OS10 Enterprise Edition User Guide Release 10.4.3.0 March 2019 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2018 - 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents

Chapter 1: Getting Started
Supported Hardware
Download OS10 image and license
Installation using ONIE

dir
discard
do

SNMP engine ID
SNMP groups and users
SNMP views

S4148-ON Series port profiles
S4148U-ON port profiles
Configure breakout mode

switchport access vlan
switchport mode
switchport trunk allowed vlan

FIP-snooping commands
feature fip-snooping
fip-snooping enable

Network connectivity device
LLDP-MED capabilities TLV
Network policies TLVs

Setting spanning-tree link type for rapid state transitions
MAC flush optimization
RSTP commands
Virtual LANs

AS number migration
Configure Border Gateway Protocol
Enable BGP

Designated and backup designated routers
Link-state advertisements
Router priority

Supported IGMP versions
Query interval
Last member query interval

show interface virtual-network
show nve remote-vtep
show nve remote-vtep counters
show nve vxlan-vni

Chapter 10: Security
User re-authentication
Password strength

login concurrent-session limit
login-statistics enable
password-attributes

OpenFlow protocol
OpenFlow use cases
Configure OpenFlow

clear mac access-list counters
deny
deny (IPv6)

seq deny icmp (IPv6)
seq deny ip
seq deny ipv6

set next-hop
set origin
set tag

pause
pfc-cos
pfc-max-buffer-size

show queuing statistics
system qos
trust-map

Uplink failure detection on VLT
Sample configurations of UFD on VLT
UFD commands
clear ufd-disable

sflow source-interface
show sflow
Chapter 18: Telemetry
Telemetry terminology

SupportAssist
Configure SupportAssist
Set company name
1 Getting Started
Dell EMC Networking OS10 Enterprise Edition is a network operating system (OS) supporting multiple architectures and environments. The networking world is moving from a monolithic stack to a pick-your-own-world. The OS10 solution allows disaggregation of the network functionality.
NOTE: Starting from release 10.4.2.1, OS10 supports the S5148F-ON platform.
Download OS10 image and license
OS10 Enterprise Edition may come factory-loaded and is available for download from the Dell Digital Locker (DDL). A factory-loaded OS10 image includes a perpetual license. An OS10 image that you download has a 120-day trial license and requires a perpetual license to run beyond the trial period.
● Generate a checksum for the downloaded OS10 binary image by running the md5sum command on the image file. Ensure that the generated checksum matches the checksum extracted from the .tar file.
md5sum image_filename
● Copy the OS10 image file to a local server using the copy command.
To install an OS10 Enterprise Edition image and license, see Installation using ONIE and Install OS10 license.
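Added example (not from the Dell guide): a POSIX shell function that performs the checksum comparison described above and fails closed on a malformed or mismatched value. It assumes the checksum file stores the digest as the first field of its first non-empty line, as md5sum prints it; the file names passed in are placeholders.

```shell
#!/bin/sh
# Added example, not part of the OS10 guide.
# Assumption: the checksum file extracted from the .tar holds the MD5 digest
# as the first whitespace-separated field of its first non-empty line.
# An MD5 match shows the download is intact; it is not a signature check.

verify_image_md5() {
    image=$1
    sumfile=$2

    [ -r "$image" ]   || { echo "cannot read image: $image" >&2; return 2; }
    [ -r "$sumfile" ] || { echo "cannot read checksum file: $sumfile" >&2; return 2; }

    # Published digest, lower-cased so the comparison is case-insensitive.
    expected=$(awk 'NF { print tolower($1); exit }' "$sumfile")

    # Refuse anything that is not exactly 32 hexadecimal digits, so a
    # truncated or HTML-error "checksum file" can never compare equal.
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed digest in $sumfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed digest in $sumfile" >&2; return 2; }

    # Read the image on stdin so the file name cannot alter md5sum's output.
    actual=$(md5sum < "$image" | awk '{ print $1 }')

    if [ "$actual" = "$expected" ]; then
        echo "OK $image $actual"
        return 0
    fi
    echo "MISMATCH $image expected=$expected actual=$actual" >&2
    return 1
}

# Stand-alone use: sh verify.sh <image-file> <checksum-file>
if [ "$#" -eq 2 ]; then
    verify_image_md5 "$1" "$2"
fi
```

The function returns 0 on a match, 1 on a mismatch and 2 when either input is unusable, so an install script can stop before copying the image to the switch.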
For an ONIE-enabled switch, navigate to the ONIE boot menu. An ONIE-enabled switch boots up with pre-loaded diagnostics (DIAGs) and ONIE software.
+--------------------------------------------------------+
|*ONIE: Install OS                                       |
| ONIE: Rescue                                           |
| ONIE: Uninstall OS                                     |
| ONIE: Update ONIE                                      |
| ONIE: Embed ONIE                                       |
| ONIE: Diag ONIE                                        |
+--------------------------------------------------------+
● Install OS — Boots to the ONIE prompt and installs an OS10 image using the Automatic Discovery process.
... Press or to enter setup.
Welcome to GRUB!
GNU GRUB version 2.02~beta2+e4a1fe391
OS10-B
EDA-DIAG
ONIE
Booting `OS10-A'
Loading OS10 ...
[ 3.883826] kvm: already loaded the other module
[ 3.967628] dummy-irq: no IRQ given. Use irq=N
[ 3.973212] mic_init not running on X100 ret -19
[ 3.980168] esas2r: driver will not be loaded because no ATTO esas2r devices were found
[ 4.021676] mtdoops: mtd device (mtddev=name/number) must be supplied
[ 5.092316] i8042: No controller found
[ 5.
3. (Optional) Stop ONIE discovery if the device boots to ONIE: Install.
$ onie-discovery-stop
4. Create a USB mount location on the system.
$ mkdir /mnt/media
5. Identify the path to the USB drive.
$ fdisk -l
6. Mount the USB media plugged in the USB port on the device.
$ mount -t vfat usb-drive-path /mnt/media
7. Install the software from the USB, where /mnt/media specifies the path where the USB partition is mounted.
After you install OS10 and log in, install the license to run OS10 Enterprise Edition beyond the trial period. For more information, see Download OS10 image and license. The OS10 license is installed in the /mnt/license directory.
1. Download the License.zip file from DDL as described in Download OS10 image and license.
2. Open the zip file and locate the license file in the Dell folder. Copy the license file to a local or remote workstation.
3. Install the license file from the workstation in EXEC mode.
System Information
---------------------------------------------------------
Vendor Name : Dell
Product Name : S3048ON
Hardware Version : A01
Platform Name : x86_64-dell_s3000_c2338-r0
PPID : CN08YWFG282983APSU02
Service Tag : 7B900Q2
Product Base :
Product Serial Number:
Product Part Number :
License Details
----------------
Software : OS10-Enterprise
Version : 10.4.3.0
License Type : PERPETUAL
License Duration: Unlimited
License Status : Active
License location: /mnt/license/7B900Q2.
● In the provisioning script, enter the file names for the IMG_FILE, CLI_CONFIG_FILE, and POST_SCRIPT_FILE variables as shown in ZTD provisioning script.
● If no file names are specified, OS10 immediately exits ZTD and returns to CLI configuration mode.
● If the download of any of the specified files fails, ZTD stops. OS10 exits ZTD and unlocks the CLI configuration mode.
2. If an OS10 image is specified for IMG_FILE, ZTD installs the software image in the standby partition.
Protocol State : idle
Reason : ZTD process completed successfully at Mon Jul 16 19:31:57 2018
-----------------------------------
ZTD logs
ZTD generates log messages about its current status.
[os10:notify], %Dell EMC (OS10) %ZTD-IN-PROGRESS: Zero Touch Deployment applying post configurations.
ZTD also generates failure messages.
[os10:notify], %Dell EMC (OS10) %ZTD-FAILED: Zero Touch Deployment failed to download the image.
○ Any of the IMG_FILE, CLI_CONFIG_FILE, and POST_SCRIPT_FILE entries are invalid or if specified, the files cannot be downloaded. For the IMG_FILE, CLI_CONFIG_FILE, and POST_SCRIPT_FILE files, you can specify HTTP, SCP, SFTP, or TFTP URLs.
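Added example (not Dell's tooling): a POSIX shell check that reads a ZTD provisioning script and reports download URLs that use HTTP or TFTP, which are unauthenticated cleartext transports, or that embed a password. The sample script, addresses and password are constructed, and the NAME="url" assignment form is an assumption about how the script sets the three variables.

```shell
#!/bin/sh
# Added example, not part of the OS10 guide.
# Assumption: the provisioning script assigns IMG_FILE, CLI_CONFIG_FILE and
# POST_SCRIPT_FILE one per line as NAME="url" (quotes optional).

# Constructed sample input (documentation address range, invented password).
write_sample_ztd_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
IMG_FILE="http://192.0.2.10/OS10.bin"
CLI_CONFIG_FILE="sftp://ztd@192.0.2.10/cfg/cli_config"
POST_SCRIPT_FILE="scp://ztd:Example-Pw@192.0.2.10/scripts/post.sh"
EOF
}

# Print one finding per problem for a single NAME/URL pair.
ztd_url_findings() {
    name=$1
    url=$2
    [ -n "$url" ] || return 0          # variable left empty: nothing to fetch
    case $url in
        *://*) scheme=${url%%://*}; rest=${url#*://} ;;
        *) echo "$name: value has no URL scheme"; return 0 ;;
    esac
    scheme=$(printf '%s' "$scheme" | tr 'A-Z' 'a-z')
    case $scheme in
        http|tftp) echo "$name: $scheme is an unauthenticated cleartext transport" ;;
        scp|sftp)  ;;
        *)         echo "$name: scheme '$scheme' is not one of HTTP, SCP, SFTP, TFTP" ;;
    esac
    # user:password@host in the authority part; the secret itself is not echoed.
    authority=${rest%%/*}
    case $authority in
        *:*@*) echo "$name: password embedded in URL" ;;
    esac
    return 0
}

# Returns 0 when clean, 1 when findings were printed, 2 on unreadable input.
audit_ztd_script() {
    script=$1
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    findings=$(
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                IMG_FILE=*|CLI_CONFIG_FILE=*|POST_SCRIPT_FILE=*) ;;
                *) continue ;;
            esac
            name=${line%%=*}
            value=${line#*=}
            value=${value%% *}                        # drop trailing comment
            value=${value#\"}; value=${value%\"}      # drop double quotes
            value=${value#\'}; value=${value%\'}      # drop single quotes
            ztd_url_findings "$name" "$value"
        done < "$script"
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh ztd_audit.sh <provisioning-script>
if [ "$#" -gt 0 ]; then
    audit_ztd_script "$1"
fi
```

On the constructed sample this reports IMG_FILE for HTTP and POST_SCRIPT_FILE for the embedded password, and passes the SFTP entry.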
ntp server 129.6.15.32
!
!
logging server 10.22.0.99
Post-ZTD script
As a general guideline, use a post-ZTD script to perform any additional functions required to configure and operate the switch. In the ZTD provisioning script, specify the post-ZTD script path for the POST_SCRIPT_FILE variable. You can use a script to notify an orchestration server that the ZTD configuration is complete. The server can then configure additional settings on the switch.
Protocol State : idle
Reason : ZTD process completed successfully at Mon Jul 16 19:31:57 2018
-----------------------------------
OS10# show ztd-status
-----------------------------------
ZTD Status : disabled
ZTD State : failed
Protocol State : idle
Reason : ZTD process failed to download post script file
-----------------------------------
● ZTD Status — Current operational status: enabled or disabled.
1. Open an SSH session using the IP address of the device. You can also use PuTTY or a similar tool to access the device remotely.
ssh admin@ip-address
password: admin
2. Enter admin for both the default user name and password to log into OS10. You are automatically placed in EXEC mode.
OS10#
Remote access Linux shell
ssh linuxadmin@ip-address
password: linuxadmin
Configure Management IP address
To remotely access OS10, assign an IP address to the management port.
Configure a management route to the network in CONFIGURATION mode. Repeat the command to configure multiple routes for the Management port.
management route {ipv4-address/mask | ipv6-address/prefix-length} {forwarding-router-address | managementethernet}
● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in /prefix-length format (/x).
● ipv6-address/prefix-length — Enter an IPv6 address in x:x:x:x::x format with the prefix length in /x format.
User accounts
OS10 defines two categories of user accounts — use admin for both the username and password to log into the CLI, or use linuxadmin to log into the Linux shell.
NOTE: You cannot delete the default admin and linuxadmin usernames.
Key CLI features
Consistent command names
Commands that provide the same type of function have the same name, regardless of the portion of the system on which they are operating.
under the show system command, and all commands that display information about the routing table are grouped under the show ip route command.
CLI command categories
There are several broad groups of CLI commands available:
copy        Copies files from one location on a device to another, from a device to a remote system, or from a remote system to a device.
configure   Enters CONFIGURATION mode to configure routing protocols, interfaces, network management, and user access.
exit        Moves up one command mode.
debug                    Debug command
delete                   Perform a file delete operation on local file system
dir                      Show the list of files for the specified system folder
discard                  Discard candidate configuration
exit                     Exit from the CLI
generate                 Command to generate executed functionality
help                     Display available commands
image                    Image commands
kill-session             Kill a CLISH session
license                  License and digital fulfillmen
location-led
lock
move
no
ping
ping6
reload
show
start
support-assist-activity
system
terminal
traceroute
unlock
validate
write
ztd
management monitor no ntp nve openflow password-attributes policy-map qos-map radius-server parameters rest route-map router scale-profile sflow snmp-server spanning-tree support-assist system tacacs-server communication parameters track trust uplink-state-group username userrole virtual-network vlt-domain vrrp wred management interface commands Create a session for monitoring traffic To delete / disable commands in config mode Configure NTP Create a Network Virtualization Edge (NVE) instance Configure Ope
ip ipv6 iscsi lacp license link-bundle-utilization the bundle lldp load-balance logging login mac monitor network-policy ntp nve parser-tree policy-map port-channel processes qos queuing route-map running-configuration sessions sflow snmp spanning-tree startup-configuration storm-control support-assist switch-operating-mode system tech-support terminal trace track uplink-state-group uptime users and show the session id version virtual-network vlan vlt vrrp ztd-status show IP commands Display IPv6 neighbor
● Enter show system from EXEC mode to view the system status information. OS10# show system Node Id MAC Number of MACs Up Time : : : : 1 34:17:eb:f2:9a:c4 256 2 days 05:57:17 -- Unit 1 -Status System Identifier Down Reason Digital Optical Monitoring System Location LED Required Type Current Type Hardware Revision Software Version Physical Ports BIOS System CPLD Master CPLD Slave CPLD : : : : : : : : : : up 1 unknown disable off S4048 S4048 X01 10.4.3.0 48x10GbE, 6x40GbE : 3.21.0.
control-plane copy-file crypto diag diff discovered-expanders dot1x environment errdisable eula-consent evpn exec-timeout fcoe file fips hardware hash-algorithm hosts image interface inventory ip ipv6 iscsi lacp license link-bundle-utilization the bundle lldp load-balance logging login mac monitor network-policy ntp nve parser-tree policy-map port-channel processes qos queuing route-map running-configuration sessions sflow snmp spanning-tree startup-configuration storm-control support-assist switch-operatin
OS10 offers the show candidate-configuration compressed and show running-configuration compressed commands, which display interface-related configuration in a compressed manner. These commands group similar-looking configuration. The compression is done only for interface-related configuration (VLAN and physical interfaces).
interface breakout 1/1/6 map 40g-1x
interface breakout 1/1/7 map 40g-1x
interface breakout 1/1/8 map 40g-1x
interface breakout 1/1/9 map 40g-1x
interface breakout 1/1/10 map 40g-1x
interface breakout 1/1/11 map 40g-1x
interface breakout 1/1/12 map 40g-1x
interface breakout 1/1/13 map 40g-1x
interface breakout 1/1/14 map 40g-1x
interface breakout 1/1/15 map 40g-1x
interface breakout 1/1/16 map 40g-1x
interface breakout 1/1/17 map 40g-1x
interface breakout 1/1/18 map 40g-1x
interface breakout 1/1/19 map 40g-1
Lock configuration changes
OS10# lock
Unlock configuration changes
OS10# unlock
Change to transaction-based configuration mode
To change to Transaction-Based Configuration mode for a session, enter the start transaction command.
1. Change to Transaction-Based Configuration mode in EXEC mode.
start transaction
2. Enable, for example, an interface from INTERFACE mode.
interface ethernet 1/1/1
no shutdown
3. Save the configuration.
filepath} running-configuration
OS10# copy scp://root:calvin@10.11.63.120/tmp/qaz.txt running-configuration
Restore startup configuration
The startup configuration file, startup.xml, is stored in the config system folder. To create a backup version, copy the startup configuration to a remote server or the local config: or home: directories. To restore a backup configuration, copy a local or remote file to the startup configuration and reload the switch.
Type Boot Type Active Standby Next-Boot
-------------------------------------------------------------------
Node-id 1 Flash Boot [A] 10.2.9999E [B] 10.2.9999E [B] standby
Filter show commands
You can filter show command output to view specific information, or start the command output at the first instance of a regular expression or phrase.
display-xml   Displays in XML format.
---------------------------------------------------------------------------------
Eth 1/1/1 up 40G A 1
Eth 1/1/2 up 40G A 1
Eth 1/1/3 up 40G A 1
Eth 1/1/4 up 40G A 1
Eth 1/1/5 up 40G A 1
Eth 1/1/6 up 40G A 1
Eth 1/1/7 up 40G A 1
Eth 1/1/8 up 40G A 1
Eth 1/1/9 up 40G A 1
Eth 1/1/10 up 40G A 1
Eth 1/1/11 up 40G A 1
Eth 1/1/12 up 40G A 1
Eth 1/1/13 up 40G A 1
Eth 1/1/14 up 40G A 1
Eth 1/1/15 up 40G A 1
Eth 1/1/16 up 40G A 1
Eth 1/1/17 up 40G A 1
Eth 1/1/18 up 40G A 1
Eth 1/1/19 up 40G A 1
Eth 1/1/20 up 40G A 1
E
View alias information in detail. Displays the entire alias value.
!
interface ethernet1/1/1
no shutdown
switchport access vlan 1
View alias output for mTest with different values
OS10(config)# mTest ethernet 1/1/10
OS10(config)# interface ethernet 1/1/10
OS10(conf-if-eth1/1/10)# no shutdown
OS10(conf-if-eth1/1/10)# show configuration
!
interface ethernet1/1/10
no shutdown
switchport access vlan 1
Modify existing multi-line alias
OS10(config)# alias mTest
OS10(config-alias-mTest)# line 4 "exit"
View the commands saved in the multi-line alias
OS10(config-alias-mTest)# show
Number of config aliases : 1
Number of local aliases : 0
Delete alias
OS10(config)# no alias mTest
Batch mode
Create and run a batch file to execute a sequence of multiple commands. A batch file is an unformatted text file that contains two or more commands. Store the batch file in the home directory. Use vi or any other editor to create the batch file, then use the batch command to execute the file. To execute a series of commands in batch mode (non-interactive processing), use the batch command.
Build Time: 2019-02-18T17:06:10-0800
System Type: S4048-ON
Architecture: x86_64
Up Time: 2 days 05:58:01
User admin logged out at session 10
admin@OS10:/opt/dell/os10/bin$
● Use the -B option along with a batch file to execute a series of commands.
configure terminal
router bgp 100
neighbor 100.1.1.1
remote-as 104
no shutdown
Execute the batch file.
admin@OS10:/opt/dell/os10/bin$ clish -B ~/batch_cfg.txt
New user admin logged in at session 15
Verify the BGP configuration executed by the batch file.
○ no untagged
● Port-channel Interface mode:
○ channel-member
○ no channel-member
● Enable the feature to configure commands in an OS9 environment in CONFIGURATION mode.
OS10(config)# feature config-os9-style
OS10(config)# exit
OS10# show running-configuration compressed
interface breakout 1/1/28 map 10g-4x
feature config-os9-style
● After you enable this feature, you can use the OS9 format of commands only in the new session. This configuration does not take effect in the current session.
Eth 1/1/9 up 40G A 1
Eth 1/1/10 up 40G A 1
Eth 1/1/11 up 40G A 1
Eth 1/1/12 up 40G A 1
Eth 1/1/13 up 40G A 1
Eth 1/1/14 up 40G A 1
Eth 1/1/15 up 40G A 1
Eth 1/1/16 up 40G A 1
Eth 1/1/17 up 40G A 1
Eth 1/1/18 up 40G A 1
Eth 1/1/19 up 40G A 1
Eth 1/1/20 up 40G A 1
Eth 1/1/21 up 40G A 1
Eth 1/1/22 up 40G A 1
Eth 1/1/23 up 40G A 1
Eth 1/1/24 up 40G A 1
Eth 1/1/25 up 40G A 1
Eth 1/1/26 up 40G A 1
Eth 1/1/27 up 40G A 1
Eth 1/1/28 up 40G A 1
Eth 1/1/29 up 40G A 1
Eth 1/1/30 up 40G A 1
Eth 1/1/31 up 40G A 1
Eth 1/1
batch
Executes a series of commands in a file in batch, non-interactive, processing.
Syntax batch /home/username/filename
Parameters
● username — Enter the user name that was used to copy the command file.
● filename — Enter the name of a batch command file.
Default Not configured
Command Mode EXEC
Usage Information Use this command to create a batch command file on a remote machine. Copy the command file to the home directory on your switch. This command executes commands in batch mode.
Example
OS10# commit
Example (configuration)
OS10(config)# do commit
Supported Releases 10.2.0E or later
configure
Enters CONFIGURATION mode from EXEC mode.
Syntax configure {terminal}
Parameters terminal — Enters CONFIGURATION mode from EXEC mode.
Default Not configured
Command Mode EXEC
Usage Information Enter conf t for auto-completion.
Example
OS10# configure terminal
OS10(config)#
Supported Releases 10.2.
CAUTION: Dell EMC Networking recommends that you avoid using a copy command to download an OS10 image to the switch. The downloaded image occupies a large amount of disk space. Use the image download command to download an OS10 image. When using the scp and sftp options, always enter an absolute file path instead of a path relative to the home directory of the user account; for example, enter: copy config://startup.xml scp://dellos10:password@10.1.1.1/home/dellos10/ backup.
Default Not configured
Command Mode ALIAS
Usage Information To use special characters in the input parameter value, enclose the string in double quotes. The no version of this command removes the default value.
Example
OS10(config)# alias mTest
OS10(config-alias-mTest)# default 1 "ethernet 1/1/1"
Supported Releases 10.4.0E(R1) or later
delete
Removes or deletes the startup configuration file.
Command Mode ALIAS
Usage Information
● To use special characters as a part of the description string, enclose the string in double quotes.
● Spaces between characters are not preserved after entering this command unless you enclose the entire description in quotation marks, for example, “text description.”
● Enter a text string after the description command to overwrite any previous text strings that you configured as the description.
● The no version of this command removes the description.
Usage Information None
Example
OS10# discard
Supported Releases 10.2.0E or later
do
Executes most commands from all CONFIGURATION modes without returning to EXEC mode.
Syntax do command
Parameters command — Enter an EXEC-level command.
Default Not configured
Command Mode INTERFACE
Usage Information None
Example
OS10(config)# interface ethernet 1/1/7
OS10(conf-if-eth1/1/7)# no shutdown
OS10(conf-if-eth1/1/7)# do show running-configuration
...
Supported Releases
exit
Returns to the next higher command mode.
Syntax exit
Parameters None
Default Not configured
Command Mode All
Usage Information None
Example
OS10(conf-if-eth1/1/1)# exit
OS10(config)#
Supported Releases 10.2.0E or later
hostname
Sets the system host name.
Syntax hostname name
Parameters name — Enter the host name of the switch, up to 64 characters.
Default OS10
Command Mode CONFIGURATION
Usage Information The host name is used in the OS10 command-line prompt.
Command Mode EXEC
Usage Information Use this command to install the Enterprise Edition license file. For more information, see Download OS10 image and license. OS10 requires a perpetual license to run beyond the 120-day trial period. The license file is installed in the /mnt/license directory.
Example
OS10# license install scp://user:userpwd/10.1.1.10/CFNNX42-NOSEnterpriseLicense.lic
License installation success.
Supported Releases 10.3.
management route
Configures an IPv4/IPv6 static route the Management port uses. Repeat the command to configure multiple management routes.
Syntax management route {ipv4-address/mask | ipv6-address/prefix-length} {forwarding-router-address | managementethernet}
Parameters
● ipv4-address/mask — Enter an IPv4 network address in dotted-decimal format (A.B.C.D), then a subnet mask in prefix-length format (/xx).
no
Disables or deletes commands in EXEC mode.
Syntax no [alias | debug | support-assist-activity | terminal]
Parameters
● alias — Remove an alias definition.
● debug — Disable debugging.
● support-assist-activity — SupportAssist-related activity.
● terminal — Reset terminal settings.
Default Not configured
Command Mode EXEC
Usage Information Use this command in EXEC mode to disable or remove a configuration. Use the no ? in CONFIGURATION mode to view available commands.
Example
Supported Releases
govlt Config
goint Config
mTest Config
shconfig Local
showint Local
shver Local
Number of config aliases : 3
Number of local aliases : 3
Example (brief — displays the first 10 characters of the alias value)
OS10# show alias brief
Name        Type      Value
----        ----      -----
govlt       Config    "vlt-domain..."
goint       Config    "interface ..."
mTest       Config    line 1 "interface ..."
                      line 2 "no shutdow..."
                      line 3 "show confi..."
                      default 1 "ethernet"
                      default 2 "1/1/1"
shconfig    Local     "show runni..."
showint     Local     "show inter...
shver       Local
---------------------------------------------------------------------------------Node-id 1 Flash Boot [A] 10.4.3E [B] 10.4.3E [A] activ Example (detail) Supported Releases OS10# show boot detail Current system image information detail: ========================================== Type: Node-id 1 Boot Type: Flash Boot Active Partition: A Active SW Version: 10.4.3E Active SW Build Version: 10.4.3E.85 Active Kernel Version: Linux 4.9.
● ● ● ● ● support-assist — (Optional) Current candidate support-assist configuration. system-qos — (Optional) Current candidate system-qos configuration. trust-map — (Optional) Current candidate trust-map configuration. users — (Optional) Current candidate users configuration. vlt — (Optional) Current candidate VLT domain configuration. Default Not configured Command Mode EXEC Usage Information None Example Example (compressed) 72 OS10# show candidate-configuration ! Version 10.2.
ipv6 address autoconfig ! support-assist ! policy-map type application policy-iscsi ! class-map type application class-iscsi Supported Releases 10.2.0E or later show environment Displays information about environmental system components, such as temperature, fan, and voltage.
Software version Product Base Product Serial Number Product Part Number : 10.4.3.
Example
OS10# show ipv6 management-route
Destination      Gateway                  State
-----------      -------                  -----
2001:34::0/64    ManagementEthernet 1/1   Connected
2001:68::0/64    2001:34::16              Active
Supported Releases 10.2.2E or later

show license status
Displays license status information.
● as-path — (Optional) Current operating as-path configuration.
● bgp — (Optional) Current operating BGP configuration.
● class-map — (Optional) Current operating class-map configuration.
● community-list — (Optional) Current operating community-list configuration.
● compressed — (Optional) Current operating configuration in compressed format.
● control-plane — (Optional) Current operating control-plane configuration.
interface ethernet1/1/4
switchport access vlan 1
no shutdown
!
interface ethernet1/1/5
switchport access vlan 1
no shutdown
!
interface ethernet1/1/6
switchport access vlan 1
no shutdown
--more--
Example (compressed)
OS10# show running-configuration compressed
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH.
aaa authentication local
snmp-server contact http://www.dell.
snmp-server location "United States" ip route 0.0.0.0/0 10.11.58.
Command Mode EXEC
Usage Information None
Example
OS10# show system
Node Id : 1
MAC : 34:17:eb:f2:9a:c4
Number of MACs : 256
Up Time : 2 days 05:57:17
-- Unit 1 --
Status : up
System Identifier : 1
Down Reason : unknown
Digital Optical Monitoring : disable
System Location LED : off
Required Type : S4048
Current Type : S4048
Hardware Revision : X01
Software Version : 10.4.3.0
Physical Ports : 48x10GbE, 6x40GbE
BIOS : 3.21.0.
System CPLD
Master CPLD
Slave CPLD
Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Example (brief) 1/1/20 1/1/21 1/1/22 1/1/23 1/1/24 1/1/25 1/1/26 1/1/27 1/1/28 1/1/29 1/1/30 1/1/31 1/1/32 1/1/33 1/1/34 1/1/35 1/1/36 1/1/37 1/1/38 1/1/39 1/1/40 1/1/41 1/1/42 1/1/43 1/1/44 1/1/45 1/1/46 1/1/47 1/1/48 1/1/49 1/1/50 1/1/51 1/1/52 1/1/53 1/1/54 No No No No No No No No No No No No No No No No No No No No No No No No No No No No No Yes Yes Yes Yes Yes Ye
show version
Displays software version information.
Syntax show version
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
TR2# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved.
OS Version: 10.4.3.0
Build Version: 10.4.3.85
Build Time: 2019-02-18T17:06:10-0800
System Type: S4048-ON
Architecture: x86_64
Up Time: 2 days 05:58:01
Supported Releases 10.2.
Example
OS10# system bash
admin@OS10:~$ pwd
/config/home/admin
admin@OS10:~$ exit
OS10#
Supported Releases 10.2.0E or later

system-cli disable
Disables system command.
Syntax system-cli disable
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command enables OS10 system command.
Example
OS10# configure terminal
OS10(config)# system-cli disable
Supported Releases 10.4.3.
Usage Information Enter zero (0) for the terminal to display without pausing.
Example
OS10# terminal monitor
Supported Releases 10.2.0E or later

traceroute
Displays the routes that packets take to travel to an IP address.
Syntax traceroute [vrf {management | vrf-name}] host [-46dFITnreAUDV] [-f first_ttl] [-g gate,...
Example
OS10# traceroute www.dell.com
traceroute to www.dell.com (23.73.112.54), 30 hops max, 60 byte packets
1 10.11.97.254 (10.11.97.254) 4.298 ms 4.417 ms 4.398 ms
2 10.11.3.254 (10.11.3.254) 2.121 ms 2.326 ms 2.550 ms
3 10.11.27.254 (10.11.27.254) 2.233 ms 2.207 ms 2.391 ms
4 Host65.hbms.com (63.80.56.65) 3.583 ms 3.776 ms 3.757 ms
5 host33.30.198.65 (65.198.30.33) 3.758 ms 4.286 ms 4.221 ms
6 3.GigabitEthernet3-3.GW3.SCL2.ALTER.NET (152.179.99.173) 4.428 ms 2.
Example (IPv6)
Supported Releases
2 System management
OS10 upgrade
Provides information to upgrade the OS10 software image, see Upgrade commands.
System banners
Provides information about how to configure a system login and message of the day (MOTD) text banners, see System banners.
User session management
Provides information about how to manage the active user sessions, see User session management.
Telnet server
Provides information about how to set up Telnet TCP/IP connections on the switch, see Telnet server.
6. (Optional) View the status of the current software install in EXEC mode. For the S5148F-ON platform, open a new SSH or Telnet session to check the status of the current software.
show image status
7. Change the next boot partition to the standby partition in EXEC mode. Use the active parameter to set the next boot partition from standby to active.
boot system standby
8. (Optional) Check whether the next boot partition has changed to standby in EXEC mode.
show boot detail
9.
Standby SW Version: 10.4.3E
Standby SW Build Version: 10.4.3E.80
Standby Build Date/Time: 2019-02-17T15:36:08Z
Next-Boot: active[A]
View boot summary
OS10# show boot
Current system image information:
===================================
Type       Boot Type   Active       Standby      Next-Boot
-----------------------------------------------------------------------------------
Node-id 1  Flash Boot  [A] 10.4.3E  [B] 10.4.3E  [A] active

Upgrade commands
boot system
Sets the boot partition to use during the next reboot.
image copy
Copies the entire image in the active partition to the standby partition, a mirror image.
Syntax image copy active-to-standby
Parameters active-to-standby — Enter to copy the entire image in the active partition to the standby partition, a mirror image.
Default Not configured
Command Mode EXEC
Usage Information Duplicate the active, running software image to the standby image location.
Example
OS10# image copy active-to-standby
Supported Releases 10.2.
Supported Releases 10.2.0E or later

image install
Installs a new image from a previously downloaded file or from a remote location.
Syntax image install file-url
Parameters
● file-url — Location of the image file:
○ ftp://userid:passwd@hostip:/filepath — Enter the path to install from a remote FTP server.
○ http[s]://hostip:/filepath — Enter the path to install from the remote HTTP or HTTPS server.
○ scp://userid:passwd@hostip:/filepath — Enter the path to install from a remote SCP file system.
==========================================
Type: Node-id 1
Boot Type: Flash Boot
Active Partition: A
Active SW Version: 10.4.3E
Active SW Build Version: 10.4.3E.85
Active Kernel Version: Linux 4.9.110
Active Build Date/Time: 2019-02-18T09:06:10Z
Standby Partition: B
Standby SW Version: 10.4.3E
Standby SW Build Version: 10.4.3E.80
Standby Build Date/Time: 2019-02-17T15:36:08Z
Next-Boot: active[A]
Supported Releases 10.2.0E or later

show image status
Displays image transfer and installation information.
Example
TR2# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved.
OS Version: 10.4.3.0
Build Version: 10.4.3.85
Build Time: 2019-02-18T17:06:10-0800
System Type: S4048-ON
Architecture: x86_64
Up Time: 2 days 05:58:01
Supported Releases 10.2.0E or later

System banners
You can configure a system login and message of the day (MOTD) text banners. The system login banner displays before you log in.
Have a nice day!
%
To delete a MOTD banner and reset it to the Dell EMC default MOTD banner, enter the no banner motd command. To disable MOTD banner display after login, enter the banner motd disable command.

System banner commands
banner login
Configures a login banner that displays before you log in to the system.
Syntax banner login delimiter banner-text banner-text ...
by entering a line that contains only the delimiter character. Starting and ending double-quotes are not necessary.
● To delete a login banner and reset it to the Dell EMC default banner, enter the no banner motd command. To disable banner display before login, enter the banner motd disable command.
Example
OS10(config)# banner motd %
DellEMC S4148U-ON
Today's tip: Press tab or spacebar for command completion.
Have a nice day!
%
Supported releases 10.4.1.
Usage Information The no version of this command disables the timeout.
Example
OS10(config)# exec-timeout 300
OS10(config)#
Supported Releases 10.3.1E or later

kill-session
Terminate a user session.
Syntax kill-session session-ID
Parameters session-ID — Enter the user session ID.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# kill-session 3
Supported Releases 10.3.1E or later

show sessions
Displays the active management sessions.
When you enable the Telnet server, connect to the switch using the IP address configured on the management or any front-panel port. The Telnet server configuration is persistent and is maintained after you reload the switch. To verify the Telnet server configuration, enter the show running-configuration command.
Example
OS10(config)# ip telnet server vrf management
OS10(config)# ip telnet server vrf vrf-blue
Supported Releases 10.4.0E(R1) or later

Simple Network Management Protocol
Network management stations use simple network management protocol (SNMP) to retrieve and modify software configurations for managed objects on an agent in network devices. A managed object is a datum of management information.
Table 1. Standards MIBs (continued)
Module                     Standard
SFLOW-MIB                  RFC 3176
SNMP-FRAMEWORK-MIB         RFC 3411
SNMP-MPD-MIB               RFC 3412
SNMP-TARGET-MIB            RFC 3413
SNMP-USER-BASED-SM-MIB     RFC 3414
SNMP-VIEW-BASED-ACM-MIB    RFC 3415
SNMPv2-MIB                 RFC 3418
TCP-MIB                    RFC 4022
UDP-MIB                    RFC 4113
Dell EMC Enterprise MIBs: Table 2.
When you configure an SNMPv3 user, you can specify that a localized authentication and/or privacy key be generated. The localized password keys are generated using the engine ID of the switch. A localized key is more complex and provides greater privacy protection. The engine ID used to generate the password keys is unique to the switch. For this reason, you cannot copy and use localized SNMP security passwords on another switch.
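Why a localized key cannot be reused on another switch, shown as an added example that is not OS10 code: it implements the standard SNMPv3 password-to-key and key-localization steps from RFC 3414, on the assumption that OS10 follows that RFC. The function names, the sample password and the second engine ID are constructed for illustration; the first engine ID is the one used in this guide's example.

```python
import hashlib

# RFC 3414 A.2: hash the first 1,048,576 octets of the endlessly repeated password.
EXPANDED_LEN = 1048576
# "md5" and "sha" are the auth options named in this guide; "sha" means SHA-1 here.
HASHLIB_NAME = {"md5": "md5", "sha": "sha1"}


def _digest(algo, data):
    return hashlib.new(HASHLIB_NAME[algo], data).digest()


def parse_engine_id(text):
    """Accept '80:00:02:b8:...' or '0xabeecc' style engine IDs and return raw bytes."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = cleaned.replace(":", "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError("engine ID must be a non-empty, even-length hex string")
    return bytes.fromhex(cleaned)


def password_to_key(password, algo):
    """Step 1: derive the user key Ku from the password alone (same on every device)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    repeats = EXPANDED_LEN // len(pw) + 1
    stream = (pw * repeats)[:EXPANDED_LEN]
    return _digest(algo, stream)


def localized_key(password, engine_id_text, algo="sha"):
    """Step 2: bind Ku to one agent: Kul = H(Ku || engineID || Ku)."""
    ku = password_to_key(password, algo)
    engine_id = parse_engine_id(engine_id_text)
    return _digest(algo, ku + engine_id + ku)


def compare_switches(password, engine_a, engine_b, algo="sha"):
    """Return the localized keys two agents derive from the same password."""
    return localized_key(password, engine_a, algo), localized_key(password, engine_b, algo)


if __name__ == "__main__":
    page_engine = "80:00:02:b8:04:61:62:63"   # engine ID from this guide's example
    other_engine = "80:00:02:b8:04:64:65:66"  # constructed second switch
    key_a, key_b = compare_switches("constructed-passphrase", page_engine, other_engine)
    print("switch A:", key_a.hex())
    print("switch B:", key_b.hex())
    print("same password, same key?", key_a == key_b)
```

Because the engine ID is mixed into the final hash, a localized key captured from one switch's configuration does not authenticate to an agent with a different engine ID, and changing the local engine ID invalidates keys already localized to the old one.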
Generate SNMPv3 localized keys
OS10(config)# snmp-server engineID local 80:00:02:b8:04:61:62:63
OS10(config)# snmp-server engineID remote 1.1.1.2 udp-port 432 0xabeecc
Display localized keys
OS10# show snmp-server engineID local
Local default SNMP engineID: 80:00:02:b8:04:61:62:63

Configure SNMP views
Configure a read-only, read-write, or notify view of the MIB tree structure in the SNMP agent on the switch. The oid-tree value specifies the OID in the MIB tree hierarchy at which a view starts.
Configure SNMPv3 group
OS10(config)# snmp-server group v3group 3 priv read readview write writeview notify alltraps
Display SNMP groups
OS10# show snmp-server group
groupname : v2group
version : 2c
notifyview : GetsSets
readview : readview

groupname : v3group
version : 3
security level : priv
notifyview : alltraps
readview : readview
writeview : writeview

Configure SNMP users
Configure user access to the SNMP agent on the switch using group membership.
Authentication Protocol : MD5
Privacy Protocol : AES

SNMP commands
SNMP traps: Enable SNMP notifications to send to network management host devices.

show snmp community
Displays the SNMP communities configured on the switch.
Syntax show snmp community
Parameters None
Defaults None
Command Mode EXEC
Usage Information To configure an SNMP community, use the snmp-server community command.
show snmp group Displays the SNMP groups configured on the switch, including SNMP views and security models. Syntax show snmp group Parameters None Defaults None Command Mode EXEC Usage Information To configure an SNMP group, use the snmp-server group command.
Usage Information Use the show snmp view command to verify the OID starting point for SNMP views in MIB trees. To configure an SNMP view, use the snmp-server view command.
Example
OS10# show snmp view
view name : readview
OID : 1.3.6.5
excluded : True
Supported Releases 10.4.2.0 or later

snmp-server community
Configures an SNMP user community.
snmp-server enable traps Enables SNMP traps on a switch. Syntax snmp-server enable traps [notification-type] [notification-option] Parameters ● notification-type notification-option — Enter an SNMP notification type, and optionally, a notification option for the type. Table 3. Notification types and options Notification type Notification option entity — Enable entity change traps. None envmon — Enable SNMP environmental monitor traps. ○ fan — Enable fan traps.
● remote-engineID — Enter the engine ID that identifies the SNMP agent on a remote device (0x followed by a hexadecimal string).
Defaults The local engine ID is generated using the MAC address of the management Ethernet interface.
Command Mode CONFIGURATION
Usage Information The local engine ID is used to generate the localized keys for the authentication and privilege passwords. These passwords authenticate SNMP users and encrypt SNMP messages.
notification access to the SNMP agent. To configure an SNMPv3 user's authentication and privacy settings, use the snmp-server user command. Enter an access acl-name value to limit access to the SNMP agent on the switch to only ACL-allowed users. A read-view provides read-only access to the SNMP agent. A read-write view allows read-write access. A notify-view allows SNMP notifications to be sent to group members. The no snmp-server group group-name command deletes an SNMP group.
An SNMP host does not acknowledge the trap messages and notifications received from the SNMP agent. SNMP hosts send an acknowledgement when receiving informs. The no version of this command disables the local agent from sending SNMP traps, informs, or notifications to a host receiver.
Example — Send SNMP traps to host
OS10(config)# snmp-server host 1.1.1.1 traps version 3 priv user01 udp-port 32 entity lldp
Example — Send SNMP informs to host
OS10(config)# snmp-server host 1.1.1.
○ md5 — Generate an authentication key using the MD5 algorithm.
○ sha — Generate an authentication key using the SHA algorithm.
○ auth-password — Enter a text string used to generate the authentication key that identifies the user (32 alphanumeric characters maximum). For an encrypted password, you can enter the encrypted string instead of plain text.
● priv — (SNMPv3 only) Configure encryption for SNMPv3 messages sent to the user:
○ aes — Encrypt messages using AES 128-bit algorithm.
Parameters ● view-name — Enter the name of a read-only, read-write, or notify view. A maximum of 32 characters. ● oid-tree — Enter the SNMP object ID at which the view starts in 12-octet dotted-decimal format. ● included — (Optional) Include the MIB family in the view. ● excluded — (Optional) Exclude the MIB family from the view. Defaults Not configured Command Mode CONFIGURATION Usage Information The oid-tree value specifies the OID in the MIB tree hierarchy at which a view starts.
Enter Minutes offset from UTC, ranging from 0 to 59.
Set time and date
OS10# clock set 13:00:00 2018-08-30
View system time and date
OS10# show clock
2018-08-30T13:01:01.45+00:00
Set time zone
OS10(config)# clock timezone IST 5 30
View system time and date with time zone configured
OS10# show clock
2018-08-30T13:01:01.57+05:30

System Clock commands
clock set
Sets the system time.
Usage Information Universal time coordinated (UTC) is the time standard based on Greenwich Mean time. To set the time zone for the system clock, enter the difference of hours between UTC and your time zone.
Example
OS10(config)# clock timezone IST 5 30
Supported Releases 10.3.0E or later

show clock
Displays the current system clock settings.
NOTE: OS10 supports both NTP server and client roles. Enable NTP NTP is disabled by default. To enable NTP, configure an NTP server where the system synchronizes. To configure multiple servers, enter the command multiple times. Multiple servers may impact CPU resources. ● Enter the IP address of the NTP server where the system synchronizes in CONFIGURATION mode.
Broadcasts Receive broadcasts of time information and set interfaces within the system to receive NTP information through broadcast. NTP is enabled on all active interfaces by default. If you disable NTP on an interface, the system drops any NTP packets sent to that interface. 1. Set the interface to receive NTP packets in INTERFACE mode. ntp broadcast client 2. Disable NTP on the interface in INTERFACE mode.
● The number must match in the ntp trusted-key command. ● The key is an encrypted string. 3. Define a trusted key in CONFIGURATION mode, from 1 to 4294967295. This number must match the number in the ntp trusted-key command. ntp trusted-key number 4. Configure an NTP server in CONFIGURATION mode. ntp server {hostname | ipv4-address | ipv6-address} [key keyid] [prefer] ● hostname — Enter the keyword to see the IP address or host name of the remote device. ● ipv4-address — Enter an IPv4 address in A.B.C.
Figure 1. Sample NTP configuration To create this sample NTP configuration, perform the following steps: 1. Configure the NTP server using the following steps: a. Create a non-default VRF instance and assign an interface to that VRF.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip vrf forwarding red
OS10(conf-if-eth1/1/1)# ip address 10.0.0.2/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)#
b. Configure NTP server IP in NTP client.
OS10(config)# ntp server 10.0.0.1
OS10(config)# do show running-configuration ntp
ntp server 10.0.0.1
OS10(config)#
c. Configure NTP in red VRF instance.
system peer mode: client
leap indicator: 00
stratum: 11
log2 precision: -24
root delay: 0.991
root dispersion: 1015.099
reference ID: 10.0.0.1
reference time: dbc7b087.5d47aaa6 Sat, Nov 5 2016 1:12:39.364
system jitter: 0.000000
clock jitter: 0.462
clock wander: 0.003
broadcast delay: -50.000
symm. auth. delay: 0.000
OS10#
5. Verify NTP server (10.0.0.1) is connected to NTP master(11.0.0.2) running in red VRF.
ntp authenticate-key
Configures the authentication key for trusted time sources.
Syntax ntp authenticate-key number md5 [0 | 7] key
Parameters
● number — Enter the authentication key number, from 1 to 4294967295.
Default 0
Command Mode CONFIGURATION
Usage Information The authentication number must be the same as the number parameter configured in the ntp trusted-key command. Use the ntp authenticate command to enable NTP authentication.
Example
Supported Releases
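How the key number and md5 key from ntp authenticate-key are used on the wire, as an added example that is not OS10 code: NTP symmetric-key authentication (RFC 5905) appends a 4-byte key ID and MD5(key || header) to each packet, and the receiver accepts it only if that key ID is both configured and trusted. The function names, key values and key tables below are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header length (RFC 5905)
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest


def build_client_header(transmit_ts=0):
    """Minimal 48-byte NTPv4 client request: LI=0, VN=4, Mode=3 -> first byte 0x23."""
    return bytes([0x23]) + bytes(39) + struct.pack("!Q", transmit_ts)


def add_mac(header, key_id, key):
    """Sender side: append key ID and MD5(key || header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def check_packet(packet, configured_keys, trusted_ids):
    """Receiver side: return a verdict string for one received packet.

    configured_keys models 'ntp authenticate-key number md5 key' entries,
    trusted_ids models 'ntp trusted-key number' entries.
    """
    if len(packet) == NTP_HEADER_LEN:
        return "unauthenticated"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "malformed"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in configured_keys:
        return "unknown-key"
    if key_id not in trusted_ids:
        return "untrusted-key"
    expected = hashlib.md5(configured_keys[key_id] + header).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(expected, mac[4:]):
        return "bad-digest"
    return "ok"


def run_scenarios():
    """Constructed scenarios covering the mismatches the guide warns about."""
    server_keys = {345: b"constructed-secret", 900: b"another-secret"}
    trusted = {345}                       # key 900 is defined but not trusted
    hdr = build_client_header(transmit_ts=0x0123456789ABCDEF)

    good = add_mac(hdr, 345, b"constructed-secret")
    tampered = bytes([good[0] ^ 0x01]) + good[1:]   # header changed after signing
    return {
        "matching number and key": check_packet(good, server_keys, trusted),
        "wrong key text": check_packet(add_mac(hdr, 345, b"typo"), server_keys, trusted),
        "number not configured": check_packet(add_mac(hdr, 7, b"x"), server_keys, trusted),
        "number not trusted": check_packet(add_mac(hdr, 900, b"another-secret"), server_keys, trusted),
        "header tampered": check_packet(tampered, server_keys, trusted),
        "no MAC at all": check_packet(hdr, server_keys, trusted),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} -> {verdict}")
```

A packet with no MAC is reported separately because whether it is accepted depends on whether authentication is enforced with ntp authenticate.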
ntp enable vrf Enables NTP for the management or non-default VRF instance. Syntax ntp enable vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to enable NTP for the management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to enable NTP for that non-default VRF instance. Defaults Disabled Command Mode CONFIGURATION Usage Information The no version of this command disables NTP for the management VRF instance.
Example
OS10(config)# ntp server eureka.com
Supported Releases 10.2.0E or later

ntp source
Configures an interface IP address to include in NTP packets.
Syntax ntp source interface
Parameters interface — Set the interface type:
● ethernet node/slot/port[:subport] — Enter the Ethernet interface information.
● port-channel id-number — Enter the port-channel number, from 1 to 128.
● vlan vlan-id — Enter the VLAN number, from 1 to 4093.
Default Not configured Command Mode EXEC Usage Information ● (none) — One or more of the following symbols displays: ○ * — Synchronized to this peer. ○ # — Almost synchronized to this peer. ○ + — Peer was selected for possible synchronization. ○ - — Peer is a candidate for selection. ○ ~ — Peer is statically configured. ● remote — Remote IP address of the NTP peer. ● ref clock — IP address of the remote peer reference clock. ● st — Peer stratum, the number of hops away from the external time source.
precision: -22
root distance: 0.00000 s
root dispersion: 1.28647 s
reference ID: [73.78.73.84]
reference time: 00000000.00000000 Mon, Jan 1 1900 0:00:00.000
system flags: monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.
Figure 2. Client and Server Messaging DHCP server Network device offering configuration parameters to the client. DHCP client Network device requesting configuration parameters from the server. Relay agent Intermediary network device that passes DHCP messages between the client and the server when the server is not on the same subnet as the host. Packet format and options The DHCP server listens on port 67 and transmits to port 68. The DHCP client listens on port 68 and transmits to port 67.
DHCP Option Description ● 8 — DHCPINFORM Parameter request list 55 — Parameters the server requires for DHCP clients.
DHCP server automatic address allocation
OS10(config)# ip dhcp server
OS10(config-dhcp)# pool Dell
OS10(config-dhcp-Dell)# default-router 20.1.1.1
OS10(config-dhcp-Dell)# network 20.1.1.0/24
OS10(config-dhcp-Dell)# range 20.1.1.2 20.1.1.8
Show running configuration
OS10(conf-dhcp-Dell)# do show running-configuration
...
!
ip dhcp server
!
pool Dell
network 20.1.1.0/24
default-router 20.1.1.1
range 20.1.1.2 20.1.1.
Hostname resolution
You have two choices for hostname resolution — domain name server (DNS) or NetBIOS Windows internet naming service (WINS). Both DHCP and WINS clients query IP servers to compare host names to IP addresses.
1. Enable DHCP server-assigned dynamic addresses on an interface in DHCP mode.
ip dhcp server
2. Create an IP address pool and enter the name in DHCP mode.
pool name
3. Create a domain and enter the domain name in DHCP mode.
domain-name name
4.
1. Create an address pool in DHCP mode.
pool name
2. Enter the client IP address in DHCP mode.
host address
3. Enter the client hardware address in DHCP mode.
hardware-address hardware-address
Configure manual binding
OS10(config)# ip dhcp server
OS10(conf-dhcp)# pool static
OS10(conf-dhcp-static)# host 20.1.1.
1. Enter the INTERFACE CONFIGURATION mode corresponding to the interface on which you want to configure a DHCP client. CONFIGURATION OS10(config)#interface interface-name interface 2/1/1 2. Assign the interface to the non-default VRF instance. INTERFACE CONFIGURATION OS10(config-inf)#ip vrf forwarding vrf-name ip vrf forwarding vrf-test 3. Configure the DHCP client on the interface that you have assigned to the non-default VRF instance.
Configuring a DHCP relay agent on a non-default VRF instance
To configure DHCP relay agent on an interface corresponding to a non-default VRF instance:
1. Enter the INTERFACE CONFIGURATION mode.
CONFIGURATION OS10(config)#interface interface-name interface 2/1/1
2. Configure the DHCP relay agent on the interface that is part of the non-default VRF instance. Specify the name of the non-default VRF instance on which you want to run the relay agent.
2. Add names to complete unqualified host names corresponding to a non-default VRF instance. ip domain-list vrf vrf-name name Configure local system domain name and list OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# OS10(config)# ip ip ip ip ip ip domain-name domain-list domain-list domain-list domain-list domain-list ntengg.
disable
Disables the DHCP server.
Syntax disable
Parameters None
Default Disabled
Command Mode DHCP
Usage Information The no version of this command enables the DHCP server.
Example
OS10(conf-dhcp)# no disable
Supported Releases 10.2.0E or later

dns-server address
Assigns a DNS server to clients based on the address pool.
Syntax dns-server address [address2...address8]
Parameters
● address — Enter the DNS server IP address that services clients on the subnet in A.B.C.D or A::B format.
hardware-address
Configures the client hardware address for manual configurations.
Syntax hardware-address nn:nn:nn:nn:nn:nn
Parameters nn:nn:nn:nn:nn:nn — Enter the 48-bit hardware address.
Default Not configured
Command Mode DHCP-POOL
Usage Information The client hardware address is the MAC address of the client machine to which to lease a static IP address from.
Example
OS10(conf-dhcp-static)# hardware-address 00:01:e8:8c:4d:0a
Supported Releases 10.2.
ip helper-address Configure the DHCP server address. Forwards UDP broadcasts received on an interface to the DHCP server. You can configure multiple helper addresses per interface by repeating the same command for each DHCP server address. Syntax ip helper-address address [vrf vrf-name] Parameters ● address — Enter the IPv4 address to forward UDP broadcasts to the DHCP server in A.B.C.D format. ● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF through which the host address is reached.
Command Mode DHCP-POOL
Usage Information The no version of this command removes the lease configuration.
Example
OS10(conf-dhcp-Dell)# lease 2 5 10
Example (Infinite)
OS10(conf-dhcp-Dell)# lease infinite
Supported Releases 10.2.0E or later

netbios-name-server address
Configures a NetBIOS WINS server which is available to DHCP clients.
Syntax netbios-name-server ip-address [address2...address8]
Parameters ip-address — Enter the address of the NetBIOS WINS server. address2...
network
Configures a range of IPv4 or IPv6 addresses in the address pool.
Syntax network address/mask
Parameters address/mask — Enter a range of IP addresses and subnet mask in A.B.C.D/x or A::B/x format.
Default Not configured
Command Mode DHCP-POOL
Usage Information Use this command to configure a range of IPv4 or IPv6 addresses.
Example
OS10(config-dhcp-Dell)# network 20.1.1.1/24
Supported Releases 10.2.0E or later

pool
Creates an IP address pool name.
Supported Releases 10.4.1 or later show ip dhcp binding Displays the DHCP binding table with IPv4 addresses. Syntax show ip dhcp binding Parameters None Default Not configured Command Mode EXEC Usage Information Use this command to view the DHCP binding table. Example OS10# show ip dhcp binding IP Address Hardware address Lease expiration Hostname +----------------------------------------------------11.1.1.
Parameters
● vrf vrf-name — (Optional) Enter vrf and then the name of the VRF to configure the domain corresponding to that VRF.
● server-name — (Optional) Enter the server name the default domain uses.
Default Not configured
Command Mode CONFIGURATION
Usage Information This domain appends to incomplete DNS requests. The no version of this command returns the value to the default.
Example
OS10(config)# ip domain-name jay dell.com
Supported Releases 10.2.
show hosts
Displays the host table and DNS configuration.
Syntax show hosts [vrf vrf-name]
Parameters vrf vrf-name — Enter vrf then the name of the VRF to display DNS host information corresponding to that VRF.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show hosts
Default Domain Name : dell.com
Domain List : abc.com
Name Servers : 1.1.1.
Supported Releases
3 Interfaces You can configure and monitor physical interfaces (Ethernet), port-channels, and virtual local area networks (VLANs) in Layer 2 (L2) or Layer 3 (L3) modes. Table 4.
Figure 4. S4148U-ON unified port groups To enable Ethernet interfaces in a unified port group: 1. Configure a unified port group in CONFIGURATION mode. Enter 1/1 for node/slot. The port-group range depends on the switch. port-group node/slot/port-group 2. Activate the unified port group for Ethernet operation in PORT-GROUP mode. To activate a unified port group in Fibre Channel mode, see Fibre Channel interfaces. The available options depend on the switch.
NOTE: The configuration steps to enable Ethernet interfaces on a Z9264F-ON port group are different than that of the S4100-ON series. Follow the procedure described in this section to configure breakout interfaces on a Z9264F-ON switch. Each pair of odd and even numbered ports is configured as a port group. For example: hybrid-group port-group1/1/1 profile restricted port-group1/1/2 restricted port-group1/1/3 restricted . . .
Configure restricted port-group profile
OS10(config)# port-group 1/1/2
OS10(conf-pg-1/1/2)# profile restricted
OS10(conf-pg-1/1/2)# port 1/1/3 mode Eth 25g-4x
OS10(conf-pg-1/1/2)# exit
OS10(config)# interface ethernet 1/1/3:2
OS10(conf-if-eth1/1/3:2)#
View the interface
OS10(config)# interface ethernet 1/1/3:2
OS10(conf-if-eth1/1/3:2)# show configuration
!
interface ethernet1/1/3:2
no shutdown

L2 mode configuration
Each physical Ethernet interface uses a unique MAC address.
1. Remove a port from L2 switching in INTERFACE mode.
no switchport
2. Configure L3 routing in INTERFACE mode. Add secondary to configure backup IP addresses.
ip address address [secondary]
3. Enable the interface for L3 traffic transmission in INTERFACE mode.
no shutdown
L3 interface configuration
OS10(config)# interface ethernet 1/1/9
OS10(conf-if-eth1/1/9)# no switchport
OS10(conf-if-eth1/1/9)# ip address 10.10.1.
OS10(conf-if-eth1/1/9)#
● 32g-4x — Split a unified port group into four 32 GFC interfaces. Each 4x-32GE breakout interface has a rate limit of 25G. 3. Return to CONFIGURATION mode. exit 4. Enter FC Interface mode to enable data transmission. Enter a single interface, a hyphen-separated range, or multiple interfaces separated by commas. interface fibrechannel node/slot/port[:subport] 5. (Optional) Reconfigure the interface speed in INTERFACE mode. speed {8 | 16 | 32 | auto} 6. Apply vfabric configuration on the interface.
Management interface The Management interface provides OOB management access to the network device. You can configure the Management interface, but the configuration options on this interface are limited. You cannot configure gateway addresses and IP addresses if it appears in the main routing table. Proxy ARP is not supported on this interface. 1. Configure the Management interface in CONFIGURATION mode. interface mgmt 1/1/1 2. By default, DHCP client is enabled on the Management interface.
Reconfigure default VLAN
OS10# show vlan
Q: A - Access (Untagged), T - Tagged
    NUM   Status   Description   Q Ports
*   1     up                     A Eth1/1/1-1/1/25,1/1/29,1/1/31-1/1/54
OS10(config)# interface vlan 10
Sep 19 17:28:10 OS10 dn_ifm[932]: Node.1-Unit.1:PRI:notice [os10:notify], %Dell EMC (OS10) %IFM_ASTATE_UP: Interface admin state up :vlan10
OS10(conf-if-vl-10)# exit
OS10(config)# default vlan-id 10
Sep 19 17:28:15 OS10 dn_ifm[932]: Node.1-Unit.
● Enter the Loopback interface number to view the configuration in EXEC mode. show interface loopback number ● Enter the Loopback interface number to delete a Loopback interface in CONFIGURATION mode. no interface loopback number View Loopback interface OS10# show interface loopback 4 Loopback 4 is up, line protocol is up Hardware is unknown. Interface index is 102863300 Internet address is 120.120.120.
Create port-channel OS10(config)# interface port-channel 10 Add port member When you add an interface to a port-channel: ● The administrative status applies to the port-channel. ● The port-channel configuration is applied to the member interfaces. ● A port-channel operates in either L2 (default) or L3 mode. To place a port-channel in L2 mode, use the switchport mode command. To place a port-channel in L3 mode and remove L2 configuration before you configure an IP address, use the no switchport command.
For the port channel to go down operationally on both sides when the minimum links criterion is not met, you must configure minimum links on both sides of the port channel. Enter the number of links in a LAG that must be in oper up status in PORT-CHANNEL mode, from 1 to 32, default 1.
● Select one or more methods of load balancing and replace the default IP 4-tuple method of balancing traffic over a port-channel in CONFIGURATION mode.
OS10(config)# load-balancing
ingress-port         Ingress port configurations
tcp-udp-selection    TCP-UDP port for load-balancing configurations
ip-selection         IPV4 load-balancing configurations
ipv6-selection       IPV6 load-balancing configurations
mac-selection        MAC load-balancing configurations
○ ingress-port [enable] — Enables the ingress port configuration.
View the configuration
OS10(conf-range-eth1/1/1-1/1/5)# show configuration
!
interface ethernet1/1/1
 no shutdown
 switchport access vlan 1
!
interface ethernet1/1/2
 no shutdown
 switchport access vlan 1
!
interface ethernet1/1/3
 no shutdown
 switchport access vlan 1
!
interface ethernet1/1/4
 no shutdown
 switchport access vlan 1
!
interface ethernet1/1/5
 no shutdown
 switchport access vlan 1
Configure range of VLANs
OS10(config)# interface range vlan 1-100
OS10(conf-range-vl-1-100)#
Configure range of port chann
NOTE: After you change the switch-port profile, do not immediately back up and restore the startup file without using the write memory command and reloading the switch using the reload command. Otherwise, the new profile does not take effect.
1GE mode: 1GE is supported only on SFP+ ports; 1GE is not supported on QSFP+ and QSFP28 ports 25-26. Breakout interfaces: Use the interface breakout command in Configuration mode to configure 4x10G, 4x25G, and 2x50G breakout interfaces. To view the ports that belong to each port group, use the show port-group command. S4148U-ON port profiles S4148U-ON port profiles determine the available front-panel unified and Ethernet ports and supported breakout interfaces.
● QSFP28 ports in 2x16GFC mode support 32GFC oversubscription. SFP+ port groups in 2x16GFC mode do not support 32GFC oversubscription. 2x16GFC mode activates subports 1 and 3.
● QSFP28 ports in 4x16GFC mode support 32GFC oversubscription.
Breakout interfaces:
● To configure breakout interfaces on a unified port, use the mode {FC | Eth} command in Port-Group Configuration mode. The mode {FC | Eth} command configures a unified port to operate at line rate and guarantees no traffic loss.
RJ-45 ports and ports that are members of a port group do not support breakout auto-configuration. Breakout autoconfiguration is disabled by default.
LineSpeed 100G, Auto-Negotiation on FEC is cl91-rs, Current FEC is cl91-rs Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 60 Last clearing of "show interface" counters: 00:00:17 Queuing strategy: fifo Input statistics: 7 packets, 818 octets 2 64-byte pkts, 0 over 64-byte pkts, 5 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 7 Multicasts, 0 Broadcasts, 0 Unicasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output statistics: 15 packets, 1330 oct
Disable EEE
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no eee
Clear EEE counters
You can clear EEE counters on physical Ethernet interfaces globally or per interface.
Eth ... Eth Eth Eth ... Eth 1/1/1 off 0 0 0 0 1/1/47 1/1/48 1/1/49 on on n/a 0 0 0 0 0 0 0 0 1/1/52 n/a EEE commands clear counters interface eee Clears all EEE counters. Syntax clear counters interface eee Parameters None Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# clear counters interface eee Clear all eee counters [confirm yes/no]:yes 10.3.
Usage Information To disable EEE, use the no version of this command.
Example (Enable EEE)
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# eee
Example (Disable EEE)
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no eee
Supported Releases 10.3.0E or later
show interface eee
Displays the EEE status for all interfaces.
Supported Releases 10.3.0E or later
show interface ethernet eee
Displays the EEE status for a specified interface.
Syntax show interface ethernet node/slot/port[:subport] eee
Parameters node/slot/port[:subport]—Enter the interface information.
Default Not configured
Command Mode EXEC
Example
OS10# show interface ethernet 1/1/48 eee
Port          EEE    Status    Speed    Duplex
--------------------------------------------
Eth 1/1/48    on     up        1000M
Supported Releases 10.3.
● mgmt node/slot/port — Display Management interface information.
● port-channel id-number — Display port-channel interface information, from 1 to 128.
● vlan vlan-id — Display the VLAN interface information, from 1 to 4093.
View interface information
OS10# show interface
Ethernet 1/1/1 is up, line protocol is down
Hardware is Eth, address is 00:0c:29:66:6b:90
Current address is 00:0c:29:66:6b:90
Pluggable media present, QSFP+ type is QSFP+ 40GBASE CR4
Wavelength is 64
Receive power reading is 0.
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 Collisions, 0 wred drops
Rate Info(interval 30 seconds):
Input 0 Mbits/sec, 0 packets/sec, 0% of line rate
Output 0 Mbits/sec, 0 packets/sec, 0% of line rate
Time since last interface status change: 02:46:35
--more--
View specific interface information
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# show configuration
!
interface ethernet1/1/1
 ip address 1.1.1.
Ethernet 1/1/18 Ethernet 1/1/19 Ethernet 1/1/20 Ethernet 1/1/21 Ethernet 1/1/22 Ethernet 1/1/23 Ethernet 1/1/24 Ethernet 1/1/25 Ethernet 1/1/26 Ethernet 1/1/27 Ethernet 1/1/28 Ethernet 1/1/29 Ethernet 1/1/30 Ethernet 1/1/31 Ethernet 1/1/32 Management 1/1/1 Vlan 1 Vlan 10 Vlan 20 Vlan 30 unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned unassigned 10.16.153.
Table 5.
SET media 1/1/21 high threshold crossed, 82.00:78.00
Aug 03 06:35:47 OS10 dn_eqm[9135]: [os10:alarm], %Dell EMC (OS10) %EQM_MEDIA_VOLTAGE_HIGH: Media high voltage threshold crossed major warning SET media 1/1/21 high threshold crossed, 6.00:3.63
In this example, the threshold for high temperature is 78.00, but the current temperature is 82.00.
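The alarm text above ends with a current:threshold pair, which makes these messages easy to triage from a syslog collector. The following Python is an added example, not part of the OS10 guide: it parses dn_eqm media alarms and ranks the active ones by how far the reading is past its threshold. The first sample line is the message shown above; the other 1/1/22 lines are constructed, and skipping any action word other than SET is an assumption, because SET is the only action the guide shows.

```python
import re
from collections import namedtuple

DomAlarm = namedtuple(
    "DomAlarm",
    "timestamp mnemonic severity action port level current threshold",
)

# Layout taken from the EQM_MEDIA_VOLTAGE_HIGH message in the guide:
#   <time> <host> dn_eqm[pid]: [os10:alarm], %Dell EMC (OS10) %<MNEMONIC>:
#   <text> threshold crossed <severity> <ACTION> media <port>
#   <level> threshold crossed, <current>:<threshold>
ALARM_RE = re.compile(
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dn_eqm\[\d+\]: "
    r"\[os10:alarm\], %Dell EMC \(OS10\) %(?P<mnemonic>EQM_MEDIA_[A-Z_]+): "
    r".*?threshold crossed (?P<severity>.+?) "
    r"(?P<action>[A-Z]+) media (?P<port>\d+/\d+/\d+(?::\d+)?) "
    r"(?P<level>\w+) threshold crossed, "
    r"(?P<current>-?\d+(?:\.\d+)?):(?P<threshold>-?\d+(?:\.\d+)?)"
)


def parse_dom_alarm(line):
    """Return a DomAlarm for a media alarm line, or None for any other line."""
    match = ALARM_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    fields["current"] = float(fields["current"])
    fields["threshold"] = float(fields["threshold"])
    return DomAlarm(**fields)


def excess_ratio(alarm):
    """Distance of the reading from the threshold, as a fraction of the threshold."""
    if alarm.threshold == 0:
        return float("inf")
    return abs(alarm.current - alarm.threshold) / abs(alarm.threshold)


def active_alarms(lines):
    """Latest SET alarm per (port, mnemonic), worst excess first."""
    latest = {}
    for line in lines:
        alarm = parse_dom_alarm(line)
        # Assumption: only SET is documented on the page, so other actions are skipped.
        if alarm is None or alarm.action != "SET":
            continue
        latest[(alarm.port, alarm.mnemonic)] = alarm
    return sorted(latest.values(), key=excess_ratio, reverse=True)


PREFIX = ("OS10 dn_eqm[9135]: [os10:alarm], %Dell EMC (OS10) "
          "%EQM_MEDIA_VOLTAGE_HIGH: Media high voltage threshold crossed "
          "major warning SET media ")
SAMPLE_LOG = [
    # Message from the guide.
    "Aug 03 06:35:47 " + PREFIX + "1/1/21 high threshold crossed, 6.00:3.63",
    # Constructed: same format, different port and readings.
    "Aug 03 06:36:02 " + PREFIX + "1/1/22 high threshold crossed, 3.70:3.63",
    "Aug 03 06:41:10 " + PREFIX + "1/1/22 high threshold crossed, 3.80:3.63",
    # Interface notification from the guide; not a media alarm, so it is ignored.
    "Sep 19 17:28:10 OS10 dn_ifm[932]: Node.1-Unit.1:PRI:notice [os10:notify], "
    "%Dell EMC (OS10) %IFM_ASTATE_UP: Interface admin state up :vlan10",
]

if __name__ == "__main__":
    for alarm in active_alarms(SAMPLE_LOG):
        print("%-8s %-24s %6.2f vs %6.2f  (+%.1f%%)" % (
            alarm.port, alarm.mnemonic, alarm.current, alarm.threshold,
            100 * excess_ratio(alarm)))
```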
default vlan-id
Reconfigures the VLAN ID of the default VLAN.
Syntax default vlan-id vlan-id
Parameters vlan-id — Enter the default VLAN ID number, from 1 to 4093.
Default VLAN1
Command Mode CONFIGURATION
Usage Information By default, VLAN1 serves as the default VLAN for switching untagged L2 traffic on OS10 ports in Trunk or Access mode. If you use VLAN1 for network-specific data traffic, reconfigure the VLAN ID of the default VLAN.
Example OS10(conf-if-eth1/1/7)# description eth1/1/7
Supported Releases 10.2.0E or later
duplex
Configures Duplex mode on the Management port.
Syntax duplex {full | half | auto}
Parameters
● full — Set the physical interface to transmit in both directions.
● half — Set the physical interface to transmit in only one direction.
● auto — Set the port to auto-negotiate speed with a connected device.
Default Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command disables the DOM traps.
Example
OS10# configure terminal
OS10(config)# snmp-server enable traps dom temperature
OS10# configure terminal
OS10(config)# no snmp-server enable traps dom temperature
Supported Releases 10.4.3.0 or later
feature auto-breakout
Enables front-panel Ethernet ports to automatically detect SFP media and autoconfigure breakout interfaces.
Supported Releases 10.3.0E or later interface breakout Splits a front-panel Ethernet port into multiple breakout interfaces. Syntax interface breakout node/slot/port map {100g-1x | 40g-1x | 25g-4x | 10g-4x | 25g-4x} Parameters ● ● ● ● ● Default Not configured Command Mode CONFIGURATION Usage Information ● Each breakout interface operates at the configured speed; for example, 10G or 25G. ● The no interface breakout node/slot/port command resets a port to its default speed: 40G or 100G.
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the Loopback interface.
Example
OS10(config)# interface loopback 100
OS10(conf-if-lo-100)#
Supported Releases 10.2.0E or later
interface mgmt
Configures the Management port.
Syntax interface mgmt node/slot/port
Parameters node/slot/port — Enter the physical port interface information for the Management interface.
Default Enabled
Command Mode CONFIGURATION
Usage Information You cannot delete a Management port.
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the interface.
Example
OS10(config)# interface port-channel 10
OS10(conf-if-po-10)#
Supported Releases 10.2.0E or later
interface range
Configures a range of Ethernet, port-channel, or VLAN interfaces for bulk configuration.
Syntax interface range {ethernet node/slot/port[:subport]-node/slot/port[:subport],[...]} | {port-channel IDnumber-IDnumber,[ ...]} | vlan vlanID-vlanID,[...
Example
OS10(config)# interface vlan 10
OS10(conf-if-vl-10)#
Supported Releases 10.2.0E or later
link-bundle-utilization
Configures link-bundle utilization.
Syntax link-bundle-utilization trigger-threshold value
Parameters value — Enter the percentage of port-channel bandwidth that triggers traffic monitoring on port-channel members, from 0 to 100.
● QSFP28-DD port groups 1 to 9 operate in 8x25GE fabric-expander mode (FEM).
● QSFP28-DD port groups 10 to 12 operate in 2x100GE mode.
● QSFP28 port groups 13 and 14 operate in 1x100GE mode.
● Unified port groups 15 and 16 operate in ethernet 1x100GE mode.
Command Mode PORT-GROUP
Usage Information
● The mode {FC | Eth} command configures a port group to operate at line rate and guarantees no traffic loss.
● To configure oversubscription on a FC interface, use the speed command.
● Port-channels
  ○ All members must have the same link MTU value and the same IP MTU value.
  ○ The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values you configure on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU of 2000, the port channel's MTU values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU.
● VLANs
  ○ All members of a VLAN must have the same IP MTU value.
  ○ Members can have different link MTU values.
Parameters
● node/slot — Enter 1/1 for node/slot when you configure a port group.
● port-group — Enter the port-group number, from 1 to 16. The available port-group range depends on the switch.
Default Not configured
Command mode CONFIGURATION
Usage information Enter PORT-GROUP mode to:
● Configure unified ports in Fibre Channel or Ethernet mode and break out interfaces with a specified speed.
● Break out an MX9116n QSFP28-DD or QSFP28 port group into multiple interfaces with a specified speed.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information Use the VLAN scale profile when you scale the number of VLANs so that the switch consumes less memory. Enable the scale profile before you configure VLANs on the switch. The scale profile globally applies L2 mode on all VLANs you create and disables L3 transmission. The no version of the command disables L2 VLAN scaling. To enable L3 routing traffic on a VLAN, use the mode L3 command.
Output statistics: 0 packets, 0 octets 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 Collisions, 0 wreddrops Rate Info(interval 299 seconds): Input 0 Mbits/sec, 0 packets/sec, 0% of line rate Output 0 Mbits/sec, 0 packets/sec, 0% of line rate Time since last interface status change: 3 weeks 1 day 20:30:38 --more-Example (port channel) OS10# show interface port-cha
1/1/9 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15 1/1/16 1/1/17 1/1/18 ... Supported Releases Not Present Not Present Not Present Not Present Not Present Not Present SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ 10GBASE 10GBASE 10GBASE 10GBASE SR SR SR SR AK60QJN AL30KWM AQ22DMB AQM146U false true true true 10.2.0E or later show link-bundle-utilization Displays information about the link-bundle utilization.
Group Port-Channel Type Protocol Member Ports 22 port-channel22 (U) Eth STATIC 1/1/10(P) 1/1/11(P) 1/1/12(P) 1/1/13(P) 1/1/14(P) 1/1/15(P) 1/1/16(P) 1/1/17(P) 1/1/18(P) 1/1/19(P) 23 port-channel23 (D) Eth STATIC OS10(config)# interface range e1/1/12-1/1/13,1/1/15,1/1/17-1/1/18 OS10(conf-range-eth1/1/12-1/1/13,1/1/15,1/1/17-1/1/18)# no channel-group OS10(conf-range-eth1/1/12-1/1/13,1/1/15,1/1/17-1/1/18)# do show portchannel summary Flags: D - Down U - member up but inactive P - member up and active U - Up (p
port-group1/1/15 port-group1/1/16 Example: Z9264F-ON Supported Releases Eth 100g-1x Eth 100g-1x 43 44 OS10(config)# show port-group hybrid-group profile port-group1/1/1 restricted port-group1/1/2 restricted port-group1/1/3 restricted port-group1/1/4 restricted port-group1/1/5 restricted port-group1/1/6 restricted port-group1/1/7 restricted port-group1/1/8 restricted - Ports 1/1/1 1/1/2 1/1/3 1/1/4 1/1/5 1/1/6 1/1/7 1/1/8 1/1/9 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15 Mode Eth 10g-4x Eth
Parameters None Defaults DOM disabled Command Mode EXEC Usage Information None Example OS10# show system Node Id : 1 MAC : 90:b1:1c:f4:aa:b2 Number of MACs : 129 Up Time : 02:08:43 -- Unit 1 -Status : up System Identifier : 1 Down Reason : user-triggered Digital Optical Monitoring : disable Supported Releases 10.4.3.0 or later show vlan Displays the current VLAN configuration. Syntax show vlan [vlan-id] Parameters vlan-id — (Optional) Enter a VLAN ID, from 1 to 4093.
on the interface. The shutdown and description commands are the only commands that you can configure on an interface that is a port-channel member.
Example
OS10(config)# interface ethernet 1/1/7
OS10(conf-if-eth1/1/7)# no shutdown
Supported Releases 10.2.0E or later
speed (Fibre Channel)
Configures the transmission speed of a Fibre Channel interface.
Example OS10(conf-if-ma-1/1/1)# speed auto
Supported Releases 10.3.0E or later
switch-port-profile
Configures a port profile on the switch. The port profile determines the available front-panel ports and breakout modes.
Syntax switch-port-profile node/unit profile
Parameters
● node/unit — Enter switch information. For a standalone switch, enter 1/1.
● profile — Enter the name of a platform-specific profile.
QSFP28 unified ports 26 and 30 operate in Ethernet 40GE mode by default and support 4x10G breakouts. QSFP28 ports 26 and 30 support 1x32GFC, 2x16GFC, and 4x8GFC in FC mode.
  ■ QSFP+ Ethernet ports operate at 40GE by default and support 4x10G breakouts.
  ■ SFP+ Ethernet ports operate at 10GE.
○ profile-2 — SFP+ unified ports (1-24), QSFP28 unified ports (25-26 and 29-30), QSFP+ Ethernet ports (27-28), and SFP+ Ethernet ports (31-54) are enabled.
  ■ SFP+ unified ports operate in Ethernet 10GE mode by default.
switchport access vlan
Assigns access VLAN membership to a port in L2 Access or Trunk mode.
Syntax switchport access vlan vlan-id
Parameters vlan vlan-id — Enter the VLAN ID number, from 1 to 4093.
Default VLAN 1
Command Mode INTERFACE
Usage Information This command enables L2 switching for untagged traffic and assigns a port interface to default VLAN1. Use this command to change the assignment of the access VLAN that carries untagged traffic.
Parameters vlan-id-list — Enter the VLAN numbers of the tagged traffic that the L2 trunk port can carry. Comma-separated and hyphenated VLAN number ranges are supported.
Default None
Command Mode INTERFACE
Usage Information Use the no version of this command to remove the configuration.
Example
OS10(conf-if-eth1/1/2)# switchport trunk allowed vlan 1000
OS10(conf-if-eth1/1/2)# no switchport trunk allowed vlan 1000
Supported Releases 10.2.
4 Fibre Channel
OS10 switches with Fibre Channel (FC) ports operate in one of the following modes: Direct attach (F_Port), NPIV Proxy Gateway (NPG), or FIP Snooping Bridge (FSB). In the FSB mode, you cannot use the FC ports.
F_Port
Fibre Channel fabric port (F_Port) is the switch port that connects the FC fabric to a node. S4148U-ON switches support F_Port. Enable Fibre Channel F_Port mode globally using the feature fc domain-ID domain-ID command in CONFIGURATION mode.
Terminology
ENode: End Node or FCoE node
FC: Fibre Channel
FC ID: A 3-byte address used by FC to identify the end points
FC Map: A 3-byte prefix configured per VLAN, used to frame FCoE MAC address
FCF: Fibre Channel Forwarder
FCoE: Fibre Channel over Ethernet
FCoE MAC: Unique MAC address used to identify an FCoE session. This is a combination of FC ID and FC Map.
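Because the FCoE MAC is the VLAN's 3-byte FC Map followed by the session's 3-byte FC ID, a session table can be checked mechanically for addresses that do not follow that rule. The Python below is an added example, not code from the OS10 guide: it parses rows in the layout of the guide's show fcoe sessions output and reports any FCoE MAC that differs from FC Map + FC ID. The first two rows reuse addresses printed in the guide, the last two are constructed, and the 0efc00 FC Map values are an assumption read off the FCoE MACs in the guide's output.

```python
import re

# A run of colon-separated hex octets that is not part of a longer run.
HEX_RUN = re.compile(
    r"(?<![0-9A-Fa-f:])[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+(?![0-9A-Fa-f:])"
)


def to_bytes(text):
    """Convert '0e:fc:00' to the bytes 0x0e 0xfc 0x00."""
    return bytes(int(octet, 16) for octet in text.split(":"))


def fmt(data):
    return ":".join("%02x" % b for b in data)


def parse_session(row):
    """Extract the address fields from one `show fcoe sessions` data row.

    Fields are told apart by length instead of column position, because
    interface names such as 'Po 10(Eth 1/1/44:1)' contain spaces:
    6 octets = MAC, 3 octets = FC ID, 8 octets = WWN.
    Column order: ENode MAC, FCF MAC, VLAN, FCoE MAC, FC-ID, WWPN, WWNN.
    """
    runs = list(HEX_RUN.finditer(row))
    macs = [m for m in runs if m.group().count(":") == 5]
    fc_ids = [m for m in runs if m.group().count(":") == 2]
    wwns = [m for m in runs if m.group().count(":") == 7]
    if (len(macs), len(fc_ids), len(wwns)) != (3, 1, 2):
        raise ValueError("not a session row: %r" % row)
    # The VLAN ID is the number printed immediately before the FCoE MAC.
    vlan = re.search(r"(?<!\d)(\d{1,4})\s+$", row[: macs[2].start()])
    if vlan is None:
        raise ValueError("no VLAN ID before the FCoE MAC: %r" % row)
    return {
        "enode_mac": macs[0].group().lower(),
        "fcf_mac": macs[1].group().lower(),
        "vlan": int(vlan.group(1)),
        "fcoe_mac": to_bytes(macs[2].group()),
        "fc_id": to_bytes(fc_ids[0].group()),
        "wwpn": wwns[0].group().lower(),
    }


def audit_sessions(rows, fc_map_by_vlan):
    """Return (enode_mac, vlan, problem) for each row whose FCoE MAC is not
    the VLAN's FC Map followed by the session's FC ID."""
    findings = []
    for row in rows:
        s = parse_session(row)
        fc_map = fc_map_by_vlan.get(s["vlan"])
        if fc_map is None:
            findings.append((s["enode_mac"], s["vlan"],
                             "no FC Map recorded for this VLAN"))
            continue
        expected = fc_map + s["fc_id"]
        if s["fcoe_mac"] != expected:
            findings.append((s["enode_mac"], s["vlan"],
                             "FCoE MAC %s, expected %s"
                             % (fmt(s["fcoe_mac"]), fmt(expected))))
    return findings


# Rows 1-2 reuse addresses from the guide; rows 3-4 are constructed to show
# an FC ID mismatch and a VLAN with no known FC Map.
SAMPLE_ROWS = [
    "f4:e9:d4:f9:fc:40 Eth 1/1/5 14:18:77:20:86:ce Eth 1/1/2 777 "
    "0e:fc:00:02:01:00 02:01:00 20:01:f4:e9:d4:a4:7d:c3 20:00:f4:e9:d4:a4:7d:c3",
    "00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 "
    "0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84",
    "02:00:00:00:00:0a Eth 1/1/7 14:18:77:20:86:ce Eth 1/1/2 777 "
    "0e:fc:00:02:01:00 02:02:00 20:01:02:00:00:00:00:0a 20:00:02:00:00:00:00:0a",
    "02:00:00:00:00:0b Eth 1/1/8 14:18:77:20:86:ce Eth 1/1/2 778 "
    "0e:fc:00:02:03:00 02:03:00 20:01:02:00:00:00:00:0b 20:00:02:00:00:00:00:0b",
]
# Assumed FC Map per FCoE VLAN (the value set with `fcoe fcmap` in the vfabric).
FC_MAP_BY_VLAN = {777: bytes.fromhex("0efc00"), 1002: bytes.fromhex("0efc00")}

if __name__ == "__main__":
    for enode, vlan, problem in audit_sessions(SAMPLE_ROWS, FC_MAP_BY_VLAN):
        print("ENode %s VLAN %d: %s" % (enode, vlan, problem))
```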
7. Apply the vfabric to FC interfaces using the vfabric fabric-ID command in FC INTERFACE mode.
To configure a vfabric in NPG mode:
1. Configure a vfabric using the vfabric fabric-ID command in CONFIGURATION mode. The switch enters vfabric CONFIGURATION mode.
2. Associate a VLAN ID to the vfabric with the vlan vlan-ID command.
3. Add FCoE parameters with the fcoe {fcmap fc-map | fcf-priority fcf-priority-value | fka-advperiod adv-period | vlan-priority vlan-priority-value | keep-alive} command.
4. (Optional) Add a name to the vfabric using the name vfabric-name command.
5.
1. (Optional) Create an FC alias using the fc alias alias-name command in CONFIGURATION mode. The switch enters Alias CONFIGURATION mode.
2. Add members to the alias using the member {wwn wwn-ID | fc-id fc-id} command in Alias CONFIGURATION mode. You can add a maximum of 255 unique members.
3. Create a zone using the fc zone zone-name command in CONFIGURATION mode. The switch enters Zone CONFIGURATION mode.
4.
member hba1 member hba2 OS10# show fc zoneset active vFabric id: 100 Active Zoneset: set ZoneName ZoneMember ================================================ hba2 *20:01:00:0e:1e:e8:e4:99 20:35:78:2b:cb:6f:65:57 50:00:d3:10:00:ec:f9:05 50:00:d3:10:00:ec:f9:1b 50:00:d3:10:00:ec:f9:1f hba1 *10:00:00:90:fa:b8:22:19 *21:00:00:24:ff:7b:f5:c8 OS10# show fc zoneset set ZoneSetName ZoneName ZoneMember ========================================================== set hba1 21:00:00:24:ff:7b:f5:c8 10:00:00:90:fa:b8:22:
FC sessions form between FC nodes, and FCoE sessions form between Ethernet nodes. To form an FC or FCoE session, the fabric login request and its reply must traverse the switch through the same port. A fabric login request that the server initiates passes through the switch and reaches the SAN fabric. The login accept response is hashed to any one of the ports in the port-channel. If the server receives the response on a port other than the one on which it sent the request, the server keeps retrying the request.
Sample FSB configuration on VLT network
1. Enable the FIP snooping feature globally.
OS10(config)# feature fip-snooping
2. Create the FCoE VLAN.
OS10(config)# interface vlan 1001
OS10(conf-if-vl-1001)# fip-snooping enable
3. Configure the VLTi interface.
OS10(config)# interface ethernet 1/1/27
OS10(conf-if-eth1/1/27)# no shutdown
OS10(conf-if-eth1/1/27)# no switchport
4. Configure the VLT.
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.
OS10(config)# policy-map type network-qos PFC
OS10(config-pmap-network-qos)# class fcoematch
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 3
7. Create uplink and downlink port-channels, and configure the FCF facing port.
Version : 2.0 Local System MAC address : 50:9a:4c:d3:cf:70 Primary priority : 32768 VLT MAC address : 50:9a:4c:d3:cf:70 IP address : fda5:74c8:b79e:1::2 Delay-Restore timer : 90 seconds Peer-Routing : Disabled Peer-Routing-Timeout timer : 0 seconds VLTi Link Status port-channel1000 : up VLT Peer Unit ID System MAC Address Status IP Address Version ---------------------------------------------------------------------------------1 50:9a:4c:d3:e2:f0 up fda5:74c8:b79e:1::1 2.
2. Create the FC zones.
OS10(config)# fc zone zoneA
OS10(config-fc-zone-zoneA)# member wwn 10:00:00:90:fa:b8:22:19
OS10(config-fc-zone-zoneA)# member wwn 21:00:00:24:ff:7b:f5:c8
3. Create the FC zoneset.
OS10(config)# fc zoneset zonesetA
OS10(conf-fc-zoneset-zonesetA)# member zoneA
4. Create the vfabric VLAN.
OS10(config)# interface vlan 1001
5. Create vfabric and activate the FC zoneset.
OS10(conf-if-eth1/1/10)# no shutdown
OS10(conf-if-eth1/1/10)# channel-group 10 mode active
OS10(conf-if-eth1/1/10)# no switchport
OS10(conf-if-eth1/1/10)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/10)# priority-flow-control mode on
View configuration
Name server entries:
OS10# show fc ns switch brief
Total number of devices = 2
Intf# Domain port-channel10(Eth 1/1/9) 1 20:00:f4:e9:d4:a4:7d:c3 fibrechannel1/1/26 1 21:00:00:24:ff:7c:ae:0e FC-ID 01:00:00 Enode-WWPN 20:01:f4:e9:d4:a4:7d:c
OS10(conf-if-po-10)# switchport trunk allowed vlan 1001,10
OS10(conf-if-po-10)# fip-snooping port-mode fcf
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 1
OS10(conf-if-po-20)# switchport trunk allowed vlan 1001,10
6. Apply the PFC configuration on downlink and uplink interfaces. In addition, include the interfaces to the port-channel and configure one of the interfaces as pinned-port.
Pinned port status:
OS10# show fcoe pinned-port
Interface          pinned-port       FCoE Status
-----------------  ----------------  -----------------
Po 10              Eth 1/1/1         Up
Po 20              Eth 1/1/3         Up
Sample FC Switch configuration on non-VLT network
1. Enable the F_PORT mode.
OS10(config)# feature fc domain-id 1
2. Create the FC zones.
OS10(conf-if-eth1/1/9)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/9)# priority-flow-control mode on
OS10(config)# interface ethernet 1/1/10
OS10(conf-if-eth1/1/10)# no shutdown
OS10(conf-if-eth1/1/10)# channel-group 10 mode active
OS10(conf-if-eth1/1/10)# no switchport
OS10(conf-if-eth1/1/10)# service-policy input type network-qos PFC
OS10(conf-if-eth1/1/10)# priority-flow-control mode on
View configuration
Name server entries:
OS10# show fc ns switch brief
Total number of devices = 2
In
NOTE: Port-pinning is not supported on ENodes connected to an FSB switch that is in FCF-transit mode. You cannot view the ENodes or session information using the show commands.
Clear virtual link frames
When an FSB clears an FCoE session for some reason, the other devices in the network, such as the ENode, FCF, and transit switches, are not informed and consider the session to be intact. The FSB drops the FCoE data corresponding to the cleared session.
b. Enable DCBX.
L2switch(config)# dcbx enable
c. Create a VLAN for FCoE traffic to pass through.
L2switch(config)# interface vlan 777
d. Create class-maps.
L2switch(config)# class-map type network-qos c3
L2switch(config-cmap-nqos)# match qos-group 3
L2switch(config)# class-map type queuing q0
L2switch(config-cmap-queuing)# match queue 0
L2switch(config-cmap-queuing)# exit
L2switch(config)# class-map type queuing q3
L2switch(config-cmap-queuing)# match queue 3
L2switch(config-cmap-queuing)# exit
e.
a. Disable flow control on the interfaces connected to CNA1, L2 switch, and FSB2.
FSB1(config)# interface ethernet 1/1/31
FSB1(conf-if-eth1/1/31)# no flowcontrol receive
FSB1(conf-if-eth1/1/31)# no flowcontrol transmit
FSB1(config)# interface ethernet 1/1/5
FSB1(conf-if-eth1/1/5)# no flowcontrol receive
FSB1(conf-if-eth1/1/5)# no flowcontrol transmit
FSB1(config)# interface ethernet 1/1/2
FSB1(conf-if-eth1/1/2)# no flowcontrol receive
FSB1(conf-if-eth1/1/2)# no flowcontrol transmit
b.
i.
e. Create class-maps.
FSB2(config)# class-map type network-qos c3
FSB2(config-cmap-nqos)# match qos-group 3
FSB2(config)# class-map type queuing q0
FSB2(config-cmap-queuing)# match queue 0
FSB2(config-cmap-queuing)# exit
FSB2(config)# class-map type queuing q3
FSB2(config-cmap-queuing)# match queue 3
FSB2(config-cmap-queuing)# exit
f. Create policy-maps.
4. Configure the FCF. The following configuration assumes that the FCF is in F-Port mode.
a. Disable flow control on the interface connected to FSB2.
FCF(config)# interface ethernet 1/1/13
FCF(conf-if-eth1/1/13)# no flowcontrol receive
FCF(conf-if-eth1/1/13)# no flowcontrol transmit
b. Enable Fibre Channel F-Port mode globally.
FCF(config)# feature fc domain-id 2
c. Create zones.
j. Apply vfabric on FSB2 and target connected interfaces.
FCF(config)# interface ethernet 1/1/13
FCF(conf-if-eth1/1/13)# no shutdown
FCF(conf-if-eth1/1/13)# switchport access vlan 1
FCF(conf-if-eth1/1/13)# vfabric 2
FCF(config)# interface fibrechannel 1/1/3
FCF(conf-if-fc1/1/3)# description target_connected_port
FCF(conf-if-fc1/1/3)# no shutdown
FCF(conf-if-fc1/1/3)# vfabric 2
k. Apply QoS configurations on the interface connected to FSB2.
-------------------------------------------------------------------------------------------------------------32:03:cf:45:00:00 Eth 1/1/31 14:18:77:20:86:ce Eth 1/1/2 777 0e:fc:00:05:00:05 05:00:05 33:00:55:2c:cf:55:00:00 23:00:55:2c:cf:55:00:00 f4:e9:d4:f9:fc:40 Eth 1/1/5 14:18:77:20:86:ce Eth 1/1/2 777 0e:fc:00:02:01:00 02:01:00 20:01:f4:e9:d4:a4:7d:c3 20:00:f4:e9:d4:a4:7d:c3 ● To verify the name server entries on the FCF, use the show fc ns switch brief command.
● VLT is configured between FSB1 and FSB2, and requires port-pinning for VLT port channels configured between access FSBs and core FSBs. The port modes are:
  ○ Directly-connected CNA ports—ENode
  ○ Ports connected to FSB3 and FSB4—FCF
● VLT is configured between FSB3 and FSB4, and requires port-pinning for VLT port channels configured between access and core FSBs.
4. Create class-maps.
FSB1(config)# class-map type network-qos c3
FSB1(config-cmap-nqos)# match qos-group 3
FSB1(config)# class-map type queuing q0
FSB1(config-cmap-queuing)# match queue 0
FSB1(config-cmap-queuing)# exit
FSB1(config)# class-map type queuing q3
FSB1(config-cmap-queuing)# match queue 3
FSB1(config-cmap-queuing)# exit
5. Create policy-maps.
FSB1(conf-if-eth1/1/31)# switchport access vlan 1
FSB1(conf-if-eth1/1/31)# switchport trunk allowed vlan 1001
FSB1(config)# interface port-channel 10
FSB1(conf-if-po-10)# switchport mode trunk
FSB1(conf-if-po-10)# switchport access vlan 1
FSB1(conf-if-po-10)# switchport trunk allowed vlan 1001-1002
11. Apply QoS configurations on the interfaces connected to FSB2 and CNA-1. Configure the interface connected to FSB2 as pinned-port.
FSB2(config-cmap-queuing)# match queue 3
FSB2(config-cmap-queuing)# exit
5. Create policy-maps.
FSB2(config)# policy-map type network-qos nqpolicy
FSB2(config-pmap-network-qos)# class c3
FSB2(config-pmap-c-nqos)# pause
FSB2(config-pmap-c-nqos)# pfc-cos 3
FSB2(config)# policy-map type queuing ets_policy
FSB2(config-pmap-queuing)# class q0
FSB2(config-pmap-c-que)# bandwidth percent 30
FSB2(config-pmap-c-que)# class q3
FSB2(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
11. Apply QoS configurations on the interfaces connected to FSB4 and CNA-2. Configure the interface connected to FSB4 as pinned-port.
FSB3(config-pmap-c-nqos)# pause
FSB3(config-pmap-c-nqos)# pfc-cos 3
FSB3(config)# policy-map type queuing ets_policy
FSB3(config-pmap-queuing)# class q0
FSB3(config-pmap-c-que)# bandwidth percent 30
FSB3(config-pmap-c-que)# class q3
FSB3(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
FSB3(config)# qos-map traffic-class tc-q-map1
FSB3(config-qos-map)# queue 3 qos-group 3
FSB3(config-qos-map)# queue 0 qos-group 0-2,4-7
7. Configure port channel.
FSB3(conf-if-eth1/1/45)# qos-map traffic-class tc-q-map1
FSB3(conf-if-eth1/1/45)# service-policy input type network-qos nqpolicy
FSB3(conf-if-eth1/1/45)# service-policy output type queuing ets_policy
FSB3(config)# interface ethernet 1/1/36
FSB3(conf-if-eth1/1/36)# flowcontrol receive off
FSB3(conf-if-eth1/1/36)# priority-flow-control mode on
FSB3(conf-if-eth1/1/36)# ets mode on
FSB3(conf-if-eth1/1/36)# trust-map dot1p default
FSB3(conf-if-eth1/1/36)# qos-map traffic-class tc-q-map1
FSB3(conf-if-eth1/1/36)#
FSB4(config-pmap-c-que)# class q3
FSB4(config-pmap-c-que)# bandwidth percent 70
6. Create a qos-map.
FSB4(config)# qos-map traffic-class tc-q-map1
FSB4(config-qos-map)# queue 3 qos-group 3
FSB4(config-qos-map)# queue 0 qos-group 0-2,4-7
7. Configure port channel.
FSB4(config)# interface port-channel 10
FSB4(conf-if-po-10)# no shutdown
FSB4(conf-if-po-10)# vlt-port-channel 1
8. Configure VLTi interface member links.
FCF1 configuration
1. Enable Fibre Channel F-Port mode globally.
FCF1(config)# feature fc domain-id 2
2. Create zones.
FCF1(config)# fc zone zoneA
FCF1(config-fc-zone-zoneA)# member wwn 23:05:22:11:0d:64:67:11
FCF1(config-fc-zone-zoneA)# member wwn 50:00:d3:10:00:ec:f9:00
3. Create zoneset.
FCF1(config)# fc zoneset zonesetA
FCF1(conf-fc-zoneset-setA)# member zoneA
4. Create a vfabric VLAN.
FCF1(config)# interface vlan 1001
5. Create vfabric and activate the zoneset.
FCF1(conf-if-eth1/1/45)# ets mode on
FCF1(conf-if-eth1/1/45)# trust-map dot1p default
FCF1(conf-if-eth1/1/45)# qos-map traffic-class tc-q-map1
FCF1(conf-if-eth1/1/45)# service-policy input type network-qos nqpolicy
FCF1(conf-if-eth1/1/45)# service-policy output type queuing ets_policy
11. Apply vfabric on the interfaces connected to FSB3 and the target.
FCF2(config-pmap-c-nqos)# pause
FCF2(config-pmap-c-nqos)# pfc-cos 3
FCF2(config)# policy-map type queuing ets_policy
FCF2(config-pmap-queuing)# class q0
FCF2(config-pmap-c-que)# bandwidth percent 30
FCF2(config-pmap-c-que)# class q3
FCF2(config-pmap-c-que)# bandwidth percent 70
9. Create a qos-map.
FCF2(config)# qos-map traffic-class tc-q-map1
FCF2(config-qos-map)# queue 3 qos-group 3
FCF2(config-qos-map)# queue 0 qos-group 0-2,4-7
10. Apply QoS configurations on the interface connected to FSB4.
Enodes Sessions : 1 : 1 FSB2 FSB2# show fcoe sessions Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN PORT WWNN -----------------------------------------------------------------------------------------------------------------------------------------------00:0e:1e:f1:f1:84 Eth 1/1/1 14:18:77:20:80:ce Po 10(Eth 1/1/44:1)1002 0e:fc:00:02:01:00 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 FSB2# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
00:0e:1e:f1:f1:84 0e:fc:00:02:01:00 Po 10(Eth 1/1/37) 14:18:77:20:80:ce Eth 1/1/42 02:01:00 20:01:00:0e:1e:f1:f1:84 20:00:00:0e:1e:f1:f1:84 1002 FSB4# show fcoe fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
● Before you disable the F_Port and NPG features, delete the mode-specific configurations. When you disable FSB, the system automatically removes the configurations.
F_Port commands
The following commands are supported on F_Port mode:
fc alias
Creates an FC alias. After creating the alias, add members to the FC alias. An FC alias can have a maximum of 255 unique members.
Syntax fc alias alias-name
Parameters alias-name — Enter a name for the FC alias.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command removes the FC zoneset.
Example
OS10(config)# fc zoneset set
OS10(conf-fc-zoneset-set)# member hba1
Supported Releases 10.3.1E or later
feature fc
Enables the F_Port globally.
Syntax feature fc domain-id domain-id
Parameters domain-id — Enter the domain ID of the F_Port, from 1 to 239.
Parameters
● alias-name — Enter the FC alias name.
● wwn-ID — Enter the WWN name.
● fc-id — Enter the FC ID name.
Defaults Not configured
Command Mode Zone CONFIGURATION
Usage Information The no version of this command removes the member from the zone.
Example
OS10(config)# fc zone hba1
OS10(config-fc-zone-hba1)# member wwn 10:00:00:90:fa:b8:22:19
OS10(config-fc-zone-hba1)# member wwn 21:00:00:24:ff:7b:f5:c8
Supported Releases 10.3.1E or later
member (zoneset)
Adds zones to an existing zoneset.
show fc interface-area-id mapping
Displays the FC ID to interface mapping details.
Syntax show fc interface-area-id mapping
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show fc interface-area-id mapping
Intf Name         FC-ID       Status
==================================================
ethernet1/1/40    0a:02:00    Active
Supported Releases 10.4.1.0 or later
show fc ns switch
Displays the details of the FC NS switch parameters.
show fc zone
Displays the FC zones and the zone members.
Syntax show fc zone [zone-name]
Parameters zone-name — Enter the FC zone name.
50:00:d3:10:00:ec:f9:1f
20:35:78:2b:cb:6f:65:57

vFabric id: 100
Active Zoneset: set
ZoneName        ZoneMember
==============================================
hba2            20:01:00:0e:1e:e8:e4:99
                20:35:78:2b:cb:6f:65:57
                50:00:d3:10:00:ec:f9:05
                50:00:d3:10:00:ec:f9:1b
                50:00:d3:10:00:ec:f9:1f
hba1            *10:00:00:90:fa:b8:22:19
                *21:00:00:24:ff:7b:f5:c8
                21:00:00:24:ff:7f:ce:ee
                21:00:00:24:ff:7f:ce:ef

Example (active zoneset)
OS10# show fc zoneset active
vFabric id: 100
Active Zoneset: set
ZoneName        ZoneMember
====================
Usage Information A default zone advertises a maximum of 255 members in the registered state change notification (RSCN) message. The no version of this command disables access between the FC nodes in the absence of an active zoneset.
Example
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# zone default-zone permit
Supported Releases 10.3.1E or later

zoneset activate
Activates an existing zoneset. You can activate only one zoneset in a vfabric.
feature fc npg
Enables the NPG mode globally.
Syntax feature fc npg
Parameters None
Defaults Disabled
Command Mode CONFIGURATION
Usage Information You can enable only one of the following at a time: F_Port, NPG, or FSB. The no version of this command disables NPG mode.
Example
OS10(config)# feature fc npg
Supported Releases 10.4.0E(R1) or later

show npg devices
Displays the NPG devices connected to the switch.
clear fc statistics
Clears FC statistics for a specified vfabric or Fibre Channel interface.
Syntax clear fc statistics [vfabric vfabric-ID | interface fibrechannel]
Parameters
● vfabric-ID — Enter the vfabric ID.
● fibrechannel — Enter the Fibre Channel interface name.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# clear fc statistics vfabric 100
OS10# clear fc statistics interface fibrechannel1/1/25
Supported Releases 10.4.1.
Defaults Not configured
Command Mode Vfabric CONFIGURATION
Usage Information The no version of this command removes the vfabric name.
Example
OS10(config)# vfabric 100
OS10(conf-vfabric-100)# name test_vfab
Supported Releases 10.3.1E or later

show fc statistics
Displays the FC statistics.
Syntax show fc statistics {vfabric vfabric-ID | interface fibrechannel}
Parameters
● vfabric-ID — Enter the vfabric ID.
● fibrechannel — Enter the Fibre Channel interface name.
Usage Information None
Example
OS10# show fc switch
Switch Mode : FPORT
Switch WWN : 10:00:14:18:77:20:8d:cf
Supported Releases 10.3.1E or later

show running-config vfabric
Displays the running configuration for the vfabric.
Switch Zoning Parameters
==========================================
Default Zone Mode: Deny
Active ZoneSet: zoneset5
=========================================
Members
fibrechannel1/1/25
port-channel10(Eth 1/1/9)
Supported Releases 10.3.1E or later

vfabric
Configures a vfabric.
Syntax vfabric fabric-ID
Parameters fabric-ID — Enter the fabric ID, from 1 to 255.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information Enable the F_Port or NPG feature before configuring a vfabric.
vlan
Associates an existing VLAN ID to the vfabric to carry traffic.
Syntax vlan vlan-ID
Parameters vlan-ID — Enter an existing VLAN ID.
Defaults Not configured
Command Mode Vfabric CONFIGURATION
Usage Information Create the VLAN ID before associating it to the vfabric. Do not use a spanned VLAN as the vfabric VLAN. The no version of this command removes the VLAN ID from the vfabric.
fip-snooping enable
Enables FIP snooping on a specified VLAN.
Syntax fip-snooping enable
Parameters None
Defaults Disabled
Command Mode VLAN INTERFACE
Usage Information Enable FIP snooping on a VLAN only after enabling the FIP snooping feature globally using the feature fip-snooping command. OS10 supports FIP snooping on a maximum of 12 VLANs. The no version of this command disables FIP snooping on the VLAN.
You cannot disable FIP snooping when the port mode is set to a non-default value (enode-transit, fcf, or fcf-transit). If you want to change the port mode from one value to another, you can directly use the fip-snooping port mode command. You do not have to explicitly use the no form of the command. The no version of this command resets the port mode to ENode.
Example
OS10(config)# interface ethernet 1/1/32
OS10(conf-if-eth1/1/32)# fip-snooping port-mode fcf
Supported Releases 10.4.0E(R1) or later
10.4.3.
Supported Releases 10.4.0E(R1) or later

fcoe-pinned-port
Marks a port as a pinned port in the port-channel. This configuration is supported on FSB, Ethernet LAG in NPG, and F_Port mode. It is not supported on a VLTi LAG.
Syntax fcoe-pinned-port
Parameters node/slot/port[:subport] — Enter the interface type details.
Defaults Disabled
Command Mode Port-channel INTERFACE
Usage Information You can configure only a single port per port-channel.
Example
OS10(config)# fcoe priority-bits 0x08
Supported Releases 10.4.0E(R3) or later

lldp tlv-select dcbxp-appln fcoe
Enables FCoE application TLV for an interface.
Syntax lldp tlv-select dcbxp-appln fcoe
Parameter None
Default Enabled
Command Mode INTERFACE
Usage Information The default priority value advertised in FCoE application TLV is 3. If the PFC configuration in an interface matches 3, then the FCoE application TLV is advertised as 3. Otherwise, FCoE application TLV is not advertised.
Parameters fcf-mac-address — (Optional) Enter the MAC address of the FCF. This option displays details of the specified FCF.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show fcoe fcf
FCF MAC            FCF Interface  VLAN  FC-MAP    FKA_ADV_PERIOD  No. of Enodes  FCF Mode
-----------------  -------------  ----  --------  --------------  -------------  --------
00:0c:84:a8:00:00  Eth 1/1/36     777   0e:fc:00  8000            0              F
00:0d:84:a8:01:02  Eth 1/1/37     778   0e:fc:01  8000            0              FT
Supported Releases 10.4.
Usage Information None
Example
Enode MAC Enode Interface FCF MAC FCF interface VLAN FCoE MAC FC-ID PORT WWPN
aa:bb:cc:00:00:00 Po 20(Eth 1/1/3) aa:bb:cd:00:00:00 Po 10(Eth 1/1/1) 100 0e:fc:00:01:00:01 01:00:01 31:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00
aa:bb:cc:00:00:00 Po 20(Eth 1/1/3) aa:bb:cd:00:00:00 Po 10(Eth 1/1/1) 100 0e:fc:00:01:00:02 01:00:02 31:00:0e:fc:00:00:00:00 21:00:0e:fc:00:00:00:00
Supported Releases 10.4.
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show fcoe system
Mode: FIP Snooping Bridge
CVL Status: Enabled
FCOE VLAN List (Operational) : 1, 100
FCFs                         : 1
Enodes                       : 2
Sessions                     : 17
Supported Releases 10.4.0E(R1) or later

show fcoe vlan
Displays details of FIP-snooping VLANs.
5 Layer 2

802.1X
Verifies device credentials before sending or receiving packets using the Extensible Authentication Protocol (EAP), see 802.1X Commands.

Link Aggregation Control Protocol (LACP)
Exchanges information between two systems and automatically establishes a link aggregation group (LAG) between the systems, see LACP Commands.
The authentication process involves three devices:
● Supplicant — The device attempting to access the network performs the role of supplicant. Regular traffic from this device does not reach the network until the port associated with the device is authorized. Before that, the supplicant can only exchange 802.1x messages (EAPOL frames) with the authenticator.
EAP over RADIUS
802.1X uses RADIUS to transfer EAP packets between the authenticator and the authentication server. EAP messages are encapsulated in RADIUS packets as an attribute in type, length, value (TLV) format; the type value for EAP messages is 79.

Configure 802.1X
You can configure and enable 802.1X on a port in a single process. OS10 supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. All platforms support RADIUS as the authentication server.
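The EAP over RADIUS encapsulation described above, as an added example that is not part of the OS10 guide: a parser that walks the RADIUS attribute TLVs, reassembles an EAP packet split across several type-79 attributes, and rejects the packet unless its Message-Authenticator verifies. It goes beyond the page in one respect: attribute type 80 and the HMAC-MD5 check come from RFC 3579. The shared secret and the sample packet are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # attribute type given on the page
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute, not mentioned on the page
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_attributes(packet: bytes):
    """Split a RADIUS packet into (code, id, length) and [(type, value, offset)]."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with the received data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len], pos + 2))
        pos += a_len
    return (code, ident, length), attrs


def extract_eap(packet: bytes, secret: bytes):
    """Verify and reassemble the EAP packet carried in an Access-Request."""
    (code, _ident, length), attrs = parse_attributes(packet)
    if code != 1:
        raise ValueError("only Access-Request (code 1) is handled here")
    fragments = [value for a_type, value, _ in attrs if a_type == EAP_MESSAGE]
    if not fragments:
        return None
    macs = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        raise ValueError("EAP-Message without exactly one Message-Authenticator")
    received, off = macs[0]
    # HMAC-MD5 over the whole packet with the 16 MAC bytes zeroed,
    # keyed with the RADIUS shared secret.
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        raise ValueError("Message-Authenticator mismatch")
    eap = b"".join(fragments)  # each attribute value holds at most 253 bytes
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    eap_code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP Length does not match the reassembled data")
    return {
        "code": EAP_CODES.get(eap_code, "Unknown"),
        "identifier": eap_id,
        "type": eap[4] if eap_code in (1, 2) and eap_len > 4 else None,
        "length": eap_len,
        "fragments": len(fragments),
    }


def build_access_request(ident: int, eap: bytes, secret: bytes, sign: bool = True) -> bytes:
    """Build a constructed Access-Request that carries `eap` in type-79 attributes."""
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    mac_off = 20 + len(attrs) + 2
    if sign:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    # bytes(range(16)) stands in for a random Request Authenticator.
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(range(16)) + attrs
    if not sign:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:mac_off] + mac + packet[mac_off + 16:]


# Constructed sample: an EAP-Response of type 13 (EAP-TLS) with 300 filler bytes,
# long enough to need two EAP-Message attributes.
SECRET = b"constructed-shared-secret"
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 305, 13) + b"\xaa" * 300

if __name__ == "__main__":
    print(extract_eap(build_access_request(42, SAMPLE_EAP, SECRET), SECRET))
```

The verification shown applies to Access-Request packets only; for replies from the server the Request Authenticator of the matching request has to be substituted before the HMAC is computed.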
Enable 802.1X
1. Enable 802.1X globally in CONFIGURATION mode.
dot1x system-auth-control
2. Enter an interface or a range of interfaces in INTERFACE mode.
interface range
3. Enable 802.1X on the supplicant interface only in INTERFACE mode.
dot1x port-control auto

Configure and verify 802.
Identity retransmissions
If the authenticator sends a Request Identity frame but the supplicant does not respond, the authenticator waits 30 seconds and then retransmits the frame. There are several reasons why the supplicant might fail to respond: the supplicant may be booting when the request arrived, there may be a physical layer problem, and so on.
1.
The Request Identity Retransmit interval is for an unresponsive supplicant. You can configure the interval for a maximum of 10 times for an unresponsive supplicant.
1. Configure the amount of time that the authenticator waits to retransmit a Request Identity frame after a failed authentication in INTERFACE mode, from 1 to 65535, default 60 seconds.
● Place a port in the auto, force-authorized (default), or force-unauthorized state in INTERFACE mode.
dot1x port-control {auto | force-authorized | force-unauthorized}

Configure and verify force-authorized state
OS10(conf-range-eth1/1/7-1/1/8)# dot1x port-control force-authorized
OS10(conf-range-eth1/1/7-1/1/8)# do show dot1x interface ethernet 1/1/7
802.
Tx Period:           120 seconds
Quiet Period:        120 seconds
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         5
Host Mode:           MULTI_HOST
Auth PAE State:      Initialize
Backend State:       Initialize

View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
View interface running configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration interface ...
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x max-req 4
Supported Releases 10.2.0E or later

dot1x port-control
Controls the 802.1X authentication performed on the interface.
Syntax dot1x port-control {force-authorized | force-unauthorized | auto}
Parameters
● force-authorized — Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication.
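Because force-authorized is the default port state and passes traffic without authentication, a saved configuration can be checked for ports that were never moved to auto. The following audit is an added example, not part of the OS10 guide; it assumes the running configuration lists one interface stanza per `!` separator with the `dot1x` lines shown in this chapter, and the sample configuration and the `exempt` parameter for uplink ports are constructed for the illustration.

```python
import re

PORT_CONTROL = re.compile(
    r"dot1x port-control (auto|force-authorized|force-unauthorized)")


def audit_dot1x(config: str, exempt=()):
    """Return [(scope, finding)] for ports that pass traffic unauthenticated."""
    global_on, ports, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                        # stanza separator
            current = None
        elif line.startswith("interface "):
            name = line.split(None, 1)[1].replace(" ", "")
            current = name if name.startswith("ethernet") else None
            if current:
                # force-authorized is the documented default state
                ports[current] = {"control": "force-authorized",
                                  "explicit": False, "shutdown": False}
        elif current is None:
            global_on = global_on or line == "dot1x system-auth-control"
        elif line == "shutdown":
            ports[current]["shutdown"] = True
        elif line == "no shutdown":
            ports[current]["shutdown"] = False
        else:
            match = PORT_CONTROL.fullmatch(line)
            if match:
                ports[current].update(control=match.group(1), explicit=True)

    findings = []
    if not global_on:
        findings.append(("global", "dot1x system-auth-control is not configured"))
    for name, port in ports.items():
        if name in exempt or port["shutdown"]:
            continue                           # uplinks and admin-down ports
        if port["control"] == "force-authorized":
            how = "configured" if port["explicit"] else "default"
            findings.append((name, f"force-authorized ({how}): no authentication"))
        elif port["control"] == "auto" and not global_on:
            findings.append((name, "port-control auto set, 802.1X not enabled globally"))
    return findings


# Constructed sample configuration for the demonstration.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface ethernet1/1/7
 no shutdown
 dot1x port-control auto
!
interface ethernet1/1/8
 no shutdown
!
interface ethernet1/1/9
 no shutdown
 dot1x port-control force-authorized
!
interface ethernet1/1/10
 shutdown
!
interface ethernet1/1/31
 no shutdown
 channel-group 1 mode active
!
"""

if __name__ == "__main__":
    for scope, finding in audit_dot1x(SAMPLE_CONFIG, exempt={"ethernet1/1/31"}):
        print(f"{scope}: {finding}")
```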
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x timeout quiet-period 120
Supported Releases 10.2.0E or later

dot1x timeout re-authperiod
Sets the number of seconds between re-authentication attempts.
Syntax dot1x timeout re-authperiod seconds
Parameters re-authperiod seconds — Enter the number of seconds for the 802.1X re-authentication timeout, from 1 to 65535.
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-range-eth1/1/7-1/1/8)# dot1x timeout supp-timeout 45
Supported Releases 10.2.0E or later

dot1x timeout tx-period
Sets the number of seconds that the device waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request.
Syntax dot1x timeout tx-period seconds
Parameters tx-period seconds — Enter the number of seconds for the 802.
Usage Information Example Example (when dot1x is not enabled globally) Supported Releases
Use this command to view the dot1x interface configuration for a specific interface.
OS10# show dot1x interface
802.1x information on ethernet1/1/1
------------------------------------
Dot1x Status: Enable
802.1x information on ethernet1/1/2
------------------------------------
Dot1x Status: Enable
802.1x information on ethernet1/1/3
------------------------------------
Dot1x Status: Enable
802.
FEFD helps detect far-end failure when the following problems occur:
● Only one side receives packets although the physical layer (L1) of the link is up on both sides.
● Transceivers are not connected to the correct ports.

FEFD states
FEFD comprises the following four states:
● Idle—FEFD is disabled.
● Unknown—Shown when FEFD is enabled and changes to bi-directional after successful handshake with the peer. Also shown if the peer goes down in normal mode.
Table 7. FEFD state changes
Local event (User intervention) | Configured FEFD mode | Local state (Show display) | Local admin State (Result) | Local line protocol Status (Result) | Remote state (Show display) | Remote admin state (Result) | Remote line protocol status (Result)
Shutdown (user configuration) | Normal | Admin Shutdown | Down | Down | Line protocol is down. | Up | Down
Shutdown (user configuration) | Aggressive | Admin Shutdown | Down | Down | Line protocol is down.
● Configure FEFD Aggressive mode globally using the fefd-global mode aggressive command in CONFIGURATION mode.
OS10(Config)# fefd-global mode aggressive
2. (Optional) Configure the FEFD interval using the fefd-global interval command in CONFIGURATION mode and enter the interval in seconds. The range is from 3 to 255 seconds.
OS10(Config)# fefd-global interval 20
3. (Optional) Disable FEFD on a specific interface if required using the fefd disable command in INTERFACE mode.
eth1/1/4    NA    NA    Idle (Not running)
eth1/1/5    NA    NA    Idle (Not running)
eth1/1/6    NA    NA    Idle (Not running)
eth1/1/7    NA    NA    Idle (Not running)

The following is a sample output of FEFD information for an interface:
rt-maa-s4248FBL-3# show fefd ethernet 1/1/1
FEFD is globally 'ON', interval is 15 seconds, mode is Normal.
INTERFACE   MODE   INTERVAL   STATE
============================================================
eth1/1/1    NA     NA         Idle (Not running)

FEFD Commands

debug fefd
Enables debugging of FEFD.
To unconfigure FEFD on an interface, use either the no fefd command or the no fefd mode command. To return to the default FEFD interval, use the no fefd interval command.
Example
OS10(conf-if-eth1/1/9)# fefd
OS10(conf-if-eth1/1/9)# fefd mode aggressive
OS10(conf-if-eth1/1/9)# fefd mode interval 10
Supported Releases 10.4.3.0 or later

fefd-global
Configures FEFD globally.
Usage Information If you do not enter the interface name, this command resets the error-disabled state of all interfaces because FEFD is set to Aggressive mode.
Example
OS10# fefd reset
OS10# fefd reset ethernet 1/1/2
Supported Releases 10.4.3.0 or later

show fefd
Displays FEFD information globally or for a specific interface.
Syntax show fefd [interface]
Parameters
● (Optional) interface—Enter the interface information.
Link Aggregation Control Protocol
Group Ethernet interfaces to form a single link layer interface called a LAG or port-channel. Aggregating multiple links between physical interfaces creates a single logical LAG, which balances traffic across the member links within an aggregated Ethernet bundle and increases the uplink bandwidth. If one member link fails, the LAG continues to carry traffic over the remaining links. For information about LAG load balancing and hashing, see Load balancing.
Configure LACP
OS10(config)# lacp system-priority 65535
OS10(config)# interface range ethernet 1/1/7-1/1/8
OS10(conf-range-eth1/1/7-1/1/8)# lacp port-priority 4096
OS10(conf-range-eth1/1/7-1/1/8)# lacp rate fast

Verify LACP configuration
OS10(conf-range-eth1/1/7-1/1/8)# do show running-configuration
...
!
interface ethernet1/1/7
 lacp port-priority 4096
 lacp rate fast
 no shutdown
!
interface ethernet1/1/8
 lacp port-priority 4096
 lacp rate fast
 no shutdown
!
...
Configure LACP timeout
OS10(conf-if-eth1/1/29)# lacp rate fast

View port status
OS10# show lacp port-channel
Port-channel 20 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address f8:b1:56:00:02:33
Partner System ID: Priority 4096, Address 10:11:22:22:33:33
Actor Admin Key 20, Oper Key 20, Partner Oper Key 10
LACP LAG ID 20 is an aggregatable link
A - Active LACP, B - Passive LACP, C - Short Timeout, D - Long Timeout
E - Aggregatable Link, F - Individual Link, G - IN_SYNC, H - OUT_OF_SYNC, I
OS10(conf-if-eth1/1/30)# no switchport
OS10(conf-if-eth1/1/30)# channel-group 1 mode active
OS10(conf-if-eth1/1/30)# interface ethernet 1/1/31
OS10(conf-if-eth1/1/31)# no switchport
OS10(conf-if-eth1/1/31)# channel-group 1 mode active

Alpha verify LAG port configuration
OS10# show lacp port-channel
Port-channel 1 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 34:17:eb:f2:c7:c4
Partner System ID: Priority 32768, Address 34:17:eb:f2:9b:c4
Actor Admin Key 1, Oper Key 1, Partner Oper Ke
Output 0 Mbits/sec, 1 packets/sec, 0% of line rate
Time since last interface status change : 01:25:29

Verify LAG 1
OS10# show interface port-channel 1
Port-channel 1 is up,line protocol is up
Hardware address is
Current address is
Interface index is 85886081
Minimum number of links to bring Port-channel up is 1
Internet address is not set
Mode of IPv4 Address Assignment : not set
Lag MTU is 1500 ,IP MTU bytes
Linespeed AUTO
Members in this channel ethernet1/1/29 ethernet1/1/30 ethernet1/1/31
ARP type: ARPA
Verify LAG membership
OS10# show lacp interface ethernet 1/1/29
Interface ethernet1/1/29 is up
Channel group is 1 port channel is po1
PDUS sent: 17
PDUS rcvd: 11
Marker sent: 0
Marker rcvd: 0
Marker response sent: 0
Marker response rcvd: 0
Unknown packetse rcvd: 0
Illegal packetse rcvd: 0
Local Port: MAC Address=74:e6:e2:f5:b5:80
System Identifier=32768,32768
Port Identifier=32768,32768
Operational key=1
LACP_Activity=passive
LACP_Timeout=Long Timeout(30s)
Synchronization=IN_SYNC
Collecting=true
Distributin
● If all the ports in a port-channel have the same port priority, the switch internally compares the interface names by base name, module number, port number, and then selects the lowest one to be active. For example, Ethernet 1 is less than Ethernet 2 and hence Ethernet 1 becomes active.
● In a VLT network, if the interface name is the same on both the VLT peers, then the port in the switch with the lower system MAC address becomes active.
In the above scenario, LACP fallback works as follows:
1. The ToR/server boots up.
2. The switch detects the link that is up and checks fallback enabled status. If fallback is enabled, the device waits for the time-out period for any LACP BPDUs. If there are no LACP BPDUs received within the time period, then the LAG enters into fallback mode and adds the first operationally UP port to the port-channel instead of placing it in an inactive state.
3. Now the ToR/server has one port up and active.
In the above scenario, LACP fallback works as follows:
1. The ToR/server boots up.
2. One of the VLT peers takes care of controlling the LACP fallback mode. All events are sent to the controlling VLT peer for deciding the port that should be brought up and then the decision is passed on to peer devices.
3. The controlling VLT peer can decide to bring up one of the ports in either the local port-channel or in the peer VLT port-channel.
4.
Usage Information Example Supported Releases
When you delete the last physical interface from a port-channel, the port-channel remains. Configure these attributes on an individual member port. If you configure a member port with an incompatible attribute, OS10 suspends that port in the port-channel. The member ports in a port-channel must have the same setting for link speed capability and duplex capability. The no version of this command removes the interface from the port-channel.
lacp fallback preemption
Enables or disables LACP fallback port preemption.
Syntax lacp fallback preemption {enable | disable}
Parameters
● enable—Enables preemption on the port-channel.
● disable—Disables preemption on the port-channel.
Default Enabled
Command Mode Port-channel INTERFACE
Usage Information When you enable preemption, the fallback port election preempts the already elected fallback port and elects a new fallback port.
Parameters max-bundle-number — Enter the maximum bundle size (1 to 32).
Default 32
Command Mode INTERFACE
Usage Information The no version of this command resets the maximum bundle size to the default value.
Example
OS10(conf-if-po-10)# lacp max-bundle 10
Supported Releases 10.2.0E or later

lacp port-priority
Sets the priority for the physical interfaces for LACP.
Syntax lacp port-priority priority
Parameters priority — Enter the priority for the physical interfaces (0 to 65535).
Default 32768
Command Mode CONFIGURATION
Usage Information Each device that runs LACP has an LACP system priority value. LACP uses the system priority with the MAC address to form the system ID and also during negotiation with other systems. The system ID is unique for each device. The no version of this command resets the system priority to the default value.
Example
OS10(config)# lacp system-priority 32768
Supported Releases 10.2.
example, Port Identifier=0x8000,0x101, where the port priority value is 0x8000 and the port number value is 0x101.
Example
OS10# show lacp interface ethernet 1/1/129
Invalid Port id, Max.
Partner System ID: 00:01:e8:8a:fd:9e
Partner Port: 178
Partner Port Priority: 32768
Partner Oper Key: 1
Partner Oper State:aggregation synchronization collecting distributing defaulted expired
Supported Releases 10.2.0E or later

show lacp port-channel
Displays information about LACP port-channels.
Syntax show lacp port-channel [interface port-channel channel-number]
Parameters
● interface port-channel — (Optional) Enter the interface port-channel.
Example
OS10# show lacp system-identifier
Actor System ID: Priority 32768, Address 90:b1:1c:f4:9b:8a
Supported Releases 10.2.0E or later

Link Layer Discovery Protocol
Link layer discovery protocol (LLDP) enables a local area network (LAN) device to advertise its system and receive system information from adjacent LAN devices.
● LLDP is enabled by default on OS10 interfaces.
● An LLDP-enabled interface supports up to eight neighbors. An OS10 switch supports a maximum of 250 neighbors per system.
3 — Time-to-live
Number of seconds that the recipient LLDP agent considers the information associated with this MAP identifier to be valid.
— Optional
Includes sub-types of TLVs that advertise specific configuration information. These sub-types are management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 organization-specific TLVs.

Optional TLVs
OS10 supports basic TLVs, IEEE 802.1, and 802.3 organizationally-specific TLVs, and TIA-1057 organizationally-specific TLVs.
Table 9. 802.1x organizationally-specific TLVs (Type – 127, OUI – 00-80-C2)
TLV | Subtype | Description
Link aggregation | 7 | Indicates whether the link associated with the port on which the LLDPDU is transmitted is aggregated. Also indicates whether the link is currently aggregated and provides the aggregated port identifier if the link is aggregated.
Port VLAN ID | 1 | Untagged VLAN to which a port belongs.
Protocol identity | 4 | Not supported.

Table 10. 802.
Table 11. iDRAC organizationally-specific TLVs; Subtypes used in iDRAC custom TLVs (Type – 127, OUI – 0xF8-0xB1-0x56) (continued)
TLV | Subtype | Description
IOM slot label | 11 | Slot label of the IOM device. For example, A1, B1, A2, B2, and so on (applicable only to blade servers).
IOM port number | 12 | Port number of the NIC. For example, 1, 2, 3, and so on.

Table 12.
Table 14. Solution ID TLVs (Type – 127, OUI – 0xF8-0xB1-0x56) (continued)
TLV | Subtype | Description
Product part number | 24 | Indicates the product part number.

Media endpoint discovery
LLDP-MED provides additional organizationally-specific TLVs to allow endpoint devices and network-connectivity devices to advertise their characteristics and configuration information.
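The organizationally-specific TLV layout used in the tables above (type 127, a 3-byte OUI, then a subtype), shown as an added example that is not part of the OS10 guide: a strict LLDPDU parser that decodes the 7-bit type and 9-bit length header and names only the OUI and subtype pairs listed on this page. The sample frame is constructed, and the End of LLDPDU type 0 and the 2-byte TTL and Port VLAN ID encodings are taken from IEEE 802.1AB rather than from the page.

```python
import struct

END, TTL, ORG_SPECIFIC = 0, 3, 127
OUI_8021 = bytes.fromhex("0080c2")   # Table 9
OUI_DELL = bytes.fromhex("f8b156")   # Tables 11 and 14
SUBTYPES = {                         # only the pairs listed on this page
    (OUI_8021, 1): "Port VLAN ID",
    (OUI_8021, 4): "Protocol identity",
    (OUI_8021, 7): "Link aggregation",
    (OUI_DELL, 11): "IOM slot label",
    (OUI_DELL, 12): "IOM port number",
    (OUI_DELL, 24): "Product part number",
}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes):
    """Return the decoded TLVs up to End of LLDPDU; raise on malformed input."""
    entries, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", data, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"TLV type {tlv_type} claims {length} bytes, {len(value)} present")
        pos += 2 + length
        if tlv_type == END:
            return entries
        entry = {"type": tlv_type}
        if tlv_type == TTL:
            if length < 2:
                raise ValueError("Time-to-live TLV shorter than 2 bytes")
            entry["ttl_seconds"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally-specific TLV lacks OUI or subtype")
            oui, subtype, info = value[:3], value[3], value[4:]
            entry.update(oui=oui.hex("-").upper(), subtype=subtype,
                         name=SUBTYPES.get((oui, subtype), "unlisted"), info=info)
            if (oui, subtype) == (OUI_8021, 1):
                if len(info) != 2:
                    raise ValueError("Port VLAN ID must be 2 bytes")
                entry["vlan"] = struct.unpack("!H", info)[0]
        else:
            entry["value"] = value
        entries.append(entry)
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


# Constructed sample LLDPDU: chassis ID, port ID, TTL 120, PVID 50, slot label A1.
SAMPLE_LLDPDU = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),
    tlv(2, b"\x05" + b"ethernet1/1/3"),
    tlv(TTL, struct.pack("!H", 120)),
    tlv(ORG_SPECIFIC, OUI_8021 + b"\x01" + struct.pack("!H", 50)),
    tlv(ORG_SPECIFIC, OUI_DELL + bytes([11]) + b"A1"),
    tlv(END, b""),
])

if __name__ == "__main__":
    for item in parse_lldpdu(SAMPLE_LLDPDU):
        print(item)
```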
LLDP-MED capabilities
Bit 0 | LLDP-MED capabilities
Bit 1 | Network policy
Bit 2 | Location ID
Bit 3 | Extended power via MDI-PSE
Bit 4 | Extended power via MDI-PD
Bit 5 | Inventory
Bits 6-15 | Reserved

LLDP-MED device types
0 | Type not defined
1 | Endpoint class 1
2 | Endpoint class 2
3 | Endpoint class 3
4 | Network connectivity
5-255 | Reserved

Network policies TLVs
A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated L2 and L3 configurations.
7 — Streaming video
Used for broadcast- or multicast-based video content distribution and similar applications supporting streaming video services that require specific network policy treatment.
8 — Video signaling
Used only if video control packets use a separate network policy than the video data.
9-255 — Reserved
—

Define network policies
You can manually define LLDP-MED network policies. LLDP commands that you configure in CONFIGURATION mode are global and affect all interfaces.
Configure LLDPDU intervals
OS10(config)# lldp holdtime-multiplier 2
OS10(config)# do show lldp timers
LLDP Timers:
Holdtime in seconds: 60
Reinit-time in seconds: 2
Transmit interval in seconds: 30

Disable and re-enable LLDP
By default, LLDP is enabled for each interface and globally. You can disable LLDP on an interface or globally. If you disable LLDP globally, LLDP is disabled on all interfaces irrespective of whether LLDP is previously enabled or disabled on an interface.
Disable and re-enable LLDP on management ports
By default, LLDP is enabled on management ports. You can disable or enable the following LLDP configurations on management ports.
1. Disable the LLDPDU transmit or receive.
no lldp transmit
no lldp receive
2. Disable LLDP TLVs.
Configure advertise TLVs
OS10(conf-if-eth1/1/3)# lldp tlv-select basic-tlv system-name
OS10(conf-if-eth1/1/1)# lldp tlv-select dot3tlv macphy-config max-framesize
OS10(conf-if-eth1/1/3)# lldp tlv-select dot1tlv link-aggregation

Network policy advertisement
LLDP-MED is enabled on all interfaces by default. Configure OS10 to advertise LLDP-MED TLVs from configured interfaces. Define LLDP-MED network policies before applying the policies to an interface. Attach only one network policy per interface.
Configure fast start repeat count
OS10(config)# lldp med fast-start-repeat-count 5

View LLDP configuration
● View the LLDP configuration in EXEC mode.
show running-configuration
● View LLDP error messages in EXEC mode.
show lldp errors
● View LLDP timers in EXEC mode.
show lldp timers
● View the LLDP traffic in EXEC mode.
Total Med Frames In : 0
Total Med Frames Discarded : 0
Total Med TLVS Discarded : 0
Total Med Capability TLVS Discarded: 0
Total Med Policy TLVS Discarded : 0
Total Med Inventory TLVS Discarded : 0

Adjacent agent advertisements
● View brief information about adjacent devices in EXEC mode.
show lldp neighbors
● View all information that neighbors are advertising in EXEC mode.
show lldp neighbors detail
● View all interface-specific information that neighbors are advertising in EXEC mode.
Location Identification, Extended Power via MDI - PD, Inventory Management
Device Class: Endpoint Class 3
Network Policy:
Application: voice, Tag: Tagged, Vlan: 50, L2 Priority: 6, DSCP Value: 46
Inventory Management:
H/W Revision : 12.1.1
F/W Revision : 10.1.9750B
S/W Revision : 10.1.9750B
Serial Number : B11G152
Manufacturer : Dell
Model : S6010-ON
Asset ID : E1001
Power-via-MDI:
Power Type: PD Device
Power Source: Local and PSE
Power Priority: Low
Power required: 6.
Parameters None
Default Not configured
Command Mode EXEC
Usage Information The counter default value resets to zero for all physical interfaces.
Example
OS10# clear lldp counters
Supported Releases 10.2.0E or later

clear lldp table
Clears LLDP neighbor information for all interfaces.
Syntax clear lldp table
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Neighbor information clears on all interfaces.
Example
OS10# clear lldp table
Supported Releases 10.2.
Command Mode CONFIGURATION
Usage Information Hold time is the amount of time in seconds that a receiving system waits to hold the information before discarding it. Formula: Hold Time = (Updated Frequency Interval) X (Hold Time Multiplier). The no version of this command resets the value to the default.
Example
OS10(config)# lldp holdtime-multiplier 2
Supported Releases 10.2.
Parameters
● number — Enter a network policy index number, from 1 to 32.
● app — Enter the type of applications available for the network policy:
  ○ voice — Voice network-policy application.
  ○ voice-signaling — Voice-signaling network-policy application.
  ○ guest-voice — Guest voice network-policy application.
  ○ guestvoice-signaling — Guest voice signaling network policy application.
  ○ softphone-voice — SoftPhone voice network-policy application.
Default Enabled
Command Mode INTERFACE
Usage Information None
Example
OS10(conf-if-eth1/1/3)# lldp med tlv-select network-policy
Supported Releases 10.2.0E or later

lldp port-description-tlv advertise
Specifies whether to advertise the interface description or the port id in the port description TLV.
Syntax lldp port-description-tlv advertise [description | port-id]
Parameters
● description—Advertise interface description.
● port-id—Advertise port id.
Default 2 seconds
Command Mode CONFIGURATION
Usage Information The no version of this command resets the value to the default.
Example
OS10(config)# lldp reinit 5
Supported Releases 10.2.0E or later

lldp timer
Configures the rate in seconds at which LLDP packets are sent to the peers.
Syntax lldp timer seconds
Parameters seconds — Enter the LLDP timer rate in seconds, from 5 to 254.
lldp tlv-select dot1tlv
Enables or disables the dot1 TLVs to transmit in LLDP packets.
Syntax lldp tlv-select dot1tlv { port-vlan-id | link-aggregation}
Parameters
● port-vlan-id — Enter the port VLAN ID.
● link-aggregation — Enable the link aggregation TLV.
Default Enabled
Command Mode INTERFACE
Usage Information The lldp tlv-select dot1tlv link-aggregation command advertises link aggregation as a dot1 TLV in the LLDPDUs. The no version of this command disables TLV transmissions.
show lldp interface
Displays the LLDP information advertised from a specific interface.
Syntax show lldp interface ethernet node/slot/port[:subport] [med | local-device]
Parameters
● ethernet node/slot/port[:subport] — Enter the Ethernet interface information.
● med — Enter the interface to view the MED information.
● local-device — Enter the interface to view the local-device information.
Total Input Queue Overflows: 0
Total Table Overflows: 0
Supported Release 10.2.0E or later

show lldp med
Displays the LLDP MED information for all the interfaces.
Syntax show lldp med
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Use the show lldp interface command to view MED information for a specific interface.
Parameters
● detail — View LLDP neighbor detailed information.
● interface ethernet node/slot/port[:subport] — Enter the Ethernet interface information.
Command Mode EXEC
Usage Information This command status information includes local port ID, remote host name, remote port ID, and remote node ID.
Usage Information None
Example
OS10# show lldp timers
LLDP Timers:
Holdtime in seconds: 120
Reinit-time in seconds: 6
Transmit interval in seconds: 30
Supported Releases 10.2.0E or later

show lldp tlv-select interface
Displays the TLVs enabled for an interface.
Syntax show lldp tlv-select interface ethernet node/slot/port[:subport]
Parameters ethernet node/slot/port[:subport] — Enter the Ethernet interface information, from 1 to 253.
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0

Example (Interface)
OS10# show lldp traffic interface ethernet 1/1/2
LLDP Traffic Statistics:
Total Frames Out : 45
Total Entries Aged : 1
Total Frames In : 33
Total Frames Received In Error : 0
Total Frames Discarded : 0
Total TLVS Unrecognized : 0
Total TLVs Discarded : 0
LLDP MED Traffic Statistics:
Total Med Frames Out :
Total Med Frames In :
Total Med Frames Discarded :
Total Med TLVS Discarded :
Total Med Capability TLVS Discarded:
Total Med Polic
Learned MAC address entries are subject to aging. Set the aging timer to zero (0) to disable MAC aging. For any dynamic entry, if no packet arrives on the device with the MAC address as the source or destination address within the timer period, the address is removed from the table.
● Enter an aging time (in seconds) in CONFIGURATION mode, from 0 to 1000000, default 1800.
Dynamic Address Count : 4
Static Address (User-defined) Count : 1
Total MAC Addresses in Use: 5

Clear MAC Address Table
You can clear dynamic address entries that the MAC address table maintains.
● Clear the MAC address table of dynamic entries in EXEC mode.
clear mac address-table dynamic [[all] [address mac_addr] [vlan vlan-id] [interface {ethernet type node/slot/port[:subport] | port-channel number}]
  ○ all — (Optional) Clear all dynamic entries.
mac address-table aging-time Configures the aging time for entries in the L2 address table. Syntax mac address-table aging-time seconds Parameters seconds — Enter the aging time for MAC table entries in seconds, from 0 to 1000000. Default 1800 seconds Command Mode CONFIGURATION Usage Information Set the aging timer to zero (0) to disable MAC address aging for all dynamic entries. The aging time counts from the last time that the device detected the MAC address.
● interface — Set the interface type: ○ ethernet node/slot/port[:subport] — Displays MAC address table information for a physical interface. ○ port-channel channel-number — Displays MAC address table information for a port-channel interface, from 1 to 128. ● static — (Optional) Displays static MAC address table entries only. ● vlan vlan-id — (Optional) Displays VLAN information only, from 1 to 4093.
Configuring MST is a four-step process:
1. Enable MST, if the current running spanning tree protocol (STP) version is not MST.
2. (Optional) Map the VLANs to different instances to achieve load balancing.
3. Ensure the same region name is configured in all the bridges running MST.
4. (Optional) Configure the revision number.
Configure MSTP When you enable MST globally, all L2 physical, port-channel, and VLAN interfaces are automatically assigned to MSTI zero (0).
1. Enter an instance number in CONFIGURATION mode. spanning-tree mst configuration 2. Enter the MST instance number in MULTIPLE-SPANNING-TREE mode, from 0 to 63. instance instance-number 3. Enter the VLAN and IDs to participate in the MST instance in MULTIPLE-SPANNING-TREE mode, from 1 to 4096.
ethernet1/1/25 128.356 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.356
ethernet1/1/26 128.360 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.360
ethernet1/1/27 128.364 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.364
ethernet1/1/28 128.368 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.368
ethernet1/1/29 128.372 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.372
ethernet1/1/30 128.376 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.376
ethernet1/1/31 128.380 128 200000000 BLK 0 32768 90b1.1cf4.a523 128.
● Name — A mnemonic string you assign to the region. The default is the system MAC address. ● Revision — A 2-byte number. The default is 0. ● VLAN-to-instance mapping — Placement of a VLAN in an MSTI. Region name or revision You can change the MSTP region name or revision. ● Change the region name in MULTIPLE-SPANNING-TREE mode. A maximum of 32 characters. name name ● Change the region revision number in MULTIPLE-SPANNING-TREE mode, from 0 to 65535, default 0.
OS10(config)# spanning-tree mst max-age 10
OS10(config)# spanning-tree mst max-hops 30
View MSTP parameter values
OS10# show spanning-tree active
Spanning tree enabled protocol msti with force-version mst
MSTI 0 VLANs mapped 1,31-4093
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15, max hops 20
Bridge ID Priority 32768, Address 90b1.1cf4.
EdgePort Forward traffic EdgePort allows the interface to forward traffic approximately 30 seconds sooner as it skips the Blocking and Learning states. The spanning-tree bpduguard enable command causes the interface hardware to shut down when it receives a BPDU. CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
out of the Loop-Inconsistent or blocking state and transitions to an appropriate state determined by STP. Enabling loop guard on a per-port basis enables it on all VLANs configured on the port. If you disable loop guard on a port, it moves to the Listening state. If you enable BPDU filter and BPDU guard on the same port, the BPDU filter configuration takes precedence. Root guard and Loop guard are mutually exclusive. Configuring one overwrites the other from the active configuration. 1.
Link type is point-to-point (auto) Boundary: NO bpdu filter : Enable bpdu guard : bpduguard shutdown-onviolation :enable RootGuard: enable LoopGuard disable Bpdus (MRecords) sent 134, received 138 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID -----------------------------------------------------------------ethernet1/1/4 128.272 128 500 BLK 500 32769 90b1.1cf4.a911 128.
Example configuration
OS10(config)# errdisable detect cause bpduguard
OS10(config)# errdisable recovery interval 45
OS10(config)# errdisable recovery cause bpduguard
View detect and recovery details
OS10# show errdisable detect
Error-Disable Cause Detect Status
-----------------------------------------------
bpduguard Enabled
OS10# show errdisable recovery
Error-Disable Recovery Timer Interval: 300 seconds
Error-Disable Reason Recovery Status
---------------------------------------------------
bpduguard Enabled
The show spanning-tree {brief | details | active} command displays the following information: Flush Interval 200 centi-sec, Flush Invocations 32 Flush Indication threshold 2 To clear MAC addresses: ● RSTP invokes a port-based MAC flush to clear the MAC address table entry for that port. ● MSTP invokes (VLAN-list associated to the instance, port) based flush to clear the MAC address table entry for that instance, port.
When the detect cause option is enabled, the port is shut down whenever there is a BPDU guard violation. When the option is disabled, the port is not shut down but moved to BLOCKING state whenever there is a BPDU guard violation. In this case, the port is operationally DOWN in spanning-tree mode and when the recovery timer expires, the port is UP irrespective of the recovery cause configuration. The no version of the command disables the detect cause option.
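The guard interactions described in this section (BPDU filter taking precedence over BPDU guard, and a disabled detect cause leaving a violating port blocked rather than shut down) can be checked offline against a saved configuration. The following Python script is an added example, not part of the Dell EMC guide or of OS10. It assumes one-space indentation under each interface stanza, treats "every access port should have BPDU guard" as a local policy choice, and uses a constructed sample configuration.

```python
import re

# Constructed sample (not from a real device), laid out like the guide's
# running-configuration excerpts: "interface ..." stanzas separated by "!".
SAMPLE_CONFIG = """\
errdisable recovery cause bpduguard
errdisable recovery interval 45
no errdisable detect cause bpduguard
!
interface ethernet1/1/4
 no shutdown
 switchport mode access
 switchport access vlan 604
 spanning-tree bpduguard enable
!
interface ethernet1/1/5
 no shutdown
 switchport access vlan 604
!
interface ethernet1/1/6
 no shutdown
 switchport access vlan 604
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface ethernet1/1/7
 no shutdown
 no switchport
 ip address 20.0.0.1/24
!
"""


def parse_config(text):
    """Return (global_lines, {interface_name: [stanza lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None              # "!" closes the open stanza
            continue
        header = re.match(r"interface\s+(\S.*)$", raw)
        if header:
            # "ethernet 1/1/4" and "ethernet1/1/4" both appear in the guide.
            name = header.group(1).replace(" ", "")
            current = interfaces.setdefault(name, [])
        elif current is not None and raw[0].isspace():
            current.append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_stp_guards(text):
    """Return a list of (scope, finding) tuples in configuration order."""
    global_lines, interfaces = parse_config(text)
    findings, guarded = [], []
    for name, lines in interfaces.items():
        # Assumption: an access port carries a switchport access statement
        # and is neither routed ("no switchport") nor a trunk.
        access = (
            "no switchport" not in lines
            and "switchport mode trunk" not in lines
            and any(l.startswith(("switchport mode access",
                                  "switchport access vlan")) for l in lines)
        )
        guard = "spanning-tree bpduguard enable" in lines
        bpdu_filter = "spanning-tree bpdufilter enable" in lines
        if guard:
            guarded.append(name)
        if access and not guard:
            findings.append((name, "bpduguard-missing"))
        if guard and bpdu_filter:
            # With both configured, the BPDU filter takes precedence.
            findings.append((name, "bpdufilter-overrides-bpduguard"))
    if guarded and "no errdisable detect cause bpduguard" in global_lines:
        # A violating port is moved to BLOCKING instead of being shut down
        # and is UP again when the recovery timer expires.
        findings.append(("global", "detect-cause-disabled"))
    if "errdisable recovery cause bpduguard" in global_lines:
        interval = next((l.split()[-1] for l in global_lines
                         if l.startswith("errdisable recovery interval ")), None)
        findings.append(("global", f"auto-recovery interval={interval}"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_stp_guards(SAMPLE_CONFIG):
        print(f"{scope:16} {finding}")
```

The finding names are labels chosen for this example; map them to whatever severity scheme your configuration review uses.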
instance Configures MST instances and one or multiple VLANs mapped to the MST instance. Syntax instance instance-number {vlan vlan-range} Parameters ● instance — Enter an MST instance value, from 0 to 63. ● vlan range — Enter a VLAN range value, from 1 to 4093. Default Not configured Command Mode MULTIPLE-SPANNING-TREE Usage Information By default, all VLANs map to MST instance zero (0) unless you are using the vlan range command to map the VLANs to a non-zero instance.
spanning-tree bpdufilter Enables or disables BPDU filtering on an interface. Syntax spanning-tree bpdufilter {enable | disable} Parameters ● enable — Enables the BPDU filter on an interface. ● disable — Disables the BPDU filter on an interface. Default Disabled Command Mode INTERFACE Usage Information Use the enable parameter to enable BPDU filtering. Example OS10(conf-if-eth1/1/4)# spanning-tree bpdufilter enable Supported Releases 10.2.
spanning-tree guard Enables or disables loop guard or root guard on an interface. Syntax spanning-tree guard {loop | root | none} Parameters ● loop — Enables loop guard on an interface. ● root — Enables root guard on an interface. ● none — Sets the guard mode to none. Default Not configured Usage Information Root guard and loop guard configurations are mutually exclusive. Configuring one overwrites the other from the active configuration.
If the timer is set to a non-zero value, instance-based flushing occurs based on the MAC flush threshold value. The no version of this command resets the flush-interval timer to the default value. Example OS10(config)# spanning-tree mac-flush-timer 500 OS10(config)# no spanning-tree mac-flush-timer Supported Releases 10.4.3.0 or later spanning-tree mode Enables an STP type: RSTP, Rapid-PVST+, or MST. Syntax spanning-tree mode {rstp | mst | rapid-pvst} Parameters ● rstp — Sets STP mode to RSTP.
spanning-tree msti Configures the MSTI, cost, and priority values for an interface. Syntax spanning-tree msti instance {cost cost | priority value} Parameters ● msti instance — Enter the MST instance number, from 0 to 63. ● cost cost — (Optional) Enter a port cost value, from 1 to 200000000.
Command Mode CONFIGURATION Usage Information The no version of this command enables spanning tree on the specified MST instance. Example OS10(config)# spanning-tree mst 10 disable Supported Releases 10.4.0E(R1) or later
spanning-tree mst force-version Configures a forced version of STP to transmit BPDUs. Syntax spanning-tree mst force-version {stp | rstp} Parameters ● stp — Forces the version for the BPDUs transmitted by MST to STP.
Usage Information Dell EMC recommends increasing the hello-time for large configurations, especially configurations with multiple ports. The no version of this command resets the value to the default. Example OS10(config)# spanning-tree mst hello-time 5 Supported Releases 10.2.0E or later
spanning-tree mst mac-flush-threshold Configures the mac-flush threshold value for a specific instance.
Default 20 Command Mode CONFIGURATION Usage Information A device receiving BPDUs waits until the max-hops value expires before discarding it. When a device receives the BPDUs, it decrements the received value of the remaining hops and uses the resulting value as remaining-hops in the BPDUs. If the remaining hops reach zero, the device discards the BPDU and ages out any information that it holds for the port. The command configuration applies to all common IST (CIST) in the MST region.
Interface Errdisable Cause Recovery Time left (seconds)
---------------------------------------------------------------------
ethernet 1/1/1:1 bpduguard 273
ethernet 1/1/2 bpduguard 4
port-channel 12 bpduguard 45
Supported Releases 10.4.2.0 or later
show spanning-tree mst Displays MST configuration information. Syntax show spanning-tree mst configuration Parameters None Default Not configured Command Mode EXEC Usage Information Enable MSTI before using this command.
MSTI 0 VLANs mapped 1-99,101-199,301-4093 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 90b1.1cf4.9b8a Root Bridge hello time 2, max age 20, forward delay 15, max hops 20 Bridge ID Priority 32768, Address 90b1.1cf4.9b8a We are the root of MSTI 0 Configured hello time 2, max age 20, forward delay 15, max hops 20 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------------------------------------------------------------ethernet1/1/1 132.
Rapid per-VLAN spanning-tree plus
RPVST+ is an RSTP variation that creates a single topology per VLAN. RPVST+ is enabled by default, provides faster convergence, and runs on the default VLAN (VLAN 1). Configuring Rapid-PVST+ is a four-step process:
1. Ensure the interfaces are in L2 mode.
2. Place the interfaces in VLANs. By default, switchport interfaces are members of the default (VLAN1).
3. Enable Rapid-PVST+. This step is only required if another variation of STP is present.
Enable RPVST+ By default, RPVST+ is enabled and creates an instance only after you add the first member port to a VLAN. To participate in RPVST+, port-channel or physical interfaces must be a member of a VLAN. Add all physical and port-channel interfaces to the default VLAN (VLAN1). ● Enable Rapid-PVST+ mode in CONFIGURATION mode.
Name PortID Prio Cost Sts Cost Bridge ID PortID --------------------------------------------------------------------ethernet1/1/5 128.276 128 500 FWD 0 4097 90b1.1cf4.a523 128.276 ethernet1/1/6 128.280 128 500 FWD 0 4097 90b1.1cf4.a523 128.280 Interface Name Role PortID Prio Cost Sts Cost Link-type Edge -------------------------------------------------------------ethernet1/1/5 Desg 128.276 128 500 FWD 0 AUTO No ethernet1/1/6 Desg 128.
Root assignment RPVST+ assigns the root bridge according to the lowest bridge ID. Assign one bridge as the root bridge and the other as a secondary root bridge. ● Configure the device as the root or secondary root in CONFIGURATION mode. spanning-tree vlan vlan-id root {primary | secondary} ○ vlan-id — Enter the VLAN ID number, from 1 to 4093. ○ primary — Enter the bridge as primary or root bridge. The primary bridge value is 24576. ○ secondary — Enter the bridge as secondary or secondary root bridge.
○ If no BPDU is received from a remote device which was sending BPDUs, loop guard places the port in the LoopInconsistent Blocking state and no traffic forwards on the port. ● When used in a PVST+ network, STP loop guard performs per-port or per port-channel at a VLAN level. If no BPDUs are received on a port-channel interface, the port or port-channel transitions to a Loop-Inconsistent or Blocking state only for this VLAN. Global parameters All non-root bridges accept the timer values on the root bridge.
RPVST allows (VLAN, port) based flush until the number of calls sent is equal to the MAC flush threshold value that is configured. When the number of calls sent exceeds the configured threshold, RPVST ignores further (VLAN, port) based flush and starts the MAC flush timer. When the timer starts, the system blocks further flush. When the timer expires for that specific instance, the system triggers VLAN-based flushing. By default, the MAC flush threshold value is set to 5.
show spanning-tree vlan Displays RPVST+ status and configuration information by VLAN ID. Syntax show spanning-tree vlan vlan-id Parameters vlan vlan-id — Enter the VLAN ID number, from 1 to 4093. Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# show spanning-tree Spanning tree enabled protocol rapid-pvst VLAN 1 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32769, Address 74e6.e2f5.
spanning-tree bpduguard Enables or disables the BPDU guard on an interface. Syntax spanning-tree bpduguard {enable | disable} Parameters ● enable — Enables the BPDU guard filter on an interface. ● disable — Disables the BPDU guard filter on an interface. Default Disabled Command Mode INTERFACE Usage Information BPDU guard prevents a port from receiving BPDUs. If the port receives a BPDU, it is placed in the Error-Disabled state.
Supported Releases 10.2.0E or later
spanning-tree link-type Sets the spanning-tree link type for faster convergence. Syntax spanning-tree link-type {auto | point-to-point | shared} Parameters ● auto — Enter the keyword to set the link type based on the duplex setting of the interface. ● point-to-point — Specifies that the interface is a point-to-point or full-duplex link. ● shared — Specifies that the interface is a half-duplex medium.
Parameters ● rstp — Sets STP mode to RSTP. ● mst — Sets STP mode to MST. ● rapid-pvst — Sets STP mode to RPVST+. Default RPVST+ Command Mode CONFIGURATION Usage Information All STP instances stop in the previous STP mode, and restart in the new mode. You can also change to RSTP/MST mode. Example (RSTP) OS10(config)# spanning-tree mode rstp Example (MST) OS10(config)# spanning-tree mode mst Supported Releases 10.2.0E or later
spanning-tree port Sets the port type as the EdgePort.
Example OS10(conf-if-eth1/1/4)# spanning-tree vlan 10 cost 1000 Supported Releases 10.2.0E or later
spanning-tree vlan disable Disables spanning tree on a specified VLAN. Syntax spanning-tree vlan vlan-id disable Parameters vlan-id — Enter the VLAN ID number, from 1 to 4093. Default Enabled Command Mode CONFIGURATION Usage Information The no version of this command enables spanning tree on the specified VLAN. Example OS10(config)# spanning-tree vlan 100 disable Supported Releases 10.4.
Example OS10(config)# spanning-tree mst force-version Supported Releases 10.2.0E or later
spanning-tree vlan hello-time Sets the time interval between generation and transmission of RPVST BPDUs. Syntax spanning-tree vlan vlan-id hello-time seconds Parameters ● vlan-id — Enter the VLAN ID number, from 1 to 4093. ● seconds — Enter a hello-time interval value in seconds, from 1 to 10.
Command Mode CONFIGURATION Usage Information None Example OS10(config)# spanning-tree vlan 10 max-age 10 Supported Releases 10.2.0E or later
spanning-tree vlan priority Sets the priority value for RPVST+. Syntax spanning-tree vlan vlan-id priority priority value Parameters priority priority value — Enter a bridge-priority value in increments of 4096, from 0 to 61440.
● secondary — Designate the bridge as the secondary or secondary root bridge. Default Not configured Command Mode CONFIGURATION Usage Information None Example OS10(config)# spanning-tree vlan 1 root primary Supported Releases 10.2.0E or later
Rapid Spanning-Tree Protocol
Rapid Spanning-Tree Protocol (RSTP) is similar to STP, but provides faster convergence and interoperability with devices configured with STP and MSTP. RSTP is disabled by default.
View all ports participating in RSTP
OS10# show spanning-tree
Spanning tree enabled protocol rstp with force-version rstp
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 3417.4455.667f
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 90b1.1cf4.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ------------------------------------------------------------------------ethernet1/1/1 Disb 128.260 128 200000000 BLK 0 AUTO No ethernet1/1/2 Disb 128.264 128 200000000 BLK 0 AUTO No ethernet1/1/3 Disb 128.268 128 200000000 BLK 0 AUTO No ethernet1/1/4 Disb 128.272 128 200000000 BLK 0 AUTO No ethernet1/1/5:1 Disb 128.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ---------------------------------------------------------ethernet1/1/1 Altr 128.244 128 500 BLK 0 AUTO No ethernet1/1/2 Altr 128.248 128 500 BLK 0 AUTO No ethernet1/1/3 Root 128.252 128 500 FWD 0 AUTO No ethernet1/1/4 Altr 128.256 128 500 BLK 0 AUTO No Interface parameters Set the port cost and port priority values on interfaces in L2 mode. Port cost Value based on the interface type. The previous table lists the default values.
View bridge priority and root bridge assignment OS10# show spanning-tree active Spanning tree enabled protocol rstp with force-version rstp Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 3417.4455.667f Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 36864, Address 90b1.1cf4.
CPU that are later dropped. To prevent further reception of BPDUs, configure a port to shut down using the shutdown command. The port can only resume operation from the Shutdown state after manual intervention. Root guard Avoids bridging loops and preserves the root bridge position during network transitions. STP selects the root bridge with the lowest priority value.
Link type is point-to-point (auto) Boundary: NO bpdu filter : Enable bpdu guard : bpduguard shutdown-onviolation :enable RootGuard: enable LoopGuard disable Bpdus (MRecords) sent 134, received 138 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID -----------------------------------------------------------------ethernet1/1/4 128.272 128 500 BLK 500 32769 90b1.1cf4.a911 128.
RSTP is single instance and hence MAC flush optimization is not required. However, to enable this feature, configure the MAC flush timer to a non-zero value. This configuration is applied globally and applies for RSTP, MSTP, and RPVST. This configuration is retained when you change the STP mode. For RSTP, the threshold is set to a higher value (65,535) because RSTP does not require this optimization. Even when this feature is enabled, the global flush is invoked only after the flush count reaches 65,535.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge -----------------------------------------------------------ethernet1/1/1 Altr 128.244 128 500 BLK 0 AUTO No ethernet1/1/2 Altr 128.248 128 500 BLK 0 AUTO No ethernet1/1/3 Root 128.252 128 500 FWD 0 AUTO No ethernet1/1/4 Altr 128.256 128 500 BLK 0 AUTO No Supported Releases 10.2.0E or later show spanning-tree interface Displays spanning-tree interface information for Ethernet and port-channels.
Supported Releases 10.2.0E or later spanning-tree bpduguard Enables or disables the BPDU guard on an interface. Syntax spanning-tree bpduguard {enable | disable} Parameters ● enable — Enables the BPDU guard filter on an interface. ● disable — Disables the BPDU guard filter on an interface. Default Disabled Command Mode INTERFACE Usage Information BPDU guard prevents a port from receiving BPDUs. If the port receives a BPDU, it is placed in the Error-Disabled state.
Example OS10(conf-if-eth1/1/4)# spanning-tree guard root Supported Releases 10.2.0E or later
spanning-tree link-type Sets the spanning-tree link type for faster convergence. Syntax spanning-tree link-type {auto | point-to-point | shared} Parameters ● auto — Enter the keyword to set the link type based on the duplex setting of the interface. ● point-to-point — Specifies that the interface is a point-to-point or full-duplex link. ● shared — Specifies that the interface is a half-duplex medium.
spanning-tree mode Enables an STP type: RSTP, Rapid-PVST+, or MST. Syntax spanning-tree mode {rstp | mst | rapid-pvst} Parameters ● rstp — Sets STP mode to RSTP. ● mst — Sets STP mode to MST. ● rapid-pvst — Sets STP mode to RPVST+. Default RPVST+ Command Mode CONFIGURATION Usage Information All STP instances stop in the previous STP mode, and restart in the new mode. You can also change to RSTP/MST mode.
spanning-tree rstp forward-time Configures a time interval for the interface to wait in the Blocking state or Learning state before moving to the Forwarding state. Syntax spanning-tree rstp forward-time seconds Parameters seconds — Enter the number of seconds an interface waits in the Blocking or Learning states before moving to the Forwarding state, from 4 to 30.
Supported Releases 10.4.0E(R1) or later
spanning-tree rstp max-age Configures the time period the bridge maintains configuration information before refreshing the information by recomputing the RSTP topology. Syntax spanning-tree rstp max-age seconds Parameters seconds — Enter a maximum age value in seconds, from 6 to 40. Default 20 seconds Command Mode CONFIGURATION Usage Information None Example OS10(config)# spanning-tree rstp max-age 10 Supported Releases 10.2.
● Increase security by isolating ports into different VLANs ● Ease network management Default VLAN All interface ports are administratively up in L2 mode and are automatically placed in the default VLAN as untagged interfaces. When you assign a port to a non-default VLAN in Trunk mode, the interface remains an untagged member of the default VLAN and a tagged member of the new VLAN.
When you delete a VLAN using the no interface vlan vlan-id command, any interfaces assigned to that VLAN are assigned to the default VLAN as untagged interfaces. To configure a port-based VLAN, enter INTERFACE-VLAN mode for VLAN-related configuration tasks and create a VLAN. To enable the VLAN, assign member interfaces in L2 mode. 1. Create a VLAN and enter the VLAN number in INTERFACE mode, from 1 to 4093. interface vlan vlan-id 2. Delete a VLAN in CONFIGURATION mode.
1. Configure a port in INTERFACE mode. interface ethernet node/slot/port[:subport] 2. Set the interface to Switchport mode as access in INTERFACE mode. switchport mode access 3. Enter the VLAN number for the untagged port in INTERFACE mode. switchport access vlan vlan-id Configure port in Access mode OS10(config)# interface ethernet 1/1/9 OS10(config-if-eth1/1/9)# switchport mode access OS10(config-if-eth1/1/9)# switchport access vlan 604 Show running configuration OS10# show running-configuration ...
! ... Assign IP address You can assign an IP address to each VLAN to make it an L3 VLAN. All the ports in that VLAN belong to that particular IP subnet. Traffic between ports in different VLANs is routed using the IP address. Configure the L3 VLAN interface to remain administratively UP or DOWN using the shutdown and no shutdown commands. This provisioning only affects the L3 traffic across the members of a VLAN and does not affect the L2 traffic.
Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 240 Last clearing of "show interface" counters Queueing strategy: fifo Time since last interface status change: View VLAN configuration You can view configuration information related to VLANs using show commands. ● View the VLAN status and configuration information in EXEC mode. show vlan ● View the VLAN interface configuration in EXEC mode. show interfaces vlan ● View the VLAN interface configuration for a specific VLAN ID in EXEC mode.
Internet address is not set MTU 1532 bytes LineSpeed auto Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 240 Last clearing of "show interface" counters Queueing strategy: fifo Time since last interface status change: View interface configuration for specific VLAN OS10# show interface vlan 320 Vlan 320 is up, line protocol is up Address is , Current address is Interface index is 69209184 Internet address is not set MTU 1532 bytes LineSpeed auto Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout: 2
show vlan Displays VLAN configurations. Syntax show vlan vlan-id Parameters vlan-id — (Optional) Enter a VLAN ID number, from 1 to 4093. Default Not configured Command Mode EXEC Usage Information Use this command to view VLAN configuration information for a specific VLAN ID.
4. Enter the destination of traffic in MONITOR-SESSION mode. destination interface interface-type Create monitoring session OS10(config)# monitor session 1 OS10(conf-mon-local-1)# Configure source and destination port, and traffic direction OS10(conf-mon-local-1)# source interface ethernet 1/1/7-1/1/8 rx OS10(conf-mon-local-1)# destination interface ethernet1/1/1 OS10(conf-mon-local-1)# no shut View configured monitoring sessions In the State field, true indicates that the port is enabled.
Configure any network device with source and destination ports. Enable the network device to function in an intermediate transport session for a reserved VLAN for multiple remote port monitoring sessions. You can enable and disable individual monitoring sessions. Consider the following when configuring an RPM session: ● A remote port monitoring session mirrors monitored traffic by prefixing the reserved VLAN tag to monitored packets to transmit using the reserved VLAN.
4. Enable the monitoring interface in MONITOR-SESSION mode. no shut Create remote monitoring session OS10(config)# monitor session 10 type rpm-source OS10(conf-mon-rpm-source-10)# Configure source and destination port, and traffic direction OS10(conf-mon-rpm-source-10)# source interface vlan 10 rx OS10(conf-mon-rpm-source-10)# destination remote-vlan 100 OS10(conf-mon-rpm-source-10)# no shut View monitoring session OS10(conf-mon-rpm-source-10)# do show monitor session all S.
2. Configure source port in MONITOR-SESSION mode. source interface interface-type {both | rx | tx} 3. Configure source and destination IP addresses, and protocol type in MONITOR-SESSION mode. source-ip source ip-address destination-ip destination ip-address [gre-protocol protocol-value] 4. Configure TTL and DSCP values in MONITOR-SESSION mode. ip {ttl ttl-number | dscp dscp-number} 5. Enable the monitoring interface in MONITOR-SESSION mode.
3. Create an access list in CONFIGURATION mode. ip access-list access-list-name 4. Define access-list rules using seq, permit, and deny statements in CONFIG-ACL mode. ACL rules describe the traffic to monitor. seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [fragments] [threshold-in-msgs count] [capture session session-id] 5. Return to CONFIGURATION mode. exit 6. Apply the flow-based monitoring ACL to the monitored source port in CONFIGURATION mode.
Table 15. RPM on VLT scenarios (continued) Scenario Recommendation 1. Create a RPM VLAN ! interface vlan 100 no shutdown remote-span ! 2. Create an L2 ACL for the RPM VLAN - RPM session and attach it to VLTi LAG interface. ! mac access-list rpm seq 10 permit any any capture session 10 vlan 100 ! interface ethernet 1/1/1 no shutdown switchport access vlan 1 mac access-group rpm in ! 3. Create a flow-based RPM session on the peer VLT device to monitor the VLTi LAG interface as the source.
Table 15. RPM on VLT scenarios (continued)
Scenario | Recommendation
Mirror a VLT LAG of the ToR, or any port in the ToR to any orphan port in the VLT device. Configure VLT nodes as intermediate devices. The packet analyzer connects to the ToR switch. | —
Mirror a VLT LAG to any orphan port on the same VLT device. The packet analyzer connects to the local VLT device through the orphan port. | If the packet analyzer directly connects to the VLT peer where the source session is configured, use local port
destination Sets the destination where monitored traffic is sent to. The monitoring session can be local or RPM. Syntax destination {interface interface-type | remote-vlan vlan-id} Parameters interface-type — Enter the interface type for a local monitoring session. ● ethernet node/slot/port[:subport] — Enter the Ethernet interface information as the destination. ● port-channel id-number — Enter a port-channel number as the destination, from 1 to 128.
● DSCP: 0 Command Mode MONITOR-SESSION (ERPM) Usage Information The no version of this command removes the configured TTL and DSCP values.
Example
OS10(conf-mon-erpm-source-10)# ip ttl 16
OS10(conf-mon-erpm-source-10)# ip DSCP 63
Supported Releases 10.4.0E(R1) or later
monitor session Creates a session for monitoring traffic with port monitoring.
---------------------------------------------------------------------------------1 ethernet1/1/1 remote-ip both port 11.11.11.1 11.11.11.11 0 255 35006 Example (all sessions) Supported Releases OS10# show monitor session all S.Id Source Destination Dir Mode Source IP Dest IP DSCP TTL Gr ---------------------------------------------------------------------------------1 ethernet1/1/1 remote-ip both port 11.11.11.1 11.11.11.
Default Not configured Command Mode MONITOR-SESSION Usage Information None Example OS10(config)# monitor session 1 OS10(conf-mon-local-1)# source interface ethernet 1/1/7 rx OS10(config)# monitor session 5 type rpm-source OS10(conf-mon-rpm-source-5)# source interface ethernet 1/1/10 rx OS10(config)# monitor session 10 type erpm-source OS10(conf-mon-erpm-source-10)# source interface ethernet 1/1/5 rx Supported Releases 10.2.
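Because a monitoring session copies traffic to another port, a remote VLAN, or a remote IP address, configuration reviews usually compare the sessions on a switch against an approved baseline. The following Python script is an added example, not part of the Dell EMC guide or of OS10. It is built only from the monitor session, source interface, destination, source-ip and no shut command forms shown in this chapter, assumes one-space indentation under each session, assumes a session counts as enabled only when no shut is present, and runs on a constructed sample.

```python
import re

# Constructed sample built from the command forms in this chapter; not taken
# from a real device. Addresses reuse the guide's own example values.
SAMPLE_CONFIG = """\
monitor session 1
 source interface ethernet1/1/7 rx
 destination interface ethernet1/1/1
 no shut
!
monitor session 10 type rpm-source
 source interface vlan 10 rx
 destination remote-vlan 100
 no shut
!
monitor session 20 type erpm-source
 source interface ethernet1/1/5 both
 source-ip 11.11.11.1 destination-ip 11.11.11.11
 ip ttl 16
!
"""

SESSION_RE = re.compile(r"^monitor session (\d+)(?: type (\S+))?\s*$")
SOURCE_RE = re.compile(r"^source interface (.+?)(?: (both|rx|tx))?$")
DEST_IF_RE = re.compile(r"^destination interface (.+)$")
DEST_VLAN_RE = re.compile(r"^destination remote-vlan (\d+)$")
ERPM_RE = re.compile(r"^source-ip (\S+) destination-ip (\S+)")


def parse_monitor_sessions(text):
    """Return {session id: {type, sources, destination, enabled}}."""
    sessions, cur = {}, None
    for raw in text.splitlines():
        header = SESSION_RE.match(raw)
        if header:
            cur = sessions.setdefault(int(header.group(1)), {
                "type": header.group(2) or "local",
                "sources": [], "destination": None, "enabled": False})
            continue
        if not raw[:1].isspace():
            cur = None                  # "!" or a top-level line ends the stanza
            continue
        if cur is None:
            continue
        line = raw.strip()
        if (m := SOURCE_RE.match(line)):
            cur["sources"].append((m.group(1).replace(" ", ""), m.group(2)))
        elif (m := DEST_IF_RE.match(line)):
            cur["destination"] = ("interface", m.group(1).replace(" ", ""))
        elif (m := DEST_VLAN_RE.match(line)):
            cur["destination"] = ("remote-vlan", m.group(1))
        elif (m := ERPM_RE.match(line)):
            cur["destination"] = ("remote-ip", m.group(2))
        elif line in ("no shut", "no shutdown"):
            cur["enabled"] = True
    return sessions


def audit_mirroring(text, approved):
    """Compare sessions with a baseline {session id: destination tuple}.

    Returns (session id, scope, destination, enabled) for each session whose
    destination is not the approved one; scope is "local" or "off-box".
    """
    findings = []
    for sid, sess in sorted(parse_monitor_sessions(text).items()):
        dest = sess["destination"]
        if dest is not None and approved.get(sid) == dest:
            continue
        scope = "local" if dest and dest[0] == "interface" else "off-box"
        if dest is None:
            scope = "no-destination"
        findings.append((sid, scope, dest, sess["enabled"]))
    return findings


if __name__ == "__main__":
    baseline = {1: ("interface", "ethernet1/1/1")}   # hypothetical baseline
    for finding in audit_mirroring(SAMPLE_CONFIG, baseline):
        print(finding)
```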
6 Layer 3
Bidirectional forwarding detection (BFD) Provides rapid failure detection in links with adjacent routers (see BFD commands).
Border Gateway Protocol (BGP) Provides an external gateway protocol that transmits inter-domain routing information within and between autonomous systems (see BGP Commands).
Equal Cost Multi-Path (ECMP) Provides next-hop packet forwarding to a single destination over multiple best paths (see ECMP Commands).
You can enable various services in both the management and default VRF instances. The services supported in the management and default VRF instances are: Table 16.
management route ip-address mask managementethernet or management route ipv6-address prefix-length managementethernet You can also configure the management route to direct traffic to a physical interface. For example: management route 10.1.1.5/24 ethernet 1/1/4 or management route 2::/64 ethernet 1/1/2. ● Configure a static entry in the IPv6 neighbor discovery.
Assigning a loopback interface to a non-default VRF instance After creating a non-default VRF instance you can associate a loopback interface to the VRF instance that you created. To assign a loopback interface to a non-default VRF, perform the following steps: 1. Enter the loopback interface that you want to assign to a non-default VRF instance. CONFIGURATION interface loopback 5 2. Assign the interface to a non-default VRF.
1. Enter the management VRF instance. CONFIGURATION ip vrf management 2. Assign the management interface back to the default VRF instance. CONFIGURATION VRF no interface management Deleting a non-default VRF instance Before deleting a non-default VRF instance, ensure all the dependencies and associations corresponding to that VRF instance are first removed or disabled.
Figure 6. Setup VRF Interfaces Router 1 ip vrf blue ! ip vrf orange ! ip vrf green ! interface ethernet 1/1/1 no ip address no switchport no shutdown ! interface ethernet1/1/2 no shutdown no switchport ip vrf forwarding blue ip address 20.0.0.1/24 ! interface ethernet1/1/3 no shutdown no switchport ip vrf forwarding orange ip address 30.0.0.1/24 ! interface ethernet1/1/4 no shutdown no switchport ip vrf forwarding green ip address 40.0.0.
! interface vlan128 mode L3 no shutdown ip vrf forwarding blue ip address 1.0.0.1/24 ! interface vlan192 mode L3 no shutdown ip vrf forwarding orange ip address 2.0.0.1/24 ! ! interface vlan256 mode L3 no shutdown ip vrf forwarding green ip address 3.0.0.1/24 ! ip route vrf green 30.0.0.0/24 3.0.0.1 Router 2 ip vrf blue ! ip vrf orange ! ip vrf green ! interface ethernet 1/1/1 no ip address no switchport no shutdown ! interface ethernet1/1/5 no shutdown no switchport ip vrf forwarding blue ip address 21.0.
Router 1 show command output OS10# show ip vrf VRF-Name blue Interfaces Eth1/1/2 Vlan128 default Mgmt1/1/1 Vlan1,24-25,200 green Eth1/1/4 Vlan256 orange Eth1/1/3 Vlan192 OS10# show ip route vrf blue Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of las
OS10# show ip route vrf blue Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ------------------------------------------------------------------------------C 21.0.0.0/24 via 21.0.0.
Limitations ● In VLT scenarios, the resolved ARP entry for the leaked route is not synced between the VLT peers. The ARP entry resolved in the source VRF is programmed into the leaked VRF when the leaked route configuration is active. ● During downgrade from 10.4.2, the leaked route configuration is restored. However, the routes remain inactive in the destination VRF instance. ● During downgrade from 10.4.2, the update-source-if command is not restored.
S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change --------------------------------------------------------------------------------------------------S 120.0.0.0/24 Direct,VRF1 ethernet1/1/1 1/0 00:00:05 C 140.0.0.
1. Enter the VRF from which you want to leak routes using route targets. CONFIGURATION ip vrf source-vrf-name ip vrf VRF-A 2. Configure the IP prefix. CONFIGURATION ip prefix-list prefix-list-name {permit | deny} ip-address ip prefix-list abc permit 20.0.0.0/24 or ip prefix-list abc deny 20.0.0.0/24 3. Configure the route-map. CONFIGURATION route-map route-map-name route-map xyz 4. Associate the prefix list to the route-map.
VRF commands interface management Adds a management interface to the management VRF instance. Syntax interface management Parameters None Default Not configured Command Mode VRF CONFIGURATION Usage Information The no version of this command removes the management interface from the management VRF instance. Example Supported Releases OS10(config)# ip vrf management OS10(conf-vrf)# interface management 10.4.
Command Mode CONFIGURATION Usage Information The no version of this command removes the domain name from the management or non-default VRF instance. Example Supported Releases OS10(config)# ip domain-name vrf management dell.com or OS10(config)# ip domain-name vrf blue dell.com 10.4.0E(R1) or later ip vrf Create a non-default VRF instance. Syntax ip vrf vrf-name Parameters ● vrf-name—Enter the name of the non-default VRF that you want to create.
ip host vrf Configures a host name for the management VRF instance or a non-default VRF instance and maps the host name to an IPv4 or IPv6 address. Syntax ip host vrf {management | vrf-name} hostname {IP-address | Ipv6–address} Parameters ● management—Enter the keyword management to configure a host name for the management VRF instance. ● vrf-name—Enter the name of the non-default VRF instance to configure a host name for that VRF instance. ● hostname—Enter the host name.
Command Mode CONFIGURATION Usage Information The no version of this command removes the name server from the management or non-default VRF instance. Example Supported Releases OS10(config)# ip name-server vrf management or OS10(config)# ip name-server vrf blue 10.4.0E(R1) or later ip route-import Imports an IPv4 static route into a VRF instance from another VRF instance.
ipv6 route-import Imports an IPv6 static route into a VRF instance from another VRF instance. Syntax [no] ipv6 route-import route-target Parameters ● route-target — Enter the route-target of the VRF instance. Default Not configured Command Mode VRF CONFIG Usage Information You can import IPv6 routes corresponding only to a non-default or a default VRF instance. You cannot import IPv6 routes that belong to a management VRF instance into another VRF instance.
Example Supported Releases OS10(config)# ip scp vrf management OS10(config)# ip scp vrf vrf-blue 10.4.0E(R1) or later ip sftp vrf Configures an SFTP client for the management or non-default VRF instance. Syntax ip sftp vrf {management | vrf vrf-name} Parameters ● management — Enter the keyword to configure an SFTP client for a management VRF instance. ● vrf vrf-name — Enter the keyword then the name of the VRF to configure an SFTP client for that non-default VRF instance.
Usage Information Example Supported Releases Enter the ip vrf management command only in non-transaction-based configuration mode. Do not use transaction-based mode. The no version of this command removes the management VRF instance configuration. OS10(config)# ip vrf management OS10(conf-vrf)# 10.4.0E(R1) or later show hosts vrf Displays the host table in the management or non-default VRF instance.
Eth1/1/1-1/1/2 Vlan1 management OS10# show ip vrf management VRF-Name Interfaces management Supported Releases 10.4.0E(R1) or later update-source-ip Configures a source IP interface for any leaked route in a VRF instance. Syntax update-source-ip interface interface-id To undo this configuration, use the no update-source-ip command. Parameters ● interface interface-id — Enter the loopback interface identifier. The range is from 0 to 16383.
● The active router starts the BFD session. Both routers can be active in the same session. ● The passive router does not start a session. It only responds to a request for session initialization from the active router. A BFD session can occur in Asynchronous and Demand modes. However, OS10 BFD supports only Asynchronous mode. ● In Asynchronous mode, both systems send periodic control messages at a specified interval to indicate that their session status is Up.
2. When the passive system receives a control packet, it changes its session state to Init and sends a response to indicate its state change. The response includes its session ID in the My Discriminator field and the session ID of the remote system in the Your Discriminator field. 3. The active system receives the response from the passive system and changes its session state to Up. It then sends a control packet to indicate this state change. Discriminator values exchange, and transmit intervals negotiate.
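The three-step exchange above and the interval negotiation it mentions, as an added example (not code from this guide or from OS10): a minimal model of the Asynchronous-mode handshake that follows the RFC 5880 reception rules. It assumes the CLI `interval`, `min_rx` and `multiplier` values map to Desired Min TX, Required Min RX and Detect Mult; the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Fields of a BFD control packet that matter for session setup."""
    state: str            # sender's session state: "Down", "Init" or "Up"
    my_disc: int          # My Discriminator (sender's session ID)
    your_disc: int        # Your Discriminator (0 until the peer's ID is known)
    desired_min_tx: int   # ms; assumed to carry the CLI `interval`
    required_min_rx: int  # ms; assumed to carry the CLI `min_rx`
    detect_mult: int      # assumed to carry the CLI `multiplier`


class Session:
    def __init__(self, disc, role, interval=200, min_rx=200, multiplier=3):
        self.disc, self.role = disc, role
        self.interval, self.min_rx, self.multiplier = interval, min_rx, multiplier
        self.state, self.remote_disc, self.peer = "Down", 0, None

    def may_transmit(self):
        # A passive system stays silent until it has heard from the peer.
        return self.role == "active" or self.remote_disc != 0

    def build(self):
        return Packet(self.state, self.disc, self.remote_disc,
                      self.interval, self.min_rx, self.multiplier)

    def receive(self, pkt):
        """Apply one received packet; return False when it is discarded."""
        if pkt.my_disc == 0:
            return False
        if pkt.your_disc == 0:
            if pkt.state != "Down":       # only a Down packet may omit our ID
                return False
        elif pkt.your_disc != self.disc:  # addressed to some other session
            return False
        self.remote_disc, self.peer = pkt.my_disc, pkt
        if self.state == "Down":
            if pkt.state == "Down":
                self.state = "Init"
            elif pkt.state == "Init":
                self.state = "Up"
        elif self.state == "Init":
            if pkt.state in ("Init", "Up"):
                self.state = "Up"
        elif pkt.state == "Down":         # we are Up and the peer went Down
            self.state = "Down"
        return True

    def tx_interval(self):
        # Never send faster than the peer says it can receive.
        return max(self.interval, self.peer.required_min_rx)

    def detection_time(self):
        # Peer's multiplier times the interval the peer transmits at.
        return self.peer.detect_mult * max(self.min_rx, self.peer.desired_min_tx)


def handshake(a, b, max_packets=6):
    """Alternate packets between a and b; log (my, your, state, receiver state)."""
    log, sender, receiver = [], a, b
    for _ in range(max_packets):
        if a.state == b.state == "Up":
            break
        if sender.may_transmit():
            pkt = sender.build()
            receiver.receive(pkt)
            log.append((pkt.my_disc, pkt.your_disc, pkt.state, receiver.state))
        sender, receiver = receiver, sender
    return log


if __name__ == "__main__":
    r1 = Session(1, "active")                                   # default timers
    r2 = Session(2, "passive", interval=250, min_rx=300, multiplier=4)
    for step in handshake(r1, r2):
        print(step)
    print("R1 sends every", r1.tx_interval(), "ms, detects loss in",
          r1.detection_time(), "ms")
    print("R2 sends every", r2.tx_interval(), "ms, detects loss in",
          r2.detection_time(), "ms")
```

Two sessions that are both configured as passive never leave Down in this model, because neither side sends the first packet.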
1. Configure the global BFD session parameters in CONFIGURATION mode. bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive} ● interval milliseconds — Enter the time interval for sending control packets to BFD peers, from 100 to 1000; default 200. Dell EMC recommends using more than 100 milliseconds. ● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 100 to 1000; default 200.
When you configure a BFD session with a BGP neighbor, you can: ● Establish a BFD session with a specified BGP neighbor using the neighbor ip-address and bfd commands. ● Establish BFD sessions with all neighbors discovered by BGP using the bfd all-neighbors command. For example: Router 1 OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 2.2.4.
Configure BFD for BGP OS10 supports BFD sessions with IPv4 or IPv6 BGP neighbors using the default VRF. When you configure BFD for BGP, you can enable BFD sessions with all BGP neighbors discovered by BGP or with a specified neighbor. 1. Configure BFD session parameters and enable BFD globally on all interfaces in CONFIGURATION mode as described in Configure BFD globally. bfd interval milliseconds min_rx milliseconds multiplier number role {active | passive} bfd enable 2.
OS10(config-router-bgp-4)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active BFD for BGP single-neighbor configuration OS10(conf)# bfd interval 200 min_rx 200 multiplier 6 role active OS10(conf)# bfd enable OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 150.150.1.
Last read 00:24:31 seconds Hold time is 180, keepalive interval is 60 seconds Configured hold time is 180, keepalive interval is 60 seconds Fall-over disabled Neighbor is using Global level BFD Configuration Received 784 messages 1 opens, 0 notifications, 0 updates 783 keepalives, 0 route refresh requests Sent 780 messages 2 opens, 0 notifications, 0 updates 778 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Ca
CONFIGURATION Mode 2. Enter ROUTER-OSPF mode router ospf ospf-instance CONFIGURATION Mode 3. Establish sessions with all OSPFv2 neighbors. bfd all-neighbors ROUTER-OSPF Mode 4. Enter INTERFACE CONFIGURATION mode. interface interface-name CONFIGURATION Mode 5. Establish BFD sessions with OSPFv2 neighbors corresponding to a single OSPF interface.
ip vrf forwarding red ip address 30.1.1.1/24 ip ospf 200 area 0.0.0.0 ! router ospf 200 vrf red bfd all-neighbors log-adjacency-changes router-id 2.3.3.1 ! In this example OSPF is enabled in non-default VRF red. BFD is enabled globally at the router OSPF level and all the interfaces associated with this VRF OSPF instance inherit the global BFD configuration. However, this global BFD configuration does not apply to interfaces in which the interface level BFD configuration is already present.
1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Establishing BFD sessions with OSPFv3 neighbors To establish BFD sessions with OSPFv3 neighbors: 1. Enable BFD globally bfd enable CONFIGURATION Mode 2. Enter ROUTER-OSPF mode router ospfv3 ospfv3-instance CONFIGURATION 3. Establish sessions with all OSPFv3 neighbors. bfd all-neighbors ROUTER-OSPFv3 Mode 4. Enter INTERFACE CONFIGURATION mode. interface interface-name CONFIGURATION Mode 5.
Changing OSPFv3 session parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or all OSPFv3 sessions on a particular interface. If you change a parameter globally, the change affects all OSPFv3 neighbor sessions.
2. Configure static routes on both routers on the system (either local or remote). Configure the static routes so that the next-hop interfaces point to each other. 3. Configure BFD for the static route using the ip route bfd command. Establishing BFD Sessions for IPv4 Static Routes Sessions are established for all neighbors that are the next hop of a static route. To establish a BFD session, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route.
CONFIGURATION Mode NOTE: By default, OSPF uses the following BFD parameters for its neighbors: min_tx = 200 msec, min_rx = 200 msec, multiplier = 3, role = active. The values are configured in milliseconds. Establishing BFD Sessions for IPv6 Static Routes in a non-default VRF instance To establish a BFD session for IPv6 static routes in a non-default VRF instance, use the following command. Establish BFD sessions for all neighbors that are the next hop of a static route.
ROUTER-BGP mode to specify the neighbor. Use the template template-name command in ROUTER-BGP mode to specify a BGP template. Use the no bfd command in ROUTER-NEIGHBOR mode to disable BFD sessions with a neighbor. ● Use the bfd all-neighbors command to configure L3 protocol-specific BFD parameters for all BFD sessions between discovered neighbors. The BFD parameters you configure override the global session parameters configured with the bfd interval command.
bfd disable Ignores the configured bfd all-neighbors settings and disables BFD for a specified neighbor. Syntax bfd disable Parameters None Default Not configured Command Mode ROUTER-NEIGHBOR Usage Information Use the neighbor ip-address command in ROUTER-BGP mode to specify a neighbor. Use the bfd disable command to disable BFD sessions with the neighbor. Example Supported releases OS10(conf)# router bgp 1 OS10(config-router-bgp-1)# neighbor 10.1.1.
The BFD role is active. Command Mode CONFIGURATION Usage Information Use the bfd interval command to configure global BFD session settings. To configure the BFD parameters used in sessions established with neighbors discovered by an L3 protocol, use the bfd all-neighbors command. To remove the configured global settings and return to the default values, enter the no version of the command. Example Supported releases OS10(config)# bfd interval 250 min_rx 300 multiplier 4 role passive 10.4.1.
● interval milliseconds — Enter the time interval for sending control packets to BFD peers, from 100 to 1000. You cannot configure a value that is less than 100 milliseconds. ● min_rx milliseconds — Enter the maximum waiting time for receiving control packets from BFD peers, from 100 to 1000. Dell EMC recommends using more than 100 milliseconds.
Example Supported releases OS10(config)# ip route bfd interval 250 min_rx 250 multiplier 4 role active 10.4.2E or later ipv6 route bfd Enables or disables BFD on IPv6 static routes. Syntax ipv6 route bfd [vrf vrf-name] [interval millisec min_rx min_rx multiplier role {active | passive}] To disable BFD on an IPv6 static route, use the no ipv6 route bfd command. Parameters ● vrf vrf-name — Enter the keyword VRF followed by the name of the VRF to configure static route in that VRF.
---------------------------------------------------------------------------LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients ---------------------------------------------------------------------------* 150.150.1.2 150.150.1.1 vlan10 up 1000 1000 5 default bgp OS10# show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 2 Local Addr: 150.150.1.2 Local MAC Addr: 90:b1:1c:f4:ab:fd Remote Addr: 150.150.1.
The Internet Assigned Numbers Authority (IANA) identifies each network with a unique AS number (ASN). AS numbers 64512 through 65534 are reserved for private purposes. AS numbers 0 and 65535 cannot be used in a live environment. IANA assigns valid AS numbers in the range of 1 to 64511. Multihomed AS Maintains connections to more than one other AS. This group allows the AS to remain connected to the Internet if a complete failure occurs to one of their connections.
Connect Router waits for the TCP connection to complete and transitions to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires. Active Router resets the ConnectRetry timer to zero and returns to the Connect state. OpenSent Router sends an Open message and waits for one in return after a successful OpenSent transition.
Multiprotocol BGP Multiprotocol BGP (MBGP) is an extension to BGP that supports multiple address families—IPv4 and IPv6. MBGP carries multiple sets of unicast and multicast routes depending on the address family. You can enable the MBGP feature on a per router, per template, and/or a per peer basis. The default is the IPv4 unicast routes.
6. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths, and prefer the path with the lowest IGP metric to the BGP next-hop. 7. The system deems the paths as equal and only performs the following steps if the criteria are not met: ● Configure the IBGP multipath or EBGP multipath using the maximum-path command. ● The paths being compared were received from the same AS with the same number of AS in the AS Path but with different next-hops.
One AS assigns the MED a value. Other ASs use that value to decide the preferred path. Assume that the MED is the only attribute applied and there are two connections between AS 100 and AS 200. Each connection is a BGP session. AS 200 sets the MED for its Link 1 exit point to 100 and the MED for its Link 2 exit point to 50. This sets up a path preference through Link 2. The MEDs advertise to AS 100 routers so they know which is the preferred path. MEDs are nontransitive attributes.
Best path selection Best path selection selects the best route out of all paths available for each destination, and records each selected route in the IP routing table for traffic forwarding. Only valid routes are considered for best path selection. BGP compares all paths, in the order in which they arrive, and selects the best paths. Paths for active routes are grouped in ascending order according to their neighboring external AS number.
Advertise cost As the default process for redistributed routes, OS10 supports IGP cost as MED. Both auto-summarization and synchronization are disabled by default.
The Local-AS does not prepend the updates with the AS number received from the EBGP peer if you use the no prepend command. If you do not select no prepend, the default, the Local-AS adds to the first AS segment in the AS-PATH. If you use an inbound route-map to prepend the AS-PATH to the update from the peer, the Local-AS adds first. If Router B has an inbound route-map applied on Router C to prepend 65001 65002 to the AS-PATH, these events take place on Router B: ● Receive and validate the update.
1. Assign an AS number, and enter ROUTER-BGP mode from CONFIGURATION mode, from 1 to 65535 for 2-byte, 1 to 4294967295 for 4-byte. Only one AS number is supported per system. If you enter a 4-byte AS number, 4-byte AS support is enabled automatically. router bgp as-number 2. Enter a neighbor in ROUTER-BGP mode. neighbor ip-address 3. Add a remote AS in ROUTER-NEIGHBOR mode, from 1 to 65535 for 2-byte or 1 to 4294967295 for 4-byte. remote-as as-number 4. Enable the BGP neighbor in ROUTER-NEIGHBOR mode.
BGP state established, in this state for 00:03:11 Last read 01:08:40 seconds, hold time is 180, keepalive interval is 60 seconds Received 11 messages 3 opens, 1 notifications, 3 updates 4 keepalives, 0 route refresh requests Sent 14 messages 3 opens, 1 notifications, 0 updates 10 keepalives, 0 route refresh requests Minimum time between advertisement runs is 0 seconds Description: n1_abcd Capabilities received from neighbor for IPv4 Unicast: MULTIPROTO_EXT(1)ROUTE_REFRESH(2)CISCO_ROUTE_REFRESH(128) Capabili
Configure BGP OS10# configure terminal OS10(config)# router bgp 100 OS10(config-router-bgp-100)# vrf blue OS10(config-router-vrf)# neighbor 5.1.1.1 OS10(config-router-neighbor)# remote-as 1 OS10(config-router-neighbor)# description n1_abcd OS10(config-router-neighbor)# exit OS10(config-router-vrf)# template t1 OS10(config-router-template)# description peer_template_1_abcd Configure Dual Stack OS10 supports dual stack for BGPv4 and BGPv6.
IPv6: OS10(config-router-bgp-100)# address-family ipv6 unicast OS10(configure-router-bgpv6-af)# 3. Change the administrative distance for BGP. IPv4: OS10(configure-router-bgpv4-af)# distance bgp 21 200 200 IPv6: OS10(configure-router-bgpv6-af)# distance bgp 21 201 250 The example below provides the configuration for non-default VRF.
● To add an IBGP neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command. 8. Assign a peer-template with a peer-group name from which to inherit to the neighbor in ROUTER-NEIGHBOR mode. inherit template template-name 9. Enable the neighbor in ROUTER-BGP mode. no shutdown When you add a peer to a peer group, it inherits all the peer group configured parameters.
100.5.1.1 64802 376 325 04:28:25 1251
100.6.1.1 64802 376 327 04:26:17 1251
View running configuration OS10# show running-configuration bgp ! router bgp 64601 bestpath as-path multipath-relax bestpath med missing-as-worst non-deterministic-med router-id 100.0.0.8 ! template leaf_v4 description peer_template_1_abcd ! address-family ipv4 unicast distribute-list leaf_v4_in in distribute-list leaf_v4_out out route-map set_aspath_prepend in ! neighbor 100.5.1.
6. (Optional) Add a text description for the template in ROUTER-TEMPLATE mode. description text 7. Assign a peer-template with a peer-group name from which to inherit to the neighbor in ROUTER-NEIGHBOR mode. inherit template template-name 8. Enable the neighbor in ROUTER-BGP mode. neighbor ip-address 9. Enable the peer-group in ROUTER-NEIGHBOR mode. no shutdown When you add a peer to a peer group, it inherits all the peer group configured parameters.
4. Enable BGP fast fall-over in ROUTER-NEIGHBOR mode. fall-over Configure neighbor fall-over OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 3.1.1.1 OS10(config-router-neighbor)# remote-as 100 OS10(config-router-neighbor)# fall-over OS10(config-router-neighbor)# no shutdown Verify neighbor fall-over on neighbor OS10(config-router-neighbor)# do show ip bgp neighbors 3.1.1.1 BGP neighbor is 3.1.1.1, remote AS 100, local AS 100 internal link BGP version 4, remote router ID 3.3.3.
! neighbor 60.1.1.2 inherit template bgppg no shutdown ! neighbor 32.1.1.2 remote-as 100 no shutdown ! template bgppg fall-over remote-as 102 Configure password You can enable message digest 5 (MD5) authentication with a password on the TCP connection between two BGP neighbors. Configure the same password on both BGP peers. When you configure MD5 authentication between two BGP peers, each segment of the TCP connection is verified and the MD5 digest is checked on every segment sent on the TCP connection.
remote-as 10 no shutdown OS10(config-router-neighbor)# do show running-configuration bgp ! router bgp 10 ! template pass password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d ! neighbor 11.1.1.
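An added example, not part of this guide or of OS10: a Python audit that reads text in the layout of `show running-configuration bgp` and lists the neighbors that have no MD5 password, either configured directly or inherited from a template. The sample configuration and its digest placeholder are constructed, the one-command-per-line layout is an assumption about the saved output, and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample. Templates may appear after the neighbors that inherit
# from them, so inheritance is resolved only after the whole text is parsed.
SAMPLE_CONFIG = """\
router bgp 10
 !
 neighbor 11.1.1.2
  inherit template pass
  no shutdown
 !
 neighbor 60.1.1.2
  inherit template nopass
  no shutdown
 !
 neighbor 32.1.1.2
  remote-as 100
  no shutdown
 !
 neighbor 40.1.1.2
  password 9 PLACEHOLDER-DIGEST
  remote-as 10
 !
 neighbor 50.1.1.2
  inherit template missing
  no shutdown
 !
 template pass
  password 9 PLACEHOLDER-DIGEST
  remote-as 20
 !
 template nopass
  remote-as 10
"""


@dataclass
class Peer:
    name: str                       # neighbor address or template name
    kind: str                       # "neighbor" or "template"
    vrf: str = "default"
    password: bool = False
    remote_as: Optional[str] = None
    inherit: Optional[str] = None
    enabled: bool = False           # True once "no shutdown" is seen


def parse_bgp(text):
    """Return (local AS, [Peer, ...]) from running-configuration text."""
    local_as, vrf, current, peers = None, "default", None, []
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[:2] == ["router", "bgp"] and len(words) == 3:
            local_as, vrf, current = words[2], "default", None
        elif words[0] == "vrf" and len(words) == 2:
            vrf, current = words[1], None
        elif words[0] in ("neighbor", "template") and len(words) == 2:
            current = Peer(words[1], words[0], vrf)
            peers.append(current)
        elif current is not None:
            if words[0] == "password":
                current.password = True
            elif words[0] == "remote-as" and len(words) == 2:
                current.remote_as = words[1]
            elif words[:2] == ["inherit", "template"] and len(words) == 3:
                current.inherit = words[2]
            elif words == ["no", "shutdown"]:
                current.enabled = True
    return local_as, peers


def audit(text):
    """List (neighbor, vrf, session type, enabled, issue) for unprotected peers."""
    local_as, peers = parse_bgp(text)
    # Assumption: a template is looked up in the neighbor's own VRF only.
    templates = {(p.vrf, p.name): p for p in peers if p.kind == "template"}
    findings = []
    for n in (p for p in peers if p.kind == "neighbor"):
        tmpl = templates.get((n.vrf, n.inherit)) if n.inherit else None
        if n.password or (tmpl is not None and tmpl.password):
            continue
        remote_as = n.remote_as or (tmpl.remote_as if tmpl else None)
        # Compares remote-as with the router bgp AS only (ignores local-as).
        session = ("unknown" if remote_as is None
                   else "ibgp" if remote_as == local_as else "ebgp")
        issue = ("inherits undefined template '%s'" % n.inherit
                 if n.inherit and tmpl is None else "no MD5 password")
        findings.append((n.name, n.vrf, session, n.enabled, issue))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```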
View fast external fallover configuration OS10(config)# do show running-configuration bgp ! router bgp 300 ! neighbor 3.1.1.1 remote-as 100 no shutdown ! neighbor 3::1 remote-as 100 no shutdown ! address-family ipv6 unicast activate OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# show configuration ! interface ethernet1/1/1 ip address 3.1.1.
%Dell EMC (OS10) %BGP_NBR_BKWD_STATE_CHG: Backward state change occurred Hold Time expired for Nbr:3.1.1.3 VRF:default Apr 27 01:39:03 OS10 dn_sm[2065]: Node.1-Unit.1:PRI:alert [os10:event], %Dell EMC (OS10) %BGP_NBR_BKWD_STATE_CHG: Backward state change occurred Hold Time expired for Nbr:3::3 VRF:default Passive peering When you enable a peer-template, the system sends an OPEN message to initiate a TCP connection.
3. Return to ROUTER-BGP mode. exit 4. Enter a template name to assign to the peer-groups in ROUTER-BGP mode. A maximum of 16 characters. template template-name 5. Enter a local-as number for the peer in ROUTER-TEMPLATE mode. local-as as number [no prepend] 6. Add a remote AS in ROUTER-TEMPLATE mode (1 to 65535 for 2 bytes, 1 to 4294967295 for 4 bytes). remote-as as-number Allow external routes from neighbor OS10(config)# router bgp 10 OS10(conf-router-bgp-10)# neighbor 32.1.1.
dampening ! neighbor 17.1.1.
Additional paths The add-path command is disabled by default. 1. Assign an AS number in CONFIGURATION mode. router bgp as-number 2. Enter a neighbor and IP address (A.B.C.D) in ROUTER-BGP mode. neighbor ip-address 3. Enter Address Family mode in ROUTER-NEIGHBOR mode. address-family {[ipv4 | ipv6] [unicast]} 4. Allow the specified neighbor to send or receive multiple path advertisements in ROUTER-BGP mode.
2. Change the LOCAL_PREF value for routes meeting the criteria of this route map in ROUTE-MAP mode, then return to CONFIGURATION mode. set local-preference value exit 3. Enter ROUTER-BGP mode. router bgp as-number 4. Enter the neighbor to apply the route map configuration in ROUTER-BGP mode. neighbor {ip-address} 5. Apply the route map to the neighbor’s incoming or outgoing routes in ROUTER-BGP-NEIGHBOR-AF mode. route-map map-name {in | out} 6.
3. Return to ROUTER-BGP mode. exit 4. Assign a weight value to the peer-group in ROUTER-BGP mode. template template name 5. Set a weight value for the route in ROUTER-TEMPLATE mode. weight weight Modify weight attribute OS10(config)# router bgp 10 OS10(config-router-bgp-10)# neighbor OS10(config-router-neighbor)# weight OS10(config-router-neighbor)# exit OS10(config-router-bgp-10)# template OS10(config-router-template)# weight 10.1.1.
6. Create a route-map, and assign a filtering criteria in ROUTER-BGP-TEMPLATE-AF mode. route-map map-name {in | out} Filter BGP route OS10(config)# router bgp 102 OS10(conf-router-bgp-102)# neighbor 40.1.1.
1. Assign an AS number in CONFIGURATION mode. router bgp as-number 2. Enter Address Family mode in ROUTER-BGP mode. address-family {[ipv4 | ipv6] [unicast]} 3. Aggregate address in ROUTER-BGPv4-AF mode. aggregate-address ip-address/mask Configure aggregate routes OS10(config)# router bgp 105 OS10(conf-router-bgp-105)# address-family ipv4 unicast OS10(conf-router-bgpv4-af)# aggregate-address 3.3.0.
OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-65501)# neighbor 3.1.1.2 OS10(conf-router-neighbor)# remote-as 65504 OS10(conf-router-neighbor)# no shutdown OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-65501)# end OS10# show running-configuration bgp ! router bgp 65501 confederation identifier 100 confederation peers 65502 65503 65504 ! neighbor 1.1.1.2 remote-as 65502 no shutdown ! neighbor 2.1.1.2 remote-as 65503 no shutdown ! neighbor 3.1.1.
Configure values to reuse or restart route OS10(config)# router bgp 102 OS10(conf-router-bgp-102)# address-family ipv4 unicast OS10(conf-router-bgpv4-af)# dampening 2 2000 3000 10 View dampened (nonactive) routes OS10# show ip bgp flap-statistics BGP local router ID is 13.176.123.
resetting the TCP connection. After configuring soft-reconfiguration, use the clear ip bgp command to make the neighbor use soft reconfiguration. When you enable soft-reconfiguration for a neighbor and you execute the clear ip bgp soft in command, the update database stored in the router replays and updates are re-evaluated. With this command, the replay and update process triggers only if a route-refresh request is not negotiated with the peer.
Supported Releases 10.2.0E or later add-path Allows the system to advertise multiple paths for the same destination without replacing previous paths with new ones. Syntax add-path {both path count | receive | send path count} Parameters ● both path count — Enter the number of paths to advertise to the peer, from 2 to 64. ● receive — Receive multiple paths from the peer. ● send path count — Enter the number of multiple paths to send to the peer, from 2 to 64.
advertisement-interval Sets the minimum time interval for advertisement between the BGP neighbors or within a BGP peer group. Syntax advertisement-interval seconds Parameters seconds—Enter the time interval value in seconds between BGP advertisements, from 1 to 600. Default EBGP 30 seconds, IBGP 5 seconds Command Mode ROUTER-NEIGHBOR Usage Information The time interval applies to all peer group members of the template in ROUTER-TEMPLATE mode.
not add the as-set parameter to the aggregate because the aggregate flaps to track changes in the AS_PATH. The no version of this command disables the aggregate-address configuration. Example Supported Releases OS10(conf-router-bgpv4-af)# aggregate-address 6.1.0.0/16 summary-only 10.3.0E or later allowas-in Configures the number of times the local AS number can appear in the BGP AS_PATH path attribute before the switch rejects the route.
as-notation Changes the AS number notation format and requires four-octet-assupport. Syntax as-format {asdot | asdot+ | asplain} Parameters ● asdot — Specify the AS number notation in asdot format. ● asdot+ — Specify the AS number notation in asdot+ format. ● asplain — Specify the AS number notation in asplain format.
Parameters ● confed — Compare MED among BGP confederation paths. ● missing-as-worst — Treat missing MED as the least preferred path. Default Disabled Command Mode ROUTER-BGP Usage Information Before you apply this command, use the always-compare-med command. The no version of this command resets the MED comparison influence. NOTE: To configure these settings for a non-default VRF instance, you must first enter the ROUTER-CONFIG-VRF sub mode using the following commands: 1.
Command Mode EXEC Usage Information None. Example Supported Releases OS10# clear ip bgp 1.1.15.4 10.3.0E or later clear ip bgp * Resets BGP sessions. The soft parameter, BGP soft reconfiguration, clears policies without resetting the TCP connection. Syntax clear ip bgp * [vrf vrf-name] [ipv4 unicast | ipv6 unicast | soft [in | out]] Parameters ● * — Enter to clear all BGP sessions.
clear ip bgp flap-statistics Clears all or specific IPv4 or IPv6 flap counts of prefixes. Syntax clear ip bgp [vrf vrf-name] [ipv4–address | ipv6–address] flap-statistics [ipv4–prefix | ipv6–prefix] Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to clear flap statistics information. ● ipv4–address — (Optional) Enter an IPv4 address to clear the flap counts of the prefixes learned from the given peer. ● ipv6–address — (Optional) Enter an IPv6 address to clear the flap counts.
Parameters ● identifier as-num —Enter an AS number, from 0 to 65535 for 2 bytes, 1 to 4294967295 for 4 bytes, or 0.1 to 65535.65535 for dotted format. ● peers as-number—Enter an AS number for peers in the BGP confederation, from 1 to 4294967295. Default Not configured Command Mode ROUTER-BGP Usage Information Configure your system to accept 4-byte formats before entering a 4-byte AS number. All routers in the Confederation must be 4-byte or 2-byte identified routers.
cluster-id Assigns a cluster ID to a BGP cluster with multiple route reflectors. Syntax cluster-id {number | ip-address} Parameters ● number—Enter a route reflector cluster ID as a 32-bit number, from 1 to 4294967295. ● ip-address—Enter an IP address as the route-reflector cluster ID. Default Router ID Command Mode ROUTER-BGP Usage Information If a cluster contains only one route reflector, the cluster ID is the route reflector’s router ID.
Supported Releases 10.3.0E or later description Configures a description for the BGP neighbor or for peer template. Syntax description text Parameters text — Enter a description for the BGP neighbor or peer template. Default None Command Mode ROUTER-BGP-NEIGHBOR ROUTER-BGP-TEMPLATE Usage Information Example Supported Releases The no version of this command removes the description. OS10# configure terminal OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 8.8.8.
default-originate Configures the default route to a BGP peer or neighbor. Syntax default-originate [route-map route-map-name] Parameters route-map route-map-name—(Optional) Enter a route-map name. A maximum of 140 characters. Default Enabled Command Mode ROUTER-BGP-NEIGHBOR-AF ROUTER-TEMPLATE-AF Usage Information Example Supported Releases The no version of this command removes the default route.
Non-default VRF
OS10(config-router-bgp-100)# vrf blue
OS10(config-router-bgp-100-vrf)# address-family ipv4 unicast
OS10(configure-router-bgpv4-vrf-af)# distance bgp 21 200 200
OS10(config-router-bgp-100-vrf)# address-family ipv6 unicast
OS10(configure-router-bgpv6-vrf-af)# distance bgp 21 201 250
Supported Releases 10.4.2.0 or later
distribute-list Distributes BGP information through an established prefix list.
ebgp-multihop Allows EBGP neighbors on indirectly connected networks. Syntax ebgp-multihop hop count Parameters hop count — Enter a value for the number of hops, from 1 to 255. Default 1 Command Mode ROUTER-NEIGHBOR Usage Information This command avoids installation of default multihop peer routes to prevent loops and creates neighbor relationships between peers. Networks indirectly connected are not valid for best path selection. The no version of this command removes multihop session.
Whenever either address becomes unreachable — no active route exists in the routing table for peer IPv6 destinations or local address — BGP brings down the session with the peer. The no version of this command disables fall-over.
Example
OS10(conf-router-neighbor)# fall-over
Supported Releases 10.3.0E or later
fast-external-fallover
Resets BGP sessions immediately when a link to a directly connected external peer fails.
listen Enables peer listening and sets the prefix range for dynamic peers. Syntax listen ip-address [limit count] Parameters ● ip-address—Enter the BGP neighbor IP address. ● limit count—(Optional) Enter a maximum dynamic peer count, from 1 to 4294967295. Default Not configured Command Mode ROUTER-TEMPLATE Usage Information Enables a passive peering session for listening. The no version of this command disables a passive peering session.
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# log-neighbor-changes
Supported Releases 10.3.0E or later
maximum-paths
Configures the maximum number of equal-cost paths for load sharing.
Syntax maximum-paths [ebgp number | ibgp number] maxpaths
Parameters
● ebgp—Enable multipath support for external BGP routes.
Example
OS10(conf-router-bgp-neighbor-af)# maximum-prefix 20 100 warning-only
Supported Releases 10.3.0E or later
neighbor
Creates a remote peer for the BGP neighbor and enters BGP Neighbor mode.
Syntax neighbor ip address
Parameters ip address — Enter the IP address of the neighbor in dotted decimal format.
Default Not configured
Command Mode CONFIG-ROUTER-BGP
Usage Information Create a remote peer with the BGP neighbor. Always enter the IP address of a BGP peer with this command.
Command Mode ROUTER-BGP Usage Information Paths compare in the order they arrive. OS10 uses this method to choose different best paths from a set of paths, depending on the order they are received from the neighbors. MED may or may not be compared between adjacent paths. When you change the path selection from deterministic to nondeterministic, the path selection for the existing paths remains deterministic until you use the clear ip bgp command to clear the existing paths.
Usage Information You can enter the password either as plain text or in encrypted format. The password provided in ROUTER-NEIGHBOR mode takes preference over the password in ROUTER-TEMPLATE mode. The no version of this command disables authentication.
Example
OS10(conf-router-neighbor)# password abcdell
OS10(conf-router-neighbor)# password 9 f785498c228f365898c0efdc2f476b4b27c47d972c3cd8cd9b91f518c14ee42d
Supported Releases 10.3.
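The two password forms in the example above can be told apart mechanically when configuration snippets are reviewed before deployment. The following Python check is an added example, not part of the Dell EMC guide; it assumes, based only on the example above, that the keyword 9 introduces the encrypted form and that its value is hexadecimal. The sample configuration and its addresses are constructed.

```python
import re

# Strips CLI prompts such as "OS10(conf-router-neighbor)# " so pasted sessions
# and plain configuration files are handled the same way.
PROMPT = re.compile(r"^OS10(?:\([^)]*\))?#\s*")
HEX = re.compile(r"^[0-9a-fA-F]+$")


def audit_bgp_passwords(config_text):
    """Return (line_number, context, issue) for each BGP password line that is
    not in the encrypted form. The secret itself is never copied into a finding."""
    findings = []
    context = None  # the neighbor or template the current lines belong to
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:2] == ["router", "bgp"] or words[0] == "exit":
            context = None
        elif words[0] in ("neighbor", "template") and len(words) >= 2:
            context = f"{words[0]} {words[1]}"
        elif words[0] == "password" and context is not None:
            if len(words) == 3 and words[1] == "9":
                # Assumption: the encrypted value is hexadecimal, as in the guide's example.
                if not HEX.match(words[2]):
                    findings.append((lineno, context, "malformed-encrypted"))
            elif len(words) == 2:
                findings.append((lineno, context, "plaintext"))
            else:
                findings.append((lineno, context, "unrecognized"))
    return findings


# Constructed sample session; the encrypted value is a made-up hex string.
SAMPLE = """\
OS10(config)# router bgp 100
OS10(config-router-bgp-100)# template ebgppg
OS10(config-router-template)# password 9 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
OS10(config-router-template)# exit
OS10(config-router-bgp-100)# neighbor 192.0.2.1
OS10(conf-router-neighbor)# password abcdell
OS10(conf-router-neighbor)# exit
OS10(config-router-bgp-100)# neighbor 192.0.2.2
OS10(conf-router-neighbor)# password 9 not-hex-value
"""

if __name__ == "__main__":
    for lineno, context, issue in audit_bgp_passwords(SAMPLE):
        print(f"line {lineno}: {context}: {issue}")
```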
Defaults None
Command Modes CONFIG-ROUTER-NEIGHBOR CONFIG-ROUTER-TEMPLATE
Usage Information The no version of this command removes the remote AS.
Example
OS10(config)# router bgp 300
OS10(config-router-bgp-300)# template ebgppg
OS10(config-router-template)# remote-as 100
Supported Releases 10.4.1.0 or later
remove-private-as
Removes private AS numbers from receiving outgoing updates.
Supported Releases 10.4.1.0 or later
route-reflector-client
Configures a neighbor as a member of a route-reflector cluster.
Syntax route-reflector-client
Parameters None
Default Not configured
Command Mode ROUTER-TEMPLATE
Usage Information The device configures as a route reflector, and the BGP neighbors configure as clients in the route-reflector cluster. The no version of this command removes all clients of a route reflector—the router no longer functions as a route reflector.
1. Enter the ROUTER BGP mode using the router bgp as-number command.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# router-id 10.10.10.40
Supported Releases 10.3.0E or later
send-community
Sends a community attribute to a BGP neighbor or peer group.
Syntax send-community {extended | standard}
Parameters
● extended — Enter an extended community attribute.
● standard — Enter a standard community attribute.
show ip bgp Displays information that BGP neighbors exchange. Syntax show ip bgp [vrf vrf-name] ip-address/mask Parameters ● vrf vrf-name — (OPTIONAL) Enter vrf and then the name of the VRF to view route information corresponding to that VRF. ● ip-address/mask — Enter the IP address and mask in A.B.C.D/x format. Default Not configured Command Mode EXEC Usage Information None Example OS10# show ip bgp 1.1.1.0/24 BGP routing table entry for 1.1.1.
Supported Releases 10.3.0E or later show ip bgp flap-statistics Displays BGP flap statistics on BGP routes. Syntax show ip bgp [vrf vrf-name] flap-statistics Parameters None Default Not configured Command Mode EXEC Usage Information ● vrf vrf-name — (OPTIONAL) Enter vrf and then the name of the VRF to view flap statistics on BGP routes corresponding to that VRF. ● Network — Displays the network ID where the route is flapping.
Neighbor    AS     MsgRcvd   MsgSent   Up/Down     State/Pfx
80.1.1.2    800    8         4         00:01:10    5
Supported Releases 10.3.0E or later
show ip bgp ipv6 unicast
Displays route information for BGP IPv6 routes.
Syntax show ip bgp [vrf vrf-name] ipv6 unicast [neighbors] {ip-address/mask | summary} | multicast {ip-address/mask | neighbors} [denied-routes]
Parameters
● vrf vrf-name — (OPTIONAL) Enter vrf then the name of the VRF to view IPv6 unicast information corresponding to that VRF.
● BGP state — Displays the neighbor’s BGP state and the amount of time in hours:minutes:seconds it has been in that state.
● Last read — Displays the information included in the last read:
○ Last read is the time in hours:minutes:seconds that the router read a message from its neighbor.
○ Hold time is the number of seconds configured between messages from its neighbor.
○ Keepalive interval is the number of seconds between keepalive messages to help ensure that the TCP session is still alive.
*>55:0:0:1::/64 192:168:1::1 0 0 0 100i
*>55:0:0:2::/64 192:168:1::1 0 0 0 100i
*>55:0:0:3::/64 192:168:1::1 0 0 0 100i
*>55:0:0:4::/64 192:168:1::1 0 0 0 100i
*>55:0:0:5::/64 192:168:1::1 0 0 0 100i
*>55:0:0:6::/64 192:168:1::1 0 0 0 100i
*>55:0:0:7::/64 192:168:1::1 0 0 0 100i
*>55:0:0:8::/64 192:168:1::1 0 0 0 100i
*>55:0:0:9::/64 192:168:1::1 0 0 0 100i
*>172:16:1::/64 192:168:1::1 0 0 0 100?
Total number of prefixes: 11
OS10#
Example received-
Total number of prefixes: 10
OS10#
Supported Releases 10.3.0E or later
show ip bgp peer-group
Displays information on BGP peers in a peer-group.
Syntax show ip bgp [vrf vrf-name] peer-group peer-group-name
Parameters
● vrf vrf-name — (OPTIONAL) Enter vrf to view information on BGP peers in a peer group corresponding to that VRF.
● peer-group-name — (Optional) Enter the peer group name to view information about that peer-group only.
Command Mode EXEC
Usage Information
● Neighbor—Displays the BGP neighbor address.
● AS—Displays the AS number of the neighbor
● MsgRcvd—Displays the number of BGP messages that the neighbor received.
● MsgSent—Displays the number of BGP messages that the neighbor sent.
● Up/Down—Displays the amount of time that the neighbor is in the Established stage. If the neighbor has never moved into the Established stage, the word never displays.
show ipv6 route
Displays information about IPv6 BGP routing table entries.
Syntax show ipv6 route
Parameters None
Default Not configured
Command Mode EXEC
Usage Information This command displays information about IPv6 BGP routing table entries.
Example
OS10# show ipv6 route
Supported Releases 10.4.2.0 or later
soft-reconfiguration inbound
Enables soft-reconfiguration for a neighbor.
2. From the ROUTER BGP mode, enter the ROUTER BGP VRF mode using the vrf vrf-name command.
Example
OS10(conf-router-bgp-10)# template solar
OS10(conf-router-bgp-template)#
Supported Releases 10.3.0E or later
timers
Adjusts BGP keepalive and holdtime timers.
Syntax timers keepalive holdtime
Parameters
● keepalive—Enter the time interval, in seconds, between keepalive messages sent to the neighbor routers, from 1 to 65535.
Parameters number—Enter a number as the weight for routes, from 1 to 4294967295.
Default 0
Command Mode ROUTER-BGP-NEIGHBOR
Usage Information The path with the highest weight value is preferred in the best-path selection process. The no version of this command resets the value to the default.
Example
OS10(conf-router-bgp-neighbor)# weight 4096
Supported Releases 10.3.
Resilient hashing To increase bandwidth and for load balancing, traffic distributes across the next hops of an ECMP group or member ports of a port channel. OS10 uses a hash algorithm to determine a hash key. The egress port in a port channel or the next hop in an ECMP group is selected based on the hash key modulo the number of ports in a port channel or next hops in an ECMP group, respectively.
Examples Normal traffic flow without resilient hashing Traffic flow with resilient hashing enabled When you enable resilient hashing for ECMP groups, the flow-map table is created with 64 paths (the OS10 default maximum number of ECMP paths) and traffic is equally distributed. In the following example, traffic 1 maps to next hop 'A'; traffic 2 maps to next hop 'C'; and traffic 3 maps to next hop 'B.
Member link is added However, when a new member link is added, resilient hashing completes minimal remapping for better load balancing, as shown: Important notes ● Resilient hashing on port channels applies only for unicast traffic. ● For resilient hashing on ECMP groups, the ECMP path must be in multiples of 64. Before you enable resilient hashing, ensure that the maximum ECMP path is set to a multiple of 64. You can configure this value using the ip ecmp-group maximum-paths command.
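The effect described in this section, plain hash-key-modulo selection versus a fixed 64-entry flow-map, can be measured with a small simulation. This Python simulation is an added example, not OS10 code; the CRC-32 hash key, the slot-assignment policy and the sample flows are assumptions chosen for illustration.

```python
import zlib
from collections import Counter

TABLE_SIZE = 64  # flow-map slots; the guide gives 64 as the OS10 default maximum ECMP paths


def hash_key(flow):
    """Stand-in hash key: CRC-32 of the flow tuple (assumption, not the switch's hash)."""
    return zlib.crc32(repr(flow).encode())


def modulo_pick(flow, hops):
    """Plain hashing: hash key modulo the current number of next hops."""
    return hops[hash_key(flow) % len(hops)]


def build_flow_map(hops):
    """Fill a fixed-size flow-map so every next hop owns an equal share of slots."""
    return [hops[i % len(hops)] for i in range(TABLE_SIZE)]


def resilient_pick(flow, flow_map):
    """Resilient hashing: the slot index depends only on the fixed table size."""
    return flow_map[hash_key(flow) % TABLE_SIZE]


def remove_hop(flow_map, dead):
    """Reassign only the slots owned by the failed next hop; leave all others alone."""
    survivors = sorted(set(flow_map) - {dead})
    updated, k = list(flow_map), 0
    for slot, hop in enumerate(flow_map):
        if hop == dead:
            updated[slot] = survivors[k % len(survivors)]
            k += 1
    return updated


def add_hop(flow_map, new_hop):
    """Give the new next hop a fair share of slots, taken from the busiest hops."""
    updated = list(flow_map)
    counts = Counter(updated)
    fair_share = TABLE_SIZE // (len(counts) + 1)
    for _ in range(fair_share):
        donor = max(sorted(counts), key=lambda h: counts[h])
        slot = max(i for i, h in enumerate(updated) if h == donor)
        updated[slot] = new_hop
        counts[donor] -= 1
    return updated


def moved(flows, before, after):
    """Flows whose next hop differs between two selection functions."""
    return {f for f in flows if before(f) != after(f)}


# Constructed sample: 2000 synthetic flows (src, dst, protocol, source port, destination port).
FLOWS = [(f"10.0.{i % 250}.{i % 199 + 1}", "192.0.2.10", 6, 1024 + i, 443)
         for i in range(2000)]
HOPS = ["A", "B", "C", "D"]


def compare_removal(dead="C"):
    """Fraction of flows remapped when one next hop fails, under each scheme."""
    remaining = [h for h in HOPS if h != dead]
    table = build_flow_map(HOPS)
    table_after = remove_hop(table, dead)
    mod = moved(FLOWS, lambda f: modulo_pick(f, HOPS),
                lambda f: modulo_pick(f, remaining))
    res = moved(FLOWS, lambda f: resilient_pick(f, table),
                lambda f: resilient_pick(f, table_after))
    on_dead = {f for f in FLOWS if resilient_pick(f, table) == dead}
    return {"modulo": len(mod) / len(FLOWS),
            "resilient": len(res) / len(FLOWS),
            "only_dead_moved": res == on_dead}


if __name__ == "__main__":
    print(compare_removal())
    base = build_flow_map(HOPS)
    grown = add_hop(base, "E")
    print("slots changed when E is added:", sum(a != b for a, b in zip(base, grown)))
```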
Maximum ECMP groups and paths
The maximum number of ECMP groups supported on the switch depends on the maximum ECMP paths configured on the switch. To view the maximum number of ECMP groups and paths, use the show ip ecmp-group details command.
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
The default value for the maximum number of ECMP paths per group is 64.
Parameters
NOTE: The S5148F-ON platform supports only the crc parameter.
● ecmp—Enables the ECMP hash configuration.
● lag—Enables the LAG hash configuration for Layer 2 (L2) only.
● seed—Changes the hash algorithm seed value to get a better hash value.
● seed-value—Enter a hash algorithm seed value, from 0 to 4294967295.
● crc—Enables the cyclic redundancy check (CRC) polynomial for hash computation.
link-bundle-utilization trigger-threshold
Configures a threshold value to trigger traffic monitoring distribution on an ECMP link bundle.
Syntax link-bundle-utilization trigger-threshold value
Parameters value — Enter a link bundle trigger threshold value, from 0 to 100.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command disables the configuration.
Example
OS10(config)# link-bundle-utilization trigger-threshold 80
Supported Releases 10.2.
● TCP/UDP parameters: l4-destination-port l4-source-port The no version of this command resets the value to the default. Example (Ingress) OS10(config)# load-balancing ingress-port enable Example (IP Selection) OS10(config)# load-balancing ip-selection destination-ip source-ip Supported Releases 10.2.0E or later show enhanced-hashing resilient-hashing Displays the status of the enhanced-hashing command.
show ip ecmp-group details
Displays the number of ECMP groups and paths.
Syntax show ip ecmp-group details
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# show ip ecmp-group details
Maximum Number of ECMP Groups : 256
Maximum ECMP Path per Group : 64
Next boot configured Maximum ECMP Path per Group : 64
Supported Releases 10.4.3.0 or later
show load-balance
Displays the global traffic load-balance configuration.
You need to configure IPv4 routing for IP hosts to communicate with one another in the same network, or in different networks. Assign interface IP address You can assign primary and secondary IP addresses to a physical or logical interface to enable IP communication between the system and hosts connected to a specific interface. Assign one primary address and secondary IP addresses to each interface. By default, all ports are in the default VLAN—VLAN 1. 1.
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 Collisions, 0 wreddrops Rate Info(interval 299 seconds): Input 0 Mbits/sec, 0 packets/sec, 0% of line rate Output 0 Mbits/sec, 0 packets/sec, 0% of line rate Time since last interface status change: 3 weeks 1 day 20:54:37 Configure static routing You can configure a manual or static route for open shortest path first (
1. Configure an IP address and MAC address mapping for an interface in INTERFACE mode. ip arp ip-address mac address ● ip-address—IP address in dotted decimal format in A.B.C.D format. ● mac address—MAC address in nnnn.nnnn.nnnn format These entries do not age, and you can only remove them manually. To remove a static ARP entry, use the no arp ipaddress command. Configure static ARP entries OS10(config)# interface ethernet 1/1/6 OS10(conf-if-eth1/1/6)# ip arp 10.1.1.
clear ip route Clears the specified routes from the IP routing table. Syntax clear ip route [vrf vrf-name] {* | A.B.C.D/mask} Parameters ● vrf vrf-name — (Optional) Enter the keyword vrf and then the name of the VRF to clear the routes corresponding to that VRF. ● *—Clear the entire IP routing table. This option refreshes all the routes in the routing table. Traffic flow is affected for all the routes in the switch. ● A.B.C.D/mask —Specify the IP route to remove from the IP routing table.
Supported Releases 10.3.0E or later ip arp Configures static ARP and maps the IP address of the neighbor to a MAC address. Syntax ip arp mac-address Parameters mac-address — Enter the MAC address of the IP neighbor in A.B.C.D format. Default Not configured Command Mode INTERFACE Usage Information Do not use Class D (multicast) or Class E (reserved) IP addresses. Zero MAC addresses (00:00:00:00:00:00) are invalid. The no version of this command disables the IP ARP configuration.
Default Not configured Command Mode CONFIGURATION Usage Information The no version of this command deletes a static route configuration. Example OS10(config)# ip route 200.200.200.0/24 10.1.1.2 OS10(config)# ip route 200.200.200.0/24 interface null 0 Supported Releases 10.2.0E or later show ip arp Displays the ARP table entries for a specific IP address or MAC address, static, dynamic, and a summary of all ARP entries.
Example (Dynamic)
OS10# show ip arp dynamic
Address        Hardware address     Interface          Egress Interface
--------------------------------------------------------------------------------
192.168.2.2    90:b1:1c:f4:a6:e6    ethernet1/1/49:1   ethernet1/1/49:1
193.168.2.3    54:bf:64:e6:d4:c5    vlan4000           port-channel1000
Supported Releases 10.2.0E or later
show ip route
Displays IP route information.
Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, * - candidate default, + - summary route, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change --------------------------------------------------------------------------------------------------C 140.0.0.0/24 via 140.0.0.
Global IPv6 address: 2020::1/64 ...
As an alternative to stateless autoconfiguration, you can enable a network host to obtain IPv6 addresses using a DHCP server via stateful autoconfiguration using the ipv6 address dhcp command. A DHCPv6 server uses a prefix pool to configure a network address on an interface. The interface ID automatically generates.
Manually configured addresses
An interface can have multiple IPv6 addresses. To configure an IPv6 address in addition to the link-local address, use the ipv6 address ipv6-address/mask command.
The router redirect functionality in the NDP is similar to IPv4 router redirect messages. NDP uses ICMPv6 redirect messages (Type 137) to inform nodes that a better router exists on the link. Neighbor Discovery The IPv6 NDP determines if neighboring IPv6 devices are reachable and receives the IPv6 addresses of IPv6 devices on local links. Using the link-layer and global prefixes of neighbor addresses, OS10 performs stateless autoconfiguration of IPv6 addresses on interfaces.
● lifetime {preferred-lifetime seconds | infinite} — (Optional) Sets AdvPreferredLifetime in seconds for the prefix in the radvd.conf file. IPv6 addresses generated from the prefix using stateless autoconfiguration remain preferred for the configured lifetime. The default is 14400 seconds (4 hours). The infinite setting allows addresses that are autoconfigured using the prefix to be preferred with no time limit. By default, all prefixes configured in IPv6 addresses on an interface are advertised.
○ next-hop — Enter the next-hop IPv6 address in x:x:x:x::x format. ○ interface interface — Enter the interface type then the slot/port or number information. ○ route-preference — (Optional) Enter a route-preference range, from 1 to 255. After you configure a static IPv6 route, configure the forwarding router’s address on the interface. The IPv6 neighbor interface must have an IPv6 address configured.
View IPv6 static information OS10# show ipv6 route static Codes: C - connected S - static B - BGP, IN - internal BGP, EX - external BGP O - OSPF,IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, > - non-active route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change -----------------------------------------------------------------S 2111:dddd:eee::22/12via 2001:db86:fff::2 ethernet1/1/1 1/1 00
Default Not configured
Command Mode EXEC
Usage Information This command does not remove the static routes from the routing table.
Example
OS10# clear ipv6 route *
Supported Releases 10.3.0E or later
ipv6 address
Configures a global unicast IPv6 address on an interface.
Syntax ipv6 address ipv6-address/prefix-length
Parameters ipv6-address/prefix-length — Enter a full 128-bit IPv6 address with the network prefix length, including the 64-bit interface identifier.
ipv6 address dhcp
Enables DHCP client operations on the interface.
Syntax ipv6 address dhcp
Parameters None
Defaults None
Command Mode INTERFACE
Usage Information The no version of this command disables DHCP operations on the interface.
Example
OS10(config)# interface mgmt 1/1/1
OS10(conf-if-ma-1/1/1)# ipv6 address dhcp
Supported Releases 10.3.0E or later
ipv6 enable
Enables and disables IPv6 forwarding on an interface configured with an IPv6 address.
Supported Releases 10.4.0E(R1) or later ipv6 address link-local Configures a link-local IPv6 address on the interface to use instead of the link-local address that is automatically configured with stateless autoconfiguration. Syntax ipv6 address ipv6-prefix link-local Parameters ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format. Defaults None Command Mode INTERFACE Usage Information ● An interface can have only one link-local address.
Defaults Duplicate address discovery is enabled on an interface. Command Mode INTERFACE Usage Information ● An OS10 switch sends a neighbor solicitation message to determine if an autoconfigured IPv6 unicast link-local address is unique before assigning it to an interface. If the process of duplicate address discovery (DAD) detects a duplicate address in the network, the link-local address does not configure. Other IPv6 addresses are still active on the interface.
ipv6 nd max-ra-interval
Sets the maximum time interval between sending RA messages.
Syntax ipv6 nd max-ra-interval seconds
Parameters
● max-ra-interval seconds — Enter a time interval in seconds, from 4 to 1800.
Defaults 600 seconds
Command Mode INTERFACE
Usage Information The no version of this command restores the default time interval used to send RA messages.
Example
OS10(config)# interface ethernet 1/2/3
OS10(conf-if-eth1/2/3)# ipv6 nd max-ra-interval 300
Supported Releases 10.4.
ipv6 nd prefix
Configures the IPv6 prefixes that are included in messages to neighboring IPv6 routers.
Syntax ipv6 nd prefix {ipv6-prefix | default} [no-advertise] [no autoconfig] [no-rtr-address] [off-link] [lifetime {valid-lifetime seconds | infinite} {preferred-lifetime seconds | infinite}]
Parameters
● ipv6-prefix — Enter an IPv6 prefix in x:x::y/mask format to include the prefix in RA messages. Include prefixes that are not already in the subnets on the interface.
ipv6 nd ra-lifetime Sets the lifetime of the default router in RA messages. Syntax ipv6 nd ra-lifetime seconds Parameters ● ra-lifetime seconds — Enter a lifetime value in milliseconds, from 0 to 9000 milliseconds. Defaults Three times the max-ra-interval value Command Mode INTERFACE Usage Information The no version of this command restores the default lifetime value. 0 indicates that this router is not used as the default router.
ipv6 nd send-ra Enables sending ICMPv6 RA messages. Syntax ipv6 nd send-ra Parameters None Defaults RA messages are disabled. Command Mode INTERFACE Usage Information ● Using ICMPv6 RA messages, the Neighbor Discovery Protocol (NDP) advertises the IPv6 addresses of IPv6-enabled interfaces and learns of any address changes in IPv6 neighbors.
ipv6 unreachables Enables generating error messages on an interface for IPv6 packets with unreachable destinations. Syntax ipv6 unreachables Parameters None Defaults ICMPv6 unreachable messages are not sent. Command Mode INTERFACE Usage Information ● By default, when no matching entry for an IPv6 route is found in the IPv6 routing table, the packet drops and no error message is sent.
show ipv6 route Displays IPv6 routes. Syntax show ipv6 route [vrf vrf-name] [all | bgp | connected | static | A::B/mask | summary] Parameters ● vrf vrf-name — (Optional) Enter vrf then the name of the VRF to display IPv6 routes corresponding to that VRF. If you do not specify this option, routes corresponding to the default VRF display. ● all—(Optional) Displays all routes including nonactive routes. ● bgp—(Optional) Displays BGP route information.
Supported Releases 10.2.0E or later show ipv6 interface brief Displays IPv6 interface information. Syntax show ipv6 interface brief Parameters brief — Displays a brief summary of IPv6 interface information. Defaults None Command Mode EXEC Usage Information Use the do show ipv6 interface brief command to view IPv6 interface information in other modes.
Areas, networks, and neighbors The backbone of the network is Area 0, also called Area 0.0.0.0, the core of any AS. All other areas must connect to Area 0. An OSPF backbone distributes routing information between areas. It consists of all area border routers and networks not wholly contained in any area and their attached routers. The backbone is the only area with a default area number. You configure all other areas Area ID. If you configure two nonbackbone areas, you must enable the B bit in OSPF.
Backbone router A backbone router (BR) is part of the OSPF Backbone, Area 0, and includes all ABRs. The BR includes routers connected only to the backbone and another ABR, but are only part of Area 0—shown as Router I in the example. Area border router Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to. It may keep multiple copies of the link state database.
DRs and BDRs are configurable. If you do not define the DR or BDR, OS10 assigns them per the protocol. To determine which routers are the DR and BDR, OSPF looks at the priority of the routers on the segment. The default router priority is 1. The router with the highest priority is elected DR. If there is a tie, the router with the higher router ID takes precedence. After the DR is elected, the BDR is elected the same way. A router with a router priority set to zero cannot become a DR or BDR.
OSPF route limit OS10 supports up to 16,000 OSPF routes. Within this range, the only restriction is on intra-area routes that scale only up to 1000 routes. Other OSPF routes can scale up to 16 K. Shortest path first throttling Use shortest path first (SPF) throttling to delay SPF calculations during periods of network instability. In an OSPF network, a topology change event triggers an SPF calculation that is performed after a start time.
View OSPFv2 SPF throttling OS10(config-router-ospf-100)# do show ip ospf Routing Process ospf 100 with ID 12.1.1.1 Supports only single TOS (TOS0) routes It is Flooding according to RFC 2328 SPF schedule delay 1200 msecs, Hold time between two SPFs 2300 msecs Convergence Level 0 Min LSA origination 0 msec, Min LSA arrival 1000 msec Min LSA hold time 5000 msec, Max LSA wait time 5000 msec Number of area in this router is 1, normal 1 stub 0 nssa 0 Area (0.0.0.
6. Enable OSPFv2 on an interface in INTERFACE mode. ip ospf process-id area area-id ● process-id—Enter the OSPFv2 process ID for a specific OSPF process, from 1 to 65535. ● area-id—Enter the OSPFv2 area ID as an IP address (A.B.C.D) or number, from 1 to 65535. Enable OSPFv2 configuration OS10(config)# router ospf 100 OS10(conf-router-ospf-100)# exit OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# no shutdown OS10(conf-if-eth1/1/1)# no switchport OS10(conf-if-eth1/1/1)# ip address 11.1.1.
Enable OSPFv2 configuration OS10(config)# ip vrf vrf-blue OS10(config-vrf-blue)# router ospf 100 vrf-blue OS10(conf-router-ospf-100)# exit OS10(config)# interface ethernet 1/1/2 OS10(conf-if-eth1/1/2)# no shutdown OS10(conf-if-eth1/1/2)# no switchport OS10(conf-if-eth1/1/2)# ip vrf forwarding vrf-blue OS10(conf-if-eth1/1/1)# ip address 11.1.1.1/24 OS10(conf-if-eth1/1/1)# ip ospf 100 area 0.0.0.
2. Configure an area as a stub area in ROUTER-OSPF mode. area area-id stub [no-summary] ● area-id—Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535. ● no-summary—(Optional) Enter to prevent an ABR from sending summary LSA to the stub area. Configure stub area OS10(config)# router ospf 10 OS10(conf-router-ospf-10)# area 10.10.5.1 stub View stub area configuration OS10# show ip ospf Routing Process ospf 10 with ID 130.6.196.
You can disable a passive interface using the no ip ospf passive command. Fast convergence Fast convergence sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. A higher convergence level can result in occasional loss of OSPF adjacency. Convergence level 1 meets most convergence requirements. The higher the number, the faster the convergence, and the more frequent the route calculations and updates.
2. Change the cost associated with OSPF traffic on the interface in INTERFACE mode, from 1 to 65535. The default depends on the interface speed. ip ospf cost 3. Change the time interval, from 1 to 65535, that the router waits before declaring a neighbor dead in INTERFACE mode. The default time interval is 40. The dead interval must be four times the hello interval and must be the same on all routers in the OSPF network. ip ospf dead-interval seconds 4.
○ route-map map-name—Enter the name of a configured route map.
When you enable graceful restart, the restarting device retains the routes learned by OSPF in the forwarding table. To re-establish OSPF adjacencies with neighbors, the restart OSPF process sends a grace LSA to all neighbors. In response, the helper router enters Helper mode and sends an acknowledgement back to the restarting device. OS10 supports graceful restart Helper mode. Use the graceful-restart role helper-only command to enable Helper mode in ROUTER OSPF mode.
● Are the OSPF routes included in the routing table in addition to the OSPF database? ● Are you able to ping the IPv4 address of adjacent router interface? Troubleshooting OSPF with show commands ● View a summary of all OSPF process IDs enabled in EXEC mode. show running-configuration ospf ● View summary information of IP routes in EXEC mode. show ip route summary ● View summary information for the OSPF database in EXEC mode.
area nssa
Defines an area as a NSSA.
Syntax area area-id nssa [default-information-originate | no-redistribution | no-summary]
Parameters
● area-id — Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
● no-redistribution — (Optional) Prevents the redistribute command from distributing routes into the NSSA. Use no-redistribution command only in an NSSA ABR.
● no-summary — (Optional) Ensures that no summary LSAs are sent to the NSSA.
Example
OS10(config)# router ospf 10
OS10(conf-router-ospf-10)# area 10.10.1.5 stub
Supported Releases 10.2.0E or later
auto-cost reference-bandwidth
Calculates default metrics for the interface based on the configured auto-cost reference bandwidth value.
Syntax auto-cost reference-bandwidth value
Parameters value — Enter the reference bandwidth value to calculate the OSPF interface cost in megabits per second, from 1 to 4294967.
Usage Information This command clears the OSPF traffic statistics in a specified instance or in all the configured OSPF instances, and resets them to zero.
Example
OS10# clear ip ospf 10 vrf vrf-test statistics
Supported Releases 10.4.0E(R1) or later
default-information originate
Generates and distributes a default external route information to the OSPF routing domain.
Syntax default-information originate [always]
Parameters always — (Optional) Always advertise the default route.
NOTE: Only select higher convergence levels following consultation with Dell EMC Technical Support.
The no version of this command disables the fast-convergence configuration.
Example
OS10(conf-router-ospf-10)# fast-converge 3
Supported Releases 10.2.0E or later
graceful-restart
Enables Helper mode during a graceful or hitless restart.
Usage Information To exchange OSPF information, all neighboring routers in the same network must use the same authentication key. The no version of this command deletes the authentication key.
Example
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# ip ospf authentication-key sample
Supported Releases 10.3.0E or later
ip ospf cost
Changes the cost associated with the OSPF traffic on an interface.
Usage Information All routers in a network must have the same hello time interval between the hello packets. The no version of this command resets the value to the default.
NOTE: When you configure hello-interval for OSPF, the OSPF dead-interval value is implicitly set to a value four times greater than the hello-interval value.
Example
OS10(conf-if-vl-10)# ip ospf hello-interval 30
Supported Releases 10.2.
Default Broadcast
Command Mode INTERFACE
Usage Information The no version of this command resets the value to the default.
Example
OS10(conf-if-eth1/1/1)# ip ospf network broadcast
Supported Releases 10.2.0E or later
ip ospf passive
Configures an interface as a passive interface and suppresses both receiving and sending routing updates to the passive interface.
Parameters seconds — Enter a value in seconds as the interval between retransmission, from 1 to 3600.
Default 5 seconds
Command Mode INTERFACE
Usage Information Set the time interval to a number large enough to avoid unnecessary retransmission. The no version of this command resets the value to the default.
Example
OS10(conf-if-eth1/1/6)# ip ospf retransmit-interval 20
Supported Releases 10.2.
Command Mode ROUTER-OSPF
Usage Information Routers in the network do not prefer other routers as the next intermediate hop after they calculate the shortest path. The no version of this command disables the maximum metric advertisement configuration.
Example OS10(conf-router-ospf-10)# max-metric router-lsa
Supported Releases 10.2.0E or later
maximum-paths
Enables forwarding of packets over multiple paths.
router-id Configures a fixed router ID for the OSPF process. Syntax router-id ip-address Parameters ip-address — Enter the IP address of the router as the router ID. Default Not configured Command Mode ROUTER-OSPF Usage Information Configure an arbitrary value in the IP address format for each router. Each router ID must be unique. Use the fixed router ID for the active OSPF router process. Changing the router ID brings down the existing OSPF adjacency.
It is an Autonomous System Boundary Router It is Flooding according to RFC 2328 Convergence Level 0 Min LSA origination 0 msec, Min LSA arrival 1000 msec Min LSA hold time 5000 msec, Max LSA wait time 5000 msec Number of area in this router is 1, normal 1 stub 0 nssa 0 Area (0.0.0.0) Number of interface in this area is 3 SPF algorithm executed 38 times Area ranges are Supported Releases 10.2.0E or later show ip ospf asbr Displays all the ASBR visible to OSPF.
Example OS10# show ip ospf 10 database OSPF Router with ID (111.2.1.1) (Process ID 10) Router (Area 0.0.0.0) Link ID count 111.2.1.1 111.111.111.1 111.111.111.2 112.2.1.1 112.112.112.1 112.112.112.2 ADV Router Age Seq# Checksum 111.2.1.1 111.111.111.1 111.111.111.2 112.2.1.1 112.112.112.1 112.112.112.
Link State ID: 8.1.1.1 Advertising Router: 2.2.2.2 LS Seq Number: 0x80000001 Checksum: 0xB595 Length: 28 Network Mask: /0 TOS: 0 Metric: 0 Supported Releases 10.2.0E or later show ip ospf database external Displays information about the AS external Type 5 LSAs. Syntax show ip ospf [process-id] [vrf vrf-name] database external Parameters ● process-id—(Optional) Displays AS external Type 5 LSA information for a specified OSPF process ID.
show ip ospf database network Displays information about network Type 2 LSA information. Syntax show ip ospf [process-id] [vrf vrf-name] database network Parameters ● process-id — (Optional) Displays network Type2 LSA information for a specified OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process. ● vrf vrf-name — (Optional) Displays network Type2 LSA information for a specified OSPF process ID corresponding to a VRF.
● LS Type — Displays the LS type.
● Link State ID — Identifies the router ID.
● Advertising Router — Identifies the advertising router’s ID.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
● Network Mask—Identifies the network mask implemented on the area.
● TOS—Displays the ToS options. The only option available is zero.
Example
Length: 36 Network Mask: /24 Metric Type: 2 TOS: 0 Metric: 20 Forward Address: 0.0.0.0 External Route Tag: 0 LS age: 65 Options: (No TOS-Capability, No DC, No Type 7/5 translation) LS type: NSSA External Link State ID: 14.1.1.0 Advertising Router: 2.2.2.2 LS Seq Number: 0x80000001 Checksum: 0xA303 Length: 36 Network Mask: /24 Metric Type: 2 TOS: 0 Metric: 20 Forward Address: 0.0.0.0 External Route Tag: 0 Supported Releases 10.2.
Opaque Type: 8 Opaque ID: 65794 !! !
Supported Releases 10.2.0E or later
show ip ospf database opaque-as
Displays information about the opaque-as Type 11 LSAs.
Syntax show ip ospf [process-id] opaque-as
Parameters process-id — (Optional) Displays opaque-as Type 11 LSA information for a specified OSPF process ID. If you do not enter a process ID, this command applies only to the first OSPF process.
Command Mode EXEC
Usage Information
● LS Age — Displays the LS age.
● Options — Displays the optional capabilities available on the router.
● LS Type — Displays the LS type.
● Link State ID — Identifies the router ID.
● Advertising Router — Identifies the advertising router’s ID.
● LS Seq Number — Identifies the LS sequence number. This identifies old or duplicate LSAs.
● Checksum — Displays the Fletcher checksum of an LSA’s complete contents.
● Length — Displays the LSA length in bytes.
Example
Router (Area 0.0.0.0) LS age: 1419 Options: (No TOS-capability, No DC, E) LS type: Router Link State ID: 111.2.1.1 Advertising Router: 111.2.1.1 LS Seq Number: 0x8000000d Checksum: 0x9bf2 Length: 60 AS Boundary Router Number of Links: 3 Link connected to: a Transit Network (Link ID) Designated Router address: 110.1.1.2 (Link Data) Router Interface address: 110.1.1.1 Number of TOS metric: 0 TOS 0 Metric: 1 Link connected to: a Transit Network (Link ID) Designated Router address: 111.1.1.
Summary Network (Area 0.0.0.0) LS age: 623 Options: (No TOS-capability, No DC) C: Summary Network Link State ID: 115.1.1.0 Advertising Router: 111.111.111.1 LS Seq Number: 0x800001e8 Checksum: 0x4a67 Length: 28 Network Mask: /24 TOS: 0 Metric: 0 Supported Releases 10.2.0E or later show ip ospf interface Displays the configured OSPF interfaces. You must enable OSPF to display output.
Usage Information Displays the cost metric for each neighbor and interfaces.
Example
OS10# show ip ospf 10 routes
Prefix      Cost  Nexthop   Interface  Area     Type
110.1.1.0   1     0.0.0.0   vlan3050   0.0.0.0  intra-area
111.1.1.0   1     0.0.0.0   vlan3051   0.0.0.0  intra-area
111.2.1.0   1     0.0.0.0   vlan3053   0.0.0.0  intra-area
Supported Releases 10.2.0E or later
show ip ospf statistics
Displays OSPF traffic statistics.
0 version-mismatch 0 area-mismatch 0
Supported Releases 10.2.0E or later
show ip ospf topology
Displays routers that directly connect to OSPF areas.
Syntax show ip ospf [process-id] [vrf vrf-name] topology
Parameters
● process-id — (Optional) Displays OSPF process information. If you do not enter a process ID, this applies only to the first OSPF process.
● vrf vrf-name — (Optional) Displays the routers in the directly connected OSPF areas in the configured VRF.
timers lsa arrival Configures the LSA acceptance intervals. Syntax timers lsa arrival arrival-time Parameters arrival-time — Set the interval between receiving the LSA in milliseconds, from 0 to 600,000. Default 1000 milliseconds Command Mode ROUTER-OSPF Usage Information Setting the LSA arrival time between receiving the LSA repeatedly ensures that the system gets enough time to accept the LSA. The no version of this command resets the value to the default.
Number of interface in this area is 1 SPF algorithm executed 1 times Supported Releases 10.4.0E(R1) or later timers throttle lsa all Configures the LSA transmit intervals. Syntax timers lsa all [start-interval | hold-interval | max-interval] Parameters ● start-interval — Sets the minimum interval between initial sending and re-sending the same LSA in milliseconds, from 0 to 600,000. ● hold-interval — Sets the next interval to send the same LSA in milliseconds.
5. Enable OSPFv3 on an interface in INTERFACE mode.
ipv6 ospfv3 process-id area area-id
● process-id — Enter the OSPFv3 process ID for a specific OSPFv3 process, from 1 to 65535.
● area-id — Enter the OSPF area ID as an IP address in A.B.C.D format or number, from 1 to 65535.
VRF instance to another without removing these existing Layer3 or OSPF configurations, these configurations do not take effect in the new VRF instance. Consider a scenario where the OSPF instance 100 is configured on the default VRF instance and the OSPF instance 200 is configured on the non-default VRF instance named VRF-Red. The interface eth1/1/1 on the default VRF instance is attached to an OSPF process 100 area 1.
ipv6 ospf 65 area 0.0.0.2
!
router ospfv3 65
 area 0.0.0.2 stub no-summary
OS10# show ipv6 ospf database
OSPF Router with ID (199.205.134.103) (Process ID 65)
Router Link States (Area 0.0.0.2)
ADV Router       Age  Seq#        Fragment ID  Link count  Bits
------------------------------------------------------------------
199.205.134.103  32   0x80000002  0            1
202.254.156.15   33   0x80000002  0            1           B
Net Link States (Area 0.0.0.2)
ADV Router  Age  Seq#  Link ID  Rtr count
----------------------------------------------------------
202.254.
ip address 10.10.10.1/24 no switchport no shutdown ipv6 ospf 100 area 0 ipv6 ospf passive !! ! Interface OSPFv3 Parameters Interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. 1. Enter the interface to change the OSPFv3 parameters in CONFIGURATION mode. interface interface-name 2.
Configure default route
OS10(config)# router ospfv3 100
OS10(config-router-ospf-100)# default-information originate always
View default route configuration
OS10(config-router-ospf-100)# show configuration
!
router ospfv3 100
 default-information originate always
OSPFv3 IPsec authentication and encryption
Unlike OSPFv2, OSPFv3 does not have authentication fields in its protocol header to provide security.
To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6 ospf authentication null command.
○ ipsec spi number — Enter a unique security policy index (SPI) value, from 256 to 4294967295.
○ md5 — Enable message digest 5 (MD5) authentication.
○ sha1 — Enable secure hash algorithm 1 (SHA1) authentication.
○ key — Enter the text string used in the authentication type. All OSPFv3 routers in the area share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits.
● Are adjacencies established correctly?
● Are the interfaces configured for L3 correctly?
● Is the router in the correct area type?
● Are the OSPF routes included in the OSPF database?
● Are the OSPF routes included in the routing table in addition to the OSPF database?
● Are you able to ping the link-local IPv6 address of adjacent router interface?
Troubleshooting OSPFv3 with show Commands
● View a summary of all OSPF process IDs enabled in EXEC mode.
Supported Releases 10.4.0E(R1) or later area encryption Configures encryption for an OSPFv3 area. Syntax area area-id encryption ipsec spi number esp encryption-type key authentication-type key Parameters ● area area-id — Enter an area ID as a number or IPv6 prefix. ● ipsec spi number — Enter a unique security policy index number, from 256 to 4294967295. ● esp encryption-type — Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL).
Supported Releases 10.3.0E or later auto-cost reference-bandwidth Calculates default metrics for the interface based on the configured auto-cost reference bandwidth value. Syntax auto-cost reference-bandwidth value Parameters value — Enter the reference bandwidth value to calculate the OSPFv3 interface cost in megabits per second, from 1 to 4294967.
Example OS10# clear ipv6 ospf 100 statistics
Supported Releases 10.4.0E(R1) or later
default-information originate
Generates and distributes default external route information to the OSPFv3 routing domain.
Syntax default-information originate [always]
Parameters always — (Optional) Always advertise the default route.
Defaults Disabled
Command Mode ROUTER-OSPFv3
Usage Information The no version of this command disables the distribution of the default route.
Command Mode INTERFACE Usage Information ● Before you enable IPsec authentication on an OSPFv3 interface, you must enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area. ● The SPI value must be unique to one IPsec authentication or encryption security policy on the router. You cannot configure the same SPI value on another interface even if it uses the same authentication or encryption algorithm.
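The constraints stated in this section (SPI range, one SPI per policy on the router, 32 hex digits for a non-encrypted MD5 key) can be checked offline before a change is pushed. The following Python sketch is an added example, not Dell EMC code; it assumes the command form `ipv6 ospf authentication ipsec spi number {md5 | sha1} key` implied by the parameter list, and the sample configuration, interface names and keys are constructed.

```python
import re

# Constructed sample configuration (not from the guide). The authentication
# command form is assumed from the parameters this section lists; the
# interfaces, SPI values and keys are made up for the example.
SAMPLE_CONFIG = """\
interface ethernet1/1/1
 ipv6 ospf 100 area 0
 ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678
!
interface ethernet1/1/2
 ipv6 ospf 100 area 0
 ipv6 ospf authentication ipsec spi 400 sha1 1234567812345678123456781234567812345678
!
interface ethernet1/1/3
 ipv6 ospf 100 area 0
 ipv6 ospf authentication ipsec spi 100 md5 secret-passphrase
!
interface vlan10
 ipv6 ospf 100 area 0
 ipv6 ospf authentication null
"""

SPI_MIN, SPI_MAX = 256, 4294967295  # range stated in the guide

# Any authentication or encryption policy that carries an SPI, at interface
# or area level; group 3 is whatever follows the SPI number.
POLICY_RE = re.compile(
    r"\b(authentication|encryption)\s+ipsec\s+spi\s+(\d+)(.*)$", re.IGNORECASE)
MD5_KEY_RE = re.compile(r"^\s+md5\s+(\S+)", re.IGNORECASE)
HEX32_RE = re.compile(r"[0-9A-Fa-f]{32}")


def lint_ospfv3_ipsec(config_text):
    """Return findings as (line_number, context, code, detail) tuples.

    The key itself is never copied into a finding, because the guide says
    only non-encrypted keys are supported and findings tend to end up in
    tickets and logs.
    """
    findings = []
    first_use = {}      # spi -> (line_number, context) of its first policy
    context = "global"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            context = line          # e.g. "interface ethernet1/1/1"
            continue
        if line.startswith("no "):
            continue                # a removal, not a policy
        match = POLICY_RE.search(line)
        if not match:
            continue
        kind = match.group(1).lower()
        spi = int(match.group(2))
        rest = match.group(3)

        if not SPI_MIN <= spi <= SPI_MAX:
            findings.append((lineno, context, "spi-range",
                             f"SPI {spi} is outside {SPI_MIN}-{SPI_MAX}"))
        if spi in first_use:
            prev_line, prev_ctx = first_use[spi]
            findings.append((lineno, context, "spi-duplicate",
                             f"SPI {spi} already used at line {prev_line} ({prev_ctx})"))
        else:
            first_use[spi] = (lineno, context)

        if kind == "authentication":
            key = MD5_KEY_RE.match(rest)
            if key and not HEX32_RE.fullmatch(key.group(1)):
                findings.append((lineno, context, "md5-key-format",
                                 "MD5 key is not 32 plain hex digits"))
    return findings


if __name__ == "__main__":
    for lineno, context, code, detail in lint_ospfv3_ipsec(SAMPLE_CONFIG):
        print(f"line {lineno} [{context}] {code}: {detail}")
```

Because the keys sit in the configuration as plain text, treat any saved copy of the configuration that this check reads as sensitive material.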
ipv6 ospf encryption Configures OSPFv3 encryption on an IPv6 interface. Syntax ipv6 ospf encryption {ipsec spi number esp encryption-type key authentication-type key | null} Parameters ● ipsec spi number — Enter a unique security policy index number, from 256 to 4294967295. ● esp encryption-type — Enter the encryption algorithm used with ESP (3DES, DES, AES-CBC, or NULL). For AES-CBC, only the AES-128 and AES-192 ciphers are supported. ● key — Enter the text string used in the encryption algorithm.
ipv6 ospf network Sets the network type for the interface. Syntax ipv6 ospf network {point-to-point | broadcast} Parameters ● point-to-point — Sets the interface as part of a point-to-point network. ● broadcast — Sets the interface as part of a broadcast network. Default Broadcast Command Mode INTERFACE Usage Information The no version of this command resets the value to the default.
Example OS10(config)# interface ethernet 1/1/6
OS10(conf-if-eth1/1/6)# ipv6 ospf priority 4
Supported Releases 10.3.0E or later
log-adjacency-changes
Enables logging of syslog messages about changes in the OSPFv3 adjacency state.
Syntax log-adjacency-changes
Parameters None
Default Disabled
Command Mode ROUTER-OSPFv3
Usage Information The no version of this command resets the value to the default.
Command Mode ROUTER-OSPFv3
Usage Information When an OSPFv3 redistributes, the process is not completely removed from the BGP configuration. The no version of this command disables the redistribute configuration.
Example OS10(config)# router ospfv3 100
OS10(config-router-ospfv3-100)# redistribute bgp 4 route-map dell1
Example (Connected) OS10(config-router-ospfv3-100)# redistribute connected route-map dell2
Supported Releases 10.3.
show ipv6 ospf Displays OSPFv3 instance configuration information. Syntax show ipv6 ospf [instance-number] Parameters instance-number — (Optional) View OSPFv3 information for a specified instance number, from 1 to 65535. Default None Command Mode EXEC Usage Information None Example Supported Releases OS10# show ipv6 ospf Routing Process ospfv3 200 with ID 1.1.1.
Example
OS10# show ipv6 ospf database
OSPF Router with ID (10.0.0.2) (Process ID 200)
Router Link States (Area 0.0.0.0)
ADV Router  Age   Seq#        Fragment ID  Link count  Bits
------------------------------------------------------------------
1.1.1.1     1610  0x80000144  0            1           B
2.2.2.2     1040  0x8000013A  0            1
10.0.0.2    1039  0x80000002  0            1
Net Link States (Area 0.0.0.0)
ADV Router  Age  Seq#  Link ID  Rtr count
----------------------------------------------------------
2.2.2.
show ipv6 ospf neighbor Displays a list of OSPFv3 neighbors connected to the local router. Syntax show ipv6 ospf [vrf vrf-name] neighbor Parameters ● vrf vrf-name — Enter the keyword vrf followed by the name of the VRF to display a list of OSPFv3 neighbors in that VRF. Default Not configured Command Mode EXEC Usage Information ● ● ● ● ● ● Example Supported Releases Neighbor ID—Displays the neighbor router ID. Pri—Displays the priority assigned neighbor.
mtu-mismatch 0 nbr-ignored 0 resource-err 0 bad-lsa-len 0 lsa-bad-type 0 lsa-bad-len 0 lsa-bad-cksum 0 hello-tmr-mismatch 0 dead-ivl-mismatch 0 options-mismatch 0 nbr-admin-down 0 own-hello-drop 0 self-orig 0 wrong-length 0 version-mismatch 0 area-mismatch 0 Supported Releases 10.4.0E(R1) or later timers spf (OSPFv3) Enables shortest path first (SPF) throttling to delay an SPF calculation when a topology change occurs.
Object tracking manager OTM allows you to track the link status of Layer 2 (L2) interfaces, and the reachability of IPv4 and IPv6 hosts. You can increase the availability of the network and shorten recovery time if an object state goes Down. Object tracking monitors the status of tracked objects and communicates any changes made to interested client applications. OTM client applications are virtual router redundancy protocol (VRRP) and policy-based routing (PBR).
When the link-level status goes down, the tracked resource status is also considered Down. If the link-level status goes up, the tracked resource status is also considered Up. For logical interfaces such as port-channels or VLANs, the link-protocol status is considered Up if any physical interface under the logical interface is Up.
3. Configure the time delay used before communicating a change in the status of a tracked route in OBJECT TRACKING mode.
delay [up seconds] [down seconds]
4. Track the host by checking the reachability periodically in OBJECT TRACKING mode.
reachability-refresh interval
5. View the tracking configuration and the tracked object status in EXEC mode.
show track object-id
Configure IPv4 host tracking
OS10 (conf-track-1)# track 2
OS10 (conf-track-2)# ip 1.1.1.
View brief object tracking information OS10# show track brief TrackID Resource Parameter Status LastChange --------------------------------------------------------------------------------1 line-protocol ethernet1/1/1 DOWN 2017-02-03T08:41:25Z1 2 ipv4-reachablity 1.1.1.
Supported Releases 10.3.0E or later interface line-protocol Configures an object to track a specific interface's line-protocol status. Syntax interface interface line-protocol Parameters interface — Enter the interface information: ● ethernet — Physical interface. ● port-channel — Enter the port-channel identifier. ● vlan — Enter the VLAN identifier. ● loopback — Enter the Loopback interface identifier. ● mgmt — Enter the Management interface.
Example OS10(config)# track 200
OS10(conf-track-200)# ipv6 10::1 reachability
Supported Releases 10.3.0E or later
reachability-refresh
Configures a polling interval for reachability tracking.
Syntax reachability-refresh interval
Parameters interval — Enter the polling interval value. A maximum of 3600 seconds.
Defaults 0 seconds
Command Mode CONFIGURATION
Usage Information Set the interval to 0 to disable the refresh.
Parameters object-id — Enter the object ID to track. A maximum of 500.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information The no version of this command deletes the tracked object from an interface.
Example OS10# track 100
Supported Releases 10.3.0E or later
Policy-based routing
PBR provides a mechanism to redirect IPv4 and IPv6 data packets based on the policies defined to override the switch’s forwarding decisions based on the routing table.
Set address to match route-map
You can set an IPv4 or IPv6 address to match a route-map.
1. Enter the IPv4 or IPv6 address to match and specify the access-list name in Route-Map mode.
match {ip | ipv6} address access-list-name
2. Set the next-hop IP address in Route-Map mode.
set {ip | ipv6} next-hop ip-address
Apply match and set parameters to IPv4 route-map
OS10(conf-route-map)# route-map map1
OS10(conf-route-map)# match ip address acl5
OS10(conf-route-map)# set ip next-hop 10.10.10.
ethernet1/1/3  abc
vlan100        abc
Verify IPv6 PBR configuration
OS10# show ipv6 policy abc
Interface      Route-map
------------------------
ethernet1/1/1  abc
ethernet1/1/3  abc
vlan100        abc
View current PBR statistics
show route-map pbr-sample pbr-statistics
route-map pbr-sample, permit, sequence 10
Policy routing matches: 84 packets
Policy-based routing per VRF
Configure PBR per VRF instance for both IPv4 and IPv6 traffic flows.
{ip | ipv6} policy route-map route-map-name
7. View the route-map information.
show route-map
OS10(conf-if-vl-40)# do show route-map
route-map test, permit, sequence 10
Match clauses:
 ip address (access-lists): acl1
Set clauses:
 ip vrf red next-hop 1.1.1.1 track-id 200
Sample configuration
Consider a scenario where traffic from source IP address 1.1.1.1 ingresses through VLAN40 that is part of VRF RED. The egress interface for this traffic is also on the same VRF RED with IP address 4.4.4.4, as shown.
Track route reachability
Track IPv4 or IPv6 reachability using object tracking. To configure tracking over the routes that are reachable through a VRF instance:
1. Configure object tracking.
track track-id
OS10(config)# track 200
2. Configure reachability of the next-hop address through the VRF instance.
ip ip-address reachability vrf vrf-name
OS10(conf-track-200)#
OS10(conf-track-200)# ip 1.1.1.1 reachability vrf red
OS10(conf-track-200)# exit
3. Configure the route-map.
● Create an ACL and define what should be enabled for PBR processing.
ip access-list TEST-ACL
 seq 10 permit tcp any any eq 80
 seq 20 permit tcp any any eq 443
 seq 30 permit tcp any any eq 21
 seq 40 permit icmp any any
● Create an ACL and define what should be excluded from PBR processing.
ip access-list TEST-ACL-DENY
 seq 10 deny tcp 10.99.0.0/16 10.0.0.0/8 eq 80
 seq 20 deny tcp 10.99.0.0/16 10.0.0.0/8 eq 443
 seq 30 deny tcp 10.99.0.0/16 10.0.0.0/8 eq 21
 seq 40 deny icmp 10.99.0.0/16 10.0.0.
ip vrf red next-hop 1.1.1.1 track-id 200
!
PBR commands
clear route-map pbr-statistics
Clears all PBR counters.
Syntax clear route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults None
Command Mode EXEC
Usage Information None
Example OS10# clear route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
match address
Matches the access-list to the route-map.
Supported Releases 10.3.0E or later
route-map pbr-statistics
Enables counters for PBR statistics.
Syntax route-map [map-name] pbr-statistics
Parameters map-name—Enter the name of a configured route-map. A maximum of 140 characters.
Defaults Not configured
Command Mode CONFIGURATION
Usage Information None
Example OS10(config)# route-map map1 pbr-statistics
Supported Releases 10.3.0E or later
set next-hop
Sets an IPv4 or IPv6 next-hop address for policy-based routing.
Command Mode ROUTE-MAP Usage Information You must configure next-hop IP address tracking and PBR next-hop with the same VRF instance. For next-hop reachability in the same VRF instance, you must configure both PBR per VRF and object tracking. Missing either the next-hop IP address tracking or PBR next-hop configuration in a VRF instance results in an erroneous configuration. However, the system does not display an error message indicating problems in the configuration.
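Because the system stays silent when the tracked next-hop and the PBR next-hop sit in different VRF instances, the mismatch has to be found by inspecting the configuration. The following Python check is an added example, not Dell EMC code; it assumes a running-config layout modelled on the track, reachability and set next-hop commands shown in this chapter, treats a missing vrf keyword as the default VRF, and runs on a constructed sample.

```python
import ipaddress
import re

# Constructed sample (not from the guide). The layout is an assumption built
# from the commands this chapter shows: "track <id>", "ip <addr> reachability
# vrf <name>" and "set ip vrf <name> next-hop <addr> track-id <id>".
SAMPLE_CONFIG = """\
track 200
 ip 1.1.1.1 reachability vrf red
!
track 201
 ip 2.2.2.2 reachability
!
track 202
 ip 5.5.5.5 reachability vrf red
!
route-map test permit 10
 match ip address acl1
 set ip vrf red next-hop 1.1.1.1 track-id 200
!
route-map test2 permit 10
 match ip address acl2
 set ip vrf blue next-hop 2.2.2.2 track-id 201
!
route-map test3 permit 10
 match ip address acl3
 set ip vrf red next-hop 3.3.3.3 track-id 300
!
route-map test4 permit 10
 match ip address acl4
 set ip vrf red next-hop 4.4.4.4 track-id 202
"""

DEFAULT_VRF = "default"  # assumption: no "vrf" keyword means the default VRF

TRACK_RE = re.compile(r"^track\s+(\d+)\s*$")
ROUTE_MAP_RE = re.compile(r"^route-map\s+(\S+)")
REACH_RE = re.compile(
    r"^\s+(?:ip|ipv6)\s+(\S+)\s+reachability(?:\s+vrf\s+(\S+))?\s*$")
SET_RE = re.compile(
    r"^\s+set\s+(?:ip|ipv6)\s+(?:vrf\s+(\S+)\s+)?next-hop\s+(\S+)"
    r"\s+track-id\s+(\d+)\s*$")


def parse_config(config_text):
    """Collect track objects and tracked PBR set clauses from config text."""
    declared = set()   # every track ID that exists, whatever it tracks
    reach = {}         # track ID -> (address, vrf) for reachability objects
    clauses = []       # (route_map, vrf, next_hop, track_id)
    section = None     # ("track", id) or ("route-map", name)
    for raw in config_text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if not raw[0].isspace():            # top-level line opens a section
            track, rmap = TRACK_RE.match(raw), ROUTE_MAP_RE.match(raw)
            if track:
                section = ("track", int(track.group(1)))
                declared.add(section[1])
            elif rmap:
                section = ("route-map", rmap.group(1))
            else:
                section = None
            continue
        if section is None:
            continue
        if section[0] == "track":
            m = REACH_RE.match(raw)
            if m:
                reach[section[1]] = (m.group(1), m.group(2) or DEFAULT_VRF)
        else:
            m = SET_RE.match(raw)
            if m:
                clauses.append((section[1], m.group(1) or DEFAULT_VRF,
                                m.group(2), int(m.group(3))))
    return declared, reach, clauses


def check_pbr_tracking(config_text):
    """Return (route_map, track_id, code) for every inconsistent set clause."""
    declared, reach, clauses = parse_config(config_text)
    findings = []
    for route_map, vrf, next_hop, track_id in clauses:
        if track_id not in declared:
            findings.append((route_map, track_id, "track-missing"))
        elif track_id not in reach:
            findings.append((route_map, track_id, "track-not-reachability"))
        else:
            address, track_vrf = reach[track_id]
            if track_vrf != vrf:
                findings.append((route_map, track_id, "vrf-mismatch"))
            # Compare parsed addresses so equivalent IPv6 spellings match.
            if ipaddress.ip_address(address) != ipaddress.ip_address(next_hop):
                findings.append((route_map, track_id, "target-mismatch"))
    return findings


if __name__ == "__main__":
    for route_map, track_id, code in check_pbr_tracking(SAMPLE_CONFIG):
        print(f"route-map {route_map}: track {track_id}: {code}")
```

The target-mismatch finding is advisory: it flags a set clause whose track object watches a different address than the next-hop it steers traffic to, which the section's procedure does not describe.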
VRRP:
● Provides a virtual default routing platform
● Provides load balancing
● Supports multiple logical IP subnets on a single LAN segment
● Enables simple traffic routing without the single point of failure of a static default route
● Avoids issues with dynamic routing and discovery protocols
● Takes over a failed default router:
  ○ Within a few seconds
  ○ With a minimum of VRRP traffic
  ○ Without any interaction from hosts
Configuration
VRRP specifies a master, or active, router that owns the next-hop IP
on the interface and the interface goes down, the VRRP group's priority decreases. The lowered priority of the VRRP group triggers an election and Router B becomes the master router. See Interface/object tracking for more information. Create virtual router VRRP uses the VRID to identify each virtual router configured. Before using VRRP, you must configure the interface with the primary IP address and enable it.
Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the virtual IP address to the VRRP group. To activate a VRRP group on an interface, configure at least one virtual IP address for a VRRP group. The virtual IP address is the IP address of the virtual router and does not require an IP address mask. You can configure up to 10 virtual IP addresses on a single VRRP group (VRID).
switchport access vlan 1
--more--
View VRRP information
When the VRRP process completes initialization, the State field contains either master or backup.
OS10# show vrrp brief
Interface      Group    Priority  Preemption  State   Master-addr  Virtual addr(s)
----------------------------------------------------------------------------
ethernet1/1/1  IPv4 10  100       true        master  10.1.1.8     10.1.1.8
View VRRP group 1
OS10# show vrrp 1
Interface : ethernet1/1/1 IPv4 VRID : 1
Primary IP Address : 10.1.1.
OS10(conf-if-eth1/1/1)# ip vrf forwarding vrf-test OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24 OS10(conf-if-eth1/1/1)# vrrp-group 10 OS10(conf-eth1/1/1-vrid-10)# virtual-address 10.1.1.8 Before removing an interface from a VRF, delete the configured VRRP groups from the interface associated with the VRF. If you do not delete the configured VRRP groups, these groups remain active on the default VRF resulting in duplicate virtual IP address configurations.
simple-text text — Enter the keyword and a simple text password.
Advertisement interval By default, the master router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the master router. If the VRRP group misses three consecutive advertisements, the election process begins and the backup virtual router with the highest priority transitions to master.
For a virtual group, track the line-protocol state of any interface using the interface command. Enter an interface type and node/slot/port[:subport] information, or VLAN number: ● ethernet — Physical interface, from 1 to 48 ● vlan — VLAN interface, from 1 to 4093 For a virtual group, track the status of a configured object using the track command and the object number. You can also configure a tracked object for a VRRP group with this command before you create the tracked object.
interface mgmt1/1/1
 no shutdown
!
support-assist
!
track 10
 interface ethernet1/1/7 line-protocol
To associate a track object with a VRRP group, use the track command inside VRRP GROUP CONFIGURATION mode.
VRRP commands
advertise-interval
Sets the time interval between VRRP advertisements.
Syntax advertise-interval [seconds | centisecs centisecs]
Parameters
● seconds — Set the advertise interval in seconds, from 1 to 255.
Command Mode INTERFACE-VRRP
Usage Information VRRP uses preempt to determine what happens after a VRRP backup router becomes the master. With preempt enabled by default, VRRP switches to a backup if that backup router comes online with a priority higher than the new master router. If you disable preempt, VRRP switches only if the master fails. The no version of this command disables preemption.
Example OS10(conf-eth1/1/5-vrid-254)# preempt
Supported Releases 10.2.
Primary IP Address : 10::1 State : master-state Virtual MAC Address : 00:00:5e:00:02:01 Version : version-3 Priority : 200 Preempt : Hold-time : Authentication : no-authentication Virtual IP address : 10::1 master-transitions : 1 advertise-rcvd : 0 advertise-interval-errors : 0 ip-ttl-errors : 0 priority-zero-pkts-rcvd : 0 priority-zero-pkts-sent : 0 invalid-type-pkts-rcvd : 0 address-list-errors : 0 pkt-length-errors : 0 Supported Releases 10.2.
Supported Releases 10.2.0E or later virtual-address Configures up to 10 virtual router IP addresses in the VRRP group. Set at least one virtual IP address for the VRRP group to start sending VRRP packets. Syntax virtual-address ip-address1 [ip-address2...ip-address10] Parameters ● ip-address1 — Enter the IP address of a virtual router in A.B.C.D format. The IP address must be on the same subnet as the interface’s primary IP address. ● ip-address2...
Usage Information The VRRP group only becomes active and sends VRRP packets when you configure a virtual IP address. When you delete the virtual address, the VRRP group stops sending VRRP packets. The no version of this command removes the vrrp-group configuration.
Example OS10(conf-if-eth1/1/5)# vrrp-group 254
Example (VLAN) OS10(conf-if-vl-10)# vrrp-group 5
Supported Releases 10.2.0E or later
vrrp-ipv6-group
Assigns a VRRP group identification number to an IPv6 interface.
7 Multicast Multicast is a technique that allows networking devices to send data to a group of interested receivers in a single transmission. For instance, this technique is widely used for streaming videos. Multicast allows you to more efficiently use network resources, specifically for bandwidth-consuming services such as audio and video transmission.
Unknown multicast flood control
The unknown multicast flood control feature enables the system to forward unknown multicast packets only to a multicast router (mrouter). When you enable multicast snooping, OS10 forwards multicast frames, whose destination is already learned, to their intended recipients. When the system receives multicast frames whose destination is not known, it floods the frames to all ports on the specific VLAN. All hosts that receive these multicast frames must process them.
Enable multicast flood control
Multicast flood control is enabled on OS10 by default. If it is disabled, use the following procedure to enable multicast flood control:
1. Configure IGMP snooping. To learn how to configure IGMP snooping, see the IGMP snooping section.
2. Configure MLD snooping. To learn how to configure MLD snooping, see the MLD Snooping section.
3. Enable the multicast flood control feature.
For multicast flood restrict to be effective on a VLAN, IGMP snooping and MLD snooping must be enabled at both global and VLAN levels. To disable multicast snooping flood control, use the no multicast snooping flood-restrict command.
Example OS10(config)# multicast snooping flood-restrict
Supported Releases 10.4.3.0 or later
Internet Group Management Protocol
Internet Group Management Protocol (IGMP) is a communications protocol that establishes multicast group memberships using IPv4 networks.
Supported IGMP versions IGMP has three versions. Version 3 obsoletes and is backwards-compatible with version 2; version 2 obsoletes version 1. OS10 supports the following IGMP versions: ● Router—IGMP versions 2 and 3. The default is version 3. ● Host—IGMP versions 1, 2, and 3. In IGMP version 2, the host expresses interest in a particular group membership (*, G).
IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a leave message. Immediate leave does not send group-specific or group-and-source queries before deleting the entry. To configure IGMP immediate leave: OS10# configure terminal OS10# interface vlan14 OS10(conf-if-vl-14)# ip igmp immediate-leave Select an IGMP version OS10 enables IGMP version 3 by default.
To view IGMP groups:
OS10# show ip igmp groups
Total Number of Groups: 100
IGMP Connected Group Membership
Group Address  Interface  Mode
225.1.1.1      vlan121    IGMPv2-Compat
225.1.1.2      vlan121    IGMPv2-Compat
225.1.1.3      vlan121    IGMPv2-Compat
225.1.1.4      vlan121    IGMPv2-Compat
225.1.1.5      vlan121    IGMPv2-Compat
225.1.1.6      vlan121    IGMPv2-Compat
225.1.1.7      vlan121    IGMPv2-Compat
225.1.1.8      vlan121    IGMPv2-Compat
225.1.1.9      vlan121    IGMPv2-Compat
225.1.1.10     vlan121    IGMPv2-Compat
225.1.1.11     vlan121    IGMPv2-Compat
225.1.1.
IGMP snooping configuration
OS10(config)# ip igmp snooping enable
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip igmp snooping mrouter interface ethernet 1/1/32
OS10(conf-if-vl-100)# ip igmp snooping querier
OS10(conf-if-vl-100)# ip igmp version 3
OS10(conf-if-vl-100)# ip igmp snooping fast-leave
OS10(conf-if-vl-100)# ip igmp snooping query-interval 60
OS10(conf-if-vl-100)# ip igmp snooping query-max-resp-time 10
OS10(conf-if-vl-100)# ip igmp snooping last-member-query-interval 1000
View IGMP sno
Parameters vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Default None
Command Mode EXEC
Usage Information None
Example OS10# clear ip igmp groups
Supported Releases 10.4.3.0 or later
ip igmp immediate-leave
Enables IGMP immediate leave.
Syntax ip igmp immediate-leave
Parameters None
Default None
Command Mode INTERFACE
Usage Information The querier sends some group-specific queries when it receives a leave message before deleting the group from the membership database.
ip igmp query-interval
Changes the frequency of IGMP general queries sent by the querier.
Syntax ip igmp query-interval seconds
Parameters seconds—Enter the amount of time in seconds to configure the time interval for IGMP general queries. The range is from 1 to 18000.
Default 60 seconds
Command Mode INTERFACE
Usage Information None
Example OS10# configure terminal
OS10# interface vlan12
OS10(conf-if-vl-12)# ip igmp query-interval 60
Supported Releases 10.4.3.
ip igmp snooping

Enables IGMP snooping on the specified VLAN interface.

Syntax              ip igmp snooping
Parameters          None
Default             Depends on the global configuration.
Command Mode        VLAN INTERFACE
Usage Information   When you enable IGMP snooping globally, the configuration applies to all VLAN interfaces. You can disable IGMP snooping on specified VLAN interfaces. The no version of this command disables IGMP snooping on the specified VLAN interface.
ip igmp snooping mrouter

Configures a multicast router port on the specified VLAN interface.

Syntax              ip igmp snooping mrouter interface interface-type
Parameters          interface-type—Enter the interface type details. The interface must be a member of the VLAN.
Default             Not configured
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command removes the multicast router configuration from the VLAN member port.
ip igmp query-max-resp-time

Configures the maximum time for responding to a query advertised in IGMP queries.

Syntax              ip igmp snooping query-max-resp-time query-response-time
Parameters          query-response-time—Enter the query response time in seconds, ranging from 1 to 25.
Default             10 seconds
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command resets the query response time to the default value.
● Uptime—Displays the amount of time the group has been operational.
● Expires—Displays the amount of time until the entry expires.
● Last reporter—Displays the IP address of the last host to be a member of the IGMP group.

Example

OS10# show ip igmp groups
Total Number of Groups: 100
IGMP Connected Group Membership
Group Address    Interface    Mode             Reporter
225.1.1.1        vlan121      IGMPv2-Compat
225.1.1.2        vlan121      IGMPv2-Compat
225.1.1.3        vlan121      IGMPv2-Compat
225.1.1.4        vlan121      IGMPv2-Compat
225.1.1.

Supported Releases
IGMP joins count: 100
IGMP querying router is 121.1.1.2

Supported Releases  10.4.3.0 or later

show ip igmp snooping groups

Displays IGMP snooping group membership details.

Syntax              show ip igmp snooping groups [detail | [vlan vlan-id [detail | ip-address]]]
Parameters          ● vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093.
                    ● detail—(Optional) Enter detail to display the IGMPv3 source information.
                    ● ip-address—(Optional) Enter the IP address of the multicast group.
Group Address Expires 225.1.0.0 00:01:30 Member-ports 225.1.0.1 00:01:30 Member-ports 225.1.0.2 00:01:30 Member-ports 225.1.0.3 00:01:30 Member-ports 225.1.0.4 00:01:30 Member-ports 225.1.0.5 00:01:30 Member-ports 225.1.0.6 00:01:30 Member-ports 225.1.0.7 00:01:30 Member-ports 225.1.0.8 00:01:30 Member-ports 225.1.0.9 00:01:30 Member-ports 225.1.0.
port-channel51 Include --more-- <
IGMP snooping fast-leave is disabled on this interface
IGMP snooping querier is enabled on this interface

Vlan3032 is up, line protocol is up
IGMP version is 3
IGMP snooping is enabled on interface
IGMP snooping query interval is 60 seconds
IGMP snooping querier timeout is 130 seconds
IGMP snooping last member query response interval is 1000 ms
IGMP Snooping max response time is 10 seconds
IGMP snooping fast-leave is disabled on this interface
IGMP snooping querier is enabled on this interface

Vlan3033 is u
show ip igmp snooping mrouter

Displays the multicast router ports details.

Syntax              show ip igmp snooping mrouter [vlan vlan-id]
Parameters          vlan-id—(Optional) Enter the VLAN ID, from 1 to 4093.
● Enable MLD snooping globally with the ipv6 mld snooping enable command in the CONFIGURATION mode. This command enables both MLDv2 and MLDv1 snooping on all VLAN interfaces.
● (Optional) You can disable MLD snooping on specific VLAN interfaces using the no ipv6 mld snooping command in the VLAN INTERFACE mode.
● (Optional) Multicast flood control is enabled by default. To disable the multicast flood restrict feature, use the no multicast snooping flood-restrict command in CONFIGURATION mode.
00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:2::1 vlan3532 MLDv1-Compat 00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 ff0e:225:2::2 vlan3532 MLDv1-Compat 00:01:56 Member-ports :port-channel41,ethernet1/1/51,ethernet1/1/52 --more-<
ipv6 mld snooping enable

Enables MLD snooping globally.

Syntax              ipv6 mld snooping enable
Parameters          None
Default             Enabled
Command Mode        CONFIGURATION
Usage Information   The no version of this command disables the MLD snooping.
Example             OS10(config)# ipv6 mld snooping enable
Supported Releases  10.4.1.0 or later

ipv6 mld snooping fast-leave

Enables fast leave in MLD snooping for specified VLAN.
ipv6 mld snooping mrouter

Configures the specified VLAN member port as a multicast router interface.

Syntax              ipv6 mld snooping mrouter interface interface-type
Parameters          interface-type—Enter the interface type details. The interface should be a member of the VLAN.
Default             Not configured
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command removes the multicast router configuration from the VLAN member port.
ipv6 mld query-max-resp-time

Configures the maximum time for responding to a query advertised in MLD queries.

Syntax              ipv6 mld snooping query-max-resp-time query-response-time
Parameters          query-response-time—Enter the query response time in seconds, ranging from 1 to 25.
Default             10 seconds
Command Mode        VLAN INTERFACE
Usage Information   The no version of this command resets the query response time to the default value.
00:01:52 Member-ports ff0e:225:1::1 00:01:52 Member-ports ff0e:225:1::2 00:01:52 Member-ports ff0e:225:1::3 00:01:52 Member-ports ff0e:225:1::4 00:01:52 Member-ports ff0e:225:1::5 00:01:52 Member-ports ff02::2 00:01:47 ff0e:225:2:: 00:01:56 Member-ports ff0e:225:2::1 00:01:56 Member-ports ff0e:225:2::2 00:01:56 Member-ports --more-Example (with VLAN) Example (with VLAN and multicast IP address) Supported Releases :port-channel41,ethernet1/1/51,ethernet1/1/52 vlan3531 MLDv1-Compat :port-channel41,ethernet
Command Mode EXEC Usage Information None Example OS10# show ipv6 mld snooping groups detail Interface vlan3041 Group ff02::2 Source List -Member Port Mode Uptime port-channel31 Exclude 2d:11:57:08 Expires 00:01:44 Interface vlan3041 Group ff3e:232:b:: Source List 2001:101:29::1b Member Port Mode port-channel31 Include ethernet1/1/51:1 Include ethernet1/1/52:1 Include Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expires 00:01:42 00:01:38 00:01:25 Uptime 2d:11:50:17 2d:11:50:36 2d:11:50:36 Expires 00
Supported Releases  10.4.1.0 or later

show ipv6 mld snooping interface

Displays the details of MLD snooping interfaces.

Syntax              show ipv6 mld snooping interface [vlan vlan-id]
Parameters          vlan-id—(Optional) Enter the VLAN ID, ranging from 1 to 4093.
Default             Not configured
Command Mode        EXEC
Usage Information   The multicast flood control feature is not available on the S4248FB-ON, S4248FBL-ON, and S5148-ON devices.
Protocol Independent Multicast

Protocol independent multicast (PIM) is a group of multicast routing protocols that provides one-to-many and many-to-many transmission of information. PIM uses routing information from other routing protocols and does not depend on any specific unicast routing protocol. PIM uses any unicast routing protocol that is deployed in the network.

OS10 supports the following PIM modes:
● PIM sparse mode (PIM-SM)
● PIM source specific multicast (PIM-SSM)

PIM terminology

Table 19.
PIM-SM uses shared trees with the root node being the rendezvous point (RP). All multicast sources use the RP to route the traffic to the receiver. The last hop router (LHR) sends an (*,G) join message towards the RP. The designated router connected to the first hop router (FHR) encapsulates multicast data that comes from the multicast source in PIM control messages and sends it via unicast to the RP as PIM register messages. The RP sends an (S, G) join towards the source.
2. Enable PIM-SSM for the range of addresses using the ip pim ssm-range command.

OS10(config)# ip pim ssm-range ssm-1

You can use the show ip pim ssm-range command to view the groups added in PIM-SSM configuration.

OS10# show ip pim ssm-range
Group Address / MaskLen
236.0.0.0 / 8

Expiry timers for S, G entries

You can configure expiry timers for S, G entries globally. The S, G entries expire in 210 seconds by default.
Usage Information   When you run this command on a node, all multicast routes from the PIM tree information base (TIB), the entire multicast route table, and all the entries in the data plane are deleted.
Example             OS10# clear ip pim vrf vrf1 tib
Supported Releases  10.4.3.0 or later

ip multicast-routing

Enables IP multicast forwarding.

Syntax              ip multicast-routing [vrf vrf-name]
Parameters          vrf vrf-name—Enter the keyword vrf, then the name of the VRF to enable IP multicast forwarding on the specified VRF.
Parameters          seconds—Enter the amount of time, in seconds, the router waits before sending a PIM hello packet out of each PIM-enabled interface, from 2 to 18000.
Default             30 seconds
Command Mode        INTERFACE CONFIGURATION
Usage Information   Use the no form of the command to return the frequency of PIM router query messages to the default value.
Example             OS10# configure terminal
                    OS10(config)# interface vlan 1
                    OS10(conf-if-vl-1)# ip pim query-interval 20
Supported Releases  10.4.3.
Example             OS10# configure terminal
                    OS10(config)# interface vlan 2
                    OS10(conf-if-vl-2)# ip address 1.1.1.2/24
                    OS10(conf-if-vl-2)# ip pim sparse-mode
Supported Releases  10.4.3.0 or later

ip pim sparse-mode sg-expiry-timer

Enables expiry timers globally for all sources.

Syntax              ip pim [vrf vrf-name] sparse-mode sg-expiry-timer seconds
Parameters          ● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
                    ● seconds—Enter the number of seconds the S, G entries are retained.
Default             None
Command Mode        EXEC
Usage Information   The show ip pim interface command displays the following:
                    ● Address—IP addresses of the IP PIM-enabled interfaces
                    ● Interface—Interface type with slot/port information or VLAN/Port Channel ID
                    ● Version/Mode—PIM version number and mode; v2 for PIM version 2 and S for PIM sparse mode
                    ● Nbr Count—Active neighbor count on the PIM-enabled interface
                    ● Query interval—Query interval for router query messages on that interface
                    ● DR priority—Designated router prio
Command Mode        EXEC
Usage Information   This command displays the following:
                    ● Neighbor address—IP addresses of the PIM neighbor
                    ● Interface—Interface type with slot/port information or VLAN/Port Channel ID of the PIM neighbor
                    ● Uptime/expires—Amount of time that the PIM neighbor has been up
                    ● Version—PIM version number; v2 for PIM version 2
                    ● DR priority/Mode—Designated router priority value and mode.
Parameters          vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
Default             None
Command Mode        EXEC
Usage Information   None
Example             OS10# show ip pim ssm-range
                    Group Address / MaskLen
                    224.1.1.1 / 32
Supported Releases  10.4.3.0 or later

show ip pim summary

Displays information about PIM-SM operation.

Syntax              show ip pim [vrf vrf-name] summary
Parameters          vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
show ip pim tib

Displays the PIM tree information base (TIB).

Syntax              show ip pim [vrf vrf-name] tib [group-address [source-address]]
Parameters          ● vrf vrf-name—Enter the keyword vrf, then the name of the VRF.
                    ● group-address—Enter the group address in dotted-decimal format (A.B.C.D).
                    ● source-address—Enter the source address in dotted-decimal format (A.B.C.D).
Usage Information   Use static mroutes to control the reachability of the multicast sources. If a PIM-registered multicast source is reachable using a static mroute as well as a unicast route, PIM examines the distance of each route and selects the route with the shorter distance for reachability.
Example             OS10# show ip rpf
                    RPF information for 101.1.1.10
                    RPF interface: vlan103
                    RPF neighbor: 2.1.1.1
                    RPF route/mask: 101.1.1.0/255.255.255.
Supported Releases
FHR(conf-if-eth1/1/17)#
FHR(conf-if-eth1/1/17)# no switchport
FHR(conf-if-eth1/1/17)# ip address 2.2.2.2/24
FHR(conf-if-eth1/1/17)# ip pim sparse-mode
FHR(conf-if-eth1/1/17)# ip ospf 1 area 0
FHR(conf-if-eth1/1/17)# exit
FHR(config)# router ospf 1
FHR(config-router-ospf-1)# exit
FHR(config)# ip pim rp-address 192.168.1.25 group-address 224.0.0.0/4
FHR(config)#
FHR# configure terminal
FHR(config)# interface ethernet 1/1/48
FHR(conf-if-eth1/1/48)# no switchport
FHR(conf-if-eth1/1/48)# ip address 22.1.1.
RP#
RP# configure terminal
RP(config)# router ospf 1
RP(config-router-ospf-1)# end

The show ip pim interface command displays the PIM-enabled interfaces in RP.

RP# show ip pim interface
Address    Interface        Ver/Mode   Nbr Count   Query Intvl   DR Prio   DR
--------------------------------------------------------------------------------------------------
3.3.3.1    ethernet1/1/31   v2/S       1           30            1         3.3.3.2
1.1.1.2    ethernet1/1/43   v2/S       1           30            1         1.1.1.
1 1.1.1.1 1 15.1.1.1 1 2.2.2.2 ethernet1/1/26:1 1.1.1.2 vlan2001 15.1.1.1 v2/S 1 30 v2/S 0 30

The show ip pim neighbor command displays the PIM neighbor of LHR and the interface to reach the neighbor.

LHR# show ip pim neighbor
Neighbor Address   Interface        Uptime/Expires      Ver   DR Prio/Mode
----------------------------------------------------------------------------------------------
2.2.2.2            ethernet1/1/17   00:02:58/00:01:24   v2    1 / DR S
1.1.1.
The show ip igmp groups command output displays the IGMP database.

LHR# show ip igmp groups
Total Number of Groups: 1
IGMP Connected Group Membership
Group Address   Interface   Expires    Last Reporter
224.1.1.1       vlan2001    00:01:59   15.1.1.
R1# configure terminal
R1(config)# interface port-channel 11
R1(conf-if-po-11)# no switchport
R1(conf-if-po-11)# ip vrf forwarding red
R1(conf-if-po-11)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/6
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf
R2(config)# interface vlan 2001
R2(conf-if-vl-2001)# ip vrf forwarding red
R2(conf-if-vl-2001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/40:1
R2(conf-if-eth1/1/40:1)# no ip vrf forwarding
R2(conf-if-eth1/1/40:1)# switchport mode trunk
R2(conf-if-eth1/1/40:1)# switchport trunk allowed vlan 2001
R2(conf-if-eth1/1/40:1)# end
R2# configure terminal
R2(config)# interface port-channel 11
R2(conf-if-po-11)# no switchport
R2(conf-if-po-11)# ip vrf forwarding red
R2(conf-if-po-11)# end
R2# confi
Verify the configuration

To verify the configuration, use the following show commands on R1:

The show ip pim vrf red neighbor command displays the PIM neighbor of R1 and the interface through which the neighbor is reached.

R1# show ip pim vrf red neighbor
Neighbor Address   Interface   Uptime/Expires   Ver   DR Priority / Mode
-----------------------------------------------------------------------------------------------------------
193.1.1.
The show ip pim vrf red neighbor command displays the PIM neighbor of R2 and the interface through which the neighbor is reached.

R2# show ip pim vrf red neighbor
Neighbor Address   Interface        Uptime/Expires      Ver   DR Priority / Mode
------------------------------------------------------------------------
193.1.1.1          port-channel11   02:34:15/00:01:29   v2    1/ S

The show ip pim vrf red ssm-range command displays the specified multicast address range.

R2# show ip pim vrf red ssm-range
Group Address / MaskLen
224.1.1.
Multicast VRF sample configuration

This section describes how to configure IPv4 multicast in a non-default VRF instance using the topology shown in the following illustration. Perform the following configuration on each of the nodes, R1, R2, R3, and R4.
R1(conf-if-eth1/1/6)# no ip vrf forwarding
R1(conf-if-eth1/1/6)# no switchport
R1(conf-if-eth1/1/6)# channel-group 11
R1(conf-if-eth1/1/6)# end
R1# configure terminal
R1(config)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# no switchport
R1(conf-if-eth1/1/7)# interface ethernet 1/1/7
R1(conf-if-eth1/1/7)# ip vrf forwarding red
R1(conf-if-eth1/1/7)# ip address 201.1.1.
R2(conf-vrf)# end
R2# configure terminal
R2(config)# interface vlan 1001
R2(conf-if-vl-1001)# ip vrf forwarding red
R2(conf-if-vl-1001)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/21:4
R2(conf-if-eth1/1/21:4)# switchport mode trunk
R2(conf-if-eth1/1/21:4)# switchport trunk allowed vlan 1001
R2(conf-if-eth1/1/21:4)# end
R2# configure terminal
R2(config)# interface ethernet 1/1/12:1
R2(conf-if-eth1/1/12:1)# no switchport
R2(conf-if-eth1/1/12:1)# ip vrf forwarding red
R2(conf-if-eth1/1/12:1)
R3(conf-if-eth1/1/12)# switchport trunk allowed vlan 1001
R3(conf-if-eth1/1/12)# end
R3# configure terminal
R3(config)# interface port-channel 12
R3(conf-if-po-12)# no switchport
R3(conf-if-po-12)# ip vrf forwarding red
R3(conf-if-po-12)# end
R3# configure terminal
R3(config)# interface ethernet 1/1/5
R3(conf-if-eth1/1/5)# no ip vrf forwarding
R3(conf-if-eth1/1/5)# no switchport
R3(conf-if-eth1/1/5)# channel-group 12
R3(conf-if-eth1/1/5)# end
R3# configure terminal
R3(config)# interface vlan 1001
R3(conf-if
R3(config)# ip pim vrf red rp-address 182.190.168.224 group-address 224.0.0.
R4(conf-if-po-12)# end
R4# configure terminal
R4(config)# interface Lo0
R4(conf-if-lo-0)# ip vrf forwarding red
R4(conf-if-lo-0)# ip address 4.4.4.
--------------------------------
224.1.1.1 182.190.168.224

R1# show ip pim vrf red rp mapping
Group(s) : 224.0.0.0/4, Static RP : 182.190.168.224, v2

R1# show ip pim vrf red mcache
PIM Multicast Routing Cache Table
(201.1.1.1, 224.1.1.1)
Incoming interface : ethernet1/1/7
Outgoing interface list : port-channel11

Rendezvous point (R3)

R3# show ip pim vrf red neighbor
Neighbor Address   Interface   Uptime/Expires   Ver   DR Priority / Mode
---------------------------------------------------------------------------
192.
--------------------------------
224.1.1.1 182.190.168.224

R3# show ip pim vrf red tib
PIM Multicast Routing Table
Flags: S - Sparse, C - Connected, L - Local, P - Pruned,
R - RP-bit set, F - Register Flag, T - SPT-bit set, J - Join SPT,
K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode

(*, 224.1.1.1), uptime 00:04:41, expires 00:00:00, RP 182.190.168.224, flags: S
Incoming interface: Null, RPF neighbor 0.0.0.
K - Ack-Pending state
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode

(*, 224.1.1.1), uptime 00:05:44, expires 00:00:15, RP 182.190.168.224, flags: SCJ
Incoming interface: port-channel12, RPF neighbor 194.1.1.1
Outgoing interface list:
vlan2001 Forward/Sparse 00:05:44/Never

(201.1.1.1, 224.1.1.1), uptime 00:02:58, expires 00:00:31, flags: CT
Incoming interface: port-channel11, RPF neighbor 193.1.1.
The behavior is the same with first hop router (FHR) as well, where PIM registration is initiated by DR. The PIM join could be sent to the DR or the non-DR FHR node. If the incoming multicast traffic reaches the node which receives the PIM join, it routes the packet towards the RP. If the incoming multicast traffic reaches the peer VLT node that has not received the PIM join, it switches the packet over the VLTi link to the other node, which will route the packet towards the RP.
Source on VLT VLAN—traffic forwarded to non-DR

In the following illustration, the source is in VLT VLAN (VLAN 11) and traffic is forwarded to the non-designated router (R1).

Traffic flow:
1. R4: Traffic from source is switched to VLT LAG towards the non-designated router (R1).
2. R1: Traffic is switched to ICL through VLAN 11.
3. R2:
   a. The (S, G) entry is created.
   b. Traffic is routed to VLAN 12, VLAN 13, and VLAN 14.
   c. Traffic is routed to ICL through VLAN 13.
4. Traffic floods on VLAN 13.
Traffic flow:
1. R3: Traffic from source is routed to R2.
2. R2:
   a. The (S1, G) entry is created.
   b. Traffic is routed to VLAN 11, VLAN 13, and VLAN 14.
   c. Traffic is routed to ICL through VLAN 11 as well as VLAN 13.
3. Traffic floods on VLAN 13.

VLT LAG down on one side

In the following illustration, VLT LAG is down on one side.
Traffic flow:
1. R3: Traffic from source is routed to R2.
2. R2:
   a. The (S1, G) entry is created.
   b. Traffic is routed to VLAN 11, VLAN 13, and VLAN 14.
   c. Traffic is routed to ICL through VLAN 11 as well as VLAN 13.
3. Traffic floods on VLAN 13.

Source on spanned non-VLT VLAN

In the following illustration, the source is connected to a router in a spanned non-VLT VLAN.
Traffic flow:
1. R1: Traffic floods to ICL through VLAN 13.
2. R2:
   a. The (S1, G) entry is created.
   b. Traffic is routed to VLAN 11, VLAN 12, and VLAN 14.
   c. Traffic is routed to ICL through VLAN 11.
8 VXLAN

A virtual extensible LAN (VXLAN) extends Layer 2 (L2) server connectivity over an underlying Layer 3 (L3) transport network in a virtualized data center. A virtualized data center consists of virtual machines (VMs) in a multi-tenant environment. OS10 supports VXLAN as described in RFC 7348. VXLAN provides an L2 overlay mechanism on an existing L3 network by encapsulating the L2 frames in L3 packets.
Bridge domain
An L2 domain that receives packets from member interfaces and forwards or floods them to other member interfaces based on the destination MAC address of the packet. OS10 supports two types of bridge domains: simple VLAN and virtual network.
● Simple VLAN: A bridge domain represented by a VLAN ID. Traffic on all member ports is assigned the same VLAN ID.
● Virtual network: A bridge domain represented by a virtual network ID (VNID).
6. Advertise the local VXLAN source IP address to remote VTEPs.
7. (Optional) Configure VLT.

Configure source IP address on VTEP

When you configure a switch as a VXLAN tunnel endpoint (VTEP), configure a Loopback interface, whose IP address is used as the source IP address in encapsulated packet headers. Only a Loopback interface assigned to a network virtualization edge (NVE) instance is used as a source VXLAN interface.
All broadcast, multicast, and unknown unicast (BUM) traffic received on access interfaces is replicated and sent to all configured remote VTEPs. Each packet contains the VXLAN VNI in its header. By default, MAC learning from a remote VTEP is enabled and unknown unicast packets flood to all remote VTEPs. To configure additional remote VTEPs, re-enter the remote-vtep ip-address command.

4. Return to VIRTUAL-NETWORK mode.
   exit
5. Return to CONFIGURATION mode.
Configure untagged access ports

Add untagged access ports to the VXLAN overlay network using either a switch-scoped VLAN or port-scoped VLAN. Only one method is supported.

● To use a switch-scoped VLAN to add untagged member ports to a virtual network:
1. Assign a VLAN to a virtual network in VLAN Interface mode.
   interface vlan vlan-id
   virtual-network vn-id
   exit
2. Configure port interfaces as access members of the VLAN in Interface mode.
1. Create a non-default VRF instance for overlay routing in Configuration mode. For multi-tenancy, create a VRF instance for each tenant.
   ip vrf tenant-vrf-name
   exit
2. Configure the anycast gateway MAC address that all VTEPs use in all VXLAN virtual networks in Configuration mode. When a VM sends an Address Resolution Protocol (ARP) request for the anycast gateway IP address in a VXLAN virtual network, the nearest VTEP responds with the configured anycast MAC address.
The following tables show how to use anycast gateway IP and MAC addresses in a data center with three virtual networks and multiple VTEPs:

● Globally configure an anycast MAC address for all VTEPs in all virtual networks. For example, if you use three VTEP switches in three virtual networks:

Table 20. MAC address for all VTEPs

Virtual network   VTEP     Anycast gateway MAC address
VNID 11           VTEP 1   00.11.22.33.44.55
                  VTEP 2   00.11.22.33.44.55
                  VTEP 3   00.11.22.33.44.55
                  VTEP 1   00.11.22.33.44.55
                  VTEP 2   00.
2. Configure the MTU value on L3 underlay network-facing interfaces in Interface mode to be at least 50 bytes higher than the MTU on the server-facing links to allow for VXLAN encapsulation. The range is from 1312 to 9216.
   mtu value
3. Return to CONFIGURATION mode.
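A check for the 50-byte headroom rule above, as an added example (not from the OS10 guide or any Dell tooling): it parses running-config style interface stanzas and flags underlay interfaces whose MTU is outside 1312 to 9216 or less than 50 bytes above the largest server-facing MTU. The stanza layout, the interface roles supplied by the caller, and the value 1532 used for interfaces with no mtu line are assumptions.

```python
import re

VXLAN_HEADROOM = 50             # extra bytes the guide requires on underlay links
MTU_MIN, MTU_MAX = 1312, 9216   # configurable MTU range stated in the guide

# Constructed sample in running-config style (not captured from a real switch).
SAMPLE_CONFIG = """\
interface ethernet1/1/1
 no shutdown
 no switchport
 mtu 1650
 ip address 172.16.1.0/31
!
interface ethernet1/1/2
 no shutdown
 no switchport
 ip address 172.16.2.0/31
!
interface ethernet1/1/3
 no shutdown
 no switchport
 mtu 9216
 ip address 172.16.3.0/31
!
interface ethernet1/1/5
 no shutdown
 switchport mode trunk
 mtu 1600
!
"""


def normalize(name):
    """Treat 'ethernet 1/1/1' and 'ethernet1/1/1' as the same interface."""
    return re.sub(r"\s+", "", name.strip().lower())


def parse_interface_mtus(config_text, default_mtu):
    """Return {interface: mtu}; interfaces without an mtu line get default_mtu."""
    mtus = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^interface\s+(.+)$", line)
        if header:
            current = normalize(header.group(1))
            mtus[current] = default_mtu
            continue
        # Any other unindented line ("!" or a global command) ends the stanza.
        if line and not line[0].isspace():
            current = None
            continue
        mtu_line = re.match(r"^\s+mtu\s+(\d+)$", line)
        if mtu_line and current is not None:
            mtus[current] = int(mtu_line.group(1))
    return mtus


def audit_vxlan_mtu(config_text, underlay, server_facing, default_mtu):
    """Return a list of (interface, problem) tuples; an empty list means compliant.

    underlay and server_facing are interface names chosen by the caller;
    the configuration itself does not say which role a port plays.
    """
    mtus = parse_interface_mtus(config_text, default_mtu)
    underlay = [normalize(n) for n in underlay]
    server_facing = [normalize(n) for n in server_facing]
    findings = [(n, "interface not found in configuration")
                for n in underlay + server_facing if n not in mtus]

    access = {n: mtus[n] for n in server_facing if n in mtus}
    if not access:
        return findings
    widest = max(access, key=access.get)
    required = access[widest] + VXLAN_HEADROOM

    for name in underlay:
        if name not in mtus:
            continue
        mtu = mtus[name]
        if not MTU_MIN <= mtu <= MTU_MAX:
            findings.append(
                (name, f"mtu {mtu} is outside the range {MTU_MIN}-{MTU_MAX}"))
        elif mtu < required:
            findings.append(
                (name, f"mtu {mtu} is below {required} "
                       f"({widest} mtu {access[widest]} + {VXLAN_HEADROOM})"))
    return findings


if __name__ == "__main__":
    # default_mtu=1532 is an assumption for ports with no explicit mtu line.
    for iface, problem in audit_vxlan_mtu(
            SAMPLE_CONFIG,
            underlay=["ethernet1/1/1", "ethernet1/1/2", "ethernet1/1/3"],
            server_facing=["ethernet1/1/5"],
            default_mtu=1532):
        print(f"{iface}: {problem}")
```

An underlay port left at its default MTU is the case this catches: encapsulated frames from a server-facing port with a raised MTU no longer fit on that link.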
OS10 supports preset profiles to re-allocate the number of resources reserved for overlay ARP entries. The number of entries reserved for each preset mode differs according to OS10 switch. Table 22.
Setting Current Next-boot Mode Next-hop Entries default-overlay-routing 8192 default-overlay-routing 8192 Next-hop Entries 57344 57344 L3 RIF Entries 2048 2048 L3 RIF Entries 14336 14336

DHCP relay on VTEPs

Dynamic Host Configuration Protocol (DHCP) clients on hosts in the overlay communicate with a DHCP server using a DHCP relay on the VTEP switch. In OS10, DHCP relay is supported on VTEPs only if you locate the DHCP server in the underlay network.
View the VXLAN virtual-network port

OS10# show virtual-network interface ethernet 1/1/1
Interface       Vlan   Virtual-network
ethernet1/1/1   100    1000
ethernet1/1/1   200    2000
ethernet1/1/1   300    3000

View the VXLAN virtual-network VLAN

OS10# show virtual-network vlan 100
Vlan   Virtual-network   Interface
100    1000              ethernet1/1/1,ethernet1/1/2
100    5000              ethernet1/1/2

View the VXLAN virtual-network VLANs

OS10# show vlan
Codes: * - Default VLAN, M - Management VLAN, R - Remote Port Mirroring VLANs, @ – Attached to Virtual Netwo
-----------------------------------------------------
101 101 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33
102 102 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33
103 103 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33
104 104 44.44.44.44 11.11.11.11,22.22.22.22,33.33.33.33

View VXLAN routing between virtual networks

The show ip arp vrf and show ipv6 neighbors vrf command output displays information about IPv4 and IPv6 neighbors learned in a non-default VRF on the switch.
NOTE: The existing show mac address-table and clear mac-address table commands do not display and clear MAC addresses in a virtual-network bridge domain even when access ports in a switch-scoped VLAN are assigned to a VXLAN virtual network.

Display VXLAN MAC addresses

Table 23.
Table 23. Display VXLAN MAC addresses (continued)

Command   Description
          interface ethernet node/slot/port:subport: Displays the number of MAC addresses learned on the specified interface.
          interface port-channel number: Displays the number of MAC addresses learned on the specified port channel.
          vn-id: Displays the number of MAC addresses learned on the specified virtual network.
VXLAN commands

hardware overlay-routing-profile

Configures the number of reserved ARP table entries for VXLAN overlay routing.
Example             OS10(config)# interface virtual-network 10000
                    OS10(config-if-vn-10000)# ip vrf forwarding tenant1
                    OS10(config-if-vn-10000)# ip address 10.1.0.1/16
                    OS10(config-if-vn-10000)# no shutdown
Supported releases  10.4.3.0 or later

ip virtual-router address

Configures an anycast gateway IP address for a VXLAN virtual network.

Syntax              ip virtual-router address ip-address
Parameters          address ip-address   Enter the IP address of the anycast L3 gateway.
Parameters          ethernet node/slot/port[:subport]   Assign the specified interface to a virtual network.
                    port-channel number                 Assign the specified port channel to a virtual network.
                    untagged                            Assign untagged traffic on an interface or port channel to a virtual network.
                    vlan-tag vlan-id                    Assign tagged traffic on the specified VLAN to a virtual network.
Example             OS10(config-vn-vxlan-vni)# remote-vtep 20.20.20.1
                    OS10(config-vn-vxlan-vni-remote-vtep)# exit
                    OS10(config-vn-vxlan-vni)# remote-vtep 30.20.20.1
Supported releases  10.4.2.0 or later

show hardware overlay-routing-profile mode

Displays the number of hardware resources available for overlay routing in different profiles.

Syntax              show hardware overlay-routing-profile mode [all]
Parameters          all   View the number of tenant entries available in each hardware partition for overlay routing profiles.
Interface index is 66
Internet address is 12.12.12.2/24
Mode of IPv4 Address Assignment: MANUAL
Interface IPv6 oper status: Enabled
Link local IPv6 address: fe80::1618:77ff:fe25:6eb9/64
MTU 1532 bytes, IP MTU 1500 bytes
ARP type: ARPA, ARP Timeout: 60
Last clearing of "show interface" counters: 10:24:21
Queuing strategy: fifo
Input statistics:
89 packets, 10056 octets
Output statistics:
207 packets, 7376 octets
Time since last interface status change: 10:23:21

Supported releases  10.4.3.
Usage information   Use this command to display input and output statistics for VXLAN traffic on a remote VTEP. A VTEP is identified by its IP address. Use the clear nve remote-vtep [ip-address] counters command to clear VXLAN packet statistics.
Example             OS10# show nve remote-vtep counters
                    Peer          Input (Packets/Bytes)   Output (Packets/Bytes)
                    10.10.10.10   857/8570                257/23709
                    20.20.20.20   457/3570                277/13709
Supported releases  10.4.2.
Source Interface: loopback100(222.222.222.222)
Remote-VTEPs (flood-list): 55.55.55.55(DP),77.1.1.1(DP)

Supported releases  10.4.2.0 or later

show virtual-network counters

Displays packet statistics for virtual networks.

Syntax              show virtual-network [vn-id] counters
Parameters          vn-id   Enter a virtual-network ID, from 1 to 65535.
Default             Not configured
Command mode        EXEC
Usage information   Use this command to monitor the packet throughput on virtual networks, including VXLANs.
Supported releases  10.4.2.0 or later

show virtual-network interface

Displays the VXLAN virtual networks and server VLANs where a port is assigned.

Syntax              show virtual-network interface {ethernet node/slot/port:subport | port-channel number}
Parameters          interface ethernet node/slot/port[:subport]   Enter the port information for an Ethernet interface.
                    interface port-channel number                 Enter a port-channel number, from 1 to 128.
show vlan (virtual network)

Displays the VLANs assigned to virtual networks.

Syntax              show vlan
Parameters          None
Default             Not configured
Command mode        EXEC
Usage information   Use this command to display the VLAN port interfaces that transmit VXLAN packets over a virtual network.
virtual-network

Creates a virtual network for VXLAN tunneling.

Syntax              virtual-network vn-id
Parameters          vn-id   Enter the virtual-network ID, from 1 to 65535.
Default             Not configured
Command mode        CONFIGURATION
Usage information   The virtual network operates as an L2 bridging domain. To add a VXLAN to the virtual network, use the vxlan-vni command. The no version of this command removes the configured virtual network.
Example             OS10(config)# virtual-network 1000
                    OS10(config-vn)#
Supported releases  10.4.2.
VXLAN MAC commands

clear mac address-table dynamic nve remote-vtep

Clears all MAC addresses learned from a remote VTEP.

Syntax              clear mac address-table dynamic nve remote-vtep ip-address
Parameters          remote-vtep ip-address   Clear MAC addresses learned from the specified remote VTEP.
Default             Not configured
Command mode        EXEC
Usage information   To display the MAC addresses learned from a remote VTEP, use the show mac address-table nve remote-vtep command.
Example             OS10# clear mac address-table dynamic virtual-network
Supported releases  10.4.2.0 or later

show mac address-table count extended

Displays the number of MAC addresses learned on all VLANs and VXLAN virtual networks.

Syntax              show mac address-table count extended [interface {ethernet node/slot/port:subport | port-channel number}]
Parameters          interface ethernet node/slot/port[:subport]   Display the number of MAC addresses learned on all VLANs and VXLANs on the specified interface.
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 1

OS10# show mac address-table count nve remote-vtep 32.1.1.1
MAC Entries for all vlans :
Dynamic Address Count : 2
Static Address (User-defined) Count : 0
Total MAC Addresses in Use: 2

Supported releases  10.4.2.0 or later

show mac address-table count virtual-network

Displays the number of MAC addresses learned on virtual networks.
Parameters          address mac-address                           Display only information about the specified MAC address.
                    interface ethernet node/slot/port[:subport]   Display only MAC addresses learned on the specified interface.
                    interface port-channel number                 Display only MAC addresses learned on the specified port channel.
                    static                                        Display only static MAC addresses.
                    dynamic                                       Display only dynamic MAC addresses.
Default             Not configured
Command mode        EXEC
Usage information   By default, MAC learning from a remote VTEP is enabled.
Example OS10# show mac address-table nve remote-vtep 32.1.1.1 Virtual-Network VNI MAC Address Type Remote-VTEP --------------------------------------------------------------10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.1) 20000 19999 00:00:00:00:00:88 dynamic VxLAN(32.1.1.1) OS10# show mac address-table nve vxlan-vni 9999 Virtual-Network VNI MAC Address Type Remote-VTEP --------------------------------------------------------------10000 9999 00:00:00:00:00:77 dynamic VxLAN(32.1.1.
Supported releases 10.4.2.0 or later Example: VXLAN with static VTEP This example uses a typical Clos leaf-spine topology with static VXLAN tunnel endpoints (VTEPs) in VLT dual-homing domains. The individual switch configuration shows how to set up an end-to-end VXLAN. The underlay IP network routes advertise using OSPF. ● On VTEPs 1 and 2, access ports are assigned to the virtual network using a switch-scoped VLAN configuration.
Do not configure the same IP address for the router ID and the source loopback interface in Step 2. OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 172.16.0.1 OS10(config-router-ospf-1)# exit 2. Configure a Loopback interface OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0 OS10(conf-if-lo-0)# exit 3.
OS10(conf-if-eth1/1/6)# no switchport OS10(conf-if-eth1/1/6)# exit 7. Configure upstream network-facing ports OS10(config)# interface OS10(conf-if-eth1/1/1)# OS10(conf-if-eth1/1/1)# OS10(conf-if-eth1/1/1)# OS10(conf-if-eth1/1/1)# OS10(conf-if-eth1/1/1)# OS10(conf-if-eth1/1/1)# ethernet1/1/1 no shutdown no switchport mtu 1650 ip address 172.16.1.0/31 ip ospf 1 area 0.0.0.
9. Configure overlay IP routing Create the tenant VRF OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit Configure the anycast L3 gateway MAC address for all VTEPs OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 Configure routing with an anycast gateway IP address for each virtual network OS10(config)# interface virtual-network 10000 OS10(config-if-vn-10000)# ip vrf forwarding tenant1 OS10(config-if-vn-10000)# ip address 10.1.0.231/16 OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.
5. Assign a switch-scoped VLAN to a virtual network
OS10(config)# interface vlan100
OS10(config-if-vl-100)# virtual-network 10000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
OS10(config)# interface vlan200
OS10(config-if-vl-100)# virtual-network 20000
OS10(config-if-vl-100)# no shutdown
OS10(config-if-vl-100)# exit
6.
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# vlt port-channel 20
OS10(conf-if-po-20)# exit
Configure VLTi member links
OS10(config)# interface ethernet1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# no switchport
OS10(conf-if-eth1/1/3)# exit
OS10(config)# interface ethernet1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# exit
Configure a VLT domain
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.
Do not configure the same IP address for the router ID and the source loopback interface in Step 2. OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 172.18.0.1 OS10(config-router-ospf-1)# exit 2. Configure a Loopback interface OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.2.1/32 OS10(conf-if-lo-0)# ip ospf 1 area 0.0.0.0 OS10(conf-if-lo-0)# exit 3.
OS10(config)# virtual-network 20000 OS10(config-vn-20000)# member-interface port-channel 20 untagged OS10(config-vn-20000)# exit NOTE: This step shows how to add access ports using port-scoped VLAN-to-VNI mapping. You can also add access ports using a switch-scoped VLAN-to-VNI mapping. However, you cannot use both methods at the same time; you must use either a port-scoped or switch-scoped VLAN-to-VNI mapping. 8.
Configure a VLT domain OS10(config)# vlt-domain 1 OS10(conf-vlt-1)# backup destination 10.16.150.
4. Configure VXLAN virtual networks with a static VTEP OS10(config)# virtual-network 10000 OS10(config-vn-10000)# vxlan-vni 10000 OS10(config-vn-vxlan-vni)# remote-vtep OS10(config-vn-vxlan-vni-remote-vtep)# OS10(config-vn-vxlan-vni)# exit OS10(config-vn-10000)# exit OS10(config)# virtual-network 20000 OS10(config-vn-20000)# vxlan-vni 20000 OS10(config-vn-vxlan-vni)# remote-vtep OS10(config-vn-vxlan-vni-remote-vtep)# OS10(config-vn-vxlan-vni)# exit OS10(config-vn-20000)# exit 192.168.1.1 exit 192.168.1.
OS10(conf-if-eth1/1/2)# ip ospf 1 area 0.0.0.0 OS10(conf-if-eth1/1/2)# exit 9.
Configure an anycast L3 gateway for all VTEPs in all virtual networks OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 Configure routing with an anycast gateway IP address for each virtual network OS10(config)# interface virtual-network 10000 OS10(config-if-vn-10000)# ip vrf forwarding tenant1 OS10(config-if-vn-10000)# ip address 10.1.0.234/16 OS10(config-if-vn-10000)# ip virtual-router address 10.1.0.
OS10(conf-if-eth1/1/1)# exit OS10(config)# interface OS10(conf-if-eth1/1/2)# OS10(conf-if-eth1/1/2)# OS10(conf-if-eth1/1/2)# OS10(conf-if-eth1/1/2)# OS10(conf-if-eth1/1/2)# ethernet1/1/2 no shutdown no switchport ip address 172.17.2.1/31 ip ospf 1 area 0.0.0.0 exit OS10(config)# interface OS10(conf-if-eth1/1/3)# OS10(conf-if-eth1/1/3)# OS10(conf-if-eth1/1/3)# OS10(conf-if-eth1/1/3)# OS10(conf-if-eth1/1/3)# ethernet1/1/3 no shutdown no switchport ip address 172.18.2.1/31 ip ospf 1 area 0.0.0.
Table 25. Differences between Static VXLAN and VXLAN BGP EVPN Static VXLAN VXLAN BGP EVPN To start sending and receiving virtual-network traffic to and from a remote VTEP, manually configure the VTEP as a member of the virtual network. No manual configuration is required. Each remote VTEP is automatically learned as a member of a virtual network from the EVPN routes received from the remote VTEP. After a remote VTEP address is learned, VXLAN traffic is sent to, and received from, the VTEP.
Leaf nodes are typically top-of-rack (ToR) switches in a data center network. They act as the VXLAN tunnel endpoints and perform VXLAN encapsulation and decapsulation. Leaf nodes also participate in the MP-BGP EVPN to support control plane and data plane functions. Control plane functions include: ● Initiate and maintain route adjacencies using any routing protocol in the underlay network. ● Advertise locally learned routes to all MP-BGP EVPN peers.
You can auto-generate or manually configure the RT import and export for each EVI. In auto-EVI mode, RT auto-generates. In manual EVI configuration mode, you can auto-generate or manually configure the RT. The RT consists of a 2-octet type and a 6-octet value. If you auto-configure a RT, the encoding format is different for a 2-byte and 4-byte AS number (ASN): ● For a 2-byte ASN, the RT type is set to 0200 (Type 0 in RFC 4364). The RT value is encoded in the format described in section 5.1.2.
g. Assign the BGP neighbor to an autonomous system in ROUTER-BGP-NEIGHBOR mode. remote-as as-number h. Enable the peer session with the BGP neighbor in ROUTER-BGP-NEIGHBOR mode. no shutdown i. Return to ROUTER-BGP mode. exit For each BGP peer session in the overlay network: a. Configure the BGP peer using its Loopback IP address on the VTEP in ROUTER-BGP mode. neighbor loopback-ip-address b. Assign the BGP neighbor Loopback address to the autonomous system in ROUTER-BGP-NEIGHBOR mode.
OS10(config-router-neighbor-af)# exit OS10(config-router-bgp-neighbor)# exit ● On each spine switch, disable sender-side loop detection to leaf switch neighbors in ROUTER-BGP-NEIGHBOR-AF mode. OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit m.
Display the EVPN instance configuration OS10# show evpn evi 1 EVI : 65447, State : up Bridge-Domain : Route-Distinguisher : Route-Targets : Inclusive Multicast : (Virtual-Network)100, (VNI)100 1:110.111.170.102:65447(auto) 0:101:268435556(auto) both 110.111.170.107 Display the VXLAN overlay for the EVPN instance OS10# show VXLAN-VNI 100001 100010 evpn EVI 1 2 vxlan-vni Virtual-Network-Instance 1 2 Display the BGP neighbors in the EVPN instances OS10# show ip bgp neighbors 110.111.170.
*> Route distinguisher: 110.111.170.107:64536 [3]:[0]:[32]:[110.111.170.107]/152 110.111.170.107 0 100 0 100 101 ? Display the EVPN routes for host MAC addresses OS10# show evpn mac Type -(lcl): Local (rmt): remote EVI 50 50 Mac-Address 00:00:00:aa:aa:aa 00:00:00:cc:cc:cc Type rmt lcl Seq-No 0 0 Interface/Next-Hop 55.1.1.3 ethernet1/1/8:1 Seq-No 0 0 Interface/Next-Hop 55.1.1.
BGP EVPN with VLT OS10 supports BGP EVPN operation between VLT peers that you configure as VTEPs. For more information about configurations and best practices to set up VLT for VXLAN, see Configure VXLAN — Configure VLT. This information also applies to BGP EVPN for VXLAN. Dell EMC recommends configuring iBGP peering for the IPv4 address family between the VTEPs in a VLT pair on a dedicated L3 VLAN that is used when connectivity to the underlay L3 network is lost.
Figure 11. BGP EVPN in VLT domain VXLAN BGP commands activate (l2vpn evpn) Enables the exchange of L2 VPN EVPN address family information with a BGP neighbor or peer group. Syntax activate Parameters None Default Not configured Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information Use this command to exchange L2 VPN EVPN address information for VXLAN host-based routing with a BGP neighbor. The IPv4 unicast address family is enabled by default.
Example Supported Releases OS10(conf-router-neighbor)# address-family l2vpn evpn unicast OS10(conf-router-bgp-neighbor-af)# activate 10.2.0E or later address-family l2vpn evpn Configures the L2 VPN EVPN address family for VXLAN host-based routing to a BGP neighbor.
Default Enabled Command Mode ROUTER-BGP-NEIGHBOR-AF Usage Information This command helps detect routing loops, based on the AS path before it starts advertising routes. To configure a neighbor to accept routes use the neighbor allowas-in command. The no version of this command disables sender-side loop detection for that neighbor. Example (IPv4) Example (IPv6) Supported Releases OS10(conf-router-bgp-102)# neighbor 3.3.3.
5.5.5.5 6.6.6.6 4294967295 4294967295 4947 2413 8399 7310 01:10:39 05:51:56 11514 504 OS10# show ip bgp l2vpn evpn neighbors BGP neighbor is 3.3.3.3, remote AS 4294967295, local AS 4294967295 internal link BGP version 4, remote router ID 3.3.3.
● For a 4-byte autonomous system: ○ The RD auto-configures as Type 1 from the overlay network source IP address and the autogenerated EVI index. ○ The RT auto-configures as Type 2 from the 4-byte AS and the 2-byte EVI—Type encoded as 0x0202. Example Supported releases OS10(config)# evpn OS10(config-evpn)# auto-evi 10.4.2.0 or later evi Creates an EVPN instance (EVI) in EVPN mode. Syntax evi id Parameters id Enter the EVPN instance ID, from 1 to 65535.
Parameters A.B.C.D: [1-65535] Manually configure the RD with a 4-octet IPv4 address then a 2-octet-number, from 1-65535. auto Configure the RD to automatically generate. Default Not configured Command mode EVPN-EVI Usage information A RD maintains the uniqueness of an EVPN route between different EVPN instances. The RD autoconfigures as Type 1 from the overlay network source IP address and the auto-generated EVPN instance ID.
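The auto-derivation rules above, worked through in Python as an added example (not Dell EMC code). The 4-byte-AS RT and the Type 1 RD follow the text; the 2-byte-AS RT value layout is an assumption taken from RFC 8365 section 5.1.2.1, and it reproduces the sample values in this guide's show evpn evi output (RD 1:110.111.170.102:65447 and RT 0:101:268435556 for VNI 100). The function names and the type:admin:value display format for the 4-byte case are illustrative.

```python
import ipaddress
import struct

# Assumption (RFC 8365 sec. 5.1.2.1): 3-bit service type in the RT value, 1 = VXLAN.
VXLAN_SERVICE_TYPE = 1


def auto_rd(source_ip: str, evi: int) -> bytes:
    """Type 1 RD: 2-octet type 1, 4-octet IPv4 source address, 2-octet EVI index."""
    if not 1 <= evi <= 0xFFFF:
        raise ValueError("EVI must be 1..65535")
    return struct.pack("!H4sH", 1, ipaddress.IPv4Address(source_ip).packed, evi)


def auto_rt(asn: int, vni: int, evi: int) -> bytes:
    """8-octet route target: 2-octet type/sub-type followed by a 6-octet value."""
    if not 1 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN out of range")
    if not 1 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must be 1..16777215")
    if not 1 <= evi <= 0xFFFF:
        raise ValueError("EVI must be 1..65535")
    if asn <= 0xFFFF:
        # 2-byte AS: type 0x00, sub-type 0x02 (route target), then the AS and a
        # 4-octet value: A bit 0 (auto), 3-bit type, 4-bit domain ID 0, 24-bit VNI.
        local_admin = (VXLAN_SERVICE_TYPE << 28) | vni
        return struct.pack("!BBHI", 0x00, 0x02, asn, local_admin)
    # 4-byte AS: type encoded as 0x0202, then the 4-byte AS and the 2-byte EVI.
    return struct.pack("!BBIH", 0x02, 0x02, asn, evi)


def show_rd(rd: bytes) -> str:
    """Render a Type 1 RD the way the show evpn evi sample prints it."""
    rd_type, ip, number = struct.unpack("!H4sH", rd)
    if rd_type != 1:
        raise ValueError("only Type 1 RDs are handled here")
    return f"{rd_type}:{ipaddress.IPv4Address(ip)}:{number}"


def show_rt(rt: bytes) -> str:
    """Render an RT as type:AS:value; rejects anything that is not a route target."""
    if len(rt) != 8 or rt[1] != 0x02:
        raise ValueError("not an 8-octet route-target extended community")
    if rt[0] == 0x00:
        asn, value = struct.unpack("!HI", rt[2:])
    elif rt[0] == 0x02:
        asn, value = struct.unpack("!IH", rt[2:])
    else:
        raise ValueError("unsupported extended community type")
    return f"{rt[0]}:{asn}:{value}"


def decode_2byte_as_value(value: int) -> dict:
    """Split the 4-octet value of a 2-byte-AS auto RT into its fields."""
    return {
        "auto_derived": (value >> 31) == 0,
        "service_type": (value >> 28) & 0x7,
        "domain_id": (value >> 24) & 0xF,
        "service_id": value & 0xFFFFFF,
    }


if __name__ == "__main__":
    # Values from the show evpn evi sample in this guide.
    print(show_rd(auto_rd("110.111.170.102", 65447)))
    print(show_rt(auto_rt(101, 100, 65447)))
    print(decode_2byte_as_value(268435556))
    # Constructed 4-byte-AS case.
    print(show_rt(auto_rt(4294967295, 100, 811)))
```

Decoding the displayed RT value this way makes it easy to confirm that two VTEPs derive the same import and export targets for a VNI before looking for missing EVPN routes.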
show evpn evi Displays the configuration settings of EVPN instances. Syntax show evpn evi [id] Parameters id — (Optional) Enter the EVPN instance ID, from 1 to 65535. Default Not configured Command mode EXEC Usage information Use this command to verify EVPN instance status, associated VXLAN virtual networks and the RD and RT values the BGP EVPN routes use in the EVI. The status of integrated routing and bridging (IRB) and the VRF used for EVPN traffic also display.
Local MAC Address Count : Remote MAC Address Count : 1 2 OS10# show evpn mac evi 811 next-hop 80.80.1.8 count EVI 811 next-hop 80.80.1.8 MAC Entries : Remote MAC Address Count : 2 Supported releases 10.4.2.0 or later show evpn mac-ip Displays the BGP EVPN Type 2 routes used for host MAC-IP address binding.
106 106 14:18:77:25:6f:84 14:18:77:25:6f:84 lcl lcl 0 0 16.16.16.2 2001:16::16:2 OS10# show evpn mac-ip evi 104 Type EVI 104 104 104 104 -(lcl): Local (rmt): remote Mac-Address 14:18:77:25:4d:b9 14:18:77:25:4d:b9 14:18:77:25:6e:b9 14:18:77:25:6e:b9 Type rmt rmt lcl lcl Seq-No 0 0 0 0 Host-IP Interface/Next-Hop 14.14.14.1 95.0.0.3 2001:14::14:1 95.0.0.3 14.14.14.
show evpn vxlan-vni Displays the VXLAN overlay network for EVPN instances. Syntax show evpn vxlan-vni [vni] Parameters vni — (Optional) Enter the VXLAN virtual-network ID, from 1 to 16,777,215. Default Not configured Command mode EXEC Usage information Use this command to verify the VXLAN virtual network and bridge domain used by an EVPN instance. Example OS10# show evpn vxlan-vni VXLAN-VNI 100 Supported releases EVI 65447 Bridge-Domain 65447 10.4.2.
Figure 12. VXLAN BGP EVPN use case VTEP 1 Leaf Switch 1. Configure a Loopback interface for the VXLAN underlay using same IP address as the VLT peer OS10(config)# interface loopback0 OS10(conf-if-lo-0)# no shutdown OS10(conf-if-lo-0)# ip address 192.168.1.1/32 OS10(conf-if-lo-0)# exit 2.
3. Configure VXLAN virtual networks OS10(config)# virtual-network 10000 OS10(config-vn)# vxlan-vni 10000 OS10(config-vn-vxlan-vni-10000)# exit OS10(config-vn)# exit OS10(config)# virtual-network 20000 OS10(config-vn)# vxlan-vni 20000 OS10(config-vn-vxlan-vni-20000)# exit OS10(config-vn)# exit 4.
OS10(configure-router-bgpv4-af)# redistribute connected OS10(configure-router-bgpv4-af)# exit 8. Configure eBGP for the IPv4 point-to-point peering OS10(config-router-bgp-100)# neighbor 172.16.1.
12. Configure VLT Configure a dedicated L3 underlay path to reach the VLT Peer in case of a network failure OS10(config)# interface vlan4000 OS10(config-if-vl-4000)# no shutdown OS10(config-if-vl-4000)# ip address 172.16.250.0/30 OS10(config-if-vl-4000)# ip 1 area 0.0.0.
Configure routing on the virtual networks OS10(config)# interface OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# virtual-network10000 ip vrf forwarding tenant1 ip address 10.1.0.231/16 ip virtual-router address 10.1.0.
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# switchport access vlan 200
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6.
OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-neighbor-af)# no activate OS10(config-router-neighbor-af)# exit OS10(config-router-bgp-neighbor)# address-family l2vpn evpn OS10(config-router-neighbor-af)# activate OS10(config-router-neighbor-af)# allowas-in 1 OS10(config-router-neighbor-af)# exit OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor 172.202.0.
OS10(conf-vlt-1)# vlt-mac aa:bb:cc:dd:ee:ff
OS10(conf-vlt-1)# exit
Configure UFD with uplink VLT ports and downlink network ports
OS10(config)# uplink-state-group 1
OS10(conf-uplink-state-group-1)# enable
OS10(conf-uplink-state-group-1)# downstream ethernet1/1/1-1/1/2
OS10(conf-uplink-state-group-1)# upstream port-channel10
OS10(conf-uplink-state-group-1)# upstream port-channel20
OS10(conf-uplink-state-group-1)# exit
Configure iBGP IPv4 peering between VLT peers
OS10(config)# router bgp 100
OS10(config-ro
OS10(config-vn-vxlan-vni-10000)# exit OS10(config-vn)# exit OS10(config)# virtual-network 20000 OS10(config-vn)# vxlan-vni 20000 OS10(config-vn-vxlan-vni-20000)# exit OS10(config-vn)# exit 4. Configure unused VLAN ID for untagged membership OS10(config)# virtual-network untagged-vlan 4000 5.
9. Configure eBGP for the IPv4 point-to-point peering OS10(config-router-bgp-100)# neighbor 172.18.1.1 OS10(config-router-neighbor)# remote-as 101 OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# address-family ipv4 unicast OS10(config-router-bgp-neighbor-af)# allowas-in 1 OS10(config-router-bgp-neighbor-af)# exit OS10(config-router-neighbor)# no shutdown OS10(config-router-neighbor)# exit OS10(config-router-bgp-100)# neighbor 172.18.2.
OS10(config-evpn)# evi 2000 OS10(config-evpn-evi)# vni 20000 OS10(config-evpn-evi)# rd auto OS10(config-evpn-evi)# route-target both auto OS10(config-evpn-evi)# exit OS10(config-evpn)# exit 13.
14. Configure IP routing in the overlay network Create the tenant VRF OS10(config)# ip vrf tenant1 OS10(conf-vrf)# exit Configure an anycast gateway MAC address OS10(config)# ip virtual-router mac-address 00:01:01:01:01:01 Configure routing on the virtual networks OS10(config)# interface OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# OS10(conf-if-vn-10000)# virtual-network10000 ip vrf forwarding tenant1 ip address 10.1.0.233/16 ip virtual-router address 10.
OS10(conf-if-eth1/1/5)# channel-group 10 mode active
OS10(conf-if-eth1/1/5)# no switchport
OS10(conf-if-eth1/1/5)# exit
OS10(config)# interface port-channel20
OS10(conf-if-po-20)# no shutdown
OS10(conf-if-po-20)# switchport mode trunk
OS10(conf-if-po-20)# exit
OS10(config)# interface ethernet1/1/6
OS10(conf-if-eth1/1/6)# no shutdown
OS10(conf-if-eth1/1/6)# channel-group 20 mode active
OS10(conf-if-eth1/1/6)# no switchport
OS10(conf-if-eth1/1/6)# exit
6.
10. Configure a Loopback interface for BGP EVPN peering different from the VLT peer IP address OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.19.0.1/32 OS10(conf-if-lo-1)# exit 11. Configure BGP EVPN peering OS10(config)# router bgp 100 OS10(config-router-bgp-100)# neighbor 172.201.0.
OS10(config-if-vl-4000)# ip address 172.16.250.
OS10(conf-if-vn-10000)# exit
OS10(config)# interface virtual-network20000
OS10(conf-if-vn-20000)# ip vrf forwarding tenant1
OS10(conf-if-vn-20000)# ip address 10.2.0.234/16
OS10(conf-if-vn-10000)# ip virtual-router address 10.2.0.100
OS10(conf-if-vn-20000)# no shutdown
OS10(conf-if-vn-20000)# exit
Spine Switch 1
1.
OS10(conf-router-neighbor)# address-family ipv4 unicast OS10(conf-router-neighbor-af)# no sender-side-loop-detection OS10(conf-router-neighbor-af)# exit OS10(conf-router-neighbor)# exit OS10(conf-router-bgp-101)# exit 4. Configure a Loopback interface for BGP EVPN peering OS10(config)# interface loopback1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 172.202.0.1/32 OS10(conf-if-lo-1)# exit 5.
Spine Switch 2 1.
OS10(conf-if-lo-1)# ip address 172.202.0.1/32 OS10(conf-if-lo-1)# exit 5. Configure BGP EVPN peer sessions OS10(config)# router bgp 101 OS10(conf-router-bgp-101)# neighbor 172.16.0.
The following shows the integration of physical and virtual components in a controller-provisioned VXLAN environment: The NSX controller communicates with the OS10 VTEP using the OVSDB management protocol over a Secure Sockets Layer (SSL) connection. Establishing the communication between the controller and VTEP involves generating the SSL certificate at a VTEP and copying the certificate to the NSX controller.
● The OS10 VTEP sends MAC address addition or deletion events at the VXLAN access port to the NSX controller through the OVSDB protocol. The controller then propagates the information to the other VTEPs so that the VTEPs program their forwarding tables accordingly.
Steps to configure controller-provisioned VXLAN
To configure the NSX controller, follow these steps on each OS10 VTEP:
1. Assign an IPv4 address to a Loopback interface.
● add the interface as a member of any VLAN ● remove the interface from the controller configuration if the interface has active port-scoped VLAN (Port,VLAN) pairs configured by the controller To assign an interface to be managed by the OVSDB controller: 1. Configure an interface from CONFIGURATION mode. OS10(config)# interface ethernet 1/1/1 2. Configure L2 trunking in INTERFACE mode. OS10(config-if-eth1/1/1)# switchport mode trunk 3.
Because the VTEP relies on service nodes to replicate BUM traffic, a mechanism is needed to monitor the connectivity between the VTEP and the service nodes. BFD monitors the connectivity between the VTEP and the service nodes and detects failures. The NSX controller provides parameters, such as the minimum TX and RX interval, and the multiplier, to initiate the BFD session between the VTEP and the service nodes. To establish a BFD session, enable BFD on both the controller and the VTEP.
● Show output with details about the replicators available for the VNID. OS10# show nve replicators vnid 10009 Codes: * - Active Replicator BFD Status:Enabled Replicators State ----------------------2.2.2.3 Up 2.2.2.2* Up *— indicates the replicator to which the VTEP sends the BUM traffic for the specific VNID. Configure and control VXLAN from VMware vCenter You can configure and control VXLAN from the VMware vCenter GUI. Complete the following steps: 1.
After connectivity is successfully established between the VTEP and the NSX controller, the console displays the current connection status between the controller and the management IP address of the VTEP. 3. Create a logical switch. You can create a logical network that acts as the forwarding domain for virtualized and nonvirtualized server workloads on the physical and virtual infrastructure. The following steps configure the logical switch for NSX controller management. a.
4. Create a logical switch port that provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. 5. (Optional) Enable or disable BFD globally. The following steps enable or disable BFD configuration in the controller. a. Click Service Definitions from the left navigation pane. b. Click the Hardware Devices tab. c. Click the Edit button in the BFD Configuration. d.
After you configure a VMware NSX controller on a server VM, connect to the controller from the VXLAN gateway switch. For more information about the NSX controller configuration in the VTEP, see Configure a connection to an OVSDB controller. For more information about NSX controller configuration, see the NSX User Guide from VMware. Example: VXLAN with a controller configuration This example shows a simple NSX controller and a hardware OS10 VTEP deployed in a VXLAN environment.
● Configure the NSX controller in VMware vCenter. For more information about configuring the NSX controller using the GUI, see Configure and control VXLAN from VMware vCenter. You must configure an OS10 VTEP with the controller configuration so that the VTEP can communicate with the NSX controller. The NSX controller handles configurations and control plane operations in the VXLAN environment. VTEP 1 1. Configure the OSPF protocol in the underlay.
3. Create an NVE instance and configure a Loopback interface as the VXLAN source tunnel interface. OS10(config)# nve OS10(config-nve)# source-interface loopback 1 4. Specify the NSX controller reachability information. OS10(config-nve)# controller ovsdb OS10(config-nve-ovsdb)# ip 10.16.140.182 port 6640 ssl OS10(config-nve-ovsdb)# max-backoff 10000 OS10(config-nve-ovsdb)# exit 5. Assign interfaces to be managed by the controller.
----------------------13.0.0.5 Up 13.0.0.3 Up 13.0.0.2 Up To view the remote VTEP status, use the show nve remote-vtep command. OS10# show nve remote-vtep IP Address: 13.0.0.2, State: up, Encap: VxLAN VNI list: ,6000 IP Address: 13.0.0.3, State: up, Encap: VxLAN VNI list: ,6000 IP Address: 13.0.0.5, State: up, Encap: VxLAN VNI list: ,6000 IP Address: 202.0.0.
VNI list: ,6000 IP Address: 13.0.0.5, VNI list: ,6000 IP Adress: 200.0.0.1, VNI list: 6000 State: up, Encap: VxLAN State: up, Encap: Vxlan VXLAN Controller commands controller ovsdb Changes the mode to CONFIGURATION-NVE-OVSDB from where you can configure the controller parameters. Syntax controller ovsdb Parameters None Default None Command mode CONFIGURATION-NVE Usage information The controller configuration initiates the OVSDB service on the OS10 switch.
max-backoff Configures a time interval, in milliseconds (ms). This is the duration the switch waits between the connection attempts to the controller. Syntax max-backoff interval Parameters interval—Enter the amount of time, in ms. This is the duration the switch waits between the connection attempts to the controller, from 1000 to 180000 ms.
Usage information This command is available only for the sysadmin and secadmin roles. This command generates the SSL certificate and restarts the OVSDB server to start using the newly generated certificate.
Example OS10# nve controller ssl-key-generate
Supported releases 10.4.3.0 or later
show nve controller
Displays information about the controller and the controller-managed interfaces.
Default None Command mode EXEC Usage information This command is available only for netadmin, sysadmin, and secadmin roles.
------------ ------------------------------478ec8ca-9c5a-4d29-9069-633af6c48002 [] false 1000 {} {state=BACKOFF} "ssl:10.16.140.171:6640" 52f2b491-6372-43e0-98ed-5c4ab0ca8542 [] true 1000 {} {sec_since_connect="37831", sec_since_disconnect="37832", state=ACTIVE} "ssl:10.16.140.173:6640" 7b8a7e36-6221-4297-b85e-51f910abcb5c [] true 1000 {} {sec_since_connect="87", sec_since_disconnect="99", state=ACTIVE} "ssl:10.16.140.172:6640" OS10# Supported releases 10.4.3.
9 UFT modes A switch in a Layer 2 (L2) network may require a larger MAC address table size, while a switch in a Layer 3 (L3) network may require a larger routing table size. Unified forwarding table (UFT) offers the flexibility to configure internal L2/L3 forwarding table sizes. OS10 supports several UFT modes for the forwarding tables. By default, OS10 selects a UFT mode that provides a reasonable size for all tables.
Table 30. UFT Modes — Table Size for Z9264F-ON
UFT Mode            L2 MAC Table Size   L3 Host Table Size   L3 Routes Table Size
Scaled-l2–switch    270336              8192                 32768
Scaled-l3–hosts     8192                270336               32768
Scaled-l3–routes    8192                8192                 262144
Default             139264              139264               32768
Table 31.
L3 Host Entries  : 147456  212992
L3 Route Entries : 32768   98304
View UFT information for all modes
OS10# show hardware forwarding-table mode all
Mode              default  scaled-l2  scaled-l3-routes  scaled-l3-hosts
L2 MAC Entries    163840   294912     32768             98304
L3 Host Entries   147456   16384      16384             212992
L3 Route Entries  32768    32768      131072            98304
IPv6 extended prefix routes
IPv6 addresses that contain prefix routes with a mask between /64 and /128 are called IPv6 extended prefix routes.
Syntax hardware forwarding-table mode {scaled-l2 | scaled-l3-routes | scaled-l3-hosts}
Parameters
● scaled-l2 — Enter the L2 MAC address table size.
● scaled-l3-routes — Enter the L3 routes table size.
● scaled-l3-hosts — Enter the L3 hosts table size.
Defaults The default parameters vary according to the platform. See UFT modes on page 746.
Command Mode CONFIGURATION
Usage Information Configure the sizes of the internal L2 and L3 forwarding tables to match the requirements of your network environment.
L2 MAC Entries   : 163840  98304
L3 Host Entries  : 147456  212992
L3 Route Entries : 32768   98304
Supported Releases 10.3.0E or later
show hardware forwarding-table mode all
Displays table sizes for the hardware forwarding table modes.
10 Security Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access. In addition to local authentication, OS10 supports remote authentication dial-in user service (RADIUS) and terminal access controller access control system (TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication requests to a server that contains all user authentication and network service access information.
User re-authentication To prevent users from accessing resources and performing tasks for which they are not authorized, OS10 allows you to require users to re-authenticate by logging in again when an authentication method or server changes, such as: ● Adding or removing a RADIUS server using the radius-server host command ● Adding or removing an authentication method using the aaa authentication login {console | default} {local | group radius | group tacacs+} command You can enable this feature so that use
The OS10 RBAC model provides separation of duty as well as greater security. It places some limitations on each role’s permissions to allow you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs. Assign user role To limit OS10 system access, assign a role when you configure each user. ● Enter a user name, password, and role in CONFIGURATION mode. username username password password role role ○ username username — Enter a text string.
boot protect disable username OS10# boot protect disable username root ● To display information about the current list of users configured for bootloader protection, use the show boot protect command. show boot protect (when disabled) OS10# show boot protect Boot protection disabled show boot protect (when enabled) OS10# show boot protect Boot protection enabled Authorized users: root linuxadmin admin Linuxadmin User Configuration OS10 supports two factory default users, the admin and linuxadmin.
To disable or lock the linuxadmin user, enter CONFIGURATION mode and execute the command system-user linuxadmin disable. OS10(config)# system-user linuxadmin disable OS10(config)# Enabling or unlocking the linuxadmin user: To enable or unlock the linuxadmin user, enter CONFIGURATION mode and execute the command no system-user linuxadmin disable.
OS10(config)# radius-server timeout 10 OS10(config)# ip radius source-interface mgmt 1/1/1 Configure RADIUS server for non-default VRFs OS10(config)# ip vrf blue OS10(conf-vrf)# exit OS10(config)# radius-server vrf blue View RADIUS server configuration OS10# show running-configuration ... radius-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b radius-server retransmit 10 radius-server timeout 10 ip radius source-interface mgmt 1/1/1 ...
Configure RADIUS over TLS authentication server OS10(config)# radius-server host 1.2.4.5 tls security-profile radius-prof key radsec OS10(config)# radius-server retransmit 10 OS10(config)# radius-server timeout 10 TACACS+ authentication Configure a TACACS+ authentication server by entering the server IP address or host name. You must also enter a text string for the key used to authenticate the OS10 switch on a TACACS+ host. The Transmission Control Protocol (TCP) port entry is optional.
3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b ip tacacs source-interface loopback 2 ... Delete TACACS+ server OS10# no tacacs-server host 1.2.4.5 Unknown user role When a RADIUS or TACACS+ server authenticates a user, it may return an unknown user role, or the role may be missing. In these cases, OS10 assigns the netoperator role and associated permissions to the user by default. You can reconfigure the default assigned role.
● Password-less login is disabled by default. To enable, use the username sshkey or username sshkey filename commands. ● Configure the list of cipher algorithms using the ip ssh server cipher cipher-list command. ● Configure Key Exchange algorithms using the ip ssh server kex key-exchange-algorithm command. ● Configure hash message authentication code (HMAC) algorithms using the ip ssh server mac hmac-algorithm command.
Apply the access lists to the VTY line with the {ip | ipv6} access-class access-list-name command. Example OS10(config)# ip access-list permit10 OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.
Configure user lockout
OS10(config)# password-attributes max-retry 4 lockout-period 360
Limit concurrent login sessions
To avoid an unlimited number of active sessions on a switch for the same user ID, you can limit the number of console and remote connections. Log in from a console connection by cabling a terminal emulator to the console serial port on the switch. Log in to the switch remotely through a virtual terminal line (VTY), such as Telnet and SSH.
To display information about user logins, use the show login-statistics command.
Enable login statistics
OS10(config)# login-statistics enable
To disable login statistics, use the no login-statistics enable command.
Privilege levels overview
Providing terminal access control to a switch is one method of securing the device and network. To increase security, you can allow users to access a subset of commands using privilege levels.
Privilege mode CLI mode line line-vty ● priv-lvl—Enter the keyword and then the privilege number, from 2 to 14. ● command-string—Enter the specific command. 2. Create a user name and password and assign a privilege level. CONFIGURATION username username password password role role [ priv-lvl privilege-level] ● username username—Enter a text string. A maximum of 32 alphanumeric characters; one character minimum. ● password password—Enter a text string.
Privilege mode    CLI mode
Exec              exec
configure         class-map, DHCP, logging, monitor, openflow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, or alias
interface         Ethernet, FC, loopback, mgmt, null, port-group, lag, breakout, range, port-channel, VLAN
route-map         route-map
router            router-bgp, router-ospf
line              line-vty
● priv-lvl—Enter the keyword and then the privilege number, from 2 to 14.
● command-string—Enter the specific command.
● Display audit log entries in EXEC mode. By default, 24 entries are displayed, starting with the oldest event. Enter reverse to display entries starting with the most recent events. You can change the number of entries displayed.
show logging audit [reverse] [number]
Clear audit log
● Clear all events in the audit log in CONFIGURATION mode.
clear logging audit
Example
OS10(config)# logging audit enable
OS10(config)# exit
OS10# show logging audit 4
<14>1 2019-02-14T13:15:06.
Command Mode CONFIGURATION
Usage Information You can enable the recording of accounting events in both the syslog and on TACACS+ servers. The no version of the command disables AAA accounting.
Example
OS10(config)# aaa accounting commands all console start-stop logging group tacacs+
Supported Releases 10.4.1.0 or later
aaa authentication login
Configures the AAA authentication method used for console, and SSH and Telnet logins.
○ Adding or removing an authentication method with the aaa authentication [local | radius] command.
● The no version of the command disables user re-authentication.
Example
OS10(config)# aaa re-authenticate enable
Supported Releases 10.4.0E(R1) or later
boot protect disable username
Allows you to disable bootloader protection.
Usage Information To display the contents of the audit log, use the show logging audit command.
Example
OS10# clear logging audit
Proceed to clear all audit log messages [confirm yes/no(default)]:yes
Supported Releases 10.4.3.0 or later
crypto ssh-key generate
Regenerate public keys used in SSH authentication.
Syntax crypto ssh-key generate {rsa bits | ecdsa bits | ed25519}
Parameters
● rsa bits — Regenerates the RSA key with the specified bit size (2048, 3072, or 4096; default 2048).
enable Enables a specific privilege level. Syntax enable privilege-level Parameters ● privilege-level—Enter the configured privilege level, from 0 to 15. Defaults 15 Command Mode Exec Usage Information Dell EMC Networking recommends configuring a password for privilege level 15 using the enable password command. If you do not configure a password for a level, you can switch to that level without entering a password, unless a password is configured for a highest intermediate level.
Supported Releases 10.4.3.0 or later
ip access-class
Filters connections based on an IPv4 access list in virtual terminal line.
Syntax ip access-class access-list-name
Parameters access-list-name—Enter the access list name.
Default Not configured
Command Mode LINE VTY CONFIGURATION
Usage Information The no version of this command removes the filter.
Example
OS10(config)# line vty
OS10(config-line-vty)# ip access-class deny10
Supported Releases 10.4.
● port-channel channel-id — Enter a port-channel ID, from 1 to 28. ● vlan vlan-id — Enter a VLAN ID, from 1 to 4093. Default Not configured. Command Mode CONFIGURATION Usage Information By default, no source interface is configured. OS10 selects the source IP address as the IP address of the interface from which a packet is sent to the TACACS+ server. The no version of this command removes the configured source interface.
Parameters cipher-list — Enter the list of cipher algorithms separated by space. The following is the list of cipher algorithms the SSH server supports: ● 3des-cbc ● aes128-cbc ● aes192-cbc ● aes256-cbc ● aes128-ctr ● aes192-ctr ● aes256-ctr ● aes128-gcm@openssh.com ● aes256-gcm@openssh.com ● blowfish-cbc ● cast128-cbc ● chacha20-poly1305@opens Default ● ● ● ● ● ● Command Mode CONFIGURATION Usage Information The no version of this command removes the configuration.
Command Mode CONFIGURATION
Usage Information The no version of this command disables the host-based authentication.
Example
OS10(config)# ip ssh server hostbased-authentication
Supported Releases 10.3.0E or later
ip ssh server kex
Configure the list of Key Exchange algorithms in the SSH server.
Syntax ip ssh server kex key-exchange-algorithm
Parameters key-exchange-algorithm — Enter the list of Key Exchange algorithms separated by space.
● ● ● ● ● ● ● ● ● ● ● umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com Default ● ● ● ● ● ● ● ● ● ● hmac-sha1 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.
Default 22
Command Mode CONFIGURATION
Usage Information The no version of this command removes the configuration.
Example
OS10(config)# ip ssh server port 255
Supported Releases 10.3.0E or later
ip ssh server pubkey-authentication
Enable public key authentication in an SSH server.
Syntax ip ssh server pubkey-authentication
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables the public key authentication.
Default Not configured
Command Mode CONFIGURATION
Usage Information None
Example
OS10(config)# line vty
OS10(config-line-vty)#
Supported Releases 10.4.0E(R1) or later
logging audit enable
Enable the recording of configuration and security events in the audit log.
Syntax logging audit enable
Parameters None
Defaults Not configured
Command Mode CONFIGURATION
Usage Information Audit log entries are saved locally and sent to configured Syslog servers.
Parameters None
Default Disabled
Command Mode CONFIGURATION
Usage Information Only the sysadmin and secadmin roles have access to this command. When enabled, user login information, including the number of successful and failed logins, role changes, and the last time a user logged in, displays after a successful login. The no login-statistics enable command disables login statistics.
Example
OS10(config)# login-statistics enable
Supported Releases 10.4.
Parameters
● max-retry number — (Optional) Sets the maximum number of consecutive failed login attempts for a user before the user is locked out, from 0 to 16.
● lockout-period minutes — (Optional) Sets the amount of time that a user ID is prevented from accessing the system after exceeding the maximum number of failed login attempts, from 0 to 43,200.
Default
● Maximum retries: 3 — A maximum of three failed login attempts is supported.
● Lockout period: 0 — No lockout period is configured.
Supported Releases 10.4.3.0 or later
radius-server host
Configures a RADIUS server and the key used to authenticate the switch on the server.
Syntax radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
Parameters
● hostname — Enter the host name of the RADIUS server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
Usage Information For RADIUS over TLS authentication, configure the radsec shared key on the server and OS10 switch. The show running-configuration output displays both the unencrypted and encrypted key in encrypted format. Configure global settings for the timeout and retransmit attempts allowed on RADIUS over TLS servers using the radius-server retransmit and radius-server timeout commands. The no version of this command removes a RADIUS server from RADIUS over TLS communication.
Parameters ● management — Enter the keyword to configure the RADIUS server for the management VRF instance. ● vrf-name — Enter the keyword then the name of the VRF to configure the RADIUS server for that non-default VRF instance. Defaults Not configured Command Mode CONFIGURATION Usage Information Use this command to associate RADIUS servers with a VRF. If you do not configure a VRF on the RADIUS server list, the servers are on the default VRF. RADIUS server lists and VRFs have one-to-one mapping.
Example Supported Releases OS10# show crypto ssh-key rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCogJtArA0fHJkFpioGaAcp+vrDQFC3l3XFHtd41wXY9kM0Ar+37y OzkjNIN1/8Ok+8aJtCoJKbcYaduMjmhVNrNUW5TUXoCnp1XNRpkJzgS7Lt47yi86rqrTCAQW4eSYJIJs4 +4ql9b4MF2D3499Ofn8uS82Mjtj0Nl01lbTbP3gsF4YYdBWaFqp root@OS10 10.4.1.0 or later show ip ssh Displays the SSH server information.
Usage Information Only the sysadmin and secadmin roles can display the audit log. Enter reverse to display entries starting with the most recent events. You can change the number of entries displayed. Audit log records are not displayed on the console as they occur. They are saved in the audit log and forwarded to any configured Syslog servers. Example OS10# show logging audit 4 <14>1 2019-02-14T13:15:06.283337+00:00 OS10 audispd - - - Node.1-Unit.
Role changed since last login : False
Failures since last login : 0
Time-frame in days : 25
Failures in time period : 0
Successes in time period : 1
Last Login Time : 2017-11-01T15:42:07Z
Last Login Location : 1001:10:16:210::4001
Supported Releases 10.4.0E(R1) or later
show privilege
Displays your current privilege level.
Syntax show privilege
Parameters None
Defaults Not configured
Command Mode EXEC
Example
OS10# show privilege
Current privilege level is 15.
Supported Releases 10.4.3.
Example
OS10# show users
Index Line  User  Role     Application Idle Login-Time            Location         Privilege
----- ----- ----- -------- ----------- ---- --------------------- ---------------- ---------
1     pts/0 admin sysadmin bash        >24h 2018-09-08 T06:51:37Z 10.14.1.91 [ssh] 15
2     pts/1 netad netadmin bash        >24h 2018-09-08 T06:54:33Z 10.14.1.91 [ssh] 10
Supported Releases 10.2.0E or later
Updated the command to display the privilege levels of all users on OS10 version 10.4.3.0 or later.
Parameters
● hostname — Enter the host name of the TACACS+ server.
● ip-address — Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the TACACS+ server.
● key 0 authentication-key — Enter an authentication key in plain text. A maximum of 42 characters.
● key 9 authentication-key — Enter an authentication key in encrypted format. A maximum of 128 characters.
● authentication-key — Enter an authentication key in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
Usage Information Use this command to associate TACACS servers with a VRF instance. If you do not configure a VRF in the TACACS server list, the servers are on the default VRF instance. TACACS server lists and VRFs have one-to-one mapping. When you remove the VRF instance, the TACACS server lists are also removed automatically. The no version of this command resets the value to the default.
Example
[no] tacacs-server management
[no] tacacs-server vrf red
Supported Releases 10.4.3.
Supported Releases 10.2.0E or later
Introduced the priv-lvl command on OS10 release 10.4.3.0 or later
username sshkey
Enables SSH password-less login using the public key for a remote client. The remote client is not prompted to enter a password.
Syntax username user_name sshkey sshkey_string
Parameters
● user_name — Enter the user name of the remote client.
role sysadmin
username user10 sshkey filename /test_file.txt
Supported Releases 10.4.1.0 or later
userrole inherit
Reconfigures the default netoperator role and permissions that OS10 assigns by default to a RADIUS or TACACS+-authenticated user with an unknown user role or privilege level. You can also configure an unknown RADIUS or TACACS+ user role to inherit permissions from an existing OS10 role.
● Provide assurance of trusted, provable identities (when using certificates digitally signed by a trusted CA).
● Provide security and confidentiality in switch-server communications in addition to user authentication. For example, you can download and install an X.509v3 certificate to enable public-key authentication in RADIUS over TLS authentication, also called RadSec.
● The intermediate CA downloads and installs the CA certificate. Afterwards, the intermediate CA can sign certificates for hosts in the network and for other intermediate CAs that are lower in the PKI hierarchy. ● The root and intermediate CA certificates, but not the corresponding private keys, are made publicly available on the network for network hosts to download. ● Whenever possible, store private keys offline or in a location restricted from general access. 3.
-------------------------------------
Dell_rootCA1.crt
OS10# show crypto ca-certs Dell_rootCA1.
If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate interactively; for example: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
○ If you enter fips after using the key-file private option in the crypto cert generate request command, a FIPS-compliant private key is stored in a hidden location in the internal file system that is not visible to users. If the certificate installation is successful, the file name of the host certificate and its common name are displayed. Use the filename to configure the certificate in a security profile (crypto security-profile command).
Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
If you do specify the cert-file option, you are prompted to enter the other parameter values for the certificate interactively; for example: You are about to be asked to enter information that will be incorporated in your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
| Installed FIPS certificates |
-------------------------------------
OS10# show crypto cert DellHost.pem
------------ Non FIPS certificate ----------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 245 (0xf5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: emailAddress = admin@dell.com
Validity
Not Before: Feb 11 20:10:12 2019 GMT
Not After : Feb 11 20:10:12 2020 GMT
Subject: emailAddress = admin@dell.
3. Use the security profile to configure X.509v3-based service; for example, to configure RADIUS over TLS authentication using an X.
CommonName = GeoTrust Universal CA
IssuerName = GeoTrust Universal CA
2. Generate a CSR, copy the CSR to a CA server, download the signed certificate, and install the host certificate.
OS10# crypto cert generate request cert-file home://s4048-001.csr key-file home://tsr6.key cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization "Dell EMC" orgunit Networking locality "Santa Clara" state California country US length 1024
Processing certificate ...
Example
OS10# crypto security-profile secure-radius-profile
OS10(config-sec-profile)# certificate Dell_host1
Supported releases 10.4.3.0 or later
cluster security-profile
Creates a security profile for a cluster application.
Syntax cluster security-profile profile-name
Parameters profile-name — Enter the name of the security profile, up to 32 characters.
crypto ca-cert install
Installs a certificate from a Certificate Authority that is copied to the switch.
Syntax crypto ca-cert install ca-cert-filepath [filename]
Parameters
● ca-cert-filepath — Enter the local path where the downloaded CA certificate is stored; for example, home://CAcert.pem or usb://CA-cert.pem.
● filename — (Optional) Enter the filename that the CA certificate is stored under in the OS10 trust store directory. Enter the filename in the filename.crt format.
[organization organization-name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length length] [altname alt-name]
Parameters
● request — Create a certificate signing request to copy to a CA.
● self-signed — Create a self-signed certificate.
● cert-file cert-path — (Optional) Enter the local path where the self-signed certificate or CSR will be stored. You can enter a full path or a relative path; for example, flash://certs/ s4810-001-request.csr or usb://s4810-001.crt.
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
If the system is in FIPS mode (crypto fips enable command), the CSR and private key are generated using approved algorithms from a cryptographic library that has been validated against the FIPS 140-2 standard.
It is possible to store a certificate in either FIPS mode or non-FIPS mode on the switch, but not in both modes, using the crypto cert install command and the optional fips option. You must ensure that certificates installed in FIPS mode are compliant with the FIPS 140-2 standard. Example Supported releases OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home://Dell_host1_CA1.key Processing certificate ... Certificate and keys were successfully installed as "Dell_host1_CA1.
Issuer: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_rootCA1 Validity Not Before: Jul 25 18:49:22 2018 GMT Not After : Jul 22 18:49:22 2028 GMT Subject: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit)
Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1 Validity Not Before: Jul 25 19:11:19 2018 GMT Not After : Jul 22 19:11:19 2028 GMT Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
email admin@dell.com organization "Dell EMC" orgunit Networking locality "santa Clara" state California country US length 1024
Processing certificate ...
Successfully created CSR file /home/admin/tor6-csr.pem and key
OS10# copy home://tor6-csr.pem scp://CAadmin:secret@172.11.222.1/s4048-001-csr.pem
OS10# copy scp://CAadmin:secret@172.11.222.1/s4048-001.crt usb://s4048-001-crt.pem
OS10# crypto cert install cert-file usb://s4048-001-crt.pem key-file usb://s4048-001crt.
11 OpenFlow
Switches implement the control plane and data plane in the same hardware. Software-defined network (SDN) decouples the software (control plane) from the hardware (data plane). A centralized SDN controller handles the control plane traffic and hardware configuration for data plane flows. The SDN controller is the "brain" of an SDN.
OpenFlow logical switch instance
In OpenFlow-only mode, you can configure only one logical switch instance. After you enable OpenFlow mode, create a logical switch instance. The logical switch instance is disabled by default. When the logical switch instance is enabled, the OpenFlow application starts the connection with the configured controller. When you create an OpenFlow logical switch instance, all the physical interfaces are automatically added to it.
Table 35. Supported fields
Fields          Support
match_fields    Supported
priority        Supported
counters        Supported
instructions    Supported
timeouts        Supported
cookie          Not supported
Group table     Not supported
Meter table     Not supported
Instructions
Each flow entry contains a set of instructions that execute when a packet matches the entry.
Table 36.
Table 37. Supported action sets (continued)
Action set    Support
qos           Not supported
group         Not supported
output        Supported
Action types
An action type associates with each packet.
Table 38.
Table 39.
OpenFlow protocol
The OpenFlow protocol supports three message types, each with multiple subtypes:
● Controller-to-switch
● Asynchronous
● Symmetric
Controller-to-switch
Table 40. Supported controller-to-switch types
Controller-to-switch types    Supported/Not supported
Feature request               Supported
Configuration get             Supported
Configuration set             Supported
Modify-state                  Supported
Read-state                    Supported
Packet-out                    Supported
Barrier                       Supported
Role-request                  Supported
Asynchronous
Table 41.
Table 43. Supported modes (continued)
Modes                         Supported/Not supported
Number of logical switches    One
Supported controllers         REST APIs on
                              ● RYU
                              ● ONOS
Flow table modification messages
Table 44. Supported messages
Flow table modification messages    Supported/Not supported
OFPFC_ADD=0                         Supported
OFPFC_MODIFY=1                      Supported
OFPFC_MODIFY_STRICT=2               Supported
OFPFC_DELETE=3                      Supported
OFPFC_DELETE_STRICT=4               Supported
Message types
Table 45.
Table 46.
Action structures Table 47.
Multipart message types Table 49.
Table 49. Supported message types (continued)
Message type description: Table features
Message: OFPMP_TABLE_FEATURES = 12
Request/Reply Body:
● The request body is empty or contains an array of struct ofp_table_features that includes the controller's desired view of the switch.
Table 51. Supported properties (continued)
Property type                        Supported/Not supported
OFPTFPT_WRITE_SETFIELD_MISS = 13     Not supported
OFPTFPT_APPLY_SETFIELD = 14          Supported
OFPTFPT_APPLY_SETFIELD_MISS = 15     Not supported
Group configuration
Table 52.
Table 55. Supported reasons (continued)
Flow-removed reasons         Supported/Not supported
OFPRR_DELETE = 2             Supported
OFPRR_GROUP_DELETE = 3       Not supported
Error types from switch to controller
Table 56.
With dynamic learning in an OpenFlow network, the OpenFlow switch receives a packet that does not match the flow table entries and sends the packet to the SDN controller to process it. The controller identifies the path the packet has to traverse and updates the flow table with a new entry. The controller also decides the caching time of the flow table entries.
Configure OpenFlow
Ensure IP connectivity between the switch and the controller.
4. Configure the OpenFlow controller to establish a connection with the logical switch instance.
OS10 (config-openflow-switch)# controller ipv4 ip-address port port-id
OS10 (config-openflow-switch)# controller ipv4 10.1.1.1 port 6633
where ip-address is the IP address of the controller and port 6633 is for OpenFlow communication.
5. Enter the no shutdown command to enable the logical switch instance.
Default TCP. The default port number is 6653. Command Mode OPENFLOW SWITCH CONFIGURATION Usage Information If you specify the security tls option, the OpenFlow application looks for the following certificates and private key in the following locations specified for certificate-based authentication. For information about obtaining certificates and installing them on the switch and the controller, see Establish TLS connection between the switch and the controller.
OS10 (config-openflow-switch)# dpid-mac-address 00:00:00:00:00:0a
OS10 (config-openflow-switch)#
Supported Releases 10.4.1 or later
in-band-mgmt
Configures the front-panel ports as the management interface that the SDN controller connects to.
Syntax in-band-mgmt interface ethernet node/slot/port[:subport]
Parameters node/slot/port[:subport]—Enter the physical port information.
mode openflow-only
Enables OpenFlow-only mode on the switch.
Syntax mode openflow-only
Parameters None
Default None
Command Mode OPENFLOW CONFIGURATION
Usage Information Use this command to enable OpenFlow-only mode. This command reloads the switch and boots to OpenFlow-only mode. This command deletes all L2 and L3 configurations. However, the system management and AAA configurations are retained. The no form of this command prompts you to reload the switch.
Command Mode OPENFLOW SWITCH CONFIGURATION
Usage Information None
Example
OS10 (config)# openflow
OS10 (config-openflow)# switch of-switch-1
OS10 (config-openflow-switch)# probe-interval 20
OS10 (config-openflow-switch)#
Supported Releases 10.4.1 or later
protocol-version
Specifies protocol version the logical switch interface uses.
Syntax protocol-version version
Parameters version—Choose from one of the following:
● negotiate—Enter the keyword to negotiate versions 1.0 or 1.
rate-limit packet_in Configures the maximum packet rate for the controller connection, and the maximum packets permitted in a burst sent to the controller in a second. Syntax rate-limit packet_in controller-packet-rate [burst maximum-packets-tocontroller] Parameters ● controller-packet-rate—Rate in packets per second for the controller OpenFlow channel connection, from 100 to 268000000 seconds. The default is 0 seconds, disabled.
Switch mode : openflow-only
Match fields :
Layer-1 : in-port
Layer-2 : eth-src, eth-dst, eth-type, vlan-id, vlan-pcp
Layer-3 : ipv4-src, ipv4-dst, ip-protocol, ip-dscp, ip-ecn
Layer-4 : tcp-src, tcp-dst, udp-src, udp-dst, icmpv4-type, icmpv4-code
Instructions : apply-actions, write-actions
Actions : output, set-field
Set field actions : eth-src, eth-dst, vlan-id, vlan-pcp, ip-dscp
TLS parameters :
certificate identifying trustworthy controller : /config/etc/opt/ dell/os10/openflow/cacert.
show openflow ports Displays the OpenFlow ports for a specific logical switch instance. Syntax show openflow switch logical-switch-name ports Parameters logical-switch-name—Enter the name of the logical switch instance to view port information.
NONE ethernet1/1/21 NONE ethernet1/1/22 NONE ethernet1/1/23 NONE ethernet1/1/24 NONE ethernet1/1/25 COPPER ethernet1/1/26 COPPER ethernet1/1/27 NONE ethernet1/1/28 NONE ethernet1/1/29 NONE ethernet1/1/30 NONE ethernet1/1/31 NONE ethernet1/1/32 NONE Supported Releases 81 PORT_UP(CLI) LINK_DOWN 0MB FD NO 85 PORT_UP(CLI) LINK_DOWN 0MB FD NO 89 PORT_UP(CLI) LINK_DOWN 0MB FD NO 93 PORT_UP(CLI) LINK_DOWN 0MB FD NO 97 PORT_UP(CLI) LINK_DOWN 0MB FD NO 101 PORT_UP(CLI) LINK_DOWN 0MB
Supported Releases 10.4.1 or later
show openflow switch controllers
Displays OpenFlow controllers for a specific logical switch instance.
Syntax show openflow switch logical-switch-name controllers
Parameters logical-switch-name—Enter the name of the logical switch instance to query.
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show openflow switch of-switch-1 controllers
Logical switch name: of-switch-1
Total Controllers: 1
Controller: 1
Target: 10.16.208.
Supported Releases 10.4.1 or later OpenFlow-only mode commands When you configure the switch to OpenFlow-only mode, only the following commands are available; all other commands are disabled. NOTE: ● The ntp subcommand under the interface command is not applicable when the switch is in OpenFlow mode. ● The ip and ipv6 subcommands under the interface command are applicable only when you configure the interface as the management port using the in-band-mgmt command.
Table 57. Modes and CLI commands (continued) Mode Available CLI commands ntp openflow password-attributes policy-map radius-server rest scale-profile support-assist system tacacs-server trust username userrole EXEC All commands The following debug commands are not available: ● debug iscsi ● debug radius ● debug tacacs+ LAG INTERFACE CONFIGURATION LAG is not supported. LOOPBACK INTERFACE CONFIGURATION Loopback interface is not supported.
12 Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
An ACL is a filter containing criteria to match; for example, examine internet protocol (IP), transmission control protocol (TCP), or user datagram protocol (UDP) packets, and an action to take such as forwarding or dropping packets at the NPU.
MAC ACLs MAC ACLs filter traffic on the header of a packet. This traffic filtering is based on: Source MAC packet address MAC address range—address mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches all source addresses. Destination MAC packet address MAC address range—address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches all destination addresses.
○ IP_TYPE—IP type ○ IP_PROTOCOL—Protocols such as TCP, UDP, and so on ○ L4_DST_PORT—Destination port number ● IPv6 qualifiers: ○ DST_IPv6—Destination address ○ SRC_IPv6—Source address ○ IP_TYPE—IP Type; for example, IPv4 or IPv6 ○ IP_PROTOCOL—TCP, UDP, and so on ○ L4_DST_PORT—Destination port ● MAC qualifiers: ○ OUT_PORT—Egress CPU port ○ SRC_MAC—Source MAC address ○ DST_MAC—Destination MAC address ○ ETHER_TYPE—Ethertype ○ OUTER_VLAN_ID—VLAN ID ○ IP_TYPE—IP type ○ OUTER_VLAN_PRI—DOT1P value IP fragment han
L3 ACL rules Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all others are denied. TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
● Configure a drop or forward filter in IPV4-ACL mode.
seq sequence-number {deny | permit | remark} {ip-protocol-number | icmp | ip | protocol | tcp | udp} {source prefix | source mask | any | host} {destination mask | any | host ip-address} [count [byte]] [fragments]

Auto-generated sequence number

If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order you configure the filters.
L2 and L3 ACLs

Configure both L2 and L3 ACLs on an interface in L2 mode. Rules apply if you use both L2 and L3 ACLs on an interface.
● L3 ACL filters packets and then the L2 ACL filters packets
● Egress L3 ACL filters packets

Rules apply in order:
● Ingress L3 ACL
● Ingress L2 ACL
● Egress L3 ACL
● Egress L2 ACL

NOTE: In ingress ACLs, L2 has a higher priority than L3 and in egress ACLs, L3 has a higher priority than L2.

Table 58.
seq 40 deny ip 20.1.2.0/24 200.1.2.0/24 count (0 packets)
seq 50 permit ip 10.0.3.0 255.0.255.0 any count (0 packets)
seq 60 deny ip 20.0.3.0 255.0.255.0 any count (0 packets)
seq 70 permit tcp any eq 1000 100.1.4.0/24 eq 1001 count (0 packets)
seq 80 deny tcp any eq 2100 200.1.4.0/24 eq 2200 count (0 packets)
seq 90 permit udp 10.1.5.0/28 eq 10000 any eq 10100 count (0 packets)
seq 100 deny tcp host 20.1.5.
2. Return to CONFIGURATION mode.
exit
3. Create the access-list in CONFIGURATION mode.
ip access-list access-list-name
4. Create the rules for the access-list in ACCESS-LIST mode.
● To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
● To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
● To permit routes with a mask greater than /20, enter permit x.x.x.
○ If a route matches a prefix-list set to permit, the route is permitted and any set of actions apply

View both IP prefix-list and route-map configuration

OS10(conf-router-bgp-neighbor-af)# do show ip prefix-list
ip prefix-list p1:
seq 1 deny 10.1.1.0/24
seq 10 permit 0.0.0.0/0 le 32
ip prefix-list p2:
seq 1 permit 10.1.1.0/24
seq 10 permit 0.0.0.
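The ge/le matching and first-match evaluation used by the prefix lists above, as an added Python example (not Dell's code). It assumes the conventional prefix-list semantics: an entry without ge or le matches only its exact prefix length, le alone matches from the entry's own length up to le, ge alone matches from ge up to the maximum length, and a route that matches no entry is denied. The p1 entries are taken from the output above; the variant lists and test routes are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Entry syntax as shown in the "show ip prefix-list" output on this page:
#   seq <num> {permit|deny} <prefix/len> [ge <len>] [le <len>]
ENTRY_RE = re.compile(
    r"seq\s+(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<prefix>\S+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$"
)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    prefix: object          # ipaddress.IPv4Network or IPv6Network
    ge: Optional[int]
    le: Optional[int]

    def length_bounds(self):
        """Inclusive range of prefix lengths this entry accepts (assumed semantics)."""
        base = self.prefix.prefixlen
        if self.ge is None and self.le is None:
            return base, base                      # no ge/le: exact length only
        low = self.ge if self.ge is not None else base
        high = self.le if self.le is not None else self.prefix.max_prefixlen
        return low, high

    def matches(self, route):
        if route.version != self.prefix.version:
            return False
        low, high = self.length_bounds()
        # The route must sit inside the entry's prefix AND have an allowed length.
        return route.subnet_of(self.prefix) and low <= route.prefixlen <= high


def parse_prefix_list(lines):
    """Parse 'seq N permit|deny P/x [ge a] [le b]' lines into ordered entries."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised prefix-list entry: {line!r}")
        entries.append(Entry(
            seq=int(m["seq"]),
            action=m["action"],
            # strict=False tolerates host bits, as in "10.10.10.1/16"
            prefix=ipaddress.ip_network(m["prefix"], strict=False),
            ge=int(m["ge"]) if m["ge"] else None,
            le=int(m["le"]) if m["le"] else None,
        ))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries, route_text):
    """Return (action, seq) of the first matching entry; (deny, None) if none match."""
    route = ipaddress.ip_network(route_text)
    for entry in entries:
        if entry.matches(route):
            return entry.action, entry.seq
    return "deny", None     # assumed implicit deny at the end of the list


# p1 exactly as displayed on this page.
P1 = parse_prefix_list([
    "seq 1 deny 10.1.1.0/24",
    "seq 10 permit 0.0.0.0/0 le 32",
])
# Constructed variant: the deny entry also covers every more-specific route.
P1_COVERING = parse_prefix_list([
    "seq 1 deny 10.1.1.0/24 le 32",
    "seq 10 permit 0.0.0.0/0 le 32",
])
# Constructed: "permit any" written without le 32 matches only the default route.
DEFAULT_ONLY = parse_prefix_list(["seq 10 permit 0.0.0.0/0"])
# Constructed instance of the "ge 8 le 12" form, with 10.0.0.0/8 as the prefix.
GE_LE = parse_prefix_list(["seq 5 permit 10.0.0.0/8 ge 8 le 12"])

if __name__ == "__main__":
    routes = ["10.1.1.0/24", "10.1.1.128/25", "192.0.2.0/24", "0.0.0.0/0"]
    for name, plist in (("p1", P1), ("p1 + le 32", P1_COVERING),
                        ("default-only", DEFAULT_ONLY)):
        for r in routes:
            action, seq = evaluate(plist, r)
            print(f"{name:13} {r:16} -> {action:6} (seq {seq})")
```

Under these assumptions, p1 denies only the exact 10.1.1.0/24; a more-specific route such as 10.1.1.128/25 falls through to seq 10 and is permitted, so the deny entry needs le 32 when the intent is to filter the whole range.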
● Enter the IP address in A.B.C.D format of the next-hop for a BGP route update in ROUTE-MAP mode.
set ip next-hop address
● Enter an IPv6 address in A::B format of the next-hop for a BGP route update in ROUTE-MAP mode.
set ipv6 next-hop address
● Enter the range value for the BGP route’s LOCAL_PREF attribute in ROUTE-MAP mode, from 0 to 4294967295.
set local-preference range-value
● Enter a metric value for redistributed routes in ROUTE-MAP mode, from 0 to 4294967295.
Flow-based mirroring

Flow-based mirroring is a mirroring session in which traffic that matches specified policies is mirrored to a destination port. Port-based mirroring maintains a database that contains all monitoring sessions, including port monitor sessions. The database records which sessions are enabled for flow-based monitoring and which are not. Flow-based mirroring is also known as policy-based mirroring. To enable flow-based mirroring, use the flow-based enable command.
Enable flow-based monitoring

OS10(config)# monitor session 1 type local
OS10(conf-mon-local-1)# flow-based enable
OS10(config)# ip access-list testflow
OS10(conf-ipv4-acl)# seq 5 permit icmp any any capture session 1
OS10(conf-ipv4-acl)# seq 10 permit ip 102.1.1.
510 512
6    FCOE             55   457   512
7    FCOE             55   457   512
8    ISCSI_SNOOPING   12   500   512
9    FREE             0    512   512
10   PBR_V6           1    511   512
11   PBR_V6           1    511   512
------------------------------------------------------------------------------
Service Pools
------------------------------------------------------------------------------
App   Allocated pools   App group   Configured rules   Used rows   Free rows   Max rows
------------------------------------------------------------------------------
Known behavior

● On the S4200-ON platform, the show acl-table-usage detail command output lists several hardware pools as available (FREE), but you will see an "ACL CAM table full" warning log when the system creates a new service pool. The system will not be able to create any new service pools. The existing groups, however, can continue to grow up to the maximum available pool space.
ACL commands

clear ip access-list counters
Clears ACL counters for a specific access-list.
Syntax: clear ip access-list counters [access-list-name]
Parameters: access-list-name — (Optional) Enter the name of the IP access-list to clear counters. A maximum of 140 characters.
Default: Not configured
Command Mode: EXEC
Usage Information: If you do not enter an access-list name, all IPv6 access-list counters clear.
count of packets matching an access list, clear the counters to start at zero. To view access-list information, use the show access-lists command.
Example: OS10# clear mac access-list counters
Supported Releases: 10.2.0E or later

deny
Configures a filter to drop packets with a specific IP address.
Syntax: deny [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.
● ipv6 — (Optional) Enter the IPv6 address to deny.
● tcp — (Optional) Enter the TCP address to deny.
● udp — (Optional) Enter the UDP address to deny.
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● A::B/x — Enter the number of bits to match to the IPv6 address.
● any — (Optional) Enter the keyword any to specify any source or destination IP address.
● host ipv6-address — (Optional) Enter the keyword and the IPv6 address to use a host address only.
deny icmp Configures a filter to drop all or specific Internet Control Message Protocol (ICMP) messages. Syntax deny icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [[A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log] Parameters ● ● ● ● ● ● ● ● ● ● Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment.
Example Supported Releases OS10(config)# ipv6 access-list ipv6test OS10(conf-ipv6-acl)# deny icmp any any capture session 1 10.2.0E or later deny ip Configures a filter to drop all or specific packets from an IPv4 address. Syntax deny ip [A.B.C.D | A.B.C.D/x | any | host ip-address] [[A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | dscp value | fragment] Parameters ● A.B.C.D — Enter the IPv4 address in dotted decimal format. ● A.B.C.
Supported Releases 10.2.0E or later deny tcp Configures a filter that drops Transmission Control Protocol (TCP) packets meeting the filter criteria. Syntax deny tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● A.B.C.D — Enter the IPv4 address in A.B.C.D format. A.B.C.
Parameters ● ● ● ● ● ● ● ● ● ● ● Default Not configured Command Mode IPV6-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter. A::B — Enter the IPv6 address in hexadecimal format separated by colons. A::B/x — Enter the number of bits to match to the IPv6 address. any — (Optional) Enter the keyword any to specify any source or destination IP address.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number. The following options are available: ○ eq — Equal to ○ gt — Greater than ○ lt — Lesser than ○ neq — Not equal to ○ range — Range of ports, including the specified port numbers. Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter.
Usage Information OS10 cannot count both packets and bytes; when you use the count byte options, only bytes increment. The no version of this command removes the filter. The count, byte, and log options are not supported on the S5148F-ON platform. Example Supported Releases OS10(config)# ipv6 access-list ipv6test OS10(conf-ipv6-acl)# deny udp any any capture session 1 10.2.0E or later description Configures an ACL description.
ip access-list
Creates an IP access list to filter based on an IP address.
Syntax: ip access-list access-list-name
Parameters: access-list-name — Enter the name of an IPv4 access list. A maximum of 140 characters.
Default: Not configured
Command Mode: CONFIGURATION
Usage Information: None
Example: OS10(config)# ip access-list acl1
Supported Releases: 10.2.0E or later

ip as-path access-list
Create an AS-path ACL filter for BGP routes using a regular expression.
● local-AS — BGP does not advertise this route to external peers. ● no-export — BGP does not advertise this route outside a BGP confederation boundary. ● internet — BGP does not advertise this route to an Internet community. Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the community list. Example Supported Release OS10(config)# ip community-list standard STD_LIST deny local-AS 10.3.
Usage Information Example Supported Release The no version of this command removes the extended community list. OS10(config)# ip extcommunity-list standard STD_LIST deny 4byteasgeneric transitive 1.65534:40 10.3.0E or later ip extcommunity-list standard permit Creates an extended community list for BGP to permit access.
● ● ● ● A.B.C.D/x — (Optional) Enter the source network address and mask in /prefix format (/x). ge — Enter to indicate the network address is greater than or equal to the range specified. le — Enter to indicate the network address is less than or equal to the range specified. prefix-len — Enter the prefix length. Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the specified prefix-list.
Example: OS10(config)# ip prefix-list seqprefix seq 65535 deny 10.10.10.1/16 ge 10
Supported Release: 10.3.0E or later

ip prefix-list seq permit
Configures a filter to permit route filtering from a specified prefix list.
Syntax: ipv6 prefix-list [name] seq num permit A::B/x [ge | le] prefix-len
Parameters
Defaults: Not configured
Command Mode: CONFIGURATION
Usage Information: The no version of this command removes the specified prefix list.
ipv6 access-list
Creates an IP access list to filter based on an IPv6 address.
Syntax: ipv6 access-list access-list-name
Parameters: access-list-name — Enter the name of an IPv6 access list. A maximum of 140 characters.
Default: Not configured
Command Mode: CONFIGURATION
Usage Information: None
Example: OS10(config)# ipv6 access-list acl6
Supported Release: 10.2.0E or later

ipv6 prefix-list deny
Creates a prefix list to deny route filtering from a specified IPv6 network address.
Supported Release 10.3.0E or later ipv6 prefix-list permit Creates a prefix-list to permit route filtering from a specified IPv6 network address. Syntax ipv6 prefix-list prefix-list-name permit {A::B/x [ge | le] prefix-len} Parameters ● ● ● ● ● Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the specified prefix-list. Example Supported Release prefix-list-name — Enter the IPv6 prefix-list name.
● ● ● ● A::B/x — Enter the IPv6 address and mask in /prefix format (/x). ge — Enter to indicate the network address is greater than or equal to the range specified. le — Enter to indicate the network address is less than or equal to the range specified. prefix-len — Enter the prefix length. Defaults Not configured Command Mode CONFIGURATION Usage Information The no version of this command removes the specified prefix-list.
Example Supported Releases OS10(config)# mac access-list maclist 10.2.0E or later permit Configures a filter to allow packets with a specific IPv4 address. Syntax permit [protocol-number | icmp | ip | tcp | udp] [A.B.C.D | A.B.C.D/x | any | host ip-address] [A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log] Parameters ● protocol-number — (Optional) Enter the protocol number identified in the IP header, from 0 to 255.
● ● ● ● ● ● ● ● ● ● ● udp — (Optional) Enter the UDP address to permit. A::B — Enter the IPv6 address in hexadecimal format separated by colons. A::B/x — Enter the number of bits that must match the IPv6 address. any — (Optional) Enter the keyword any to specify any source or destination IP address. host ip-address — (Optional) Enter the IPv6 address to use a host address only. capture — (Optional) Capture packets the filter processes. count — (Optional) Count packets the filter processes.
permit icmp Configures a filter to permit all or specific ICMP messages. Syntax permit icmp [A.B.C.D | A.B.C.D/x | any | host ip-address] [[A.B.C.D | A.B.C.D/x | any | host ip-address] [capture | count | dscp value | fragment | log] Parameters ● ● ● ● ● ● ● ● ● ● Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter. A.B.C.
Example Supported Releases OS10(config)# ipv6 access-list ipv6test OS10(conf-ipv6-acl)# permit icmp any any capture session 1 10.2.0E or later permit ip Configures a filter to permit all or specific packets from an IPv4 address. Syntax permit ip [A.B.C.D | A.B.C.D/x | any | host ip-address] [[A.B.C.D | A.B.C.
Default Not configured Command Mode IPV6-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter. The count, byte, and log options are not supported on the S5148F-ON platform. Example Supported Releases OS10(conf-ipv6-acl)# permit ipv6 any any count capture session 1 10.2.0E or later permit tcp Configures a filter to permit TCP packets meeting the filter criteria.
Supported Releases: 10.2.0E or later

permit tcp (IPv6)
Configures a filter to permit TCP packets meeting the filter criteria.
Syntax: permit tcp [A::B | A::B/x | any | host ipv6-address [eq | lt | gt | neq | range]] [A::B | A::B/x | any | host ipv6-address [eq | lt | gt | neq | range]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters:
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
● ● ● ● ● ● ● capture — (Optional) Capture packets the filter processes. count — (Optional) Count packets the filter processes. byte — (Optional) Count bytes filter processes. dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63. fragment — (Optional) Use ACLs to control packet fragments. log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
● operator — (Optional) Enter a logical operator to match the packets on the specified port number. The following options are available: ○ eq — Equal to ○ gt — Greater than ○ lt — Lesser than ○ neq — Not equal to ○ range — Range of ports, including the specified port numbers. Default Not configured Command Mode IPV6-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter.
● ● ● ● byte — (Optional) Count bytes the filter processes. dscp value — (Optional) Permit a packet based on the DSCP values, from 0 to 63. fragment — (Optional) Use ACLs to control packet fragments. log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged. Default Not configured Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment.
Supported Releases 10.2.0E or later seq deny (MAC) Assigns a sequence number to a deny filter in a MAC access list while creating the filter. Syntax seq sequence-number deny {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} {nn:nn:nn:nn:nn:nn [00:00:00:00:00:00] | any} [protocol-number | capture | cos | vlan] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● nn:nn:nn:nn:nn:nn — Enter the source MAC address.
Command Mode IPV4-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number. The count, byte, and log options are not supported on the S5148F-ON platform. Example Supported Releases OS10(config)# ip access-list egress OS10(conf-ipv4-acl)# seq 5 deny icmp any any capture session 1 log 10.2.
● ● ● ● ● ● ● ● ● A.B.C.D/x — Enter the number of bits that must match the dotted decimal address. any — (Optional) Enter the keyword any to specify any source or destination IP address. host ip-address — (Optional) Enter the IPv4 address to use a host address only. capture — (Optional) Capture packets the filter processes. count — (Optional) Count packets the filter processes. byte — (Optional) Count bytes the filter processes. dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63.
Supported Releases 10.2.0E or later seq deny tcp Assigns a filter to deny TCP packets while creating the filter. Syntax seq sequence-number deny tcp [A.B.C.D | A.B.C.D/x | any | host ip-address [operator]] [[A.B.C.D | A.B.C.D/x | any | host ip-address [operator] ] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log] Parameters ● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214. ● A.B.C.
seq deny tcp (IPv6)
Assigns a filter to deny TCP packets while creating the filter.
Syntax: seq sequence-number deny tcp [A::B | A::B/x | any | host ipv6-address [operator]] [A::B | A::B/x | any | host ipv6-address [operator]] [ack | fin | psh | rst | syn | urg] [capture | count | dscp value | fragment | log]
Parameters:
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● A.B.C.D — Enter the IPv4 address in dotted decimal format. A.B.C.D/x — Enter the number of bits that must match the dotted decimal address. any — (Optional) Enter the keyword any to specify any source or destination IP address. host ip-address — (Optional) Enter the IPv4 address to use a host address only. ack — (Optional) Set the bit as acknowledgment. fin — (Optional) Set the bit as finish—no more data from sender. psh — (Optional) Set the bit as push.
● ● ● ● ● capture — (Optional) Capture packets the filter processes. dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63. fragment — (Optional) Use ACLs to control packet fragments. log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged. operator — (Optional) Enter a logical operator to match the packets on the specified port number.
Example Supported Releases OS10(config)# ip access-list testflow OS10(conf-ipv4-acl)# seq 10 permit ip any any capture session 1 log 10.2.0E or later seq permit (IPv6) Assigns a sequence number to permit IPv6 packets, while creating a filter.
○ protocol-number — (Optional) Enter the protocol number identified in the MAC header, from 600 to ffff. ○ capture — (Optional) Enter the capture packets the filter processes. ○ cos — (Optional) Enter the CoS value, from 0 to 7. ○ vlan — (Optional) Enter the VLAN number, from 1 to 4093. Default Not configured Command Mode MAC-ACL Usage Information The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number.
seq permit icmp (IPv6)
Assigns a sequence number to allow ICMP messages while creating the filter.
Syntax: seq sequence-number permit icmp [A::B | A::B/x | any | host ipv6-address] [A::B | A::B/x | any | host ipv6-address] [capture | count | dscp value | fragment | log]
Parameters:
● sequence-number — Enter the sequence number to identify the route-map for editing and sequencing number, from 1 to 16777214.
● A::B — Enter the IPv6 address in hexadecimal format separated by colons.
Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number. The count, byte, and log options are not supported on the S5148F-ON platform. Example Supported Releases OS10(config)# ip access-list egress OS10(conf-ipv4-acl)# seq 5 permit ip any any capture session 1 log 10.2.
● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● A.B.C.D — Enter the IPv4 address in dotted decimal format. A.B.C.D/x — Enter the number of bits that must match the dotted decimal address. any — (Optional) Enter the keyword any to specify any source or destination IP address. host ip-address — (Optional) Enter the IPv4 address to use a host address only. operator — (Optional) Enter a logical operator to match the packets on the specified port number.
● ● ● ● ● ● ● ● ● ● ● ● ○ lt — Lesser than ○ neq — Not equal to ○ range — Range of ports, including the specified port numbers. ack — (Optional) Set the bit as acknowledgment. fin — (Optional) Set the bit as finish—no more data from sender. psh — (Optional) Set the bit as push. rst — (Optional) Set the bit as reset. syn — (Optional) Set the bit as synchronize. urg — (Optional) Set the bit set as urgent. capture — (Optional) Capture packets the filter processes.
● ● ● ● ● ● ● ● syn — (Optional) Set the bit as synchronize. urg — (Optional) Set the bit set as urgent. capture — (Optional) Capture packets the filter processes. count — (Optional) Count packets the filter processes. byte — (Optional) Count bytes the filter processes. dscp value — (Optional) Deny a packet based on the DSCP values, from 0 to 63. fragment — (Optional) Use ACLs to control packet fragments. log — (Optional) Enables ACL logging. Information about packets that match an ACL rule are logged.
Default Not configured Command Mode IPV6-ACL Usage Information OS10 cannot count both packets and bytes; when you enter the count byte options, only bytes increment. The no version of this command removes the filter, or use the no seq sequence-number command if you know the filter’s sequence number. The count, byte, and log options are not supported on the S5148F-ON platform.
show access-lists
Displays IP, MAC, or IPv6 access-list information.
Syntax: show {ip | mac | ipv6} access-lists {in | out} access-list-name
Parameters:
● ip — View IP access list information.
● mac — View MAC access list information.
● ipv6 — View IPv6 access list information.
Default: Not configured
Command Mode: EXEC
Usage Information: None
Example (MAC In) Example (MAC Out) Example (IP In) Example (IP Out) Example (IPv6 In)
Example (IPv6 Out) Example (IP In - Control-plane ACL) Example (IPv6 In - Control-plane ACL) Example (MAC In - Control-plane ACL) Supported Releases

OS10# show ipv6 access-lists out
Egress IPV6 access list bbb
 Active on interfaces :
  ethernet1/1/1
  ethernet1/1/2
 seq 10 permit any any
Egress IPV6 access list ggg
 Active on interfaces :
  ethernet 1/1/1
 seq 5 permit ipv6 11::/32 any

OS10# show ip access-lists in
Ingress IP access-list aaa-cp-acl
 Active on interfaces :
  control-plane data
 seq 10 permit ip any a
1    SYSTEM_FLOW     98   414   512
2    SYSTEM_FLOW     98   414   512
3    USER_IPV4_ACL   4    508   512
4    USER_IPV4_ACL   4    508   512
5    FREE            0    512   512
6    USER_IPV6_ACL   4    508   512
7    USER_IPV6_ACL   4    508   512
8    USER_IPV6_ACL   4    508   512
9    USER_L2_ACL     4    508   512
10   USER_L2_ACL     4    508   512
11   FREE            0    512   512
---------------------------------------------------------------------------------
Service Pools
---------------------------------------------------------------------------------
App   Allocated pools   App group   Configured rules   Used rows
---------------
SYSTEM_FLOW   Shared:3   G0   49   49
---------------------------------------------------------------------------------
Ingress ACL utilization - Pipe 3
Hardware Pools
--------------------------------------------------------------------
Pool ID   App(s)   Used rows   Free rows   Max rows
--------------------------------------------------------------------
0    SYSTEM_FLOW     98   414   512
1    SYSTEM_FLOW     98   414   512
2    SYSTEM_FLOW     98   414   512
3    USER_IPV4_ACL   0    512   512
4    USER_IPV4_ACL   0    512   512
5    FREE            0    512   512
6    USER_IPV6_ACL   0    512   51
---------------------------------------------------------------------------------
App              Allocated pools   App group   Configured rules   Used rows
---------------------------------------------------------------------------------
USER_L2_ACL      Shared:1          G3          1                  2
USER_IPV4_ACL    Shared:1          G2          2                  3
USER_IPV6_ACL    Shared:2          G4          1                  2
PBR_V6           Shared:2          G10         1                  1
SYSTEM_FLOW      Shared:2          G0          49                 49
ISCSI_SNOOPING   Shared:1          G8          12                 12
FCOE             Shared:2          G6          55                 55
-----------------------------------------------------------------
show ip community-list
Displays the configured IP community lists in alphabetic order.
Syntax: show ip community-list [name]
Parameters: name — (Optional) Enter the name of the standard IP community list. A maximum of 140 characters.
Defaults: None
Command Mode: EXEC
Usage Information: None
Example:
OS10# show ip community-list
Standard Community List hello
 deny local-AS
 permit no-export
 deny 1:1
Supported Releases: 10.3.
Example:
OS10# show ip prefix-list
ip prefix-list hello:
 seq 10 deny 1.2.3.4/24
 seq 20 permit 3.4.4.5/32
Example (IPv6):
OS10# show ipv6 prefix-list
ipv6 prefix-list hello:
 seq 10 permit 1::1/64
 seq 20 deny 2::2/64
Supported Releases: 10.3.0E or later

show logging access-list
Displays the ACL logging threshold and interval configuration.
match as-path
Configures a filter to match routes that have a certain AS path in their BGP paths.
Syntax: match as-path as-path-name
Parameters: as-path-name — Enter the name of an established AS-PATH ACL. A maximum of 140 characters.
Default: Not configured
Command Mode: ROUTE-MAP
Usage Information: The no version of this command deletes a match AS path filter.
Example:
OS10(config)# route-map bgp
OS10(conf-route-map)# match as-path pathtest1
Supported Releases: 10.3.
match interface Configures a filter to match routes whose next-hop is the configured interface. Syntax match interface interface Parameters interface — Interface type: ● ethernet node/slot/port[:subport] — Enter the Ethernet interface information as the next-hop interface. ● port-channel id-number — Enter the port-channel number as the next-hop interface, from 1 to 128. ● vlan vlan-id —Enter the VLAN number as the next-hop interface, from 1 to 4093.
Example Supported Releases OS10(config)# route-map bgp OS10(conf-route-map)# match ip next-hop prefix-list test100 10.3.0E or later match ipv6 address Configures a filter to match routes based on IPv6 addresses specified in IP prefix lists. Syntax match ipv6 address {prefix-list prefix-list | access-list} Parameters ● prefix-list — Enter the name of the configured prefix list. A maximum of 140 characters. ● access-list — Enter the name of the access group or list.
Example Supported Releases OS10(conf-route-map)# match metric 429132 10.2.0E or later match origin Configures a filter to match routes based on the origin attribute of BGP. Syntax match origin {egp | igp | incomplete} Parameters ● egp — Match only remote EGP routes. ● igp — Match only on local IGP routes. ● incomplete — Match on unknown routes that are learned through some other means.
Parameters: tag-value — Enter the tag value to match with the tag number, from 0 to 4294967295.
Default: Not configured
Command Mode: ROUTE-MAP
Usage Information: The no version of this command deletes the match.
Example: OS10(conf-route-map)# match tag 656442
Supported Releases: 10.2.0E or later

route-map
Enables a route-map statement and configures its action and sequence number.
Syntax: route-map map-name [permit | deny | sequence-number]
Parameters:
● map-name — Enter the name of the route-map.
set comm-list delete
Removes communities in the specified list from the COMMUNITY attribute in a matching inbound or outbound BGP route.
Syntax: set comm-list {community-list-name} delete
Parameters: community-list-name — Enter the name of an established community list. A maximum of 140 characters.
Defaults: None
Command Mode: ROUTE-MAP
Usage Information: Configure the community list you use in the set comm-list delete command so that each filter contains only one community.
Usage Information Example Supported Releases In a route map, use this set command to add an extended list of communities that pass a permit statement to the EXTCOMMUNITY attribute of a BGP route sent or received from a BGP peer. Use the set extcomm-list delete command to delete an extended community list from a matching route. OS10(config)# route-map bgp OS10(conf-route-map)# set extcomm-list TestList add 10.4.
Parameters: value — Enter a number as the LOCAL_PREF attribute value, from 0 to 4294967295.
Default: Not configured
Command Mode: ROUTE-MAP
Usage Information: This command changes the LOCAL_PREF attribute for routes meeting the route map criteria. To change the LOCAL_PREF for all routes, use the bgp default local-preference command. The no version of this command removes the LOCAL_PREF attribute.
Example: OS10(conf-route-map)# set local-preference 200
Supported Releases: 10.2.
sets the MED of the advertised routes to the IGP cost of the next hop of the advertised route. If the cost of the next hop changes, BGP is not forced to readvertise the route. ○ external — Reverts to the normal BGP rules for propagating the MED, the default. ○ internal — Sets the MED of a received route that is being propagated to an external peer equal to the IGP costs of the indirect next hop.
Example: OS10(conf-route-map)# set origin egp
Supported Releases: 10.2.0E or later

set tag
Sets a tag for redistributed routes.
Syntax: set tag tag-value
Parameters: tag-value — Enter a tag number for the route to redistribute, from 0 to 4294967295.
Default: Not configured
Command Mode: CONFIGURATION
Usage Information: The no version of this command deletes the set clause from a route map.
Example: OS10(conf-route-map)# set tag 23
Supported Releases: 10.2.
Example:
OS10# show route-map
route-map abc, permit, sequence 10
 Match clauses:
  ip address (access-lists): hello
  as-path abc
  community hello
  metric 2
  origin egp
  route-type external type-1
  tag 10
 Set clauses:
  metric-type type-1
  origin igp
  tag 100
Supported Releases: 10.3.
13 Quality of service Quality of service (QoS) reserves network resources for highly critical application traffic with precedence over less critical application traffic. QoS prioritizes different types of traffic and ensures quality of service. You can control the following traffic flow parameters: Delay, Bandwidth, Jitter, and Drop. Different QoS features control the traffic flow parameters, as the traffic traverses a network device from ingress to egress interfaces.
Configuring QoS is a three-step process:
1. Create class-maps to classify the traffic flows. The following are the different types of class-maps:
● qos (default)—Classifies ingress data traffic.
● queuing—Classifies egress queues.
● control-plane—Classifies control-plane traffic.
● network-qos—Classifies traffic-class IDs for ingress buffer configurations.
● application—Classifies application-type traffic. The reserved policy-map policy-iscsi defines the actions for class-iscsi traffic.
2.
Ingress traffic classification

Ingress traffic can either be data or control traffic. By default, OS10 does not classify data traffic and assigns the default traffic class ID 0 to all data traffic. OS10 implicitly classifies all control traffic such as STP, OSPF, ICMP, and so on, and forwards the traffic to control plane applications.

Data traffic classification

You can classify the data traffic based on ACL or trust. ACL-based classification consumes a significant amount of network processor resources.
3 0-4 5 5-7 4. Apply the map on a specific interface or on system-qos, global level. ● Interface level OS10(conf-if-eth1/1/1)# trust-map dot1p dot1p-trust-map NOTE: In the interface level, the no version of the command returns the configuration to the system-qos level. If there is no configuration available at the system-qos level, the configuration returns to default mapping. ● System-qos level OS10(config-sys-qos)# trust-map dot1p dot1p-trust-map Configure default CoS trust map 1.
Table 60. Default DSCP trust map (continued)
DSCP values   TC id   Color
44-47         5       Y
48-51         6       G
52-55         6       Y
56-59         7       G
60-62         7       Y
63            7       R
User-defined DSCP trust map
Override the default mapping by creating a user-defined DSCP trust map. All the unspecified DSCP entries map to the default traffic class ID 0.
Configure user-defined DSCP trust map
1. Create a DSCP trust map.
OS10(config)# trust dscp-map dscp-trust-map
OS10(config-tmap-dscp-map)#
2.
● System-qos level OS10(config-sys-qos)# trust-map dscp default ACL based classification Classify the ingress traffic by matching the packet fields using ACL entries. Classify the traffic flows based on QoS-specific fields or generic fields, using IP or MAC ACLs. Create a class-map template to match the fields. OS10 allows matching any of the fields or all the fields based on the match type you configure in the class-map. Use the access-group match filter to match MAC or IP ACLs.
● any IP (IPv4 or IPv6) precedence
OS10(config-cmap-qos)# match ip-any precedence 2
● Pre-defined IP access-list
OS10(config-cmap-qos)# match ip access-group name ip-acl-1
● Pre-defined IPv6 access-list
OS10(config-cmap-qos)# match ipv6 access-group name ACLv6
● Pre-defined MAC access-list
OS10(config-cmap-qos)# match mac access-group name mac-acl-1
3. Create a qos-type policy-map to refer to the classes.
OS10(config)# policy-map cos-policy
4.
4. Attach the policy map to an interface or in system QoS mode. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# service-policy input type qos p1 or OS10(config)# system qos OS10(config-sys-qos)# service-policy input type qos p1 Control-plane policing Control-plane policing (CoPP) increases security on the system by protecting the route processor from unnecessary traffic and giving priority to important control plane and management traffic.
class test_Remapped_6 set qos-group 6 police cir 300 pir 300 In release 10.4.2, ARP_REQ is mapped to queue 6, ICMPV6_RS and ICMPV6_NS are mapped to queue 5, and ISCSI is mapped to queue 0. By default, CoPP traffic towards the CPU is classified into different queues as shown below. Table 61. CoPP: Protocol mappings to queues - prior to release 10.4.
Table 62. CoPP: Protocol mappings to queues, and default rate limits and buffer sizes - from release 10.4.
4. Associate a policy-map with a class-map in POLICY-MAP mode.
class class-name
5. Configure marking for a specific queue number in POLICY-MAP-CLASS-MAP mode, from 0 to 20.
set qos-group queue-number
6. Configure rate policing on incoming traffic in POLICY-MAP-CLASS-MAP mode.
police {cir committed-rate | pir peak-rate}
● cir committed-rate — Enter a committed rate value in pps, from 0 to 4000000.
● pir peak-rate — Enter a peak-rate value in pps, from 0 to 40000000.
View CMAP1 configuration OS10# show class-map type control-plane cmap1 Class-map (control-plane): cmap1 (match-any) View CoPP service-policy OS10# show policy-map type control-plane Service-policy(control-plane) input: pmap1 Class-map (control-plane): cmap1 set qos-group 6 police cir 200 bc 100 pir 200 be 100 View CoPP information OS10# show control-plane info Queue Min Rate Limit(in pps) Max Rate Limit(in pps) Protocols 0 600 1 1000 2 400 3 600 4 500 5 500 ICMPV6_NA 6 500 7 500 8 500 9 600 10 600 11 400 12
Egress traffic classification
Egress traffic is classified into different queues based on the traffic-class ID marked on the traffic flow. Set the traffic class ID for a flow by enabling trust or by classifying ingress traffic and marking it with a traffic class ID using a policy map. By default, the value of traffic class ID for all the traffic is 0. The order of precedence for a qos-map is:
1. Interface-level map
2. System-qos-level map
3. Default map
Table 63.
1. Create a queuing type class-map to match queue 5. OS10(config)# class-map type queuing q5 2. Define the queue to match. OS10(config-cmap-queuing)# match queue 5 Policing traffic Use policing to limit the rate of ingress traffic flow. The flow can be all the ingress traffic on a port or a particular flow assigned with a traffic class ID. In addition, use policing to color the traffic: ● When traffic arrives at a rate less than the committed rate, the color is green.
2. Create a QoS type policy-map to mark it with a traffic class ID and assign it to the CoS flow. OS10(config)# policy-map cos3-TC3 OS10(config-pmap-qos)# class cmap-cos3 OS10(config-pmap-c-qos)# set qos-group 3 Color traffic You can select a traffic flow and mark it with a color. Color the traffic flow based on: ● Metering. See Policing traffic. ● Default trust. See Trust-based classification. ● DSCP, ECN capable traffic (ECT), or non-ECT capable traffic. Color traffic based on DSCP, ECT, or non-ECT 1.
3. (Optional) Configure rate shaping on a specific queue by matching the corresponding qos-group in the class-map. If you do not configure the match qos-group command, rate shaping applies to all queues. match qos-group queue-number 4. Enter a minimum and maximum shape rate value in POLICY-MAP-QUEUEING-CLASS mode.
Class-map (queuing): lunar bandwidth percent 80 Strict priority queuing OS10 uses queues for egress QoS policy types. Enable priorities to dequeue all packets from the assigned queue before servicing any other queues. When you assign more than one queue strict priority, the highest number queue receives the highest priority. You can configure strict priority to any number of queues. By default, all queues schedule traffic per WDRR.
OS10(config)# policy-map type queuing solar OS10(conf-pmap-queuing)# class magnum OS10(conf-pmap-c-que)# priority OS10(conf-pmap-c-que)# exit OS10(conf-pmap-queuing)# exit OS10(config)# system qos OS10(conf-sys-qos)# service-policy output solar View QoS system OS10(conf-sys-qos)# do show qos system Service-policy (output)(queuing): solar Enable strict priority on interface OS10(config)# interface ethernet 1/1/5 OS10(conf-if-eth1/1/5)# service-policy output type queuing solar View policy-map OS10(conf-if-eth
Buffer management OS10 devices distribute the total available buffer resources into two buffer pools at ingress direction and three buffer pools at egress direction of all physical ports. All ports in a system are allocated a certain amount of buffers from corresponding pools based on the configuration state of each priority-group or queue. The remaining buffers in the pool are shared across all similarly configured ports.
Table 65. Default setting for LLFC (continued)
Speed                                                   10G    25G    40G    50G    100G
Default Xon threshold                                   36KB   45KB   75KB   91KB   142KB
Default Xoff threshold                                  9KB    9KB    9KB    9KB    9KB
Default dynamic shared buffer threshold (alpha value)   9KB    9KB    9KB    9KB    9KB
NOTE: The supported speed varies for different platforms.
Deep Buffer mode NOTE: This feature is supported only on the S4200-ON series. OS10 provides the flexibility to configure the buffer mode based on your system requirements. The system memory contains a list of packet buffers and per packet information (PPI), which is used to enable statistics tagging, ingress shaping, PFC, and output logical interface stamping per multicast traffic. You can configure Deep Buffer mode to manage switch buffer availability.
Next-boot Settings : Disabled The following is Deep Buffer mode status after saving the configuration in the startup configuration: OS10# show hardware deep-buffer-mode Deep Buffer Mode Configuration Status ------------------------------------------Current-boot Settings : Disabled Next-boot Settings : Enabled The following is Deep Buffer mode status after the switch reloads: OS10# show hardware deep-buffer-mode Deep Buffer Mode Configuration Status ------------------------------------------Current-boot
6. Enable WRED/ECN on a port.
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# random-detect wred_prof_1
7. Enable WRED/ECN on a service-pool.
OS10(config)# system qos
OS10(config-sys-qos)# random-detect pool 0 wred_prof_1
NOTE: On the S4200-ON Series platform, enable ECN globally only. Also, apply ECN configurations only at the queue level. You cannot configure ECN at the interface or service-pool levels.
Storm control Traffic storms created by packet flooding or other reasons may degrade the performance of the network. The storm control feature allows you to control unknown unicast, multicast, and broadcast traffic on L2 and L3 physical interfaces. In the storm control unknown unicast configuration, both the unknown unicast and unknown multicast traffic are rate-limited.
OS10 (config)# class-map type queuing Q3 OS10 (config)# match queue 3 6. Create a QoS map for ETS. OS10 (config)# qos-map traffic-class 2Q OS10(config-qos-map)# queue 0 qos-group 0-2, 4-7 OS10(config-qos-map)# queue 3 qos-group 3 7. Create a policy-map for PFC. OS10 (config)# policy-map type network-qos pfcdot1p3 OS10(config-pmap-network-qos)# class pfcdot1p3 OS10(config-pmap-c-nqos)# pause 8. Create an egress policy-map.
1. Enter INTERFACE mode and enter the no shutdown command.
OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
2. Change the switch port mode to trunk mode.
OS10(conf-if-eth1/1/1)# switchport mode trunk
3. Change the access VLAN management.
OS10(conf-if-eth1/1/1)# switchport access vlan 1
4. Specify the allowed VLANs on the trunk port.
OS10(conf-if-eth1/1/1)# switchport trunk allowed vlan 55
5. Apply the policy-map to the interface.
The following examples show each device in this network and their respective configuration: SW1 configuration VXLAN configuration — SW1 OS10# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# ip address 1.1.1.1/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 8.8.8.
OS10(config)# configure terminal OS10(config)# nve OS10(conf-nve)# source-interface loopback 1 OS10(conf-nve)# exit OS10(config)# virtual-network 5 OS10(conf-vn-5)# vxlan-vni 1000 OS10(conf-vn-vxlan-vni)# remote-vtep 2.2.2.
WRED and ECN configuration — SW1 OS10# configure terminal OS10(config)# wred w1 OS10(config-wred)# random-detect ecn OS10(config-wred)# random-detect color green minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color yellow minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 OS10(config-wred)# exit OS10(config)# class-map type queuing cq OS
OS10(config-router-ospf-1)# router-id 9.9.9.
OS10(config)# policy-map type network-qos llfc OS10(config-pmap-network-qos)# class llfc OS10(config-pmap-c-nqos)# pause buffer-size 120 pause-threshold 50 resume-threshold 12 OS10(config-pmap-c-nqos)# end OS10# configure terminal OS10(config)# interface range ethernet 1/1/1,1/1/20,1/1/31,1/1/32 OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol transmit on OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# flowcontrol receive on OS10(conf-range-eth1/1/1,1/1/20,1/1/31,1/1/32)# service-policy input typ
VXLAN configuration — VLT peer 2 OS10(config)# configure terminal OS10(config)# interface vlan 3000 OS10(conf-if-vl-3000)# ip address 5.5.5.3/24 OS10(conf-if-vl-3000)# exit OS10(config)# interface vlan 200 OS10(conf-if-vl-200)# exit OS10(config)# interface loopback 1 OS10(conf-if-lo-1)# no shutdown OS10(conf-if-lo-1)# ip address 2.2.2.2/32 OS10(conf-if-lo-1)# exit OS10(config)# router ospf 1 OS10(config-router-ospf-1)# router-id 10.10.10.
OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# service-policy input type network-qos p5 OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# trust-map dot1p t1 OS10(conf-range-eth1/1/1,1/1/20,1/1/11,1/1/12)# end LLFC configuration — VLT peer 2 Instead of PFC, you can configure LLFC as follows: OS10# configure terminal OS10(config)# class-map type network-qos llfc OS10(config-cmap-nqos)# match qos-group 0-7 OS10(config-cmap-nqos)# exit OS10(config)# policy-map type network-qos llfc OS10(config-pmap-network-qos)#
NOS# NOS# configure terminal NOS(config)# interface ethernet 1/1/3 NOS(conf-if-eth1/1/3)# switchport mode trunk NOS(conf-if-eth1/1/3)# switchport trunk allowed vlan 200 NOS(conf-if-eth1/1/3)# end NOS# NOS# configure terminal NOS(config)# interface port-channel 2 NOS(conf-if-po-2)# switchport mode trunk NOS(conf-if-po-2)# switchport trunk allowed vlan 200 NOS(conf-if-po-2)# end PFC configuration — ToR device NOS# configure terminal NOS(config)# trust dot1p-map t1 NOS(config-tmap-dot1p-map)# qos-group 0 dot1p
NOS(config-wred)# random-detect color red minimum-threshold 100 maximum-threshold 500 drop-probability 100 NOS(config-wred)# exit NOS(config)# class-map type queuing cq NOS(config-cmap-queuing)# match queue 5 NOS(config-cmap-queuing)# exit NOS(config)# policy-map type queuing pq NOS(config-pmap-queuing)# class cq NOS(config-pmap-c-que)# random-detect w1 NOS(config-pmap-c-que)# end NOS# configure terminal NOS(config)# interface range ethernet 1/1/1,1/1/2,1/1/3 NOS(conf-range-eth1/1/1,1/1/2,1/1/3)# flowcontro
● Detecting microburst congestion
● Monitoring buffer utilization and historical trends
● Determining optimal sizes and thresholds for the ingress or egress shared buffers and headroom on a given port or queue based on real-time data
NOTE: BST is not supported on the S4248F-ON and S5148F-ON platforms.
After you disable BST, be sure to clear the counter using the clear qos statistics type buffer-statistics-tracking command.
QoS commands
bandwidth
Assigns a percentage of weight to the queue.
Default Not configured Command Mode POLICY-MAP-QUEUEING POLICY-MAP-QOS POLICY-MAP-NQOS POLICY-MAP-CP POLICY-MAP-APPLICATION Usage Information If you define a class-map under a policy-map, the qos, queuing, or control-plane type is the same as the policy-map. You must create this map in advance. The only exception to this rule is when the policy-map type is trust, where the class type must be qos. Example Supported Releases OS10(conf-pmap-qos)# class c1 10.2.
Command Mode EXEC Usage Information None Example Supported Releases OS10# clear interface ethernet 1/1/1 10.3.0E or later clear qos statistics Clears all QoS-related statistics in the system. Syntax clear qos statistics Parameters None Default Not configured Command Mode EXEC Usage Information None Example Supported Releases OS10# clear qos statistics 10.2.0E or later clear qos statistics type Clears all queue counters for control-plane, qos, and queueing.
Example (BST) Supported Releases OS10# clear qos statistics type buffer-statistics-tracking 10.2.0E or later control-plane Enters CONTROL-PLANE mode. Syntax control-plane Parameters None Default Not configured Command Mode CONTROL-PLANE Usage Information If you attach an access-list to the class-map type of control-plane, the access-list ignores the permit and deny keywords.
NOTE: In S5148F-ON, when receive is turned on, it enables decoding of both LLFC and PFC frames on that port. ● transmit — (Optional) Indicates the local port can send flow control packets to a remote device. ● on — (Optional) When used with receive, allows the local port to receive flow control traffic. When used with transmit, allows the local port to send flow control traffic to the remote device.
● mac access-group name name — Enter an access-group name for the MAC access-list match criteria. A maximum of 140 characters. ● set dscp dscp-value — Enter a DSCP value for marking the DSCP packets, from 0 to 63. ● not — Enter the IP or CoS to negate the match criteria. ● vlan vlan-id — Enter a VLAN number for VLAN match criteria, from 1 to 4093. Default Not configured Command Mode CLASS-MAP Usage Information In a match-any class, you can enter multiple match criteria.
Example Supported Releases OS10(conf-cmap-qos)# match ip-any dscp 17-20 10.2.0E or later match precedence Configures IP precedence values as a match criteria. Syntax match [not] {ip | ipv6 | ip-any} precedence precedence-list Parameters ● ● ● ● ● Default Not configured Command Mode CLASS-MAP Usage Information You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement.
Usage Information Example Supported Releases You cannot enter two match statements with the same filter-type. If you enter two match statements with the same filter-type, the second statement overwrites the first statement. OS10(conf-cmap-qos)# match vlan 100 10.2.0E or later mtu Calculates the buffer size allocation for matched flows. Syntax mtu size Parameters size — Enter the size of the buffer (1500 to 9216).
Example (global and shared buffer)
OS10(config)# policy-map type network-qos nqGlobalpolicy1
OS10(conf-cmap-nqos)# class CLASS-NAME
OS10(conf-cmap-nqos-c)# pause buffer-size 45 pause-threshold 30 resume-threshold 30
OS10(config)# policy-map type network-qos nqGlobalpolicy1
OS10(conf-cmap-nqos)# class type network-qos nqclass1
OS10(conf-cmap-nqos-c)# pause buffer-size 45 pause-threshold 30 resume-threshold 10
Supported Releases 10.3.
Example Supported Releases OS10(config-sys-qos)# pfc-max-buffer-size 2000 10.4.0E(R1) or later pfc-shared-buffer-size Changes the shared buffers size limit for priority flow-control enabled flows. Syntax pfc-shared-buffer-size buffer-size Parameters buffer-size — Enter the size of the priority flow-control buffer in KB, from 0 to 8911. Default 832 KB Command Mode SYSTEM-QOS Usage Information The no version of this command returns the value to the default.
Parameters ● cir committed-rate — Enter a committed rate value in kilo bits per second, from 0 to 4000000. ● bc committed-burst-size — (Optional) Enter the committed burst size in packets for control plane policing and in KB for data packets, from 16 to 200000. ● pir peak-rate — Enter a peak-rate value in kilo bits per second, from 0 to 40000000. ● be peak-burst-size — (Optional) Enter a peak burst size in kilo bytes, from 16 to 200000.
Command Mode POLICY-MAP-CLASS-MAP Usage Information If you use this command, bandwidth is not allowed. Only the egress QoS policy type supports this command. Example Supported Releases OS10(conf-pmap-que)# priority 10.2.0E or later priority-flow-control mode Enables or disables Priority Flow-Control mode on an interface. Syntax priority-flow-control mode [on] Parameters ● on — (Optional) Enables Priority Flow-Control mode.
qos-group dscp
Configures a DSCP trust map to the traffic class.
Syntax qos-group tc-list [dscp values]
Parameters
● qos-group tc-list — Enter a single traffic class ID value, from 0 to 7.
● dscp values — (Optional) Enter either single, comma-delimited, or a hyphenated range of DSCP values, from 0 to 63.
Default 0
Command Mode TRUST-MAP
Usage Information If the trust map does not define DSCP values to any traffic class, those flows map to the default traffic class 0.
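The fallback rule above (any DSCP value a trust map does not name lands in traffic class 0) is easy to overlook when reviewing a configuration. The following added example, which is not part of the OS10 documentation, expands `qos-group tc dscp values` entries into the full 64-entry table and lists the DSCP values that silently default. The function names and the sample session are constructed, and rejecting a DSCP value claimed by two traffic classes is a choice of this example, not documented OS10 behavior.

```python
"""Resolve `qos-group <tc> dscp <values>` trust-map entries into a full
DSCP -> traffic-class table. Added example; the sample input is constructed."""
import re
from typing import Dict, Iterable, List

DSCP_MAX = 63     # DSCP range stated in the command reference: 0 to 63
TC_MAX = 7        # traffic class ID range stated there: 0 to 7
DEFAULT_TC = 0    # unspecified DSCP values map to traffic class 0

# Optional CLI prompt (e.g. "OS10(config-tmap-dscp-map)#"), then the entry.
_ENTRY = re.compile(r"^\s*(?:\S+#\s*)?qos-group\s+(\d+)\s+dscp\s+(\S+)\s*$")


def expand_values(spec: str) -> List[int]:
    """Expand '46', '8,10,12', '24-31' or a mix into a list of DSCP values."""
    values: List[int] = []
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"malformed DSCP value {part!r}")
        first, last = int(lo), int(hi) if sep else int(lo)
        if first > last or last > DSCP_MAX:
            raise ValueError(f"DSCP {part!r} outside 0-{DSCP_MAX}")
        values.extend(range(first, last + 1))
    return values


def _explicit_entries(lines: Iterable[str]) -> Dict[int, int]:
    """Return {dscp: traffic class} for every DSCP value named in the map."""
    assigned: Dict[int, int] = {}
    for line in lines:
        m = _ENTRY.match(line)
        if not m:
            continue  # prompts, blank lines and unrelated commands
        tc = int(m.group(1))
        if tc > TC_MAX:
            raise ValueError(f"traffic class {tc} outside 0-{TC_MAX}")
        for dscp in expand_values(m.group(2)):
            # Example-only policy: one DSCP value in two classes is ambiguous.
            if assigned.get(dscp, tc) != tc:
                raise ValueError(f"DSCP {dscp} mapped to two traffic classes")
            assigned[dscp] = tc
    return assigned


def resolve_trust_map(lines: Iterable[str]) -> List[int]:
    """Return a 64-entry list where index = DSCP and value = traffic class."""
    table = [DEFAULT_TC] * (DSCP_MAX + 1)
    for dscp, tc in _explicit_entries(lines).items():
        table[dscp] = tc
    return table


def defaulted_dscp(lines: Iterable[str]) -> List[int]:
    """DSCP values no entry names, i.e. those that fall back to DEFAULT_TC."""
    explicit = _explicit_entries(lines)
    return [d for d in range(DSCP_MAX + 1) if d not in explicit]


# Constructed sample session (not taken from a real device).
SAMPLE = """\
OS10(config)# trust dscp-map dscp-trust-map
OS10(config-tmap-dscp-map)# qos-group 3 dscp 24-31
OS10(config-tmap-dscp-map)# qos-group 5 dscp 46,48-50
"""

if __name__ == "__main__":
    table = resolve_trust_map(SAMPLE.splitlines())
    print("DSCP 46 -> TC", table[46])
    print("defaulted:", defaulted_dscp(SAMPLE.splitlines()))
```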
○ 3 = 1/16 ○ 4 = 1/8 ○ 5 = 1/4 ○ 6 = 1/2 ○ 7=1 ○ 8=2 ○ 9=4 ○ 10 = 8 ● static thresh-value — (Optional) Enter the static shared buffer threshold value in Bytes, from 1 to 65535. Default Not configured Command Mode POLICY-MAP-CLASS-MAP Usage Information Use the queue-len value parameter to set the minimum guaranteed queue length for a queue. The no version of this command returns the value to the default.
Default 0 Command Mode TRUST-MAP Usage Information If the trust map does not define traffic class values to a queue, those flows map to the default queue 0. If some of the traffic class values are already mapped to an existing queue, you see an error. The no version of this command returns the value to the default. Example Supported Releases OS10(conf-tmap-tc-queue-qos)# queue 2 qos-group 5 10.3.0E or later random-detect (interface) Assigns a WRED profile to the specified interface.
Parameters ● color-name — Enter the color of drop precedence for the WRED profile. The available options are green, yellow, and red. ● minimum-value — Enter the minimum threshold value for the specified color, from 1 to 12480. ● maximum-value — Enter the maximum threshold value for the specified color, from 1 to 12480. ● drop-rate — Enter the rate of drop precedence in percentage, from 0 to 100.
random-detect pool Assigns a WRED profile to the specified global buffer pool. Syntax random-detect pool pool-value wred-profile-name Parameters ● pool-value — Enter the pool value, from 0 to 1. ● wred-profile-name — Enter the name of an existing WRED profile. Default Not configured Command Mode SYSTEM-QOS Usage Information The no version of this command removes the WRED profile from the interface.
network-qos type policy-maps. When you configure interface-level policies and system-level policies, the interface-level policy takes precedence over the system-level policy.
Example
OS10(conf-if-eth1/1/7)# service-policy input type qos p1
Supported Releases 10.2.0E or later
set cos
Sets a class of service (CoS) value to mark L2 802.1p (dot1p) packets.
Syntax set cos cos-value
Parameters cos-value — Enter a CoS value, from 0 to 7.
Usage Information This command supports only the qos or control-plane ingress policy type. When the class-map type is control-plane, the qos-group corresponds to CPU queues 0 to 11. When the class-map type is qos, the qos-group corresponds to data queues 0 to 7. Example Supported Releases OS10(conf-pmap-c-qos)# set qos-group 7 10.2.0E or later shape Shapes the outgoing traffic rate.
Supported Releases 10.2.0E or later show control-plane buffers Displays the pool type, reserved buffer size, and the maximum threshold value for each of the CPU queues.
Supported Releases 10.4.2 and later show control-plane buffer-stats Displays the control plane buffer statistics for each of the CPU queues. Syntax show control-plane buffer-stats Parameters None Default A predefined default profile exists.
22 0 0 0 0
Supported Releases 10.4.2 and later
show control-plane info
Displays control-plane queue mapping and rate limits.
Syntax show control-plane info
Parameters None
Default Not configured
Command Mode EXEC
Usage Information Monitors statistics for the control-plane and helps troubleshoot CoPP.
Usage Information None
Example
OS10# show control-plane statistics
Queue   Packets   Bytes   Dropped Packets   Dropped Bytes
0       0         0       0                 0
1       0         0       0                 0
2       0         0       0                 0
3       0         0       0                 0
4       0         0       0                 0
5       0         0       0                 0
6       3         204     0                 0
7       6         408     0                 0
8       0         0       0                 0
9       0         0       0                 0
10      0         0       0                 0
11      0         0       0                 0
12      0         0       0                 0
13      0         0       0                 0
14      0         0       0                 0
15      0         0       0                 0
16      0         0       0                 0
17      0         0       0                 0
18      0         0       0                 0
19      0         0       0                 0
20      0         0       0                 0
21      0         0       0                 0
22      0         0       0                 0
OS10#
Supported Releases 10.2.
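CoPP protects the CPU by rate-limiting each queue, so a rising Dropped Packets counter is the signal that a protocol is hitting its limit. The following added example, which is not Dell's code, compares two captures of `show control-plane statistics` and reports the queues whose drop counter grew. It assumes the five-column layout Queue, Packets, Bytes, Dropped Packets, Dropped Bytes; both snapshots are constructed, and the function names are hypothetical.

```python
"""Compare two `show control-plane statistics` snapshots and report CPU queues
whose CoPP drop counters increased. Added example; snapshots are constructed."""
import re
from typing import Dict, List, NamedTuple


class QueueStats(NamedTuple):
    packets: int
    byte_count: int
    dropped_packets: int
    dropped_bytes: int


class Finding(NamedTuple):
    queue: int
    new_drops: int     # dropped packets added since the earlier snapshot
    new_packets: int   # growth of the Packets counter over the same window


# A data row is exactly five non-negative integers (assumed column order:
# Queue, Packets, Bytes, Dropped Packets, Dropped Bytes).
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_statistics(text: str) -> Dict[int, QueueStats]:
    """Return {queue: QueueStats}; prompts and the header line are skipped."""
    stats: Dict[int, QueueStats] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        queue, *counters = (int(g) for g in m.groups())
        if queue in stats:
            raise ValueError(f"queue {queue} listed twice")
        stats[queue] = QueueStats(*counters)
    if not stats:
        raise ValueError("no queue rows found")
    return stats


def _delta(now: int, prev: int) -> int:
    """Counter growth; a lower value means the counters were cleared
    (for example with `clear qos statistics`), so count from zero."""
    return now - prev if now >= prev else now


def copp_drop_findings(before: Dict[int, QueueStats],
                       after: Dict[int, QueueStats],
                       min_drops: int = 1) -> List[Finding]:
    """List queues that dropped at least min_drops packets between snapshots."""
    zero = QueueStats(0, 0, 0, 0)
    findings: List[Finding] = []
    for queue in sorted(after):
        now, prev = after[queue], before.get(queue, zero)
        drops = _delta(now.dropped_packets, prev.dropped_packets)
        if drops >= min_drops:
            findings.append(
                Finding(queue, drops, _delta(now.packets, prev.packets)))
    return findings


# Constructed snapshots (a subset of queues, not real device output).
BEFORE = """\
OS10# show control-plane statistics
Queue   Packets   Bytes     Dropped Packets   Dropped Bytes
0       0         0         0                 0
5       120       8160      0                 0
6       3         204       0                 0
7       6         408       10                680
OS10#
"""

# Queue 6 is being policed hard; queue 7 was cleared and then dropped 4 more.
AFTER = """\
OS10# show control-plane statistics
Queue   Packets   Bytes     Dropped Packets   Dropped Bytes
0       0         0         0                 0
5       900       61200     0                 0
6       30003     2040204   4500              306000
7       2         136       4                 272
OS10#
"""

if __name__ == "__main__":
    for f in copp_drop_findings(parse_statistics(BEFORE),
                                parse_statistics(AFTER)):
        print(f"queue {f.queue}: {f.new_drops} new drops, "
              f"{f.new_packets} new packets")
```

Map a flagged queue number back to its protocols with `show control-plane info` before changing any rate limit.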
------------------------------------------Current-boot Settings : Enabled Next-boot Settings Supported Releases : Enabled 10.4.3.0 or later show interface priority-flow-control Displays the priority flow-control, operational status, CoS bitmap, and statistics per port. Syntax show interface ethernet 1/1/1 priority-flow-control [details] Parameters details — (Optional) Displays all priority flow control information for an interface.
flow-control-tx: Disabled Service-policy (Input)(qos): p1 Supported Releases 10.2.0E or later show policy-map Displays information on all existing policy-maps. Syntax show policy-map type {control-plane | qos | queuing | network-qos}] [policy-map-name] Parameters ● ● ● ● ● ● Default Not configured Command Mode EXEC Usage Information None Example Supported Releases type — Enter the policy-map type — qos, queuing, or control-plane. qos — Displays all policy-maps of qos type.
show qos egress buffers interface
Displays egress buffer configurations.
Syntax show qos egress buffers interface [interface node/slot/port[:subport]]
Parameters
● interface — (Optional) Enter the interface type.
● node/slot/port[:subport] — (Optional) Enter the port information.
Parameters ● interface — (Optional) Enter the interface type. ● node/slot/port[:subport] — (Optional) Enter the port information.
Example Supported Releases OS10# show qos ingress buffers interface Interface : ethernet1/1/1 Speed : 0 Priority-grp Reserved Shared-buffer Shared-buffer XOFF XON no buffer-size mode threshold threshold threshold -----------------------------------------------------------------------------0 1 2 3 4 145152 98304 89088 5 6 7 10.3.0E or later show qos ingress buffer-statistics-tracking Displays ingress priority group-level peak buffer usage count in bytes for the given priority group on a given interface.
Example
OS10# show qos ingress buffer-stats interface ethernet 1/1/1
Interface : ethernet1/1/1
Speed : 0
Priority   Used Total   Used HDRM
Group      buffers      buffers
------------------------------------------------
0          0            0
1          0            0
2          0            0
3          0            0
4          0            0
5          0            0
6          0            0
7          0            0
Supported Releases 10.3.0E or later
show qos-rate-adjust
Displays the status of the rate adjust limit for policing and shaping.
show qos system Displays the QoS configuration applied to the system. Syntax show qos system Parameters None Default Not configured Command Mode EXEC Usage Information View and verify system-level service-policy configuration information. Example OS10# show qos system ETS Mode : off ECN Mode : off shows whether the ECN is enabled globally or not Service-policy (Input) (qos) : policy1 Service-policy (Output)(queuing) : policy2 Supported Releases 10.4.1.
Total lossy buffers Total shared lossy buffers Total used shared lossy buffers MMU 2 Total lossy buffers Total shared lossy buffers Total used shared lossy buffers MMU 3 Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 10597 - 10012 - 0 - 10597 - 9993 - 0 - 10597 - 9993 - 0 OS10# show qos system egress buffer All values are in kb Total buffers - 12187 Total lossless buffers - 0 Total shared lossless buffers - 0 Total used shared lossless buffers Total lossy buffers - 11567
Default Not configured
Command Mode EXEC
Usage Information None
Example (dot1p)
OS10# show qos maps type tc-queue queue-map1
Traffic-Class to Queue Map: queue-map1
Queue   Traffic-Class
--------------------------
1       5
2       6
3       7
OS10# show qos maps type trust-map-dot1p dot1p-trustmap1
DOT1P Priority to Traffic-Class Map : dot1p-trustmap1
Traffic-Class   DOT1P Priority
-------------------------------
0               2
1               3
2               4
3               5
4               6
5               7
6               1
OS10# show qos maps type trust-map-dscp dscp-trustmap1
DSCP Priority to Traffic-C
0 0-7 1 8-15 2 16-23 3 24-31 4 32-39 5 40-47 6 48-55 7 56-63 Default Traffic-Class to Queue Map Traffic-Class Queue number ------------------------------0 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 OS10# Example (dscp) OS10# show qos trust-map dscp new-dscp-map new-dscp-map qos-group Dscp Id ------------------0 0-7 1 8-15 2 16-23 3 24-31 4 32-39 5 40-47 6 48-55 7 56-63 Supported Releases 10.3.0E or later show qos wred-profile Displays the details of WRED profile configuration.
OS10# show qos wred-profile Profile Name | Green | Yellow | Red | -------------|-----------------------|---------------------|-----------------------------------| | MIN MAX DROP-RATE | MIN MAX DROP-RATE | MIN MAX DROP-RATE | WEIGHT | ECN| | KB KB % | KB KB % | KB KB % | | | -------------|-----------------------|-------------------- |--------------------|--------|-----| profile1 | 10 100 100 | | | | Off| -------------|-----------------------|---------------------|--------------------|--------|-----| profile2
Usage Information None
Example
OS10(config)# system qos
OS10(config-sys-qos)#
Supported Releases 10.2.0E or later
trust-map
Configures trust map on an interface or on a system QoS.
Syntax trust-map {dot1p | dscp} {default | trust-map-name}
Parameters
● dot1p — Apply dot1p trust map.
● dscp — Apply dscp trust map.
● default — Apply default dot1p or dscp trust map.
● trust-map-name — Enter the name of trust map.
Default Disabled
Command Mode INTERFACE
Supported Releases 10.3.0E or later trust dscp-map Creates a user-defined trust map for DSCP flows. Syntax trust dscp-map map-name Parameters map-name — Enter the name of the DSCP trust map. A maximum of 32 characters. Default Not configured Command Mode CONFIGURATION Usage Information If you enable trust, traffic obeys this trust map. default-dscp-trust is a reserved trust-map name. The no version of this command returns the value to the default.
Usage Information Example Supported Releases Use the show qos maps type [tc-queue | trust-map-dot1p | trust-map-dscp] [string] command to view the current trust mapping. You must change the trust map only during no traffic flow. Verify the correct policy maps are applied. The no version of this command returns the value to the default. OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# trust-map dscp dscp-trustmap1 10.4.1.
14 Virtual Link Trunking Virtual Link Trunking (VLT) is a Layer 2 (L2) aggregate protocol between end devices such as servers connected to different network devices. VLT reduces the role of Spanning Tree Protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distributions or core switches.
Multicast IGMP snooping and MLD snooping are supported on VLT ports. NOTE: 802.1x and DHCP snooping are not supported on VLT ports. Terminology VLT domain The domain includes VLT peer devices, VLT interconnect, and all port-channels in the VLT connected to the attached devices. It is also the configuration mode that you must use to assign VLT global parameters. VLT interconnect The link between VLT peer switches used to synchronize operating states.
● Traffic with an unknown destination MAC address, multicast, or broadcast traffic can cause flooding across the VLTi. ● MAC, ARP, IPv6 neighbors that are learned over VLANs on VLT peer nodes synchronize using VLTi. ● LLDP, flow control, port monitoring, and jumbo frame features are supported on a VLTi. Graceful LACP with VLT When a VLT node is reloaded, all its interfaces including VLT port-channel interfaces go down.
With graceful LACP, VLT Peer A sends graceful LACP PDUs out to all VLT member ports, as shown:
These PDUs notify ToR 1 to direct the traffic to VLT Peer B thereby minimizing traffic loss.
Configure VLT Verify that both VLT peer devices are running the same OS version. For VRRP operation, configure VRRP groups and L3 routing on each VLT peer. Configure the following settings on each VLT peer device separately. 1. (Optional) To prevent loops in VLT domain, enable the STP globally using the spanning-tree mode {rstp | rapidpvst | mst} command. 2. Create a VLT domain by configuring the same domain ID on each peer using the vlt-domain command. 3.
MSTP configuration
When you enable Multiple Spanning Tree Protocol (MSTP) on VLT nodes, configure both VLT peer nodes in the same MST region to avoid network loops. Ensure that the VLAN-to-instance mappings, region name, and revision ID are the same on both VLT peer nodes.
To configure MSTP over VLT, follow these steps on both VLT peer nodes:
1. Enable MSTP.
CONFIGURATION mode
spanning-tree mode mst
2. Enter MST configuration mode.
CONFIGURATION mode
spanning-tree mst configuration
3.
Root-Guard: Disable, Loop-Guard: Disable Bpdus (MRecords) Sent: 387, Received: 16 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID --------------------------------------------------------------------------------------------------VFP(VirtualFabricPort) 0.1 0 1 FWD 0 32768 3417.ebf2.a8c4 0.
Edge port: No (default) Link type: point-to-point (auto) Boundary: No, Bpdu-filter: Disable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guardviolation: No Root-Guard: Disable, Loop-Guard: Disable Bpdus (MRecords) Sent: 11, Received: 7 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------------------------------------------------------------------------------VFP(VirtualFabricPort) 0.1 0 1 FWD 0 32768 0078.7614.6062 0.
Designated root priority: 4097, address: 90:b1:1c:f4:a6:02
Designated bridge priority: 4097, address: 90:b1:1c:f4:a6:02
Designated port ID: 0.1, designated path cost: 0
Number of transitions to forwarding state: 1
Edge port: No (default)
Link Type: Point-to-Point
BPDU Sent: 202, Received: 42
Port 1 (VFP(VirtualFabricPort)) of vlan100 is designated Forwarding
Port path cost 1, Port priority 0, Port Identifier 0.
Peer 2
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no switchport
OS10(conf-if-eth1/1/2)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/1
OS10(conf-vlt-1)# discovery-interface ethernet1/1/2

Configure VLT MAC address

You can manually configure the VLT MAC address.
Example configuration:
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination 10.16.151.110 vrf management interval 30

OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# backup destination ipv6 1::1 vrf management interval 30

The following examples describe different cases where the VLT backup link can be used:

Support for new streams during VLTi failure

When the VLTi fails, a MAC address learnt after the failure is not synchronized with the VLT peers. This leads to continuous flooding of traffic instead of unicast.
Prevention of loops during VLTi failure

When the VLTi is down, STP may fail to detect loops in the system, which creates a data loop in an L2 network. In the following illustration, STP is running on all three switches. In the steady state, VLT peer 1 is elected as the root bridge. When the VLTi is down, both VLT nodes become primary. In this state, VLT peer 2 sends STP BPDU to TOR assuming that TOR sends BPDU to VLT peer 1.
When the VLT backup link is enabled, the secondary VLT peer identifies the node liveliness of the primary through the backup link. If the primary VLT peer is alive, the secondary VLT peer brings down the VLT LAG ports. In this scenario, STP opens up the orphan port and there is no loop in the system, as shown in the following illustration.

Configure VLT port-channel

A VLT port-channel links an attached device and VLT peer switches, also known as a virtual link trunk.
Configure VLT LAG — peer 1
OS10(config)# interface port-channel 10
OS10(conf-if-po-10)# vlt-port-channel 1

Configure VLT LAG — peer 2
OS10(config)# interface port-channel 20
OS10(conf-if-po-20)# vlt-port-channel 1

VLT unicast routing

VLT unicast routing enables optimized routing where packets destined for the L3 endpoint of the VLT peer are locally routed. IPv4 and IPv6 support VLT unicast routing. To enable VLT unicast routing, both VLT peers must be in L3 mode.
2. Configure VRRP on the L3 VLAN that spans both peers. 3. Repeat the steps on the VLT peer.
● Server racks, Rack 1 and Rack 2, are part of data centers DC1 and DC2, respectively.
● Rack 1 is connected to devices A1 and B1 in L2 network segment.
● Rack 2 is connected to devices A2 and B2 in L2 network segment.
● A VLT LAG is present between A1 and B1 as well as A2 and B2.
● A1 and B1 connect to core routers, C1 and D1 with VLT routing enabled.
● A2 and B2 connect to core routers, C2 and D2, with VLT routing enabled.
● The data centers are connected through a direct link or eVLT.
C1(conf-if-po-10)# switchport mode trunk
C1(conf-if-po-10)# switchport trunk allowed vlan 100
C1(conf-if-po-10)# exit
● Add members to port channel 10:
C1(config)# interface ethernet 1/1/3
C1(conf-if-eth1/1/3)# channel-group 10
C1(conf-if-eth1/1/3)# exit
C1(config)# interface ethernet 1/1/4
C1(conf-if-eth1/1/4)# channel-group 10
C1(conf-if-eth1/1/4)# exit
● Configure OSPF on L3 side of core router:
C1(config)# router ospf 100
C1(conf-router-ospf-100)# exit
C1(config)# interface vlan 200
C1(conf-if-vl-200)
● Configure VLT port channel for VLAN 200:
D1(config)# interface port-channel 20
D1(conf-if-po-20)# vlt-port-channel 20
D1(conf-if-po-20)# switchport mode trunk
D1(conf-if-po-20)# switchport trunk allowed vlan 200
D1(conf-if-po-20)# exit
● Add members to port channel 20:
D1(config)# interface ethernet 1/1/5
D1(conf-if-eth1/1/5)# channel-group 20
D1(conf-if-eth1/1/5)# exit
D1(config)# interface ethernet 1/1/6
D1(conf-if-eth1/1/6)# channel-group 20
D1(conf-if-eth1/1/6)# exit

Sample configuration of C2:
● Co
● Configure VRRP on L2 links between core routers:
D2(config)# interface vlan 100
D2(conf-if-vl-100)# ip address 10.10.100.4/24
D2(conf-if-vl-100)# vrrp-group 10
D2(conf-vlan100-vrid-10)# virtual-address 10.10.100.
● View detailed information about VLT ports in EXEC mode.
  show vlt domain-id vlt-port-detail
● View the current configuration of all VLT domains in EXEC mode.
  show running-configuration vlt

View peer-routing information
OS10# show vlt 255
Domain ID Unit ID Role Version Local System MAC address Role priority VLT MAC address IP address Delay-Restore timer Peer-Routing Peer-Routing-Timeout timer VLTi Link Status port-channel1000 : : : : : : : : : : : 255 1 primary 2.
Peer-routing mismatch: VLT Unit ID Peer-routing ----------------------------* 1 Enabled 2 Disabled VLAN mismatch: VLT Unit ID Mismatch VLAN List ---------------------------------* 1 2 4 VLT VLAN mismatch: VLT ID : 1 VLT Unit ID Mismatch VLAN List -------------------------------* 1 1 2 2 VLT ID : 2 VLT Unit ID Mismatch VLAN List ---------------------------------* 1 1 2 2 View VLT port details * indicates the local peer OS10# show vlt 1 vlt-port-detail VLT port channel ID : 1 VLT Unit ID Port-Channel Status C
View VLT mismatch — Anycast MAC address not available on one of the peers
show vlt 1 mismatch virtual-network
Interface virtual-network Anycast-mac mismatch:
VLT Unit ID   Anycast-MAC
-------------------------------------
1             00:01:02:03:04:051
* 2

View VLT mismatch — Virtual network interface anycast IP address
show vlt 1 mismatch virtual-network
Interface virtual-network Anycast-IP mismatch:
Virtual-network: 10
VLT Unit ID   Anycast-IP
-------------------------------------
1             10.16.128.25
* 2           10.16.128.
1 * 2 ABSENT 10.16.128.30

VLT commands

backup destination

Configures the VLT backup link for heartbeat timers.

Syntax
  backup destination {ip-address | ipv6 ipv6-address} [vrf management] [interval interval-time]
Parameters
  ● ip-address — Enter the IPv4 address of the backup link.
  ● ipv6-address — Enter the IPv6 address of the backup link.
  ● vrf management — (Optional) Configure the management VRF instance for the backup IPv4 or IPv6 address.
discovery-interface

Configures the interface to discover and connect to a VLT peer in the VLT interconnect (VLTi) link between peers.

Syntax
  discovery-interface {ethernet node/slot/port[:subport]}
Parameters
  ethernet — Enter the Ethernet interface information for the port on a VLT peer. You can also enter a range of interfaces separated by hyphens.
Default
  None
Command Mode
  VLT-DOMAIN
Usage Information
  The VLT node discovery service auto-LAGs the discovery ports and creates VLTi interfaces.
Supported Releases
  10.3.0E or later

primary-priority

Configures the priority when selecting the primary and secondary VLT peers during election.

Syntax
  primary-priority value
Parameters
  value — Enter a lower value than the priority value of the remote peer. The range is from 1 to 65535. The default value is 32768.
Default
  32768.
Edge port: No (default)
Link type: point-to-point (auto)
Boundary: No, Bpdu-filter: Disable, Bpdu-Guard: Disable, Shutdown-on-Bpdu-Guard-violation: No
Root-Guard: Disable, Loop-Guard: Disable
Bpdus (MRecords) Sent: 7, Received: 9
Interface                                          Designated
Name                   PortID Prio Cost Sts Cost   Bridge ID           PortID
--------------------------------------------------------------------------------------------
VFP(VirtualFabricPort) 0.1    0    1    BLK 0      4196 90b1.1cf4.a602 0.
BPDU Sent: 2714, Received: 1234
Port 2001 (VLT-LAG -1(vlt-portid-1)) of MSTI 0 is designated Forwarding
Port path cost 200000, Port priority 128, Port Identifier 128.2001
Designated root priority: 32768, address: 34:17:44:55:66:7f
Designated bridge priority: 32768, address: 90:b1:1c:f4:a5:23
Designated port ID: 128.2001, designated path cost: 0
Number of transitions to forwarding state: 1
Edge port: No (default)
Link Type: Point-to-Point
BPDU Sent: 2714, Received: 1234
Supported Releases
  10.3.
Example
  OS10# show vlt 255 backup-link
  VLT Backup Link
  ------------------------
  Destination           : 10.16.208.164
  Peer Heartbeat status : Up
  Heartbeat interval    : 1
  Heartbeat timeout     : 3
Supported Releases
  10.3.1E or later

show vlt mac-inconsistency

Displays inconsistencies in dynamic MAC addresses learnt between VLT peers across spanned-vlans.
  ● vlt-vlan vlt-port-id — Display mismatches in VLT port configuration, from 1 to 4095.
  ● virtual-network — Display mismatches in virtual network configurations between VLT peers.
Default
  Not configured
Command Mode
  EXEC
Usage Information
  The * in the mismatch output indicates a local node entry.
* 1 2 Example (mismatch — Virtual Network (VN) name not available in the peer) Example (mismatch of VLTi and VLAN) Example (mismatch of VN mode) Example (mismatch of port and VLAN list) 1 2 OS10# show vlt all mismatch virtual-network Virtual Network Name Mismatch: VLT Unit ID Mismatch Virtual Network List ---------------------------------------------------------------------------1 10,104 * 2 OS10# show vlt all mismatch virtual-network Virtual Network: 100 VLT Unit ID Configured VLTi-Vlans --------------
Example (Virtual network interface anycast IP address)
  show vlt 1 mismatch virtual-network
  Interface virtual-network Anycast-IP mismatch:
  Virtual-network: 10
  VLT Unit ID   Anycast-IP
  -------------------------------------
  1             10.16.128.25
  * 2           10.16.128.20
  Virtual-network: 20
  VLT Unit ID   Anycast-IP
  -------------------------------------
  1             10.16.128.26
  * 2           10.16.128.
Parameters
  id — Enter the VLT domain ID, from 1 to 255.
Default
  Not configured
Command Mode
  EXEC
Usage Information
  The * in the mismatch output indicates a local node entry.
Example
  OS10# show vlt 1 role
  VLT Unit ID   Role
  ------------------------
  * 1           primary
  2             secondary
Supported Releases
  10.2.0E or later

show vlt vlt-port-detail

Displays detailed status information about VLT ports.

Syntax
  show vlt id vlt-port-detail
Parameters
  id — Enter a VLT domain ID, from 1 to 255.
Example
  OS10(config)# vlt-domain 1
Supported Releases
  10.2.0E or later

vlt-port-channel

Configures the ID used to map interfaces on VLT peers into a single VLT port-channel.

Syntax
  vlt-port-channel vlt-lag-id
Parameters
  vlt-lag-id — Enter a VLT port-channel ID, from 1 to 1024.
Default
  Not configured
Command Mode
  PORT-CHANNEL INTERFACE
Usage Information
  Assign the same VLT port-channel ID to interfaces on VLT peers to create a VLT port-channel.
Default
  Enabled
Command Mode
  VLAN INTERFACE
Usage Information
  This command is applicable only for VLAN interfaces. In a non-VLT network, the backup VRRP gateway forwards L3 traffic. If you want to use VRRP groups on VLANs without VLT topology, disable the Active-Active functionality, to ensure that only the active VRRP gateway forwards L3 traffic. The no version of this command disables the configuration.
Example
  OS10(conf-if-vl-10)# vrrp mode active-active
Supported Releases
  10.2.
15 Uplink Failure Detection

Uplink failure detection (UFD) indicates the loss of upstream connectivity to servers connected to the switch. A switch provides upstream connectivity for devices, such as servers. If the switch loses upstream connectivity, the downstream devices also lose connectivity. However, the downstream devices do not generally receive an indication that the upstream connectivity was lost because connectivity to the switch is still operational. To solve this issue, use UFD.
Configure uplink failure detection

Consider the following before configuring an uplink-state group:
● You can assign a physical port or a port channel to an uplink-state group.
● You can assign an interface to only one uplink-state group at a time.
● You can designate the uplink-state group as either an upstream or downstream interface, but not both.
● You can configure multiple uplink-state groups and operate them concurrently.
Configuration:
1. Create an uplink-state group in CONFIGURATION mode.
   uplink-state-group group-id
2. Configure the upstream and downstream interfaces in UPLINK-STATE-GROUP mode.
   upstream {interface-type | interface-range[ track-vlt-status ] | VLTi}
   downstream {interface-type | interface-range}
3. (Optional) Disable uplink-state group tracking in UPLINK-STATE-GROUP mode.
   no enable
4. (Optional) Provide a descriptive name for the uplink-state group in UPLINK-STATE-GROUP mode.
   name string
5.
Eth 1/1/5(Dwn) Eth 1/1/9:2(Dwn) Eth 1/1/9:3(Dwn)

OS10#show uplink-state-group 1 detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled (NA): Not Available
*: VLT port-channel, V: VLT status, P: Peer Operational status ^: Tracking status
Uplink State Group : 1 Name: iscsi_group, Status: Enabled, Up
Upstream Interfaces : eth1/1/35(Up) *po10(V:Up, ^P:Dwn) VLTi(NA)
Downstream Interfaces : eth1/1/2(Up) *po20(V: Up,P: Up)

OS10#show uplink-state-group 2 detail
(Up): Interface up (Dwn): Interfa
Table 68. UFD on VLT network (continued)

Event: VLTi Link is operationally up with heartbeat up
  VLT action on primary node: No action
  VLT action on secondary node: VLT module sends VLT port-channel enable request to Interface Manager (IFM) for both uplink and downlink.
  UFD action: UFD receives operationally up of upstream VLT port-channel and sends clear errordisable of downstream VLT port-channel to IFM.

Event: Reboot of VLT secondary peer
  VLT action on primary node: No action
  VLT action on secondary node: After reboot, runs the delay restore timer.
Sample configurations of UFD on VLT

The following examples show some of the uplink-state groups on VLT.

In the following illustration, both the upstream and downstream members are part of VLT port-channels. The uplink-state group includes both the VLT port-channels as members.

In the following example, the upstream member is part of VLT port-channel and the downstream member is an orphan port. The uplink-state group includes the VLT port-channel, VLT node, and the downstream port.
OS10 does not support adding a VLTi link member to the uplink-state group. You can add the VLTi link as upstream member to an uplink-state group using the upstream VLTi command. If the VLTi link is not available in the system, OS10 allows adding the VLTi link as an upstream member. In this case, UFD starts tracking the operational status of the VLTi link when the link is available. Until the VLTi link is available, the show uplink-state-group details command displays the status of the link as NA.
UFD commands

clear ufd-disable

Overrides the uplink-state group configuration and brings up the downstream interfaces.

Syntax
  clear ufd-disable {interface interface-type | uplink-state-group group-id}
Parameters
  ● interface-type — Enter the interface type.
  ● group-id — Enter the uplink state group ID, from 1 to 32.
Default
  None
Command Mode
  EXEC
Usage Information
  This command manually brings up a disabled downstream interface that is in an UFD-disabled error state.
Example
  OS10(config)# uplink-state-group 1
  OS10(conf-uplink-state-group-1)# downstream ethernet 1/1/1
Supported Releases
  10.4.0E(R3) or later

downstream auto-recover

Enables auto-recovery of the disabled downstream interfaces.

Syntax
  downstream auto-recover
Parameters
  None
Default
  Enabled
Command Mode
  UPLINK-STATE-GROUP
Usage Information
  The no version of this command disables the auto-recovery of downstream interfaces.
Example
  OS10(config)# uplink-state-group 1
  OS10(conf-uplink-state-group-1)# enable
Supported Releases
  10.4.0E(R3) or later

name

Configures a descriptive name for the uplink-state group.

Syntax
  name string
Parameters
  string — Enter a description for the uplink-state group. A maximum of 32 characters.
Default
  Not configured
Command Mode
  UPLINK-STATE-GROUP
Usage Information
  The no version of this command removes the descriptive name.
Command Mode
  EXEC
Usage Information
  None
Example
  OS10# show uplink-state-group
  Uplink State Group: 9, Status: Enabled,down
  OS10# show uplink-state-group 9
  Uplink State Group: 9, Status: Enabled,down
  OS10#
Example (detail)
  OS10# show uplink-state-group detail
  (Up): Interface up (Dwn): Interface down Uplink State Group : Defer Time : Upstream Interfaces : Downstream Interfaces: Eth 1/1/4(Dwn) 1/1/9:3(Dwn) (Dis): Interface disabled 1 Status : Enabled,up Name : UFDGROUP1 10 second(s) Eth 1/1/7:1(Up)
uplink-state-group

Creates an uplink-state group and enables upstream link tracking.

Syntax
  uplink-state-group group-id
Parameters
  group-id — Enter a unique ID for the uplink-state group, from 1 to 32.
Default
  None
Command Mode
  CONFIGURATION
Usage Information
  The no version of this command removes the uplink-state group.
Example
  OS10(config)# uplink-state-group 1
Supported Releases
  10.4.
16 Converged data center services

OS10 supports converged data center services, including IEEE 802.1 data center bridging (DCB) extensions to classic Ethernet. DCB provides I/O consolidation in a data center network. Each network device carries multiple traffic classes while ensuring lossless delivery of storage traffic with best-effort for local area network (LAN) traffic and latency-sensitive scheduling of service traffic.
● 802.1Qbb — Priority flow control
● 802.
PFC configuration notes
● PFC is supported for 802.1p, dot1p priority traffic, from 0 to 7. FCoE traffic traditionally uses dot1p priority 3 — iSCSI storage traffic uses dot1p priority 4.
● Configure PFC for ingress traffic by using network-qos class and policy maps, see Quality of Service. PFC-enabled traffic queues are treated as lossless queues. Configure the same network-qos policy map on all PFC-enabled ports.
2. Apply the trust dot1p-map policy to ingress traffic in SYSTEM-QOS or INTERFACE mode.
   trust-map dot1p trust-policy-map-name

Configure traffic-class-queue mapping

Decide if you want to use the default traffic-class-queue mapping or configure a non-default traffic-class-to-queue mapping.
Traffic Class : 0 1 2 3 4 5 6 7
Queue         : 0 1 2 3 4 5 6 7
If you are using the default traffic-class-to-queue map, no further configuration steps are necessary.
1.
corresponds to traffic class 1. Enter a single value, a hyphen-separated range, or multiple qos-group values separated by commas in CLASS-MAP mode.
   class-map type network-qos class-map-name
   match qos-group {1-7}
   exit
2. (Optional) Repeat Step 1 to configure additional PFC traffic-class class-maps.
NOTE: In the S5148F-ON, PFC is not supported on priority 0.
OS10(config)# system qos
OS10(config-sys-qos)# service-policy input type qos pclass1
OS10(config-sys-qos)# exit
OS10(config)# class-map type network-qos cc1
OS10(config-cmap-nqos)# match qos-group 3
OS10(config-cmap-nqos)# exit
OS10(config)# class-map type network-qos cc2
OS10(config-cmap-nqos)# match qos-group 4
OS10(config-cmap-nqos)# exit
OS10(config)# policy-map type network-qos pp1
OS10(config-pmap-network-qos)# class cc1
OS10(config-pmap-c-nqos)# pause buffer-size 30 pause-threshold 20 resume-threshol
6 - - - - 7 9360 static 12779520 - - View PFC system buffer configuration OS10# show qos system ingress buffer All values are in kb Total buffers Total lossless buffers Maximum lossless buffers Total shared lossless buffers Total used shared lossless buffers Total lossy buffers Total shared lossy buffers Total used shared lossy buffers - 12187 0 5512 0 11567 11192 0 OS10# show qos system egress buffer All values are in kb Total buffers - 12187 Total lossless buffers - 0 Total shared lossless b
Defaults
  The default ingress-buffer size reserved for PFC traffic classes, and the pause and resume thresholds, vary according to the interface type. The default egress buffer reserved for PFC traffic classes is 0 on all interface types.

Table 69. Port defaults
Port Speed                   10G Port   25G Port   40G Port   100G Port
PFC reserved ingress buffer  166 KB     195 KB     315.
pfc-shared-buffer-size

Configures the amount of shared buffers available for PFC-enabled traffic on the switch.

Syntax
  pfc-shared-buffer-size kilobytes
Parameter
  kilobytes — Enter the total amount of shared buffers available to PFC-enabled dot1p traffic in kilobytes, from 0 to 7787.
Default
  832KB
Command Mode
  SYSTEM-QOS
Usage Information
  By default, the lossy ingress buffer handles all ingress traffic.
Usage Information
  To tune the amount of shared buffers available for the static limit of PFC traffic-class queues on the switch, use the pfc-shared-buffer-size command. The current amount of available shared buffers determines the dynamic queue-limit.
Example
  OS10(config)# policy-map type network-qos pp1
  OS10(conf-pmap-network-qos)# class cc1
  OS10(conf-pmap-c-nqos)# queue-limit thresh-mode static 1024
Supported Releases
  10.3.
ETS configuration notes
● ETS is supported on Layer 2 (L2) 802.1p priority (dot1p 0 to 7) and Layer 3 (L3) DSCP (0 to 63) traffic. FCoE traffic uses dot1p priority 3 — iSCSI storage traffic uses dot1p priority 4.
● Apply these maps and policies on interfaces:
  ○ Trust maps — OS10 interfaces do not honor the L2 and L3 priority fields in ingress traffic by default. Create a trust map to honor dot1p and DSCP classes of lossless traffic. A trust map does not change ingress dot1p and DSCP values in egress flows.
2. Configure a QoS map with trusted traffic-class (qos-group) to lossless-queue mapping in CONFIGURATION mode. Assign one or more qos-groups, from 0 to 7, to a specified queue in QOS-MAP mode. Enter multiple qos-group values in a hyphenated range or separated by commas. Enter multiple queue qos-group entries, if necessary.
   qos-map traffic-class queue-map-name
   queue {0-7} qos-group {0-7}
   exit
3. Apply the default trust map specifying that dot1p and dscp values are trusted in SYSTEM-QOS or INTERFACE mode.
Configure ETS
OS10(config)# trust dot1p-map dot1p_map1
OS10(config-trust-dot1pmap)# qos-group 0 dot1p 0-3
OS10(config-trust-dot1pmap)# qos-group 1 dot1p 4-7
OS10(config-trust-dot1pmap)# exit
OS10(config)# trust dscp-map dscp_map1
OS10(config-trust-dscpmap)# qos-group 0 dscp 0-31
OS10(config-trust-dscpmap)# qos-group 1 dscp 32-63
OS10(config-trust-dscpmap)# exit
OS10(config)# qos-map traffic-class tc-q-map1
OS10(config-qos-tcmap)# queue 0 qos-group 0
OS10(config-qos-tcmap)# queue 1 qos-group 1
OS10(config-qo
ETS commands

ets mode on

Enables ETS on an interface.

Syntax
  ets mode on
Parameter
  None
Default
  Disabled
Command Mode
  INTERFACE
Usage Information
  Enable ETS on all switch interfaces in SYSTEM-QOS mode or on an interface or interface range in INTERFACE mode. The no version of this command disables ETS.
Example
  OS10(config-sys-qos)# ets mode on
Supported Releases
  10.3.
DCBX configuration notes
● To exchange link-level configurations in a converged network, DCBX is a prerequisite for using DCB features, such as PFC and ETS. DCBX is also deployed in topologies that support lossless operation for FCoE or iSCSI traffic. In these scenarios, all network devices must be DCBX-enabled so that DCBX is enabled end-to-end.
● DCBX uses LLDP to advertise and automatically negotiate the administrative state and PFC/ETS configuration with directly connected DCB peers.
Configure DCBX

View DCBX configuration
OS10# show lldp dcbx interface ethernet 1/1/15
E-ETS Configuration TLV enabled              e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled             r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled              p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled      f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled     i-Application Priority for iSCSI disabled
-----------------------------------------------------------------
View DCBX ETS TLV status
OS10# show lldp dcbx interface ethernet 1/1/15 ets detail
Interface ethernet1/1/15
Max Supported PG is 8
Number of Traffic Classes is 8
Admin mode is on

Admin Parameters :
------------------
Admin is enabled
PG-grp   Priority#   Bandwidth   TSA
------------------------------------------------
0        0,1,2,3     70%         ETS
1        4,5,6,7     30%         ETS
2                    0%          SP
3                    0%          SP
4                    0%          SP
5                    0%          SP
6                    0%          SP
7                    0%          SP
15                   0%          SP

Remote Parameters :
-------------------
Remote is enabled
PG-grp   Priority#   Bandwidth   TSA
-----------------------
DCBX commands

dcbx enable

Enables DCBX globally on all port interfaces.

Syntax
  dcbx enable
Parameters
  None
Default
  Disabled
Command Mode
  CONFIGURATION
Usage Information
  DCBX is disabled at a global level and enabled at an interface level by default. For DCBX to be operational, DCBX must be enabled at both the global and interface levels. Enable DCBX globally using the dcbx enable command to activate the exchange of DCBX TLV messages with PFC, ETS, and iSCSI configurations.
Command Mode
  INTERFACE
Usage Information
  In Auto mode, a DCBX-enabled port detects an incompatible DCBX version on a peer device port and automatically reconfigures a compatible version on the local port. The no version of this command disables the DCBX version.
Example
  OS10(conf-if-eth1/1/2)# dcbx version cee
Supported Releases
  10.3.0E or later

lldp tlv-select dcbxp

Enables and disables DCBX on a port interface.
Interface ethernet1/1/15
Port Role is Manual
DCBX Operational Status is Enabled
Is Configuration Source? FALSE
Local DCBX Compatibility mode is IEEEv2.5
Local DCBX Configured mode is IEEEv2.5
Peer Operating version is IEEEv2.
7 0% SP
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
5 Input Conf TLV Pkts, 2 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
5 Input Reco TLV Pkts, 2 Output Reco TLV Pkts, 0 Error Reco TLV Pkts

Example (PFC detail)
OS10# show lldp dcbx interface ethernet 1/1/15 pfc detail
Interface ethernet1/1/15
Admin mode is on
Admin is enabled, Priority list is 4,5,6,7
Remote is enabled, Priority list is 4,5,6,7
Remote Willing
In an iSCSI session, a switch connects CNA servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN or TCP/IP network. iSCSI optimization running on the switch uses dot1p priority-queue assignments to ensure that iSCSI traffic receives priority treatment.

iSCSI configuration notes
● Enable iSCSI optimization so the switch auto-detects and auto-configures Dell EMC EqualLogic storage arrays directly connected to an interface.
1. Configure an interface or interface range to detect a connected storage device.
   interface ethernet node/slot/port[:subport]
   interface range ethernet node/slot/port[:subport]-node/slot/port[:subport]
2. Enable the interface to support a storage device that is directly connected to the port and not automatically detected by iSCSI. Use this command for storage devices that do not support LLDP.
OS10(config)# iscsi target port 3261 ip-address 10.1.1.
● If the iSCSI session does not receive control packets, but receives data packets on the VLT LAG. This happens when you enable iSCSI session monitoring after the iSCSI session starts.

The information learnt about iSCSI sessions on VLT LAGs synchronizes with the VLT peers.
iscsi priority-bits

Resets the priority bitmap advertised in iSCSI application TLVs.

Syntax
  iscsi priority-bits {priority-bitmap}
Parameter
  priority-bitmap — Enter a bitmap value for the dot1p priority advertised for iSCSI traffic in iSCSI application TLVs (0x1 to 0xff).
Default
  0x10 (dot1p 4)
Command Mode
  CONFIGURATION
Usage Information
  iSCSI traffic uses dot1p priority 4 in frame headers by default. Use this command to reconfigure the dot1p-priority bits advertised in iSCSI application TLVs.
Example
  OS10(config)# iscsi session-monitoring enable
Supported Releases
  10.3.0E or later

iscsi target port

Configures the TCP ports used to monitor iSCSI sessions with target storage devices.

Syntax
  iscsi target port tcp-port1 [tcp-port2, ..., tcp-port16] [ip-address ipaddress]
Parameters
  ● tcp-port — Enter one or more TCP port numbers, from 0 to 65535. Separate TCP port numbers with a comma.
  ● ip-address ip-address — (Optional) Enter the IP address in A.B.C.
Command Mode
  EXEC
Usage Information
  This command output displays global iSCSI configuration settings. To view target and initiator information, use the show iscsi session command.
Example
  OS10# show iscsi
  iSCSI Auto configuration is Enabled
  iSCSI session monitoring is Enabled
  iSCSI COS qos-group 4 remark dot1p 4
  Session aging time 15
  Maximum number of connections is 100
  Port    IP Address
  ------------------------
  3260
  860
  3261    10.1.1.1
Supported Releases
  10.3.
show iscsi storage-devices

Displays information about the storage arrays directly attached to OS10 ports.

Syntax
  show iscsi storage-devices
Parameters
  None
Command Mode
  EXEC
Usage Information
  The command output displays the storage device connected to each switch port and whether iSCSI automatically detects it.
OS10(config-cmap-nqos)# match qos-group 5
OS10(config-cmap-nqos)# exit
OS10(config)# class-map type network-qos test6
OS10(config-cmap-nqos)# match qos-group 6
OS10(config-cmap-nqos)# exit
OS10(config)# class-map type network-qos test7
OS10(config-cmap-nqos)# match qos-group 7
OS10(config-cmap-nqos)# exit
OS10(config)# policy-map type network-qos test
OS10(config-pmap-network-qos)# class test4
OS10(config-pmap-c-nqos)# pause
OS10(config-pmap-c-nqos)# pfc-cos 4
OS10(config-pmap-c-nqos)# exit
OS10(config-pm
OS10(config-pmap-queuing)# class cmap2
OS10(config-pmap-c-que)# bandwidth percent 70
OS10(config-pmap-c-que)# end
OS10(config)# system qos
OS10(config-sys-qos)# trust-map dot1p default

5. ETS configuration (interface and global)
Apply the service policies with dot1p trust and ETS configurations to an interface or on all switch interfaces. Only one qos-map traffic-class map is supported on a switch.
8.
3 0% ETS
4 0% ETS
5 0% ETS
6 0% ETS
7 0% ETS
Oper status is init
ETS DCBX Oper status is Up
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
2 Input Conf TLV Pkts, 27 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
2 Input Reco TLV Pkts, 27 Output Reco TLV Pkts, 0 Error Reco TLV Pkts

10. iSCSI optimization configuration (global)
This example accepts the default settings for aging time and TCP ports used in monitored iSCSI sessions.
This example shows how to configure and verify different DCBX versions.
priority-flow-control mode on
OS10(conf-if-eth1/1/53)# do show lldp dcbx interface ethernet 1/1/53
E-ETS Configuration TLV enabled              e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled             r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled              p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled      f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled     i-Application Priority for iSCSI disabled
----------------------------------------------------
17 sFlow

sFlow is a standard-based sampling technology embedded within switches and routers that monitors network traffic. It provides traffic monitoring for high-speed networks with many switches and routers.
● Disable sFlow in CONFIGURATION mode.
sflow enable
!

Collector configuration

Configure the IPv4 or IPv6 address for the sFlow collector. When you configure the collector, enter a valid and reachable IPv4 or IPv6 address. You can configure a maximum of two sFlow collectors. If you specify two collectors, samples are sent to both. The agent IP address must be the same for both the collectors.
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected

Polling-interval configuration

The polling interval for an interface is the number of seconds between successive samples of counters sent to the collector. You can configure the duration for polled interface statistics. Unless there is a specific deployment need to configure a lower polling interval value, configure the polling interval to the maximum value.
● Disable packet sampling in CONFIGURATION mode.
  no sflow sample-rate
● View the sampling rate in EXEC mode.
OS10(config)# sflow source-interface vlan 10

View sFlow running configuration
OS10# show running-configuration sflow
sflow enable all-interfaces
sflow source-interface vlan10
sflow collector 5.1.1.1 agent-addr 4.1.1.1 6343
sflow collector 6.1.1.1 agent-addr 4.1.1.1 6343

OS10(config)#show running-configuration interface vlan
!
interface vlan1
 no shutdown
!
interface vlan10
 no shutdown
 ip address 10.1.1.
sflow max-header-size 80 sflow polling-interval 30 sflow sample-rate 4096 sflow collector 10.16.150.1 agent-addr 10.16.132.67 6767 sflow collector 10.16.153.176 agent-addr 3.3.3.3 6666 ! interface ethernet1/1/1 sflow enable ! sFlow commands sflow collector Configures an sFlow collector IP address where sFlow datagrams are forwarded. You can configure a maximum of two collectors.
Example (interface) Example (interface range) Example (portchannel) Supported Releases OS10(config)# sflow enable OS10(config)# interface ethernet 1/1/1 OS10(conf-if-eth1/1/1)# sflow enable OS10(config)# sflow enable OS10(config)# interface range ethernet 1/1/1-1/1/10 OS10(conf-range-eth1/1/1-1/1/10)# sflow enable OS10(config)# sflow enable OS10(config)# interface range port-channel 1-10 OS10(conf-range-po-1-10)# sflow enable 10.3.
sflow sample-rate Configures the sampling rate. Syntax sflow sample-rate value Parameter value — Enter the packet sample rate, from 4096 to 65535. The default is 32768. Default 32768 Command Mode CONFIGURATION Usage Information Sampling rate is the number of packets skipped before the sample is taken. For example, if the sampling rate is 4096, one sample generates for every 4096 packets observed. The no version of the command resets the sampling rate to the default value.
Parameter interface type — (Optional) Enter either ethernet or port-channel for the interface type.
Command Mode EXEC
Usage Information OS10 does not support statistics for UDP packets dropped and samples received from the hardware.
18 Telemetry
Network health relies on performance monitoring and data collection for analysis and troubleshooting. Network data is often collected with SNMP and CLI commands using the pull mode. In pull mode, a management device sends a get request and pulls data from a client. As the number of objects in the network and the metrics grow, traditional methods limit network scaling and efficiency. Using multiple management systems further limits network scaling.
Table 71. BGP peers
YANG Container                       Minimum sampling interval (milliseconds)
infra-bgp/peer-state/peer-status     0
Buffer statistics
Table 72. Buffer statistics
YANG Container                       Minimum sampling interval (milliseconds)
base-qos/queue-stat                  15000
base-qos/priority-group-stat         15000
base-qos/buffer-pool-stat            15000
base-qos/buffer-pool                 15000
Device information
Table 73.
System statistics
Table 77. System statistics
YANG Container                       Minimum sampling interval (milliseconds)
system-status/current-status         15000
Configure telemetry
NOTE: To set up a streaming telemetry collector, download and use the OS10 telemetry .proto files from the Dell EMC Support site.
To enable the streaming of telemetry data to destinations in a subscription profile:
1. Enable telemetry on the switch.
2. Configure a destination group.
3.
1. Enter the destination group name in TELEMETRY mode. A maximum of 32 characters.
OS10(conf-telemetry)# destination-group group-name
2. Enter the IPv4 or IPv6 address and transport-service port number in DESTINATION-GROUP mode. Only one destination is supported in the 10.4.3.0 release. You can enter a fully qualified domain name (FQDN) for ip-address. The destination domain name resolves to an IP address — see System domain name and list.
OS10(conf-telemetry-dg-dest)# destination ip-address port-number
3.
View telemetry configuration
Use the following show commands to display telemetry configuration.
OS10# show telemetry
Telemetry Status : enabled
-- Telemetry Destination Groups --
Group : dest1
Destination : 10.11.56.
View destination group
OS10# show telemetry destination-group
Telemetry Status : enabled
-- Telemetry Destination Groups --
Group : dest1
Destination : 10.11.56.
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.204:40001 is in connected state
Verify telemetry in running configuration
OS10# show running-configuration telemetry
!
telemetry
 enable
 !
 destination-group dest1
  destination 10.11.56.
● domain-name — Enter the fully qualified domain name of the destination device. A maximum of 32 characters.
● port-number — Enter the transport-service port number to which telemetry data is sent on the destination device.
Default Not configured
Command mode DESTINATION-GROUP
Usage information When you associate a destination group with a subscription, telemetry data is sent to the IP address and port specified by the destination command. In the 10.4.3.0 release, only one destination is supported.

enable
Enables telemetry on the switch.
Syntax enable
Parameters None
Default Telemetry is disabled.
Command mode TELEMETRY
Usage information Enter the no enable command to disable telemetry.
Example
OS10(conf-telemetry)# enable
Supported releases 10.4.3.0 or later

encoding
Configures the encoding format used to stream telemetry data to a destination device.
Syntax encoding format
Parameters format — Enter the gpb (Google protocol buffer) encoding format in which data is streamed.
Example
OS10(conf-telemetry)# subscription-profile subscription-1
OS10(conf-telemetry-sp-subscription-1)# sensor-group bgp 30000
OS10(conf-telemetry-sp-subscription-1)# sensor-group environment 415000
Supported releases 10.4.3.0 or later

sensor-group (telemetry)
Configures a sensor group for streaming telemetry.
NOTE: This command is not supported in release 10.4.3.0.
Syntax sensor-group group-name
Parameters group-name — Enter the name of the sensor group. A maximum of 32 characters.

show telemetry
Displays the configured destination-group, sensor-group, and subscription profiles for streaming telemetry.
Syntax show telemetry [destination-group [group-name] | sensor-group [group-name] | subscription-profile [profile-name]]
Parameters
● destination-group — Display only destination groups or a specified group.
● sensor-group — Display only sensor groups or a specified group.
● subscription-profile — Display only subscription profiles or a specified profile.
Name : subscription-1
Destination Groups(s) : dest1
Sensor-group      Sample-interval
-----------------------------------
bgp               300000
bgp-peer          0
buffer            15000
device            300000
environment       300000
interface         180000
lag               0
system            300000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.204:40001 is in connected state
Supported releases 10.4.3.
Usage information A subscription profile associates destination groups with sensor groups, and specifies the data encoding format and transport protocol. Telemetry data is sent to the IP address and port specified in the destination groups.
Example
OS10(conf-telemetry)# subscription-profile subscription-1
OS10(conf-telemetry-sp-subscription-1)#
Supported releases 10.4.3.0 or later

telemetry
Enters Telemetry configuration mode to configure streaming telemetry.
Example: Configure streaming telemetry
OS10(config)# telemetry
OS10(conf-telemetry)# enable
OS10(conf-telemetry)# destination-group dest1
OS10(conf-telemetry-dg-dest1)# destination 10.11.56.
Sensor-group      Sample-interval
bgp               300000
bgp-peer          0
buffer            15000
device            300000
environment       300000
interface         180000
lag               0
system            300000
Encoding : gpb
Transport : grpc
TLS : disabled
Source Interface : ethernet1/1/1
Active : true
Reason : Connection summary: One or more active connections
The connection 10.11.56.
19 RESTCONF API
RESTCONF is a representational state transfer (REST)-like protocol that uses HTTPS connections. Use the OS10 RESTCONF API to set up the configuration parameters on OS10 switches using JavaScript Object Notation (JSON)-structured messages. Use any programming language to create and send JSON messages. The examples in this chapter use curl. The OS10 RESTCONF implementation complies with RFC 8040. You can use the RESTCONF API to configure and monitor an OS10 switch.
● ecdhe-rsa-with-aes-256-gcm-SHA384
rest https cipher-suite
4. Enable RESTCONF API in CONFIGURATION mode.
rest api restconf
RESTCONF API configuration
OS10(config)# rest https server-certificate name OS10.dell.
Example
OS10(config)# rest https cipher-suite dhe-rsa-with-aes-128-gcm-SHA256 dhe-rsa-with-aes-256-gcm-SHA384 ecdhe-rsa-with-aes-256-gcm-SHA384
Supported Releases 10.4.1.0 or later

rest https server-certificate
Creates the SSL self-signed server certificate a RESTCONF HTTPS connection uses.
Syntax rest https server-certificate name hostname
Parameters name hostname — Enter the IP address or domain name of the OS10 switch.
Default The OS10 switch domain name is used as the hostname.
● -k specifies a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line. Use the IP address or URL of the OS10 switch when you access the OS10 RESTCONF API from a remote orchestration system.
● -H specifies an extra header to include in the request when sending HTTPS to a server. You can enter multiple extra headers.
● -d sends the specified data in an HTTPS request.
Reply:
OS10(config)# do no debug cli netconf
RESTCONF API Examples
Some common RESTCONF API operations include configuring the system hostname and interfaces such as a loopback interface. The examples in this section use curl commands to send the HTTPS request.
Example
curl -X POST -k -u admin:admin "https://10.11.86.113/restconf/data/interfaces" -H "accept: application/json" -H "Content-Type: application/json" -d '{"interface": [{"type": "iana-if-type:softwareLoopback", "enabled": true, "description":"loopback interface", "name":"loopback1"}]}'
Configure a loopback interface IP address
RESTCONF endpoint /restconf/data/interfaces/interface/loopback1
JSON content { "dell-ip:ipv4":{ "address": { "primary-addr":"6.6.6.
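The curl examples in this chapter pass -k, which in curl itself is the short form of --insecure and turns off verification of the switch's certificate (curl's read-arguments-from-file option is the uppercase -K), and they put admin:admin on the command line. The following added example, which is not from the Dell guide, sends the same loopback request from Python with verification left on. The PEM path and the OS10_* environment variable names are assumptions.

```python
"""RESTCONF loopback request with certificate verification left on (added example)."""
import base64
import json
import os
import ssl
import urllib.request


def make_tls_context(switch_cert_pem=None):
    """Build a client context that verifies the certificate and the host name.

    switch_cert_pem is an assumed path to a PEM copy of the switch's
    self-signed certificate, obtained over a trusted channel. When given, it is
    the only trust anchor, so the connection is pinned to that certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + host-name check
    if switch_cert_pem:
        ctx.load_verify_locations(cafile=switch_cert_pem)
    else:
        ctx.load_default_certs()
    # The suites listed for "rest https cipher-suite" are TLS 1.2 AES-GCM suites.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_loopback_request(host, user, password, name="loopback1"):
    """Same POST as the guide's curl example, as a urllib Request object.

    host must be the name or address the certificate was generated for
    (rest https server-certificate name hostname), or verification fails.
    """
    body = {"interface": [{
        "type": "iana-if-type:softwareLoopback",
        "enabled": True,
        "description": "loopback interface",
        "name": name,
    }]}
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url=f"https://{host}/restconf/data/interfaces",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def send(request, context, timeout=10):
    """Send the request. An untrusted or mismatched certificate surfaces as
    urllib.error.URLError wrapping the ssl verification error."""
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=context))
    with opener.open(request, timeout=timeout) as response:
        return response.status, response.read().decode("utf-8")


if __name__ == "__main__":
    # Assumed variable names. Reading credentials from the environment keeps
    # them out of argv, shell history and process listings.
    req = build_loopback_request(
        os.environ["OS10_HOST"], os.environ["OS10_USER"], os.environ["OS10_PASSWORD"]
    )
    status, text = send(req, make_tls_context(os.environ.get("OS10_CERT_PEM")))
    print(status, text)
```
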
20 Troubleshoot OS10
Critical workloads and applications require constant availability. Dell EMC Networking offers tools to help you monitor and troubleshoot problems before they happen.
809 1 457 1 457 1 457 1 457 304 65 S4048ON-PWR-2-UNKNOWN 410 55 S4048ON-FANTRAY-1 410 55 S4048ON-FANTRAY-2 410 55 S4048ON-FANTRAY-3 410 55 0T9FNW X01 TW-0T9FNW-28298-49Q-0041 AEIOU## 226 0MGDH8 X01 TW-0MGDH8-28298-49Q-0361 AEIOU## 226 0MGDH8 X01 TW-0MGDH8-28298-49Q-0360 AEIOU## 226 0MGDH8 X01 TW-0MGDH8-28298-49Q-0359 AEIOU## 226
Boot partition and image
Display system boot partition and image information.
● View all boot information in EXEC mode.
Capture packets from Ethernet interface
$ tcpdump -i e101-003-0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on e101-003-0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:39:22.457185 IP 3.3.3.1 > 3.3.3.4: ICMP echo request, id 5320, seq 26, length 64
01:39:22.457281 IP 3.3.3.1 > 3.3.3.
When you execute a traceroute, the output shows the path a packet takes from your device to the destination IP address. It also lists all intermediate hops (routers) that the packet traverses to reach its destination, including the total number of hops traversed.
Check IPv4 connectivity
OS10# ping 172.31.1.255
Type Ctrl-C to abort.
Sending 5, 100-byte ICMP Echos to 172.31.1.255, timeout is 2 seconds:
Reply to request 1 from 172.31.1.208 0 ms
Reply to request 1 from 172.31.1.
View solution ID
Dell EMC networking switches that are part of a larger solution require a solution identifier (ID). To view the solution ID including the product base, product serial number, and product part number, use the following show commands:
View inventory
OS10# show inventory
Product : S6000-ON
Description : S6000-ON 32x40GbE QSFP+ Interface Module
Software version : 10.4.
Product Serial Number : APM001123456789 Product Part Number : 900-590-001 ----------------------------------------------------------------<
Up Time : 2 days 05:57:17
-- Unit 1 --
Status : up
System Identifier : 1
Down Reason : unknown
Digital Optical Monitoring : disable
System Location LED : off
Required Type : S4048
Current Type : S4048
Hardware Revision : X01
Software Version : 10.4.3.0
Physical Ports : 48x10GbE, 6x40GbE
BIOS : 3.21.0.
System CPLD
Master CPLD
Slave CPLD

location-led system
Changes the location LED of the system.
Syntax location-led system {node-id | node-id/unit-id} {on | off}
Parameters
● node-id | node-id/unit-id — Enter the system ID.
● on | off — Set the system LED to be on or off.
Default Not configured
Command Mode EXEC
Usage Information Use this command to change the location LED for the specified system ID.
Example
OS10# location-led system 1 on
OS10# location-led system 1 off
Supported Releases 10.3.
● -L — (Optional) Suppress the Loopback of multicast packets for a multicast target address.
● -m mark — (Optional) Tags the packets sent to ping a remote device. Use this option with policy routing.
● -M pmtudisc_option — (Optional) Enter the path MTU (PMTU) discovery strategy:
  ○ do prevents fragmentation, including local.
  ○ want performs PMTU discovery and fragments large packets locally.
  ○ dont does not set the Don’t Fragment (DF) flag.

ping6
Tests network connectivity to an IPv6 device.
Syntax ping6 [vrf {management | vrf-name}] [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface] [-l preload] [-m mark] [-M pmtudisc_option] [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline] [-W timeout] destination
Parameters
● vrf management — (Optional) Pings an IPv6 address in the management VRF instance.
● -w deadline — (Optional) Enter the time-out value in seconds before the ping exits regardless of how many packets are sent or received.
● -W timeout — (Optional) Enter the time to wait for a response in seconds. This setting affects the time-out only if there is no response, otherwise ping waits for two round-trip times (RTTs).
● hop1 ... (Optional) Enter the IPv6 addresses of the pre-specified hops for the ping packet to take.
Boot Type: Flash Boot
Active Partition: A
Active SW Version: 10.4.3E
Active SW Build Version: 10.4.3E.85
Active Kernel Version: Linux 4.9.110
Active Build Date/Time: 2019-02-18T09:06:10Z
Standby Partition: B
Standby SW Version: 10.4.3E
Standby SW Build Version: 10.4.3E.80
Standby Build Date/Time: 2019-02-17T15:36:08Z
Next-Boot: active[A]
Supported Releases 10.2.0E or later

show diag
Displays diagnostic information for port adapters and modules.

show environment
Displays information about environmental system components, such as temperature, fan, and voltage.
Command Mode EXEC
Usage Information None
Example
OS10# show inventory
Product : S4048ON
Description : S4048-ON 48x10GbE, 6x40GbE QSFP+ Interface Module
Software version : 10.4.3.
Product Base
Product Serial Number
Product Part Number
rcu_bh 11 root rcuob/0 12 root rcuob/1 13 root migration/0 14 root watchdog/0 15 root watchdog/1 16 root migration/1 17 root ksoftirqd/1 19 root kworker/1:+ 20 root khelper 21 root kdevtmpfs 22 root 23 root khungtaskd 24 root writeback 25 root --more-- 20 0 0 0 0 S 0.0 0.0 0:00.00 20 0 0 0 0 S 0.0 0.0 0:00.00 rt 0 0 0 0 S 0.0 0.0 0:07.30 rt 0 0 0 0 S 0.0 0.0 0:02.18 rt 0 0 0 0 S 0.0 0.0 0:02.12 rt 0 0 0 0 S 0.0 0.0 0:04.98 20 0 0 0 0 S 0.0 0.0 0:03.
Up Time : 2 days 05:57:17
-- Unit 1 --
Status : up
System Identifier : 1
Down Reason : unknown
Digital Optical Monitoring : disable
System Location LED : off
Required Type : S4048
Current Type : S4048
Hardware Revision : X01
Software Version : 10.4.3.0
Physical Ports : 48x10GbE, 6x40GbE
BIOS : 3.21.0.
System CPLD
Master CPLD
Slave CPLD
Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Eth Example (brief) 1/1/30 1/1/31 1/1/32 1/1/33 1/1/34 1/1/35 1/1/36 1/1/37 1/1/38 1/1/39 1/1/40 1/1/41 1/1/42 1/1/43 1/1/44 1/1/45 1/1/46 1/1/47 1/1/48 1/1/49 1/1/50 1/1/51 1/1/52 1/1/53 1/1/54 No No No No No No No No No No No No No No No No No No No Yes Yes Yes Yes Yes Yes BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOUT_1x1 BREAKOU
● vrf vrf-name — (Optional) Traces the route to an IP address in the specified VRF instance.
● host — Enter the host to trace packets from.
● -i interface — (Optional) Enter the IP address of the interface through which traceroute sends packets. By default, the interface is selected according to the routing table.
● -m max_ttl — (Optional) Enter the maximum number of hops, the maximum time-to-live value, that traceroute probes. The default is 30.
Password recovery
You may need to recover a lost password.
1. Connect to the serial console port. The serial settings are 115200 baud, 8 data bits, and no parity.
2. Reboot or power up the system.
3. Press ESC at the Grub prompt to view the boot menu. The OS10-A partition is selected by default.
+-------------------------------------------+
|*OS10-A                                    |
| OS10-B                                    |
| ONIE                                      |
+-------------------------------------------+
4. Press e to open the OS10 GRUB editor.
5.
12. Reboot the system, then enter your new password.
root@OS10:~# reboot -f
Rebooting.
[ 3466.946967] reboot: Restarting system
BIOS Boot Selector for S5148F
Primary BIOS Version 3.36.0.1-2
SMF Version: MSS 1.2.2, FPGA 0.1
Last POR=0x11, Reset Cause=0x55
Restore factory defaults
To restore your system factory defaults, reboot the system to ONIE: Uninstall OS mode.
CAUTION: Restoring factory defaults erases any installed operating system and requires a long time to erase storage.
Sent SIGTERM to all processes
Sent SIGKILL tosd 4:0:0:0: [sda] Synchronizing SCSI cache
Restarting system.
machine restart
SupportAssist
By default, SupportAssist is enabled. SupportAssist sends troubleshooting data securely to Dell EMC Technical Support. SupportAssist does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. To disable SupportAssist, use the eula-consent support-assist reject command.
6. Trigger an activity immediately or at a scheduled time in SUPPORT-ASSIST mode.
do support-assist activity full-transfer {start-now | schedule [hourly | daily | weekly | monthly | yearly]}
Configure SupportAssist
OS10(config)# support-assist
OS10(conf-support-assist)# contact-company name Eureka
OS10(conf-support-assist-Eureka)# exit
OS10(conf-support-assist)# server url http://eureka.
3. (Optional) Configure street address information in SUPPORT-ASSIST mode. Use double quotes to add spaces within an address. Use the no street-address command to remove the configuration.
street-address {address-line-1} [{address-line-2} {address-line-3}]
4. (Optional) Configure the territory and set the coverage in SUPPORT-ASSIST mode. Use the no territory command to remove the configuration.
○ yearly month number day number hour number min number — Enter the time to schedule a yearly task, from 1 to 12, 1 to 31, 0 to 23, and 0 to 59.
View EULA license
OS10# show support-assist eula
I accept the terms of the license agreement. You can reject the license agreement by configuring this command 'eula-consent support-assist reject.' By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.

contact-company
Configures the company contact information.
Syntax contact-company name
Parameters name — Enter the contact company name. A maximum of 140 characters.
Default Not configured
Command Mode SUPPORT-ASSIST
Usage Information You can enter only one contact-company. Use double quotes to enclose additional contact information. The no version of this command removes the configuration.

eula-consent
Accepts or rejects the SupportAssist end-user license agreement (EULA).
Syntax eula-consent {support-assist} {accept | reject}
Parameters
● support-assist — Enter to accept or reject the EULA for the service.
● accept — Enter to accept the EULA-consent.
● reject — Enter to reject EULA-consent.
Default Not configured
Command Mode CONFIGURATION
Usage Information If you reject the end-user license agreement, you cannot access Configuration mode.
Example
OS10(conf-support-assist)# proxy-server ip 10.1.1.5 port 701
Supported Releases 10.2.0E or later

server url
Configures the domain or IP address of the remote SupportAssist server.
Syntax server url server-url-string
Parameters server-url-string — Enter the domain or IP address of the remote SupportAssist server. To include a space, enter a space within double quotes.
Default https://stor.g3.ph.dell.com
Command Mode SUPPORT-ASSIST
Usage Information Only configure one SupportAssist server.
receive related repair services from Dell, Inc. You further agree to allow Dell, Inc. to transmit and store the Collected Data from SupportAssist in accordance with these terms. You agree that the provision of SupportAssist may involve international transfers of data from you to Dell, Inc. and/or to Dell, Inc.'s affiliates, subcontractors or business partners. When making such transfers, Dell, Inc.
20:48:42 event-notification success 20:51:51 full-transfer success 20:30:52 Sep 12,2016 20:51:51 Sep 12,2016 Sep 12,2016 20:30:28 Sep 12,2016
Supported Releases 10.2.0E or later

source-interface
Configures the interface used to connect to the SupportAssist server.
Syntax source-interface interface
Parameters interface:
● ethernet node/slot/port[:subport] — Enter a physical Ethernet interface.
● loopback number — Enter a Loopback interface, from 0 to 16383.
| monthly day number hour number min number | yearly month number day number}]
Parameters
● start-now — Schedules the transfer to start immediately.
● hourly minute — Schedule an hourly task, from 0 to 59.
● daily — Schedule a daily task:
  ○ hour number — Enter the keyword and number of hours to schedule the daily task, from 0 to 23.
  ○ min number — Enter the keyword and number of minutes to schedule the daily task, from 0 to 59.
Support bundle
The Support Bundle is based on the sosreport tool. Use the Support Bundle to generate an sosreport tar file that collects Linux system configuration and diagnostics information, as well as the show command output to send to Dell EMC Technical Support. To send Dell EMC Technical Support troubleshooting details about the Linux system configuration and OS10 diagnostics, generate an sosreport tar file.
1. Generate the tar file in EXEC mode.
generate support-bundle
2.
Defaults None
Command Mode EXEC
Usage Information To send the tar file to Dell EMC Technical Support, use the dir supportbundle and copy supportbundle://sosreport-OS10-file-number.tar.gz tftp://serveraddress/path commands.
Example
OS10# generate support-bundle
Example (Enable Options)
OS10# generate support-bundle enable-all-plugin-options
Supported Releases 10.2.0E or later

System monitoring
Monitor OS10 using system alarms and log information.
● Enter the minimum severity level for logging to terminal lines in CONFIGURATION mode.
logging monitor severity
● Enter which server to use for syslog messages with the hostname or IP address in CONFIGURATION mode.
logging server {hostname/ip-address severity}
Disable system logging
You can use the no version of any logging command to disable system logging.
● Disable console logging and reset the minimum logging severity to the default in CONFIGURATION mode.
airflow directions#003
Jun 1 05:02:10 %Node.1-Unit.1:PRI:OS10 %log-notice:NDM_SERVICE_UP: NDM Service Ready!
Jun 1 05:02:10 %Node.1-Unit.
Configure Threshold level for link-bundle monitoring
OS10(config)# link-bundle-trigger-threshold 10
View link-bundle monitoring threshold configuration
OS10(config)# do show running-configuration
link-bundle-trigger-threshold 10
!
...
Show link-bundle utilization
OS10(config)# do show link-bundle-utilization
Link-bundle trigger threshold - 10
Alarm commands
alarm acknowledge
Acknowledges an active alarm.
show alarms
Displays all current active alarms in the system.
Syntax show alarms
Parameters None
Default None
Command Mode EXEC
Usage Information None
Example
OS10# show alarms
Sq No  Severity  Name                Timestamp                 Source
-----  --------  ------------------  -----------------------  ------
  3    major     EQM_MORE_PSU_FAULT  Sun 10-07-2018 18:39:47  /psu/2
* 4    Minor     EQM_MORE_PSU_FAULT  Sun 10-07-2018 18:39:47  /psu/1
Supported Releases 10.2.0E or later

show alarms details
Displays details about active alarms.

show alarms history
Displays the history of all alarm events.
Syntax show alarms history [summary]
Parameters summary — Enter to view a summary of the alarm history.
State: raised
-------------------------------------------
Supported Releases 10.4.3E or later

show alarms index
Displays information about a specific alarm using the alarm ID.
Syntax show alarms index alarm-id
Parameters index alarm-id — Enter the keyword and the alarm ID to view specific information.
Default Not configured
Command Mode EXEC
Usage Information Use the alarm-id to clear and view alarm details.
Type: 1081364
Source: Node.1-Unit.1
Name: EQM_THERMAL_WARN_CROSSED
Description:
Raise-time: Sat 10-06-2018 0:1:5
Ack-time: Sun 10-07-2018 20:39:47
New: true
State: raised
Example (Critical)
OS10# show alarms severity critical
Active-alarm details - 0
-------------------------------------------
Sequence Number: 1
Severity: critical
Type: 1081367
Source: Node.1-Unit.
Supported Releases 10.2.0E or later
Logging commands
clear logging
Clears messages in the logging buffer.
Syntax clear logging log-file
Parameters None
Default Not configured
Command Mode EXEC
Usage Information None
Example
OS10# clear logging log-file
Proceed to clear the log file [confirm yes/no(default)]:
Supported Releases 10.2.0E or later

logging console
Disables, enables, or configures the minimum severity level for logging to the console.

logging enable
Enables system logging.
Syntax logging enable
Parameters None
Default Enabled
Command Mode CONFIGURATION
Usage Information The no version of this command disables all logging.
Example
OS10(config)# logging enable
Supported Releases 10.2.0E or later

logging log-file
Disables, enables, or sets the minimum severity level for logging to the log file.
● log-alert — Set to immediate action is needed.
● log-crit — Set to critical conditions.
● log-err — Set to error conditions.
● log-warning — Set to warning conditions.
● log-notice — Set to normal but significant conditions, the default.
● log-info — Set to informational messages.
● log-debug — Set to debug messages.
Default Log-notice
Command Mode CONFIGURATION
Usage Information To reset the monitor severity to the default level, use the no logging monitor severity command.
Supported Releases 10.2.0E or later

show logging
Displays system logging messages by log file, process-names, or summary.
Syntax show logging {log-file [process-name | line-numbers] | process-names}
Parameters
● process-name — (Optional) Enter the process-name to use as a filter in syslog messages.
● line-numbers — (Optional) Enter the number of lines to include in the logging messages, from 1 to 65535.
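A triage filter for log lines in the format of this chapter's system-logging sample, applying the ordering of the severity keywords listed for the logging commands; this is an added example, not Dell code. Only the first sample line is taken from the guide: the other lines, the event and severity pairings and the hypothetical EXAMPLE_LOGIN_OK name are constructed, and log-emerg is assumed as the level above log-alert because the keyword list in this excerpt starts at log-alert.

```python
"""Triage OS10-style log lines by severity keyword (added example)."""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Most severe first. log-alert .. log-debug are the keywords listed for the
# logging commands; log-emerg is an assumption (level above log-alert).
SEVERITY_ORDER = ("log-emerg", "log-alert", "log-crit", "log-err",
                  "log-warning", "log-notice", "log-info", "log-debug")
RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# <timestamp> %<origin> %<severity>:<EVENT>: <message>
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"%(?P<origin>\S+)\s+"
    r"%(?P<severity>log-[a-z]+):(?P<event>[A-Z0-9_]+):\s*(?P<message>.*)$"
)


class LogRecord(NamedTuple):
    timestamp: str
    origin: str
    severity: str
    event: str
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None when the line does not fit the format."""
    match = LINE_RE.match(line.strip())
    if match is None or match.group("severity") not in RANK:
        return None
    return LogRecord(**match.groupdict())


def triage(lines, minimum="log-warning"):
    """Split lines into (kept, below, unparsed).

    kept     -- records at `minimum` severity or more severe
    below    -- Counter of severities that were filtered out
    unparsed -- raw lines that did not parse; they are returned rather than
                dropped so truncated or malformed entries stay visible
    """
    if minimum not in RANK:
        raise ValueError(f"unknown severity keyword: {minimum}")
    threshold = RANK[minimum]
    kept, below, unparsed = [], Counter(), []
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed.append(line)
        elif RANK[record.severity] <= threshold:
            kept.append(record)
        else:
            below[record.severity] += 1
    return kept, below, unparsed


# First line is from the guide; the rest are constructed for this example.
SAMPLE_LOG = """\
Jun 1 05:02:10 %Node.1-Unit.1:PRI:OS10 %log-notice:NDM_SERVICE_UP: NDM Service Ready!
Jun 1 05:03:41 %Node.1-Unit.1:PRI:OS10 %log-crit:EQM_MORE_PSU_FAULT: constructed text
Jun 1 05:03:55 %Node.1-Unit.1:PRI:OS10 %log-info:EXAMPLE_LOGIN_OK: constructed text
Jun 1 05:04:02 %Node.1-Unit.1:PRI:OS10 %log-warning:EQM_THERMAL_WARN_CROSSED: constructed text
Jun 1 05:04:02 %Node.1-Unit.
""".splitlines()


if __name__ == "__main__":
    kept, below, unparsed = triage(SAMPLE_LOG, minimum="log-warning")
    for rec in kept:
        print(rec.timestamp, rec.severity, rec.event)
    print("filtered out:", dict(below))
    print("unparsed lines:", len(unparsed))
```
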
Example
OS10# show trace
May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.c:nl_to_neigh_info:109, Operation:Add-NH family:IPv4(2) flags:0x0 state:Failed(32) if-idx:4
May 23 17:10:03 OS10 base_nas: [NETLINK:NHEVENT]:ds_api_linux_neigh.c:nl_to_neigh_info:120, NextHop IP:192.168.10.
Supported Releases
the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* Dell EMC Network Operating System (OS10) *-* *-* Copyright (c) 1999-2017 by Dell Inc. All Rights Reserved. *-* *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*This product is protected by U.S.
See the Setup Guide shipped with your device or the platform-specific Installation Guide on the Dell EMC Support page at dell.com/support.
Hardware
What are the default console settings for ON-Series devices?
● Set the data rate to 115200 baud
● Set the data format to 8 bits, stop bits to 1, and no parity
● Set flow control to none
How do I view the hardware inventory?
Use the show inventory command to view complete system inventory.
How do I view summary information for the OSPF database?
Use the show ip ospf database command.
How do I view configuration of OSPF neighbors connected to the local router?
Use the show ip ospf neighbor command.
System management
How can I view the current interface configuration?
Use the show running-configuration command to view all currently configured interfaces.
How can I view a list of all system devices?
Use the show inventory command to view a complete list.
● % Warning: Not enough buffers are available, for lossy traffic. Expect lossy traffic drops, else reconfigure the pause buffers
Monitoring
How can I check if SupportAssist is enabled?
Use the show support-assist status command to view current configuration information.
How can I view a list of alarms?
Use the show alarms details command to view a list of all system alarms.
How do I enable or disable system logging?
Use the logging enable command or the logging disable command.
21 Support resources
The Dell EMC Support site provides a range of documents and tools to assist you with effectively using Dell EMC devices. Through the support site you can obtain technical information regarding Dell EMC products, access software upgrades and patches, download available management software, and manage your open cases. The Dell EMC support site provides integrated, secure access to these services. To access the Dell EMC Support site, go to www.dell.com/support/.