in clear text.
● There is no default user role.
● The default privilege levels are level 1 for netoperator, and level 15 for sysadmin, secadmin, and netadmin.
Command Mode
CONFIGURATION
Usage Information
By default, the password must be at least nine alphanumeric characters. Only the following special characters are supported: ! # % & ' ( ) ; < = > [ ] * + - . / : ^ _
Enter the password in clear text.
○ local—Use the local username, password, and role entries configured with the username password role command.
○ group radius—Configure RADIUS servers using the radius-server host command.
○ group tacacs+—Configure TACACS+ servers using the tacacs-server host command.
Configure user role on server
If a console user logs in with RADIUS or TACACS+ authentication, the role you configured for the user on the RADIUS or TACACS+ server applies.
Table 92. OS10 user roles and privilege levels
User role     Default privilege level
sysadmin      15
secadmin      15
netadmin      15
netoperator   1
Use the VSA Dell-group-name values when you create users on a RADIUS or TACACS+ server. For more information about privilege levels, see Privilege levels. For detailed information about how to configure vendor-specific attributes on a RADIUS or TACACS+ server, see the respective RADIUS or TACACS+ server documentation.
Configure global settings for the timeout and retransmit attempts that are allowed on RADIUS servers. By default, OS10 supports three RADIUS authentication attempts and times out after five seconds. No source interface is configured. The default VRF instance is used to contact RADIUS servers. NOTE: You cannot configure both a nondefault VRF instance (including management VRF) and a source interface at the same time for RADIUS authentication.
View RADIUS server configuration
OS10# show running-configuration
...
radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
radius-server retransmit 10
radius-server timeout 10
ip radius source-interface mgmt 1/1/1
...
Delete RADIUS server
OS10# no radius-server host 1.2.4.5
RADIUS over TLS authentication
Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications.
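As an added illustration (not from the guide), the sketch below shows what the MD5-based protection amounts to for RADIUS over UDP, following the User-Password hiding defined in RFC 2865 section 5.2: only the password attribute is masked with MD5 keyed by the shared secret, while the user name travels in clear text. The secret, user name, password, and fixed authenticator are constructed sample values.

```python
"""RADIUS over UDP: what the MD5-based User-Password hiding does and does not cover."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed sample values. A real client uses a random 16-byte authenticator.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
USERNAME = b"netadmin1"
PASSWORD = b"Constructed-Pass-1234"


def _xor(left, right):
    return bytes(a ^ b for a, b in zip(left, right))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        previous = _xor(padded[offset:offset + 16], mask)
        hidden += previous
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: the same MD5 chain recovers the password given the shared secret."""
    clear, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def _attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, username, password, secret, authenticator):
    """Assemble a minimal Access-Request: header, authenticator, two attributes."""
    attributes = _attribute(ATTR_USER_NAME, username) + _attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + authenticator + attributes


def observe(packet):
    """Fields readable on the wire without the shared secret."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    attributes, position = {}, 20
    while position + 2 <= length:
        attr_type, attr_len = packet[position], packet[position + 1]
        if attr_len < 2:
            break
        attributes[attr_type] = packet[position + 2:position + attr_len]
        position += attr_len
    return {"code": code, "authenticator": packet[4:20], "attributes": attributes}


if __name__ == "__main__":
    seen = observe(build_access_request(7, USERNAME, PASSWORD, SECRET, AUTHENTICATOR))
    print("User-Name on the wire    :", seen["attributes"][ATTR_USER_NAME])
    print("User-Password on the wire:", seen["attributes"][ATTR_USER_PASSWORD].hex())
```

Everything outside the User-Password attribute is readable in transit, which is the gap that carrying RADIUS inside TLS closes.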
AAA with TACACS+ authentication
Configure a TACACS+ authentication server by entering the server IP address or host name. You must also enter a text string for the key used to authenticate the OS10 switch on a TACACS+ host. The Transmission Control Protocol (TCP) port entry is optional. TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an authentication server. RADIUS encrypts only passwords.
Delete TACACS+ server
OS10# no tacacs-server host 1.2.4.5
TACACS as Primary Authentication
The AAA authentication configuration must be present as one of the authentication methods. The following error message is displayed when you attempt to configure AAA authentication without first configuring the local authentication method:
% Error: local authentication not configured
After upgrading to 10.5.
● All configuration commands entered from a non-console session with the sysadmin user role are authorized using the configured TACACS+ servers.
OS10(config)# aaa authorization config-commands role sysadmin default group tacacs+
Remove AAA authorization methods
OS10(config)# no aaa authorization commands role sysadmin console
Enable AAA accounting
To record information about all user-entered commands, use the AAA accounting feature — not supported for RADIUS accounting.
Default
AAA accounting is disabled.
Command Mode
CONFIGURATION
Usage Information
You can enable the recording of accounting events in both the syslog and on TACACS+ servers. The no version of the command disables AAA accounting.
Example
OS10(config)# aaa accounting commands all console start-stop logging group tacacs+
Supported Releases
10.4.1.0 or later

aaa authentication login
Configures the AAA authentication method for console, SSH, and Telnet logins.
● console — Configure authorization for console-entered commands.
● default — Configure authorization for non-console-entered commands and commands entered in non-console sessions, such as in SSH and VTY.
● local — Use the local username, password, and role entries configured with the username password role command for command authorization.
● group tacacs+ — Use the TACACS+ servers configured with the tacacs-server host command for command authorization.
tacacs-server host
Configures a TACACS+ server and the key used to authenticate the switch on the server.
Syntax
tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the TACACS+ server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the TACACS+ server.
● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
● key 9 authentication-key — Enter an authentication key in encrypted format. A maximum of 128 characters.
● authentication-key — Enter an authentication in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
Example
OS10(config)# radius-server host 1.5.6.4 tls security-profile radiusadmin key radsec
Supported Releases
10.4.3.0 or later

radius-server retransmit
Configures the number of authentication attempts allowed on RADIUS servers.
Syntax
radius-server retransmit retries
Parameters
retries — Enter the number of retry attempts, from 0 to 10.
Default
An OS10 switch retransmits a RADIUS authentication request three times.
The no version of this command removes the RADIUS server from the management VRF instance.
Example
OS10(config)# radius-server vrf management
OS10(config)# radius-server vrf blue
Supported Releases
10.4.0E(R1) or later

tacacs-server vrf
Creates an association between a TACACS server group and a VRF and source interface.
Syntax
tacacs-server vrf {management | vrf-name}
Parameters
● management — Enter the keyword to associate TACACS servers to the management VRF instance.
ip tacacs source-interface
Specifies the interface whose IP address is used as the source IP address for user authentication with a TACACS+ server.
Syntax
ip tacacs source-interface interface
Parameters
interface:
● ethernet node/slot/port[:subport] — Enter a physical Ethernet interface.
● loopback number — Enter a Loopback interface, from 0 to 16383.
● mgmt 1/1/1 — Enter the management interface.
● port-channel channel-id — Enter a port-channel ID, from 1 to 28.
Secure Boot
OS10 secure boot verifies the authenticity and integrity of the OS10 image. Secure boot protects a system from malicious code being loaded and executed during the boot process. Using secure boot, you can validate the OS10 image during installation and on demand at any time.
After the switch reboots, the system applies the protected version of the startup configuration. If a protected version of the startup configuration file is not available, the system applies the default configuration. You can check the status of the secure boot operation using the show secure-boot status and show secure boot file-integrity-status commands.
Validate the OS10 kernel, system binaries, and startup configuration file
You can validate the OS10 kernel binary image, system binary files, and startup configuration file at system startup and CLI execution using the secure-boot verify command in EXEC mode.
OS10# secure-boot verify {kernel | file-system-integrity | startup-config}
Enable secure boot in BIOS
Refer to the Z9432F-ON platform installation guide to enable secure boot in BIOS.
To validate and install an image using the X.509v3 certificate and OS10 image signature, use the onie-nos-install command during a manual installation. For more information, see Manual installation; for example:
$ onie-nos-install image_url pki signature_filepath certificate_filepath
Or
$ onie-nos-install image_url sha256 signature_filepath
The OS10 image installer verifies the signature of the image files using hash-based authentication or digital signatures (PKI-signed).
OS10 kernel validation fails for both installed OS10 images If kernel validation fails for both installed images, the system enters GRUB mode. Use the secure-boot verify kernel command to check the kernel validation status. To recover from this validation failure: 1. Boot into ONIE. 2. Install a valid OS10 image using the onie-nos-install command. For more information, see Installation using ONIE.
boot protect enable username password Allows you to enable bootloader protection. Syntax boot protect enable username username password password Parameters ● username — Enter the username to provide access to bootloader protection. ● password — Enter a password for the specified username. Default Disabled Command Mode EXEC Usage Information You can enable bootloader protection by executing this command. You can configure a maximum of three username / password pairs for bootloader protection.
Example OS10# show secure-boot pki-certificates
Certificate Key Id : 123
Version Number : 3 (0x2)
Serial Number : 17154672033164819608 (0xee11a353271dfc98)
Signature Algorithm : sha256WithRSAEncryption
Issuer : C=IN, ST=Some-State, L=some-city, O=Internet Widgits Pty Ltd
Validity : Aug 1 11:45:39 2019 GMT - Jul 31 11:45:39 2020 GMT
Certificate Key Id : 124
Version Number : 3 (0x2)
Serial Number : 17154672033164819608 (0xee1
secure-boot grub-key Allows you to switch between standard and auto-generated key options. Syntax secure-boot grub-key {standard | auto-generated} Parameters ● standard — The DELL EMC Networking recommended GPG key is used by GRUB to validate the OS10 kernel. The kernel is signed with the key during build time. ● auto-generated — The GPG keys are generated internally during OS10 installation and this key is used by GRUB to validate the OS10 kernel.
secure-boot revoke key Revokes an installed key. Syntax secure-boot revoke key key-id Parameters key-id — Key number of the installed key that is compromised. Default None Security and Access Sysadmin Command Mode EXEC Usage Information Use this command to revoke an installed key that is compromised. Example OS10# secure-boot revoke key 5 Supported Releases 10.5.1.0 or later
secure-boot protect startup-config Protects the startup config file and its hash value.
Example OS10# secure-boot enable Supported Releases 10.5.1.0 or later
image verify Verifies the OS10 image file using sha256, PKI, or GPG signatures. Syntax image verify image-filepath {sha256 signature signature-filepath | gpg signature signature-filepath | pki signature signature-filepath public-key key-file} Parameters ● image-filepath — Enter the absolute path name of the OS10 image file. ● sha256 signature signature-filepath — Verify the SHA-256 cryptographic hash signature of the image file.
● gpg signature signature-filepath—Verify the GNU privacy guard signature of the image file. ● pki signature signature-filepath public-key key-file—Verify the PKI-signed digital signature of the image file. Default None Security and Access Sysadmin Command Mode EXEC Usage Information This command is available only when you enable secure boot. This command is similar to the image install command.
Switch management access OS10 provides security to all management access through console, Telnet, SSH connections, and SNMP requests. SSH server In OS10, the secure shell server allows an SSH client to access an OS10 switch through a secure, encrypted connection. The SSH server authenticates remote clients using RADIUS challenge/response, a trusted host file, locally-stored passwords, and public keys. Configure SSH server ● The SSH server is enabled by default.
3. Display the SSH public keys in EXEC mode. show crypto ssh-key After you regenerate SSH public keys, disable and re-enable the SSH server to use the new public keys. Restarting the SSH server does not impact current OS10 sessions. RESTCONF API The RESTCONF API allows you to configure and monitor an OS10 switch using HTTP with the Transport Layer Security (TLS) protocol. For more information about the RESTCONF API, see RESTCONF API.
If you log in to the switch after the maximum number of concurrent sessions are active, an error message displays. To log in to the system, close one of your existing sessions. OS10(config)# login concurrent-session limit 4 Too many logins for 'admin'. Last login: Wed Jan 31 20:37:34 2018 from 10.14.1.213 Connection to 10.11.178.26 closed. Current sessions for user admin: Line Location 2 vty 0 10.14.1.97 3 vty 1 10.14.1.97 4 vty 2 10.14.1.97 5 vty 3 10.14.1.
By default, the SSH client CLI command is disabled and users cannot access the ssh command. This command must be performed to enable the SSH CLI. You must execute the no ip ssh client enable command to disable the SSH command. 3. Initiate an SSH session. OS10# ssh 9.1.1.2 This connects to the remote switch at the specified IP address using port-id 22 (the default port-id) and the current session username (the default username).
Parameters None Default Disabled Command Mode CONFIGURATION Usage Information The no version of this command disables the challenge response authentication. Example OS10(config)# ip ssh server challenge-response-authentication Supported Releases 10.3.0E or later
ip ssh server cipher Configures the list of cipher algorithms in the SSH server. Syntax ip ssh server cipher cipher-list Parameters cipher-list — Enter a list of cipher algorithms. Separate entries with a blank space.
Usage Information The no version of this command disables the host-based authentication. Example OS10(config)# ip ssh server hostbased-authentication Supported Releases 10.3.0E or later
ip ssh server kex Configures the key exchange algorithms used in the SSH server. Syntax ip ssh server kex key-exchange-algorithm Parameters key-exchange-algorithm — Enter the supported key exchange algorithms separated by a blank space.
● umac-64@openssh.com
● umac-128@openssh.com
● hmac-md5-etm@openssh.com
● hmac-md5-96-etm@openssh.com
● hmac-ripemd160-etm@openssh.com
● hmac-sha1-etm@openssh.com
● hmac-sha1-96-etm@openssh.com
● hmac-sha2-256-etm@openssh.com
● hmac-sha2-512-etm@openssh.com
● umac-64-etm@openssh.com
● umac-128-etm@openssh.com
Default
● hmac-sha1
● hmac-sha2-256
● hmac-sha2-512
● umac-64@openssh.com
● umac-128@openssh.com
● hmac-sha1-etm@openssh.com
● hmac-sha2-256-etm@openssh.com
● hmac-sha2-512-etm@openssh.
Command Mode CONFIGURATION Usage Information The no version of this command removes the configuration. Example OS10(config)# ip ssh server port 255 Supported Releases 10.3.0E or later
ip ssh server pubkey-authentication Enables public key authentication for the SSH server. Syntax ip ssh server pubkey-authentication Parameters None Default Enabled Command Mode CONFIGURATION Usage Information The no version of this command disables the public key authentication.
Usage Information Use this command to view information about the established SSH sessions.
Example OS10# show ip ssh
SSH Server: Enabled
--------------------------------------------------
SSH Server Ciphers: chacha20-poly1305@openssh.com,aes128-ctr, aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com
SSH Server MACs: umac-64-etm@openssh.com,umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com,umac-64@openssh.com, umac-128@openssh.
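The following added example (not part of the Dell guide) parses captured show ip ssh output, flags negotiable algorithms that a reviewer would normally want removed, and builds an ip ssh server cipher line from the remaining ciphers. The weak-algorithm patterns are an assumed review policy, and the sample output is constructed from the format shown above with one CBC cipher added for illustration.

```python
import re

# Assumed review policy (not taken from the OS10 guide): a name matching one
# of these patterns is reported together with the reason.
WEAK_PATTERNS = [
    (re.compile(r"-cbc$"), "CBC-mode cipher"),
    (re.compile(r"^3des"), "3DES, 64-bit block"),
    (re.compile(r"md5"), "MD5-based MAC"),
    (re.compile(r"sha1"), "SHA-1 based"),
    (re.compile(r"ripemd160"), "RIPEMD-160 MAC"),
    (re.compile(r"^umac-64"), "64-bit MAC tag"),
    (re.compile(r"-96(-|$)"), "MAC truncated to 96 bits"),
]

# A "Label: value" line starts a field; algorithm names never contain ':'
# so wrapped continuation lines do not match.
LABEL = re.compile(r"^([^:,@]+):\s*(.*)$")

# Constructed sample, modelled on the show ip ssh output format.
SAMPLE = """\
SSH Server:              Enabled
--------------------------------------------------
SSH Server Ciphers:      chacha20-poly1305@openssh.com,aes128-ctr,
                         aes192-ctr,aes256-ctr,aes256-cbc,
                         aes128-gcm@openssh.com,aes256-gcm@openssh.com
SSH Server MACs:         umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                         hmac-sha2-256-etm@openssh.com,
                         hmac-sha2-512-etm@openssh.com,
                         hmac-sha1-etm@openssh.com,umac-64@openssh.com
"""


def parse_show_ip_ssh(text):
    """Return {label: [values]} and rejoin lists wrapped over several lines."""
    fields = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or separator rule
        match = LABEL.match(line)
        if match:
            current = match.group(1).strip()
            fields[current] = match.group(2)
        elif current is not None:
            fields[current] += "," + line  # continuation of the previous list
    return {
        label: [item.strip() for item in value.split(",") if item.strip()]
        for label, value in fields.items()
    }


def weaknesses(name):
    """List every policy reason that applies to one algorithm name."""
    return [reason for pattern, reason in WEAK_PATTERNS if pattern.search(name)]


def audit(text):
    """Return (section, algorithm, reasons) for each flagged algorithm."""
    findings = []
    for section, names in parse_show_ip_ssh(text).items():
        for name in names:
            reasons = weaknesses(name)
            if reasons:
                findings.append((section, name, reasons))
    return findings


def hardened_cipher_command(text):
    """Build an 'ip ssh server cipher' line from the ciphers that pass."""
    ciphers = parse_show_ip_ssh(text).get("SSH Server Ciphers", [])
    keep = [c for c in ciphers if not weaknesses(c)]
    # The command takes a space-separated list, as the syntax section states.
    return "ip ssh server cipher " + " ".join(keep) if keep else None


if __name__ == "__main__":
    for section, name, reasons in audit(SAMPLE):
        print(f"{section}: {name} ({'; '.join(reasons)})")
    print(hardened_cipher_command(SAMPLE))
```

Review the generated line against the clients that must still connect before applying it, since removing an algorithm a management station depends on locks that station out.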
○ aes256-gcm@openssh.com Following is the list of additional Ciphers supported in OS10 SSH Client CLI: ○ 3des-cbc ○ aes128-cbc ○ aes192-cbc ○ aes256-cbc ● -l username - (Optional) Enter the session username. If username is not specified, the current session username from which SSH client command is invoked is used to initiate an SSH session. ● -m HMAC-algorithm - (Optional) Enter the supported Host Message Authentication Code algorithm. You can issue multiple HMAC algorithms.
This command is available for all user-roles, but it has to be enabled using the ip ssh client cli enable command, which is accessible only for the sysadmin and secadmin user roles. If you try to invoke the SSH command when the SSH command is disabled, an Unrecognized command error appears.
Example OS10_Switch_1# ssh 9.1.1.2
The authenticity of host '9.1.1.2 (9.1.1.2)' can't be established.
ECDSA key fingerprint is SHA256:43XxebRXcDxO8XBWFHcitZOFv/h43VkRwSyczGWS4Og.
show crypto ssh-key Displays the current host public keys used in SSH authentication. Syntax show crypto ssh-key {rsa | ecdsa | ed25519} Parameters ● rsa — Displays the RSA public key. ● ecdsa — Displays the ECDSA public key. ● ed25519 — Displays the Ed25519 key. Default Not configured Command Mode EXEC Usage Information After you regenerate an SSH server key with a customized bit size, disable and re-enable the SSH server to use the new public keys.
Vsbr6oStnUZMydN5lDs4WE6G3XHEtWbcKrGTeAo1wEF0cenEgRRPzi3SMmYyzAHCCC8wS0 role sysadmin username test sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBqJaDwgBgQX1PPPSEyx +F5DVG2RpBH4Zm1YQApE5YJsKlt6RpeOIT1wnJP/o54p1nCeMu38i7/zCLwuWt3XDVVMoSCb9Za 89hebQ+f6XyNs4aMpyUk5RmuZTXqwnebUUuP3nPw/Y4lKkZJafWx125Ma7IbwfUM5wGdBu76j8m vwsWvNxrnkOsweo7Anp67p8Lsg+KBUsx3q8Fpc986qQfdrcEFOO1WraJR8wzY1mbQw/C+Hm5Ap6 Nr6DoXMWqKdKUr7jfte8ThARYZD8dvZeyzhk3nykYRQ39mqjXnOyEOiDl1e21QUvI1cjcQPDXgF JUrKcc1yPiGUOH5" Supported Releases 10.4.1.
Parameters ● rsa bits — Regenerates the RSA key with the specified bit size: 2048, 3072, or 4096; default 2048. ● ecdsa bits — Regenerates the ECDSA key with the specified bit size: 256, 384, or 521; default 256. ● ed25519 — Regenerates the Ed25519 key with the default bit size.
Example OS10(config)# line vty
OS10(config-line-vty)#
Supported Releases 10.4.0E(R1) or later
ipv6 access-class Filters connections in a virtual terminal line using an IPv6 access list. Syntax ipv6 access-class access-list-name Parameters access-list-name — Enter the access list name. Default Not configured Command Mode LINE VTY CONFIGURATION Usage Information The no version of this command removes the filter.
...
Time-frame for statistics : 25 days
Role changed since last login : false
Failures since last login : 0
Failures in time period : 1
Successes in time period : 14
OS10#
This feature is available only for the sysadmin and secadmin roles. ● Enable the display of login information in CONFIGURATION mode. login-statistics enable To display information about user logins, use the show login-statistics command.
User admin on console used cmd: 'crypto security-profile mltestprofile' - success <110>1 2019-02-14T13:15:21.794529+00:00 OS10 .clish 7412 - - Node.1-Unit.1:PRI [audit], User admin on console used cmd: 'exit' - success <110>1 2019-02-14T13:16:05.882555+00:00 OS10 .clish 7412 - - Node.1-Unit.1:PRI [audit], User admin on console used cmd: 'exit' - success OS10# show logging audit reverse 4 <110>1 2019-02-14T13:16:05.882555+00:00 OS10 .clish 7412 - - Node.1-Unit.
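As an added example (not from the Dell guide), the following parses audit records in the format shown above, decodes the syslog PRI value, and flags commands that change security settings or that did not succeed. The watched command prefixes, the failure result string, and the sample lines are constructed for illustration; the last sample line is deliberately cut short to show how incomplete records are kept for review.

```python
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
# Audit message body as it appears in the show logging audit output.
AUDIT = re.compile(
    r"\[audit\], User (?P<user>\S+) on (?P<origin>.+?) used cmd: "
    r"'(?P<cmd>.*)' - (?P<result>\w+)$"
)

# Assumed watchlist: prefixes of commands that alter the security posture.
WATCHED_PREFIXES = ("crypto ", "secure-boot ", "ip ssh server ", "no ip ssh server ")

# Constructed sample lines; timestamps, the mltest record and the 'failure'
# result are illustrative and not taken from a real switch.
SAMPLE = """\
<110>1 2019-02-14T13:15:02.100000+00:00 OS10 .clish 7412 - - Node.1-Unit.1:PRI [audit], User admin on console used cmd: 'crypto security-profile mltestprofile' - success
<110>1 2019-02-14T13:15:40.200000+00:00 OS10 .clish 7412 - - Node.1-Unit.1:PRI [audit], User admin on console used cmd: 'no ip ssh server pubkey-authentication' - success
<110>1 2019-02-14T13:15:55.300000+00:00 OS10 .clish 7412 - - Node.1-Unit.1:PRI [audit], User mltest on console used cmd: 'crypto cert delete Dell_host1_CA1.pem' - failure
<110>1 2019-02-14T13:16:05.400000+00:00 OS10 .clish 7412 - - Node.1-Unit.1:PRI [audit], User admin on console used cmd: 'exit' - success
<110>1 2019-02-14T13:16:06.500000+00:00 OS10 .clish 7412 - - Node.1-Unit.
"""


def parse_line(line):
    """Parse one audit record; return None if the line is incomplete."""
    header = HEADER.match(line)
    if not header:
        return None
    body = AUDIT.search(header["msg"])
    if not body:
        return None
    try:
        when = datetime.fromisoformat(header["ts"])
    except ValueError:
        return None
    pri = int(header["pri"])
    return {
        "time": when,
        "host": header["host"],
        "facility": pri // 8,   # 13 is the "log audit" facility in RFC 5424
        "severity": pri % 8,    # 6 is informational
        "user": body["user"],
        "origin": body["origin"],
        "cmd": body["cmd"],
        "result": body["result"],
    }


def triage(text):
    """Return (alerts, unparsed): flagged records and lines that did not parse."""
    alerts, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed.append(line)  # keep truncated records for manual review
            continue
        reasons = []
        if record["cmd"].startswith(WATCHED_PREFIXES):
            reasons.append("sensitive command")
        if record["result"] != "success":
            reasons.append("result: " + record["result"])
        if reasons:
            alerts.append({**record, "reasons": reasons})
    return alerts, unparsed


if __name__ == "__main__":
    flagged, rejected = triage(SAMPLE)
    for alert in flagged:
        print(alert["time"].isoformat(), alert["user"], alert["cmd"], alert["reasons"])
    print(len(rejected), "line(s) could not be parsed")
```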
Role last Timeframe User Change Login #Fail #Success -------- ----- ----- -------------admin False 0 1 13 netadmin False 0 0 5 mltest False 0 0 1 Last Login Date/Time -----------------2017-11-02T16:02:44Z 2017-11-02T15:59:04Z 2017-11-01T15:42:07Z Location ---------in (00:00) 1001:10:16:210::4001 OS10# show login-statistics user mltest User : mltest Role changed since last login : False Failures since last login : 0 Time-frame in days : 25 Failures in time period : 0 Successes in time period : 1 Last Logi
X.509v3 concepts Certificate A document that associates a network device with its public key. When exchanged between participating devices, certificates are used to validate device identity and the public key associated with the device. A PKI uses the following certificate types: ● CA certificate: The certificate of a CA that is used to sign host certificates. A CA certificate may be issued by other CAs or be self-signed. A self-signed CA certificate is called a root certificate.
5. Download and install a signed host certificate and private key from an intermediate CA on an OS10 switch. Then install them using the crypto cert install command. After you install the host certificate, OS10 applications use the certificate to secure communication with network devices. The private key is installed in the internal file system on the switch and cannot be exported or viewed. Manage CA certificates OS10 supports the download and installation of public X.
Public Key Algorithm: rsaEncryption Public-Key: (4096 bit)
Delete CA server certificate OS10# crypto ca-cert delete Dell_rootCA1.
--------------------------------------
| Automatically installed CDPs |
--------------------------------------
Example: Install CRL
OS10# crypto crl install home://pki-regression/Network_Solutions_Certificate_Authority.0.crl.pem
Processing file ...
issuer=C=US,O=Network Solutions L.L.C.,CN=Network Solutions Certificate Authority.0.crl.
Locality Name (eg, city) []:San Francisco Organization Name (eg, company) []:Starfleet Command Organizational Unit Name (eg, section) []:NCC-1701A Common Name (eg, YOUR name) [hostname]:S4148-001 Email Address []:scotty@starfleet.com The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set.
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
Host certificate tip When administering a large number of switches, you may choose not to generate a separate CSR on every switch. An alternative to installing a host certificate on each switch in that way is to generate both the private key file and CSR offline; for example, on the CA server. The CSR is signed by the CA, which generates both a certificate and key file.
Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME Netscape Comment: O
Common Name (eg, YOUR name) [hostname]:S4148-001 Email Address []:scotty@starfleet.com The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. NOTE: When using self-signed X.509v3 certificates with Syslog and RADIUS servers, configure the server to accept self-signed certificates. Syslog and RADIUS servers require mutual authentication, which means that the client and server must verify each other's certificates.
Not After : Feb 11 20:10:12 2020 GMT Subject: emailAddress = admin@dell.
Example: Security profile in RADIUS over TLS authentication OS10# show crypto cert -------------------------------------| Installed non-FIPS certificates | -------------------------------------dv-fedgov-s6010-1.
● Generating a CSR and installing a host certificate — see Request and install host certificates.
1. Install a trusted CA certificate.
OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt home://GeoTrust_Universal_CA.crt
OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt
Processing certificate ...
Installed Root CA certificate
CommonName = GeoTrust Universal CA
IssuerName = GeoTrust Universal CA
2.
Remote user authentication with a password When you configure the switch for X.509v3 SSH authentication and remote authentication of users using RADIUS or TACACS+, and when connecting using SSH, the following sequence occurs:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2. Start an RFC 6187 X.509v3 compatible SSH client application, set authentication to smart card or CAC, and make a connection to the OS10 switch.
3. The SSH client application makes the initial connection to the switch, negotiates X.509v3 authentication, and validates the OS10 switch X.509v3 certificate.
4. The SSH client application prompts you to select the required authentication certificate from the CAC or PIV card.
5. The SSH client application prompts you to enter the PIN for the CAC or PIV card.
6.
● If all SSH login attempts present an X.509v3 certificate, disable plain password authentication and SSH public key authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
● If you enable the key-usage-check in the security profile but the user certificates use a different name syntax than the user login names, configure the user certificate details to allow the SSH server to match the user certificate to the account.
Table 93. Security profile settings used by X.509v3 authentication (continued) Security profile setting Description include the client authentication purpose. key-usage-check is disabled by default in security profiles, but Dell Technologies recommends using X509v3 SSH authentication.
3. Configure an X.509v3 security profile.
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
s4048-001-csr.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10# config terminal
OS10(config)# crypto security-profile radius-admin
OS10(config-sec-profile)# certificate s4048-001-csr
OS10(config-sec-profile)# exit
4. Configure the RADIUS over TLS server.
Usage information Example Supported releases When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with each other. OS10 installs a default X.509v3 certificate-key pair to establish secure channels between the peer devices in a cluster. If untrusted devices access the management or data ports on the switch, replace the default certificate-key pair with a custom X.
Installed Root CA certificate CommonName = GeoTrust Universal CA IssuerName = GeoTrust Universal CA Supported releases 10.4.3.0 or later
crypto cdp add Installs a certificate distribution point (CDP) on the switch. Syntax crypto cdp add cdp-name cdp-url Parameters ● cdp-name — Enter a CDP name. ● cdp-url — Enter the HTTP URL used to reach the CDP.
Usage information Example Supported releases When you delete the system's certificate, you also delete the private key. Do not delete a host certificate that is used in a security profile. To display the currently installed host certificate and associated key, use the show crypto cert command. NOTE: A FIPS-compliant and non-FIPS certificate may have the same file name. To delete a FIPS-compliant certificate, you must enter the fips parameter in the command. OS10# crypto cert delete Dell_host1_CA1.
Command mode EXEC Usage information Generate a CSR when you want a CA to sign a host certificate. Generate a self-signed certificate if you do not set up a CA and implement a certificate trust model in your network. If you enter the cert-file option, you must enter all the required parameters, including the local path where the certificate and private key are stored.
● fips — (Optional) Install the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that a FIPS-aware application, such as RADIUS over TLS, uses. If you do not enter fips, the certificate-key pair is stored as a non-FIPS compliant pair.
Usage Information Example Before you use the crypto crl install command, copy a CRL to the home:// or usb:// directory. If you do not enter a CRL filename in the command, you can copy and paste it when prompted. Use the show crypto crl command to view the CRLs that are already installed on the switch. In the show output, the CRLs displayed under Manually installed CRLs are installed using the crypto crl install command. OS10# copy scp:///tftpuser@10.11.178.103:/crl_example_file.
Usage information Create a security profile for a specific application on the switch, such as RADIUS over TLS. A security profile associates a certificate and private key pair using the certificate command. The no form of the command deletes the security profile.
Example OS10# crypto security-profile secure-radius-profile
OS10(config-sec-profile)#
Supported releases 10.4.3.0 or later
peer-name-check Enables peer name checking in a security profile for certificates presented by external devices.
show crypto ca-certs Displays all CA certificates installed on the switch. Syntax show crypto ca-certs [filename] Parameters filename — (Optional) Enter the text filename of a CA certificate as shown in the show crypto ca-certs output. Enter the filename in the format filename.crt. Default Display all installed CA certificates. Command mode EXEC Usage information To delete a CA certificate, use the crypto ca-cert delete command. Enter the filename as shown in the show crypto ca-certs output.
show crypto cdp Displays a list of configured certificate distribution points (CDPs). Syntax show crypto cdp [cdp-name] Parameters ● cdp-name — (Optional) Display more detailed information by entering the CDP name displayed in show crypto cdp output. Default Not configured Command Mode EXEC Usage Information Use the show crypto cdp command to verify the CDPs installed on the switch and display the URL to reach a CDP. OS10 uses the URL to access the CDP and download new CRLs.
Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1 Validity Not Before: Jul 25 19:11:19 2018 GMT Not After : Jul 22 19:11:19 2028 GMT Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e7:81:4b:4a:12:8d:ce:88:e6:73:3f:da:19:03: c6:56:01:19:b2:02:61:3f:5b:1e:3
Example OS10# show crypto crl -------------------------------------| Manually installed CRLs | -------------------------------------COMODO_Certification_Authority.0.crl.pem -------------------------------------| Downloaded CRLs | -------------------------------------- OS10# show crypto crl COMODO_Certification_Authority.0.crl.
When you set the password-less option with X.509v3 authentication, the system authenticates only locally. Configuring remote authentication using RADIUS or TACACS+ has no effect on X.509v3 authentication when using the password-less option. X.509v3 authentication requires an SSH client that supports RFC 6187 X.509v3 SSH authentication. The no version of this command disables the X.509v3 authentication.
Port security Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following sub features that provide added security to the system: 1. MAC address learning limit (MLL) 2. Sticky MAC 3. MAC address movement control Use the port security feature to define the number of workstations that can send traffic through an interface.
● MAC address move violation
MAC address learning limit violation After the number of secure MAC addresses reaches the configured maximum, if an interface receives a frame whose source MAC address differs from all of the learned MAC addresses, the system considers this a MAC address learning limit violation. You can configure MAC address learning limit violation actions.
1. Enter the following command in INTERFACE mode: switchport port-security 2. Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode: mac-learn {limit | no-limit} For the limit keyword, the range is from 1 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.
Permit MAC address movement Use the following command in INTERFACE PORT SECURITY mode: OS10(config-if-port-sec)#mac-move allow MAC address movement configuration example OS10# configure terminal OS10(config)#interface ethernet 1/1/1 OS10(config-if-eth1/1/1)#switchport port-security OS10(config-if-port-sec)#no disable OS10(config-if-port-sec)#mac-learn limit 100 OS10(config-if-port-sec)#mac-move allow Configure MAC address movement violation actions Use the following commands in INTERFACE PORT SECURITY mode:
● To automatically recover interfaces that were error-disabled by a MAC address learning limit violation, use the following command in CONFIGURATION mode: errdisable recovery cause mac-learn-limit-violation ● To automatically recover interfaces that were error-disabled by a MAC address movement violation, use the following command in CONFIGURATION mode: errdisable recovery cause mac-move-violation ● Configure the recovery interval timer to delay the recovery of an error-disabled interface in CON
os10# show mac address-table secure VlanId 10 11 12 MAC Address 4c:76:25:e5:4f:51 4c:76:25:e5:4f:55 4c:76:25:e5:4f:59 static Type static static static Interface port-channel120 ethernet1/1/6 ethernet1/1/7 View the number of secure MAC addresses on the system ● To view the number of secure MAC addresses on the system, use the following command in EXEC mode: show mac address-table count [interface {ethernet slot/port:subport | port-channel number | vlan vlan-id}] View the number of secure MAC addresses on
Interface name : ethernet1/1/1
Port Security :Enabled
Port Status :Error-Disable
Mac-learn limit :1024
MaC-learn-limit-Violation Action :Shutdown
Sticky :Enabled
Mac-move-allow :Not Allowed
Mac-move-violation :shutdown-both
Aging :Disbaled
Total MAC Addresses :10
Secure static MAC Addresses :0
Sticky MAC Addresses :10
Secure Dynamic MAC addresses :0
OS10# show switchport port-security interface port-channel 120
Interface name : port-channel 120
Port Security :Disabled
Port Status : Up
mac-learn limit
Port security commands
clear mac address-table secure Clears sticky and dynamic secure MAC address entries from the MAC address table. Syntax clear mac address-table secure {{dynamic | sticky} {address mac_addr | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel channel-number}} | all} Parameters ● dynamic — Displays secure dynamic MAC address table entries. ● sticky — Displays secure sticky MAC address table entries.
Example OS10(config-if-port-sec)# errdisable recovery cause mac-learn-limit-violation Supported Releases 10.5.1.0 or later
errdisable reset cause Resets the error disabled state of interfaces. Syntax errdisable reset cause {all | mac-learn-limit-violation | mac-move-violation} Parameters ● all — Resets the error disabled state of all interfaces. ● mac-learn-limit-violation — Resets the error disabled state of interfaces that exceeded the maximum number of MAC addresses that it can learn.
mac-learn limit violation Configures MAC address learning limit violation actions. Syntax mac-learn limit violation {drop | forward | log | shutdown} Parameters ● drop — Drops the packet when an interface receives it from a new device after the learning limit is reached. ● forward — Forwards the packet when an interface receives it from a new device after the learning limit is reached.
Parameters ● drop — Drops the received packet when an interface detects the same MAC address that the system has already learned on a different interface. ● log — Displays a log message when an interface detects the same MAC address that the system has already learned on a different interface. ● shutdown-both — Shuts down both interfaces that learned the same MAC address.
show switchport port-security Displays port security information of interfaces. Syntax show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}] Parameters ● interface — Displays the interface type: ○ ethernet node/slot/port[:subport] — Displays the port security information of an Ethernet interface. ○ port-channel channel-number — Displays the port security information of an Ethernet interface, from 1 to 128.
Secure static MAC Addresses Sticky MAC Addresses Secure Dynamic MAC addresses :0 :10 :0 OS10# show switchport port-security interface port-channel 120 Supported Releases Interface name : port-channel 120 Port Security Port Status mac-learning-limit Mac-learn-limit-Violation Action Sticky Mac-move-allow Mac-move-violation Aging Total MAC Addresses Secure static MAC Addresses Sticky MAC Addresses Secure Dynamic MAC addresses :Disabled : Up :1024 :Flood :Enabled :Allowed :shutdown-offending :Disabled :1
The no version of this command disables the port security feature on the system. Example OS10(config)# no switchport port-security Supported Releases 10.5.1.0 or later
sticky Enables sticky MAC address learning or converts existing dynamic MAC addresses as sticky. Syntax sticky Parameters None Default Disabled Command Mode CONFIGURATION-PORT-SECURITY Usage Information This command enables sticky MAC address learning or converts existing dynamic MAC addresses as sticky.
● sticky — Displays secure sticky MAC address table entries. ● address — Displays a specific MAC address table entry. ● vlan vlan-id — Displays all entries based on the VLAN number from the address table, from 1 to 4093. ● interface — Displays the interface type: ○ ethernet node/slot/port[:subport] — Displays the Ethernet interface configuration from the address table. ○ port-channel channel-number — Displays the port-channel interface configuration from the address table, from 1 to 128.
MAC-move-violation Enabled
Interface          Errdisable Cause                        Recovery Time Left (seconds)
--------------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                               30
ethernet1/1/1:2    bpduguard                               1
ethernet1/1/10     bpduguard/mac-learning-limit/mac-move   10
port-channel100    Mac-learning-limit                      50
port-channel128    mac-move                                49
Supported Releases 10.4.2.0 or later
show mac address-table count Displays the number of entries in the MAC address table.
18 OpenFlow Switches implement the control plane and data plane in the same hardware. Software-defined network (SDN) decouples the software (control plane) from the hardware (data plane). A centralized SDN controller handles the control plane traffic and hardware configuration for data plane flows. The SDN controller is the "brain" of an SDN.
The ONOS controller does not encode the DSCP flow entry values that are matched according to the OpenFlow 1.0 specification. Hence, when you install a flow entry in OpenFlow 1.0 that matches the IP DSCP, the ONOS controller sets an incorrect flow-entry encoding value for IP DSCP. OpenFlow logical switch instance In OpenFlow-only mode, you can configure only one logical switch instance. After you enable OpenFlow mode, create a logical switch instance. The logical switch instance is disabled by default.
Flow table
An OpenFlow flow table consists of flow entries. Each flow table entry contains the following fields:
Table 95. Supported fields
Fields          Support
match_fields    Supported
priority        Supported
counters        Supported
instructions    Supported
timeouts        Supported
cookie          Not supported
Group table Not supported
Meter table Not supported
Instructions
Each flow entry contains a set of instructions that execute when a packet matches the entry.
Table 96.
Table 97. Supported action sets (continued)
Action set       Support
decrement TTL    Not supported
set              Supported (selective fields)
qos              Not supported
group            Not supported
output           Supported
Action types
An action type associates with each packet.
Table 98.
Table 99. Supported counters (continued)
Required/Optional   Counter                 Bits   Support
Optional            In-band packet count    64     Not supported
Optional            In-band byte count      64     Not supported
Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
● In the show interface vlan command output, the VLAN octet counters are not displayed accurately.
● If a packet hits two ACL tables, the counter with higher priority statistics gets incremented and the other actions are merged and applied.
Connection setup TCP
Table 103. Supported modes
Modes                        Supported/Not supported
Connection interruption      ● fail-secure-mode—Supported
                             ● fail-standalone-mode—Not supported
TLS encryption               Supported
Multiple controller          Not supported
Auxiliary connections        Not supported
Number of logical switches   One
Supported controllers        REST APIs on
                             ● RYU
                             ● ONOS
Flow table modification messages
Table 104.
Table 105.
Table 106. Supported fields (continued)
Flow match fields               Supported/Not supported
OFPXMT_OFB_TUNNEL_ID = 38       Not supported
OFPXMT_OFB_IPV6_EXTHDR = 39     Not supported
Action structures
Table 107.
Table 108. Supported capabilities (continued)
Capabilities                   Supported/Not supported
OFPC_IP_REASM = 1 << 5         Not supported
OFPC_QUEUE_STATS = 1 << 6      Not supported
OFPC_PORT_BLOCKED = 1 << 8     Not supported
Multipart message types
Table 109.
Table 111. Supported properties (continued)
Property type                         Supported/Not supported
OFPTFPT_WRITE_ACTIONS_MISS = 5        Not supported
OFPTFPT_APPLY_ACTIONS = 6             Supported
OFPTFPT_APPLY_ACTIONS_MISS = 7        Not supported
OFPTFPT_MATCH = 8                     Supported
OFPTFPT_WILDCARDS = 10                Supported
OFPTFPT_WRITE_SETFIELD = 12           Supported
OFPTFPT_WRITE_SETFIELD_MISS = 13      Not supported
OFPTFPT_APPLY_SETFIELD = 14           Supported
OFPTFPT_APPLY_SETFIELD_MISS = 15      Not supported
Group configuration
Table 112.
Flow-removed reasons
Table 115. Supported reasons
Flow-removed reasons        Supported/Not supported
OFPRR_IDLE_TIMEOUT = 0      Supported
OFPRR_HARD_TIMEOUT = 1      Supported
OFPRR_DELETE = 2            Supported
OFPRR_GROUP_DELETE = 3      Not supported
Error types from switch to controller
Table 116.
Consider the case of dynamic learning of flows for bidirectional traffic. Flows are learnt as and when a packet arrives. With dynamic learning in an OpenFlow network, the OpenFlow switch receives a packet that does not match the flow table entries and sends the packet to the SDN controller to process it. The controller identifies the path the packet has to traverse and updates the flow table with a new entry. The controller also decides the caching time of the flow table entries.
iii. Configure the logical switch instance, of-switch-1.
OS10# configure terminal
OS10 (config)# openflow
OS10 (config-openflow)# switch of-switch-1
4. Configure one or more OpenFlow controllers with either IPv4 or IPv6 addresses to establish a connection with the logical switch instance. You can configure up to eight OpenFlow controllers.
OpenFlow commands
controller
Configures an OpenFlow controller that the logical switch instance connects to.
Syntax controller {ipv4 ipv4-address | ipv6 ipv6-address} [port port-number] [security {none|tls}]
Parameters
● ipv4 ipv4-address—Enter ipv4, then the IP address of the controller.
● ipv6 ipv6-address—Enter ipv6, then the IPv6 address of the controller.
● port port-number—Enter the keyword, then the port number, from 1 to 65,535. The default port is 6653.
OS10 (config-openflow-switch)# controller ipv4 10.1.23.12 port 6633
OS10 (config-openflow-switch)# controller ipv4 10.1.99.121 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::1 port 6633
OS10 (config-openflow-switch)# controller ipv6 2025::12 port 6633
Supported Releases 10.4.1.0 or later
dpid-mac-address
Specifies the MAC address bits of the datapath ID (DPID) of the logical switch instance.
OS10 (config-openflow)# in-band-mgmt interface ethernet 1/1/1
OS10 (config-openflow)# no shutdown
Supported Releases 10.4.1.0 or later
max-backoff
Configures the time interval, in seconds, that the logical switch instance waits after requesting a connection with the OpenFlow controller.
Syntax max-backoff interval
Parameters interval—Enter the amount of time, in seconds, that the logical switch instance waits after it attempts to establish a connection with the OpenFlow controller, from 1 to 65,535.
openflow Enters OPENFLOW configuration mode. Syntax openflow Parameters None Default None Command Mode CONFIGURATION Usage Information All OpenFlow configurations are performed in this mode. The no form of this command prompts a switch reload. If you enter yes, the system deletes all OpenFlow configurations and the switch returns to the normal mode after the reload. Example OS10# configure terminal OS10(config)# openflow OS10 (config-openflow)# Supported Releases 10.4.1.
Usage Information NOTE: Only use this command when the logical switch instance is disabled. Use the shutdown command to disable the logical switch instance. After you run this command, enter the no shutdown command to enable the logical switch instance again.
● When you specify negotiate, the switch negotiates versions 1.0 and 1.3 and selects the highest of the versions supported by the controller. The negotiation is based on the hello handshake described in the OpenFlow Specification 1.3.
Supported Releases 10.4.1.0 or later show openflow Displays general OpenFlow switch and the logical switch instance information. Syntax show openflow Parameters None Default None Command Mode EXEC Usage Information None Example OS10# show openflow Manufacturer : DELL Hardware Description : Software Description : Dell Networking OS10-Premium, Dell Networking Application Software Version: 10.4.
Total flows: 1
Flow: 0
Table ID: 0, Table: Ingress ACL TCAM table
Flow ID: 0
Priority: 32768, Cookie: 0
Hard Timeout: 0, Idle Timeout: 0
Packets: 0, Bytes: 0
Match Parameters:
In Port: ethernet1/1/1
EType: 0x800
SMAC: 00:0b:c4:a8:22:b0/ff:ff:ff:ff:ff:ff
DMAC: 00:0b:c4:a8:22:b1/ff:ff:ff:ff:ff:ff
VLAN id: 2/4095
VLAN PCP: 1
IP DSCP: 4
IP ECN: 1
IP Proto: 1
Src Ip: 10.0.0.1/255.255.255.255
Dst Ip: 20.0.0.1/255.255.255.
ethernet1/1/5:4 FIBER ethernet1/1/6 NONE ethernet1/1/7 NONE ethernet1/1/8 COPPER ethernet1/1/9 NONE ethernet1/1/10 NONE ethernet1/1/11 COPPER ethernet1/1/12 COPPER ethernet1/1/13 NONE ethernet1/1/14 NONE ethernet1/1/15 NONE ethernet1/1/16 NONE ethernet1/1/17 NONE ethernet1/1/18 NONE ethernet1/1/19 NONE ethernet1/1/20 NONE ethernet1/1/21 NONE ethernet1/1/22 NONE ethernet1/1/23 NONE ethernet1/1/24 NONE ethernet1/1/25 COPPER ethernet1/1/26 COPPER ethernet1/1/27 NONE ethernet1/1/28 NONE ethernet1/1/29 NONE ethe
Command Mode EXEC
Usage Information None
Example
OS10# show openflow switch
Logical switch name: of-switch-1
Internal switch instance ID: 0
Config state: true
Signal Version: negotiate
Data plane: secure
Max backoff (sec): 8
Probe Interval (sec): 5
DPID: 90:b1:1c:f4:a5:23
Switch Name : of-switch-1
Number of buffers: 0
Number of tables: 1
Table ID: 0
Table name: Ingress ACL TCAM table
Max entries: 1000
Active entries: 0
Lookup count: 0
Matched count: 0
Controllers: 10.16.208.
Supported Releases 10.4.1.0 or later switch Creates a logical switch instance or modifies an existing logical switch instance. Syntax switch logical-switch-name Parameters logical-switch-name—Enter the name of the logical switch instance that you want to create or modify, a maximum of 15 characters. OS10 supports only one instance of the logical switch. Default None Command Mode OPENFLOW CONFIGURATION Usage Information You must configure a controller for the logical switch instance.
Table 117. Modes and CLI commands (continued)
Mode                               Available CLI commands
                                   ● debug tacacs+
LAG INTERFACE CONFIGURATION        LAG is not supported.
LOOPBACK INTERFACE CONFIGURATION   Loopback interface is not supported.
INTERFACE CONFIGURATION            description end exit ip mtu negotiation ntp show shutdown
VLAN INTERFACE CONFIGURATION       VLAN is not supported.
19 Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
An ACL is a filter containing criteria to match (for example, examine internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) packets) and an action to take, such as forwarding or dropping packets at the NPU.
To permit these packets, you must configure an explicit permit statement for the specific hosts or subnetworks with the deny rule having a lower priority to drop the rest of the packets. The deny ip any any and deny ipv6 any any rules are implicit. You do not have to configure them explicitly. MAC ACLs MAC ACLs filter traffic on the header of a packet.
Control-plane ACL qualifiers This section lists the supported control-plane ACL rule qualifiers. NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
Deny second and subsequent fragments
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
Permit all packets on interface
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
L3 ACL rules
Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all others are denied.
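The two fragment ACLs above contain the same rules in a different order. The following Python model is an added example, not Dell code: it evaluates both orders and flags rules that can never match. It assumes first-match evaluation in rule order, that the fragments keyword matches only non-initial fragments (fragment offset other than 0), and the implicit deny at the end; the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    dst: str                  # destination prefix, e.g. "10.1.1.1/32"
    fragments: bool = False   # rule carries the `fragments` keyword


@dataclass(frozen=True)
class Packet:
    dst: str
    frag_offset: int = 0      # 0 = unfragmented packet or first fragment


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every qualifier of the rule."""
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    # Assumption: `fragments` matches only non-initial fragments (offset != 0).
    if rule.fragments and pkt.frag_offset == 0:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, 1-based rule position)."""
    for position, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, position
    return "deny", None       # implicit deny ip any any


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Positions of rules that can never match because a single earlier
    rule already matches every packet they would match."""
    dead = []
    for j, later in enumerate(acl):
        later_net = ipaddress.ip_network(later.dst, strict=False)
        for earlier in acl[:j]:
            earlier_net = ipaddress.ip_network(earlier.dst, strict=False)
            covers_dst = later_net.subnet_of(earlier_net)
            # A rule without `fragments` also covers fragment-only rules.
            covers_frag = (not earlier.fragments) or later.fragments
            if covers_dst and covers_frag:
                dead.append(j + 1)
                break
    return dead


# The two rule orders from the examples above. The source is `any` in both,
# so only the destination and the fragments qualifier are modelled.
DENY_FRAGMENTS = [Rule("deny", "10.1.1.1/32", fragments=True),
                  Rule("permit", "10.1.1.1/32")]
PERMIT_ALL = [Rule("permit", "10.1.1.1/32"),
              Rule("deny", "10.1.1.1/32", fragments=True)]

if __name__ == "__main__":
    # Constructed sample packets: first fragment, later fragment, other host.
    samples = [Packet("10.1.1.1", 0), Packet("10.1.1.1", 185), Packet("10.1.1.2", 0)]
    for name, acl in (("deny-fragments", DENY_FRAGMENTS), ("permit-all", PERMIT_ALL)):
        for pkt in samples:
            print(name, pkt, evaluate(acl, pkt))
        print(name, "shadowed rules:", shadowed_rules(acl))
```

In the second order the deny rule is reported as shadowed, which is why that ACL permits every packet to 10.1.1.1.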
Assign sequence number to filter IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Traffic passes through the filter by filter sequence. Configure the IP ACL by first entering IP ACCESS-LIST mode and then assigning a sequence number to the filter. User-provided sequence number ● Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode.
For example, if you configured the following rules: deny ip 1.1.1.1/24 2.2.2.2/24 deny ip any any Using the no deny ip any any command deletes only the deny ip any any rule. To delete the deny ip 1.1.1.1/24 2.2.2.2/24 rule, you must explicitly use the no deny ip 1.1.1.1/24 2.2.2.2/24 command. NOTE: Wildcard option is not supported. ● You can no longer configure the same ACL rule multiple times using different sequence numbers.
2. Configure an IP address for the interface, placing it in L3 mode in INTERFACE mode. ip address ip-address 3. Apply an IP ACL filter to traffic entering or exiting an interface in INTERFACE mode. ip access-group access-list-name {in | out} Configure IP ACL OS10(config)# interface ethernet 1/1/28 OS10(conf-if-eth1/1/28)# ip address 10.1.2.
Apply ACL rules to access-group and view access-list OS10(config)# interface ethernet 1/1/28 OS10(conf-if-eth1/1/28)# ip access-group abcd in OS10(conf-if-eth1/1/28)# exit OS10(config)# ip access-list acl1 OS10(conf-ipv4-acl)# permit ip host 10.1.1.1 host 100.1.1.1 count Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● The following applications require ACL tables: VLT, iSCSI, L2 ACL, L3 v4 ACL, L3 v6 ACL, PBR v4, PBR v6, QoS L2, QoS L3, FCoE.
Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● You can create either Layer 2 ACL or Layer 3 ACL. You cannot create both the tables at a time. ● In egress L3 IPv4 ACL, the fragment, TCP flags, and DSCP fields are not supported. ● IPv6 user ACL table is not supported. ● In egress ACLs, L2 user table is utilized only for switched packets and L3 user table is utilized only for routed packets. ● In L2 user ACL, Ether type is not supported.
● To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
● To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
● To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
● To permit routes with a mask greater than /20, enter permit x.x.x.
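The ge and le forms above, worked through as an added Python example that is not Dell code. It assumes ge and le are inclusive bounds on the route's mask length (which is how ge 8 le 8 selects only /8), that entries are tried in sequence order with the first match deciding, and that a route matching no entry is denied; the prefixes are constructed sample values and the names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # minimum mask length, inclusive
    le: Optional[int] = None    # maximum mask length, inclusive


def length_bounds(entry: Entry) -> Tuple[int, int]:
    """Mask-length window (low, high) that the entry accepts."""
    net = ipaddress.ip_network(entry.prefix, strict=False)
    if entry.ge is None and entry.le is None:
        return net.prefixlen, net.prefixlen        # exact match only
    low = entry.ge if entry.ge is not None else net.prefixlen
    high = entry.le if entry.le is not None else net.max_prefixlen
    return low, high


def entry_matches(entry: Entry, route: str) -> bool:
    """Route must lie inside the entry's prefix and its mask length
    must fall inside the ge/le window."""
    net = ipaddress.ip_network(entry.prefix, strict=False)
    candidate = ipaddress.ip_network(route, strict=False)
    if candidate.version != net.version:
        return False
    low, high = length_bounds(entry)
    return candidate.subnet_of(net) and low <= candidate.prefixlen <= high


def evaluate(prefix_list: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); (deny, None) if no entry matches."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry_matches(entry, route):
            return entry.action, entry.seq
    return "deny", None          # assumption: implicit deny at the end


# Constructed prefix list using the four forms listed above.
SAMPLE = [
    Entry(5, "deny", "10.0.0.0/8", ge=8, le=8),
    Entry(10, "permit", "10.0.0.0/8", ge=8, le=12),
    Entry(15, "deny", "172.16.0.0/12", le=24),
    Entry(20, "permit", "192.168.0.0/16", ge=20),
]

if __name__ == "__main__":
    for route in ("10.0.0.0/8", "10.16.0.0/12", "10.1.0.0/16",
                  "172.16.5.0/24", "192.168.1.0/24", "192.168.0.0/16"):
        print(route, evaluate(SAMPLE, route))
```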
Table 119. Multiple match commands under a single route-map (continued) Route-map clause deny Prefix list Incoming Route Action permit NO MATCH Continue with next route-map clause. deny MATCH Continue with next route-map clause. deny NO MATCH Continue with next route-map clause. permit MATCH The route is denied. permit NO MATCH Continue with next route-map clause. deny MATCH Continue with next route-map clause. deny NO MATCH Continue with next route-map clause.
○ vlan — Enter the VLAN ID number.
Check match routes
OS10(config)# route-map test permit 1
OS10(conf-route-map)# match tag 250000
OS10(conf-route-map)# set weight 100
Set conditions
There is no limit to the number of set commands per route map, but keep the number of set filters in a route-map low. The set commands do not require a corresponding match command.
● Enter the IP address in A.B.C.D format of the next-hop for a BGP route update in ROUTE-MAP mode.
ACL flow-based monitoring Flow-based monitoring conserves bandwidth by selecting only the required flow to mirror instead of mirroring entire packets from an interface. This feature is available for L2 and L3 ingress traffic. Specify flow-based monitoring using ACL rules. Flow-based monitoring copies incoming packets that match the ACL rules applied on the ingress port and forwards, or mirrors them to another port.
2. Enable flow-based monitoring for the mirroring session in MONITOR-SESSION mode. flow-based enable 3. Define ACL rules that include the keywords capture session session-id in CONFIGURATION mode. The system only considers port monitoring traffic that matches rules with the keywords capture session. ip access-list 4. Apply the ACL to the monitored port in INTERFACE mode.
rows Max rows
------------------------------------------------------------------------------------------------------
0    SYSTEM_FLOW       49   975    1024
1    SYSTEM_FLOW       49   975    1024
2    USER_IPV4_ACL     3    1021   1024
3    USER_L2_ACL       2    1022   1024
4    USER_IPV6_ACL     2    510    512
5    USER_IPV6_ACL     2    510    512
6    FCOE              55   457    512
7    FCOE              55   457    512
8    ISCSI_SNOOPING    12   500    512
9    FREE              0    512    512
10   PBR_V6            1    511    512
11   PBR_V6            1    511    512
------------------------------------------------------------------------------------------------------
Service Pools
---
App                  Allocated pools   App group   Configured rules   Used rows   Free rows   Max rows
------------------------------------------------------------------------------------------------------
USER_L2_ACL_EGRESS   Shared:1          G1          1                  2           254         256
USER_IPV4_EGRESS     Shared:1          G0          1                  2           254         256
USER_IPV6_EGRESS     Shared:2          G2          1                  2           254         256
Known behavior
● On the S4200-ON platform, the show acl-table-usage detail command output lists several hardware pools as available (FREE), but you will see an "ACL CAM table full" warning log when the system
By default, the interval is set to 5 minutes and logs are created every 5 minutes. During this interval, the system continues to examine the packets against the configured ACL rule and permits or denies traffic, but logging is halted temporarily. This value is configurable, and the range is from 1 to 10 minutes. For example, if you have configured a threshold value of 20 and an interval of 10 minutes, after an initial packet match is logged, the 20th packet that matches the ACE is logged.
Example OS10# clear ipv6 access-list counters
Supported Releases 10.2.0E or later
clear mac access-list counters
Clears counters for a specific or all MAC access lists.
Syntax clear mac access-list counters [access-list-name]
Parameters access-list-name — (Optional) Enter the name of the MAC access list to clear counters. A maximum of 140 characters.
Default Not configured
Command Mode EXEC
Usage Information If you do not enter an access-list name, all MAC access-list counters clear.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny udp any any
Supported Releases 10.2.0E or later
deny (IPv6)
Configures a filter to drop packets with a specific IPv6 address.
Syntax deny [protocol-number | icmp | ipv6 | tcp | udp] [A::B | A::B/x | any | host ipv6-address] [A::B | A::B/x | any | host ipv6-address] [capture | count | dscp value | fragment | log]
Parameters
● protocol-number — (Optional) Enter the protocol number identified in the IP header, from 0 to 255.
○ protocol-number — (Optional) MAC protocol number identified in the header, from 600 to ffff. ○ capture — (Optional) Capture packets the filter processes. ○ cos — (Optional) CoS value, from 0 to 7. ○ count — (Optional) Count packets the filter processes. ○ vlan — (Optional) VLAN number, from 1 to 4093. Default Disabled Command Mode MAC-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment.
● A::B/x — Enter the number of bits to match to the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ipv6-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
Parameters ● A::B — (Optional) Enter the source IPv6 address from which the packet was sent and the destination address. ● A::B/x — (Optional) Enter the source network mask in /prefix format (/x) and the destination mask. ● any — (Optional) Set all routes which are subject to the filter: ○ capture — (Optional) Capture packets the filter processes. ○ count — (Optional) Count packets the filter processes. ○ byte — (Optional) Count bytes the filter processes.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# deny tcp any any capture session 1
Supported Releases 10.2.0E or later
deny tcp (IPv6)
Configures a filter that drops TCP IPv6 packets meeting the filter criteria.
Parameters
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits to match to the dotted decimal address.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Example
Supported Releases
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
Usage Information Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports as well as the management port. The no version of this command deletes the IPv4 ACL configuration.
Example
Example (Control-plane ACL)
Supported Releases
Table 120. Special characters supported in regular expression (continued)
Character               Supported/Not supported
Pipe (|)                Supported
Plus (+)                Supported
Caret (^)               Supported; use the caret (^) character to represent the beginning of a new line.
Dollar ($)              Supported
Square brackets ([ ])   Supported
Asterisk (*)            Supported
Dot (.)                 Supported
Backslash (\)           Supported; precede the character with a backslash(\). For example, enter \\.
Example
Supported Release
Usage Information The no version of this command removes the community list.
Example OS10(config)# ip community-list standard STD_LIST deny local-AS
Supported Release 10.3.0E or later
ip community-list standard permit
Creates a standard community list for BGP to permit access.
Syntax ip community-list standard name permit {aa:nn | no-advertise | local-as | no-export | internet}
Parameters
● name — Enter the name of the standard community list used to identify one or more permit groups of communities.
Supported Release 10.3.0E or later ip extcommunity-list standard permit Creates an extended community list for BGP to permit access. Syntax ip extcommunity-list standard name permit {4byteas-generic | rt | soo} Parameters ● name — Enter the name of the community list used to identify one or more permit groups of extended communities. Do not use the term none as the name of the extended community list. ● rt — Enter the route target. ● soo — Enter the route origin or site-of-origin.
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example OS10(config)# ip prefix-list denyprefix deny 10.10.10.2/16 le 30
Supported Release 10.3.0E or later
ip prefix-list permit
Creates a prefix-list to permit route filtering from a specified network address.
Syntax ip prefix-list name permit [A.B.C.
ip prefix-list seq permit
Configures a filter to permit route filtering from a specified prefix list.
Syntax ipv6 prefix-list [name] seq num permit A::B/x [ge | le] prefix-len
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix list.
Example
Supported Release
Parameters
● name — Enter the name of the prefix list.
● num — Enter the sequence list number.
● A.B.C.
Parameters access-list-name — Enter the name of an IPv6 access list. A maximum of 140 characters.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# ipv6 access-list acl6
Supported Release 10.2.0E or later
ipv6 prefix-list deny
Creates a prefix list to deny route filtering from a specified IPv6 network address.
ipv6 prefix-list permit
Creates a prefix-list to permit route filtering from a specified IPv6 network address.
Syntax ipv6 prefix-list prefix-list-name permit {A::B/x [ge | le] prefix-len}
Parameters
● prefix-list-name — Enter the IPv6 prefix-list name.
● A::B/x — Enter the IPv6 address to permit.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example
Supported Release
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the specified prefix-list.
Example OS10(config)# ipv6 prefix-list TEST seq 65535 permit AB10::1/128 ge 30
Supported Release 10.3.0E or later
logging access-list mgmt burst
Configures the burst size for control-plane ACL applied on the management interface.
Syntax [no] logging access-list mgmt burst value
Parameters value—Specify the burst size (maximum tokens), from 1 to 10.
Default Not configured
Command Mode CONFIGURATION CONTROL-PLANE
Usage Information Use this command in the CONTROL-PLANE mode to apply a control-plane ACL. Control-plane ACLs are only applied on the ingress traffic. By default, the control-plane ACL is applied to the front-panel ports. The no version of this command resets the value to the default.
Example
Example (Control-plane ACL)
Supported Releases
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
permit (MAC) Configures a filter to allow packets with a specific MAC address. Syntax permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | count [byte] | cos | vlan] Parameters ● nn:nn:nn:nn:nn:nn — Enter the MAC address. ● 00:00:00:00:00:00 — (Optional) Enter which bits in the MAC address must match. If you do not enter a mask, a mask of 00:00:00:00:00:00 applies.
Example
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# permit icmp any any capture session 1
Supported Releases 10.2.0E or later
permit icmp (IPv6)
Configures a filter to permit all or specific ICMP messages.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
Example OS10(conf-ipv4-acl)# permit ip any any capture session 1
Supported Releases 10.2.0E or later
permit ipv6
Configures a filter to permit all or specific packets from an IPv6 address.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Permit a packet based on the DSCP values, 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Supported Releases 10.2.0E or later
permit udp
Configures a filter that allows UDP packets meeting the filter criteria.
Syntax permit udp [A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [eq | lt | gt | neq | range] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.
Parameters ● A::B — Enter the IPv6 address in hexadecimal format separated by colons. ● A::B/x — Enter the number of bits that must match the IPv6 address. ● any — (Optional) Enter the keyword any to specify any source or destination IP address. NOTE: The control-plane ACL supports only the eq operator. ● host ipv6-address — (Optional) Enter the keyword and the IPv6 address to use a host address only. ● ack — (Optional) Set the bit as acknowledgement.
seq deny
Assigns a sequence number to deny IPv4 addresses while creating the filter.
Syntax seq sequence-number deny [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the ACL for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● host ipv6-address — (Optional) Enter to use an IPv6 host address only.
● capture — (Optional) Enter to capture packets the filter processes.
● count — (Optional) Enter to count packets the filter processes.
● byte — (Optional) Enter to count bytes the filter processes.
● dscp value — (Optional) Enter to deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Enter to use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging.
seq deny icmp Assigns a filter to deny ICMP messages while creating the filter. Syntax seq sequence-number deny icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.C.D — Enter the IPv4 address in dotted decimal format. ● A.B.C.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ipv6 access-list ipv6test
OS10(conf-ipv6-acl)# seq 10 deny icmp any any capture session 1 log
Supported Releases 10.2.0E or later
seq deny ip
Assigns a sequence number to deny IPv4 addresses while creating the filter.
● host ip-address — (Optional) Enter the IPv6 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
● byte — (Optional) Count bytes the filter processes.
● dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
Example
OS10(config)# ip access-list egress
OS10(conf-ipv4-acl)# seq 10 deny tcp any any capture session 1 log
Supported Releases 10.2.
Supported Releases 10.2.0E or later seq deny udp Assigns a filter to deny UDP packets while creating the filter. Syntax seq sequence-number deny udp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.C.
seq deny udp (IPv6)
Assigns a filter to deny UDP packets while creating the filter.
Syntax seq sequence-number deny udp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● protocol-number — (Optional) Enter the protocol number, from 0 to 255.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● capture — (Optional) Capture packets the filter processes.
Supported Releases 10.2.0E or later seq permit (MAC) Assigns a sequence number to permit MAC addresses while creating a filter. Syntax seq sequence-number permit {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | cos | count [byte] | vlan] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing, from 1 to 16777214.
● dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63.
● fragment — (Optional) Use ACLs to control packet fragments.
● log — (Optional) Enables ACL logging. Information about packets that match an ACL rule is logged.
Default Not configured
Command Mode IPV4-ACL
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.C.D — Enter the IPv4 address in dotted decimal format. ● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address. ● any — (Optional) Enter the keyword any to specify any source or destination IP address. ● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
Supported Releases 10.2.0E or later seq permit tcp Assigns a sequence number to allow TCP packets while creating the filter. Syntax seq sequence-number permit tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.
seq permit tcp (IPv6) Assigns a sequence number to allow TCP IPv6 packets while creating the filter. Syntax seq sequence-number permit tcp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A.B.C.D — Enter the IPv4 address in dotted decimal format.
● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ip-address — (Optional) Enter the IPv4 address to use a host address only.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number.
○ neq — Not equal to
○ range — Range of ports, including the specified port numbers.
● ack — (Optional) Set the bit as acknowledgment.
● fin — (Optional) Set the bit as finish—no more data from sender.
● psh — (Optional) Set the bit as push.
● rst — (Optional) Set the bit as reset.
● syn — (Optional) Set the bit as synchronize.
● urg — (Optional) Set the bit as urgent.
● capture — (Optional) Capture packets the filter processes.
● count — (Optional) Count packets the filter processes.
Ingress IPV6 access list aaa on ethernet1/1/2 Egress IPV6 access list aaa on ethernet1/1/2 Example (Control-plane ACL - IP) OS10# show ip access-group aaa-cp-acl Ingress IP access-list aaa-cp-acl on control-plane data mgmt Example (Control-plane ACL - MAC) OS10# show mac access-group aaa-cp-acl Ingress MAC access-list aaa-cp-acl on control-plane data Example (Control-plane ACL - IPv6) OS10# show ipv6 access-group aaa-cp-acl Ingress IPV6 access-list aaa-cp-acl on control-plane data mgmt Supported Relea
Example (IP Out) Example (IPv6 In) Example (IPv6 Out) Example (IP In - Control-plane ACL) Example (IPv6 In - Control-plane ACL) Example (MAC In - Control-plane ACL) Supported Releases OS10# show ip access-lists out Egress IP access list aaaa Active on interfaces : ethernet1/1/1 ethernet1/1/2 seq 10 permit ip any any seq 20 permit tcp any any count (0 packets) seq 30 permit udp any any count bytes (0 bytes) OS10# show ipv6 access-lists in Ingress IPV6 access list bbb Active on interfaces : ethernet1/1
Parameters None Default None Command Mode EXEC Usage Information The hardware pool displays the ingress application groups (pools), the features mapped to each of these groups, and space available in each of the pools. The amount of space required to store a single ACL rule in a pool depends on th The service pool displays the amount of used and free space for each of the features. The number of ACL rules conf displayed in the configured rules column.
Ingress ACL utilization - Pipe 2
Hardware Pools
----------------------------------------------------------------------
Pool ID  App(s)         Used rows  Free rows  Max rows
----------------------------------------------------------------------
0        SYSTEM_FLOW    98         414        512
1        SYSTEM_FLOW    98         414        512
2        SYSTEM_FLOW    98         414        512
3        USER_IPV4_ACL  0          512        512
4        USER_IPV4_ACL  0          512        512
5        FREE           0          512        512
6        USER_IPV6_ACL  0          512        512
7        USER_IPV6_ACL  0          512        512
8        USER_IPV6_ACL  0          512        512
9        USER_L2_ACL    0          512        512
10       USER_L2_ACL    0          512        512
11       FREE           0          5
S6010-ON platform
OS10# show acl-table-usage detail
Ingress ACL utilization
Hardware Pools
-------------------------------------------------------------------
Pool ID  App(s)          Used rows  Free rows  Max rows
-------------------------------------------------------------------
0        SYSTEM_FLOW     49         975        1024
1        SYSTEM_FLOW     49         975        1024
2        USER_IPV4_ACL   3          1021       1024
3        USER_L2_ACL     2          1022       1024
4        USER_IPV6_ACL   2          510        512
5        USER_IPV6_ACL   2          510        512
6        FCOE            55         457        512
7        FCOE            55         457        512
8        ISCSI_SNOOPING  12         500        512
9        FREE            0          512        512
10       PB
Parameters None Default None Command Mode EXEC Usage Information None Example OS10# show control-plane logging access-list mgmt Control plane Management ACL Logging Burst : 2 packets (default) Rate : 2 packets per minute (default) Supported Releases 10.5.2.1 or later show ip as-path-access-list Displays the configured AS path access lists. Syntax show ip as-path-access-list [name] Parameters name — (Optional) Specify the name of the AS path access list.
seq 10 permit 1::1/64
seq 20 deny 2::2/64
Supported Releases 10.3.0E or later
show logging access-list
Displays the ACL logging threshold and interval configuration.
Syntax show logging access-list
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show logging access-list
ACL Logging
Threshold : 10
Interval : 5
Supported Releases 10.4.3.0 or later
Route-map commands
continue
Configures the next sequence of the route map.
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes a match AS path filter.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match as-path pathtest1
Supported Releases 10.3.0E or later
match community
Configures a filter to match routes that have a certain COMMUNITY attribute in their BGP path.
Syntax match community community-list-name [exact-match]
Parameters
● community-list-name — Enter the name of a configured community list.
Default None
Command Mode ROUTE-MAP
Usage Information You can use this command in ROUTE-MAP configuration mode in addition to the other match rules. The no version of this command deletes the match filter.
Example
OS10# configure terminal
OS10(config)# route-map redis-inactive-routes
OS10(config-route-map)# match inactive-path-additive
Supported Releases 10.5.2.0 or later
match interface
Configures a filter to match routes whose next-hop is the configured interface.
match ip next-hop
Configures a filter to match based on the next-hop IP addresses specified in IP prefix lists.
Syntax match ip next-hop prefix-list prefix-list
Parameters prefix-list — Enter the name of the configured prefix list. A maximum of 140 characters.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match ip next-hop prefix-list test100
Supported Releases 10.3.
match metric
Configures a filter to match on a specific value.
Syntax match metric metric-value
Parameters metric-value — Enter a value to match the route metric against, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Example
OS10(conf-route-map)# match metric 429132
Supported Releases 10.2.0E or later
match origin
Configures a filter to match routes based on the origin attribute of BGP.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# match route-type external type-1
Supported Releases 10.3.0E or later
match tag
Configures a filter to redistribute only routes that match a specific tag value.
Syntax match tag tag-value
Parameters tag-value — Enter the tag value to match with the tag number, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the match.
Defaults None
Command Mode ROUTE-MAP
Usage Information In a route map, use this set command to add a list of communities that pass a permit statement to the COMMUNITY attribute of a BGP route sent or received from a BGP peer. Use the set comm-list delete command to delete a community list from a matching route.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set comm-list comlist1 add
Supported Releases 10.4.
set extcomm-list add Add communities in the specified list to the EXTCOMMUNITY attribute in a matching inbound or outbound BGP route. Syntax set extcomm-list extcommunity-list-name add Parameter extcommunity-list-name — Enter the name of an established extcommunity list. A maximum of 140 characters.
Example
OS10(config)# route-map bgp
OS10(conf-route-map)# set extcommunity rt 10.10.10.2:325
Supported Releases 10.3.0E or later
set local-preference
Sets the preference value for the AS path.
Syntax set local-preference value
Parameters value — Enter a number as the LOCAL_PREF attribute value, from 0 to 4294967295.
Default Not configured
Command Mode ROUTE-MAP
Usage Information This command changes the LOCAL_PREF attribute for routes meeting the route map criteria.
Parameters ● type-1 — Adds a route to an existing community. ● type-2 — Sends a route in the local AS. ● external — Disables advertisement to peers. Default Not configured Command Mode ROUTE-MAP Usage Information ● BGP Affects BGP behavior only in outbound route maps and has no effect on other types of route maps. If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence.
set origin
Set the origin of the advertised route.
Syntax set origin {egp | igp | incomplete}
Parameters
● egp — Enter to add to existing community.
● igp — Enter to send inside the local-AS.
● incomplete — Enter to not advertise to peers.
Default Not configured
Command Mode ROUTE-MAP
Usage Information The no version of this command deletes the set clause from a route map.
Example
OS10(conf-route-map)# set origin egp
Supported Releases 10.2.
show route-map Displays the current route map configurations. Syntax show route-map [map-name] Parameters map-name — (Optional) Specify the name of a configured route map. A maximum of 140 characters.
20 Quality of service
Enterprise networks carry various data traffic including voice and video traffic. To efficiently use the available network resources, Quality of Service (QoS) offers several features that help to:
● Allocate sufficient bandwidth for certain types of traffic, such as video traffic.
● Prioritize voice traffic.
● Transfer data reliably.
● Optimize performance.
QoS defines how reliable, available, and efficient a network is. Availability determines the quality of a network.
Different QoS features control the traffic flow parameters, as the traffic traverses a network device from ingress to egress interfaces. Classification To prioritize traffic, you must first classify it. Classification is the process that differentiates one type of traffic from another and categorizes it into different groups. OS10 groups network traffic into different traffic classes, from class 0 to 7 based on various parameters.
ACL-based classification consumes a significant amount of network processor resources. Trust-based classification (CoS and DSCP) classifies traffic in a predefined way without using network processor resources. OS10 implicitly classifies all control traffic such as STP, OSPF, ICMP, and so on, and forwards the traffic to control plane applications. See Control-plane policing for more information. Data traffic classification You can classify the data traffic based on ACL or trust.
3 5 0-4 5-7 4. Apply the map on a specific interface or on system-qos, global level. ● Interface level OS10(conf-if-eth1/1/1)# trust-map dot1p example-dot1p-trustmap-name NOTE: In the interface level, the no version of the command returns the configuration to the system-qos level. If there is no configuration available at the system-qos level, the configuration returns to default mapping.
Table 122. Default DSCP trust map (continued)
DSCP values  Traffic class ID  Color
52-55        6                 Y
56-59        7                 G
60-62        7                 Y
63           7                 R
NOTE: You cannot modify the default DSCP trust map.
User-defined DSCP trust map
You can override the default mapping by creating a user-defined DSCP trust map. All the unspecified DSCP entries map to the default traffic class ID 0 and color G.
Configure user-defined DSCP trust map
1. Create a DSCP trust map.
ACL-based classification Classify the ingress traffic by matching the packet fields using ACL entries. Classify the traffic flows based on QoS-specific fields or generic fields, using IP or MAC ACLs. Create a class-map template to match the fields. OS10 allows matching any of the fields or all the fields based on the match type you configure in the class-map. Use the access-group match filter to match MAC or IP ACLs. You can configure a maximum of four access-group filters in a class-map: ● ● ● ● 802.
or OS10(config)# system qos OS10(config-sys-qos)# trust-map dscp userdef-dscp 3. Create a class-map and attach it to a policy where trust is configured. This example uses 802.1p cos to define the match criteria. You can use dscp or other access group match filters. If the 802.1p traffic matches the defined criteria, the set qos-group 1 command assigns the traffic to TC 1.
For example, in release 10.4.1, the following policy configuration is applied on queue 5, which in 10.4.1 is mapped to ARP_REQ, ICMPV6_RS, ICMPV6_NS, and ISCSI protocols:
policy-map type control-plane test
!
class test
set qos-group 5
police cir 300 pir 300
After upgrade to release 10.4.
Table 124. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
Configure control-plane policing Rate-limiting the protocol CPU queues requires configuring control-plane type QoS policies. ● Create QoS policies, class maps and policy maps, for the desired CPU-bound queue. ● Associate the QoS policy with a particular rate-limit. ● Assign the QoS service policy to control plane queues. By default, the peak information rate (pir) and committed information rate (cir) values are in packets per second (pps) for control plane.
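The effect of a pps policer on a shared CPU queue, as an added example that is not part of the Dell guide: a color-blind two-rate policer in the style of RFC 2698, counted in packets, run over constructed traffic. The queue 5 rates and the protocol names come from the release 10.4.1 example above; the burst sizes, the offered load, queue 6 and its rates, and the rule that only red packets are dropped are assumptions, not OS10 internals.

```python
"""Packet-mode two-rate policer over constructed CPU-bound traffic (illustrative model)."""

US = 1_000_000  # microseconds per second; one packet costs US token units


class Policer:
    """Color-blind two-rate, three-color marker with rates in packets per second."""

    def __init__(self, cir, pir, bc, be):
        self.cir, self.pir = cir, pir          # committed / peak rate, pps
        self.bc, self.be = bc, be              # burst sizes in packets (assumed values)
        self.tc, self.tp = bc * US, be * US    # both buckets start full
        self.last_us = 0

    def color(self, now_us):
        # Refill both buckets for the elapsed time, capped at the burst size.
        dt = now_us - self.last_us
        self.last_us = now_us
        self.tc = min(self.bc * US, self.tc + self.cir * dt)
        self.tp = min(self.be * US, self.tp + self.pir * dt)
        if self.tp < US:
            return "red"        # above the peak rate: dropped (assumption)
        self.tp -= US
        if self.tc < US:
            return "yellow"     # between committed and peak rate
        self.tc -= US
        return "green"          # within the committed rate


def arrivals(flows, duration_s):
    """flows maps protocol -> pps; returns time-sorted (time_us, protocol) events."""
    events = []
    for proto, pps in flows.items():
        gap = US // pps
        events += [(i * gap, proto) for i in range(pps * duration_s)]
    return sorted(events)


def simulate(flows, queue_of, policers, duration_s=5):
    """Send every packet through the policer of the CPU queue its protocol maps to."""
    stats = {p: {"green": 0, "yellow": 0, "red": 0} for p in flows}
    for now_us, proto in arrivals(flows, duration_s):
        stats[proto][policers[queue_of[proto]].color(now_us)] += 1
    return stats


def to_cpu(stats, proto):
    """Packets of one protocol that reach the CPU (green plus yellow)."""
    return stats[proto]["green"] + stats[proto]["yellow"]


# Constructed offered load: one noisy protocol and one low-rate protocol.
FLOWS = {"ARP_REQ": 4000, "ICMPV6_NS": 20}


def shared_queue():
    """Both protocols on queue 5 with 'police cir 300 pir 300'."""
    policers = {5: Policer(cir=300, pir=300, bc=100, be=100)}
    return simulate(FLOWS, {"ARP_REQ": 5, "ICMPV6_NS": 5}, policers)


def remapped_queue():
    """ICMPV6_NS moved to a hypothetical queue 6 with its own 100 pps policer."""
    policers = {5: Policer(300, 300, 100, 100), 6: Policer(100, 100, 100, 100)}
    return simulate(FLOWS, {"ARP_REQ": 5, "ICMPV6_NS": 6}, policers)


if __name__ == "__main__":
    for name, run in (("shared queue 5", shared_queue), ("remapped", remapped_queue)):
        result = run()
        for proto in FLOWS:
            sent = sum(result[proto].values())
            print(f"{name:15} {proto:10} sent={sent:6} to_cpu={to_cpu(result, proto):5}")
```

The policer caps the CPU load in both runs, but in the shared queue the noisy protocol takes almost every token, so the low-rate protocol is dropped along with it; moving it to its own queue restores it without raising the total rate toward the CPU.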
Assign service-policy
Rate controlling the traffic towards CPU requires configuring the control-plane type policy. To enable CoPP, apply the defined policy-map to CONTROL-PLANE mode.
1. Enter CONTROL-PLANE mode from CONFIGURATION mode.
control-plane
2. Define an input type service-policy and configure a name for the service policy in CONTROL-PLANE mode.
1. Create a control-plane type class-map. OS10(config)# class-map type control-plane example-cmap-protocol-queue-remap 2. Apply the match criteria by specifying the names of the protocols or applications. In this example, VRRP is re-mapped to queue 4. OS10(config-cmap-control-plane)# match vrrp NOTE: You cannot configure the same protocols or application groups under multiple class-maps within the same policy-map. 3. Create a control-plane type policy-map and add the class-map to the policy-map.
View CMAP1 configuration
OS10# show class-map type control-plane example-copp-class-map-name
Class-map (control-plane): example-copp-class-map-name (match-any)
View CoPP service-policy
OS10# show policy-map type control-plane
Service-policy(control-plane) input: example-copp-policy-map-name
Class-map (control-plane): example-copp-class-map-name
set qos-group 2
police cir 100 bc 100 pir 100 be 100
View CoPP information
OS10# show control-plane info
Queue Min Rate Limit(in pps) Max Rate Limit(in pps) Protocol
Marking Traffic After you classify the ingress traffic, you can set the value or change an existing value (remarking) for CoS or DSCP. Marking sets the IP precedence or IP DSCP value for traffic at ingress. The switch then uses the new marking to process the traffic. Traffic class IDs identify the traffic flow when the traffic reaches egress for queue scheduling. Mark traffic 1. Create a QoS type class-map to match the traffic flow. OS10(config)# class-map cmap-cos3 OS10(config-cmap-qos)# match cos 3 2.
2. Define the set of traffic class values mapped to a queue.
OS10(config-qos-map)# queue 3 qos-group 0-3
NOTE: For the Z9332F-ON platform, you must specify the type of queue. For example:
OS10(config-qos-map)# queue 3 qos-group 0-3 type ucast
3. Verify the map entries.
OS10# show qos maps type tc-queue
Traffic-Class to Queue Map: tc-q-map
Queue Traffic-Class
--------------------------
3 0-3
4. Apply the map on a specific interface or on a system-QoS global level.
2. Create a QoS type policy-map to define a policer.
OS10(config)# policy-map example-interface-policer
OS10(config-pmap-qos)# class example-cmap-all-traffic
OS10(config-pmap-c-qos)# police cir 4000 pir 6000
3. Apply the QoS type policy-map to an interface.
OS10(config)# interface ethernet 1/1/14
OS10(conf-if-eth1/1/14)# service-policy input type qos example-interface-policer
Flow rate policing controls the rate of flow of traffic.
Configure flow rate policing
1.
1. Create a QoS type class-map to match a traffic flow. OS10(config)# class-map cmap-dscp-3 OS10(config-cmap-qos)# match ip dscp 3 2. Modify the policy-map to update the DSCP field. OS10(config)# policy-map modify-dscp OS10(config-pmap-qos)# class cmap-dscp-3 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set dscp 10 Shaping traffic Shaping allows you to control the speed of traffic that goes out of an interface.
3. Return to CONFIGURATION mode. exit 4. Create a queuing type policy-map and configure a policy-map name in CONFIGURATION mode. policy-map type queuing example-que-pmap-name 5. Configure a queuing class in POLICY-MAP mode. class example-que-cmap-name 6. Assign a bandwidth percent, from 1 to 100 to nonpriority queues in POLICY-MAP-CLASS-MAP mode.
3. Set the scheduler as strict priority in POLICY-MAP-CLASS-MAP mode. priority Apply policy-map 1. Apply the policy-map to the interface in INTERFACE mode or all interfaces in SYSTEM-QOS mode. system qos OR interface ethernet node/slot/port[:subport] 2. Enter the output service-policy in SYSTEM-QOS mode or INTERFACE mode.
● Destination MAC address—6 bytes
● Source MAC address—6 bytes
● Ethernet type/length—2 bytes
● Payload—variable
● Cyclic redundancy check—4 bytes
● Inter-frame gap—variable
The rate adjustment feature is disabled by default. To enable rate adjustment, use the qos-rate-adjust value_of_rate_adjust command. For example:
qos-rate-adjust 8
If you have configured WDRR and shaping on a particular queue, the queue can become congested.
2. Create policy-maps to define the policies for the classified traffic flows.
NOTE: For Underlay, Overlay VXLAN configuration, see the VXLAN chapter. The network ports and access ports must be VLAN-tagged interfaces for QoS settings to be applied based on dot1p priority. S1 Switch 1. Configure trust map with different dot1p priority values mapped to different traffic classes (queues).
S2 Switch 1. Configure trust map with different dot1p priority values mapped to different traffic classes (queues). OS10# configure terminal OS10(config)# trust dot1p-map TRUST_DOT1P_MAP OS10(config-tmap-dot1p-map)# qos-group 0 dot1p 0 OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 3 OS10(config-tmap-dot1p-map)# end 2. Configure queuing at egress with bandwidth allocation of 65% for queue 3.
OS10(config-tmap-dot1p-map)# qos-group 3 dot1p 3 OS10(config-tmap-dot1p-map)# end 2. Configure queuing at egress with bandwidth allocation of 65% for queue 3. OS10# configure terminal OS10(config)# class-map type queuing CM_QUEUING_Q3 OS10(config-cmap-queuing)# match queue 3 OS10(config-cmap-queuing)# exit OS10(config)# policy-map type queuing PM_QUEUING OS10(config-pmap-queuing)# class CM_QUEUING_Q3 OS10(config-pmap-c-que)# bandwidth percent 65 OS10(config-pmap-c-que)# end 3.
OS10(config)# policy-map type queuing PM_QUEUING OS10(config-pmap-queuing)# class CM_QUEUING_Q3 OS10(config-pmap-c-que)# bandwidth percent 65 OS10(config-pmap-c-que)# end 3. Apply the dot1p trust map and queuing configuration at the system-qos level (global configuration).
0 1 2 3 4 5 6 7 0 0 0 101810039 0 0 0 0 0 0 0 26063369984 0 0 0 0 0 0 0 0 0 0 0 0 OS10# show queuing statistics interface ethernet Interface ethernet1/1/2 Queue Packets Bytes Dropped-Packets 0 46890036 12191361537 0 1 0 0 0 2 0 0 0 3 0 0 0 4 0 0 0 5 0 0 0 6 0 0 0 7 0 0 0 0 0 0 0 0 0 0 0 1/1/2 Dropped-Bytes 0 0 0 0 0 0 0 0 Example 2: Traffic classification and bandwidth allocation in VXLAN topology using CoS value on access ports and DSCP value on network ports This example describes how to configure Q
NOTE: For Underlay, Overlay VXLAN configuration, see the VXLAN chapter. L1 Switch 1. Configure class map and policy map for access port. Traffic with a CoS value of 3 is matched, assigned to qos-group 3, and marked with a DSCP value of 24.
OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 3. Configure queuing at egress with a bandwidth allocation of 65% for queue 3. OS10(config)# class-map type queuing CM_QUEUING_Q3 OS10(config-cmap-queuing)# match queue 3 OS10(config-cmap-queuing)# exit OS10(config)# policy-map type queuing PM_QUEUING OS10(config-pmap-queuing)# ! OS10(config-pmap-queuing)# class CM_QUEUING_Q3 OS10(config-pmap-c-que)# bandwidth percent 65 OS10(config-pmap-c-que)# exit OS10(config-pmap-queuing)# exit 4.
OS10(config)# policy-map type qos PM_QOS_NETWORK_PORT OS10(config-pmap-qos)# ! OS10(config-pmap-qos)# class CM_QOS_MATCH_DSCP24 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set cos 3 OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 3. Configure queuing at egress with a bandwidth allocation of 65% for queue 3.
2. Configure class map and policy map for the network port. Traffic with a DSCP value of 24 is matched, assigned to qos-group 3, and marked with a CoS value of 3.
OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# set dscp 24 OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 2. Configure class map and policy map for the network port. Traffic with a DSCP value of 24 is matched, assigned to qos-group 3, and marked with a CoS value of 3.
S1 Switch 1. Configure class map and policy map for the access port. Traffic with a DSCP value of 24 is matched and assigned to qos-group 3. OS10(config)# class-map type qos CM_QOS_MATCH_DSCP24 OS10(config-cmap-qos)# match ip dscp 24 OS10(config-cmap-qos)# exit OS10(config)# policy-map type qos PM_QOS_LEAF_PORT OS10(config-pmap-qos)# class CM_QOS_MATCH_DSCP24 OS10(config-pmap-c-qos)# set qos-group 3 OS10(config-pmap-c-qos)# exit OS10(config-pmap-qos)# exit 2.
3. Apply the queuing policy globally in the system-qos mode. OS10(config)# system qos OS10(config-sys-qos)# show configuration OS10(config-sys-qos)# service-policy output type queuing PM_QUEUING OS10(config-sys-qos)# exit 4. Apply QoS configuration on the leaf node-facing ports.
6 7 0 0 0 0 0 0 0 0 OS10# show queuing statistics interface ethernet 1/1/2 Interface ethernet1/1/2 Queue Packets Bytes Dropped-Packets Dropped-Bytes 0 55 4857 0 0 1 0 0 0 0 2 0 0 0 0 3 57904965 14823671040 0 0 4 0 0 0 0 5 0 0 0 0 6 0 0 0 0 7 0 0 0 0 ● Leaf node-facing port of S1 switch: OS10# show queuing statistics interface ethernet Interface ethernet1/1/21 Queue Packets Bytes Dropped-Packets 0 1711761863 519748332392 0 1 0 0 0 2 0 0 0 3 1143474565 345329318630 0 4 0 0 0 5 0 0 0 6 0 0 0 7 0 0 0 1/1/
● Reserved buffer—The system reserves a dedicated amount of buffer to a port or a priority group (at ingress) and a port or a queue (at egress). ● Shared buffer—Is the total available buffer space minus the reserved buffer space. Shared buffer is used for CPU control traffic and is dynamically allocated to the ports when memory space is needed. ● Alpha value—Is a configurable value from 0 to 10 that determines the dynamic shared buffer threshold, and maintains dynamic buffer space during congestion events.
Table 127. Default ingress buffers on the S4100-ON series platform
Speed                                10G  25G  40G  50G  100G
Reserved buffers for PG 7 (default)  9KB  9KB  9KB  9KB  9KB
The following lists the link-level flow control (LLFC) buffer settings for default priority group 7:
Table 128.
Table 130. Default egress buffers on the S4100-ON series platform
Speed                                                10G         25G         40G         50G         100G
Reserved buffers for each queue of a port (default)  1664 bytes  1664 bytes  1664 bytes  1664 bytes  1664 bytes
The default dynamic shared buffer threshold is 8.
1. Create a queuing type class-map to match the queue.
OS10(config)# class-map type queuing example-cmap-eg-buffer
OS10(config-cmap-queuing)# match queue 1
2.
Configure Deep Buffer mode By default, Deep Buffer mode is disabled. To configure Deep Buffer mode on a switch, enable the mode, save the configuration, and reload the switch for the feature to take effect. NOTE: Disable all the network QoS configurations; for example, PFC and LLFC, before configuring the Deep Buffer mode. To configure Deep Buffer mode: 1. Enable Deep Buffer mode in CONFIGURATION mode.
Congestion avoidance Congestion avoidance anticipates and takes necessary actions to avoid congestion. The following mechanisms avoid congestion: ● Tail drop—Packets are buffered at traffic queues. When the buffers are exhausted or reach the configured threshold, excess packets drop. By default, OS10 uses tail drop for congestion avoidance. ● Random early detection (RED)—In tail drop, different flows are not considered in buffer utilization.
2. Configure WRED threshold parameters for different colors in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 300 drop-probability 40
3. Configure the exponential weight value for the WRED profile in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect weight 4
4. Configure the ECN threshold parameters in WRED CONFIGURATION mode.
OS10(config-wred)# random-detect ecn minimum-threshold 100 maximum-threshold 300 drop-probability 40
5.
RoCE for faster access and lossless connectivity Remote Direct Memory Access (RDMA) enables memory transfers between two computers in a network without involving the CPU of either computer. RDMA networks provide high bandwidth and low latency without appreciable CPU overhead for improved application performance, storage and data center utilization, and simplified network management. RDMA was traditionally supported only in an InfiniBand environment.
○ If the network is non-VLAN tagged, use the trust-map dscp default command or the user-defined trust-map dscp configuration. OS10 (config)# system qos OS10 (config-sys-qos)# trust-map dot1p default 5. Create a network-qos type class-map and policy-map for priority flow control (PFC). This configuration fine tunes the buffer settings for the particular priority.
7. Create a QoS map for ETS to map the lossy and lossless traffic to the respective queues. OS10 (config)# qos-map traffic-class 2Q OS10(config-qos-map)# queue 0 qos-group 0-2, 4-7 OS10(config-qos-map)# queue 3 qos-group 3 NOTE: On the Z9332F-ON platform, you must also specify the type of queue, whether it is a unicast or multicast queue.
e. Apply the qos-map for ETS configurations on the interface. OS10 (conf-if-eth1/1/1)# qos-map traffic-class 2Q f. Enable PFC on the interface. OS10 (conf-if-eth1/1/1)# priority-flow-control mode on ● For RoCEv2 (tagged L3 traffic): a. Create a VLAN. OS10(config)# interface vlan 55 OS10(conf-if-vl-55)# no shutdown b. Enter INTERFACE mode and enter the no shutdown command. OS10 (config)# interface ethernet 1/1/1 OS10 (conf-if-eth1/1/1)# no shutdown c.
● To view the PFC configuration, operational status, and statistics on the interface, use the show interface interface-name priority-flow-control details command: OS10(config)# show interface ethernet 1/1/15 priority-flow-control details ● To view the ECN markings on an interface, use the show queuing statistics interface interface-name wred command: OS10# show queuing statistics interface ethernet 1/1/1 wred ● To view any egress packet loss, use the show queuing statistics command: NOTE: There should not b
The following examples show each device in this network and their respective configuration: SW1 configuration VXLAN configuration — SW1 OS10# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# ip address 1.1.1.1/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 8.8.8.
OS10(config)# configure terminal OS10(config)# nve OS10(conf-nve)# source-interface loopback 1 OS10(conf-nve)# exit OS10(config)# virtual-network 5 OS10(conf-vn-5)# vxlan-vni 1000 OS10(conf-vn-vxlan-vni)# remote-vtep 2.2.2.
WRED and ECN configuration — SW1 OS10# configure terminal OS10(config)# wred w1 OS10(config-wred)# random-detect ecn OS10(config-wred)# random-detect color green minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# exit OS10(config)# class-map type queuing cq OS
OS10(config-router-ospf-1)# router-id 9.9.9.
OS10(config)# policy-map type network-qos llfc OS10(config-pmap-network-qos)# class llfc OS10(config-pmap-c-nqos)# pause buffer-size 120 pause-threshold 50 resume-threshold 12 OS10(config-pmap-c-nqos)# end OS10# configure terminal OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/31,1/1/32 OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol transmit on OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol receive on OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# service-policy input typ
VXLAN configuration — VLT peer 2 OS10(config)# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# ip address 5.5.5.3/24 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 2.2.2.2/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 10.10.10.
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# service-policy input type network-qos p5 OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# trust-map dot1p t1 OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# end LLFC configuration — VLT peer 2 Instead of PFC, you can configure LLFC as follows: OS10# configure terminal OS10(config)# class-map type network-qos llfc OS10(config-cmap-nqos)# match qos-group 0-7 OS10(config-cmap-nqos)# exit OS10(config)# policy-map type network-qos llfc OS10(config-pmap-network-qos)#
NOS# NOS# configure terminal NOS(config)# interface ethernet 1/1/3 NOS(conf-if-eth1/1/3)# switchport mode trunk NOS(conf-if-eth1/1/3)# switchport trunk allowed vlan 200 NOS(conf-if-eth1/1/3)# end NOS# NOS# configure terminal NOS(config)# interface port-channel 2 NOS(conf-if-po-2)# switchport mode trunk NOS(conf-if-po-2)# switchport trunk allowed vlan 200 NOS(conf-if-po-2)# end PFC configuration — ToR device NOS# configure terminal NOS(config)# trust dot1p-map t1 NOS(config-tmap-dot1p-map)# qos-group 0 dot1p
NOS(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 NOS(config-wred)# exit NOS(config)# class-map type queuing cq NOS(config-cmap-queuing)# match queue 5 NOS(config-cmap-queuing)# exit NOS(config)# policy-map type queuing pq NOS(config-pmap-queuing)# class cq NOS(config-pmap-c-que)# random-detect w1 NOS(config-pmap-c-que)# end NOS# configure terminal NOS(config)# interface range ethernet 1/1/1,1/1/2,1/1/3 NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontro
● Detecting microburst congestions ● Monitoring buffer utilization and historical trends ● Determining optimal sizes and thresholds for the ingress or egress shared buffers and headroom on a given port or queue based on real-time data NOTE: BST is not supported on the S4248F-ON platforms. After you disable BST, be sure to clear the counter using the clear qos statistics type buffer-statistics-tracking command.
Eth 1/1/22 0 0, 1 0, 2 down Eth 1/1/23 0 0, 1 0, 2 down Eth 1/1/24 0 0, 1 0, 2 down Eth 1/1/25 3 0, 1 1, 3 up Eth 1/1/26 3 0, 1 1, 3 down Eth 1/1/27 3 0, 1 1, 3 down Eth 1/1/28 3 0, 1 1, 3 down Eth 1/1/29 0 0, 1 0, 2 down Eth 1/1/30 0 0, 1 0, 2 down Eth 1/1/31 0 0, 1 0, 2 down Eth 1/1/32 0 0, 1 0, 2 down Eth 1/1/33 1 2, 3 0, 2 up Eth 1/1/34 2 2, 3 1, 3 up View information for a single interface: OS10# show qos port-map details interface ethern
Eth 1/1/16
Eth 1/1/17:1
Eth 1/1/19:1
Eth 1/1/19:2
Eth 1/1/19:3
Eth 1/1/19:4
Eth 1/1/21:1
Eth 1/1/21:2
Eth 1/1/21:3
Eth 1/1/21:4
Eth 1/1/23
Eth 1/1/24
Eth 1/1/25:1
Eth 1/1/25:2
Eth 1/1/25:3
Eth 1/1/25:4
Eth 1/1/27:1
Eth 1/1/27:2
Eth 1/1/27:3
Eth 1/1/27:4
Eth 1/1/29:1
Eth 1/1/29:2
Eth 1/1/29:3
Eth 1/1/29:4
Eth 1/1/31
Eth 1/1/32
View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface      Port Pipe    Ingress MMU    Egress MMU    Oper Status
--------------------------------------------------------------------------
Eth 1/1/1:1    0            0, 1           0, 2          up

View information for a single interface:
OS10# show qos port-map details interface ethernet 1/1/1
--------------------------------------------------------------------------
Interface Po
The topology consists of two VTEPs with VTEP IPs 100.1.1.1 and 200.1.1.1 respectively. The VTEPs are connected with the Spine node via L3 direct uplinks. Each VTEP has two hosts connected to the access ports, which are part of VLAN 10 and 20 respectively. These two access ports are configured to be part of virtual-network 100 in the VTEP.
Use Case 2: QoS Policy to match incoming VLAN and set dot1p priority
Create a class map to match the VLAN in the incoming traffic and a policy map to set a dot1p priority of 5, and apply the policy map on the incoming access ports.
Create a class map to match the VLAN in the incoming traffic and a policy map to set a DSCP value of 30 and the desired outgoing queue number, and apply the policy map on the incoming access ports. This use case describes the access-to-network flow.
Use Case 6: QoS Policy to match incoming DSCP and set new DSCP and outgoing Queue
Create a class map to match the DSCP value in the incoming traffic and a policy map to set a new DSCP value of 30, a dot1p value of 6, and the desired outgoing queue number 6, and apply the policy map on the incoming access ports.
Dell# show running-config interface ethernet1/1/1
!
interface ethernet1/1/1
 no shutdown
 switchport mode trunk
 service-policy input type qos match_dscp_set_dscp_queue

The incoming traffic on port 1/1/1 is IP traffic with VLAN 10 and dot1p 3 in the VLAN header and a DSCP value of 3 in the IP header. The policy map match_dscp_set_dscp_queue is applied on the interface. This results in the following: the encapsulated traffic flowing out of port 1/1/3 has a DSCP value of 30 and leaves through queue 6.
class match_dscp_set_dscp_queue
 set dscp 3
 set cos 6
 set qos-group 6

Dell# show running-config interface ethernet1/1/3
!
interface ethernet1/1/3
 no shutdown
 switchport mode trunk
 service-policy input type qos match_dscp_set_dscp_queue

The incoming encapsulated traffic arriving on port 1/1/3 has a DSCP value of 30 in the outer IP header. This DSCP value is matched in the class map. The policy map match_dscp_set_dscp_queue is applied on the network port.
Topology Description
This topology consists of two VTEPs and a spine node to which the VTEP nodes are connected. The two VTEPs are as follows:
● VTEP 1 – VLT VTEP consisting of a primary node and secondary node with VTEP IP as 31.1.1.1.
● VTEP 2 – Standalone node with VTEP IP as 32.1.1.1.
Each VTEP consists of a VRF (VRF GREEN) with two VNs in the VRF. Each VN is mapped to a corresponding Port-VLAN combination in the VTEP. In case of VTEP1, hosts are connected to the corresponding VLAN through the VLT LAG.
To enable routing between virtual networks over a VxLAN domain, each virtual network needs to be configured with an IRB interface. This IRB interface consists of the IP address and the anycast addresses. These addresses correspond to the virtual network and the VRF of which the virtual network is a part. Both IPv4 and IPv6 addresses are supported for virtual-network interfaces.
Remote-VTEP 32.1.1.1 Router's-MAC 00:bb:bb:bb:bb:bb
VTEP-1-VLT-PRI#

QoS configurations
The following section describes the QoS configurations. The example matches dot1p priority 3 in the incoming traffic and sets a DSCP value of 5 for the mapped traffic.

VTEP 1 to VTEP2
VTEP-1 (VLT Primary) - ACCESS to Network - Match dot1p set DSCP
Create a class map and add a match rule to map dot1p priority 3.
Apply the policy map to the ingress interface.
VTEP-1-VLT-SEC(config)# interface ethernet 1/1/25:1
VTEP-1-VLT-SEC(conf-if-eth1/1/25:1)# service-policy input type qos PMAP1
VTEP-1-VLT-SEC(conf-if-eth1/1/25:1)#
Verify the configurations.
interface ethernet1/1/1:1
 no shutdown
 no switchport
 ip address 11.1.1.4/31
 flowcontrol receive on
 mtu 9216
 service-policy input type qos PMAP1

VTEP 2 to VTEP1
For traffic in the reverse direction, from VTEP-2 to VTEP-1, the following example matches one DSCP value and sets another DSCP value on the traffic in the ingress VTEP (VTEP-2), and then matches the incoming DSCP value and sets a dot1p value in the egress VTEP (VTEP-1).
QoS commands

bandwidth
Assigns a percentage of weight to the queue.
Syntax bandwidth percent value
Parameters percent value — Enter the percentage assignment of bandwidth to the queue, from 1 to 100.
Default Not configured
Command Mode POLICY-MAP CLASS-MAP
Usage Information If you configure this command, you cannot use the priority command for the class.
Example OS10(config-pmap-c-que)# bandwidth percent 70
Supported Releases 10.2.
Usage Information If you define a class-map under a policy-map, the qos, queuing, or control-plane type is the same as the policy-map. You must create this map in advance. The only exception to this rule is when the policy-map type is trust, where the class type must be qos.
Example OS10(conf-pmap-qos)# class c1
Supported Releases 10.2.0E or later

class-map
Creates a QoS class-map that filters traffic to match packets to the corresponding policy created for your network.
clear qos statistics type
Clears all queue counters, including PFC, for control-plane, qos, and queueing.
Syntax clear qos statistics type {{qos | queuing | control-plane | buffer-statistics-tracking} [interface ethernet node/slot/port[:subport]]}
Parameters
● qos—Clears qos type statistics.
● queuing—Clears queueing type statistics.
● control-plane—Clears control-plane type statistics.
● buffer-statistics-tracking—Clears the peak buffer usage count statistics on all interfaces and service pools.
control-plane-buffer-size
Configures the buffer size for the CPU pool.
Syntax control-plane-buffer-size size-of-buffer-pool
Parameters size-of-buffer-pool—Enter the buffer size in KB, from 620 KB to 900 KB.
Default None
Command Mode SYSTEM-QOS
Usage Information This command configures the buffer size of the CPU pool. The system allocates a buffer size for the CPU pool from the total system buffer.
Usage Information Applicable only for the S4200-ON series switches. Deep Buffer mode configuration takes effect only after you save it in the startup configuration and reboot the switch. The no version of this command disables Deep Buffer mode.
Example OS10(config)# hardware deep-buffer-mode
Supported Releases 10.4.3.0 or later

match
Configures match criteria for the QoS policy.
Supported Releases 10.2.0E or later

match cos
Matches a class of service (CoS) value to L2 dot1p packets.
Syntax match [not] cos cos-value
Parameters
● cos-value — Enter a CoS value, from 0 to 7.
● not — Enter not to cancel the match criteria.
Default Not configured
Command Modes CLASS-MAP
Usage Information You cannot have two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
● ipv6 — Enter to use IPv6 as the match precedence rule.
● ip-any — Enter to use both IPv4 and IPv6 as the match precedence rule.
● precedence precedence-list — Enter a precedence-list value, from 0 to 7.
Default Not configured
Command Mode CLASS-MAP
Usage Information You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
Parameters size — Enter the size of the buffer (1500 to 9216).
Default 9216
Command Mode POLICY-MAP-CLASS-MAP
Usage Information The no version of this command returns the value to the default.
Example OS10(conf-pmap-nqos-c)# mtu 2500
Supported Releases 10.3.0E or later

pause
Enables a pause based on buffer limits for the port to start or stop communication to the peer.
Parameters cos-value — Enter a single, comma-delimited, or hyphenated range of CoS values for priority flowcontrol to enable, from 0 to 7.
NOTE: The range 0-7 is invalid. All other ranges, including 0-6 and 1-7 are valid.
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information To configure link-level flow-control, do not configure pfc-cos for the matched class for this policy.
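The constraints stated in the entries above (bandwidth and priority cannot share a class, a second match statement of the same filter-type overwrites the first, and pfc-cos takes CoS values 0 to 7 but not the range 0-7) can be checked before a configuration is pushed. The following is an added example, not part of the Dell guide; the function names, the sample configuration, and the reading of "filter-type" as the keyword after match are assumptions.

```python
import re

# Address-family qualifiers that may precede the filter keyword in a match line.
MATCH_QUALIFIERS = {"ip", "ipv6", "ip-any"}


def parse_cos_list(text):
    """Expand '3,5-6' into [3, 5, 6]; raise ValueError on malformed input."""
    values = set()
    for part in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"malformed CoS item {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or m.group(1))
        if lo > hi or hi > 7:
            raise ValueError(f"CoS item {part!r} is outside 0 to 7")
        values.update(range(lo, hi + 1))
    return sorted(values)


def check_pfc_cos(text):
    """Return None when the pfc-cos argument is acceptable, else a reason."""
    try:
        values = parse_cos_list(text)
    except ValueError as exc:
        return str(exc)
    # The guide names the range 0-7 as invalid. Assumption: any spelling
    # that expands to all eight values is flagged the same way.
    if values == list(range(8)):
        return "pfc-cos must not cover the whole range 0-7"
    return None


def lint(config):
    """Return (line number, message) findings for a QoS configuration."""
    findings = []
    seen_match = {}   # filter-type -> line number, per class-map
    class_cmds = {}   # bandwidth/priority -> line number, per policy class
    for n, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words or words[0] == "!":
            continue
        head = words[0]
        if head in ("class-map", "policy-map"):
            seen_match, class_cmds = {}, {}
        elif head == "class":
            class_cmds = {}
        elif head == "match":
            rest = [w for w in words[1:] if w != "not"]
            if rest and rest[0] in MATCH_QUALIFIERS:
                rest = rest[1:]
            if rest:
                ftype = rest[0]
                if ftype in seen_match:
                    findings.append(
                        (n, f"match {ftype} overwrites line {seen_match[ftype]}"))
                seen_match[ftype] = n
        elif head == "pfc-cos":
            reason = check_pfc_cos("".join(words[1:]))
            if reason:
                findings.append((n, reason))
        elif head in ("bandwidth", "priority"):
            other = "priority" if head == "bandwidth" else "bandwidth"
            if other in class_cmds:
                findings.append(
                    (n, f"{head} conflicts with {other} on line {class_cmds[other]}"))
            elif head == "bandwidth" and not (
                    len(words) == 3 and words[1] == "percent"
                    and words[2].isdigit() and 1 <= int(words[2]) <= 100):
                findings.append((n, "bandwidth percent must be from 1 to 100"))
            class_cmds[head] = n
    return findings


# Constructed sample input with four deliberate defects (lines 3, 9, 15, 17).
SAMPLE = """\
class-map type qos c1
 match cos 3
 match cos 5
class-map type qos c2
 match cos 3
 match ip-any precedence 4
policy-map type network-qos p5
 class llfc
  pfc-cos 0-7
 class pfc3
  pfc-cos 3,5-6
policy-map type queuing pq
 class cq
  bandwidth percent 70
  priority
 class cq2
  bandwidth percent 0
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```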
Example OS10(conf-sys-qos)# pfc-shared-buffer-size 2000
Supported Releases 10.3.0E or later

pfc-shared-headroom-buffer-size
Configures the shared headroom size for absorbing the packets after pause frames generate.

policy-map
Enters QoS POLICY-MAP mode and creates or modifies a QoS policy-map.
Syntax policy-map policy-map-name [type {qos | queuing | control-plane | application | network-qos }]
Parameters
● policy-map-name — Enter a class name for the policy-map. A maximum of 32 characters.
● type — Enter the policy-map type.
  ○ qos — Create a qos policy-map type.
  ○ queuing — Create a queueing policy-map type.
  ○ control-plane — Create a control-plane policy-map type.
you are not using a network-qos type policy for an interface. The no version of this command returns the value to the default.
Example OS10(conf-if-eth1/1/2)# priority-flow-control mode on
Supported Releases 10.3.0E or later

qos-group dot1p
Configures a dot1p trust map to the traffic class.
Syntax qos-group tc-list [dot1p values]
Parameters
● qos-group tc-list — Enter the traffic class ID as a single value, from 0 to 7.
Parameters map-name — Enter the name of the queue trust map. A maximum of 32 characters.
Default Not configured
Command Mode CONFIGURATION
Usage Information If applied on the interface or system level, the traffic class routes all traffic to the mapped queue. The no version of this command returns the value to the default.
  ○ 3 = 1/16
  ○ 4 = 1/8
  ○ 5 = 1/4
  ○ 6 = 1/2
  ○ 7 = 1
  ○ 8 = 2
  ○ 9 = 4
  ○ 10 = 8
● static thresh-value — (Optional) Enter the static shared buffer threshold value in Bytes, from 1 to 65535.
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information Use the queue-len value parameter to set the minimum guaranteed queue length for a queue. The no version of this command returns the value to the default.
Default 0
Command Mode TRUST-MAP
Usage Information If the trust map does not define traffic class values to a queue, those flows map to the default queue 0. If some of the traffic class values are already mapped to an existing queue, you see an error. The no version of this command returns the value to the default.
Example OS10(conf-tmap-tc-queue-qos)# queue 2 qos-group 5
Supported Releases 10.3.
random-detect (queue)
Assigns a WRED profile to the specified queue.
Syntax random-detect wred-profile-name
Parameters wred-profile-name — Enter the name of an existing WRED profile.
Default Not configured
Command Mode PMAP-C-QUE
Usage Information The no version of this command removes the WRED profile from the queue.
Example
OS10(config)# policy-map type queuing p1
OS10(config-pmap-queuing)# class c1
OS10(config-pmap-c-que)# random-detect test_wred
Supported Releases 10.4.
Example
OS10(config)# wred test_wred
OS10(config-wred)# random-detect ecn
Supported Releases 10.4.0E(R1) or later

random-detect ecn
Enables ECN for the system globally.
Syntax random-detect ecn
Default Not configured
Command Mode SYSTEM QOS
Usage Information The no version of this command disables ECN globally.
NOTE: This command enables ECN globally and is supported only on the S4200-ON Series platform. In the SYSTEM QOS mode, this command is not available on other platforms.
Usage Information The no version of this command removes the weight factor from the WRED profile.
Example
OS10(config)# wred test_wred
OS10(config-wred)# random-detect weight 10
Supported Releases 10.4.0E(R1) or later

service-policy
Configures the input and output service policies.
Example OS10(conf-pmap-c-qos)# set cos 6
Supported Releases 10.2.0E or later

set dscp
Sets the drop precedence for incoming packets based on their DSCP value and color map profile.
Syntax set dscp dscp-value [color {red | yellow}]
Parameters ● ● ● ●
Default Not configured
Command Mode POLICY-MAP-CLASS-MAP
Usage Information This command supports only QoS ingress policy type.
● mbps — Enter the committed rate unit in megabits per second, from 0 to 40000.
● pps — Enter the committed rate unit in packets per second, from 1 to 268000000.
● burst-size — Enter the burst size in kilobytes per packet, from 0 to 10000 or 1 to 1073000.
● max — Enter the maximum peak rate in kbps, mbps, or pps.
● max-burst-size — Enter the burst size in kilobytes per packet, from 0 to 10000 or 1 to 1073000.
Example
OS10# show control-plane buffers
queue-number  pool-type  rsvd-buf-size  threshold-mode  threshold-value
--------------------------------------------------------------------------
0             lossy      1664           static          20800
1             lossy      1664           static          20800
2             lossy      1664           static          48880
3             lossy      9216           static          48880
4             lossy      1664           static          20800
5             lossy      1664           static          48880
6             lossy      1664           static          48880
7             lossy      1664           static          48880
8             lossy      1664           static          48880
9             lossy      9216           static          48880
10
Supported Releases
Example
OS10# show control-plane buffer-stats
Queue  TX pckts  TX bytes  Used reserved buffers  Used shared buffers
------------------------------------------------------------------------
0      0         0         0                      0
1      0         0         0                      0
2      0         0         0                      0
3      0         0         0                      0
4      0         0         0                      0
5      0         0         0                      0
6      3         204       0                      0
7      6         408       0                      0
8      0         0         0                      0
9      0         0         0                      0
10     0         0         0                      0
11     0         0         0                      0
12     0         0         0                      0
13     0         0         0                      0
14     0         0         0                      0
15     0         0         0                      0
16     0         0         0                      0
17     0         0         0                      0
18     0         0         0                      0
19     0         0
Supported Releases
Usage Information Monitors statistics for the control-plane and to troubleshoot CoPP.
Example
Supported Releases
8      0         0         0                      0
9      0         0         0                      0
10     0         0         0                      0
11     0         0         0                      0
12     0         0         0                      0
13     0         0         0                      0
14     0         0         0                      0
15     0         0         0                      0
16     0         0         0                      0
17     0         0         0                      0
18     0         0         0                      0
19     0         0         0                      0
20     0         0         0                      0
21     0         0         0                      0
22     0         0         0                      0
OS10#
Supported Releases 10.2.0E or later

show hardware deep-buffer-mode
Displays the status of Deep buffer mode in the current and next boot of the switch.
Syntax show hardware deep-buffer-mode
Parameters None
Defaults Not configured
Command Modes EXEC
Usage Information Applicable only for the S4200-ON series switches.
show interface priority-flow-control
Displays the priority flow-control, operational status, CoS bitmap, and statistics per port.
Syntax show interface ethernet node/slot/port[:subport] priority-flow-control [details]
Parameters details — (Optional) Displays all priority flow control information for an interface.
show policy-map
Displays information on all existing policy-maps.
Syntax show policy-map [type {control-plane | qos | queuing | network-qos}] [policy-map-name]
Parameters
● type — Enter the policy-map type — qos, queuing, or control-plane.
● qos — Displays all policy-maps of qos type.
● queuing — Displays all policy-maps configured of queuing type.
Default Not configured
Command Mode EXEC
Usage Information None
Example
Supported Releases
Command Mode EXEC
Usage Information None
Example
OS10# show qos egress buffers interface ethernet 1/1/1
Interface : ethernet1/1/1
Speed : 0
queue-number  pool-type  rsvd-buf-size  threshold-mode  threshold-value
------------------------------------------------------------------------
0             lossy      1664           dynamic         8
1             lossy      1664           dynamic         8
2             lossy      1664           dynamic         8
3             lossless   0              static          12479488
4             lossy      1664           dynamic         8
5             lossy      1664           dynamic         8
6             lossy      1664           dynamic         8
7             lossy      1664           dynamic         8
Supported Releases 10.3.
show qos egress buffer-stats interface
Displays the buffers statistics for the egress interface.
Syntax show qos egress buffer-stats interface [interface node/slot/port[:subport]] [detail]
Parameters
● interface — (Optional) Enter the interface type.
● node/slot/port[:subport] — (Optional) Enter the port information.
● detail — Displays per MMU egress buffer statistics in platforms with multiple MMU instances such as Z9100-ON, Z9264F-ON.

show qos ingress buffers interface
Displays interface buffer configurations.
Syntax show qos ingress buffers interface [interface node/slot/port[:subport]]
Parameters
● interface — (Optional) Enter the interface type.
● node/slot/port[:subport] — (Optional) Enter the port information.
buffer-statistics-tracking command to view the actual peak buffer utilization for the current configuration.
Example
OS10# show qos ingress buffer-statistics-tracking interface ethernet 1/1/1
Interface : ethernet1/1/1
Speed : 0
Priority Group  Peak shared buffers  Peak HDRM buffers
------------------------------------------------
0               0                    0
1               0                    0
2               0                    0
3               0                    0
4               0                    0
5               0                    0
6               0                    0
7               0                    0
Supported Releases 10.4.3.
show qos maps
Displays the active system trust map.
Syntax show qos maps type {tc-queue | trust-map-dot1p | trust-map dscp} trust-map-name
Parameters
● dot1p — Enter to view the dot1p trust map.
● dscp — Enter to view the DSCP trust map.
● tc-queue—Enter to view the traffic class to queue map.
● trust-map — Enter the name of the trust map.
Default Not configured
Command Mode EXEC
Usage Information None
Example (dot1p)
Default Dot1p Priority to Traffic-Class Map
Traffic-Class  DOT1P Priority
-------------------------------
0              1
1              0
2              2
3              3
4              4
5              5
6              6
7              7

Default Dscp Priority to Traffic-Class Map
Traffic-Class  DSCP Priority
-------------------------------
0              0-7
1              8-15
2              16-23
3              24-31
4              32-39
5              40-47
6              48-55
7              56-63

Default Traffic-Class to Queue Map
Traffic-Class  Queue number
-------------------------------
0              0
1              1
2              2
3              3
4              4
5              5
6              6
7              7
OS10#

Example (dscp)
OS10# show qos trust-map dscp new-dscp-map
new-dscp-map qos-group Dsc
Command Mode EXEC
Usage Information The command applies to the Z9332F-ON only. The command provides priority-to-traffic-class and traffic-class-to-queue mapping, both default and user configured. The Type column displays the queue type corresponding to the traffic-class-to-queue map entry. For platforms other than Z9332F-ON, Both displays in the Type column to indicate that the mapping applies to both unicast and multicast queues.
Eth 1/1/13    2    2, 3    1, 3    down
Eth 1/1/14    2    2, 3    1, 3    down
Eth 1/1/15    2    2, 3    1, 3    down
Eth 1/1/16    2    2, 3    1, 3    down
Eth 1/1/17    3    0, 1    1, 3    down
Eth 1/1/18    3    0, 1    1, 3    down
Eth 1/1/19    3    0, 1    1, 3    down
Eth 1/1/20    3    0, 1    1, 3    down
Eth 1/1/21    0    0, 1    0, 2    down
Eth 1/1/22    0    0, 1    0, 2    down
Eth 1/1/23    0    0, 1    0, 2    down
Eth 1/1/24    0    0, 1    0, 2    down
Eth 1/1/25    3    0, 1    1, 3    up
Eth 1/1/26    3    0, 1    1, 3    down
Eth 1/1/27    3    0, 1    1, 3    down
Eth 1/1/28    3    0, 1
Eth 1/1/5:4
Eth 1/1/7:1
Eth 1/1/7:2
Eth 1/1/7:3
Eth 1/1/7:4
Eth 1/1/9:1
Eth 1/1/9:2
Eth 1/1/9:3
Eth 1/1/9:4
Eth 1/1/11:1
Eth 1/1/11:2
Eth 1/1/11:3
Eth 1/1/11:4
Eth 1/1/13:1
Eth 1/1/13:2
Eth 1/1/13:3
Eth 1/1/13:4
Eth 1/1/15
Eth 1/1/16
Eth 1/1/17:1
Eth 1/1/19:1
Eth 1/1/19:2
Eth 1/1/19:3
1/1
Eth 1/1/51:3    3    0, 1    1, 3    down
Eth 1/1/51:4    3    0, 1    1, 3    down
Eth 1/1/53      3    0, 1    1, 3    down
Eth 1/1/54      3    0, 1    1, 3    down
Eth 1/1/55      3    0, 1    1, 3    down
Eth 1/1/56      3    0, 1    1, 3    down
Eth 1/1/57:1    2    2, 3    1, 3    down
Eth 1/1/57:2    2    2, 3    1, 3    down
Eth 1/1/57:3    2    2, 3    1, 3    down
Eth 1/1/57:4    2    2, 3    1, 3    down
Eth 1/1/59      2    2, 3    1, 3    down
Eth 1/1/60      2    2, 3    1, 3    down
Eth 1/1/61      2    2, 3    1, 3    down
Eth 1/1/62      2    2, 3    1, 3    down
Eth 1/1/63      3    0, 1    1, 3    down
Eth 1/1/64      3    0, 1    1, 3    down
Eth 1/1/65      2    2, 3    1, 3
Eth 1/1/66      1    2, 3    0, 2
show qos service-pool buffer-statistics-tracking
Displays service-pool level peak buffer usage count in bytes.
Syntax show qos service-pool buffer-statistics-tracking [detail]
Parameters detail—Displays service-pool level peak buffer utilization per memory management unit (MMU) instance in platforms with multiple MMU instances such as the Z9100-ON, Z9264F-ON.
Example
OS10# show qos system ingress buffer
All values are in kb
Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers
- 12187 0 5512 0 11567 11192 0

The following command is supported on platforms such as the Z9100-ON, Z9264F-ON:
OS10# show qos system ingress buffer detail
All values are in kb
Total buffers Total lossless buffers Maximum lossless buffe
Total lossy buffers              - 10597
Total shared lossy buffers       - 8484
Total used shared lossy buffers  - 0
MMU 2
Total lossy buffers              - 10597
Total shared lossy buffers       - 8484
Total used shared lossy buffers  - 0
MMU 3
Total lossy buffers              - 10597
Total shared lossy buffers       - 8484
Total used shared lossy buffers  - 0
Supported Releases 10.3.0E or later

show qos wred-profile
Displays the details of WRED profile configuration.
show queuing statistics
Displays QoS queuing statistics information.
Syntax show queuing statistics interface ethernet node/slot/port[:subport] [wred | queue number]
Parameters
● node/slot/port[:subport] — Enter the Ethernet interface information.
● queue number — Enter the QoS queue number, from 0 to 7.
Default Not configured
Command Mode EXEC
Usage Information Use this command to view all queuing counters. WRED counters are available only at the port level.

system qos
Enters SYSTEM-QOS mode to configure system-level QoS configurations.
Syntax system qos
Parameters None
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# system qos
OS10(config-sys-qos)#
Supported Releases 10.2.0E or later

trust dot1p-map
Creates a user-defined trust map for dot1p flows.
Syntax trust dot1p-map map-name
Parameters map-name — Enter the name of the dot1p trust map. A maximum of 32 characters.
trust-map
Configures trust map on an interface or on a system QoS.
Syntax trust-map {dot1p | dscp} {default | trust-map-name}
Parameters
● dot1p — Apply dot1p trust map.
● dscp — Apply dscp trust map.
● default — Apply default dot1p or dscp trust map.
● trust-map-name — Enter the name of trust map.
Default Disabled
Command Mode INTERFACE
21 Virtual Link Trunking

Virtual Link Trunking (VLT) is a Layer 2 aggregation protocol used between an end device such as a server and two or more connected network devices. VLT helps to aggregate ports terminating on multiple switches. OS10 currently supports VLT port channel terminations on two different switches.
VLT:
● Provides node-level redundancy by using the same port channel terminating on multiple upstream nodes.

Optimized forwarding with VRRP
To ensure the same behavior on both sides of the VLT nodes, VRRP requires state information coordination. VRRP Active-Active mode optimizes L3 forwarding over VLT. By default, VRRP Active-Active mode is enabled on all the VLAN interfaces. VRRP Active-Active mode enables each peer to locally forward L3 packets, resulting in reduced traffic flow between peers over the VLTi link.

Spanning-Tree Protocol
VLT ports support RSTP, RPVST+, and MSTP.
● If the primary peer fails, the secondary peer takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption).
● In a VLT domain, the peer network devices must run the same OS10 software version.
  NOTE: A temporary exception is allowed during the upgrade process. See the Dell EMC SmartFabric OS 10.5.0.x Release Notes for more information.
● Configure the same VLT domain ID on peer devices.
The following shows a scenario where VLT Peer A is being reloaded or going down: Until LACP convergence happens, the server continues to forward traffic to VLT Peer A resulting in traffic loss for a longer time interval.
These PDUs notify the server to direct the traffic to VLT Peer B hence minimizing traffic loss.

Configure VLT
Verify that both VLT peer devices are running the same operating system version. For VRRP operation, configure VRRP groups and L3 routing on each VLT peer. Configure the following settings on each VLT peer device separately:
1. To prevent loops in a VLT domain, Dell EMC Networking recommends enabling STP globally using the spanning-tree mode command.
NOTE: If a VLT peer is reloaded, it automatically becomes the secondary peer regardless of the VLT primary-priority setting.
4. Configure VLTi interfaces with the no switchport command.
5. Configure the VLTi interfaces on each peer using the discovery-interface command. After you configure both sides of the VLTi, the primary and secondary roles in the VLT domain are automatically assigned if primary priority is not configured.
NOTE: Dell EMC recommends that you disable flow-control on discovery interfaces.

RPVST+ configuration
Configure RPVST+ on both the VLT peers. This creates an RPVST+ instance for every VLAN configured in the system. With RPVST+ configured on both VLT nodes, OS10 supports a maximum of 128 VLANs. The RPVST+ instances in the primary VLT peer control the VLT port channels on both the primary and secondary peers.
NOTE: RPVST+ is the default STP mode running on the switch. Use the following command only if you have another variant of the STP running on the switch.
RSTP configuration ● Enable RSTP on each peer node in CONFIGURATION mode.
instance instance-number vlan from-vlan-id — to-vlan-id
4. Configure the MST revision number, from 0 to 65535.
MULTIPLE-SPANNING-TREE revision revision-number
5. Configure the MST region name.
MULTIPLE-SPANNING-TREE name name-string
The following example shows that both VLT nodes are configured with the same MST VLAN-to-instance mapping.
Number of transitions to forwarding state: 1
Edge port: No (default)
Link Type: Point-to-Point
BPDU Sent: 2714, Received: 1234
Port 2001 (VLT-LAG -1(vlt-portid-1)) of MSTI 0 is designated Forwarding
Port path cost 200000, Port priority 128, Port Identifier 128.2001
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.
Peer 2
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/1-1/1/2

Configure the VLT MAC address
You can manually configure the VLT MAC address. Configure the same VLT MAC address on both the VLT peer switches to avoid any unpredictable behavior during a VLT failover.
Configure the VLT peer liveliness check
The VLT peer liveliness mechanism checks for the availability of the peer node. The system sends periodic keep-alive messages to detect the liveliness of the peer node. You must use a link other than the VLTi for the peer liveliness check. This link is referred to as the VLT backup link.
NOTE: Dell EMC Networking recommends using the OOB management network connection for the VLT backup link.
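The peer requirements described above (same VLT domain ID, same VLT MAC address, VLTi members configured with no switchport, a backup link for the liveliness check) can be compared across both peers' running configurations before a failover exposes a mismatch. The following is an added example, not part of the Dell guide; the two configurations are constructed, the function names are hypothetical, and the vlt-mac and backup destination command names are assumed from the OS10 CLI because this section does not show them.

```python
import re


def expand_ports(spec):
    """'ethernet1/1/1-1/1/3' -> {'1/1/1', '1/1/2', '1/1/3'}.

    Assumption: a range stays within one node/slot and has no subports.
    """
    ports = set()
    for item in spec.replace("ethernet", "").replace(" ", "").split(","):
        first, _, last = item.partition("-")
        start, end = first.rsplit("/", 1)[-1], last.rsplit("/", 1)[-1]
        if last and start.isdigit() and end.isdigit():
            prefix = first.rsplit("/", 1)[0]
            ports.update(f"{prefix}/{p}" for p in range(int(start), int(end) + 1))
        else:
            ports.update(p for p in (first, last) if p)
    return ports


def parse_peer(config):
    """Collect the VLT-relevant settings from one peer's running configuration."""
    peer = {"domain": None, "vlt_mac": None, "backup": None,
            "discovery": set(), "routed": set(), "vlt_lags": set()}
    stanza = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] not in " \t":                    # unindented line opens a stanza
            stanza = line
            m = re.fullmatch(r"vlt-domain\s+(\d+)", line)
            if m:
                peer["domain"] = int(m.group(1))
            continue
        if stanza.startswith("vlt-domain"):
            key, _, value = line.partition(" ")
            if key == "discovery-interface":
                peer["discovery"] |= expand_ports(value)
            elif key == "vlt-mac":                 # assumed command name
                peer["vlt_mac"] = value.strip().lower()
            elif line.startswith("backup destination "):   # assumed command name
                peer["backup"] = line.split()[2]
        elif stanza.startswith("interface ethernet"):
            if line == "no switchport":
                peer["routed"].add(stanza[len("interface ethernet"):].strip())
        elif stanza.startswith("interface port-channel"):
            m = re.fullmatch(r"vlt-port-channel\s+(\d+)", line)
            if m:
                peer["vlt_lags"].add(int(m.group(1)))
    return peer


def audit(config_a, config_b):
    """Return (check, detail) findings for a pair of VLT peer configurations."""
    a, b = parse_peer(config_a), parse_peer(config_b)
    findings = []
    if a["domain"] is None or a["domain"] != b["domain"]:
        findings.append(("domain-id", f"A={a['domain']} B={b['domain']}"))
    if a["vlt_mac"] != b["vlt_mac"]:
        findings.append(("vlt-mac", f"A={a['vlt_mac']} B={b['vlt_mac']}"))
    for name, peer in (("A", a), ("B", b)):
        if peer["backup"] is None:
            findings.append(("backup", f"peer {name} has no backup link"))
        if not peer["discovery"]:
            findings.append(("discovery", f"peer {name} has no VLTi interface"))
        for port in sorted(peer["discovery"] - peer["routed"]):
            findings.append(
                ("vlti-switchport", f"peer {name} ethernet{port} lacks no switchport"))
    if a["vlt_lags"] != b["vlt_lags"]:
        only_one = sorted(a["vlt_lags"] ^ b["vlt_lags"])
        findings.append(("vlt-port-channel", f"IDs on one peer only: {only_one}"))
    return findings


# Constructed running configurations; peer B carries four deliberate defects.
PEER_A = """\
interface ethernet1/1/1
 no switchport
interface ethernet1/1/2
 no switchport
interface port-channel20
 vlt-port-channel 20
vlt-domain 1
 backup destination 192.0.2.2
 discovery-interface ethernet1/1/1-1/1/2
 vlt-mac 00:00:5e:00:53:01
"""

PEER_B = """\
interface ethernet1/1/1
 no switchport
interface ethernet1/1/2
 switchport mode trunk
interface port-channel20
 vlt-port-channel 21
vlt-domain 1
 discovery-interface ethernet1/1/1-1/1/2
 vlt-mac 00:00:5e:00:53:02
"""

if __name__ == "__main__":
    for check, detail in audit(PEER_A, PEER_B):
        print(f"{check}: {detail}")
```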
Support for new streams during VLTi failure
If the VLTi fails, MAC addresses that are learned after the failure are not synchronized with VLT peers. Thus, instead of unicast, the VLTi failure causes a continuous traffic flood. If the VLTi links fail, MAC and ARP synchronization does not happen, and it causes the system to flood L2 packets and drop L3 packets.
VLT Peer 2 is not synchronized with the MAC address of Host 2 because the VLTi link is down. When traffic from Host 1 is sent to VLT Peer 2, VLT Peer 2 floods the traffic. When the VLT backup link is enabled, the secondary VLT Peer 2 identifies the node liveliness through the backup link. If the primary is up, the secondary peer brings down VLT port channels. The traffic from Host 1 reaches VLT Peer 1 and then reaches the destination, Host 2.
Role of VLT backup link in the prevention of loops during VLTi failure
When the VLTi is down, STP may fail to detect any loops in the system. This failure creates a data loop in an L2 network. As shown, STP is running in all three switches:
In the steady state, VLT Peer 1 is elected as the root bridge. When the VLTi is down, both the VLT nodes become primary. In this state, VLT Peer 2 sends STP BPDU to TOR assuming that TOR sends BPDU to VLT Peer 1.
When the VLT backup link is enabled, the secondary VLT peer identifies the node liveliness of primary through the backup link. If the primary VLT peer is up, the secondary VLT peer brings down the VLT port channels. In this scenario, the STP opens up the orphan port and there is no loop in the system, as shown:

Configure a VLT port channel
A VLT port channel, also known as a virtual link trunk, links an attached device and VLT peer switches. OS10 supports a maximum of 128 VLT port channels per node.
1.
Configure VLT port channel — peer 1
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20

Configure VLT port channel — peer 2
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 20

Configure VLT peer routing
VLT peer routing enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed. VLT supports unicast routing of both IPv4 and IPv6 traffic. To enable VLT unicast routing, both VLT peers must be in L3 mode.
Migrate VMs across data centers with eVLT
OS10 switches support movement of virtual machines (VMs) across data centers using VRRP Active-Active mode. Configure symmetric VRRP with the same VRRP group ID and virtual IP in VLANs stretched or spanned across data centers. VMs use the VRRP Virtual IP address of the VLAN as Gateway IP. As the VLAN configurations are symmetric across data centers, you can move the VMs from one data center to another.
● The core routers C1 and D1 in the local VLT domain connect to the core routers C2 and D2 in the remote VLT domain using VLT links.
● The core routers C1 and D1 in local VLT domain along with C2 and D2 in the remote VLT domain are part of an L3 cloud.
● The core routers C1, D1, C2, D2 are in a VRRP group with the same vrrp-group ID.
When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed without interruption.
● Configure VLT port channel for VLAN 100:
D1(config)# interface port-channel 10
D1(conf-if-po-10)# vlt-port-channel 10
D1(conf-if-po-10)# switchport mode trunk
D1(conf-if-po-10)# switchport trunk allowed vlan 100
D1(conf-if-po-10)# exit
● Add members to port channel 10:
D1(config)# interface ethernet 1/1/3
D1(conf-if-eth1/1/3)# channel-group 10
D1(conf-if-eth1/1/3)# exit
D1(config)# interface ethernet 1/1/4
D1(conf-if-eth1/1/4)# channel-group 10
D1(conf-if-eth1/1/4)# exit
● Configure OSPF on L3 side of c
C2(conf-router-ospf-100)# exit
C2(config)# interface vlan 200
C2(conf-if-vl-200)# ip ospf 100 area 0.0.0.
View VLT information
To monitor the operation or verify the configuration of a VLT domain, use a VLT show command on primary and secondary peers.
● View detailed information about the VLT domain configuration in EXEC mode, including VLTi status, local and peer MAC addresses, peer-routing status, and VLT peer parameters.
  show vlt domain-id
● View the role of the local and remote VLT peer in EXEC mode.
  show vlt domain-id role
● View any mismatches in the VLT configuration in EXEC mode.
Configuring delay-restore port - non-VLT Following table shows how to configure delay-restore ports on an interface and with a timer value: Table 132. Configuring delay-restore port on an interface Step Command Description 1 OS10# configure terminal Enters Configuration mode. 2 OS10(config)# interface ethernet 1/1/1 Enters Interface configuration mode. 3 OS10(conf-if-eth1/1/1)# delay-restore-port enable Enables delay-restore port.
Table 134. Configuring delay-restore orphan ports
Steps | Command | Description
1 | OS10# configure terminal | Enters Configuration mode.
2 | OS10(config)# interface ethernet 1/1/1 | Enters Interface configuration mode.
3 | OS10(conf-if-eth1/1/1)# vlt delay-restore orphan-port enable | Enables delay-restore orphan port.
4 | OS10(conf-if-eth1/1/1)# exit | Exits Interface configuration mode and enters Configuration mode.
5 | OS10(conf)# vlt-domain 1 | Enters VLT domain mode.
● When VLTi fails and the VLT heart-beat is down, both the VLT peers become primary (split brain).
● Ethernet1/1/1 in both the VLT peers is kept up.
● When VLTi recovers, election occurs.
● The port remains up in the peer elected as the primary node.
● In the secondary VLT peer, ethernet1/1/1 is brought down (since ignore vlti-failure configuration is disabled) and the delay-restore timer is started.
● A syslog indicating that the delay-restore timer has started is logged on the console.
Table 136. Disable delay-restore orphan ports (continued)
Steps | Command | Description
4 | OS10(conf-if-eth1/1/1)# no vlt delay-restore orphan-port enable | Disables delay-restore orphan port.
The following table provides the behavior of orphan ports with different DROP configurations and events:
Table 137.
When delay-restore port or delay-restore orphan port is enabled on an interface while the respective delay-restore timer is running, the port is immediately brought down. This matches the behavior of VLT ports: when a normal LAG is converted into a VLT LAG while the delay-restore timer is running, the LAG is immediately brought down.
no shutdown
Switch1# show port-channel summary
Flags: D - Down  I - member up but inactive  P - member up and active
       U - Up (port-channel)  F - Fallback Activated
-----------------------------------------------------------------------
Group  Port-Channel          Type  Protocol  Member Ports
-----------------------------------------------------------------------
1      port-channel1 (U)     Eth   DYNAMIC   1/1/47:1(P) 1/1/48:1(D)
1000   port-channel1000 (U)  Eth   STATIC    1/1/49(P) 1/1/50(P)
Switch 2
Switch2# show running-configuration interfac
Switch4# show port-channel summary
Flags: D - Down  I - member up but inactive  P - member up and active
       U - Up (port-channel)  F - Fallback Activated
------------------------------------------------------------------------
Group  Port-Channel          Type  Protocol  Member Ports
------------------------------------------------------------------------
7      port-channel7 (U)     Eth   DYNAMIC   1/1/47:1(P) 1/1/47:2(P)
1000   port-channel1000 (U)  Eth   STATIC    1/1/62(P) 1/1/63(P)
VLT commands
backup destination
Configures the VLT backup link
Example OS10(conf-vlt-1)# delay-restore 100
Supported Releases 10.3.0E or later
delay-restore-port enable
Enables or disables delay-restore configuration at interface level.
Syntax delay-restore-port enable
To disable the delay-restore configuration, enter the no delay-restore-port enable command.
Parameters None.
Default Disabled
Command Mode INTERFACE CONFIGURATION MODE
Usage Information Use the range command to enable delay-restore-port on all interfaces or a selected range of interfaces.
delay-restore-port timeout
Configures delay-restore port timer value.
Syntax delay-restore-port timeout timeout-value
To remove configured timer value and return to default, enter the no delay-restore-port timeout command.
Parameters
● timeout timeout-value - Enter the keyword timeout followed by the timeout value. The range is from 1 to 1200.
peer-routing
Enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed.
Syntax peer-routing
Parameters None
Default Disabled
Command Mode VLT-DOMAIN
Usage Information The no version of this command disables peer routing.
Example OS10(conf-vlt-1)# peer-routing
Supported Releases 10.2.0E or later
peer-routing-timeout
Configures the delay after which the system disables peer routing when the peer is not available.
● If the heartbeat is up and the VLTi link goes down between the VLT peers, both the VLT peers retain their primary and secondary roles. However, the VLT port channel on the secondary VLT peer shuts down.
NOTE: When you configure a priority for VLT peers using this command, the configuration does not take effect immediately. The primary priority configuration comes into effect the next time election is triggered.
Example OS10(conf-vlt-1)#primary-priority 2
Supported Releases 10.4.1.
violation: No Root-Guard: Disable, Loop-Guard: Disable Bpdus (MRecords) Sent: 11, Received: 7 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID -----------------------------------------------------------------------------------------VFP(VirtualFabricPort) 0.1 0 1 FWD 0 32768 0078.7614.6062 0.
VLT-LAG -1(vlt-portid1) Example (MSTP information on VLT) 128.2001 128 2000000 FWD 0 32768 90b1.1cf4.a523 128.2001 OS10# show spanning-tree virtual-interface detail Port 1 (VFP(VirtualFabricPort)) of MSTI 0 is designated Forwarding Port path cost 0, Port priority 128, Port Identifier 128.1 Designated root priority: 32768, address: 34:17:44:55:66:7f Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23 Designated port ID: 128.
Supported Releases 10.5.2.0 or later show vlt Displays information on a VLT domain. Syntax show vlt domain-id delay-restore-orphan-port Parameter ● domain-id — Enter a VLT domain ID, from 1 to 255. ● delay-restore orphan-port - Enter the delay-restore orphan-port keyword to display the delay-restore orphan-port status. Default Not configured Command Mode EXEC Usage Information In the following example, the status of the VLT node should be up.
Delay-Restore Orphan-Port Ignore VLTi Fail enabled interfaces : Eth1/1/10 Po4 Supported Releases 10.2.0E or later show vlt domain-id delay restore orphan port Displays the delay restore orphan port information on a VLT domain. Syntax show vlt domain-id delay-restore-orphan-port Parameter ● domain-id — Enter a VLT domain ID, from 1 to 255. ● delay-restore orphan-port - Enter the delay-restore orphan-port keyword to display the delay-restore orphan-port status.
Supported Releases 10.5.2.0 or later
show vlt backup-link
Displays detailed status of the heartbeat
Syntax show vlt domain-id backup-link
Parameters domain-id — Enter the VLT domain ID.
Default Not configured
Command Mode EXEC
Usage Information None
Example OS10# show vlt 255 backup-link
VLT Backup Link
------------------------
Destination            : 10.16.208.164
Peer Heartbeat status  : Up
Heartbeat interval     : 1
Heartbeat timeout      : 3
Supported Releases 10.3.
Supported Releases 10.5.2.1 or later show vlt error-disabled-ports Displays VLT ports that are in the error-disabled state. Syntax show vlt id error-disabled-ports Parameters id—Enter the VLT domain ID, from 1 to 255. Default Not configured Command Mode EXEC Usage Information Use this command to view VLT ports that are in error-disabled state. If the egress mask modification in the remote VLT peer is delayed or has failed, the ports go in to the error-disabled state.
Example OS10# show vlt-mac-inconsistency Checking Vlan 228 .. Found 7 inconsistencies ..
VLAN mismatch: No mismatch VLT VLAN mismatch: No mismatch Example (mismatch) OS10# show vlt 1 mismatch Peer-routing mismatch: VLT Unit ID Peer-routing --------------------------------* 1 Enabled 2 Disabled VLAN mismatch: No mismatch VLT VLAN mismatch: VLT ID : 1 VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 VLT ID : 2 VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 Example (mismatch peer routing) Example (mismatch VLAN) OS10# show vlt 1 mismatch peer
(VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) VLT Unit ID Mismatch Virtual Network List ------------------------------------------1 10,104 * 2 OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans ----------------------------------1 101 * 2 100 OS10# show vlt all mismatch virtual-network Virtual Network: 102 VLT Unit ID Configured Virtual Network Mode -----------
-------------------------1 10.16.128.25 * 2 10.16.128.20 Virtual-network: 20 VLT Unit ID Anycast-IP -------------------------1 10.16.128.26 * 2 10.16.128.30 Example (Anycast IP addresses not configured on one of the virtual networks on both peers) show vlt 1 mismatch virtual-network Interface virtual-network Anycast-IP mismatch: Virtual-network: 10 VLT Unit ID Anycast-IP -------------------------1 10.16.128.25 * 2 ABSENT Virtual-network: 20 VLT Unit ID Anycast-IP -------------------------1 ABSENT * 2 10.
VLT Unit ID Anycast-IPs -------------------------------------* 1 64::100, 64.6.7.88 2 100::100, 100.101.102.100 VLAN: 3000 VLT Unit ID Anycast-IPs --------------------------------* 1 100.101.102.100 2 Not configured VLAN: 4000 VLT Unit ID Anycast-IPs -------------------------------* 1 Not configured 2 Example (mismatch dhcprelay) 8.7.6.
Example (mismatch private-vlan vlanmode) Supported Releases OS10# show vlt 1 mismatch private-vlan vlan-mode Private VLAN mode mismatch: No mismatch 10.2.0E or later show vlt role Displays the VLT role of the local peer. Syntax show vlt id role Parameters id — Enter the VLT domain ID, from 1 to 255. Default Not configured Command Mode EXEC Usage Information The * in the mismatch output indicates a local mismatch.
vlt-domain
Creates a VLT domain.
Syntax vlt-domain domain-id
Parameter domain-id — Enter a VLT domain ID on each peer, from 1 to 255.
Default None
Command Mode CONFIGURATION
Usage Information Configure the same VLT domain ID on each peer. If a VLT domain ID mismatch occurs on VLT peers, the VLTi link between peers does not activate. The no version of this command disables VLT.
Example OS10(config)# vlt-domain 1
Supported Releases 10.2.
OS10(conf-if-po-1)# no vlt delay-restore orphan-port enable
ENABLE ON RANGE OF ETHERNET INTERFACES/PORT-CHANNELS:
OS10(config)# interface range ethernet 1/1/1-1/1/10
OS10(conf-range-eth1/1/1-1/1/10)# vlt delay-restore orphan-port enable
OS10(config)# interface range port-channel 1-10
OS10(conf-range-po-1-10)# vlt delay-restore orphan-port enable
Supported Releases 10.5.2 or later
vlt delay-restore orphan-port ignore vlti-failure
Considers or ignores VLTi failures for delay-restore orphan port.
Supported Releases 10.5.2 or later vlt-port-channel Configures the ID used to map interfaces on VLT peers into a single VLT port-channel. Syntax vlt-port-channel vlt-port-channel-id Parameters vlt-port-channel-id — Enter a VLT port-channel ID, from 1 to 128. Default Not configured Command Mode PORT-CHANNEL INTERFACE Usage Information Assign the same VLT port-channel ID to interfaces on VLT peers to create a VLT port-channel.
Default Enabled
Command Mode VLAN INTERFACE
Usage Information This command is applicable only for VLAN interfaces. In a non-VLT network, the backup VRRP gateway forwards L3 traffic. If you want to use VRRP groups on VLANs without VLT topology, disable the Active-Active functionality, to ensure that only the active VRRP gateway forwards L3 traffic. The no version of this command disables the configuration.
Example OS10(conf-if-vl-10)# vrrp mode active-active
Supported Releases 10.2.
22 Uplink Failure Detection
Uplink failure detection (UFD) indicates the loss of upstream connectivity to servers connected to the switch. A switch provides upstream connectivity for devices, such as servers. If the switch loses upstream connectivity, the downstream devices also lose connectivity. However, the downstream devices do not generally receive an indication that the upstream connectivity was lost because connectivity to the switch is still operational. To solve this issue, use UFD.
Configure uplink failure detection
Consider the following before configuring an uplink-state group:
● An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state.
● An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
● You can assign a physical port or a port channel to an uplink-state group.
● You can assign an interface to only one uplink-state group at a time.
● If you disable an uplink-state group, the downstream interfaces are not disabled, regardless of the state of the upstream interfaces.
● If you do not assign upstream interfaces to an uplink-state group, the downstream interfaces are not disabled.
Configuration:
1. Create an uplink-state group in CONFIGURATION mode.
uplink-state-group group-id
2. Configure the upstream and downstream interfaces in UPLINK-STATE-GROUP mode.
Eth 1/1/5(Dwn) Eth 1/1/9:2(Dwn) Eth 1/1/9:3(Dwn)
OS10#show uplink-state-group 1 detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled (NA): Not Available
*: VLT port-channel, V: VLT status, P: Peer Operational status ^: Tracking status
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)
OS10#show uplink-state-group 2 detail
(Up): Interface up (Dwn): Interfa
Table 138. UFD on VLT network (continued)
Event | VLT action on primary node | VLT action on secondary node | UFD action
VLTi Link is operationally up with heartbeat up | No action | VLT module sends VLT port-channel enable request to Interface Manager (IFM) for both uplink and downlink. | UFD receives operationally up of upstream VLT port-channel and sends clear error-disable of downstream VLT port-channel to IFM.
Reboot of VLT secondary peer | No action | After reboot, runs the delay restore timer.
Sample configurations of UFD on VLT The following examples show some of the uplink-state groups on VLT. In the following illustration, both the upstream and downstream members are part of VLT port-channels. The uplink-state group includes both the VLT port-channels as members. In the following example, the upstream member is part of VLT port-channel and the downstream member is an orphan port. The uplink-state group includes the VLT port-channel, VLT node, and the downstream port.
OS10 does not support adding a VLTi link member to the uplink-state group. You can add the VLTi link as upstream member to an uplink-state group using the upstream VLTi command. If the VLTi link is not available in the system, OS10 allows adding the VLTi link as an upstream member. In this case, UFD starts tracking the operational status of the VLTi link when the link is available. Until the VLTi link is available, the show uplink-state-group details command displays the status of the link as NA.
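The uplink-state group rules and the detail output described in this chapter can be checked mechanically. The following is an added example, not code from the Dell documentation: it parses show uplink-state-group detail text and flags groups where UFD is not protecting downstream ports. It assumes one field per line as in the sample, and that a VLT port-channel counts as up when its V (VLT status) field is Up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. Group 1 reuses the values shown in the guide's output;
# groups 2 and 3 are invented, and the line layout is an assumption.
SAMPLE = """\
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)
Uplink State Group : 2 Name: rack2, Status: Enabled, Down
Upstream Interfaces : eth1/1/36(Dwn) eth1/1/37(Dwn)
Downstream Interfaces : eth1/1/5(Dis) eth1/1/6(Dis)
Uplink State Group : 3 Name: lab, Status: Disabled, Up
Upstream Interfaces :
Downstream Interfaces : eth1/1/9(Up)
"""

HEADER = re.compile(
    r"Uplink State Group\s*:\s*(\d+)\s+Name:\s*([^,]*),\s*Status:\s*(\w+)")
MEMBERS = re.compile(r"(Upstream|Downstream) Interfaces\s*:\s*(.*)")
MEMBER = re.compile(r"(\*?)([\w/:]+)\(([^)]*)\)")   # [*]name(status)
VLT_FIELD = re.compile(r"\^?([VP])\s*:\s*(\w+)")    # V:Up or ^P:Dwn


@dataclass
class Member:
    name: str
    vlt: bool      # True when the entry carries the '*' VLT port-channel flag
    state: str     # Up, Dwn, Dis or NA


@dataclass
class Group:
    gid: int
    name: str
    admin: str     # Enabled or Disabled
    upstream: list = field(default_factory=list)
    downstream: list = field(default_factory=list)


def parse_member(star, name, status):
    if ":" in status:
        # VLT port-channel: use the local VLT status (assumption, see lead-in).
        state = dict(VLT_FIELD.findall(status)).get("V", "NA")
    else:
        state = status.strip()
    return Member(name, bool(star), state)


def parse(text):
    groups = []
    for line in text.splitlines():
        if (m := HEADER.search(line)):
            groups.append(Group(int(m[1]), m[2].strip(), m[3]))
        elif (m := MEMBERS.search(line)) and groups:
            members = [parse_member(*t) for t in MEMBER.findall(m[2])]
            setattr(groups[-1], m[1].lower(), members)
    return groups


def operationally_up(group):
    # Up when at least one upstream interface is in the Link-Up state.
    return any(m.state == "Up" for m in group.upstream)


def audit(group):
    """Return (code, message) findings for one uplink-state group."""
    findings = []
    up = [m.name for m in group.upstream if m.state == "Up"]
    if group.admin != "Enabled":
        findings.append(("group-disabled",
                         "downstream interfaces are not disabled by UFD"))
    if not group.upstream:
        findings.append(("no-upstream",
                         "no upstream assigned, downstream is never disabled"))
    elif not up:
        findings.append(("all-upstream-down", "group is operationally down"))
    elif len(up) == 1:
        findings.append(("single-upstream",
                         f"only {up[0]} keeps the group operationally up"))
    for m in group.upstream:
        if m.state == "NA":
            findings.append(("member-na", f"{m.name} status is NA"))
    return findings


if __name__ == "__main__":
    for g in parse(SAMPLE):
        print(g.gid, g.name, "up" if operationally_up(g) else "down", audit(g))
```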
UFD commands
clear ufd-disable
Overrides the uplink-state group configuration and brings up the downstream interfaces.
Syntax clear ufd-disable {interface interface-type | uplink-state-group group-id}
Parameters
● interface-type — Enter the interface type.
● group-id — Enter the uplink state group ID, from 1 to 32.
Default None
Command Mode EXEC
Usage Information This command manually brings up a disabled downstream interface that is in a UFD-disabled error state.
Mode. See upstream CLI command for more information. The no version of this command removes the interface from the uplink-state group.
Example OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# downstream ethernet 1/1/1
Supported Releases 10.4.0E(R3) or later
downstream auto-recover
Enables auto-recovery of the disabled downstream interfaces.
Usage Information The no version of this command disables tracking of an uplink-state group.
Example OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
Supported Releases 10.4.0E(R3) or later
name
Configures a descriptive name for the uplink-state group.
Syntax name string
Parameters string — Enter a description for the uplink-state group. A maximum of 32 characters.
● detail — Displays detailed information on the status of the uplink-state groups.
Supported Releases 10.4.0E(R3) or later
uplink-state-group
Creates an uplink-state group and enables upstream link tracking.
Syntax uplink-state-group group-id
Parameters group-id — Enter a unique ID for the uplink-state group, from 1 to 32.
Default None
Command Mode CONFIGURATION
Usage Information The no version of this command removes the uplink-state group.
Example OS10(config)# uplink-state-group 1
Supported Releases 10.4.
23 Converged data center services
OS10 supports converged data center services, including IEEE 802.1 data center bridging (DCB) extensions to classic Ethernet. DCB provides I/O consolidation in a data center network. Each network device carries multiple traffic classes while ensuring lossless delivery of storage traffic with best-effort for local area network (LAN) traffic and latency-sensitive scheduling of service traffic.
● 802.1Qbb — Priority flow control
● 802.
Configuration notes Dell EMC PowerSwitch S4200-ON Series: ● Provisioning PFC is not supported when deep buffer mode is enabled. ● Configure the traffic class ID to queue mapping policy on egress interfaces. ● You cannot enable PFC on all the physical interfaces, when you have split the ports to multiple breakout interfaces. For more information, see the 'PFC configuration notes' section in the Dell EMC SmartFabric OS10 User Guide.
● Apply the default trust map specifying that dot1p values are trusted in SYSTEM-QOS or INTERFACE mode. trust-map dot1p default Configure a non-default dot1p-priority-to-traffic class mapping 1. Configure a trust map of dot1p traffic classes in CONFIGURATION mode. A trust map does not modify ingress dot1p values in output flows. Assign a qos-group to trusted dot1p values in TRUST mode using 1-to-1 mappings. Dot1p priorities are 0 to 7.
Default TC-to-queue mapping format
The following is the format for Z9332F-ON:
Default Traffic-Class to Queue Map
Traffic Class   Queue Number   Type
---------------------------------------------
0               0              Unicast
0-2             0              Multicast
1               1              Unicast
3-5             1              Multicast
2               2              Unicast
6-7             2              Multicast
3               3              Unicast
4               4              Unicast
5               5              Unicast
6               6              Unicast
7               7              Unicast
The following is the default TC-to-Queue Mapping format:
Default Traffic-Class to Queue Map
Traffic-Class   Queue number   Type
----------------------------------------
0               0              Both
1 1 B
4. (Optional) Configure the PFC shared buffer for lossless traffic. Create PFC dot1p traffic classes 1. Create a network-qos class map to classify PFC traffic classes in CONFIGURATION mode, from 1 to 7. Specify the traffic classes using the match qos-group command. QoS-groups map 1:1 to traffic classes 1 to 7; for example, qos-group 1 corresponds to traffic class 1. Enter a single value, a hyphen-separated range, or multiple qos-group values separated by commas in CLASS-MAP mode.
PFC is enabled on traffic classes with dot1p 3 and 4 traffic. The two traffic classes require different ingress queue processing. In the network-qos pp1 policy map, class cc1 uses customized PFC buffer size and pause frame settings; class cc2 uses the default settings.
3 - - - - 4 - - - - 5 - - - - 6 - - - - 7 9360 static 12779520 - - View PFC system buffer configuration OS10# show qos system ingress buffer All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 12187 0 5512 0 11567 11192 0 OS10# show qos system egress buffer All values are in kb Total buffers - 12187 Total
Parameters ● buffer-size kilobytes — Enter the reserved (guaranteed) ingress-buffer size in kilobytes for PFC dot1p traffic, from 0 to 7787. ● pause-threshold kilobytes — Enter the buffer threshold limit (in kilobytes) to send pause frames to a transmitting device to temporarily halt the data transmission, from 0 to 7787. ● resume-threshold kilobytes — Enter the threshold limit (in kilobytes) at which a request is sent to the transmitting device to resume sending traffic, from 0 to 7787.
Example (policy-map) OS10(config)# policy-map type network-qos pp1
OS10(conf-pmap-network-qos)# class cc1
OS10(conf-pmap-c-nqos)# pfc-cos 3
Supported Releases 10.3.0E or later
pfc-shared-buffer-size
Configures the number of shared buffers available for PFC-enabled traffic on the switch.
Syntax pfc-shared-buffer-size kilobytes
Parameter kilobytes — Enter the total amount of shared buffers available to PFC-enabled dot1p traffic in kilobytes, from 0 to 7787.
Parameters ● thresh-mode —Specifies the Buffer threshold mode. ● static kilobytes — Enter the static followed by the fixed shared-buffer limit available for PFC traffic-class queues in kilobytes, from 0 to 7787. The value of this parameter must be within the maximum amount tuned by the pfc-shared-buffer-size command. ● dynamic weight — Enter the dynamic followed by the weight value used to dynamically determine the shared-buffer limit available for PFC traffic-class queues, from 1 to 10.
Enhanced transmission selection ETS provides customized bandwidth allocation to 802.1p classes of traffic. Assign different amounts of bandwidth to Ethernet, FCoE, or iSCSI traffic classes that require different bandwidth, latency, and best-effort treatment during network congestion. ETS divides traffic into different priority groups using their 802.1p priority value.
number is used only internally to schedule classes of ingress traffic. Enter multiple dot1p and dscp values in a hyphenated range or separated by commas. trust dot1p-map dot1p-map-name qos-group {0-7} dot1p {0-7} exit trust dscp-map dscp-map-name qos-group {0-7} dscp {0-63} exit 2. Configure a QoS map with trusted traffic-class (qos-group) to lossless-queue mapping in CONFIGURATION mode. Assign one or more qos-groups, from 0 to 7, to a specified queue in QOS-MAP mode.
8. Apply the queuing policy to egress traffic in SYSTEM-QOS or INTERFACE mode.
service-policy output type queuing policy-map-name
9. Enable ETS globally in SYSTEM-QOS mode or on an interface/interface range in INTERFACE mode.
NOTE: If you have not enabled PFC on all the interfaces, this configuration at the global level is not required. Enable ETS on the specific interfaces.
View QoS maps: traffic-class to queue mapping
OS10# show qos maps
Traffic-Class to Queue Map: tc-q-map1
queue 0 qos-group 0
queue 1 qos-group 1
Traffic-Class to Queue Map: dot1p_map1
qos-group 0 dot1p 0-3
qos-group 1 dot1p 4-7
DSCP Priority to Traffic-Class Map : dscp_map1
qos-group 0 dscp 0-31
qos-group 1 dscp 32-63
ETS commands
ets mode on
Enables ETS on an interface.
DCBX configuration notes ● DCBX is a prerequisite for using DCB features, such as PFC and ETS, to exchange link-level configurations in a converged network. ● DCBX, when deployed in topologies, enables lossless operation for FCoE or iSCSI traffic. In these scenarios, all network devices in the topology must have DCBX-enabled. ● DCBX uses LLDP to advertise and automatically negotiate the administrative state and PFC or ETS configuration with directly connected DCB peers.
● OS10 supports DCBX versions CEE and IEEE2.5. ● If ETS and PFC are enabled, DCBX advertises ETS configuration, ETS recommendation, and PFC configuration. When you configure application-specific parameters such as FCoE or iSCSI to be advertised, DCBX advertises the respective Application Priority TLVs. ● A DCBX-enabled port operates only in a manual role. In this mode, the port operates only with user-configured settings and does not autoconfigure with DCB settings that are received from a DCBX peer.
Interface ethernet1/1/3 Port Role is Manual DCBX Operational Status is Disabled Reason: Port Shutdown Is Configuration Source? FALSE Local DCBX Compatibility mode is AUTO Local DCBX Configured mode is AUTO Peer Operating version is Not Detected Local DCBX TLVs Transmitted: erpfi 0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC 0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 0 Input Appln Priority TLV pkts, 0 Output Appln Priority Prio
Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
Local ISCSI PriorityMap is 0x10 Remote ISCSI PriorityMap is 0x10 220 Input TLV pkts, 350 Output TLV pkts, 0 Error pkts 71 Input Appln Priority TLV pkts, 80 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts View DCBX ETS TLV status OS10# show lldp dcbx interface ethernet 1/1/15 ets detail Interface ethernet1/1/15 Max Supported PG is 8 Number of Traffic Classes is 8 Admin mode is on Admin Parameters : -----------------Admin is enabled PG-grp Priority# Bandwidth TSA ------------------------------
DCBX commands dcbx enable Enables DCBX globally on all interfaces. Syntax dcbx enable Parameters None Default Disabled Command Mode CONFIGURATION Usage Information DCBX is disabled at a global level and enabled at an interface level by default. For DCBX to be operational, DCBX must be enabled at both the global and interface levels. Enable DCBX globally using the dcbx enable command to activate the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations.
Command Mode INTERFACE
Usage Information In Auto mode, a DCBX-enabled port detects an incompatible DCBX version on a peer device port and automatically reconfigures a compatible version on the local port. The no version of this command disables the DCBX version.
Example OS10(conf-if-eth1/1/2)# dcbx version cee
Supported Releases 10.3.0E or later
debug dcbx
Enables DCBX debugging.
Supported Releases 10.3.0E or later show debug dcbx Displays the list of debug options that are enabled for DCBX. Syntax show debug dcbx Parameters None Command Mode EXEC Usage Information None Example OS10# show debug dcbx Dcbx debug settings: debug dcbx all no debug dcbx events interface mgmt debug dcbx pdu in interface ethernet 1/1/1 Supported Releases 10.5.1.0 or later show lldp dcbx Displays the DCBX configuration and PFC or ETS TLV status on an interface.
Peer Operating version is Not Detected
Local DCBX TLVs Transmitted: erpfi
0 Input PFC TLV pkts, 0 Output PFC TLV pkts, 0 Error PFC pkts
0 Input ETS Conf TLV Pkts, 0 Output ETS Conf TLV Pkts, 0 Error ETS Conf TLV Pkts
0 Input ETS Reco TLV pkts, 0 Output ETS Reco TLV pkts, 0 Error ETS Reco TLV Pkts
0 Input Appln Priority TLV pkts, 0 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecogn
Interface ethernet1/1/15 Port Role is Manual DCBX Operational Status is Enabled Is Configuration Source? FALSE Local DCBX Compatibility mode is IEEEv2.5 Local DCBX Configured mode is IEEEv2.5 Peer Operating version is IEEEv2.
6 7 0% 0% SP SP Oper status is init ETS DCBX Oper status is Up State Machine Type is Asymmetric Conf TLV Tx Status is enabled Reco TLV Tx Status is enabled 5 Input Conf TLV Pkts, 2 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 5 Input Reco TLV Pkts, 2 Output Reco TLV Pkts, 0 Error Reco TLV Pkts Example (PFC detail) OS10# show lldp dcbx interface ethernet 1/1/15 pfc detail Interface ethernet1/1/15 Admin mode is on Admin is enabled, Priority list is 4,5,6,7 Remote is enabled, Priority list is 4,5,6,7 Remote
In an iSCSI session, a switch connects CNA servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN or TCP/IP network. iSCSI optimization running on the switch uses dot1p priority-queue assignments to ensure that iSCSI traffic receives priority treatment. iSCSI configuration notes ● Enable iSCSI optimization so the switch autodetects and autoconfigures Dell EMC EqualLogic storage arrays that are directly connected to an interface.
1. Configure an interface or interface range to detect a connected storage device. interface ethernet node/slot/port:[subport] interface range ethernet node/slot/port:[subport]-node/slot/port[:subport] 2. Enable the interface to support a storage device that is directly connected to the port and not automatically detected by iSCSI. Use this command for storage devices that do not support LLDP.
OS10(config)# iscsi target port 3261 ip-address 10.1.1.
● Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flowcontrol receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.1 or later, the existing iSCSI configuration is retained and the flowcontrol receive could be set to on or off, depending on the iSCSI configuration before the upgrade.
Command Mode CONFIGURATION Usage Information iSCSI optimization automatically detects storage arrays and autoconfigures switch ports with the iSCSI parameters that are received from a connected device. The no version of this command disables iSCSI autodetection. Starting from release 10.4.1.1, when you perform a fresh installation of OS10, iSCSI autoconfig is enabled and flow control receive is set to on. However, when you upgrade from an earlier release to release 10.4.1.
iscsi session-monitoring enable Enables iSCSI session monitoring. Syntax iscsi session-monitoring enable Parameter None Default Disabled Command Mode CONFIGURATION Usage Information To configure the aging timeout in iSCSI monitoring sessions, use the iscsi aging time command. To configure the TCP ports that listen for connected storage devices in iSCSI monitoring sessions use the iscsi target port command. The no version of this command disables iSCSI session monitoring.
Example Supported Releases OS10(conf-if-eth1/1/1)# lldp tlv-select dcbxp-appln iscsi 10.3.0E or later show iscsi Displays the current configured iSCSI settings. Syntax show iscsi Parameters None Command Mode EXEC Usage Information This command output displays global iSCSI configuration settings. To view target and initiator information use the show iscsi session command.
Initiator:iqn.1991-05.com.microsoft:win-rlkpjo4jun2 Up Time:00:00:16:02(DD:HH:MM:SS) Time for aging out:29:23:59:35(DD:HH:MM:SS) ISID:400001370000 Initiator Initiator Target Target Connection IP Address TCP Port IP Address TCP Port ID ---------------------------------------------------------10.10.10.210 54835 10.10.10.40 3260 1 Supported Releases 10.3.0E or later show iscsi storage-devices Displays information about the storage arrays directly attached to OS10 ports.
2. PFC configuration (global) PFC is enabled on traffic classes with dot1p 4, 5, 6, and 7 traffic. All the traffic classes use the default PFC pause settings for shared buffer size and pause frames in ingress queue processing in the network-qos policy map. The trust-map dot1p default honors (trusts) all dot1p ingress traffic.
OS10(config-cmap-queuing)# match queue 1
OS10(config-cmap-queuing)# exit
OS10(config)# policy-map type queuing pmap1
OS10(config-pmap-queuing)# class cmap1
OS10(config-pmap-c-que)# bandwidth percent 30
OS10(config-pmap-c-que)# exit
OS10(config-pmap-queuing)# class cmap2
OS10(config-pmap-c-que)# bandwidth percent 70
OS10(config-pmap-c-que)# end
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dot1p default
5.
Total DCBX Frames transmitted 0
Total DCBX Frames received 0
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
8.
PG-grp   Priority#   Bandwidth   TSA
------------------------------------------------
0        0,1,2,3,    30%         ETS
1        4,5,6,7     70%         ETS
2                    0%          ETS
3                    0%          ETS
4                    0%          ETS
5                    0%          ETS
6                    0%          ETS
7                    0%          ETS
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
2 Input Conf TLV Pkts, 27 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
2 Input Reco TLV Pkts, 27 Output Reco TLV Pkts, 0 Error Reco TLV Pkts
10.
4 Input Appln Priority TLV pkts, 3 Output Appln Priority TLV pkts, 0 Error Appln Priority TLV Pkts 12. DCBX configuration (interface) This example shows how to configure and verify different DCBX versions.
trust-map dot1p default service-policy output type queuing pmap1 ets mode on qos-map traffic-class tmap2 trust-map dot1p tmap1 priority-flow-control mode on OS10(conf-if-eth1/1/53)# do show lldp dcbx interface ethernet 1/1/53 E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled F-Application priority for FCOE enabled f-Application Priority for FCOE disabled I-Applic
24 sFlow
sFlow is a standard-based sampling technology embedded within switches and routers that monitors network traffic. It provides traffic monitoring for high-speed networks with many switches and routers.
● Enable sFlow in CONFIGURATION mode.
sflow enable
● Disable sFlow in CONFIGURATION mode.
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
sflow enable
!
Collector configuration
Configure the IPv4 or IPv6 address for the sFlow collector. When you configure the collector, enter a valid and reachable IPv4 or IPv6 address. You can configure a maximum of two sFlow collectors. If you specify two collectors, samples are sent to both.
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collector(s) configured
Collector IP addr:4.4.4.1 Agent IP addr:1.1.1.1 UDP port:6343 VRF:RED
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
Polling-interval configuration
The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics.
● Set the sampling rate in CONFIGURATION mode, from 4096 to 65535. The default is 32768.
sflow sample-rate sampling-size
● Disable packet sampling in CONFIGURATION mode.
no sflow sample-rate
● View the sampling rate in EXEC mode.
OS10(config)# sflow source-interface loopback 1
OS10(config)# sflow source-interface vlan 10
View sFlow running configuration
OS10# show running-configuration sflow
sflow enable all-interfaces
sflow source-interface vlan10
sflow collector 5.1.1.1 agent-addr 4.1.1.1 6343
sflow collector 6.1.1.1 agent-addr 4.1.1.1 6343
OS10(config)#show running-configuration interface vlan
!
interface vlan1
no shutdown
!
interface vlan10
no shutdown
ip address 10.1.1.
If sFlow is enabled and the port channel does not have any member interfaces, you will see a message similar to the following:
SFlow is not enabled (or) SFlow enabled and Port channel has no members
● View the sFlow running configuration in EXEC mode.
OS10# show running-configuration sflow
sflow enable
sflow max-header-size 80
sflow polling-interval 30
sflow sample-rate 4096
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.
sflow enable
Enables sFlow on a specific interface or globally on all interfaces.
Syntax sflow enable [all-interfaces]
Parameters all-interfaces — (Optional) Enter to enable sFlow globally.
Default Disabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables sFlow.
Usage Information The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics. The no version of the command resets the interval time to the default value.
Example OS10(conf)# sflow polling-interval 200
Supported Releases 10.3.0E or later
sflow sample-rate
Configures the sampling rate.
Example (VLAN) OS10(config)# sflow source-interface vlan 10
Supported Releases 10.4.1.0 or later
show sflow
Displays the current sFlow configuration for all interfaces or by a specific interface type.
Syntax show sflow [interface type]
Parameter interface type — (Optional) Enter either ethernet or port-channel for the interface type.
Command Mode EXEC
Usage Information OS10 does not support statistics for UDP packets dropped and samples received from the hardware.
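sFlow exports sampled packet headers to every configured collector, so saved show running-configuration sflow output is worth checking against the limits stated in this chapter (at most two collectors, a sampling rate from 4096 to 65535) and against a site list of approved collectors. The following Python check is an added example, not Dell EMC code; the function names and the approved-collector list are assumptions, and the sample configuration is constructed from the output shown in this chapter.

```python
import ipaddress

# Limits taken from this chapter of the guide.
MAX_COLLECTORS = 2
SAMPLE_RATE_RANGE = (4096, 65535)
DEFAULT_PORT = 6343  # standard sFlow UDP port, assumed when no port is configured

# Constructed sample, modeled on the running configuration shown in this chapter.
SAMPLE_CONFIG = """\
sflow enable
sflow max-header-size 80
sflow polling-interval 30
sflow sample-rate 4096
sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 max-datagram-size 800
sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666
!
interface ethernet1/1/1
 sflow enable
"""


def parse_sflow(config_text):
    """Return (collectors, sample_rate) parsed from running-configuration text."""
    collectors, sample_rate = [], None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if (tokens[:2] == ["sflow", "collector"] and len(tokens) >= 5
                and tokens[3] == "agent-addr"):
            # The UDP port is optional and follows the agent address.
            has_port = len(tokens) > 5 and tokens[5].isdigit()
            collectors.append({
                "collector": tokens[2],
                "agent": tokens[4],
                "port": int(tokens[5]) if has_port else DEFAULT_PORT,
            })
        elif (tokens[:2] == ["sflow", "sample-rate"] and len(tokens) == 3
                and tokens[2].isdigit()):
            sample_rate = int(tokens[2])
    return collectors, sample_rate


def audit_sflow(config_text, approved_collectors):
    """Return a list of findings; an empty list means the config passed."""
    approved = {ipaddress.ip_address(a) for a in approved_collectors}
    collectors, sample_rate = parse_sflow(config_text)
    findings = []
    if len(collectors) > MAX_COLLECTORS:
        findings.append(
            f"{len(collectors)} collectors configured; "
            f"the guide allows at most {MAX_COLLECTORS}")
    for entry in collectors:
        try:
            addr = ipaddress.ip_address(entry["collector"])
        except ValueError:
            findings.append(
                f"collector {entry['collector']}: not a valid IPv4/IPv6 address")
            continue
        if addr not in approved:
            findings.append(
                f"collector {addr} port {entry['port']}: not in the approved list")
    low, high = SAMPLE_RATE_RANGE
    if sample_rate is not None and not low <= sample_rate <= high:
        findings.append(f"sample-rate {sample_rate}: outside {low}-{high}")
    return findings


if __name__ == "__main__":
    # Hypothetical approved list containing only the first collector.
    for finding in audit_sflow(SAMPLE_CONFIG, ["10.16.150.1"]):
        print(finding)
```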
25 Telemetry Network health relies on performance monitoring and data collection for analysis and troubleshooting. Network data is often collected with SNMP and CLI commands using the pull mode. In pull mode, a management device sends a get request and pulls data from a client. As the number of objects in the network and the metrics grow, traditional methods limit network scaling and efficiency. Using multiple management systems further limits network scaling.
Table 141. BGP peers YANG Container Minimum sampling interval (milliseconds) infra-bgp/peer-state/peer-status 0 Buffer statistics Table 142. Buffer statistics YANG Container Minimum sampling interval (milliseconds) base-qos/queue-stat 15000 base-qos/priority-group-stat 15000 base-qos/buffer-pool-stat 15000 base-qos/buffer-pool 15000 Device information Table 143.
System statistics Table 147. System statistics YANG Container Minimum sampling interval (milliseconds) system-status/current-status 15000 Configure telemetry NOTE: To set up a streaming telemetry collector, download and use the OS10 telemetry .proto files from the Dell EMC Support site. To enable the streaming of telemetry data to destinations in a subscription profile: 1. Enable telemetry on the switch. 2. Configure a destination group. 3.
1. Enter the destination group name in TELEMETRY mode. A maximum of 32 characters.
OS10(conf-telemetry)# destination-group group-name
2. Enter the IPv4 or IPv6 address and transport-service port number in DESTINATION-GROUP mode. Only one destination is supported in the 10.4.3.0 release. You can enter a fully qualified domain name (FQDN) for ip-address. The destination domain name resolves to an IP address — see System domain name and list.
View telemetry configuration Use the following show commands to display telemetry configuration. OS10# show telemetry Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
View destination group OS10# show telemetry destination-group Telemetry Status : enabled -- Telemetry Destination Groups -Group : dest1 Destination : 10.11.56.
Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.204:40001 is in connected state Verify telemetry in running configuration OS10# show running-configuration telemetry ! telemetry enable ! destination-group dest1 destination 10.11.56.
ST=Spain/L=Valdepenias/O=Test/OU=Client/CN=localhost"
openssl x509 -passin pass:1234 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
e. Remove passphrase from the client key.
openssl rsa -passin pass:1234 -in client.key -out client.key
NOTE: The collector hostname (securesrc) is added to the server key.
f. Rename the file client.crt to os10host.crt, and client.key to os10host.key. Then, copy the ca.crt, os10host.crt and os10host.key files to the OS10 switch.
g.
Example OS10# debug telemetry
Supported releases 10.4.3.0 or later
telemetry
Enters Telemetry configuration mode to configure streaming telemetry.
Syntax telemetry
Parameters None
Default Telemetry is disabled on the switch.
Command mode CONFIGURATION
Usage information Enable and disable streaming telemetry in Telemetry mode.
Example OS10(config)# telemetry
OS10(conf-telemetry)#
Supported releases 10.4.3.0 or later
enable
Enables telemetry on the switch.
Example OS10(conf-telemetry)# destination-group dest1
OS10(conf-telemetry-dg-dest1)#
Supported releases 10.4.3.0 or later
destination
Configures a destination management device that receives streaming telemetry.
Syntax destination {ip-address | domain-name} port-number
Parameters
● ip-address — Enter the IPv4 or IPv6 address of the destination device. You can enter a fully qualified domain name (FQDN). The destination domain name resolves to an IP address — see System domain name and list.
destination-group (subscription-profile) Assigns a destination group to a subscription profile for streaming telemetry. Syntax destination-group group-name Parameters group-name — Enter the name of the destination group. A maximum of 32 characters. Default Not configured Command mode SUBSCRIPTION-PROFILE Usage information A subscription profile associates destination groups and sensor groups. A destination group defines the destination servers to which streaming telemetry data is sent.
● oc-stp — Enter oc-stp to assign Openconfig STP statistics sensor group to the subscription profile. ● oc-system — Enter oc-system to assign Openconfig system statistics sensor group to the subscription profile. ● oc-vendor-ufd — Enter oc-vendor-ufd to assign vendor specific ufd statistics sensor group to the subscription profile. ● oc-vendor-vxlan — Enter oc-vendor-vxlan to assign vendor specific vxlan statistics sensor group to the subscription profile.
encoding Configures the encoding format used to stream telemetry data to a destination device. Syntax encoding format Parameters format — Enter the gpb (Google protocol buffer) encoding format in which data is streamed. Default None Command mode SUBSCRIPTION-PROFILE Usage information The no version of the command removes the configured encoding format from a subscription profile.
Default None Command mode SUBSCRIPTION-PROFILE Usage information The telemetry agent uses the source interface to derive the VRF instance and IP address used to communicate with destination devices. For gRPC transport, source interface configuration is optional. The no version of the command removes the configured source interface from a subscription profile.
Sensor Path : system-status/current-status Group : oc-bfd Sensor Path : openconfig-bfd/bfd Group : oc-bgp Sensor Path : openconfig-bgp/bgp/neighbors/neighbor Sensor Path : openconfig-bgp/bgp/rib/afi-safis/afi-safi Group : oc-buffer Sensor Path : openconfig-qos/qos/interfaces/interface Group : oc-device Sensor Path : openconfig-platform/components/component Sensor Path : openconfig-network-instance/network-instances/ networkinstance Group : oc-environment Sensor Path : openconfig-platform/components/componen
Sensor Path : base-pas/fan-tray Sensor Path : base-pas/fan Sensor Path : base-pas/led Sensor Path : base-pas/temperature Sensor Path : base-pas/temp_threshold Sensor Path : base-pas/media Sensor Path : base-pas/media-channel Group : interface Sensor Path : if/interfaces-state/interface/statistics Sensor Path : dell-base-if-cmn/if/interfaces-state/interface Group : lag Sensor Path : dell-base-if-cmn/if/interfaces Group : system Sensor Path : system-status/current-status Group : oc-bfd Sensor Path : openconfi
system 300000 Encoding : gpb Transport : grpc TLS : disabled Source Interface : ethernet1/1/1 Active : true Reason : Connection summary: One or more active connections The connection 10.11.56.
OS10(conf-telemetry-sp-subscription-1)# transport grpc no-tls
OS10(conf-telemetry-sp-subscription-1)# source-interface ethernet 1/1/1
OS10(conf-telemetry-sp-subscription-1)# end
OS10# show telemetry
Telemetry Status : enabled
-- Telemetry Destination Groups --
Group : dest1
Destination : 10.11.56.
Sensor Path : vxlan/vxlan-state/remote-endpoint/stats Group : oc-vlan Sensor Path : openconfig-interfaces/interfaces/interface Group : oc-vrrp Sensor Path : openconfig-interfaces/interfaces/interface/subinterfaces/subinterface -- Telemetry Subscription Profiles -Name : subscription-1 Destination Groups(s) : dest1 Sensor-group Sample-interval ----------------------------------bgp 300000 bgp-peer 0 buffer 15000 device 300000 environment 300000 interface 180000 lag 0 system 300000 Encoding : gpb Transport : gr
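The show telemetry examples in this chapter report "TLS : disabled" for a profile configured with transport grpc no-tls, which means that profile streams telemetry to its collector unencrypted. The following Python check over saved show telemetry output is an added example, not Dell EMC code; the function names are assumptions, and the sample is constructed, with its line layout and the "TLS : enabled" value assumed from the flattened output on this page.

```python
import re

# Constructed sample. Field names come from the output shown in this chapter;
# the line breaks, subscription-2 and "TLS : enabled" are assumptions.
SAMPLE_SHOW_TELEMETRY = """\
Telemetry Status : enabled

-- Telemetry Destination Groups --
Group : dest1

-- Telemetry Subscription Profiles --
Name : subscription-1
Destination Groups(s) : dest1
Sensor-group     Sample-interval
-----------------------------------
bgp              300000
interface        180000
system           300000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
         The connection 10.11.56.204:40001 is in connected state

Name : subscription-2
Destination Groups(s) : dest2
Encoding : gpb
Transport : grpc
TLS : enabled
Active : false
"""

SECTION_RE = re.compile(r"^-+\s*(.*?)\s*-+$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ()\-]*?)\s*:\s*(?P<val>.*)$")
CONN_RE = re.compile(r"The connection (\S+) is in connected state")


def parse_subscription_profiles(text):
    """Return one dict per profile in the Subscription Profiles section."""
    profiles, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header and header.group(1):  # an all-dash table rule has no title
            in_section = header.group(1).lower() == "telemetry subscription profiles"
            current = None
            continue
        if not in_section:
            continue
        conn = CONN_RE.search(line)
        if conn and current is not None:
            current["connections"].append(conn.group(1))
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue  # sensor-group table rows and blank lines
        key, value = kv.group("key").strip().lower(), kv.group("val").strip()
        if key == "name":
            current = {"name": value, "connections": []}
            profiles.append(current)
        elif current is not None:
            current[key] = value
    return profiles


def cleartext_profiles(text):
    """Return profiles whose TLS state is anything other than 'enabled'."""
    findings = []
    for profile in parse_subscription_profiles(text):
        tls = profile.get("tls", "unknown").lower()
        if tls == "enabled":
            continue
        findings.append({
            "profile": profile["name"],
            "destination_groups": profile.get("destination groups(s)", ""),
            "transport": profile.get("transport", "unknown"),
            "tls": tls,
            "active": profile.get("active", "").lower() == "true",
            "connections": profile["connections"],
        })
    # Profiles that are streaming right now come first.
    findings.sort(key=lambda f: not f["active"])
    return findings


if __name__ == "__main__":
    for finding in cleartext_profiles(SAMPLE_SHOW_TELEMETRY):
        print(finding)
```

A profile with no TLS line at all is reported with tls set to "unknown" rather than being passed.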
26 RESTCONF API RESTCONF is a representational state transfer (REST)-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches using JavaScript Object Notation (JSON)-structured messages. Use any programming language to create and send JSON messages. The examples in this chapter use curl. The OS10 RESTCONF implementation complies with RFC 8040. You can use the RESTCONF API to configure and monitor an OS10 switch.
● ecdhe-rsa-with-aes-256-gcm-SHA384
rest https cipher-suite
4. Enable RESTCONF API in CONFIGURATION mode.
rest api restconf
RESTCONF API configuration
OS10(config)# rest https server-certificate name OS10.dell.
Error
{"ietf-restconf:errors":{"error":[{"error-type":"rpc","error-tag":"invalid-value","error-app-tag":"data-invalid","error-path":"/classifier-entry","error-message":"unknown resource instance","error-info":{"bad-value":"/restconf/data/dell-diffserv-classifier:classifier-entry=test","error-number":388}}]}}
POST request
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"dell-diffserv-classifier:classifier-entry": [{"name":"test","mtype":"qos","match":"
Translated RESTCONF requests example
Config command
OS10# cli mode rest-translate
Commands executed in this mode will not alter current system state.
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-system-software:system-sw-state/sw-version
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-system:system-state/system-status
Action/RPC based command
OS10# cli mode rest-translate
Commands executed in this mode will not alter current system state.
Do you want to proceed? [confirm yes/no]:yes
REST-TRANSLATE-OS10# configure terminal
CLI command: configure terminal
Restconf request(s):
curl -i -k -H "Accept: application/json" -u $USER_NAME:$PASSWORD -X GET https://$MGMT_IP/restconf/data/dell-mgmt-cm:cms
REST-TRANSLATE-OS10(config)# interface ethernet 1/1/1
CLI command: interface ethernet 1/1/1
Restconf request(s):
curl -i -k -H "Accept: application/json" -H "Content-Type: application/json" -u $USER_NAME:$PASSWORD -d '{"ietf-interfaces:interfaces":{"in
REST Token-Based Authentication
Limitations
The following limitations are applicable in 10.5.1:
● REST token authentication is disabled when FIPS mode is enabled.
Acquire new token
You can acquire a new token by calling the Login REST API. A successful Login API call using basic authentication generates a new set of tokens.
$ curl -X GET -k -u admin:admin -H "Content-Type: application/json" https://$TARGET/login
{ "access_token": "abc.123.xyz", "token_type": "bearer", "refresh_token": "efg.456.
CLI commands for RESTCONF API
rest api restconf
Enables the RESTCONF API service on the switch.
Syntax rest api restconf
Parameters None
Default RESTCONF API is disabled.
Command Mode CONFIGURATION
Usage Information
● After you enable the RESTCONF API, you can send curl commands in HTTPS requests from a remote device.
● The no version of the command disables the RESTCONF API.
Example OS10(config)# rest api restconf
Supported Releases 10.4.1.
Usage Information The no version of the command removes the host name from the SSL server certificate.
Example OS10(config)# rest https server-certificate name 10.10.10.10
Supported Releases 10.4.1.0 or later
rest https session timeout
Configures the timeout a RESTCONF HTTPS connection uses.
Syntax rest https session timeout seconds
Parameters seconds — Enter the switch timeout for an HTTPS request from a RESTCONF client, from 30 to 65535 seconds.
Usage Information This command disables translation of CLI command into equivalent RESTCONF requests in the current session.
Example REST-TRANSLATE-OS10# no cli mode
Supported Releases 10.5.1.0 or later
show cli mode
Display the current CLI session mode.
Syntax show cli mode
Parameters None
Default None
Command Mode Exec
Usage Information This command displays the active mode of the current CLI session and also the file name where the RESTCONF requests are stored.
rest authentication token max-refresh
Configures the maximum refresh time.
Syntax rest authentication token max-refresh count
Parameters count — Enter the refresh count limit, from 0 to 10. The count indicates the maximum number of times the tokens refresh. If you do not want to refresh, enter 0.
Default 3
Command Mode CONFIGURATION
Usage Information This command updates the maximum number of times the tokens refresh. The no version of the command resets the count to the default value.
● -u specifies the user name and password to use for server authentication. ● -k specifies a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line. Use the IP address or URL of the OS10 switch when you access the OS10 RESTCONF API from a remote orchestration system. ● -H specifies an extra header to include in the request when sending HTTPS to a server. You can enter multiple extra headers.
merge stop-on-error set
JSON content
{
"interface": [{ "type": "iana-if-type:softwareLoopback", "enabled": true, "description":"loopback interface", "name":"loopback1"}]
}
Parameters
● type string — Enter iana-if-type:softwareLoopback for a loopback interface.
● enabled bool — Enter true to enable the interface; enter false to disable.
● description string — Enter a text string to describe the interface. A maximum of 80 alphanumeric characters.
27 Troubleshoot Dell EMC SmartFabric OS10 Critical workloads and applications require constant availability. Dell EMC Networking offers tools to help you monitor and troubleshoot problems before they happen.
* 1 S4148F-ON 985 006 10 1 S4148F-ON-PWR-1-AC 1 S4148F-ON-FANTRAY-1 1 S4148F-ON-FANTRAY-2 1 S4148F-ON-FANTRAY-3 1 S4148F-ON-FANTRAY-4 09H9MN X01 TW-09H9MN-28298-713-0026 06FKHH 0N7MH8 0N7MH8 0N7MH8 0N7MH8 A00 X01 X01 X01 X01 CN-06FKHH-28298-6B5-03NY TW-0N7MH8-28298-713-0101 TW-0N7MH8-28298-713-0102 TW-0N7MH8-28298-713-0103 TW-0N7MH8-28298-713-0104 9531XC2 198 Boot information Display system boot and image information. ● View all boot information in EXEC mode.
30452 admin 1 root 2 root 3 root 5 root 7 root 8 root 10 root 11 root 12 root 13 root 14 root 15 root 16 root 17 root 19 root 20 root 21 root 22 root 23 root 24 root 25 root --more-- 20 20 20 20 0 20 20 20 20 20 rt rt rt rt 20 0 0 20 0 20 0 25 0 0 0 0 -20 0 0 0 0 0 0 0 0 0 0 -20 -20 0 -20 0 -20 5 22076 112100 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2524 5840 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2100 3032 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 R S S S S R S S S S S S S S S S S S S S S S 6.1 0.0 0.
Use the Linux tcpdump command without parameters to view packets that flow through all interfaces. To write captured packets to a file, use the -w parameter. To read the captured file output offline, you can use open source software packages such as Wireshark.
Capture packets from Ethernet interface
$ tcpdump -i e101-003-0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on e101-003-0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:39:22.457185 IP 3.3.3.1 > 3.
Test network connectivity Use the ping and traceroute commands to test network connectivity. When you ping an IP address, you send packets to a destination and wait for a response. If there is no response, the destination is not active. The ping command is useful during configuration if you have problems connecting to a hostname or IP address. When you execute a traceroute, the output shows the path a packet takes from your device to the destination IP address.
Type Ctrl-C to abort. ----------------------------------------------Tracing the route to 3ffe:501:ffff:100:201:e8ff:fe00:4c8b, 64 hops max, 60 byte packets ----------------------------------------------Hops Hostname Probe1 Probe2 Probe3 1 3ffe:501:ffff:100:201:e8ff:fe00:4c8b 000.000 ms 000.000 ms 000.000 ms Faulty media This section describes the behavior of pluggable media that OS10 cannot read because of some hardware or mechanical fault.
Software version : 10.4.
View diagnostics View system diagnostic information using show commands. Use the show hash-algorithm command to view the current hash algorithms configured for the Link Aggregation Group (LAG) and Equal Cost MultiPath (ECMP) protocols.
Hardware Revision Software Version Physical Ports BIOS System CPLD Master CPLD Slave CPLD : X01 : 10.5.1.0 : 48x10GbE, 2x40GbE, 4x100GbE : 3.33.0.0-3 : 0.4 : 0.10 : 0.
Example Supported Releases OS10# location-led system 1 on OS10# location-led system 1 off 10.3.0E or later show boot Displays boot-related information. Syntax show boot [detail] Parameters detail — (Optional) Enter to display detailed information. Default Not configured Command Mode EXEC Usage Information Use the boot system command to set the boot image for the next reboot.
Example Supported Releases OS10# show diag 00:00.0 Host bridge: Intel Corporation Atom processor C2000 SoC Transaction Router (rev 02) 00:01.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 1 (rev 02) 00:02.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 2 (rev 02) 00:03.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 3 (rev 02) 00:04.0 PCI bridge: Intel Corporation Atom processor C2000 PCIe Root Port 4 (rev 02) 00:0e.
show hash-algorithm Displays hash algorithm information. Syntax show hash-algorithm Parameters None Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show hash-algorithm LagAlgo - CRC EcmpAlgo - CRC 10.2.0E or later show inventory Displays system inventory information.
Command Mode EXEC Usage Information None Example OS10# show processes node-id 1 top - 09:19:32 up 5 days, 6 min, 2 users, load average: 0.45, 0.39, 0.34 Tasks: 208 total, 2 running, 204 sleeping, 0 stopped, 2 zombie %Cpu(s): 9.7 us, 3.9 sy, 0.3 ni, 85.8 id, 0.0 wa, 0.0 hi, 0.3 si, 0.0 st KiB Mem: 3998588 total, 2089416 used, 1909172 free, 143772 buffers KiB Swap: 399856 total, 0 used, 399856 free. 483276 cached Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 9 root 20 0 0 0 0 S 6.1 0.0 5:22.
PID  USER PR NI VIRT    RES    SHR   S %CPU %MEM TIME+   COMMAND
1019 root 20 0  1829416 256080 73508 S 6.6  6.4  1212:36 base_nas
OS10#
Supported Releases 10.3.0E or later
show system
Displays system information.
Syntax show system [brief | node-id]
Parameters
● brief — View an abbreviated list of the system information.
● node-id — View the node ID number.
Example (nodeid) OS10# show system node-id 1 fanout-configured Interface Breakout capable Breakout state ----------------------------------------------------Eth 1/1/5 No BREAKOUT_1x1 Eth 1/1/6 No BREAKOUT_1x1 Eth 1/1/7 No BREAKOUT_1x1 Eth 1/1/8 No BREAKOUT_1x1 Eth 1/1/9 No BREAKOUT_1x1 Eth 1/1/10 No BREAKOUT_1x1 Eth 1/1/11 No BREAKOUT_1x1 Eth 1/1/12 No BREAKOUT_1x1 Eth 1/1/13 No BREAKOUT_1x1 Eth 1/1/14 No BREAKOUT_1x1 Eth 1/1/15 No BREAKOUT_1x1 Eth 1/1/16 No BREAKOUT_1x1 Eth 1/1/17 No BREAKOUT_1x1 Eth 1/1/
● vrf vrf-name — (Optional) Traces the route to an IP address in the specified VRF instance. ● host — Enter the host to trace packets from. ● -i interface — (Optional) Enter the IP address of the interface through which traceroute sends packets. By default, the interface is selected according to the routing table. ● -m max_ttl — (Optional) Enter the maximum number of hops for the maximum time-to-live value that traceroute probes. The default is 30.
Recover Linux password
If you lose or forget your Linux administrator password, you can reconfigure it from the CLI using the system-user linuxadmin password {clear-text-password | hashed-password} command in CONFIGURATION mode. Save the password using the write memory command. For example:
OS10(config)# system-user linuxadmin password Dell@Force10!@
OS10(config)# exit
OS10# write memory
For more information, see Linuxadmin user configuration.
9. Configure the password by using the /opt/dell/os10/bin/recover_linuxadmin_password.sh plainpassword command. Enter the linuxadmin password in plain text.
root@OS10: /# /opt/dell/os10/bin/recover_linuxadmin_password.sh Dell@admin0!@
10. Enter the sync command to save the new password.
root@OS10: /# sync
11. Reboot the system, and then enter your new password.
root@OS10: /# reboot -f
Rebooting.[ 822.327073] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 822.340656] reboot: Restarting system
[ 822.
5. At the linuxadmin prompt, enter sudo -i and the linuxadmin password to enter root mode.
linuxadmin@s4048t-1:~$ sudo -i
[sudo] password for linuxadmin:
root@s4048t-1:~#
6. At the root mode prompt, enter the passwd username command to recover the password for the specified user name. Enter the new password twice; for example:
root@s4048t-1:~# passwd admin
New password:
Retype new password:
passwd: password updated successfully
7. Exit and log out from root mode and linuxadmin mode.
If it is not possible to restore your factory defaults with the installed OS, reboot the system from the Grub menu and select ONIE: Rescue. ONIE Rescue bypasses the installed operating system and boots the system into ONIE until you reboot the system. After ONIE Rescue completes, the system resets and boots to the ONIE console. 1. Restore the factory defaults on your system from the Grub menu using the ONIE: Uninstall OS command. To select which entry is highlighted, use the up and down arrow keys.
NOTE: When you upgrade from an earlier release (prior to Release 10.5.0.0), the switch does not retain the SupportAssist configuration. After the upgrade is complete, enable and configure SupportAssist again. You must reconfigure SupportAssist because the OS10 switch (starting from Release 10.5.0.0) connects to a different Dell EMC server, and you must accept the EULA and reconfigure the server again.
Or OS10(conf-support-assist)# server url https://domain username example-username password example-password 5. (Required) Configure the interface to connect to the SupportAssist server in SUPPORT-ASSIST mode. OS10(conf-support-assist)# source-interface interface 6. (Required) Configure the contact information for your company in SUPPORT-ASSIST mode. OS10(conf-support-assist)# contact-company name ExampleCompanyName OS10(conf-support-assist-ExampleCompanyName)# 7.
1. (Required) Enter the contact name in SUPPORT-ASSIST mode. OS10(config)# support-assist OS10(conf-support-assist)# contact-company name ExampleCompanyName OS10(conf-support-assist-ExampleCompanyName)# contact-person first firstname last lastname 2. (Required) Enter the email addresses in SUPPORT-ASSIST mode. OS10(conf-support-assist-ExampleCompanyName)# email-address primary email-address [alternate alternate-email-address] You can optionally configure an alternate email address. 3.
Set default activity schedule OS10(conf-support-assist)# no support-assist-activity full-transfer schedule View status View the SupportAssist configuration status, details, and EULA information using the following show commands: 1. View the SupportAssist activity in EXEC mode. show support-assist status 2. View the EULA license agreement in EXEC mode.
View EULA license OS10# show support-assist eula SUPPORTASSIST ENTERPRISE - SOFTWARE TERMS *** IMPORTANT INFORMATION - PLEASE READ CAREFULLY *** This SupportAssist Software ("Software") contains computer programs and other proprietary material and information, the use of which is governed by and expressly conditioned upon acceptance of this SupportAssist Enterprise Software Terms ("Agreement").
9 Fri Jun 30 05:13:37 UTC 2019 Full-transfer bundle upload failed due to communication error 10 Fri Jun 30 05:14:00 UTC 2019 Alert bundle upload failed due to communication error 11 Fri Jun 30 05:14:03 UTC 2019 Alert bundle uploaded to ESRS Server List of country names and codes This section provides a list of country codes that you must use in the address command. Table 150.
SupportAssist commands
eula-consent
Accepts or rejects the SupportAssist end-user license agreement (EULA).
Syntax eula-consent {support-assist} {accept | reject}
Parameters
● support-assist — Enter to accept or reject the EULA for the service.
● accept — Enter to accept the EULA-consent.
● reject — Enter to reject EULA-consent.
Default Not configured
Command Mode CONFIGURATION
Usage Information If you reject the end-user license agreement, you cannot access the SupportAssist Configuration submode.
Usage Information Example This command displays the warranty information for the OS10 switch and the relevant service contracts.
Usage Information Example Supported Releases OS10(config)# support-assist OS10(conf-support-assist)# 10.2.0E or later support-assist-activity Schedules a time for data collection and transfer activity or performs on-demand data collection and managed file transfer.
Examples OS10# support-assist-activity full-transfer start-now OS10# support-assist-activity full-transfer schedule hourly min 59 OS10# support-assist-activity full-transfer schedule daily hour 23 min 59 OS10# support-assist-activity full-transfer schedule weekly day-of-week 1 hour 23 min 59 OS10# support-assist-activity full-transfer schedule monthly day 30 hour 23 min 59 OS10# support-assist-activity full-transfer schedule yearly month 12 day 31 hour 23 min 59 Supported Releases 10.2.
Examples OS10(conf-support-assist)# activity event-notification enable OS10(conf-support-assist)# activity full-transfer enable Supported Releases 10.2.0E or later contact-company Configures the company contact information. Syntax contact-company name company-name Parameters company-name—Enter the contact company name. Default Not configured Command Mode SUPPORT-ASSIST Usage Information You can enter only one contact company.
Default Not configured Command Mode SUPPORT-ASSIST Example Supported Releases OS10(conf-support-assist)# show configuration ! support-assist server url https://esrs3stg.emc.
Default None Command Mode EXEC Usage Information Use this command to view the EULA for SupportAssist.
Activity Schedule Schedule created on ---------------------------------------------------full-transfer None Never Activity Status : Activity Status last start last success ---------------------------------------------------------------------------full-transfer Success 2019-06-13 16:08:51 2019-06-13 16:15:19 event-notification Success 2019-06-13 16:04:35 2019-06-13 16:04:39 keep-alive Success 2019-06-13 18:00:00 2019-06-13 17:30:03 Server Status : Last KeepAlive Status Last KeepAlive Successful Last Keep
SupportAssist company commands address Configures the company address. Syntax address city name state name country name zipcode number Parameters ● ● ● ● Default Not configured Command Mode SUPPORT-ASSIST contact company sub-mode Usage Information Enter ? to view a list of supported country names and codes. You can also find this information at the following location: Country names and codes. The no version of this command removes the configuration.
Example Supported Releases OS10(conf-support-assist-ExampleCompanyName)# street-address "One Dell Way" "Suite 100" "Santa Clara" 10.2.0E or later territory Configures the place where the company is located. Syntax territory territory-name Parameters territory-name—Enter the territory where the company is located. Default Not configured Command Mode CONF-SUPPORT-ASSIST Usage Information The no version of this command removes the configuration.
Usage Information Example Supported Releases The no version of this command removes the configuration. OS10(conf-support-assist-ExampleCompanyName-FirstnameLastname)# phone primary 000-123-4567 10.2.0E or later preferred-method Configures a preferred method to contact an individual. Syntax preferred-method {email | phone | no-contact} Parameters ● email—Enter to select email as the preferred contact method. ● phone—Enter to select phone as the preferred contact method.
Use the delete supportbundle://sosreport-filename.tar.gz command to delete a generated support bundle. Event notifications Event notifications for the generate support-bundle command process at the start and end of the bundle they support, and reports either success or failure. Support bundle generation start event Apr 19 16:57:55: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_STARTED: generate support-bundle execution has started successfully:All Plugin options disabled Apr 19 16:57:55: %Node.1-Unit.
Example (Disable Options - IPv4) OS10# generate support-bundle disable-all-plugin-options scp:// xyz:pwd@10.1.1.1//home/user/xyz/ Example (Disable Options - IPv6) OS10# generate support-bundle disable-all-plugin-options scp:// xyz:pwd@[10::1]//home/user/xyz/ Example (Copy SoS report using SCP) OS10# generate support-bundle scp://xyz:pwd@10.1.1.1//home/user/xyz/ OS10# generate support-bundle scp://xyz:pwd@[10::1]//home/user/xyz/ Supported Releases 10.2.
● Stateful events—Events that are raised when the abnormal situation arises, and cleared when the situation returns to normal. These types of events are called alarms.

Events can have one of the following severities:
● CRITICAL—A critical condition exists and requires immediate action. A critical event may trigger if one or more hardware components fail, or one or more hardware components exceed temperature thresholds.
● MAJOR—A major error has occurred and requires escalation or notification.
To delete a severity profile, use the delete command. You can delete all severity profiles except the default and active profiles.

Configure custom severity profile
To modify the severity of events or disable event notification:
Your user account must have any one of the following privileges: System admin (sysadmin), security admin (secadmin), or network admin (netadmin).
1. Use the dir command to view the list of available severity profiles in the severity-profile:// partition.
When you copy the custom profile, you must update the name of the custom profile. You cannot use the same name as the default profile (default.xml) or the active profile (mySevProf.xml).
5. Apply the custom severity profile on the switch.
OS10# event severity-profile mySevProf_1.xml
NOTE: You must restart the switch for the changes to take effect.
6. Restart the switch.
OS10# reload
7. Use the show event severity-profile command to view the custom profile that is active.
● Configure the remote syslog server in CONFIGURATION mode.
logging server {ipv4-address | ipv6-address} [tcp | udp | tls] [port-number] [severity severity-level] [vrf {management | vrf-name}]

Note: The switch might temporarily stop printing the system messages for a time period after the following sequence of events:
1. Change the system clock to a future date and wait for the system messages to print.
2. Revert the date to the present date and wait for the system messages to print.
3. Reload the switch.
● ca-cert-filepath specifies the local path to the downloaded certificate; for example, home://CAcert.pem or usb://CA-cert.pem.
● filename specifies an optional filename that the certificate is stored under in the OS10 trust-store directory. Enter the filename in the filename.crt format.
2. Obtain an X.509v3 host certificate from the CA server:
a. Create a private key and generate a certificate signing request for the switch.
b. Copy the CSR file to the CA server for signing.
c.
Example: Configure Syslog over TLS
OS10# copy tftp://CAadmin:secret@172.11.222.1/cacert.pem home://cacert.pem
OS10# crypto ca-cert install home://cacert.pem
Processing certificate ...
Installed Root CA certificate
CommonName = Certificate Authority CA
IssuerName = Certificate Authority CA
OS10# show crypto ca-certs
--------------------------------------
| Locally installed certificates |
--------------------------------------
cacert.crt
OS10# crypto cert generate request cert-file home://clientreq.
ent:Unit 1#003
Jun 1 05:02:09 %Node.1-Unit.1:PRI:OS10 %log-notice:EQM_PSU_DETECTED: Power Supply Unit present:PSU 1#003
Jun 1 05:02:09 %Node.1-Unit.1:PRI:OS10 %log-notice:EQM_PSU_DETECTED: Power Supply Unit present:PSU 2#003
Jun 1 05:02:09 %Node.1-Unit.1:PRI:OS10 %log-notice:EQM_FAN_TRAY_DETECTED: Fan tray present:Fan tray 1#003
Jun 1 05:02:09 %Node.1-Unit.1:PRI:OS10 %log-notice:EQM_FAN_TRAY_DETECTED: Fan tray present:Fan tray 2#003
Jun 1 05:02:09 %Node.1-Unit.
Link-bundle monitoring
Monitoring link aggregation group (LAG) bundles lets you examine how traffic is distributed across the member links and look for unfair distribution at any given time. A threshold of 60% is an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances. Any deviation within that time sends a syslog message and generates an alarm event. When the deviation clears, another syslog message is sent and a clear alarm event is generated.
Usage Information Configures a severity profile to change the characteristics of events. If you configure a custom profile, the profile applies on top of the default profile. Restart the system for the changes to take effect. The system restart ensures that the existing stateful events are tagged appropriately based on the newly applied severity profile. Severity profiles are stored in the severity-profile:// partition.
Example
Supported Releases
100071  warning   EQM_FAN_FAULT_MINOR  /psu/1/fan/1  Tue Jul 23 13:53:47 2019
100072  critical  EQM_FAN_FAULT_MAJOR  /psu/1        Tue Jul 23 13:53:47 2019
Supported Releases 10.2.0E or later

show alarms details
Displays details about active alarms.
Syntax show alarms details
Parameters None
Default None
Command Mode EXEC
Usage Information The output of the show alarms details command indicates if an alarm is acknowledged or not.
show alarms sequence
Displays information corresponding to the active alarm based on the sequence number that you specify.
Syntax show alarms sequence sequence-number
Parameters
● sequence-number — Enter the sequence number corresponding to the active alarm.
Default None
Command Mode EXEC
Usage Information Use the show alarms command to view all active alarms. Use an active alarm sequence number to view detailed information about that alarm.
Example (Critical)
OS10# show alarms severity critical
Active-alarm details - 0
-------------------------------------------
Sequence Number: 1
Severity: critical
Type: 1081367
Source: Node.1-Unit.
show event history
Displays the history of all events with the latest at the top of the output.
Syntax show event history [summary] [reverse] [severity severity-name] [details] [sequence sequence-number]
Parameters
● summary—Displays a summary of the event history.
● reverse—Displays a summary of the event history from the beginning, with the oldest event listed at the top of the output.
● severity—Displays event history for a given severity: CRITICAL, MAJOR, MINOR, WARNING, INFORMATIONAL.
Sequence Number: 2
Severity: informational
Name: IFM_ASTATE_UP
Description: Dummy Event
Timestamp: Fri May 03 18:13:07 2019
Source:
State: stateless
-------------------------------------------
Event History Details - 1
-------------------------------------------
Sequence Number: 1
Severity: informational
Name: IFM_ASTATE_UP
Description: Dummy Event
Timestamp: Fri May 03 18:13:05 2019
Source:
State: stateless
-------------------------------------------
Example (summary) If the sequence number counter is not rolle
Logging commands

clear logging
Clears messages in the logging buffer.
Syntax clear logging log-file
Parameters None
Default Not configured
Command Mode EXEC
Usage Information
Example
OS10# clear logging log-file
Proceed to clear the log file [confirm yes/no(default)]:
Supported Releases 10.2.0E or later

logging console
Disables, enables, or configures the minimum severity level for logging to the console.
logging enable
Enables system logging.
Syntax logging enable
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables all logging.
Example OS10(config)# logging enable
Supported Releases 10.2.0E or later

logging log-file
Disables, enables, or sets the minimum severity level for logging to the log file.
● log-alert — Set to immediate action is needed.
● log-crit — Set to critical conditions.
● log-err — Set to error conditions.
● log-warning — Set to warning conditions.
● log-notice — Set to normal but significant conditions, the default.
● log-info — Set to informational messages.
● log-debug — Set to debug messages.
Default Log-notice
Command Mode CONFIGURATION
Usage Information To reset the monitor severity to the default level, use the no logging monitor severity command.
○ log-debug — Debug messages
● vrf {management | vrf-name} — (Optional) Configure the logging server for the management or a specified VRF instance.
Defaults System logging to a remote server is not configured. When configured, system messages are sent over UDP to port 514 on a remote logging server by default. System messages of severity-level log-notice and lower are sent.
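For log lines collected from the switch, the Python below parses the message layout seen in this guide's sample output and applies the "log-notice and lower" severity cut-off described above. It is an added example, not Dell EMC code: the regular expression is inferred from the samples, the severity numbering is standard syslog (assumed to match OS10), and the input lines are constructed.

```python
import re

# Severity keywords as used in this guide, numbered as in standard syslog.
# Assumption: OS10's "log-notice and lower" refers to this numbering.
SEVERITY = {"log-emerg": 0, "log-alert": 1, "log-crit": 2, "log-err": 3,
            "log-warning": 4, "log-notice": 5, "log-info": 6, "log-debug": 7}

# Layout inferred from the guide's sample messages (not a published grammar):
#   <Mon D HH:MM:SS>[:] %Node.N-Unit.N:<tag>:OS10 %<severity>:<EVENT>: <text>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):?\s+"
    r"%Node\.(?P<node>\d+)-Unit\.(?P<unit>\d+):(?P<tag>\w+):OS10\s+"
    r"%(?P<severity>log-[a-z]+):(?P<event>[A-Z0-9_]+):\s*(?P<text>.*)$")

def parse_line(line):
    """Return the message fields as a dict, or None for an unrecognised line."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("severity") not in SEVERITY:
        return None
    rec = m.groupdict()
    rec["node"], rec["unit"] = int(rec["node"]), int(rec["unit"])
    return rec

def passes_threshold(rec, threshold="log-notice"):
    """True when the message is at the threshold severity or more severe."""
    return SEVERITY[rec["severity"]] <= SEVERITY[threshold]

def triage(lines, threshold="log-notice"):
    """Split lines into (kept, dropped, unparsed) for a given severity cut-off."""
    kept, dropped, unparsed = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)   # keep truncated or odd lines for review
        elif passes_threshold(rec, threshold):
            kept.append(rec)
        else:
            dropped.append(rec)
    return kept, dropped, unparsed

# Constructed input: two lines in the guide's layout, one debug message with
# a hypothetical event name, and one truncated line.
SAMPLE = [
    "Apr 19 16:57:55: %Node.1-Unit.1:PRI:OS10 %log-notice:SUPPORT_BUNDLE_STARTED: "
    "generate support-bundle execution has started successfully",
    "Jun  1 05:02:09 %Node.1-Unit.1:PRI:OS10 %log-notice:EQM_PSU_DETECTED: Power Supply Unit present:PSU 1",
    "Jun  1 05:02:10 %Node.1-Unit.1:PRI:OS10 %log-debug:EXAMPLE_DEBUG_EVENT: constructed",
    "Jun  1 05:02:09 %Node.1-Unit.",
]
```

Lines that do not match are returned in the third list instead of being discarded, so truncated or altered messages stay visible to whoever reviews the logs.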
dn_l2_services dn_dot1x dn_l3_core_serv dn_policy dn_qos dn_switch_res_m dn_ospfv3 dn_lacp dn_i3 dn_supportassis
--More--
Supported Releases 10.2.0E or later

show trace
Displays trace messages.
Syntax show trace [number-lines]
Parameters number-lines — (Optional) Enter the number of lines to include in log messages, from 1 to 65535.
Default Enabled
Command Mode EXEC
Usage Information The output from this command is the /var/log/syslog file.
Supported Releases 10.2.0E or later

Monitor CPU Utilization
You can set CPU thresholds so that alarms are triggered when CPU utilization reaches the high or low threshold level. CPU utilization is monitored as a running average percentage over predefined intervals of five seconds, one minute, and five minutes. By default, this feature is enabled with a higher threshold value so that alarms do not generate frequently. When CPU utilization crosses the high threshold, a critical alarm triggers.
========================
CPUID    5Sec(%)  1Min(%)  5Min(%)
-------------------------------------------
Overall  9.09     8.58     9.09

PID   Process     Runtime(s)  5sec(%)  1min(%)  5min(%)
1387  dn_sm       243346      1.4      1.4      1.4
955   dn_pas_svc  243354      0.6      0.6      0.6
959   dn_dot1x    243354      0.2      0.2      0.2
1374  dn_lacp     243346      0.2      0.2      0.2
Supported Releases 10.5.2.0 or later

show util-threshold cpu
Displays the configured CPU utilization threshold values.
Example OS10(config)# util-threshold cpu 5min high 80 low 60
Supported Releases 10.5.2.0 or later

Monitor Memory Utilization
You can set memory thresholds so that an alarm triggers when the system memory utilization reaches the high or low threshold level. By default, this feature is enabled with a higher threshold value so that alarms do not generate frequently. Memory utilization is monitored as a percentage of memory consumed in the overall system memory.
Supported Releases 10.5.2.0 or later

show util-threshold memory
Displays the configured memory utilization threshold values.
Syntax show util-threshold memory
Parameters None
Defaults None
Command Mode EXEC
Usage Information This command displays the memory utilization thresholds that trigger alarms. When the memory exceeds the high or low configured threshold values, an alarm is generated. To reconfigure the threshold values, use the util-threshold memory command.
CAUTION: Changing the system state from the Linux shell can result in undesired and unpredictable system behavior. Only use Linux shell commands to display system state and variables, or as instructed by Dell EMC Support.

OS10 login: linuxadmin
Password: linuxadmin >> only for first-time login
Linux OS10 3.16.7-ckt20 #1 SMP Debian 3.16.
Although the default management route was configured during installation, you can use the route add default gw command from the Linux shell to configure the default management IP address for routing. To work properly, SupportAssist requires that the default management route is configured, along with DNS and a route to a proxy server.

How do I log into the OS10 shell as the system administrator?
Use linuxadmin as the username and password to enter OS10 at root level.
Layer 3

How do I view IPv6 interface information?
Use the show ipv6 route summary command.

How do I view summary information for all IP routes?
Use the show running-configuration command.

How do I view summary information for the OSPF database?
Use the show ip ospf database command.

How do I view configuration of OSPF neighbors connected to the local router?
Use the show ip ospf neighbor command.
PFC cost of service error messages:
● % Error: Not enough buffers are available, to enable system-qos wide pause for all pfccos values in the policymap
● % Error: Not enough buffers are available, to enable system-qos wide pause for the pfccos values in the policymap
● % Error: Not enough buffers are available, to enable pause for all pfc-cos values in the policymap for this interface
● % Warning: Not enough buffers are available, for lossy traffic.
28 Support resources

The Dell EMC Support site provides a range of documents and tools to assist you with effectively using Dell EMC devices. Through the support site you can obtain technical information regarding Dell EMC products, access software upgrades and patches, download available management software, and manage your open cases. The Dell EMC support site provides integrated, secure access to these services. To access the Dell EMC Support site, go to www.dell.com/support/.