FTOS Configuration Guide for the ExaScale System FTOS Version 8.4.1.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Information in this publication is subject to change without notice. © 2011 Dell Force10. All rights reserved.
www.dell.com | support.dell.com

Contents (partial; page numbers refer to the printed guide)
About this Guide (33): Objectives, Audience, Conventions
Configuration Task List for System Log Management (61): Disable System Logging (62), Send System Messages to a Syslog Server (62), Configure a Unix System as a Syslog Server (62), Change System Logging Settings
Link Trace Cache (88), Enable CFM SNMP Traps (89), Display Ethernet CFM Statistics (91)
8 802.3ah
Configuring a Guest VLAN (120), Configuring an Authentication-Fail VLAN (121), Multi-Host Authentication (122), Multi-Supplicant Authentication
Configuring BFD for IS-IS (180), Configuring BFD for VRRP (182), Configuring BFD for VLANs (186), Configuring BFD for Port-Channels (188), Configuring Protocol Liveness
CAM Profiles (266), Microcode (268), CAM Profiling for ACLs (269), Boot Behavior
Related Configuration Tasks (300), Important Points to Remember (300), Enabling the Archive Service (300), Archiving a Configuration File (301), Viewing the Archive Directory
18 Force10 Resilient Ring Protocol (329): Protocol Overview (329), Ring Status (330), Multiple FRRP Rings
Enabling GVRP on a Layer 2 Interface (369), Configuring GVRP Registration (370), Configuring a GARP Timer (371)
21 High Availability (373): Component Redundancy
Disabling Multicast Flooding (407), Specifying a Port as Connected to a Multicast Router (407), Configuring the Switch as Querier (408), Fast Convergence after MSTP Topology Changes (408), Designating a Multicast Router Interface
Configure MTU Size on an Interface (445), Port-pipes (446), Auto-Negotiation on Ethernet Interfaces (447), View Advanced Interface Information
IPv6 Neighbor Discovery (486), IPv6 Neighbor Discovery of MTU packets (486), Advertise Neighbor Prefixes (487), QoS for IPv6
LACP Configuration Commands (531), LACP Configuration Tasks (532), Monitor and Debugging LACP (534), Shared LAG State Tracking (534), Configure Shared LAG State Tracking
Optional TLVs (566), Management TLVs (566), TIA-1057 (LLDP-MED) Overview (568), TIA Organizationally Specific TLVs
Configure the Switch as a Querier (594), Disable Multicast Flooding (594), Specify a Port as Connected to a Multicast Router (594), Enable Snooping Explicit Tracking (595), Display the MLD Snooping Table
Modify Global Parameters (622), Modify Interface Parameters (623), Configure an EdgePort (625), Flush MAC Addresses after a Topology Change
Designated and Backup Designated Routers (662), Link-State Advertisements (LSAs) (663), Virtual Links (664), Router Priority (664), OSPF Cost
36 PIM Dense-Mode (703): Implementation Information (703), Protocol Overview (703), Refusing Multicast Traffic
Use PIM-SSM with IGMP version 2 Hosts (732)
39 Power over Ethernet (735): Configuring Power over Ethernet (736), Related Configuration Tasks (737), Enabling PoE on a Port
Sample Configuration: Remote Port Mirroring (779)
42 Private VLANs (781): Important Points to Remember (782), Configure Private VLANs
Create WRED Profiles (816), Apply a WRED profile to traffic (817), Configure WRED for Storm Control (817), Display Default and Configured WRED Profiles (817), Display WRED Drop Statistics
Configuration Task List for AAA Authentication (858), AAA Authorization (861), Privilege Levels Overview (861), Configuration Task List for Privilege Levels (862), RADIUS
Rate-limit BPDUs on the C-Series and S-Series (909), Debug Layer 2 Protocol Tunneling (910), Provider Backbone Bridging (910)
50 sFlow (911): Overview
Monitor Port-channels (941), Troubleshooting SNMP Operation (942)
52 SONET/SDH (943): Packet Over SONET (POS) Interfaces
54 Broadcast Storm Control (977): Storm Control Overview (977), Implementation Information (977), Broadcast Storm Control
Configure NTP authentication (1004), FTOS Time and Date (1007), Configuring time and date settings (1007), Set daylight savings time
VRRP Benefits (1042), VRRP Implementation (1043), VRRP version 3 (1044), VRRP Configuration
Show hardware commands (1089), Offline diagnostics (1090), Important points to remember (1091), Offline configuration task list
Information files and logs (1124), Trace logs (1125), Automatic trace log updates (1125), Save a trace log to a file on the flash (1125), Manual reload messages
3 About this Guide

Objectives
This guide describes the protocols and features supported by the Dell Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It covers the E-Series, C-Series, and S-Series platforms. The E-Series ExaScale platform is supported with FTOS version 8.1.1.0 and later. Though this guide contains information on protocols, it is not intended to be a complete protocol reference.
Information Symbols
Table 3-1, "Information Symbols," describes the symbols used in this guide.

Table 3-1. Information Symbols
Symbol          Warning   Description
Note                      This symbol informs you of important operational information.
FTOS Behavior             This symbol informs you of an FTOS behavior. These behaviors are inherent to the Dell Force10 system or FTOS feature and are non-configurable.
4 Configuration Fundamentals
The FTOS Command Line Interface (CLI) is a text-based interface through which you configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series, with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; refer to The do Command). You can set user access rights to commands and command modes using privilege levels; for more information on privilege levels and security options, refer to Chapter 9, Security, on page 627.
CLI Modes in FTOS
• EXEC
• EXEC Privilege
• CONFIGURATION
  • ARCHIVE
  • AS-PATH ACL
  • INTERFACE (GIGABIT ETHERNET, 10 GIGABIT ETHERNET, INTERFACE RANGE, LOOPBACK, MANAGEMENT ETHERNET, NULL, PORT-CHANNEL, SONET, VLAN, VRRP)
  • IP, IPv6
  • IP COMMUNITY-LIST
  • IP ACCESS-LIST (STANDARD ACCESS-LIST, EXTENDED ACCESS-LIST)
  • LINE (AUXILIARY, CONSOLE, VIRTUAL TERMINAL)
  • MAC ACCESS-LIST
  • MONITOR SESSION
  • MULTIPLE SPANNING TREE
  • Per-VLAN SPANNING TREE
  • PREFIX-LIST
  • RAPID SPANNING TREE
  • REDIRECT
  • ROUTE-MAP
  • ROUTER BGP, ROUTER ISIS, ROUTER OSPF, ROUTER RIP
  • SPANNING TREE
Navigating CLI Modes
The FTOS prompt changes to indicate the CLI mode. Table 4-1, "FTOS Command Modes," lists each CLI mode, its prompt, and how to access and exit it. You must move linearly through the command modes, with two exceptions: the end command takes you directly to EXEC Privilege mode, and the exit command moves you up one command mode level.
Table 4-1. FTOS Command Modes
The following example illustrates how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE mode.
    FTOS(conf)#protocol spanning-tree 0
    FTOS(config-span)#

The do Command
Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without returning to EXEC mode by preceding the EXEC mode command with the command do. The following example illustrates the do command.
    interface GigabitEthernet 4/17
     no ip address
     no shutdown

Layer 2 protocols are disabled by default. Enable them using the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords in any CLI mode using the ? or help command:
• Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
Entering and Editing Commands
When entering commands:
• The CLI is not case sensitive.
• You can enter partial CLI keywords.
  • You must enter the minimum number of letters needed to uniquely identify a command. For example, cl cannot be entered as a partial keyword because both the clock and class-map commands begin with the letters "cl." clo, however, can be entered as a partial keyword because only one command begins with those three letters.
Table 4-2.
Command History
FTOS maintains a history of previously entered commands for each mode. For example:
• When you are in EXEC mode, the UP and DOWN arrow keys recall the previously entered EXEC mode commands.
• When you are in CONFIGURATION mode, the UP and DOWN arrow keys recall the previously entered CONFIGURATION mode commands.
• find displays the output of the show command beginning from the first occurrence of the specified text. The following example shows this filter used in combination with the command show linecard all.
    FTOS(conf)#do show linecard all | find 0
    0   not present
    1   not present
    2   online   online   E48TB   E48TB
    3   not present
    4   not present
    5   online   online   E48VB   E48VB
    6   not present
    7   not present
• display displays additional configuration information.
5 Getting Started
This chapter contains the following major sections:
• Default Configuration
• Configure a Host Name
• Access the System Remotely
• Configure the Enable Password
• Configuration File Management
• File System Management
When you power up the chassis, the system performs a Power-On Self Test (POST), during which the Route Processor Module (RPM), Switch Fabric Module (SFM), and line card status LEDs blink green.
    -> 00:00:10: %RPM0-U:CP %RAM-6-ELECTION_ROLE: RPM0 is transitioning to Primary RPM.
Access the System Remotely
You can configure the system so that you can access it remotely by Telnet. The method for configuring the C-Series and E-Series for Telnet access is different from that for the S-Series.
• The C-Series and E-Series have a dedicated management port and a management routing table that is separate from the IP routing table.
• The S-Series does not have a dedicated management port but is managed from any port. It does not have a separate management routing table.
Telnet sends the login and enable passwords over the network in clear text. Restrict the virtual terminal lines to known management hosts with an access class (refer to the access-class example under Terminal Lines) and, where the platform supports it, prefer SSH over Telnet for management sessions.
Step   Task                    Command Syntax   Command Mode
3      Enable the interface.   no shutdown      INTERFACE

Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are used only to manage the system through the management port.
Access the S-Series Remotely
The S-Series has neither a dedicated management port nor a separate management routing table. Configure any port on the S-Series as the port through which you manage the system, and configure an IP route to that gateway.
Note: The S60 system uses management ports and should be configured like the C-Series and E-Series systems. Refer to Access the C-Series and E-Series Remotely.
Configuring the system for Telnet access is a three-step process:
1.
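The remote-access procedure above, carried through for both platform families, as an added configuration example that is not part of the original guide. The management address 10.10.10.5/24, the gateway 10.10.10.1, the S-Series port GigabitEthernet 0/1, the administrator host 10.11.0.1, and the ACL name MGMT-HOSTS are assumed values. Because Telnet carries credentials in clear text, the example also limits the VTY lines to the administrator host with an access-class and sets an idle timeout; lines beginning with ! are annotations, not commands.

```text
! C-Series / E-Series: dedicated management port, separate management routing table
FTOS(conf)#interface ManagementEthernet 0/0
! assumed management address
FTOS(conf-if-ma-0/0)#ip address 10.10.10.5/24
FTOS(conf-if-ma-0/0)#no shutdown
FTOS(conf-if-ma-0/0)#exit
! assumed gateway; this route lives in the management table, not the IP routing table
FTOS(conf)#management route 0.0.0.0/0 10.10.10.1

! S-Series (other than the S60): any front-panel port and an ordinary IP route
! assumed port
FTOS(conf)#interface GigabitEthernet 0/1
FTOS(conf-if-gi-0/1)#ip address 10.10.10.5/24
FTOS(conf-if-gi-0/1)#no shutdown
FTOS(conf-if-gi-0/1)#exit
FTOS(conf)#ip route 0.0.0.0/0 10.10.10.1

! Both: allow only the administrator host to open a session on the VTY lines
FTOS(conf)#ip access-list standard MGMT-HOSTS
! assumed administrator host
FTOS(config-std-nacl)#seq 5 permit host 10.11.0.1
FTOS(config-std-nacl)#seq 10 deny any
FTOS(config-std-nacl)#exit
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#access-class MGMT-HOSTS
! idle sessions are closed after 10 minutes
FTOS(config-line-vty)#exec-timeout 10 0
FTOS(config-line-vty)#end
FTOS#copy running-config startup-config
```

Verify the access class from EXEC Privilege mode with show running-config line and confirm that a Telnet attempt from a host other than 10.11.0.1 is refused before the username prompt, as the FTOS Behavior note under Terminal Lines describes for FTOS 7.4.2.0 and later.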
To configure an enable password:
Task                                               Command Syntax                                                        Command Mode
Create a password to access EXEC Privilege mode.   enable [password | secret] [level level] [encryption-type] password   CONFIGURATION
level is the privilege level; it is 15 by default and is not required.
encryption-type specifies how you are entering the password; it is 0 by default and is not required.
• 0 is for entering the password in clear text.
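The two forms of the enable command side by side, as an added example that is not part of the original guide. The passwords and the operator level 8 are assumed values. enable password stores the password with type 7 encoding, which is an obfuscation that can be reversed by anyone who can read the configuration or a backup of it; enable secret stores a one-way hash (type 5), so the secret form is the one to keep.

```text
! Weak: type-7 encoding in the configuration, recoverable from any copy of it
FTOS(conf)#enable password 0 Sw1tch-Adm1n

! Preferred: the same secret stored as a one-way hash (type 5)
FTOS(conf)#enable secret 0 Sw1tch-Adm1n
! Remove the reversible form once the secret is in place
FTOS(conf)#no enable password

! A separate secret for a lower privilege level (level 8 is assumed)
FTOS(conf)#enable secret level 8 0 Op3rator-Only

! Confirm what was written: the secret lines show encryption-type 5 and a hash,
! not the clear-text value entered above
FTOS(conf)#do show running-config | grep enable
```

Entering the password with encryption-type 0 is only a statement of how it is typed; what matters for an attacker with a copy of the startup-config is how it is stored, which the show running-config output reveals.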
Table 5-1.
    core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0.bin flash://
    Destination file name [FTOS-EF-8.2.1.0.bin.bin]:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    26292881 bytes successfully copied

Save the Running-configuration
The running-configuration contains the current system configuration. Dell Force10 recommends that you copy your running-configuration to the startup-configuration.
Task                                                                                                                                                      Command Syntax                                 Command Mode
Save the running-configuration to the startup-configuration on the internal flash of the primary RPM, then copy the new startup-config file to the external flash of the primary RPM.   copy running-config startup-config duplicate   EXEC Privilege
FTOS Behavior: If you create a startup-configuration on an RPM and then move the RPM to another chassis, the startup-configuration is stored as a backup file (with the extension .
File System Management
The Dell Force10 system can use the internal flash, external flash, or remote devices to store files. It stores files on the internal flash by default but can be configured to store files elsewhere. To view file system information:
Task                                       Command Syntax   Command Mode
View information about each file system.
View command history
The command-history trace feature captures all commands entered by all users of the system, with a time stamp, and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command, as shown in the following example.
6 System Management
System Management is supported on platforms: C-Series, E-Series, S-Series.
This chapter explains the different protocols and services used to manage the Dell Force10 system, including:
• Configure Privilege Levels
• Configure Logging
• File Transfer Services
• Terminal Lines
• Lock CONFIGURATION mode
• Recovering from a Forgotten Password
• Recovering from a Forgotten Password on S-Series
• Recovering from a Failed Start

Configure Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
Removing a command from EXEC mode
Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, followed by the first keyword of each command to be restricted.
Task                                                                                                    Command Syntax
Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all keywords in the command.   privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.                privilege {configure | interface | line | route-map | router} level level {command ||...
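A least-privilege operator role built from the privilege commands above, as an added example that is not part of the original guide. The level number 8, the username ops-user, the password, and the choice of commands are assumed; the point is that a level is granted only the modes and keywords named, and that raising a command's level above the operator's level removes it from that operator.

```text
! Operator account that lands at privilege level 8 (name, level and secret are assumed)
FTOS(conf)#username ops-user privilege 8 secret 0 Op3rator-Only

! Let level 8 enter CONFIGURATION mode, and from there INTERFACE mode for Gigabit Ethernet ports
FTOS(conf)#privilege exec level 8 configure
FTOS(conf)#privilege configure level 8 interface gigabitethernet

! Inside INTERFACE mode, level 8 may use only these keywords
FTOS(conf)#privilege interface level 8 shutdown
FTOS(conf)#privilege interface level 8 description

! Take traceroute away from level 8 by assigning it to a higher level
FTOS(conf)#privilege exec level 10 traceroute
FTOS(conf)#end

! From a session logged in as ops-user, confirm the effective level
FTOS#show privilege
```

After logging in as ops-user, entering ? in EXEC and INTERFACE mode lists only the keywords granted above; anything not explicitly assigned to level 8 or below is absent, which is the check to run before handing the account to an operator.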
Configure Logging
FTOS tracks changes in the system using event and error messages. By default, FTOS logs these messages to:
• the internal buffer,
• the console and terminal lines, and
• any configured syslog servers.

Disable Logging
To disable logging:
Task                                          Command Syntax      Command Mode
Disable all logging except on the console.    no logging on       CONFIGURATION
Disable logging to the logging buffer.        no logging buffer   CONFIGURATION
Disable logging to terminal lines.
Disable System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and syslog servers. Enable and disable system logging using the following commands:
Task                                          Command Syntax      Command Mode
Disable all logging except on the console.    no logging on       CONFIGURATION
Disable logging to the logging buffer.        no logging buffer   CONFIGURATION
Disable logging to terminal lines.
Change System Logging Settings
You can change the default system logging settings (severity level and storage location). The default is to log all messages up to debug level.
Task                                                                      Command Syntax           Command Mode
Specify the minimum severity level for logging to the logging buffer.     logging buffered level   CONFIGURATION
Specify the minimum severity level for logging to the console.            logging console level    CONFIGURATION
Specify the minimum severity level for logging to terminal lines.
Display the Logging Buffer and the Logging Configuration
Display the current contents of the logging buffer and the logging settings for the system using the show logging command from EXEC Privilege mode, as shown in the following example.
Configure a UNIX Logging Facility Level
A facility is a message tag used to describe the application or process that submitted the log message. You can save system log messages with a UNIX system logging facility:
Command Syntax                       Command Mode    Purpose
logging facility [facility-type]     CONFIGURATION   Specify one of the following parameters.
Synchronize Log Messages
You can configure a terminal line to hold all logs until all command inputs and outputs are complete, so that log printing does not interfere when you are performing management tasks. Log synchronization also filters system messages for a specific line based on severity level and limits the number of messages that are printed at once.
Step   Task                   Command Syntax   Command Mode
1      Enter the LINE mode.
2
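The logging tasks above (syslog server, UNIX facility, per-destination severity levels, and line synchronization) combined into one configuration, as an added example that is not part of the original guide. The server address 10.10.10.50, the facility local7, the severity choices, and the path on the UNIX host are assumed. The design intent is that the syslog server receives informational and above so that a forensic record exists off the box, the internal buffer keeps everything, and the console stays quiet enough to work on.

```text
! Off-box copy of the log (address assumed); syslog is unauthenticated UDP,
! so reach the server over the management network only
FTOS(conf)#logging 10.10.10.50
FTOS(conf)#logging source-interface ManagementEthernet 0/0
! Facility tag the UNIX host uses to route these messages
FTOS(conf)#logging facility local7
! Minimum severity per destination (0 emergencies ... 7 debugging)
FTOS(conf)#logging trap informational
FTOS(conf)#logging buffered debugging
FTOS(conf)#logging console notifications
FTOS(conf)#logging monitor notifications
! Hold log output on the console until the current command has finished
FTOS(conf)#line console 0
FTOS(config-line-console)#logging synchronous
FTOS(config-line-console)#end
! Check the resulting settings and the buffer contents
FTOS#show logging

! On the UNIX syslog server, the matching syslog.conf rule (path assumed):
! local7.*    /var/log/ftos.log
```

A "no logging on" or "no logging buffer" issued by anyone with CONFIGURATION access silences these destinations, so the command-history trace (show command-history) is the place to look for who changed logging and when.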
File Transfer Services
You can configure the system to transfer files over the network using File Transfer Protocol (FTP).
Configuration Task List for File Transfer Services
The following list includes the configuration tasks for file transfer services:
• Enable FTP server
• Configure FTP server parameters
• Configure FTP client parameters
Enable FTP server
To make the system an FTP server:
Task                            Command Syntax   Command Mode
Make the system an FTP server.
Display your FTP configuration using the command show running-config ftp from EXEC Privilege mode, as shown in the example in Enable FTP server.
Configure FTP client parameters
When the system will be an FTP client, configure FTP client parameters:
Task                                            Command Syntax                        Command Mode
Specify a source interface.                     ip ftp source-interface interface     CONFIGURATION
Configure a password.                           ip ftp password password              CONFIGURATION
Enter the username to use on the FTP client.
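The FTP server and client tasks above in one configuration, as an added example that is not part of the original guide. The account xfer, its password, the server address 10.10.10.10, and the remote path are assumed. FTP carries credentials and file contents in clear text, so the example enables the server only for the duration of a transfer, and it keeps the client credentials in the configuration instead of in the copy URL, where the earlier copy ftp://myusername:mypassword@... example places them in full view on the terminal.

```text
! FTP server: enable, create an account, confine it to a directory, transfer, then disable
FTOS(conf)#ftp-server enable
! account name and password are assumed
FTOS(conf)#ftp-server username xfer password 0 Tr4nsfer-0nly
FTOS(conf)#ftp-server topdir flash:
FTOS(conf)#do show running-config ftp
! ... perform the transfer from the remote host ...
FTOS(conf)#no ftp-server enable

! FTP client: source the session from the management port and store the credentials once
FTOS(conf)#ip ftp source-interface ManagementEthernet 0/0
FTOS(conf)#ip ftp username xfer
FTOS(conf)#ip ftp password 0 Tr4nsfer-0nly
FTOS(conf)#end
! The URL now carries no user:password pair (server address and path assumed)
FTOS#copy running-config ftp://10.10.10.10//backups/core1.cfg
```

The copied running-config contains the enable and user secrets (hashed if enable secret was used, reversible if enable password was used), so the backup directory on the FTP host needs the same access controls as the switch itself.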
    seq 5 permit host 10.11.0.1
    FTOS(config-std-nacl)#line vty 0
    FTOS(config-line-vty)#show config
    line vty 0
     access-class myvtyacl
FTOS Behavior: Prior to FTOS version 7.4.2.0, in order to deny access on a VTY line, you had to apply both an ACL and AAA authentication to the line; users were denied access only after they entered a username and password. Beginning in FTOS version 7.4.2.0, only an ACL is required, and users are denied access before they are prompted for a username and password.
Telnet to Another Network Device
To telnet to another device:
Task                                                                                                                          Command Syntax    Command Mode
Telnet to the peer RPM. You do not need to configure the management port on the peer RPM to be able to telnet to it.          telnet-peer-rpm   EXEC Privilege
Telnet to a device with an IPv4 or IPv6 address. If you do not enter an IP address, FTOS enters a Telnet dialog that prompts you for one.
• Enter an IPv4 address in dotted decimal format (A.B.C.D).
    R1#config
    ! Locks configuration mode exclusively.
    R1(conf)#
If another user attempts to enter CONFIGURATION mode while a lock is in place, Message 1 appears on their terminal.
Message 1  CONFIGURATION mode Locked Error
    % Error: User "" on line console0 is in exclusive configuration mode
If any user is already in CONFIGURATION mode when a lock is placed, Message 2 appears on their terminal.
Recovering from a Forgotten Password
If you configure authentication for the console and you exit EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password:
Step   Task                                                                                                 Command Syntax   Command Mode
1      Log onto the system via the console.
2      Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3      Abort bootup by sending the break signal when prompted.
Recovering from a Forgotten Enable Password
If you forget the enable password:
Step   Task                                                                                                 Command Syntax   Command Mode
1      Log onto the system via the console.
2      Eject the secondary RPM if there is one.
3      Power-cycle the chassis by switching off all of the power modules and then switching them back on.
4      Abort bootup by sending the break signal when prompted. Refer to Abort bootup by sending the break signal when prompted.
Recovering from a Forgotten Password on S-Series
If you configure authentication for the console and you exit EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password:
Step   Task                                                      Command Syntax
1      Log onto the system via the console.
2      Power-cycle the chassis by unplugging the power cord.
3      Abort bootup by sending the break signal when prompted.
Recovering from a Failed Start
A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from an incorrect location. To resolve the problem, you can restart the system and interrupt the boot process to point the system to another boot location by using the boot change command, as described below.
Very similar to the options of the boot change command, the boot system command is available in CONFIGURATION mode on the C-Series and E-Series to set the boot parameters that, when saved to the startup configuration file, are stored in NVRAM and are then used routinely:
Task: Configure the system to routinely boot from the designated location. After entering rpm0 or rpm1, enter one of the three keywords and then the file-url.
7 802.1ag
802.1ag is available only on platform: s
Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor, troubleshoot, and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM)
2. Link Layer OAM: IEEE 802.3ah OAM
3.
There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With these tools, you can identify, isolate, and repair faults quickly and easily, which reduces the operational cost of running the network. OAM also increases availability and reduces mean time to recovery, which allows for tighter service level agreements, resulting in increased revenue for the service provider.
These roles define the relationships between all devices so that each device can monitor the layers under its responsibility. Maintenance points drop all lower-level frames and forward all higher-level frames. Figure 7-2.
Implementation Information
• Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level).
Configure CFM
Configuring CFM is a five-step process:
1. Configure the ecfmacl CAM region using the cam-acl command. Refer to Configure Ingress Layer 2 ACL Sub-partitions.
2. Enable Ethernet CFM.
3. Create a Maintenance Domain.
4. Create a Maintenance Association.
5. Create Maintenance Points.
6.
Create a Maintenance Domain
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as shown in Figure 7-1.
Step 1: Create a maintenance domain. Command: domain name md-level number (Range: 0-7). Mode: ETHERNET CFM
Step 2: Display maintenance domain information.
Create Maintenance Points
Domains are comprised of logical entities called Maintenance Points. A maintenance point is an interface demarcation that confines CFM frames to a domain. There are two types of maintenance points:
• Maintenance End Points (MEPs): a logical entity that marks the end-point of a domain.
• Maintenance Intermediate Points (MIPs): a logical entity configured at a port of a switch that constitutes an intermediate point of a Maintenance Entity (ME).
Create a Maintenance Intermediate Point
A Maintenance Intermediate Point (MIP) is a logical entity configured at a port of a switch that constitutes an intermediate point of a Maintenance Entity (ME). An ME is a point-to-point relationship between two MEPs within a single domain. A MIP is not associated with any MA or service instance; it belongs to the entire MD.
Task: Create a MIP.
Task: Display the MIP Database. Command: show ethernet cfm mipdb. Mode: EXEC Privilege
MP Database Persistence
Task: Set the amount of time that data from a missing MEP is kept in the Continuity Check Database.
3. Reception of a CCM with an incorrect MEP ID or MAID, which indicates a configuration or cross-connect error. This can happen when different VLANs are cross-connected because of a configuration error.
4. Reception of a CCM with an MD level lower than that of the receiving MEP, which indicates a configuration or cross-connect error.
5. Reception of a CCM containing a port status/interface status TLV, which indicates a failed bridge or aggregated port.
Linktrace Message and Response
Linktrace Message and Response (LTM, LTR), also called Layer 2 Traceroute, are administratively sent multicast frames transmitted by MEPs to track, hop by hop, the path to another MEP or MIP within the maintenance domain. All MEPs and MIPs in the same domain respond to an LTM with a unicast LTR. Intermediate MIPs forward the LTM toward the target MEP. Figure 7-4.
Task: Display the Link Trace Cache.
Three values are given within the trap messages: MD Index, MA Index, and MPID. You can reference these values against the output of show ethernet cfm domain and show ethernet cfm maintenance-points local mep.
Display Ethernet CFM Statistics
Task: Display MEP CCM statistics. Command: show ethernet cfm statistics [domain {name | level} vlan-id vlan-id mpid mpid]. Mode: EXEC Privilege
FTOS# show ethernet cfm statistics
Domain Name: Customer
Domain Level: 7
MA Name: My_MA
MPID: 300
CCMs: Transmitted:
LTRs: Unexpected Rcvd:
LBRs: Received: Received Bad MSDU: Transmitted:
Task: Display CFM statistics by port.
8 802.3ah
802.3ah is available only on platform: s
A metropolitan area network (MAN) is a set of LANs, geographically separated but managed by a single entity. If the distance is large—across a city, for example—connectivity between LANs is managed by a service provider. While LANs use Ethernet, service provider networks use an array of protocols (PPP and ATM) and a variety of access technologies.
Link Layer OAMPDUs
Link Layer OAM is conducted using OAMPDUs, shown in Figure 8-1. OAM is a slow protocol: by requirement it may transmit no more than 10 frames per second, transmits to a multicast destination MAC, and uses an Ethernet subtype. Figure 8-1.
Link Layer OAM Operational Modes
When participating in EFM OAM, a system may operate in active or passive mode.
• Active mode—Active mode systems initiate discovery. Once the Discovery process completes, they can send any OAMPDU while connected to a peer in Active mode, and a subset of OAMPDUs if the peer is in Passive mode (refer to Table 8-1, "Active Mode and Passive Mode Behaviors," in 802.3ah).
Link Layer OAM Events
Link Layer OAM defines a set of events that may impact link operation and monitors the link for those events. If an event occurs, the detecting system notifies its peer. There are two types of events:
• Critical Link Events—There are three critical events; each has an associated flag that can be set in the OAMPDU when the event occurs. Critical link events are communicated to the peer using Remote Failure Indication.
Configure Link Layer OAM
Configuring Link Layer OAM is a two-step process:
1. Enable Link Layer OAM.
2. Enable any or all of the following:
   a. Link Performance Event Monitoring
   b. Remote Failure Indication
   c. Remote Loopback
Related Configuration Tasks
• Adjust the OAMPDU Transmission Parameters
• Display Link Layer OAM Configuration and Statistics
• Manage Link Layer OAM
Enable Link Layer OAM
Link Layer OAM is disabled by default.
Task: Display Link Layer OAM sessions. Command: show ethernet oam summary. Mode: EXEC Privilege
FTOS# show ethernet oam summary
Output format :
Symbols: * - Master Loopback State, # - Slave Loopback State
Capability codes: L - Link Monitor, R - Remote Loopback
                  U - Unidirection, V - Variable Retrieval
Local Remote
Interface MAC Address OUI Mode Capability
Gi6/1/1 0023.84ac.
Enable Error Monitoring
The polling interval for Link Performance Monitoring is 100 milliseconds.
Task: Start (or stop) Link Performance Monitoring on an interface. Command: ethernet oam link-monitor on / no ethernet oam link-monitor on (Default: Enabled). Mode: INTERFACE
Task: Enable (or disable) support for Link Performance Monitoring on an interface.
Task: Specify the time period for the symbol errors per second condition. Command: ethernet oam link-monitor symbol-period window symbols (Range: 1-65535, times 1,000,000 symbols; Default: 10, that is 10,000,000 symbols). Mode: INTERFACE
Frame Errors per Second
Task: Specify the high threshold value for frame errors, or disable the high threshold.
Error Seconds per Time Period
Task: Specify the high threshold value for frame error seconds per time period, or disable the high threshold. Command: ethernet oam link-monitor frame-seconds threshold high {milliseconds | none} (Range: 1-900; Default: None). Mode: INTERFACE
Task: Specify the low threshold for frame error seconds per time period.
Task: Block or disable an interface when a particular critical link event occurs. Command: ethernet oam remote-failure {critical-event | dying-gasp | link-fault} action {error-block-interface | error-disable-interface} (Default: Disabled). Mode: INTERFACE
Remote Loopback
An active-mode device can place a passive peer into loopback mode by sending a Loopback Control OAMPDU.
Display Link Layer OAM Configuration and Statistics
Task: Display Link Layer OAM status per interface.
Manage Link Layer OAM
Enable MIB Retrieval Support/Function
IEEE 802.3ah defines the Link OAM MIB in Section 30A.20, "OAM entity managed object class"; all of the objects described there are supported. Note that 802.3ah does not include the ability to set/write remote MIB variables. You must enable MIB retrieval support and the MIB retrieval function.
Task: Enable MIB retrieval support and/or the MIB retrieval function.
9 802.1X
802.1X is supported on platforms: c e s
This chapter has the following sections:
• Protocol Overview
• Configuring 802.1X
• Important Points to Remember
• Enabling 802.
Figure 9-1 (diagram): End-user Device, Dell Force10 switch, RADIUS Server; EAP over LAN (EAPOL), EAP over RADIUS.
Figure 9-1 shows how EAP frames are encapsulated in Ethernet and RADIUS frames.
Note: FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• The authentication-server selects the authentication method, verifies the information provided by the supplicant, and grants it network access privileges.
Ports can be in one of two states:
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
Figure 9-2. 802.1X Authentication Process (diagram): Supplicant, Authenticator, Authentication Server; EAP over LAN (EAPOL) between supplicant and authenticator, EAP over RADIUS between authenticator and authentication server. Messages: Request Identity, Response Identity, Access Request, Access Challenge, EAP Request, EAP Response, Access Request, Access {Accept | Reject}, EAP {Success | Failure}.
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579.
RADIUS Attributes for 802.1 Support
Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Table 9-1. 802.1X Supported RADIUS Attributes
Attribute | Name | Description
1 | User-Name | The name of the supplicant to be authenticated.
4 | NAS-IP-Address | The IP address of the authenticator.
5 | NAS-Port | The physical port number by which the authenticator is connected to the supplicant.
Important Points to Remember
• FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
• On all platforms, if the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
• 802.1X is not supported on port-channels or port-channel members.
To enable 802.1X:
1. Enable 802.1X globally. Command: dot1x authentication. Mode: CONFIGURATION
2. Enter INTERFACE mode on an interface or a range of interfaces. Command: interface [range]. Mode: INTERFACE
3. Enable 802.1X on an interface or a range of interfaces. Command: dot1x authentication. Mode: INTERFACE
Verify that 802.1X is enabled globally and at the interface level using the command show running-config | find dot1x from EXEC Privilege mode, as shown in the example below.
Configuring Request Identity Re-transmissions
If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but this period can be configured.
Note: The quiet period (dot1x quiet-period) is the transmit interval applied after a failed authentication, whereas the Request Identity Re-transmit interval (dot1x tx-period) applies to an unresponsive supplicant.
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized is an authorized state. A device connected to a port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
• ForceUnauthorized is an unauthorized state.
Re-Authenticating a Port
Periodic Re-Authentication
After the supplicant has been authenticated and the port has been authorized, the authenticator can be configured to re-authenticate the supplicant periodically. If re-authentication is enabled, the supplicant is required to re-authenticate every 3600 seconds, but this interval can be configured. A maximum number of re-authentications can be configured as well.
Configuring Timeouts
If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. The amount of time that the authenticator waits for a response can be configured. The timeout for the supplicant applies to all EAP frames except for Request Identity frames, which are governed by the tx-period and max-eap-req configurations.
Dynamic VLAN Assignment with Port Authentication
FTOS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Force10 system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3.
Guest and Authentication-Fail VLANs
Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data.
Note: Ports cannot be dynamically assigned to the default VLAN.
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default; refer to Configuring a Quiet Period after a Failed Authentication). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Multi-Host Authentication
Multi-Host Authentication is available on platforms: c e s
802.1x assumes that a single end-user is connected to a single authenticator port, as shown in Figure 9-6; this one-to-one mode of authentication is called Single-host mode. If multiple end-users are connected to the same port, a many-to-one configuration, only the first end-user to respond to the identity request is authenticated.
When Multi-host mode authentication is configured, the first client to respond to an identity request is authenticated, and subsequent responses are still ignored, but since the authenticator expects the possibility of multiple responses, no system log is generated. After the first supplicant is authenticated, all end-users attached to the authorized port are allowed to access the network.
Task: Configure Single-host Authentication mode on a port. Command: dot1x host-mode single-host. Mode: INTERFACE
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
During the authentication process, the Dell Force10 system is able to learn the MAC address of the device through the EAPOL frames, and the VLAN assignment from the RADIUS server. With this information it creates an authorized-MAC to VLAN mapping table per port. The system can then tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries.
Task: Enable Multi-Supplicant Authentication mode on a port.
MAC Authentication Bypass
MAC Authentication Bypass is supported on platforms: c s
MAC Authentication Bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X—like IP phones, printers, and IP fax machines—still need connectivity to the network.
MAB in Single-host and Multi-Host Mode
In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for single-host mode, traffic from all other MACs is dropped; for multi-host mode, all traffic from all other MACs is accepted.
3. (Optional) Use MAB authentication only; do not use 802.1X authentication first. If MAB fails or the MAC address is blocked, the port is placed in the guest VLAN (if configured). 802.1X authentication is not attempted at all. Re-authentication is performed using 802.1X timers. Command: dot1x auth-type mab-only. Mode: INTERFACE
4. Display the 802.1X and MAB configuration.
Dynamic CoS with 802.1X
Dynamic CoS with 802.1X is supported on platforms: c s
Class of Service (CoS) is a method of traffic management that groups similar types of traffic so that they are serviced differently. One way of classifying traffic is 802.1p, which uses the 3-bit Priority field in the VLAN tag to mark frames (other classification methods include ToS, ACL, and DSCP).
FTOS Behavior: The following conditions are applied to the use of dynamic CoS with 802.1X authentication on C-Series and S-Series platforms:
• In accordance with port-based QoS, incoming dot1p values can be mapped to only four priority values: 0, 2, 4, and 6. If the RADIUS server returns any other dot1p value (1, 3, 5, or 7), the value is not used and frames are forwarded on egress queue 0 without changing the incoming dot1p value.
10 IP Access Control Lists (ACL), Prefix Lists, and Route-maps
IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: c e s
Egress IP ACLs are supported on platforms: e s
Ingress IP ACLs are supported on platforms: c e s
Overview
At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix lists, and Route-maps.
IP Access Control Lists (ACLs)
In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address of the packet.
For information regarding E-Series ExaScale CAM-profile templates and their support of ACLs, refer to Chapter 14, Content Addressable Memory for ExaScale. The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity.
User Configurable CAM Allocation
User Configurable CAM Allocations are supported on platform: c
Allocate space for IPv6 ACLs on the C-Series by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated.
FTOS#test cam-usage service-policy input TestPolicy linecard all
Linecard | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
-------------------------------------------------------------------------------------
2 | 1 | IPv4Flow | 232 | 0 | Allowed
2 | 1 | IPv6Flow | 0 | 0 | Allowed
4 | 0 | IPv4Flow | 232 | 0 | Allowed
4 | 0 | IPv6Flow | 0 | 0 | Allowed
FTOS#
Implementing ACLs on FTOS
One IP ACL can be assigned per interface with FTOS.
Determine the order in which ACLs are used to classify traffic
When you link class-maps to queues using the command service-queue, FTOS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, in the example below, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
• If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit rule for fragments.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM.
Note the following when configuring ACLs with the fragments keyword. When an ACL filters packets, it looks at the Fragment Offset (FO) to determine whether or not the packet is a fragment. FO = 0 means the packet is either the first fragment or not a fragment at all. FO > 0 means the packet is a subsequent fragment of the original packet.
Step 2: seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]. Mode: CONFIG-STD-NACL. Purpose: Configure a drop or forward filter. The parameters are:
• log and monitor options are supported on E-Series only.
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
To configure a filter without a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode:
Step 1: ip access-list standard access-list-name. Mode: CONFIGURATION. Purpose: Create a standard IP ACL and assign it a unique name.
Step 2: {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]. Mode: CONFIG-STD-NACL. Purpose: Configure a drop or forward IP ACL filter.
Configure an extended IP ACL
Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Since traffic passes through the filter in the order of the filter's sequence, you can configure the extended IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter.
Step 2: seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments]. Mode: CONFIG-EXT-NACL. Purpose: Configure an extended IP ACL filter for TCP packets.
• log and monitor options are supported on E-Series only. When you use the log keyword, the CP processor logs details about the packets that match.
Configure filters without sequence number
If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. FTOS assigns filters in multiples of 5.
Configuring Layer 2 and Layer 3 ACLs on an Interface
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply:
• The packets routed by FTOS are governed by the L3 ACL only, since they are not filtered against an L2 ACL.
• The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
Assign an IP ACL to an Interface
Ingress and Egress IP ACLs are supported on platforms: e s
Ingress IP ACLs are supported on platforms: c and s
To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel interface, and the traffic is either forwarded or dropped depending on the criteria and actions specified in the ACL.
To view which IP ACL is applied to an interface, use the show config command in the INTERFACE mode or the show running-config command in the EXEC mode.
FTOS(conf-if)#show conf
!
interface GigabitEthernet 0/0
 ip address 10.2.1.100 255.255.255.0
 ip access-group nimule in
 no shutdown
FTOS(conf-if)#
Use only Standard ACLs in the access-class command to filter traffic on Telnet sessions.
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 permit 1.1.1.2
Configuring Egress ACLs
Layer 2 and Layer 3 egress ACLs are supported on platform: e
Egress ACLs are applied to line cards and affect the traffic leaving the system.
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping session from the system, for example, and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
Applying an ACL on Loopback Interfaces
Applying ACLs on Loopback interfaces is supported on platform: e
To apply an ACL (standard or extended) for loopback, use these commands in the following sequence:
Step 1: interface loopback 0. Mode: CONFIGURATION. Purpose: Only loopback 0 is supported for the loopback ACL.
IP Prefix Lists
Prefix Lists are supported on platforms: c e s
IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second filter (if configured) is applied.
Configuration Task List for Prefix Lists
To configure a prefix list, you must use commands in the PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Basically, you create the prefix list in the PREFIX LIST mode, and assign that list to commands in the ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes.
Note that the last line in the prefix list Juba contains a "permit all" statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in the PREFIX LIST mode. If you are creating a standard prefix list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
Command example: show ip prefix-list detail
FTOS>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
   seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
   seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
   seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
   seq 5 deny 100.100.1.0/24 (hit count: 0)
   seq 6 deny 200.200.1.0/24 (hit count: 0)
   seq 7 deny 200.200.2.
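The sequential evaluation described above, carried through in Python as an added example (not code from the FTOS guide): filters are tried in sequence order, ge/le bound the accepted prefix length, the first hit decides, and a route that matches nothing falls to the implicit deny. The sample list is constructed from the filter_in entries shown in the output above; the class and function names are this example's own.

```python
"""Added example (not from the FTOS guide): evaluate an IP prefix list
filter by filter in sequence order, with ge/le length qualifiers and an
implicit deny when no filter matches."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixFilter:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "1.102.0.0/16"
    ge: Optional[int] = None    # minimum prefix length, if given
    le: Optional[int] = None    # maximum prefix length, if given

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix, strict=False)
        r = ipaddress.ip_network(route, strict=False)
        # The route must lie inside the filter's network (same first N bits).
        if not r.subnet_of(net):
            return False
        plen = r.prefixlen
        if self.ge is None and self.le is None:
            return plen == net.prefixlen          # no qualifier: exact length only
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else r.max_prefixlen
        return lo <= plen <= hi


def parse_prefix_list(lines: List[str]) -> List[PrefixFilter]:
    """Parse 'seq N permit|deny PREFIX [ge X] [le Y]' lines; other lines
    (such as the 'ip prefix-list NAME' header) are skipped."""
    filters = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "seq":
            continue
        f = PrefixFilter(seq=int(tok[1]), action=tok[2], prefix=tok[3])
        i = 4
        while i + 1 < len(tok):
            if tok[i] == "ge":
                f.ge = int(tok[i + 1])
            elif tok[i] == "le":
                f.le = int(tok[i + 1])
            i += 2
        filters.append(f)
    return sorted(filters, key=lambda x: x.seq)


def evaluate(filters: List[PrefixFilter], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching filter, or ('deny', None)
    for the implicit deny that applies when nothing matches."""
    for f in filters:
        if f.matches(route):
            return f.action, f.seq
    return "deny", None


# Constructed sample, modelled on the filter_in list in the guide's
# 'show ip prefix-list detail' output.
FILTER_IN = parse_prefix_list([
    "ip prefix-list filter_in",
    "seq 5 deny 1.102.0.0/16 le 32",
    "seq 6 deny 2.1.0.0/16 ge 23",
    "seq 10 permit 0.0.0.0/0 le 32",
])

if __name__ == "__main__":
    for route in ("1.102.5.0/24", "2.1.0.0/16", "2.1.1.0/24", "3.0.0.0/8"):
        print(route, evaluate(FILTER_IN, route))
```

Note that 2.1.0.0/16 itself is permitted: seq 6 only covers lengths 23 and longer, so the /16 falls through to the permit-all entry.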
To view the configuration, use the show config command in the ROUTER RIP mode or the show running-config rip command in the EXEC mode.
FTOS(conf-router_rip)#show config
!
router rip
 distribute-list prefix juba out
 network 10.0.0.
IPv4 and IPv6 ACLs and prefixes and MAC ACLs can be resequenced. No CAM writes happen as a result of resequencing, so there is no packet loss; the behavior is like Hot-lock ACLs.
Note: ACL Resequencing does not affect the rules or remarks or the order in which they are applied. It merely renumbers them so that new rules can be placed within the list as desired.
Table 10-3. ACL Resequencing Example (Insert New Rules)
seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.2
seq 7 permit any host 1.1.1.
The following example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2.
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
 remark 4 XYZ
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.1
 remark 9 ABC
 remark 10 this remark corresponds to permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.2
 seq 15 permit ip any host 1.1.1.3
 seq 20 permit ip any host 1.1.1.
 remark 8 this remark corresponds to permit ip any host 1.1.1.2
 seq 8 permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.3
 seq 12 permit ip any host 1.1.1.4
Route Maps
Route-maps are supported on platforms: c e s
Like ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action, yet route maps can change the packets meeting the criterion. ACLs and prefix lists can only drop or forward the packet or traffic.
Configuration Task List for Route Maps
You configure route maps in the ROUTE-MAP mode and apply them in various commands in the ROUTER RIP and ROUTER OSPF modes.
    interface GigabitEthernet 0/1
  Set clauses:
    tag 35
    level stub-area
FTOS#
To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.
FTOS(conf)#no route-map zakho 10
FTOS(conf)#end
FTOS#show route-map
route-map zakho, permit, sequence 20
  Match clauses:
    interface GigabitEthernet 0/1
  Set clauses:
    tag 35
    level stub-area
FTOS#
The following text shows an example of a route map with multiple instances.
In the above route-map, if a route has any of the tag values specified in the match commands, there is a match.
Example 2
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(config-route-map)#match metric 2000
In the above route-map, a route is matched only if it has both of the characteristics given in the route-map: the route must have a tag value of 1000 and a metric value of 2000. Only then is there a match.
Command Syntax / Command Mode / Purpose

match interface interface (CONFIG-ROUTE-MAP): Match routes whose next hop is a specific interface. The parameters are:
• For a Fast Ethernet interface, enter the keyword FastEthernet followed by the slot/port information.
• For a 1-Gigabit Ethernet interface, enter the keyword gigabitEthernet followed by the slot/port information.
• For a loopback interface, enter the keyword loopback followed by a number between zero (0) and 16383.
To configure a set condition, use any or all of the following commands in the ROUTE-MAP mode:

Command Syntax / Command Mode / Purpose

set as-path prepend as-number [... as-number] (CONFIG-ROUTE-MAP): Add an AS-PATH number to the beginning of the AS-PATH.
set automatic-tag (CONFIG-ROUTE-MAP): Generate a tag to be added to redistributed routes.
In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF. According to the route map static ospf, only routes that have a next hop of GigabitEthernet interface 0/0 and that have a metric of 255 are redistributed into the OSPF backbone area.

Note: When redistributing routes using route maps, make sure that the route map named in the redistribute command under the routing protocol has actually been created.
Continue clause

Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If the continue command is configured at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module.
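The match and continue semantics described in this section, as an added example rather than FTOS code: values under one match type are ORed, different match types are ANDed, instances are walked in sequence order, and a continue clause keeps processing after a match. The route map named force is Example 2 from the text; the CHAINED map, its interface name and the sample routes are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Instance:
    """One route-map instance (one sequence number)."""
    seq: int
    action: str                                      # "permit" or "deny"
    match: dict = field(default_factory=dict)        # match type -> set of accepted values
    set_clauses: dict = field(default_factory=dict)  # attribute -> value to set on a match
    cont: Optional[int] = None                       # None: stop after match; 0: next; n: jump to seq n


def matches(route, clauses):
    # Several values under one match type (e.g. "match tag 1000 2000") are ORed,
    # while clauses of different types (e.g. tag and metric) must all be satisfied.
    return all(route.get(kind) in values for kind, values in clauses.items())


def apply_route_map(instances, route):
    """Walk the instances in sequence order; return (permitted, modified route)."""
    ordered = sorted(instances, key=lambda i: i.seq)
    route = dict(route)
    decision = None                # stays None until some permit instance matches
    idx = 0
    while idx < len(ordered):
        inst = ordered[idx]
        if not matches(route, inst.match):
            idx += 1
            continue
        if inst.action == "deny":
            return False, route    # a matching deny ends processing
        decision = True
        route.update(inst.set_clauses)
        if inst.cont is None:
            break                  # normal case: match found, nothing further is processed
        if inst.cont == 0:
            idx += 1               # continue: fall through to the next instance
        else:
            # continue <seq>: jump to a specific, later instance
            targets = [i for i, x in enumerate(ordered) if x.seq == inst.cont]
            if not targets or targets[0] <= idx:
                raise ValueError(f"continue {inst.cont}: no later instance with that sequence")
            idx = targets[0]
    return decision is True, route   # no instance matched at all: implicit deny


# Example 2 from the text: route-map force permit 10 / match tag 1000 / match metric 2000
FORCE = [Instance(10, "permit", {"tag": {1000}, "metric": {2000}})]

# Constructed map: instance 10 matches either tag, sets a metric and continues to 20,
# which tags routes learned on a constructed interface; instance 30 denies the rest.
CHAINED = [
    Instance(10, "permit", {"tag": {1000, 2000}}, {"metric": 50}, cont=20),
    Instance(20, "permit", {"interface": {"GigabitEthernet 0/1"}}, {"tag": 35}),
    Instance(30, "deny"),
]


def demo():
    results = {}
    results["force_both"] = apply_route_map(FORCE, {"tag": 1000, "metric": 2000})[0]
    results["force_tag_only"] = apply_route_map(FORCE, {"tag": 1000, "metric": 500})[0]
    ok, r = apply_route_map(CHAINED, {"tag": 2000, "interface": "GigabitEthernet 0/1"})
    results["chained"] = (ok, r["metric"], r["tag"])
    return results
```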
11 Bidirectional Forwarding Detection

Bidirectional Forwarding Detection is supported only on platforms: C-Series, E-Series. BFD is supported on E-Series ExaScale with FTOS 8.2.1.0 and later.

Protocol Overview

Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms.
How BFD Works

Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed-upon intervals. In addition, systems send a control packet any time there is a state change or a change in a session parameter; these control packets are sent without regard to the transmit and receive intervals.

Note: FTOS does not support multi-hop BFD sessions.
[Figure: BFD control packet encapsulation. The BFD control packet is carried in a UDP packet (destination port 3784) inside an IPv4 packet with TTL 255. BFD fields shown: Version (1), Diag Code, State, Flags, Detect Mult, My Discriminator, Your Discriminator (random number generated by the remote system to identify a session), Required Min RX Interval, Required Min Echo RX Interval, Auth Type.]
Table 11-1. BFD Packet Fields

Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD sessions.
Flag: A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response.
BFD sessions

BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles:
• Active: The active system initiates the BFD session. Both systems can be active for the same session.
• Passive: The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
handshake. At this point, the discriminator values have been exchanged, and the transmit intervals have been negotiated.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet (one that requires a response) any time there is a state change or a change in a session parameter, the passive system sends a final response indicating the state change.
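The three-way handshake and the detection timeout described above, as an added example that is not FTOS code. The packet fields mirror the BFD control packet (state, detect multiplier, discriminators, desired TX and required RX intervals); the discriminators, the 100 ms intervals and the multiplier of 3 used in the test are constructed values matching the defaults shown in this chapter's examples.

```python
from dataclasses import dataclass

DOWN, INIT, UP, ADMIN_DOWN = "Down", "Init", "Up", "AdminDown"
# Diagnostic codes: 0 none, 1 control detection time expired, 3 neighbor signaled session down
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN = 0, 1, 3


@dataclass
class ControlPacket:
    state: str
    my_disc: int          # sender's discriminator for this session
    your_disc: int        # peer's discriminator as learned so far (0 = not yet known)
    desired_min_tx: int   # milliseconds
    required_min_rx: int  # milliseconds
    detect_mult: int


class BfdSession:
    def __init__(self, role, local_disc, desired_min_tx=100, required_min_rx=100, detect_mult=3):
        self.role = role                        # "active" initiates; "passive" only responds
        self.state, self.diag = DOWN, DIAG_NONE
        self.local_disc, self.remote_disc = local_disc, 0
        self.desired_min_tx, self.required_min_rx = desired_min_tx, required_min_rx
        self.detect_mult = detect_mult
        self.remote_desired_min_tx = self.remote_required_min_rx = self.remote_detect_mult = 0
        self.last_rx_ms = None

    def may_transmit(self):
        # A passive system stays silent until it has learned the peer's discriminator.
        return self.role == "active" or self.remote_disc != 0

    def build_packet(self):
        return ControlPacket(self.state, self.local_disc, self.remote_disc,
                             self.desired_min_tx, self.required_min_rx, self.detect_mult)

    def tx_interval(self):
        # Negotiated transmit interval: never faster than the peer is willing to receive.
        return max(self.desired_min_tx, self.remote_required_min_rx)

    def detection_time(self):
        # Silence longer than this (peer's effective TX interval x peer's multiplier) means down.
        return max(self.required_min_rx, self.remote_desired_min_tx) * self.remote_detect_mult

    def receive(self, pkt, now_ms):
        """Apply one received control packet and return the resulting local state."""
        if pkt.your_disc not in (0, self.local_disc):      # belongs to another session
            return self.state
        if pkt.your_disc == 0 and self.state not in (DOWN, ADMIN_DOWN):
            return self.state                                # unsolicited once established
        self.remote_disc = pkt.my_disc
        self.remote_desired_min_tx = pkt.desired_min_tx
        self.remote_required_min_rx = pkt.required_min_rx
        self.remote_detect_mult = pkt.detect_mult
        self.last_rx_ms = now_ms
        if self.state == ADMIN_DOWN:
            return self.state
        if pkt.state == ADMIN_DOWN:
            if self.state != DOWN:
                self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self.state = INIT          # peer is listening; move to Init
            elif pkt.state == INIT:
                self.state = UP            # peer has seen us; up on our side
        elif self.state == INIT:
            if pkt.state in (INIT, UP):
                self.state = UP
        elif pkt.state == DOWN:            # we are Up but the peer reports Down
            self.state, self.diag = DOWN, DIAG_NEIGHBOR_DOWN
        return self.state

    def expire(self, now_ms):
        """Detection timer check, to be called periodically; returns the local state."""
        if (self.state in (INIT, UP) and self.last_rx_ms is not None
                and now_ms - self.last_rx_ms > self.detection_time()):
            self.state, self.diag = DOWN, DIAG_DETECT_EXPIRED
        return self.state


def three_way_handshake(active, passive, now_ms=0):
    """Run the four exchanges described in the text; returns (active, passive) states per step."""
    trace = []
    passive.receive(active.build_packet(), now_ms)   # 1. active sends Down; passive -> Init
    trace.append((active.state, passive.state))
    assert passive.may_transmit()                    # passive now knows the active discriminator
    active.receive(passive.build_packet(), now_ms)   # 2. passive answers Init; active -> Up
    trace.append((active.state, passive.state))
    passive.receive(active.build_packet(), now_ms)   # 3. active sends Up; passive -> Up
    trace.append((active.state, passive.state))
    active.receive(passive.build_packet(), now_ms)   # 4. passive reports its own change to Up
    trace.append((active.state, passive.state))
    return trace
```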
Important Points to Remember
• BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
• BFD is supported on C-Series and E-Series only.
• FTOS supports a maximum of 100 sessions per BFD agent. Each linecard processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard (plus, on the E-Series, 100 BFD sessions on RP2, which handles LAG and VLANs).
• BFD must be enabled on both ends of a link.
Enabling BFD globally

BFD must be enabled globally on both routers, as shown in Figure 11-4. To enable BFD globally:

Step 1. Task: Enable BFD globally. Command Syntax: bfd enable. Command Mode: CONFIGURATION.

Verify that BFD is enabled globally using the command show running bfd, as shown in the following example.
Step 3. Task: Identify the neighbor with which the interface will participate in the BFD session. Command Syntax: bfd neighbor ip-address. Command Mode: INTERFACE.

Verify that the session is established using the command show bfd neighbors, as shown in the following example.

R1(conf-if-gi-4/24)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr
* 2.2.2.1  2.2.2.
When both interfaces are configured for BFD, log messages are displayed indicating state changes, as shown in Message 1.

Message 1 BFD Session State Changes

R1(conf-if-gi-4/24)#00:36:01: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:36:02: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.
Disabling and re-enabling BFD

BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If BFD is disabled, all of the sessions on that interface are placed in an Administratively Down state (Message 2), and the remote systems are notified of the session state change (Message 3). To disable BFD on an interface:

Step 1. Task: Disable BFD on an interface.
Establishing sessions for static routes

Sessions are established for all neighbors that are the next hop of a static route.

Figure 11-5. Enabling BFD for Static Routes

FTOS(config)# interface gigabitethernet 2/2
FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24
FTOS(conf-if-gi-2/2)# no shutdown
FTOS(config)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# no shutdown
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.
To change parameters for static route sessions:

Step 1. Task: Change parameters for all static route sessions. Command Syntax: ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]. Command Mode: CONFIGURATION.

View session parameters using the command show bfd neighbors detail, as shown in the example in Changing physical port session parameters.

Disabling BFD for static routes

If BFD is disabled, all static route BFD sessions are torn down.
Figure 11-6. Establishing Sessions with OSPF Neighbors

FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# no shutdown
FTOS(conf-if-gi-2/1)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf)# network 2.2.2.0/24 area 0
FTOS(config-router_ospf)# bfd all-neighbors

FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24
FTOS(conf-if-gi-2/2)# no shutdown
FTOS(conf-if-gi-2/2)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf)# network 2.2.3.
Changing OSPF session parameters

BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all OSPF sessions or for all OSPF sessions on a particular interface; if you change a parameter globally, the change affects all OSPF neighbor sessions.
Configuring BFD for IS-IS

BFD for IS-IS is supported on platform: E-Series.

When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process:
1.
To establish BFD with all IS-IS neighbors:

Step 1. Task: Establish sessions with all IS-IS neighbors. Command Syntax: bfd all-neighbors. Command Mode: ROUTER-ISIS.

To establish BFD with all IS-IS neighbors out of a single interface:

Step 1. Task: Establish sessions with all IS-IS neighbors out of an interface. Command Syntax: isis bfd all-neighbors. Command Mode: INTERFACE.

View the established sessions using the command show bfd neighbors, as shown in the following example.
To change parameters for IS-IS sessions on an interface:

Step 1. Task: Change parameters for all IS-IS sessions out of an interface. Command Syntax: isis bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]. Command Mode: INTERFACE.

View session parameters using the command show bfd neighbors detail, as shown in the example in Changing physical port session parameters.
Related configuration tasks
• Changing VRRP session parameters.
• Establishing sessions with OSPF neighbors.

Establishing sessions with all VRRP neighbors

BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.

Figure 11-8. Establishing Sessions with VRRP Neighbors
[Figure: virtual IP address 2.2.5.4; R1 is BACKUP (interface 2/3), R2 is MASTER (interface 4/25).]

FTOS(config-if-range-gi-4/25)# ip address 2.2.5.
To establish a session with a particular VRRP neighbor:

Step 1. Task: Establish a session with a particular VRRP neighbor. Command Syntax: vrrp bfd neighbor ip-address. Command Mode: INTERFACE.

View the established sessions using the command show bfd neighbors, as shown in the following example.
To change parameters for all VRRP sessions:

Step 1. Task: Change parameters for all VRRP sessions. Command Syntax: vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]. Command Mode: INTERFACE.

To change parameters for a particular VRRP session:

Step 1. Task: Change parameters for a particular VRRP session.
Configuring BFD for VLANs

BFD on Dell Force10 systems is a Layer 3 protocol. Therefore, BFD is used with routed VLANs. BFD on VLANs is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic control packets from the remote system.
View the established sessions using the command show bfd neighbors, as shown in the following example.

R2(conf-if-vl-200)#bfd neighbor 2.2.3.2
R2(conf-if-vl-200)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.3.2  2.2.3.1     Vl 200     Up     100     100     3     C

Changing session parameters

BFD sessions are configured with default intervals and a default role.
Configuring BFD for Port-Channels

BFD on port-channels is analogous to BFD on physical ports. If no routing protocol is enabled, and a remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. If BFD is enabled, the local system removes the route when it stops receiving periodic control packets from the remote system.
View the established sessions using the command show bfd neighbors, as shown in Establishing sessions with IS-IS neighbors.

R2(conf-if-po-1)#bfd neighbor 2.2.2.1
R2(conf-if-po-1)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Po 1       Up     100     100     3     C

Changing port-channel session parameters

BFD sessions are configured with default intervals and a default role.
Configuring Protocol Liveness

Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message 3).
12 Border Gateway Protocol IPv4 (BGPv4)

Border Gateway Protocol version 4 (BGPv4) is supported on platforms: C-Series, E-Series, S-Series. Platforms support BGP according to the following table:

FTOS version: Platform support
8.1.1.0: E-Series ExaScale
7.8.1.0: S-Series
7.7.1.0: C-Series
pre-7.7.1.0: E-Series TeraScale

This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Force10 Operating System (FTOS).
A stub AS is one that is connected to only one other AS. A transit AS is one that provides connections through itself to separate networks. For example, as seen in Figure 12-1, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs, because they provide connections from one network to another. The ISP is considered to be "selling transit service" to the customer network, hence the term transit AS.
Figure 12-2. Full Mesh Examples
[Figure: full-mesh iBGP topologies with 4 routers, 6 routers and 8 routers.]

The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
Sessions and Peers

When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establishing a session

Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
Route Reflectors

Route Reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules. Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Since BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision.
Confederations

Communities

BGP communities are sets of routes with one or more common attributes. This is a way to assign common attributes to multiple routes at the same time.

BGP Attributes

Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
Note: In 8.4.1.5, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error results if the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command are configured at the same time.
Best Path selection details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command or aggregate-address command.
   • Routes originated with the network or redistribute commands are preferred over routes originated with the aggregate-address command.
4.
13. Prefer the path originated from the neighbor with the lowest address. (The neighbor address is used in the BGP neighbor configuration, and corresponds to the remote peer used in the TCP connection with the local router.)

After a number of best paths has been determined, these selection criteria are applied to each group's best path to determine the ultimate best path.
Multi-Exit Discriminators (MEDs)

If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can be used to express a preference for one of the paths. The MED is only one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in Figure 12-4. One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied.
Origin

The Origin indicates the origin of the prefix, or how the prefix came into BGP. There are three Origin codes: IGP, EGP, INCOMPLETE.
• IGP indicates that the prefix originated from information learned through an interior gateway protocol.
• EGP indicates that the prefix originated from information learned from an EGP protocol, which BGP replaced.
• INCOMPLETE indicates that the prefix originated from an unknown source.
Next Hop

The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS.
BGP add-path in FTOS reduces the time taken for BGP convergence by advertising multiple paths to its peers for the same address prefix, without new paths implicitly replacing the existing paths. An iBGP speaker that receives multiple paths from its peers calculates the best path on its own. BGP add-path helps switch over to the next best path, based on IGP convergence time, when the current best path becomes unavailable.
Ignore Router-ID for some best-path calculations

FTOS 8.3.1.0 and later allow you to avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence.

4-Byte AS Numbers

FTOS Version 7.7.1 and later support the 4-Byte (32-bit) format when configuring Autonomous System Numbers (ASNs).
• All AS Numbers between 0-65535 are represented as a decimal number when entered in the CLI as well as when displayed in the show command outputs.
• AS Numbers larger than 65535 are represented using ASPLAIN notation as well. 65546 is represented as 65546.

ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.).
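The three AS number representations described above (ASPLAIN, ASDOT and ASDOT+), implemented as an added example rather than FTOS code; the notation names match the keywords of the bgp asnotation command shown later in this chapter, and the example also parses a string in any of the three forms back to the integer ASN.

```python
import re

AS_MAX = 2 ** 32 - 1                  # largest 4-byte AS number, 4294967295
_DOTTED = re.compile(r"^(\d+)\.(\d+)$")


def format_asn(asn, notation="asplain"):
    """Render an ASN in the requested notation: "asplain", "asdot" or "asdot+"."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    high, low = asn >> 16, asn & 0xFFFF          # the two 16-bit words
    if notation == "asplain":
        return str(asn)                          # always decimal, e.g. 65546
    if notation == "asdot+":
        return f"{high}.{low}"                   # always dotted, e.g. 1.10 or 0.100
    if notation == "asdot":
        # 2-byte range stays decimal; only values above 65535 use the dotted form
        return str(asn) if asn <= 0xFFFF else f"{high}.{low}"
    raise ValueError(f"unknown notation: {notation}")


def parse_asn(text):
    """Accept an ASN written in any of the three notations and return the integer."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted ASN word out of range: {text}")
        return (high << 16) | low
    if not text.isdigit():
        raise ValueError(f"not an AS number: {text!r}")
    asn = int(text)
    if asn > AS_MAX:
        raise ValueError(f"ASN out of range: {text}")
    return asn


def all_notations(asn):
    """Convenience: the same ASN in every notation, e.g. for a show-output comparison."""
    return {n: format_asn(asn, n) for n in ("asplain", "asdot", "asdot+")}
```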
BGP table version is 31571, local router ID is 172.30.1.57
Figure 12-7. Local-AS Scenario
[Figure: Before migration, Router A is in AS 100, Router B in AS 200 and Router C in AS 300. After migration with Local-AS enabled, Router B is in AS 100 and presents Local AS 200 to its peers.]

When you complete your migration and have reconfigured your network with the new information, you must disable this feature. If the "no prepend" option is used, the local-as is not prepended to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB)

The FORCE10-BGP4-V2-MIB enhances FTOS BGP Management Information Base (MIB) support with many new SNMP objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com.

Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation.
• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector clients are not in a full mesh if BGP client-to-client reflection is enabled, and that the BGP speaker acting as reflector advertises routes learned from one client to another client. If client-to-client reflection is disabled, it is assumed that clients are in a full mesh, and there is no need to advertise prefixes to the other clients.
BGP Configuration

To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor.

Defaults

By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled).

Note: In FTOS, all newly configured neighbors and peer groups are disabled.
In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be connected physically to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router. First, the BGP process determines if all internal BGP peers are reachable, and then it determines which peers outside the AS are reachable.
Step / Command Syntax / Command Mode / Purpose

You must configure a peer group (see Configure Peer Groups) before assigning it a remote AS.
3. neighbor {ip-address | peer-group-name} no shutdown (CONFIG-ROUTER-BGP): Enable the BGP neighbor.

Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode. Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration.
For the router’s identifier, FTOS uses the highest IP address of the Loopback interfaces configured. Since Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If no Loopback interfaces are configured, the highest IP address of any interface is used as the router ID. To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the example below.
Command example: show running-config bgp.

R2#show running-config bgp
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list ISP1 in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.
Task / Command Syntax / Command Mode

Enable ASDOT AS Number representation: bgp asnotation asdot (CONFIG-ROUTER-BGP). Command example and output: bgp asnotation asdot.
Enable ASDOT+ AS Number representation: bgp asnotation asdot+ (CONFIG-ROUTER-BGP). Command example and output: bgp asnotation asdot+.

Command example and output: bgp asnotation asplain.

FTOS(conf-router_bgp)#bgp asnotation asplain
FTOS(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.
Configure Peer Groups

To configure multiple BGP neighbors at one time, create and populate a BGP peer group. Another advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 peer groups are allowed on the system. You create a peer group by assigning it a name, then adding members to the peer group. Once a peer group is created, you can configure route policies for it.
When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
To disable a peer group, use the neighbor peer-group-name shutdown command in the CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members. When you disable a peer group, all the peers within the peer group that are in ESTABLISHED state are moved to IDLE state. Use the show ip bgp peer-group command in EXEC Privilege mode to view the status of peer groups.
The BGP fast fall-over feature is configured on a per-neighbor or peer-group basis and is disabled by default.
FTOS#

Use the show ip bgp peer-group command to verify that fast fall-over is enabled on a peer-group.

FTOS#sh ip bgp peer-group
Peer-group test
  Fall-over enabled
  BGP version 4
  Minimum time between advertisement runs is 5 seconds
  For address family: IPv4 Unicast
  BGP neighbor is test
  Number of peers in this group 1
  Peer-group members (* - outbound optimized):
    100.100.100.
Step / Command Syntax / Command Mode / Purpose
2. neighbor peer-group-name subnet subnet-number mask (CONFIG-ROUTER-BGP): Assign a subnet to the peer group. The peer group responds to OPEN messages sent on this subnet.
3. neighbor peer-group-name no shutdown (CONFIG-ROUTER-BGP): Enable the peer group.
4. neighbor peer-group-name remote-as as-number (CONFIG-ROUTER-BGP): Create and specify a remote peer as a BGP neighbor.
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.2 allowas-in 9
 neighbor 192.168.12.2 update-source Loopback 0
 neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#

Enable graceful restart

Use this feature to lessen the negative effects of a BGP restart.
Command Syntax / Command Mode / Usage
bgp graceful-restart [restart-time time-in-seconds] (CONFIG-ROUTER-BGP): Set the maximum restart time for all peers. Default is 120 seconds.
bgp graceful-restart [stale-path-time time-in-seconds] (CONFIG-ROUTER-BGP): Set the maximum time to retain the restarting peer's stale paths. Default is 360 seconds.
bgp graceful-restart [role receiver-only] (CONFIG-ROUTER-BGP): The local router supports graceful restart as a receiver only.
Regular Expressions as filters

Regular expressions are used to filter AS paths or community lists. A regular expression is a sequence of special characters that defines a pattern, which is then compared with an input string. For an AS-path access list, as shown in the commands above, if the AS path matches the regular expression in the access list, then the route matches the access list. The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2.
Regular Expressions accepted in FTOS

Table 12-4, "Regular Expressions," lists the regular expressions accepted in FTOS.

Table 12-4. Regular Expressions
Regular Expression: Definition
^ (caret): Matches the beginning of the input string. Alternatively, when used as the first character within brackets, [^ ] matches any number except the ones specified within the brackets.
$ (dollar): Matches the end of the input string.
. (period): Matches any single character, including white space.
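AS-path access-list evaluation with the anchors and wildcard from the table above, as an added example that is not FTOS code: entries are tried in order, the first match decides, and a list with no matching entry denies the route, which is why the chapter recommends a trailing permit .* entry. The name Eagle and peer 10.5.5.2 come from the text; the list entries, the prefixes and the AS paths are constructed.

```python
import re

# Constructed AS-path access list "Eagle" (the name is from the text, the entries are not).
# Patterns are matched against the AS path written as space-separated AS numbers.
EAGLE = [
    ("deny", r"^701( |$)"),      # first (adjacent) AS in the path is 701
    ("deny", r"(^| )3561$"),     # path was originated by AS 3561
    ("permit", r".*"),           # catch-all: forward everything else
]

# Constructed sample of routes as they might arrive from peer 10.5.5.2: (prefix, AS path)
RECEIVED = [
    ("4.21.132.0/23", [209, 3356, 13845]),
    ("6.1.0.0/16", [209, 701, 6347, 7781]),
    ("6.2.0.0/22", [701, 3561, 9116, 21350]),
    ("6.3.0.0/18", [701]),
    ("6.4.0.0/16", [18508, 3561]),
]


def validate_acl(acl):
    """Reject malformed lists early: bad actions or regexes that do not compile."""
    for action, pattern in acl:
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        re.compile(pattern)      # raises re.error on an invalid expression
    return True


def as_path_permitted(as_path, acl):
    """First matching entry decides; a list with no matching entry denies the route."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in acl:
        if re.search(pattern, text):      # search, so ^ and $ anchor only when written
            return action == "permit"
    return False


def filter_inbound(routes, acl):
    """Apply the list to routes received from a peer; keep only permitted prefixes."""
    return [prefix for prefix, path in routes if as_path_permitted(path, acl)]
```

A locally originated route has an empty AS path, so the pattern ^$ matches exactly those routes.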
Command Syntax / Command Mode / Purpose
redistribute {connected | static} [route-map map-name] (ROUTER BGP or CONF-ROUTER_BGPv6_AF): Include directly connected or user-configured (static) routes in BGP. Configure the following parameters:
• map-name: name of a configured route map.
redistribute isis [level-1 | level-1-2 | level-2] [metric value] (ROUTER BGP or CONF-ROUTER_BGPv6_AF): Include specific ISIS routes in BGP.
Configure IP community lists

Within FTOS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that is defined for a group of destinations. In FTOS, you can assign a COMMUNITY attribute to BGP routes by using an IP Community list. After you create an IP Community list, you can apply routing decisions to all routes meeting the criteria in the IP Community list.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an IP extended community list.

Step / Command Syntax / Command Mode / Purpose
1. ip extcommunity-list extcommunity-list-name (CONFIGURATION): Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
2. {permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE} (CONFIG-COMMUNITY-LIST): Two types of extended communities are supported.
To use an IP Community list or Extended Community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. Use these commands in the following sequence, starting in the CONFIGURATION mode:

Step / Command Syntax / Command Mode / Purpose
route-map map-name [permit | deny] [sequence-number] (CONFIGURATION): Enter the ROUTE-MAP mode and assign a name to a route map.
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map, then apply that route map to a BGP neighbor or peer group. Use these commands in the following sequence, starting in the CONFIGURATION mode:

Step / Command Syntax / Command Mode / Purpose
route-map map-name [permit | deny] [sequence-number] (CONFIGURATION): Enter the ROUTE-MAP mode and assign a name to a route map.
Change LOCAL_PREFERENCE attribute

In FTOS, you can change the value of the LOCAL_PREFERENCE attribute. Use the following command in the CONFIGURATION ROUTER BGP mode to change the default value of this attribute for all routes received by the router.

Command Syntax / Command Mode / Purpose
bgp default local-preference value (CONFIG-ROUTER-BGP): Change the LOCAL_PREF value.
• value range: 0 to 4294967295
• Default is 100.
Change NEXT_HOP attribute

You can change how the NEXT_HOP attribute is used. Use the following command in CONFIGURATION ROUTER BGP mode.

neighbor {ip-address | peer-group-name} next-hop-self (CONFIG-ROUTER-BGP): Disable next hop processing and configure the router as the next hop for a BGP neighbor.
Enable multipath

By default, the software allows one path to a destination. You can enable multipath to allow up to 16 parallel paths to a destination. Use the following command in CONFIGURATION ROUTER BGP mode to allow more than one path.

maximum-paths {ebgp | ibgp} number (CONFIG-ROUTER-BGP): Enable multiple parallel paths.
Use these commands in the following sequence, starting in CONFIGURATION mode, to filter routes using prefix lists.

Step 1. ip prefix-list prefix-name (CONFIGURATION): Create a prefix list and assign it a name.
Step 2. seq sequence-number {deny | permit} {any | ip-prefix [ge | le]} (CONFIG-PREFIX LIST): Create multiple prefix list filters with a deny or permit action. Entries are evaluated in sequence-number order, the first matching entry decides, and a prefix that matches no entry is denied.
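The evaluation order and the ge/le semantics above are where prefix-list filters most often go wrong in practice, so here is an added example (not FTOS code) that evaluates a prefix list the way the router does: entries in sequence-number order, first match wins, implicit deny at the end, and ge/le selecting prefix lengths inside the listed block. The rule text, list name and sample prefixes are constructed for this illustration.

```python
"""Prefix-list evaluation: entries in seq order, first match wins,
implicit deny, ge/le bounding the matched prefix length.
Added illustration, not FTOS code; rules and prefixes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                                  # "permit" or "deny"
    prefix: Optional[ipaddress.IPv4Network]      # None stands for "any"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate: ipaddress.IPv4Network) -> bool:
        if self.prefix is None:                  # "any" matches every prefix
            return True
        if not candidate.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            lo = hi = self.prefix.prefixlen      # no ge/le: exact length only
        else:
            lo = self.ge if self.ge is not None else self.prefix.prefixlen
            hi = self.le if self.le is not None else candidate.max_prefixlen
        return lo <= candidate.prefixlen <= hi


def parse_entry(line: str) -> PrefixEntry:
    """Parse one 'seq N {permit|deny} {any|prefix} [ge X] [le Y]' line."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "seq" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"malformed prefix-list entry: {line!r}")
    seq, action, target = int(tok[1]), tok[2], tok[3]
    prefix = None if target == "any" else ipaddress.ip_network(target, strict=False)
    ge = le = None
    rest = tok[4:]
    while rest:
        if len(rest) < 2 or rest[0] not in ("ge", "le"):
            raise ValueError(f"malformed ge/le clause in: {line!r}")
        if rest[0] == "ge":
            ge = int(rest[1])
        else:
            le = int(rest[1])
        rest = rest[2:]
    if prefix is not None:
        # ge/le must describe lengths inside the listed block, with ge <= le.
        lo = ge if ge is not None else prefix.prefixlen
        hi = le if le is not None else prefix.max_prefixlen
        if not prefix.prefixlen <= lo <= hi <= prefix.max_prefixlen:
            raise ValueError(f"ge/le out of range in: {line!r}")
    return PrefixEntry(seq, action, prefix, ge, le)


class PrefixList:
    def __init__(self, name: str, lines: List[str]) -> None:
        self.name = name
        self.entries = sorted((parse_entry(l) for l in lines), key=lambda e: e.seq)

    def evaluate(self, prefix: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching seq); seq is None for the implicit deny."""
        net = ipaddress.ip_network(prefix, strict=False)
        for entry in self.entries:
            if entry.matches(net):
                return entry.action, entry.seq
        return "deny", None


# Constructed sample, deliberately given out of order: accept only /24s from
# 10/8, reject everything under 192.168/16, then accept anything up to /24.
SAMPLE_RULES = [
    "seq 15 permit 0.0.0.0/0 le 24",
    "seq 5 permit 10.0.0.0/8 ge 24 le 24",
    "seq 10 deny 192.168.0.0/16 le 32",
]
SAMPLE_LIST = PrefixList("FROM-CUSTOMER", SAMPLE_RULES)

if __name__ == "__main__":
    for p in ("10.1.2.0/24", "10.1.0.0/16", "192.168.5.0/24", "10.1.2.0/25", "0.0.0.0/0"):
        print(p, SAMPLE_LIST.evaluate(p))
```

Note that 10.1.2.0/25 is denied even though it sits inside 10.0.0.0/8: sequence 5 only admits /24s and the catch-all at sequence 15 stops at /24, so nothing matches and the implicit deny applies.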
Step 2. {match | set} (CONFIG-ROUTE-MAP): Create multiple route map filters with a match or set action. Refer to the IP Access Control Lists (ACL), Prefix Lists, and Route-maps chapter for information on configuring route maps.
Step 3. exit (CONFIG-ROUTE-MAP): Return to CONFIGURATION mode.
Step 4. router bgp as-number (CONFIGURATION): Enter ROUTER BGP mode.
Use the show config command in CONFIGURATION ROUTER BGP mode and the show ip as-path-access-list command in EXEC Privilege mode to view which commands are configured. An AS-PATH ACL denies any route that matches none of its entries; include the filter permit .* as the last entry if routes that do not meet the explicit AS-PATH ACL criteria should still be forwarded.

Configure BGP route reflectors

BGP route reflectors are intended for Autonomous Systems with a large mesh; they reduce the amount of BGP control traffic.
Aggregate routes

FTOS provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. Use the following command in CONFIGURATION ROUTER BGP mode to aggregate routes.
Use the following commands in CONFIGURATION ROUTER BGP mode to configure BGP confederations.

bgp confederation identifier as-number (CONFIG-ROUTER-BGP): Specifies the confederation ID. as-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte).
bgp confederation peers as-number [... as-number] (CONFIG-ROUTER-BGP): Specifies which confederation sub-ASes are peers. as-number: 0-65535 (2-Byte) or 1-4294967295 (4-Byte).

All confederation routers must be either 4-Byte or 2-Byte.
To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode:

set dampening half-life reuse suppress max-suppress-time (CONFIG-ROUTE-MAP): Enter the following optional parameters to configure route dampening:
• half-life range: 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires.
Use the following command in EXEC and EXEC Privilege mode to view statistics on route flapping.

show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression] (EXEC, EXEC Privilege): View all flap statistics, or only those for routes meeting the following criteria:
• ip-address [mask]: enter the IP address and mask
• filter-list as-path-name: enter the name of an AS-PATH ACL.
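To make the interaction of half-life, reuse, suppress and max-suppress-time concrete, the following is an added example (not FTOS code) of the dampening arithmetic: each flap adds the 1024 penalty the text describes, the penalty halves every half-life, a route is suppressed once its penalty exceeds the suppress limit and is readvertised once the penalty decays below the reuse limit. The cap that max-suppress-time implies (reuse times 2 to the power of max-suppress-time over half-life, as in RFC 2439) is an assumption of this model, and the flap sequence is constructed.

```python
"""Route-flap dampening arithmetic behind set dampening.
Added illustration, not FTOS code. Times are minutes; the penalty cap
derived from max-suppress-time follows RFC 2439 and is an assumption."""
import math
from dataclasses import dataclass
from typing import Dict

FLAP_PENALTY = 1024


@dataclass
class DampeningConfig:
    half_life: int            # minutes, 1..45 per the command reference
    reuse: int
    suppress: int
    max_suppress_time: int    # minutes

    def __post_init__(self) -> None:
        if not 1 <= self.half_life <= 45:
            raise ValueError("half-life must be 1..45 minutes")
        if not 0 < self.reuse < self.suppress:
            raise ValueError("need 0 < reuse < suppress")
        # Largest penalty that still decays to `reuse` within max_suppress_time.
        self.max_penalty = self.reuse * 2 ** (self.max_suppress_time / self.half_life)

    def decay(self, penalty: float, minutes: float) -> float:
        return penalty * 0.5 ** (minutes / self.half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update: float = 0.0   # minutes on a monotonic clock
    suppressed: bool = False


class Damper:
    def __init__(self, cfg: DampeningConfig) -> None:
        self.cfg = cfg
        self.routes: Dict[str, RouteState] = {}

    def _bring_current(self, prefix: str, now: float) -> RouteState:
        st = self.routes.setdefault(prefix, RouteState(last_update=now))
        st.penalty = self.cfg.decay(st.penalty, now - st.last_update)
        st.last_update = now
        if st.suppressed and st.penalty < self.cfg.reuse:
            st.suppressed = False      # decayed below reuse: readvertise
        return st

    def flap(self, prefix: str, now: float) -> RouteState:
        """Record one withdraw/re-announce cycle for `prefix` at time `now`."""
        st = self._bring_current(prefix, now)
        st.penalty = min(st.penalty + FLAP_PENALTY, self.cfg.max_penalty)
        if st.penalty > self.cfg.suppress:
            st.suppressed = True
        return st

    def is_suppressed(self, prefix: str, now: float) -> bool:
        return self._bring_current(prefix, now).suppressed

    def minutes_until_reuse(self, prefix: str, now: float) -> float:
        st = self._bring_current(prefix, now)
        if st.penalty <= self.cfg.reuse:
            return 0.0
        return self.cfg.half_life * math.log2(st.penalty / self.cfg.reuse)


if __name__ == "__main__":
    cfg = DampeningConfig(half_life=15, reuse=750, suppress=2000, max_suppress_time=60)
    d = Damper(cfg)
    for t in (0.0, 0.5, 1.0):          # three flaps within one minute
        st = d.flap("10.0.0.0/8", t)
        print(f"t={t:4.1f} penalty={st.penalty:7.1f} suppressed={st.suppressed}")
    print("readvertised in about", round(d.minutes_until_reuse("10.0.0.0/8", 1.0), 1), "minutes")
```

With half-life 15, reuse 750 and suppress 2000, the second flap within a minute already crosses the suppress limit, and after three flaps the route stays suppressed for roughly two half-lives; that is the behaviour to keep in mind when a peer's show ip bgp flap-statistics output shows a prefix that is "present but not advertised".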
Timer values configured with the neighbor timers command override the timer values configured with the timers bgp command. When two neighbors configured with different keepalive and holdtime values negotiate new values, the results are as follows:
• the lower of the two holdtime values is the new holdtime value, and
• the lower of one-third of the new holdtime value and the configured keepalive value is the new keepalive value.
To use soft reconfiguration (or soft reset) without preconfiguration, both BGP peers must support the route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session. To determine whether a BGP router supports this capability, use the show ip bgp neighbors command. If a router supports the route refresh capability, the following message is displayed: Received route refresh capability from peer.
• If a set action occurs in the first route map entry and the same set action occurs with a different value in a subsequent route map entry, the last set action overrides the previous one with the same set command.
• If the set community additive and set as-path prepend commands are configured, the communities and AS numbers are prepended.
BGP Regular Expression Optimization

BGP policies that contain regular expressions to match against AS paths and communities might take a lot of CPU processing time, which affects BGP routing convergence. Also, show bgp commands that are filtered through regular expressions can take a lot of CPU cycles, especially when the database is large.
debug ip bgp {ip-address | peer-group-name} soft-reconfiguration (EXEC Privilege): Enable soft-reconfiguration debug.

To enhance debugging of soft reconfiguration, use the following command only when route-refresh is not negotiated, to avoid having the peer resend messages: bgp soft-reconfig-backup. In-BGP is shown via the show ip protocols command. FTOS displays debug messages on the console.
Each captured PDU starts with the 16-byte all-ones BGP marker; the bytes that follow, 0013 04, are the length (19) and the type (4, KEEPALIVE), so the 19-byte PDUs in this capture are keepalives.
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:22 ago
ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]
Outgoing packet capture enabled for BGP neighbor 20.20.20.
PDU Counters

FTOS version 7.5.1.0 introduces additional counters for the various types of PDUs sent to and received from neighbors. They appear in the output of the command show ip bgp neighbor.

Sample Configurations

The following configurations are examples for enabling BGP and setting up some peer groups. These are not comprehensive directions; they are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI.
Enable BGP - Router 1
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
 ip address 10.0.1.21/24
 no shutdown
R1(conf-if-gi-1/21)#int gig 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.
[tail of R1 show ip bgp summary, flattened in extraction: neighbors 192.168.128.2 (AS 99) and 192.168.128.3 (AS 100), Up/Down 00:00:32 and 00:00:09]
R1#

Enable BGP - Router 2
R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.2/24
 no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.
BGP router identifier 192.168.128.2, local AS number 99
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor 192.168.128.1 192.168.128.
!
router bgp 100
 network 192.168.128.0/24
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 96 bytes of memory
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory

Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99   23       24       1       0    (0)   00:00:17  1
192.168.128.3   100  30       29       1       0    (0)   00:00:14  1
!
R1#show ip bgp neighbors
BGP neighbor is 192.168.128.
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory

Neighbor        AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99   140      136      2       0    (0)   00:11:24  1
192.168.128.3   100  138      140      2       0    (0)   00:18:31  1
R2#show ip bgp neighbor
BGP neighbor is 192.168.128.
R3#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.
Last notification (len 21) received 00:12:01 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
(after the 16-byte marker: length 0x0015 = 21, type 3 = NOTIFICATION, error code 6 = Cease, error subcode 0)
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.128.1, Foreign port: 179

BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.
13 Content Addressable Memory

Content Addressable Memory is supported on the C-Series, E-Series TeraScale and S-Series platforms.

Note: Different platforms support varying levels of CAM adjustment. Be sure to read this chapter carefully prior to changing any CAM parameters. CAM configuration for the E-Series ExaScale is documented separately in Chapter 14, Content Addressable Memory for ExaScale.
Content Addressable Memory

Content Addressable Memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Force10 systems, the CAM stores Layer 2 and Layer 3 forwarding information, access lists (ACLs), flows, and routing policies. On Dell Force10 systems, there are one or two CAM modules (Dual-CAM) per port-pipe, depending on the type of line card.
Table 13-1. CAM Profile Descriptions

ipv6-extacl: Provides IPv6 functionality. Available microcodes: ipv6-extacl.
l2-ipv4-inacl: Provides 32K entries for Layer 2 ingress ACLs and 28K entries for Layer 3 IPv4 ingress ACLs. Available microcodes: default.
unified-default: Maintains the CAM allocations for the and IPv4 FIB while allocating more CAM space for the Ingress and Egress Layer 2 ACL and IPv4 ACL regions.
Microcode

Microcode is a compiled set of instructions for a CPU. On Dell Force10 systems, the microcode controls how packets are handled. There is a default microcode, and several other microcodes are available, so that you can adjust packet handling according to your application. Specifying a microcode is mandatory when selecting a CAM profile (though you are not required to change it).

Note: Not all CAM profiles and microcodes are available for all systems.
CAM Profiling for ACLs

CAM Profiling for ACLs is supported on the E-Series TeraScale platform only. Refer to Chapter 14, Content Addressable Memory for ExaScale, for E-Series ExaScale CAM descriptions. The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on their complexity.
Boot Behavior

The profile and microcode loaded on the primary RPM determine the profile and microcode required on all other chassis components; together they are called the "chassis profile." A profile mismatch condition exists if either the CAM profile or the microcode does not match. The following points describe line card boot behavior when the line card profile does not match the chassis profile.
• A microcode mismatch constitutes a profile mismatch.
EH Line Card with EG Chassis Profile—Card Problem
R1#show linecard 1 brief
-- Line card 1 --
Status              : card problem - mismatch cam profile
Next Boot           : online
Required Type (EH)  : E90MH - 90-port 10/100/1000Base-T line card with mini RJ-21 interfaces
Current Type (EH)   : E90MH - 90-port 10/100/1000Base-T line card with mini RJ-21 interfaces
Hardware Rev        : Base - 0.3 PP0 - 1.1
Num Ports           : 90
Up Time             : 0 sec
FTOS Version        : 8.1.1.
Jumbo Capable       :
Select CAM Profiles

A CAM profile is selected in CONFIGURATION mode. The CAM profile applies to the entire system; however, you must save the running-configuration to effect the change. All components in the chassis must have the same CAM profile and microcode. The profile and microcode loaded on the primary RPM determine the profile required on all other chassis components.
CAM Allocation

User Configurable CAM Allocations is available on the C-Series and S-Series platforms.

Allocate space for IPv4 ACL and QoS regions, and IPv6 ACL and QoS regions, on the C-Series and S-Series by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks.
Test CAM Usage

The test cam-usage command is supported on the C-Series, E-Series and S-Series platforms.

This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a class map with all required ACL rules, then execute the test cam-usage command in EXEC Privilege mode to verify the actual CAM space required.
The command show running-config cam-profile shows the current profile and microcode. Note: If you select the CAM profile from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
View CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the command show cam-usage from EXEC Privilege mode, as shown in the following example.
Table 13-5. IPv4Flow CAM Sub-partition Sizes

Partition      Space Allocated (TeraScale)   Space Allocated (ExaScale)
QoS            2K                            2K
System Flow    5K                            5K
Trace Lists    1K                            1K

You can re-configure the amount of space allocated for each type of entry. FTOS requires that you specify an amount of CAM space for all types, and in the order shown in Table 13-5, "IPv4Flow CAM Sub-partition Sizes," in Content Addressable Memory.
• Apply the Ingress Layer 2 ACL configuration to the entire system by entering the command cam-l2acl from CONFIGURATION mode; however, you must save the running-configuration to effect the change. The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that the selected CAM profile allocates to the Ingress Layer 2 ACL partition (refer to Table 13-1, "CAM Profile Descriptions," in Content Addressable Memory).
L2Acl  : 14
Pvst   : 50
Qos    : 12
L2pt   : 13
Frrp   : 5
[output omitted]
FTOS(conf)#do copy run start
File with same name already exist.
CAM Optimization

CAM optimization is supported on the C-Series and S-Series platforms.

When this command is enabled, if a Policy Map containing classification rules (ACL and/or dscp/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When the command is disabled, the system behaves as described in this chapter.
Troubleshoot CAM Profiling

CAM Profile Mismatches

The CAM profile on all cards must match the system profile. In most cases, the system corrects mismatches by copying the correct profile to the card and rebooting the card. If three resets do not bring up the card, or if the system is running an FTOS version prior to 6.3.1.1, the system presents an error message. In this case, manually adjust the CAM configuration on the card to match the system configuration.
14 Content Addressable Memory for ExaScale

This chapter discusses CAM/SRAM profiles for the E-Series ExaScale platform. Refer to Chapter 13, Content Addressable Memory, for information regarding the E-Series TeraScale, C-Series and S-Series platforms.
Static Random Access Memory

Static Random Access Memory (SRAM) is a rapidly accessed memory that stores information in the form of a lookup table. On Dell Force10 systems, the SRAM stores multicast forwarding information and MPLS routing information.

Figure 14-1.
There is a default CAM profile and microcode that is preprogrammed in the system. You can configure additional CAM profiles using the templates described in this chapter, as well as define your own CAM-profiles. The provided templates have been qualified by Dell Force10 Networks. FTOS also supports creating individual CAM-profiles, but Dell Force10 does not certify that such profiles will function as expected. Applying a different CAM profile template changes the amount of space available in each region.
Default CAM-profile

The size of CAM partitions is measured in entries. Table 14-2, "Default CAM Profile Partition Size," in Content Addressable Memory for ExaScale shows the number of entries available in each partition for the default CAM profile.

Table 14-2.
Table 14-3.
CAM/SRAM region minimums and maximums

You can create your own CAM-profiles. They are created the same way the CAM-profile templates are created (see Select a CAM-profile template), except that you define the region allocations rather than using Dell Force10's calculations.

Note: The CAM-profile templates listed in Table 14-1, "CAM-profile Templates," in Content Addressable Memory for ExaScale have been qualified by Dell Force10.
Table 14-4. Minimum and Maximum CAM/SRAM Region Values (Continued)

Partition          40M CAM    10M CAM
                   0-64 K     0-4 K
                   -          -
Multicast-FIB      0-32 K     0-8 K
PBR                0-32 K     0-8 K
QOS                0-32 K     0-8 K
System Flow        0-32 K     0-8 K
                   0-256 K    0-256 K
Partitions also listed in this part of the table: IPv6 Ingress ACL, IPv6 Flow, MPLS.

Note: Not all maximum values have been qualified by Dell Force10.

Microcode

A microcode is a compiled set of instructions for the FPTM.
Boot Behavior

The profile and microcode loaded on the primary RPM determine the profile and microcode required on all other chassis components; together they are called the "chassis profile." A profile mismatch condition exists if either the CAM profile or the microcode does not match. The following points describe line card boot behavior when the line card profile does not match the chassis profile.
• A microcode mismatch constitutes a profile mismatch.
• If a newly installed line card has a profile different from the primary RPM, the card reboots so that it can load the proper profile.
• If the standby RPM has a profile different from the primary RPM, the RPM reboots so that it can load the proper profile.

Enabling a CAM-profile immediately replaces the existing CAM-profile. You will be prompted to save the running-configuration and reload the system to implement the new CAM-profile.
Note: The message above does not appear if the default CAM-profile is enabled when you try to enable a new CAM-profile. The validation message appears when changing from a non-default CAM-profile to another non-default CAM-profile.

Create new CAM-profile

FTOS supports creating individual CAM-profiles, but Dell Force10 does not certify that these profiles will function as expected. Follow these steps to create a new CAM-profile.
Assign a microcode to the CAM-profile template

Every CAM-profile template must have a microcode to control how packets go through the lookup tables and are forwarded through the system. The default microcode is used with all CAM-profile templates except VRF; VRF uses its own microcode. Specifying a microcode is mandatory when selecting a CAM profile (though you are not required to change it).

Task: Assign microcode to a defined CAM-profile template.
System Flow : 4K entries
------------output truncated------------------

Output example: show running cam-profile and show cam-profile profile-name
FTOS#show running cam-profile
!
cam-profile default enable
!
cam-profile vrf
microcode vrf
FTOS#
FTOS#show cam-profile vrf
-- Chassis CAM Profile --
CamSize        :
Profile Name   :
Microcode Name :
L2FIB          :
Learn          :
L2ACL          :
System Flow    :
Qos            :
Frrp           :
L2pt           :
IPv4FIB        :
IPv4ACL        :
IPv4Flow       :
Mcast Fib/Acl  :
Pbr            :
Qos            :
System Flow    :
EgL2ACL        :
EgIpv4ACL      :
Mpls           :
IPv6FIB        :
IP
View a brief summary of the currently enabled cam-profile template with the show cam-profile summary command.
15 Configuration Replace and Rollback

Configuration Replace and Rollback is supported on the C-Series and E-Series platforms. The E-Series ExaScale platform is supported with FTOS 8.1.1.0 and later.

Configuration Replace and Rollback enables you to replace the current running-configuration with a different configuration without restarting the chassis.
Configuring Configuration Replace and Rollback

Configuring Configuration Replace and Rollback is a three-step process:
1. Enabling the Archive Service.
2. Archiving a Configuration File.
3. Replacing the Current Running Configuration.
You do not have to enable the archive service again if you save the running configuration after completing these tasks. If you reload the system or upgrade your FTOS version without saving the running configuration, you must enable the archive service again.

Archiving a Configuration File

Archive the current running configuration file using the command archive config from EXEC Privilege mode.
Replacing the Current Running Configuration

Replace the current running configuration with an archived configuration using the command configure replace from EXEC Privilege mode. In the example below:
1. The hostname of the Dell Force10 system is changed from "R1" to "Force10."
2. The running configuration is replaced with archive_0, in which the hostname is "R1.
Configuring FTOS to Rollback to a Previous Configuration.
Configuring the Maximum Number of Archive Files (continued).
R1(conf-archive)#time-period 5
R1(conf-archive)#show config
!
archive
 maximum 2
 time-period 5
R1(conf-archive)#

Copying and Deleting an Archive File

Copy an archive file to another location using the command archive backup, as shown in the following example. Delete an archive file using the command archive delete from CONFIG ARCHIVE mode.

Viewing and Editing the Contents of an Archive File

You cannot view or edit the contents of archived files.
Viewing the Difference between Configuration Files

View the difference between the running-configuration and an archived configuration using the command show run diff. In the following example, the running-configuration is archived as archive_3, and then the hostname is changed to "Force10." The command show run diff lists each difference between the two files; in this case there is only one, the hostname.

Example 1.
16 Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol is available on the C-Series, E-Series, S-Series and Z-Series platforms.

This chapter contains the following sections:
• Protocol Overview
• Implementation Information
• Configuration Tasks
• Configure the System to be a DHCP Server
• Configure the System to be a Relay Agent
• Configure Secure DHCP

Protocol Overview

Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to ne
sends only those; some common options are given in Table 16-1, "Common DHCP Options," in Dynamic Host Configuration Protocol.

Figure 16-1. DHCP Packet Format
[fields, in order: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, options; each option is encoded as Code, Length, Value]

Table 16-1. Common DHCP Options
Option: Subnet Mask. Code: 1. Description: Specifies the client's subnet mask.
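The fixed header of Figure 16-1 and the code/length/value options of Table 16-1 are easiest to understand by decoding a packet. The following is an added example, not FTOS code: it builds a DHCPDISCOVER, walks the option TLVs (stopping at the end option 255 and skipping pad 0), extracts option 1 (subnet mask), option 53 (message type) and the relay agent information option 82 with its circuit-id and remote-id sub-options, and rejects a truncated option instead of reading past the buffer. The transaction ID, MAC address, relay address and sub-option values are constructed sample data.

```python
"""DHCP/BOOTP packet builder and parser for the layout in Figure 16-1.
Added illustration, not FTOS code; all sample values are constructed."""
import ipaddress
import struct
from typing import Any, Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
OPT_SUBNET_MASK, OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST, OPT_RELAY_AGENT, OPT_END = 1, 53, 55, 82, 255
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}


def _walk_tlv(buf: bytes, honor_end: bool) -> Dict[int, bytes]:
    """Walk code/length/value triples; raise rather than over-read a short buffer.
    Top-level options use pad (0) and end (255); option 82 sub-options do not."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if honor_end and code == 0:            # pad byte has no length field
            i += 1
            continue
        if honor_end and code == OPT_END:
            return out
        if i + 1 >= len(buf):
            raise ValueError(f"option {code} has no length byte")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: need {length}, have {len(value)}")
        out[code] = value
        i += 2 + length
    if honor_end:
        raise ValueError("missing end option (255)")
    return out


def parse_dhcp(pkt: bytes) -> Dict[str, Any]:
    if len(pkt) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("packet shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file) = HEADER.unpack_from(pkt)
    if pkt[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    options = _walk_tlv(pkt[HEADER.size + 4:], honor_end=True)
    msg: Dict[str, Any] = {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)), "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)), "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": sname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "file": file.split(b"\0", 1)[0].decode("ascii", "replace"),
        "options": options,
    }
    mt = options.get(OPT_MESSAGE_TYPE)
    msg["message_type"] = MESSAGE_TYPES.get(mt[0], f"type {mt[0]}") if mt else None
    if OPT_SUBNET_MASK in options and len(options[OPT_SUBNET_MASK]) == 4:
        msg["subnet_mask"] = str(ipaddress.IPv4Address(options[OPT_SUBNET_MASK]))
    if OPT_RELAY_AGENT in options:
        sub = _walk_tlv(options[OPT_RELAY_AGENT], honor_end=False)
        msg["relay_agent"] = {"circuit_id": sub.get(1), "remote_id": sub.get(2)}
    return msg


def build_discover(xid: int, mac: bytes, giaddr: str = "0.0.0.0",
                   circuit_id: Optional[bytes] = None, remote_id: Optional[bytes] = None) -> bytes:
    """DHCPDISCOVER as a client sends it, or as it looks after a relay agent
    filled in giaddr, bumped hops and appended option 82."""
    relayed = giaddr != "0.0.0.0"
    header = HEADER.pack(1, 1, len(mac), 1 if relayed else 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.IPv4Address(giaddr).packed,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MESSAGE_TYPE, 1, 1])                      # DHCPDISCOVER
    opts += bytes([OPT_PARAM_REQUEST, 2, OPT_SUBNET_MASK, 3])   # ask for mask and router
    if circuit_id is not None or remote_id is not None:
        sub = b""
        if circuit_id is not None:
            sub += bytes([1, len(circuit_id)]) + circuit_id
        if remote_id is not None:
            sub += bytes([2, len(remote_id)]) + remote_id
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed sample: a client MAC relayed by an agent whose interface is 10.11.0.1.
SAMPLE_MAC = bytes.fromhex("00004d57f250")
SAMPLE_DISCOVER = build_discover(0x3903F326, SAMPLE_MAC, giaddr="10.11.0.1",
                                 circuit_id=b"Gi 1/3", remote_id=b"R1_E600")

if __name__ == "__main__":
    for k, v in parse_dhcp(SAMPLE_DISCOVER).items():
        print(f"{k:13} {v}")
```

The length check inside _walk_tlv is the part worth copying: a relay agent or server that trusts the option length byte without comparing it to the remaining buffer reads past the packet, which is exactly the kind of malformed input an untrusted port can deliver.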
Assigning an IP Address using DHCP When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
Implementation Information
• The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046.
• DHCP is available on VLANs and Private VLANs.
• IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature and, as such, you cannot apply ACLs to an interface which has IP Source Address Validation enabled.
The key responsibilities of DHCP servers are:
1. Address Storage and Management: DHCP servers are the owners of the addresses used by DHCP clients. The server stores the addresses and manages their use, keeping track of which addresses have been allocated and which are still available.
2. Configuration Parameter Storage and Management: DHCP servers also store and maintain other parameters that are sent to clients when requested. These parameters specify in detail how a client is to operate.
3.
Create an IP Address Pool

An address pool is a range of IP addresses that may be assigned by the DHCP server. Address pools are indexed by subnet number. To create an address pool:

Step 1. ip dhcp server (CONFIGURATION): Access the DHCP server CLI context.
Step 2. pool name (DHCP): Create an address pool and give it a name.
Step 3. Specify the range of IP addresses from which the DHCP server may assign addresses.
• network is the subnet address.
Specify a Default Gateway

The IP address of the default router should be on the same subnet as the client.

default-router address (DHCP): Specify default gateway(s) for the clients on the subnet, in order of preference.

Enable DHCP Server

This feature is available on the C-Series and S-Series (S25/S50) platforms only. The DHCP server is disabled by default.

Step 1. Enter the DHCP command-line context.
Configure a Method of Hostname Resolution

Dell Force10 systems can provide DHCP clients with parameters for two methods of hostname resolution.

Address Resolution using DNS

A domain is a group of networks. DHCP clients query DNS servers when they need to correlate host names to IP addresses.

Step 1. Create a domain.
To create a manual binding:

Step 1. pool name (DHCP): Create an address pool.
Step 2. host address (DHCP): Specify the client IP address.
Step 3. Specify the client hardware address or client identifier.
• hardware-address is the client MAC address. type is the protocol of the hardware platform. The default protocol is Ethernet.
• client-identifier is required for Microsoft clients instead of a hardware address.
Configure the System to be a Relay Agent

The following feature is available on the C-Series, E-Series and S-Series platforms.

DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.
To view the ip helper-address configuration for an interface, use the command show ip interface from EXEC Privilege mode.

R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
• assign IP addresses according to the relay agent.

This prevents generating DHCP offers in response to requests from an unauthorized relay agent. The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN.
FTOS Behavior: In 8.2.1 releases, ip dhcp snooping trust was required on the port-channel interface as well as on its channel members. In subsequent releases, it is no longer necessary nor permitted to configure port-channel members as trusted; configuring the port-channel interface alone as trusted is sufficient, and ports must have the default configuration to be channel members. When upgrading from 8.2.
IP DHCP Relay Trust Downstream : Disabled.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP-to-MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM) and denial-of-service (DoS) attacks, among others. A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in the sender protocol address field are strategically chosen by the attacker.
View the number of entries in the ARP database with the show arp inspection database command.

FTOS#show arp inspection database
Protocol  Address     Age(min)  Hardware Address    Interface  VLAN   CPU
----------------------------------------------------------------------------
Internet  10.1.1.251            00:00:4d:57:f2:50   Gi 0/2     Vl 10  CP
Internet  10.1.1.252            00:00:4d:57:e6:f6   Gi 0/1     Vl 10  CP
Internet  10.1.1.253            00:00:4d:57:f8:e8   Gi 0/3     Vl 10  CP
Internet  10.1.1.
IP Source Address Validation IP Source Address Validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoofing an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
FTOS creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.

Task: Display the IP+MAC ACL for an interface for the entire system.
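The ARP spoofing description, the ARP inspection database and the IP Source Address Validation ACLs above all rest on one check: on an untrusted port, the sender (or source) IP and MAC pair must be one that DHCP snooping bound to that port and VLAN. The following is an added example, not FTOS code, that applies that check to ARP frames (Dynamic ARP Inspection) and to IP packets (IP SAV) and lists the per-interface permit entries SAV would need. The three bindings are the ones shown in the show arp inspection database output in this chapter; the trusted uplink Gi 0/24, the attacker's traffic and the other packets are constructed.

```python
"""DAI and IP SAV decisions against a DHCP snooping binding table.
Added illustration, not FTOS code; Gi 0/24 and the packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    ingress: str
    vlan: int
    sender_mac: str      # sender hardware address field
    sender_ip: str       # sender protocol address field
    reply: bool = False


@dataclass(frozen=True)
class IpPacket:
    ingress: str
    vlan: int
    src_mac: str
    src_ip: str


class SnoopingGuard:
    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str]) -> None:
        self.trusted: Set[str] = set(trusted_ports)
        # (interface, vlan) -> (ip, mac) pairs that DHCP snooping learned on that port
        self.by_port: Dict[Tuple[str, int], Set[Tuple[str, str]]] = {}
        for b in bindings:
            self.by_port.setdefault((b.interface, b.vlan), set()).add((b.ip, b.mac.lower()))

    def _bound(self, port: str, vlan: int, ip: str, mac: str) -> bool:
        return (ip, mac.lower()) in self.by_port.get((port, vlan), set())

    def inspect_arp(self, p: ArpPacket) -> Tuple[bool, str]:
        """DAI: drop ARP from untrusted ports whose sender fields are not a binding."""
        if p.ingress in self.trusted:
            return True, "trusted port"
        if self._bound(p.ingress, p.vlan, p.sender_ip, p.sender_mac):
            return True, "sender matches DHCP binding"
        kind = "reply" if p.reply else "request"
        return False, f"spoofed ARP {kind}: {p.sender_ip}/{p.sender_mac} not bound on {p.ingress}"

    def validate_source(self, p: IpPacket) -> Tuple[bool, str]:
        """IP SAV: forward only IP packets whose source IP+MAC is bound on the ingress port."""
        if p.ingress in self.trusted:
            return True, "trusted port"
        if self._bound(p.ingress, p.vlan, p.src_ip, p.src_mac):
            return True, "source matches DHCP binding"
        return False, f"spoofed source {p.src_ip}/{p.src_mac} on {p.ingress}"

    def sav_acl(self, interface: str) -> List[Tuple[str, str, str]]:
        """Permit entries SAV needs on one interface: one per IP+MAC pair, then deny all."""
        entries = [("permit", ip, mac)
                   for (port, _vlan), pairs in sorted(self.by_port.items()) if port == interface
                   for ip, mac in sorted(pairs)]
        entries.append(("deny", "any", "any"))
        return entries


# Bindings as listed by show arp inspection database in this chapter.
BINDINGS = [
    Binding("10.1.1.251", "00:00:4d:57:f2:50", 10, "Gi 0/2"),
    Binding("10.1.1.252", "00:00:4d:57:e6:f6", 10, "Gi 0/1"),
    Binding("10.1.1.253", "00:00:4d:57:f8:e8", 10, "Gi 0/3"),
]
GUARD = SnoopingGuard(BINDINGS, trusted_ports=["Gi 0/24"])   # Gi 0/24: constructed uplink

# Constructed traffic: the host on Gi 0/3 claims the address of the host on Gi 0/2.
LEGIT_ARP = ArpPacket("Gi 0/2", 10, "00:00:4d:57:f2:50", "10.1.1.251")
SPOOFED_ARP = ArpPacket("Gi 0/3", 10, "00:00:4d:57:f8:e8", "10.1.1.251", reply=True)
UPLINK_ARP = ArpPacket("Gi 0/24", 10, "00:11:22:33:44:55", "10.1.1.1", reply=True)
SPOOFED_IP = IpPacket("Gi 0/1", 10, "00:00:4d:57:e6:f6", "10.1.1.251")

if __name__ == "__main__":
    for arp in (LEGIT_ARP, SPOOFED_ARP, UPLINK_ARP):
        print(arp.ingress, GUARD.inspect_arp(arp))
    print(SPOOFED_IP.ingress, GUARD.validate_source(SPOOFED_IP))
    print("Gi 0/2 SAV entries:", GUARD.sav_acl("Gi 0/2"))
```

The trusted-port branch is why the upstream DHCP server and relay ports must be the only trusted ones: anything marked trusted bypasses both checks entirely.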
17 Equal Cost Multi-Path

ECMP for Flow-based Affinity

ECMP for Flow-based Affinity is available only on the E-Series platform.

The hashing algorithms on the E-Series TeraScale and E-Series ExaScale are different. Hashing on ExaScale is based on CRC, checksum, or XOR, while the algorithm on TeraScale is based on checksum only. If flow-based affinity is to be maintained between an ExaScale and a TeraScale chassis, they must both use the same hashing algorithm and seed value, and ECMP must deterministically choose a next hop.
With 8 or fewer ECMP next hops, the ordering is lexicographic and deterministic. With more than 8, the ordering is deterministic but not lexicographic.

Enable IPv4 Deterministic ECMP Next Hop: ip ecmp-deterministic (CONFIGURATION)
Enable IPv6 Deterministic ECMP Next Hop: ipv6 ecmp-deterministic (CONFIGURATION)

Note: Packet loss might occur when you enable ip/ipv6 ecmp-deterministic for the first time only.
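Why the same algorithm, the same seed and a deterministic next-hop order are all required for cross-chassis flow affinity is clearer in code. The following is an added example, not FTOS code: CRC, XOR and checksum stand in for the three ExaScale hash families the text names, and an ECMP group learned in a different order on two chassis is shown to select the same next hop for every flow only when it is sorted deterministically. The bit-exact hardware hash, the ordering rule beyond "lexicographic" and the seed handling are not specified on this page, so seeded CRC-32, XOR/one's-complement folding of the 5-tuple and numeric sorting of the next hops are assumptions; the flows and next hops are constructed.

```python
"""Flow hashing over ECMP next hops with a configurable algorithm and seed.
Added illustration, not FTOS code; hash details and ordering are assumptions."""
import ipaddress
import struct
import zlib
from typing import Callable, Dict, List, Tuple

Flow = Tuple[str, str, int, int, int]   # src, dst, proto, sport, dport


def flow_key(flow: Flow) -> bytes:
    src, dst, proto, sport, dport = flow
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BHH", proto, sport, dport))


def hash_crc(key: bytes, seed: int) -> int:
    return zlib.crc32(key, seed & 0xFFFFFFFF)


def hash_xor(key: bytes, seed: int) -> int:
    h = seed & 0xFFFFFFFF
    for i in range(0, len(key), 4):
        h ^= int.from_bytes(key[i:i + 4].ljust(4, b"\0"), "big")
    return h


def hash_checksum(key: bytes, seed: int) -> int:
    # Internet-checksum style 16-bit one's-complement folding, seeded.
    h = seed & 0xFFFF
    for i in range(0, len(key), 2):
        h += int.from_bytes(key[i:i + 2].ljust(2, b"\0"), "big")
    while h >> 16:
        h = (h & 0xFFFF) + (h >> 16)
    return h


ALGORITHMS: Dict[str, Callable[[bytes, int], int]] = {
    "crc": hash_crc, "xor": hash_xor, "checksum": hash_checksum,
}


class EcmpSelector:
    def __init__(self, next_hops: List[str], algorithm: str = "crc",
                 seed: int = 0, deterministic: bool = True) -> None:
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown hash algorithm {algorithm!r}")
        if not next_hops:
            raise ValueError("ECMP group needs at least one next hop")
        self.algorithm, self.seed = algorithm, seed
        # ip ecmp-deterministic: order the group independently of the order it was learned in.
        self.next_hops = (sorted(next_hops, key=lambda ip: int(ipaddress.IPv4Address(ip)))
                          if deterministic else list(next_hops))

    def bucket(self, flow: Flow) -> int:
        return ALGORITHMS[self.algorithm](flow_key(flow), self.seed)

    def select(self, flow: Flow) -> str:
        return self.next_hops[self.bucket(flow) % len(self.next_hops)]


# Constructed sample: one ECMP group learned in different order on two chassis.
FLOWS: List[Flow] = [
    ("192.168.128.1", "10.0.3.5", 6, 40001, 443),
    ("192.168.128.2", "10.0.3.5", 6, 40002, 443),
    ("10.11.0.9", "192.168.128.3", 17, 5353, 53),
    ("10.11.0.9", "192.168.128.3", 17, 5354, 53),
]
HOPS_A = ["10.0.0.2", "10.0.0.10", "10.0.0.1", "10.0.0.3"]
HOPS_B = ["10.0.0.3", "10.0.0.1", "10.0.0.10", "10.0.0.2"]


def same_choices(seed_a: int, seed_b: int, algorithm: str = "crc", deterministic: bool = True) -> bool:
    """True when both chassis pick the same next hop for every sample flow."""
    a = EcmpSelector(HOPS_A, algorithm, seed_a, deterministic)
    b = EcmpSelector(HOPS_B, algorithm, seed_b, deterministic)
    return all(a.select(f) == b.select(f) for f in FLOWS)


if __name__ == "__main__":
    sel = EcmpSelector(HOPS_A, "crc", seed=0x5A5A)
    for f in FLOWS:
        print(f, "->", sel.select(f))
    print("same seed and algorithm agree:", same_choices(0x5A5A, 0x5A5A))
    print("different seeds agree:", same_choices(0x5A5A, 0x5A5B))
```

Two chassis with matching seed and algorithm agree on every flow once the group is sorted; with the deterministic flag off the bucket is the same but it indexes a differently ordered list, which is the affinity break the text warns about.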
Figure 17-1.
18 Force10 Resilient Ring Protocol

Force10 Resilient Ring Protocol is supported on platforms: c e s

The E-Series ExaScale platform is supported with FTOS 8.1.1.0 and later.

Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or a large campus.
Figure 18-1. Normal Operating FRRP Topology (R1 Master with Primary port forwarding and Secondary port blocking; R2 and R3 Transit with both ports forwarding; ring direction shown)

A Virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier.
Ring Failure

If a Transit node detects a link down on any of its ports on the FRRP ring, it immediately sends a link-down control frame on the Control VLAN to the Master node. When the Master node receives this control frame, it moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node clears its Layer 2 forwarding table and sends a control frame to all other ring nodes, instructing them to clear their forwarding tables as well, so that traffic is relearned over the new path.
Figure 18-2.
• The Master node ring port states are: blocking, pre-forwarding, forwarding, and disabled.
• The Transit node ring port states are: blocking, pre-forwarding, forwarding, and disabled.
• STP is disabled on ring interfaces.
• The Master node Secondary port is in the blocking state during Normal operation.
Table 18-1. FRRP Components

Concept               Explanation
Ring Protocol Timers  Hello Interval: The interval at which ring frames are generated from the Master node's Primary interface (default 500 ms). The Hello interval is configurable in 50 ms increments from 50 ms to 2000 ms.
                      Dead Interval: The interval when data traffic is blocked on a port. The default is 3 times the Hello interval. The Dead interval is configurable in 50 ms increments from 50 ms to 6000 ms.
FRRP Configuration

These are the tasks to configure FRRP.
• Create the FRRP group
• Configure the Control VLAN
  • Configure Primary and Secondary ports
• Configure and add the Member VLANs
  • Configure Primary and Secondary ports
• Configure the Master node
• Configure a Transit node
• Set FRRP Timers (optional)
• Enable FRRP

Other FRRP related commands are:
• Clear FRRP counters

Create the FRRP group

The FRRP group must be created on each switch in the ring.
• Member VLANs across multiple rings are not supported in Master nodes

Use the commands in the following sequence, on the switch that will act as the Master node, to create the Control VLAN for this FRRP group.
Configure and add the Member VLANs

Control and Member VLANs are configured normally for Layer 2. Their status as Control or Member is determined by the FRRP group commands. For complete information about configuring VLANs in Layer 2 mode, refer to Chapter 28, Layer 2. Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• Control VLAN ports must be tagged.
• Member VLAN ports except the Primary/Secondary interface can be tagged or untagged.
Step  Command Syntax                                     Command Mode  Purpose
5     member-vlan vlan-id {range}                        CONFIG-FRRP   Identify the Member VLANs for this FRRP group. VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6     no disable                                         CONFIG-FRRP   Enable this FRRP group on this switch.

Set FRRP Timers

Step  Command Syntax                                     Command Mode  Purpose
1     timer {hello-interval|dead-interval} milliseconds  CONFIG-FRRP   Enter the desired intervals for Hello-Interval or Dead-Interval times.
Command Syntax     Command Mode            Purpose
show frrp summary  EXEC or EXEC PRIVILEGE  Show the state of all FRRP groups. Ring ID: 1-255

Troubleshooting FRRP

Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same Control VLAN.
• There can be only one Master node for any FRRP Group.
• FRRP can be configured on Layer 2 interfaces only.
R3 TRANSIT

interface GigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 3/21 secondary GigabitEthernet 3/14
 control-vlan 101
 member-vlan 201
 mode transit
 no disable
19 Force10 Service Agent

Force10 Service Agent is supported on platforms: c e

FTSA is supported on the E-Series ExaScale platform with FTOS 8.2.1.0 and later.

Accurate and timely resolution of problems in your system or network requires gathering relevant data at the time a condition manifests and getting that information to administrators as soon as possible.
Configure Force10 Service Agent

The minimal FTSA configuration is four steps:
1. Enable FTSA. Refer to Enable Force10 Service Agent.
2. Specify the SMTP server to which FTSA will send E-mails upon a trigger event. Refer to Specify an SMTP Server for FTSA.
3. Specify the source E-mail address that FTSA should use when generating E-mails. Refer to Provide an Administrator E-mail Address.
4.
The system displays Message 1 when you enable or disable FTSA. The following example shows the default FTSA configuration.

Message 1 FTSA Enabled/Disabled

%RPM0-P:CP %CALL-HOME-3-CALLHOME: Call-home service started
%RPM0-P:CP %CALL-HOME-3-CALLHOME: Call-home service ended.

FTOS(conf-callhome)#show config
!
call-home
 no enable-all
 server Force10
  recipient ftsa@force10networks.
FTSA Messaging Service

The purpose of FTSA is to automatically send information about the switch to the network administrators or Dell Force10 TAC, so that when there is a network problem, the relevant information is collected at the time the problem manifests.
You may enable messaging for all recipients at once, or enable messaging for each recipient individually.

Task                                           Command     Command Mode
Enable messaging for all recipients.           enable-all  CALLHOME
Enable messaging for an individual recipient.  enable      CALLHOME

Add Additional Recipients of FTSA E-mails

You can add four more recipients for FTSA E-mails, in addition to Dell Force10 TAC and the administrator, for a total of five recipients.
Encrypt FTSA Messages

Encrypting FTSA messages to a recipient other than the default is supported only on platforms: c e

Per recipient, you have a choice of sending FTSA E-mails in clear text or with PGP5 encryption. Messages to the default recipient are configured for encryption using a public encryption key, as shown in the example in Add Additional Recipients of FTSA E-mails. Because FTSA attachments carry chassis inventory and show-command output, treat them as sensitive and prefer encryption for every recipient that supports it.

Step  Task                                                 Command  Command Mode
1     Copy the encryption key file to the internal flash.
Set the Frequency of FTSA Type 3 Messages

When messaging is enabled, FTSA sends an E-mail every 24 hours containing inventory information to all recipients. There is no facility for setting the frequency for individual recipients.

Task                                                          Command  Command Mode
Set the frequency at which FTSA generates inventory E-mails.
FTOS Behavior: FTOS versions prior to 8.2.1.0 diverted Type 5 messages to the internal flash root directory when you entered the command log-only. Beginning in version 8.2.1.0, FTOS stores these messages in /CALL-HOME-LOGs on the internal flash.

FTSA Message Types

FTOS displays Message 2 every time FTSA sends a message.

Message 2 FTSA Message Sent

%RPM0-P:CP %CALL-HOME-HELPER-3-CALLHOME: Callhome service sent a message to Force10 at pubslab@training10.
0036232 FTOS 0
--------------------------------Message Attachment-----------------------------------
Chassis Type     : E300
Chassis Mode     : TeraScale
Software Version : 7.8.1.
RPM1-P CP CALL HOME HELPER-3-CALLHOME Callhome service sent a message to Force10 at pubslab@training10.com
FTOS#

For FTSA Type 5 Messages, refer to FTSA Policy Sample Configurations.
Create an FTSA Policy Test List

Create the list of conditions for which FTSA should search. You may include a pre-defined list (Table 19-1, "Pre-defined Policy Test Lists," in Force10 Service Agent) and specify additional test conditions (Table 19-2, "Custom Policy Test Conditions," in Force10 Service Agent). To create a new, empty policy test list:

Task                                     Command  Command Mode
Create a policy test list and name it.
Table 19-2, "Custom Policy Test Conditions," in Force10 Service Agent shows the test conditions that are available to add to a custom policy test list. Refer to the Dell Force10 MIB for further description of the given Object Identifiers (OIDs). You may specify only one test condition within a policy.

Table 19-2. Custom Policy Test Conditions

Condition  Keyword    Description                                            OID
CPU Usage  cpu-1-min  CPU utilization in percentage for the last 1 minute.
Condition     Command                                                                        Command Mode
Match String  cli-show-text "show command" contains string                                   CALLHOME TESTLIST
WRED drops    test-condition wred-drops slot-number boolean-comparison value sample number   CALLHOME TESTLIST

The boolean comparison operators behave as follows:
• decrease: If the difference between samples, calculated by subtracting the first value from the last, is less than or equal to the specified value, then the action list is executed.
To create a new, empty policy action list:

Task                                       Command                  Command Mode
Create a policy action list and name it.   policy-action-list name  CALLHOME

Add actions to a policy action list

Once you create a policy action list, FTOS enters the CALLHOME ACTIONLIST context. The list you created is initially empty. You may choose one of three pre-defined action lists and add an unlimited number of custom actions. Table 19-3.
Table 19-3.
Create a Policy and Assign a Test and Action List

An FTSA policy must have at least a policy test list and a policy action list assigned to it.

Step  Task                                       Command         Command Mode
1     Create an FTSA policy and name it.         policy name     CALLHOME POLICY
2     Assign a test list to a policy.            test-list name  CALLHOME POLICY
3     Assign a policy action list to a policy.
FTSA Policy Sample Configurations

Line card state-change policy configuration

The following FTSA policy configuration uses the default test list hardware, which contains a line-card-state-change condition, and the default action list hardware plus the custom action show linecard 4 | grep Status. Linecard 4 is then taken offline to trigger a match against the card-state-change test condition.

Configuring an FTSA Policy for a Linecard Down

call-home
 admin-email pubsadmin@training10.
0
--------------------------------Message Attachment-----------------------------------
Type - 5
- show logging driverlog linecard 4 23:19:46.577 UTC Wed Feb 25 2009
show logging driverlog linecard 4
[output omitted]
- show logging driverlog cp 23:19:46.879 UTC Wed Feb 25 2009
show logging driverlog cp
[output omitted]
- show console lp 1 23:19:47.
remote-exec cp dhsTestCp
[output omitted]
- show linecard 4 | grep Status 23:20:07.
Excessive CRC-error policy configuration

The following FTSA policy configuration uses the interface-crc match condition to monitor GigabitEthernet 1/2 for more than 500 CRC errors. When this condition exists, FTSA triggers the action list, which captures a partial output of the command show interfaces gigabitethernet 1/2.

Configuring an FTSA Policy for an Excessive CRC-error Condition

call-home
 admin-email pubsadmin@training10.com
 smtp server-address 192.168.1.
R6_E300 0
--------------------------------Message Attachment-----------------------------------
Type - 5
Debugging FTSA

Display FTSA messages using the debug call-home command from EXEC Privilege mode.

#02:13:49 : CALL-HOME: Sending the following email
02:13:49 : From: pubsadmin@training10.com
           To: pubslab@training10.com
           Subject: Type - 5
           Attachment: ramdisk:/crcerror-21_10_04.685.txt
02:13:49 : Message: Type - 5
20 GARP VLAN Registration Protocol

GARP VLAN Registration Protocol is supported on platforms: c e s

GVRP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

Protocol Overview

A typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN Registration Protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides automatic VLAN configuration of switches.
% Error: GVRP running. Cannot enable MSTP.
.........
FTOS(conf)#protocol gvrp
FTOS(conf-gvrp)#no disable
% Error: PVST running. Cannot enable GVRP.
% Error: MSTP running. Cannot enable GVRP.

Configuring GVRP

Globally enable GVRP on each switch to facilitate GVRP communications. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. A port running GVRP accepts VLAN registrations from whatever GVRP PDUs arrive on it, so enable it only on links to trusted switches, not on ports facing end hosts.
Basic GVRP configuration is a 2-step process:
1. Enabling GVRP Globally.
2. Enabling GVRP on a Layer 2 Interface.

Related Configuration Tasks
• Configuring GVRP Registration
• Configuring a GARP Timer

Enabling GVRP Globally

Enable GVRP for the entire switch using the command gvrp enable in CONFIGURATION mode, as shown in the following example. Use the show gvrp brief command to inspect the global configuration.
Configuring GVRP Registration
• Fixed Registration Mode: Configuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN de-registration, and registers all VLANs known on other ports on the port. For example, if an interface is statically configured via the CLI to belong to a VLAN, it should not be un-configured when it receives a Leave PDU. So, the registration mode on that interface is FIXED.
Configuring a GARP Timer

GARP timers must be set to the same values on all devices that are exchanging information using GVRP:
• Join: A GARP device reliably transmits Join messages to other devices by sending each Join message two times. Use this parameter to define the interval between the two sending operations of each Join message. The FTOS default is 200 ms.
• Leave: When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer.
21 High Availability

High Availability is supported on platforms: c e s

High availability is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this FTOS release.

Component                     Boot Code
E-Series TeraScale RPM        2.4.2.1
E-Series TeraScale Line Card  2.3.2.
Component Redundancy

Dell Force10 systems eliminate single points of failure by providing dedicated or load-balanced redundancy for each component.

RPM Redundancy

The current version of FTOS supports 1+1 hitless Route Processor Module (RPM) redundancy. The primary RPM performs all routing, switching, and control operations while the standby RPM monitors the primary RPM.
Version compatibility between RPMs In general, the two RPMs should have the same FTOS version. However, FTOS tolerates some degree of difference between the two versions, as described in Table 21-1, "System Behavior with RPMs with Mismatched FTOS Versions," in High Availability. View the configuration loaded on each RPM using the show redundancy command as shown in the example in Automatic and manual RPM failover. Table 21-1.
Automatic and manual RPM failover

RPM failover is the process of the standby RPM becoming the primary RPM. FTOS fails over to the standby RPM when:
1. communication is lost between the standby and primary RPMs
2. you request a failover via the CLI
3. you remove the primary RPM

Use the command show redundancy from EXEC Privilege mode to display the reason for the last failover.
Communication between RPMs E-Series RPMs have three CPUs: Control Processor (CP), Routing Processor 1 (RP1), and Routing Processor 2 (RP2). The CPUs use Fast Ethernet connections to communicate to each other and to the line card CPUs (LP) using Inter-Processor Communication (IPC). The CP monitors the health status of the other processors by sending a heartbeat message.
Table 21-2. Failover Behaviors

Platform  Failover Trigger                            Failover Behavior
e         RP task or kernel crash on the primary RPM  CP on the primary RPM detects the RP IPC timeout and notifies the standby RPM. The standby RPM initiates a failover. FTOS saves an RP application or kernel core dump, the CP trace log, and the CP IPC-related system status. Then the new primary RPM reboots the failed RPM.
Table 21-3. Support for RPM Redundancy by FTOS Version

Failover Type  Failover Behavior                                                                                                                                                                                            Platform
Hot Failover   Only the failed RPM reboots. All line cards and SFMs remain online. All application tasks are spawned on the secondary RPM before failover. The running configuration is synchronized at runtime so it does not need to be reapplied during failover.  c e s

RPM synchronization

Data between the two RPMs is synchronized immediately after bootup.
Force an RPM failover

Trigger an RPM failover between RPMs using the command redundancy force-failover rpm from EXEC Privilege mode. Use this feature when:
• you are replacing an RPM, and
• you are performing a warm upgrade

FTOS#redundancy force-failover rpm
Peer RPM's SW version is different but HA compatible.
Failover can be done by warm or hitless upgrade.
All linecards will be reset during warm upgrade.
Online Insertion and Removal

You can add, replace, or remove chassis components while the chassis is operating. This section contains the following sub-sections:
• RPM Online Insertion and Removal
• Line Card Online Insertion and Removal

RPM Online Insertion and Removal

Dell Force10 systems are functional with only one RPM. If a second RPM is inserted, it comes online as the standby RPM, as shown in the following example.
Line Card Online Insertion and Removal

FTOS detects the line card type when you insert a line card into an online chassis. FTOS writes the line card type to the running-config and maintains this information as a logical configuration if you remove the card (or the card fails), as shown in the following example.
Replace a line card If you are replacing a line card with a line card of the same type, you may replace the card without any additional configuration. If you are replacing a line card with a line card of a different type, remove the card and then remove the existing line card configuration using the command no linecard. If you do not, FTOS reports a card mismatch (Message 6) when you insert the new card, and the installed line card has a card mismatch status.
Hitless Behavior

Hitless Behavior is supported only on platforms: c e

Hitless behavior is supported on E-Series ExaScale (ex) with FTOS 8.2.1.0 and later.

Hitless is a protocol-based system behavior that makes an RPM failover on the local system transparent to remote systems. The system synchronizes protocol information on the standby and primary RPMs such that, in the event of an RPM failover, there is no need to notify remote systems of a local state change.
Software Resiliency

During normal operations FTOS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest.

Runtime System Health Check

Runtime System Health Check is supported on platform: e

FTOS runs a system health check to detect data transfer errors within the system. FTOS performs the check during normal operation by interspersing test frames among the data frames that carry user and system data.
For more information on the PCDFO test, refer to the E-Series TeraScale Debugging and Diagnostics chapter or the E-Series ExaScale Debugging and Diagnostics chapter.

Note: The BTM applies to E-Series TeraScale, and the FPTM applies to the E-Series ExaScale.

Software Component Health Monitoring

On each of the line cards and the RPM, there are a number of software components.
Core Dumps A core dump is the contents of RAM being used by a program at the time of a software exception and is used to identify the cause of the exception. There are two types of core dumps, application and kernel. • • The kernel is the central component of an operating system that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory in use by the kernel at the time of an exception.
Warm Upgrade

Warm Upgrade is supported on platform: e

Warm software upgrades use warm failover, which means that FTOS reboots the secondary RPM and all line cards and SFMs. The chassis remains online during the upgrade, but forwarding is interrupted, as shown in Table 21-4, "Control Plane and Data Plane Status during Warm Upgrade," in High Availability.
Booting the system by this method significantly reduces the time to bring the system online. Using Cache Boot with Warm Upgrade significantly reduces downtime during an upgrade and during routine reloads. Cache Boot can be configured during runtime. Dell Force10 recommends, however, that it be configured when the system is offline. The bootflash is partitioned so that two separate images can be cached, one for each RPM.
Table 21-5. Boot Code Requirements for Cache Boot

Component           Boot Code
C-Series RPM        2.7.1.1
C-Series Line Card  2.6.0.1

If you do not have the proper boot code version, the system displays a message similar to Message 7 when you attempt to select a cache boot image (refer to Select the Cache Boot Image). Refer to Upgrading the Boot Code in the Release Notes for instructions on upgrading boot code.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Upgrade result :
================
All cache boot image upgraded to 4.7.5.427
FTOS#

View your cache boot configuration using the command show boot system all, as shown in the following example.
SECONDARY NETWORK CONFIG FILE = variable does not exist
CURRENT IMAGE FILE = flash://FTOS-EF-7.7.1.0.
Step  Task                                        Command Syntax  Command Mode
4     View all In-Service patches on the system.  show patch      EXEC

Patch version              Module  Cpu  Timestamp
7.8.0.1-EH-rp1-bgp-1.rtp   bgp     RP1  Tue Mar 3 16:10:08 PST 2009

Note: The show patch command can be used on both the primary and secondary RPMs, as shown here:

FTOS(standby)#show patch
Patch version    Module
E.1.1.bgp.1.0    bgp
E.2.1.l2mgr.1.
The processes that can be restarted are:
• Management-related processes: TACACS+, RADIUS, CLI, SSH, Telnet, Console/Aux
• TACACS+/RADIUS: FTOS restarts the process and reapplies the TACACS+ portion of the running configuration. You must enable process restart explicitly.
• Console/Aux: FTOS restarts the process; you must log in again after the restart.

The threshold for failover is three restarts per hour; the fourth restart triggers a failover.
When a process restarts, FTOS displays Message 9.

Message 9 System Message for Process Restarts

May 8 06:28:35: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process tacplus

You can specify the time frame in hours so that if the number of restart attempts exceeds the configured limit within this time frame, no further process restarts are attempted.
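As an added example that is not part of the guide or of FTOS, the Python below replays Message 9 lines from a constructed log and flags the restart that would push a process past the three-per-hour threshold described above, which is the event an operator watching syslog wants to see before the failover happens. The log lines, the year assumed for the timestamp, and the strict one-hour sliding window are assumptions.

```python
"""Sliding-window count of PROC_RESTART system messages per process, flagging
the restart that exceeds the section's threshold of three restarts per hour
(the fourth triggers an RPM failover).

Added example, not FTOS code. The log lines are constructed in the format of
Message 9; the year is assumed because the timestamp carries none."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

RESTART_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%RPM\d-P:CP %TME-2-PROC_RESTART: Restarting crashed process (?P<proc>\S+)"
)
WINDOW = timedelta(hours=1)
THRESHOLD = 3  # restarts tolerated per WINDOW; the next one means failover

# Constructed log excerpt: four tacplus restarts inside one hour, a fifth
# well outside the window, one radius restart, and an unrelated message.
SAMPLE_LOG: List[str] = [
    "May 8 06:28:35: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process tacplus",
    "May 8 06:40:00: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process tacplus",
    "May 8 06:50:00: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process radius",
    "May 8 06:55:10: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process tacplus",
    "May 8 07:00:00: %RPM0-P:CP %CALL-HOME-3-CALLHOME: Call-home service started",
    "May 8 07:10:00: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process tacplus",
    "May 8 08:30:00: %RPM0-P:CP %TME-2-PROC_RESTART: Restarting crashed process tacplus",
]


def parse_restart(line: str, year: int = 2011) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, process) for a PROC_RESTART line, else None."""
    m = RESTART_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["proc"]


def failover_candidates(lines: List[str], year: int = 2011) -> List[Tuple[str, str]]:
    """Replay the log; each restart that is the (THRESHOLD+1)th for its process
    within WINDOW is reported as (process, ISO timestamp)."""
    history: Dict[str, Deque[datetime]] = defaultdict(deque)
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parsed = parse_restart(line, year)
        if parsed is None:
            continue
        ts, proc = parsed
        window: Deque[datetime] = history[proc]
        while window and ts - window[0] > WINDOW:  # drop restarts older than an hour
            window.popleft()
        window.append(ts)
        if len(window) > THRESHOLD:
            hits.append((proc, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for proc, when in failover_candidates(SAMPLE_LOG):
        print(f"{when} {proc}: restart limit exceeded, failover expected")
```

On the constructed log only the 07:10:00 tacplus restart is reported: it is the fourth within an hour of the first, while the 08:30:00 restart starts a fresh window. Feed the same function a syslog export to get the per-process restart history before an unexplained RPM failover.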
22 Internet Group Management Protocol

Table 22-1. FTOS Support for IGMP and IGMP Snooping

Feature                   Platform
IGMP version 1, 2, and 3  c e s
IGMP Snooping version 2   c e s
IGMP Snooping version 3   c e s

Note: When both E-Series TeraScale and ExaScale are supported, only the e symbol is shown. If a feature is supported by one or the other chassis, the specific symbols are shown: et for E-Series TeraScale or ex for E-Series ExaScale.
IGMP version 2

IGMP version 2 improves upon version 1 by specifying IGMP Leave messages, which allow hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
Sending an Unsolicited IGMP Report

A host does not have to wait for a general query to join a group. It may send an unsolicited IGMP Membership Report, also called an IGMP Join message, to the querier.

Leaving a Multicast Group

1. A host sends an IGMP Leave Group message (type 0x17) to the all-routers multicast address 224.0.0.2 when it no longer cares about multicast traffic for a particular group.
2.
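The following Python, added here and not FTOS code, builds IGMPv2 Leave, Query, and Report messages and applies the sanity checks a snooping switch or querier should make before acting on one: checksum, IP protocol 2, TTL 1, and the destination address required for each message type (Leave to 224.0.0.2 as described above, General Query to 224.0.0.1, Report to the group it reports). The packets are constructed; the TTL and destination-address rules come from RFC 2236, not from this chapter.

```python
"""Build and validate IGMPv2 messages with the checks an IGMP-snooping switch
or querier applies before trusting them: correct checksum, IP protocol 2,
TTL 1, and the destination address each message type must use.

Added example, not FTOS code; packets are constructed. The TTL and
destination rules follow RFC 2236 rather than text in this chapter."""
import ipaddress
import struct
from typing import Dict

IGMP_MEMBERSHIP_QUERY = 0x11
IGMP_V2_MEMBERSHIP_REPORT = 0x16
IGMP_LEAVE_GROUP = 0x17
ALL_SYSTEMS = "224.0.0.1"
ALL_ROUTERS = "224.0.0.2"
IPPROTO_IGMP = 2
KNOWN_TYPES = (IGMP_MEMBERSHIP_QUERY, IGMP_V2_MEMBERSHIP_REPORT, IGMP_LEAVE_GROUP)


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit ones-complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """8-byte IGMPv2 message: type, max response time, checksum, group address."""
    body = struct.pack("!BBH4s", msg_type, max_resp_time, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmpv2(payload: bytes) -> Dict[str, object]:
    """Parse and verify an IGMPv2 message; raises ValueError on damage."""
    if len(payload) < 8:
        raise ValueError("short IGMP message")
    if inet_checksum(payload[:8]) != 0:  # a valid message sums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, mrt, _, group = struct.unpack("!BBH4s", payload[:8])
    return {"type": msg_type, "max_resp_time": mrt,
            "group": str(ipaddress.IPv4Address(group))}


def validate_igmp(src_ip: str, dst_ip: str, ttl: int, proto: int, payload: bytes) -> str:
    """Return 'ok' or the reason a snooping switch should drop the datagram."""
    if proto != IPPROTO_IGMP:
        return "not IGMP"
    if ttl != 1:
        return "TTL must be 1"
    try:
        msg = parse_igmpv2(payload)
    except ValueError as exc:
        return str(exc)
    t, group = msg["type"], msg["group"]
    if t not in KNOWN_TYPES:
        return "unknown IGMPv2 type 0x%02x" % t
    if t == IGMP_LEAVE_GROUP and dst_ip != ALL_ROUTERS:
        return "Leave must be sent to 224.0.0.2"
    if t == IGMP_MEMBERSHIP_QUERY and group == "0.0.0.0" and dst_ip != ALL_SYSTEMS:
        return "General Query must be sent to 224.0.0.1"
    if t == IGMP_MEMBERSHIP_QUERY and group != "0.0.0.0" and dst_ip != group:
        return "Group-Specific Query must be sent to the group"
    if t == IGMP_V2_MEMBERSHIP_REPORT and dst_ip != group:
        return "Report must be sent to the group it reports"
    if t != IGMP_MEMBERSHIP_QUERY and not ipaddress.IPv4Address(group).is_multicast:
        return "group address is not multicast"
    return "ok"


if __name__ == "__main__":
    leave = build_igmpv2(IGMP_LEAVE_GROUP, "224.1.1.1")
    print(leave.hex(), validate_igmp("10.1.1.5", ALL_ROUTERS, 1, IPPROTO_IGMP, leave))
```

The Leave for 224.1.1.1 encodes as 17 00 07 fd e0 01 01 01; re-summing those eight bytes yields zero, which is how the parser detects corruption. Rejecting non-link-local TTLs and mis-addressed messages keeps a snooping switch from reacting to forged control traffic that did not originate on the local segment.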
Figure 22-3. IGMP version 3 Membership Report Packet Format (IP header fields shown: Version 4, IHL, TOS 0xc0, Total Length, Flags, Frag Offset, TTL 1, Protocol 2, Header Checksum, Src IP Addr, Dest IP Addr 224.0.0.; IGMP fields: Type, Reserved, ...)

Figure 22-4. IGMP Membership Reports: Joining and Filtering (per-interface table of Multicast Group, Filter Mode, Source Address and the Group and Source timers on Querier and Non-Querier; IGMP Group-and-Source Specific Query with Type 0x11, Group Address 224.1.1.1, Number of Sources 1, Source Address 10.11.1.1)

Figure 22-5. IGMP Membership Queries: Leaving and Staying in Groups (Querier and Non-Querier tables of Multicast Group, Filter Mode, Source Address and the LQMT and GMI timers; the Non-querier builds an identical table and waits the Other Querier Present Interval before assuming the Querier role; IGMP Group-and-Source Specific Query with Type 0x11)
Viewing IGMP Enabled Interfaces

Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. View IGMP-enabled interfaces using the show ip igmp interface command in EXEC Privilege mode.

FTOS#show ip igmp interface gig 7/16
GigabitEthernet 7/16 is up, line protocol is up
  Internet address is 10.87.3.
Viewing IGMP Groups

View both learned and statically configured IGMP groups using the command show ip igmp groups from EXEC Privilege mode.

FTOS(conf-if-gi-1/0)#do sho ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface            Uptime    Expires   Last Reporter
224.1.1.1      GigabitEthernet 1/0  00:00:03  Never     CLI
224.1.2.1      GigabitEthernet 1/0  00:56:55  00:01:22  1.1.1.
Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries. 2. When a router receives a query it compares the IP address of the interface on which it was received with the source IP address given in the query.
IGMP Snooping

Multicast packets are addressed with multicast MAC addresses, which represent a group of devices rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only some interested hosts, which is a waste of bandwidth.
Enabling IGMP Immediate-leave Configure the switch to remove a group-port association upon receiving an IGMP Leave message using the command ip igmp fast-leave from INTERFACE VLAN mode. View the configuration using the command show config from INTERFACE VLAN mode, as shown in the example below.
Configuring the Switch as Querier

Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed, and so there is no querier. You must configure the switch to be the querier for a VLAN so that hosts send membership reports, and the switch can generate a forwarding table by snooping.
Designating a Multicast Router Interface

You can designate an interface as a multicast router interface with the command ip igmp snooping mrouter interface. FTOS can also listen for incoming IGMP General Queries and designate the interfaces on which they arrive as multicast router interfaces when the frames have a non-zero IP source address. All IGMP control packets and IP multicast data traffic originating from receivers are forwarded to multicast router interfaces. Because any device that sends a General Query with a non-zero source address is treated as a multicast router, a host on an access port can turn its port into an mrouter port and receive every multicast stream in the VLAN; on VLANs with untrusted hosts, designate the mrouter interfaces statically rather than relying on learned queries.
23 Interfaces

This chapter describes interface types, both physical and logical, and how to configure them with FTOS.

10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms: c e s

SONET interfaces are supported only on platform: e and are covered in the SONET/SDH chapter.
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 00:00:31
FTOS#

Use the show ip interfaces brief command in EXEC Privilege mode to view which interfaces are enabled for Layer 3 data transmission. In the following example, GigabitEthernet interface 1/5 is in Layer 3 mode since an IP address has been assigned to it and the interface's status is operationally up.
Enable a Physical Interface

After determining the type of physical interfaces available, enter INTERFACE mode with the command interface interface slot/port to enable and configure the interfaces.
For more information on VLANs, refer to Bulk Configuration and for more information on port channels, refer to Port Channel Interfaces. FTOS Behavior: S-Series systems use a single MAC address for all physical interfaces while E-Series and C-Series use a unique MAC address for each physical interface, though this results in no functional difference between these platforms.
Configure Layer 2 (Data Link) Mode

Use the switchport command in INTERFACE mode to enable Layer 2 data transmission through an individual interface. You cannot configure switching or Layer 2 protocols such as spanning tree protocol on an interface unless the interface has been set to Layer 2 mode. The following example displays the basic configuration found in a Layer 2 interface.
FTOS(conf-if)#ip address 10.10.1.1 /24
% Error: Port is in Layer 2 mode Gi 1/2.
FTOS(conf-if)#

To determine the configuration of an interface, use the show config command in INTERFACE mode or the various show interface commands in EXEC mode.

To assign an IP address, use both of the following commands in INTERFACE mode:

Command Syntax  Command Mode  Purpose
no shutdown     INTERFACE     Enable the interface.
Management Interfaces
Configure Management Interfaces on the E-Series and C-Series
On the E-Series and C-Series, the dedicated Management interface is located on the RPM and provides management access to the system. You can configure this interface with FTOS, but the configuration options on this interface are limited. Gateway addresses and IP addresses cannot be configured on it if they already appear in the main routing table of FTOS.
Important Things to Remember — virtual-ip
• virtual-ip is a CONFIGURATION mode command. You may enter an IPv4 or IPv6 address.
• When applied, the management port on the primary RPM assumes the virtual IP address. Entering the show interfaces and show ip interface brief commands on the primary RPM management interface will display both the virtual IP address and the actual IP address configured on the interface (refer to Displaying Information on a Management Interface).
Displaying Information on a Management Interface
To view information about the primary RPM management port, use the show interface Managementethernet command in EXEC or EXEC Privilege mode. If there are two RPMs on the system, you cannot view information on the interface.
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information on VLANs and Layer 2, refer to Chapter 10, Layer 2, on page 47. Refer also to Chapter 18, VLAN Stacking, on page 367.
Note: To monitor VLAN interfaces, use the Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213). Monitoring VLAN interfaces via SNMP is supported only on the E-Series.
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on it to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
• Port channel definition and standards
• Port channel benefits
• Port channel implementation
• Configuration task list for port channel interfaces
Port channel definition and standards
Link aggregation is defined by IEEE 802.
Port channel implementation
FTOS supports two types of port channels:
• Static—Port channels that are statically configured
• Dynamic—Port channels that are dynamically configured using Link Aggregation Control Protocol (LACP). For details, refer to Chapter 27, Link Aggregation Control Protocol.
Table 23-2.
10/100/1000 Mbps interfaces in port channels When both 10/100/1000 interfaces and GigE interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. At that time, the software checks the first interface listed in the port channel configuration.
Create a port channel
You can create up to 255 port channels on an E-Series (255 for TeraScale and ExaScale). You can create up to 128 port channels on a C-Series, 52 port channels with 8 port members per group on an S-Series S50 or S25, and 128 port channels with 8 port members per group on an S-Series S55, S60 and S4810.
To add a physical interface to a port channel, use these commands in the following sequence in the INTERFACE mode of a port channel:
Step 1
Command Syntax: channel-member interface
Command Mode: INTERFACE PORT-CHANNEL
Purpose: Add the interface to a port channel. The interface variable is the physical interface type and slot/port information.
Step 2
Command Syntax: show config
Command Mode: INTERFACE PORT-CHANNEL
Purpose: Double check that the interface was added to the port channel.
As soon as a physical interface is added to a port channel, the properties of the port channel determine the properties of the physical interface. The configuration and status of the port channel are also applied to the physical interfaces within the port channel. For example, if the port channel is in Layer 2 mode, you cannot add an IP address or a static MAC address to an interface that is part of that port channel.
Configure the minimum oper up links in a port channel (LAG)
You can configure the minimum number of links in a port channel (LAG) that must be in “oper up” status for the port channel itself to be considered “oper up”. Use the following command in INTERFACE mode:
Command Syntax: minimum-links number
Command Mode: INTERFACE
Purpose: Enter the number of links in a LAG that must be in “oper up” status.
Assign an IP address to a port channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command in INTERFACE mode:
Command Syntax: ip address ip-address mask [secondary]
Command Mode: INTERFACE
Purpose: Configure an IP address and mask on the interface.
• ip-address mask: enter an address in dotted-decimal format (A.B.C.D); the mask must be in slash format (/24).
Balancing may be applied to IPv4, switched IPv6, and non-IP traffic. For these traffic types, the IP-header-based hash and MAC-based hash may be applied to packets by using the following methods. Table 23-3.
Note: For IPv6, only the first 32 bits (LSB) of the IP Source Address and IP Destination Address are used for hash generation. The following example shows the configuration and show command for packet-based hashing on the E-Series.
To change the IP traffic load balancing default on the C-Series and S-Series, use the following command:
Command Syntax: [no] load-balance {ip-selection [dest-ip | source-ip]} | {mac [dest-mac | source-dest-mac | source-mac]} | {tcp-udp enable}
Command Mode: CONFIGURATION
Purpose: Replace the default IP 4-tuple method of balancing traffic over a port channel.
The following example shows a sample configuration for the hash-algorithm command.
FTOS(conf)#
FTOS(conf)#hash-algorithm ecmp xor 26 lag crc 26 nh-ecmp checksum 26
FTOS(conf)#

On the C-Series and S-Series, the hash-algorithm command is specific to ECMP groups and has different defaults from the E-Series. The default ECMP hash configuration is crc-lower. This takes the lower 32 bits of the hash key to compute the egress port.
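The following is an added example, not FTOS code, that models how the field selection in the load-balance command changes which port-channel member a flow lands on. It feeds only the selected fields into the hash, uses the low-order 32 bits of an IPv6 address as the note above describes, and uses SHA-256 purely as a stand-in for the platform's CRC/XOR hash (an assumption); the flow records are constructed, not captured traffic.

```python
import hashlib
import ipaddress

# Constructed flow records (src_ip, dst_ip, src_port, dst_port); not captured traffic.
SAMPLE_FLOWS = [
    ("10.1.1.2", "10.2.2.10", 40001, 443),
    ("10.1.1.3", "10.2.2.10", 40002, 443),
    ("10.1.1.4", "10.2.2.10", 40003, 80),
    ("10.1.1.5", "10.2.2.10", 40004, 22),
    ("2001:db8::1", "2001:db8::2", 50000, 53),
    ("2001:db8::1", "2001:db8::3", 50001, 53),
]


def address_hash_bytes(text):
    """Bytes of an address as fed to the hash.
    IPv4: all 4 bytes. IPv6: only the low-order 32 bits, mirroring the note that
    only the first 32 bits (LSB) of source and destination are hashed."""
    addr = ipaddress.ip_address(text)
    return addr.packed[-4:] if addr.version == 6 else addr.packed


def hash_key(flow, fields):
    """Concatenate the selected fields; names follow the load-balance keywords."""
    src, dst, sport, dport = flow
    parts = []
    for name in fields:
        if name == "source-ip":
            parts.append(address_hash_bytes(src))
        elif name == "dest-ip":
            parts.append(address_hash_bytes(dst))
        elif name == "tcp-udp":
            parts.append(sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))
        else:
            raise ValueError(f"unsupported hash field: {name}")
    return b"".join(parts)


def select_member(flow, fields, member_count):
    """Pick a LAG member index. SHA-256 stands in for the hardware hash (assumption)."""
    if member_count < 1:
        raise ValueError("a LAG needs at least one member")
    digest = hashlib.sha256(hash_key(flow, fields)).digest()
    return int.from_bytes(digest[:4], "big") % member_count


def distribution(flows, fields, member_count):
    """Count how many flows land on each member for a given field selection."""
    counts = [0] * member_count
    for flow in flows:
        counts[select_member(flow, fields, member_count)] += 1
    return counts


if __name__ == "__main__":
    # Hashing on the destination address alone sends every flow to one server
    # down the same member; adding source address and L4 ports spreads them.
    for fields in (["dest-ip"], ["source-ip", "dest-ip", "tcp-udp"]):
        print(fields, distribution(SAMPLE_FLOWS[:4], fields, 4))
```

The first four constructed flows all target one destination, so a dest-ip-only selection puts all of them on a single member regardless of how many members the LAG has; the 4-tuple selection is what gives the hash something to spread on.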
Note: When creating an interface range, interfaces appear in the order they were entered and are not sorted. The show range command is available in interface range mode; it displays all interfaces that have been validated under the interface range context. The show configuration command is also available in interface range mode; it displays the running configuration only for interfaces that are part of the interface range.
Overlap port ranges
If overlapping port ranges are specified, the port range is extended to the smallest start port number and largest end port number:
FTOS(conf)#inte ra gi 2/1 - 11 , gi 2/1 - 23
FTOS(conf-if-range-gi-2/1-23)#
Commas
The example below shows how to use commas to add different interface types to the range, enabling all Gigabit Ethernet interfaces in the range 5/1 to 5/23 and both Ten Gigabit Ethernet interfaces 1/1 and 1/2.
To show the defined interface-range macro configuration, use the command show running-config in the EXEC mode.
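As an added illustration of the range rules above (not FTOS code), the parser below accepts the comma-separated interface-range syntax, merges overlapping port ranges within the same interface type and slot into one range spanning the smallest start and largest end, and lists the resulting members. The accepted syntax is an approximation of the CLI's, the type names are assumed to be abbreviations such as gi and te, and ranges that merely touch are left separate because the text only describes overlapping ones.

```python
import re

# One range item: type, slot/start[ - end]; spaces around '-' are optional.
ITEM_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\d+)/(\d+)\s*(?:-\s*(\d+))?\s*$")


def parse_range_items(spec):
    """Parse 'gi 2/1 - 11 , gi 2/1 - 23' into a list of (type, slot, start, end)."""
    items = []
    for raw in spec.split(","):
        m = ITEM_RE.match(raw)
        if not m:
            raise ValueError(f"cannot parse range item: {raw.strip()!r}")
        itype, slot, start, end = m.group(1).lower(), int(m.group(2)), int(m.group(3)), m.group(4)
        end = int(end) if end is not None else start
        if end < start:
            raise ValueError(f"end port {end} precedes start port {start}")
        items.append((itype, slot, start, end))
    return items


def merge_ranges(items):
    """Merge overlapping ranges per (type, slot) so the result spans the smallest start
    and the largest end. Touching ranges such as 2/1-5 and 2/6-9 stay separate (assumption:
    the text describes only overlapping ranges). Ranges are sorted within a slot to merge them."""
    by_key = {}
    for itype, slot, start, end in items:
        by_key.setdefault((itype, slot), []).append((start, end))
    merged = {}
    for key, ranges in by_key.items():
        ranges.sort()
        out = []
        for start, end in ranges:
            if out and start <= out[-1][1]:
                out[-1] = (out[-1][0], max(out[-1][1], end))
            else:
                out.append((start, end))
        merged[key] = out
    return merged


def range_prompt(merged):
    """Render like the CLI prompt in the text: 'gi-2/1-23' for one merged range."""
    parts = []
    for (itype, slot), ranges in merged.items():
        for start, end in ranges:
            parts.append(f"{itype}-{slot}/{start}-{end}" if start != end else f"{itype}-{slot}/{start}")
    return ",".join(parts)


def member_ports(merged):
    """Every interface covered by the merged ranges, e.g. [('gi', 2, 1), ('gi', 2, 2), ...]."""
    return [(itype, slot, port)
            for (itype, slot), ranges in merged.items()
            for start, end in ranges
            for port in range(start, end + 1)]


if __name__ == "__main__":
    merged = merge_ranges(parse_range_items("gi 2/1 - 11 , gi 2/1 - 23"))
    print(range_prompt(merged), len(member_ports(merged)))
```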
FTOS#monitor interface gi 3/1
FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s)
Monitor time: 00:00:00 Refresh Intvl.
To test the condition of cables on 10/100/1000 BASE-T modules, use the tdr-cable-test command:
Step 1
Command Syntax: tdr-cable-test gigabitethernet /
Command Mode: EXEC Privilege
Usage: Test for cable faults on the GigabitEthernet cable.
• Between two ports, the user must not start the test on both ends of the cable.
• The user must enable the interface before starting the test.
• The port should be enabled to run the test or the test prints an error message.
Assign a debounce time to an interface
Command Syntax: link debounce time [milliseconds]
Command Mode: INTERFACE
Purpose: Enter the time to delay link status change notification on this interface.
Disable port on one SFM
This feature must be configured for each interface to shut down in the event that an SFM is disabled. Enter the command disable-on-sfm-failure from INTERFACE mode to disable the port when only a single SFM is available.
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes.
View the link dampening configuration on an interface using the command show config, or view dampening information on all or specific dampened interfaces using the command show interfaces dampening from EXEC Privilege mode, as shown in the following example.
Table 23-6, "MTU Range," in Interfaces lists the range for each transmission media.
Table 23-6. MTU Range
Transmission Media | MTU Range (in bytes)
Ethernet | 594-9252 = link MTU; 576-9234 = IP MTU

Ethernet Pause Frames
Ethernet Pause Frames are supported on platforms: C-Series, E-Series, S-Series
Threshold Settings are supported only on platforms: C-Series, S-Series
Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
Threshold Settings
Threshold Settings are supported only on platforms: C-Series, S-Series
When the transmission pause is set (tx on), 3 thresholds can be set to define the controls more closely. Ethernet Pause Frames flow control can be triggered when either the flow control buffer threshold or flow control packet pointer threshold is reached.
Command Syntax: flowcontrol rx [off | on] tx [off | on] [threshold {<1-2047> <1-2013> <1-2013>}]
Command Mode: INTERFACE
Purpose: Control how the system responds to and generates 802.3x pause frames on 1 and 10Gig line cards.
Defaults:
• C-Series: rx off tx off
• E-Series: rx on tx on
• S-Series: rx off tx off
Parameters:
• rx on: Enter the keywords rx on to process the received flow control frames on this port.
• rx off: Enter the keywords rx off to ignore the received flow control frames on this port.
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. Example: If the members have a link MTU of 2100 and an IP MTU of 2000, the port channel’s MTU values cannot be higher than 2100 bytes for link MTU or 2000 bytes for IP MTU.
Table 23-8, "Platform Differences Concerning Port-pipes," in Interfaces presents these platform differences again.
Table 23-8. Platform Differences Concerning Port-pipes
Chassis Type | Port-pipes / Slot | Channels / Port-pipe | Capacity of Each Channel (Gbps) | Raw Slot Capacity (Gbps)
E1200/E1200i-AC/DC | 2 | 9 | 3.125 | 56.25
E600/E600i | 2 | 9 | 3.125 | 56.25
E300 | 1 | 8 | 3.
Step 4: Access the port.
Command Syntax: interface interface slot/port
Command Mode: CONFIGURATION
Step 5: Set the local port speed.
Command Syntax: speed {10 | 100 | 1000 | auto}
Command Mode: INTERFACE
Step 6: Optionally, set full- or half-duplex.
Command Syntax: duplex {half | full}
Command Mode: INTERFACE
Step 7: Disable auto-negotiation on the port. If the speed was set to 1000, auto-negotiation does not need to be disabled.
Command Syntax: no negotiation auto
Command Mode: INTERFACE
Step 8: Verify configuration changes.
Setting Auto-Negotiation Options The negotiation auto command provides a mode option for configuring an individual port to forced master/forced slave once auto-negotiation is enabled. Caution: Ensure that only one end of the node is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is both as forced-master or both as forced-slave), the show interface command will flap between an auto-neg-error and forced-master/slave states.
View Advanced Interface Information
Display Only Configured Interfaces
The following options have been implemented for show [ip | running-config] interfaces commands for (only) linecard interfaces. When the configured keyword is used, only interfaces that have non-default configurations are displayed. Dummy linecard interfaces (created with the linecard command) are treated like any other physical interface.
Configure Interface Sampling Size Use the rate-interval command, in INTERFACE mode, to configure the number of seconds of traffic statistics to display in the show interfaces output. Although any value between 30 and 299 seconds (the default) can be entered, software polling is done once every 15 seconds. So, for example, if you enter “19”, you will actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG.
Dynamic Counters
By default, counting for the following four applications is enabled:
• IPFLOW
• IPACL
• L2ACL
• L2FIB
For the remaining applications, FTOS automatically turns on counting when the application is enabled and turns it off when the application is disabled. Note that if more than four counter-dependent applications are enabled on a port pipe, there is an impact on line-rate performance.
Clear interface counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters captured by any SNMP program.
24 IPv4 Addressing
IPv4 Addressing is supported on platforms: C-Series, E-Series, S-Series
IPv4 addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS.
IP Addresses
FTOS supports IP version 4, as described in RFC 791. It also supports classful routing and Variable Length Subnet Masks (VLSM). With VLSM, one network can be configured with different masks. Supernetting, which increases the number of subnets, is also supported. Subnetting is when a mask is added to the IP address to separate the network and host portions of the IP address.
To assign an IP address to an interface, use these commands in the following sequence, starting in CONFIGURATION mode:
Command Syntax: interface interface
Command Mode: CONFIGURATION
Purpose: Enter the keyword interface followed by the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For a Loopback interface, enter the keyword loopback followed by a number from 0 to 16383.
show ip interface Command Example
FTOS#show ip int gi 0/8
GigabitEthernet 0/8 is up, line protocol is up
Internet address is 10.69.8.1/24
Broadcast address is 10.69.8.
S    6.1.2.6/32     via 6.1.20.2,
S    6.1.2.7/32     via 6.1.20.2,
S    6.1.2.8/32     via 6.1.20.2,
S    6.1.2.9/32     via 6.1.20.2,
S    6.1.2.10/32    via 6.1.20.2,
S    6.1.2.11/32    via 6.1.20.2,
S    6.1.2.12/32    via 6.1.20.2,
S    6.1.2.13/32    via 6.1.20.2,
S    6.1.2.14/32    via 6.1.20.2,
S    6.1.2.15/32    via 6.1.20.2,
S    6.1.2.16/32    via 6.1.20.2,
S    6.1.2.17/32    via 6.1.20.
S    11.1.1.0/24
Directed Broadcast
By default, FTOS drops directed broadcast packets destined for an interface. This default setting provides some protection against Denial of Service (DoS) attacks. To enable FTOS to receive directed broadcasts, use the following command in INTERFACE mode:
Command Syntax: ip directed-broadcast
Command Mode: INTERFACE
Purpose: Enable directed broadcast.
To view the configuration, use the show config command in INTERFACE mode.
To view current bindings, use the show hosts command.
FTOS>show host
Default domain is force10networks.com
Name/address lookup uses domain service
Name servers are not set
Host      Flags        TTL   Type  Address
--------  -----------  ----  ----  -----------
ks        (perm, OK)         IP    2.2.2.2
patch1    (perm, OK)         IP    192.68.69.2
tomm-3    (perm, OK)         IP    192.68.99.2
gxr       (perm, OK)         IP    192.71.18.2
f00-3     (perm, OK)         IP    192.71.23.1
FTOS>
To view the current configuration, use the show running-config resolve command.
DNS with traceroute
To configure your switch to perform DNS with traceroute, follow the steps below in CONFIGURATION mode.
Command Syntax: ip domain-lookup
Command Mode: CONFIGURATION
Purpose: Enable dynamic resolution of host names.
Command Syntax: ip name-server ipv4-address [ipv4-address2 ... ipv4-address6]
Command Mode: CONFIGURATION
Purpose: Specify up to 6 IPv4 or IPv6 name servers. The order in which you enter the servers determines the order of their use.
ARP FTOS uses two forms of address resolution: ARP and Proxy ARP. Address Resolution Protocol (ARP) runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, FTOS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time. For more information on ARP, refer to RFC 826, An Ethernet Address Resolution Protocol.
These entries do not age and can only be removed manually. To remove a static ARP entry, use the no arp ip-address command syntax. To view the static entries in the ARP cache, use the show arp static command in EXEC Privilege mode.
FTOS#show arp
Protocol  Address      Age(min)  Hardware Address   Interface  VLAN  CPU
-------------------------------------------------------------------------------
Internet  10.1.2.
Clear ARP cache
To clear the ARP cache of dynamically learned ARP information, use the following command in EXEC Privilege mode:
Command Syntax: clear arp-cache [interface | ip ip-address] [no-refresh]
Command Mode: EXEC Privilege
Purpose: Clear the ARP caches for all interfaces or for a specific interface by entering the following information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
ARP Learning via Gratuitous ARP
Gratuitous ARP can mean an ARP request or reply. In the context of ARP Learning via Gratuitous ARP on FTOS, the gratuitous ARP is a request.
Beginning with FTOS version 8.3.1.0, when ARP Learning via Gratuitous ARP is enabled, the system installs a new ARP entry, or updates an existing entry, for all received ARP requests.
Figure 24-2. Learning via Gratuitous ARP
[Figure: the VLAN interface has IP 1.1.1.1 and ARP Learning via Gratuitous ARP is enabled. Host 1 (IP 1.1.1.2, MAC AA) sends an ARP Request with Target IP 1.1.1.3. The target IP is not the VLAN interface IP: the system installs a new entry for Host 1, or updates the existing Host 1 entry, and drops the packet. Host 2 IP: 1.1.1. (truncated)]
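The following added example (not FTOS code) models the ARP cache behaviours described in this section: dynamic entries age out after a configurable period, static entries never age and only leave with no arp, clear arp-cache removes the dynamic entries, and with gratuitous-ARP learning enabled every received request installs or updates an entry, as in Figure 24-2. The aging period is a constructor parameter because the default timeout is not stated on this page; that classic learning only happens for requests targeting the interface's own address, and that a static entry is never overwritten by a learned one, are assumptions noted in the code. The last point is also why static entries for critical hosts matter once every request on the segment can update the cache.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    static: bool
    learned_at: float  # seconds; ignored for static entries, which never age


class ArpCache:
    """Model of one interface's ARP cache (illustrative, not the FTOS implementation)."""

    def __init__(self, interface_ip, age_seconds, learn_gratuitous=False):
        self.interface_ip = interface_ip
        self.age_seconds = age_seconds      # assumption: page does not give the default
        self.learn_gratuitous = learn_gratuitous
        self.entries = {}

    # 'arp ip-address mac-address' / 'no arp ip-address'
    def add_static(self, ip, mac):
        self.entries[ip] = ArpEntry(mac=mac, static=True, learned_at=0.0)

    def remove_static(self, ip):
        entry = self.entries.get(ip)
        if entry is None or not entry.static:
            return False
        del self.entries[ip]
        return True

    def process_request(self, sender_ip, sender_mac, target_ip, now):
        """Handle a received ARP request; returns True if an entry was installed or updated.
        Without gratuitous learning only requests aimed at this interface's own IP teach the
        cache (assumption: classic ARP behaviour). With it enabled every received request does,
        as the text states. A static entry is never overwritten by a learned one (assumption)."""
        if not self.learn_gratuitous and target_ip != self.interface_ip:
            return False
        existing = self.entries.get(sender_ip)
        if existing is not None and existing.static:
            return False
        self.entries[sender_ip] = ArpEntry(mac=sender_mac, static=False, learned_at=now)
        return True

    def expire(self, now):
        """Age out dynamic entries older than age_seconds; returns how many were removed."""
        stale = [ip for ip, e in self.entries.items()
                 if not e.static and now - e.learned_at >= self.age_seconds]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    # 'clear arp-cache'
    def clear_dynamic(self):
        dynamic = [ip for ip, e in self.entries.items() if not e.static]
        for ip in dynamic:
            del self.entries[ip]
        return len(dynamic)

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return None if entry is None else entry.mac

    def static_entries(self):
        """What 'show arp static' would list."""
        return {ip: e.mac for ip, e in self.entries.items() if e.static}


if __name__ == "__main__":
    # Figure 24-2: Host 1 (1.1.1.2, MAC AA) asks for 1.1.1.3 on a VLAN whose interface is 1.1.1.1.
    cache = ArpCache("1.1.1.1", age_seconds=4 * 3600, learn_gratuitous=True)
    print(cache.process_request("1.1.1.2", "AA", "1.1.1.3", now=0.0), cache.lookup("1.1.1.2"))
```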
ICMP
For diagnostics, Internet Control Message Protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining whether a router is reachable (ICMP Echo or Echo Reply). ICMP Error messages inform the router of problems in a particular packet.
To view whether ICMP redirect messages are sent on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled; only non-default information is displayed in the show config command output.
UDP Helper
UDP helper allows you to direct the forwarding of IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses.
Enabling UDP Helper
Enable UDP helper using the command ip udp-helper udp-ports, as shown in the following example.
FTOS(conf-if-gi-1/1)#ip udp-helper udp-port 1000
Force10(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 2.1.1.1/24
 ip udp-helper udp-port 1000
 no shutdown
View the interfaces and ports on which UDP helper is enabled using the command show ip udp-helper from EXEC Privilege mode, as shown in the following example.
Configurations Using UDP Helper When UDP helper is enabled and the destination IP address of an incoming packet is a broadcast address, FTOS suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
UDP Helper with Subnet Broadcast Addresses
When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to the matching interface. In Figure 24-4, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
Figure 24-5. UDP Helper with Configured Broadcast Addresses
[Figure: VLAN 100 has IP address 1.1.0.1/24, subnet broadcast address 1.1.0.255 and configured broadcast address 1.1.255.255; hosts on VLAN 100 are 1.1.0.2, 1.1.0.3 and 1.1.0.4. Packet 1, destination address 1.1.255.255, arrives on ingress interface 1/1 (IP address 2.1.1.1/24, UDP helper enabled); interfaces 1/2 and 1/3 lead to the VLANs. Packet 2 (switched packet) has destination address 1.1.255.255. VLAN 101 has IP address 1.11.1/24, subnet broadcast address 1.1.1.255 and configured broadcast address 1.1.255. (truncated)]
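The following added example (not FTOS code) models the two broadcast rules this chapter states: a directed broadcast aimed at an interface's subnet broadcast address is dropped unless ip directed-broadcast is configured, and a UDP-helper-enabled ingress interface rewrites a packet whose destination equals some interface's subnet broadcast address to that interface's configured broadcast address. The interface table is constructed from the addresses in Figures 24-4 and 24-5; the handling of a destination that already carries a configured broadcast address is not modelled, because this page does not describe it.

```python
import ipaddress

# Constructed from Figures 24-4/24-5: name -> (interface address, configured broadcast address)
INTERFACES = {
    "VLAN 100": {"address": "1.1.0.1/24", "configured_broadcast": "1.1.255.255"},
    "VLAN 101": {"address": "1.1.1.1/24", "configured_broadcast": "1.1.255.255"},
}


def subnet_broadcast(cidr):
    """Subnet broadcast address of an interface, e.g. 1.1.1.1/24 -> 1.1.1.255."""
    return str(ipaddress.ip_interface(cidr).network.broadcast_address)


def accept_directed_broadcast(dst_ip, interface_cidr, directed_broadcast_enabled=False):
    """Directed-broadcast rule: a packet aimed at an interface's subnet broadcast address is
    dropped unless ip directed-broadcast is configured on that interface. The drop default is
    the denial-of-service protection the text mentions."""
    if dst_ip != subnet_broadcast(interface_cidr):
        return False  # not a directed broadcast for this interface
    return directed_broadcast_enabled


def udp_helper_forward(dst_ip, udp_helper_enabled, interfaces=INTERFACES):
    """UDP helper rule for subnet broadcast destinations.
    Returns (egress interface, rewritten destination), or None when the helper does not
    forward the packet (helper disabled on the ingress interface, or no interface matches)."""
    if not udp_helper_enabled:
        return None
    for name, cfg in interfaces.items():
        if dst_ip == subnet_broadcast(cfg["address"]):
            return name, cfg["configured_broadcast"]
    return None


if __name__ == "__main__":
    # Packet 1 of Figure 24-4: destination 1.1.1.255 matches VLAN 101's subnet broadcast.
    print(udp_helper_forward("1.1.1.255", udp_helper_enabled=True))
    print(accept_directed_broadcast("1.1.1.255", "1.1.1.1/24"))
```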
25 IPv6 Addressing
IPv6 Addressing is supported on platforms: C-Series, E-Series, S-Series
Note: The basic IPv6 commands are supported on all platforms. However, not all IPv6-based features are supported on all platforms and on all releases. Refer to Table 25-2, "FTOS and IPv6 Feature Support," in IPv6 Addressing to see which FTOS version supports an IPv6 feature on each platform.
IPv6 (Internet Protocol Version 6) is the successor to IPv4.
Protocol Overview
IPv6 is an evolution of IPv4. IPv6 is generally installed as an upgrade in devices and operating systems. Most new devices and operating systems support both IPv4 and IPv6. Some key changes in IPv6 are:
• Extended Address Space
• Stateless Autoconfiguration
• Header Format Simplification
• Improved Support for Options and Extensions
Extended Address Space
The address format is extended from 32 bits to 128 bits.
The router redistribution functionality in Neighbor Discovery Protocol (NDP) is similar to IPv4 router redirect messages. Neighbor Discovery Protocol (NDP) uses ICMPv6 redirect messages (Type 137) to inform nodes that a better router exists on the link. IPv6 Headers The IPv6 header has a fixed length of 40 bytes. This provides 16 bytes each for Source and Destination information, and 8 bytes for general header information.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Table 25-1. Next Header field values
Value | Description
59 | No Next Header
60 | Destinations option header
Note: This is not a comprehensive table of Next Header field values. Refer to the Internet Assigned Numbers Authority (IANA) web page http://www.iana.org/assignments/protocol-numbers for a complete and current listing.
Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing.
Hop-by-Hop Options header
The Hop-by-Hop Options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero) (Table 25-1, "Next Header field values," in IPv6 Addressing). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router-specific information and immediately processes the packet to its final destination.
Addressing IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons(::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address.
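The added example below (not FTOS code) serves both the header description above and the addressing rules just given: it decodes the fixed 40-byte IPv6 header, walks the extension-header chain using the Next Header values from Table 25-1 (0 for Hop-by-Hop Options, 60 for Destination Options, 59 for No Next Header), rejects a Hop-by-Hop header that is not first (a requirement of RFC 8200, not stated on this page), and expands or compresses textual addresses while enforcing the single-'::' rule. The packet is constructed inline; protocol numbers 6, 17 and 58 are IANA values not listed in the page's table.

```python
import struct

# Next Header values named on this page (0, 59, 60); 6, 17 and 58 are IANA protocol numbers.
NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP",
                     58: "ICMPv6", 59: "No Next Header", 60: "Destination Options"}
# Extension headers that share the (next header, length in 8-octet units minus 1) layout.
CHAINED_EXTENSIONS = {0, 60}
HEX = "0123456789abcdefABCDEF"


def expand_ipv6(text):
    """Text -> 16 bytes, enforcing the page's rule that only one '::' may appear."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed in an IPv6 address")
    if "::" in text:
        head, tail = text.split("::")
        groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 or not all(c in HEX for c in g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {text!r}")
    return b"".join(int(g, 16).to_bytes(2, "big") for g in groups)


def compress_ipv6(raw):
    """16 bytes -> text with the longest run of zero groups replaced by a single '::'.
    Groups keep four digits, matching the page's example form (2001:0db8::1428:57ab)."""
    if len(raw) != 16:
        raise ValueError("an IPv6 address is 16 bytes")
    groups = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:  # locate the longest run of zero groups
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    text = [f"{g:04x}" for g in groups]
    if best_len < 2:  # a lone zero group is written out, not elided
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def parse_ipv6_packet(packet):
    """Decode the fixed header and walk the extension-header chain.
    Raises ValueError on truncation, length mismatch, or a Hop-by-Hop header that is not first."""
    if len(packet) < 40:
        raise ValueError("IPv6 fixed header is 40 bytes")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if payload_length != len(packet) - 40:
        raise ValueError("payload length does not match packet size")
    chain, offset, nh = [], 40, next_header
    while nh in CHAINED_EXTENSIONS:
        if nh == 0 and chain:
            raise ValueError("Hop-by-Hop Options must immediately follow the IPv6 header")
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        ext_next, ext_len = packet[offset], packet[offset + 1]
        size = (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append(NEXT_HEADER_NAMES[nh])
        offset, nh = offset + size, ext_next
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "hop_limit": hop_limit,
        "source": compress_ipv6(packet[8:24]),
        "destination": compress_ipv6(packet[24:40]),
        "extension_headers": chain,
        "upper_layer": NEXT_HEADER_NAMES.get(nh, str(nh)),
        "payload_offset": offset,
    }


def sample_packet():
    """Constructed packet: fixed header, one 8-byte Hop-by-Hop header carrying a PadN option,
    then Next Header 59 (no further header)."""
    hop_by_hop = bytes([59, 0, 1, 4, 0, 0, 0, 0])  # next header 59, ext len 0 (= 8 bytes), PadN(4)
    fixed = struct.pack("!IHBB", 6 << 28, len(hop_by_hop), 0, 64)
    return fixed + expand_ipv6("2001:0db8::1") + expand_ipv6("2001:0db8:0000:0000:0000:0000:1428:57ab") + hop_by_hop
```

The parser stops at the first non-extension Next Header, so a router that only needs to know whether a Hop-by-Hop header is present can inspect byte 6 of the fixed header without walking the chain, which is the shortcut the text describes.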
DHCP server is used, but it is specifically configured to always assign the same IP address to a particular computer, and never to assign that IP address to another computer. This allows static IP addresses to be configured in one place, without having to specifically configure each computer on the network in a different way.
Table 25-2. FTOS and IPv6 Feature Support (Continued)
IPv6 Routing
Static routing | 7.4.1 | 8.2.1 | 7.8.1 | 7.8.1 | Assign a Static IPv6 Route in this chapter
Route redistribution | 7.4.1 | 8.2.1 | 7.8.1 | 8.4.2 | OSPF, IS-IS, and IPv6 BGP chapters in the FTOS Command Line Reference Guide
Multiprotocol BGP extensions for IPv6 | 7.4.1 | 8.2.1 | 7.8.1 | 8.4.2 | IPv6 BGP in the FTOS Command Line Reference Guide
IPv6 BGP MD5 Authentication | 8.2.1.0 | 8.2.1.0 | 8.2.1.0 | 8.4.
Table 25-2. FTOS and IPv6 Feature Support (Continued)
IPv6 Multicast
PIM-SM for IPv6 | 7.4.1 | 8.2.1 | 8.4.2 | 8.4.2 | IPv6 Multicast in this chapter; IPv6 PIM in the FTOS Command Line Reference Guide
PIM-SSM for IPv6 | 7.5.1 | 8.2.1 | 8.4.2 | 8.4.2 | IPv6 Multicast in this chapter; IPv6 PIM in the FTOS Command Line Reference Guide
MLDv1/v2 | 7.4.1 | 8.2.1 | 8.4.2 | 8.4.2 | IPv6 Multicast in this chapter; Multicast IPv6 in the FTOS Command Line Reference Guide
MLDv1 Snooping | 7.4.1 | 8.
Path MTU Discovery
IPv6 MTU Discovery is supported on platforms: C-Series, E-Series, S-Series
Path MTU (Maximum Transmission Unit) defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
IPv6 Neighbor Discovery
IPv6 NDP is supported on platforms: C-Series, E-Series, S-Series
Neighbor Discovery Protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In lieu of ARP, NDP uses "Neighbor Solicitation" and "Neighbor Advertisement" ICMPv6 messages for determining relationships between neighboring nodes.
Advertise Neighbor Prefixes
Specify which IPv6 prefixes are included in Neighbor Advertisements. By default, all prefixes configured as addresses on the interface are advertised. You can control the advertise parameters per prefix; the default keyword can be used to apply the default parameters to all prefixes.
• PIM in Source Specific Multicast (PIM-SSM). PIM-SSM protocol is based on the source specific model for forwarding Multicast traffic across multiple domains on the Internet. It is restricted to shortest path trees (SPTs) to specific sources described by hosts using MLD. PIM-SSM is essentially a subset of PIM-SM protocol, which has the capability to join SPTs.
Change your CAM-Profile on an E-Series system
The cam-profile command is supported only on platform: E-Series
Change your CAM profile to the CAM ipv6-extacl before doing any further IPv6 configuration. Once the CAM profile is changed, save the configuration and reboot your router.
IPv6FIB        : 6K entries    : 6K entries
IPv6ACL        : 3K entries    : 3K entries
IPv6Flow       : 4K entries    : 4K entries
EgIPv6ACL      : 1K entries    : 1K entries
MicroCode Name : IPv6-ExtACL   : IPv6-ExtACL
-- Line card 1 --
CamSize        : 18-Meg
               : Current Settings : Next Boot
--More--

Adjust your CAM-Profile on a C-Series or S-Series
The cam-acl command is supported on platforms: C-Series, S-Series
If you plan to implement IPv6 ACLs, you must adjust your CAM settings. The CAM space is allotted in FP blocks.
Assign an IPv6 Address to an Interface
IPv6 Addresses are supported on platforms: C-Series, E-Series, S-Series
Essentially, IPv6 is enabled in FTOS simply by assigning IPv6 addresses to individual router interfaces. IPv6 and IPv4 can be used together on a system, but be sure to differentiate that usage carefully. Use the ipv6 address command to assign an IPv6 address to an interface.
Command Syntax: ipv6 address ipv6 address/mask
Command Mode: CONFIG-INTERFACE
Purpose: Enter the IPv6 address for the device.
Telnet with IPv6
IPv6 Telnet is supported on platforms: C-Series, E-Series, S-Series
The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or an IPv6 Telnet connection can be initiated from the router.
Note: Telnet to link local addresses is not supported.
Command Syntax: telnet ipv6 address
Command Mode: EXEC or EXEC Privileged
Purpose: Enter the IPv6 address for the device.
FTOS#show ipv6 ?
accounting    IPv6 accounting information
cam           linecard IPv6 CAM Entries for Line Card
fib           linecard IPv6 FIB Entries for Line Card
interface     IPv6 interface information
mbgproutes    MBGP routing table
mld           MLD information
mroute        IPv6 multicast-routing table
neighbors     IPv6 neighbor information
ospf          OSPF information
pim           PIM V6 information
prefix-list   List IPv6 prefix lists
route         IPv6 routing information
rpf           RPF table
FTOS#
Show an IPv6 Interface
View the IPv6 c
The following example illustrates the show ipv6 interface command output.
The following example illustrates the show ipv6 route command output.
Show the Running-Configuration for an Interface
View the configuration for any interface with the following command.
Command Syntax: show running-config interface type {slot/port}
Command Mode: EXEC
Purpose: Show the currently running configuration for the specified interface.
26 Intermediate System to Intermediate System
Intermediate System to Intermediate System is supported on platforms: C-Series, E-Series, S-Series
IS-IS is supported on the E-Series ExaScale platform in FTOS 8.1.1.0 and later. IS-IS for IPv6 is supported on the E-Series TeraScale, C-Series, and S-Series platforms in FTOS 8.4.2.0 and later. Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
Protocol Overview
The intermediate-system-to-intermediate-system (IS-IS) protocol, developed by the International Organization for Standardization (ISO), is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
Note: This protocol supports routers passing both IP and OSI traffic, though the Dell Force10 implementation supports only IP traffic.
Figure 26-1. ISO Address Format
[Figure: area address (variable length) | system-id (6 bytes) | N-selector (1 byte); example address 47.0005.0001.000c.000a.4321.00]
Multi-Topology IS-IS
FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. The E-Series ExaScale platform supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
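As an added example (not FTOS code) of the address layout in Figure 26-1, the parser below splits a NET into its area address, 6-byte system-id and N-selector, and uses the result for two checks a practitioner does by hand: whether two routers share an area, and which configured hostname a system-id maps to (a constructed table standing in for the dynamic hostname exchange described later in this chapter). The 8-to-20-octet limit is the NSAP address size range and the selector-00 requirement is what makes an NSAP a NET; neither is stated on this page.

```python
HEX = "0123456789abcdefABCDEF"


def format_area(area):
    """AFI byte, then 2-byte groups: b'\\x47\\x00\\x05\\x00\\x01' -> '47.0005.0001'."""
    parts = [f"{area[0]:02x}"]
    rest = area[1:]
    parts += [rest[i:i + 2].hex() for i in range(0, len(rest), 2)]
    return ".".join(parts)


def format_system_id(system_id):
    """Six bytes as three dotted groups: b'\\x00\\x0c\\x00\\x0a\\x43\\x21' -> '000c.000a.4321'."""
    return ".".join(system_id[i:i + 2].hex() for i in range(0, 6, 2))


def parse_net(net):
    """Split an ISO NET into area address, 6-byte system-id and N-selector (Figure 26-1 layout).
    Raises ValueError for non-hex input, an out-of-range length, or a non-zero selector."""
    hexdigits = net.replace(".", "")
    if len(hexdigits) % 2 or any(c not in HEX for c in hexdigits):
        raise ValueError(f"NET is not dotted hex: {net!r}")
    raw = bytes.fromhex(hexdigits)
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"NET must be 8 to 20 octets, got {len(raw)}")
    area, system_id, nsel = raw[:-7], raw[-7:-1], raw[-1]
    if nsel != 0:
        raise ValueError("a NET must have N-selector 00")
    return {"area": format_area(area), "system_id": format_system_id(system_id), "nsel": nsel}


def same_area(net_a, net_b):
    """Level-1 adjacency precondition: both routers must carry the same area address."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


def resolve_hostname(net, hostnames):
    """Map a NET's system-id to a router name; hostnames is a constructed lookup table."""
    return hostnames.get(parse_net(net)["system_id"])


if __name__ == "__main__":
    print(parse_net("47.0005.0001.000c.000a.4321.00"))
```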
Transition Mode
All routers in the area or domain must use the same type of IPv6 support, either single-topology or multi-topology. A router operating in multi-topology mode will not recognize the ability of the single-topology mode router to support IPv6 traffic, which will lead to holes in the IPv6 topology.
downloaded into the Forwarding Information Base on the line cards (the data plane) and are still resident. For packets that have existing FIB/CAM entries, forwarding between ingress and egress ports can continue uninterrupted while the control plane IS-IS process comes back to full functionality and rebuilds its routing tables. A new TLV (the Restart TLV) is introduced in the IIH PDUs, indicating that the router supports Graceful Restart.
By default, FTOS supports dynamic hostname exchange to assist with troubleshooting and configuration. By assigning a name to an IS-IS NET address, you can track IS-IS information on that address more easily. FTOS does not support ISO CLNS routing; however, the ISO NET format is supported for addressing.
Configuration Task List for IS-IS

The following list includes the configuration tasks for IS-IS:
• Enable IS-IS
• Configure Multi-Topology IS-IS (MT IS-IS)
• Configure IS-IS Graceful Restart
• Change LSP attributes
• Configure IS-IS metric style and cost
• Change the IS-type
• Control routing updates
• Configure authentication passwords
• Set the overload bit
• Debug IS-IS

Enable IS-IS

By default, IS-IS is not enabled. The system supports one instance of IS-IS.
Step 3: Enter the interface configuration mode. Enter the keyword interface followed by the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback followed by a number from 0 to 16383.
    GigabitEthernet 4/22
    Loopback 0
  Redistributing:
  Distance: 115
  Generate narrow metrics: level-1-2
  Accept narrow metrics:   level-1-2
  Generate wide metrics:   none
  Accept wide metrics:     none
FTOS#

Use the show isis traffic command in EXEC Privilege mode to view IS-IS protocol statistics.
Configure Multi-Topology IS-IS (MT IS-IS)

Step 1: Enable Multi-Topology IS-IS for IPv6. Enter the transition keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in MT IS-IS IPv6 mode, users can remove the transition keyword on each router.
Step 3: Set the minimum interval between SPF calculations.
Command Syntax: spf-interval [level-1 | level-2 | interval] [initial_wait_interval [second_wait_interval]]
Command Mode: ROUTER ISIS AF IPV6
This command is used for IPv6 route computation only when multi-topology is enabled. If using single-topology mode, use the spf-interval command in CONFIG ROUTER ISIS mode to apply to both IPv4 and IPv6 route computations.

Step 4: Implement a wide metric-style globally.
Command Syntax: graceful-restart t3 {adjacency | manual seconds}
Command Mode: ROUTER-ISIS
Purpose: Configure Graceful Restart timer T3 to set the time used by the restarting router as an overall maximum time to wait for database synchronization to complete.
adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly if the user has configured this option.
Use the show isis interface command in EXEC Privilege mode to view all interfaces configured with IS-IS routing along with the defaults.

show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
  MTU 1497, Encapsulation SAP
  Routing Protocol: IS-IS
    Circuit Type: Level-1-2
    Interface Index 0x62cc03a, Local circuit ID 1
    Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.

FTOS#show running-config isis
!
router isis
 lsp-refresh-interval 902
 net 47.0005.0001.000C.000A.4321.00
 net 51.0005.0001.000C.000A.4321.00
FTOS#

Configure IS-IS metric style and cost

All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations.
Use the show isis protocol command in EXEC Privilege mode to view which metric types are generated and received.

FTOS#show isis protocol
IS-IS Router:
  System Id: EEEE.EEEE.EEEE  IS-Type: level-1-2
  Manual area address(es):
    47.0004.004d.0001
  Routing for area address(es):
    21.2223.2425.2627.2829.3031.3233
    47.0004.004d.
Table 26-3. Correct Value Range for the isis metric command
Metric Style         Correct Value Range
narrow transition    0 to 63
transition           0 to 63

Configuring the distance of a route

Configure the distance for a route using the distance command from ROUTER ISIS mode.
eljefe.02-00        0x00000001   0x2E7F   1113   0/0/0
FTOS.00-00        * 0x00000004   0xCDA9   1107   0/0/0
FTOS#

Control routing updates

Use the following commands in ROUTER ISIS mode to control the source of IS-IS route information.

Command Syntax: passive-interface interface
Command Mode: ROUTER ISIS
Purpose: Disable a specific interface from sending or receiving IS-IS routing information.
Command Syntax: distribute-list prefix-list-name in [interface]
Command Mode: ROUTER ISIS
Purpose: Apply a configured prefix list to all incoming IPv4 IS-IS routes. Enter the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback followed by a number from 0 to 16383.
Command Syntax: distribute-list prefix-list-name in [interface]
Command Mode: ROUTER ISIS-AF IPV6
Purpose: Apply a configured prefix list to all incoming IPv6 IS-IS routes. Enter the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback followed by a number from 0 to 16383.
Command Syntax: redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Command Mode: ROUTER ISIS
Purpose: Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS. Configure the following parameters:
• level-1, level-1-2, or level-2: Assign all redistributed routes to a level. Default is level-2.
• metric range: 0 to 16777215. Default is 0.
Command Syntax: redistribute ospf process-id [level-1 | level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Command Mode: ROUTER ISIS
Purpose: Include specific OSPF routes in IS-IS. Configure the following parameters:
• process-id range: 1 to 65535
• level-1, level-1-2, or level-2: Assign all redistributed routes to a level. Default is level-2.
• metric range: 0 to 16777215. Default is 0.
Set the overload bit

Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations. For example, if the IS-IS routing database is out of memory and cannot accept new LSPs, FTOS sets the overload bit and IS-IS traffic continues to transit the system. Use the following command in ROUTER ISIS mode to set the overload bit manually.
Debug IS-IS

Enter the debug isis command in EXEC Privilege mode to debug all IS-IS processes. Use the following commands for specific IS-IS debugging.

Command Syntax: debug isis
Command Mode: EXEC Privilege
Purpose: View all IS-IS information.

Command Syntax: debug isis adj-packets [interface]
Command Mode: EXEC Privilege
Purpose: View information on all adjacency-related activity (for example, hello packets that are sent and received).
IS-IS Metric Styles

The following sections provide additional information on IS-IS Metric Styles.
Changing the IS-IS Metric Style in One Level Only

By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected. In the following scenarios, the IS-type is Level-1, Level-2, or Level-1-2, and the metric style changes.

Table 26-5.
Moving to transition and then to another metric style produces different results (Table 26-6, "Metric Value when Metric Style Changes Multiple Times," in Intermediate System to Intermediate System).

Table 26-6.
Sample Configuration

The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you some guidance with typical configurations.

Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used.

You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP Addresses, Interfaces, Names, etc.
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route

Gateway of last resort is not set

  Destination        Gateway
  -----------        -------
C 10.0.12.0/24       Direct, Gi 1/21
C 192.168.1.
R2(conf)#ex
R2#show ip route
Codes: C - connected, S - static, R - RIP,
       B - BGP, IN - internal BGP, EX - external BGP, LO - Locally Originated,
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route

Gateway of last resort is 172.21.212.1 to network 0.0.0.
Figure 26-2. IPv6 IS-IS Sample Topography (addresses read from the figure; the 10.0.12.0/24, 10.0.23.0/24 and 10.0.13.0/24 subnets are the R1-R2, R2-R3 and R1-R3 links)
  R1: Loopback 0 2001:0db8:9999:1::/48 (192.168.1.1/24); GigE 1/21 2001:0db8:1021:1::/48 (10.0.12.1/24); GigE 1/34 2001:0db8:1022:1::/48 (10.0.13.1/24)
  R2: Loopback 0 2001:0db8:9999:2::/48 (192.168.1.2/24); GigE 2/11 2001:0db8:1021:2::/48 (10.0.12.2/24); GigE 2/31 2001:0db8:1023:2::/48 (10.0.23.2/24)
  R3: Loopback 0 2001:0db8:9999:3::/48 (192.168.1.; GigE 3/21 2001:0db8:1023:3::/48 (10.0.23.3/24)
27 Link Aggregation Control Protocol

Link Aggregation Control Protocol is supported on platforms: C-Series, E-Series, and S-Series.

LACP addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
Important Points to Remember
• On ExaScale, LACP is supported on 200 physical ports. Use static LAGs for the remaining ports to avoid unpredictable results.
• LACP enables you to add members to a port channel (LAG) as long as it has no static members. Conversely, if the LAG already contains a statically defined member (channel-member command), the port-channel mode command is not permitted.
LACP modes

FTOS provides the following three modes for configuration of LACP:
• Off—In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
• Active—In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state. A port in Active state also automatically initiates negotiations with other ports by initiating LACP packets.
LACP Configuration Tasks

The tasks covered in this section are:
• Create a LAG
• Configure the LAG interfaces as dynamic
• Set the LACP long timeout
• Monitor and Debugging LACP
• Configure Shared LAG State Tracking

Create a LAG

To create a dynamic port channel (LAG), define the LAG and then the LAG interfaces.
Set the LACP long timeout

PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions. PDUs are transmitted at either a slow or fast transmission rate, depending upon the LACP timeout value. The timeout value is the amount of time that a LAG interface waits for a PDU from the remote system before bringing the LACP session down. The default timeout value is 1 second; it can be configured to be 30 seconds.
Monitor and Debugging LACP

The system log (syslog) records faulty LACP actions. To debug LACP, use the following command:

Command Syntax: [no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]]
Command Mode: EXEC
Purpose: Debug LACP, including configuration and events.

Shared LAG State Tracking

Shared LAG State Tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG.
Configure Shared LAG State Tracking

To configure Shared LAG State Tracking, you configure a failover group:

Step 1: Enter port-channel failover group mode.
Command: port-channel failover-group
Command Mode: CONFIGURATION

Step 2: Create a failover group and specify the two port-channels that will be members of the group.
Command: group number port-channel number port-channel number
Command Mode: CONFIG-PO-FAILOVER-GRP

In the following example, LAGs 1 and 2 have been placed into the same failover group.
View the status of a failover group member using the command show interface port-channel, as shown in the following example.
LACP Basic Configuration Example

The screenshots in this section are based on the example topology shown in Figure 27-3. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. The sections are:
• Configuring a LAG on ALPHA
• Summary of the configuration on ALPHA
• Summary of the configuration on BRAVO

Figure 27-3.
Figure 27-4. Inspecting a LAG Port Configuration on ALPHA: shows the status of this physical interface, and shows it is part of port channel 10.
Figure 27-5. Inspecting Configuration of LAG 10 on ALPHA: indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Summary of the configuration on BRAVO

Bravo(conf-if-gi-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if
Figure 27-7. Using the show interface Command to Inspect a LAG Port on BRAVO: shows the status of this interface, and also shows it is part of LAG 10.

Bravo#show int gig 3/21
GigabitEthernet 3/21 is up, line protocol is up
Port is part of Port-channel 10
Hardware is Force10Eth, address is 00:01:e8:09:c3:82
    Current address is 00:01:e8:09:c3:82

Shows that this is a Layer 2 port.
Figure 27-9. Using the show lacp Command to Inspect LAG Status

FTOS#show lacp 10
Port-channel 10 admin up, oper up, mode lacp
Actor   System ID:  Priority 32768, Address 0001.e809.c24a
Partner System ID:  Priority 32768, Address 0001.e806.
28 Layer 2

Layer 2 features are supported on platforms: C-Series, E-Series, and S-Series. The E-Series ExaScale platform is supported with FTOS 8.1.1.0 and later.
Set the Aging Time for Dynamic Entries

Learned MAC addresses are entered in the table as dynamic entries, which means that they are subject to aging. For any dynamic entry, if no packet arrives on the switch with the MAC address as the source or destination address within the timer period, the address is removed from the table. The default aging time is 1800 seconds.

Task: Disable MAC address aging for all dynamic entries.
Display the MAC Address Table

To display the contents of the MAC address table:

Task: Display the contents of the MAC address table.
• address displays the specified entry.
• aging-time displays the configured aging-time.
• count displays the number of dynamic and static entries for all VLANs, and the total number of entries.
• dynamic displays only dynamic entries.
• interface displays only entries for the specified interface.
• static displays only static entries.
To set a MAC learning limit on an interface:

Task: Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
Command Syntax: mac learning-limit address_limit
Command Mode: INTERFACE

Three options are available with the mac learning-limit command: dynamic, no-station-move, and station-move.

Note: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit no-station-move

The no-station-move option, also known as “sticky MAC,” provides additional port security by preventing a station move. When this option is configured, the first entry in the table is maintained instead of creating a new entry on the new interface. no-station-move is the default behavior. Entries created before this option is set are not affected.
Station Move Violation Actions

Station Move Violation Actions are supported only on platforms: E-Series, C-Series, and S-Series.

Note: On a C-Series or S-Series switch, Station Move Violation actions are supported on interfaces on different line cards; they are not supported on interfaces on the same line card.

no-station-move is the default behavior (refer to mac learning-limit no-station-move).
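To make the learning-limit and station-move rules above concrete, here is an added simulation (not FTOS code) of a MAC address table that enforces a per-interface address limit and distinguishes no-station-move ("sticky MAC", the default) from station-move. The Port and MacTable classes, the event names, and the choice that the setting on the interface where a MAC was first learned decides whether it may move are assumptions made for the simulation; the interface names and MAC addresses are constructed.

```python
"""Simulate a Layer 2 MAC table with mac learning-limit and station-move policy.

Added example, not FTOS code. Assumptions: each interface has its own address limit;
a MAC already learned on an interface configured no-station-move (the default) stays
pinned there and a frame with that source on another interface is a violation; a MAC
learned on a station-move interface may be relearned elsewhere, subject to that
interface's own limit.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Port:
    limit: int                  # mac learning-limit address_limit
    station_move: bool = False  # False = no-station-move (sticky MAC, the default)


@dataclass
class MacTable:
    ports: Dict[str, Port]
    entries: Dict[str, str] = field(default_factory=dict)            # mac -> interface
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # (event, mac, interface)

    def count(self, interface: str) -> int:
        """Number of dynamic entries currently learned on `interface`."""
        return sum(1 for owner in self.entries.values() if owner == interface)

    def learn(self, mac: str, interface: str) -> bool:
        """Process a frame whose source address `mac` arrived on `interface`.

        Returns True when the address is a valid entry on that interface afterwards,
        False when the frame's source was refused (entry not created or not moved)."""
        mac = mac.lower()
        port = self.ports[interface]
        owner = self.entries.get(mac)
        if owner == interface:
            return True                      # already known here: only the aging timer refreshes
        if owner is not None and not self.ports[owner].station_move:
            # sticky MAC: the first entry is kept, no entry is created on the new interface
            self.events.append(("station-move-violation", mac, interface))
            return False
        if self.count(interface) >= port.limit:
            # learning limit reached on this interface: the address is not learned
            self.events.append(("limit-violation", mac, interface))
            return False
        if owner is not None:
            # permitted station move (the case for which an SNMP trap exists)
            self.events.append(("station-move", mac, interface))
        self.entries[mac] = interface
        return True


if __name__ == "__main__":
    table = MacTable({"Gi 1/1": Port(limit=3), "Gi 1/2": Port(limit=2, station_move=True)})
    for mac, iface in [("00:00:00:00:00:0a", "Gi 1/1"), ("00:00:00:00:00:0a", "Gi 1/2")]:
        print(mac, iface, table.learn(mac, iface))
    print(table.events)
```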
Per-VLAN MAC Learning Limit

Per-VLAN MAC Learning Limit is available only on platform: E-Series.

An individual MAC learning limit can be configured for each VLAN using Per-VLAN MAC Learning Limit. One application of Per-VLAN MAC Learning Limit is on access ports. In Figure 28-1, an Internet Exchange Point (IXP) connects multiple Internet Service Providers (ISPs). An IXP can provide several types of services to its customers including public and private peering.
Note: If this command is not configured, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out.

Figure 28-3. Configuring mac-address-table station-move refresh-arp Command
Default Behavior

When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration. If the active server sends a reply, the Dell Force10 switch learns the active server’s MAC address. If all servers reply, the switch registers only the last received ARP reply, and the switch learns one server’s actual MAC address (Figure 28-4); the virtual MAC address is never learned.
Configuring the Switch for Microsoft Server Clustering To preserve failover and balancing, the Dell Force10 switch must learn the cluster’s virtual MAC address, and it must forward traffic destined for the server cluster out all member ports in the VLAN connected to the cluster. To ensure that this happens, you must configure the command ip vlan-flooding on the Dell Force10 switch at the time that the Microsoft cluster is configured (Figure 28-6).
Configuring Redundant Pairs

Configuring Redundant Pairs is supported:
• On physical interfaces on platforms C-Series, E-Series, and S-Series
• On static and dynamic port-channel interfaces on platforms C-Series, E-Series, and S-Series

The Redundant Pairs feature allows you to provide redundancy for Layer 2 links without using Spanning Tree (STP). You create redundant links by configuring pairs of Layer 2 (physical or port-channel) interfaces so that only one interface is up and carries user traffic at any time.
FTOS supports only Gigabit and 10-Gigabit ports and port channels as primary/backup interfaces in redundant pairs. (A port channel is also referred to as a Link Aggregation Group (LAG). Refer to Port Channel Interfaces for more information.) In a redundant pair, any combination of physical and port-channel interfaces is supported as the two interfaces in a redundant pair.
In the following example, interface 3/41 is a backup interface for 3/42, and 3/42 is DOWN as shown in Message 1. If 3/41 fails, 3/42 transitions to the UP state, which makes the backup link active. A message similar to Message 1 appears whenever you configure a backup port.
Restricting Layer 2 Flooding

Restricting Layer 2 Flooding is supported only on platform: E-Series TeraScale.

When Layer 2 multicast traffic must be forwarded on a VLAN that has multiple ports with different speeds on the same port-pipe, forwarding is limited to the speed of the slowest port. Restricted Layer 2 Flooding prevents slower ports from lowering the throughput of multicast traffic on faster ports by restricting flooding to ports with a speed equal to or above a link speed you specify.
Far-end Failure Detection

Far-end Failure Detection is supported only on platform: E-Series.

Far-end Failure Detection (FEFD) is a protocol that senses remote data link errors in a network. It responds by sending a unidirectional report that triggers an echoed response after a specified time interval.

Figure 28-8.
FEFD state changes

FEFD-enabled systems (comprised of one or more interfaces) automatically switch between four different modes: Idle, Unknown, Bi-directional, and Err-disabled.
1. An interface on which FEFD is not configured is in Idle state.
2. Once FEFD is enabled on an interface, it transitions to the Unknown state, and sends an FEFD packet to the remote end of the link.
3.
Configuring FEFD

You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode.

Enable FEFD Globally

To enable FEFD globally on all interfaces, enter the command fefd-global in CONFIGURATION mode. Report interval frequency and mode adjustments can be made by supplementing this command as well.
Step 1: Set up two or more connected interfaces for Layer 2 or Layer 3 use. Command Syntax: ip address ip address, switchport. Command Mode: INTERFACE
Step 2: Activate the necessary ports administratively. Command Syntax: no shutdown. Command Mode: INTERFACE
Step 3: Enable FEFD on each interface. Command Syntax: fefd {disable | interval | mode}. Command Mode: INTERFACE

FTOS(conf-if-gi-1/0)#show config
!
interface GigabitEthernet 1/0
 no ip address
 switchport
 fefd mode normal
 no shutdown
FTOS(conf-if-gi-1/0)#do show fefd | grep 1/0
Gi 1/0      Normal      3      Unknown

Debugging FE
During an RPM Failover

In the event that an RPM failover occurs, FEFD becomes operationally down on all enabled ports for approximately 8-10 seconds before automatically becoming operational again.

02-05-2009 12:40:38 Local7.Debug 10.16.151.12 Feb 5 07:06:09: %RPM1-S:CP %RAM-6-FAILOVER_REQ: RPM failover request from active peer: User request.
02-05-2009 12:40:38 Local7.Debug 10.16.151.
29 Link Layer Discovery Protocol

Link Layer Discovery Protocol is supported only on platforms: C-Series, E-Series, and S-Series.

LLDP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

This chapter contains the following sections:
• 802.1AB (LLDP) Overview
• TIA-1057 (LLDP-MED) Overview
• Configuring LLDP

802.1AB (LLDP) Overview

Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.
TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 29-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Organizationally Specific TLVs

Organizationally specific TLVs can be defined by a professional organization or a vendor. They have two mandatory fields (Figure 29-3) in addition to the basic TLV fields (Figure 29-1):
• Organizationally Unique Identifier (OUI)—a unique number assigned by the IEEE to an organization or vendor.
• OUI Sub-type—These sub-types indicate the kind of information in the following data field. The sub-types are determined by the owner of the OUI.

Figure 29-3.
Table 29-2. Optional TLV Types
Type   TLV                             Description
IEEE 802.3 Organizationally Specific TLVs
127    MAC/PHY Configuration/Status    Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the FTOS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDP-MED implementation.
TIA Organizationally Specific TLVs

The Dell Force10 system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for:
• transmitting an LLDP-MED capabilities TLV to endpoint devices
• storing the information that endpoint devices advertise

Table 29-3, "TIA-1057 (LLDP-MED) Organizationally Specific TLVs," in Link Layer Discovery Protocol describes the five types of TIA-1057 Organizationally Specific TLVs.

Table 29-3.
LLDP-MED Capabilities TLV

The LLDP-MED Capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support.
• LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• The value of the LLDP-MED Capabilities field in the TLV is a 2 octet bitmap (Figure 29-4); each bit represents an LLDP-MED capability (Table 29-4, "FTOS LLDP-MED Capabilities," in Link Layer Discovery Protocol).
LLDP-MED Network Policies TLV

A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations, specifically:
• VLAN ID
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value

The application type is represented by an integer (the Type integer in Table 29-6, "Network Policy Applications," in Link Layer Discovery Protocol), which indicates a device function for which a unique network policy is defined.
Figure 29-5. LLDP-MED Policies TLV (field layout, in order)
  TLV Type (127): 7 bits
  TLV Length (8): 9 bits
  Organizationally Unique ID (00-12-BB): 3 octets
  Organizationally Defined Sub-type (2): 1 octet
  Application Type (0-255): 1 octet
  U, T, X (0): 3 bits
  VLAN ID (0-4095): 12 bits
  L2 Priority (0-7): 3 bits
  DSCP Value (0-63): 6 bits

Extended Power via MDI TLV

The Extended Power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices.
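The following decoder is an added example, not FTOS or IEEE reference code. It walks an LLDPDU using the basic TLV header of Figure 29-1 (7-bit type, 9-bit length), extracts the LLDP-MED Network Policy TLV exactly as laid out in Figure 29-5, and keeps the kind of counters that show lldp neighbors detail reports (unrecognized and discarded TLVs). The basic TLV type numbers 1 (Chassis ID), 2 (Port ID), 3 (Time To Live) and 0 (End of LLDPDU) are the IEEE 802.1AB values; the sample LLDPDU is constructed, with a TTL of 120 seconds (a 30-second hello times the default multiplier of 4).

```python
"""Decode an LLDPDU into its TLVs and pull out the LLDP-MED Network Policy TLV of Figure 29-5.

Added example, not FTOS code. TLV header per Figure 29-1: 7-bit type, 9-bit length, then value.
TLV types 0/1/2/3 are the IEEE 802.1AB basic TLVs; the sample frame below is constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TIA_OUI = bytes.fromhex("0012bb")   # Organizationally Unique ID 00-12-BB (Figure 29-5)
MED_NETWORK_POLICY = 2             # Organizationally Defined Sub-type for Network Policy


@dataclass
class NetworkPolicy:
    application_type: int   # 1 octet, 0-255
    unknown_policy: bool    # U bit
    tagged: bool            # T bit
    vlan_id: int            # 12 bits, 0-4095
    l2_priority: int        # 3 bits, 0-7
    dscp: int               # 6 bits, 0-63


@dataclass
class Lldpdu:
    chassis_id: bytes = b""
    port_id: bytes = b""
    ttl: Optional[int] = None
    policies: List[NetworkPolicy] = field(default_factory=list)
    unrecognized_tlvs: int = 0   # like "Total Unrecognized TLVs" in show lldp neighbors detail
    discarded_tlvs: int = 0      # malformed or truncated TLVs, like "Total TLVs Discarded"


def decode_network_policy(value: bytes) -> NetworkPolicy:
    """Value of a type-127 TLV: OUI(3) sub-type(1) application type(1), then 24 bits of
    U | T | X | VLAN ID(12) | L2 Priority(3) | DSCP(6), most significant bit first."""
    if len(value) != 8 or value[:3] != TIA_OUI or value[3] != MED_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    bits = int.from_bytes(value[5:8], "big")
    if (bits >> 21) & 1:
        raise ValueError("reserved X bit must be 0")
    return NetworkPolicy(
        application_type=value[4],
        unknown_policy=bool((bits >> 23) & 1),
        tagged=bool((bits >> 22) & 1),
        vlan_id=(bits >> 9) & 0xFFF,
        l2_priority=(bits >> 6) & 0x7,
        dscp=bits & 0x3F,
    )


def parse_lldpdu(frame: bytes) -> Lldpdu:
    """Walk the TLVs of one LLDPDU; never read past the frame, count what cannot be used."""
    pdu = Lldpdu()
    offset = 0
    while offset + 2 <= len(frame):
        (header,) = struct.unpack_from("!H", frame, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == 0:                    # End of LLDPDU: stop, ignore trailing bytes
            break
        if offset + length > len(frame):     # declared length runs past the frame: drop, stop
            pdu.discarded_tlvs += 1
            break
        value = frame[offset:offset + length]
        offset += length
        if tlv_type == 1:
            pdu.chassis_id = value
        elif tlv_type == 2:
            pdu.port_id = value
        elif tlv_type == 3:
            if length != 2:
                pdu.discarded_tlvs += 1
            else:
                (pdu.ttl,) = struct.unpack("!H", value)
        elif tlv_type == 127 and value[:4] == TIA_OUI + bytes([MED_NETWORK_POLICY]):
            try:
                pdu.policies.append(decode_network_policy(value))
            except ValueError:
                pdu.discarded_tlvs += 1
        else:
            pdu.unrecognized_tlvs += 1       # any other optional or organizationally specific TLV
    return pdu


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two octets, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed LLDPDU: chassis id (subtype 4 = MAC address), port id (subtype 5 = interface
# name), TTL 120 s (30 s hello x default multiplier 4), one Network Policy TLV, end marker.
POLICY_BITS = (1 << 22) | (100 << 9) | (5 << 6) | 46   # T=1, VLAN 100, priority 5, DSCP 46
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("0001e809c24a"))
    + tlv(2, b"\x05" + b"Gi 1/21")
    + tlv(3, struct.pack("!H", 30 * 4))
    + tlv(127, TIA_OUI + bytes([MED_NETWORK_POLICY, 1]) + POLICY_BITS.to_bytes(3, "big"))
    + tlv(0, b"")
)

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_LLDPDU))
```

The decoder trusts nothing in the frame beyond the two header octets it has already bounds-checked: a TLV whose length field points past the end of the frame is counted and parsing stops, which is the behaviour you want on a port that receives LLDPDUs from untrusted neighbours.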
Configuring LLDP

Configuring LLDP is a two-step process:
1. Enabling LLDP.
2. Advertising TLVs.

Related Configuration Tasks
• Viewing the LLDP Configuration
• Viewing Information Advertised by Adjacent LLDP Agents
• Configuring LLDPDU Intervals
• Configuring Transmit and Receive Mode
• Configuring a Time to Live
• Debugging LLDP

Important Points to Remember
• LLDP is disabled by default.
• Dell Force10 systems support up to 8 neighbors per interface.
CONFIGURATION versus INTERFACE Configurations

All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of CONFIGURATION mode and INTERFACE mode.
• Configurations made at CONFIGURATION level are global, that is, they affect all interfaces on the system.
• Configurations made at INTERFACE level affect only the specific interface, and they override CONFIGURATION level configurations.
Advertising TLVs

You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces.
• If you configure the system globally, all interfaces will send LLDPDUs with the specified TLVs.
• If you configure an interface, only the interface will send LLDPDUs with the specified TLVs.
If LLDP is configured both globally and at interface level, the interface level configuration overrides the global configuration.
Viewing All Information Advertised by Adjacent LLDP Agent

R1#show lldp neighbors detail
========================================================================
Local Interface Gi 1/21 has 1 neighbor
  Total Frames Out: 6547
  Total Frames In: 4136
  Total Neighbor information Age outs: 0
  Total Frames Discarded: 0
  Total In Error Frames: 0
  Total Unrecognized TLVs: 0
  Total TLVs Discarded: 0
  Next packet will be sent after 7 seconds
  The neighbors are given below:
  ------------------------------------------------------
Configuring a Time to Live

The information received from a neighbor expires after a specific amount of time (measured in seconds) called a Time to Live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds. Adjust the TTL value—at CONFIGURATION level or INTERFACE level—using the command multiplier. Return to the default multiplier value using the command no multiplier.
Debugging LLDP

The command debug lldp enables you to view the TLVs that your system is sending and receiving.
• Use the debug lldp brief command to view a readable version of the TLVs.
• Use the debug lldp detail command to view a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.

Figure 29-8.
Relevant Management Objects

FTOS supports all IEEE 802.1AB MIB objects.
• Table 29-7 lists the objects associated with received and transmitted TLVs.
• Table 29-8, "LLDP System MIB Objects," in Link Layer Discovery Protocol lists the objects associated with the LLDP configuration on the local agent.
• Table 29-9, "LLDP 802.1 Organizationally Specific TLV MIB Objects," in Link Layer Discovery Protocol lists the objects associated with IEEE 802.
Table 29-8.
Table 29-9. LLDP 802.1 Organizationally Specific TLV MIB Objects
TLV Type   TLV Name                    TLV Variable                        System   LLDP MIB Object
127        Port-VLAN ID                PVID                                Local    lldpXdot1LocPortVlanId
                                                                           Remote   lldpXdot1RemPortVlanId
127        Port and Protocol VLAN ID   port and protocol VLAN supported    Local
                                       port and protocol VLAN enabled
                                       PPVID
127        VLAN Name                   VID
                                       VLAN name length
                                       VLAN name

Table 29-10.
30 Multicast Listener Discovery

Multicast Listener Discovery is supported only on platform: E-Series.
MLD Snooping is supported only on platform: E-Series.

Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Figure 30-1 shows the packet structure of MLD version 1 packets.
• Maximum Response Delay—the maximum amount of time that the Querier waits to receive a response to a General or Multicast-Address-Specific Query. The value is zero in reports and Done messages.
• Multicast Address—set to zero in General Queries, and set to the relevant multicast address in multicast-address-specific queries and Done messages.

Figure 30-1.
Leaving a Multicast Group

A receiver that is no longer interested in traffic for a particular group should leave the group by sending a Done message to the link-scope all-routers multicast address, FF02::02. When a Querier receives a Done message, it sends a Multicast-Address-Specific Query addressed to the relevant multicast group. Hosts still interested in receiving traffic for that group respond (according to the suppression mechanism) so that the group table entry is maintained.
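As an added example (not FTOS code), the following parser decodes MLD version 1 messages with the two fields described above, enforces the field rules the text states (Maximum Response Delay is zero in Reports and Done messages; the Multicast Address is zero only in a General Query), and models the Querier's reaction to a Done message: it is acted on only when addressed to the all-routers group, and the reply is a Multicast-Address-Specific Query whose Maximum Response Delay is the Last Listener Query Interval. The ICMPv6 type values 130 (Query), 131 (Report) and 132 (Done) are from RFC 2710; the sample messages are constructed, and the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header, which is outside this example.

```python
"""Parse and sanity-check MLD version 1 messages and model the Done / Query exchange.

Added example, not FTOS code. ICMPv6 types 130/131/132 are from RFC 2710. The checksum
field is neither computed nor verified here (it covers an IPv6 pseudo-header).
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address

MLD_QUERY, MLD_REPORT, MLD_DONE = 130, 131, 132
ALL_ROUTERS = IPv6Address("ff02::2")   # link-scope all-routers group, destination of Done
UNSPECIFIED = IPv6Address("::")


@dataclass(frozen=True)
class MldMessage:
    kind: str                   # general-query | multicast-address-specific-query | report | done
    max_response_delay_ms: int  # Maximum Response Delay field (meaningful in queries only)
    group: IPv6Address          # Multicast Address field


def parse_mld_v1(payload: bytes) -> MldMessage:
    """Decode the ICMPv6 payload: type(1) code(1) checksum(2) max resp delay(2) reserved(2) address(16)."""
    if len(payload) < 24:
        raise ValueError("MLDv1 message is 24 octets; got %d" % len(payload))
    msg_type, _code, _checksum, mrd, _reserved = struct.unpack_from("!BBHHH", payload, 0)
    group = IPv6Address(payload[8:24])
    if msg_type == MLD_QUERY:
        kind = "general-query" if group == UNSPECIFIED else "multicast-address-specific-query"
    elif msg_type == MLD_REPORT:
        kind = "report"
    elif msg_type == MLD_DONE:
        kind = "done"
    else:
        raise ValueError("not an MLDv1 message: ICMPv6 type %d" % msg_type)
    # Field rules from the packet description: MRD is zero in Reports and Done messages,
    # and the Multicast Address is zero only in General Queries.
    if kind in ("report", "done") and mrd != 0:
        raise ValueError("Maximum Response Delay must be zero in a %s" % kind)
    if kind != "general-query" and not group.is_multicast:
        raise ValueError("Multicast Address must be a multicast group in a %s" % kind)
    return MldMessage(kind, mrd, group)


def build_mld_v1(msg_type: int, max_response_delay_ms: int, group: str) -> bytes:
    """Construct an MLDv1 message (checksum left at zero, see module docstring)."""
    return struct.pack("!BBHHH", msg_type, 0, 0, max_response_delay_ms, 0) + IPv6Address(group).packed


def querier_reaction(done_payload: bytes, dst: str, last_listener_query_interval_ms: int) -> bytes:
    """What a Querier does with a received Done message: ignore anything that is not a Done
    sent to ff02::2, otherwise answer with a Multicast-Address-Specific Query for that group
    whose Maximum Response Delay is the Last Listener Query Interval."""
    done = parse_mld_v1(done_payload)
    if done.kind != "done" or IPv6Address(dst) != ALL_ROUTERS:
        raise ValueError("not a Done message addressed to the all-routers group")
    return build_mld_v1(MLD_QUERY, last_listener_query_interval_ms, str(done.group))


if __name__ == "__main__":
    done = build_mld_v1(MLD_DONE, 0, "ff05::1234")              # constructed Done message
    print(parse_mld_v1(done))
    print(parse_mld_v1(querier_reaction(done, "ff02::2", 1000)))
```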
Figure 30-3.
Change MLD Timer Values
All non-queriers have a timer that is refreshed when they hear a General Query. If the timer expires, then the router can assume that the Querier is not present, and so it assumes the role of Querier. The Other Querier Present Interval, or Querier Timeout Interval, is the amount of time that passes before a non-querier router assumes that there is no longer a Querier on the link.
Task: Adjust the querier-timeout value.
Last Member Query Interval
The Querier sends a Multicast-Address-Specific Query upon receiving a Done message to ascertain whether there are any remaining receivers for a group. The Last Listener Query Interval is the Maximum Response Delay for a Multicast-Address-Specific Query, and also the amount of time between Multicast-Address-Specific Query retransmissions.
Display the MLD Group Table
Task: Display MLD groups. Group information can be filtered; refer to the FTOS Command Line Reference for the options available with this command.
Command Syntax: show ipv6 mld {groups | interface}
Command Mode: EXEC Privilege
Clear MLD Groups
Clear a specific group or all groups on an interface from the multicast routing table using the command clear ipv6 mld groups from EXEC Privilege mode.
Change the MLD Version
Task: Change the MLD version.
Disable MLD Snooping on a VLAN
When MLD is enabled globally, it is by default enabled on all VLANs. Disable snooping on a VLAN using the command no ipv6 mld snooping from INTERFACE VLAN mode. Note that under the default configuration there is no need to configure ipv6 mld snooping for any VLAN.
Configure the Switch as a Querier
Hosts that do not support unsolicited reporting wait for a general query before sending a membership report.
Enable Snooping Explicit Tracking
The switch can be a querier, and therefore also has the option of updating the group table through explicit tracking (refer to Explicit Tracking). Whether the switch is the Querier or not, if snooping is enabled, the switch tracks all MLD joins. It has a separate explicit-tracking table which contains group, source, interface, VLAN and reporter details.
Task: Configure the system to remove a group immediately after receiving a Leave message.
In Figure 30-4, the host on Port 1 sends an exclude—that is, exclude nothing—report to join group G and receive traffic from all transmitting sources for the group. FTOS creates a (*,G) entry and lists Port 1 in the outgoing interface list. The host on Port 3 sends an include report to join the same group G, but receive traffic from only source S. FTOS creates a (S,G) entry and could list Port 3 as the outgoing interface.
31 Multicast Source Discovery Protocol
Multicast Source Discovery Protocol is supported only on platform: e
MSDP addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
Protocol Overview
Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP.
Each RP advertises each (S,G) in its domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the "Entry Count" field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected.
Figure 31-2. MSDP SA Message Format (TCP Dest. Port 639; Type Code legend 1 through 7)
Related Configuration Tasks
• Enable MSDP
• Manage the Source-active Cache
• Accept Source-active Messages that fail the RPF Check
• Limit the Source-active Messages from a Peer
• Prevent MSDP from Caching a Local Source
• Prevent MSDP from Caching a Remote Source
• Prevent MSDP from Advertising a Local Source
• Terminate a Peership
• Clear Peer Statistics
• Debug MSDP
• MSDP with Anycast RP
• MSDP Sample Configurations
Figure 31-3.
Figure 31-3. Configuring OSPF and BGP for MSDP (AS 100 Area 0 and AS 200 Area 0; routers R2, R3, R4; hosts PC 2 and PC 3; BGP peering between the two ASs; interfaces 2/1, 2/11, 2/31, 3/21, 3/41, 4/31, 1/21, 1/2)
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 update-source Loopback 0
 neighbor 192.168.0.3 no shutdown
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.4/32 area 0
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.
Figure 31-6. Configuring MSDP
R2_E300(conf)#do show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
       M - MSDP created entry, A - Candidate for MSDP Advertisement
       K - Ack-Pending State
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
PC 3 Receiver: 239.0.0.
State: Established
Up/Down Time: 00:15:20
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 8/0
SAs learned from this peer: 1
SA Filtering:
 Input (S,G) filter: none
 Output (S,G) filter: none
Multicast sources in remote domains are stored on the RP in the Source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
Clear the Source-active Cache
Task: Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Command Syntax: clear ip msdp sa-cache [group-address | local | rejected-sa]
Command Mode: CONFIGURATION
Enable the Rejected Source-active Cache
Active sources can be rejected because:
• the RPF check failed,
• the SA limit is reached,
• the peer RP is unreachable, or
• because of an SA message format error.
Task: Cache rejected sources.
Figure 31-7. MSDP Default Peer (Scenario 1 and Scenario 2: RP2, RP3, RP4, RP5; active sources (S2, G2) through (S5, G5); MSDP peerships, with a peership failure in one scenario)
Task: Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check.
Command Syntax: ip msdp default-peer ip-address list
Command Mode: CONFIGURATION
FTOS(conf)#ip msdp peer 10.0.50.2 connect-source Vlan 50
FTOS(conf)#ip msdp default-peer 10.0.50.
Prevent MSDP from Caching a Local Source
You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs.
Task: OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache.
Command Syntax: ip msdp cache-rejected-sa
Command Mode: CONFIGURATION
Prevent the system from caching local SA entries based on source and group using an extended ACL.
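The SA-cache decisions described in the sections above (peer-RPF check, default peer, per-peer SA limit, inbound SA filter, and the rejected-SA cache) as an added Python model. This is example code written for this page, not FTOS code: the RPF lookup is a constructed table mapping each originating RP to the one peer that passes the check, an RP with no entry stands in for the "peer RP unreachable" case, the SA filter is a plain list of denied (group, source) pairs rather than an extended ACL, and the reason strings and the clear() helper are this example's own names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SourceActive:
    """One (S,G) entry carried in an MSDP SA message, plus the originating RP."""
    group: str
    source: str
    rp: str


@dataclass
class MsdpSaCache:
    """Constructed model of how an RP decides whether a learned SA is cached.

    rpf_peer_for_rp maps each originating RP to the single peer from which SAs
    pass the peer-RPF check (a real router derives this from the unicast/BGP
    path). An RP with no entry is treated as unreachable.
    """
    rpf_peer_for_rp: Dict[str, str]
    default_peer: Optional[str] = None                 # ip msdp default-peer
    sa_limit: Optional[int] = None                     # per-peer cap on cached SAs
    sa_filter_in: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    cache_rejected: bool = False                       # ip msdp cache-rejected-sa
    sa_cache: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (G,S) -> learned from
    rejected_sa: List[Tuple[SourceActive, str]] = field(default_factory=list)

    def receive_sa(self, peer: str, sa: SourceActive) -> str:
        """Apply the checks in order; return 'accepted' or the rejection reason."""
        reason = self._check(peer, sa)
        if reason == "accepted":
            self.sa_cache[(sa.group, sa.source)] = peer
        elif self.cache_rejected:
            self.rejected_sa.append((sa, reason))   # kept for show ip msdp sa-cache rejected-sa
        return reason

    def _check(self, peer: str, sa: SourceActive) -> str:
        # A default peer is trusted without regard for the RPF check.
        if peer != self.default_peer:
            rpf_peer = self.rpf_peer_for_rp.get(sa.rp)
            if rpf_peer is None:
                return "rp-unreachable"
            if rpf_peer != peer:
                return "rpf-check-failed"
        # Inbound filter for this peer (ip msdp sa-filter in <peer> list <acl>).
        if (sa.group, sa.source) in self.sa_filter_in.get(peer, []):
            return "sa-filter-in"
        # The SA limit counts entries already learned from this peer.
        if self.sa_limit is not None and (sa.group, sa.source) not in self.sa_cache:
            learned = sum(1 for p in self.sa_cache.values() if p == peer)
            if learned >= self.sa_limit:
                return "sa-limit-reached"
        return "accepted"

    def clear(self, group: Optional[str] = None, rejected: bool = False) -> int:
        """Model of clear ip msdp sa-cache [group-address | rejected-sa]; returns entries removed."""
        if rejected:
            n = len(self.rejected_sa)
            self.rejected_sa.clear()
            return n
        keys = [k for k in self.sa_cache if group is None or k[0] == group]
        for k in keys:
            del self.sa_cache[k]
        return len(keys)


def r3_scenario() -> MsdpSaCache:
    """Constructed replay of the Router 3 example: the inbound filter from peer
    192.168.0.1 denies (239.0.0.1, 10.11.4.2), so the SA cache stays empty."""
    r3 = MsdpSaCache(rpf_peer_for_rp={"192.168.0.1": "192.168.0.1"},
                     sa_filter_in={"192.168.0.1": [("239.0.0.1", "10.11.4.2")]},
                     cache_rejected=True)
    r3.receive_sa("192.168.0.1", SourceActive("239.0.0.1", "10.11.4.2", "192.168.0.1"))
    return r3


if __name__ == "__main__":
    r3 = r3_scenario()
    print("cached:", r3.sa_cache, "rejected:", [(sa.group, why) for sa, why in r3.rejected_sa])
```

Because the rejected-SA cache records the reason, it is the quickest way to tell a filter that is too broad from a peer whose SAs are failing the RPF check.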
[Router 3]
R3_E600(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
ip msdp sa-filter in 192.168.0.1 list myremotefilter
R3_E600(conf)#do show run acl
!
ip access-list extended myremotefilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.2
R3_E600(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr SourceAddr RPAddr LearnedFrom
239.0.0.1 10.11.4.2 192.168.0.1 192.168.0.
GroupAddr SourceAddr RPAddr LearnedFrom Expire UpTime
239.0.0.1 10.11.4.2 192.168.0.1 192.168.0.1 1 00:10:29
[Router 3]
R3_E600(conf)#do show ip msdp sa-cache
R3_E600(conf)#
Display the configured SA filters for a peer using the command show ip msdp peer from EXEC Privilege mode (refer to the example above).
Log Changes in Peership States
Task: Log peership state changes.
SAs learned from this peer: 0
SA Filtering:
 Input (S,G) filter: none
 Output (S,G) filter: none
Clear Peer Statistics
Task: Reset the TCP connection to the peer and clear all peer statistics.
Command Syntax: clear ip msdp peer peer-address
Command Mode: CONFIGURATION
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
MSDP with Anycast RP
Anycast RP uses MSDP with PIM-SM to allow more than one active group-to-RP mapping. PIM-SM allows only one active group-to-RP mapping, which has several implications:
• traffic concentration: PIM-SM allows only one active group-to-RP mapping, which means that all traffic for the group must, at least initially, travel over the same part of the network.
To configure Anycast RP:
Step 1
Task: In each routing domain that will have multiple RPs serving a group, create a loopback interface on each RP serving the group with the same IP address.
Command Syntax: interface loopback
Command Mode: CONFIGURATION
Step 2
Task: Make this address the RP for the group.
Command Syntax: ip pim rp-address
Command Mode: CONFIGURATION
Step 3
Task: In each routing domain that will have multiple RPs serving a group, create another loopback interface on each RP serving the group with a unique IP address.
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.11/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.22/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.11 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.23
ip route 192.168.0.22/32 10.11.0.23
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4
MSDP Sample Configurations
The following examples show the running-configurations for the routers shown in Figure 31-4, Figure 31-5, and Figure 31-6.
MSDP Sample Configuration: R2 Running-config
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.
32 Multiple Spanning Tree Protocol
Multiple Spanning Tree Protocol is supported on platforms: c e s
MSTP addressing is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
Protocol Overview
Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
FTOS supports three other variations of Spanning Tree, as shown in Table 44.
Table 32-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term | IEEE Specification
Spanning Tree Protocol | 802.1d
Rapid Spanning Tree Protocol | 802.1w
Multiple Spanning Tree Protocol | 802.1s
Per-VLAN Spanning Tree Plus | Third Party
Implementation Information
• The FTOS MSTP implementation is based on IEEE 802.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP:
Step 1
Task: Enter PROTOCOL MSTP mode.
Command Syntax: protocol spanning-tree mstp
Command Mode: CONFIGURATION
Step 2
Task: Enable MSTP.
Command Syntax: no disable
Command Mode: PROTOCOL MSTP
Verify that MSTP is enabled using the show config command from PROTOCOL MSTP mode, as shown in the following example.
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. View to which instance a VLAN is mapped using the command show spanning-tree mst vlan from EXEC Privilege mode, as shown in the example in Interoperate with Non-FTOS Bridges.
Influence MSTP Root Selection
MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it will become the root bridge. To change the bridge priority:
Task: Assign a number as the bridge priority. A lower number increases the probability that the bridge becomes the root bridge.
To change the region name or revision:
Task: Change the region name.
Command Syntax: name name
Command Mode: PROTOCOL MSTP
Task: Change the region revision number. Range: 0 to 65535. Default: 0.
Command Syntax: revision number
Command Mode: PROTOCOL MSTP
View the current region name and revision using the command show spanning-tree mst configuration from EXEC Privilege mode, as shown in the following example.
Task: Change the hello-time parameter.
Command Syntax: hello-time seconds
Command Mode: PROTOCOL MSTP
Task: Change the max-age parameter. Range: 6 to 40. Default: 20 seconds.
Command Syntax: max-age seconds
Command Mode: PROTOCOL MSTP
Task: Change the max-hops parameter. Range: 1 to 40. Default: 20.
Command Syntax: max-hops number
Command Mode: PROTOCOL MSTP
Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time.
Table 32-2, "MSTP Default Port Cost Values," in Multiple Spanning Tree Protocol lists the default values for port cost by interface.
Table 32-2. MSTP Default Port Cost Values
Configure an EdgePort
The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
Flush MAC Addresses after a Topology Change
FTOS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the command tc-flush-standard, which flushes MAC addresses upon every topology change notification.
Router 1 Running-configuration
protocol spanning-tree mstp
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
!
interface GigabitEthernet 1/21
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
Router
spanning-tree MSTi vlan 2 200
spanning-tree MSTi vlan 2 300
interface 1/0/31
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
interface 1/0/32
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
interface vlan 100
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 200
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 300
tagged 1/0/31
tagged 1/0/32
exit
Debugging and Verifying MSTP Configuration
Display BPDUs using the command debug spanning-tree mstp bpdu from EXEC
Examine your individual routers to ensure all the necessary parameters match.
1. Region Name
2. Region Version
3. VLAN to Instance mapping
The show spanning-tree mst commands will show various portions of the MSTP configuration. To view the overall MSTP configuration on the router, use the show running-configuration spanning-tree mstp in the EXEC Privilege mode (refer to Sample Output for show running-configuration spanning-tree mstp command).
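The three parameters listed above (region name, revision, VLAN-to-instance mapping) are what bridges compare, and the mapping is compared as the MST Configuration Digest, an HMAC-MD5 over the full VID-to-MSTID table that IEEE 802.1s defines with a fixed, published key. The following added Python example, written for this page and not part of FTOS, computes that digest from the MSTI lines of a running-configuration and reports which bridges would fall out of the region. The parsing of "MSTI n VLAN list" and "name"/"revision" lines follows the configuration syntax shown in this chapter; the sample configurations and the treatment of a missing name or revision as "" and 0 are assumptions of the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# MST Configuration Digest signature key, a published constant from IEEE 802.1s.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

RegionId = Tuple[str, int, str]   # (region name, revision, configuration digest)


def mst_config_digest(vlan_to_msti: Dict[int, int]) -> str:
    """HMAC-MD5 over the VID-to-MSTID table: 4096 two-byte big-endian entries
    for VIDs 0..4095. VLANs not listed stay in MSTID 0, the CIST."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not (0 <= vid <= 4095 and 0 <= msti <= 4094):
            raise ValueError(f"invalid mapping VLAN {vid} -> MSTI {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def parse_ftos_msti(config: str) -> Dict[int, int]:
    """Parse FTOS 'MSTI <n> VLAN <list>' lines; the list may use commas and
    ranges, as in 100, 200,300 or 200-300."""
    mapping: Dict[int, int] = {}
    for m in re.finditer(r"^\s*MSTI\s+(\d+)\s+VLAN\s+([\d,\-]+)\s*$", config, re.MULTILINE):
        msti = int(m.group(1))
        for part in m.group(2).split(","):
            lo, _, hi = part.partition("-")
            for vid in range(int(lo), int(hi or lo) + 1):
                mapping[vid] = msti
    return mapping


def parse_ftos_mstp(config: str) -> RegionId:
    """Region identity from a 'protocol spanning-tree mstp' block. A missing
    name or revision is taken as '' and 0 (an assumption of this example)."""
    name = re.search(r"^\s*name\s+(\S+)\s*$", config, re.MULTILINE)
    rev = re.search(r"^\s*revision\s+(\d+)\s*$", config, re.MULTILINE)
    return (name.group(1) if name else "",
            int(rev.group(1)) if rev else 0,
            mst_config_digest(parse_ftos_msti(config)))


def region_mismatches(bridges: Dict[str, str]) -> List[str]:
    """Names of bridges whose region identity differs from the first bridge's."""
    ids = {host: parse_ftos_mstp(cfg) for host, cfg in bridges.items()}
    reference = next(iter(ids.values()))
    return [host for host, rid in ids.items() if rid != reference]


# Constructed sample configurations in the FTOS syntax used in this chapter.
ROUTER1 = """protocol spanning-tree mstp
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
"""
# Same name and revision, but 200-300 puts 101 VLANs in MSTI 2 instead of two.
ROUTER2 = ROUTER1.replace("MSTI 2 VLAN 200,300", "MSTI 2 VLAN 200-300")

if __name__ == "__main__":
    for host, cfg in {"Router1": ROUTER1, "Router2": ROUTER2}.items():
        print(host, parse_ftos_mstp(cfg))
    print("mismatched:", region_mismatches({"Router1": ROUTER1, "Router2": ROUTER2}))
```

The digest makes the failure mode visible: "200,300" and "200-300" look alike in a configuration listing, yet produce different digests, so the two bridges form separate regions and every VLAN between them is carried by the CIST rather than the intended instances.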
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: Tahiti, Rev: 123, Int Root Path Cost: 0
Rem Hops: 20, Bridge Id: 32768:0001.e806.953e
4w0d4h :
INST 1: Flags: 0x6e, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
Brg/Port Prio: 32768/128, Rem Hops: 20
INST 2: Flags: 0x6e, Reg Root: 32768:0001.e806.
33 Multicast Features
Multicast Features are supported on platforms: c e s
Multicast is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
Enable IP Multicast
Enable IP Multicast is supported on platforms: c e s
Prior to enabling any multicast protocols, you must enable multicast routing.
Task: Enable multicast routing.
Command Syntax: ip multicast-routing
Command Mode: CONFIGURATION
Multicast with ECMP
Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal cost links.
Implementation Information
• Because protocol control traffic in FTOS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, FTOS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper five bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.
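The 32-to-1 mapping described above, as an added Python example (written for this page, not FTOS code). It computes the Ethernet multicast address for an IPv4 group, enumerates the 32 groups that share it, and flags groups that collide with the link-local control range 224.0.0.0/24, the case in which data traffic might be forwarded to the CPU alongside control traffic. The function names and the collision check are this example's own.

```python
import ipaddress
from typing import List

# 01:00:5e:00:00:00, the IANA-assigned base for IPv4 multicast MAC addresses.
MCAST_MAC_BASE = 0x01005E000000


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group address to its Ethernet multicast MAC address.

    Only the low-order 23 bits of the group address are copied into the MAC;
    the 4-bit 1110 class-D prefix and the 5 bits after it are discarded.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MCAST_MAC_BASE | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliased_groups(group: str) -> List[str]:
    """Return the 32 IPv4 multicast groups that share this group's MAC address.

    The 5 discarded bits (bits 23..27 of the 32-bit address) may take any
    value while the 1110 prefix and the low 23 bits stay fixed.
    """
    addr = int(ipaddress.IPv4Address(group))
    if (addr >> 28) != 0b1110:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    base = addr & ~(0x1F << 23)          # clear the five dropped bits
    return [str(ipaddress.IPv4Address(base | (i << 23))) for i in range(32)]


def collides_with_control_range(group: str) -> bool:
    """True if a data group shares its MAC address with a link-local control
    group in 224.0.0.0/24, so its frames may also take the CPU path."""
    control = ipaddress.IPv4Network("224.0.0.0/24")
    return any(ipaddress.IPv4Address(g) in control for g in aliased_groups(group))


if __name__ == "__main__":
    for g in ("224.0.0.1", "239.128.0.1", "239.1.1.1"):
        flag = "collides with 224.0.0.0/24" if collides_with_control_range(g) else "ok"
        print(f"{g:<14} {multicast_mac(g)}  {flag}")
```

When choosing group addresses for an application, running candidate groups through collides_with_control_range() is a cheap way to avoid the 32 aliases of each link-local control group.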
Limit the Number of Multicast Routes
Task: Limit the total number of multicast routes on the system.
Command Syntax: ip multicast-limit (Range: 1-50000; Default: 15000)
Command Mode: CONFIGURATION
When the limit is reached, FTOS does not process any IGMP or MLD joins to PIM—though it still processes leave messages—until the number of entries decreases below 95% of the limit.
FTOS Behavior: Do not enter the command ip igmp access-group before creating the access-list. If you do, upon entering your first deny rule, FTOS clears the multicast routing table and re-learns all groups, even those not covered by the rules in the access-list, because there is an implicit deny all rule at the end of all access-lists. Therefore, configuring an IGMP join request filter in this order might result in data loss.
Prevent a PIM Router from Forming an Adjacency
To prevent a router from participating in Protocol Independent Multicast (PIM) (for example, to configure stub multicast routing), use the ip pim neighbor-filter command from INTERFACE mode.
Prevent a Source from Registering with the RP
Use the command ip pim register-filter from CONFIGURATION mode to prevent a source from transmitting to a particular group.
Prevent a PIM Router from Processing a Join
Permit or deny PIM Join/Prune messages on an interface using an extended IP access list. Use the command ip pim join-filter to prevent the PIM SM router from creating state based on multicast source and/or group.
Prevent an IPv6 Source from Registering with the RP
Task: Configured on the source DR, prevent the source DR from sending register packets to the RP for specific sources and groups.
Task: Print the network path that a multicast packet takes from a multicast source to a receiver, for a particular group.
Command Syntax: mtrace multicast-source-address multicast-receiver-address multicast-group-address
Command Mode: EXEC Privilege
FTOS#mtrace 10.11.5.2 10.11.3.2 239.0.0.1
Type Ctrl-C to abort.
Mtrace from 10.11.5.2 to 10.11.3.2 via group 239.0.0.1
From source (?) to destination (?)
Querying full reverse path...
 0 10.11.3.2
-1 10.11.3.1 PIM Reached RP/Core [default]
-2 10.11.5.
Allocate More Buffer Memory for Multicast WRED
Allocate more buffer memory to multicast WRED (Weighted Random Early Detection) for bursty multicast traffic that might temporarily become oversubscribed. For example, the example WRED profile in Display Default and Configured WRED Profiles allocates multicast traffic a minimum of 40 megabytes (out of 80 megabytes) of buffer memory and up to 60 megabytes.
34 Object Tracking
IPv4/IPv6 Object Tracking is available on platforms: c e s
This chapter covers the following information:
• Object Tracking Overview
• Object Tracking Configuration
• Displaying Tracked Objects
Object tracking allows FTOS client processes, such as VRRP, to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Note: In release 8.4.1.0, object tracking is supported only on VRRP.
You can create a tracked object to monitor the metric of the default route 0.0.0.0/0. After you configure the default route as a tracked object, you can configure the VRRP group to track the state of the route. In this way, through its VRRP priority, the router with the better metric as determined by OSPF automatically becomes master of the VRRP group.
Tracking Layer 3 Interfaces
You can create an object that tracks the Layer 3 state (IPv4 or IPv6 routing status) of an interface.
• The Layer 3 status of an interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
• The Layer 3 status of an interface goes DOWN when its Layer 2 status goes down or the IP address is removed from the routing table.
• If the scaled metric for a route is greater than or equal to the DOWN threshold or the route is not entered in the routing table, the state of a route is DOWN.
The UP and DOWN thresholds are user-configurable for each tracked route. The default UP threshold is 254; the default DOWN threshold is 255. The notification of a change in the state of a tracked object is sent when a metric value crosses a configured threshold.
Object Tracking Configuration
You can configure the following types of object tracking for a client:
• Tracking a Layer 2 Interface
• Tracking a Layer 3 Interface
• Tracking an IPv4/IPv6 Route
For a complete listing of all commands related to object tracking, refer to the FTOS Command Line Interface.
Tracking a Layer 2 Interface
You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
FTOS(conf)#track 100 interface gigabitethernet 7/1 line-protocol
FTOS(conf-track-100)#delay up 20
FTOS(conf-track-100)#description San Jose data center
FTOS(conf-track-100)#end
FTOS#show track 100
Track 100
 Interface GigabitEthernet 7/1 line-protocol
 Description: San Jose data center
 Line protocol is Up
 2 changes, last change 00:03:05
 Tracked by:
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
Step 1
Task: Configure object tracking on the routing status of an IPv4 or IPv6 interface. Valid object IDs are from 1 to 65535.
Command Syntax: track object-id interface interface {ip routing | ipv6 routing}
Command Mode: CONFIGURATION
Step 2
Task: (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
Step 3
Task: (Optional) Identify the tracked object with a text description.
Step 4
Task: (Optional) Display the tracking configuration and the tracked object's status.
Tracking an IPv4/IPv6 Route
You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/IPv6 route.
Tracking Route Reachability
To configure object tracking on the reachability of an IPv4 or IPv6 route, use the following commands. To remove object tracking, enter the no track object-id command.
Step 1
Task: Configure object tracking on the reachability of an IPv4 or IPv6 route. Valid object IDs are from 1 to 65535.
Command Syntax: track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
Command Mode: CONFIGURATION
Step 5
Task: (Optional) Configure the metric threshold for the UP and/or DOWN routing status to be tracked for the specified route. Default UP threshold: 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold. Default DOWN threshold: 255. The routing state is DOWN if the scaled route metric is greater than or equal to the DOWN threshold.
Command Syntax: threshold metric {[up number] [down number]}
Command Mode: OBJECT TRACKING
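The threshold rules in Step 5, together with the up/down delay from the earlier steps, as an added Python model. This is example code written for this page and not FTOS code: metric samples are assumed to be already scaled to the range the thresholds are compared against, a sample of None stands for a route that is not in the routing table, the delay is modelled with caller-supplied timestamps in seconds, and the behaviour between two non-adjacent thresholds (keep the current state) is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class RouteMetricTracker:
    """Constructed model of a tracked route evaluated by its scaled metric."""
    up_threshold: int = 254      # FTOS default UP threshold
    down_threshold: int = 255    # FTOS default DOWN threshold
    delay_up: int = 0            # seconds a DOWN->UP change is held before it is reported
    delay_down: int = 0          # seconds an UP->DOWN change is held before it is reported
    state: str = "DOWN"
    pending: Optional[Tuple[str, int]] = None   # (target state, time it takes effect)
    changes: int = 0

    def __post_init__(self) -> None:
        if self.up_threshold > self.down_threshold:
            raise ValueError("UP threshold must not exceed DOWN threshold")

    def evaluate(self, scaled_metric: Optional[int]) -> str:
        """State implied by one sample, before any delay is applied."""
        if scaled_metric is None or scaled_metric >= self.down_threshold:
            return "DOWN"          # route missing or metric at/above DOWN threshold
        if scaled_metric <= self.up_threshold:
            return "UP"            # metric at/below UP threshold
        return self.state          # between the thresholds: keep the current state

    def update(self, scaled_metric: Optional[int], now: int) -> str:
        """Feed one sample taken at time `now` and return the reported state."""
        target = self.evaluate(scaled_metric)
        if target == self.state:
            self.pending = None    # condition cleared before the delay expired
            return self.state
        delay = self.delay_up if target == "UP" else self.delay_down
        if self.pending is None or self.pending[0] != target:
            self.pending = (target, now + delay)
        if now >= self.pending[1]:
            self.state = target
            self.changes += 1
            self.pending = None
        return self.state


if __name__ == "__main__":
    # Constructed sample: default thresholds, 20-second up delay, metric samples over time.
    t = RouteMetricTracker(delay_up=20)
    for now, metric in [(0, 10), (19, 10), (20, 10), (30, 255), (31, None)]:
        print(f"t={now:>3}s metric={metric!s:>4} -> {t.update(metric, now)}")
```

The delay matters for the VRRP use case above: a route whose metric flaps around the threshold would otherwise move the VRRP master back and forth on every sample.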
Command Example: show track
FTOS#show track
Track 1
 IP route 23.0.0.
Command Example: show track resolution
FTOS#show track resolution
IP Route Resolution
 ISIS 1
 OSPF 1
IPv6 Route Resolution
 ISIS 1
 OSPF 1
Command Example: show track vrf
FTOS#show track vrf red
Track 5
 IP route 192.168.0.
35 Open Shortest Path First (OSPFv2 and OSPFv3)
Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms: c e s
Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms: c e
OSPF for IPv4 is supported on the E-Series ExaScale platform with FTOS 8.1.1.0; OSPF for IPv6 is supported on E-Series ExaScale with FTOS version 8.2.1.0 and later.
Protocol Overview
Open Shortest Path First (OSPF) routing is a link-state routing protocol that calls for the sending of Link-State Advertisements (LSAs) to all other routers within the same Autonomous System (AS) Areas. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm (Shortest Path First algorithm) to calculate the shortest path to each node.
Figure 35-1. Autonomous System Areas (Area 0, Area 100, Area 200 and Area 300; Routers A through M)
Area Types
The Backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any Autonomous System (AS). All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous.
A Stub Area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. Note that all routers within an assigned Stub area must be configured as stubby, and must not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. Stubby areas cannot be traversed by a virtual link.
Figure 35-2.
Area Border Router (ABR)
Within an AS, an Area Border Router (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An Area Border Router (ABR) takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to.
Link-State Advertisements (LSAs)
A Link-State Advertisement (LSA) communicates the router's local routing topology to all other local routers in the same area.
• OSPFv3 can treat LSAs as having link-local flooding scope, or store and flood them as if they are understood, while ignoring them in their own SPF algorithms.
• OSPFv2 always discards unknown LSA types.
Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object this link connects to. Depending on the type, the link ID has different meanings.
OSPF Cost OSPF calculates the shortest path to a destination by taking into account the cost of the available OSPF links. In OSPF, a lower link cost indicates a preferred interface to use for sending traffic. An OSPF cost is a value that ranges from 1 to 65535. By default link costs are automatically calculated on an OSPF router according to the bandwidth provided by each interface type; for example, the default cost on a 10GE or 100MB interface is 1 and on a 10MB interface is 10.
FTOS supports Stub areas, Totally Stub (No Summary) and Not So Stubby Areas (NSSAs) and supports the following LSAs, as discussed earlier in this document.
• Router (type 1)
• Network (type 2)
• Network Summary (type 3)
• AS Boundary (type 4)
• AS External (type 5)
• NSSA External (type 7)
• Opaque Link-local (type 9)
Graceful Restart
Graceful Restart is supported on c e and s platforms for both Helper and Restart modes.
Multi-Process OSPF (OSPFv2, IPv4 only)
Multi-Process OSPF is supported on platforms c e and s with FTOS version 7.8.1.0 and later, and is supported on OSPFv2 with IPv4 only.
Multi-Process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow for isolating routing domains, supporting multiple route policies and priorities in different domains, and creating smaller domains for easier management.
• The E-Series supports up to 28 OSPFv2 processes.
Confirm RFC 2328 flooding behavior by using the command debug ip ospf packet and look for output similar to the following:
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000
 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
 LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.
Command Example: ip ospf intervals
FTOS(conf)#int gi 2/2
FTOS(conf-if-gi-2/2)#ip ospf hello-interval 20
FTOS(conf-if-gi-2/2)#ip ospf dead-interval 80
FTOS(conf-if-gi-2/2)#
OSPF Configuration with intervals set
FTOS (conf-if-gi-2/2)#ip ospf dead-interval 20
FTOS (conf-if-gi-2/2)#do show ip os int gi1/3
GigabitEthernet 2/2 is up, line protocol is up
 Internet Address 20.0.0.1/24, Area 0
 Process ID 10, Router ID 1.1.1.
Configuration Task List for OSPFv2 (OSPF for IPv4)
Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms: c e s
1. Configure a physical interface. Assign an IP address, physical or loopback, to the interface to enable Layer 3 routing.
2. Enable OSPF globally. Assign network area and neighbors.
3. Add interfaces or configure other attributes.
Use these commands on one of the interfaces to enable OSPFv2 routing.
Step 1
Command Syntax: ip address ip-address mask
Command Mode: CONFIG-INTERFACE
Usage: Assign an IP address to an interface. Format: A.B.C.D/M. If using a Loopback interface, refer to Loopback Interfaces.
Step 2
Command Syntax: no shutdown
Command Mode: CONFIG-INTERFACE
Usage: Enable the interface. Return to CONFIGURATION mode to enable the OSPF process.
FTOS#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.10
Supports only single TOS (TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
FTOS#
Enable Multi-Process OSPF
Multi-Process OSPF allows multiple OSPFv2 processes on a single router. Follow the same steps as above for configuring a single OSPF process, and repeat them as often as necessary for the desired number of processes.
In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting. Command Syntax Command Mode Usage router-id ip address CONFIG-ROUTER-OSPF-id Assign the Router ID for the OSPFv2 process. IP Address: A.B.C.D Use the no router ospf process-id command syntax in the CONFIGURATION mode to disable OSPF.
Enable OSPFv2 on interfaces
Each interface must have OSPFv2 enabled on it. It must be configured for a Layer 3 protocol and must not be shut down. OSPFv2 can also be assigned to a loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, Authentication Wait Time, etc., are assigned on a per-interface basis. Note: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
Loopback interfaces also assist in the OSPF process. OSPF will pick the highest interface address as the router-id, and a loopback interface address has a higher precedence than other interface addresses. The following text gives an example of the show ip ospf process-id interface command with a Loopback interface.
FTOS#show ip ospf 1 int
GigabitEthernet 13/23 is up, line protocol is up
Internet Address 10.168.0.1/24, Area 0.0.0.1
Process ID 1, Router ID 10.168.253.
Step 4: area area-id stub [no-summary] (CONFIG-ROUTER-OSPF-id mode): Configure the area as a stub area. Use the no-summary keywords to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the Area. Use the show ip ospf database process-id database-summary command syntax in EXEC Privilege mode to view which LSAs are transmitted.
Note: If you enter the max-metric router-lsa command without an option (on-startup announce-time or on-startup wait-for-bgp [wait-time]), the maximum metric of 65535 is always announced in LSAs sent by the router.
Enable passive interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface.
FTOS#show ip ospf 34 int
GigabitEthernet 0/0 is up, line protocol is down
Internet Address 10.1.2.100/24, Area 1.1.1.1
Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DOWN, Priority 1
Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0
Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Command Example: show ip ospf process-id (fast-convergence enabled)
FTOS(conf-router_ospf-1)#fast-converge 2
FTOS(conf-router_ospf-1)#ex
FTOS(conf)#ex
FTOS#show ip ospf 1
Routing Process ospf 1 with ID 192.168.67.
ip ospf message-digest-key keyid md5 key (CONFIG-INTERFACE mode): Use the MD5 algorithm to produce a message digest, which is sent instead of the key. Keyid range: 1 to 255. Key: a character string. Be sure to write down or otherwise record the Key. You cannot learn the key once it is configured. You must be careful when changing this key.
Enable OSPFv2 authentication
Use the following commands in CONFIGURATION INTERFACE mode to enable or change various OSPF authentication parameters:
ip ospf authentication-key key (CONFIG-INTERFACE mode): Set the clear-text authentication scheme on the interface. Configure a key that is a text string no longer than eight characters. All neighboring routers must share the same password to exchange OSPF information.
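The difference between the two schemes above is that with message-digest-key the key itself never leaves the router. The following added example (not FTOS code) walks through the RFC 2328 Appendix D procedure that OSPFv2 MD5 authentication follows: the sender appends MD5(packet || key), the receiver recomputes it with the key selected by Key ID, and a per-neighbor sequence number rejects replayed packets. The router IDs, key, and Hello body are constructed sample data.

```python
"""Added illustration (not FTOS code) of OSPFv2 cryptographic authentication as
defined in RFC 2328 Appendix D. All packet contents below are constructed."""
import hashlib
import hmac
import struct

AUTH_TYPE_CRYPTO = 2   # AuType value for cryptographic authentication
OSPF_HDR_LEN = 24
DIGEST_LEN = 16


def _dotted(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                body: bytes) -> bytes:
    """OSPFv2 header (version 2, type 1 = Hello) followed by a Hello body.

    With AuType 2 the checksum field is 0 and the 64-bit authentication field
    carries: reserved(16) | Key ID(8) | Auth Data Len(8) | sequence number(32)."""
    length = OSPF_HDR_LEN + len(body)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return (struct.pack("!BBH", 2, 1, length) + _dotted(router_id)
            + _dotted(area_id) + struct.pack("!HH", 0, AUTH_TYPE_CRYPTO)
            + auth_field + body)


def md5_sign(packet: bytes, key: bytes) -> bytes:
    """Append the RFC 2328 D.4.3 digest: MD5 over the packet concatenated with
    the key, zero-padded (or truncated) to 16 bytes. The digest is not counted
    in the OSPF length field, so the key is never transmitted."""
    padded = key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")
    return packet + hashlib.md5(packet + padded).digest()


def md5_verify(frame: bytes, keys: dict, last_seq: dict) -> tuple:
    """Receiver-side check. keys maps Key ID -> key bytes; last_seq maps the
    sender's Router ID -> highest sequence number accepted so far and is only
    updated when the packet is accepted. Returns (accepted, reason)."""
    if len(frame) < OSPF_HDR_LEN + DIGEST_LEN:
        return False, "truncated"
    length = struct.unpack("!H", frame[2:4])[0]
    router_id = ".".join(str(b) for b in frame[4:8])
    au_type = struct.unpack("!H", frame[14:16])[0]
    if au_type != AUTH_TYPE_CRYPTO:
        return False, "wrong AuType"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    # RFC 2328 D.4.3: sequence number must not go backwards for this neighbor.
    if seq < last_seq.get(router_id, 0):
        return False, "replayed sequence number"
    expected = md5_sign(frame[:length], key)[length:]
    # Constant-time compare so digest bytes do not leak through timing.
    if not hmac.compare_digest(expected, frame[length:]):
        return False, "digest mismatch"
    last_seq[router_id] = seq
    return True, "ok"


def demo() -> dict:
    """Accept, tamper, replay and unknown-key cases against one neighbor."""
    keys = {1: b"example-key"}      # constructed; Key ID 1 shared by both routers
    hello_body = bytes(20)          # constructed placeholder Hello body
    state = {}
    good = md5_sign(build_hello("1.1.1.1", "0.0.0.0", 1, 100, hello_body), keys[1])
    results = {"good": md5_verify(good, keys, state)}
    tampered = good[:30] + bytes([good[30] ^ 0x01]) + good[31:]
    results["tampered"] = md5_verify(tampered, keys, state)
    older = md5_sign(build_hello("1.1.1.1", "0.0.0.0", 1, 99, hello_body), keys[1])
    results["replay"] = md5_verify(older, keys, state)
    wrong = md5_sign(build_hello("1.1.1.1", "0.0.0.0", 7, 101, hello_body), keys[1])
    results["unknown_key"] = md5_verify(wrong, keys, state)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} accepted={ok} ({why})")
```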
graceful-restart helper-reject router-id (CONFIG-ROUTER-OSPF-id mode): Enter the Router ID of the OSPF helper router from which the router does not accept graceful restart assistance. This applies to the specified router only. IP Address: A.B.C.D
graceful-restart mode [planned-only | unplanned-only] (CONFIG-ROUTER-OSPF-id mode): Specify the operating mode in which graceful-restart functions. FTOS supports the following options:
• Planned-only.
Configure virtual links Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0). If an OSPF area does not have a direct connection to the backbone, at least one virtual link is required. Virtual links must be configured on an ABR connected to the backbone.
Filter routes
To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists; if they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.
ip prefix-list prefix-name (CONFIGURATION mode): Create a prefix list and assign it a unique name.
Use the following command in CONFIGURATION-ROUTER-OSPF mode to redistribute routes:
redistribute {bgp | connected | isis | rip | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] (CONFIG-ROUTER-OSPF-id mode): Specify which routes will be redistributed into the OSPF process. Configure the following required and optional parameters:
• bgp, connected, isis, rip, or static: enter one of these keywords to redistribute those routes.
Note: If you are using Multi-Process OSPF, you must enter the Process ID to view information regarding a specific OSPF process. If you do not enter the Process ID, only the first configured process is listed. Use the show running-config ospf command to see the state of all the enabled OSPFv2 processes.
show running-config ospf (EXEC Privilege mode): View the summary of all OSPF process IDs enabled on the router.
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process: Command Syntax Command Mode Usage debug ip ospf process-id [event | packet | spf] EXEC Privilege View debug messages. To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id. If you do not enter a process ID, the command applies to the first OSPF process.
Router 1 (left)
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface GigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
Router 2 (center)
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.
Configuration Task List for OSPFv3 (OSPF for IPv6)
Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms: ce. The configuration options of OSPFv3 are the same as those for OSPFv2, but may be configured with differently labeled commands. Process IDs and areas need to be specified. Interfaces and addresses need to be included in the process. Areas can be defined as stub or totally stubby.
Assign IPv6 addresses on an interface
ipv6 address ipv6-address (CONF-INT-type slot/port mode): Assign an IPv6 address to the interface. IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). FORMAT: A:B:C::F/128
no shutdown (CONF-INT-type slot/port mode): Bring the interface up.
Configure stub areas
area area-id stub [no-summary] (CONF-IPV6-ROUTER-OSPF mode): Configure the area as a stub area. Use the no-summary keywords to prevent transmission into the area of summary ASBR LSAs. Area ID is a number or IP address assigned when creating the Area. The Area ID can be represented as a number between 0 and 65536, or in dotted-decimal format like an IP address.
Redistribute routes
You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process.
redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] (CONF-IPV6-ROUTER-OSPF mode): Specify which routes will be redistributed into the OSPF process.
OSPFv3 Authentication Using IPsec
OSPFv3 Authentication Using IPsec is supported only on platform: et. Starting in release 8.4.2.0, OSPFv3 uses IP Security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: Transport and Tunnel.
OSPFv3 Authentication using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. To use IPsec, you configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets.
• To configure an IPsec security policy for authenticating or encrypting OSPFv3 packets on a physical, port-channel, or VLAN interface or OSPFv3 area, perform any of the following tasks:
  • Configuring IPsec Authentication on an Interface
  • Configuring IPsec Encryption on an Interface
  • Configuring IPsec Authentication for an OSPFv3 Area
  • Configuring IPsec Encryption for an OSPFv3 Area
  • Displaying OSPFv3 IPsec Security Policies
Configuring IPsec Authentication on an Interface
Prerequisite: Before you ena
Configuring IPsec Encryption on an Interface
Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
To remove an IPsec encryption policy from an interface, enter the no ipv6 ospf encryption ipsec spi number command. To remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area, enter the no ipv6 ospf encryption null command. To display the configuration of IPsec encryption policies on the router, enter the show crypto ipsec policy command.
To display the configuration of IPsec authentication policies on the router, enter the show crypto ipsec policy command.
Configuring IPsec Encryption for an OSPFv3 Area
Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, you must first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
Note that when you configure encryption with the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area with the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area with the area authentication command, you cannot use the area encryption command in the area at the same time.
inbound esp sas
outbound esp sas
Interface: TenGigabitEthernet 0/1
 Link Local address: fe80::201:e8ff:fe40:4d11
 IPSecv6 policy name: OSPFv3-1-600
 inbound ah sas
 outbound ah sas
 inbound esp sas
  spi : 600 (0x258)
  transform : esp-des esp-sha1-hmac
  in use settings : {Transport, }
  replay detection support : N
  STATUS : ACTIVE
 outbound esp sas
  spi : 600 (0x258)
  transform : esp-des esp-sha1-hmac
  in use settings : {Transport, }
  replay detection support : N
  STATUS : ACTIVE
Troubleshooting OSPFv3
FTOS has several too
Use the following commands in EXEC Privilege mode to get general route and link status information.
36 PIM Dense-Mode
PIM Dense-Mode is supported on platforms: ces. PIM-Dense Mode (PIM-DM) is a multicast protocol that directs routers to forward multicast traffic to all subnets until the router receives a request to stop; this behavior is the opposite of PIM-Sparse Mode, which does not forward multicast traffic to a subnet until the traffic is specifically requested using a PIM Join message.
Refusing Multicast Traffic
If a PIM-DM router has no receivers for a group, it refuses multicast traffic by sending a PIM Prune message to address 224.0.0.13 out of the source interface. The upstream neighbor receives the prune message and determines if it has any remaining neighbors downstream. If it does not, it propagates the prune message upstream out of the source interface.
Figure 36-3. Requesting Multicast Traffic in a PIM-DM Network (Source, Group Address 239.192.0.1, routers R1 through R4, Receivers, Graft message)
Configure PIM-DM
Configuring PIM-DM is a two-step process:
1. Enable multicast routing using the command ip multicast-routing from CONFIGURATION mode.
2. Enable PIM-DM on an interface. Refer to Enable PIM-DM.
Related Configuration Tasks
• Clear the PIM TIB using the command clear ip pim tib from EXEC Privilege mode.
Figure 36-4. Enabling PIM-DM
R1_E600(conf-if-range-gi-1/0,gi-1/12,gi-1/13)#show config
!
interface GigabitEthernet 1/0
 description Connection to Ixia
 ip address 2.1.0.1/24
 ip pim dense-mode
 no shutdown
!
interface GigabitEthernet 1/12
 ip address 2.1.1.1/24
 ip pim dense-mode
 no shutdown
!
interface GigabitEthernet 1/13
 ip address 2.1.2.
Display the PIM routing table using the command show ip pim tib from EXEC privilege mode, as shown in the example below.
37 PIM Sparse-Mode
PIM Sparse-Mode is supported on platforms: ces. PIM-SM is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. PIM-Sparse Mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only upon request using a PIM Join message; this behavior is the opposite of PIM-Dense Mode, which forwards multicast traffic to all subnets until it receives a request to stop.
Protocol Overview
To distribute the same traffic to multiple receivers, PIM-SM creates a tree extending from a root, called the Rendezvous Point (RP), down branches that extend to the nodes which have requested the traffic. Nodes requesting the same traffic belong to the same multicast group. Initially, PIM-SM uses a single tree, called a shared tree, to distribute traffic.
Sending Multicast Traffic With PIM-SM, all multicast traffic must initially originate from the RP. A source must unicast traffic to the RP so that the RP can learn about the source and create an SPT to it. Then the last-hop DR may create an SPT directly to the source. 1. The source gateway router (first-hop DR) receives the multicast packets and creates an (S,G) entry in its multicast routing table.
Display the PIM routing table using the command show [ip | ipv6] pim tib from EXEC Privilege mode, as shown in the example below.
FTOS#show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.
Step 2: Specify the source and group to which the timer will be applied using extended ACLs with permit rules only. Command: [seq sequence-number] permit ip {source-address/mask | any | host source-address} {destination-address/mask | any | host destination-address} (CONFIG-EXT-NACL mode).
Step 3: Set the expiry time for a specific (S,G) entry (refer to the example below).
Override Bootstrap Router Updates
PIM-SM routers need to know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. If you have configured a static RP for a group, use the override option with the command [ip | ipv6] pim rp-address to override bootstrap router updates with your static RP configuration.
Elect an RP using the BSR Mechanism
Every PIM router within a domain must map a particular multicast group address to the same RP. The group-to-RP mapping may be statically or dynamically configured. RFC 5059 specifies a dynamic, self-configuring method called the Bootstrap Router (BSR) mechanism, by which an RP is elected from a pool of RP candidates (C-RPs). Some routers within the domain are configured to be C-RPs.
Configure a Designated Router Multiple PIM-SM routers might be connected to a single LAN segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the Designated Router (DR). The DR is elected using hello messages. Each PIM router learns about its neighbors by periodically sending a hello message out of each PIM-enabled interface. Hello messages contain the IP address of the interface out of which it is sent and a DR priority value.
Set a Threshold for Switching to the SPT
Set a Threshold for Switching to the SPT is available only on platform: e. Initially, PIM-SM uses a single tree, called a shared tree, to distribute traffic. It is called shared because all traffic for the group, regardless of the source or the location of the source, must pass through the RP. The shared tree is unidirectional; that is, all multicast traffic flows only from the RP to the receivers.
The router holds on to the entries learned from the neighbor for the graceful restart interval. If it does not receive a hello from the neighbor within this time, it purges all state associated with the neighbor. If the neighbor restarts and sends a hello with a new GenID before this interval expires, the router sends a join message towards the neighbor for the relevant entries.
Step 2: Apply the ACL to an interface on which there might be a source for a group specified in the ACL. This command maps the incoming interface to the (*,G) entry so that the entry can be programmed into hardware. Command: ip pim ingress-interface-map std-access-list (INTERFACE mode).
Monitoring PIM
The PIM MIB is supported only on platform: e. FTOS fully supports the PIM MIB as specified in RFC 5060 with some exceptions.
Table 37-1.
Using PIM hello messages, the switch learns about PIM neighbors and builds a database for the VLAN and port on which the packets are received. The PIM Snooping neighbor database is the same one used for PIM-SM. Each neighbor entry stores the physical or port-channel port on which a hello message from a neighbor is received. PIM hello messages are flooded to all VLAN member ports, except the port on which the message was received.
Configuration Notes and Restrictions
The following conditions apply when you configure and use PIM snooping on a switch:
• PIM-SM snooping is deployed in a Layer 2 environment and is mutually exclusive with PIM multicast routing. If you enable PIM-SM snooping, you cannot enable PIM-SM or PIM-DM.
• PIM-SM snooping is supported with IGMP snooping, and forwards the IGMP report on the port that connects to the PIM DR.
Similarly, in Figure 37-1, when PIM-SM snooping is enabled and multicast data is sent to VLAN members of group G, the switches forward the data traffic from the server attached to Router B only to the router (Router A) in the multicast group that should receive it. Without PIM-SM snooping, the switches would flood the data to all connected routers, including Routers C and D.
Figure 37-2.
Enable PIM Snooping
To enable PIM-SM snooping on all VLAN interfaces on a switch, enter the following command:
Task: Enable PIM-SM snooping globally on a switch. Command: ip pim snooping enable (CONFIGURATION mode).
To enable PIM-SM snooping on a VLAN interface, enter the following commands:
Task: Enable PIM-SM snooping on a VLAN interface. Command: ip pim snooping (VLAN INTERFACE mode).
Task: Enable the interface.
Task: Display information about the VLAN interfaces on which PIM-SM snooping is configured. Command: show ip pim snooping interface [vlan vlan-id] (EXEC Privilege mode). Example: show ip pim snooping interface
Task: Display information about the current operation of PIM-SM snooping globally on the switch or on a specified VLAN.
GigabitEthernet 4/11
GigabitEthernet 4/13
RPF 165.87.32.2 Upstream Port 00:00:01/00:02:59 -/-
FTOS#show ip pim snooping tib vlan 2 225.1.2.1 165.87.1.7
PIM Multicast Snooping Table
Flags: J/P - (*,G) Join/Prune, j/p - (S,G) Join/Prune
       SGR-P - (S,G,R) Prune
Timers: Uptime/Expires
* : Inherited port
(165.87.1.7, 225.1.2.1), uptime 00:00:08, expires 00:02:52, flags: j
 Incoming interface: Vlan 2, RPF neighbor 0.0.0.
38 PIM Source-Specific Mode
PIM Source-Specific Mode is supported on platforms: ces. PIM-SSM is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. PIM-Source-Specific Mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of Protocol Independent Multicast (PIM), a receiver subscribes to a group only.
Figure 38-1. PIM-SM with IGMPv2 versus PIM-SM with IGMPv3
R2(conf)#do show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
       M - MSDP created entry, A - Candidate for MSDP Advertisement
       K - Ack-Pending State
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
R3(conf)#do show ip pim tib
(*, 239.0.0.
Configure PIM-SSM
Configuring PIM-SSM is a one-step process:
1. Enable PIM-SM. Refer to Enable PIM-SM.
2. Enable PIM-SSM for a range of addresses. Refer to Enable PIM-SSM.
Related Configuration Tasks
• Use PIM-SSM with IGMP version 2 Hosts
Enable PIM-SSM
To enable PIM-SSM:
Step 1: Create an ACL that uses permit rules to specify what range of addresses should use SSM. You must include at least one rule, permit 232.0.0.0/8, which is the default range for PIM-SSM.
Use PIM-SSM with IGMP version 2 Hosts
PIM-SSM requires receivers that support IGMP version 3. You can employ PIM-SSM even when receivers support only IGMP version 1 or version 2 by translating (*,G) entries to (S,G) entries. Translate (*,G) entries to (S,G) entries using the command ip igmp ssm-map acl source from CONFIGURATION mode. In a standard access list, specify the groups or the group ranges that you want to map to a source. Then, specify the multicast source.
Figure 38-2. Using PIM-SM with IGMPv2 versus PIM-SSM with IGMPv2
R2(conf)#do show ip pim tib
R3(conf)#do show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
       M - MSDP created entry, A - Candidate for MSDP Advertisement
       K - Ack-Pending State
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.
SSM Map Information
Group : 239.0.0.2
Source(s) : 10.11.5.2
R1(conf)#do show ip igmp groups detail
Interface Group Uptime Expires Router mode Last reporter Last reporter mode Last report received Group source list Source address 10.11.5.2 Vlan 300 239.0.0.2 00:00:01 Never IGMPv2-Compat 10.11.3.2 IGMPv2 Join
Interface Vlan 400
Group 239.0.0.1
Uptime 00:00:05
Expires Never
Router mode INCLUDE
Last reporter 10.11.4.
39 Power over Ethernet
Power over Ethernet (PoE) is supported only on platforms: cs. This chapter contains the following major sections:
• Configuring Power over Ethernet
• Power Additional PoE Ports on the S-Series
• Deploying VOIP
FTOS supports Power over Ethernet (PoE), as described by IEEE 802.3af. IEEE 802.3af specifies that a maximum of 15.4 Watts can be transmitted to Ethernet devices over the signal pairs of an unshielded twisted pair (UTP) cable.
For the C-Series, FTOS requires that a minimum number of AC power supplies (PSU) be installed before PoE can be enabled, and some PSUs are reserved for PoE redundancy, as described in Table 39-2, "PoE Ports per Power Supply Unit in the C-Series*," in Power over Ethernet. Note: The C-Series can provide PoE only through its AC power supplies.
Table 39-2.
Related Configuration Tasks
• Manage Ports using Power Priority and the Power Budget
• Monitor the Power Budget
• Manage Power Priorities
• Recover from a Failed Power Supply
• Power Additional PoE Ports on the S-Series
Enabling PoE on a Port
PoE is disabled by default. Enable PoE on a port from INTERFACE mode using the command power inline {auto [max_milliwatts] | static [max_milliwatts]}.
View the amount of power that a port is consuming using the show power inline command from EXEC Privilege mode.
FTOS(conf-if-range-gi-0/1-48)#do show power inline
Interface  Admin  Inline Power Allocated (Watts)  Inline Power Consumed (Watts)  Class
--------------------------------------
Gi 0/1     auto   0.00                            0.00                           NO_DEVICE
Gi 0/2     auto   7.00                            3.
Table 39-4, "show power detail Field Description," in Power over Ethernet describes the fields that the show power detail command displays.
Table 39-4. show power detail Field Description
Port Number
Unit (S-Series only): The stack member unit ID.
Catalog Name (C-Series only): Displays the component’s Dell Force10 catalog number.
Slot ID (C-Series only): Displays the slot number in which the line card or RPM is installed.
This sorted list is dynamically updated by FTOS when:
• a user changes the power-inline mode or priority
• the PD advertises a different LLDP-MED priority
• the PD is connected or disconnected
FTOS always uses this sorted list of ports for allocation. When an additional PSU is added, additional ports are powered based on this list, and when a PSU is removed, this same list is used to remove power from the lowest priority ports.
Determine the Effect of a Port on the Power Budget
The PoE power budget is affected differently depending on how PoE is enabled and whether a device is connected:
1. When you configure a port with power inline auto without the max_milliwatts power limit option, power is only allocated after you connect a device to the port.
• When you connect a device, the maximum power for the device class is allocated if there is sufficient power in the budget. Refer to (Table 39-1).
Monitor the Power Budget
The power budget is the amount of power available from the installed PSUs minus the power required to operate the chassis. Use the show power inline (the first example in Enabling PoE on a Port) and show power detail (the second example in Enabling PoE on a Port) commands to help you determine if power is available for additional PoE ports (1478.40 Watts are supplied per C-Series PSU; max of 790W on S-Series with load-sharing external DC PSU).
Table 39-5. PoE Ports Priorities
Configuration | Port Number | Priority
Ports configured with power inline auto | Ports with the lowest port numbers in line cards with the lowest slot number | 3
 | Ports with the lowest port numbers | 4
You can augment the default prioritization using the command [no] power inline priority {critical | high | low}, where critical is the highest priority, and low is the lowest. FTOS ignores any LLDP-MED priority on this port if you configure a priority with this command.
Figure 39-2. Order of PoE Termination
For the configuration in the first example in Enabling PoE on a Port:
• Power for ports 7/1 and 7/2 is terminated first because they are configured with inline power auto.
• Power for port 7/2 is terminated before PoE for port 7/1 because port 7/1 has a lower port number.
• Power for port 7/0 is terminated last because it is configured with inline power static.
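The allocation list, the per-class allocation on connect, and the termination order above can be tied together in one small model. The following is an added illustration, not FTOS code: the sort key (explicit priority, then static before auto, then lowest slot and port number first) is an assumption assembled from the text of this chapter, the class wattages are the IEEE 802.3af PSE allocations, and the ports and budgets are constructed sample data.

```python
"""Added illustration (not FTOS code) of PoE power-budget allocation and
termination order. Sort order is an assumption drawn from the chapter text;
port data and budgets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# IEEE 802.3af PSE allocation per detected device class (watts).
CLASS_POWER_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4}
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}
MODE_RANK = {"static": 0, "auto": 1}   # auto ports are terminated before static ones


@dataclass
class PoePort:
    slot: int
    port: int
    mode: str                              # "auto" or "static"
    priority: str = "low"                  # from 'power inline priority' or LLDP-MED
    max_milliwatts: Optional[int] = None   # optional limit on the power inline command
    pd_class: Optional[int] = None         # None = no device connected
    allocated_w: float = 0.0

    @property
    def name(self) -> str:
        return f"Gi {self.slot}/{self.port}"

    def requested_w(self) -> float:
        """Power to reserve. Assumption: a static port reserves immediately; an
        auto port reserves only once a device is connected, taking the class
        maximum unless a max_milliwatts limit was configured."""
        if self.mode == "auto" and self.pd_class is None:
            return 0.0
        if self.max_milliwatts is not None:
            return self.max_milliwatts / 1000.0
        return CLASS_POWER_W.get(self.pd_class, CLASS_POWER_W[0])


def sort_key(p: PoePort):
    """Position in the single sorted list FTOS uses for allocation (assumed order)."""
    return (PRIORITY_RANK[p.priority], MODE_RANK[p.mode], p.slot, p.port)


def allocate(ports: List[PoePort], budget_w: float) -> List[str]:
    """Walk the sorted list, powering each port whose request still fits the
    remaining budget. Returns the powered port names in allocation order."""
    remaining = budget_w
    powered = []
    for p in sorted(ports, key=sort_key):
        need = p.requested_w()
        if 0.0 < need <= remaining:
            p.allocated_w = need
            remaining -= need
            powered.append(p.name)
        else:
            p.allocated_w = 0.0
    return powered


def psu_removed(ports: List[PoePort], new_budget_w: float) -> List[str]:
    """Re-run allocation against the smaller budget and report which ports lost
    power: they come from the bottom of the same sorted list."""
    before = {p.name for p in ports if p.allocated_w > 0}
    allocate(ports, new_budget_w)
    after = {p.name for p in ports if p.allocated_w > 0}
    return sorted(before - after)


def example_ports() -> List[PoePort]:
    """Constructed ports modelled on the slot 7 example in Enabling PoE on a Port."""
    return [
        PoePort(7, 0, "static", "critical", pd_class=3),   # reserves 15.4 W up front
        PoePort(7, 1, "auto", "low", pd_class=2),          # class 2 device: 7.0 W
        PoePort(7, 2, "auto", "low", pd_class=0),          # class 0 device: 15.4 W
        PoePort(7, 3, "auto", "low"),                      # nothing connected: 0 W
        PoePort(5, 4, "auto", "high", max_milliwatts=5000, pd_class=1),  # capped at 5 W
    ]


if __name__ == "__main__":
    ports = example_ports()
    print("powered at 45 W:", allocate(ports, 45.0))
    print("lost after PSU removal (30 W):", psu_removed(ports, 30.0))
```

With the 45 W budget all four active ports are powered; dropping to 30 W removes Gi 7/2 first, matching the termination order in Figure 39-2.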
Deploying VOIP
VoIP phones on the market today follow the same basic boot and operations process:
1. Wait for an LLDP from the Ethernet switch.
2. Obtain an IP address from a DHCP server.
3. Send an LLDP-MED frame to the switch.
4. Wait for an LLDP-MED frame from the switch and read the Network Policy TLV to get the VLAN ID, Layer 2 Priority, and DSCP value.
5. Download applications and software from the call manager.
6.
!
interface Vlan 200
 description "Voice VLAN"
 no ip address
 tagged GigabitEthernet 6/10-11,22-23,46-47
 shutdown
!
interface Vlan 300
 description "Voice Signaling VLAN"
 no ip address
 tagged GigabitEthernet 6/10-11,22-23,46-47
 shutdown
Configure LLDP-MED for an Office VOIP Deployment
VOIP deployments may optionally use LLDP-MED.
FTOS#sh run int gigabitethernet 6/11
!
interface GigabitEthernet 6/11
 description "IP Phone X"
 no ip address
 portmode hybrid
 switchport
 service-policy input HonorDSCP
 power inline auto
 no shutdown
FTOS#sh run | grep strict-priority
strict-priority unicast 2
Honor the incoming dot1p value
On the C-Series, if you know traffic originating from the phone is tagged with a dot1p value of 5, you might make the associated queue a strict priority queue, as shown in the example below; on the C-Series, FTOS maps dot1
Figure 39-5.
class-map match-any pc-subnet
 match ip access-group pc-subnet
!
class-map match-any phone-signalling
 match ip access-group phone-signalling
!
class-map match-any phone-subnet
 match ip access-group phone-subnet
FTOS#sh run policy-map-input
!
policy-map-input phone-pc
 service-queue 1 class-map pc-subnet
 service-queue 2 class-map phone-signalling
 service-queue 3 class-map phone-subnet
Force10#sh run qos-policy-output
!
qos-policy-output data
 bandwidth-weight 8
!
qos-policy-output signalling
 bandwidth-weight 64
40 Policy-based Routing
Policy-based Routing is supported on platforms: ces. PBR is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. PBR is supported on the E-Series TeraScale, C-Series, and S-Series platforms in FTOS 8.4.2.0 and later.
Figure 40-1. PBR Example (three Internet connections of 45, 10, and 1.5 Mbps from the Edge Routers, serving Operations, Customer Support, Sales, Marketing, Engineering, and Finance)
With 3 separate internet connections from the Edge Routers, bandwidth can be allotted to meet each department's needs. Some departments will need higher-speed internet access while others will require less bandwidth.
The traffic is forwarded based on the following: 1. Next-hop addresses are verified. If the specified next hop is reachable, then the traffic is forwarded to the specified next-hop. 2. If the specified next-hops are not reachable, then the normal routing table is used to forward the traffic. 3. FTOS supports multiple next-hop entries in the redirect lists. 4. Redirect-Lists are applied at Ingress.
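The forwarding order above (try the listed next-hops in order, fall back to the routing table when none is reachable, match on protocol plus source and destination prefixes at ingress) can be modelled directly. The following added example is not FTOS code; the department subnets, next-hop addresses, and routing table are constructed to mirror Figure 40-1.

```python
"""Added illustration (not FTOS code) of the policy-based routing decision:
a packet is matched against the redirect list, the listed next-hops are tried
in order and used only if reachable, otherwise the normal routing table
(longest-prefix match) decides. All addresses and tables are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class RedirectRule:
    """One 'redirect' entry: next-hop(s), IP protocol, source and destination prefixes."""
    next_hops: List[str]
    protocol: Optional[int]          # None matches any IP protocol
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network

    def matches(self, proto: int, src: str, dst: str) -> bool:
        return ((self.protocol is None or self.protocol == proto)
                and ipaddress.ip_address(src) in self.source
                and ipaddress.ip_address(dst) in self.destination)


@dataclass
class Router:
    """Minimal forwarding model: routing table, the set of next-hops the router
    can currently resolve, and a redirect list applied on ingress."""
    routes: dict                      # prefix string -> next-hop address
    reachable: set                    # next-hop addresses that are resolvable now
    redirect_list: List[RedirectRule] = field(default_factory=list)

    def rib_lookup(self, dst: str) -> Optional[str]:
        """Normal routing-table lookup: the longest matching prefix wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, proto: int, src: str, dst: str) -> tuple:
        """Return (next_hop, how) where how is 'pbr', 'rib' or 'drop'."""
        for rule in self.redirect_list:
            if not rule.matches(proto, src, dst):
                continue
            # Step 1: next-hops are verified in order; the first reachable one is used.
            for nh in rule.next_hops:
                if nh in self.reachable:
                    return nh, "pbr"
            # Step 2: none reachable, so the normal routing table is used instead.
            break
        nh = self.rib_lookup(dst)
        return (nh, "rib") if nh else (None, "drop")


def build_example_router() -> Router:
    """Constructed topology modelled on Figure 40-1: Internet links behind
    next-hops 10.1.1.1 (45 Mbps), 10.1.2.1 (10 Mbps) and 10.1.3.1 (1.5 Mbps)."""
    any_dst = ipaddress.ip_network("0.0.0.0/0")
    rules = [
        # Engineering subnet: 45 Mbps link first, 10 Mbps link as the second entry.
        RedirectRule(["10.1.1.1", "10.1.2.1"], IP_PROTO["ip"],
                     ipaddress.ip_network("192.168.10.0/24"), any_dst),
        # Finance TCP traffic only: 10 Mbps link; its UDP/ICMP follows the RIB.
        RedirectRule(["10.1.2.1"], IP_PROTO["tcp"],
                     ipaddress.ip_network("192.168.20.0/24"), any_dst),
    ]
    return Router(routes={"0.0.0.0/0": "10.1.3.1",        # default via 1.5 Mbps link
                          "172.16.0.0/16": "10.1.9.1"},   # internal data centre
                  reachable={"10.1.1.1", "10.1.2.1", "10.1.3.1", "10.1.9.1"},
                  redirect_list=rules)


if __name__ == "__main__":
    r = build_example_router()
    print(r.forward(IP_PROTO["tcp"], "192.168.10.5", "203.0.113.9"))   # ('10.1.1.1', 'pbr')
    r.reachable.discard("10.1.1.1")
    print(r.forward(IP_PROTO["tcp"], "192.168.10.5", "203.0.113.9"))   # ('10.1.2.1', 'pbr')
    r.reachable.discard("10.1.2.1")
    print(r.forward(IP_PROTO["tcp"], "192.168.10.5", "203.0.113.9"))   # ('10.1.3.1', 'rib')
```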
Create a Redirect List

Use the following command in CONFIGURATION mode:

Command Syntax: ip redirect-list redirect-list-name
  Command Mode: CONFIGURATION
  Purpose: Create a redirect list by entering the list name. Format: 16 characters.

Delete the redirect list with the no ip redirect-list command. The following example creates a redirect list by the name of “xyz.
The following text shows a step-by-step example of how to create a rule for a redirect list by configuring:
• IP address of the next-hop router in the forwarding route
• IP protocol number
• Source address with mask information
• Destination address with mask information.

FTOS(conf-redirect-list)#redirect ?
A.B.C.D    Forwarding router's address
sonet      SONET interface
FTOS(conf-redirect-list)#redirect 3.3.3.
Note: Starting in release 8.4.1.2, FTOS supports the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy on an E-Series ExaScale router. A recursive route is a route for which the immediate next-hop address is learned dynamically through a routing protocol and acquired through a route lookup in the routing table.
Apply a Redirect-list to an Interface using a Redirect-group

IP redirect lists are supported on physical interfaces as well as on VLAN and port-channel interfaces.

Note: When you apply a redirect list to a port-channel on the E-Series, if traffic is redirected to the next hop and the destination port-channel is shut down, the traffic is dropped. However, on the C-Series, the traffic redirected to the destination port-channel is sometimes switched.
Show Redirect List Configuration

To view the redirect list configuration, use the following commands in EXEC mode:

Command Syntax: show ip redirect-list redirect-list-name
  Command Mode: EXEC
  Purpose: View the redirect list configuration and the associated interfaces.
Command Syntax: show cam pbr
  show cam-usage
  Command Mode: EXEC
  Purpose: View the redirect list entries programmed in the CAM.

List the redirect list configuration using the show ip redirect-list redirect-list-name command.
Showing CAM PBR Configuration Example

FTOS(conf-if-gi-8/1)#do show cam pbr l 8 p0
TCP Flag: Bit 5 - URG, Bit 4 - ACK, Bit 3 - PSH, Bit 2 - RST, Bit 1 - SYN, Bit 0 - FIN
Cam    Port  VlanID  Proto  Tcp   Src   Dst   SrcIp                            DstIp                            Next-hop  Egress
Index                       Flag  Port  Port                                                                    MAC       Port
----------------------------------------------------------------------------------------------------------------------------
06080  0     N/A     IP     0x0   0     0     200.200.200.200 200.200.200.200  199.199.199.199 199.199.199.199  N/A       N/A
06081  0     N/A     TCP    0x10  0     40    234.234.234.234 255.234.234.234  222.222.222.
Figure 40-2. PBR Sample Illustration (diagram: Customer Support networks 192.168.1.0/24, 192.168.2.0/24, 10.0.0.0/16 and 10.1.0.0/16 reach EDGE_ROUTER on GigE 2/11; the router has 1.5 Mbps, 10 Mbps and 45 Mbps Internet links, with next hops 10.44.44.13 and 10.22.22.100 shown)

Create the Redirect-List GOLD.

EDGE_ROUTER(conf-if-gi-3/23)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#$direct 10.99.99.254 ip 192.168.1.
View Redirect-List GOLD.

EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
 Defined as:
  seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Gi 3/23), ARP resolved
  seq 10 redirect 10.99.99.254 ip 192.168.2.
41 Port Monitoring

Port Monitoring is supported on platforms: c e s

Port Monitoring is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

Port Monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port Monitoring functionality differs between platforms, but the behavior is the same, with the exceptions highlighted below.
• The C-Series and S-Series may only have four destination ports per port-pipe. There is no limitation on the total number of monitoring sessions. Table 41-1, "Maximum Number of Monitoring Sessions per System," in Port Monitoring lists the maximum number of monitoring sessions per system. For the C-Series and S-Series, the total number of sessions is derived by consuming a unique destination port in each session, in each port-pipe.

Table 41-1. Maximum Number of Monitoring Sessions per System
E-Series TeraScale

The E-Series TeraScale system supports 1 monitoring session per port-pipe. E-Series TeraScale supports a maximum of 28 port-pipes. On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3). Therefore, the E-Series TeraScale supports as many monitoring sessions as there are port-pipes in the system.
Port Monitoring on C-Series and S-Series

The C-Series and S-Series support multiple source-destination statements in a monitor session, but there may only be one destination port in a monitoring session (Message 4).

Message 4 One Destination Port in a Monitoring Session Error Message on C-Series and S-Series
% Error: Only one MG port is allowed in a session.
In the example below, 0/25 and 0/26 belong to Port-pipe 1. This port-pipe again has the same restriction of only four destination ports, new or used.
FTOS Behavior: The C-Series and S-Series continue to mirror outgoing traffic even after an MD participating in Spanning Tree Protocol transitions from the forwarding state to the blocking state.

Configuring Port Monitoring

To configure port monitoring:

Step 1
  Task: Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the example below.
Figure 41-3. Port Monitoring Example (diagram: Host on port 1/1, Server on port 1/3, Sniffer on port 1/2; host traffic and server traffic are mirrored to the sniffer)

FTOS(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
 no ip address
 no shutdown
FTOS(conf)#monitor session 0
FTOS(conf-mon-sess-0)#source gig 1/1 destination gig 1/2 direction rx

Flow-based Monitoring

Flow-based Monitoring is supported only on platform e

Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface.
FTOS(conf)#monitor session 0
FTOS(conf-mon-sess-0)#flow-based enable
FTOS(conf)#ip access-list ext testflow
FTOS(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
FTOS(config-ext-nacl)#seq 10 permit ip 102.1.1.
Remote Port Mirroring Example

Figure 41-4 shows an example of how remote port mirroring works. Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles.
Configuration Notes

When you configure remote port mirroring, the following conditions apply:
• You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions.
• You can enable and disable individual mirroring sessions.
• BPDU monitoring is not required to use remote port mirroring.
• You can use the default VLAN and native VLANs as a source VLAN.
• You cannot configure the dedicated VLAN used to transport mirrored traffic as a source VLAN.
• A destination port for remote port mirroring cannot be used as a source port, including in the session in which the port functions as the destination port.
• A source port channel or source VLAN that has a member port configured as a destination port cannot be used as a source port channel or source VLAN.
• You can use ACLs on a source port.
Configuration Procedure

To configure remote port mirroring, you must configure:
1. A reserved L2 VLAN used to transport (switched) mirrored packets on source, intermediate, and destination switches
2. A source session that consists of multiple source ports and port channels, and (optionally) source VLANs, which are on different source switches and associated with the dedicated VLAN
3.
Configure a Source Session on Multiple Switches

Step 2
  Command Syntax: source {single-interface | range {interface-list | interface-range | mixed-interface-list}} [vlan vlan-id | vlan range {vlan-list | vlan-range | mixed-vlan-list}] destination remote-vlan vlan-id direction {rx | tx | both}
  Command Mode: MONITOR SESSION
  Task: Configure the source ports and (optional) source VLANs with the reserved VLAN used to transport mirrored traffic, and the ingress/egress traffic to be mirrored.
Configure a Source Session on Multiple Switches (continued)

Step 4
  Command Syntax: flow-based enable
  Command Mode: MONITOR SESSION
  Task: (Optional) Enable flow-based mirroring for this source session to monitor only specified traffic. Refer to Flow-based Monitoring for more information.
Step 5
  Task: Repeat Steps 1 to 4 on other source switches to configure additional source ports for this session.
Configure a Destination Session on Multiple Switches

Step 2
  Command Syntax: source remote-vlan vlan-id destination {single-interface | range {interface-list | interface-range | mixed-interface-list}}
  Command Mode: MONITOR SESSION
  Task: Associate the RPM VLAN used to transport mirrored traffic with this destination session and configure the destination ports to which an analyzer is connected.
Displaying Remote-Port Mirroring Configurations

To display the current configuration of remote port mirroring for a specified session, enter the show config command in MONITOR SESSION configuration mode.
Sample Configuration: Remote Port Mirroring

Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches). The following example shows a sample configuration of remote port mirroring on a source switch.
The following example shows a sample configuration of remote port mirroring on a destination switch. Note that in the show monitor session output of a destination session, the source is the reserved VLAN (for example, remote-vlan 22) and the destination is the destination port (for example, Gi 4/73) to which an analyzer is attached.
42 Private VLANs

Private VLANs is available on platforms: c s

Private VLANs (PVLANs) provide Layer 2 isolation between ports within the same VLAN; that is, peer-to-peer communication is restricted or blocked. This is done by dividing the VLAN into subdomains and then restricting or blocking traffic flow between them.
There are three types of ports in a PVLAN:
• Host Ports—these ports are the ones that Private VLAN aims to isolate. They are connected to end-stations.
• Promiscuous Ports—these ports are members of the primary VLAN, and function as gateways to the primary and secondary VLANs.
• Trunk Ports—trunk ports carry tagged traffic between switches. They have promiscuous and trunk ports as members.

Figure 42-2.
Configure Private VLANs

Configuring Private VLANs is a 3-step process:
1. Configure PVLAN Ports
2. Place PVLAN Ports in a Secondary VLAN
3. Place the Secondary VLANs in a Primary VLAN

Related Configuration Tasks
• Private VLAN show Commands

Configure PVLAN Ports

You must assign switchports a PVLAN Port role—host, promiscuous, or trunk—before you can add them to a primary or secondary VLAN.
• Host ports may not be a part of a non-private (regular) VLAN.
Step 2
  Task: Designate the VLAN as a community or isolated VLAN.
  Command Syntax: private-vlan mode {community | isolated}
  Command Mode: INTERFACE VLAN
Step 3
  Task: Add one or more host ports to the VLAN.
  Command Syntax: {tagged | untagged} interface
  Command Mode: INTERFACE VLAN

Place the Secondary VLANs in a Primary VLAN

A primary VLAN is a port-based VLAN that is specifically designated as a private VLAN. Doing so enables the VLAN to be divided into secondary VLANs.
43 Per-VLAN Spanning Tree Plus

Per-VLAN Spanning Tree Plus is supported on platforms: c e s

Port Monitoring is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

Protocol Overview

Per-VLAN Spanning Tree Plus (PVST+) is a variation of Spanning Tree—developed by a third party—that allows you to configure a separate Spanning Tree instance for each VLAN. For more information on Spanning Tree, refer to Chapter 55, Spanning Tree Protocol.

Figure 43-1.
FTOS supports three other variations of Spanning Tree, as shown in Table 43-1, "FTOS Supported Spanning Tree Protocols," in Per-VLAN Spanning Tree Plus.

Table 43-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term                  IEEE Specification
Spanning Tree Protocol             802.1d
Rapid Spanning Tree Protocol       802.1w
Multiple Spanning Tree Protocol    802.
Enable PVST+

When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally:

Step 1
  Task: Enter PVST context.
  Command Syntax: protocol spanning-tree pvst
  Command Mode: PROTOCOL PVST
Step 2
  Task: Enable PVST+.
  Command Syntax: no disable
  Command Mode: PROTOCOL PVST

Disable PVST+

Task: Disable PVST+ globally.
  Command Syntax: disable
  Command Mode: PROTOCOL PVST
Task: Disable PVST+ on an interface or remove a PVST+ parameter configuration.
The bridge with the lowest value for bridge priority is elected root. Since all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. Assign a bridge a low non-default value for bridge priority to increase the likelihood that it will be selected as the STP root.

Task: Assign a bridge priority.
To change PVST+ parameters, use the following commands on the root bridge:

Task: Change the forward-delay parameter.
  • Range: 4 to 30
  • Default: 15 seconds
  Command Syntax: vlan forward-delay
  Command Mode: PROTOCOL PVST
Task: Change the hello-time parameter.
  Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time.
  • Range: 1 to 10
  • Default: 2 seconds
  Command Syntax: vlan hello-time
  Command Mode: PROTOCOL PVST
Task: Change the max-age parameter.
Note: The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1d costs as the default costs; if you are using Dell Force10 systems in a multi-vendor network, verify that the costs are the values you intended.

To change the port cost or priority of an interface:

Task: Change the port cost of an interface.
The EdgePort status of each interface is given in the output of the command show spanning-tree pvst, as shown in the example in Influence PVST+ Root Selection.

FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel already in the error-disabled state, the new member port will also be disabled in the hardware.
Figure 43-3. PVST+ with Extend System ID (diagram: a Dell Force10 System connected to a VLAN-unaware hub; P1 is untagged in VLAN 10 and P2 is untagged in VLAN 20; P2 moves to blocking unless Extended System ID is enabled)

Task: Augment the Bridge ID with the VLAN ID.
  Command Syntax: extend system-id
  Command Mode: PROTOCOL PVST

FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32773, Address 0001.e832.
PVST+ Sample Configurations

The following examples provide the running configurations for the topology shown in Figure 43-2.
44 Quality of Service

Quality of Service (QoS) is supported on platforms: c e s

Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per port-pipe. Traffic is queued on ingress and egress. By default, on ingress, all data traffic is mapped to Queue 0, and all control traffic is mapped to Queue 7. On egress, control traffic is mapped across all eight queues.
Table 44-1.
Figure 44-1. Dell Force10 QoS Architecture (diagram: on ingress, Packet Processing, Packet Classification (ACL), Marking (DiffServ, 802.1p, Exp), Rate Policing, Buffers and Class-based Queues; then Switching; on egress, Rate Limiting, Buffers and Class-based Queues, Congestion Management (WFQ Scheduling), Congestion Avoidance (WRED), Traffic Shaping and Egress Packet Processing)

Implementation Information

Dell Force10’s QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Port-based QoS Configurations

You can configure the following QoS features on an interface:
• Set dot1p Priorities for Incoming Traffic
• Configure Port-based Rate Policing
• Configure Port-based Rate Limiting
• Configure Port-based Rate Shaping

Set dot1p Priorities for Incoming Traffic

FTOS Behavior:
- Setting dot1p priorities on ingress traffic is supported only on physical port and port-channel interfaces; it is not supported on VLAN interfaces.
Honor dot1p Priorities on Ingress Traffic

FTOS Behavior:
- Honoring dot1p priorities is supported only on physical port and port-channel interfaces; it is not supported on VLAN interfaces.
- By default, FTOS does not honor dot1p priorities on ingress traffic.

Use the command service-class dynamic dot1p from INTERFACE mode to honor dot1p priorities on ingress traffic, as shown in the output example below.
Configure Port-based Rate Policing

Rate police ingress traffic on an interface using the command rate police from INTERFACE mode, as shown in the example Rate Policing Ingress Traffic. If the interface is a member of a VLAN, you may specify the VLAN for which ingress packets are policed.

FTOS Behavior: Rate policing is supported only on physical port interfaces; it is not supported on port-channel and VLAN interfaces.
Configure Port-based Rate Limiting

Configure Port-based Rate Limiting is supported only on platform e

FTOS Behavior: Rate policing is supported only on physical port interfaces; it is not supported on port-channel and VLAN interfaces. On the C-Series and S-Series, rate shaping is effectively rate limiting because of its smaller buffer size. On the E-Series:
— 802.1Q-priority tagged frames are sometimes not rate-limited according to the configured rate-limit value.
Configure Port-based Rate Shaping

Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port. Apply rate shaping to outgoing traffic on a port using the command rate shape from INTERFACE mode, as shown in the example below.
Policy-based QoS Configurations

Policy-based QoS configurations consist of the components shown in Figure 44-2.

Figure 44-2.
2. Once you create a class-map, FTOS places you in CLASS MAP mode. From this mode, specify your match criteria using the command match ip, as shown in the example below. Match-any class maps allow up to five ACLs, and match-all class maps allow only one ACL.
3. After you specify your match criteria, link the class-map to a queue using the command service-queue from POLICY MAP mode, as shown in the example below.
Determine the order in which ACLs are used to classify traffic

When you link class-maps to queues using the command service-queue, FTOS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, in the example in Create a Layer 3 class map, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Display configured class maps and match criteria

Display all class-maps or a specific class map using the command show qos class-map from EXEC Privilege mode.

FTOS Behavior: An explicit “deny any” rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified into two queues, 1 and 2. Class-map ClassAF1 is “match any,” and ClassAF2 is “match all”.
Create a QoS Policy

There are two types of QoS policies: input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2.
• Layer 3 QoS input policies allow you to rate police and set a DSCP or dot1p value.
• Layer 2 QoS input policies allow you to rate police and set a dot1p value.
% Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b).
FTOS(conf-qos-policy-in)#show config
!
qos-policy-input my-input-qos-policy
 set ip-dscp 34
FTOS(conf-qos-policy-in)#end
FTOS#

Set a dot1p value for egress packets

Set a dot1p value for egress packets using the command set mac-dot1p from QOS-POLICY-IN mode.

Create an output QoS policy

To create an output QoS policy:
1.
Allocate bandwidth to queue

The E-Series schedules unicast, multicast, and replication traffic for egress based on the Weighted Fair Queuing algorithm. The C-Series and S-Series schedule packets for egress based on Deficit Round Robin (DRR). Both strategies offer a guaranteed data rate. To allocate an amount of bandwidth to a queue, use the command bandwidth-percentage on the E-Series.
Specify WRED drop precedence

Specify WRED drop precedence is supported only on platform e

Specify a WRED profile for yellow and/or green traffic using the command wred from QOS-POLICY-OUT mode. Refer to Apply a WRED profile to traffic.

Create Policy Maps

There are two types of policy maps: input and output.

Create Input Policy Maps

There are two types of input policy-maps: Layer 3 and Layer 2.
1.
Table 44-5.
Fall Back to trust diffserve or dot1p

Fall Back to trust diffserve or dot1p is available only on platform: e

When using QoS service policies with multiple class maps, you can configure FTOS to use the incoming DSCP or dot1p marking as a secondary option for packet queuing in the event that no match occurs in the class maps. When class-maps are used, traffic is matched against each class-map sequentially from first to last.
The behavior is similar for trust dot1p fallback in a Layer 2 input policy map; the dot1p-to-queue mapping is according to Table 44-6, "Default dot1p to Queue Mapping," in Quality of Service.

To enable Fall Back to trust diffserve or dot1p:

Task: Classify packets according to their DSCP value as a secondary option in case no match occurs against the configured class maps.
Create Output Policy Maps

Create Output Policy Maps is supported only on platform e

1. Create an output policy map using the command policy-map-output from CONFIGURATION mode.
2. Once you create an output policy map, do one or more of the following:
   • Apply an output QoS policy to a queue
   • Specify an aggregate QoS policy
   • Apply an output policy map to an interface
3. Apply an input policy map to an interface.
QoS Rate Adjustment is disabled by default, and no qos-rate-adjust is listed in the running-configuration.

Task: Include a specified number of bytes of packet overhead in rate limiting, policing, and shaping calculations. For example, to include the Preamble and SFD, enter qos-rate-adjust 8. For variable-length overhead fields you must know the number of bytes you want to include.
Figure 44-3. Packet Drop Rate for WRED (graph of Packet Drop Rate, from 0 Pckts to All Pckts, against Buffer Space, from 0KB to Total Buffer Space; the Min and Max thresholds divide the No Packets Buffered, Early Warning and Allotted Space regions)

You can create a custom WRED profile or use one of the five pre-defined profiles listed in Table 44-7, "Pre-defined WRED Profiles," in Quality of Service.

Table 44-7.
Apply a WRED profile to traffic

Once you create a WRED profile, you must specify to which traffic FTOS should apply the profile. FTOS assigns a color (also called drop precedence)—red, yellow, or green—to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field. Dell Force10 uses the first three bits of this field (DP) to determine the drop precedence. DP values of 110 and 100 map to yellow, and all other values map to green.
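Two rules on this page read the same three bits of the DSCP field: the % Info message in Create a QoS Policy (DSCP 34 = 100-010b must be mapped to queue 4 = 100b) and the drop-precedence rule above (DP bits 110 and 100 map to yellow, everything else to green). The Python below is an added example, not code from FTOS or from this guide; it derives the queue and the WRED color for any DSCP value and checks a proposed set ip-dscp/queue pairing the way the % Info message does. The DiffServ code-point names in the sample table are standard names used here as constructed input, not values taken from the guide.

```python
# Added example (not part of the FTOS guide): derive the queue and WRED drop
# precedence that this guide associates with a DSCP value.
#
# Rules taken from the guide:
#   * "% Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must
#     be mapped to queue 4 (100 b)": the queue number is the high-order three
#     bits of the six-bit DSCP field.
#   * WRED drop precedence: FTOS uses the first three bits of DSCP (DP);
#     DP 110 and DP 100 map to yellow, all other values map to green.

YELLOW_DP = {0b110, 0b100}


def dscp_queue(dscp: int) -> int:
    """Queue implied by a DSCP value: bits 5..3 of the six-bit field."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field, 0-63")
    return dscp >> 3


def dscp_drop_precedence(dscp: int) -> str:
    """WRED color assigned before queuing, from the DP (top three) bits."""
    return "yellow" if dscp_queue(dscp) in YELLOW_DP else "green"


def set_dscp_allowed(dscp: int, queue: int) -> bool:
    """Mirror the guide's % Info check: 'set ip-dscp <dscp>' is only consistent
    with a policy whose class map is linked to queue (dscp >> 3)."""
    return dscp_queue(dscp) == queue


def describe(dscp: int) -> dict:
    """Human-readable breakdown of one DSCP value."""
    return {
        "dscp": dscp,
        "bits": f"{dscp >> 3:03b}-{dscp & 0b111:03b}",  # DP bits - remaining bits
        "queue": dscp_queue(dscp),
        "color": dscp_drop_precedence(dscp),
    }


# Constructed sample input: standard DiffServ code-point names (RFC 2474/2597/3246),
# not values taken from this guide.
SAMPLE_CODEPOINTS = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26,
                     "AF41": 34, "EF": 46, "CS6": 48}


def classify_all(codepoints=SAMPLE_CODEPOINTS) -> dict:
    """Map each code-point name to its (queue, color) pair."""
    return {name: (dscp_queue(v), dscp_drop_precedence(v))
            for name, v in codepoints.items()}


if __name__ == "__main__":
    for name, dscp in SAMPLE_CODEPOINTS.items():
        print(f"{name:5} {describe(dscp)}")
    # The guide's own case: DSCP 34 must sit on queue 4.
    print("set ip-dscp 34 on queue 4 allowed:", set_dscp_allowed(34, 4))
    print("set ip-dscp 34 on queue 3 allowed:", set_dscp_allowed(34, 3))
```

Running the script shows why the AF4x class lands on queue 4 as yellow traffic while EF (46) lands on queue 5 as green: only the DP bits decide, so the low three bits (the AF drop-probability bits) play no part in either the queue or the color.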
Display WRED Drop Statistics

Display the number of packets FTOS dropped by WRED profile using the command show qos statistics from EXEC Privilege mode, as shown in the example below.
Allocating Bandwidth to Multicast Queues

Allocating Bandwidth to Multicast Queues is supported on platform: e

The E-Series has 128 multicast queues per port-pipe, which are transparent, and eight unicast queues per port. You can allocate a specific bandwidth percentage per port-pipe to multicast traffic using the command queue egress multicast bandwidth-percentage from CONFIGURATION mode.
45 Routing Information Protocol

Routing Information Protocol is supported only on platforms: c e s

RIP is supported on the S-Series following the release of FTOS version 7.8.1.0, and on the C-Series with FTOS versions 7.6.1.0 and after. RIP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections.
RIP must receive regular routing updates to maintain a correct routing table. Response messages containing a router’s full routing table are transmitted every 30 seconds. If a router does not send an update within a certain amount of time, the hop count to that route is changed to unreachable (a route hop metric of 16 hops). Another timer sets the amount of time before the unreachable routes are removed from the routing table.
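The update, timeout and removal behaviour described above is easiest to see in a small simulation. The Python below is an added example, not FTOS code and not from this guide: a minimal RIP table that learns hop counts from neighbours' Response messages, treats metric 16 as unreachable, marks a route unreachable when its updates stop, and deletes it after a second timer. The 180-second timeout and 120-second garbage-collection values are the RFC 2453 defaults and are assumptions here; the guide only says "a certain amount of time" and "another timer". The neighbour addresses and timeline are constructed input.

```python
# Added example (not from the FTOS guide): a minimal RIP routing table that
# applies the rules described on this page: hop-count metrics learned from
# neighbours' Response messages, metric 16 meaning "unreachable", a timeout
# that marks a route unreachable when updates stop, and a second timer that
# removes the unreachable route.  Timers are driven by an explicit clock so
# the behaviour is deterministic.
#
# Assumptions (not stated on this page): the 180 s timeout and 120 s
# garbage-collection timer are the RFC 2453 defaults.

INFINITY = 16          # RIP's unreachable metric (stated on the page)
UPDATE_INTERVAL = 30   # seconds between Response messages (stated on the page)
TIMEOUT = 180          # assumption: RFC 2453 default
GARBAGE_COLLECT = 120  # assumption: RFC 2453 default


class RipTable:
    def __init__(self):
        # prefix -> {"metric", "next_hop", "last_update", "unreachable_at"}
        self.routes = {}

    def receive_response(self, neighbor: str, entries: dict, now: float) -> None:
        """Process one Response message from `neighbor`.

        `entries` maps prefix -> metric as advertised by the neighbour; the
        receiver adds one hop and caps the result at INFINITY.
        """
        for prefix, advertised in entries.items():
            metric = min(advertised + 1, INFINITY)
            current = self.routes.get(prefix)
            if current is None:
                if metric < INFINITY:
                    self._install(prefix, metric, neighbor, now)
            elif current["next_hop"] == neighbor:
                # Updates from the current next hop are always accepted,
                # including a worse metric or a poisoned (16) entry.
                if metric >= INFINITY:
                    self._mark_unreachable(prefix, now)
                else:
                    self._install(prefix, metric, neighbor, now)
            elif metric < current["metric"]:
                # A different neighbour offers a better path (or the route is
                # currently unreachable): switch to it.
                self._install(prefix, metric, neighbor, now)

    def expire(self, now: float) -> None:
        """Run the timers: timeout -> unreachable, garbage-collect -> delete."""
        for prefix, r in list(self.routes.items()):
            if r["unreachable_at"] is None:
                if now - r["last_update"] >= TIMEOUT:
                    self._mark_unreachable(prefix, now)
            elif now - r["unreachable_at"] >= GARBAGE_COLLECT:
                del self.routes[prefix]

    def metric(self, prefix: str):
        """Current hop count for a prefix, or None if it is not in the table."""
        r = self.routes.get(prefix)
        return None if r is None else r["metric"]

    def _install(self, prefix, metric, next_hop, now):
        self.routes[prefix] = {"metric": metric, "next_hop": next_hop,
                               "last_update": now, "unreachable_at": None}

    def _mark_unreachable(self, prefix, now):
        r = self.routes[prefix]
        if r["unreachable_at"] is None:   # start the removal timer only once
            r["metric"] = INFINITY
            r["unreachable_at"] = now


def run_scenario() -> list:
    """Constructed timeline; returns the metric of 160.160.0.0/16 after each step."""
    table = RipTable()
    prefix = "160.160.0.0/16"
    seen = []
    table.receive_response("29.10.10.12", {prefix: 0}, now=0)            # learned, 1 hop
    seen.append(table.metric(prefix))
    table.receive_response("10.0.0.2", {prefix: 3}, now=UPDATE_INTERVAL)  # 4 hops: ignored
    seen.append(table.metric(prefix))
    table.expire(now=TIMEOUT + 10)                     # no refresh: unreachable (16)
    seen.append(table.metric(prefix))
    table.expire(now=TIMEOUT + 10 + GARBAGE_COLLECT)   # removed from the table
    seen.append(table.metric(prefix))
    return seen


if __name__ == "__main__":
    print(run_scenario())
```

The scenario mirrors the show ip rip database output further down this chapter, where 160.160.0.0/16 is held at [120/1] via 29.10.10.12: a worse advertisement from a second neighbour is ignored, but once the current next hop stops refreshing the route its metric jumps to 16 and the route is only deleted after the second timer runs out, which is the window in which the router still advertises the route as unreachable.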
Configuration Task List for RIP
• Enable RIP globally (mandatory)
• Configure RIP on interfaces (optional)
• Control RIP routing updates (optional)
• Set send and receive version (optional)
• Generate a default route (optional)
• Control route metrics (optional)
• Summarize routes (optional)
• Control route metrics
• Debug RIP

For a complete listing of all commands related to RIP, refer to the FTOS Command Reference.

Enable RIP globally

By default, RIP is not enabled in FTOS.
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.

FTOS#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16  [120/1] via 29.10.10.12, 00:00:26, Fa
160.160.0.0/16  auto-summary
2.0.0.0/8       [120/1] via 29.10.10.12, 00:01:22, Fa
2.0.0.0/8       auto-summary
4.0.0.0/8       [120/1] via 29.10.10.12, 00:01:22, Fa
4.0.0.0/8       auto-summary
8.0.0.0/8       [120/1] via 29.10.10.12, 00:00:26, Fa
8.0.0.
To control the source of RIP route information, use the following commands in ROUTER RIP mode:

Command Syntax: neighbor ip-address
  Command Mode: ROUTER RIP
  Purpose: Define a specific router to exchange RIP information between it and the Dell Force10 system. You can use this command multiple times to exchange RIP information with as many RIP networks as you want.
Command Syntax: passive-interface interface
  Command Mode: ROUTER RIP
  Purpose: Disable a specific interface from sending or receiving RIP routing information.
Command Syntax: redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name]
  Command Mode: ROUTER RIP
  Purpose: Include specific OSPF routes in RIP. Configure the following parameters:
  • process-id range: 1 to 65535
  • metric range: 0 to 16
  • map-name: name of a configured route map.

To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Routing Information Sources:
  Gateway          Distance      Last Update
Distance: (default is 120)
FTOS#

To configure the interfaces to send or receive different RIP versions from the RIP version configured globally, use either of the following commands in INTERFACE mode:

Command Syntax: ip rip receive version [1] [2]
  Command Mode: INTERFACE
  Purpose: Set the RIP version(s) received on that interface.
Command Syntax: ip rip send version [1] [2]
  Command Mode: INTERFACE
  Purpose: Set the RIP version(s) sent out on that interface.
Generate a default route

Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP. In FTOS, default routes received in RIP updates from other routers are advertised if the default-information originate command is configured.
The distance command also allows you to manipulate route metrics. Use the command to assign different weights to routes so that the ones with the lower weight or administrative distance assigned are preferred. To set route metrics, use either of the following commands in ROUTER RIP mode:

Command Syntax: distance weight [ip-address mask [access-list-name]]
  Command Mode: ROUTER RIP
  Purpose: Apply a weight to all routes or a specific route and ACL.
RIP Configuration Example

The example in this section shows the command sequence to configure RIPv2 on the two routers shown in Figure 45-1 — “Core 2” and “Core 3”. The host prompts used in the example screenshots reflect those names. The screenshots are divided into the following groups of command sequences:
• Configuring RIPv2 on Core 2
• Core 2 Output
• RIP Configuration on Core 3
• Core 3 RIP Output
• RIP Configuration Summary

Figure 45-1.
• Using show ip protocols Command to Show RIP Configuration Activity on Core 2: Using show ip protocols command to display Core 2 RIP activity

Example of RIP Configuration Response from Core 2

Core2(conf-router_rip)#end
00:12:24: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by
Core2#show ip rip database
Total number of routes in RIP database: 7
10.11.30.0/24   [120/1] via 10.11.20.1, 00:00:03, GigabitEthernet 2/31
10.300.10.0/24  directly connected,GigabitEthernet 2/42
10.200.10.
Core 3 RIP Output

The screenshots in this section are:
• Using show ip rip database Command for Core 3 RIP Setup: Using show ip rip database command to display Core 3 RIP database
• Using show ip routes for Core 3 RIP Setup: Using show ip route command to display Core 3 RIP setup
• Using show ip protocols Command to Show RIP Configuration Activity on Core 3: Using show ip protocols command to display Core 3 RIP activity

Using show ip rip database Command for Core 3 RIP Setup

Core3#show ip rip database
Tot
  version 2
  10.200.10.0
  10.300.10.0
  10.11.10.0
  10.11.20.0

Summary of Core 3 RIP Configuration Using Output of show run Command

!
interface GigabitEthernet 3/11
 ip address 10.11.30.1/24
 no shutdown
!
interface GigabitEthernet 3/21
 ip address 10.11.20.1/24
 no shutdown
!
interface GigabitEthernet 3/43
 ip address 192.168.1.1/24
 no shutdown
!
interface GigabitEthernet 3/44
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
46 Remote Monitoring
Remote Monitoring is supported on the C-Series, E-Series and S-Series. Remote Monitoring is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
This chapter describes the Remote Monitoring (RMON):
• Implementation
• Fault Recovery
Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information.
Fault Recovery
RMON provides the following fault recovery functions:
Interface Down: When an RMON-enabled interface goes down, monitoring continues. However, all data values are registered as 0xFFFFFFFF (32 bits) or 0xFFFFFFFFFFFFFFFF (64 bits). When the interface comes back up, RMON monitoring resumes.
Note: A Network Management System (NMS) should be ready to interpret a down interface and plot the interface performance graph accordingly.
Set rmon alarm
To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in CONFIGURATION mode. To disable the alarm, use the no form of this command:
Command Syntax: [no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string] (rmon hc-alarm, for 64-bit counters, takes the same form)
Command Mode: CONFIGURATION
Purpose: Set an alarm on any MIB object. Use the no form of this command to disable the alarm.
The following example configures an RMON alarm using the rmon alarm command.
FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1
The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable. The alarm is triggered when the 1.3.6.1.2.1.2.2.1.20.
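The alarm semantics behind that command, as an added example (this is not FTOS code): the rmon alarm line above is parsed into a small alarm object, which is then fed a constructed series of ifOutErrors readings taken every 20 seconds. The evaluation follows the RMON (RFC 2819) rules: delta sampling compares the change between two successive readings, the rising event fires once when the delta reaches rising-threshold, and no second rising event fires until the value has dropped back to falling-threshold. That hysteresis is what keeps a counter that hovers around the threshold from flooding the NMS with traps. The readings are constructed values, not device output.

```python
"""RMON alarm evaluation modelled on the rmon alarm command (added example, not FTOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    number: int
    variable: str                 # OID, e.g. 1.3.6.1.2.1.2.2.1.20.1 (ifOutErrors.1)
    interval: int                 # seconds between samples
    sample_type: str              # "delta" or "absolute"
    rising_threshold: int
    rising_event: Optional[int]
    falling_threshold: int
    falling_event: Optional[int]
    owner: str = ""
    last_raw: Optional[int] = None
    state: Optional[str] = None   # "rising" or "falling" after the first crossing
    events: List[Tuple[int, int]] = field(default_factory=list)

    def sample(self, raw: int) -> Optional[int]:
        """Feed one reading of the MIB variable; return the event number fired, if any."""
        if self.sample_type == "delta":
            if self.last_raw is None:      # a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        fired = None
        # RFC 2819 hysteresis: a rising event re-arms only after a falling crossing, and vice versa
        if value >= self.rising_threshold and self.state != "rising":
            self.state, fired = "rising", self.rising_event
        elif value <= self.falling_threshold and self.state != "falling":
            self.state, fired = "falling", self.falling_event
        if fired is not None:
            self.events.append((fired, value))
        return fired


def parse_rmon_alarm(line: str) -> RmonAlarm:
    """Parse 'rmon alarm <n> <oid> <interval> {delta|absolute} ...' into an RmonAlarm."""
    t = line.split()
    if t[:2] != ["rmon", "alarm"]:
        raise ValueError("not an rmon alarm line")
    number, variable, interval, sample_type = int(t[2]), t[3], int(t[4]), t[5]
    if sample_type not in ("delta", "absolute"):
        raise ValueError("sample type must be delta or absolute")
    rising = falling = (0, None)
    owner = ""
    i = 6
    while i < len(t):
        kind = t[i]
        if kind in ("rising-threshold", "falling-threshold"):
            value, i = int(t[i + 1]), i + 2
            event = None
            if i < len(t) and t[i].isdigit():       # the event number is optional
                event, i = int(t[i]), i + 1
            if kind == "rising-threshold":
                rising = (value, event)
            else:
                falling = (value, event)
        elif kind == "owner":
            owner, i = t[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {kind!r}")
    return RmonAlarm(number, variable, interval, sample_type,
                     rising[0], rising[1], falling[0], falling[1], owner)


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Optional[int]]:
    """Return the event fired (or None) for each reading in turn."""
    return [alarm.sample(r) for r in readings]


# The command from the page, and a constructed ifOutErrors counter series
# read once per 20-second interval (not real device output).
CLI_LINE = ("rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta "
            "rising-threshold 15 1 falling-threshold 0 owner nms1")
READINGS = [100, 105, 125, 145, 145, 150, 170]

if __name__ == "__main__":
    alarm = parse_rmon_alarm(CLI_LINE)
    print(run_alarm(alarm, READINGS))   # [None, None, 1, None, None, None, 1]
```

With the page's command, 20 new output errors inside one interval fires event 1; the next interval with 20 more errors fires nothing because the alarm is still in the rising state, and only after an interval with no new errors (delta 0, which reaches falling-threshold 0) does a later burst fire event 1 again.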
Configure RMON collection statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE configuration mode. To remove a specified RMON statistics collection, use the no form of this command.
Command Syntax: [no] rmon collection statistics {controlEntry integer} [owner ownername]
Command Mode: CONFIGURATION INTERFACE (config-if)
Purpose: controlEntry: Specifies the RMON group of statistics using a value.
Enable an RMON MIB collection history group
The following command enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of "john"; both the sampling interval and the number of buckets use their respective defaults.
47 Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol is supported on the C-Series, E-Series and S-Series. RSTP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
Protocol Overview
Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol, specified by IEEE 802.1w, that is essentially the same as Spanning-Tree Protocol (STP) but provides faster convergence and interoperability with switches configured with STP and MSTP.
Related Configuration Tasks
• Add and Remove Interfaces
• Modify Global Parameters
• Modify Interface Parameters
• Configure an EdgePort
• Preventing Network Disruptions with BPDU Guard
• Influence RSTP Root Selection
• Configuring Spanning Trees as Hitless
• Fast Hellos for Link State Detection
• Flush MAC Addresses after a Topology Change
Important Points to Remember
• RSTP is disabled by default.
• FTOS supports only one Rapid Spanning Tree (RST) instance.
To configure the interfaces for Layer 2 and then enable them:
Step 1: If the interface has been assigned an IP address, remove it. Command: no ip address (INTERFACE mode)
Step 2: Place the interface in Layer 2 mode. Command: switchport (INTERFACE mode)
Step 3: Enable the interface. Command: no shutdown (INTERFACE mode)
Verify that an interface is in Layer 2 mode and enabled using the show config command from INTERFACE mode.
When you enable Rapid Spanning Tree, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
• Only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
Figure 47-2.
We are the root
Current root has priority 32768, Address 0001.e801.cbb4
Number of topology changes 4, last change occurred 00:02:17 ago on Gi 1/26
Port 377 (GigabitEthernet 2/1) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.377
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Confirm that a port is participating in Rapid Spanning Tree using the show spanning-tree rstp brief command from EXEC privilege mode.
R3#show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 0001.e80f.
Note: Dell Force10 recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively impact network performance. Table 47-2, "RSTP Default Values," in Rapid Spanning Tree Protocol displays the default values for RSTP.
Table 47-2.
Modify Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost is a value that is based on the interface type. The default values are listed in Table 47-2, "RSTP Default Values," in Rapid Spanning Tree Protocol. The greater the port cost, the less likely the port will be selected to be a forwarding port.
Verify that EdgePort is enabled on a port using the show spanning-tree rstp command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in the example below.
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
SNMP Traps for Root Elections and Topology Changes
Enable SNMP traps for RSTP, MSTP, and PVST+ collectively using the command snmp-server enable traps xstp.
Fast Hellos for Link State Detection
Fast Hellos for Link State Detection is available only on the S-Series.
Use RSTP Fast Hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
Displaying STP Guard Configuration
To verify the STP guard configured on RSTP port or port-channel interfaces, enter the show spanning-tree rstp guard command. Refer to the Spanning Tree Protocol chapter for information on how to configure and use the STP root guard, loop guard, and BPDU guard features.
The following example shows an RSTP network (instance 0) in which:
• Root guard is enabled on a port that is in a root-inconsistent state.
48 Security
Security features are supported on the C-Series, E-Series and S-Series.
This chapter discusses several ways to provide access security to the Dell Force10 system. Platform-specific features are identified by the c, e or s icons (as shown below). Security features are supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.
Suppress AAA Accounting for null username sessions
When AAA Accounting is activated, the FTOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is a user who comes in on a line where the aaa authentication login method-list none command is applied.
FTOS#show accounting
Active accounted actions on tty2, User admin Priv 1
 Task ID 1, EXEC Accounting record, 00:00:39 Elapsed, service=shell
Active accounted actions on tty3, User admin Priv 1
 Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell
FTOS#
AAA Authentication
FTOS supports a distributed client/server system implemented through Authentication, Authorization, and Accounting (AAA) to help secure networks against unauthorized access.
Configure AAA Authentication login methods
To configure an authentication method and method list, use these commands in the following sequence in the CONFIGURATION mode:
Step 1: aaa authentication login {method-list-name | default} method1 [... method4] (CONFIGURATION mode). Define an authentication method-list (method-list-name) or specify the default. The default method-list is applied to all terminal lines.
Enable AAA Authentication
To enable AAA authentication, use the following command in the CONFIGURATION mode:
Command Syntax: aaa authentication enable {method-list-name | default} method1 [... method4]
Command Mode: CONFIGURATION
Purpose:
• default: Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
Server-side configuration
TACACS+: When using TACACS+, Dell Force10 sends an initial packet with service type SVC_ENABLE, and then a second packet with just the password. The TACACS+ server must have an entry for username $enable$.
RADIUS: When using RADIUS authentication, FTOS sends an authentication packet with the following:
Username: $enab15$
Password: (the enable password entered by the user)
Therefore, the RADIUS server must have an entry for this username.
AAA Authorization
FTOS enables AAA new-model by default.
By default, commands in FTOS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level. For example, to reach the protocol spanning-tree command, you must log in to the router, enter the enable command for privilege level 15 (this is the default level for the command) and then enter the CONFIGURATION mode. You can configure passwords to control access to the system and assign different privilege levels to users.
Configure the enable password command To configure FTOS, you must use the enable command to enter the EXEC Privilege level 15. After entering the command, FTOS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. A password for any privilege level can always be changed. To change to a different privilege level, enter the enable command, followed by the privilege level.
To assign commands and passwords to a custom privilege level, you must be in privilege level 15 and use these commands in the following sequence in the CONFIGURATION mode:
Step 1: username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password] (CONFIGURATION mode). Assign a user name and password. Configure the optional and required parameters:
• name: Enter a text string (up to 63 characters).
FTOS(conf)#username john privilege 8 password john
FTOS(conf)#enable password level 8 notjohn
FTOS(conf)#privilege exec level 8 configure
FTOS(conf)#privilege config level 8 snmp-server
FTOS(conf)#end
FTOS#show running-config
Current Configuration ...
Specify LINE mode password and privilege
You can specify password authentication for all users on different terminal lines. The user's privilege level will be the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user.
RADIUS Authentication and Authorization
FTOS supports RADIUS for user authentication (text password) at login; RADIUS can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can limit the attributes of services available to a user. When authorization is enabled, the network access server uses configuration information from the user profile to issue the user's session.
79 RADIUS_EAP_MSG
80 RADIUS_MSG_AUTHENTICATOR
81 RADIUS_TUNNEL_PRIVATE_GROUP_ID
95 NAS_IPv6_ADDRESS
RADIUS exec-authorization stores a user-shell profile that is applied during user login. You may name the relevant named-lists with either a unique name or the default name.
Auto-command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. To do this, use the command auto-command. The auto-command is executed when the user is authenticated and before the prompt appears to the user. Set access to privilege levels through RADIUS Through the RADIUS server, you can use the command privilege level to configure a privilege level for the user to enter into when they connect to a session.
Command Syntax: aaa authorization exec {method-list-name | default} radius tacacs+
Command Mode: CONFIGURATION
Purpose: Create a method list with RADIUS and TACACS+ as authorization methods. Typical order of methods: RADIUS, TACACS+, Local, None. If authorization is denied by RADIUS, the session ends (radius should not be the last method specified).
To specify multiple RADIUS server hosts, configure the radius-server host command multiple times. If multiple RADIUS server hosts are configured, FTOS attempts to connect with them in the order in which they were configured. When FTOS attempts to authenticate a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject response.
To view the configuration of RADIUS communication parameters, use the show running-config command in the EXEC Privilege mode.
Monitor RADIUS
To view information on RADIUS transactions, use the following command in the EXEC Privilege mode:
Command Syntax: debug radius
Command Mode: EXEC Privilege
Purpose: View RADIUS transactions to troubleshoot problems.
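What the RADIUS server actually receives when FTOS authenticates an enable request, as an added example (this is not FTOS code or any RADIUS library's code): the Server-side configuration section earlier in this chapter says FTOS sends the user name $enab15$ together with the password, so this builds such an RFC 2865 Access-Request (User-Name, User-Password, NAS-IP-Address) and decodes it as the server would. It also shows the User-Password hiding: the password is XORed, in 16-byte blocks, with MD5(shared secret + Request-Authenticator), so the password can only be recovered with the shared secret, and a wrong secret yields garbage rather than an error. The shared secret, the enable password and the NAS address are constructed values.

```python
"""RADIUS Access-Request for FTOS enable authentication (added example, not FTOS code)."""
import hashlib
import os
import socket
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ENABLE_USERNAME = b"$enab15$"        # user name FTOS presents for enable authentication (from the page)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: zero-pad to 16-byte blocks, XOR each block with an MD5 chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c            # each block keys the next one
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type, Length (including the two header bytes), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_enable_access_request(secret: bytes, password: bytes, nas_ip: str,
                                identifier: int = 1,
                                authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying User-Name $enab15$, as the page describes FTOS sending."""
    authenticator = authenticator or os.urandom(16)   # Request-Authenticator must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, ENABLE_USERNAME)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """Server side: walk the attributes and recover the password with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, i = {}, 20
    while i < length:
        attr_type, attr_len = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return {
        "code": code,
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME],
        "password": reveal_password(secret, authenticator, attrs[ATTR_USER_PASSWORD]),
        "nas_ip": socket.inet_ntoa(attrs[ATTR_NAS_IP]),
    }


if __name__ == "__main__":
    # Constructed secret, enable password and NAS address.
    pkt = build_enable_access_request(b"s3cret", b"enable-pass", "10.11.131.1")
    print(parse_access_request(pkt, b"s3cret"))
```

Two practical consequences follow from the format: the server needs a user entry named $enab15$ (the page's point), and because the password hiding is an MD5 keystream rather than encryption, RADIUS traffic belongs on a protected management network and the shared secret has to be long and random.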
To select TACACS+ as the login authentication method, use these commands in the following sequence in the CONFIGURATION mode:
Step 1: tacacs-server host {ipv4-address | ipv6-address | host} (CONFIGURATION mode). Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts.
Step 2: aaa authentication login {method-list-name | default} tacacs+ [...
%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 (10.11.9.209)
FTOS(conf)#username angeline password angeline
FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209)
%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.
To specify a TACACS+ server host and configure its communication parameters, use the following command in the CONFIGURATION mode:
Command Syntax: tacacs-server host {hostname | ipv4-address | ipv6-address} [port port-number] [timeout seconds] [key key]
Command Mode: CONFIGURATION
Purpose: Enter the host name or IP address of the TACACS+ server host. Configure the optional communication parameters for the specific host:
• port port-number: Enter a TCP port number; range 0 to 65535. The default is 49.
If rejected by the AAA server, the command is not added to the running config, and messages similar to Message 1 are displayed.
Message 1 Configuration Command Rejection
04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure authorization failed for user (denyall) on vty0 ( 10.11.9.
To enable the SSH server for version 1 and 2, use the following command in the CON(FIGURATION) mode:
Command Syntax: ip ssh server {enable | port port-number}
Command Mode: CONFIGURATION
Purpose: Configure the Dell Force10 system as an SCP/SSH server.
To enable the SSH server for version 1 or 2 only, use the following command:
Command Syntax: ip ssh server version {1|2}
Command Mode: CONFIGURATION
Purpose: Configure the Dell Force10 system as an SSH server that uses only version 1 or 2.
This example shows the use of SCP and SSH to copy a software image from one switch running SSH Server on TCP port 99 to the local switch:
FTOS#copy scp: flash:
Address or name of remote host []: 10.10.10.1
Port number of the server [22]: 99
Source file name []: test.cfg
User name to login remote host: admin
Password to login remote host:
Destination file name [test.cfg]: test1.
• When all three authentication methods are enabled, password authentication is the backup method when the RSA method fails.
• The files known_hosts and known_hosts2 are generated when a user tries to SSH using version 1 or version 2, respectively.
SSH Authentication by Password
Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Force10 system. This is the simplest method of authentication and uses SSH version 1.
Step 5: Bind the public keys to RSA authentication. Command: ip ssh rsa-authentication my-authorized-keys flash://public_key (EXEC Privilege mode)
Host-based SSH Authentication
Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication:
Step 1: Configure RSA Authentication. Refer to RSA Authentication of SSH, above.
Client-based SSH Authentication
SSH from the chassis to the SSH client using the command ssh ip_address. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the command ip ssh server port number to change the default port number. You may only change the port number when SSH is disabled. You must then still use the -p option with the command ssh.
FTOS#ssh 10.16.127.
FTOS(conf)#ip telnet server enable
FTOS(conf)#no ip telnet server enable
Trace Lists
The Trace Lists feature is supported only on the E-Series.
You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you can view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
Creating a trace list Trace lists filter and log traffic based on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. When configuring the Trace list filters, include the count and bytes parameters so that any hits to that filter are logged.
Step 2: seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [established] [count [byte] | log] (TRACE LIST mode). Configure a trace list filter for TCP packets.
• source: An IP address as the source IP address for the filter to match.
seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#
If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. FTOS assigns sequence numbers in multiples of 5.
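How a trace list is evaluated, as an added example (this is not FTOS code): filters are checked in sequence-number order and the first match wins; a filter with count keeps a hit counter, a filter with log records the matching packet (which is how the attacking source is confirmed), and a filter added without a sequence number gets the next multiple of 5, as described above. The model also covers the operator port and established options of the TCP filter syntax. Assumptions, since the page does not spell them out: source and destination are accepted as any, host A.B.C.D or CIDR notation (the mask form is not modelled); established means ACK or RST set; and the packets are constructed dicts, not captured traffic. The two filters with explicit sequence numbers are the ones shown on the page.

```python
"""Trace-list evaluation modelled on the Trace Lists section (added example, not FTOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


def parse_endpoint(text: str) -> IPv4Net:
    """'any' | 'host A.B.C.D' | 'A.B.C.D/len' -> network a packet address must fall in (assumption)."""
    if text == "any":
        return IPv4Net("0.0.0.0/0")
    if text.startswith("host "):
        return IPv4Net(text[5:] + "/32")
    return IPv4Net(text, strict=False)


def _fmt(net: IPv4Net) -> str:
    if net.prefixlen == 0:
        return "any"
    return f"host {net.network_address}" if net.prefixlen == 32 else str(net)


@dataclass
class TraceFilter:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "tcp" or "udp"
    src: IPv4Net
    dst: IPv4Net
    dst_port: Optional[int] = None  # 'eq port' on the destination, if given
    established: bool = False       # tcp only: matches when ACK or RST is set (assumption)
    count: bool = False
    log: bool = False
    seq: int = 0
    packets: int = 0

    def matches(self, pkt: Dict[str, object]) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if ipaddress.IPv4Address(pkt["src"]) not in self.src:
            return False
        if ipaddress.IPv4Address(pkt["dst"]) not in self.dst:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.established and not set(pkt.get("flags", ())) & {"ACK", "RST"}:
            return False
        return True

    def show(self) -> str:
        """One filter line in the style of the show ip accounting trace-list output."""
        line = f"seq {self.seq} {self.action} {self.proto} {_fmt(self.src)} {_fmt(self.dst)}"
        if self.dst_port is not None:
            line += f" eq {self.dst_port}"
        if self.established:
            line += " established"
        if self.count:
            line += f" count ({self.packets} packets)"
        if self.log:
            line += " log"
        return line


class TraceList:
    def __init__(self, name: str):
        self.name, self.filters, self.logged = name, [], []

    def add(self, flt: TraceFilter, seq: Optional[int] = None) -> int:
        """Insert a filter; with no explicit seq, take the next multiple of 5 (from the page)."""
        if seq is None:
            seq = (max((f.seq for f in self.filters), default=0) // 5 + 1) * 5
        flt.seq = seq
        self.filters.append(flt)
        self.filters.sort(key=lambda f: f.seq)
        return seq

    def evaluate(self, pkt: Dict[str, object]) -> Optional[TraceFilter]:
        """First matching filter wins; None means nothing matched."""
        for flt in self.filters:
            if flt.matches(pkt):
                if flt.count:
                    flt.packets += 1
                if flt.log:
                    self.logged.append({"seq": flt.seq, **pkt})
                return flt
        return None


def build_dilling() -> TraceList:
    """The two filters shown on the page, plus an explicit deny-any that gets an automatic seq."""
    tl = TraceList("dilling")
    tl.add(TraceFilter("permit", "ip", parse_endpoint("host 10.1.0.0"), parse_endpoint("any"), count=True), seq=2)
    tl.add(TraceFilter("deny", "ip", parse_endpoint("host 12.45.0.0"), parse_endpoint("any"), log=True), seq=15)
    tl.add(TraceFilter("deny", "ip", parse_endpoint("any"), parse_endpoint("any")))   # assigned seq 20
    return tl


# Constructed packets, not captured traffic.
PACKETS = [
    {"proto": "tcp", "src": "10.1.0.0", "dst": "192.0.2.10", "dport": 22, "flags": ("SYN",)},
    {"proto": "udp", "src": "12.45.0.0", "dst": "192.0.2.10", "dport": 161},
    {"proto": "tcp", "src": "10.1.0.0", "dst": "192.0.2.10", "dport": 22, "flags": ("ACK",)},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 53},
]


def run_trace_list(tl: TraceList, packets: List[Dict[str, object]]) -> List[Optional[int]]:
    """Sequence number of the filter that matched each packet (None if no filter matched)."""
    return [(f.seq if f else None) for f in map(tl.evaluate, packets)]
```

After the four constructed packets, the first filter shows as seq 2 permit ip host 10.1.0.0 any count (2 packets), in the form of the show ip accounting trace-list output later in this section, and the logged list holds the one packet from 12.45.0.0.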
Command Syntax: {deny | permit} udp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log]
Command Mode: TRACE LIST
Purpose: Configure a deny or permit filter to examine UDP packets. Configure the following required and optional parameters:
• source: An IP address as the source IP address for the filter to match.
FTOS#show ip accounting trace-list dilling
Trace List dilling on linecard 0
 seq 2 permit ip host 10.1.0.0 any count (0 packets)
 seq 5 deny ip any any
FTOS#
VTY Line and Access-Class Configuration
Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use: line, local, or remote.
Table 48-1.
The following example shows how to allow or deny a Telnet connection to a user. Users will see a login prompt, even if they cannot log in. No access class is configured for the VTY line. It defaults from the local database.
FTOS(config-std-mac)#permit 00:00:5e:00:01:01
FTOS(config-std-mac)#deny any
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#access-class sourcemac
FTOS(config-line-vty)#end
49 Service Provider Bridging
Service Provider Bridging is supported on the C-Series, E-Series and S-Series.
This chapter contains the following major sections:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging
VLAN Stacking
VLAN Stacking is supported on the C-Series, E-Series and S-Series. VLAN Stacking is supported on the E-Series ExaScale with FTOS 8.2.1.0 and later.
VLAN Stacking, also called Q-in-Q, is defined in IEEE 802.
Figure 49-1. VLAN Stacking in a Service Provider Network (figure: a customer frame tagged VLAN 100 carries an inner C-Tag with TPID 0x8100, PCP, CFI 0 and VID "VLAN Red", and the provider adds an outer S-Tag with TPID 0x9100, PCP, DEI and VID 300)
Create Access and Trunk Ports An access port is a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. A trunk port is a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs. Physical ports and port-channels can be access or trunk ports. Figure 49-2.
Enable VLAN-Stacking for a VLAN
To enable VLAN-Stacking for a VLAN:
Task: Enable VLAN-Stacking for the VLAN. Command: vlan-stack compatible (INTERFACE VLAN mode)
Display the status and members of a VLAN using the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
FTOS Options for Trunk Ports
802.1ad trunk ports may also be tagged members of a VLAN so that they can carry single- and double-tagged traffic. You can enable trunk ports to carry untagged, single-tagged, and double-tagged VLAN traffic by making the trunk port a hybrid port.
Step 1: Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making it a hybrid port.
Note: On the C-Series and S-Series, a trunk port can be added to an 802.
VLAN Stacking in Multi-vendor Networks
The first field in the VLAN tag is the Tag Protocol Identifier (TPID), which is two bytes. In a VLAN-stacking network, once the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
TPID 0x8100 on E-Series TeraScale Systems E-Series TeraScale treats TPID 0x8100 as a normal VLAN even when on the outer tag. E-Series TeraScale makes forwarding decisions based strictly on the protocol type, without regard for whether the port is an access port. Therefore, when the outer tag has TPID 0x8100, the system does not remove it from frames egressing an access port. Still, although the frames cannot be decapsulated, the system is able to switch them.
Figure 49-5. First-byte TPID Match on the E-Series ExaScale (figure: R1, an E-Series TeraScale with TPID 0x9191, connects Building D to a service provider network carrying VLAN GREEN and VLAN BLUE toward the Internet)
FTOS Behavior: The E-Series ExaScale and TeraScale forward frames with TPID 0x8100 even when their own TPID is not 0x8100. This behavior is required to service ARP and PVST packets, which use TPID 0x8100.
VLAN Stacking with C-Series and S-Series The default TPID for the outer VLAN tag is 0x9100. Beginning with FTOS version 8.2.1.0, both the C-Series and S-Series allow you to configure both bytes of the 2-byte TPID. Previous versions allowed you to configure the first byte only, and thus, the systems did not differentiate between TPIDs with a common first byte. For example 0x8100 and any other TPID beginning with 0x81 were treated as the same TPID, as shown in Figure 49-6. Versions 8.2.1.
Figure 49-7. Single and Double-tag First-byte TPID Match on C-Series and S-Series (figure: R1 and R2, C-Series with FTOS earlier than 8.2.1.0, and R3, a C-Series with FTOS 8.2.1.0 or later, all with TPID 0x8181, carrying the DEFAULT VLAN and VLANs RED, GREEN, BLUE and PURPLE)
Table 49-2, "C-Series and S-Series Behaviors for Mis-matched TPID," in Service Provider Bridging details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series.
Table 49-2. C-Series and S-Series Behaviors for Mis-matched TPID
Columns: Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-8.2.1.0 | 8.2.1.
VLAN Stacking Packet Drop Precedence
VLAN Stacking Packet Drop Precedence is available only on the C-Series and S-Series.
The Drop Eligible Indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
Enable Drop Eligibility
You must enable Drop Eligibility globally before you can honor or mark the DEI value.
Task: Make packets eligible for dropping based on their DEI value.
Task: Honor the incoming DEI value by mapping it to an FTOS drop precedence. You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green. Command: dei honor {0 | 1} {green | red | yellow} (INTERFACE mode)
Display the DEI-honoring configuration.
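The tag fields and the two behaviors described above, as an added example (this is not FTOS code). It builds and parses an Ethernet frame carrying an outer S-Tag (TPID 0x9100, the FTOS default) and an inner C-Tag (TPID 0x8100), exposing PCP, DEI/CFI and VID from the 16-bit TCI. On top of the parser it models the TPID comparison from VLAN Stacking in Multi-vendor Networks, where C-Series and S-Series before FTOS 8.2.1.0 compare only the first byte of the TPID while 8.2.1.0 and later compare both bytes, and the dei honor mapping from this section, where DEI 0 and 1 map to a drop precedence color and an unmapped value is green. The MAC addresses are the ones that appear elsewhere on this page; the VIDs, the dot1p values and the payload are constructed.

```python
"""Q-in-Q tag parsing, TPID matching and DEI honoring (added example, not FTOS code)."""
import struct
from typing import Dict, List, Tuple

TPID_CTAG = 0x8100
TPID_STAG_DEFAULT = 0x9100        # FTOS default outer TPID (from the page)
TPID_STAG_8021AD = 0x88A8         # the 802.1ad value, seen from other vendors


def make_tag(tpid: int, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte tag: TPID, then TCI laid out as PCP:3 | DEI(CFI):1 | VID:12."""
    if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad tag field")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst: bytes, src: bytes, tags: List[bytes], ethertype: int, payload: bytes) -> bytes:
    return dst + src + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes,
                tpids: Tuple[int, ...] = (TPID_CTAG, TPID_STAG_DEFAULT, TPID_STAG_8021AD)) -> Dict[str, object]:
    """Peel every leading tag whose TPID is in `tpids`; tags are listed outermost first.

    A TPID the receiver does not know stops the loop and is returned as the
    ethertype, which is exactly the mismatch case the page describes.
    """
    dst, src, i, tags = frame[:6], frame[6:12], 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[i:i + 2])
        if ethertype not in tpids:
            break
        (tci,) = struct.unpack("!H", frame[i + 2:i + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        i += 4
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype, "payload": frame[i + 2:]}


def tpid_matches(frame_tpid: int, system_tpid: int, full_match: bool) -> bool:
    """full_match=False is the pre-8.2.1.0 C/S-Series rule: only the first byte is compared."""
    if full_match:
        return frame_tpid == system_tpid
    return (frame_tpid >> 8) == (system_tpid >> 8)


def honor_dei(tag: Dict[str, object], dei_map: Dict[int, str]) -> str:
    """dei honor {0|1} {green|red|yellow}; a DEI value with no mapping is colored green."""
    return dei_map.get(int(tag["dei"]), "green")


# Constructed double-tagged frame: outer S-Tag VID 300 with DEI set, inner C-Tag VID 10.
FRAME = build_frame(bytes.fromhex("00005e000101"), bytes.fromhex("0001e801cbb4"),
                    [make_tag(TPID_STAG_DEFAULT, 300, pcp=5, dei=1), make_tag(TPID_CTAG, 10, pcp=3)],
                    0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for tag in parse_frame(FRAME)["tags"]:
        print(tag, "->", honor_dei(tag, {1: "yellow"}))
```

Calling parse_frame with only 0x8100 in tpids reproduces the mismatch outcome from Table 49-2: the 0x9100 outer tag is not recognized, no tag is peeled, and the frame is handled as an unknown ethertype.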
Dynamic Mode CoS for VLAN Stacking
Dynamic Mode CoS for VLAN Stacking is available only on the C-Series and S-Series.
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS.
FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration.
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly:
Step 1: Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
• vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp.
• vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
Figure 49-10. VLAN Stacking without L2PT (figure: Building A and Building B, each running spanning tree, are connected through a service provider network configured with no spanning-tree; a BPDU with destination MAC address 01-80-C2-00-00-00 is not carried across the provider network)
You might need to transport control traffic transparently through the intermediate network to the other region.
Figure 49-11. VLAN Stacking with L2PT (figure: the same two spanning-tree regions connected through a service provider network configured with no spanning-tree, with BPDUs tunneled across it)
Specify a Destination MAC Address for BPDUs
By default, FTOS uses a Force10-unique MAC address for tunneling BPDUs. You can configure another value.
Task: Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network. Default: 01:01:e8:00:00:00. Command: protocol-tunnel destination-mac (CONFIGURATION mode)
Rate-limit BPDUs on the E-Series
In order to rewrite the destination MAC address on BPDUs, they are forwarded to the RPM.
Debug Layer 2 Protocol Tunneling
Task: Display debugging information for L2PT. Command: debug protocol-tunnel (EXEC Privilege mode)
Provider Backbone Bridging
Provider Backbone Bridging is supported only on the C-Series and S-Series.
IEEE 802.1ad, Provider Bridges, amends 802.1Q, Virtual Bridged Local Area Networks, so that service providers can use 802.
50 sFlow
sFlow is supported on the C-Series, E-Series and S-Series. sFlow is supported on the E-Series ExaScale with FTOS 8.1.1.0 and later.
Configuring sFlow:
• Enable and Disable sFlow
• sFlow Show Commands
• Configure Collectors
• Polling Intervals
• Sampling Rate
• Back-off Mechanism
• sFlow on LAG ports
• Extended sFlow
Overview
FTOS supports sFlow version 5. sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic.
Figure 50-1. sFlow Traffic Monitoring System (figure: the sFlow Agent in the switch/router polls interface counters and takes flow samples from the switch ASIC, and sends sFlow datagrams to the sFlow Collector)
Implementation Information
Dell Force10's sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe.
• FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount.
• Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
• The dropEvent counter, in the sFlow packet, will always be zero.
sFlow Show Commands
FTOS includes the following sFlow display commands:
• Show sFlow Globally
• Show sFlow on an Interface
• Show sFlow on a Line Card
Show sFlow Globally
Use the following command to view sFlow statistics:
Command Syntax: show sflow
Command Mode: EXEC
Purpose: Display sFlow configuration information and statistics.
The configuration shown in the example in Show sFlow Globally is also displayed in the running configuration:
FTOS#show running-config interface gigabitethernet 1/16
!
interface GigabitEthernet 1/16
 no ip address
 mtu 9252
 ip mtu 9234
 switchport
 sflow enable
 sflow sample-rate 8192
 no shutdown
Show sFlow on a Line Card
Use the following command to view sFlow statistics on a specified line card:
Command Syntax: show sflow linecard slot-number
Command Mode: EXEC
Purpose: Display sFlow configuration informat
Polling Intervals
The sflow polling-interval command configures, for an interface, the maximum number of seconds between successive counter samples sent to the collector. This command changes the global default counter polling interval (20 seconds). You can configure an interface to use a different polling interval.
Sub-sampling
Sub-sampling is available only on the E-Series TeraScale.
The sFlow sample rate is not the frequency of sampling, but the number of packets that are skipped before the next sample is taken. Although a sampling rate can be configured for each port, TeraScale line cards can support only a single sampling rate per port-pipe. Therefore, the sFlow Agent uses sub-sampling to create multiple sampling rates per port-pipe.
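A model of sub-sampling on one port-pipe, as an added example (this is not FTOS code). Two things here are assumptions, because the page states the mechanism but not the arithmetic: that the hardware runs the port-pipe at the lowest rate configured on any of its ports, and that for a port whose configured rate is k times that hardware rate the agent forwards every k-th hardware sample and discards the rest. Those discards are what the "sFlow samples dropped due to sub-sampling" counter in the show sflow output reports. Rates are 1-in-N; Gi 1/16 uses the sample-rate 8192 from the running-config example earlier in this chapter, the second port and the traffic volumes are constructed.

```python
"""Sub-sampling with one hardware rate per port-pipe (added example, not FTOS code)."""
from typing import Dict, Iterable, Tuple


class PortPipeSampler:
    def __init__(self, configured_rates: Dict[str, int]):
        if any(r < 1 for r in configured_rates.values()):
            raise ValueError("sample rates must be >= 1")
        self.configured = dict(configured_rates)
        # Assumption: the hardware samples the whole pipe at the lowest configured rate.
        self.hw_rate = min(configured_rates.values())
        # Sub-sampling ratio per port. A rate that is not a multiple of the hardware
        # rate rounds down, so that port is sampled slightly more often than asked.
        self.ratio = {p: max(1, r // self.hw_rate) for p, r in configured_rates.items()}
        self.packets = {p: 0 for p in configured_rates}
        self.hw_samples = {p: 0 for p in configured_rates}
        self.exported = {p: 0 for p in configured_rates}
        self.dropped = {p: 0 for p in configured_rates}     # "dropped due to sub-sampling"

    def packet(self, port: str) -> bool:
        """Account one packet on `port`; return True if it is exported to the collector."""
        self.packets[port] += 1
        if self.packets[port] % self.hw_rate:            # not a hardware sample
            return False
        self.hw_samples[port] += 1
        if self.hw_samples[port] % self.ratio[port]:     # hardware sample, sub-sampled away
            self.dropped[port] += 1
            return False
        self.exported[port] += 1
        return True

    def effective_rate(self, port: str) -> float:
        """Packets per exported sample actually achieved on the port."""
        return self.packets[port] / self.exported[port] if self.exported[port] else float("inf")


def simulate(configured_rates: Dict[str, int], traffic: Iterable[Tuple[str, int]]) -> PortPipeSampler:
    """Push `count` packets per (port, count) entry through one port-pipe sampler."""
    sampler = PortPipeSampler(configured_rates)
    for port, count in traffic:
        for _ in range(count):
            sampler.packet(port)
    return sampler


if __name__ == "__main__":
    # Two ports sharing a port-pipe; traffic volumes are constructed.
    s = simulate({"Gi 1/16": 8192, "Gi 1/17": 32768}, [("Gi 1/16", 65536), ("Gi 1/17", 65536)])
    for port in s.configured:
        print(port, "exported", s.exported[port], "dropped by sub-sampling", s.dropped[port])
```

The effect to notice is that the port with the larger configured rate still consumes hardware samples at the pipe's lowest rate; three of every four of its samples are taken and then thrown away, so lowering one port's rate raises the sampling load for every port on the same pipe.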
sFlow on LAG ports
When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port.
Extended sFlow
Extended sFlow is supported fully on the E-Series. The C-Series and S-Series support extended-switch information processing only.
Extended sFlow packs additional information in the sFlow datagram depending on the type of sampled packet. The following options can be enabled:
• extended-switch: 802.1Q VLAN ID and 802.
Global default sampling rate: 32768
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling

Important Points to Remember
• The IP destination address has to be learned via BGP in order to export extended-gateway data, prior to FTOS version 7.8.1.0.
51 Simple Network Management Protocol

Simple Network Management Protocol is supported on platforms ces
SNMP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later.

Note: On Dell Force10 routers, standard and private SNMP MIBs are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).

Protocol Overview

Network management stations use Simple Network Management Protocol (SNMP) to retrieve or alter management data from network elements.
View your SNMP configuration using the command show running-config snmp from EXEC Privilege mode, as shown in the following example.

FTOS#snmp-server community my-snmp-community ro
22:31:23: %RPM1-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
FTOS#do show running-config snmp
!
snmp-server community mycommunity ro
FTOS#

Read Managed Object Values

You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent.
Write Managed Object Values

You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. To write or write-over the value of a managed object:

Task: Write or write-over the value of a managed object, as shown in the example below.
Command: snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance}

> snmpset -v 2c -c mycommunity 10.11.131.
Subscribe to Managed Object Value Updates using SNMP

By default, the Dell Force10 system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.
Table 51-2. Dell Force10 Enterprise-specific SNMP Traps

Command Option: envmon
Trap Examples:
  CARD_SHUTDOWN: %sLine card %d down - %s
  CARD_DOWN: %sLine card %d down - %s
  LINECARDUP: %sLine card %d is up
  CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
Table 51-2. Dell Force10 Enterprise-specific SNMP Traps (Continued)
Table 51-2. Dell Force10 Enterprise-specific SNMP Traps (Continued)

Command Option: vrrp, ecfm
Trap Examples:
  %VRRP-6-VRRP_MASTER: MASTER.
  %VRRP-6-VRRP_MASTER: leaving MASTER
  %VRRP-6-VRRP_MASTER: ing MASTER.
  %VRRP-6-VRRP_MASTER: ing MASTER.
  %VRRP-6-VRRP_BACKUP: BACKUP.
  %VRRP-6-VRRP_BACKUP: ing BACKUP.
The relevant MIBs for these functions are:

Table 51-3. MIB Objects for Copying Configuration Files via SNMP

MIB Object: copySrcFileType
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.2
Object Values: 1 = FTOS file, 2 = running-config, 3 = startup-config
Description: Specifies the type of file to copy from. Valid values are:
• If the copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash.
Table 51-3. MIB Objects for Copying Configuration Files via SNMP (Continued)

MIB Object: copyUserName
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.9
Object Values: Username for the server.
Description: Username for the FTP, TFTP, or SCP server.
• If the copyUserName is specified, so must copyUserPassword.

MIB Object: copyUserPassword
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.10
Object Values: Password for the server.
Description: Password for the FTP, TFTP, or SCP server.
Note: In Unix, enter the command snmpset for help using this command. Place the file f10-copy-config.mib in the directory from which you are executing the snmpset command or in the snmpset tool path.

Table 51-4. Copying Configuration Files via SNMP

Task: Copy the running-config to the startup-config using the following command from the Unix machine:

snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileType.
Table 51-4. Copying Configuration Files via SNMP (Continued)

Task:

snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileName.index s filepath/filename copyDestFileLocation.index i 4 copyServerAddress.index a server-ip-address copyUserName.index s server-login-id copyUserPassword.index s server-login-password

• server-ip-address must be preceded by the keyword a.
Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 8.

Table 51-5. MIB Objects for Copying Configuration Files via SNMP

MIB Object: copyState
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.11
Values: 1 = running, 2 = successful, 3 = failed
Description: Specifies the state of the copy operation.

MIB Object: copyTimeStarted
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.1.12
Values: Time value
Description: Specifies the point in the up-time clock that the copy operation started.

MIB Object: copyTimeCompleted
OID: .1.3.6.1.4.1.6027.3.5.
The first example shows the command syntax using MIB object names, and the second example shows the same command using the object OIDs. In both cases, the object is followed by the same index number used in the snmpset command.

Obtaining MIB Object Values for a Copy Operation using Object-name Syntax

> snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.110
FORCE10-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.
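The snmpget output above is what a script would read back to decide whether a copy triggered through the copy-config MIB finished. The following parser is an added example and not Dell Force10 code: it interprets copyState using the values in Table 51-5 and turns the two Timeticks values (hundredths of a second of agent up-time) into a duration. The sample output is constructed in the same object-name syntax as the page's example; the tick values and the function names are made up.

```python
"""Interpret copyState / copyTimeStarted / copyTimeCompleted from snmpget output.

Added example, not Dell Force10 code. Sample output below is constructed.
"""
import re

# copyState values from Table 51-5.
COPY_STATE = {1: "running", 2: "successful", 3: "failed"}

# Matches net-snmp lines such as
#   FORCE10-COPY-CONFIG-MIB::copyState.110 = INTEGER: 2
#   FORCE10-COPY-CONFIG-MIB::copyState.110 = INTEGER: successful(2)   (MIB loaded)
#   FORCE10-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.31
LINE_RE = re.compile(
    r"^\S+::(?P<object>copy\w+)\.(?P<index>\d+)\s*=\s*"
    r"(?:INTEGER:\s*(?:\w+\()?(?P<int>\d+)\)?"
    r"|Timeticks:\s*\((?P<ticks>\d+)\))"
)

# Constructed sample: one completed copy (index 110) and one still running (index 5).
SAMPLE_OUTPUT = """\
FORCE10-COPY-CONFIG-MIB::copyState.110 = INTEGER: 2
FORCE10-COPY-CONFIG-MIB::copyTimeStarted.110 = Timeticks: (1179114) 3:16:31.14
FORCE10-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.31
FORCE10-COPY-CONFIG-MIB::copyState.5 = INTEGER: running(1)
FORCE10-COPY-CONFIG-MIB::copyTimeStarted.5 = Timeticks: (1180000) 3:16:40.00
"""


def parse_copy_status(text):
    """Return {index: {object_name: integer value}} from snmpget output lines."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # unrelated line, ignore it
        value = int(m.group("int")) if m.group("int") is not None else int(m.group("ticks"))
        rows.setdefault(int(m.group("index")), {})[m.group("object")] = value
    return rows


def summarize_copy(row):
    """Turn the objects of one copy index into a status dictionary."""
    state = COPY_STATE.get(row.get("copyState"), "unknown")
    started = row.get("copyTimeStarted")
    completed = row.get("copyTimeCompleted")
    duration = None
    if state in ("successful", "failed") and started is not None and completed is not None:
        duration = (completed - started) / 100.0     # Timeticks are 1/100 s
    return {
        "state": state,
        "finished": state in ("successful", "failed"),   # False while still running
        "duration_seconds": duration,
    }


def copy_summary(text):
    return {index: summarize_copy(row) for index, row in parse_copy_status(text).items()}


if __name__ == "__main__":
    for index, status in copy_summary(SAMPLE_OUTPUT).items():
        print(index, status)
```

A caller polls copyState until "finished" is true and only then trusts copyTimeCompleted; the parser accepts both the plain integer and the MIB-decoded enumeration form so it does not depend on f10-copy-config.mib being loaded on the management station.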
Display the Ports in a VLAN

FTOS identifies VLAN interfaces using an interface index number that is displayed in the output of the command show interface vlan, as shown in the example below.

FTOS(conf)#do show interface vlan id 10
% Error: No such interface name.
The example above shows the output for an S-Series. All hex pairs are 00, indicating that no ports are assigned to VLAN 10. In the example below, Port 0/2 is added to VLAN 10 as untagged, and the first hex pair changes from 00 to 04.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
.1.3.6.1.2.1.17.7.1.4.3.1.4.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SNMPv2-SMI::mib-2.17.7.1.4.3.
Fetch Dynamic MAC Entries using SNMP

Dell Force10 supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.

Note: The 802.1q Q-BRIDGE MIB defines VLANs with regard to 802.1d, as 802.1d itself does not define them. As a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address queries.
In the example below, GigabitEthernet 1/21 is moved to VLAN 1000, a non-default VLAN. Use the dot1qTpFdbTable objects to fetch the MAC addresses learned on non-default VLANs. The instance number is the VLAN number concatenated with the decimal conversion of the MAC address.
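Two pieces of the Q-BRIDGE MIB are used in the VLAN and MAC examples above: the PortList hex strings returned for a VLAN's port membership, and the dot1qTpFdbTable instance built from the VLAN number and the MAC address. The helpers below are an added example and not Dell Force10 code. The PortList layout follows RFC 2674 (in each octet the most significant bit is the lowest-numbered bridge port, so the "40 00 ..." Hex-STRING from the output above decodes to bridge port 2); translating a bridge port number to an interface name such as Port 0/2 needs dot1dBasePortIfIndex and is not done here. The function names and sample values are constructed.

```python
"""Q-BRIDGE MIB helpers: PortList decode/encode and dot1qTpFdbTable instances.

Added example, not Dell Force10 code.
"""


def decode_portlist(hex_string):
    """Return the 1-based bridge port numbers set in a Hex-STRING PortList.

    Octet 0 bit 7 (0x80) is port 1, octet 0 bit 0 is port 8, octet 1 bit 7 is port 9, ...
    """
    octets = bytes.fromhex(hex_string.replace(" ", ""))
    ports = []
    for i, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(i * 8 + bit + 1)
    return ports


def encode_portlist(ports, length):
    """Build the Hex-STRING PortList of `length` octets for the given bridge ports.

    This is the value form used with snmpset -t x (or the 'x' type letter) above.
    """
    octets = bytearray(length)
    for port in ports:
        if not 1 <= port <= 8 * length:
            raise ValueError(f"port {port} does not fit in {length} octets")
        octets[(port - 1) // 8] |= 0x80 >> ((port - 1) % 8)
    return " ".join(f"{o:02X}" for o in octets)


def fdb_instance(vlan_id, mac):
    """dot1qTpFdbTable instance: VLAN id followed by the six MAC octets in decimal."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"unexpected MAC format: {mac}")
    return ".".join([str(vlan_id)] + [str(int(o, 16)) for o in octets])


def parse_fdb_instance(instance):
    """Inverse of fdb_instance: return (vlan_id, 'aa:bb:cc:dd:ee:ff')."""
    parts = instance.split(".")
    if len(parts) != 7:
        raise ValueError(f"unexpected instance: {instance}")
    vlan_id = int(parts[0])
    mac = ":".join(f"{int(p):02x}" for p in parts[1:])
    return vlan_id, mac


if __name__ == "__main__":
    # Constructed values: the PortList shown on the page and a made-up MAC in VLAN 1000.
    print(decode_portlist("40 00 00 00"))
    print(fdb_instance(1000, "00:01:e8:13:a5:c7"))
```

The encoder is handy for checking what a PortList written with snmpset will actually contain before it is sent, and the decoder for turning a walk of dot1qVlanStaticEgressPorts into a per-VLAN port list that can be compared against the intended configuration.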
Figure 51-1.
Monitor Port-channels

To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). Below, Po 1 is a switchport and Po 2 is in Layer 3 mode.

[senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.1 = Hex-STRING: 00 01 E8 13 A5 C7
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Po 1"
2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500932) 23:36:49.32
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.
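The linkDown/linkUp traps above arrive at the management station as one snmptrapd log line per trap, with the var-binds run together. The parser below is an added example, not Dell Force10 code: it splits such lines into structured events and replays them to obtain the last known state of each port-channel. The two sample log lines are constructed after the page's output (the first timestamp, the up-time and the content of the second trap are made up), and the function names are assumptions.

```python
"""Parse snmptrapd one-line trap logs into events and track interface state.

Added example, not Dell Force10 code. SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime

SAMPLE_LOG = (
    '2010-02-10 14:22:35 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500432) 23:36:44.32\t'
    'SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown\tIF-MIB::ifIndex.1107755009 = INTEGER: 1107755009\t'
    'SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Po 1"\n'
    '2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNM Pv2-MIB::sysUpTime.0 = Timeticks: (8500932) 23:36:49.32 '
    'SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 '
    'SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1"\n'
).replace("SNM Pv2", "SNMPv2")

# "YYYY-MM-DD HH:MM:SS host [ip]: <var-binds>"
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<rest>.*)$"
)
# A var-bind starts with MODULE::name[.index] followed by " = "; split on the
# whitespace before it so tab- and space-separated output both work.
VARBIND_SPLIT_RE = re.compile(r"\s+(?=[\w-]+::\S+ = )")
VARBIND_RE = re.compile(r"^(?P<name>[\w-]+::\S+) = (?P<type>[\w-]+): (?P<value>.*)$")


def parse_varbinds(text):
    binds = {}
    for chunk in VARBIND_SPLIT_RE.split(text):
        m = VARBIND_RE.match(chunk.strip())
        if m:
            binds[m.group("name")] = (m.group("type"), m.group("value").strip('"'))
    return binds


def parse_trap_line(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    binds = parse_varbinds(m.group("rest"))
    trap = binds.get("SNMPv2-MIB::snmpTrapOID.0", ("", ""))[1]
    ifindex = next((int(v) for n, (_, v) in binds.items() if n.startswith("IF-MIB::ifIndex.")), None)
    message = next((v for n, (_, v) in binds.items()
                    if n.startswith("SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2")), "")
    # FTOS puts the interface name after the last ": " of the message text.
    interface = message.rsplit(": ", 1)[-1] if ": " in message else None
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "agent": m.group("ip"),
        "trap": trap.split("::")[-1],
        "ifindex": ifindex,
        "message": message,
        "interface": interface,
    }


def parse_trap_log(text):
    return [e for e in (parse_trap_line(line) for line in text.splitlines()) if e]


def interface_states(events):
    """Replay linkDown/linkUp traps in order; return the last known state per interface."""
    state = {}
    for e in events:
        if e["trap"] in ("linkDown", "linkUp") and e["interface"]:
            state[(e["agent"], e["interface"])] = "down" if e["trap"] == "linkDown" else "up"
    return state


if __name__ == "__main__":
    events = parse_trap_log(SAMPLE_LOG)
    for e in events:
        print(e["time"], e["agent"], e["trap"], e["interface"])
    print(interface_states(events))
```

Keying the state on the agent address as well as the interface name matters once more than one chassis reports into the same collector, since Po 1 exists on all of them.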
52 SONET/SDH

SONET/SDH is supported on platform e
SONET/SDH is supported on the E-Series ExaScale platform with FTOS 8.1.1.2 and later.

FTOS supports two line cards with SONET—Packet-Over-SONET (POS) and PPP-over-SONET/SDH.
Configuring POS Interfaces

POS interfaces require several configuration considerations, including:
• Encapsulation
• MTU
• Clock Settings

Encapsulation

The E-Series’ POS line card requires PPP encapsulation. A SONET interface without encapsulation is always administratively down. Packet Over SONET interfaces require several configuration considerations.
Configuring Maximum Transmission Unit (MTU)

Maximum Transmission Unit is an integer value that represents the greatest number of bytes that any given interface on the system can handle. MTU settings allow the router to determine if a large packet needs to be fragmented before transmission. PPP must be enabled on a SONET interface before the MTU can be configured. MTU size can be changed in INTERFACE mode by entering the command mtu size.
The following example displays the active alarms for the interface.
E-Series POS and 10GE WAN interfaces support the SONET alarms shown in Table 52-1, "Supported SONET Alarms," in SONET/SDH:
• Section alarms—SLOS, SLOF
• Line alarms—AIS, RDI, FEBE(REI), SD, SF
• Path alarms—AIS, RDI, FEBE(REI), LOP

Since the E-Series is Terminal Equipment (TE), it must support the alarms in Table 52-1, "Supported SONET Alarms," in SONET/SDH.

Table 52-1.
Task: Specify which POS/SDH alarms to report to the remote SNMP server.
Command Syntax: alarm-report {lais | lrdi | pais | plop | prdi | sd-ber | sf-ber | slof | slos}
Command Mode: INTERFACE

To view active alarms and defects, use the show controllers sonet command in EXEC Privilege mode.

Note: Historical data is not saved. The command output shows current information only.

Table 52-2.
SONET Syslog Example

Syslog messages are generated for Critical, Major, and Minor alarm conditions detected on a SONET interface according to the alarm hierarchy. For example, if a critical alarm condition is detected, a Syslog message is reported for the critical condition, but not for any major and minor alarms that may also be found. If a minor alarm condition is detected, a major or critical condition may also be reported.
SONET Port Recovery Mechanism

This feature automatically clears a condition that could cause a SONET port to hang and stop sending and receiving data. When enabled, FTOS continuously polls status registers on SONET line cards. A port hang is declared when backpressure is detected on the port, and the port is brought down and then back up to clear the condition. The default detection interval is 60 seconds.
SONET Traps

Table 52-4, "SONET Traps and OIDs," in SONET/SDH describes the SONET traps supported in the Force10-specific MIB.

Table 52-4. SONET Traps and OIDs

Trap: SONET_S_LOS (Section Loss of Signal)
OID: 1.3.6.1.4.1.6027.3.3.2.2.0.1
Trap Object: alarm state (1.3.6.1.4.1.6027.3.3.1.2.1.1.3), alarm type (1.3.6.1.4.1.6027.3.3.1.2.1.1.2), ifindex (1.3.6.1.4.1.6027.3.3.1.2.1.1.4), slot (1.3.6.1.4.1.6027.3.3.1.2.1.1.5), port (1.3.6.1.4.1.6027.3.3.1.2.1.1.6)

Trap: SONET_S_LOF (Section Loss of Frame)
OID: 1.3.6.1.4.1.6027.3.3.2.
Table 52-4. SONET Traps and OIDs (Continued)

Trap: SONET_P_RDI (Path Remote Defect Indication)
OID: 1.3.6.1.4.1.6027.3.3.2.2.0.18
Trap Object: alarm state (1.3.6.1.4.1.6027.3.3.1.2.1.1.3), alarm type (1.3.6.1.4.1.6027.3.3.1.2.1.1.2), ifindex (1.3.6.1.4.1.6027.3.3.1.2.1.1.4), slot (1.3.6.1.4.1.6027.3.3.1.2.1.1.5), port (1.3.6.1.4.1.6027.3.3.1.2.1.1.6)

Trap: SONET_P_FEBE (Path Far-end Background Block Errors)
OID: 1.3.6.1.4.1.6027.3.3.2.2.0.19
Trap Object: alarm state (1.3.6.1.4.1.6027.3.3.1.
Table 52-4. SONET Traps and OIDs (Continued)

Trap: SONET_SD_BER (Signal Degrade Bit Error Rate)
OID: 1.3.6.1.4.1.6027.3.3.2.2.0.27
Trap Object: alarm state (1.3.6.1.4.1.6027.3.3.1.2.1.1.3), alarm type (1.3.6.1.4.1.6027.3.3.1.2.1.1.2), ifindex (1.3.6.1.4.1.6027.3.3.1.2.1.1.4), slot (1.3.6.1.4.1.6027.3.3.1.2.1.1.5), port (1.3.6.1.4.1.6027.3.3.1.2.1.1.6)

Trap: SONET_SF_BER (Signal Failure Bit Error Rate)
OID: 1.3.6.1.4.1.6027.3.3.2.2.0.28
Trap Object: alarm state (1.3.6.1.4.1.6027.3.3.1.2.1.1.3), alarm type (1.3.6.1.4.1.6027.3.3.1.2.1.
53 Stacking S-Series Switches

Stacking S-Series Switches is supported on platform s

Note: S-Series Stacking is not supported on the S60 system.

This chapter contains the following sections:
• S-Series Stacking Overview
• Important Points to Remember
• S-Series Stacking Configuration Tasks

S-Series Stacking Overview

Up to eight S-Series systems can be interconnected so that all of the units function as a single unit.
Stack-unit State: Active
Stack-unit SW Version: 7.8.1.0
Link to Peer: Up

-- PEER Stack-unit Status ------------------------------------------------
Stack-unit State: Standby
Peer stack-unit ID: 2
Stack-unit SW Version: 7.8.1.
1 Management online S50N S50N
2 Member online S50V S50V
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Member not present

Stack#show system stack-unit 0 | grep priority
Master priority : 0
Stack#show system stack-unit 1 | grep priority
Master priority : 0
Stack#show system stack-unit 2 | grep priority
Master priority : 0
Stack#show system stack-unit 0|
Burned In MAC :
Stack#show system
Burned In MAC :
Stack#show system
Burned In MAC :
Stack#show system
Burned In MAC :
5 Member not present
6 Member not present
7 Member not present
[output omitted]

Standalone#show system | grep priority
Master priority : 0

-----------------------------STACK BEFORE CONNECTION---------------------------------
Stack#show system brief
Stack MAC : 00:01:e8:d5:f9:6f
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
--------------------------------------------------------------------------
0 Standby online S50V S50V 7.8.1.
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Member not present

Adding a Standalone with a Lower MAC Address but Higher Priority to a Stack—Before

-----------------------STANDALONE BEFORE CONNECTION---------------------------------
Standalone#show system brief
Stack MAC : 00:01:e8:d5:ef:81
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
--------------------------------------------------------------------------
0 Member not present S50V
1 Member not
Stack#3w1d15h: %STKUNIT1-M:CP %POLLMGR-2-ALT_STACK_UNIT_STATE: Alternate Stack-unit is not present
3w1d15h: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present
Going for reboot.
Important Points to Remember
• You may stack up to eight S-Series systems.
• You may stack any combination of S-Series models.
• You may not connect 12G and 24G stack ports.
• All stack units must have the same version of FTOS.
Facing the rear of an S-Series unit, stack ports are numbered from left to right, beginning with the highest Ethernet port number (n) plus 1. For example, for a 48-port unit with two 12-Gigabyte stacking modules, the stack ports are 49, 50, 51, and 52, starting from the left.

To add a unit to an existing stack:

Step 1. Verify that each unit has the same FTOS version prior to stacking them together.
Displaying the S-Series Stacking Topology

FTOS#show system stack-ports
Topology: Ring
Interface Connection Link Speed Admin  Link   Trunk
                     (Gb/s)     Status Status Group
-----------------------------------------------------------------
0/51      2/51       12         up     up
0/52      1/50       12         up     up
1/49      2/52       12         up     up
1/50      0/52       12         up     up
2/51      0/51       12         up     up
2/52      1/49       12         up     up

Stacking Cable Redundancy

You can connect two units with two stacking cables as shown in, in case of a stacking port, module, or cable failure.
Three configurable system variables affect how a new unit joins a stack: priority, stack number, and provision.
• Depending on which has the higher priority, either the standalone unit or the entire stack reloads (excluding the new unit).
4 Member not present
5 Member not present
6 Member not present
7 Member not present
[output omitted]

-----------------------------STACK BEFORE CONNECTION---------------------------------
Stack#show system brief
Stack MAC : 00:01:e8:d5:f9:6f
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
--------------------------------------------------------------------------
0 Member not present
1 Management online S50N S50N 7.8.1.0 52
2 Standby online S50V S50V 7.8.1.
Adding a Stack Unit with a Conflicting Stack Provision—Before

------------------------STANDALONE BEFORE CONNECTION---------------------------------
Standalone#show system brief
Stack MAC : 00:01:e8:d5:ef:81
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
--------------------------------------------------------------------------
0 Management online S50V S50V 7.8.1.
1 Management online S50N S50N 7.8.1.0 52
2 Standby online S50V S50V 7.8.1.0 52
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Member not present
[output omitted]

Remove a Unit from an S-Series Stack

The running-configuration and startup-configuration are synchronized on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit.
Unit UnitType Status ReqTyp CurTyp Version Ports
--------------------------------------------------------------------------
0 Member not present S50V
1 Member not present S50N
2 Management online S50V S50V 7.8.1.
Split an S-Series Stack

To split a stack, unplug the desired stacking cables. You may do this at any time, whether the stack is powered or unpowered, and the units are online or offline. Each portion of the split stack retains the startup and running configuration of the original stack. For a parent stack that is split into two child stacks, A and B, each with multiple units:
• If one of the new stacks receives the primary and the secondary management units, it is unaffected by the split.
Create a Virtual Stack Unit on an S-Series Stack

Use virtual stack units to configure ports on the stack before adding a new unit, or to prevent FTOS from assigning a particular stack-number.

Task: Create a virtual stack unit.
-- Module 0 --
Status : not present
-- Module 1 --
Status        : online
Module Type   : S50-01-12G-2S - 2-port 12G Stacking (SB)
Num Ports     : 2
Hot Pluggable : no
-- Power Supplies --
Unit Bay Status Type
--------------------------------------------------------------------------
0    0   up     AC
0    1   absent
-- Fan Status --
Unit TrayStatus Speed Fan0 Fan1 Fan2 Fan3 Fan4 Fan5
-------------------------------------------------------------------------------
0    up         low   up   up   up   up   up   up

Displaying Information about an S-Series Stack—s
Manage Redundancy on an S-Series Stack

Task: Reset the current management unit, and make the secondary management unit the new primary. A new secondary is elected, and when the former stack manager comes back online, it becomes a member unit.
Command Syntax: redundancy force-failover stack-unit
Command Mode: EXEC Privilege

Task: Prevent the stack manager from rebooting after a failover. This command does not affect a forced failover, manual reset, or a stack-link disconnect.
Recover from Stack Link Flaps

S-Series Stack Link Integrity Monitoring enables units to monitor their own stack ports, and disable any stack port that flaps five times within 10 seconds. FTOS displays console messages on the local and remote members of a flapping link, and on the primary and secondary management units as KERN-2-INT messages if the flapping port belongs to either of these units. In the following example, a stack-port on the manager flaps.
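The five-flaps-in-ten-seconds rule is a sliding-window counter, and the same logic is useful off-box when deciding from a console or syslog feed whether a stack port is about to be disabled. The monitor below is an added example and not FTOS code. The page gives only the threshold and the window; it is assumed here that every link state change counts as one flap and that a disabled port stays disabled until an operator intervenes. The class name, the port names and the event list are constructed.

```python
"""Stack Link Integrity Monitoring as a sliding-window flap counter.

Added example, not FTOS code. Threshold and window are from the page; the
definition of a flap (any link state change) is an assumption.
"""
from collections import deque


class StackLinkMonitor:
    def __init__(self, max_flaps=5, window_seconds=10.0):
        self.max_flaps = max_flaps
        self.window = window_seconds
        self.flaps = {}          # port -> deque of flap timestamps (seconds)
        self.last_state = {}     # port -> "up" or "down"
        self.disabled = set()

    def link_event(self, port, state, t):
        """Report the link state of `port` at time `t`. Returns True if the port is disabled."""
        if port in self.disabled:
            return True
        previous = self.last_state.get(port)
        self.last_state[port] = state
        if previous is None or previous == state:
            return False                 # first report, or no change: not a flap
        q = self.flaps.setdefault(port, deque())
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()                  # forget flaps that fell out of the window
        if len(q) >= self.max_flaps:
            self.disabled.add(port)      # five flaps inside the window: disable the port
            return True
        return False


def replay(events, **kwargs):
    """Feed (time, port, state) events in time order; return the disabled ports."""
    monitor = StackLinkMonitor(**kwargs)
    for t, port, state in sorted(events):
        monitor.link_event(port, state, t)
    return sorted(monitor.disabled)


# Constructed: port 0/51 changes state five times within 5 s; port 0/52 changes
# state five times but spread over 20 s, so never five inside one 10 s window.
SAMPLE_EVENTS = [
    (0.0, "0/51", "up"), (1.0, "0/51", "down"), (2.0, "0/51", "up"),
    (3.0, "0/51", "down"), (4.0, "0/51", "up"), (5.0, "0/51", "down"),
    (0.0, "0/52", "up"), (4.0, "0/52", "down"), (8.0, "0/52", "up"),
    (12.0, "0/52", "down"), (16.0, "0/52", "up"), (20.0, "0/52", "down"),
]

if __name__ == "__main__":
    print("disabled:", replay(SAMPLE_EVENTS))
```

Running the same events with a wider window shows why the window matters: with window_seconds=30 both ports would be disabled, which is the kind of false positive the 10 second bound avoids for a link that is merely being re-seated.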
Recover from a Card Mismatch State on an S-Series Stack

A card mismatch occurs if the stack has a provision for the lowest available stack number which does not match the model of a newly added unit. To recover, disconnect the new unit. Then, either:
• remove the provision from the stack, then reconnect the standalone unit, or
• renumber the standalone unit with another available stack number on the stack.
1 Management online S50N S50N 7.8.1.0
2 Standby online S50V S50V 7.8.1.
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Member not present
54 Broadcast Storm Control

Broadcast Storm Control is supported on platforms: ces

This chapter contains the following configuration topics:
• Layer 3 Broadcast Storm Control
• Layer 2 Broadcast Storm Control
• Multicast Storm Control

Storm Control Overview

FTOS Storm Control is a preventative measure against unexpectedly high rates of broadcast or multicast packets; these traffic bursts are called storms.
Broadcast Storm Control

FTOS offers Layer 3 and Layer 2 broadcast storm control.

Layer 3 Broadcast Storm Control

Layer 3 Storm Control suppresses all-hosts and subnet broadcasts if they exceed a user-defined packet rate. You can enable Storm Control for Layer 3 broadcasts from INTERFACE mode, CONFIGURATION mode, or both. Each option has a different result.
• From INTERFACE mode: Storm Control limits ingress broadcast traffic on a single interface.
Task: On the E-Series, suppress Layer 3 all-hosts and subnet broadcasts on ingress and egress if they exceed a user-defined limit.
Command Syntax: storm-control broadcast percentage partial-percentage [in | out]
Command Mode: CONFIGURATION

Task: On the C-Series and S-Series, suppress Layer 3 all-hosts and subnet broadcasts on ingress if they exceed a user-defined limit.
55 Spanning Tree Protocol

Spanning Tree Protocol is supported on platforms: ces
STP is supported on the E-Series ExaScale platform with FTOS 8.1.1.2 and later.

Protocol Overview

Spanning Tree Protocol (STP) is a Layer 2 protocol—specified by IEEE 802.1d—that eliminates loops in a bridged topology by enabling only a single path through the network.
Configuring Interfaces for Layer 2 Mode

All interfaces on all switches that will participate in Spanning Tree must be in Layer 2 mode and enabled.

Figure 55-1.
Enabling Spanning Tree Protocol Globally

Spanning Tree Protocol must be enabled globally; it is not enabled by default. To enable Spanning Tree globally for all Layer 2 interfaces:

Step 1. Enter the PROTOCOL SPANNING TREE mode.
Command Syntax: protocol spanning-tree 0
Command Mode: CONFIGURATION

Step 2. Enable Spanning Tree.
View the Spanning Tree configuration and the interfaces that are participating in STP using the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.

show spanning-tree 0 Command Example

R2#show spanning-tree 0
Executing IEEE compatible Spanning Tree Protocol
 Bridge Identifier has priority 32768, address 0001.e826.
Adding an Interface to the Spanning Tree Group

To add a Layer 2 interface to the Spanning Tree topology:

Task: Enable Spanning Tree on a Layer 2 interface.
Command Syntax: spanning-tree 0
Command Mode: INTERFACE

Removing an Interface from the Spanning Tree Group

To remove a Layer 2 interface from the Spanning Tree topology:

Task: Disable Spanning Tree on a Layer 2 interface.
Command Syntax: no spanning-tree 0
Command Mode: INTERFACE

In FTOS versions prior to 7.6.1.
Table 55-2.
Modifying Interface STP Parameters

You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port will be selected to be a forwarding port.
• Port priority influences the likelihood that a port will be selected to be a forwarding port in case several ports have the same port cost.
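How port cost and port priority interact is easiest to see by running the root-port selection that a bridge performs. The following is an added example, not FTOS code; it applies the IEEE 802.1D tie-break order: lowest root path cost (the cost carried in the received BPDU plus this port's own cost), then lowest sender bridge ID, then lowest sender port ID, and only then this switch's own port priority and port number. Own port priority therefore decides between ports that receive the same BPDU, as when two ports reach the same upstream port through a hub. The class name, port names and BPDU values are constructed.

```python
"""Root-port selection under 802.1D tie-break rules (added example, not FTOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    port_cost: int               # spanning-tree cost configured on this port
    port_priority: int           # spanning-tree priority configured on this port (lower wins)
    port_number: int
    neighbour_root_cost: int     # root path cost advertised in the BPDU received here
    neighbour_bridge_id: int     # sender's bridge ID from that BPDU
    neighbour_port_id: int       # sender's port ID from that BPDU

    @property
    def root_path_cost(self):
        return self.neighbour_root_cost + self.port_cost

    def sort_key(self):
        # 802.1D comparison order; the smallest tuple wins.
        return (self.root_path_cost, self.neighbour_bridge_id, self.neighbour_port_id,
                self.port_priority, self.port_number)


def select_root_port(candidates):
    """Return the candidate port that becomes the root (forwarding) port."""
    if not candidates:
        raise ValueError("no candidate ports")
    return min(candidates, key=Candidate.sort_key)


def ranked(candidates):
    """Port names from best to worst, i.e. the order in which they would take over."""
    return [c.name for c in sorted(candidates, key=Candidate.sort_key)]


# Constructed: three ports all receiving the same BPDU (same upstream bridge and
# port, e.g. through a hub), so only local cost and priority differ.
UPSTREAM = dict(neighbour_root_cost=0, neighbour_bridge_id=0x8000_0001E8000001, neighbour_port_id=0x8001)
SAMPLE_PORTS = [
    Candidate("Gi 0/1", port_cost=4, port_priority=128, port_number=1, **UPSTREAM),
    Candidate("Gi 0/2", port_cost=4, port_priority=16, port_number=2, **UPSTREAM),
    Candidate("Gi 0/3", port_cost=2, port_priority=128, port_number=3, **UPSTREAM),
]

if __name__ == "__main__":
    print("root port:", select_root_port(SAMPLE_PORTS).name)
    print("ranking  :", ranked(SAMPLE_PORTS))
```

Gi 0/3 wins on cost alone; between Gi 0/1 and Gi 0/2, which have equal cost, the lower priority value on Gi 0/2 makes it the preferred backup, matching the two bullet points above.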
Verify that PortFast is enabled on a port using the show spanning-tree command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in the following example.
Note: Unless the shutdown-on-violation option is enabled, spanning-tree only drops packets after a BPDU violation; the physical interface remains up, as shown below.

FTOS(conf-if-gi-0/7)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
 Root ID Priority 32768, Address 0001.e805.fb07
 Root Bridge hello time 2, max age 20, forward delay 15
 Bridge ID Priority 32768, Address 0001.e85d.
Figure 55-3. Enabling BPDU Guard

FTOS(conf-if-gi-3/41)# spanning-tree 0 portfast bpduguard shutdown-on-violation
FTOS(conf-if-gi-3/41)#show config
!
interface GigabitEthernet 3/41
 no ip address
 switchport
 spanning-tree 0 portfast bpduguard shutdown-on-violation
 no shutdown

[Figure: port 3/41, Hub, Switch with Spanning Tree Enabled]

To verify the Portfast BPDU loop guard configuration on a port or port-channel interface, enter the show spanning-tree 0 guard [interface interface] command in global configuration mode.
View only the root information using the show spanning-tree root command (refer to the following example) from EXEC privilege mode.

FTOS#show spanning-tree 0 root
 Root ID Priority 32768, Address 0001.e80d.2462
 We are the root of the spanning tree
 Root Bridge hello time 2, max age 20, forward delay 15
FTOS#

STP Root Guard

STP Root Guard is supported only on platforms: c et s

Use the STP Root Guard feature in a Layer 2 network to avoid bridging loops.
Figure 55-4. STP Root Guard Example

Root Guard Configuration

You enable STP root guard on a per-port or per-port-channel basis.

FTOS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To enable root guard on an STP-enabled port or port-channel interface, enter the spanning-tree rootguard command:

Task: Enable STP root guard on a port or port-channel interface.
stp-id: Spanning Tree instance. Range: 0 to 63.
cost number: (Optional) Cost value used to select the port as a forwarding port. Range: 0 to 200000.
STP Loop Guard

STP Loop Guard is supported only on platforms: c et s

Loop Guard Scenario

The STP Loop Guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs. When an STP blocking port does not receive BPDUs, it transitions to a forwarding state.
Loop Guard Configuration

You enable STP loop guard on a per-port or per-port-channel basis.

FTOS Behavior: The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
Displaying STP Guard Configuration

To verify the STP guard configured on port or port-channel interfaces, enter the show spanning-tree 0 guard [interface interface] command. The following example shows an STP network (instance 0) in which:
• Root guard is enabled on a port that is in a root-inconsistent state.
• Loop guard is enabled on a port that is in a listening state.
• BPDU guard is enabled on a port that is in a blocking state.
56 System Time and Date

Chapter 56, System Time and Date settings, and Network Time Protocol are supported on platforms: es c

System times and dates can be set and maintained through the Network Time Protocol (NTP). They are also set through FTOS CLIs and hardware settings. On E-Series TeraScale, C-Series and S-Series, the switch can act only as a client to an NTP clock host. On the E-Series ExaScale, the switch can act as a client to an NTP clock host or as a server to other downstream clients.
NTP is designed to produce three products: clock offset, roundtrip delay, and dispersion, all of which are relative to a selected reference clock.
• Clock offset represents the amount to adjust the local clock to bring it into correspondence with the reference clock.
• Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time.
• Dispersion represents the maximum error of the local clock relative to the reference clock.
Figure 56-1. NTP Fields (UDP header: Source Port 123, Destination Port 123, Length, Checksum; NTP packet payload fields shown include Leap Indicator code 00: No Warning, 01: +1 second, 10: -1 second, 11: reserved, together with Status, Type, Precision (Range: +32 to -32), Est. Error and Est.
Enable NTP

The NTP client is disabled by default. The system synchronizes with an external clock only when the ntp server command is enabled. To enable the NTP client, specify an external NTP server to which the Dell Force10 system will synchronize. Enter the command multiple times to specify multiple servers. You may specify an unlimited number of servers at the expense of CPU resources. The NTP server is enabled by default.
Set the Hardware Clock with the Time Derived from NTP

Task: Periodically update the system hardware clock with the time value derived from NTP.
Command: ntp update-calendar
Command Mode: CONFIGURATION

R5/R8(conf)#do show calendar
06:31:02 UTC Mon Mar 13 1989
R5/R8(conf)#ntp update-calendar 1
R5/R8(conf)#do show calendar
06:31:26 UTC Mon Mar 13 1989
R5/R8(conf)#do show calendar
12:24:11 UTC Thu Mar 12 2009

Configure NTP broadcasts

With FTOS, you can receive broadcasts of time information.
Configure a source IP address for NTP packets

By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface’s IP address to be included in all NTP packets.
To configure NTP authentication, use these commands in the following sequence in CONFIGURATION mode:

Step 1
Command Syntax: ntp authenticate
Command Mode: CONFIGURATION
Purpose: Enable NTP authentication.

Step 2
Command Syntax: ntp authentication-key number md5 key
Command Mode: CONFIGURATION
Purpose: Set an authentication key. Configure the following parameters:
number: Range 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
key: Enter a text string. This text string is encrypted.
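What the key number and MD5 key configured above amount to on the wire is the symmetric-key MAC of RFC 5905 section 7.3: a 4-byte key identifier followed by MD5 computed over the key and the NTP header, appended to the packet. The following is an added example, not FTOS code, and shows both sides: producing the MAC for a client request and verifying it the way a peer that only trusts certain key numbers (ntp trusted-key) would, rejecting an untrusted key id, a wrong key, or a modified packet. The key string, the packet contents and the function names are constructed.

```python
"""NTP symmetric-key MAC (key id + MD5(key || packet)), added example, not FTOS code."""
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header
MAC_LEN = 4 + 16         # key identifier + MD5 digest


def ntp_client_header(version=3):
    """48-byte NTP header with LI=0, VN=version, Mode=3 (client); other fields zero."""
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(HEADER_LEN - 1)


def append_mac(packet, key_id, key):
    """Authenticate `packet` with the key configured as 'ntp authentication-key <id> md5 <key>'."""
    digest = hashlib.md5(key + packet).digest()       # digest over key, then the message
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet_with_mac, trusted_keys):
    """Check the trailing MAC. `trusted_keys` maps key id -> key bytes (the trusted-key list).

    Returns (ok, reason).
    """
    if len(packet_with_mac) < HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    body, mac = packet_with_mac[:-MAC_LEN], packet_with_mac[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key {key_id} is not trusted"
    expected = hashlib.md5(key + body).digest()
    if not hmac.compare_digest(expected, mac[4:]):    # constant-time comparison
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = b"example-shared-secret"                    # constructed key string
    request = append_mac(ntp_client_header(), 1, key)
    print(len(request), "bytes;", verify_mac(request, {1: key}))
    print(verify_mac(request, {2: key}))              # same key under an untrusted id
```

The key id travels in clear and the digest covers the whole header, so a peer configured with ntp trusted-key for a different number discards the packet before checking the digest; that is the behaviour the "number must be the same as the number in the ntp trusted-key command" note describes.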
org  CD7F5368.D0535000  (15:8:24.813 UTC Thu Apr 2 2009)
rec  CD7F5368.          (15:8:24.812 UTC Thu Apr 2 2009)
xmt  (15:8:24.812 UTC Thu Apr 2 2009)
inp  (15:8:24.818 UTC Thu Apr 2 2009)

• rtdel - root delay
• rtdsp - round trip dispersion
• refid - reference id
• org
• rec - (last?) receive timestamp
• xmt - transmit timestamp
• mode - 3 client, 4 server
• stratum - 1 primary reference clock, 2 secondary reference clock (via NTP)
• version - NTP version 3
• leap -
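The org/rec/xmt/inp lines above carry 64-bit NTP timestamps (32 bits of seconds since 1900-01-01 UTC, 32 bits of fraction) and are the four values from which the clock offset and roundtrip delay introduced earlier in this chapter are derived. The following is an added example, not FTOS code. It decodes the CD7F5368.D0535000 value shown on the page and computes offset and delay with org, rec, xmt and inp taken as the T1, T2, T3 and T4 of RFC 5905 (originate, receive, transmit, and the local time the reply arrived); that mapping of the display labels is an assumption, as are the function names. The fractional parts used for the four timestamps are taken from the display above.

```python
"""Decode NTP timestamps and derive clock offset / roundtrip delay (added example)."""
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800       # seconds from 1900-01-01 to 1970-01-01
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
FRACTION = 2 ** 32


def ntp_hex_to_fixed(text):
    """'CD7F5368.D0535000' -> 64-bit fixed-point integer (seconds << 32 | fraction)."""
    seconds, fraction = text.split(".")
    return (int(seconds, 16) << 32) | int(fraction, 16)


def make_fixed(seconds, fraction):
    """Constructed timestamp from integer seconds and a fractional part in [0, 1)."""
    return (seconds << 32) | int(fraction * FRACTION)


def fixed_to_datetime(value):
    seconds, fraction = value >> 32, value & 0xFFFFFFFF
    micro = round(fraction * 1_000_000 / FRACTION)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micro)


def fixed_to_unix(value):
    """Seconds since the Unix epoch as a float (fine for display, not for arithmetic)."""
    return value / FRACTION - NTP_UNIX_OFFSET


def offset_and_delay(org, rec, xmt, inp):
    """Clock offset and roundtrip delay in seconds, computed exactly in fixed point.

    offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2) per RFC 5905.
    Negative offset means the local clock is ahead of the reference clock.
    """
    offset = ((rec - org) + (xmt - inp)) / (2 * FRACTION)
    delay = ((inp - org) - (xmt - rec)) / FRACTION
    return offset, delay


if __name__ == "__main__":
    org_fixed = ntp_hex_to_fixed("CD7F5368.D0535000")
    print(fixed_to_datetime(org_fixed).isoformat())
    # The other three timestamps are constructed from the fractions shown on the page.
    sec = org_fixed >> 32
    print(offset_and_delay(org_fixed,
                           make_fixed(sec, 0.812), make_fixed(sec, 0.812), make_fixed(sec, 0.818)))
```

Doing the subtraction on the 64-bit integers rather than on floating-point seconds keeps sub-microsecond precision; converting to a float only for the final division avoids the rounding that a 3.4e9-second float value would otherwise introduce.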
FTOS Time and Date
The time and date can be set using the FTOS CLI.
The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots.
Command Syntax: clock set time month day year
Command Mode: EXEC Privilege
Purpose: Set the system software clock to the current time and date.
time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm.
month: Enter the name of one of the 12 months in English.
Set daylight saving time
FTOS supports setting the system to daylight saving time once or on a recurring basis every year.
Set Daylight Saving Time Once
Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis.
Command Syntax: clock summer-time time-zone date start-month start-day start-year start-time end-month end-day end-year end-time [offset]
Command Mode: CONFIGURATION
Purpose: Set the clock to the appropriate time zone and daylight saving time.
start-year: Enter a four-digit number as the year. Range: 1993 to 2035
start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
end-week: If you entered a start-week, enter one of the following as the week in which daylight saving time ends:
• week-number: enter a number from 1-4 as the number of the week to end daylight saving time.
57 Upgrade Procedures
Find the upgrade procedures
Go to the FTOS Release Notes for your system type to see all the requirements to upgrade to the desired FTOS version. Follow the procedures in the FTOS Release Notes for the software version to which you wish to upgrade.
Get help with upgrades
Direct any questions or concerns about FTOS upgrade procedures to the Dell Force10 Technical Support Center. You can reach Technical Support:
• On the Web: www.force10networks.
58 VLAN
VLANs are supported on platforms: c e s
This chapter contains the following configuration topics:
• Create a VLAN
• Assign Interfaces to VLANs
• Enable Routing between VLANs
• Use a Native VLAN on Trunk Ports
• Change the Default VLAN ID
• Set the Null VLAN as the Default VLAN
• Enable VLAN Interface Counters
Virtual LAN Overview
A Local Area Network (LAN) is a collection of devices in the same broadcast domain.
Port-based VLANs
On FTOS, a VLAN is a user-defined group of ports (there is also the concept of protocol-based VLANs). Ports in different VLANs do not communicate unless routing is configured between them. A port may belong to more than one VLAN. Typically, ports connected to a host belong to only one VLAN, and ports on an inter-switch link belong to more than one VLAN; these ports are sometimes called trunk ports.
Figure 58-1.
Figure 58-3. Tagged and Untagged Ports (labels: tagged VLAN 100, tagged VLAN 200, untagged VLAN 100)
Ports on either side of the link must have the same tagged/untagged designation and, if tagged, must belong to the same VLAN. Otherwise, the frame is dropped.
Figure 58-4.
Configuring VLANs
Configuring a VLAN is a two-step process:
1. Create a VLAN.
2. Add a switchport as a tagged or untagged member port. Refer to Assign Interfaces to VLANs.
3. Optionally, assign an IP address to a VLAN to enable routing between VLANs. Refer to Enable Routing between VLANs.
FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
NUM: 1 2 3 4 5 6
Status: Inactive Active Active Active Active Active
Q: U U U T U U U
Ports: So 9/4-11 Gi 0/1,18 Gi 0/2,19 Gi 0/3,20 Po 1 Gi 0/12 So 9/0
A VLAN is active only if the VLAN contains interfaces and those interfaces are up. VLAN 1 is inactive because the interfaces it contains are not up.
Figure 58-5. Communicating between VLANs (VLAN 100 10.11.100.1/24, VLAN 200 10.11.200.1/24)
Task: Assign an IP address to a VLAN interface.
Command Syntax: ip address address/mask
Command Mode: INTERFACE VLAN
Use a Native VLAN on Trunk Ports
Traditionally, a port may be either an untagged member of a single VLAN or a tagged member of multiple VLANs. However, FTOS allows you to make a port an untagged member and a tagged member of VLANs concurrently.
To configure a port so that it has a native VLAN:
Step 1: Remove any Layer 2 or Layer 3 configurations from the interface. (INTERFACE) If the port has any configurations on it when you enter the command portmode hybrid, FTOS rejects the configuration, citing the following message: % Error: Port is in Layer-2 mode.
Step 2: Configure the interface for hybrid mode. Command: portmode hybrid (INTERFACE)
Step 3: Configure the interface for switchport mode.
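The two membership rules above (a frame is only accepted when both ends of a link agree on tagged/untagged and, if tagged, on the VLAN; a hybrid port is an untagged member of one VLAN and a tagged member of others at the same time) can be checked mechanically. The Python block below is an added example and not FTOS code: it models a switchport's membership, classifies an arriving frame the way a receiving port would, and applies the page's link rule to a pair of ports. The port names and VLAN numbers are constructed, the two trunk ports are hybrid ports in the sense of the portmode hybrid step above, and the example goes slightly beyond the page by also showing what happens when the untagged VLANs on the two ends differ.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    """Switchport membership as described on the page: at most one untagged
    VLAN and any number of tagged VLANs. Both set at once is a hybrid port."""
    name: str
    untagged: Optional[int] = None
    tagged: Set[int] = field(default_factory=set)


def classify_ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """Return the VLAN an arriving frame is switched into, or None if it is
    dropped. vid is None for an untagged frame, else the 802.1Q VLAN ID."""
    if vid is None:
        return port.untagged            # untagged frame -> the port's untagged VLAN, if any
    if vid in port.tagged:
        return vid                      # tagged frame for a VLAN this port is tagged in
    return None                         # tagged frame for any other VLAN is dropped


def egress_tag(port: Port, vlan: int) -> Optional[str]:
    """How port would transmit a frame from vlan: 'untagged', 'tagged', or
    None when the port is not a member of that VLAN at all."""
    if port.untagged == vlan:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def link_check(a: Port, b: Port, vlan: int) -> bool:
    """The page's rule for the two ends of a link: same tagged/untagged
    designation, and (for tagged) the same VLAN on both sides."""
    ta, tb = egress_tag(a, vlan), egress_tag(b, vlan)
    return ta is not None and ta == tb


def forward_across_link(tx: Port, rx: Port, vlan: int) -> Optional[int]:
    """Send a frame belonging to vlan out of tx and receive it on rx;
    return the VLAN rx assigns it to, or None when rx drops it."""
    mode = egress_tag(tx, vlan)
    if mode is None:
        return None
    vid = vlan if mode == "tagged" else None
    return classify_ingress(rx, vid)


if __name__ == "__main__":
    # Constructed topology: two hybrid trunk ports that agree, one that does not.
    a = Port("Gi 0/1", untagged=100, tagged={200})
    b = Port("Gi 0/2", untagged=100, tagged={200})
    bad = Port("Gi 0/3", untagged=300, tagged={200})
    print(forward_across_link(a, b, 200), link_check(a, b, 200))      # 200 True
    print(forward_across_link(a, bad, 100), link_check(a, bad, 100))  # 300 False
```

The last line is the case worth auditing for: a mismatch of untagged VLANs is not a drop, the receiver silently places the frame in its own untagged VLAN, so link_check is the only thing that reports it. The tagged case, by contrast, fails closed, which is what the "frame is dropped" sentence on the page describes.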
Enable VLAN Interface Counters
Use a Native VLAN on Trunk Ports is available only on platform: ex
Note: VLAN egress counters might be higher than expected because source-suppression drops are counted.
Task: Configure ingress, egress, or both counters for VLAN interfaces.
59 Virtual Routing and Forwarding (VRF)
Virtual Routing and Forwarding (VRF) is supported only on platform: e
VRF allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.
Figure 59-1.
VRF Configuration Notes
On E-Series routers, Dell Force10 VRF supports up to 15 VRF instances: 1 to 14 and the default VRF (0). Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 FIB table in the CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). Each VRF uses one FIB.
Table 59-1.
Feature/Capability | Supported? | Note
Port-monitoring | Yes | Mirroring port (MG) has to be in default-VRF
BFD on physical and logical interfaces | Yes | Supported on default-VRF ports only
PVST, MSTP, RSTP and 802.1D STP for VLANs | Yes |
FRRP (if applicable) for VLANs | Yes |
Multicast protocols (PIM-SM, PIM-DM, MSDP) | Yes | Supported on default-VRF ports only
Layer 3 (IPv4/IPv6) ACLs, TraceLists, PBR, QoS on VLANs | Yes | ACLs supported on all VRF VLAN ports.
CAM Profiles
Layer 3 CAM resources are shared among all VRF instances. To ensure that each VRF instance has sufficient CAM space:
• On an E-Series TeraScale platform, use the cam-profile ipv4-vrf or cam-profile ipv4-v6-vrf command and reload the system to activate the VRF CAM profile for IPv4 or IPv6.
• On an E-Series ExaScale platform, use the cam-profile command to set the CAM size.
Table 59-3. IPv4-v6-VRF CAM Profiles (Single CAM card)
CAM Profile Table | Allocation (K)
L2FIB | 32K
L2ACL | 3K
IPv4FIB | 64K
IPv4ACL | 1K
IPv4Flow | 12K
EgL2ACL | 1K
EgIPv4ACL | 11K
Reserved | 2K
IPv6FIB | 18K
IPv6ACL | 4K
IPv6Flow | 3K
EgIPv6ACL | 1K
DHCP
DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
IP addressing
Starting in release 8.4.1.
VRF Configuration
Note: Starting in FTOS 8.4.2.1, when VRF microcode is loaded on an E-Series ExaScale or TeraScale router, the ip vrf [default-vlan | vrf-name] command is deprecated and is replaced by the ip vrf vrf-name vrf-id command. The ip vrf-vlan-block, start-vlan-id default-vrf, and start-vlan-id vlan-start-id commands are also deprecated.
The VRF configuration tasks are:
1. Load the VRF CAM Profile
2. Enable VRF
3.
Enable VRF
VRF is enabled by default when VRF microcode is loaded on an E-Series ExaScale or TeraScale router. On an E-Series router, Dell Force10 VRF supports up to 15 VRF instances: 1 to 14 and the default VRF (0). A VRF name is not exchanged between routers. VRF IDs are local to a router.
• On a switch port on which multiple VLANs are assigned to different VRFs, the source MAC address in packets routed on a VRF may not be the same as the MAC address distributed in ARP requests. As a result, security applications running on neighboring routers that check the source MAC address in incoming packets may find that the address does not match the ARP-learned MAC address.
• You can assign a static ARP only to a VLAN that is mapped to the default VRF (0) instance.
Configure VRRP on a VRF Interface
Starting in release 8.4.1.0, you can configure the VRRP feature on interfaces that belong to a VRF instance. In previous releases, VRRP was not supported on interfaces that were configured for a non-default VRF. In a virtualized network that consists of multiple VRFs, various overlay networks can exist on a shared physical infrastructure.
Figure 59-3. Set up VRF interfaces
interface GigabitEthernet 9/18
 ip vrf forwarding blue
 ip address 11.0.0.1/24
 no shutdown
interface GigabitEthernet 7/0
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
interface GigabitEthernet 9/19
 ip vrf forwarding orange
 ip address 21.0.0.1/24
 no shutdown
interface GigabitEthernet 7/1
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
interface GigabitEthernet 9/20
 ip vrf forwarding green
 ip address 31.0.0.
interface GigabitEthernet 7/0
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 7/1
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface GigabitEthernet 7/2
 ip vrf forwarding green
 ip address 30.0.0.1/24
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/0
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.
 switchport
 no shutdown
!
interface GigabitEthernet 9/18
 ip vrf forwarding blue
 ip address 11.0.0.1/24
 no shutdown
!
interface GigabitEthernet 9/19
 ip vrf forwarding orange
 ip address 21.0.0.1/24
 no shutdown
!
interface GigabitEthernet 9/20
 ip vrf forwarding green
 ip address 31.0.0.1/24
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 1.0.0.2/24
 tagged TenGigabitEthernet 3/0
 no shutdown
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.
The following shows the output of the show commands on Router 1.
ROUTER 1
FTOS#show ip vrf
VRF-Name     VRF-ID  Interfaces
default-vrf  0
blue         1
orange       2
green        3
FTOS#show ip ospf 1 neighbor
Neighbor ID  Pri  State
1.0.0.2      1    FULL/DR
FTOS#sh ip ospf 2 neighbor
Neighbor ID  Pri  State
2.0.0.
Gateway of last resort is not set
   Destination    Gateway
   -----------    -------
C  2.0.0.0/24     Direct, Vl 192
C  20.0.0.0/24    Direct, Gi 7/1
O  21.0.0.0/24    via 2.0.0.
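The point of "each VRF uses one FIB" is that a destination lookup only ever consults the table of the VRF the ingress interface is bound to; a route that exists in orange is simply absent from blue. The Python block below is an added example and not FTOS code: it models one longest-prefix-match FIB per VRF, enforces the E-Series limit of 15 instances (IDs 0 to 14) stated above, and is populated from the Router 1 example (VRFs default-vrf 0, blue 1, orange 2, green 3, the orange routes from the show ip route output, and the blue connected routes from the interface configuration). The OSPF next hop 2.0.0.2 is an assumption, since the page truncates it.

```python
import ipaddress
from typing import Dict, Optional, Tuple

MAX_VRF_ID = 14  # page: 15 instances, 1..14 plus the default VRF 0


class VrfFib:
    """One forwarding table per VRF; lookups never cross tables."""

    def __init__(self) -> None:
        self._tables: Dict[int, Dict[ipaddress.IPv4Network, Tuple[str, str]]] = {}
        self._names: Dict[str, int] = {}

    def create_vrf(self, name: str, vrf_id: int) -> None:
        if not 0 <= vrf_id <= MAX_VRF_ID:
            raise ValueError("VRF ID must be 0..14 (15 instances max)")
        if vrf_id in self._tables:
            raise ValueError("VRF ID %d already in use" % vrf_id)
        self._names[name] = vrf_id
        self._tables[vrf_id] = {}

    def add_route(self, vrf: str, prefix: str, code: str, gateway: str) -> None:
        """code is the show ip route code (C connected, O OSPF, ...)."""
        self._tables[self._names[vrf]][ipaddress.ip_network(prefix)] = (code, gateway)

    def lookup(self, vrf: str, dst: str) -> Optional[Tuple[str, str, str]]:
        """Longest-prefix match restricted to the named VRF's own FIB.
        Returns (prefix, code, gateway) or None when there is no route."""
        if vrf not in self._names:
            return None
        addr = ipaddress.ip_address(dst)
        best = None
        for net, (code, gw) in self._tables[self._names[vrf]].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, code, gw)
        return None if best is None else (str(best[0]), best[1], best[2])


def build_sample() -> VrfFib:
    """Constructed from the page's Router 1 example."""
    fib = VrfFib()
    for name, vid in (("default-vrf", 0), ("blue", 1), ("orange", 2), ("green", 3)):
        fib.create_vrf(name, vid)
    fib.add_route("orange", "2.0.0.0/24", "C", "Direct, Vl 192")
    fib.add_route("orange", "20.0.0.0/24", "C", "Direct, Gi 7/1")
    fib.add_route("orange", "21.0.0.0/24", "O", "via 2.0.0.2")   # next hop assumed
    fib.add_route("blue", "1.0.0.0/24", "C", "Direct, Vl 128")
    fib.add_route("blue", "10.0.0.0/24", "C", "Direct, Gi 7/0")
    return fib


if __name__ == "__main__":
    fib = build_sample()
    print(fib.lookup("orange", "21.0.0.7"))   # ('21.0.0.0/24', 'O', 'via 2.0.0.2')
    print(fib.lookup("blue", "21.0.0.7"))     # None: orange's route is invisible in blue
```

The second lookup is the isolation property in one line: the same destination that orange forwards via OSPF has no route at all in blue, so a packet arriving on a blue interface for it is dropped rather than leaked into the other overlay.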
60 Virtual Router Redundancy Protocol (VRRP)
IPv4 Virtual Router Redundancy Protocol (VRRP) is available on platforms: c e s
IPv6 VRRP (VRRP version 3) is available on platforms: c e s
This chapter covers the following information:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations
Virtual Router Redundancy Protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.
Figure 60-1 shows a typical network configuration using VRRP. Instead of configuring the hosts on the network 10.10.10.0 with the IP address of either Router A or Router B as their default router, their default router is the IP address configured on the virtual router. When any host on the LAN segment wants to access the Internet, it sends packets to the IP address of the virtual router. In Figure 60-1 below, Router A is configured as the MASTER router.
VRRP Implementation
On E-Series ExaScale and TeraScale routers, VRRP is implemented as follows:
• When VRF microcode is not loaded, VRRP supports an unlimited total number of VRRP groups on a router and up to 255 VRRP groups on an interface (refer to Table 60-1, "Recommended VRRP Advertise Intervals," in Virtual Router Redundancy Protocol (VRRP)).
Before changing the advertisement interval, note that the recommendations in Table 60-1, "Recommended VRRP Advertise Intervals," in Virtual Router Redundancy Protocol (VRRP) may vary depending on factors such as ARP broadcasts, IP broadcasts, or STP. When the number of packets processed by the RP2/CP/FP processor increases or decreases with the dynamics of the network, the advertisement intervals may increase or decrease accordingly.
Create a Virtual Router
To enable VRRP, you must create a Virtual Router on a physical or VLAN interface. In FTOS, a VRRP Group is identified by the Virtual Router Identifier (VRID). Starting in release 8.4.1.0, you can configure a VRRP group on an interface that belongs to a non-default VRF instance.
Prerequisite: The interface on which you create the virtual interface must be enabled and configured with a primary IP address.
To enable a Virtual Router, use the following command in INTERFACE mode.
Assign Virtual IP addresses
Virtual routers contain virtual IP addresses configured for that VRRP Group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group.
Configure a virtual IP address with these commands in the following sequence in INTERFACE mode.
Step 1: Configure an IPv4 or IPv6 VRRP group. Command Syntax: vrrp-group vrid | vrrp-ipv6-group vrid (INTERFACE). VRID range (C-Series and S-Series): 1-255. VRID range (E-Series): 1-255 when VRF microcode is not loaded and 1-15 when VRF microcode is loaded.
Step 2: Configure virtual IP addresses for this VRID. Command Syntax: virtual-address ip-address1 [...
The following example shows the same VRRP group configured on multiple interfaces on different subnets.
Note: show vrrp displays all of the active IPv4 groups, and show ipv6 vrrp displays all of the active IPv6 groups.
FTOS#do show vrrp
------------------
GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.
Command Example: priority in Interface VRRP mode
FTOS(conf-if-gi-1/2)#vrrp-group 111
FTOS(conf-if-gi-1/2-vrid-111)#priority 125
Command Example Display: show vrrp
FTOS#show vrrp
------------------
GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.
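The show vrrp output above carries two fields worth checking automatically across a fleet: the virtual MAC, which is derived from the VRID (00:00:5e:00:01:6f is VRID 111 = 0x6f here; the IPv6 output later in this chapter uses the 00:00:5e:00:02:xx form), and the "Bad pkts rcvd" counter. The Python block below is an added example and not FTOS code: it parses output in the layout shown, recomputes the expected virtual MAC from the VRID (RFC 3768 for IPv4, RFC 5798 for IPv6) and reports any group whose MAC disagrees or that has counted bad packets. The second group in the constructed sample (Gi 1/2, VRID 99) is deliberately inconsistent so the checks have something to flag; its values are not from the page.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the page's "show vrrp" example. The
# second block is made up and deliberately wrong (MAC for 0x64, bad packets).
SAMPLE_SHOW_VRRP = """\
------------------
GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3
------------------
GigabitEthernet 1/2, VRID: 99, Net: 10.1.1.1
State: Backup, Priority: 100, Master: 10.1.1.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 412, Bad pkts rcvd: 7, Adv sent: 0, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:64
Virtual IP address: 10.1.1.3
"""

HEADER_RE = re.compile(r"^(?P<intf>[A-Za-z]+ \d+/\d+), VRID: (?P<vrid>\d+), Net: (?P<net>\S+)")
STATE_RE = re.compile(r"^State: (?P<state>\w+), Priority: (?P<prio>\d+), Master: (?P<master>\S+)")
BAD_RE = re.compile(r"Bad pkts rcvd: (?P<bad>\d+)")
MAC_RE = re.compile(r"^Virtual MAC address: (?P<mac>[0-9A-Fa-f:]{17})")
VIP_RE = re.compile(r"^Virtual IP address: (?P<vips>.+)$")


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """00:00:5e:00:01:<VRID> for IPv4 (RFC 3768), 00:00:5e:00:02:<VRID> for IPv6 (RFC 5798)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)


def parse_show_vrrp(text: str) -> List[Dict]:
    """Split the output into one dict per VRRP group."""
    groups: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"intf": m["intf"], "vrid": int(m["vrid"]), "net": m["net"], "vips": []}
            groups.append(cur)
            continue
        if cur is None or not line or line.startswith("-"):
            continue
        if (m := STATE_RE.match(line)):
            cur.update(state=m["state"], priority=int(m["prio"]), master=m["master"])
        elif (m := BAD_RE.search(line)):
            cur["bad_pkts"] = int(m["bad"])
        elif (m := MAC_RE.match(line)):
            cur["vmac"] = m["mac"].lower()
        elif (m := VIP_RE.match(line)):
            cur["vips"] = m["vips"].split()
    return groups


def audit(groups: List[Dict]) -> List[str]:
    """Return one finding per inconsistency: MAC not derived from the VRID,
    or advertisements that failed validation (bad packets)."""
    findings = []
    for g in groups:
        tag = "%s VRID %d" % (g["intf"], g["vrid"])
        expected = virtual_mac(g["vrid"], ipv6=":" in g["net"])
        if g.get("vmac") != expected:
            findings.append("%s: virtual MAC %s does not match VRID (expected %s)"
                            % (tag, g.get("vmac"), expected))
        if g.get("bad_pkts", 0) > 0:
            findings.append("%s: %d bad VRRP packets received; inspect advertisements on the segment"
                            % (tag, g["bad_pkts"]))
    return findings


if __name__ == "__main__":
    for f in audit(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print(f)
```

On E-Series routers with VRF microcode loaded, the chapter notes that the VRID used on the wire differs from the configured group number (the "% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177" message); compare the MAC against the VRID the system reports, not against the group number you typed.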
Note: As shown in the following example, the VRRP authentication password that you configure is displayed in encrypted form in show running-config (EXEC Privilege) and show config (INTERFACE) command output. To display the VRRP authentication password (as well as all other FTOS passwords) in clear text in show command output, you must enter the no service password-encryption (CONFIGURATION) command.
Command Example Display: show config in VRID mode
FTOS(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10
FTOS(conf-if-gi-1/1-vrid-111)#
Track an Interface or Object
In previous releases, you could set FTOS to track the state of an interface for a specified virtual group. Starting in release 8.4.1.0, you can track additional objects for a virtual group, such as Layer 3 interfaces (IPv4 and IPv6), IPv4/IPv6 route reachability, and thresholds of IPv4/IPv6 route metrics.
In addition, if you configure a VRRP group on an interface that belongs to a VRF instance and later configure object tracking on an interface for the VRRP group, the tracked interface must belong to the VRF instance.
VRRP on a VRF Interface
VRRP is supported with Virtual Routing and Forwarding (VRF) only on platform: e
Starting in release 8.4.1.0, you can configure the VRRP feature on interfaces that belong to a non-default Virtual Routing and Forwarding (VRF) instance on E-Series routers. In previous releases, the VRRP feature was not supported on interfaces that were configured for VRF. For a sample VRRP configuration on a VRF interface, refer to VRRP in VRF Configuration.
Note: On E-Series routers, the VRID used by the VRRP protocol changes according to whether VRF microcode is loaded or not:
• When VRF microcode is not loaded in CAM, the VRID for a VRRP group is the same as the VRID number configured with the vrrp-group or vrrp-ipv6-group command:
FTOS(conf)#interface GigabitEthernet 3/0
FTOS(conf-if-gi-3/0)#ip address 1.1.1.1/24
FTOS(conf-if-gi-3/0)#vrrp-group 111
FTOS(conf-if-gi-3/0-vrid-111)#virtual-ip 1.1.1.
Sample Configurations
VRRP for IPv4 Configuration
The configuration in Figure 60-2 shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Figure 60-2 shows the VRRP topology created with the CLI configuration in the example in Configure VRRP for IPv4.
Configure VRRP for IPv4
Router 2
R2(conf)#int gi 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.1/24
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#priority 200
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
interface GigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
VRRP for IPv6 Configuration
The example in Configure VRRP for IPv4 shows a VRRP for IPv6 configuration in which the IPv6 VRRP group consists of two routers. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Note: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of the two routers has a higher IP or IPv6 address.
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
VRRP in VRF Configuration
The example in this section shows how to enable VRRP operation in a VRF virtualized network for the following scenarios:
• Multiple VRFs on physical interfaces running VRRP
• Multiple VRFs on VLAN
Figure 60-4 shows a typical use case in which three virtualized overlay networks are created by configuring three VRFs in two E-Series switches. The default gateway to reach the internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF. Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3.
S2(conf)#ip vrf default-vrf 0
!
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface GigabitEthernet 12/1
S2(conf-if-gi-12/1)#ip vrf forwarding VRF-1
S2(conf-if-gi-12/1)#ip address 10.10.1.2/24
S2(conf-if-gi-12/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-gi-12/1-vrid-101)#priority 255
S2(conf-if-gi-12/1-vrid-101)#virtual-address 10.10.1.
S1(conf)#interface GigabitEthernet 12/4
S1(conf-if-gi-12/4)#no ip address
S1(conf-if-gi-12/4)#switchport
S1(conf-if-gi-12/4)#no shutdown
!
S1(conf-if-gi-12/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.5/24
S1(conf-if-vl-100)#tagged gigabitethernet 12/4
S1(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-vl-200)#ip vrf forwarding VRF-2
S2(conf-if-vl-200)#ip address 10.10.1.2/24
S2(conf-if-vl-200)#tagged gigabitethernet 12/4
S2(conf-if-vl-200)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S2(conf-if-vl-200-vrid-101)#priority 255
S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.2
S2(conf-if-vl-200)#no shutdown
!
S2(conf-if-gi-12/4)#interface vlan 300
S2(conf-if-vl-300)#ip vrf forwarding VRF-3
S2(conf-if-vl-300)#ip address 20.1.1.
61 FTOS XML Feature
FTOS XML Feature is supported on platforms: c e
This chapter describes the FTOS XML Feature in the following major sections:
• XML Functionality
• The Form of XML Requests and Responses
• The Configuration Request and Response
• The “Show” Request and Response
• Configuration Task List
• XML Error Conditions and Reporting
• Using display xml as a Pipe Option
XML Functionality
Through SSH/Telnet client sessions, FTOS XML provides a way of interfacing with the system by entering XML-for
— show sfm slot ID
— show logging 1-65535
— show logging reverse
— show sfm
— show sfm all
— show version
— show running-config—Only the full report is supported, no options.
— show interfaces—All the options are supported except rate:
The Form of XML Requests and Responses
To send an XML-formatted command through a Telnet or SSH client session, you first use the terminal xml command to inform FTOS that you wish to switch to XML mode. Refer to Run an FTOS XML session.
Response Format
Similarly, every response from FTOS begins with the XML declaration, followed by a “Response” tag:
:: ::
What goes between the Response tags depends on the type of response, as discussed next.
The “Show” Request and Response
To generate an XML request that encapsulates a “show” command (to request a report), you use the tag instead of the tag as the Operation type. The schema of a show request allows only one , as shown here for the show linecard command. (Note that “show line all” demonstrates that you can use both an abbreviated form of the command and options, just as in the standard CLI):
Run an FTOS XML session
Use the following procedure to start, run, and close an FTOS XML session:
Step 1: terminal xml (EXEC Privilege). Invoke the XML interface in Telnet and SSH client sessions.
Step 2: [Construct input to the CLI by following the XML request schema, as described in The Form of XML Requests and Responses.] (FTOS XML) Cut and paste your XML request from a text editor or other type of XML presentation tool, or type your XML request line by line.
NO_ERROR
SEVERITY_INFO
Xml request successfully processed.
FTOS(xml)# Enter XML request with CTRL-Y or empty line
Clear XML request with CTRL-C
Exit XML mode with CTRL-Z:
Configure a standard ACL
To configure a standard ACL with XML, first enter FTOS XML mode, and then construct a configuration request, as described above. An example of a complete standard ACL configuration request message is:
ip access list standard ToOspf
seq 5 deny any
seq 10 deny 10.2.0.0 /16
seq 15 deny 10.3.0.
Create an egress ACL and apply rules to the ACL
To create an egress ACL and apply rules to the ACL in one single XML request, first enter FTOS XML mode, and then construct the configuration request (refer to Run an FTOS XML session). The following example shows a configuration request message that accomplishes this task:
Error Messages
The following strings can appear after the tag:
• XML_PARSE_ERROR
• CLI_PARSE_ERROR—This error is caused by:
— Malformed XML or mismatched XML tags
— Invalid CLI commands or keywords
— Invalid range of data specified in the CLI command
• XML_SCHEMA_ERROR—This error is caused by:
— Invalid XML method or operation tags
— Invalid object hierarchy or value out of range
• APPLICATION_ERROR—This error is caused by a failure to process the request, or a problem on the FTOS task.
The XML response to that malformed request is:
XML_PARSE_ERROR
SEVERITY_ERROR
% Error: Parsing error detected in the XML request.
XML schema error
The following XML request has transposed the and tag sets:
XML application error
The command in this XML request makes an invalid request:
ip access standard test1
seq 10 permit host 1.2.3.4 log count bytes
The error response contains a of “APPLICATION_ERROR”, SEVERITY_ERROR, and a of “% Error: Seq number does not exist.
Using display xml as a Pipe Option
Also, at a CLI prompt in EXEC Privilege mode (“enable mode”), you can retrieve XML-formatted responses to the show commands supported by XML (refer to the list of supported show commands in the section XML Functionality). The following table describes how to format a show command with a pipe option that will request that the show command report be presented with XML formatting.
62 E-Series TeraScale Debugging and Diagnostics
This chapter addresses debugging and diagnostics on E-Series TeraScale platforms. Refer to Chapter 63, E-Series ExaScale Debugging and Diagnostics, for information relating to that platform. In addition to the FTOS high availability features, E-Series and FTOS support several diagnostics and debug features that are integral components to delivering maximum uptime.
Note: These diagnostics and debuggability features are available on TeraScale systems only, unless specifically noted.
Overview
The FTOS diagnostics and debugging features are a proactive approach to maximizing system uptime and reducing mean time to resolution (MTTR) when a problem occurs.
If three consecutive packets are lost, an error message is logged and then one of the following happens:
• The RPM-SFM runtime loopback test failure initiates an SFM walk whenever it is enabled, feasible and necessary. The system automatically places each SFM (in sequential order) in an offline state, runs the loopback test, and then places the SFM back in an active state. This continues until the system determines a working SFM combination.
• If a line card runtime loopback test fails, the system does not launch an SFM walk. A message is logged indicating the failure.
Message 3 Loopback test failure
%TSM-2-RPM_LOOPBACK_FAIL: Linecard-SFM dataplane loopback test failed on linecard 6
The runtime dataplane loopback test is enabled by default. To disable this feature, use the following command.
Task: Disable the runtime loopback test on the primary RPM and line cards.
Task: Disable the automatic bring-down of the single faulty SFM identified by the SFM walk during the RPM-SFM runtime loopback test. To re-enable the automatic bring-down of an SFM, use the no dataplane-diag disable sfm-bringdown command.
Command: dataplane-diag disable sfm-bringdown
Mode: CONFIGURATION
Manual loopback test
This manual dataplane loopback test is a supplemental test to the automatic runtime loopback test and can be initiated regardless of whether the runtime loopback test is enabled or disabled.
Power the SFM on/off
If you suspect that an SFM is faulty and would like to manually disable it to determine whether any packet loss or forwarding issues are resolved, execute the following command.
Task: Power on or off a specific SFM.
Command: power-{off | on} sfm slot-number
Mode: EXEC
Note: Execute this command only during offline diagnostics; this command may bring down the switch fabric.
Reset the SFM
When the SFM is taken offline due to an error condition, you can execute the reset sfm command and initiate a manual recovery.
Task: Reset a specific SFM module (power-off and then power-on).
Command: reset sfm slot-number
Mode: EXEC
When an error is detected on an SFM module, this command is a manual recovery mechanism. Since this command can be used with live traffic running, the switch fabric will not go down if the switch fabric is in an UP state.
The following graphic illustrates the E600 and E1200 switch fabric architecture. Each ingress and egress Buffer and Traffic Management (BTM) ASIC maintains nine channel connections to the TeraScale Switch Fabric (TSF) ASIC.
Respond to PCDFO events
Troubleshooting PCDFO events requires applying some human intelligence to differentiate between transient and systematic failures.
With PCDFO error data alone, it is impossible to pinpoint the cause of a PCDFO error or the reason for packet drops. For example, it is quite possible for multiple line cards/RPMs to show different channels with a PCDFO error. Nonetheless, PCDFO status is a very useful data point as an indication of the health of the dataplane, particularly when an error is persistent. To disable the PCDFO polling feature, use the following command in CONFIGURATION mode.
FTOS automatically saves critical information about the IPC failure to NVRAM. Such information includes:
• Status counters on the internal Ethernet interface
• Traffic profile of the inter-CPU bus
• Kernel drops
• High CPU exception conditions
Upon the next boot, this information is uploaded to a file in the CRASH_LOG directory. Use the following command sequence, beginning in EXEC mode, to capture this file for analysis by the Dell Force10 TAC.
FTOS actually saves up to three persistent files depending upon the type of failure.
Command: show hardware rpm slot-number cp {data-plane | management-port | party-bus} {counters | statistics}
Command: show hardware rpm slot-number {rp1 | rp2} {data-plane | party-bus} {counters | statistics}
Description: Display advanced debugging information for the RPM processors.
Important points to remember
• Offline diagnostics can be run only on an offline line card and on a standby route processor module (RPM). The primary RPM is not tested.
• Diagnostics test only connectivity and not the entire data path.
• A line card must be put into an offline state before diagnostics are run.
• The complete diagnostics test suite normally runs for 5 to 7 minutes on a single port-pipe line card and 12 to 15 minutes on a dual port-pipe line card.
Parity error detection and correction
There are two types of parity errors: transient and real.
• Transient Parity Error—implies that a read value was corrupted in transit but that the actual memory may not be corrupt. Transient errors are further categorized as recoverable and phantom.
• Recoverable Transient Parity Error—a transient parity error indicated by SRAM that FTOS was able to correct (rewrite).
Message 8 Parity Error Correction Enabled
%RPM0-P: CP %CHMGR-5-PARITY_CORRECTION: FPC parity correction feature will be on next reload.
Jumbo Capable : yes
Boot Flash : A: 2.3.1.3 B: 2.3.1.
Buffer full condition
When the Trace Ring Buffer fills up, trace logs are saved to the flash so the buffer can be cleared for further trace activity. The saved file is named hw_trace_RPM0CP.0, for example. If the buffer fills a second time, a second file is created as hw_trace_RPM0CP.1 and saved to the flash. After the fifth file is created (hw_trace_RPM0CP.4), the saved files are overwritten starting with the .1 version (hw_trace_RPM0CP.1). These files are saved in flash:/TRACE_LOG_DIR/TRACE_CURR_BOOT.
CP software exceptions
When an RPM resets due to a software exception, the line card trace files are saved to the flash:/TRACE_LOG_DIR directory. The CP and LP trace file names in the case of a software exception are:
• CP: failure_trace_RPM1_CP
• LP: failure_trace_RPM1_LP1
For systems with a single RPM, the line card traces are saved on the failed RPM itself. For systems with dual RPMs, line card trace logs are saved when the CP, RP1, or RP2 crashes.
To manually write the contents of a trace buffer on an LP to a file on the flash:
Step 1. Task: Write the buffered trace log to flash.
Command syntax: upload trace-log [rp1 | rp2 | linecard] number [hw-trace | sw-trace]
Command mode: EXEC Privilege
Clear the trace buffer
Clear the command history buffer using the command clear command-history from EXEC Privilege mode.
FTOS#show command-history
10 [12/3 15:40:17]: CMD-(CLI):[show config]by default from console
[12/3 15:40:22]: CMD-(CLI):[ping 10.11.80.
Configure an action upon a hardware error
You can configure FTOS to take an action if it encounters a BTM, FPC, or MAC hardware error.
Buffer traffic manager hardware errors
FTOS displays Message 15, Message 16, Message 17, or Message 18 depending on the type of BTM error. In this case, configure an action using the command hardware monitor linecard asic btm action-on-error. You may place the line card in a problem state, reset the card, or shut down all ports on the card.
Flexible packet classifier hardware errors
FTOS displays Message 19 in case of a parity error on an FPC. Configure an action using the command hardware monitor linecard asic fpc action-on-error. You may place the line card in a problem state, reset the card, or shut down all ports on the card.
You may choose to write the core dump directly to an FTP server using the keyword server. However, the server option supports only RP core dumps; it does not support CP core dumps. By default the kernel core dump is sent to the root directory of the internal flash for the CP and to the CORE_DUMP_DIR directory for the RP.
Application core dump: on the E-Series, the application core dump has the file name format f10{cp|rp{1|2}}.acore.
Once the core dump file has been created with the logging coredump command, the file can be deleted from the Standby RPM flash although the space is not released. The CP kernel core dump file space cannot be recovered by deleting the files. You must format the flash drive to recover the space.
63 E-Series ExaScale Debugging and Diagnostics
This chapter addresses debugging and diagnostics on E-Series ExaScale platforms. Refer to Chapter 62, E-Series TeraScale Debugging and Diagnostics, for information relating to that platform. In addition to the FTOS high availability features, FTOS supports several diagnostics and debug features that are integral components to delivering maximum uptime.
Overview
The FTOS diagnostics and debugging features are a proactive approach to maximizing system uptime and reducing mean time to resolution (MTTR) when a problem occurs. This feature set includes a combination of proactive and reactive components designed to alert the user to network events, automatically collect information on the event, and allow the user to collect diagnostic information from the system.
System health checks An automatic runtime loopback test monitors the overall health status of the dataplane. This loopback test runs while the system’s switch fabric is up, detecting potential blockages in the system’s usual data transfer path. Line card loopback checks Periodically, each line card sends a packet through the dataplane channels, verifying the packet is returned, and then verifying the dataplane is functioning as expected.
• If the loopback packet does not return to the CPU within 1 second, another loopback packet is sent out.
• Each loopback packet test failure appears in the show trace linecard output.
• Additionally, a system message appears (Message 2).
Message 2 Loopback test packet fail message
WAGT-(tsa):Rcvd TSM_SWAGT_X3_ALLCHN_LOOPBACK_REQ msg
• If both packets fail, a failed test result is sent to the internal FTOS task manager (TSM).
• Another test is initiated 45 seconds later.
Figure 63-1.
Like the line card to SFM results, line card S3 loopback test results are displayed when you use the show trace linecard command. Messages appear indicating whether the test was successful or not (Message 4).
Message 4 Line card S3 loopback test messages
[1/21 11:38:58] LCMGR-(lcMgr):LCCPU-S3 loopback test on PP 0 done, Result: Pass
[1/21 11:38:58] LCMGR-(lcMgr):LCCPU-S3 loopback test on PP 1 done, Result: Pass
Figure 63-2.
Note: The dataplane runtime loopback configuration does not apply to this manual loopback test.
In the example below, the manual loopback test is successful, and no SFM failure is detected.
FTOS#diag sfm all-loopback
Proceed with dataplane loopback test [confirm yes/no]:yes
SFM loopback test completed successfully.
FTOS#
If the test passes when the switch fabric is down and there are at least (max-1) SFMs in the chassis, then the system brings the switch fabric back up automatically.
Proceed with power-off [confirm yes/no]:yes
Feb 16 00:03:19: %RPM1-P:CP %TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: DOWN
Feb 16 00:03:20: %RPM1-P:CP %CHMGR-0-MAJOR_SFM: Major alarm: Switch fabric down
FTOS#
Once the SFM is powered off, the SFM status indicates that the SFM has been powered off by the user. Use the show sfm all command to display the status.
Note: Resetting an SFM in a power-off state is not permitted. Use the command power-on sfm to bring the SFM back to a power-on state. SFM channel monitoring In addition to monitoring the datapath, the SFM channels can be monitored using the Per-Channel Deskew FIFO Overflow (PCDFO) polling feature. The PCDFO polling feature is enabled by default. The PCDFO polling feature monitors data received over the switch fabric. When a DFO error is detected, no automatic action is initiated by the system.
Respond to PCDFO events
Troubleshooting PCDFO events requires applying some human judgement to differentiate between transient and systematic failures. PCDFO events can be caused by several factors, including:
• Backplane noise
• Data corruption
• Bad epoch timing
• Misconfiguration of the backplane
There are two PCDFO error types: transient and systematic. Transient errors are non-persistent events that occur as one-off events during normal operation.
Inter-CPU timeouts
Each RPM consists of three CPUs:
• Control Processor (CP)
• Routing Processor 1 (RP1)
• Routing Processor 2 (RP2)
The three CPUs use Fast Ethernet connections to communicate with each other and with the line card CPUs using Inter-Processor Communication (IPC). The CP monitors the health status of the other processors using heartbeat message exchange.
In a dual RPM system, the two RPMs send synchronization messages via inter-RPM communication (IRC). As described in the High Availability chapter, an RPM failover can be triggered by loss of the heartbeat (similar to a keepalive message) between the two RPMs.
show control-traffic Figure 63-4 illustrates the locations in the traffic path associated with each command.
show ipc-traffic
Figure 63-5 illustrates the locations in the traffic path associated with each command.
show hardware commands
The show hardware commands give information regarding the state of the hardware. The command syntax defines the FPTM functional area:
• BTM commands relate to the Buffer and Traffic Manager.
• FPC commands relate to the Flexible Packet Classification.
[Figure: switch fabric module layout; each of SFM0 through SFM9 is labelled TSF3.]
Global commands Global commands simplify troubleshooting by providing information on the egress and ingress at the same time. The global commands do not point to any specific register. To get information about the registers, use the specific commands (btm, fpc).
• Display the replication configuration for RPIs. This is used to troubleshoot why multicast streams are not reaching all receivers.
  show hardware linecard {0-13} port-set {0-1 | all} btm {ingress | egress | all} replication-config
• Display up to 32 WRED high/low threshold registers and WRED curve registers.
  show hardware linecard {0-13} port-set {0-1 | all} btm {ingress | egress | all} wred-config
• Display the rate police/limiting configurations; use the formula in 1.1.5.
Identify a suspect SFM
Step 1. Task: Capture the link status view from the SFM.
Command: show hardware sfm all tsf link-status
Command mode: EXEC Privilege
In this example, SFM7 has a failure reported against 3 line cards.
Identify a suspect line card
Step 1. Task: Capture the link status view from a line card.
Command mode: EXEC Privilege
Table 63-1.
Information files and logs
Three key types of files are saved to the system flash in order to record ongoing software events and status: trace logs, core dumps, and console output files. These files are saved to directories on the internal system flash. Trace logs provide information on the software on the RPM and on line card status and events. Using the show command-history command, you can also view all the commands entered by all users.
Trace logs
In addition to the syslog buffer, FTOS buffers trace messages, which are continuously written by various FTOS software tasks to report hardware and software events and status information. Each trace message provides the date, time, and name of the FTOS process. All messages are stored in a ring buffer and can be saved to a file either manually or automatically upon failover.
• There are two trace files for the CP: software and command-history.
• There is one trace file for the LP: software.
To manually write the contents of a trace buffer on an RP or LP to a file on the flash:
Task: Write the buffered trace log to flash. (Command syntax and command mode as in the table above.)
Recognize a high CPU condition
A high CPU condition exists when any of the messages in Message 10 appear.
Message 10 High CPU Condition
Feb 13 13:56:16: %RPM1-S:CP %CHMGR-5-TASK_CPU_THRESHOLD: Cpu usage above threshold for task "sysAdmTsk"(100.00%) in CP.
Feb 13 13:56:20: %RPM1-S:CP %CHMGR-5-CPU_THRESHOLD: Overall cp cpu usage above threshold. Cpu5SecUsage (100)
Feb 13 13:56:20: %RPM1-S:CP %CHMGR-5-TASK_CPU_THRESHOLD_CLR: Cpu usage drops below threshold for task "sysAdmTsk"(0.00%) in CP.
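The message format shown above (a timestamp, then %RPM<slot>-<role>:<processor>, then %<facility>-<severity>-<mnemonic> and free text) is what a syslog collector receives from the chassis, and a detection pipeline has to turn it into fields before it can alert on it. The following Python script is an added example, not part of the FTOS guide and not Dell Force10 code: it parses lines in that format, extracts the task name and percentage from the Message 10 text, replays TASK_CPU_THRESHOLD/TASK_CPU_THRESHOLD_CLR pairs to find tasks still above threshold at the end of the log, and pulls out low-severity-number messages such as the CHMGR-0-MAJOR_SFM alarm printed earlier in this chapter. The sample lines are constructed from the messages shown in this chapter plus one invented task ("ipcTask") that never receives a clearing message; reading the P/S letter as primary/standby is an assumption taken from the guide's examples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not captured from a real chassis). The lines follow the
# message layout shown in the guide; the "ipcTask" line is invented so that one
# task is left above threshold without a matching _CLR message.
SAMPLE_LOG = """\
Feb 13 13:56:16: %RPM1-S:CP %CHMGR-5-TASK_CPU_THRESHOLD: Cpu usage above threshold for task "sysAdmTsk"(100.00%) in CP.
Feb 13 13:56:20: %RPM1-S:CP %CHMGR-5-CPU_THRESHOLD: Overall cp cpu usage above threshold. Cpu5SecUsage (100)
Feb 13 13:56:20: %RPM1-S:CP %CHMGR-5-TASK_CPU_THRESHOLD_CLR: Cpu usage drops below threshold for task "sysAdmTsk"(0.00%) in CP.
Feb 13 13:57:01: %RPM1-S:CP %CHMGR-5-TASK_CPU_THRESHOLD: Cpu usage above threshold for task "ipcTask"(95.00%) in CP.
Feb 16 00:03:19: %RPM1-P:CP %TSM-6-SFM_SWITCHFAB_STATE: Switch Fabric: DOWN
Feb 16 00:03:20: %RPM1-P:CP %CHMGR-0-MAJOR_SFM: Major alarm: Switch fabric down
Feb 16 00:05:02: %RPM0-P:CP %CHMGR-5-PARITY_CORRECTION: FPC parity correction feature will be on next reload.
this line is not an FTOS message and must be skipped
"""

# <timestamp>: %RPM<slot>-<role>:<cpu> %<facility>-<severity>-<mnemonic>: <text>
MSG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%RPM(?P<slot>\d)-(?P<role>[PS]):(?P<cpu>CP|RP1|RP2) "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
TASK_RE = re.compile(r'task "(?P<task>[^"]+)"\((?P<pct>\d+(?:\.\d+)?)%\)')
OVERALL_RE = re.compile(r"Cpu5SecUsage \((?P<pct>\d+)\)")


@dataclass
class FtosMessage:
    timestamp: str
    rpm_slot: int
    role: str        # P = primary RPM, S = standby RPM (assumption from the guide's examples)
    cpu: str         # CP, RP1 or RP2
    facility: str
    severity: int    # syslog scale: 0 = emergency ... 7 = debug
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[FtosMessage]:
    """Return a structured message, or None for lines that are not FTOS messages."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return FtosMessage(m["ts"], int(m["slot"]), m["role"], m["cpu"],
                       m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def parse_log(text: str) -> List[FtosMessage]:
    return [msg for msg in map(parse_line, text.splitlines()) if msg is not None]


def high_cpu_events(msgs: List[FtosMessage]) -> List[Dict]:
    """Every message that signals a high CPU condition (Message 10), with the task
    name and percentage pulled out of the free text. _CLR messages are excluded."""
    events = []
    for msg in msgs:
        if msg.mnemonic == "TASK_CPU_THRESHOLD":
            t = TASK_RE.search(msg.text)
            events.append({"timestamp": msg.timestamp, "cpu": msg.cpu,
                           "task": t["task"] if t else None,
                           "percent": float(t["pct"]) if t else None})
        elif msg.mnemonic == "CPU_THRESHOLD":
            o = OVERALL_RE.search(msg.text)
            events.append({"timestamp": msg.timestamp, "cpu": msg.cpu, "task": None,
                           "percent": float(o["pct"]) if o else None})
    return events


def tasks_still_above_threshold(msgs: List[FtosMessage]) -> List[str]:
    """Replay the log in order: a task is open after TASK_CPU_THRESHOLD until its
    TASK_CPU_THRESHOLD_CLR arrives. Whatever is still open is what to investigate."""
    open_tasks: Dict[str, None] = {}
    for msg in msgs:
        t = TASK_RE.search(msg.text)
        if not t:
            continue
        if msg.mnemonic == "TASK_CPU_THRESHOLD":
            open_tasks[t["task"]] = None
        elif msg.mnemonic == "TASK_CPU_THRESHOLD_CLR":
            open_tasks.pop(t["task"], None)
    return list(open_tasks)


def severe_events(msgs: List[FtosMessage], max_severity: int = 2) -> List[FtosMessage]:
    """Messages at severity <= max_severity (emergency, alert, critical), such as the
    CHMGR-0-MAJOR_SFM alarm raised when the switch fabric goes down."""
    return [msg for msg in msgs if msg.severity <= max_severity]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in high_cpu_events(parsed):
        print("high cpu:", e)
    print("still above threshold:", tasks_still_above_threshold(parsed))
    for s in severe_events(parsed):
        print(f"severity {s.severity}: {s.facility}-{s.mnemonic}: {s.text}")
```

Feed it the output of a syslog receiver rather than the sample and the same three functions give you an alert on any task that stays above threshold without a clearing message, which is the condition worth paging on; a single THRESHOLD followed seconds later by its _CLR, as in the guide's own example, is not.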
Software exception handling on line cards
If a line card CPU experiences a software exception, the system:
• Uploads the contents of the buffered trace logs to persistent memory on the RPM. The files are written to the TRACE_LOG directory, and they use the naming convention crash_trace_LPslot#_timestamp.
• Writes a crash log file to the CRASH_LOG directory.
• Writes a core dump file to the CORE_DUMP directory for kernel or application core dumps.
Full core dumps
RP core dumps are enabled by default. CP core dumps are disabled by default. The core dump file is sent by FTP to the internal flash in the CORE_DUMP_DIR directory once the crashed RPM is back up. Enable full RPM application and kernel core dumps with the following:
Task: Enable RPM core dumps and specify the shutdown mode.
Command syntax: logging coredump [cp | rps | server]
Command mode: CONFIGURATION
Undo this command using no logging coredump [cp | rps | server].
Port-shutdown
In a redundant system, you can configure the system to shut down ports when the primary fails and fail over to the backup system. To implement that failover, use the logging coredump linecard port-shutdown command.
Note: Configure port shutdown before a software exception occurs.
In the following example, the ports on line card 13 shut down while the ports on line card 0 remain up during a core dump.
Step 1. Syntax:
FTOS#dir
Directory of flash:
  1  drwx   8192  Jan 01 1980 00:00:00 +00:00 .
  2  drwx    512  Jun 17 2009 12:27:15 +00:00 ..
  3  drwx   4096  Nov 09 2007 19:55:38 +00:00 CORE_DUMP_DIR
Step 2. Task: Change the directory to CORE_DUMP_DIR. Syntax: cd CORE_DUMP_DIR. Command mode: EXEC Privilege.
Step 3. Task: List the files in the directory.
Console output
The console output files contain the console output of a line card or of RP1/RP2, written to a file on the internal system flash. The contents are simple and contain basic failure details for an RPM boot failure or a line card exception when a core dump was not successfully saved. The files are generated for the following exceptions.
Step | Task | Syntax | Command Mode
FTOS#cd NVTRACE_LOG_DIR
FTOS#dir
Directory of flash:/NVTRACE_LOG_DIR
  1  drwx  4096  Nov 09 2007 19:55:38
  2  drwx  8192  Jan 01 1980 00:00:00
  3  -rwx  5114  May 27 2009 11:08:02  show_console_lp2_20090527_110758.log
  4  -rwx  8266  Jun 01 2009 00:02:24  show_console_rp2_20090601_000223.log
  5  -rwx  8263  Jun 02 2009 11:15:54  show_console_lp7_20090602_111547.log
  6  -rwx  8263  Jun 02 2009 11:22:00  show_console_lp7_20090602_112152.
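Both the trace-buffer rotation described under "Buffer full condition" (hw_trace_RPM0CP.0 through .4, after which .1 to .4 are reused while .0 is kept) and directory listings like the one above are what an incident responder has to read off the flash after a failure, and the file-name conventions carry more than the modification time does. The following Python script is an added example, not from this guide and not Dell Force10 code: it parses a dir listing, recognises the naming conventions this chapter gives (show_console_*, crash_trace_LP*, hw_trace_RPM*CP.N, failure_trace_RPM*, f10*.acore), orders the artifacts chronologically using the time embedded in the name where there is one, picks the newest hw_trace by modification time rather than by suffix because of the wrap-around, and encodes the rotation rule as a function. The listing is constructed; the crash_trace timestamp format (YYYYMMDD_HHMMSS), the hw_trace names for RP processors, and all sizes and dates are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed listing (not captured from a real system). Layout follows the "dir"
# output shown in the guide; file names follow the conventions the guide gives.
# The crash_trace timestamp form and the hw_trace .1/.2 ordering are assumptions
# chosen to show the wrap-around (.1 was rewritten after .2).
SAMPLE_DIR = """\
Directory of flash:/TRACE_LOG_DIR

  1  drwx        4096   Nov 09 2007 19:55:38 +00:00 .
  2  drwx        8192   Jan 01 1980 00:00:00 +00:00 ..
  3  -rwx        5114   May 27 2009 11:08:02 +00:00 show_console_lp2_20090527_110758.log
  4  -rwx        8266   Jun 01 2009 00:02:24 +00:00 show_console_rp2_20090601_000223.log
  5  -rwx        8263   Jun 02 2009 11:15:54 +00:00 show_console_lp7_20090602_111547.log
  6  -rwx      131072   Jun 02 2009 11:16:40 +00:00 crash_trace_LP7_20090602_111547
  7  -rwx       65536   Jun 03 2009 08:00:00 +00:00 hw_trace_RPM0CP.0
  8  -rwx       65536   Jun 03 2009 09:00:00 +00:00 hw_trace_RPM0CP.2
  9  -rwx       65536   Jun 03 2009 12:00:00 +00:00 hw_trace_RPM0CP.1
 10  -rwx      262144   Jun 04 2009 02:10:45 +00:00 failure_trace_RPM1_CP
 11  -rwx    16777216   Jun 04 2009 02:11:30 +00:00 f10rp1.acore
"""

# index, permissions, size, "Mon DD YYYY HH:MM:SS", optional "+00:00", name
ENTRY_RE = re.compile(
    r"^\s*\d+\s+(?P<perm>[d-][rwx-]{3})\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})(?: [+-]\d{2}:\d{2})?\s+(?P<name>\S+)$"
)

# (kind, pattern). Only the console-output and hw_trace_RPM0CP names appear in
# full on the page; the crash_trace "_timestamp" suffix is assumed to use the
# same YYYYMMDD_HHMMSS form as the console files.
ARTIFACT_PATTERNS = [
    ("console_output", re.compile(r"^show_console_(?P<src>lp\d+|rp[12])_(?P<ts>\d{8}_\d{6})\.log$")),
    ("crash_trace",    re.compile(r"^crash_trace_(?P<src>LP\d+)_(?P<ts>\d{8}_\d{6})$")),
    ("hw_trace",       re.compile(r"^hw_trace_(?P<src>RPM\d(?:CP|RP[12]))\.(?P<seq>\d)$")),
    ("failure_trace",  re.compile(r"^failure_trace_(?P<src>RPM\d_(?:CP|LP\d+))$")),
    ("app_core",       re.compile(r"^f10(?P<src>cp|rp[12])\.acore$")),
]


@dataclass
class Artifact:
    name: str
    kind: str
    source: str                     # producing processor or card, upper-cased (LP7, RP2, RPM1_CP)
    size: int
    mtime: datetime                 # modification time from the dir listing
    event_time: Optional[datetime]  # time embedded in the file name, when the convention has one
    seq: Optional[int]              # ring-buffer dump sequence for hw_trace files

    @property
    def when(self) -> datetime:
        return self.event_time or self.mtime


def classify(name: str, size: int, mtime: datetime) -> Artifact:
    for kind, pat in ARTIFACT_PATTERNS:
        m = pat.match(name)
        if not m:
            continue
        g = m.groupdict()
        event_time = datetime.strptime(g["ts"], "%Y%m%d_%H%M%S") if g.get("ts") else None
        seq = int(g["seq"]) if g.get("seq") else None
        return Artifact(name, kind, g["src"].upper(), size, mtime, event_time, seq)
    return Artifact(name, "unknown", "", size, mtime, None, None)


def inventory(listing: str) -> List[Artifact]:
    """Parse dir output and return the files in chronological order, oldest first."""
    found = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m["perm"].startswith("d"):
            continue  # skip '.', '..' and sub-directories
        mtime = datetime.strptime(m["mtime"], "%b %d %Y %H:%M:%S")
        found.append(classify(m["name"], int(m["size"]), mtime))
    return sorted(found, key=lambda a: a.when)


def newest_hw_trace(arts: List[Artifact]) -> Optional[Artifact]:
    """After the fifth dump the .1 to .4 names are reused while .0 is kept, so the
    highest suffix is not the newest file; the modification time is."""
    traces = [a for a in arts if a.kind == "hw_trace"]
    return max(traces, key=lambda a: a.mtime) if traces else None


def hw_trace_seq_for_fill(fill_number: int) -> int:
    """Suffix written on the n-th buffer-full event: .0 to .4 for the first five,
    then .1, .2, .3, .4 cyclically (.0 is never overwritten)."""
    if fill_number < 1:
        raise ValueError("fill_number starts at 1")
    if fill_number <= 5:
        return fill_number - 1
    return (fill_number - 6) % 4 + 1


if __name__ == "__main__":
    for a in inventory(SAMPLE_DIR):
        print(f"{a.when:%Y-%m-%d %H:%M:%S}  {a.kind:15} {a.source:8} {a.name}")
    print("newest hw_trace:", newest_hw_trace(inventory(SAMPLE_DIR)).name)
```

Run against a listing copied from the console (or fetched with the upload/FTP paths the guide describes), it gives a timeline in which the console output, crash trace and core dump from one line card exception line up by the timestamp in their names, which the flash modification times alone do not guarantee.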
64 Standards Compliance
This appendix contains the following sections:
• IEEE Compliance
• RFC and I-D Compliance
• MIB Location
Note: Unless noted, when a standard cited here is listed as supported by FTOS, FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click on "Browse and search IETF documents", enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
The following standards are supported by FTOS, and are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard.
Note: Checkmarks in the E-Series column indicate that FTOS support was added before FTOS version 7.5.1.
General Internet Protocols (FTOS support, per platform)
RFC 768 User Datagram Protocol: 7.6.1, 7.5.1, 8.1.1
RFC 793 Transmission Control Protocol: 7.6.1, 7.
General IPv4 Protocols (FTOS support, per platform: E-Series TeraScale, E-Series ExaScale, S-Series, C-Series)
RFC 791 Internet Protocol: 7.6.1, 7.5.1, 8.1.1
RFC 792 Internet Control Message Protocol: 7.6.1, 7.5.1, 8.1.1
RFC 826 An Ethernet Address Resolution Protocol: 7.6.1, 7.5.1, 8.1.1
RFC 1027 Using ARP to Implement Transparent Subnet Gateways: 7.6.1, 7.5.1, 8.1.1
RFC 1035 DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client): 7.6.1, 7.5.1, 8.1.
General IPv6 Protocols (FTOS support, per platform: E-Series TeraScale, E-Series ExaScale, S-Series, C-Series)
RFC 1886 DNS Extensions to support IP version 6: 7.8.1, 7.8.1, 8.2.1
RFC 1981 (Partial) Path MTU Discovery for IP version 6: 7.8.1, 7.8.1, 8.2.1
RFC 2460 Internet Protocol, Version 6 (IPv6) Specification: 7.8.1, 7.8.1, 8.2.1
RFC 2461 (Partial) Neighbor Discovery for IP Version 6 (IPv6): 7.8.1, 7.8.1, 8.2.
Border Gateway Protocol (BGP) (FTOS support, per platform: S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
RFC 1997 BGP Communities Attribute: 7.8.1, 7.7.1, 8.1.1
RFC 2385 Protection of BGP Sessions via the TCP MD5 Signature Option: 7.8.1, 7.7.1, 8.1.1
RFC 2439 BGP Route Flap Damping: 7.8.1, 7.7.1, 8.1.1
RFC 2545 Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing: 7.8.1, 8.2.1
RFC 2796 BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP): 7.8.
Open Shortest Path First (OSPF) (FTOS support, per platform: S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
The OSPF Not-So-Stubby Area (NSSA) Option: 7.6.1, 7.5.1, 8.1.1
RFC 2154 OSPF with Digital Signatures: 7.6.1, 7.5.1, 8.1.1
RFC 2328 OSPF Version 2: 7.6.1, 7.5.1, 8.1.1
RFC 2370 The OSPF Opaque LSA Option: 7.6.1, 7.5.1, 8.1.1
RFC 2740 OSPF for IPv6: 7.8.1, 8.2.1
RFC 3623 Graceful OSPF Restart: 7.8.1, 7.5.1, 8.1.
Intermediate System to Intermediate System (IS-IS) (FTOS support, per platform: E-Series TeraScale, E-Series ExaScale)
OSI IS-IS Intra-Domain Routing Protocol (ISO DP 10589): 8.1.1
RFC 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments: 8.1.1
RFC 2763 Dynamic Hostname Exchange Mechanism for IS-IS: 8.1.1
RFC 2966 Domain-wide Prefix Distribution with Two-Level IS-IS: 8.1.1
RFC 3373 Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Point-to-Point Adjacencies: 8.1.
Multiprotocol Label Switching (MPLS) (FTOS support, per platform: C-Series, E-Series ExaScale)
RFC 2702 Requirements for Traffic Engineering Over MPLS: 8.3.1
RFC 3031 Multiprotocol Label Switching Architecture: 8.3.1
RFC 3032 MPLS Label Stack Encoding: 8.3.1
RFC 3209 RSVP-TE: Extensions to RSVP for LSP Tunnels: 8.3.1
RFC 3630 Traffic Engineering (TE) Extensions to OSPF Version 2: 8.3.
Multicast (FTOS support, per platform: S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
RFC 1112 Host Extensions for IP Multicasting: 7.8.1, 7.7.1, 8.1.1
RFC 2236 Internet Group Management Protocol, Version 2: 7.8.1, 7.7.1, 8.1.1
RFC 2710 Multicast Listener Discovery (MLD) for IPv6: 8.2.1
RFC 3376 Internet Group Management Protocol, Version 3: 7.8.1, 7.7.1, 8.1.1
RFC 3569 An Overview of Source-Specific Multicast (SSM): 7.8.1 (SSM for IPv4), 7.7.1 (SSM for IPv4), 7.5.
RFC 3618
Network Management (FTOS support, per platform: S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
Structure and Identification of Management Information for TCP/IP-based Internets: 7.6.1, 7.5.1, 8.1.1
RFC 1156 Management Information Base for Network Management of TCP/IP-based internets: 7.6.1, 7.5.1, 8.1.1
RFC 1157 A Simple Network Management Protocol (SNMP): 7.6.1, 7.5.1, 8.1.1
RFC 1212 Concise MIB Definitions: 7.6.1, 7.5.1, 8.1.
Network Management (Continued) (FTOS support, per platform: S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework: 7.6.1, 7.5.1, 8.1.1
RFC 2578 Structure of Management Information Version 2 (SMIv2): 7.6.1, 7.5.1, 8.1.1
RFC 2579 Textual Conventions for SMIv2: 7.6.1, 7.5.1, 8.1.1
RFC 2580 Conformance Statements for SMIv2: 7.6.1, 7.5.1, 8.1.
Network Management (Continued) (FTOS support, per platform)
RFC 3815 Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP)
RFC 5060 Protocol Independent Multicast MIB: 7.8.1, 7.8.1, 7.7.1, 8.1.1
ANSI/TIA-1057 The LLDP Management Information Base extension module for TIA-TR41.4 Media Endpoint Discovery information: 7.7.1, 7.6.1, 7.6.1, 8.1.1
draft-grant-tacacs-02 The TACACS+ Protocol: 7.6.1, 7.5.1, 8.1.1, 7.8.1, 7.7.
Network Management (Continued) (FTOS support, per platform: S-Series, E-Series TeraScale, E-Series ExaScale)
FORCE10-CS-CHASSIS-MIB Dell Force10 C-Series Enterprise Chassis MIB
FORCE10-IF-EXTENSION-MIB Dell Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output): 7.6.1
FORCE10-LINKAGG-MIB Dell Force10 Enterprise Link Aggregation MIB: 7.6.1, 7.6.1, 7.6.
MIB Location
Dell Force10 MIBs are under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.
Index
Numerics
10/100/1000 Base-T Ethernet line card, auto negotiation 447
100/1000 Ethernet interfaces port channels 424
4-Byte AS Numbers 205
802.1AB 1135
802.1D 1135
802.1p 1135
802.1p/Q 1135
802.1Q 1135
802.1s 1135
802.1w 1135
802.1X 1135
802.3ab 1135
802.3ac 1135
802.3ad 1135
802.3ae 1135
802.3af 1135
802.3ak 1135
802.3i 1135
802.3u 1135
802.3x 1135
802.
F
Fast Convergence after MSTP-Triggered Topology Changes 408
fast-convergence OSPF 678
File Transfer Protocol. See FTP.
flowcontrol 445
Force 10 Resilient Ring Protocol 329
forward delay 849, 986
FRRP 329
FRRP Master Node 329
FRRP Transit Node 329
FTOS 666
FTOS XML session management 1071
FTP 67
I
I-D (Internet Draft) Compliance 1136
Idle Time 868
IEEE 802.1q 367
IEEE Compliance 1135
IEEE Standard 802.
configuring 422
defaults 415
definition 422
deleting interface 422
viewing configuration 422
Loopback, Configuring ACLs to
LSAs 658
AS Boundary 666
AS External 666
Network 666
Network Summary 666
NSSA External 666
Opaque Area-local 666
Opaque Link-local 666
Router 666
types supported 666
LSPs 498
default value 211
Multi-Topology IS-IS 499
N 148
M
MAC hashing scheme 432
management interface 415
accessing 418
configuring a management interface 418
configuring IP address 418
definition 418
IP address consi
RFC 2338 1042
RFC 2453 821
RFC 3128 876
RFC 791 456
RFC Compliance 1136
RIP
adding routes 825
auto summarization default 822
changing RIP version 826
configuring interfaces to run RIP 824
debugging RIP 829
default values 822
default version 823
disabling RIP 824
ECMP paths supported 822
enabling RIP 823
route information 825
setting route metrics 829
summarizing routes 828
timer values 822
version 1 description 821
version default on interfaces 822
RIP routes, maximum 822
RIPv1 821
RIPv2 822
root bridge 848
local authentication and authorization, local database source of access class 887
radius authentication, support for 888
remote authentication and authorization 874
remote authentication and authorization, 10.0.0.